D-Link DFL-1500 User Manual - Chapter 2

Manual is about: D-Link DFL-900; DFL-1500 VPN/Firewall Router

Summary of DFL-1500

  • Page 1

    D-link dfl-900/1500 vpn/firewall router user manual d-link building networks for people.

  • Page 2

    ii © Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prio...

  • Page 3: Table of Contents

    i Table of contents. Part I Overview, page 2. About this user manual ...

  • Page 4

    ii 4.4.2 DDNS setting, page 47. 4.4.3 DNS proxy setting ...

  • Page 5

    iii 8.4.2 Add a policy routing entry, page 78. 8.5 The priority of the routing ...

  • Page 6

    iv 14.3 Methods, page 127. 14.4 Steps ...

  • Page 7

    v 21.3 Methods, page 186. 21.4 Steps ...

  • Page 8

    vi 28.4 Steps, page 227. 28.4.1 System logs ...

  • Page 10

    Part i overview d-link 2 part i overview.

  • Page 11: About This User Manual

    Dfl-900/1500 user manual chapter 1 3 about this user manual this user manual provides information about installing and configuring your dfl-900/1500 vpn/firewall router using its built-in web browser interface (wbi) and command line interface (cli). This guide is primarily for network and security p...

  • Page 12: What

    Part i overview d-link 4 what's new in version 2.004? This section describes the enhancements that were made to dfl-900/1500 as compared to the previous version. It includes changes to the way that the dfl-900/1500 operates, some of which are reflected by changes to the wbi and others that were mad...

  • Page 13: Chapter 1

    Dfl-900/1500 user manual chapter 1 quick start 5 chapter 1 quick start this chapter introduces how to quick setup the dfl-900/1500. Dfl-900/1500 vpn/firewall router is an integrated all-in-one solution that can facilitate the maximum security and the best resource utilization for the enterprises. It...

  • Page 14

    Part i overview d-link 6 figure 1-2 all items in the dfl-1500 package. 1.2 hardware feature (dfl-900 / dfl-1500). Chassis dimensions: dfl-900: rack mount 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (8'' x 5.75'' x 10''); dfl-1500: rack mount 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (8'' x 5.75'' x 10''). Look & feel: d-link ...

  • Page 15

    Dfl-900/1500 user manual chapter 1 quick start 7 lan port: 1 port for connecting inbound lan; rj-45 connector; ieee 802.3 compliance; ieee 802.3u compliance; support half/full-duplex operations; support backpressure at half-duplex operation; ieee 802.3x flow control support for full-duplex m...

  • Page 16

    Part i overview d-link 8 safety approval: dfl-900: ul, csa, tuv/gs, t-mark; dfl-1500: ul, csa, tuv/gs, t-mark. Table 1-1 dfl-900/1500 hardware. 1.3 software specifications (product: dfl vpn/firewall router; model: dfl-900 / dfl-1500). Features: basic setup wizard ✓/✓; transparent mode ✓/✓; wan1 ip ✓ (no default wan link)/✓; wan2 ip ✗/✓; wan...

  • Page 17

    Dfl-900/1500 user manual chapter 1 quick start 9 (dfl-900 / dfl-1500): firewall rule ✓/✓; firewall anti-dos ✓/✓; web filter ✓/✓; mail filter ✓/✓; content filters: ftp filter ✓/✓; ids: ids ✓/✓; bandwidth management: edit actions ✓/✓; ip/mac binding: binding ✓/✓, allow range ✓/✓; high availability: high availability ✗/✓; system tools ✓/✓...

  • Page 18

    Part i overview d-link 10 (dfl-900 / dfl-1500): mail logs ✓/✓; system access logs ✓/✓; firewall logs ✓/✓; system logs: anti-dos logs ✓/✓; ids logs: ids logs ✓/✓; web filter logs ✓/✓; mail filter logs ✓/✓; content filter logs: ftp filter logs ✓/✓; ipsec logs - ike ✓/✓; ipsec logs - manual key ✓/✓; pptp logs - server ✓/✓; pptp logs - cl...

  • Page 19

    Dfl-900/1500 user manual chapter 1 quick start 11 here we would like to replace the original ip sharer with the dfl-900/1500, as in figure 1-4. To have the dfl-900/1500 replace the ip sharer, simply execute the following five steps as figure 1-5 shows. By these steps, we hope ...

  • Page 20

    Part i overview d-link 12 step 4. Nat: configure the connection of lan to wan direction. It will make all the client pc access the internet through dfl-900/1500. For more information, please refer to section 1.8.1. Step 5. Virtual server: if there is any server located inside the dfl-900/1500. You m...

  • Page 21

    Dfl-900/1500 user manual chapter 1 quick start 13 figure 1-8 front end of the dfl-900 figure 1-9 front end of the dfl-1500 1.6 default settings and architecture of dfl-900/1500 you should have an internet account already set up and have been given most of the following information as table 1-3. Fill...

  • Page 22

    Part i overview d-link 14 gateway ip ____.____.____.____ ____.____.____.____ primary dns ____.____.____.____ ____.____.____.____ secondary dns ____.____.____.____ ____.____.____.____ pppoe username ____.____.____.____ ____.____.____.____ pppoe pppoe password ____.____.____.____ ____.____.____.____ d...

  • Page 23

    Dfl-900/1500 user manual chapter 1 quick start 15 figure 1-10 the default settings of dfl-1500. Figure 1-10 above shows the default topology of the dfl-1500. You can configure the dfl-1500 by connecting to the lan1_ip (192.168.1.254) from the pc1_1 (192.168.1....

  • Page 24

    Part i overview d-link 16 step 1. Login type “admin” in the account field, “admin” in the password field and click login. Note: please do not access web ui through proxy, or the login may be locked by others or the original user. Connect to https://192.168.1.254 step 2. Run setup wizard click the ru...

  • Page 25

    Dfl-900/1500 user manual chapter 1 quick start 17 transparent mode transparent mode provides the same basic protection as nat mode. Packets received by the dfl-900/1500 are intelligently forwarded or blocked according to firewall rules. The dfl-900/1500 can be inserted in your network at any point w...

  • Page 26

    Part i overview d-link 18 step 5.B — fixed ip if fixed ip address is selected, enter the isp-given ip address, subnet mask, gateway ip , primary dns and secondary dns ip. Click next to proceed. Basic setup > wizard > next > fixed ip step 5.C — pppoe client if ppp over ethernet is selected, enter the...

  • Page 27

    Dfl-900/1500 user manual chapter 1 quick start 19 step 6. System status here we select fixed ip method in wan1 port. Then the dfl-1500 provides a short summary of the system. Please check if anything mentioned above is properly set into the system. Click finish to close the wizard. Basic setup > wiz...

  • Page 28

    Part i overview d-link 20 step 1. Device ip address setup the ip address and ip subnet mask for the dfl-1500. Step 2. Client ip range enable the dhcp server if you want to use dfl-1500 to lease ip addresses to lan pcs. Specify the pool starting address, pool size , primary dns, and secondary dns tha...

  • Page 29

    Dfl-900/1500 user manual chapter 1 quick start 21 1.8.2 wan1-to-dmz1 connectivity this section tells you how to provide an ftp service with a server installed under your dmz1 to the public internet users. After following the steps, users at the wan side can connect to the ftp server at the dmz1 side...

  • Page 30

    Part i overview d-link 22 step 6. Setup ip for the ftp server: assign an ip of 10.1.1.5/255.255.255.0 to the ftp server under dmz1. Assume the ftp server is at 10.1.1.5 and is listening on the well-known port (21). N/a step 7. Setup server rules: insert a virtual server rule by clicking the insert...

  • Page 31

    Dfl-900/1500 user manual chapter 1 quick start 23 warning message: after applying the virtual server rule, two messages will appear as in the above diagrams. The purpose of these two message boxes is to remind you to add firewall/nat rules manually while you add a virtual server rule for...

  • Page 32

    Part i overview d-link 24 figure 1-11 dfl-1500 transparent mode connections basically, transparent mode provides the same firewall protection as nat mode. Packets received by the dfl-1500 are intelligently forwarded or blocked according to the firewall rules. However, some advanced firewall features...

  • Page 33: Chapter 2

    Dfl-900/1500 user manual chapter 2 system overview 25 chapter 2 system overview in this chapter, we will introduce the network topology for use with later chapters. 2.1 typical example topology in this chapter, we introduce a typical network topology for the dfl-1500. In figure 2-1, the left half si...

  • Page 34

    Part i overview d-link 26 1. Part ii basic configuration how to configure the wan/dmz/lan port settings and user authentication. 2. Part iii nat & routing introducing the nat, routing, firewall features. 3. Part v virtual private network if you need to build a secure channel with your branch office,...

  • Page 35

    Dfl-900/1500 user manual chapter 2 system overview 27 step 2. Setup lan1 ip information enter the ip address and ip subnet mask with 192.168.40.254 / 255.255.255.0 and click apply . Warning: after you apply the changed settings, the network will be disconnected instantly since the network ip address...

  • Page 36

    Part i overview d-link 28 2.3 the design principle 2.3.1 web gui design principle figure 2-2 you can select the functional area by the sequence in web gui if we want to configure dfl-1500, we can follow the sequence as the figure 2-2 illustrated. Step1. Select main-function step2. Select sub-functio...

  • Page 37

    Dfl-900/1500 user manual chapter 2 system overview 29 2.3.2 rule principle figure 2-3 the rule configuration is divided into three parts you may find many rules configuration in the dfl-1500. They are distributed in the respective feature. These rules include 1. Nat rule 2. Virtual server rule 3. Fi...

  • Page 38

    Part i overview d-link 30 figure 2-4 the rules in the page of the rule edition are also divided into three parts.

  • Page 40

    Part ii basic configuration d-link 32 part ii basic configuration.

  • Page 42: Chapter 3

    Part ii basic configuration d-link 34 chapter 3 basic setup in this chapter, we will introduce how to setup network settings for each port separately 3.1 demands 1. For the external network, suppose your company uses dsl to connect internet via fixed-ip. By this way, you should setup wan port of the...

  • Page 43

    Dfl-900/1500 user manual chapter 3 basic setup 35 ip address assignment field description range / format example default wan link (gateway/dns) when default wan link is enabled. All the packets sent out from dfl-1500 will be via this port. Enable/disable enabled get dns automatically / dns ip addres...

  • Page 44

    Part ii basic configuration d-link 36 get dns automatically / dns ip address: get dns automatically → get dns related information from the pppoe isp; dns ip address → manually specify the primary and secondary dns server information. get dns automatically / dns ip address get dns automatically disconnect...

  • Page 45

    Dfl-900/1500 user manual chapter 3 basic setup 37 ospf area id specify ospf area id number ipv4 format or digit string (max 9 bits) n/a table 3-2 configure dmz network settings step 2. Setup lan port here we are going to configure the lan1 settings. Setup ip address and ip subnet mask, and determine...

  • Page 46

    Part ii basic configuration d-link 38 what is the difference between lan and dmz area in the dfl-1500? Area feature: lan / dmz. Usage method: placing the client pcs / placing the server pcs. Firewall rule: lan to dmz default is forward; dmz to lan default is block. Authentication: have restriction / no restri...

  • Page 47

    Dfl-900/1500 user manual chapter 3 basic setup 39 step 4. Edit, delete ip alias record you can easily add, edit, or delete ip alias records by the add, edit, or delete button. Basic setup > wan settings > ip alias field description example prev. Page if there are more than one ip alias pages, you ca...

  • Page 49: Chapter 4

    Dfl-900/1500 user manual chapter 4 system tools 41 chapter 4 system tools this chapter introduces system management and explains how to implement it. 4.1 demands 1. Basic configurations for domain name, password, system time, timeout and services. 2. Ddns: suppose the dfl-1500’s wan uses dynamic ip ...

  • Page 50

    Part ii basic configuration d-link 42 figure 4-1 ddns mechanism chart 3. Dns proxy: after activating the dns proxy mode, the client can set its dns server to the dfl-1500 (that is, send the dns requests to the dfl-1500). The dfl-1500 will then make the enquiry to the dns server and return the result...

  • Page 51

    Dfl-900/1500 user manual chapter 4 system tools 43 request from the preconfigured port (lan1) to the real dhcp server (10.1.1.4). Besides, in this diagram, we can find that the pc of dmz region communicated with the dhcp server directly. Figure 4-3 dhcp relay mechanism chart 5. As the following figu...

  • Page 52

    Part ii basic configuration d-link 44 figure 4-4 it is efficient to use snmp manager to monitor dfl-1500 device 6. We can adjust the dfl-1500 interface in the system tools > admin settings > interface in according to our preference and requirement (3 wan, 1 dmz, 1 lan). As the following figure 4-5 d...

  • Page 53

    Dfl-900/1500 user manual chapter 4 system tools 45 4.4 steps 4.4.1 general settings step 1. General setup enter the host name as dfl-1, domain name as the domain name of your company. Click apply . System tools > admin settings > general field description example host name the host name of the dfl-1...

  • Page 54

    Part ii basic configuration d-link 46 step 3. Setup time/date select the time zone where you are located. Enter the nearest ntp time server in the ntp time server address . Note that your dns must be set if the entered address requires domain name lookup. You can also enter an ip address instead. Ch...

  • Page 55

    Dfl-900/1500 user manual chapter 4 system tools 47 4.4.2 ddns setting step 1. Setup ddns if the ip address of the dfl-1500 wan port is dynamically allocated, you may want to have the dynamic dns mechanism make your partner always use the same domain name (like xxx.Com) to connect to you. Select a wan int...

  • Page 56

    Part ii basic configuration d-link 48 4.4.3 dns proxy setting step 1. Setup dns proxy check the enable dns proxy and click the apply to store the settings. From now on, your lan/dmz pcs can use dfl-1500 as their dns server, as long as the dns server for dfl-1500 has been set in its wan settings. Sys...

  • Page 57

    Dfl-900/1500 user manual chapter 4 system tools 49 4.4.5 snmp control step 1. Setup snmp control through setting the related information in this page, we can use snmp manager to monitor the system status, network status of dfl-1500. System tools > snmp control field description example enable snmp e...

  • Page 58

    Part ii basic configuration d-link 50 4.4.6 change dfl-1500 interface step 1. Change interface definition the default port settings are 2 wan ports, 1 dmz port and 2 lan ports. But in order to fit our requirement, here we select 3 wan (port1~3), 1 dmz (port4), 1 lan (port5). And then press apply but...

  • Page 59: Chapter 5

    Dfl-900/1500 user manual chapter 5 remote management 51 chapter 5 remote management this chapter introduces remote management and explains how to implement it. 5.1 demands administrators may want to manage the dfl-1500 remotely from any pc in lan_1 with http at port 8080, and from wan_pc with telnet...

  • Page 60

    Part ii basic configuration d-link 52 remote management access methods definition telnet telnet is a protocol for remote computing on the internet. It allows a computer to act as a remote terminal on another machine, anywhere on the internet. This means that when you telnet to a particular host and ...

  • Page 61

    Dfl-900/1500 user manual chapter 5 remote management 53 5.4 steps 5.4.1 telnet step 1. Setup telnet enter 23 instead of the default 2323 in the server port field. Check the wan1 checkbox. Click the selected of secure client ip address , and then enter the specified ip address ( 140.2.5.1 ) for acces...

  • Page 62

    Part ii basic configuration d-link 54 5.4.4 https step 1. Setup https check the wan1/lan1/lan2 checkbox, and enter the new server port 443 that will be accessed by the user's browser (https://192.168.40.254). Here we click all for no ip range limitation of clients. And click the apply button. S...

  • Page 63: Chapter 6

    Dfl-900/1500 user manual chapter 6 authentication 55 chapter 6 authentication this chapter introduces user authentication and explains how to implement it. 6.1 demands dfl-1500 vpn/firewall router supports user authentication against the internal user database, a radius server or a ldap server. You ...

  • Page 64

    Part ii basic configuration d-link 56 step 2. Configure local settings enter the username and password, and then click add to add it to the user's list. If you would like to delete a user, just click that username and then click delete to remove it. Click apply to finish the settings. Basic setup > aut...

  • Page 65

    Dfl-900/1500 user manual chapter 6 authentication 57 server port the port which the data goes into or out of the pop3(s) server. For instance, pop3 service uses port 110 and pop3s service uses port 995. 110 encryption encryption is the process of changing data into a form that can be read only by th...

  • Page 66

    Part ii basic configuration d-link 58 6.3.4 radius setting step 1. Configure radius settings if you have configured radius support and a user is required to authenticate using a radius server, the dfl-1500 then will contact the radius server for authentication. Click authentication type as radius. E...

  • Page 67

    Dfl-900/1500 user manual chapter 6 authentication 59 in openldap: entry1: uid=mary,ou=people,dc=yourcompany,dc=com entry2: uid=jack,ou=people,dc=yourcompany,dc=com base dn: ou=people,dc=yourcompany,dc=com uid: uid. In windows ad (special case): entry1: cn=mary,dc=yourcompany,dc=com entry2: cn=jack,...
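The two directory layouts above differ only in the base DN and the attribute used to name the user (uid for OpenLDAP, cn for the Windows AD case). The following is an added example, not code from the manual or from D-Link, of how a gateway composes the bind DN and the search filter from those three inputs. The device's actual internal behaviour is not documented on this page, so the composition `<attr>=<username>,<base dn>` is an assumption; the escaping follows RFC 4514 (DN values) and RFC 4515 (filter values), which is what stops a username such as `*)(uid=*` from changing the meaning of the query.

```python
import re

# Characters RFC 4514 (section 2.4) requires escaping inside an RDN attribute value.
_RDN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a username for use as an RDN attribute value (RFC 4514 section 2.4)."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    for ch in value:
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIAL or ch == "=":   # escaping '=' is optional but safest
            out.append("\\" + ch)
        else:
            out.append(ch)
    if value[0] in (" ", "#"):                  # a leading space or '#' must be escaped
        out[0] = "\\" + out[0]
    if len(value) > 1 and value[-1] == " ":     # a trailing space must be escaped
        out[-1] = "\\ "
    return "".join(out)


def build_bind_dn(username: str, base_dn: str, uid_attr: str = "uid") -> str:
    """Compose '<uid_attr>=<escaped username>,<base dn>' for the simple bind.

    Assumption (not documented on the page): the device names the entry this way for both the
    OpenLDAP layout (uid_attr='uid', base 'ou=people,...') and the AD case (uid_attr='cn').
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", uid_attr):
        raise ValueError("invalid attribute type")
    if not base_dn:
        raise ValueError("empty base DN")
    return f"{uid_attr}={escape_rdn_value(username)},{base_dn}"


# Characters RFC 4515 requires escaping inside a search-filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def build_search_filter(uid_attr: str, username: str) -> str:
    """Build '(<uid_attr>=<username>)' so that the username cannot inject filter syntax."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in username)
    return f"({uid_attr}={escaped})"


if __name__ == "__main__":
    print(build_bind_dn("mary", "ou=people,dc=yourcompany,dc=com"))
    print(build_bind_dn("jack", "dc=yourcompany,dc=com", "cn"))
    print(build_search_filter("uid", "*)(uid=*"))
```

Whichever attribute the directory uses, the username is the only untrusted input here; escaping it in both the DN and the filter is the part a practitioner should check on any appliance that takes the base DN and attribute name from an admin page.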

  • Page 68

    Part iii nat & routing d-link 60 part iii nat & routing.

  • Page 69: Chapter 7

    Dfl-900/1500 user manual chapter 7 nat 61 chapter 7 nat this chapter introduces nat and explains how to implement it in dfl-1500. To facilitate the explanation on how dfl-1500 implements nat and how to use it, we zoom in the left part of figure 1-10 into figure 7-1. 7.1 demands 1. The number of publ...

  • Page 70

    Part iii nat & routing d-link 62 figure 7-2 internet clients can access the server behind the dfl-1500 7.2 objectives 1. Let pc1_1~pc1_5 connect to the internet. 2. As the figure 7-2 illustrated, the clients will connect to the dfl-1500. Then dfl-1500 will forward the packet to the real server. So f...

  • Page 71

    Dfl-900/1500 user manual chapter 7 nat 63 figure 7-3 dfl-1500 plays the role of virtual server. As figure 7-3 above illustrates, the server 10.1.1.5 provides ftp service, but it is located in the dmz region behind the dfl-1500. The dfl-1500 acts in the virtual server role and redirects the packet...

  • Page 72

    Part iii nat & routing d-link 64 field description range / format example network address translation mode determine what nat type you are using in your network topology. Refer more information in the section 7.5.5. None / basic / full feature basic button description reset nat rules reset nat rules...

  • Page 73

    Dfl-900/1500 user manual chapter 7 nat 65 step 4. Customize nat rules in the full-feature mode, the rules can be further customized. Incoming packets from lan/dmz zones are top-down matched by the nat rules. Namely, nat implements first match. Select the rule item that you want to do with: insert a ...

  • Page 74

    Part iii nat & routing d-link 66 step 5.B — insert a many-to-many rule if your isp has assigned a range of public ip to your company, you can tell the dfl-1500 to translate the private ip addresses into the pool of public ip addresses. The dfl-1500 will use the first public ip until dfl-1500 uses up al...

  • Page 75

    Dfl-900/1500 user manual chapter 7 nat 67 step 2. Client ip range enable the dhcp server if you want to use dfl-1500 to assign ip addresses to the computers under dmz1. Here we make the dhcp feature enabled. Step 3. Apply the changes click apply to save your settings. Step 4. Check nat status the de...

  • Page 76

    Part iii nat & routing d-link 68 step 7. Setup server rules insert a virtual server rule by clicking the insert button. Advanced settings > nat > virtual servers step 8. Customize the rule customize the rule name as the ftpserver. For any packets with its destination ip equaling to the wan1 ip (61.2...

  • Page 77

    Dfl-900/1500 user manual chapter 7 nat 69 redirect to internal server under the subnet which is located the virtual server. Lan / dmz regions dmz1 internal ip the ip address which is actually transferred to the internal dmz ipv4 format 10.1.1.5 action port the port number which is actually transferr...

  • Page 78

    Part iii nat & routing d-link 70 as the above figure 7-4 illustrated, nat many-to-one type means that many local pcs are translated into only one public ip address when the packets are forwarded out through the dfl-1500. Take connection1 for example. Its ip address and port are translated from 192.1...

  • Page 79

    Dfl-900/1500 user manual chapter 7 nat 71 7.5.3 one-to-one type figure 7-6 nat one-to-one type as the above figure 7-6 illustrated, nat one to one type means that each local pc is translated into a unique public ip address when the packets are forwarded out through the dfl-1500. Take connection1 for...

  • Page 80

    Part iii nat & routing d-link 72 192.168.40.1:2933 to 61.2.1.1:2933 in both ways. Accordingly, the source ip address and port of the connection2 are translated from 192.168.40.100:7896 to 61.2.1.2:7896 in both ways. 7.5.5 nat modes & types the following three nat modes are supported by dfl-1500 now ...
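The many-to-one and one-to-one behaviour described in 7.5.2 through 7.5.4, as an added example that is not code from the manual or from D-Link. It models the two translation tables and, more importantly for a firewall, what happens to a packet arriving from the WAN: under many-to-one, a packet whose public port has no table entry is dropped, whereas under one-to-one every port of the public address is statically mapped back to the local host and only the firewall rules stand in the way. Assumptions not stated on the page: the many-to-one table keeps the local source port when it is free and otherwise allocates the lowest unused port from 1024 upward, and address/port pairs are the only state tracked.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class ManyToOneNat:
    """All local hosts share one public IP; the table is keyed by the public port."""

    def __init__(self, public_ip: str, first_free_port: int = 1024):
        self.public_ip = public_ip
        self.first_free_port = first_free_port
        self._out: Dict[Endpoint, int] = {}   # local endpoint -> public port
        self._in: Dict[int, Endpoint] = {}    # public port -> local endpoint

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate a LAN source; the same local endpoint always gets the same mapping."""
        port = self._out.get(src)
        if port is None:
            # Assumption: keep the local port if free, otherwise the lowest unused port.
            port = src.port
            if port in self._in:
                port = self.first_free_port
                while port in self._in:
                    port += 1
            self._out[src] = port
            self._in[port] = src
        return Endpoint(self.public_ip, port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Reverse-translate a WAN packet; None means no state exists and it is dropped."""
        if dst.ip != self.public_ip:
            return None
        return self._in.get(dst.port)


class OneToOneNat:
    """Each local host owns a unique public IP; ports are preserved in both directions."""

    def __init__(self, mapping: Dict[str, str]):
        self._out = dict(mapping)                      # local ip -> public ip
        self._in = {pub: loc for loc, pub in mapping.items()}
        if len(self._in) != len(self._out):
            raise ValueError("each local host needs a distinct public IP")

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        pub = self._out.get(src.ip)
        return None if pub is None else Endpoint(pub, src.port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        # Static: any port on the public address reaches the local host unless a
        # firewall rule blocks it. This is the exposure one-to-one brings.
        loc = self._in.get(dst.ip)
        return None if loc is None else Endpoint(loc, dst.port)


if __name__ == "__main__":
    nat = ManyToOneNat("61.2.1.1")
    print(nat.outbound(Endpoint("192.168.40.1", 2933)))
    print(nat.outbound(Endpoint("192.168.40.100", 2933)))   # port collision -> 1024
    print(nat.inbound(Endpoint("61.2.1.1", 9999)))          # None: unsolicited, dropped
    o2o = OneToOneNat({"192.168.40.1": "61.2.1.1", "192.168.40.100": "61.2.1.2"})
    print(o2o.inbound(Endpoint("61.2.1.2", 22)))            # reaches the host on port 22
```

The practical check this illustrates: after switching a host from many-to-one to one-to-one, verify the firewall rules for its public address, because the NAT table no longer filters unsolicited inbound connections for you.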

  • Page 81: Chapter 8

    Dfl-900/1500 user manual chapter 8 routing 73 chapter 8 routing this chapter introduces how to add static routing and policy routing entries to facilitate the explanation on how dfl-1500 implements routing and how to use it. We zoom in the left part of figure 2-1 into figure 8-1 and increase some de...

  • Page 82

    Part iii nat & routing d-link 74 8.2 objectives 1. We need to let the dfl-1500 know how to forward the packets bound for the financial department (192.168.50.0/24). 2. The network administrator plans to solve the problem by subscribing to a second link (isp2). He hopes that all the packets from the...

  • Page 83

    Dfl-900/1500 user manual chapter 8 routing 75 netmask the destination ip netmask of this static routing entry record. Ipv4 format 255.255.255.0 gateway the default gateway of this static routing entry record. Ipv4 format 192.168.40.253 table 8-1 add a static routing entry step 3. View the result the...

  • Page 84

    Part iii nat & routing d-link 76 8.4.2 add a policy routing entry step 1. Setup the isp2 link we must add an ip alias record to the wan1 port because a new isp link has been applied, so see section 3.4.3 for the full procedure. Here we add an ip alias of wan1 as 210.2.1.1/255.255.255.248. Basic se...

  • Page 85

    Dfl-900/1500 user manual chapter 8 routing 77 field description range / format example activate this rule the policy routing rule is enabled or not. Enabled / disabled enabled status rule name the policy routing rule name. Text string genlmanaroom incoming packets from packets comes from which inter...

  • Page 86

    Part iii nat & routing d-link 78 step 4. View the result after filling data completely, view the policy routing entries which have been set. Advanced settings > routing > policy route step 5. Add a nat rule if you would like to use policy route to accomplish static load balance as figure 8-1 illustr...

  • Page 87

    Dfl-900/1500 user manual chapter 8 routing 79 8.5 the priority of the routing there are many routing choices available according to your requirements. As table 8-3 below indicates, the entry with the smaller priority sequence is evaluated first when the routing policy runs. Priority se...

  • Page 88

    Part iii nat & routing d-link 80 the number on each routing direction indicates the example described in table 8-3 above. Figure 8-2 the routing decision of dfl-1500/dfl-900

  • Page 90

    Part iv firewall & ip/mac binding d-link 82 part iv firewall & ip/mac binding.

  • Page 91: Chapter 9

    Dfl-900/1500 user manual chapter 9 ip/services grouping 83 chapter 9 ip/services grouping this chapter introduces group functions and explains how to edit it. 9.1 demands 1. You hope to group some similar ip addresses to make it easier for editing the firewall rule. 2. You hope to group some similar...

  • Page 92

    Part iv firewall & ip/mac binding d-link 84 field description range / format example define objects on __ select the interface which you are going to define address object. All the interfaces lan1 table 9-1 define the address objects step 2. Insert a new address object enter the address name. Select...

  • Page 93

    Dfl-900/1500 user manual chapter 9 ip/services grouping 85 step 4. Address group settings you can add, edit, and delete all other addresses definition as required. You can also organize related addresses into address group to simplify firewall rule creation. Click the groups hyperlink. Select lan1 t...

  • Page 94

    Part iv firewall & ip/mac binding d-link 86 step 6. View the address group result according to our setting as previous steps, the address group is shown as right diagram. Basic setup > books > address > group.

  • Page 95

    Dfl-900/1500 user manual chapter 9 ip/services grouping 87 9.4.2 setup service step 1. Service settings the dfl-1500 predefined firewall services are listed as right diagram. You can add these services to any firewall rule or you can add a service if you need to create a firewall rule for a service ...

  • Page 96

    Part iv firewall & ip/mac binding d-link 88 step 2. Insert a new service object enter the service name. Select which protocol type (tcp, udp, icmp) used by this service. Specify a source and destination port number range for the service. If this service uses single port, enter the number in the firs...

  • Page 97

    Dfl-900/1500 user manual chapter 9 ip/services grouping 89 field description range / format example group name the service group name. Note that group name should be an alphanumeric value (including dash ‘-‘ and underscore ‘_’), can start with a letter only and, please note, it is case-sensitive! Sp...

  • Page 98

    Part iv firewall & ip/mac binding d-link 90 start time the start time of the schedule object. 24-hour format 08:30 stop time the stop time of the schedule object. 24-hour format 12:00 table 9-7 the field of the schedule object step 3. Add a schedule group as step 2 indicated, you have already create...

  • Page 99: Chapter 10

    Dfl-900/1500 user manual chapter 10 firewall 91 chapter 10 firewall this chapter introduces firewall and explains how to implement it. 10.1 demands 1. Administrators detect that pc1_1 in lan_1 is doing something that may hurt our company and should instantly block his traffic towards the internet. 2...

  • Page 100

    Part iv firewall & ip/mac binding d-link 92 10.4 steps 10.4.1 block internal pc session (lan → wan) step 1. Setup nat check the enable stateful inspection firewall checkbox, and click the apply. Advanced settings > firewall > status field description range / format example enable stateful packet ins...

  • Page 101

    Dfl-900/1500 user manual chapter 10 firewall 93 prev. Page if there are more than one rule pages, you can press prev. Page to back to the previous page. Next page if there are more than one action rules, you can press next page to go to the next page. Move page __ move to the indicated page. Insert ...

  • Page 102

    Part iv firewall & ip/mac binding d-link 94 do not log / log the matched session: if a packet matches the rule condition, log or do not log the matched packet. Log / do not log log forward bandwidth class about this field description, please refer to table 25-6 add a new bandwidth management rule for m...

  • Page 103

    Dfl-900/1500 user manual chapter 10 firewall 95 log message description 6 2004-11-30 10:50:18 192.168.17.173,4161 140.112.1.1,1863 tcp lan2 wan1 block block-msn the firewall log is number 6. At the specified time ( 2004-11-30 10:50:18 ), the firewall blocked the packet which came from source ip addr...
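The log line quoted above has a fixed field order: sequence number, date, time, source ip,port, destination ip,port, protocol, incoming interface, outgoing interface, action and rule name. The following is an added example, not code from the manual or from D-Link, that parses lines in that format and pulls out the two things an operator looks for first: internal hosts repeatedly hitting a block rule (the pc1_1 case from 10.1) and destination ports being probed from the WAN side. The first sample line is the page's own; the other lines are constructed here, and the rule names on them are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the page's log format. Line "6" is the manual's own example; the
# others, including the rule names allow-web and default-deny, are invented for illustration.
SAMPLE_LOG = """\
6 2004-11-30 10:50:18 192.168.17.173,4161 140.112.1.1,1863 tcp lan2 wan1 block block-msn
7 2004-11-30 10:50:19 192.168.17.173,4162 140.112.1.1,1863 tcp lan2 wan1 block block-msn
8 2004-11-30 10:51:02 192.168.17.20,1045 61.2.1.9,80 tcp lan1 wan1 forward allow-web
9 2004-11-30 10:51:40 140.112.5.5,33333 10.1.1.5,22 tcp wan1 dmz1 block default-deny
10 2004-11-30 10:51:41 140.112.5.5,33334 10.1.1.5,23 tcp wan1 dmz1 block default-deny
this line is not a firewall log entry and must be skipped
"""

_LINE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<src_port>\d+) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<dst_port>\d+) "
    r"(?P<proto>[a-z]+) (?P<in_if>\w+) (?P<out_if>\w+) (?P<action>\w+) (?P<rule>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one firewall log line; None for anything that does not match the format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    for key in ("seq", "src_port", "dst_port"):
        ev[key] = int(ev[key])
    return ev


def parse_log(text: str) -> List[Dict[str, object]]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev is not None]


def blocked_sources(events: List[Dict[str, object]], min_hits: int = 2) -> List[Tuple[str, int]]:
    """Source addresses with at least min_hits blocked packets, most active first."""
    counts = Counter(str(ev["src_ip"]) for ev in events if ev["action"] == "block")
    return sorted(((ip, n) for ip, n in counts.items() if n >= min_hits),
                  key=lambda t: (-t[1], t[0]))


def inbound_blocked_ports(events: List[Dict[str, object]], wan_prefix: str = "wan") -> Counter:
    """Destination ports blocked on packets that entered on a WAN interface (what is being probed)."""
    return Counter(int(ev["dst_port"]) for ev in events
                   if ev["action"] == "block" and str(ev["in_if"]).startswith(wan_prefix))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(blocked_sources(events))
    print(inbound_blocked_ports(events))
```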

  • Page 104

    Part iv firewall & ip/mac binding d-link 96 denial of service thresholds: tcp syn flooding: the number of tcp syn packets arriving at the same interface above which further tcp connection attempts are blocked. 800. Udp flooding: the number of udp packets arriving at the same interface above which furthe...

  • Page 105: Chapter 11

    Dfl-900/1500 user manual chapter 11 ip/mac binding 97 chapter 11 ip/mac binding this chapter introduces how to restrict local pc access according to their mac address. 11.1 demands your company would like to protect some servers or users from having their ip address snatched by others, and control the c...

  • Page 106

    Part iv firewall & ip/mac binding d-link 98 button description reset clear all the predefined ip/mac binding rules. Table 11-1 enable ip/mac binding feature step 2. Leave ip/mac binding “allow” state select lan1 as the interface to edit the ip/mac binding rules. Because we do not add current mac add...

  • Page 107

    Dfl-900/1500 user manual chapter 11 ip/mac binding 99 rule type: the ip/mac “binding” type combines an ip address with a mac address to decide whether a packet is passed or blocked by the dfl-1500. The other type, ip/mac “allow range”, depends on the ip range alone to decide whether packets can pass or not....

  • Page 108

    Part iv firewall & ip/mac binding d-link 100 step 6. Change the ip/mac binding to “block” through the previous steps, we have configured two ip/mac rules for allowing passing through dfl-1500. In this step, we will change the ip/mac binding status to “block” to prohibit invalid ip address to pass th...
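The decision the interface makes once the two rule types and the allow/block state from steps 2 through 6 are in place, as an added example that is not code from the manual or from D-Link. A “binding” rule ties one address to one MAC, an “allow range” rule passes any host in the range regardless of MAC, and the interface state decides what happens to hosts that match no rule. Two details are assumptions, because the page does not state them: a bound MAC that shows up with a different address is blocked (it is the mirror image of the address hijack the chapter is about), and binding rules are consulted before ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class BindingRule:
    """ip/mac 'binding': the address may only be used by this MAC."""
    ip: str
    mac: str


@dataclass(frozen=True)
class AllowRangeRule:
    """ip/mac 'allow range': any host in [start, end] may pass, whatever its MAC."""
    start: str
    end: str


Rule = Union[BindingRule, AllowRangeRule]


def _mac(mac: str) -> str:
    """Normalise 00-11-22-33-44-55 / 00:11:22:33:44:55 to one lower-case form."""
    return mac.lower().replace("-", ":")


def ip_mac_check(src_ip: str, src_mac: str, rules: List[Rule], unlisted: str = "allow") -> bool:
    """Return True if a packet from (src_ip, src_mac) may pass the interface.

    `unlisted` is the interface state from the page: "allow" passes hosts that match no
    rule, "block" drops them.
    """
    if unlisted not in ("allow", "block"):
        raise ValueError("unlisted must be 'allow' or 'block'")
    addr = ipaddress.ip_address(src_ip)
    mac = _mac(src_mac)

    bound_macs = set()
    for rule in rules:
        if isinstance(rule, BindingRule):
            bound_macs.add(_mac(rule.mac))
            if ipaddress.ip_address(rule.ip) == addr:
                # The address is bound to exactly one MAC; any other MAC is a hijack.
                return _mac(rule.mac) == mac
    if mac in bound_macs:
        # Assumption: a MAC bound to some address may not use a different address.
        return False
    for rule in rules:
        if isinstance(rule, AllowRangeRule):
            if ipaddress.ip_address(rule.start) <= addr <= ipaddress.ip_address(rule.end):
                return True
    return unlisted == "allow"


if __name__ == "__main__":
    rules = [BindingRule("192.168.40.1", "00:11:22:33:44:55"),
             AllowRangeRule("192.168.40.100", "192.168.40.199")]
    print(ip_mac_check("192.168.40.1", "de:ad:be:ef:00:01", rules, "block"))   # False: hijack
    print(ip_mac_check("192.168.40.150", "de:ad:be:ef:00:01", rules, "block"))  # True: in range
    print(ip_mac_check("192.168.40.50", "de:ad:be:ef:00:01", rules, "block"))   # False: unlisted
```

Note the order the page itself follows: leave the state on “allow” while the bindings are entered (step 2), confirm each host still passes, and only then switch to “block” (step 6); with the state on “block” first, any host you forgot to list loses connectivity immediately.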

  • Page 109

    Dfl-900/1500 user manual chapter 11 ip/mac binding 101 part v virtual private network.

  • Page 110: Chapter 12

    Chapter 12 VPN Technical Introduction. This chapter introduces VPN-related technology. 12.1 VPN Benefit: If you choose to implement VPN technology in your enterprise, it may bring the following benefits to your company. 1. Authentication: ensure the data re...

  • Page 111

    12.2.5 Key Management: Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. • IKE Phases: There are two phases to every IKE (Internet Key Exchange) negotiation – Phase ...

  • Page 112

    1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. • Perfect Forward Secrecy (PFS) en...

  • Page 113

    An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted. 12.3 Make VPN Packets Pass Through the DFL-1500. Figure 12-1 Enable the pass-through feature of ...

  • Page 114

    Step 1. Enable IPSec: If we need to set up the DFL-1500 between existing IPSec / PPTP / L2TP connections, we need to open up the blocked firewall ports of the DFL-1500 in advance. Here we provide a simple way: you can enable the IPSec / PPTP / L2TP pass thr...

  • Page 115: Chapter 13

    Chapter 13 Virtual Private Network – IPSec. This chapter introduces IPSec VPN and explains how to implement it. Extending the scenario described in Figure 2-1, we will explain how to make a VPN link between LAN_1 and LAN_2 in this chap...

  • Page 116

    Difference: The “Pre-shared Key” must be the same on both DFL-1500s. The types and keys of “Encryption” and “Authenticate” must be set the same on both DFL-1500s. However, the “Outgoing SPI” at DFL-1 must equal the “Incoming SPI” at DFL-2, and the “Outgoing SP...

  • Page 117

    Button / Description: Prev. Page: if there is more than one action page, you can press Prev. Page to go back to the previous page. Next Page: if there is more than one action page, you can press Next Page to go to the next page. Add...

  • Page 118

    Prefix Len/Subnet Mask: the local IP netmask. IPv4 format. 255.255.255.0. Remote Address Type: determine the method used to connect to the local side of the VPN, either the remote subnet or a remote single host. Subnet Address / Single Address. Subnet Address. IP Address...

  • Page 119

    ESP Algorithm: The ESP algorithm may combine the encryption and authentication algorithms, or run them separately. We can select from the items below: the encryption and authentication algorithm combination, or the below item ...

  • Page 120

    Step 4. Detailed settings of IPSec IKE: On this page, we will set the detailed values of the IKE parameters. Fill in the related fields as Table 13-5 indicates to finish these settings. Advanced Settings > VPN Settings > IPSec > IKE > Add > Advanced. Field / Description ...

  • Page 121

    Key Group: choose a Diffie-Hellman public-key cryptography key group. DH1 / DH2 / DH5. DH2. Phase 2: Encapsulation: view only; it was set previously and cannot be edited again. Cannot be edited. Tunnel. Active Protocol: view only; it is ...

  • Page 122

    Step 6. Add a firewall rule: Beforehand, please make sure that the firewall is enabled. Select WAN1-to-LAN1 to display the rules of this direction. The default action of this direction is Block with logs. We have to allow the VPN traffic from the WAN1 side to...

  • Page 123

    Step 1. Enable IPSec: Check the Enable IPSec checkbox and click Apply. Advanced Settings > VPN Settings > IPSec. Step 2. Add an IKE rule: Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Advanced Setti...

  • Page 124

    Step 4. Reminder to add a firewall rule: After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule. Advanced Settings > VPN Se...

  • Page 125

    Step 7. View the result: Now we have inserted a new rule before the default firewall rule. Any packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully access the 192.168.88.0/...

  • Page 126

    Step 3. Customize the rule: Same as in IKE, but there is no pre-shared key in manual-key mode. Enter the key for encryption, such as 1122334455667788. Enter the key for authentication, such as 11112222333344445555666677778888. Additionally, the out...

  • Page 127

    Outgoing Interface: the WAN interface you are going to build the IPSec tunnel on. WAN interfaces. WAN1. Peer’s IP Address: the IP address of the remote site device, such as a DFL-1500 VPN/Firewall Router. IPv4 format. 210.2.1.1. Outgoing SPI: the...

  • Page 128

    Field / Description / Range / Format / Example. Condition: Transport Layer Protocol: use this field to select the packets of a specified protocol (Any, TCP, UDP). Packets that are not of the specified protocol will not be allowed to pass through the IPSec tunnel...

  • Page 129

    Step 8. View the result: Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500 and complete the VPN tunnel establishment. Advanced Settin...

  • Page 130

    Step 3. Customize the rule: Similar to DFL-1, except that you should interchange the local IP address with the remote IP address in the condition part, and the outgoing SPI with the incoming SPI in the action part. Besides, set the peer’s IP address with...

  • Page 131

    Step 5. Add a firewall rule: Same as in the IKE method. Please make sure that the firewall is enabled. Select WAN1-to-LAN1 to display the rules of this direction. The default action of this direction is Block with logs. We have ...

  • Page 133: Chapter 14

    Chapter 14 Virtual Private Network – Dynamic IPSec. This chapter introduces dynamic IPSec VPN and explains how to implement it. In the previous chapter, we introduced the static address method of IPSec. In this chapter, we...

  • Page 134

    At DFL-1: First, we will install the IPSec properties of DFL-1. For the related explanation, please refer to Chapter 12 and Chapter 13. Step 8. Enable IPSec: Check the Enable IPSec checkbox and click Apply. Advanced Settings > VPN Settings > IPSec. Ste...

  • Page 135

    Step 11. Detailed settings of IPSec IKE: On this page, we will set the detailed values of the IKE parameters. For the related fields, please refer to Table 13-5. Advanced Settings > VPN Settings > IPSec > IKE > Add > Adva...

  • Page 136

    Step 14. Customize the firewall rule: Enter the rule name as allowvpn, source IP as wan1_vpna (192.168.88.0), and dest. IP as lan1_vpna (192.168.40.0). Click Apply to store this rule. Advanced Settings > Firewall > Edit Rules > Insert. Step 15. View the result...

  • Page 137

    Step 2. Add an IKE rule: Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Advanced Settings > VPN Settings > IPSec > IKE. Step 3. Customize the rule: Check the Active checkbox. Enter a name for t...

  • Page 138

    Step 5. Add a firewall rule: Same as at DFL-1. We need to add an extra firewall rule to allow IPSec packets to come in from the Internet. So here we select the WAN1-to-LAN1 direction and click the Insert button. Advanced Settings > Firewall > Edit Rules. Step 6. Customize t...

  • Page 139: Chapter 15

    Chapter 15 Virtual Private Network – Hub and Spoke VPN. This chapter introduces hub and spoke VPN and explains how to implement it. Extending the scenario described in Figure 2-1, we will explain how to make a VPN link betw...

  • Page 140

    15.4 Steps: In the following, we will show you how to set up the hub and spoke VPN between the main office and two branch offices. Configuring the IPSec IKE tunnels: For the main office (the hub), we have to create the IKE tunnels, and then create the VPN hub and ...

  • Page 141

    Configuring the VPN hub for the main office. Step 1. Add a firewall rule: Suppose the main office has already added two VPN tunnels to communicate with the two branch offices. Now, the main office has to add a firewall rule to all...

  • Page 142

    Step 4. Add a VPN hub: Select Add to add a VPN hub. Enter a name in the Hub Name field. To add tunnels to the VPN hub, select a VPN tunnel from the Available Tunnels list and select the right arrow. To remove tunnels from the Members list, select the tunnels ...

  • Page 143

    Step 3. Add a VPN spoke in Branch_1: Select Add to add a VPN spoke. Enter a name in the Spoke Name field. Enter the local IP address/subnet mask and the remote IP address/subnet mask. Select the VPN tunnel which i...

  • Page 144

    Step 2. Customize a firewall rule: Enter the rule name as allowvpn, source IP as hub-spoke1 [hub (192.168.1.0), spoke_1 (192.168.40.0)], and dest. IP as spoke_2 (192.168.88.0). Click Apply to store this rule. Advanced Settings > Firewall > Edit Rules > Inser...

  • Page 145: Chapter 16

    Chapter 16 PPTP Client with PPTP Server. This chapter introduces how to build a site-to-site VPN using a PPTP client and a PPTP server. 16.1 Demands: 1. In our branch office, we need to provide secure connection methods to connect back t...

  • Page 146

    16.4 Steps. • The DFL-1500 of LAN_1: Step 1. Enable PPTP server: Fill in the related fields on this page. For the field descriptions of this page, please refer to Section 17.4. Advanced Settings > VPN Settings > PPTP. • The DFL-1500 of LAN_2: Step 1. Enable PPTP client: En...

  • Page 147

    Step 2. Add a static routing entry: Add a static routing entry. For all the packets destined for 192.168.40.0/255.255.255.255.0, route these packets through the assigned IP address (192.168.40.180). For the field des...

  • Page 149: Chapter 17

    Chapter 17 Remote Access VPN – PPTP. This chapter introduces PPTP and explains how to implement it. 17.1 Demands: 1. One employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is ...

  • Page 150

    17.4 Steps. Step 1. Enable PPTP server: Check the Enable PPTP checkbox, enter the LAN1_IP of the DFL-1 (192.168.40.254) in the Local IP field, and enter the IP range that will be assigned to the PPTP clients in the Start IP and End IP fields. Enter the username ...

  • Page 151

    Customize the VPN connection: 1. Right-click the icon that you have created. 2. Select Properties > Security > Advanced > Settings. 3. Select No Encryption from the Data Encryption list and click Apply. 4. Select Properties > Networking ...

  • Page 153: Chapter 18

    Chapter 18 Remote Access VPN – L2TP. This chapter introduces L2TP and explains how to implement it. 18.1 Demands: 1. One employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is ...

  • Page 154

    18.4 Steps. 18.4.1 Set up the L2TP Network Server. Step 1. Enable L2TP LNS: Check the Enable L2TP LNS checkbox, enter the LAN1_IP of the DFL-1 (192.168.40.254) in the Local IP field, and enter the IP range that will be assigned to the L2TP clients in the Start IP and the ...

  • Page 155

    Configuring an L2TP dial-up connection: 1. Configure an L2TP dial-up connection. 2. Go to Start > Control Panel > Network and Internet Connections > Make New Connection. 3. Select Create a connection to the network of your workplace and s...

  • Page 156

    Connecting to the L2TP VPN: 1. Connect to your ISP. 2. Start the dial-up connection configured in the previous procedure. 3. Enter your L2TP VPN user name and password. 4. Select Connect.

  • Page 157: Chapter 19

    Chapter 19 Remote Access VPN – DS-601 VPN Client. This chapter introduces remote access VPN using the DS-601 VPN client and explains how to implement it. Extending the scenario described in Figure 2-1, we will explain how to make a V...

  • Page 158

    At DFL-1: First, we will install the IPSec properties of DFL-1. Step 1. Enable IPSec: Check the Enable IPSec checkbox and click Apply. Advanced Settings > VPN Settings > IPSec. Step 2. Add an IKE rule: Click the IKE hyperlink and click Add to add a new ...

  • Page 159

    Step 4. Detailed settings of IPSec IKE: On this page, we will set the detailed values of the IKE parameters. Advanced Settings > VPN Settings > IPSec > IKE > Add > Advanced. Step 5. Reminder to add a firewall rule: After finishing the IP...

  • Page 160

    Step 7. Customize the firewall rule: Enter the rule name as allowds-601, source IP as wan1_ds601 (61.64.148.197), and dest. IP as lan1_vpna (192.168.40.0). Click Apply to store this rule. Advanced Settings > Firewall > Edit Rules > Insert. Step 8. View the res...

  • Page 161

    Step 1. Enter a connection name: Enter DFL-1500 in the Name of the Connection field and click Next to proceed. Configuration > Profile Settings > New Entry. Step 2. Select link type: Select LAN (over IP) in the Communication ...

  • Page 162

    Step 3. Set up the VPN gateway: Enter the VPN gateway IP (220.136.231.114), which is also the DFL-1’s WAN1 IP. Click Next to proceed. Configuration > Profile Settings > New Entry. Step 4. Pre-shared key: Enter 1234567890 in the Shared Secret field and retype it in th...

  • Page 163

    Step 5. General information: After finishing the previous settings, we can view the general information here. Configuration > Profile Settings > Configure > General. Step 6. IPSec general settings: Check whether the gateway IP is c...

  • Page 164

    Step 7. Policy editor: Click IKE Policy to edit the IKE policy. Configuration > Profile Settings > Configure > IPSec General Settings > Policy Editor. Step 8. Set up the IKE policy: Enter DFL-1500[DES-MD5] as the IKE policy name. Select DES/MD5/DH-Group 2 [1024 b...

  • Page 165

    Step 9. Set up the IPSec policy: Enter DFL-1500[DES-MD5] as the IPSec policy name. Select DES and MD5 in the Transform and Authentication fields. Click OK to finish the settings. Configuration > Profile Settings > Configure > IP...

  • Page 166

    Step 11. View identities: Check whether the local identity and the pre-shared key are correct. If so, click OK to finish the settings. Configuration > Profile Settings > Configure > Identities. Step 12. IP address assignment: Select Use local IP address and ...

  • Page 167

    Step 13. Set up remote networks: Enter the IP network address 192.168.40.0 and subnet mask 255.255.255.0, and then click OK to finish the settings. Configuration > Profile Settings > Configure > Remote Networks. Step 14. Fir...


  • Page 169: Chapter 20

    Chapter 20 Remote Access VPN – Windows Client. This chapter introduces remote access VPN using the Windows client and explains how to implement it. 20.1 Demands: Suppose an employee often works at home; he will have the requirement...

  • Page 170

    2. Create an IPSec policy; please refer to the description in 20.4.3. 3. Add a filter rule from WinXP to DFL-1500; please refer to the description in 20.4.4. 4. Add a filter rule from DFL-1500 to WinXP; please refer to the description in 20.4.5. 5. Configure a rule for the WinXP client to DF...

  • Page 171

    Step 2. Edit the detailed settings of the IPSec rule: Fill in the detailed settings as shown in the diagram on the right side, and then click Apply to finish editing the IPSec rule. For the field descriptions, please refer to Table 13-5 for more in...

  • Page 172

    Step 5. Add firewall rule settings: Additionally, because WAN-to-LAN traffic is blocked by default, we must add a firewall rule to allow the local network of the remote side to pass through the DFL firewall. Please refer to Section 13.4.1 for the full descri...

  • Page 173

    Step 4. Add the “Computer Management” snap-in: In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add. Step 5. Verify the local computer is selected: Verify that Local Computer (default setting) is...

  • Page 174

    Step 8. Add the “Certificates” snap-in: In the Add Standalone Snap-in dialog box, click Certificates, and then click Add. Step 9. Select computer account: In the Certificates snap-in dialog box, select Computer account, and click Next. Step 10. Verify the local co...

  • Page 175

    Step 12. Finish the MMC console creation: After finishing the previous steps, we have selected three snap-in components in the MMC console. 20.4.3 Create an IPSec Policy. Step 1. Run secpol.msc: From the Windows desktop, go to Start...

  • Page 176

    Step 4. Uncheck the item: Uncheck the Activate the default response rule check box, and click Next. Step 5. Finish the IP security policy creation: Keep the Edit properties check box selected and click Finish. Step 6. Edit policy properties: A dialog window will bring...

  • Page 177

    Step 8. Delete the extra items: In this diagram, we are going to specify the Phase 1 parameters of the IPSec rule on the WinXP. We set up the DFL-1500 IPSec Phase 1 with DES-MD5-DH1 (please refer to Section 20.4.1), therefore we delete the ...

  • Page 178

    Step 2. Add an IP filter list: On the IP Filter List tab, click Add to add an IP filter list. Step 3. Edit the IP filter list: Type a name for the filter list (e.g., WinXP to DFL-1500), uncheck the Use Add Wizard check box, and click Add. Step 4. Edit the address of ...

  • Page 179

    Step 5. Edit the protocol of the filter properties: Click the Protocol tab. Leave the protocol type as Any. Step 6. Edit the description of the filter properties: Click the Description tab. You can give a name to this filter list. The...

  • Page 180

    20.4.5 Add a Filter Rule from DFL-1500 to WinXP. Step 1. Add a new filter rule: Click the IP Filter List tab, and then click Add to add an IP filter list. Step 2. Edit the IP filter list: Type a name for the filter list (e.g., DFL-1500 to WinXP), uncheck the Use Add Wi...

  • Page 181

    Step 4. Edit the protocol of the filter properties: Click the Protocol tab. Leave the protocol type as Any. Step 5. Edit the description of the filter properties: Click the Description tab. You can give a name to this filter list. The...

  • Page 182

    20.4.6 Configure a Rule for the WinXP Client to DFL-1500. Step 1. Select the first IP filter list: Now there are two IP filter lists for the WinXP IPSec to use. Select the first filter list you created above from the IP Filter List, such as WinXP to DFL-1500. St...

  • Page 183

    Step 4. Edit the filter action of the WinXP to DFL-1500 IP filter list: Click the Filter Action tab, and click Add to add a new filter action. Step 5. Set the properties of security methods: Leave Negotiate security checked, and uncheck Ac...

  • Page 184

    Step 7. Custom security method settings: Select Data integrity and encryption (ESP). Select MD5 as the integrity algorithm and DES as the encryption algorithm. Fill in the new key generation rate (e.g. 28800 sec). Note that the settings on this page must match the settings o...

  • Page 185

    Step 10. Authentication methods: Click the Authentication Methods tab, and then click Add. Step 11. Select the authentication method: Select the Use this string (pre-shared key) option, and enter the string 1234567890 in the text ...

  • Page 186

    20.4.7 Configure a Rule for DFL-1500 to the WinXP Client. Step 1. Add a new IP filter rule: Now we are going to configure the rule from DFL-1500 to the WinXP client. Click Add to add a new IP filter rule. Step 2. Select the IP filter list: Click the IP Filter List tab. Selec...

  • Page 187

    Step 4. Connection type: Click the Connection Type tab, and then click All network connections. Step 5. Filter action: Click the Filter Action tab, and then select the filter action (DES-MD5) you just created. Step 6. Authentication m...

  • Page 188

    Step 7. Finish editing the rules: The IP security rule from DFL-1500 to WinXP is now completely configured, as the figure shows. Click Close to finish the settings. 20.4.8 Enable the Security Settings. Step 1. Assign the security policy: Use the pop-up menu to assig...

  • Page 189

    Part VI Content Filters.

  • Page 191: Chapter 21

    Chapter 21 Content Filtering – Web Filters. This chapter introduces web content filters and explains how to implement them. 21.1 Demands. Figure 21-1 Use the web filter functionality to prevent users from browsing the forbidden web site. 1. As ...

  • Page 192

    Figure 21-2 Use the web filter functionality to prevent users from viewing the forbidden web site. 2. As the above Figure 21-2 illustrates, someone (PC1_1) is browsing forbidden web pages during office hours. The contents of the web pages may include stock markets, violence, or sex t...

  • Page 193

    21.4 Steps. Step 1. Enable the web filter: Check the Enable Web Filter checkbox and click the Apply button on the right side. Advanced Settings > Content Filters > Web Filter > Web. Field / Description / Range / Format / Example. Enable Web Fi...

  • Page 194

    Step 2. Further customize the local zones: You can configure the range of local zones to which the filters will apply. By default, the web filters apply to all computers, so “Enforce web filter policies for all computers” is selected, and the range is 0.0.0.0 – 2...

  • Page 195

    Step 3. Customize the specified sites: Check Enable Filter List Customization to allow all accesses to the trusted domains while disallowing all accesses to the forbidden domains. Check Disable all web traffic except for ...

  • Page 196

    Button / Description: Add: add the trusted/forbidden domain IP range to the list. Delete: delete the trusted/forbidden domain IP range from the list. Apply: apply the settings configured with the checkboxes. Table 21-3 Web filter customize setting page. Step 4. Set up u...

  • Page 197

    Step 5. Customize categories: With the built-in URL database, the DFL-1500 can block web sessions towards several pre-defined categories of URLs. Check the items that you want to block or log. Simply click Block All Categories wi...

  • Page 198

    MSN over HTTP: filter the MSN application when it goes through an HTTP proxy. Note: this feature currently supports MSN up to and including version 6.0. Enable/Disable. Disabled. Table 21-6 Web filter setting page. Note: After finishing the above feature settings, you can use PC1_1 t...

  • Page 199

    21.5 Priority of Web Filter Functions: The priority of the web filter functions is shown in the following Figure 21-3. From the leftmost feature (Exempt Zone) to the rightmost feature (Keyword), their priority runs from high to low. No...

  • Page 200

    5. Web Filter > Features, Web Filter > Keyword: If the web page contains components such as ActiveX/Java/JavaScript/Cookie, as indicated in “Web Filter > Features”, or the keywords indicated in “Web Filter > Keyword”, the forbidden components will be taken o...

  • Page 201: Chapter 22

    Chapter 22 Content Filtering – Mail Filters. This chapter introduces SMTP proxies and explains how to implement them. 22.1 Demands: Sometimes malicious scripts like *.vbs may be attached to an email. If the users ac...

  • Page 202

    22.4 Steps. 22.4.1 SMTP Filters. Step 1 – Enable SMTP filters: Check the Enable SMTP Proxy checkbox and click Apply. While the SMTP filter feature is enabled, all the configured firewall rules (LAN → WAN SMTP) will be disabled immediately. Subsequently the LAN user acce...

  • Page 203

    Step 3 – Customize the local zones: You can configure the range of local zones to which the filters will apply. By default, the web filters apply to all computers, so “Enforce SMTP filter policies for all computers” is select...

  • Page 204

    Step 2 – Add a POP3 filter: Select Filename Extension, enter vbs, and click Add to add a rule. This rule will apply to all DMZ/WAN-to-LAN POP3 connections. All such POP3 traffic will be examined to change the filename extension from vbs to vbs.bin. Note that the fil...

  • Page 205: Chapter 23

    Chapter 23 Content Filtering – FTP Filtering. This chapter introduces FTP proxies and explains how to implement them. 23.1 Demands: 1. Some users in LAN1 use FTP to download big MP3 files and waste bandwidth. 23.2 Objecti...

  • Page 206

    23.4 Steps. Step 1. Enable the FTP filter: Check the Enable FTP Filter checkbox and click the nearby Apply button to enable this feature. Click the Add button to add a new FTP filter. Advanced Settings > Content Filters > FTP Filter > FTP. Field / Description / Range / Format...

  • Page 207

    Step 3. View the result: We can see the specified record on this page. Advanced Settings > Content Filters > FTP Filter > FTP. Field / Description / Range / Format / Example. From Address: the exempt zone record starts from this IP address. IPv4 for...

  • Page 208

    Step 5. Show the exempt zones: Here we can see that the newly added exempt zone record has appeared. Advanced Settings > Content Filters > FTP Filter > FTP Exempt Zone. Field / Description / Range / Format / Example. FTP Exempt Computers: determine which IP range will be exempt t...

  • Page 210

    Part VII Intrusion Detection System.

  • Page 211: Chapter 24

    Chapter 24 Intrusion Detection Systems. This chapter introduces the intrusion detection system (IDS) and explains how to implement it. 24.1 Demands: Even though we have already configured the firewall rules, it is still not enough. Cracke...

  • Page 212

    24.4 Steps. Step 1 – Enable IDS: Check the Enable IDS checkbox, and click the Apply button. Notice: currently the IDS can only detect on the default WAN interfaces. Advanced Settings > IDS > IDS Status. Field / Description / Range / Format / Example. Enable IDS: enable i...

  • Page 213

    Step 4 – Update attack patterns: IDS attack patterns require frequent updates because there are many new attacks every week. Please go to System Tools > Database Update > Update to update the IDS attack patterns. The DFL-1500 will connec...

  • Page 214

    Part VIII Bandwidth Management, High Availability.

  • Page 215: Chapter 25

    Chapter 25 Bandwidth Management. This chapter introduces bandwidth management and explains how to implement it. 25.1 Demands. Figure 25-1 Use the bandwidth management mechanism to shape the data flow in the downlink direction. 1. As the above fig...

  • Page 216

    Figure 25-2 Use the bandwidth management mechanism to shape the data flow in the uplink direction. 2. As the above Figure 25-2 illustrates, LAN_1 PCs are using the e-commerce service from the e-commerce server (140.113.79.3), causing the blockin...

  • Page 217

    DFL-900/1500 User Manual, Chapter 25 Bandwidth Management, 209. The remaining bandwidth is named Other Traffic. It is reserved for any other Any-to-LAN1 data transmission not listed in the above Figure 25-1 diagram. 2. Reserve at least 600 kbps for the LAN_1 to LAN_2 transfer. The LAN_1 PCs can s...

  • Page 218

    Part VIII Bandwidth Management, High Availability, D-Link 210. 25.4 Steps. 25.4.1 Inbound traffic management. Step 1. Enable bandwidth management: check the Enable Bandwidth Management checkbox and click Apply. Advanced Settings > Bandwidth Mgt. > Status. Field / Description / Range or Format / Example: Enable Band...

  • Page 219

    DFL-900/1500 User Manual, Chapter 25 Bandwidth Management, 211. Button / Description: Prev. Page: if there is more than one action page, press Prev. Page to go back to the previous page. Next Page: if there is more than one action page, press Next Page to go to the next page. Create-Sub-Cla...

  • Page 220

    Part VIII Bandwidth Management, High Availability, D-Link 212. Step 4. Partition into classes: now there are three actions under the default action. Advanced Settings > Bandwidth Mgt. > Edit Actions > Create Sub-Class. Step 5. Set up WAN1-to-LAN1 rules: select WAN1 to LAN1 to display the rules. There is a ...

  • Page 221

    DFL-900/1500 User Manual, Chapter 25 Bandwidth Management, 213. Step 6. Customize the rule: enter a rule name such as web-from-wan, select the source IP as WAN1_ALL and the destination IP as LAN1_ALL. Besides, make sure the service is HTTP (port 80), because this is the web service. Select the action to be web-from-...

  • Page 222

    Part VIII Bandwidth Management, High Availability, D-Link 214. Step 8. Add a DMZ to LAN1 rule: here we will add another rule (web from DMZ). Select the DMZ1 to LAN1 direction. Advanced Settings > Firewall > Edit Rules. Step 9. Customize the rule: set up the web-from-dmz rule. Here we select DMZ1_ALL / LAN1_ALL i...

  • Page 223

    DFL-900/1500 User Manual, Chapter 25 Bandwidth Management, 215. 25.4.2 Outbound traffic management. Step 1. Enable bandwidth management: check the Enable Bandwidth Management checkbox and click Apply. Advanced Settings > Bandwidth Mgt. > Status. Step 2. Set up the WAN1 link: select Any to WAN1 to set up tra...

  • Page 224

    Part VIII Bandwidth Management, High Availability, D-Link 216. Step 4. Set up LAN1-to-WAN1 rules: select LAN1 to WAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before the default rule. Advanced Settings > Firewall > Ed...

  • Page 225: Chapter 26

    DFL-900/1500 User Manual, Chapter 26 High Availability, 217. Chapter 26 High Availability. This chapter introduces high availability and explains how to implement it. 26.1 Demands. Figure 26-1: use the high availability mechanism to keep the network connection continuous. 1. As the above Figure 22-1 illustrates, y...

  • Page 226

    Part VIII Bandwidth Management, High Availability, D-Link 218. 26.3 Methods. There are five steps to configure the high availability feature. Step 1. You have to set up two DFL-1500 devices first. Remember to set the action mode of the primary device to Active mode and that of the secondary device to Standby mode. Step 2. ...

  • Page 227

    DFL-900/1500 User Manual, Chapter 26 High Availability, 219. Step 2. Show the result in the web interface: after you apply the high availability feature, the primary device will show the message “sync configuration file successfully, the device will rebooting now and stay in standby mode.” Advanced ...

  • Page 228

    Part IX System Maintenance, D-Link 220.

  • Page 229: Chapter 27

    DFL-900/1500 User Manual, Chapter 27 System Status, 221. Chapter 27 System Status. 27.1 Demands. 1. Since we have finished the settings of the DFL-1500, we need to gather the device information quickly. Then we can have an overview of the system status. 27.2 Objectives. 1. We can know the current situation eas...

  • Page 230

    Part IX System Maintenance, D-Link 222. Field / Description: Port: the interface of the DFL-1500. Status: the interface status of the DFL-1500; the possible value is either “up” or “down”. TxPkts: the amount of packets transferred from this interface, in bytes. RxPkts: the amount of packets receiv...

  • Page 231

    DFL-900/1500 User Manual, Chapter 27 System Status, 223. Step 5. Routing table: click Routing Table to see the routing table information of the DFL-1500. Device Status > System Status > Routing Table. Field / Description: Type: the type of this routing entry. “Net” means that the routing entry is g...

  • Page 232

    Part IX System Maintenance, D-Link 224. Step 7. Top20 sessions: click Top20 Sessions to see the top 20 sessions by amount of transmitted bytes. These top 20 sessions are sorted by the amount of currently transmitted bytes. Note: here the traffic statistics are calculated from the bytes transmitted from t...

  • Page 233: Chapter 28

    DFL-900/1500 User Manual, Chapter 28 Log System, 225. Chapter 28 Log System. 28.1 Demands. 1. The system administrator wants to know all the administration actions performed in the past, so that illegal system administration can be avoided. 2. The system administrator needs to check the logs of VPN, IDS, firewall, and...

  • Page 234

    Part IX System Maintenance, D-Link 226. 28.4.2 Syslog & mail log. Step 1. Set up the syslog server: set up the syslog server by checking Enable Syslog Server. This lets the DFL-1500 send logs to the syslog server specified in the “Syslog Server IP Address” field. Notice: if the logs are sent out to the syslog...

  • Page 235

    DFL-900/1500 User Manual, Chapter 28 Log System, 227. Day for sending logs: when selecting Weekly in the “Log Schedule” field, we have to choose on which day the mail logs will be sent out in the “Day for Sending Logs” field. Monday ~ Sunday; example: Monday. Button / Description: Test: test the mail log configuration i...

  • Page 237: Chapter 29

    DFL-900/1500 User Manual, Chapter 29 System Maintenance, 229. Chapter 29 System Maintenance. This chapter introduces how to do system maintenance. 29.1 Demands. 1. The DFL-1500 is designed to provide upgradeable firmware and databases to keep up with the changing Internet. New features, new attack sig...

  • Page 238

    Part IX System Maintenance, D-Link 230. Step 1. Set up the TFTP server: place the TFTP server tftpserver in the C:\ directory and double-click to run it. Place all .bin files in C:\ as well. Set the PC to 192.168.40.X so that it is in the same subnet as the DFL-1500’s LAN1. Log in to the DFL-1500’s console. Ent...

  • Page 239

    DFL-900/1500 User Manual, Chapter 29 System Maintenance, 231. Step 2. Upgrade firmware: in the System Tools / Firmware Upgrade page, select the path of the firmware through the Browse button, and check Preserve Saved Configurations to keep the original settings. Click the Upload button to upgrade the firmware. S...

  • Page 240

    Part IX System Maintenance, D-Link 232. Step 2. Auto update: we can also update the databases automatically. Fill in the database server in the Update Center field. Choose the date/time at which we would like to update the databases, and then check which databases we would like to update. Click the Apply button to finish t...

  • Page 241

    DFL-900/1500 User Manual, Chapter 29 System Maintenance, 233. 29.5.2 Normal factory reset. Step 1. Factory reset in CLI mode: enter sys resetconf now to reset the firmware to the factory default. Then the system will reboot automatically. netos/i386 (dfl-1500) (tty00) login: admin password: welcome to d...

  • Page 242

    Part IX System Maintenance, D-Link 234. 29.6 Save the current configuration. Step 1. Back up the current configuration: after finishing the settings of the DFL-1500, be sure to press the Save button on this page to keep the running configuration. System Tools > System Utilities > Save Configuration. 29.7 Back...

  • Page 243

    DFL-900/1500 User Manual, Chapter 29 System Maintenance, 235. 29.8 Reset password. Step 1. Enter the boot loader: if you forget the password, you can use the following way to reset the password. Press or during the 2-second countdown process. >> netos loader (i386), v1.5 (fri feb 20 10:25:11 cst 2004) pr...

  • Page 245: Appendix A

    DFL-900/1500 User Manual, Appendix A Command Line Interface (CLI), 237. Appendix A Command Line Interface (CLI). You can configure the DFL-1500 through the web interface (HTTP/HTTPS) most of the time. Besides, you can use another method, the console/SSH/Telnet method, to configure the DFL-1500 in an emergen...

  • Page 246

    A.2, D-Link 238. Status (st): sys status: show system and network status. Version (ver): sys version: show the DFL-1500 firmware version. Table A-1 Non-privileged mode of normal mode. Note: if you don’t know what parameter follows a command, just type “?” after the command, e.g. “ip ?”. It will show ...

  • Page 247

    DFL-900/1500 User Manual, A.3 CLI Commands List (Rescue Mode), 239. The full TFTP commands are described in the following Table A-3. Prefix command / 2nd command / 3rd command / Postfix command / Example command / Description: config filename word ip: tftp upgrade config conf-0101 192.168.1.170: upgrade configuratio...

  • Page 248

    A.3, D-Link 240. Privileged mode. Main commands / Sub commands / Example command / Description: ?: ?: show the help menu. disable (dis): disable: turn off privileged mode. exit (ex): exit: exit the command shell. ip: configure IP related settings. arp: ip arp status: show the IP/MAC mapping table. dns: ip dns query www....

  • Page 249: Appendix B

    DFL-900/1500 User Manual, Appendix B Trouble Shooting, 241. Appendix B Trouble Shooting. 1. What if the power LED of the DFL-1500 is off when I turn on the power? Ans: check the connection between the power adapter and the DFL-1500 power cord. If this problem still exists, contact your sales vendor. 2. How can ...

  • Page 250

    Appendix B, D-Link 242. Ans: please make sure you follow the setting method as follows. A. Check your IPSec setting. Please refer to the settings in Section 13.4, Step 3. B. Make sure you have already added a WAN to LAN policy in Advanced Settings / Firewall to let the IPSec packets pass t...

  • Page 251

    DFL-900/1500 User Manual, Appendix B Trouble Shooting, 243. The following Figure B-1 and Figure B-2 show the DFL_A IPSec and firewall settings. Figure B-3 and Figure B-4 show the opposite side DFL_B IPSec and firewall settings. When you configure an IPSec policy, please be sure to add a rule to l...

  • Page 252

    Appendix B, D-Link 244. Figure B-3: DFL_B - insert a new IPSec policy. Figure B-4: DFL_B - insert a new firewall rule in WAN to LAN. 7. Why is the Source-IP field of the system logs blank? Ans: one reason is that you may have entered a host name followed by a space, like “dfl-1500 “, and entered the domain name strin...

  • Page 253

    DFL-900/1500 User Manual, Appendix B Trouble Shooting, 245. Ans: under this circumstance, the DFL-1500 will automatically reboot and all configurations will remain as before. 10. While I am upgrading firmware from the local disk, the download completes. After the MD5 check, the screen shows “upgradi...

  • Page 255: Appendix C

    DFL-900/1500 User Manual, Appendix C Rule Entry Limitation, 247. Appendix C Rule Entry Limitation. For the DFL-1500 web configuration, there is a limit on the maximum number of rule entries that can be entered. Here we provide a list for your reference. Classification / Item / Permitted maximum rule entries / Refer to section: IP al...

  • Page 256

    Appendix C, D-Link 248. POP3 exempt zone entries: 256, Section 22.4.2. FTP blocking list entries: 40, Section 23.4. FTP filter: FTP exempt zone entries: 20, Section 23.4. Bandwidth management: bandwidth management action entries: 200, Section 25.4. System access logs: 256, Section 28.4.1. Firewall logs: 256, Section 10....

  • Page 257: Appendix D

    DFL-900/1500 User Manual, Appendix D System Log Syntax, 249. Appendix D System Log Syntax. In the DFL-1500, all administration actions are logged by the system. You can review all your management activity through the system log (Device Status > System Logs > System Access Logs). Besides, all the system...

  • Page 258

    Appendix D, D-Link 250. A03 Change password: auth: [a03] admin change system password (192.168.17.102:443). bandwidth: [b01] enable bandwidth management by admin (192.168.17.100:443). Bandwidth, B01 Enable/disable bandwidth management: bandwidth: [b01] disable bandwidth management by admin (192.168.17.10...

  • Page 259

    DFL-900/1500 User Manual, Appendix D System Log Syntax, 251. C19 Web filter keyword deleted: content: [c19] web filter keyword deleted by admin (192.168.17.100:443). eid=22. C20 Enable web filter keyword matching: content: [c20] enable web filter keyword matching by admin (192.168.17.100:443). eid=23. C21 ...

  • Page 260

    Appendix D, D-Link 252. L04 Enable/disable syslog forward to remote syslog server: log: [l04] enable syslog server at 192.168.17.100 by admin (192.168.17.102:443). log: [l04] disable syslog server by admin (192.168.17.102:443). L05 Enable/disable mail log: log: [l05] enable mail logs to tom@hotmail.com ...

  • Page 261

    DFL-900/1500 User Manual, Appendix D System Log Syntax, 253. S06 Startup/shutdown HTTPS server: system: [s06] https started. S07 Startup Telnet server. S08 Set interface IP address: system: [s08] wan1: ip address: 192.168.17.102/255.255.255.0. (192.168.17.102:443). S09 IP alias: system: [s09] lan1: add ip ...

  • Page 262

    Appendix D, D-Link 254. S23 Set up SSH server. S24 Set up WWW server. S25 Set up HTTPS server. S26 Set up SNMP server. S27 Misc setup. S28 Enable/disable SNMP: system: [s28] enable snmp by admin (192.168.17.104:443). system: [s28] system location: building-a. system: [s28] contact info: +886-2-28826262. system: ...

  • Page 263: Appendix E

    DFL-900/1500 User Manual, Appendix E Glossary of Terms, 255. Appendix E Glossary of Terms. CF (Content Filter) – a content filter is one or more pieces of software that work together to prevent users from viewing material found on the Internet. This process has two components. DHCP (Dynamic Host Configu...

  • Page 264

    Appendix E, D-Link 256. POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mailbox on...

  • Page 265: Appendix F

    DFL-900/1500 User Manual, Appendix F Index, 257. Appendix F Index. B: backup configuration, 236; bandwidth management, 209, 219; bidirectional, ...

  • Page 267: Appendix G

    DFL-900/1500 User Manual, Appendix G Customer Support, 259. Appendix G Customer Support Offices. Australia: D-Link Australia, 1 Giffnock Avenue, North Ryde, NSW 2113, Sydney, Australia. Tel: 61-2-8899-1800. Fax: 61-2-8899-1868. Toll free (Australia): 1800-177100. URL: www.dlink.com.au. E-mail: support@dlink.co...

  • Page 268

    Appendix G, D-Link 260. Tel: 33-1-3023-8688. Fax: 33-1-3023-8689. URL: www.dlink-france.fr. E-mail: info@dlink-france.fr. Germany: D-Link Central Europe (D-Link Deutschland GmbH), Schwalbacher Strasse 74, D-65760 Eschborn, Germany. Tel: 49-6196-77990. Fax: 49-6196-7799300. URL: www.dlink.de. BBS: 49-(0) 6192-97...

  • Page 269

    DFL-900/1500 User Manual, Appendix G Customer Support, 261. URL: www.dlink.se. E-mail: info@dlink.se. Taiwan: D-Link Taiwan, 2F, No. 119 Pao-Chung Road, Hsin-Tien, Taipei, Taiwan. Tel: 886-2-2910-2626. Fax: 886-2-2910-1515. URL: www.dlinktw.com.tw. E-mail: dssqa@tsc.dlinktw.com.tw. Turkey: D-Link Middle East, Den...