D-Link DFL-1100 - Security Appliance User Manual - Introduction

Manual is about: Network Security Firewall

Summary of DFL-1100 - Security Appliance

  • Page 1

    D-Link DFL-1100 Network Security Firewall Manual. Building Networks for People (04/19/2005) TM.

  • Page 2: Contents

    Contents. Introduction ..... 7. Features and Benefits ..... 7. Introduction to Firewalls ...

  • Page 3

    The Synchronization Interface ..... 27. Setting up a High Availability Cluster ..... 28. Interface Monitoring ...

  • Page 4

    Grouping Services ..... 52. Protocol-Independent Settings ..... 53. VPN ...

  • Page 5

    Disable DNS Relayer ..... 70. Tools ..... 71. Ping ...

  • Page 6

    Settings for Main Office ..... 113. Windows XP Client and L2TP Server ..... 116. Settings for the Windows XP Client ..... 116. Set...

  • Page 7: Introduction

    Introduction. The DFL-1100 provides four 10/100Mbps Ethernet network interface ports, which are (1) Internal/LAN, (1) External/WAN, (1) DMZ, and (1) ETH4 port. In addition the DFL-1100 also provides a user-friendly web UI that allows users to set system parameters or monitor network activities using ...

  • Page 8

    Introduction to Local Area Networking. Local area networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a wide area n...

  • Page 9

    LEDs & Physical Connections. Power: a solid light indicates a proper connection to the power supply. Status: a system status indicator that flashes occasionally to indicate a functional, active system. Solid illumination of the Status LED indicates a hardware/software critical failure. WAN, LAN, DMZ,...

  • Page 10

    Package Contents. Contents of package: • D-Link DFL-1100 Firewall • Manual and CD • Installation Guide • PC power cable • Straight-through CAT-5 cable • RS-232 null modem cable. If any of the above items are missing, please contact your reseller. System Requirements • Computer running Microsoft Win...

  • Page 11: Managing D-Link Dfl-1100

    Managing D-Link DFL-1100. When a change is made to the configuration, a new icon named Activate Changes will appear. When all changes made by the administrator are complete, those changes need to be saved and activated to take effect by clicking on the Activate Changes button on the Activate Configur...

  • Page 12: Administration Settings

    Administration Settings. Administrative Access. Management UI ports – the ports for the DFL-1100's web server management UI (HTTP and HTTPS) can be customized if so desired. These values must change if user authentication is enabled (user authentication uses 80 and 443 to accomplish user login). Pin...

  • Page 13

    SNMP – specifies if SNMP should or should not be allowed on the interface. The DFL-1100 only supports read-only access. Add ping access to an interface: to add ping access, click on the interface you would like to add it to. Follow these steps to add ping access to an interface. Step 1. Click on the ...

  • Page 14

    Add read-only access to an interface: to add read-only access, click on the interface you would like to add it to. Note that if you only have read-only access enabled on an interface, all users will only have read-only access, even if they are administrators. Follow these steps to add read-only ac...

  • Page 15: System

    System. Interfaces: click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN, DMZ, or ETH4 interface: follow these steps to change the IP of the LAN, DMZ, or ETH4 interface. Step 1. Choose which interface to view or change under the Available Interfaces list. Step 2. Fi...

  • Page 16

    WAN Interface Settings – Using Static IP. If you are using static IP, you have to fill in the IP address information provided to you by your ISP. All fields are required except the secondary DNS server. Note: do not use the numbers displayed in these fields, they are only used as an example. • IP ...

  • Page 17

    WAN Interface Settings – Using PPPoE. Use the following procedure to configure the DFL-1100 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the u...

  • Page 18

    WAN Interface Settings – Using PPTP. PPTP over Ethernet connections are used in some DSL and cable modem networks. You need to enter your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over. Your ISP should supply this info...

  • Page 19

    WAN Interface Settings – Using L2TP. L2TP over Ethernet connections are used in some DSL and cable modem networks. You need to enter your account details, and possibly also IP configuration parameters of the actual physical interface that the L2TP tunnel runs over. Your ISP should supply this informa...

  • Page 20

    WAN Interface Settings – Using BigPond. The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – the login or username supplied to you by your ISP. • Password – the password supplied to you by your ISP. Traffic Shaping: when traffic shaping is enabled and ...

  • Page 21

    MTU Configuration. To improve the performance of your Internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-1100 transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1100 ...

  • Page 22

    VLAN. Click on System in the menu bar, and then click VLAN below it; this will give a list of all configured VLAN tags, which should look something like this: Add a new VLAN: follow these steps to add a new route. Step 1. Go to System and VLAN. Step 2. Click on Add new in the bottom of the routing ...

  • Page 23

    Routing. Click on System in the menu bar, and then click Routing below it; this will provide a list of all configured routes, and it will look something like this: the Routes configuration section describes the firewall's routing table. The DFL-1100 uses a slightly different method of describing rout...

  • Page 24

    Add a new static route: follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new in the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu. Step 4. Specify the network and subnet mask. Step...

  • Page 25

    High Availability. D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning,...

  • Page 26

    IP Addresses Explained. For each cluster interface, there are three IP addresses: • Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and monitoring. They should not be associated in any way with traffic f...

  • Page 27

    Cluster Heartbeats. A firewall detects that its peer is no longer operational when it can no longer hear "cluster heartbeats" from its peer. Currently, a firewall will send five cluster heartbeats per second. When a firewall has "missed" three heartbeats, i.e. after 0.6 seconds, it will be declared i...

  • Page 28

    Setting up a High Availability Cluster. First of all, each of the DFL-1100 firewalls must be set up so far that one can manage them over the web interface. In this example the two units are configured as follows: the master DFL-1100 will be configured with 192.168.1.2 on its internal interface, and ...

  • Page 29

    Now log in to the slave firewall and click on System in the menu bar, and then click HA below it; in this screen you will click on Receive configuration from first unit. You will need to fill in the Cluster ID configured on the first unit. When you click Apply the unit should transfer the configurati...

  • Page 30

    Logging. Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital part in all network security products. The D-Link DFL-1100 provides several options for logging activity. The D-Link DFL-1100 logs activity by sendin...

  • Page 31

    The D-Link DFL-1100 specifies a number of events that can be logged. Some of these events, such as startup and shutdown, are mandatory and will always generate log entries. Other events, for instance when allowed connections are opened and closed, are configurable. It is also possible to have e-mail...

  • Page 32

    Time. Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by synchronizing with an Internet network time server (NTP) or by entering the system time manually.

  • Page 33

    Changing Time Zone. Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop-down menu. Step 2. Specify the dates to begin and end daylight saving time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the settings...

  • Page 34: Firewall

    Firewall Policy. The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management, traffic shaping, is app...

  • Page 35

    Source and Destination Filter. Source Nets – specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match everything. Source Users/Groups – specifies if an authenticated username is needed for this policy to match. Simply make a list of usernames separate...

  • Page 36

    Intrusion Detection / Prevention. The DFL-1100 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion detection and prevention sensor that identifies and takes action against a wide variety of suspicious network activity. The IDS uses intrusion signatures, stored in the attack da...

  • Page 37

    There are two ways to configure policy routing; both include specifying the gateway to send the traffic over. The first one, Redirect via Routing (make gateway next hop), will just reroute the traffic to the given gateway as if it was just another router. The second mode, via Address Translation (ch...

  • Page 38

    Change Order of Policy. Follow these steps to change the order of a policy. Step 1. Choose the policy list for which you would like to change the order from the available policy lists. Step 2. Click on the Edit link corresponding to the rule you want to move. Step 3. Change the number in the Posit...

  • Page 39

    Configure Intrusion Prevention. Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link corresponding to the rule you want to configure. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4. Choose Preventio...

  • Page 40

    Port Mapping / Virtual Servers. The Port Mapping / Virtual Servers configuration section is where you can configure virtual servers (such as a LAN web server) on the LAN or DMZ interfaces to be accessible through the WAN. One may also regulate how bandwidth management (traffic shaping) is applied ...

  • Page 41

    Delete Mapping. Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN, or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link corresponding to the rule you want to delete. Step 3. Enable the Delete mapping checkbox. Click the Apply button below t...

  • Page 42

    Administrative Users. Click on Firewall in the menu bar, and then click Users below it. This will show all the users, and the first section is the administrative users. The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, chan...

  • Page 43

    Change Administrative User Access Level. To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by entering the appropriate level in the Group Membership field. Access Levels • Administrator – the user can add, edit...

  • Page 44

    Delete Administrative User. To delete a user, click on the user name and you will see the following screen. Follow these steps to delete an administrative user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the set...

  • Page 45

    Users. User authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with username or groups, the user must first authenticate him/herself. The...

  • Page 46

    Enable User Authentication via HTTP / HTTPS. Follow these steps to enable user authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before bei...

  • Page 47

    Add User. Follow these steps to add a new user. Step 1. Click on Add corresponding to the type of user you would like to add, Admin or Read-only. Step 2. Fill in the user name; make sure you are not trying to add one that already exists. Step 3. Specify which groups the user should be a member of. Step 3...

  • Page 48

    Delete User. To delete a user, click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the settings or click Cancel to discar...

  • Page 49

    Schedules. It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-1100 allows the firewall policies to be used only at those designated times. Any activities outside of the scheduled time slot will not follow the policies and therefore will not likely be ...

  • Page 50

    Add New One-Time Schedule. Follow these steps to create and add a new one-time schedule. Step 1. Go to Firewall and Schedules and choose Add new. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3. Use the checkboxes to set the times this schedule shoul...

  • Page 51

    Services. A service is basically a definition of a specific IP protocol with corresponding parameters. The service HTTP, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a...

  • Page 52

    Adding IP Protocol. When the type of the service is IP protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named "IP ...

  • Page 53

    Protocol-Independent Settings. Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication...

  • Page 54

    VPN. Introduction to IPsec. This chapter introduces IPsec, the method, or rather set of methods, used to provide VPN functionality. IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec bas...

  • Page 55

    Introduction to L2TP. L2TP, Layer 2 Tunneling Protocol, a combination of Microsoft's PPTP and Cisco's L2F (Layer 2 Forwarding), is used to provide IP security at the network layer. An L2TP based VPN is made up by these parts: • Point-to-Point Protocol (PPP) • Authentication protocols (PAP, CHAP, MS-C...

  • Page 56

    Authentication Protocols. PPP supports different authentication protocols: PAP, CHAP, MS-CHAP v1 and MS-CHAP v2. The authentication protocol to be used is decided during LCP negotiation. PAP. PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme, which means that both u...

  • Page 57

    L2TP/PPTP Clients. Settings for L2TP/PPTP client configuration. Name – specifies a friendly name for the PPTP/L2TP client tunnel. Username – specify the username for this PPTP/L2TP client tunnel. Password/Confirm Password – the password to use for this PPTP/L2TP client tunnel. Interface IP – specifies...

  • Page 58

    L2TP/PPTP Servers. Settings for L2TP/PPTP server configuration. Name – specifies a name for this PPTP/L2TP server. Outer IP – specifies the IP that the PPTP/L2TP server should listen on; leave it blank for the WAN IP. Inner IP – specifies the internal IP of the VPN tunnel. Leave this field blank fo...

  • Page 59

    IPsec VPN between two networks. In the following example users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted IPsec VPN tunnel that connects the two DFL-1100 NetDefend firewalls a...

  • Page 60

    VPN between client and an internal network. In the following example users can connect to the main office internal network from anywhere on the Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL-1100 and the roaming user...

  • Page 61

    Adding an L2TP/PPTP VPN Client. Follow these steps to add an L2TP or PPTP VPN client configuration. Step 1. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. Step 2. Enter a name for the new tunnel in the Name field. The name can contain nu...

  • Page 62

    VPN – Advanced Settings. Advanced settings for a VPN tunnel are used when the user needs to change some characteristics of the tunnel to, for example, try to connect to a third-party VPN gateway. The different settings per tunnel are: Limit MTU. With this setting it is possible to limit the MTU (max...

  • Page 63

    Proposal Lists. To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPsec security associations (SA) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption para...

  • Page 64

    Certificates. A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates. Before a VPN tunnel with c...

  • Page 65

    Note: if the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add new was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peers list even if Add new was clicked from the Certificate A...

  • Page 66

    Content Filtering. DFL-1100 HTTP content filtering may be configured to scan all HTTP protocol streams for URLs or for potentially dangerous web page content. If a match is found between the requested URL and the URL blacklist, the DFL-1100 will block the web page. You can configure the URL blackli...

  • Page 67

    Edit the URL Global Blacklist. Follow these steps to add or remove a URL. Step 1. Navigate to Firewall / Content Filtering and choose Edit global URL blacklist. Step 2. Add or edit a URL that should be filtered and blocked. File extensions may also be defined to block download of specified file types...

  • Page 68: Servers

    Servers. DHCP Server Settings. The DFL-1100 contains a DHCP server. DHCP (Dynamic Host Configuration Protocol) is a protocol that allows network administrators to automatically assign IP numbers to DHCP enabled computers on a network. The DFL-1100 DHCP server helps to minimize the work necessary to...

  • Page 69

    Enable DHCP Server. To enable the DHCP server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP server on the LAN interface. Step 1. Choose the LAN interface from the Available Interfaces list. Step 2. Enable by checking the ...

  • Page 70

    DNS Relay Settings. Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-1100 contains a DNS relay function that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself. Enable DNS Relayer. Follow these steps to enable the ...

  • Page 71: Tools

    Tools. Ping. Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This method is the best suited for diagnosing connectivi...

  • Page 72

    Dynamic DNS. The Dynamic DNS (requires Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in the Dynamic DNS server will be automatically updated with the ...

  • Page 73

    Backup. Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configuration file stores system settings, IP addresses of the firewall's network interfaces, address table, service table, IPsec settings, port mapping, and pol...

  • Page 74

    Restart/Reset. Restarting the DFL-1100. Follow these steps to restart the DFL-1100. Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart.

  • Page 75

    Restoring System Settings to Factory Defaults. Use the following procedure to restore system settings to the factory defaults. This procedure will possibly change the DFL-1100 firmware version to a lower version if it has been upgraded. Make sure you have the current firmware file available for uploa...

  • Page 76

    Upgrade. The DFL-1100's software, IDS signatures, and system parameters are all stored on a flash memory card. The flash memory card is re-writable and re-readable. Upgrade Firmware. To upgrade the firmware of the DFL-1100, obtain the latest version from support.dlink.com (US). Make sure the firmwa...

  • Page 77: Status

    Status. In this section, the DFL-1100 displays the status information about the firewall. The administrator may use the Status section to check the system status, interface statistics, VPN status, IP connections, and DHCP servers status. System. Click on Status in the menu bar, and then click System below...

  • Page 78

    Interfaces. Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces on the DFL-1100. By default, information about the LAN interface will be displayed. To see information for a specific interface, click on the respective ...

  • Page 79

    VPN. Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the VPN connections on the DFL-1100. By default, information about the first VPN tunnel will be displayed. To see another one, click on that VPN tunnel's name. The two graphs displ...

  • Page 80

    Connections. Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. The state table shows the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass ...

  • Page 81

    DHCP Server. Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP servers. By default, information about the LAN interface will be displayed. To see another one, click on that interface. Interface – name of the inte...

  • Page 82: How to Read The Logs

    How to Read the Logs. Although the exact format of each log entry depends on how your syslog recipient works, most are very similar. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on Unix servers usually log to text files, line by line. Most sys...

  • Page 83

    CONN events. These events are generated if auditing has been enabled. One event will be generated when a connection is established. This event will include information about the protocol, receiving interface, source IP address, source port, destination interface, destination IP address, and destinati...

  • Page 84: Step By Step Guides

    Step by Step Guides. The following guides make use of example IP addresses, users, sites and passwords. You will have to exchange the example information with your own values. Passwords used in these examples are not recommended for real life use. Strong passwords and keys should be chosen making ...

  • Page 85

    LAN-to-LAN VPN using IPsec. Settings for Branch Office. 1. Setup interfaces, System->Interfaces: WAN IP: 194.0.2.10; LAN IP: 192.168.4.1, subnet mask: 255.255.255.0. 2. Setup IPsec tunnel, Firewall->VPN: under IPsec tunnels click Add new; name the tunnel tomainoffice; Local Net: 192.168.4.0/24; PSK: 123456...

  • Page 86

    Select tunnel type: LAN-to-LAN tunnel; Remote Net: 192.168.1.0/24; Remote Gateway: 194.0.2.20; enable Automatically add a route for the remote network; click Apply. 3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: internal->VPN, VPN->...

  • Page 87

    Settings for Main Office. 1. Setup interfaces, System->Interfaces: WAN IP: 194.0.2.20; LAN IP: 192.168.1.1, subnet mask: 255.255.255.0. 2. Setup IPsec tunnel, Firewall->VPN: under IPsec tunnels click Add new; name the tunnel tobranchoffice; Local Net: 192.168.1.0/24; PSK: 1234567890 (Note! You should use ...

  • Page 88

    3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN; click Apply. 4. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a m...

  • Page 89

    LAN-to-LAN VPN using PPTP. Settings for Branch Office. 1. Setup interfaces, System->Interfaces: WAN IP: 194.0.2.10; LAN IP: 192.168.4.1, subnet mask: 255.255.255.0. 2. Setup PPTP client, Firewall->VPN: under PPTP/L2TP clients click Add new PPTP client; name the tunnel tomainoffice.

  • Page 90

    Username: branchoffice; Password: 1234567890 (Note! You should use a password that is hard to guess); Retype password: 1234567890; Interface IP: leave blank; Remote Gateway: 194.0.2.20; Remote Net: 192.168.1.0/24; Dial on demand: leave unchecked. Under Authentication, MSCHAPv2 should be the only checked ...

  • Page 91

    Under MPPE encryption, 128 bit should be the only checked option. Leave Use IPsec encryption unchecked; click Apply. 3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN; click Apply. 4. Click Activa...

  • Page 92

    2. Setup PPTP server, Firewall->VPN: under L2TP / PPTP Server click Add new PPTP server; name the server pptpserver; leave Outer IP and Inner IP blank; set Client IP Pool to 192.168.1.100 – 192.168.1.199; check Proxy ARP dynamically added routes; check Use unit's own DNS relayer addresses; leave WINS s...

  • Page 93

    Under Authentication, MSCHAPv2 should be the only checked option. Under MPPE encryption, 128 bit should be the only checked option. Leave Use IPsec encryption unchecked; click Apply. 3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: inte...

  • Page 94

    4. Set up the authentication source, Firewall->Users: select Local database; click Apply. 5. Add a new user, Firewall->Users: under Users in local database click Add new; name the new user branchoffice; enter password: 1234567890; retype password: 1234567890; leave Static client IP empty (could also be...

  • Page 95

    LAN-to-LAN VPN using L2TP. Settings for Branch Office. 1. Setup interfaces, System->Interfaces: WAN IP: 194.0.2.10; LAN IP: 192.168.4.1, subnet mask: 255.255.255.0. 2. Setup L2TP client, Firewall->VPN: under L2TP / PPTP client click Add new L2TP client; name the server tomainoffice.

  • Page 96

    Username: branchoffice; Password: 1234567890 (Note! You should use a password that is hard to guess); Retype password: 1234567890; Interface IP: leave blank; Remote Gateway: 194.0.2.20; Remote Net: 192.168.1.0/24; Dial on demand: leave unchecked. Under Authentication, only MSCHAPv2 should be checked.

  • Page 97

    Under MPPE encryption, only None should be checked; check Use IPsec encryption; enter key 1234567890 (Note! You should use a key that is hard to guess); retype key 1234567890; click Apply. 3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: ...

  • Page 98

    Settings for Main Office. 1. Setup interfaces, System->Interfaces: WAN IP: 194.0.2.20; LAN IP: 192.168.1.1, subnet mask: 255.255.255.0. 2. Setup L2TP server, Firewall->VPN: under L2TP / PPTP Server click Add new L2TP server; name the server l2tpserver; leave Outer IP and Inner IP blank; set Client IP P...

  • Page 99

    Under Authentication, MSCHAPv2 should be the only checked option. Under MPPE encryption, None should be the only checked option. Check Use IPsec encryption; enter key 1234567890 (Note! You should not use this key); retype key 1234567890; click Apply.

  • Page 100

    3. Setup policies for the new tunnel, Firewall->Policy: click Global policy parameters; enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN; click Apply. 4. Set up authentication source, Firewall->Users: select Local database; click Apply.

  • Page 101

    5. Add a new user, Firewall->Users: under Users in local database click Add new; name the new user branchoffice; enter password: 1234567890; retype password: 1234567890; leave Static client IP empty (could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the L2TP server settings ar...

  • Page 102

    A more secure LAN-to-LAN VPN solution
    In order to establish a more secure LAN-to-LAN VPN connection, traffic policies should be created instead of allowing all traffic between the two private networks. The following steps show how to enable some common services allowed through the VPN tunnel. In...

  • Page 103

    4. Set up the new rule: name the new rule allow_pop3; select action: Allow; select service: pop3; select schedule: Always. We don't want any intrusion detection for now, so leave this option unchecked. Click Apply.

  • Page 104

    5. The first policy rule is now created. Repeat step 4 to create rules named allow_imap, allow_ftp and allow_http. The services for these policies should be imap, ftp_passthrough and http respectively. The policy list for LAN->tomainoffice should now look like this.
    6. Click Activate and wait...

  • Page 105

    Settings for main office
    1. Set up policies for the new tunnel, Firewall->Policy: click Global policy parameters; disable Allow all VPN traffic: Internal->VPN, VPN->Internal and VPN->VPN; click Apply.
    2. Now it is possible to create policies for the VPN interfaces. Select from tobranchoffice to LAN and ...
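The two configurations described above (global "Allow all VPN traffic" on, versus that switch off and a per-service policy list on the tunnel interface) differ only in what the policy engine does with an unmatched flow. The following is an added model of that decision, not DFL-1100 firmware code: the interface names (lan, tomainoffice), the service port definitions, the sample flows and the assumption that rules are evaluated first-match-wins with a default drop are all mine, chosen to mirror the manual's example.

```python
"""Policy decision model for the LAN-to-LAN tunnel rules in this section.

Added illustration, not DFL-1100 firmware code. Interface names, service
definitions and sample flows are assumptions mirroring the manual's example:
the first matching rule in the (source interface -> destination interface)
policy list wins, an unmatched flow is dropped, and the global 'Allow all
VPN traffic' switch bypasses the lists for Internal->VPN, VPN->Internal and
VPN->VPN pairs.
"""
from dataclasses import dataclass, field

# Assumed service table standing in for the firewall's built-in services.
SERVICES = {
    "pop3": ("tcp", 110),
    "imap": ("tcp", 143),
    "ftp_passthrough": ("tcp", 21),  # FTP control channel; the ALG itself is not modelled
    "http": ("tcp", 80),
}


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "drop"
    service: str           # key into SERVICES
    schedule: str = "always"


@dataclass
class Flow:
    src_iface: str
    dst_iface: str
    proto: str
    dport: int


@dataclass
class Firewall:
    internal_ifaces: frozenset
    vpn_ifaces: frozenset
    allow_all_vpn: bool
    policies: dict = field(default_factory=dict)   # (src_iface, dst_iface) -> [Rule]

    def _vpn_pair(self, src, dst):
        """True for the interface pairs the global switch applies to."""
        inner, vpn = self.internal_ifaces, self.vpn_ifaces
        return ((src in inner and dst in vpn) or (src in vpn and dst in inner)
                or (src in vpn and dst in vpn))

    def decide(self, flow):
        """Return (action, reason) for a flow using first-match evaluation."""
        if self.allow_all_vpn and self._vpn_pair(flow.src_iface, flow.dst_iface):
            return "allow", "global: allow all VPN traffic"
        for rule in self.policies.get((flow.src_iface, flow.dst_iface), []):
            if rule.schedule != "always":
                continue                       # schedules are assumed always-on here
            if SERVICES.get(rule.service) == (flow.proto, flow.dport):
                return rule.action, rule.name
        return "drop", "default: no matching rule"


def branch_office(allow_all_vpn):
    """Branch office firewall carrying the four rules from steps 4 and 5."""
    fw = Firewall(frozenset({"lan", "dmz"}), frozenset({"tomainoffice"}), allow_all_vpn)
    fw.policies[("lan", "tomainoffice")] = [
        Rule("allow_pop3", "allow", "pop3"),
        Rule("allow_imap", "allow", "imap"),
        Rule("allow_ftp", "allow", "ftp_passthrough"),
        Rule("allow_http", "allow", "http"),
    ]
    return fw


# Constructed sample flows into and out of the tunnel.
SAMPLE_FLOWS = {
    "pop3": Flow("lan", "tomainoffice", "tcp", 110),
    "http": Flow("lan", "tomainoffice", "tcp", 80),
    "smb": Flow("lan", "tomainoffice", "tcp", 445),            # not in the rule set
    "ssh_from_tunnel": Flow("tomainoffice", "lan", "tcp", 22),  # no VPN->LAN list exists
}


def evaluate(allow_all_vpn):
    """Map each sample flow label to the action the branch office firewall takes."""
    fw = branch_office(allow_all_vpn)
    return {label: fw.decide(flow)[0] for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("allow all VPN traffic =", mode, "->", evaluate(mode))
```

With the global switch on, every sample flow is allowed, including SMB into the tunnel and SSH out of it, which is exactly what the explicit list is meant to stop; with it off, only the four named services pass and the remote side gets no inbound path at all until a matching tobranchoffice->LAN list is created on the main office firewall.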

  • Page 106

    Windows XP client and PPTP server
    Settings for the Windows XP client
    1. Open the Control Panel (Start button -> Control Panel).
    2. If you are using the Category view, click on the Network and Internet Connections icon. Then click Create a connection to the network at your workplace and continue ...

  • Page 107

    5. Select Connect to the network at my workplace and click Next.

  • Page 108

    6. Select Virtual Private Network connection and click Next.

  • Page 109

    7. Name the connection mainoffice and click Next.

  • Page 110

    8. Select Do not dial the initial connection and click Next.

  • Page 111

    9. Type the IP address of the server, 194.0.2.20, and click Next.
    10. Click Finish.

  • Page 112

    11. Type user name homeuser and password 1234567890 (note: use a password that is hard to guess).
    12. Click Properties.

  • Page 113

    13. Select the Networking tab and change Type of VPN to PPTP VPN. Click OK. All settings needed for the XP client are now complete. Once the server has been configured on the firewall, you should be able to click Connect to establish the connection to the main office.
    Settings for main office
    1. Set up...

  • Page 114

    2. Set up the PPTP server, Firewall->VPN: under L2TP / PPTP server click Add new PPTP server; name the server pptpserver; leave Outer IP and Inner IP blank; set Client IP pool to 192.168.1.100 – 192.168.1.199; check Proxy ARP dynamically added routes; check Use unit's own DNS relayer addresses; leave WINS ...

  • Page 115

    This example will allow all traffic from the client to the main office network. To get a more secure solution, read the Settings for main office part of the A more secure LAN-to-LAN VPN solution section. Note also that PPTP's MPPE session keys are derived from the MS-CHAPv2 exchange, whose weaknesses are well documented, so the L2TP/IPsec setup in the next section is the better choice where the client supports it.

  • Page 116

    Windows XP client and L2TP server
    The Windows XP client to L2TP server setup is quite similar to the PPTP setup above.
    Settings for the Windows XP client
    To set up an L2TP connection from Windows XP to the main office firewall, please follow the steps in the PPTP guide above for the client side. T...

  • Page 117

    2. Select the Security tab and click IPSec Settings.
    3. Check Use pre-shared key for authentication, type the key and click OK.

  • Page 118

    Settings for main office
    1. Set up interfaces, System->Interfaces: WAN IP: 194.0.2.20; LAN IP: 192.168.1.1, subnet mask: 255.255.255.0.
    2. Set up the L2TP server, Firewall->VPN: under L2TP / PPTP server click Add new L2TP server; name the server l2tpserver; leave Outer IP and Inner IP blank; set Client IP ...

  • Page 119

    5. Add a new user, Firewall->Users: under Users in local database click Add new; name the new user homeuser; enter password: 1234567890; retype password: 1234567890; leave Static client IP empty (could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the L2TP server settings are us...

  • Page 120

    Intrusion detection and prevention
    Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are using a port mapping; the policy setup is quite similar. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are conn...

  • Page 121

    2. Set up the newly created port mapping: name the rule map_www; select service http-in-all; enter Pass to IP: 192.168.2.5 (the IP of the web server); check the Intrusion detection / prevention option; select mode Prevention; enable e-mail alerting by checking the Alerting box; click Apply.

  • Page 122

    The new mapping is now in the list.
    3. Set up the e-mail server and enable alerting, System->Logging: check Enable e-mail alerting for IDS/IDP events; select sensitivity Normal; enter SMTP server IP (e-mail server): 192.168.2.4; enter sender: idsalert@examplecompany.com; enter e-mail address 1: webmaster@e...

  • Page 123: Appendixes

    Appendixes
    Appendix A: ICMP types and codes
    The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields.
    Type | Name | Code | Description | Reference
    0 | Echo Reply | 0 | ...

  • Page 124

    Type | Name | Code | Description | Reference
    5 (cont.) | Redirect | 1 | Redirect datagram for the host | RFC792
    5 (cont.) | Redirect | 2 | Redirect datagram for the type of service and network | RFC792
    5 (cont.) | Redirect | 3 | Redirect datagram for the type of service and host | RFC792
    8 | Echo | 0 | No code | RFC792
    9 | Router Advertisement | 0 | Normal router advertisement | RFC1256
    9 | Router Advertisement | 16 | Does not route common traffic | RFC2002
    10 | Rout...

  • Page 125

    Appendix B: Common IP protocol numbers
    These are some of the more common IP protocols. For a list of all protocols, follow the link after the table.
    Decimal | Keyword | Description | Reference
    1 | ICMP | Internet Control Message | RFC792
    2 | IGMP | Internet Group Management | RFC1112
    3 | GGP | Gateway-to-Gateway | RFC823
    4...
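The two tables in Appendix A and B are what a packet decoder consults after reading the IPv4 protocol field and, for protocol 1, the first two bytes of the ICMP message. The following added example (mine, not from the manual or D-Link) applies a subset of both tables to a constructed IPv4/ICMP packet, validates the RFC 1071 checksums at both layers, and shows that a corrupted ICMP body is rejected even though the IP header checksum still verifies. The table subsets, the packet builder and the sample addresses are assumptions.

```python
"""Decode the IP protocol number and ICMP type/code of a raw packet.

Added example, not from the manual or D-Link. Header layouts and the
checksum follow RFC 791/792/1071; the table subsets, the builder and the
sample addresses are assumptions made for the demonstration.
"""
import struct
from ipaddress import ip_address

# Appendix B subset: protocol number -> (keyword, reference).
IP_PROTOCOLS = {
    1: ("ICMP", "RFC792"), 2: ("IGMP", "RFC1112"), 3: ("GGP", "RFC823"),
    6: ("TCP", "RFC793"), 17: ("UDP", "RFC768"), 47: ("GRE", "RFC2784"),
    50: ("ESP", "RFC4303"), 51: ("AH", "RFC4302"),
}

# Appendix A subset: type -> (name, {code: description}).
ICMP_TYPES = {
    0: ("Echo Reply", {0: "No code"}),
    3: ("Destination Unreachable", {0: "Net unreachable", 1: "Host unreachable",
        2: "Protocol unreachable", 3: "Port unreachable",
        4: "Fragmentation needed and DF set", 5: "Source route failed"}),
    5: ("Redirect", {0: "Redirect datagram for the network",
        1: "Redirect datagram for the host",
        2: "Redirect datagram for the type of service and network",
        3: "Redirect datagram for the type of service and host"}),
    8: ("Echo", {0: "No code"}),
    9: ("Router Advertisement", {0: "Normal router advertisement",
        16: "Does not route common traffic"}),
    10: ("Router Solicitation", {0: "No code"}),
    11: ("Time Exceeded", {0: "TTL exceeded in transit",
         1: "Fragment reassembly time exceeded"}),
}


def internet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"                     # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Return the IPv4 header fields plus the payload delimited by IHL and total length."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _cs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    keyword, ref = IP_PROTOCOLS.get(proto, ("other", ""))
    return {"ttl": ttl, "protocol": proto, "protocol_name": keyword, "reference": ref,
            "src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "header_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def parse_icmp(data):
    """Classify an ICMP message by type and code and verify its checksum."""
    if len(data) < 4:
        raise ValueError("short ICMP header")
    itype, code, _cs = struct.unpack("!BBH", data[:4])
    name, codes = ICMP_TYPES.get(itype, ("unknown type", {}))
    return {"type": itype, "type_name": name, "code": code,
            "code_desc": codes.get(code, "unknown code"),
            "checksum_ok": internet_checksum(data) == 0}


def describe(pkt):
    """Decode the IP layer and, for protocol 1, the ICMP layer of a raw packet."""
    ip = parse_ipv4(pkt)
    icmp = parse_icmp(ip["payload"]) if ip["protocol"] == 1 else None
    return {"ip": ip, "icmp": icmp}


def build_ipv4_icmp(src, dst, itype, code, body=b"", ttl=64):
    """Construct a minimal IPv4/ICMP packet (no IP options) for exercising the parsers."""
    icmp = struct.pack("!BBH", itype, code, 0) + body
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      ttl, 1, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    # Constructed sample: echo request from the Appendix web server to the main office WAN address.
    pkt = build_ipv4_icmp("192.168.2.5", "194.0.2.20", 8, 0, b"\x00\x01\x00\x01abc")
    print(describe(pkt))
```

The odd-length echo body is deliberate: it exercises the zero-byte padding rule of the checksum, which is a common source of off-by-one bugs in hand-written decoders.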

  • Page 126

    Appendix C: Multiple public IP addresses
    Mapping of a public IP address other than that of the firewall to a server located on either internal interface can be accomplished in two basic steps (order does not matter): add a port mapping/virtual server rule that forwards specified services to a si...

  • Page 127

    To accomplish this we need to create the following firewall settings:
    - configure two static routes (one for each public IP we wish to forward)
    - create two port mappings (one for each public IP mapping to each private server)
    Routing configuration:
    Static route configuration for a server on the LAN...

  • Page 128

    Static route configuration for a server on the DMZ: navigate to the System tab, then the Routing page of the web-based configuration. Select the Add new link to create the second static route. Select the interface that the internal server is connected to (LAN or DMZ). Specify the public IP to be...

  • Page 129

    Configure port mapping/virtual server rules for the LAN server:
    Virtual server configuration for a server on the LAN: navigate to the Firewall tab, Port mapping page of the web-based configuration. Click the Add new link to create a new port mapping. Input the public IP address to be forwarded in the De...

  • Page 130

    Virtual server configuration for a server on the DMZ: navigate to the Firewall tab, Port mapping page of the web-based configuration. Click the Add new link to create a new port mapping. Input the public IP address to be forwarded in the Destination IP field. Select the service to be forwarded t...

  • Page 131

    Example scenario using DMZ without NAT: an alternative method to that described in the preceding pages is to isolate publicly accessible servers on the DMZ interface with NAT disabled. This configuration requires multiple (at least 2) public IP addresses to function, as the firewall will assume one IP...

  • Page 132

    The default WAN route must be modified to enable proxy ARP. The default route for any interface cannot be deleted or modified other than to enable the proxy ARP feature. From the System > Routing page select WAN to edit the default route of the WAN interface. Enable the proxy ARP feature by chec...

  • Page 133

    Disable NAT on the DMZ interface: by default the DFL-1100 is enabled to perform NAT on both the LAN and DMZ interfaces. Disable NAT on the DMZ interface. Navigate to Firewall > Policy in the web-based configuration. Click on DMZ->WAN to modify the behavior of the DMZ interface. Select the No NAT – requi...

  • Page 134

    Appendix D: HTTP content filtering
    HTTP content filtering global policy
    Protection from malicious or improper web content is a must for business owners and concerned parents alike. There are numerous vehicles for hackers to damage or take control of one's PC or even network. Malicious code may b...

  • Page 135

    The whitelist
    Items entered in the whitelist will always be allowed through the firewall, assuming HTTP content filtering is enabled. This section should only be used to allow essential domains and servers, such as microsoft.com and dlink.com, to ensure the ability to locate and download critical upd...

  • Page 136

    Navigate to the Firewall tab, Content Filtering section of the web administration. Click on Edit URL white list to modify or append the contents of the filtering database. To allow an entire domain and all sub-domains use the following syntax:
    dlink.com/*    # allows access to the domain dlink.com
    *...

  • Page 137

    Navigate to the Firewall tab, Content Filtering section of the web administration. Click on Edit URL black list to modify or append the contents of the filtering database. To block an entire domain and all sub-domains use the following syntax:
    casino.com/*    # blocks access to the domain casino.com
    *.c...
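The whitelist and blacklist pages above share one pattern syntax (host/path with `*` as a wildcard, where `domain.com/*` covers the bare host and a separate `*.domain.com/*` entry is needed for its sub-domains) and one precedence rule: a whitelist hit is always allowed, whatever the blacklist says. The following added matcher (mine, not D-Link's implementation) demonstrates both, and also normalises the URL first so that an upper-case host, an explicit port, or a `user@` prefix cannot be used to slip past a pattern. The list contents and the path-scoped `example.net/downloads/*` entry are constructed for the example; the manual itself only shows the dlink.com and casino.com forms.

```python
"""URL whitelist/blacklist matcher in the style of the DFL-1100 content filter.

Added example, not D-Link's implementation. Assumed pattern syntax: a
'host/path' string in which '*' is a wildcard; 'domain.com/*' covers that
host only and '*.domain.com/*' covers its sub-domains. Whitelist entries
are checked before blacklist entries because the manual states that
whitelisted items are always allowed.
"""
import re
from urllib.parse import urlsplit

# Constructed lists; the manual's own examples are dlink.com and casino.com.
WHITELIST = ["microsoft.com/*", "*.microsoft.com/*", "dlink.com/*", "*.dlink.com/*"]
BLACKLIST = ["casino.com/*", "*.casino.com/*",
             "example.net/downloads/*"]       # assumed path-scoped entry, not from the manual


def compile_pattern(pattern):
    """Turn 'host/path' with '*' wildcards into an anchored, case-insensitive regex."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def normalize(url):
    """Reduce a URL to 'host/path?query' so scheme, port, case or userinfo cannot dodge a pattern."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname          # drops 'user@' and ':port', lower-cases the host
    if not host:
        raise ValueError("URL has no host: %r" % url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host + path


def decide(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return (action, matched_pattern): whitelist first, then blacklist, else allow."""
    target = normalize(url)
    for pattern in whitelist:
        if compile_pattern(pattern).match(target):
            return "allow", pattern
    for pattern in blacklist:
        if compile_pattern(pattern).match(target):
            return "block", pattern
    return "allow", None


if __name__ == "__main__":
    for u in ("http://www.dlink.com/support/", "http://casino.com/",
              "HTTP://WWW.CASINO.COM:8080/lobby", "http://dlink.com@www.casino.com/",
              "http://notcasino.com/", "http://example.net/downloads/setup.exe"):
        print(u, "->", decide(u))
```

Two behaviours worth noticing when writing the lists: `*.casino.com/*` does not match `casino.com/` itself, which is why the manual lists both forms, and because a whitelist hit wins outright, a whitelisted host that hosts an open redirect will carry any URL in its query string past the filter, which is the reason the manual restricts the whitelist to a few essential update domains.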

  • Page 138

    Navigate to the Firewall tab, Content Filtering section of the web administration. Click the check box next to each filter you would like to enable. Once finished selecting additional filters, click Apply to save changes or Cancel to clear.
    HTTP rule using the HTTP ALG
    Now that the content to be...

  • Page 139

    Check the check box next to Delete this rule. Click Apply.
    To allow DNS queries to pass through, navigate to the Firewall tab, Policy section of the web administration. Select the appropriate policy based on the desired effect (LAN->WAN or DMZ->WAN). Click Add new at the bottom of the list. Give the rule...

  • Page 140

    To configure the HTTP content filtering rule, navigate to the Firewall tab, Policy section of the web administration. Select the appropriate policy based on the desired effect (LAN->WAN or DMZ->WAN). Click Add new at the bottom of the list. Give the rule a friendly name, such as http_cntnt_filtr. P...

  • Page 141: Warranty

    Warranty
    Subject to the terms and conditions set forth herein, D-Link Systems, Inc. ("D-Link") provides this limited warranty for its product only to the person or entity that originally purchased the product from: D-Link or its authorized reseller or distributor, and products purchased and delivered...

  • Page 142

    Submitting a claim: the customer shall return the product to the original purchase point based on its return policy. In case the return policy period has expired and the product is within warranty, the customer shall submit a claim to D-Link as outlined below: the customer must submit with the p...

  • Page 143

    Limitation of liability: to the maximum extent permitted by law, D-Link is not liable under any contract, negligence, strict liability or other legal or equitable theory for any loss of use of the product, inconvenience or damages of any character, whether direct, special, incidental or consequentia...

  • Page 144

    Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. For detailed warran...