Check Your Package Contents
  1.1.1 DFL-900
  1.1.2 DFL-1500
Hardware
Software Specifications
Five steps to configure DFL-900/1500 quickly
Wiring the DFL-900/1500
Default Settings and architecture of DFL-900/1500
Using the Setup Wizard
Internet Connectivity
  1.8.1 LAN1-to-WAN1 Connectivity
  1.8.2...
All the examples after Chapter 2 in this manual, which instruct you how to configure the VPN/Firewall Router, are taken from the DFL-1500. The hardware and software specifications of the DFL-900 and DFL-1500 are introduced in Chapter 1. You can refer to the examples to configure your VPN/Firewall Router.
This section describes the enhancements that were made to DFL-900/1500 as compared to the previous version. It includes changes to the way that the DFL-900/1500 operates, some of which are reflected by changes to the WBI and others that were made to the DFL-900/1500 engine to improve performance and accuracy.
Check Your Package Contents

1.1.1 DFL-900
These are the items included with your DFL-900 purchase, as shown in Figure 1-2:
- DFL-900 Device x 1
- Ethernet cable (RJ-45) x 2
- RS-232 console x 1
...
Figure 1-2 All items in the DFL-1500 package

Hardware
Feature: Chassis
  DFL-900: Rack mount 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (8''*5.75''*10'')
  DFL-1500: Rack mount 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (8''*5.75''*10'')
DFL-900/1500 User Manual Chapter 1 Quick Start
Feature: LAN port
  DFL-900: 1 port for connecting inbound LAN; RJ-45 connector; IEEE 802.3 compliance; IEEE 802.3u compliance; Support Half/Full-Duplex operations
  DFL-1500: 2 ports for connecting inbound LAN; RJ-45 connector; IEEE 802.3 compliance; IEEE 802.3u compliance; Support Half/Full-Duplex operations
  Support backpressure at Half-Duplex operation.
Feature: Safety Approval
  DFL-900: TUV/GS, T-mark
  DFL-1500: TUV/GS, T-mark
Table 1-1 DFL-900/1500 Hardware

Software Specifications
Product: DFL VPN/Firewall Router
Model: DFL-900 / DFL-1500 (Yes = supported, No = not supported)
Basic Setup
  Wizard: Yes / Yes
  Transparent Mode: Yes / Yes
  WAN1 IP (no default WAN Link): No / ...
  Yes / Yes
Firewall
  Firewall Rule: Yes / Yes
  Anti-DoS: Yes / Yes
Content Filters
  Web Filter: Yes / Yes
  Mail Filter: Yes / Yes
  FTP Filter: Yes / Yes
  (row label cut off): Yes / Yes
Bandwidth Management
  Edit Actions: Yes / Yes
Binding
  IP/MAC Binding: Yes...
Five steps to configure DFL-900/1500 quickly
Let's look at the common network topology without a DFL-900/1500, as shown in Figure 1-3. This topology is used by almost all small/medium businesses and SOHO users for their Internet connectivity. Although your topology is not necessarily the same as the diagram below, it can still give you a guideline for configuring the DFL-900/1500 quickly.
Here we would like to replace the original IP Sharer with the DFL-900/1500, as in Figure 1-4. If we want the DFL-900/1500 to replace the IP Sharer, we just need to execute the following five steps as Figure 1-5 shows. By these steps, we hope to give you a picture of how to get the DFL-900/1500 working at a basic level.
Step 5. Virtual Server: If there are any servers located inside the DFL-900/1500 network, you may want these servers to provide services to the outside. So you should configure the Virtual Server, which provides connections in the WAN-to-LAN direction. For more information, please refer to section 1.8.2.
You should have an Internet account already set up and have been given most of the information in Table 1-3. Fill out this table when you edit the web configuration of the DFL-900/1500. The DFL-900 has three ports: WAN1 (port1), LAN1 (port2) and DMZ1 (port3), while the DFL-1500 has five ports: WAN1 (port1), WAN2 (port2), DMZ1 (port3), LAN1 (port4), and LAN2 (port5).
____.____.____.____
DMZ1 IP Subnet Mask: DFL-900 default 255.255.255.0 ____.____.____.____ ; DFL-1500 default 255.255.255.0 ____.____.____.____
LAN1 IP Address: DFL-900 default 192.168.1.254 ____.____.____.____ ; DFL-1500 default 192.168.1.254 ____.____.____.____
LAN1 IP Subnet Mask: DFL-900 default 255.255.255.0 ____.____.____.____ ; DFL-1500 default 255.255.255.0 ____.____.____.____
LAN2 IP Address: DFL-1500 default 192.168.2.254 ____.____.____.____
LAN2 IP Subnet Mask: DFL-1500 default 255.255.255.0 ____.____.____.____
Table 1-3 DFL-900/1500 related network settings (fill in your own values in the blanks)
DFL-1500 in the basic appliances. In this document we are going to show you how to configure the VPN/Firewall Router using the DFL-1500 as the example. The DFL-900 is configured in the same way. For the related software specifications, please refer to Table 1-2.
NAT/Route mode
- NAT mode rules use network address translation to hide the addresses in a more secure network from users in a less secure network.
- Route mode rules accept or deny connections between networks without performing address translation.
Transparent mode provides the same basic protection as NAT mode. Packets received by the DFL-900/1500 are intelligently forwarded or blocked according to the firewall rules. The DFL-900/1500 can be inserted into your network at any point without the need to make any changes to your network or any of its components. However, VPN, NAT, Routing and some advanced firewall features (such as Authentication and IP/MAC Binding) are only available in NAT/Route mode.
Please note that an alert message box "When changing to none fixed ip mode, system will delete all ip alias!" will appear when you change your WAN link to Get IP Automatically (DHCP) or PPP over Ethernet rather than Fixed IP Address.
Step 6. System Status
BASIC SETUP > Wizard > Run Setup Wizard > Next > Next
Here we select the Fixed IP method on the WAN1 port. Then the DFL-1500 provides a short summary of the system. Please check that everything mentioned above is properly set in the system.
The rule Basic-LAN1 means that, when a request matches the condition (LAN/DMZ-to-WAN direction with its source IP falling in the range 192.168.1.254 / 255.255.255.0), the request will be translated into a public-source-IP request and then forwarded to the destination.
1.8.2 WAN1-to-DMZ1 Connectivity
This section tells you how to provide an FTP service, with a server installed under your DMZ1, to public Internet users. After following the steps, users on the WAN side can connect to the FTP server on the DMZ1 side.
WAN side cannot connect to a private IP (e.g. 10.1.1.5) through the Internet, so the data connections would fail. After enabling this feature, the DFL-1500 will translate the private IP/port into an IP/port of its own. Thus the problem is gracefully solved.
Warning message: After applying the virtual server rule, two messages will appear as in the diagrams above. The purpose of these two message boxes is to remind you to add firewall/NAT rules manually when you add a virtual server rule for your existing server.
However, some advanced firewall features are only available in NAT/Route mode. Transparent mode currently does not support the following features:
- WAN PPPoE link
- Authentication
- VPN (IPSec / PPTP / L2TP)
- Routing
- IP/MAC Binding
- DDNS / DNS Proxy / DHCP Relay
- Interface change
- Show IPSec sessions
- VPN Logs
Chapter 2 System Overview
In this chapter, we will introduce the network topology for use with later chapters.
Typical Example Topology
In this chapter, we introduce a typical network topology for the DFL-1500. In Figure 2-1, the left half is a DFL-1500 with one LAN, one DMZ, and one WAN link.
Use IE at 192.168.1.1 to connect to https://192.168.1.254. Use a network cable to connect to the LAN1 port of the DFL-1500. The PC connected to the DFL-1500 must be assigned a 192.168.1.X address (the LAN1 default IP address is 192.168.1.254/24). Type https://192.168.1.254 or http://192.168.1.254:8080 in the web browser to configure the DFL-1500.
Step 2. Setup LAN1 IP information
BASIC SETUP > LAN Settings > LAN1 Status
Enter the IP Address and IP Subnet Mask as 192.168.40.254 / 255.255.255.0 and click Apply. Warning: After you apply the changed settings,...
Figure 2-2 You can select the functional area by the sequence in the Web GUI
If we want to configure the DFL-1500, we can follow the sequence as Figure 2-2 illustrates:
Step 1. Select the main function
Step 2. Select the sub-function
Step 3. Select the tag
Step 4. Configure the real parameters
2.3.2 Rule principle
Figure 2-3 The rule configuration is divided into three parts
You may find many rule configurations in the DFL-1500. They are distributed among the respective features. These rules include NAT rule...
Figure 2-4 The rules in the page of the rule edition are also divided into three parts.
BASIC SETUP > WAN Settings > WAN1 IP > Fixed IP Address
Here we select the Fixed IP Address method on the WAN1 port. Fill in the IP Address, Subnet Mask and Gateway IP. Then enter the other fields, DNS IP Address and Routing Protocol. Click Apply to finish this setting.
FIELD / DESCRIPTION / Range / Format / EXAMPLE
IP Address Assignment
Default WAN link (Gateway/DNS): When the Default WAN link is enabled, all the packets sent out from the DFL-1500 will go via this port. Range: Enable/Disable. Example: Enabled
7200
Routing Protocol: Determines whether to enable the dynamic routing protocol (RIP), whether to receive RIP messages, and whether to send out RIP messages regardless of whether a message is received. Range: None / RIPv1In / RIPv1In+out / RIPv2In / RIPv2In+out / OSPF. Example: None
OSPF Area ID: Specify the OSPF area ID number. Format: IPv4 format or digit string (Max 9 bits)
Table 3-2 Configure DMZ network settings

Step 2. Setup LAN port
BASIC SETUP > LAN Settings > LAN1 Status
Here we are going to configure the LAN1 settings.
Range: WAN interfaces. Example: WAN1
IP alias: The alias IP address. Format: IPv4. Example: 61.2.1.2
Netmask: The netmask of the IP alias. Format: netmask. Example: 255.255.255.248
Alias size: The size of the IP alias address range. Range: Max 60
Table 3-5 Add an IP alias record
Step 4. Edit, Delete IP alias record
BASIC SETUP > WAN Settings > IP Alias
You can easily add, edit, or delete IP alias records with the Add, Edit, or Delete button.
FIELD...
Chapter 4 System Tools
This chapter introduces System Management and explains how to implement it.
Demands
Basic configurations for domain name, password, system time, timeout and services.
DDNS: Suppose the DFL-1500's WAN uses a dynamic IP but needs a fixed host name. When the IP changes, the DNS record must be updated accordingly.
Figure 4-2 DNS Proxy mechanism chart
DHCP Relay: Activate the DHCP relay mode of the DFL-1500 so that the DFL-1500 becomes the relay agent and relays the DHCP broadcast to the configured DHCP server. As Figure 4-3 below describes, DFL-1 redirects the DHCP
request from the preconfigured port (LAN1) to the real DHCP server (10.1.1.4). Besides, in this diagram we can see that the PC in the DMZ region communicates with the DHCP server directly.
Figure 4-3 DHCP Relay mechanism chart
As Figure 4-4 below demonstrates, there is an embedded SNMP agent in the DFL-1500.
(3 WAN, 1 DMZ, 1 LAN). As Figure 4-5 below demonstrates, there are three ISPs connected to the DFL-1500. So we must adjust the interfaces to 3 WAN ports to fit the current condition.
Figure 4-5 Adjust DFL-1500 interface to fit present situation
Steps
4.4.1 General settings
Step 1. General Setup
SYSTEM TOOLS > Admin Settings > General
Enter the Host Name as DFL-1 and the Domain Name as the domain name of your company. Click Apply.
FIELD...
10 minutes after your last touching of it.
FIELD / DESCRIPTION / EXAMPLE
System Auto Timeout Lifetime: When the system is idle for the specified time, the system will force the person who is logged in to log out automatically.
Table 4-4 System Tools – Timeout menu
4.4.2 DDNS setting
Step 1. Setup DDNS
SYSTEM TOOLS > Admin Settings > DDNS
If the IP address of the DFL-1500 WAN port is dynamically allocated, you may want to use the Dynamic DNS mechanism so that your partners can always use the same domain name (like xxx.com)
DHCP server (different subnet from the network segment of the DHCP client).
DHCP Server: Current location of the DHCP server. Example: 10.1.1.4
Relay Domain: The locations of the DHCP clients. Example: Enable LAN1
Table 4-7 System Tools – DHCP Relay menu
4.4.5 SNMP Control
Step 1. Setup SNMP Control
SYSTEM TOOLS > SNMP Control
By setting the related information on this page, we can use an SNMP manager to monitor the system status and network status of the DFL-1500.
Port1 ~ Port5: You can specify WAN / LAN / DMZ for each port as you prefer. However, there must be at least one WAN and one LAN interface on the DFL-1500. Example: Port3: WAN, Port4: DMZ, Port5: LAN
Table 4-9 Change the DFL-1500 interface setting
Chapter 5 Remote Management
This chapter introduces remote management and explains how to implement it.
Demands
Administrators may want to manage the DFL-1500 remotely from any PC in LAN_1 with HTTP at port 8080, and from WAN_PC with TELNET.
CLI commands "tcpdump".
Telnet
SSH: The priority of SSH is equal to that of the Telnet method. For the CLI commands of SSH/Telnet, please refer to Appendix A.
HTTPS: The priority of HTTPS is equal to that of HTTP.
HTTP
Table 5-2 Priorities of login method
Steps
5.4.1 Telnet
Step 1. Setup Telnet
SYSTEM TOOLS > Remote Mgt. > TELNET
Enter 23 instead of the default 2323 in the Server Port field. Check the WAN1 checkbox. Click the Selected...
IP address for reading the SNMP MIBs at the DFL-1500. Finally click the Apply button.
5.4.6 ICMP
Step 1. Setup ICMP
SYSTEM TOOLS > Remote Mgt. > MISC
Uncheck the WAN1 checkbox and check the others. Then click the Apply button.
Chapter 6 Authentication
This chapter introduces user authentication and explains how to implement it.
Demands
The DFL-1500 VPN/Firewall Router supports user authentication against the internal user database, a RADIUS server or an LDAP server. You can create a user account by adding a username and password to the internal database to grant the user access to the Internet, etc.
Select Pop3(s) as the Authentication Type. Enter the Server IP and Server Port. Check Encryption as SSL if the server port is 995 (POP3s). Click Apply to store the settings.
FIELD / DESCRIPTION / EXAMPLE
Server IP: The IP address of the POP3(s) server. Example: 10.1.1.1
Server Port: The port through which data goes into or out of the POP3(s) server. For instance, the POP3 service uses port 110 and the POP3s service uses port 995.
Encryption: Encryption is the process of changing data into a form that can be read only by the intended receiver.
LDAP server. Please refer to Table 6-4 for details.
FIELD / DESCRIPTION / EXAMPLE
Server IP: The IP address of the LDAP server. Example: 192.168.40.66
Base DN: The distinguished name used to look up entries on the LDAP server. Example: ou=people,dc=yourcompany,dc=com,dc=tw
For example, in OpenLDAP:
  entry1: uid=mary,ou=people,dc=yourcompany,dc=com
  entry2: uid=jack,ou=people,dc=yourcompany,dc=com
  Base DN: ou=people,dc=yourcompany,dc=com
  UID: uid
In Windows AD (special case):
  entry1: cn=mary,dc=yourcompany,dc=com
  entry2: cn=jack,dc=yourcompany,dc=com
  Base DN: cn=Users,dc=yourcompany,dc=com
  UID: cn
UID: The field name used to look up entries on the LDAP server. Please refer to the description above.
Chapter 7
This chapter introduces NAT and explains how to implement it in the DFL-1500. To facilitate the explanation of how the DFL-1500 implements NAT and how to use it, we zoom in on the left part of Figure 1-10 into Figure 7-1.
LAN1 to the public IP address WAN_IP on the WAN1 side. Assign a private IP address to the FTPServer1. Set up a Virtual Server at the DFL-1500 to redirect "any connections towards some port of WAN1" to port 21 at the FTPServer1.
Figure 7-3 DFL-1500 plays the role of Virtual Server
As Figure 7-3 above illustrates, the server 10.1.1.5 provides the FTP service, but it is located in the DMZ region behind the DFL-1500. The DFL-1500 acts in the Virtual Server role, redirecting the packets to the real server 10.1.1.5. You can then announce to Internet users that there is an FTP server at IP/port 61.2.1.1/44444.
DFL-1500. If you change the LAN/DMZ IP settings, you have to update the related rules manually. Otherwise, hosts in your LAN/DMZ cannot establish connections to hosts on the WAN side.
Step 4. Customize NAT Rules
ADVANCED SETTINGS > NAT > NAT Rules
In the full-feature mode, the rules can be further customized. Incoming packets from the LAN/DMZ zones are matched top-down against the NAT rules; that is, NAT uses first match. Select the rule item that you want to act on: insert a new rule before it;...
Always use Virtual Server rules first.
7.4.2 Setup Virtual Server for the FtpServer1
Step 1. Device IP Address
BASIC SETUP > DMZ Settings > DMZ1 Status
Set up the IP Address and IP Subnet Mask of the DFL-1500's DMZ1 interface.
Step 2. Client IP Range
Enable the DHCP server if you want to use the DFL-1500 to assign IP addresses to the computers under DMZ1. Here we enable the DHCP feature.
Step 3. Apply the Changes
Click Apply to save your settings.
Passive FTP client: If the Passive FTP client is checked, it will connect to the internal DMZ FTP server of the DFL-1500 when the FTP client uses passive mode. Otherwise, it will not work. Range: Enabled / Disabled. Example: Enabled
Action
  Redirect to internal server: The subnet in which the virtual server is located. Range: LAN / DMZ regions under DFL-1500. Example: DMZ1
  Internal IP: The IP address to which the packets are actually transferred in the internal DMZ. Format: IPv4. Example: 10.1.1.5
  The port number to which the packets are actually transferred in the internal DMZ.
IP (such as 61.2.1.2) from the address pool. For example, when Connection2 is forwarded out, its source IP address will be translated into the second public IP address (61.2.1.2) from the public IP address pool. So the translated IP address (61.2.1.2:7896) is different from that of Connection1 (61.2.1.1:2933).
7.5.3 One-to-One type
Figure 7-6 NAT One-to-One type
As Figure 7-6 above illustrates, the NAT One-to-One type means that each local PC is translated into a unique public IP address when its packets are forwarded out through the DFL-1500. Take Connection1 for example: its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933.
WAN to LAN/DMZ traffic.
firewall rule to allow WAN to LAN (or DMZ) traffic to be forwarded. Then you can finish the settings. Be careful when using this type, or it will endanger your network security.
Table 7-5 The NAT type comparison
Chapter 8 Routing
This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how the DFL-1500 implements routing and how to use it, we zoom in on the left part of Figure 2-1 into Figure 8-1 and add some devices for the description.
FIELD / DESCRIPTION / Range / Format / EXAMPLE
Type: Determines whether this static routing entry record is for multiple hosts (Net) or a single host (Host). Range: Net / Host
Destination: The destination IP address of this static routing entry record. Format: IPv4. Example: 192.168.50.0
Netmask: The destination IP netmask of this static routing entry record. Format: IPv4. Example: 255.255.255.0
Gateway: The default gateway of this static routing entry record. Format: IPv4. Example: 192.168.40.253
Table 8-1 Add a static routing entry
Step 3.
Source IP field. Fill 255.255.255.192 in the Netmask field. In the Action region, fill in forward to WAN1 with next-hop gateway 210.2.1.6. After setting as above, the packets which match the condition will follow the predefined action and be forwarded to the next hop.
FIELD / DESCRIPTION / Range / Format / EXAMPLE
Activate this rule: Whether the policy routing rule is enabled or not. Range: Enabled / Disabled. Example: Enabled
Status
Rule name: The policy routing rule name. Format: text string. Example: GenlManaRoom
Incoming packets...
Finally click "Routing Table" to see all the current routing table information. Note that the policy routing entries will not be shown in this screen; they appear only in the policy routing page shown in the previous step.
The priority of the routing
As we know, there are many choices in the routing settings according to your requirements. As Table 8-3 below indicates, the smaller the priority sequence, the earlier it is executed when the routing policy runs.
The number of each routing direction indicates the example described in Table 8-3 above.
Figure 8-2 The routing decision of DFL-1500/DFL-900
Chapter 9 IP/Services grouping
This chapter introduces group functions and explains how to edit them.
Demands
You want to group some similar IP addresses to make it easier to edit the firewall rules.
BASIC SETUP > Books > Address > Objects settings
After entering the Address object, we add the other two address objects. The result is shown in the "Object" page.
Note: Address objects for the other interfaces are set up in the same way.
Step 4. Address Group Settings
BASIC SETUP > Books > Address > Group
You can add, edit, and delete all other address definitions as required. You can also organize related addresses into an address group to simplify firewall rule creation.
Step 6. View the address group result
BASIC SETUP > Books > Address > Group
According to our settings in the previous steps, the address group is shown as in the diagram on the right.
9.4.2 Setup Service
Step 1. Service Settings
BASIC SETUP > Books > Service > Objects
The DFL-1500 predefined firewall services are listed as in the diagram on the right. You can add these services to any firewall rule, or you can add a service if you need to create a firewall rule for a service that is not in the predefined service list.
Select the services from the available services list and click the right arrow to copy them to the Members list. If you would like to remove services from the Members list, just select the services and then click the left arrow to remove them.
FIELD / DESCRIPTION / Range / Format / EXAMPLE
Group Name: The service group name. Note that the group name should be an alphanumeric value (including dash '-' and underscore '_') and can start with a letter. Format: text string...
Spaces and other special characters are not allowed.
BUTTON / DESCRIPTION
->: Add the selected address object to the schedule group.
<-: Remove the selected address object from the schedule group.
Table 9-8 Define the schedule group
Chapter 10 Firewall
This chapter introduces the firewall and explains how to implement it.
10.1 Demands
Administrators detect that PC1_1 in LAN_1 is doing something that may hurt our company and want to instantly block its traffic towards the Internet.
Edit __ to __ rules: The direction of rules to configure. Range: WAN/LAN/DMZ. Example: WAN1 rules
Default action for this packet direction: Decide the default policy of the firewall rule. Range: Forward / Block. Example: Forward
Decide the default log policy of the firewall rule. Range: Log / Don't log. Example: Don't log
BUTTON / DESCRIPTION
Prev. Page: If there is more than one page of rules, you can press Prev. Page to go back to the previous page.
Next Page: If there is more than one page of rules, you can press Next Page to go to the next page.
"RM-<method>": The log is produced by the remote management function (usually it is an illegal user who wants to use the remote management functions that are not opened).
"Rule-Name": The log is produced by the firewall rule with this name.
Table 10-4 Firewall log field description
Log Message: 6 2004-11-30 10:50:18 blocked 192.168.17.173,4161 140.112.1.1,1863 TCP LAN2 WAN1...
Description: The firewall log is number 6. At the specified time (2004-11-30 10:50:18) the firewall blocked the packet which came from source IP address/port 192.168.17.173:4161 to destination address/port
Table 10-6 Setup the thresholds of Anti-DoS
Step 2. View Anti-DoS Logs
DEVICE Status > Firewall Logs > Anti-DoS Logs
When there are any DoS attacks through the DFL Firewall, it will block the attack packets and log them as in the diagram on the right.
Chapter 11 IP/MAC Binding
This chapter introduces how to restrict local PC access according to their MAC addresses.
11.1 Demands
Your company would like to protect some servers or users from having their IP addresses snatched by others, and to control which computers are accepted or denied by the IP/MAC rules.
FIELD / DESCRIPTION / Range / Format / EXAMPLE
Activate this rule: Activate the IP/MAC binding rule. Range: Enabled/Disabled. Example: Enabled
Rule name: The name of the IP/MAC binding rule. Note that the rule name should begin with a letter, followed by letters/digits/dashes. Format: text string. Example: MyPC
Rule Type: The "Binding" type of IP/MAC rule combines the IP address with the MAC address to decide whether a packet is passed or blocked by the DFL-1500. The "Allow range" type depends on the IP range to decide whether packets can pass or not. Range: Binding / Allow Range. Example: Binding
IP/MAC binding status to "Block" to prohibit invalid IP addresses from passing through the DFL-1500.
Step 7. Show the IP/MAC binding rule
Advanced Setting > IP/MAC binding > Show Rules
After finishing the setting, you can view the result as shown in the diagram on the right.
12.2.4 IPSec Algorithms There are two types of the algorithms in the IPSec, including (1) Encryption Algorithms such as DES (Data Encryption Standard), and 3DES (Triple DES) algorithms, and (2) Authentication Algorithms such as HMAC-MD5 (RFC 2403), and HMAC-SHA1 (RFC 2404).
12.2.5 Key Management
Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.
- IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA, and the second phase uses that SA to negotiate SAs for IPSec.
The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authentication properties are limited compared to AH because the IP header information is not included in the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
12.3 Make VPN packets pass through DFL-1500
Figure 12-1 Enable the Pass Through feature of DFL-1500
Sometimes there are VPN devices in your network topology.
/ L2TP pass through checkbox on this page. Then the VPN connections of IPSec / PPTP / L2TP will pass through the DFL-1500, and the DFL-1500 will play the role of the middle forwarding device. For the IPSec/PPTP/L2TP description, please refer to the later individual chapters.
Chapter 13 Virtual Private Network – IPSec
This chapter introduces IPSec VPN and explains how to implement it. As described in Figure 2-1, in this chapter we will extend the topology to explain how to make a VPN link between LAN_1 and LAN_2.
DESCRIPTION / EXAMPLE
Use the IKE (Internet Key Exchange) method to negotiate the key used in building the IPSec tunnel. Example: Selected
Manual Key: Use the key which you have designated to build the IPSec tunnel in the peer VPN device. Example: Not selected
BUTTON / DESCRIPTION
Prev. Page: If there is more than one page of actions, you can press Prev. Page to go back to the previous page.
Next Page: If there is more than one page of actions, you can press Next Page to go to the next page.
User FQDN (mail box)
Peer's Identifier: Fill in the information of the peer VPN device in this field. The filled information will be provided for the IPSec tunnel establishment. Range: IP Address / FQDN (domain name) / User FQDN (mail box). Example: IP Address
ESP Algorithm: The Encryption and Authentication Algorithms may be grouped by the items or executed separately. Range: Encrypt and Authenticate (DES, MD5) / Encrypt and Authenticate (DES, SHA1) / Encrypt and Authenticate (3DES, MD5) / Encrypt and Authenticate (3DES, SHA1)
IKE SA Life Time: Set the IKE SA lifetime. A value of 0 means SA negotiation never times out. See Chapter 12 for details. Range: 0~86400000 sec / 0~1440000 min / 0~24000 hour. Example: 28800 sec
Key Group: Choose the Diffie-Hellman public-key cryptography key group. Range: DH1 / DH2 / DH5
Phase2
Encapsulation: View only; it is set previously and cannot be edited again. Range: Cannot be edited. Example: Tunnel
DFL-1500, and accomplish the VPN tunnel establishment.
At DFL-2: Here we will install the IPSec properties of DFL-2. Note that the "Local Address" and "Remote Address" fields are opposite to those of DFL-1, and so are the "My IP Address" and "Peer's IP Address" fields.
Step 1. Enable IPSec
ADVANCED SETTINGS > VPN Settings > IPSec
Check the Enable IPSec checkbox and click Apply.
Step 2. Add an IKE rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE
Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNB (192.168.40.0), and Dest. IP as LAN1_VPNB (192.168.88.0). Click Apply to store this rule. If you have not yet configured the Source IP, Dest IP or Service objects, please refer to Chapter 9 for the setting information first.
Step 7. View the result
ADVANCED SETTINGS > Firewall > Edit Rules
Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will...
Remote Address Type: Remote Address of the VPN, using the remote subnet or a remote single host. Range: Subnet Address / Single Address. Example: Subnet Address
IP Address: The remote IP address. Format: IPv4. Example: 192.168.88.0
PrefixLen / Subnet Mask: The remote IP netmask. Format: IPv4. Example: 255.255.255.0
Page 127
DFL-900/1500 User Manual Chapter 13 Virtual Private Network – IPSec Outgoing The WAN interface you are going to build IPSec WAN interfaces WAN1 Interface tunnel with. The IP address of remote site device, like Peer’s IP Address IPv4 format 210.2.1.1 DFL-1500 VPN/Firewall Router.
Page 128
Step 7. Customize the Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert): Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNA (192.168.88.0), and Dest. IP as LAN1_VPNA (192.168.40.0). Click Apply to store this rule.
Step 8. View the result (ADVANCED SETTINGS > Firewall > Edit Rules): Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500.
(ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add) After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule.
Step 5. Add a Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules): Same as in the IKE method. Please make sure that the Firewall is enabled. Select WAN1-to-LAN1 to display the rules of this direction. The default action of this direction is Block with Logs.
Chapter 14 Virtual Private Network – Dynamic IPSec
This chapter introduces Dynamic IPSec VPN and explains how to implement it. In the previous chapter, we introduced the static address method of IPSec. In this chapter, we extend it to explain how to make a dynamic VPN link between LAN_1 and LAN_2.
Advanced button on this page. Otherwise it is fine to just leave the default value. Note that the Peer’s Identifier must NOT be of the IP Address type in the Dynamic IP case. So you have to select FQDN (domain name) or User FQDN (mailbox) as the Peer’s Identifier.
Step 11. Detailed settings of IPSec IKE (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced): On this page, we set the detailed values of the IKE parameters.
Here we will configure the IPSec properties of DFL-2. Note that the “Local Address” and “Remote Address” fields are the opposite of those on DFL-1, and so are the “My IP Address” and “Peer’s IP Address” fields.
Step 1. Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec): Check the Enable IPSec checkbox and click Apply.
Step 2. Add an IKE rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE): Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
(ADVANCED SETTINGS > Firewall > Edit Rules) Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully access 192.168.88.0/24 through the VPN tunnel.
Chapter 15 Virtual Private Network – Hub and Spoke VPN
This chapter introduces Hub and Spoke VPN and explains how to implement it. As described in Figure 2-1, in this chapter we extend the setup to make a VPN link between the Main Office (the hub) and the branches.
Table 15-1 The IKE tunnel configuration (the same values apply to all four tunnel endpoints):
Encrypt and Authenticate (DES, MD5)
AH Algorithm: Not selected
Pre-Shared Key: 1234567890
Configuring the VPN Hub for Main Office
Step 1. Add a Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules): Suppose the Main Office has already added two VPN tunnels to communicate with two branch offices.
Customize a Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert): Enter the Rule Name as AllowVPN, Source IP as Hub-Spoke2 [Hub (192.168.1.0), Spoke_2 (192.168.88.0)], and Dest. IP as Spoke_1 (192.168.40.0). Click Apply to store this rule.
Step 3. Add a VPN Spoke in Branch_1 (ADVANCED SETTINGS > VPN Settings > VPN Spoke > Add): Select Add to add a VPN Spoke. Enter a name in the Spoke Name field.
Please refer to Table 15-1 for the IPSec tunnel information.
Step 4. View the added VPN Spoke (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced): You can view the added VPN spoke here.
Chapter 16 PPTP Client with PPTP Server
This chapter introduces how to build a site-to-site VPN using a PPTP client and a PPTP server.
16.1 Demands
In our branch office, we need to provide secure connection methods for internal company employees to connect back to headquarters.
The designated account which allows the PPTP client to dial in. Example: PptpUsers.
Password: The designated password which allows the PPTP client to dial in. Example: Dif3wk.
Assigned IP: The IP address allocated when the PPTP client connects to the PPTP server. Example: 192.168.40.180.
Table 16-1 Setup PPTP Client settings
Step 2. Add a static routing entry (ADVANCED SETTINGS > Routing > Static Route): Add a static routing entry so that all packets destined for 192.168.40.0/255.255.255.0 are routed through the assigned IP address (192.168.40.180).
Chapter 17 Remote Access VPN – PPTP
This chapter introduces PPTP and explains how to implement it.
17.1 Demands
One employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is PC1_1 in LAN_1 instead of DMZ_1, so he cannot directly access the host simply with virtual server settings.
Next.
7. In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next.
8. Set Connection Availability to Only for myself and select Next.
9. Select Finish.
Customize the VPN Connection
1. Right-click the icon that you have created.
2. Select Properties > Security > Advanced > Settings.
3. Select No Encryption from the Data Encryption list and click Apply.
Chapter 18 Remote Access VPN – L2TP
This chapter introduces L2TP and explains how to implement it.
18.1 Demands
One employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is PC1_1 in LAN1 instead of DMZ1, so he cannot directly access the host simply with virtual server settings.
The end of the IP address range from which users are allowed to dial in to the LNS server using the L2TP protocol. Example: 211.54.63.5.
Username: The account which allows the L2TP client user to dial in to the DFL-1500. Example: L2tpUsers.
Password: The password which allows the L2TP client user to dial in to the DFL-1500. Example: Dif3wk.
Table 18-1 Setup L2TP LNS Server settings
Step 2. Setup Windows XP/2000 L2TP clients
Configuring an L2TP Dial-Up Connection
1. Configure an L2TP dial-up connection.
2. Go to Start > Control Panel > Network and Internet
Note that in the DFL-1500 release II version, both PPTP and L2TP can support MPPE.
Connecting to the L2TP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.
Chapter 19 Remote Access VPN – DS-601 VPN client
This chapter introduces Remote Access VPN using the DS-601 VPN client and explains how to implement it. As described in Figure 2-1, in this chapter we extend the setup to make a VPN link between LAN_1 and a remote client.
IP Address choose either Algorithm Algorithm, or the system will show an error message. If you want to set the detailed items of the IKE parameters, click the Advanced button on this page. Otherwise it is fine to just leave the default values.
Step 4. Detailed settings of IPSec IKE (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced): On this page, we set the detailed values of the IKE parameters.
WAN1_ds601 (61.64.148.197 / 255.255.255.255) to pass through the DFL-1500 and accomplish the VPN tunnel establishment.
At the DS-601 VPN client: Here we will introduce how to set up the DS-601 VPN client properties. Before that, please install the DS-601 VPN client on the remote client first.
Step 1. Enter a Connection Name (Configuration > Profile Settings > New Entry): Enter DFL-1500 in the connection name field and click Next to proceed.
Step 2. Select Link Type (Configuration >...)
Pre-shared Key (Configuration > Profile Settings > New Entry): Enter 1234567890 in the Shared secret field and retype it in the Confirm secret field. Select IP Address and enter 61.64.148.197 as the Type and ID in the Local identity area.
Step 5. General information (Configuration > Profile Settings > Configure > General): After finishing the previous settings, we can view the general information here.
Step 6. IPSec General Settings (Configuration >...)
(Configuration > Profile Settings > Configure > IPSec General Settings > Policy editor > IKE Policy) Enter DFL-1500[DES-MD5] as the IKE Policy name. Select DES/MD5/DH-Group 2 [1024 Bit] in the Encryption/Hash/DH Group field. Click OK to finish the settings.
Step 9. Setup IPSec Policy (Configuration > Profile Settings > Configure > IPSec General Settings > Policy editor > IPSec Policy): Enter DFL-1500[DES-MD5] as the IPSec Policy name. Select DES and MD5 in the Transform and Authentication fields.
Pre-shared key are correct. If yes, click OK to finish the settings.
Step 12. IP Address Assignment (Configuration > Profile Settings > Configure > IP Address Assignment): Select Use local IP address and then click OK to finish this setting.
Step 13. Setup Remote Networks (Configuration > Profile Settings > Configure > Remote Networks): Enter the IP network address 192.168.40.0 and subnet mask 255.255.255.0, and then click OK to finish the settings.
Chapter 20 Remote Access VPN – Windows client
This chapter introduces Remote Access VPN using the Windows client and explains how to implement it.
20.1 Demands
Suppose an employee often works at home; he will need to access the resources inside the company. The topology is illustrated in Figure 20-1.
Enter the related IPSec parameters in the suitable fields. For the field descriptions, please refer to Table 13-4 for details. Note that because the remote client is just a single WinXP machine, we select Single Address in the Remote Address Type field.
Step 2. Edit the detailed settings of the IPSec rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced): Fill in the detailed settings as shown in the diagram on the right side.
From the Windows desktop, go to Start > Run, type mmc in the Open textbox, and click OK.
Step 2. Add Snap-in: On the Console window, click Add/Remove Snap-In.
Step 3. Add a Standalone Snap-in: In the Add/Remove Snap-In dialog box, click Add.
Step 4. Add the “Computer Management” snap-in: In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add.
Step 5. Verify the Local Computer is selected: Verify that Local Computer (default setting) is selected, and click Finish.
Step 10. Verify the Local Computer is selected: Verify that Local Computer (default setting) is selected, and click Finish.
Step 11. Close the Add/Remove Snap-in windows: Close the Add Standalone Snap-in dialog box, and then close the Add/Remove Snap-in dialog box.
Step 12. Finish console creation: After finishing the previous steps, we have selected three snap-in components in the mmc console.
20.4.3 Create an IPSec policy
Step 1. Run secpol.msc: From the Windows desktop, go to Start >...
Edit policy properties: A dialog window will come up for you to configure two filter rules for this policy. Click the General tab and click the Advanced button to set up the IPSec phase1 parameters.
Step 7. Key Exchange Settings: Click Methods to proceed.
Step 8. Delete the extra items: In this diagram, we are going to specify the phase1 parameters of the IPSec rule at the WinXP. Set up the DFL-1500 IPSec phase1 with DES-MD5-DH1 (please refer to Section 20.4.1),...
Address, and enter the IP address of WinXP (ex. 211.54.27.6). For the Destination address, choose A specific IP Subnet, and enter the IP address and Subnet mask of the local subnet (ex. 192.168.40.0/255.255.255.0). Uncheck the Mirror check box. Click OK to continue.
Step 5. Edit protocol filter properties: Click the Protocol tab. Leave the protocol type as Any.
Step 6. Edit the description of filter properties: Click the Description tab. You can give a name to this filter list.
In the Source address, choose A specific IP Subnet, and enter the IP address and Subnet mask of the local subnet (ex. 192.168.40.0/255.255.255.0). For the Destination address, choose A specific IP Address, and enter the IP address of WinXP (ex. 211.54.27.6). Uncheck the Mirror check box. Click OK to continue.
Step 4. Edit protocol filter properties: Click the Protocol tab. Leave the protocol type as Any.
Step 5. Edit the description of filter properties: Click the Description tab. You can give a name to this filter list.
WinXP to DFL-1500.
Step 2. Tunnel Settings: Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is the DFL-1500 (61.2.1.1).
Step 3. Connection Type: Click the Connection Type tab, and then click All network connections.
Step 4. Edit the filter action of the WinXP to DFL-1500 IP filter list: Click the Filter Action tab, then click Add to add a new Filter Action.
Step 5. Set the properties of Security...
IPSec phase2 at the DFL-1500.
Step 8. New Filter Action Properties: Click the General tab. Give a name to the filter action, for example DES-MD5, and click OK.
Step 9. Filter Action: Select the filter action (DES-MD5) you just created.
Step 10. Authentication Methods: Click the Authentication Methods tab, and then click Add.
Step 11. Select authentication methods: Select the Use this string (pre-shared key) option, and enter the string 1234567890 in the text box.
Click the IP Filter List tab. Select the filter list you created above from the IP Filter List (DFL-1500 to WinXP).
Step 3. Tunnel Settings: Click the Tunnel Setting tab, and then enter the remote endpoint. For this filter list, the remote IPSec endpoint is WinXP (211.54.27.6).
Step 4. Connection Type: Click the Connection Type tab, and then click All network connections.
Step 5. Filter Action: Click the Filter Action tab, and then select the filter action (DES-MD5) you just created.
Use the pop-up menu to assign the security rule which we have configured.
Step 2. Finish all the settings of WinXP: After the above configurations, you can now use WinXP to connect back to the company network behind the DFL-1500 device.
Chapter 21 Content Filtering – Web Filters
This chapter introduces web content filters and explains how to implement them.
21.1 Demands
Figure 21-1 Use web filter functionality to prevent users from browsing forbidden web sites
As Figure 21-1 above illustrates, someone (PC1_1) is browsing the web pages at WebServer3.
Set up content filtering for web objects such as cookies and Java applets. Set up content filtering for URL requests. For each URL, check the pre-defined upgradeable URL database, the self-entered forbidden domains, and the self-entered keywords to determine whether the URL is allowed.
21.4 Steps
Step 1. Enable Web Filter (ADVANCED SETTINGS > Content Filters > Web Filter > Web): Check the Enable Web Filter checkbox and click the Apply button on the right side.
Apply: Apply the “Exempt Computers” radio button selected above.
Add the specified IP range filled in the “Range From” field above.
Delete: Delete the specified IP range filled in the “Range From” field above.
Table 21-2 Web Filter Exempt Zone setting page
Step 3. Customize the specified sites (ADVANCED SETTINGS > Content Filters > Web Filter > Customize): Check Enable Filter List Customization to allow all accesses to the Trusted Domains while disallowing accesses to the Forbidden Domains.
Internet using a browser. The contents of the URL will be a text string block.
BUTTON DESCRIPTION
Apply: Apply the setting configured on the checkbox.
Add the Keyword to the list.
Delete: Delete the selected keyword from the list.
Table 21-4 Web Filter Domain Name setting page
Step 5. Customize Categories (ADVANCED SETTINGS > Content Filters > Web Filter > Categories): With the built-in URL database, the DFL-1500 can block web sessions towards several pre-defined Categories of URLs. Check the items that you want to block or log.
English language. Example: blood.
BUTTON DESCRIPTION
Apply: Apply the settings which have been configured.
Add the Keyword to the list.
Delete: Delete the Keyword from the list.
Table 21-7 Web Filter Content Keywords setting page
21.5 Priority of web filter functions
The priority of the web filter functions is shown in Figure 21-3 below. From the leftmost feature (Exempt Zone) to the rightmost feature (Keyword), their priority runs from high to low.
Web page contents (Web Filter > Features, Web Filter > Keyword): the features indicated in “Web Filter > Features”, or the keywords indicated in “Web Filter > Keyword”. The forbidden components will be removed from the web page by the web filter.
Table 21-8 Web filter features priority
Chapter 22 Content Filtering – Mail Filters
This chapter introduces SMTP proxies and explains how to implement them.
22.1 Demands
Sometimes malicious scripts such as *.vbs files may be attached to email. If users accidentally open such files, their computers may be infected with a virus.
LAN-to-DMZ/WAN SMTP connections. All such SMTP traffic will be examined to change the filename extension from vbs to vbs.bin. Note that the filename to block cannot contain the characters “ /, \, *, ?, “, <, >, | ”.
Step 3 – Customize the local zones (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP Exempt Zone): You can configure the range of the local zones to which the filters will apply. By default, the web filters apply to all computers, so the “Enforce SMTP...
Click “Include ……” and Apply if you want the web filters to apply only to the specified ranges. Click “Exclude ……” and Apply if you want the web filters to apply to all computers except the specified ranges.
Chapter 23 Content Filtering – FTP Filtering
This chapter introduces FTP proxies and explains how to implement them.
23.1 Demands
Some users in LAN1 use FTP to download big MP3 files and waste bandwidth.
FTP server.
Blocked Type: Extension Name / Full Name. Example: Extension Name.
Full Name: When the exact filename of the downloaded file matches, the download from the FTP server is blocked.
Table 23-2 FTP Filter: adding an FTP filter entry
Step 3. View the result (ADVANCED SETTINGS > Content Filters > FTP Filter > FTP): We can see the specified record on this page.
FIELD DESCRIPTION Range / Format EXAMPLE...
If there is more than one page, you can press Next Page to go to the next page.
Apply: Apply the configured settings.
Create an exempt zone.
Delete: Delete the indicated exempt zone.
Table 23-5 Add FTP filter exempt zone
Chapter 24 Intrusion Detection Systems
This chapter introduces the Intrusion Detection System (IDS) and explains how to implement it.
24.1 Demands
Even though we have already configured the firewall rules, it is still not enough. Crackers may hack into our system through firewall-allowed channels with sophisticated skills.
Select the Log Schedule for emailing the logs to your email server.
Step 3 – View logs (DEVICE STATUS > IDS Logs): If there are attacks towards the WAN port from the public Internet, there will be logs describing the details.
Step 4 – Update Attack Patterns (System Tools > Database Update > Update): IDS attack patterns require frequent updates because there are many new attacks every week. Please go to System Tools > Database Update >...
Chapter 25 Bandwidth Management
This chapter introduces bandwidth management and explains how to implement it.
25.1 Demands
Figure 25-1 Use the bandwidth management mechanism to shape the data flow in the downlink direction
As Figure 25-1 above illustrates, we hope LAN_1 users can watch the Video Stream Server smoothly. Besides, we...
PCs in LAN_1 need smooth stream quality, which requires at least 1% of the LAN1 total bandwidth (1000 kbps). Besides, we have another web server located in the DMZ region. Because the web server is located in the local area, we can assign a larger bandwidth to this direction (web traffic from DMZ to LAN).
The remaining bandwidth is named Other traffic. It is reserved for other ANY to LAN1 data transmission not listed in the Figure 25-1 diagram above. Reserve at least 600 kbps for the LAN_1 to LAN_2 transfer. The LAN_1 PCs can share about 20% (308 kbps) for using E-Commerce Services.
Edit __ to __ classes: Select the direction whose classes you are going to configure. Options: ANY to WAN/LAN/DMZ. Example: Edit ANY to LAN1 classes.
Interface Bandwidth: Fill in the real bandwidth of the interface in the direction above. Range: 10 to 100000 kbps. Format: __ kbps. Example: 100000 kbps.
BUTTON DESCRIPTION
Prev. Page: If there is more than one action page, you can press Prev. Page to go back to the previous page.
Next Page: If there is more than one action page, you can press Next Page to go to the next page.
Click Insert to insert a rule before the default rule.
Note: Regarding the above field description, please refer to Table 10-2 Add a firewall rule for details.
Step 6. Customize the Rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert): Enter a rule name such as web-from-WAN, select the Source IP as WAN1_ALL and the Dest. IP as LAN1_ALL. Besides, make sure the service is HTTP (port 80) because this is a web service.
Note: In the Action region, the web-from-DMZ class was edited in the previous Step 4.
Step 10. View the results (ADVANCED SETTINGS > Firewall > Edit Rules): We can see the result of our settings in the DMZ-to-LAN rule direction.
25.4.2 Outbound Traffic Management
Step 1. Enable Bandwidth Management (ADVANCED SETTINGS > Bandwidth Mgt. > Status): Check the Enable Bandwidth Management checkbox and click Apply.
Step 2. Setup the WAN1 Link (ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions): Select ANY to WAN1 to set up the traffic that will be transmitted by the WAN1 interface.
LAN_1-to-LAN_2 queue (617 kbps). Here we reserve 40% of the WAN1 bandwidth for the LAN_1 to LAN_2 VPN data, to guarantee the data communication over the VPN. The other traffic will be put into the def_class queue (any available bandwidth).
Chapter 26 High Availability
This chapter introduces High Availability and explains how to implement it.
26.1 Demands
Figure 26-1 Use the High Availability mechanism to keep the network connection continuous
As Figure 26-1 above illustrates, your company is afraid that the firewall may crash someday, so it needs a backup system to keep the network connection continuous.
The interface which the HA devices will connect to. Options: LAN1/LAN2/DMZ. Example: LAN1.
IP Address: The IP address of the other HA device. IPv4 format. Example: 192.168.40.100.
BUTTON DESCRIPTION
Apply: Apply the settings which have been configured.
Table 26-1 Setup status page of High Availability
Step 2. Show the result in Web (ADVANCED SETTINGS > High Availability > Status): After you apply the High Availability feature, the Primary device will show a message telling you “Sync that...
Chapter 27 System Status
27.1 Demands
Since we have finished the settings of the DFL-1500, we need to gather the device information quickly. Then we can have an overview of the system status.
27.2 Objectives
We can learn the current situation easily through an integrated interface.
MAC Address: The MAC address of the specified host which gets its IP address by DHCP.
Leases Expires: The lease expiry time of the specified host which gets its IP address by DHCP.
Table 27-2 Field description of the DHCP table
Step 5. Routing Table (DEVICE STATUS > System Status > Routing Table): Click the Routing Table to see the routing table information of the DFL-1500.
FIELD DESCRIPTION
The type of this specified routing entry.
Source Address/Port, Destination IP Address/Port.
Step 8. IPSec Sessions (DEVICE STATUS > System Status > IPSec Sessions): If we use IPSec to establish a VPN with another device, we can view the IPSec tunnel information on this page.
Chapter 28 Log System
28.1 Demands
The System Administrator wants to know all the administration actions taken in the past, so that illegal system administration can be avoided. The System Administrator needs to check the logs of VPN, IDS, Firewall, and Content Filter every day, but he / she finds it inconvenient to verify the DFL-1500 logs.
Log Schedule: The schedule on which the mail logs will be sent out. Note that if you choose “Immediately”, it will increase the load of the DFL-1500 device, especially when many logs are being produced. Options: Immediately / Hourly / Daily / Weekly. Example: Daily.
Day for Sending Logs: When selecting Weekly in the “Log Schedule” field, we have to choose on which day the mail logs will be sent out in the “Day for Sending Logs” field. Options: Monday ~ Sunday. Example: Monday.
Chapter 29 System Maintenance
This chapter introduces how to do system maintenance.
29.1 Demands
The DFL-1500 is designed to provide upgradeable firmware and databases to keep up with the changing Internet. New features, new attack signatures and new forbidden URLs require timely updates to the DFL-1500. This chapter introduces how to upgrade your system with TFTP and the Web UI respectively.
29.3 Firmware upgrade from Web GUI
Step 1. Download the newest firmware from the web site. Firmware upgrade site: http://fwupdate.dlinktw.com.tw/ If new firmware is issued, we can download it from the web site (fwupdate.dlinktw.com.tw) to the local computer.
Step 2. Upgrade firmware (SYSTEM TOOLS > Firmware Upgrade > Firmware Upgrade): In the System Tools / Firmware Upgrade page, select the path of the firmware through the Browse button, and check Preserve Saved Configurations to keep the original settings.
We can restore the DFL-1500 configuration to the factory defaults by simply clicking the Apply button. Warning: Be careful using this function. It will make all your present configurations disappear, and the configuration will be restored to the factory default.
29.5.2 NORMAL factory reset
Step 1. Factory reset: In the CLI mode, enter sys resetconf now to reset the firmware to the factory default. Then the system will reboot automatically.
NetOS/i386 (DFL-1500) (tty00)
login: admin
The DFL-1500 powered off or rebooted: The configuration restoring will fail. After rebooting the DFL-1500, it will retain the original configuration, as if no configuration restoring had taken place.
Table 29-2 The result when an accident happens during the configuration restoring.
29.8 Reset password
Step 1. Enter the boot loader: If you forget the password, you can use the following way to reset the password.
>> NetOS Loader (i386), V1.5 (Fri Feb 20 10:25:11 CST 2004)
Press <TAB> to prompt - starting in 0
Appendix A Command Line Interface (CLI)
You can configure the DFL-1500 through the web interface (http/https) most of the time. Besides, you can use another method, the console/ssh/telnet method, to configure the DFL-1500 in an emergency. This is known as the Command Line Interface (CLI). By way of CLI commands, you can effectively set the IP addresses, reset the configuration to factory defaults, reboot/shutdown the system, etc.
Show system and network status.
tcpdump (tc): sys tcpdump INTF0 host 10.1.1.1 : Capture the information of the specified packets which pass through the indicated interface.
version (ver): sys version : Show the DFL-1500 firmware version.
Table A-2 Privileged mode of normal mode
A.3 CLI commands list (Rescue Mode)
The full tftp commands are described in the following Table A-3.
Prefix command / Postfix command / Example command / Command description
ip tftp upgrade / config FILENAME WORD / config conf-0101 192.168.1.170 / Upgrade the configuration file image from the tftp server.
Reboot system.
resetconf: sys resetconf now : Reset the system configuration to the default settings.
status (st): sys status : Show the mode name and firmware version.
version (ver): sys version : Show the firmware version.
Table A-5 Privileged mode CLI commands
Appendix B Trouble Shooting
What if the power LED of the DFL-1500 is off when I turn on the power?
Ans: Check the connection between the power adapter and the DFL-1500 power cord. If the problem persists, contact your sales vendor.
When you add a Firewall rule for the IPSec traffic, the Source IP and Netmask are the IP Address and PrefixLen/Subnet Mask from the Remote Address Type page of the IPSec policy, and the Dest IP and Netmask are the IP Address and PrefixLen/Subnet Mask from the Local Address Type page.
The following Figure B-1 and Figure B-2 show the DFL_A IPSec and Firewall settings; Figure B-3 and Figure B-4 show the opposite side, the DFL_B IPSec and Firewall settings. When you configure an IPSec policy, be sure to add a rule that lets the IPSec packets pass from WAN to LAN, and scope that rule to the tunnel's remote and local subnets rather than to any address.
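The Source/Dest mapping described above, turned into a small audit tool, as an added example that is not part of the manual or of D-Link's software: it derives the WAN-to-LAN pass rule an IPSec policy needs (Source = the policy's Remote address, Dest = its Local address), checks whether a decrypted packet would be accepted, flags an "any" rule as over-broad, and lists the rules a policy set still lacks. The IPSecPolicy and FirewallRule structures and all addresses are constructed assumptions of this example, not the appliance's data model.

```python
"""Derive the WAN-to-LAN firewall rule that an IPSec policy needs and audit a
rule set for it.

Added example; not code from the DFL-900/1500 manual or from D-Link. The
IPSecPolicy/FirewallRule structures and all addresses are constructed for
illustration and are assumptions of this example, not the appliance's data
model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class IPSecPolicy:
    name: str
    local_net: str   # Local Address Type page: IP Address + PrefixLen/Subnet Mask
    remote_net: str  # Remote Address Type page: IP Address + PrefixLen/Subnet Mask


@dataclass(frozen=True)
class FirewallRule:
    name: str
    inbound_if: str
    outbound_if: str
    src: ipaddress.IPv4Network  # Source IP / Netmask
    dst: ipaddress.IPv4Network  # Dest IP / Netmask
    action: str = "ACCEPT"


def to_network(text: str) -> ipaddress.IPv4Network:
    """Accept either '192.168.1.0/24' or '192.168.1.0/255.255.255.0', the two
    forms a PrefixLen/Subnet Mask field can hold."""
    return ipaddress.ip_network(text, strict=False)


def rule_for_policy(policy: IPSecPolicy) -> FirewallRule:
    """Build the WAN->LAN pass rule for a policy: Source = the policy's
    Remote address, Dest = the policy's Local address."""
    return FirewallRule(
        name=f"ipsec-{policy.name}-in",
        inbound_if="WAN",
        outbound_if="LAN",
        src=to_network(policy.remote_net),
        dst=to_network(policy.local_net),
    )


def rule_allows(rule: FirewallRule, src_ip: str, dst_ip: str) -> bool:
    """True if a decrypted packet src_ip -> dst_ip is accepted by the rule."""
    return (rule.action == "ACCEPT"
            and ipaddress.ip_address(src_ip) in rule.src
            and ipaddress.ip_address(dst_ip) in rule.dst)


def rule_is_overbroad(rule: FirewallRule) -> bool:
    """A WAN->LAN accept rule with an 'any' source or destination admits
    traffic that never came through the tunnel."""
    return rule.src.prefixlen == 0 or rule.dst.prefixlen == 0


def covers(rule: FirewallRule, needed: FirewallRule) -> bool:
    """Does an existing rule pass everything the needed rule would pass?"""
    return (rule.inbound_if == needed.inbound_if
            and rule.outbound_if == needed.outbound_if
            and rule.action == "ACCEPT"
            and needed.src.subnet_of(rule.src)
            and needed.dst.subnet_of(rule.dst))


def missing_rules(policies: Iterable[IPSecPolicy],
                  rules: Iterable[FirewallRule]) -> List[FirewallRule]:
    """Return the WAN->LAN rules the given policies need but the rule set
    does not yet contain."""
    existing = list(rules)
    return [needed for needed in (rule_for_policy(p) for p in policies)
            if not any(covers(r, needed) for r in existing)]


if __name__ == "__main__":
    # Constructed: DFL_A's policy towards DFL_B's LAN.
    policy = IPSecPolicy("A-to-B", "192.168.1.0/255.255.255.0", "192.168.2.0/24")
    for needed in missing_rules([policy], []):
        print(f"missing {needed.name}: {needed.inbound_if}->{needed.outbound_if} "
              f"src {needed.src} dst {needed.dst} {needed.action}")
```

Run the audit against the firewall rules exported from both units: each IPSec policy should yield no missing rule, and rule_is_overbroad should be false for every rule it reports as covering a tunnel.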
Lan-A and Lan-B may fail. But once either host (Lan-A or Lan-B) has finished pinging, the other host can continue pinging.
While I am upgrading firmware from local disk, the network is disconnected before the download is complete. What will happen in this situation?
Ans: In this circumstance, the DFL-1500 will reboot automatically and all configuration will remain as before.
While I am upgrading firmware from local disk, the download completes. After the md5 check, the screen shows "Upgrading kernel image".
Appendix C Rule entry limitation
The DFL-1500 web configuration limits the maximum number of rule entries you can enter. The following list is provided for your reference.
Permitted Maximum | Classification | Item | Refer section...
Appendix D System Log Syntax
In the DFL-1500, all administration actions are logged by the system. You can review all of your management actions in the System log (DEVICE STATUS > System Logs > System Access Logs). All system log descriptions follow the same syntax format.
Item | Description | EID
Updated ftp filter blocked file configuration | CONTENT: [C16] Updated ftp filter blocked file configuration by admin (192.168.17.100:443). | EID=19
FTP Filter blocking list updated | CONTENT: [C17] FTP Filter blocking list updated by admin (192.168.17.100:443). | EID=20
Web filter keyword added | CONTENT: [C18] Web filter keyword added by admin (192.168.17.100:443). | EID=21
Web filter keyword deleted | CONTENT: [C19] Web filter keyword deleted by admin (192.168.17.100:443). | EID=22
Enable web filter keyword matching | CONTENT: [C20] Enable web filter keyword matching by admin (192.168.17.100:443). | EID=23
Disable web filter keyword...
Item | Description
(item continued from the previous page) | SYSTEM: [S03] WAN1: Got PPPoE IP Address F63/255.255.255.0.
Startup/Shutdown DHCP Server | SYSTEM: [S04] Enable DHCP server on LAN1 by admin (192.168.17.102:443) / SYSTEM: [S04] Disable DHCP server on LAN1.
Startup/Shutdown HTTP Server | SYSTEM: [S05] HTTP started. / SYSTEM: [S05] HTTP stopped.
Startup/Shutdown HTTPS Server | SYSTEM: [S06] HTTPS started.
Startup TELNET Server |
Set Interface IP Address | SYSTEM: [S08] WAN1: IP Address: 192.168.17.102/255.255.255.0. (192.168.17.102:443).
IP Alias | SYSTEM: [S09] LAN1: Add IP address alias 192.168.1.2/255.255.255.0 by admin (192.168.17.102:443).
Update WAN NAT settings to Basic operation | SYSTEM: [S38] Update WAN NAT settings to Basic operation
Disable WAN NAT feature | SYSTEM: [S38] Disable WAN NAT feature
Update pass-through settings | VPN: [V1] Update pass-through settings
Deactivated IPSec | VPN: [V2] Deactivated IPSec
Activated IPSec |
Table D-2 All the System Log descriptions
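Because every description in Appendix D follows one syntax (CATEGORY: [CODE] message, optionally followed by "by admin" and the administrator's source address and port), the System Access Logs can be parsed mechanically and used for detection. The following is an added example, not code from the manual or from D-Link: it parses lines of that form and reports administrative changes made from any host other than an approved management workstation. The line format is inferred from the descriptions in Table D-2; the sample log lines and the allowed-host set are constructed for this example.

```python
"""Parse DFL-1500 system log descriptions and flag administrative actions
from unexpected management hosts.

Added example; not code from the DFL-900/1500 manual or from D-Link. The
line format  CATEGORY: [CODE] message [by actor] [(ip:port)].  is inferred
from the descriptions in Table D-2; the sample lines and the allowed
management host are constructed for this example.
"""
import re
from typing import Iterable, List, Optional

LOG_RE = re.compile(
    r"^(?P<category>[A-Z]+): \[(?P<code>[A-Z]\d+)\] "        # e.g. "CONTENT: [C16] "
    r"(?P<message>.*?)"                                       # the event text
    r"(?:(?: by (?P<actor>\w+))?"                             # optional " by admin"
    r" \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\))?"   # optional " (ip:port)"
    r"\.?$"
)

# Constructed sample, assembled from the descriptions in Table D-2.
SAMPLE_LOG = [
    "CONTENT: [C16] Updated ftp filter blocked file configuration by admin (192.168.17.100:443).",
    "SYSTEM: [S04] Enable DHCP server on LAN1 by admin (192.168.17.102:443)",
    "SYSTEM: [S05] HTTP started.",
    "SYSTEM: [S09] LAN1: Add IP address alias 192.168.1.2/255.255.255.0 by admin (192.168.17.102:443).",
    "VPN: [V2] Deactivated IPSec",
]

# Constructed: the one workstation from which admin changes are expected.
ALLOWED_MGMT_HOSTS = {"192.168.17.100"}


def parse_line(line: str) -> Optional[dict]:
    """Split one description into category, code, message, actor, ip and
    port; return None if the line does not follow the syntax."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["message"] = entry["message"].rstrip(".")
    entry["port"] = int(entry["port"]) if entry["port"] else None
    return entry


def admin_actions(lines: Iterable[str]) -> List[dict]:
    """Entries that record who made a change (they carry 'by <actor>')."""
    return [e for e in map(parse_line, lines) if e and e["actor"]]


def suspicious_admin_actions(lines: Iterable[str],
                             allowed=ALLOWED_MGMT_HOSTS) -> List[dict]:
    """Admin changes made from a source address outside the allowed set."""
    return [e for e in admin_actions(lines) if e["ip"] not in allowed]


if __name__ == "__main__":
    for e in suspicious_admin_actions(SAMPLE_LOG):
        print(f"{e['category']} {e['code']} from {e['ip']}:{e['port']} "
              f"by {e['actor']}: {e['message']}")
```

Feed the exported System Access Logs to suspicious_admin_actions with your own management host set; any hit is a configuration change from a host that should not have had the web interface open to it.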
Appendix E Glossary of Terms
CF (Content Filter) – A content filter is one or more pieces of software that work together to prevent users from viewing material found on the Internet. This process has two components.
The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security.
Appendix G Customer Support
Offices
Australia
D-Link Australia, 1 Giffnock Avenue, North Ryde, NSW 2113, Sydney, Australia. TEL: 61-2-8899-1800. FAX: 61-2-8899-1868. TOLL FREE (Australia): 1800-177100. URL: www.dlink.com.au. E-MAIL: support@dlink.com.au & info@dlink.com.au
Brazil
D-Link Brasil Ltda.