D-Link DFL-1500

Contents

1. Appendix E Index (most index entries are illegible in this scan; recoverable entries: SMTP 145, 146; IPSec 81, 85, 102, 109, 121; Key 82; Manual Key 85; PPTP 125; SA (Security Association) 81; VPN 81; further entries point to pages 14, 48, 49, 54, 55, 61, 81, 82, 83, 85, 129, 177, 178, 181, 185 and 211). Appendix F Hardware Detailed Description. 1.1.1.1 Dimensions: rack mount, 1U size, 146 mm H x 275 mm D x 203 mm W (8, 5.75, 10.1 in). 1.1.1.2 D-Link style. 1.1.2.1 CPU: Intel Celeron 1.2G. Memory: 256MB 168-pin SDRAM. Intel FW82801BA. Storage: CompactFlash 32MB (SanDisk). Hardware monitor: Super I/O hardware monitor IT8712F-A. Security processor: Safenet 1141 VPN accelerator board. WAN port / LAN port / DMZ port (figures as printed: 2 2 3 3).
2. Table of Contents (fragment; chapter and section titles that survive the scan are given, the rest are marked illegible):
   2.3 [illegible] 19; 2.3.1 [illegible] 19; [illegible] 19; [illegible] 21
   Chapter 3 Basic Setup 23: 3.1 Demands 23; 3.2 Objectives 23; 3.3 Methods 23; 3.4 Steps 23; 3.4.1 Setup [illegible] 23; 3.4.2 Setup DMZ [illegible] 25; 3.4.3 Setup [illegible] [page illegible]
   Chapter 4 System Tools 29: 4.1 Demands 29; 4.2 Objectives 29; 4.3 Methods 29; 4.4 Steps 33; 4.4.1 [illegible] 33; 4.4.2 [illegible] 36; 4.4.3 DNS Proxy Setting 37; 4.4.4 [illegible] 37; 4.4.5 [illegible] 38; 4.4.6 Change [illegible] 39
   Chapter 5 Remote Management 41: 5.1 Demands 41; 5.2 [illegible] 41; 5.3 [illegible] 42; 5.3.1 [illegible] 42; 5.3.2 [illegible] 42; 5.3.3 [illegible] 42; 5.3.4
3. Insert a new LAN1 to WAN1 Firewall rule: Rule name outVPN; Schedule Always; Condition: Source IP LAN1_outVPN, Service ANY, Dest IP WAN1_outVPN; Action: Forward and do not log the matched session; Forward bandwidth class LAN1 to LAN2; Reverse bandwidth class def_class; Back / Apply. ADVANCED SETTINGS > Firewall > Edit Rules (Status / Edit Rules / Show Rules / Attack Alert / Summary): Firewall > Show Rules, Show LAN1 to WAN1 rules. Packets are top-down matched by the rules. Page 1/1. 170 DFL-1500 User Manual. Chapter 22 High Availability. This chapter introduces High Availability and explains how to implement it. 22.1 Demands. [Figure 22.1: External Network; two DFL-1500 units with LAN1 IP / LAN2 IP 192.168.40.254 and 192.168.40.100; Internal Network. Use the High Availability mechanism to keep the network connection continuous.] 1. As Figure 22.1 illustrates, your company is afraid that the firewall may crash someday, so it needs a backup system to keep the network connected. High Availability makes it possible for the network in your company to operate smoothly. 22.2 Objectives. 1. Prepare two DFL-1500 devices and then let one be the primary firewall and the other a
4. IDS log entry: 2004-01-07 11:36:21, priority 2, SNMP AgentX/tcp request, Attempted Information Leak, TCP 192.168.17.150:48968 -> 192.168.17.175:705. Step 4 Update Attack Patterns (System Tools > Database Update > Update): IDS attack patterns require frequent updates because there are many new attacks every week. Please go to System Tools > Database Update > Update to update the IDS attack patterns. The DFL-1500 will connect to fwupdate.dlinktw.com.tw to fetch any new signatures. D-Link 158 DFL-1500 User Manual Chapter 20 Intrusion Detection Systems. 159 Part VII Bandwidth Management / High Availability. D-Link 160 DFL-1500 User Manual. Chapter 21 Bandwidth Management. This chapter introduces bandwidth management and explains how to implement it. 21.1 Demands. [Figure 21.1: DMZ 10.10.1.0/24 with a Web Server and a Video Stream Server behind a switch; LAN1 192.168.40.0/24; actions: ANY to LAN1, Web from DMZ 50 / 50 Mbps, other traffic. Use the bandwidth management mechanism to shape the data flow in the downlink direction.] 1. As Figure 21.1 illustrates, we hope LAN users can watch the Video Stream Server sm
5. Local Address: IP Address 192.168.88.0, Subnet Mask 255.255.255.0. Remote Address Type: Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0. Figure B.3 DFL_B: Insert a new IPSec policy (the Local Address of DFL_A). Firewall > Edit Rules > Edit: Edit WAN1 to LAN1 Firewall rule number 1; Status; Rule name AllowIPSecPkt; Schedule Always; Source IP WAN1_VPNB; Dest IP LAN1_VPNB; Reverse bandwidth class def_class. Figure B.4 DFL_B: Insert a new firewall rule in the WAN to LAN direction. 7. Why is the Source IP field of the System Logs blank? Ans: One reason is that you may have entered the Host Name followed by a space (like "DFL-1500 ") and entered the Domain Name string (like dlink.com) in firmware version 1.391B. The System Name is then presented as "DFL-1500 .dlink.com". After upgrading the firmware to a later version (e.g. 1.50R), the Source IP field of the System Logs appears blank. 8. When I ping an Internet host from the LAN/DMZ, I can't always finish the ping successfully. Sometimes it works, but sometimes it fails to ping the outside host. Ans: This may be caused by more than one host in the LAN/DMZ pinging the same host at the same time. If one host (Lan A) is pinging Internet host A (e.g. 140.106.100.1) and at the same time
6. Table 3.2 Configure DMZ network settings. Step 2 Setup LAN port (BASIC SETUP > LAN Settings > LAN1 Status): Here we are going to configure the LAN1 settings. Set up the IP Address and IP Subnet Mask and determine whether you would like to enable the DHCP Server. Then select the Routing Protocol. Click Apply to finish this setting. (Screen: LAN1 Status / LAN2 Status / IP Alias; IP Address 192.168.40.254; IP Subnet Mask 255.255.255.0; Enable DHCP Server; IP Pool Starting Address 192.168.40.100; Routing Protocol None.)
   IP Pool Starting Address: Specify the starting address of the DHCP IP address range (IPv4 format; 192.168.40.100).
   Pool Size (max size 253): Specify the number of DHCP IP addresses (1-253).
   Primary DNS Server: Specify the Primary DNS Server IP address of the DHCP information (IPv4 format; 192.168.40.254).
   Secondary DNS Server: Specify the Secondary DNS Server IP address of the DHCP information (IPv4 format; 0.0.0.0).
   Lease time: Specify the DHCP information lease time (7200).
   Routing Protocol: Determine whether to enable the dynamic routing protocol RIP, to receive RIP messages or to send out RIP messages (None / RIPv1In / RIPv1In/Out / RIPv2In / RIPv2In/Out / OSPF; None).
   OSPF Area ID: Specify the OSPF area ID number (IPv4 format or digit string, max 9 digits; N/A).
   Table 3.3 Configure LAN network settings (remaining screen values: 192.168.1.254, 0.0.0.0). D-Link 26 DFL-1500 User Manual Chapter 3 Basic Setup. 3.4.3 Setup WAN1 IP alias. Step 3 Add WAN1 IP alias (BASIC SETU
7. Tips: Type ? anytime you need help. Tips: To recover from corrupted firmware, set up the IP address and use tftp to install the new firmware. Console session: "DFL-1500> en", then "DFL-1500# sys resetconf now", after which the device prints "System will reboot now", "syncing disks... done", "rebooting". 25.6 Save the current configuration. Step 1 Backup the current configuration: After finishing the settings of the DFL-1500, be sure to press the Save button on this page to keep the running configuration (SYSTEM TOOLS > System Utilities > Save Configuration). 25.7 Steps for Backup/Restore Configurations. Step 1 Backup the current configuration: Before backing up your current configuration, make sure you have saved it as described in Section 25.6. Then open System Tools > System Utilities > Backup Configuration and click the Backup button to back up the configuration file to local disk. Step 2 Restore the previously saved configuration: In System Tools > System Utilities > Restore Configuration, click the Browse button to select the configuration file path first, and then click the Upload button to restore the configuration. (Screens: SYSTEM TOOLS > System Utilities > Backup Configuration / Factory Reset; SYSTEM TOOLS > System Utilities > Restore Configuration, example file CA20040316conf.bin, Upload.)
8. [Figure 2.1 Typical topology for deploying the DFL-1500: DHCP Server 3 on 10.1.1.1 (DMZ range 10.1.1.1-253); WAN2 IP 140.114.178.84 and WAN1 IP 61.2.1.4 via switches to the ISP; a VPN tunnel across the Internet; DFL-1 with LAN1 IP 192.168.40.254 and a second DFL-1500 with LAN IP 192.168.88.254; WebServer3 140.112.1.4, MailServer3 140.112.1.3, FTPServer3 140.112.1.5; LAN_1 192.168.40.1-253 (192.168.40.1 is a DHCP client); LAN 2 192.168.88.1-253 (hosts 192.168.88.1, 192.168.88.2).] Next we will introduce all the needed administration procedures in the following sections. D-Link 16 DFL-1500 User Manual Chapter 2 System Overview.
   1. Part II Basic Configuration: How to configure the WAN/DMZ/LAN port settings and user authentication.
   2. Part III NAT, Routing & Firewall: Introducing the NAT, Routing and Firewall features.
   3. Part IV Virtual Private Network: If you need to build a secure channel with your branch office, or wish to access inside company resources as usual while outside your company, the Virtual Private Network (VPN) function can satisfy you.
   4. Part V Content Filters: If you hope to restrict the web contents, mail attachments or downloaded ftp files from the intranet region, try this feature to fit your requirement.
   5. Part VI Intrusion Detection System: Use the Intrusion Detection System (IDS) to detect all the potential DoS attacks, worms and hackers from the Internet.
   6. Par
9. Condition, Netmask: whether the Source IP netmask is matched or not (IPv4 format; 255.255.255.0). Type: Determine which NAT method you are using in the specified NAT rule: Many-to-One, Many-to-Many, One-to-One or One-to-One bidirectional; refer to Section 7.5 for more information (Many-to-One). Action, Auto choose IP: Only works in the Many-to-One type; the public IP address will be assigned by the default WAN link from the WAN ports (Enabled/Disabled; Enabled). When the NAT type is not Many-to-One, we must specify the IP address/Netmask directly. Table 7.2 Add a NAT rule. 53 Part III NAT, Routing & Firewall. Step 5.b Insert a Many-to-Many Rule: If your ISP has assigned a range of public IPs to your company, you can tell the DFL-1500 to translate the private IP addresses into the pool of public IP addresses. The DFL-1500 will use the first public IP until it uses up all source ports for that public IP; it will then choose the second public IP from the address pool. Select Many-to-Many from the Type. Enter the subnet with an IP address and a netmask. The other fields are the same as those of Many-to-One rules. However, the DFL-1500 will no longer choose the device IP for you; it will choose the IP from the address pool you have entered. Step 5.c Insert a One-to-One Rule: Though you may have many public IP addresses for translation, you may want some private IPs to always use one public IP. In this
10. Manual Key settings: Outgoing Interface WAN1; Peer's IP Address 61.2.1.4; Outgoing SPI (hex) 2222; Incoming SPI (hex) 1111; Encapsulation Mode Tunnel; ESP Encryption DES (des / 3des / aes, 64 / 192 / 128,192,256 bits), Key (hex) 1122334455667766; ESP Authentication MD5 (md5 / sha1, 128 / 160 bits), Key (hex) [sample key illegible in the scan]; AH Authentication (md5 / sha1, 128 / 160 bits), Key (hex) empty; Advanced. ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add (tabs: IPSec / VPN Hub / VPN Spoke / PPTP / L2TP). Notes: 1. If you enable the firewall, please check whether the firewall rules would block packets in the tunnel. 2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets. 3. The source address/mask and the destination address/mask of the firewall rules are 192.168.40.0/255.255.255.0 and 192.168.88.0/255.255.255.0 respectively. 100 DFL-1500 User Manual. Step 5 Add a Firewall rule: Same as in the IKE method. Please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule. Step 6 Customize the Firewall rule: Enter the Rule Name as AllowVPN. So
11. Step 2 Check NAT Rules (ADVANCED SETTINGS > NAT > NAT Rules): As described above, the DFL-1500 has set the rules for the LAN/DMZ zones. They all belong to the Many-to-One (M-1) type, which maps many private addresses to the automatically chosen device WAN IP. When the interfaces change their IP, these rules do not require any manual modification for the changed public IP addresses; the rules reload the new settings automatically. Besides, you cannot insert or edit any rules under Basic mode. (Rule shown: Basic_DMZ1, LAN/DMZ to WAN, 10.1.1.254/255.255.255.0, Auto (device WAN IP), M-1.) Step 3 Switch the NAT Mode (ADVANCED SETTINGS > NAT > Status): Select Full Feature from the Network Address Translation Mode list and click Apply. After applying the setting, the page will highlight a warning saying that the rules are no longer automatically maintained by the DFL-1500. If you change the LAN/DMZ IP settings, you have to update the related rules manually yourself; otherwise hosts in your LAN/DMZ cannot establish connections to hosts on the WAN side. (Warning text on the page: if you modify the LAN/DMZ address settings you must manually reconfigure the related rules; buttons: Reset NAT rules, Reset Server rules.) D-Link 52 DFL-1500 User Manual Chapter 7 NAT. Step 4 Customize NAT Rules (ADVANCED SETTINGS > NAT > NA
12. [Figure 18.1: www.nthu.edu.tw at 140.114.x.x; PC1_1 192.168.40.1 and PC1_2 192.168.40.2 in LAN 1 (192.168.40.1-253); WebServer3 140.112.1.4, MailServer3 140.112.1.3, FTPServer3 140.112.1.5. Use the SMTP/POP3 filter functionality to prevent sensitive e-mail from being opened directly.] 147 Part V Content Filters. 18.4 Steps for SMTP Filters. Step 1 Enable SMTP Filters (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP): Check the Enable SMTP Proxy checkbox and click Apply. Table 18.1 Mail Filter SMTP setting page (FIELD / DESCRIPTION / EXAMPLE):
   Enable SMTP Proxy: Enable the SMTP Proxy feature of the DFL-1500 (Enabled).
   Filename extension: When the filename extension of an attachment matches, add the .bin extension to the attachment (append .bin to e-mail attachments whose filename extension matches).
   Exact filename: When the whole filename of an attachment matches the exact filename, add the .bin extension to the attachment.
   Step 2 Add an SMTP Filter (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP): Select "filename extension", enter vbs and click Add to add a rule. This rule will apply to all LAN to DMZ/WAN SMTP connections. All such SMTP traffic will be examined to change the filename extension from .vbs to .vbs.bin. Note that the filename to block cannot contain marks such as
13. System log event table (EID / event / category / log message):
   EID 21 | Web filter keyword deleted | CONTENT | C19: Web filter keyword deleted by admin@192.168.17.100:443
   EID 22 | Enable web filter keyword matching | CONTENT | C20: Enable web filter keyword matching by admin@192.168.17.100:443
   EID 23 | Disable web filter keyword matching | CONTENT | C21: Disable web filter keyword matching by admin@192.168.17.100:443
   EID 24 | Updated POP3 filter exempt zone configuration | CONTENT | C22: Updated POP3 filter exempt zone configuration by admin@192.168.17.100:443
   EID 25 | POP3 filter exempt zone added range from ... to ... | CONTENT | C23: POP3 filter exempt zone added range from 140.126.1.1 to 140.126.1.255 by admin@192.168.17.100:443
   EID 26 | Enable POP3 filter | CONTENT | C24: Enable POP3 filter by admin@192.168.17.100:443
   EID 27 | Disable POP3 filter | CONTENT | C25: Disable POP3 filter by admin@192.168.17.100:443
   EID 28 | POP3 Filter blocking list updated | CONTENT | C26: POP3 Filter blocking list updated by admin@192.168.17.100:443
   EID 29 | Updated SMTP exempt zone configuration | CONTENT | C27: Updated SMTP exempt zone configuration by admin@192.168.17.100:443
   EID 30 | SMTP filter exempt zone added range from ... to ... | CONTENT | C28: SMTP filter exempt zone added range from ... to ... by admin@192.168.17.100:443
   EID 31 | Enable SMTP filter | CONTENT | C29: Enable SMTP filter by admin@192.168.17.100:443
   EID 32 | Disable SMTP filter | CONTENT | C30: Disable SMTP filter by admin@192.168.17.100:443
   EID 33 | SMTP Fil
14. 20.3 Methods: 1. Specify where our Web server is located so that the IDS on the DFL-1500 can focus more on attacks against it. 2. Set up logs to be emailed to the specified email address when the log is full. You can also set daily or weekly emails to monitor the IDS logs periodically. 157 Part VI Intrusion Detection System. 20.4 Steps. Step 1 Enable IDS (ADVANCED SETTINGS > IDS > IDS Status): Check the Enable IDS checkbox and click the Apply button. Table 20.1 IDS option explanation (FIELD / DESCRIPTION / EXAMPLE): Enable IDS: Enable the IDS feature of the DFL-1500. When enabled, the built-in IDS will detect more than 2000 application-level attacks from the default WAN link. The attack signatures can be periodically updated (Enabled). Step 2 Setup Logs (DEVICE STATUS > Log Config > Mail Logs): Enter the Mail Server IP Address, the Mail Syslog Subject and the email address you want to receive the logs at. Select the Log Schedule for emailing the logs to your email server. Step 3 View logs (DEVICE STATUS > IDS Logs): If there are attacks towards the WAN port from the public Internet, there will be logs describing the details, for example: 2004-01-07 11:36:18, priority 3, ICMP PING Undefined Code, Misc activity, ICMP 192.168.17.150 -> 192.168.17.175; 2004-01-07 11:36:19, priority 3, ICMP Echo Reply Undefined Code, Misc activity, ICMP 192.168.17.175 -> 192.168.17.150; 2004-01-07 11:36:20, priority 2, SCAN SOCKS Proxy attempt, Attempted Information L
15. D-Link 190 DFL-1500 User Manual. Appendix A Command Line Interface (CLI). You can configure the DFL-1500 through the web interface (http/https) most of the time. Besides, you can use another method (console/ssh/telnet) to configure the DFL-1500 in an emergency. This is known as the Command Line Interface (CLI). By way of CLI commands you can effectively set the IP addresses, restore factory settings, reset, reboot, shut down the system, etc. Here we give a complete list of CLI commands for configuring the DFL-1500. A.1 Enable the port of the DFL-1500: If you prefer to use CLI commands, you can use them through the console, ssh or telnet. To use the ssh/telnet feature, you must enable remote management first. Enable the specified port so that you can log in from the configured port. Step 1 Enable remote management (SYSTEM TOOLS > Remote Mgt > TELNET; tabs: TELNET / SSH / WWW / HTTPS / SNMP / MISC): Check the selected port located in the telnet function, and customize the server port that the telnet service listens on. Step 2 Enable remote management (SYSTEM TOOLS > Remote Mgt > SSH): Check the selected port located in the ssh function, and customize the server port that the ssh service listens on. A.2 CLI commands list (Normal Mode): Subsequently we can use the console, ssh or telnet to connect to the DFL-1500. After logging in, the s
16. Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply. ADVANCED SETTINGS > Firewall > Edit Rules (Status / Edit Rules / Show Rules / Attack Alert / Summary): Firewall > Show Rules, Show WAN1 to LAN1 rules. Packets are top-down matched by the rules. Rule: Name AllowVPN, Schedule ALWAYS, Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Action Forward. Page 1/1. 105 Part IV Virtual Private Network. At DFL-2: Here we will install the IPSec properties of DFL-2. Note that the Local Address and Remote Address fields are the opposite of those on DFL-1, and so are the My IP Address and Peer's IP Address fields. Step 1 Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec; tabs: IPSec / VPN Hub / VPN Spoke / PPTP / L2TP): Check the Enable IPSec checkbox and click Apply. Step 2 Add an IKE rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE): Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint (columns: item / Status / Condition / Action). D-Link 106 DFL-1500 User Manual. Step 3 Customize the rule: Check the Active checkbox. Enter a name for this rule, like IKErule. Enter the Local IP Address 192.168.88.0/255.255.255.0 and the Remote IP Address 192.168.40.0/2
17. It means that if you use this port to connect to WWW.ORAY.NET, it will be free of charge. Table 4.6 System Tools DDNS setting page (FIELD / DESCRIPTION / EXAMPLE):
   Enable DDNS for WAN1: Enable the DDNS feature of the DFL-1500 (Enabled).
   Interface: Assign which interface's public IP address is registered with the DDNS server (WAN1).
   Service Provider: The domain address of the DDNS server. The DFL-1500 provides ten websites to choose from: WWW.DYNDNS.ORG, WWW.DHS.ORG, WWW.ORAY.NET, WWW.CHANGEIP.COM, WWW.ADSLDNS.NET, WWW.NO-IP.COM, WWW.DNS2GO.COM, WWW.3322.ORG, WWW.8SIP.NET and WWW.HN.ORG. If you choose WWW.ORAY.NET as the DDNS service provider, it will register the source IP address that connects to the DDNS server, which means the WAN1 IP address must be a public address (WWW.ORAY.NET).
   Hostname: The hostname registered with the DDNS server.
   Username: The username registered with the DDNS server.
   Password: The password registered with the DDNS server (123456).
   Port: The default port number for connecting to WWW.ORAY.NET free of charge (5050).
   D-Link 36 DFL-1500 User Manual Chapter 4 System Tools. 4.4.3 DNS Proxy setting. Step 1 Setup DNS Proxy (SYSTEM TOOLS > Admin Settings > DNS Proxy; tabs: Password / Time & Date / Timeout / Services / Interface / DNS Proxy): Check Enable DNS Proxy and click Apply to store the settings. From now on your LAN/DMZ PCs can use the DFL-1500 as their DNS server, as long as the DNS server for the DFL-1500 has been set in its WAN settings. F
18. Show WAN1 to LAN1 rules. Default action for this packet direction: Block, Log; Apply. Packets are top-down matched by the rules (columns: Name / Schedule / Source IP / Dest IP / Service / Action / Log). Page 1/1. 111 Part IV Virtual Private Network. Step 7 Customize the Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert): Enter the Rule Name as AllowDS-601, the Source IP as WAN1_ds601 (61.64.148.197) and the Dest IP as LAN1_VPNA (192.168.40.0). Click Apply to store this rule. Step 8 View the result (ADVANCED SETTINGS > Firewall > Edit Rules; Status / Edit Rules / Show Rules / Attack Alert / Summary): Here we have a new rule before the default firewall rule. This rule will allow packets from WAN1_ds601 (61.64.148.197/255.255.255.255) to pass through the DFL-1500 and accomplish the VPN tunnel establishment. At the DS-601 VPN client: Here we will introduce how to set up the DS-601 VPN client properties. Before that, please install the DS-601 VPN client on the remote client first. D-Link 112 DFL-1500 User Manual Chapter 13 Virtual Private Network (DS-601 VPN client). Step 1 Enter a Connection Name (Configuration > Profile Settings > New Entry): Enter DFL-1500 in the Name of the connection field and click Next to proceed. Connection Name: Enter the name of the c
19. Lan B is also pinging 140.106.100.1, then the pinging of Lan A and Lan B may fail. But when either host (Lan A or Lan B) has finished pinging, the other host can continue pinging. D-Link 198 DFL-1500 User Manual Appendix B Trouble Shooting. 9. While I am upgrading the firmware from local disk, the download is not complete but the network has been disconnected. What will happen in such a situation? Ans: Under this circumstance the DFL-1500 will automatically reboot and all configurations will remain as before. 10. While I am upgrading the firmware from local disk, the download is complete, and after the md5 check the screen shows "Upgrading kernel image". What will happen if the power is cut off suddenly? Ans: In almost all cases this will not cause the firmware to fail: the DFL-1500 will automatically reboot and all configurations will remain as before. But sometimes it will make the firmware fail. If the firmware fails, the DFL-1500 will automatically enter rescue mode when it reboots. You may need to do a factory reset and then restore your original configuration to the DFL-1500. Refer to the factory reset procedure of the DFL-1500 in Section 25.5; for the configuration restore procedure, please refer to Section 25.7. 11. After finishing the Content Filters > Web Filter settings, when I use a browser to test, why does the web page result not match the web filter configuration? Ans: Be sure that you have cleaned all the file cac
20. Start the SYN Flooding protection by statistically detecting half-open TCP connections. 9.4 Steps. 9.4.1 Setup Address. Step 1 Address Settings (BASIC SETUP > Books > Address > Objects; tabs: Address / Service / Schedule, Objects / Groups): Suppose you would like to configure a firewall rule; you must first add addresses to the address list for each interface. Click the Objects hyperlink and then select the interface. Click Insert to add a new address object. Step 2 Insert a new Address object: Enter the Address name. Select which address type the address object will be, and then enter the IP address. Note that the address name should begin with a letter, followed by letters, digits or dashes. Table 9.1 The fields of the Address object (FIELD / DESCRIPTION / Range Format / EXAMPLE):
   Address name: The name of the address object (PC1_1).
   Address Type: Host / Subnet / Range (Host).
   IP address: the address of the object (192.168.40.1).
   D-Link 68 DFL-1500 User Manual. Step 3 See the Address object settings: After entering the new Address object, the result is shown in the Object page. Note: Address objects for the other interfaces are set up in the same way. Step 4 Address Group Settings: You can add, edit and delete all other addresses as required. You can also organize related addresses into address groups to simplify rule creation. Click the Groups hyperlink. Select WAN1
21. the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply. Step 8 View the result (ADVANCED SETTINGS > Firewall > Edit Rules; Status / Edit Rules / Show Rules / Attack Alert / Summary): Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0/255.255.255.0 to pass through the DFL-1500 and accomplish the VPN tunnel establishment. (Firewall > Show Rules: Show WAN1 to LAN1 rules. Packets are top-down matched by the rules. Rule: Name AllowVPN, Schedule ALWAYS, Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Action Forward. Page 1/1.) At DFL-2: Here we will install the IPSec properties of DFL-2. Note that the Local Address and Remote Address fields are the opposite of those on DFL-1, and so are the My IP Address and Peer's IP Address fields. D-Link 92 DFL-1500 User Manual. Step 1 Enable IPSec: Check the Enable IPSec checkbox and click Apply. Step 2 Add an IKE rule: Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Step 3 Customize the rule: Check the Active checkbox. Enter a name for this rule, like IKErule. Enter the Local IP Address 192.168.88.0/255.255.255.0 and the Remote IP Address 192.168.40.0/255.255.255.0. Select the Outgoing interface of this VPN/Firewall/Router. Enter the public IP of the opposite side's VPN gateway, 61
22. 192.168.1.119 are all within the same range as 192.168.1.254. ADVANCED SETTINGS > NAT > Status (tabs: Status / NAT Rules / Virtual Servers): Network Address Translation Mode: Basic. Network Address Translation (NAT) translates the IP/port for: 1. Internal to External traffic: map the conditioned internal IPs/ports into the specified external IPs/ports (Reset NAT rules). 2. External to Internal traffic: map the conditioned external IPs/ports into the specified internal IPs/ports (Reset Server rules). Modes:
   1. None: The DFL-1500 is in routing mode without performing any address translation.
   2. Basic: The DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnet IP ranges.
   3. Full Feature: The DFL-1500 performs routing and NAT simultaneously. It performs several kinds of NAT on the conditioned IP subnets while performing routing on the other IP subnets.
   Total Configured NAT Rules: 3; Vacant NAT Rules: 197; Total Configured Server Rules: 0; Vacant Server Rules: 200. ADVANCED SETTINGS > NAT > NAT Rules (NAT > Edit Rules): Packets are top-down matched by the rules (Name / Direction / Source IP Address / Translate Src IP into / Type):
   Basic_DMZ1 | LAN/DMZ to WAN | 10.1.1.254/255.255.255.0 | Auto (device WAN IP) | M-1
   Basic_LAN2 | LAN/DMZ to WAN | 192.168.2.254/255.255.255.0 | Auto (device WAN IP) | M-1
   Basic_LAN1 | LAN/DMZ to WAN | 192.168.1.254/255.255.255.0 |
23. 2. Sometimes one may want to reset the firmware to factory default due to a lost password, corrupted firmware or a corrupted configuration. Since the DFL-1500 does not have a reset button (to prevent careless pressing of it), factory default has to be set through the web GUI or the console terminal. Of course, when you lose the password you have to use the CLI only, because you can never enter the web GUI with a lost password. 3. Another issue is that after setting up the DFL-1500 properly we might want to keep the current configuration to guard against unknown accidents. Then we can recover the original state from the previously reserved configuration. 25.2 Steps for TFTP Upgrade. [Figure 25.1: DFL-1 LAN1 192.168.40.254 connected to a TFTP Server at 192.168.40.x; upgrade firmware / backup firmware. Upgrade/Backup firmware from the TFTP server.] 183 Part VIII System Maintenance. Step 1 Setup TFTP server: Place the TFTP server (TftpServer) in the c:\ directory and double-click to run it. Place all .bin files in c:\ as well. Set the PC to 192.168.40.x so that it is in the same subnet as the DFL-1500's LAN1. Log in to the DFL-1500's console. Enter "en" to enter privileged mode. Configure the LAN1 address so that the DFL-1500 can connect to the TFTP server. The CLI command to configure the LAN interface is "ip ifconfig INTF3 192.168.40.254 255.255.255.0". Step 2 Upgrade firmware: Enter "ip tftp upgrade image 192.168.40.x DFL-1500_<ver>.bin". Af
24. 9.4.2 Setup Service. Step 1 Service Settings (BASIC SETUP > Books > Service > Objects; tabs: Address / Service / Schedule, Objects / Groups): The DFL-1500 predefined firewall services are listed in the diagram at right. You can add these services to any firewall rule, or you can add a service if you need to create a firewall rule for a service that is not in the predefined service list. Predefined services (name, protocol, source port > destination port; entries whose names are illegible in the scan are listed by port only): AOL TCP/ALL>5190-5194; BGP TCP/ALL>179; DHCP Relay UDP/ALL>67; DNS TCP/ALL>53, UDP/ALL>53; FINGER TCP/ALL>79; TCP/ALL>21; TCP/ALL>70; TCP/ALL>1720, TCP/ALL>1503, UDP/ALL>1719; TCP/ALL>80; TCP/ALL>443; UDP/ALL>500; IMAP TCP/ALL>143; IRC TCP/ALL>6660-6669; LDAP TCP/ALL>389; NetMeeting TCP/ALL>1720; NFS TCP/ALL>111, TCP/ALL>2049, UDP/ALL>111, UDP/ALL>2049; NNTP TCP/ALL>119; NTP TCP/ALL>123, UDP/ALL>123; PC Anywhere TCP/ALL>5631, UDP/ALL>5632; PING ICMP; POP3 TCP/ALL>110, UDP/ALL>110; PPTP TCP/ALL>1723; QUAKE UDP/ALL>26000, UDP/ALL>27000, UDP/ALL>27910, UDP/ALL>27960; RAUDIO UDP/ALL>7070; RLOGIN TCP/ALL>513; RIP UDP/ALL>520; SMTP TCP/ALL>25; SNMP TCP/ALL>161-162, UDP/ALL>161-162; SSH TCP/ALL>22, UDP/ALL>22; SYSLOG UDP/ALL>514; TALK UDP/ALL>517-518; TCP TCP; TELNET TCP/ALL>23; TFTP UDP/ALL>69; UDP UDP; UUCP UDP/ALL>540; VDOLIVE TCP/ALL>7000-7010; WAIS TCP/ALL>210; WINFRAME TCP/ALL>1494; X-WINDOWS TCP
25. ALL gt 6000 6063 Select Insert to add a new service Co a 0 UU mH a ME EN K M N E AN M K M N SE ax S K M N ME MIMI NNI N NMI NING A mi A lt a mali A mi SN OO a SV Ni CO 0 a eo se Nw a oO oOo wi Www we Ww WwW Bw WwW NM m O NO N KEN 3 O gt r r T C r T C M 21 e T C T r c r C e ew e D Link 70 DFL 1500 User Manual Chapter 9 Firewall Step 2 Insert a new service object BASIC SETUP gt Books gt Service gt Insert Enter the Service name Select which protocol Service Schedule type TCP UDP ICMP used by this service 7 Specify a Source and Destination Port number range for the service If this service uses single port enter the number in the first blank If the service has more than one port range select add to specify additional protocols and port range Select Apply to add a new service object Note that service name should begin with alphabet followed by alphabet digits dashes Table 9 2 The field of the Service object Step 3 Add a service group BASIC SETUP gt Books gt Service gt Groups gt Insert You can create groups of services to make it Address Service Schedule easier to add rules A service group can contain XX predefined services and custom services in any combination You cannot add service groups to SE Insert a new group for Service another service group top Name
(DFL-1500 User Manual, Chapter 1 Quick Start, page 12)

1.6.2 WAN1 to DMZ1 Connectivity

This section tells you how to provide an FTP service, with a server installed under your DMZ1, to public Internet users. After following the steps, users at the WAN side can connect to the FTP server at the DMZ1 side.

Step 1 Device IP Address. Set up the IP address and subnet mask of the DFL-1500's DMZ1 interface (BASIC SETUP > DMZ Settings > DMZ1 Status; the page has DMZ1 Status, IP Alias and DMZ1 TCP/IP sections).
Step 2 Client IP Range. Enable the DHCP server if you want the DFL-1500 to assign IP addresses to the computers under DMZ1 (DHCP Setup: Enable DHCP Server, IP Pool Starting Address, Pool Size).
Step 3 Apply the Changes. Click Apply to save your settings.
Step 4 Check NAT Status. The default NAT setting is Basic Mode. After applying Step 3, NAT automatically configures the related rules so that all private-IP requests in the LAN/DMZ to WAN direction are translated to the public IP assigned by the ISP.
Step 5 Check NAT Rules. The DFL-1500 has added the NAT rules shown in the diagram. Rule number 1, Basic DMZ1, means that a request in the LAN/DMZ to WAN direction whose source IP falls in the range 10.1.1.254 / 255.255.255.0 is translated to a public source IP and then forwarded to its destination.
(DFL-1500 User Manual, Chapter 11 Virtual Private Network IPSec, page 84)

Chapter 11 Virtual Private Network IPSec

This chapter introduces IPSec VPN and explains how to implement it. Extending the topology described in Figure 2.1, we explain how to make a VPN link between LAN_1 and LAN_2. Figure 11.1 is the real structure used in our implementation.

11.1 Demands
1. A branch office subnet (LAN_1) wants to connect with another branch office subnet (LAN_2) through the public Internet instead of expensive private leased lines. A VPN provides encryption and authentication to secure the tunnel that connects these two LANs.

Figure 11.1 Organization_1's LAN_1 (192.168.40.0/24, DHCP client PC1_1 192.168.40.1) makes a VPN tunnel over the Internet with Organization_2's LAN_2 (192.168.88.0/24, PC2_1 192.168.88.1, PC2_2 192.168.88.2).

11.2 Objectives
1. Let the users in LAN_1 and LAN_2 share resources through a secure channel established over the public Internet.

11.3 Methods
1. Separately configure DFL-1 and DFL-2, which are the edge gateways of LAN_1 and LAN_2 respectively. You have to decide on a key management method: IKE (Internet Key Exchange) or Manual Key. The following table compares the settings of IKE and Manual Key; both are described separately below. (Comparison table of IKE and Manual Key settings: only the column header "Manual Key / Local Ad..." survived extraction.)
Table 19.1 FTP Filter, FTP setting page. FIELD / DESCRIPTION / EXAMPLE. Enable FTP Filter: enable the FTP Filter feature of the DFL-1500. Example: Enabled.

Step 2 Add an FTP Filter. ADVANCED SETTINGS > Content Filters > FTP Filter > FTP > Add. Enter mp3 in the Name field and select Extension Name in the Blocked Type field. Click Add to apply the change. Now users in the LANs can no longer download any .mp3 file through the filter. Note that the filename to block cannot contain marks such as < or >.

Table 19.2 FTP Filter, adding a filter entry. FIELD / DESCRIPTION / EXAMPLE. Name: fill in the file extension or the exact filename (example: mp3). Blocked Type: Extension Name, the download from the FTP server is blocked when the extension of the downloaded file matches; Full Name, the download is blocked when the exact filename matches (example: Extension Name).

Keep in mind what this filter does and does not see: it matches the name of the file in the FTP transfer, not its content, so a file renamed before upload (song.mp3 stored as song.txt) is not caught, and a client inside an exempt zone is not filtered at all.

(DFL-1500 User Manual, Chapter 19 Content Filtering, FTP Filtering, page 152)

Step 3 View the result. ADVANCED SETTINGS > Content Filters > FTP Filter > FTP. The specified record is shown on this page (the page has Web Filter, Mail Filter and FTP Filter tabs).

Step 4 Add an Exempt Zone. ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone > Add. Add a new Exempt Zone record whose IP address range is 192.168.40.10 to 192.168.40.30.

FIELD DESCRIPTION
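The following Python is an added illustration of the decision the FTP filter makes for each download, written for this page and not taken from the DFL-1500; the entries, the exempt range and the sample transfers are constructed. It implements the two Blocked Type modes from Table 19.2 and the exempt zone from Step 4, and its last case shows the limit of the technique: a file renamed before the transfer passes.

```python
"""FTP download filter model (added example, not DFL-1500 code): Extension Name
and Full Name entries plus an exempt zone of client addresses."""
import ipaddress
import posixpath

BAD_MARKS = set('<>"')          # the manual forbids marks such as < and > in an entry name


def valid_entry_name(name):
    return bool(name) and not any(c in BAD_MARKS for c in name)


def add_entry(entries, name, blocked_type):
    if not valid_entry_name(name):
        raise ValueError(f"invalid entry name {name!r}")
    if blocked_type not in ("Extension Name", "Full Name"):
        raise ValueError(blocked_type)
    entries.append((name.lower(), blocked_type))   # case-insensitive match (demo assumption)


def in_exempt_zone(client_ip, zones):
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi) for lo, hi in zones)


def is_blocked(path, client_ip, entries, zones):
    """Return True when a RETR of `path` by `client_ip` must be blocked."""
    if in_exempt_zone(client_ip, zones):
        return False
    fname = posixpath.basename(path).lower()   # strip directories, normalise case
    ext = fname.rsplit(".", 1)[1] if "." in fname else ""
    for name, kind in entries:
        if kind == "Extension Name" and ext == name:
            return True
        if kind == "Full Name" and fname == name:
            return True
    return False


# Constructed configuration mirroring the manual's example: block *.mp3 for everyone
# except 192.168.40.10-192.168.40.30, and block one exact filename.
ENTRIES = []
add_entry(ENTRIES, "mp3", "Extension Name")
add_entry(ENTRIES, "setup.exe", "Full Name")
EXEMPT = [("192.168.40.10", "192.168.40.30")]


def decide(path, client_ip):
    return is_blocked(path, client_ip, ENTRIES, EXEMPT)


if __name__ == "__main__":
    for p, c in [("/pub/song.mp3", "192.168.40.5"), ("/pub/song.mp3", "192.168.40.20"),
                 ("/pub/song.mp3.txt", "192.168.40.5")]:
        print(p, c, "blocked" if decide(p, c) else "allowed")
```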
... the firewall/NAT rules when you Apply this page, so it automatically adds one NAT rule to translate the IP address of the virtual server when the server sends response packets back to the client (ADVANCED SETTINGS > NAT > NAT Rules; columns Item, Status, Condition, Action).

(DFL-1500 User Manual, Chapter 1 Quick Start, page 15)

Part I Overview

Chapter 2 System Overview

In this chapter we introduce the network topology used in the later chapters.

2.1 Typical Example Topology

In Figure 2.1 the left half is a DFL-1500 with one LAN, one DMZ and one WAN link; the administration procedures in later chapters are demonstrated on it. The right half contains another DFL-1500 connected to one LAN, one DMZ and one WAN, which you can imagine as a branch office of Organization_1. In this architecture all users under Organization_1 can access servers residing on the Internet or in the DMZ. Besides, Organization_1 communicates with Organization_2 over a VPN tunnel established by the two DFL-1500 VPN firewall routers, which secures the communication between the organizations. We focus on how to build this topology (Figure 2.1) with the DFL-1500, which requires knowing all the administration procedures.

Figure 2.1 Organization_1 (Private LANs, DMZ_1) and Organization_2 (Private LANs, DMZ_2)
Figure 4.1 DDNS mechanism: the DFL-1500's WAN1 obtains the public IP 61.2.1.1 by PPPoE and automatically refreshes the DNS record at the DDNS server (e.g. www.dyndns.org) with the updated WAN1 IP address every period.

3. DNS Proxy. After activating DNS proxy mode, a client can set its DNS server to the DFL-1500, that is, send its DNS requests to the DFL-1500. The DFL-1500 then makes the query to the real DNS server and returns the result to the client. The caching performed by the DNS proxy also helps reduce duplicate DNS lookups. As Figure 4.2 shows, DFL-1 relays the DNS request from PC1_1 (192.168.40.1) to the real DNS server at the ISP (140.113.1.1) and relays the DNS response back.

Figure 4.2 DNS Proxy mechanism (DMZ_1 10.1.1.253; LAN 192.168.40.253; WAN 61.2.1.1; ISP DNS server 140.113.1.1)

4. DHCP Relay. Activate DHCP relay mode so that the DFL-1500 becomes the relay agent and relays DHCP broadcasts to the configured DHCP server. As Figure 4.3 shows, DFL-1 relays the DHCP request from the preconfigured port (LAN1) to the real DHCP server 10.1.1.4. In this diagram the PC in the DMZ communicates with the DHCP server directly.

(DFL-1500 User Manual, Chapter 4 System Tools, page 30)

Figure 4.3 DHCP relay mechanism (DMZ_1 10.1.1.253; DHCP server 10.1.1.4)
(Firewall rule action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class.)

ADVANCED SETTINGS > VPN Settings > VPN Spoke > Add. Spoke Name VPNAB. Local Address Type: Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0. Remote Address Type: Subnet Address, IP Address 192.168.88.0, Subnet Mask 255.255.255.0. Tunnel: IKEMainVPN. Click Apply.

(DFL-1500 User Manual, Chapter 14 Virtual Private Network, Hub and Spoke VPN, page 124)

Step 4 View the added VPN Spoke. ADVANCED SETTINGS > VPN Settings > VPN Spoke. The added spoke is listed: Name VPNAB, Local LAN 192.168.40.0/24, Remote LAN 192.168.88.0/24, tunnel IKEMainVPN.

Configuring the VPN Spoke for Branch_2

Step 1 Add a Firewall rule. ADVANCED SETTINGS > Firewall > Edit Rules. Suppose the Branch_2 office has already added a VPN tunnel to communicate with the Main Office. Now Branch_2 has to add a firewall rule to allow IPSec packets to come in from the Internet. Edit the WAN1 to LAN1 rules. Before adding a firewall rule, please make sure to check the default action for this pa
(IMAP setting: Server IP 10.1.1.1, Server Port 143, Encryption SSL. Apply.)

6.3.4 RADIUS Setting

Step 1 Configure RADIUS Settings. Basic Setup > Authentication > Authentication > Radius. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-1500 will contact the RADIUS server for authentication. Select Authentication Type Radius (the choices are Local, Pop3(s), Imap(s), Radius and LDAP), enter the Server IP (example 192.168.40.60), the Server Port (1812) and the RADIUS Server Secret, then click Apply to store the settings. (The page also has an Exempt Host list and a Timeout in minutes.)

The shared secret is the only protection the RADIUS exchange has on the wire, so use a long random secret rather than a word, and keep the path between the DFL-1500 and the RADIUS server on a trusted segment.

(DFL-1500 User Manual, Chapter 6 Authentication, page 46)

6.3.5 LDAP Setting

Step 1 Configure LDAP Settings. Basic Setup > Authentication > Authentication > LDAP. If you have configured LDAP support and a user is required to authenticate using an LDAP server, the DFL-1500 will contact the LDAP server for authentication. To authenticate with the DFL-1500, the user enters a user name and password; the DFL-1500 sends them to the LDAP server, and if the LDAP server can authenticate the user, the user is successfully authenticated with the DFL-1500. Enter the LDAP Server IP and then the distinguished name (Base DN) used to look up entries on the LDAP server. For example you can
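To show what the RADIUS Server Secret from 6.3.4 actually does, here is an added Python example (not DFL-1500 or D-Link code) of the Access-Request a RADIUS client such as the firewall sends: the User-Password attribute is hidden per RFC 2865 section 5.2 by XORing the password with MD5(secret || Request-Authenticator), chained block by block, and a server holding the same secret reverses it. The secret, user, password and NAS address are constructed for the demo. The construction is only as strong as the secret; everything else in the packet is plaintext UDP.

```python
"""RADIUS Access-Request build/parse with RFC 2865 User-Password hiding
(added example, not DFL-1500 code)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks; each block is XORed with MD5(secret + previous cipher block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(pw[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    auth = authenticator or os.urandom(16)          # 16 random bytes per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_access_request(packet, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:                               # TLV walk with length sanity checks
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"id": ident,
            "user": attrs[USER_NAME].decode(),
            "password": reveal_password(attrs[USER_PASSWORD], secret, auth),
            "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])}


SECRET = b"demo-shared-secret"   # constructed; a real deployment uses a long random secret


def roundtrip(user="alice", password="correct horse battery staple",
              build_secret=SECRET, parse_secret=None):
    """Client builds the request with one secret; server parses it with (possibly) another."""
    pkt = build_access_request(7, user, password, build_secret, "192.168.40.254")
    return parse_access_request(pkt, parse_secret or build_secret)


if __name__ == "__main__":
    print(roundtrip())
    print(roundtrip(parse_secret=b"wrong-secret")["password"])
```

A server with the wrong secret does not get an error, only garbage in place of the password, which is why a mismatched secret shows up as authentication failures rather than as a clear configuration error.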
Table 11.3 Add an IPSec policy rule. FIELD / DESCRIPTION / EXAMPLE. IKE: use the IKE (Internet Key Exchange) method to negotiate the key used in building the IPSec tunnel (example: Selected). Manual Key: use the key you have designated in the peer VPN device to build the IPSec tunnel.

Step 3 Customize the rule. ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add. Check the Active checkbox. Enter a name for this rule, such as IKErule. Enter the Local IP Address 192.168.40.0 / 255.255.255.0 and the Remote IP Address 192.168.88.0 / 255.255.255.0. Select the Outgoing Interface of this VPN firewall router. Enter the public IP of the opposite VPN gateway, 210.2.1.1, in the Peer's IP Address field. Click ESP Algorithm and select Encrypt and Authenticate (DES, MD5). Enter the Pre-Shared Key, such as 1234567890. Click Apply to store the settings. Encapsulation Mode: Tunnel. Note: in the Action region you must choose either ESP Algorithm or AH Algorithm, or the system will show an error message. If you want to set the detailed IKE parameters, click the Advanced button on this page; otherwise it is fine to just leave the val

Two cautions on these example values: DES (56-bit key) and MD5 are obsolete algorithms that should only be used where the peer offers nothing stronger, and 1234567890 is shown only to illustrate the field; the pre-shared key protects the whole IKE exchange, so use a long random value and share it out of band.
Dest IP LAN1_VPNA (192.168.40.0). Click Apply to store this rule.

Step 8 View the result. We now have a new rule before the default firewall rule. This rule allows packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500, completing the VPN tunnel establishment.

ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add (tabs: IPSec, VPN Hub, VPN Spoke, PPTP, L2TP, Pass Through). The page warns: if you enable the firewall, please check whether the firewall rules would block packets in the tunnel. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets. The source address/mask and destination address/mask of that firewall rule are 192.168.88.0 / 255.255.255.0 and 192.168.40.0 / 255.255.255.0 respectively.

ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Default action for this packet direction: Block, with Log. Packets are top-down matched by the rules (columns: Name, Schedule, Source IP, Dest IP, Service, Action, Log).

ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Insert a new WAN1 to LAN1 firewall rule: Rule name AllowVPN; Schedule Always; Condition: Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Service ANY.

Note that Service ANY admits every protocol from the remote LAN into LAN1 once the tunnel is up; if only a few services are needed across the tunnel, a narrower service object or group here limits what a compromised remote site can reach.
Appendix F Hardware (continued)

WAN: 2 ports for connecting to the outbound WAN. RJ-45 connector; IEEE 802.3 and IEEE 802.3u compliant; half/full duplex operation; backpressure at half duplex; IEEE 802.3x flow control in full duplex mode.
LAN: 2 ports for connecting the inbound LAN. Same connector and Ethernet specifications as the WAN ports.
DMZ: 1 port for connecting to servers. Same connector and Ethernet specifications as the WAN ports.
Console port: DB-9 male connector; asynchronous serial DTE with full modem controls.

LED indication, per device: Power LED: Off = power off; Solid Orange = power on.

(DFL-1500 User Manual, Appendix F Hardware, page 212)

Ethernet 10/100M, per port: Link/ACT LED: Off = no link; Solid Green = link; Blinking Green = activity.

Power supply: AT PS, AC 90-230 V full range, 45-63 Hz.

Environmental specifications: Operating temperature 0 to 60 °C; Storage temperature -25 to 70 °C.
Perfect Forward Secrecy (PFS). Enabling PFS means that the key is transient: it is thrown away and replaced by a brand-new key, derived from a new Diffie-Hellman exchange, for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The time-consuming Diffie-Hellman exchange is the trade-off for this extra security. This may be unnecessary for data that does not require such protection, so PFS is disabled (None) by default in the DFL-1500. Disabling PFS means new authentication and encryption keys are derived from the same root secret, which may have security implications in the long run, but allows faster SA setup by bypassing the Diffie-Hellman key exchange.

The practical consequence of leaving PFS off: anyone who has recorded the tunnel's traffic and later obtains the root secret (for instance through a weak pre-shared key) can derive every SA key that was ever produced from it. Enable PFS unless the extra exchange time is really a problem.

10.2.6 Encapsulation

Transport Mode. Transport mode is used to protect upper-layer protocols and only affects the data in the IP packets. In transport mode the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper-layer protocol contained in the packet, such as TCP or UDP. With ESP, protection is applied only to the upper-layer protocols contained in the packet; the IP header information and options are not used in the authentication process, so the originating IP address cannot be verified for integrity against the data. With AH as the security protocol, protection is extended forwa
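The PFS paragraph above is easiest to see in code. The following Python is an added illustration (not DFL-1500 or D-Link code) with two toy peers deriving child-SA keys either with PFS, running a fresh Diffie-Hellman exchange per SA whose private exponents are discarded afterwards, or without PFS, deriving each SA key from the one root secret plus public nonces. An attacker who recorded the exchanges and later learns the root secret recovers every no-PFS key and none of the PFS keys. The DH group is the 768-bit MODP group from RFC 2409 for illustration, the PRF is HMAC-SHA-256, and the key-derivation layout is a simplification, not IKE's exact formula.

```python
"""PFS versus no-PFS child-SA key derivation (added example, not DFL-1500 code)."""
import hashlib
import hmac
import secrets

# RFC 2409 group 1 (768-bit MODP); small enough to keep the demo fast.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes((P.bit_length() + 7) // 8, "big")


def dh_agreement_holds():
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    return shared(xi, gr) == shared(xr, gi)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_sa_keys(root, n_sas, pfs):
    """Return per-SA keys and, per SA, what a passive observer could have captured."""
    keys, observed = [], []
    for spi in range(1, n_sas + 1):
        ni, nr = secrets.token_bytes(8), secrets.token_bytes(8)   # public nonces
        if pfs:
            xi, gi = dh_keypair()
            xr, gr = dh_keypair()
            k = prf(root, shared(xi, gr) + ni + nr + spi.to_bytes(4, "big"))
            observed.append((gi, gr, ni, nr, spi))   # exponents xi, xr are discarded
        else:
            k = prf(root, ni + nr + spi.to_bytes(4, "big"))
            observed.append((None, None, ni, nr, spi))
        keys.append(k)
    return keys, observed


def attacker_recovers(root, observed):
    """With the compromised root secret and the captured exchanges, recompute what is possible."""
    recovered = []
    for gi, gr, ni, nr, spi in observed:
        if gi is None:
            recovered.append(prf(root, ni + nr + spi.to_bytes(4, "big")))
        else:
            recovered.append(None)   # needs a private DH exponent that no longer exists
    return recovered


def compare(pfs, n_sas=3):
    """Number of SA keys the attacker recovers after the root secret leaks."""
    root = secrets.token_bytes(32)
    keys, observed = derive_sa_keys(root, n_sas, pfs)
    return sum(r == k for r, k in zip(attacker_recovers(root, observed), keys))


if __name__ == "__main__":
    print("keys recovered without PFS:", compare(pfs=False))
    print("keys recovered with PFS:   ", compare(pfs=True))
```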
(Part III NAT, Routing & Firewall)

Step 4 View the result. Advanced Settings > Routing > Policy Route. After filling in the data completely, view the policy routing entries that have been set (Static Route and Policy Route tabs; columns Condition and Action).

Step 5 View the routing table. Device Status > System Status > Routing Table. Finally click Routing Table to see all the current routing table information (the page also offers Active IPSec and DHCP Table views).

(DFL-1500 User Manual, Chapter 9 Firewall, page 66)

Chapter 9 Firewall

This chapter introduces the firewall and explains how to implement it.

9.1 Demands
1. All rules require source and destination addresses. If you would like to add an address to a rule between two interfaces, you have to add the addresses to the address list of each interface first. These addresses must be valid addresses for the network connected to that interface.
2. Suppose you would like to use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services or your created services to a rule.
3. Suppose MSN cannot be used in your company from Monday to Friday 9:00-12:00 and 13:00-17:30, but may be used any time after work. The administrator needs to create schedules to meet this requirement.
4. Your company would like to protect some servers or users from having their IP addresses snatched by others, and to control which computers are accepted or denied.
(Firewall rule list, columns Name, Schedule, Source IP, Dest IP, Service, Action, Log: AllowVPN, ALWAYS, WAN1_VPNB, LAN1_VPNB, Forward.)

(DFL-1500 User Manual, Chapter 11 Virtual Private Network IPSec, page 94)

DES/MD5 IPSec tunnel the Manual Key way

In the previous section we introduced the IKE method. Here we introduce another method, Manual Key instead of IKE, to install the IPSec properties of DFL-1.

At DFL-1
First we use the Manual Key way to install the IPSec properties of DFL-1.

Step 1 Enable IPSec. ADVANCED SETTINGS > VPN Settings > IPSec. Check the Enable IPSec checkbox and click Apply.
Step 2 Add a Manual Key rule. ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key. Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint.

(Part IV Virtual Private Network, page 95)

Step 3 Customize the rule. ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add. The settings are the same as those for IKE, but there is no pre-shared key in manual key mode. Check Active and enter the Manual Key Rule Name, such as ManualKeyrule. Enter the Key for encryption, such as 1122334455667788 (16 hex digits, the 8-byte DES key), and the Key for authentication, such as 11112222333344445555666677778888 (32 hex digits, the 16-byte MD5 key). Additionally the Outgoing SPI and Incoming SPI have to be specified manually. Enter 2222 and 111

A manual key never changes for the lifetime of the tunnel, so one DES key protects all traffic ever sent through it and anyone who reads the configuration (or a backup of it) has the key; the example keys shown here are illustrations and must not be used.
(Advanced Settings main functions: VPN Settings, NAT, Routing, Firewall, IDS, Bandwidth Mgt, IP/MAC Binding, Availability.)

Figure 2.2 You can select the functional area by following the sequence in the web GUI. To configure the DFL-1500, follow the sequence illustrated in Figure 2.2: Step 1 Select the main function; Step 2 Select the sub function; Step 3 Select the tag; Step 4 Configure the real parameters.

2.3.2 Rule principle

Figure 2.3 shows that a rule configuration is divided into three parts, illustrated by the page "Insert a new LAN1 to WAN1 Firewall rule":
Status field: describes the status and name of this rule (for example Rule name Block_MSN).
Condition field: what characteristics a packet must hold to be captured by this rule (for example source IP LAN1, service MSN).
Action field: if the packet is captured by this rule, what action the rule takes.

(Part I Overview, page 19)

You may find many rule configurations in the DFL-1500, distributed across the respective features. These rules include:
1. NAT rule
2. Virtual Server rule
3. Firewall rule
4. Policy route rule
5. Bandwidth management rule
The behavior of each rule is different, and so are their con
(Web Filter Customize setting page.)

Step 5 Setup URL keyword blocking. ADVANCED SETTINGS > Content Filters > Web Filter > URL Filter. Check Enable Keyword Blocking to block any URL that contains one of the entered keywords. Add a keyword by entering a word in the Keyword field followed by a click on Add.

Table 17.4 Web Filter Domain Name setting page. FIELD / DESCRIPTION / EXAMPLE. Enable Keyword Blocking: enable the URL keyword blocking feature of the web filter (example: Enabled). Keyword: if the keyword appears in the URL when connecting to the Internet with a browser, the content of that URL is blocked. BUTTONS: Apply: apply the setting configured on the checkbox. Add: add the keyword to the list. The reset button clears the filled-in data and restores the original value. Delete: delete the selected keyword from the list.

(Part V Content Filters, page 141)

Step 6 Customize Categories. ADVANCED SETTINGS > Content Filters > Web Filter > Categories. With its built-in URL database the DFL-1500 can block web sessions towards several predefined categories of URLs. Check the items you want to block or log. Clicking Block all categories applies all categories. Click Log & Block Access if you want to block and log any matched traffic. You can customize the Time of Day to allow such traffic after the office h
Appendix C System Log Syntax (continued). CONTENT category events; each row is the category code followed by the message as it is logged. EIDs 11 to 20 accompany these rows in the source, but the column alignment was lost in extraction, so they are not reproduced here.

(code not extracted) Web filter URL keyword added by admin 192.168.17.100:443
C09 Web filter URL keyword deleted by admin 192.168.17.100:443
C10 Enable web filter url matching by admin 192.168.17.100:443
C11 Disable web filter url matching by admin 192.168.17.100:443
C12 Updated web filter exempt zone configuration by admin 192.168.17.100:443
C13 Web filter exempt zone added range from 140.126.1.1 to 140.126.100.255 by admin 192.168.17.100:443
C14 Updated ftp filter exempt zone configuration by admin 192.168.17.100:443
C15 FTP filter exempt zone added range from 140.126.1.1 to 140.126.255.255 by admin 192.168.17.100:443
C16 Updated ftp filter blocked file configuration by admin 192.168.17.100:443
C17 FTP Filter blocking list updated by admin 192.168.17.100:443

BANDWIDTH (next category; rows not extracted)

(DFL-1500 User Manual, Appendix C System Log Syntax, page 202)

C18 Web filter keyword added by admin
... a server; a SYN flooding attack reaches 10. Check the Blocking time if you want to stop the traffic towards the server; during this blocking time the server can digest its load.

FIELD / DESCRIPTION / EXAMPLE

Enable Attack Alert: enable the firewall alert to detect Denial of Service (DoS) attacks. Example: Enabled.

Denial of Service Thresholds:

One Minute High: the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the DFL-1500 deletes half-open sessions as required to accommodate new connection attempts.

Maximum Incomplete High: the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the DFL-1500 deletes half-open sessions as required to accommodate new connection requests. Example: 100.

TCP Maximum Incomplete: the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that destination host. Enter a number between [lower bound not extracted] and 999. As a general rule, choose a smaller number for a smaller network, a slower system or limited bandwidth.

(DFL-1500 User Manual, Chapter 9 Firewall, page 78)

When TCP Maximum Incomplete is reached, you can choose whether the next session should be allowed or blocked. If you c
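The three thresholds above are easier to reason about when run over traffic. The Python below is an added example, not DFL-1500 code, of a half-open session tracker with a per-minute rate limit (One Minute High), a global cap (Maximum Incomplete High) and a per-destination cap (TCP Maximum Incomplete) with a blocking time. The choice of blocking the next session once the per-host cap is hit, the 30-second half-open timeout, and the SYN bursts are all constructed for the demo; the manual leaves the allow/block choice to the administrator.

```python
"""Half-open (SYN) session thresholds: rate limit, global cap, per-host cap with
blocking time (added example, not DFL-1500 code)."""
from collections import OrderedDict, deque


class HalfOpenTracker:
    def __init__(self, one_minute_high=100, max_incomplete_high=100,
                 tcp_max_incomplete=20, blocking_time=60, syn_timeout=30):
        self.one_minute_high = one_minute_high
        self.max_incomplete_high = max_incomplete_high
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time
        self.syn_timeout = syn_timeout          # assumed SYN timeout; not in the manual
        self.half_open = OrderedDict()          # (src, sport, dst, dport) -> open time, oldest first
        self.recent = deque()                   # open times within the last 60 s
        self.blocked_until = {}                 # dst -> time until which new sessions are refused
        self.events = []

    def _expire(self, t):
        for k, t0 in list(self.half_open.items()):
            if t - t0 >= self.syn_timeout:
                del self.half_open[k]

    def _per_host(self, dst):
        return sum(1 for k in self.half_open if k[2] == dst)

    def _evict_oldest(self, reason):
        k, _ = self.half_open.popitem(last=False)   # delete the oldest half-open session
        self.events.append((reason, k))

    def syn(self, t, src, sport, dst, dport):
        """Return True if the SYN is admitted as a new half-open session, False if dropped."""
        if self.blocked_until.get(dst, -1) > t:
            self.events.append(("blocked", (src, sport, dst, dport)))
            return False
        self._expire(t)
        while self.recent and t - self.recent[0] >= 60:
            self.recent.popleft()
        if len(self.recent) >= self.one_minute_high and self.half_open:
            self._evict_oldest("rate")              # One Minute High: make room
        if len(self.half_open) >= self.max_incomplete_high:
            self._evict_oldest("max-incomplete")    # Maximum Incomplete High
        if self._per_host(dst) >= self.tcp_max_incomplete:
            self.blocked_until[dst] = t + self.blocking_time   # TCP Maximum Incomplete
            self.events.append(("host-limit", (src, sport, dst, dport)))
            return False
        self.half_open[(src, sport, dst, dport)] = t
        self.recent.append(t)
        return True

    def ack(self, src, sport, dst, dport):
        """Handshake completed: the session is no longer half open."""
        self.half_open.pop((src, sport, dst, dport), None)


def simulate(flood=30, limit=20):
    """Constructed SYN flood from spoofed sources against one DMZ server."""
    tr = HalfOpenTracker(tcp_max_incomplete=limit)
    admitted = sum(tr.syn(i, f"10.0.0.{i % 250 + 1}", 40000 + i, "10.1.1.5", 80)
                   for i in range(flood))
    during = tr.syn(40, "192.168.40.1", 5000, "10.1.1.5", 80)    # legitimate client, still blocked
    after = tr.syn(200, "192.168.40.1", 5001, "10.1.1.5", 80)    # blocking time over, flood aged out
    return admitted, during, after, len(tr.half_open)


def simulate_global():
    """Constructed spray across many hosts: only the global cap should fire."""
    tr = HalfOpenTracker(one_minute_high=999, max_incomplete_high=100, tcp_max_incomplete=999)
    for i in range(150):
        tr.syn(0, "10.0.0.1", 40000 + i, f"10.1.{i % 7}.{i % 13 + 1}", 80)
    evicted = sum(1 for reason, _ in tr.events if reason == "max-incomplete")
    return len(tr.half_open), evicted


if __name__ == "__main__":
    print(simulate(), simulate_global())
```

The per-host cap is the one that actually shields a single server, but it also blocks legitimate clients for the whole blocking time, which is the reason the manual suggests smaller values for smaller networks rather than a single large number.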
(Table of contents, continued)
9.1 Demands 67
9.2 Objectives 67
9.3 Methods 68
9.4 Steps 68
9.4.1 ... 68
9.4.2 Setup Service 70
9.4.3 Setup Schedule 72
9.4.4 ... 73
9.4.5 Block internal PC session (LAN1 to WAN1) 75
9.4.6 ... 78
Part IV Virtual Private Network 80
Chapter 10 VPN Technical Introduction 81
10.1 ... 81
10.2 Related Terminology Explanation 81
10.2.1 ... 81
10.2.2 ... 81
10.2.3 ... 81
10.2.4 ... 81
10.2.5 Key Management 82
10.2.6 Encapsulation 83
10.2.7 IPSec Protocols 83
10.3 Make VPN packets pass through the DFL-1500 84
Chapter 11 Virtual Private Network IPSec 85
11.1 Demands 85
11.2 Objectives 85
11.3 Methods 85
11.4 Steps 86
DES/MD5 IPSec tunnel the IKE way 86
DES/MD5 IPSec tunnel the Manual Key way
(entries shown as ... were not legible in the source)
... and how to use it. We zoom in on the left part of Figure 2.1 into Figure 8.1 and add some devices for the description.

8.1 Demands
1. There used to be only one local area, 192.168.40.0/24, inside the LAN1 port. Now there is a new financial area, 192.168.50.0/24, as in Figure 8.1. The financial area is connected through a router which sits inside the LAN1 port of the DFL-1500, so we need to add configuration for the financial department.
2. Refer to the Figure 8.1 description. The bandwidth subscribed from ISP1 is insufficient, so some important traffic, say the traffic from PCs belonging to the General Manager Room department (192.168.40.192 / 255.255.255.192), is crowded out by other traffic. We hope the employees of the General Manager Room can have dedicated bandwidth to improve the quality of their Internet connection.

Figure 8.1 Add a policy routing entry for the General Manager Room department. (Organization_1 Private LANs: DMZ_1 10.1.1.253 with WebServer1, FtpServer1 and a DHCP Server; WAN1 210.2.1.1 to ISP1 as the default route; a second link to ISP2 for policy routing; LAN1 192.168.40.253 behind a switch; a router leading to the Financial Department 192.168.50.0/24. Normal routing and policy routing paths are drawn separately.)

(Part III NAT, Routing & Firewall, page 61)

8.2 Objectives
1. We need to let the DFL-1500 know how to forward packets bound for the financial department, 192.168.50.0/24.
2. The network admi
(NAT rules list: rule 1, Basic LAN1, LAN/DMZ to WAN, source 192.168.1.254 / 255.255.255.0, translated to Auto (device WAN IP).)

(Part I Overview, page 13)

Step 6 Setup IP for the FTP Server.
Step 7 Setup Server Rules. Insert a virtual server rule by clicking the Insert button.
Step 8 Customize the Rule. Name the rule ftpServer. For any packet whose destination IP address equals the WAN1 IP (61.2.1.1) and whose destination port equals 44444, the DFL-1500 translates the packet's destination IP and port into 10.1.1.5 port 21. Check Passive FTP client to maximize compatibility with the FTP protocol. This is useful if you want to provide connectivity to passive FTP clients: for passive clients the server in the DMZ replies with its private IP address (10.1.1.5) and a port number for the client to connect back to for the data transfer. Since FTP clients on the WAN side cannot reach a private IP such as 10.1.1.5 through the Internet, the data connection would fail. After enabling this feature the DFL-1500 translates the private IP and port into an IP and port of its own, which solves the problem.
Step 9 View the Result. Now any request towards the DFL-1500's WAN1 IP 61.2.1.1 with destination port 44444 is translated into a request towards 10.1.1.5 port 21 and forwarded there; the FTP server listening on port 21 at 10.1.1.5 picks up the request.
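The Passive FTP client option in Step 8 is an application-layer fix-up of the server's PASV reply. The Python below is an added example of that fix-up, written for this page and not taken from the DFL-1500: it rewrites the "227 Entering Passive Mode" line to the public address and a gateway-allocated port, records the mapping so the client's data connection can be translated back to the DMZ server, and refuses a PASV reply that names any address other than the configured server (so the fix-up cannot be abused to open a hole towards some other internal host). The addresses and ports are the manual's example values; the reply text is constructed.

```python
"""Passive-FTP PASV rewrite with data-port mapping (added example, not DFL-1500 code)."""
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PassiveFtpAlg:
    def __init__(self, public_ip, server_ip, port_pool=range(50000, 50100)):
        self.public_ip = public_ip
        self.server_ip = server_ip        # the virtual server this fix-up is bound to
        self.free = list(port_pool)       # public data ports the gateway may hand out
        self.mappings = {}                # public port -> (private ip, private port)

    def rewrite_pasv(self, reply):
        """Rewrite one '227 Entering Passive Mode' line; any other line passes untouched."""
        m = PASV_RE.search(reply)
        if not m:
            return reply
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
            raise ValueError("malformed PASV reply")
        private_ip = f"{h1}.{h2}.{h3}.{h4}"
        if private_ip != self.server_ip:
            raise ValueError("PASV address does not belong to the virtual server")
        private_port = p1 * 256 + p2
        if not self.free:
            raise RuntimeError("no free public ports for the data connection")
        public_port = self.free.pop(0)
        self.mappings[public_port] = (private_ip, private_port)
        pub = ",".join(self.public_ip.split("."))
        new_line = f"227 Entering Passive Mode ({pub},{public_port // 256},{public_port % 256})"
        return reply[:m.start()] + new_line + reply[m.end():]

    def translate_data_connection(self, dst_port):
        """Inbound SYN to a public data port: return the DMZ (ip, port) to forward to, or None."""
        return self.mappings.get(dst_port)


def demo():
    """Server 10.1.1.5 offers data port 200*256+10 = 51210; the client sees 61.2.1.1:50000."""
    alg = PassiveFtpAlg("61.2.1.1", "10.1.1.5")
    rewritten = alg.rewrite_pasv("227 Entering Passive Mode (10,1,1,5,200,10)\r\n")
    return rewritten.strip(), alg.translate_data_connection(50000)


if __name__ == "__main__":
    print(demo())
```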
... dials in to the DFL-1500. Assigned IP Range, End IP: the allocated ending IP address in the internal network after a PPTP client dials in to the DFL-1500. Account: the user name that allows a PPTP client user to dial in to the DFL-1500 (example PptpUsers). Password: the password that allows the PPTP client user to dial in (example Dif3wk). (Table 15.1 Setup PPTP Server.)

Step 2 Setup Windows XP/2000 PPTP clients. Configuring a PPTP dial-up connection: go to Start > Control Panel > Network and Internet Connections > Make new connection. Select Virtual Private Network Connection and select Next. Give the connection a name and select Next. If the Public Network dialog box appears, choose Don't dial up initial connection and select Next. In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next. Select Create a connection to the network of your workplace and select Next. Set Connection Availability to Only for myself and select Next. Select Finish.

Note that in the DFL-1500 release II version both PPTP and L2TP support MPPE; in other words you can choose Require data encryption on a client computer running Windows XP/2000. However, this release II version does not support MS-CHAP, so you have to [text not legible] require data encryption. Independently of this firmware, PPTP with MPPE and MS-CHAP is considered broken today, so treat it as a compatibility option rather than as a secure tunnel.

(DFL-1500 User Manual, Chapter 15 Virtual Private Network PPTP, page 128)
India: URL www.dlink.co.in; E-MAIL service@dlink-india.com, tushars@dlink-india.com

Italy: D-Link Mediterraneo Srl / D-Link Italia, Via Nino Bonnet n. 6/B, 20154 Milano, Italy. TEL +39 02 2900 0676; FAX +39 02 2900 1723; URL www.dlink.it; E-MAIL info@dlink.it

Japan: D-Link Japan, 10F 8-8-15 Nishi-Gotanda, Shinagawa-ku, Tokyo 141, Japan. TEL +81 3 5434 9678; FAX +81 3 5434 9868; URL www.d-link.co.jp; E-MAIL kida@d-link.co.jp

Netherlands: D-Link Benelux, Fellenoord 130, 5611 ZB Eindhoven, The Netherlands. TEL +31 40 2668713; FAX +31 40 2668666; URL www.d-link-benelux.nl and www.dlink-benelux.be; E-MAIL info@dlink-benelux.nl, info@dlink-benelux.be

Norway: D-Link Norway, Waldemar Thranesgate 77, 0175 Oslo, Norway. TEL +47 22 99 18 90; FAX +47 22 20 70 39; SUPPORT 800 10 610; URL www.dlink.no

Russia: D-Link Russia, Michurinski Prospekt 49, 117607 Moscow, Russia. TEL +7 095 737 3389 and +7 095 737 3492; FAX +7 095 737 3390; URL www.dlink.ru; E-MAIL vl@dlink.ru

Singapore: D-Link International, 1 International Business Park, #03-12 The Synergy, Singapore 609917. TEL +65 6774 6233; FAX +65 6774 6322; E-MAIL info@dlink.com.sg; URL www.dlink-intl.com

South Africa: D-Link South Africa, Unit 2, Parkside, 86 Oak Avenue, Highveld Technopark, Centurion, Gauteng, South Africa. TEL +27 12 665 2165; FAX +27 12 665 2186; URL www.d-link.co.za; E-MAIL attie@d-link.co.za

Spain: D-Link Iberia (Spain and Portugal), Sabino de Arana 56 bajos, 08028 Barcelona, Spain. TEL +34 93
... from the Members list, select the tunnels and select the left arrow. Select Apply to add the VPN Hub.

(Chapter 14 Virtual Private Network, Hub and Spoke VPN)

ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, with Log. Apply. Packets are top-down matched by the rules (columns: Name, Schedule, Source IP, Dest IP, Service, Action, Log).

ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Insert a new WAN1 to LAN1 firewall rule: Rule name AllowVPN; Schedule Always; Condition: Source IP Spokes, Dest IP Hub, Service ANY; Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class. Apply.

ADVANCED SETTINGS > VPN Settings > VPN Hub > Add (tabs: IPSec, VPN Hub, VPN Spoke, PPTP, L2TP, Pass Through). Hub Name BranchAB; Available Tunnels (for example IKE VpnA); Members.

(Part IV Virtual Private Network, page 123)

Configuring the VPN Spoke for Branch_1

Step 1 Add a Firewall rule. Suppose the Branch_1 office has already added a VPN tunnel to communicate with the Main Office. Now Branch_1 has to add a firewall rule to allow IPSec packet
49. ...the default class. Enter 0.33 in the Bandwidth field. Make sure that the Borrow box is unchecked; the web_from_WAN class will then not enlarge its bandwidth by borrowing unused bandwidth from other classes. Finally click the Apply button. See the steps in the right diagram (Status: Activate; Class name: web_from_WAN).

Subsequently we continue to set up another two classes, video_from_WAN and web_from_DMZ. Select the default class and click Create Sub Class to create these two classes. The setting procedure is the same as for the web_from_WAN class described above.

Table 21.5 Add a new class in the bandwidth management feature
FIELD - DESCRIPTION - RANGE/FORMAT - EXAMPLE
Status - Enable the bandwidth management class for later use - Enable/Disable - Enabled
Name - Bandwidth management class name - text - web_from_WAN
Bandwidth - What percentage of the higher (parent) class this class occupies, as the red text indicates - 0.1 to Max Value - (value entered above)
Borrow - When the bandwidth of another class is idle, this class uses that bandwidth to increase its own temporarily - checked/unchecked - (see above)
BUTTON - DESCRIPTION
Back - Back to the previous configuration page
Apply - Apply the settings which have been configured

Step 4 Partition into Classes. ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create. Now there are three actions under the default class.

Step 5 Set up the WAN1 to LAN1 Rule.
50. ...network will be disconnected, since the IP address of your PC and that of the DFL-1500 LAN port differ.

3. WAN: Configure the WAN1 port of the DFL-1500. You can refer to section 1.4 for the default network configuration of the DFL-1500.

4. NAT: Configure the connection in the LAN to WAN direction. It lets all client PCs access the Internet through the DFL-1500. For more information please refer to section 1.6.1.

5. Virtual Server: If there is any server located inside the DFL-1500 network, you may want these servers to provide services to the outside. So you should configure the Virtual Server, which provides connections in the WAN to LAN direction. For more information please refer to section 1.6.2.

After you have completed the above steps, the connectivity functions of the DFL-1500 should be working.

1.3 Wiring the DFL-1500

A. First connect the power cord to the socket at the back panel of the DFL-1500, as in Figure 1.5, and then plug the other end of the power adapter into a wall outlet or power strip. The Power LED will turn ON to indicate proper operation. (Figure 1.5 Back panel of the DFL-1500: A, Power Socket)

B. Using an Ethernet cable, insert one end of the cable into the WAN port on the front panel of the DFL-1500 and the other end into a DSL or cable modem, as in Figure 1.6.

C. Computers with an Ethernet adapter can be directly connected to any of the LAN ports using a cross-over Ethernet cable, as in Figure 1.6.

D. Computers that
51. ...packets to the real server 10.1.1.5. And you can announce to the Internet users that there is an ftp server at IP:port 61.2.1.1:44444. So all Internet users will just connect to 61.2.1.1:44444 to get ftp service.

7.4 Steps

7.4.1 Set up Many-to-One NAT rules

Step 1 Enable NAT. ADVANCED SETTINGS > NAT > Status. Select Basic from the Network Address Translation Mode list. Click Apply. Now the DFL-1500 will automatically set the NAT rules for the LAN/DMZ zones. Namely, all internal networks can establish connections to the outside world if the WAN settings are correct.

Table 7.1 Determine Network Address Translation Mode
FIELD - DESCRIPTION - RANGE/FORMAT
Network Address Translation Mode - Determine what NAT type you are using in your network topology (refer to section 7.5.5 for more information) - None / Basic / Full Feature
BUTTON - DESCRIPTION
Reset NAT Rules - Reset the NAT rules to the default status
Reset Server Rules - Clear all the Virtual Server rules
Clear - Clear all the active NAT / Virtual Server sessions
Apply - Apply the settings which have been configured
Reset - Clean the filled data and restore the original
52. ...since the network IP address you are logging in from has changed. (Screen: BASIC SETUP > LAN Settings > LAN1 Status, IP Address 192.168.40.254; other values shown: 192.168.40.254, 192.168.40.1, 0.0.0.0, 7200.)

2.2.2 Configure the DFL-1500 LAN1 network settings from the CLI (command line interface)

Step 1 Use the console port to configure the DFL-1500. Use the supplied console cable to connect the PC to the Diagnostic RS-232 socket of the DFL-1500. Start a new connection using HyperTerminal with the parameters No Parity, 8 Data bits, 1 Stop bit and baud rate 9600. Enter admin for the user name and admin for the password to log in. After logging into the DFL-1500, enter the command en to enter privileged mode. Enter the command ip ifconfig INTF3 192.168.40.254 255.255.255.0 to change the IP of the LAN1 interface:

    D-Link DFL-1500> en
    DFL-1500# ip ifconfig INTF3 192.168.40.254 255.255.255.0
    DFL-1500# ip ifconfig INTF3
    LAN1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:90:0b:02:99:69
            media: Ethernet autoselect (none)
            status: no carrier
            inet 192.168.40.254 netmask 0xffffff00 broadcast 192.168.40.255
    DFL-1500#

Chapter 2 System Overview

2.3 The design principle

2.3.1 Web GUI design principle. The web UI (D-Link, Building Networks for People; VPN Firewall Router) is operated in steps: Step 1 Select Main Function (SYSTEM, DEVICE, TOOLS, STATUS, LOGOUT); Step 3 Select Tag (e.g. Mail Filter, FTP Filter).
53. ...that the rule name should begin with a letter, followed by letters, digits or dashes.

Table 9.6 Insert a Firewall rule
FIELD - DESCRIPTION - RANGE/FORMAT - EXAMPLE
Status: Enable - Enable the firewall rule for later use - Enabled/Disabled - Enabled
Status: Name - The name of the firewall rule - text string - PC1_1
Condition: Source IP - Compared with the incoming packets, whether the Source IP is matched or not - IPv4 address / IPv4 netmask - 192.168.40.1 / 255.255.255.255 (or WAN1_ALL)
Condition: Dest IP - Compared with the incoming packets, whether the Dest IP is matched or not - IPv4 address / IPv4 netmask - 0.0.0.0 / 0.0.0.0
Condition: Service - Verify whether the service of the incoming packet belongs to ANY, TCP, UDP or ICMP - ANY / TCP / UDP / ICMP - ANY
Action: Action - If the packet matches the rule condition, Forward or Block this matched packet session - Forward / Block - Block
Action: Log - If the packet matches the rule condition, log or do not log the matched packet - log / do not log - Don't log
Action: Forward bandwidth class - Forward bandwidth class, if any
Action: Reverse bandwidth class - Reverse bandwidth class, if any

(Chapter 9 Firewall)

Step 4 View the Firewall Log. DEVICE STATUS > Firewall Logs > Firewall Logs. You can go to DEVICE STATUS > Firewall Logs > Firewall Logs to view the firewall logs. The log columns are: No, Time, From, To, Protocol, Service, From Interface, To Interface, Action, Rule. Sample entry: 2004-07-14 09:58:52, from 192.168.17.105:399064 to 12.161.153.51. If you prefer to download these logs, please click the
54. ...the default class. Click Insert to insert a rule before the default rule.

Step 5 Customize the Rules. Enter a rule name such as outVPN, select the Source IP as LAN1_outVPN (192.168.40.0) and the Dest IP as WAN1_outVPN (192.168.88.0). Select the action to be LAN_1_to_LAN_2. In this way all outbound packets to the LAN_2 area will be put into the LAN_1_to_LAN_2 queue and scheduled out at 617 kbps bandwidth. Click Apply to store the changes. Repeat the same procedure for the outE_Commerce rule.

Step 6 View the rules. The DFL-1500 is configured to direct outE_Commerce-matched packets into the E_Commerce queue (308 kbps) and outVPN-matched packets into the LAN_1_to_LAN_2 queue (617 kbps). Here we reserve 40% of the WAN1 bandwidth for the LAN_1 to LAN_2 VPN data to guarantee the data communication between the VPN sites. The other traffic will be put into the def_class queue with any available bandwidth.

Screen: ADVANCED SETTINGS > Firewall > Edit Rules, direction LAN1 to WAN1. Default action for this packet direction: Forward, with Log. Packets are top-down matched by the rules (columns: Name, Schedule, Source IP, Dest IP, Service, Action, Log). ADVANCED SETTINGS > Firewall > Edit Rules > Insert.
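The rule evaluation the manual describes (packets compared top-down against the rules of one direction, first match deciding the action, log flag and bandwidth class, the direction's default action applying otherwise, and the rule-name restriction of Table 9.6), as an added Python example that is not code from the manual or the device. The rule sets, subnets and sample packets are constructed; the condition of the e-commerce rule (HTTPS to anywhere) and the "Spokes"/"Hub" subnets are assumptions, and the e-commerce rule is named with a dash so that it satisfies the naming rule.

```python
"""Top-down firewall rule evaluation with a per-direction default action.

Added example; this is not code from the DFL-1500 manual or firmware. It
models the behaviour the manual describes for one packet direction: rules
are compared top-down, the first rule whose Source IP, Dest IP and Service
match decides the action (Forward/Block), the log flag and the bandwidth
class, and a packet that matches no rule gets the direction's default
action. The rule sets, address ranges and sample packets are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Table 9.6: a rule name begins with a letter, followed by letters, digits or dashes.
RULE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def valid_rule_name(name: str) -> bool:
    return RULE_NAME_RE.match(name) is not None


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # Source IP range in CIDR form
    dst: str                  # Dest IP range in CIDR form
    service: str              # "ANY", "TCP", "UDP", "ICMP" or "TCP/443"-style
    action: str               # "Forward" or "Block"
    log: bool = False
    fwd_class: str = "def_class"   # forward bandwidth class
    rev_class: str = "def_class"   # reverse bandwidth class


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                # "TCP", "UDP" or "ICMP"
    dst_port: Optional[int] = None


Verdict = Tuple[str, str, bool, str]   # (rule name, action, log, forward class)


def _service_matches(service: str, pkt: Packet) -> bool:
    if service == "ANY":
        return True
    proto, _, port = service.partition("/")
    if proto != pkt.proto:
        return False
    return port == "" or pkt.dst_port == int(port)


def match(rules: List[Rule], pkt: Packet,
          default_action: str = "Block", default_log: bool = True) -> Verdict:
    """First matching rule wins; otherwise the direction's default applies."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    for rule in rules:
        if (src in ip_network(rule.src, strict=False)
                and dst in ip_network(rule.dst, strict=False)
                and _service_matches(rule.service, pkt)):
            return rule.name, rule.action, rule.log, rule.fwd_class
    return "default", default_action, default_log, "def_class"


# Constructed LAN1 -> WAN1 rule set (default action Forward with Log, as in
# the manual's bandwidth example). The outVPN subnets come from the manual;
# the outE-Commerce condition (HTTPS to anywhere) is an assumption.
LAN1_TO_WAN1 = [
    Rule("outVPN", "192.168.40.0/24", "192.168.88.0/24", "ANY", "Forward",
         fwd_class="LAN_1_to_LAN_2"),
    Rule("outE-Commerce", "192.168.40.0/24", "0.0.0.0/0", "TCP/443", "Forward",
         fwd_class="E_Commerce"),
]

# Constructed WAN1 -> LAN1 rule set (default action Block with Log). The
# spoke and hub subnets are assumptions standing in for the manual's
# "Spokes" and "Hub" address objects.
WAN1_TO_LAN1 = [
    Rule("AllowVPN", "192.168.88.0/24", "192.168.40.0/24", "ANY", "Forward"),
]


def evaluate_samples() -> List[Verdict]:
    """Run a few constructed packets through both directions."""
    return [
        match(LAN1_TO_WAN1, Packet("192.168.40.10", "192.168.88.5", "TCP", 443),
              default_action="Forward"),          # outVPN wins: it sits above outE-Commerce
        match(LAN1_TO_WAN1, Packet("192.168.40.10", "203.0.113.9", "TCP", 443),
              default_action="Forward"),          # outE-Commerce
        match(LAN1_TO_WAN1, Packet("192.168.40.10", "203.0.113.9", "UDP", 53),
              default_action="Forward"),          # no rule: direction default Forward
        match(WAN1_TO_LAN1, Packet("203.0.113.9", "192.168.40.1", "TCP", 22)),
                                                   # no rule: direction default Block, logged
    ]


if __name__ == "__main__":
    for verdict in evaluate_samples():
        print(verdict)
```

Rule order matters: the HTTPS packet bound for 192.168.88.5 is claimed by outVPN because it is listed first, which is exactly why the manual has you insert rules above the default rule and check the rule list afterwards.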
55. ...the following steps. Please refer to the Microsoft documentation for editing the Windows Registry.

1. Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
2. Add the following registry value to this key:
   Value Name: ProhibitIpSec
   Data Type: REG_DWORD
   Value: 1
3. Save your changes and restart the computer.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead it checks for a local or Active Directory IPSec policy.

Connecting to the L2TP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.

Part V Content Filters

Chapter 17 Content Filtering: Web Filters

This chapter introduces web content filters and explains how to implement them.

17.1 Demands. The downloaded web page will be filtered for ActiveX, Java, JavaScript and Cookie components
56. ...to set up the web filter now. As we know, there are many choices in the web filter settings according to your requirements. Here we list the setting priorities for your reference. As Table 17.8 indicates, the smaller priority sequence is executed first when running the web filter.

Table 17.8 Web filter priority sequence
Priority 1 - Web Filter > Exempt zone - Select which LAN region will apply the web filter settings. There are three items to choose: enforce all computers, include specified computers and exclude specified computers. - Restricted: Region
Priority 2 - Web Filter > Customize - We can use Customize to indicate the Trusted / Forbidden destination. There are two items for your choice: we can specify which URL domain names are trusted and which ones are forbidden, separately. Warning: Customize will not work on proxy connections. - Restricted: Internet web server
Priority 3 - Web Filter > URL Filter - When a URL contains any keyword listed in the domain name, it will be blocked. - Restricted: Internet web server
Web Filter > Categories - We can use Database Update to update the latest URL database, and then the Categories will be updated at the same time. The URL which a user requests will be blocked if it matches the categories in the URL Database.
Web Filter > Features - If the web page contains the components ActiveX, Java, JavaScript or Cookie, whi
Web Filter > Keyword
57. ...uses that SA to negotiate SAs for IPSec. In phase 1 you must:
- Choose a negotiation mode.
- Authenticate the connection by entering a pre-shared key.
- Choose an encryption algorithm.
- Choose an authentication algorithm.
- Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
- Set the IKE SA lifetime. This field allows you to determine how long IKE SA negotiation should proceed before it times out. A value of 0 means IKE SA negotiation never times out. If IKE SA negotiation times out, then both the IKE SA and the IPSec SA must be renegotiated.

In phase 2 you must:
- Choose which protocol to use (ESP or AH) for the IKE key exchange.
- Choose an encryption algorithm.
- Choose an authentication algorithm.
- Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography.
- Choose Tunnel mode or Transport mode.
- Set the IPSec SA lifetime. This field allows you to determine how long IPSec SA setup should proceed before it times out. A value of 0 means the IPSec SA never times out. If IPSec SA negotiation times out, then the IPSec SA must be renegotiated, but not the IKE SA.

Negotiation Mode. The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
- Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in thre
58. ...0 NAT rule for Basic DMZ1 added
    2004-04-27 16:23:27 DFL-1500 SYSTEM S5 HTTP started
    2004-04-27 16:23:28 DFL-1500 SYSTEM S6 HTTPS started
    2004-04-27 16:53:18 192.168.2.170 AUTH 41 admin login success 192.168.2.254:443
    2004-04-27 16:53:35 192.168.2.170 SYSTEM 58 WAN1 IP address 61.2.1.1/255.255.255.248 EventID 3
    2004-04-27 16:53:35 192.168.2.170 SYSTEM 53 WAN1 Gateway IP 61.2.1.6 EventID 3
    2004-04-27 16:53:35 192.168.2.170 SYSTEM 53 WAN1 Set default WAN link from WAN1 to WAN1
    (Download To Local; Refresh List; 10 per page; Page 1/12)

For the detailed information of the System Logs please refer to Appendix C.

Table 24.1 System log description: the description of a system log entry includes Component Type, Log ID, Log Description and Event ID (optional).

24.4.2 Syslog & Mail log

Step 1 Set up the Syslog Server. DEVICE STATUS > Log Config > Syslog Server. Set up the Syslog Server by checking Enable Syslog Server. It will let the DFL-1500 send logs to the Syslog Server specified in the Syslog Server IP Address field. Notice: if the logs are sent out to the syslog server, a copy is still kept in the DFL-1500.

FIELD - DESCRIPTION - EXAMPLE
Enable Syslog Server - Enable the Syslog Server feature of the DFL-1500 - Enabled
Syslog Server IP Address - The IP address of the syslog server - 10.1.1.20
BUTTON - DESCRIPTION
Apply - Apply the configuration in this page
Reset - Restore the original configuration in thi
59. ...00. You want to connect all the ISP links to the DFL-1500.

Objectives. Configure the general properties such as domain name, password, system time and connection timeout correctly. Besides, we can configure the preferred service name in the service name / numeric mapping list. DDNS: by using DDNS (Dynamic DNS) the DFL-1500 will send a request to modify the corresponding DNS record to the DDNS server after its IP is changed. DNS Proxy: reduce the number of DNS requests and the time for DNS lookup. DHCP Relay: enable the DHCP client to contact the DHCP server located in a different domain and get the required IP. Through the SNMP manager we can easily monitor the device status. We want to customize the interface of the DFL-1500 to fit our requests.

Methods. Configure the domain name, password, system time, connection timeout and service name. DDNS: configure the DFL-1500 so that whenever its IP is changed it sends requests to the DDNS server to refresh the DNS record. As Figure 4.1 demonstrates, the original DFL_1 has registered the WAN1 IP address 61.2.1.1 on the DDNS server www.dyndns.org; its domain name address is me.dyndns.org. If the WAN1 IP address is reassigned by the ISP, DFL_1 will update the registered IP address 61.2.1.1 to the newly assigned one. This is the basic mechanism of DDNS.

(Part II Basic Configuration. Figure 4.1: Update me.dyndns.org 61.2.1.1; dynamic WAN1
60. ...1.100 to 192.168.1.119, together with the DNS server 192.168.1.254, to the LAN1 PC that requests an IP address.

Step 3 Apply the Changes. Click Apply to save. Now you can enable the DHCP clients on your LAN1 PCs to get an IP.

Step 4 Check NAT Status. The default setting of NAT is Basic Mode. After completing Step 3, NAT has automatically configured the related rules to let all private-IP LAN/DMZ to WAN requests be translated with the public IP assigned by the ISP.

Step 5 Check NAT Rules. The DFL-1500 has added the NAT rules as in the right diagram. The rule Basic_LAN1 means that when a request matching the condition (LAN/DMZ to WAN direction, with its source IP falling in the range 192.168.1.254/255.255.255.0) arrives, the request will be translated into a public-source-IP request and then forwarded to the destination.

Screen: BASIC SETUP > LAN Settings > LAN1 Status (tabs: LAN1 Status, IP Alias). LAN1 TCP/IP: IP Address 192.168.1.254; IP Subnet Mask 255.255.255.0. DHCP Setup: Enable DHCP Server (checked); IP Pool Starting Address 192.168.1.100; Pool Size (max size 253) 20; Primary DNS Server 192.168.1.254; Secondary DNS Server 0.0.0.0; Routing Protocol None (OSPF Area ID). Apply.

Note: The IP Pool Starting Address must be on the same subnet specified in the IP Address and IP Subnet Mask fields. For example, the addresses given by 192.168.1.100 with a pool size of 20 are 192.168.1.100
61. ...1/255.255.255.248.

Screen: Advanced Settings > Routing > Policy Route (tabs: Static Route, Policy Route). Policy Routing > Edit Rules: packets are top-down matched by the rules (columns: Active, Name, Forward to next hop, Through, Direction, Source IP Address, Dest IP Address, Service).

Screen: Advanced Settings > Routing > Policy Route > Insert. Insert a new Policy Routing rule: Activate this rule (checked); Rule name GenlManaRoom. Condition: Incoming from LAN1; Source IP 192.168.40.192, Netmask 255.255.255.192; Dest IP 0.0.0.0, Netmask 0.0.0.0; Service Any; Configure src port (Type Single/Range, Src Port ... to ...); Configure dest port (Type Single/Range, Dest Port ... to ...; FTP 21; Copy To Dest Port). Action: Forward to WAN1 with next hop gateway IP 210.2.1.6. Back / Apply.

FIELD - DESCRIPTION - RANGE/FORMAT - EXAMPLE
Status: Active - The policy routing rule is enabled or not - Enabled/Disabled - Enabled
Status: Name - The policy routing rule name - text string - GenlManaRoom
Condition: Incoming from - Which interface the packets come from - interface/region - LAN1
Condition: Source IP / Netmask - Verify whether the incoming packets belong to the range of the Source IP / Netmask in the policy routing rule - IPv4 address / IPv4 netmask

(Chapter 8 Routing)
62. ...1 respectively to the Outgoing SPI and the Incoming SPI. Click Apply to store the rule.

Table: Manual Key IPSec rule fields
FIELD - DESCRIPTION - RANGE/FORMAT - EXAMPLE
Status: Active - This field activates this IPSec policy rule - Enable/Disable - Enabled
Status: Name - The name of this IPSec policy - text string - ManualKeyrule
Condition: Local Address Type - Determine the method to connect to the remote side of the VPN, by using the local subnet or the local single host - Subnet Address / Single Address - Subnet Address
Condition: Local IP Address - The local IP address - IPv4 format - 192.168.40.0
Condition: Local PrefixLen / Subnet Mask - The local IP netmask - IPv4 format - 255.255.255.0
Condition: Remote Address Type - Determine the method to connect to the local side of the VPN, by using the remote subnet or the remote single host - Subnet Address / Single Address - Subnet Address
Condition: Remote IP Address - The remote IP address - IPv4 format - 192.168.88.0
Condition: Remote PrefixLen / Subnet Mask - The remote IP netmask - IPv4 format - 255.255.255.0

(Chapter 11 Virtual Private Network: IPSec)

Action: Outgoing Interface - The WAN interface you are going to build the IPSec tunnel with - WAN interfaces - WAN1
Action: Peer's IP Address - The IP address of the remote-site device, like a DFL-1500 VPN Firewall Router - IPv4 format - 210.2.1.1
Action: Outgoing SPI - The Outgoing SPI (Security Parameter Index) value - hex 600 to 600000 (dec 1500 to 6300000) - hex 2222
Action: Incoming SPI - The Incoming SPI (Security Parameter Index) value - hex 600 to 600000
63. ...2.1.1 in the Peer's IP Address. Click the ESP Algorithm and select Encrypt and Authenticate (DES, MD5). Enter the Pre-Shared Key as 1234567890. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message.

(Chapter 11 Virtual Private Network: IPSec)

Screen: ADVANCED SETTINGS > VPN Settings > IPSec (tabs: IPSec, VPN Hub, Pass Through, PPTP, L2TP, VPN Spoke). Enable IPSec; Apply. Sub-tabs: IKE, Manual Key. Edit/Modify IPSec Security Associations (columns: Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Peer's IP).

Screen: ADVANCED SETTINGS > VPN Settings > IPSec > IKE: the same list for IKE rules.

Screen: ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add. IPSec > IKE > Edit Rule: Active (checked); IKE Rule Name IKErule. Condition: Local Address Type Subnet Address, IP Address 192.168.88.0, PrefixLen/Subnet Mask 255.255.255.0; Remote Address Type Subnet Address, IP Address 192.168.40.0, PrefixLen/Subnet Mask 255.255.255.0. Negotiation Mode Main; Encapsulation Mode Tunnel; Out
64. ...2.168.40.100:7896 to 61.2.1.2:7896 uniquely.

Figure 7.6 NAT One-to-One type

As Figure 7.6 illustrates, the NAT One-to-One type means that each local PC is translated into a unique public IP address when its packets are forwarded out through the DFL-1500. Take Connection 1 for example: its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933. But when the packets of Connection 2 are forwarded out, the source IP address is translated to another dedicated public IP address, 61.2.1.2:7896.

7.5.4 One-to-One bidirectional type

(Figure 7.7: Con1 192.168.40.1:2933 -> 61.2.1.1:2933; WAN1 IP 61.2.1.1, IP alias 61.2.1.2, IP alias 61.2.1.3, IP alias 61.2.1.4. The IP address of Connection 1 is changed from 192.168.40.1:2933 to 61.2.1.1:2933 in both directions. The IP address of Connection 2 is changed from 192.168.40.100:7896 to 61.2.1.2:7896 in both directions.)

Figure 7.7 NAT One-to-One bidirectional type

As Figure 7.7 illustrates, the NAT One-to-One bidirectional type means that each local PC is translated into a unique public IP address when its packets are forwarded out through the DFL-1500. Besides, when packets come from the Internet to the LAN, they are translated to the same private IP address too. Take Connection 1 for example: its IP address and port are translated between 192.168.40.1:2933 and 61.2.1.1:2933 in both directions. Accordingly the source IP add
65. ...253; WAN1 IP, ISP modem, Internet; ISP modem, WAN2 IP; PC1_1 ... PC1_5; 192.168.1.1; DHCP Client)

Figure 1.7 The default settings of the DFL-1500

As Figure 1.7 illustrates, this diagram shows the default topology of the DFL-1500. You can configure the DFL-1500 by connecting to the LAN1_IP (192.168.1.254) from PC1_1 (192.168.1.1). In the following sections we will teach you how to quickly set up the DFL-1500 for the basic applications.

(Part I Overview)

1.5 Using the Setup Wizard

A computer on your LAN1 must be assigned an IP address and Subnet Mask from the same range as the IP address and Subnet Mask assigned to the DFL-1500 in order to be able to make an HTTPS connection using a web browser. The DFL-1500 is assigned an IP address of 192.168.1.254 with a Subnet Mask of 255.255.255.0 by default. The computer that will be used to configure the DFL-1500 must be assigned an IP address between 192.168.1.1 and 192.168.1.253 with a Subnet Mask of 255.255.255.0 to be able to connect to the DFL-1500. This address range can be changed later. There are instructions in the DFL-1500 Quick Installation Guide if you do not know how to set the IP address and Subnet Mask for your computer.

Step 1 Login. Connect to https://192.168.1.254. Type admin in the Account field and admin in the Password field, and click Login. (Screen: D-Link VPN Firewall Router login page.) Note: Please do not access the web UI through a proxy, or the login m
66. ...253; Secondary DNS Server; Routing Protocol None (OSPF Area ID); Apply. Other fields shown: Primary DNS Server, Lease time (sec).)

Screen: ADVANCED SETTINGS > NAT > Status (tabs: Status, NAT Rules, Virtual Servers). Network Address Translation Mode: Basic.

Network Address Translation (NAT) translates the IP/port for:
1. Internal-to-External traffic: map the conditioned internal IPs/ports into the specified external IPs/ports. (Button: Reset NAT rules)
2. External-to-Internal traffic: map the conditioned external IPs/ports into the specified internal IPs/ports. (Button: Reset Server rules)

Modes:
1. None: The DFL-1500 is in routing mode without performing any address translation.
2. Basic: The DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnet IP ranges.
3. Full Feature: The DFL-1500 performs routing and NAT simultaneously. It performs several kinds of NAT on the conditioned IP subnets while performing routing on the other IP subnets.

Total Configured NAT Rules: 3; Vacant NAT Rules: 197. Total Configured Server Rules: 0; Vacant Server Rules: 200.

Screen: ADVANCED SETTINGS > NAT > NAT Rules. NAT > Edit Rules: packets are top-down matched by the rules (columns: Active, Name, Direction, Source IP Address, Translate Src IP into, Type).
1  Y  Basic_DMZ1  LAN/DMZ to WAN  10.1.1.254/255.255.255.0     Auto (device WAN IP)
1  Y  Basic_LAN2  LAN/DMZ to WAN  192.168.2.254/255.255.255.0  Auto
67. ...(A.3 CLI commands list: Rescue Mode). The full tftp commands are described in Table A.3.

Table A.3 ip tftp commands description
Main command - Sub command - Postfix command - Example - Command description
ip tftp - upgrade - config <FILENAME> WORD - ip tftp upgrade config <FILENAME> 192.168.1.170 - Upgrade configuration file from tftp server
ip tftp - upgrade - image <FILENAME> WORD [preserve] - ip tftp upgrade image image 192.168.1.170 - Upgrade image from tftp server
ip tftp - backup - config WORD - ip tftp backup config 192.168.1.170 - Backup configuration file to tftp server
ip tftp - backup - image WORD - ip tftp backup image 192.168.1.170 - Backup system image to tftp server

In the Postfix command, the meanings of the keywords are: WORD, the tftp server IP address; FILENAME, the upgrade configuration file / image name; preserve, the string "preserve" (this is optional).

A.3 CLI commands list: Rescue Mode

If the original firmware was damaged by some accident, you may need to recover it with the factory reset process in rescue mode. Boot the DFL-1500 and press <tab> or <space> during the 2-second countdown. You may refer to Section 25.5.3 for details.

Table A.4 Non-privileged mode of rescue mode
Main commands - Sub commands - Example - Command description
ip - (see below) - - Configure IP related settings

Note: If you don't know what parameter follows a command, just type
68. ...4090770; FAX 34 93 491 0795; URL www.dlink.es; E-MAIL info@dlink.es

Sweden: D-Link Sweden, P.O. Box 15036, S-167 15 Bromma, Sweden. TEL 46 8 564 61900; FAX 46 8 564 61901; URL www.dlink.se; E-MAIL info@dlink.se

Taiwan: D-Link Taiwan, 2F, No. 119 Pao-chung Road, Hsin-tien, Taipei, Taiwan. TEL 886 2 2910 2626; FAX 886 2 2910 1515; URL www.dlinktw.com.tw; E-MAIL dssga@tsc.dlinktw.com.tw

Turkey: D-Link Middle East, Deniz Bilgisayar, Buyukdere Cad. Naci Kasim Sk. No. 5, Mecidiyekoy, Istanbul, Turkey. TEL 90 212 213 3400; FAX 90 212 213 3420; E-MAIL smorovati@dlink-me.com

U.A.E.: D-Link Middle East, CHS Aptec (Dubai), P.O. Box 33550, Dubai, United Arab Emirates. TEL 971 4 366 885; FAX 971 4 355 941; E-MAIL Wxavier@dlink-me.com

U.K.: D-Link (Europe) United Kingdom Ltd, 4th Floor, Merit House, Edgware Road, Colindale, London NW9 5AB, United Kingdom. TEL 44 020 8731 5555; SALES 44 020 8731 5550; FAX 44 020 8731 5511; SALES FAX 44 020 8731 5551; BBS 44 0 181 235 5511; URL www.dlink.co.uk; E-MAIL info@dlink.co.uk

U.S.A.: D-Link U.S.A., 17595 Mt. Herrmann Street, Fountain Valley, CA 92708, USA. TEL 1 714 885 6000; FAX 1 866 743 4905; INFO 1 877 453 5465; URL www.dlink.com; E-MAIL tech@dlink.com, support@dlink.com

(Appendix H Customer Support)
69. ...5. Enter the Pre-Shared Key as 1234567890. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message. If you want to set the detailed IKE parameters, click the Advanced button on this page; otherwise it is fine to just leave the default values.

Screen values: Negotiation Mode Main; Encapsulation Mode Tunnel; Outgoing Interface WAN1; My Identifier IP Address (Auto Assigned); Remote Address Type Single Address; Peer's Identifier IP Address (Auto Assigned); ESP Algorithm Encrypt and Authenticate (DES, MD5); AH Algorithm Authenticate (MD5), unchecked; Pre-Shared Key 1234567890; Back / Apply. (Annotation: the opposite side's IP Address.)

Step 4 Detailed settings of IPSec IKE. In this page we set the detailed values of the IKE parameters.

Step 5 Reminder to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule.

Step 6 Add a Firewall rule. Beforehand, please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Inse
70. ...500 via the WAN1 port from my PC all the time. Why?
Ans:
a. Be sure that you can ping the WAN1 port; please check the procedure described in question 4.
b. Make sure that the WAN1 IP address of the DFL-1500 is not duplicated by another existing IP address. You can unplug the network cable connected to the WAN1 port, then try to ping the IP address set up on the WAN1 port. If the ping is still successful, the IP address set up on the WAN1 port is duplicated by an existing IP address.
c. Notice that you must check SYSTEM TOOLS > Remote Mgt > HTTPS > WAN1. The default enabled port is only the LAN port.

6. I can't build the VPN IPSec connection with another device at the other side all the time. Why?

(Appendix B Trouble Shooting)

Ans: Please make sure that you follow the setting method as follows:
a. Check your IPSec Settings. Please refer to the settings in Section 11.4, Step 3.
b. Make sure that you have already added a WAN to LAN policy in Advanced Settings > Firewall to let the IPSec packets pass through the DFL-1500. The default value from WAN to LAN is Block. When you add a Firewall rule, the Source IP and Netmask are the IP Address / PrefixLen (Subnet Mask) in the Remote Address Type fields, and the Dest IP and Netmask are the IP Address / PrefixLen (Subnet Mask) in the Local Address Type fields. Figure B.1 and Figure B.2 indicate
71. ...55.255.255.0. Be sure to select Aggressive mode to match the DFL_1 settings. Select the Outgoing Interface of this VPN Firewall Router. Enter the public IP of the opposite-side VPN gateway, 61.2.1.1, in the Peer's IP Address. Click the ESP Algorithm and select Encrypt and Authenticate (DES, MD5). Enter the Pre-Shared Key as 1234567890. Select User FQDN (mailbox) and enter dlink.com in the My Identifier field. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message. Note that one of the Peer's IP Addresses is a Static IP and the other must be a Dynamic IP while using the Dynamic IPSec VPN type to establish the VPN tunnel.

Step 4 Reminder to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule.

(Chapter 12 Virtual Private Network: Dynamic IPSec)

Screen: ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add. IPSec > IKE > Edit Rule: Active (checked); IKE Rule Name IKErule. Condition: Local Address Type Subnet Address, IP Address 192.168.88.0, PrefixLen/Subnet Mask 255.255.255.0; Remote Address Type Subnet Address, IP Address 192.168.40.0 (the opposite side's IP address), PrefixLen/Subnet
72. ...7. Pre-shared key: select Pre-shared key as the Type and enter the ID in the Local identity area. (Client screen text: A shared secret or pre-shared key is used to encrypt the connection; this then needs to be identical on both sides, VPN client and VPN gateway. Enter the appropriate value for the IKE ID according to the selected ID type. Pre-shared key: Shared secret / Confirm secret. Local identity: Type IP Address, ID 61.64.148.197.)

(Chapter 13 Virtual Private Network: DS-601 VPN client)

Step 5 General information. After finishing the previous settings we can view the general information here. (Profile Settings: Profile name DFL-1500; Communication media LAN (over IP); sections IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Firewall Settings.)

Step 6 IPSec General Settings. Configuration > Profile Settings > Configure > IPSec General Settings. Check that the Gateway IP is correct and then click the Policy editor to edit the IKE and IPSec policy. (Screen: IKE policy automatic mode; IPSec policy automatic mode; Policy lifetimes; Policy editor; Advanced options: Exch. mode Aggressive Mode; PFS group
73. …192.168.40.1:2933 > 61.2.1.1:2933. WAN1 IP 61.2.1.1; IP alias 61.2.1.2; IP alias 61.2.1.3; IP alias 61.2.1.4. Con2: 192.168.40.100:7896 > 61.2.1.2:7896. The IP address of Connection1 is changed to 61.2.1.1:2933 randomly. The IP address of Connection2 is changed to 61.2.1.2:7896 randomly.
Figure 7-5 NAT Many-to-Many type
As Figure 7-5 above illustrates, the NAT Many-to-Many type means that many local PCs are translated into multiple public IP addresses when their packets are forwarded out through the DFL-1500. Take Connection1 for example: its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933. Only after the DFL-1500 has used up all the source ports of the public IP 61.2.1.1 will it choose the second public IP, such as 61.2.1.2, from the address pool. For example, when Connection2 is forwarded out, its source IP address is translated into the second public IP address 61.2.1.2 from the public IP address pool, so the translated address 61.2.1.2:7896 differs from Connection1's 61.2.1.1:2933.
D-Link 58 DFL-1500 User Manual Chapter 7 NAT
7.5.3 One-to-One type
Con1: 192.168.40.1:2933 > 61.2.1.1:2933. WAN1 IP 61.2.1.1; IP alias 61.2.1.2; IP alias 61.2.1.3; IP alias 61.2.1.4. Con2: 192.168.40.100:7896 > 61.2.1.2:7896. The IP address of Connection1 is changed from 192.168.40.1:2933 to 61.2.1.1:2933 uniquely. The IP address of Connection2 is changed from 19
74. 87 Part VIII System Maintenance
25.8 Steps for Reset password
Step 1. Enter the boot loader. If you forget the password, you can use the following way to reset it. Press <TAB> or <SPACE> during the 2-second countdown.
Step 2. Enter the boot command as shown on the right. When the screen shows "Enter Initial Key", consult your local technical supporter to get the Initial Key. You will need to tell the local technical supporter all the MAC address values; then you will get the Initial Key.
To reset the admin password, get the Initial Key:
>> NetOS Loader (i386) V1.5 Fri Feb 20 10:25:11 CST 2004
Press <TAB> to prompt, starting in 0
Type "boot rescue" to load safe mode kernel to
 1. rescue corrupted firmware
 2. reset password for admin
type … or help for help
>> boot
998681+10753736+329772 [74+85936+64524]=0xbaba08
NetOS Ver1.529 (DLINK) #0: Wed Apr 7 00:38:02 CST 2004
cpu: Intel (null) Celeron (686-class), 1202.84 MHz
total memory = 255 MB
avail memory = 224 MB
Ethernet address 00:90:0b:02:eb:ac, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:ad, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:ae, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:af, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:b0, 10/100 Mb/s
wd: drive supports PIO mode 4
IPSec: Initialized Security Association Processing.
Enter Initial Key:
188 Part VIII System Maintenance
75. Step 9. Customize the rule. Set up the web from DMZ rule. Here we select DMZ1_ALL / LAN1_ALL in the Source IP / Dest IP fields. This means that if packets come from DMZ1 and target the LAN1 region, we do not care about their source/destination IP. If the packets are web traffic (HTTP, port 80), they will be put into the web from DMZ queue by the DFL-1500 bandwidth management feature. Note: in the Action region, the web from DMZ class was edited in the previous Step 4.
Step 10. View the results. We can see the result of our settings in the DMZ to LAN rule direction.
Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Firewall > Show Rules, Show WAN to LAN1 rules: packets are top-down matched by the rules (columns: Item, Status, Name, Schedule, Source IP, Dest IP, Service, Action, Log; Page 1/1).
Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules > Insert: insert a new DMZ1 to LAN1 Firewall rule. Rule name: web from DMZ; Schedule: Always; Source IP: DMZ1_ALL; Dest IP: LAN1_ALL; Service:
76. …TCP LAN1 fxp3 WAN1 Block Default …
Screenshot: Firewall log list (each entry shows the record time, source IP and port, destination IP and port, protocol/service, source and destination interface, action and matching rule). Buttons: Download To Local, Refresh, Clear, Next Page; List 10 per page; Page 1/14. Click the Download To Local button to save the logs to the local host.
FIELD DESCRIPTION:
The sequence number of the indicated firewall log.
The record time of the indicated firewall log.
The source IP address (including port) which the indicated log event comes from.
The destination IP address (including port) for which the indicated log event is bound.
Protocol / Service: whether the recorded log is TCP, UDP or ICMP, and which service it is.
Direction: the firewall log direction is OUT or IN. The direction is based on the DFL-1500. For example, Direction OUT means the pack
77. …192.168.40.192 / 255.255.255.192
Dest IP: Verify if the incoming packets belong to the range (IPv4 format).
Dest IP Netmask: Netmask of the Dest IP in the policy routing rule (IPv4 format).
Service: Verify what the service of this packet is (ANY, TCP, UDP, ICMP).
Configure src port: If the service is TCP or UDP we can choose whether or not to configure the source port (Enabled / Disabled).
Type (Src port): If we decide to configure the source port we must choose whether the port is single or a range (Single / Range).
Src port: If we select Single in the field above we just fill in one port in the first blank space; if we select Range we fill in the range of ports.
Configure dest port: If the service is TCP or UDP we can choose whether or not to configure the destination port (Enabled / Disabled).
Type (Dest port): If we decide to configure the destination port we must choose whether the port is single or a range (Single / Range).
Dest port: If we select Single in the field above we just fill in one port in the first blank space; if we select Range we fill in the range of ports.
Interface: If the packet matches this rule, the interface the packet is sent out to (example: WAN1).
Nexthop gateway IP: The IP address of the next gateway of the forwarding interface (example: 210.2.1.6).
Example values shown: 0.0.0.0, 0.0.0.0, Any, N/A, N/A, N/A, N/A, WAN1, 210.2.1.6.
Table 8-2 Add a policy routing entry
65 Part III NAT / Routing & Firewall
78. Transport Layer Condition, Protocol (ANY / TCP / UDP): packets that are not of the specified protocol will not be allowed to pass through the IPSec tunnel. Replay Detection: whether Replay Detection is enabled (NO / YES).
Table 11-7 Setup Advanced feature in the IPSec Manual Key rule
Step 5. Remind to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message reminding you to add a firewall rule. Just press the OK button to add a firewall rule.
Step 6. Add a Firewall rule. Same as in the IKE method. Please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule.
Step 7. Customize the Firewall rule. Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNA (192.168.88.0) and Dest IP as LAN1_VPNA (192.168.40.0). Click Apply to store this rule.
Screenshot: ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add (tabs: Pass Through, IPSec, VPN Hub, PPTP, L2TP, VPN Spoke). Message: 1. If you enable the firewall, please check whether these firewall rules would block packets in the tunnel. 2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled pack
79. …Address field. If you prefer a specific IP address, just click Selected and enter the valid IP address allowed to read the SNMP MIBs of the DFL-1500. Finally click the Apply button.
Screenshot: SYSTEM TOOLS > Remote Mgt > SNMP (tabs: WWW, TELNET, SSH, HTTPS, SNMP, MISC). Warning: If you are connecting to this Firewall with HTTPS, this action may disconnect your session. Please remember the settings and reconnect to the firewall again. Are you sure to apply this action?
42 DFL-1500 User Manual Chapter 5 Remote Management
5.3.4 ICMP
Step 1. Setup ICMP. SYSTEM TOOLS > Remote Mgt > MISC. Uncheck the WAN1 checkbox and leave the others checked. Then click the Apply button.
43 Part II Basic Configuration
Chapter 6 Authentication
This chapter introduces user authentication and explains how to implement it.
6.1 Demands
The DFL-1500 VPN Firewall Router supports user authentication against the DFL-1500 user database, a RADIUS server or an LDAP server. You can add a username and password to allow the user to authenticate using the internal database or to connect to the Internet. You can also add the name of a RADIUS server and select RADIUS to allow the user to authenticate using the selected RADIUS server.
6.2 Methods
Remember that you can only use a web browser to do the authentication in order to pass through the DFL-1500. If you cannot pass the authentication, you can access n
80. After entering the IP alias address, the result is shown in the WAN1 IP page.
Warning: If you select Fixed IP Address as your WAN link type and set any IP alias, the previously set IP aliases will disappear when you change the WAN link type to another type such as DHCP or PPPoE.
D-Link 28 DFL-1500 User Manual
Chapter 4 System Tools
This chapter introduces System Management and explains how to implement it.
4.1 Demand
Basic configurations for domain name, password, system time, timeout and services.
DDNS: Suppose the DFL-1500's WAN uses a dynamic IP but needs a fixed host name. When the IP changes, it is necessary to have the DNS record updated accordingly. To use this service one has to register the account, password and the wanted host name with the service provider.
DNS Proxy: Shorten the time of DNS lookups performed by applications.
DHCP Relay: Solves the problem that when the DHCP client is not in the same domain as the DHCP server, the DHCP broadcast will not be received by the server. If the client is in the LAN (192.168.40.X) while the server is located in the DMZ (10.1.1.4), the server will not receive any broadcast packet from the client.
The System Administrator would like to monitor the device from the remote side efficiently.
Suppose our company applies for three ISPs but there are just two default WAN ports on the DFL-15
81. Click the Groups hyperlink and then click Insert to add a new service group. Enter a Group Name to identify the group. Select the services from the available services list and click the right arrow to copy them to the Members list. If you would like to remove services from the Members list, just select the services and then click the left arrow to remove them. Note that the group name should begin with a letter, followed by letters, digits or dashes.
71 Part III NAT / Routing & Firewall
9.4.3 Setup Schedule
Step 1. Schedule Settings. BASIC SETUP > Books > Schedule > Objects. Use scheduling to control when rules are active or inactive. Select Insert to add a new schedule.
Step 2. Insert a new schedule object. Enter the Schedule name (example: Block MSN1). Select the Day(s) on which you would like to activate or deactivate a firewall rule, and then select the Start/Stop time. Click Apply to add the schedule object. Suppose using MSN is forbidden in your company from 08:30-12:00 and 13:00-17:30, Monday to Friday: you have to add two schedule ranges, 08:30-12:00 and 13:00-17:30, and then group them together so that your company can make a firewall rule to block the MSN service. Note that the schedule name should begin with a letter, followed by letters, digits or dashes.
Table 9-3 The fields of the Schedule object
D-Link 72 DFL-1500 User Manual
Step 3. Add a Schedule group. As Step 2 indicated, you have already create
82. D-Link DFL-1500 VPN Firewall Router User Manual. D-Link: Building Networks for People.
Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
DFL-1500 User Manual Version 2.000, September 15, 2004
Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance: FCC Class A Part 15; CSA cUS.
Part I Overview 2
Chapter 1 … 3
1.1 Check Your Package Contents 3
1.2 Five steps to configure DFL-1500 quickly 3
1.3 Wiring the … 5
1.4 Default Settings and architecture of DFL-1500 6
1.5 Using the Setup Wizard 8
1.6 Internet Connection 11
1.6.1 LAN to WAN Connectivity 11
1.6.2 WAN to DMZ Connectivity 13
Chapter 2 System Overview 16
2.1 Typical Example Topology 16
2.2 Changing the LAN IP Address 17
2.2.1 From LAN to configure DFL-1500 LAN network settings 17
2.2.2 From CLI (command line interface) to configure DFL-1500 LAN1 network settings
83. …IDs, because you may change different settings in the same Apply action. The Event ID is a sequence number, which means the same Log ID is not assigned the same Event ID every time. So whenever you press an Apply button while configuring the DFL-1500, an Event occurs immediately, and the Event is displayed in the System log.
Figure D-1: System log entries, each made up of date and time, source IP address, Component type, Log ID, Log description and Event ID (for example: ROUTING R3 LAN1 Routing Protocol None EventID 247; other entries shown: LOG L07 system log txt cleanup; SYSTEM S03 LAN1 IP Address Assignment 192.168.1.254 255.255.255.0; SYSTEM S04 Enable DHCP server on LAN1 by admin; SYSTEM S04 IP Pool Starting Address 192.168.1.1, Pool Size 20; NAT rule for Basic LAN added).
All the system log descriptions follow the same format as above. In the following table we list all the system logs for reference.
AUTH A01 User Login: AUTH A01 admin login success 192.168.17.102:443; AUTH A01 admin login fail (miss password) 192.168.17.102:443; AUTH A01 admin login fail (configuration is locked by adminis
84. Enter the Rule name as LAN1 DHCP. Select Allow Range in the Rule Type field and enter the Start IP as 192.168.40.101 and the End IP as 192.168.40.120. Click Apply to store this setting. Note that the rule name should begin with a letter, followed by letters, digits or dashes.
Screenshot: Activate this rule (checked); Rule name: LAN1 DHCP; Condition: Rule Type Allow Range, Start IP 192.168.40.101, End IP …; Apply.
FIELD / DESCRIPTION / RANGE-FORMAT / EXAMPLE:
Status: Activate the IP/MAC binding rule. Enabled / Disabled. Example: Enabled.
Rule Type: The type of the IP/MAC binding rule, IP binding or Allow Range. Binding / Allow Range.
MAC: Should be 12 characters, such as 000000000000.
IP Range: The IP range of the DHCP server. IPv4 format.
Table 9-4 The field of the Schedule object
Step 4. Show the IP/MAC binding rule. Advanced Setting > IP/MAC binding > Show Rules. After finishing the setting you can view the result as shown in the diagram on the right (tabs: Status, Edit Rules, Show Rules; columns: Status, Condition).
D-Link 74 DFL-1500 User Manual Chapter 9 Firewall
9.4.5 Block internal PC session (LAN to WAN)
Step 1. Setup NAT. ADVANCED SETTINGS > Firewall > Status (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Check the Enable Stateful Inspection Firewall checkbox and click Apply (buttons: Apply, Reset Rules).
FIELD / DESCRIPTION / RANGE-FORMAT / EXAMPLE:
Enable Stateful Inspection Firewall: Enable the Firewall feature of the DFL-1500. Enabled / Disabled. Example: Enabled.
Enable th
85. …211.78.4.48 … 211.78.4.1:7922 …
Step 6. Active Sessions. Screenshot: Active Sessions, Current Sessions 9 (columns: Local Client IP Address, Remote Server IP Address; Page 1/1).
Step 7. Top20 Sessions. DEVICE STATUS > System Status > Top20 Sessions (tabs: System Status, Network Status, CPU & Memory, DHCP Table, Routing Table, Active Sessions, Top20 Sessions). Click Top20 Sessions to see the top 20 sessions by amount of transmitted bytes. These 20 sessions are sorted by the amount of transmitted bytes. Screenshot: Top20 Sessions, Current Sessions 15 (columns: Item, Local Client IP Address, Remote Server IP Address, Traffic Statistics in bytes; buttons: Refresh, Clear; Page 1/1).
Part VIII System Maintenance
Step 8. IPS
86. …HTTP, and do not log the matched session. Reverse bandwidth class: def_class. Back / Apply.
Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Firewall > Show Rules, Show DMZ to LAN rules: packets are top-down matched by the rules. Rule shown: Name web from DMZ; Schedule ALWAYS; Source IP DMZ1_ALL; Dest IP LAN1_ALL; Service HTTP; Action Forward; Page 1/1.
168 DFL-1500 User Manual Chapter 21 Bandwidth Management
21.4.2 Outbound Traffic Management
Step 1. Enable Bandwidth Management. Check the Enable Bandwidth Management checkbox and click Apply.
Step 2. Setup the WAN1 Link. Select ANY to WAN1 to set up the traffic that will be transmitted by the WAN1 interface. Enter the WAN1 interface bandwidth as 1544 kbps. Click the Apply button to enforce the WAN1 link bandwidth of 1544 kbps. Then click Create Sub Class to partition the default class.
Step 3. Partition into Classes. Create a sub class named LAN_1 to LAN_2 from the default class. Enter 40 in the bandwidth field, uncheck the Borrow button and click Apply. Select the default class and click Create Sub Class to create another sub class named E Commerce from the default class. Enter 20 in the bandwidth field, check the Borrow button and click Apply. Now there are two classes under the default class, LAN_1 to LAN_2 and E Commerce, as the diagram on the right
87. FIELD / DESCRIPTION / EXAMPLE:
Enable DNS Proxy: When a host in the LAN/DMZ region sends a DNS request to the DNS server (the DFL-1500), the DFL-1500 forwards it to the assigned DNS server. When there is a response from the assigned DNS server, the DFL-1500 forwards it back to the host in the LAN/DMZ. Example: Enabled.
Table 4-7 System Tools DNS Proxy menu
4.4.4 DHCP Relay setting
Step 1. Setup DHCP Relay. SYSTEM TOOLS > Admin Settings > DHCP Relay (tabs: General, DDNS, DHCP Relay, Password, Time/Date, Timeout, Services, Interface). Check Enable DHCP Relay. Enter the IP address of your DHCP server; here we enter the DHCP Server address 10.1.1.4. Check the relay domain of the DFL-1500 that needs to be relayed, namely the one where the DHCP clients are located, and finally click the Apply button. Notice: the DHCP Server cannot be located within the subnet range of the Relay Domain.
FIELD / DESCRIPTION / EXAMPLE:
Enable DHCP Relay: When a host of the LAN/DMZ in the DFL-1500 internal network sends a DHCP request, the DFL-1500 forwards it automatically to the specified DHCP server (in a different subnet from the network segment of the DHCP client). Example: Enabled.
DHCP Server: Current location of the DHCP server. Example: 10.1.1.4.
Relay Domain: The locations of the DHCP clients. Example: Enable LAN1.
Table 4-8 System Tools DHCP Relay menu
37 Part II Basic Configuration
4.4.5 SNMP Control
Step 1. Setup SNMP Control. SYSTEM TOOLS
88. Dest IP: Verify if the destination IP address of incoming packets conforms to the Dest IP/Netmask settings (IPv4 format). Example: LAN1_ALL.
Service: Verify if the service of the packet belongs to the settings, then do the Action.
Action: If the packet matches the rule condition, Forward or Block this matched packet (Forward / Block). Example: Forward.
Log: If the packet matches the rule condition, Log or Don't log this matched packet (Log / Don't log). Example: Don't log.
Forward bandwidth class: The bandwidth class, if any (def_class, web from DMZ, web from WAN, video from WAN).
Reverse bandwidth class: The bandwidth class, if any (E Commerce, def_class, LAN_1 to LAN_2).
BUTTON / DESCRIPTION: Back: Back to the previous configuration page. Apply: Apply the settings which have been configured.
Table 21-7 Add a new Bandwidth Management rule
167 Part VII Bandwidth Management / High Availability
Step 7. View the rules. Now we can see that there are two customized rules in the queue of the WAN1 to LAN1 direction. In the No. 1 rule, the DFL-1500 is configured to direct video from WAN packets into the video from WAN queue (300 kbps). In the No. 2 rule, the DFL-1500 directs web from WAN packets into the web from WAN queue (1000 kbps). In the No. 3 rule, all other traffic is put into the def_class queue (any available bandwidth).
Step 8. Add a DMZ to LAN1 rule. Here we will add another rule, web from DMZ. Select the DMZ1 to LAN1 direction.
Step
89. …IKE Advanced parameters. For the related fields please refer to Table 11-5.
Screenshot: IPSec > IKE > Edit Rule > Advanced (tabs: IPSec, VPN Hub, VPN Spoke, PPTP). Transport Layer Protocol: ANY. Enable Replay Detection: NO. Phase 1: Negotiation Mode Aggressive; Pre-Shared Key 1234567890; Encryption Algorithm Encrypt and Authenticate (DES, MD5); SA Life Time 6800 (sec / min / hour); Key Group DH2. Phase 2: Encapsulation Tunnel; Active Protocol ESP; Encryption Algorithm Encrypt and Authenticate (DES, MD5); SA Life Time 28800 sec (sec / min / hour); Perfect Forward Secrecy (PFS) DH1. Back / Apply.
D-Link 104 DFL-1500 User Manual Chapter 12 Virtual Private Network: Dynamic IPSec
Step 5. Remind to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message reminding you to add a firewall rule. Just press the OK button to add a firewall rule.
Step 6. Add a Firewall rule. Beforehand, please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule.
Step 7. Customize the Firewall rule. Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNA (192.168.88.0) and Dest IP as
90. …L-1500 sys resetconf now
Resetting Configuration to default … DONE
System will reboot now
syncing disks… done
rebooting…
25.5.3 Steps for EMERGENT factory reset
Step 1. Enter the boot loader. If the original firmware is damaged, you may need to recover the firmware with the factory default. Press <TAB> during the countdown process.
>> NetOS Loader (i386) V1.5 Fri Feb 20 10:25:11 CST 2004
Press <TAB> to prompt, starting in 0
Type "boot rescue" to load safe mode kernel to
 1. rescue corrupted firmware
 2. reset password for admin
type … or help for help
>>
D-Link 186
Step 2. Enter the Safe Mode. Enter boot rescue to enter the emergency kernel. In this kernel you can use tftp to fetch another firmware to install, or reset the configuration to default even though you have lost the password.
Step 3. Factory reset. Enter sys resetconf now to reset the firmware to factory default. Then the system will reboot automatically.
>> boot rescue
691354+7888404+127584=0x84528c
NetOS Ver1.529 (RESCUE) #1: Wed Apr 7 00:54:55 CST 2004
cpu: Intel (null) Celeron (686-class), 1202.85 MHz
total memory = 255 MB
avail memory = 228 MB
Ethernet address 00:90:0b:02:eb:ac, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:ad, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:ae, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:af, 10/100 Mb/s
Ethernet address 00:90:0b:02:eb:b8, 10/100 Mb/s
wd: drive supports PIO mode 4
Software Serial Number 606235 76436828 722326
91. …LAN2/DMZ interfaces may be blocked. 2. If you would like to change the operation mode from NAT/Route mode to Transparent mode, you have to back up the configuration file and then do the factory reset first. (Transparent mode)
Step 5. WAN Connectivity. BASIC SETUP > Wizard > Next > WAN1 IP. Choose the type of IP Address Assignment provided by your ISP to access the Internet. Here we have four types to select from. This determines how the IP address of WAN1 is obtained. Click Next to proceed.
3 Part I Overview
Step 5-a. DHCP client. BASIC SETUP > Wizard > Next > DHCP. If Get IP Automatically (DHCP) is selected, the DFL-1500 requests an IP address, netmask and DNS servers from your ISP. You can use your preferred DNS by clicking the DNS IP Address option and then completing the Primary DNS and Secondary DNS server IP addresses. Click Next to proceed.
Screenshot: System Operation (System Name, Mode, Status); IP Address Assignment: Get IP Automatically (DHCP); Default WAN link; Gateway; DNS: Primary DNS 168.95.1.1, Secondary DNS 0.0.0.0; Routing Protocol: None; OSPF Area ID; Back / Next.
Step 5-b. Fixed IP. BASIC SETUP > Wizard > Next > Fixed IP. If Fixed IP Address is selected, enter the ISP-given IP Address, Subnet Mask, Gateway IP, Primary DNS and Secondary
92. Figure 14-2 (diagram): Main Office Private LANs; PC21 192.168.88.1, PC22 192.168.88.2; 192.168.40.1, 192.168.40.2; 192.168.1.254; PC_A 192.168.1.1 (DHCP client); DFL_1; WAN links to the branch offices.
Figure 14-2 The Topology of the VPN Hub (Main Office) and VPN Spokes (Branch offices)
14.2 Objectives
1. Using the VPN hub we can create a hub-and-spoke VPN configuration to direct traffic through a central DFL-1500 from one VPN tunnel to another VPN tunnel. Each VPN tunnel provides connectivity to a different remote VPN gateway. All of the VPN Hub member tunnels can establish VPN connections with any of the other member VPN tunnels.
14.3 Methods
1. Configuring the IKE tunnels
2. Configuring the WAN1 to LAN1 Firewall Rule
3. Configuring the VPN Hub for the Main Office
4. Configuring the VPN Spoke for the Branch Offices
121 Part IV Virtual Private Network
14.4 Steps
In the following we introduce how to set up the Hub-and-Spoke VPN between the main office and two branch offices.
Configuring the IPSec IKE tunnels: For the main office (the hub) we have to create the IKE tunnels, then create a VPN hub and add the tunnels to it as members. For the VPN settings please refer to Chapter 11 for details. Use the information in the following Table 14-1 to configure the IKE tunnels. After finishing the IPSec VPN setting, please remember to add a WAN to LAN firewall rule.
ESP Algorithm: Encrypt and
93. Screenshot: DEVICE STATUS > System Status > CPU & Memory (tabs: System Status, Network Status, CPU & Memory, DHCP Table, Routing Table, Active Sessions, Top20 Sessions). Shown: 5 system, 20 interrupt, 46 memory utilization.
Screenshot: DEVICE STATUS > System Status > DHCP Table. Entry 1: IP Address 192.168.1.20; Hostname pc101; MAC Address 00:40:F4:64:89:4D; Lease Expires 2024-05-29 16:02:32.
Screenshot: DEVICE STATUS > System Status > Routing Table (Destination / Netmask / Gateway / Interface):
10.1.1.0 / 255.255.255.0 / 10.1.1.254 / DMZ1
61.2.1.0 / 255.255.255.248 / 61.2.1.1 / WAN1
192.168.2.0 / 255.255.255.0 / 192.168.2.254 / LAN2
192.168.40.0 / 255.255.255.0 / 192.168.40.254 / LAN1
(Prev Page)
176 DFL-1500 User Manual Chapter 23 System Status
DEVICE STATUS > System Status > Active Sessions (tabs: System Status, Network Status, CPU & Memory, DHCP Table, Routing Table, Active Sessions, Top20 Sessions, IPSec Sessions). Click Active Sessions to see all the current sessions of the DFL-1500. The Active Sessions include all the outbound and inbound sessions. Screenshot: Active Sessions (Refresh, Clear, Page 1/1; columns: Local Client IP Address, Remote Server IP Address, Traffic Statistics in bytes; entries for 211.78.4.48 …).
94. …Subnet Mask 255.255.255.0; Negotiation Mode: Aggressive; Encapsulation Mode: Tunnel; Outgoing Interface: WAN1; Peer's IP Address: Static IP 61.2.1.1; My Identifier: FQDN (domain name) dlink.com; Peer's Identifier: IP Address (Auto Assigned, self local IP Address); ESP Algorithm: Encrypt and Authenticate (DES, MD5); AH Algorithm: Authenticate (MD5); Pre-Shared Key: 1234567890; Back / Apply.
Screenshot: ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add (tabs: Pass Through, IPSec, VPN Hub, VPN Spoke, PPTP, L2TP). Message: 1. If you enable the firewall, please check whether these firewall rules would block packets in the tunnel. 2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets. 3. The source address/mask and the destination address/mask of the firewall rules are 192.168.40.0/255.255.255.0 and 192.168.88.0/255.255.255.0 respectively. OK.
107 Part IV Virtual Private Network
Step 5. Add a Firewall rule. Same as at DFL_1, we need to add an extra firewall rule to allow IPSec packets to come in from the Internet. So here we select the WAN1 to LAN1 direction and click the Insert button.
Step 6. Customize the Firewall rule. Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNB (192.168.40.0) and Dest IP as LAN1_VPNB (192.168.88.0). Click Apply to store this rule.
Step 7. View the result. Now we have inserted a new rule before the default
95. … 43
Chapter 6 Authentication 44
6.1 Demands 44
6.2 Methods 44
6.3 Steps 44
6.3.1 … 44
6.3.2 … 46
6.3.3 … 46
6.3.4 Radius Server 46
6.3.5 LDAP Server 4…
6.3.6 Exempt … 47
Part III NAT / Routing & Firewall 48
Chapter 7 NAT 49
7.1 Demands 49
7.2 Objectives 50
7.3 Methods 50
7.4 Steps 51
7.4.1 Setup Many-to-One NAT rule 51
7.4.2 Setup Virtual Server for the … Server …
7.5 NAT modes introduction 57
7.5.1 Many-to-One type 57
7.5.2 Many-to-Many type 58
7.5.3 One-to-One type 59
7.5.4 One-to-One bidirectional type 59
7.5.5 NAT modes … 60
Chapter 8 Routing 61
8.1 Demands 61
8.2 Objectives 62
8.3 Methods 62
8.4 Steps 62
8.4.1 Add a … routing … 62
8.4.2 Add a policy routing entry 64
Chapter 9 Firewall 67
9.1 Demands
96. FIELD / DESCRIPTION / EXAMPLE:
From Address: Exempt zone record, IP address from. Example: 192.168.40.10.
To Address: Exempt zone record, IP address to. Example: 192.168.40.30.
Table 19-3 FTP Filter: add an exempt zone entry
153 Part V Content Filters
Step 5. Show the Exempt Zones. ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone (tabs: Web Filter, Mail Filter, FTP Filter). Here we can see that the newly added Exempt Zone record appears.
D-Link 154
Part V Intrusion Detection System
D-Link 156 DFL-1500 User Manual Chapter 20 Intrusion Detection Systems
Chapter 20 Intrusion Detection Systems
This chapter introduces the Intrusion Detection System (IDS) and explains how to implement it.
20.1 Demands
Although the Firewall settings are correct, there may still be crackers intruding into our system. Crackers hack into our system through Firewall-allowed channels with sophisticated skills. Most often they attack specific application servers, such as the SNMP, Web and FTP services in your DMZ.
20.2 Objectives
1. Detect any attacks towards our DMZ servers.
2. Instantly notify our network administrators what attacks have been detected.
Figure 20-1 (diagram): Organization_1 Private LANs; DMZ1 10.1.1.1-253 with WebServer1 10.1.1.1 and MailServer1 10.1.1.2; DMZ1_IP 10.1.1.254; DFL_1 with LAN1_IP 192.168.40.254 and WAN1_IP 61.2.1.1; Internet; Cracker 140.113.179.2.
Figure 20-1 Some cracker in the Internet would try to hack our company
LOG L04 Disable syslog server by admin 192.168.17.102:443

L05 Enable/Disable Mail Log
LOG L05 Enable mail logs to tom@hotmail.com by admin 192.168.17.102:443
LOG L05 Disable mail logs by admin 192.168.17.102:443

L06 Send Mail Log
LOG L06 mail logfile to tom@hotmail.com

L07 Log Cleanup
LOG L07 logfile is cleanup

L08 Mail configuration update
LOG L08 Mail configuration updated by admin 192.168.17.102:443

ROUTING

R3 Routing Protocol
ROUTING R3 WAN1 OSPF Area ID 15
ROUTING R3 WAN1 Routing Protocol RIPv2 In/Out
ROUTING R3 WAN1 Routing Protocol RIPv1 In/Out
ROUTING R3 WAN1 Routing Protocol RIPv2 In
ROUTING R3 WAN1 Routing Protocol RIPv1 In
ROUTING R3 WAN1 Routing Protocol None

SYSTEM

S01 Wall Startup
SYSTEM S01 Wall Startup

S02 Wall Shutdown
SYSTEM S02 Wall Shutdown

Appendix C System Log Syntax

S03 Interface Configuration
SYSTEM S03 WAN1 IP Address Assignment Get IP Automatically by admin 192.168.17.102:443
SYSTEM S03 WAN1 IP Address Assignment Fixed IP Address by admin 192.168.17.102:443
S
BASIC SETUP > WAN Settings > IP Alias > Add
Suppose you have applied for 8 IP addresses from your ISP and the range the ISP assigned runs from 61.2.1.0 to 61.2.1.7 (netmask 255.255.255.248). Now you would like to add three WAN1 IP aliases. Select WAN1 in the Interface field, enter the IP alias and netmask (61.2.1.2 / 255.255.255.248), key in 3 in the Alias size field, and then click Apply.
Notice: IP aliases on the DMZ or LAN interfaces are set the same way.
With a /29 block the usable addresses are 61.2.1.1 to 61.2.1.6; 61.2.1.0 and 61.2.1.7 are the network and broadcast addresses, so an alias size that runs past 61.2.1.6 includes an unusable address. Keep the WAN1 primary address and the ISP gateway out of the alias range as well.

FIELD | DESCRIPTION | EXAMPLE
Alias size | The number of consecutive IP addresses in the alias record | 3
Table 3.4 Add an IP alias record

Step 4 Edit/Delete IP alias record
BASIC SETUP > WAN Settings > IP Alias
You can add, edit or delete IP alias records with the Add, Edit or Delete buttons.

FIELD | DESCRIPTION | EXAMPLE
Prev Page | If there is more than one page of IP alias records, press Prev Page to go back to the previous page | N/A
Add | Insert a new IP alias record | N/A
Edit | Edit the properties of an existing record | N/A
Delete | Delete the indicated record | N/A
Next Page | If there is more than one page of records, press Next Page to go to the next page | N/A
Table 3.5 Show the entered IP alias records

Table 3.6 IP alias limitation of each port (maximum number of IP alias records on the WAN, LAN and DMZ ports)

Step 5 See the IP alias setting in the WAN1 IP page
BASIC SETUP > WAN Settings > WAN1 IP > Fixed IP Address (tabs: WAN1 IP, WAN2 IP, IP Alias)
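The alias record above is only valid if every address it covers lies inside the block the ISP assigned, avoids that block's network and broadcast addresses, and does not collide with the WAN1 primary address or the ISP gateway. The following is an added example, not code from the manual or from D-Link, that performs those checks with the standard library before the record is typed into the web GUI. The function names, the reserved-address list and the sample values are assumptions; the addresses 61.2.1.0/29, 61.2.1.2 and alias size 3 are the ones the section uses, and the /28 mask is the inconsistent value that appears on the page.

```python
from ipaddress import IPv4Address, IPv4Network


def plan_aliases(isp_block, first_alias, size, netmask, reserved=()):
    """Return the addresses an IP-alias record (first address + Alias size)
    would occupy, or raise ValueError explaining why the record is unsafe.

    isp_block  : the block the ISP assigned, e.g. "61.2.1.0/29" (assumed format)
    first_alias: the IP alias typed into the GUI, e.g. "61.2.1.2"
    size       : the Alias size field
    netmask    : the Netmask typed into the GUI; must equal the block's mask
    reserved   : addresses already in use, e.g. the WAN1 primary IP and the
                 ISP gateway (assumed to be 61.2.1.1 in the sample below)
    """
    block = IPv4Network(isp_block, strict=True)
    if IPv4Address(netmask) != block.netmask:
        raise ValueError(f"netmask {netmask} does not match the ISP block {block} "
                         f"(expected {block.netmask})")
    start = IPv4Address(first_alias)
    aliases = [start + i for i in range(size)]      # consecutive addresses
    taken = {IPv4Address(r) for r in reserved}
    for addr in aliases:
        if addr not in block:
            raise ValueError(f"{addr} lies outside {block}")
        if addr in (block.network_address, block.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address of {block}")
        if addr in taken:
            raise ValueError(f"{addr} is already used (WAN1 primary IP or ISP gateway)")
    return [str(a) for a in aliases]


def alias_entry_error(isp_block, first_alias, size, netmask, reserved=()):
    """Same checks as plan_aliases, but return the problem as a string
    (None when the record is fine), which is handier in a pre-change script."""
    try:
        plan_aliases(isp_block, first_alias, size, netmask, reserved)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # The section's own example: three aliases from 61.2.1.2 inside 61.2.1.0/29,
    # with 61.2.1.1 reserved for the WAN1 primary address (constructed sample).
    print(plan_aliases("61.2.1.0/29", "61.2.1.2", 3, "255.255.255.248",
                       reserved=("61.2.1.1",)))   # ['61.2.1.2', '61.2.1.3', '61.2.1.4']
    # Alias size 6 from .2 would reach .7, the broadcast address.
    print(alias_entry_error("61.2.1.0/29", "61.2.1.2", 6, "255.255.255.248"))
    # The /28 mask that also appears on the page does not fit an 8-address block.
    print(alias_entry_error("61.2.1.0/29", "61.2.1.2", 3, "255.255.255.240"))
```

Run the script before applying a new alias record; a non-None result from alias_entry_error is the reason the GUI entry should be corrected first.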
Chapter 13 Virtual Private Network: DS-601 VPN client
This chapter introduces IPSec VPN using the DS-601 VPN client and explains how to implement it. As described in Figure 2.1, we extend that setup in this chapter to a VPN link between LAN_1 and a remote client. Figure 13.1 shows the real structure of the implemented process.

13.1 Demands
1. Someone on a business trip needs to connect back to the company by VPN. If he uses the DS-601 VPN client to build an IPSec VPN tunnel to the Organization_1 LAN, refer to the following diagram to configure the settings.

Figure 13.1 The client DS-601 is making an IPSec VPN tunnel with the Organization_1 LAN (DFL-1: LAN1_IP 192.168.40.254, WAN1_IP 220.136.231.114; DS-601 client at 61.64.148.197 behind its ISP on the Internet; LAN_1 192.168.40.1 to 192.168.40.253 with PC1_1 192.168.40.1 and DHCP client PCs)

13.2 Objectives
1. Let the users in LAN_1 and the DS-601 client share resources through a secure channel established with IPSec.

13.3 Methods
1. Configure DFL-1 and the DS-601 VPN client separately so that they build an IPSec VPN tunnel.

13.4 Steps
In the following we introduce how to set up IPSec between the Organization_1 LAN and the DS-601 VPN client.

At DFL-1
First we set the IPSec properties of DFL-1.

Step 1 Enable IPSec
ADVANCED
PPTP method connection

15.3 Methods
1. Set up the PPTP server at the DFL-1500 and set up the remote PC as the PPTP client. After dialing up to DFL-1, DFL-1 assigns a private IP address from the range configured in its PPTP server. If the range is 192.168.40.180 to 192.168.40.199, the remote host may get 192.168.40.180 and logically becomes a member of LAN1.
2. Set up the DFL-1500 as the PPTP client. All the client PCs behind the DFL-1500 can then reach the network behind the PPTP server by passing through the DFL-1500; to them it is as if no Internet lay in between and the two networks were directly connected.

15.4 Steps
15.4.1 Setup PPTP Network Server
Step 1 Enable PPTP Server
Check the Enable PPTP checkbox, enter the LAN1 IP of DFL-1 (192.168.40.254) in the Local IP field, and enter the IP range that will be assigned to PPTP clients in the Start IP and End IP fields (192.168.40.180 to 192.168.40.199). Enter the Username and Password that employees will use during dial-up (Username: PptpUsers). Click Apply to finish the configuration.
Note that a single shared account such as PptpUsers cannot tell the server who dialed in, and one leaked password opens the LAN to anyone; give each employee their own credentials where the firmware allows it. PPTP is also a legacy protocol whose authentication and encryption are widely regarded as broken, so prefer the IPSec VPN (Chapters 10 to 13) for any link that carries sensitive traffic.

FIELD | DESCRIPTION | EXAMPLE
Enable PPTP Server | Enable the PPTP feature of the DFL-1500 | Enabled
Local IP | The IP address in the internal network used on the DFL-1500 side of the link after a PPTP client dials in | 192.168.40.254
Start IP | The starting IP address allocated in the internal network after a PPTP client
IPSec Proposals: Policy name DFL 1500 DES MD5 (columns: Protocol, Transform, Authentication)

Step 10 IPSec advanced options
Configuration > Profile Settings > Configure > IPSec General Settings > Advanced Options
In the Advanced options area, select Main Mode in the Exch mode field and DH Group 1 (768 Bit) in the PFS group field. (IPSec General Settings: Gateway 220.136.231.114; IKE policy DFL 1500 DES MD5; IPSec policy DFL 1500 DES MD5; Policy lifetimes; Use IP compression (LZS) and Disable DPD (Dead Peer Detection) left unchecked)
DES, MD5 and DH Group 1 (768-bit) are the weakest options the client offers; DES has a 56-bit key and 768-bit Diffie-Hellman is no longer considered adequate. Where both ends support it, choose 3DES with SHA and DH Group 2 (1024 Bit), which the policy editor already lists as a ready-made DFL-1500 entry, and use the same choice on the DFL-1 side of the tunnel.

Step 11 View Identities
Check whether the Local identity and the Pre-shared key are correct. If so, click OK to finish the settings. (Identities: Local identity type IP Address; Pre-shared key: Shared secret and Confirm secret; Use extended authentication (XAUTH): Username, Password)

Step 12 IP Address Assignment
Configuration > Profile Settings > Configure > IP Address Assignment
Select Use local IP address
SETTINGS > VPN Settings > IPSec
Check the Enable IPSec checkbox and click Apply. (Tabs: IPSec, VPN Hub, VPN Spoke, PPTP, L2TP, Pass Through. Sub-pages: IKE, Manual Key. IPSec Security Associations list: Item, Status, Condition, Action, Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Peer's IP)

Step 2 Add an IKE rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE
Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.

Step 3 Customize the rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add
Check the Active checkbox. Enter a name for this rule, such as ds601. Enter the Local IP Address 192.168.40.0 / 255.255.255.0 (Local Address Type: Subnet Address) and the Remote IP Address 61.64.148.197 / 255.255.255.255. Select the Outgoing Interface of this VPN. Enter the public IP of the opposite VPN gateway (61.64.148.197) in the Peer's IP field. Click the ESP Algorithm and select Encrypt and Authenticate: DES, MD5.
The IKE and ESP proposals chosen here must match the IKE and IPSec policies configured in the DS-601 client, or phase 1 or phase 2 negotiation fails; if you move to 3DES/SHA on one side, change the other side to match before connecting.
IPSec VPN: Connection > Connect
Click Connect to establish the IPSec VPN tunnel with the Organization_1 LAN_1. If the connection is established you will see it as in the diagram. (D-Link VPN Client, Connection / Configuration / Log / Profile: Outside Line DFL 1500; Connection is established. Statistics: Time online 00:33:27, Timeout 360 sec, Data Tx 6.44 KByte, Data Rx 1.015 KByte, Link Type LAN, Speed 0.000 KByte/s, Encryption DES)

Chapter 14 Virtual Private Network: Hub and Spoke VPN
This chapter introduces Hub and Spoke VPN and explains how to implement it. As described in Figure 2.1, we extend that setup in this chapter to a VPN link between the Main Office (the hub) and the branches. Figure 14.1 shows the real structure of the implemented process.

14.1 Demands
1. Suppose that your company has a main office and two branch offices which communicate using a hub and spoke VPN configuration. The main office is the hub, where the VPN tunnels terminate, while Branch_1 and Branch_2 are the spokes. The main office has a VPN tunnel to each branch office, and Branch_1 and Branch_2 each have their own VPN tunnel to the hub.

Figure 14.1 The hub and spoke VPN structure (Branch_1 Private LANs, Branch_2 Private LANs)
Settings > Routing > Static Route
The static route has been stored. After filling in the data completely, view the static routing entries that have been set. (Tabs: Static Route, Policy Route)

Step 4 View the routing table
You can notice there is an extra entry in the routing table. The entry indicated in the diagram is produced by the static routing rule.

8.4.2 Add a policy routing entry
Step 1 Set up the ISP2 link
We must add an IP alias record to the WAN1 port because a new ISP link has been applied for; see section 3.4.3 for the full procedure. Here we add an IP alias of WAN1 as 210.2.1.1 / 255.255.255.248. (Basic Setup > WAN Settings > IP Alias: Interface WAN1, Aliases 210.2.1.1, Netmask 255.255.255.248)

Step 2 Insert a policy routing entry
Click the Insert button to add a policy routing entry.

Step 3 Fill out the related fields
For the General Manager Room department we need an extra policy routing entry. In the Status region, make sure Activate this rule is enabled and fill in GenlManaRoom in the Rule name field. In the Condition region, fill 192.168.40.192 in the Source IP field and 255.255.255.192 in the Netmask field (that is, the 64 addresses 192.168.40.192 to 192.168.40.255). In the Action region, fill forward to WAN1 with next hop gateway 210.2.1.6. After this, packets that match the condition follow the predefined action and are forwarded to that next hop instead of the destination-based route in the routing table.
Open Shortest Path First (OSPF) is a routing protocol used to determine the correct route for packets within IP networks. It was designed by the Internet Engineering Task Force to serve as an Interior Gateway Protocol replacing RIP.

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or Internet Message Access Protocol (IMAP), that let the user save messages in a server mailbox and download them periodically from the server.

VPN (Virtual Private Network) The key feature of a VPN is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that use the same cabling and routers as a public network, and they do so without sacrificing features or basic security.

Appendix E Index (entries that survived extraction)
Backup Configuration 185
Bandwidth Management 159, 169
Content Filters 134
FTP Filter 149
Mail Filter 145
Web Filter 135
DDNS 30
DHCP 9, 12, 24, 25
DHCP Relay 30
DNS Proxy 30
Factory Reset 184
Firewall 67
Firmware Upgrade 182, 183
IDS (Intrusion Detection System)
DEVICE STATUS > System Status > System Status
Here we can see the system information, including the system name, firmware version and the full list of each port's settings. (Tabs: System Status, Network Status, CPU & Memory, DHCP Table, Routing Table, Active Sessions, Top 20 Sessions, IPSec Sessions)

Step 2 Network Status
DEVICE STATUS > System Status > Network Status
Here we can see whether each port is up or down, and view the number of packets transmitted and received on each port.

Step 3 CPU & Memory
The device information, including system, user, interrupt and memory utilization, is shown through a graphical interface.
Note: If you cannot view the graphic correctly, the cause may be that no Java Virtual Machine (JVM) is installed for your browser. Go to http://java.sun.com/j2se/1.4.2/download.html and download the Java 2 Platform, Standard Edition (JRE) for your platform (e.g. Windows). After installing the JRE properly you will see the CPU & Memory graphic as on the right. The JRE 1.4.2 release the manual points to is long out of support; if you still need it for this page, install it only on a dedicated management workstation rather than on general-purpose desktops.

Step 4 DHCP Table
Through the DHCP Table we can see which IP addresses have been allocated by the DHCP server and which PC (MAC address) has leased each IP address.

Step 5 Routing Table
Click the Routing Table to see the routing table information of the DFL-1500.
4. I can't ping the DFL-1500 WAN1 interface successfully. Why?
Ans: Follow the items below to check whether it is ready or not.
a. Check Basic Setup > WAN Settings > WAN1 and verify that the status fields contain correct data.
b. Check Device Status > System Status > Network Status: the WAN status should be UP. If the status is DOWN, check whether the network cable is connected.
c. Check System Tools > Remote Mgt > MISC > WAN1 and verify that the WAN1 port checkbox is enabled. By default only the LAN port is enabled. Enabling ICMP echo replies on WAN1 makes the device visible to anyone scanning the Internet; enable it for the test and disable it again afterwards.
d. Check whether a virtual server rule with Dest IP = WAN1 IP address and port 1-65535 exists. If such a rule exists, every connection arriving from outside on the WAN1 port is relayed to another server, so what you pinged is actually that server, not the DFL-1500.
e. Check whether a NAT One-to-One bidirectional rule with Translated Src IP = WAN1 IP address and port 1-65535 exists. If such a rule exists it likewise relays all connections arriving from outside on WAN1 to another server, so what you pinged is that server, not the DFL-1500.
f. If all the above items have been checked, try a new network cable. This problem is most often caused by the cable. Do not rely on the LED status alone, because it can sometimes mislead your judgment.

5. I have already set the WAN1 IP address of the DFL-1500 in the same subnet as my PC, but I can't use HTTPS to login to the DFL-1
NAT Rules
In Full Feature mode the rules can be further customized. Incoming packets from the LAN/DMZ zones are matched top-down against the NAT rules; that is, NAT implements first match. Select the rule item you want to act on, then insert a new rule before it, delete it, or move it before the item chosen in the list box. (Columns: Item, Status, Condition, Action, Name, Direction, Source IP Address, Translate Src IP into, Type)
Because of first match, a broad Many-to-One rule placed above a narrower One-to-One or bidirectional rule for the same subnet silently prevents the narrower rule from ever matching. Check the rule order after every insert or move, and put the most specific rules first.

Step 5a Insert a Many-to-One rule
ADVANCED SETTINGS > NAT > NAT Rules > Insert Rule
As described above, Many-to-One NAT is the default NAT rule type in Basic mode. If you have other alias LAN/DMZ subnets you can manually add a Many-to-One NAT rule for them. First select the Type as Many to One, check Activate this rule, enter a Rule name, enter the private IP subnet (an IP address with a netmask, e.g. 192.168.40.0 / 255.255.255.0) to be translated, and enter the public IP address to be translated into. You can check Auto choose IP from WAN ports; the DFL-1500 will then automatically determine which WAN IP to translate into.

FIELD | DESCRIPTION | RANGE/FORMAT | EXAMPLE
Status | Whether the NAT rule is enabled or not | Enabled, Disabled | Enabled
Source IP | Compared with the source address of incoming packets; whether | | 192.168.40.0
Customize the VPN Connection
1. Right-click the icon that you have created.
2. Select Properties > Security > Advanced > Settings.
3. Select No Encryption from the Data Encryption list and click Apply.
4. Select the Properties > Networking tab.
5. Select PPTP VPN from the VPN Type. Make sure the following are selected: TCP/IP, QoS Packet Scheduler.
6. Select Apply.
Note: with Data Encryption set to No Encryption, as in step 3, the PPTP tunnel carries the employee's traffic across the Internet in cleartext; the tunnel then provides a LAN address, not confidentiality. Use this setting only if you have confirmed that the DFL-1500 PPTP server does not negotiate encryption; otherwise choose the strongest encryption both sides support, or carry the traffic over the IPSec VPN instead.

Connecting to the PPTP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your PPTP VPN User Name and Password.
4. Select Connect.

15.4.2 Setup PPTP Network Client
Step 1 Enable PPTP Client
ADVANCED SETTINGS > VPN Settings > PPTP > Client
Fill in the IP address of the PPTP server and the Username and Password it issued. When the connection to the PPTP server succeeds, the IP address allocated to the PPTP client appears in the Assigned IP field.
Table 15.2 Setup PPTP Client settings

Chapter 16 Virtual Private Network: L2TP
This chapter introduces L2TP and explains how to implement it.

16.1 Demands
1. An employee in our company may sometimes want to connect back to the corporate network to work on something. His PC is PC1_1 in LAN1 rather than in DMZ1, so he cannot reach the host directly with virtual server settings alone. This causes inconvenience for the employee to work r
10.2.1 VPN
A Virtual Private Network (VPN) logically provides secure communication between sites without the expense of leased site-to-site lines. A secure VPN is a combination of encryption, tunneling, authentication and access control used to transport traffic over the Internet or any insecure TCP/IP network.

10.2.2 IPSec
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communication across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

10.2.3 Security Association
A Security Association (SA) is an agreement between two parties indicating what security parameters, such as keys and algorithms, they will use.

10.2.4 IPSec Algorithms
There are two types of algorithm in IPSec: 1. encryption algorithms, such as DES (Data Encryption Standard) and 3DES (Triple DES), and 2. authentication algorithms, such as HMAC-MD5 (RFC 2403) and HMAC-SHA1 (RFC 2404). Of the listed encryption options, DES (56-bit key) is no longer considered adequate against a well-resourced attacker; choose 3DES, and pair it with HMAC-SHA1.

10.2.5 Key Management
Key Management lets you choose whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. With manual keys the same key stays in use until someone changes it, so manual keying suits testing rather than production links.

IKE Phases
Every IKE (Internet Key Exchange) negotiation has two phases: phase 1, in which the peers authenticate each other, and phase 2, in which the keys for the IPSec traffic are exchanged. The phase 1 exchange establishes an IKE SA and the second one
SYSTEM S03 WAN1 Got PPPoE IP Address <IP address> 255.255.255.0

S04 Startup/Shutdown DHCP Server
SYSTEM S04 Enable DHCP server on LAN1 by admin 192.168.17.102:443
SYSTEM S04 Disable DHCP server on LAN1

S05 Startup/Shutdown HTTP Server
SYSTEM S05 HTTP started
SYSTEM S05 HTTP stopped

S06 Startup/Shutdown HTTPS Server
SYSTEM S06 HTTPS started

S08 Set Interface IP Address
SYSTEM S08 WAN1 IP Address 192.168.17.102 255.255.255.0 by admin 192.168.17.102:443

S09 IP Alias
SYSTEM S09 LAN1 Add IP address alias 192.168.1.2 255.255.255.0 by admin 192.168.17.102:443
SYSTEM S09 LAN1 Delete IP address alias 192.168.1.2 255.255.255.0 by admin 192.168.17.102:443
SYSTEM S09 LAN1 Change IP address alias 192.168.1.2 255.255.255.0 to 192.168.1.3 255.255.255.0 by admin 192.168.17.102:443

S10 Set Host Name
SYSTEM S10 HostName DFL-1500 set by admin 192.168.17.102:443

S11 Set Domain Name
SYSTEM S11 Domain Name dlink.com set by admin 192.168.17.102:443

S12 Enable/Disable DDNS
SYSTEM S12 Enable Dynamic DNS with hostname wall.adsldns.org on WAN1 by admin 192.168.17.102:443
SYSTEM S12 Disable Dynamic DNS on WAN1 by admin 192.168.17.102:443

S13 Enable/Disable DNS Proxy
SYSTEM S13 Enable DNS proxy by admin 192.168.17.102:443
SYSTEM S13 Disable DNS proxy by admin 192.168.17.102:443

S14 Enable/Disable DHCP Relay
SYSTEM S14 Enable DHCP relay by admin 192.168.17.102:443
SYSTEM S14 Disable DHCP relay by adm
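The Appendix C lines in the LOG, ROUTING and SYSTEM categories share one shape: a category, a two-character event ID, a free-text message and, for changes made through a management session, a "by admin <ip>:<port>" tail. That regularity is what makes the syslog output useful for monitoring: a collector can flag configuration changes coming from a host that is not the management workstation, and flag events such as L04 (syslog server disabled), L05 (mail log disabled) and L07 (log cleanup) that reduce the device's own audit trail. The following is an added example, not code from the manual or from D-Link, that parses lines in this shape and audits them. The dotted IP and the colon before the port are assumed (extraction dropped the separators), the allowed management network is an assumption, and the sample lines are constructed to mirror the Appendix C examples.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed line layout, reconstructed from the Appendix C examples:
#   <CATEGORY> <EVENT-ID> <message>[ by admin <ip>:<port>]
# The "by admin" tail is present only on events caused by a management session.
LINE_RE = re.compile(
    r"^(?P<category>[A-Z]+)\s+(?P<event_id>[A-Z]\d{2})\s+(?P<message>.*?)"
    r"(?:\s+by admin\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}))?$"
)


@dataclass
class Event:
    category: str            # LOG, ROUTING, SYSTEM, ...
    event_id: str            # L04, S03, R3-style IDs as printed in Appendix C
    message: str
    admin_ip: Optional[str]  # None when the event was not an admin action
    admin_port: Optional[int]


def parse_line(line: str) -> Optional[Event]:
    """Return the parsed Event, or None if the line is not in the DFL-1500 shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["category"], m["event_id"], m["message"].strip(),
                 m["ip"], int(m["port"]) if m["port"] else None)


def reduces_visibility(ev: Event) -> bool:
    """True for events that switch off or erase the device's own logging:
    L04/L05 'Disable ...' (syslog server, mail log) and L07 (log cleanup)."""
    if ev.event_id == "L07":
        return True
    return ev.event_id in {"L04", "L05"} and ev.message.startswith("Disable")


def audit(lines, allowed_mgmt_nets) -> List[Tuple[str, str]]:
    """Return (alert_kind, line) pairs for lines worth a second look."""
    nets = [ip_network(n) for n in allowed_mgmt_nets]
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparsed", line))          # never silently drop input
            continue
        if ev.admin_ip is not None and not any(ip_address(ev.admin_ip) in n for n in nets):
            alerts.append(("admin-from-unexpected-host", line))
        if reduces_visibility(ev):
            alerts.append(("logging-reduced", line))
    return alerts


# Constructed sample, modelled on the Appendix C examples (192.168.17.102 is the
# admin workstation used throughout the appendix; 10.66.0.9 is an assumed stranger).
SAMPLE_LINES = [
    "SYSTEM S01 Wall Startup",
    "SYSTEM S03 WAN1 IP Address Assignment Fixed IP Address by admin 192.168.17.102:443",
    "LOG L05 Enable mail logs to tom@example.com by admin 192.168.17.102:443",
    "LOG L04 Disable syslog server by admin 192.168.17.102:443",
    "LOG L07 logfile is cleanup",
    "SYSTEM S12 Disable Dynamic DNS on WAN1 by admin 10.66.0.9:443",
    "this is not a DFL-1500 log line",
]

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_LINES, ["192.168.17.0/24"]):
        print(f"{kind:28s} {line}")
```

Feed the collector's copy of the DFL-1500 syslog stream into audit with the real management subnet; "logging-reduced" alerts should be rare and always tied to a known change window, since an intruder with the admin password would disable syslog before doing anything else.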
act as servers to provide Internet services should be connected to the DMZ port using an Ethernet cable, as in Figure 1.6.

A. DMZ Port: for connecting computers that act as servers for Internet users.
B. WAN Ports: for connecting the DFL-1500 to a DSL or cable modem supplied by your ISP to access the Internet. Left to right: WAN1, WAN2.
C. LAN Ports: for connecting computers and network devices to your LAN. Left to right: LAN1, LAN2.
D. Console Port: for managing the DFL-1500 with CLI commands.
Figure 1.6 Front end of the DFL-1500

1.4 Default Settings and architecture of DFL-1500
You should have an Internet account already set up and have been given most of the information in Table 1.1. Fill out this table when you edit the web configuration of the DFL-1500.

PORT | TYPE | SETTINGS TO FILL IN | DEFAULT
WAN1 (Port 1) | Fixed IP | IP Address, Subnet Mask, Gateway IP, Primary DNS, Secondary DNS | Not initialized
WAN1 (Port 1) | PPPoE | PPPoE Username, PPPoE Password, Primary DNS, Secondary DNS | Not initialized
WAN1 (Port 1) | DHCP | (obtained from the ISP) | Not initialized
WAN2 (Port 2) | Fixed IP / PPPoE / DHCP | IP Address, Subnet Mask, Gateway IP, DNS | Not initialized
DMZ (Port 3) | | Subnet Mask | 255.255.255.0
LAN1 (Port 4) | | IP Address, Subnet Mask | 192.168.1.254, 255.255.255.0
LAN2 (Port 5) | | IP Address, Subnet Mask | 192.168.2.254, 255.255.255.0
Table 1.1 DFL-1500 related network settings

Figure: Organization_1 example topology (DMZ_1 ... .253, LAN2 192.168.2.1 ...)
ADVANCED SETTINGS > Bandwidth Mgt > Status
Enable Bandwidth Management: the bandwidth manager protects mission-critical traffic when it is enabled.
Step 1 Enable the bandwidth management system.
Step 2 Edit the actions to be imposed on each link.
Step 3 Choose the preferred action while editing firewall rules.
(Buttons: Reset Bandwidth Management, Apply)

Edit Actions
ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions
Bandwidth Management > Edit Actions: Edit [ANY] to [WAN1] classes. WAN1 Interface Bandwidth 1544 kbps. Apply.
Defined Actions (Item | Active | Name | Bandwidth | Borrow):
WAN1 Interface | 1544 kbps
100% root_class | 1544 kbps
5% ctl_class | 77 kbps
95% def_class | 1466 kbps
Page 1/1. Create Sub class

Create Sub class
ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create Sub Class
(The same class tree as above: WAN1 Interface 1544 kbps, root_class 1544 kbps, ctl_class 77 kbps, def_class 1466 kbps; Create Sub class)

Part VII Bandwidth Management / High Availability

Step 4 Setup LAN1 to WAN1 Rules
Select LAN1 to WAN1 to display the rules. There is a pre-defined rule that matches all traffic into
Step 3 System Name
Enter the Host Name and the Domain Name, then click Next. (Host Name: DFL; Domain Name: dlink.com)

Step 4 Operation Mode
BASIC SETUP > Wizard > Next
The DFL-1500 VPN Firewall Router can operate in NAT/Route mode or in Transparent mode. Choose the operation mode for this device.
In NAT/Route mode you can create NAT mode rules and Route mode rules; for related information refer to Chapter 6 and Chapter 7. NAT mode rules use network address translation to hide the addresses in a more secure network from users in a less secure network. Route mode rules accept or deny connections between networks without performing address translation.
Transparent mode provides the same basic protection as NAT mode. Packets received by the DFL-1500 are forwarded or blocked according to the firewall rules. The DFL-1500 can be inserted in your network at any point without changes to your network or any of its components. However, VPN, NAT, Routing and some advanced firewall features, such as Authentication and IP/MAC Binding, are only available in NAT/Route mode.
Note 1: You cannot connect the LAN1, LAN2 and DMZ interfaces to the same hub while using Transparent mode, otherwise the traffic from the PCs under LAN1
Use IP compression (LZS); Disable DPD (Dead Peer Detection)

Step 7 Policy editor
Configuration > Profile Settings > Configure > IPSec General Settings > Policy editor
Click IKE Policy to edit the IKE policy. (Existing entries in the policy list: DFL-80 3DES-SHA-DH2, DFL-900 3DES-SHA-DH2, DFL-1500 3DES-SHA-DH2, DFL-300 3DES-SHA-DH2, DFL-500 3DES-SHA-DH2, DFL-100 3DES-MD5-DH2. Buttons: New Entry, Duplicate, Edit. IPSec Policy)

Step 8 Setup IKE Policy
Configuration > Profile Settings > Configure > IPSec General Settings > Policy editor > IKE Policy
Enter DFL 1500 DES MD5 as the IKE Policy name. Select DES, MD5 and DH Group 2 (1024 Bit) in the Encryption, Hash and DH Group fields. Click OK to finish the settings. (IKE Proposals: Policy name DFL 1500 DES MD5; Authentication Preshared Key; Encryption DES; Hash MD5; DH Group DH Group 2 (1024 Bit))
The client ships with a DFL-1500 3DES-SHA-DH2 entry; it is the stronger choice, and the only change needed to use it is selecting 3DES and SHA on the DFL-1 IKE rule as well.

Step 9 Setup IPSec Policy
Configuration > Profile Settings > Configure > IPSec General Settings > Policy editor > IPSec Policy
Enter DFL 1500 DES MD5 as the IPSec Policy name. Select DES and MD5 in the Transform and Authentication fields. Click OK to finish the settings.
capability of automatic allocation of reusable network addresses and additional configuration options. DHCP captures the behavior of BOOTP relay agents, and DHCP participants can interoperate with BOOTP participants. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host, and a mechanism for allocating network addresses to hosts.

DMZ (Demilitarized Zone) From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers.

Firewall A device that protects and controls the connection of one network to another, for traffic both entering and leaving. Firewalls are used by companies that want to protect any network-connected server from damage, intentional or otherwise, by those who log in to it. This could be a dedicated computer equipped with security measures, or it could be software-based protection.

IPSec (IP Security) IPSec provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers).

L2TP (Layer 2 Tunneling Protocol) Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Pr
(continued) ... all the domains in the Forbidden Domains list will be blocked by the DFL-1500 | Enabled
Disable all web traffic except for trusted domains | Except for the domain range specified by the Trusted Domains, all other URL domains and IP addresses are blocked | Enabled
Don't block Java / JavaScript / ActiveX / Cookies to trusted domain sites | Within the Trusted Domains, if a web page includes Java, JavaScript, ActiveX or Cookie components, the action is set not to block them | Enabled
Trusted Domains | Here we specify the Trusted Domains for the item above. You can enter either a domain name or an IP address. Note: if a domain name cannot be resolved by the DNS server, the entry is ignored. Another issue is that many domain names in the Customize area make name resolution take longer when the Web Filter starts up | www.dlink.com.tw, www.dlink.com
Forbidden Domains | Here we specify the Forbidden Domains for the item above. You can enter either a domain name or an IP address. Note: if a domain name cannot be resolved by the DNS server, the entry is ignored. Another issue is that many domain names in the Customize area make name resolution take longer when the Web Filter starts up | www.sex.com, www.stockmarket.com
Table 17.3
Because domain entries are resolved when the Web Filter starts, a domain whose address changes afterwards, or one that shares its address with other sites, may be treated differently from what the name suggests until the filter is restarted; check the resolved addresses after DNS changes.
185
25.1 Steps for Factory Reset under Web GUI 186
25.2 Steps for NORMAL Factory Reset 186
25.3 Steps for EMERGENT Factory Reset 186
25.6 Save the current configuration 187
25.7 Steps for Backup/Restore Configurations 187
25.8 Steps for Reset password 188

Appendix 190
Appendix A Command Line Interface (CLI) 191
A.1 Enable the port of the DFL-1500 191
A.2 CLI commands list (Normal Mode) 191
A.3 CLI commands list (Rescue Mode) 193
Appendix B Troubleshooting 195
Appendix C System Log Syntax 201
Appendix D Glossary of Terms 209
Appendix E Index 211
Appendix F Hardware 212
Appendix G Version of Software and Firmware 215
Appendix H Customer Support

Part I Overview

Chapter 1 Quick Start
This chapter introduces how to quickly set up the DFL-1500. The DFL-1500 is an integrated all-in-one solut
at the LAN1 side. Do not respond to ICMP ECHO packets at the WAN side.
Figure 5.1 Some management methods of DFL-1500 (DMZ 10.1.1.1 to 10.1.1.253, DMZ1_IP 10.1.1.254; DFL-1; Internet; ISP; remote manager at 140.2.5.1)

5.3 Steps
5.3.1 Telnet
Step 2 Setup Telnet
SYSTEM TOOLS > Remote Mgt > TELNET
Enter 23 instead of the default 2323 in the Server Port field. Check the WAN1 checkbox. Click Selected under Secure Client IP Address and enter the specific IP address, 140.2.5.1, that may access the DFL-1500. Then click Apply.
Telnet sends the administrator password and the whole session in cleartext, so enabling it on WAN1 places an unencrypted management service on the Internet. The Secure Client IP Address restriction limits which source address may reach the port but does not protect the session; keep Telnet off the WAN side unless there is no alternative, and use HTTPS, which the DFL-1500 login already uses, for remote administration.

5.3.2 WWW
Step 1 Setup WWW
Check the LAN1 checkbox and enter the new Server Port, 8080, that users' browsers will connect to (http://192.168.40.254:8080). Here we click All, i.e. no IP range limitation on clients, so every host on LAN1 can reach the management port. Then click Apply. Note that the Secure Client IP Address is the IP address from which the DFL-1500 may be configured.
Step 2 Warning message
If you click Selected under Secure Client IP Address and enter a specific IP address, a warning message appears: "Warning: If you are connecting to this Firewall with HTTP, this action may disconnect your session. Please remember the settings and reconnect to the firewall again after applying the settings."

5.3.3 SNMP
Step 1 Setup SNMP
Check the LAN1 checkbox. In the Secure Client
that you have to configure the Secondary device in Standby mode with the IP address and the login password of the Primary device, so that High Availability can work. The Standby unit therefore holds the Primary's administrator credentials; protect both units, and the LAN segment between them, to the same standard.

FIELD | DESCRIPTION | EXAMPLE
Peer IP address | The IP address of the other HA device | 192.168.40.100
Apply | Apply the settings which have been configured | N/A
Table 22.1 Setup status page of High Availability

Step 2 Show the result in the Web
ADVANCED SETTINGS > High Availability > Status
After you apply the High Availability feature, the device shows a message telling you: "Sync configuration file successfully, the device will reboot now and stay in standby mode."

Step 3 Show the message in the Console
When the Primary device has crashed, messages like those in the diagram appear on the console to tell you that this device will be in Standby mode after rebooting:
login:
syncing disks... done
rebooting...
>> NetOS Loader (i386) Mon Jul 19 18:54:37 CST 2004
Press <TAB> to prompt, starting in 8 ...
NetOS Ver2.000 (WALL) #0: Thu Sep 9 05:46:41 CST 2004
total memory 255 ...

Step 4 Check the Device status
You can see the status of the device in Standby mode here.
121. ...may be locked by others or the original user.

Login dialog: "DFL-1500, please login". User name: admin; Password: (masked); the "Remember my password" box is left unchecked.

Step 2: Run Setup Wizard (BASIC SETUP > Wizard). After logging in to https://192.168.1.254, click Run Setup Wizard. The welcome page of the DFL-1500 web-based configuration describes the main menus:
- Basic Setup: connect to the Internet and configure your Intranet with the Setup Wizard; WAN, LAN and DMZ settings; routing (static/policy route); DHCP server settings.
- Advanced Settings: access advanced features including IPSec/L2TP/PPTP VPNs, VPN pass-through, NAT, virtual servers, firewall, attack alert, web/mail/ftp filters, intrusion detection and bandwidth management.
- System Tools: set up DDNS, DNS proxy, DHCP relay, system password, time/date/timeouts, protocol services and interfaces; perform firmware upgrade, backup/restore configurations and reset to factory defaults; customize remote management and SNMP; schedule database updates; set up logging (system, firewall/IDS, content filter and VPN logs).
- Device Status: display system name, firmware version, interface IP settings, network types, running status, CPU/memory utilization, DHCP, routing table and active/top 20 IPSec sessions.
- Help: get help about your VPN Firewall Router.
A step-by-step setup wizard guides you through configuring your VPN Firewall Router to connect to your ISP (Internet Service Provider).
Step 3: System Name (BASIC SETUP > Wizard)...
122. ...by the firewall rule. IP/MAC binding protects the DFL-1500 unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the DFL-1500 unit from a different computer. The IP address of a computer can easily be changed to a trusted address, whereas MAC addresses are assigned to Ethernet cards at the factory. (In practice a MAC address can also be changed in software, so IP/MAC binding raises the cost of spoofing on the local segment rather than eliminating it.)
5. Administrators detect that PC1_1 in the LAN is doing something that may hurt the company and must instantly block its traffic towards the Internet.
6. A DMZ server was attacked by SYN flooding and requires the DFL-1500 to protect it.
9.2 Objectives
1. Block the traffic from PC1_1 in LAN1 to the Internet on WAN1.
2. Start the SYN flooding protection.

Figure 9-1: Setting up the firewall rule. Organization_1 private LANs: DMZ_1 10.1.1.1-253 (WebServer1 10.1.1.1, MailServer1 10.1.1.2, DMZ1_IP 10.1.1.254) and LAN_1 192.168.40.1-253 (PC1_1 192.168.40.1, PC1_2 192.168.40.2) behind DFL-1, with a VPN tunnel towards the Internet. Default: forward all LAN-to-WAN traffic; default: block all WAN-to-LAN traffic. User-defined rules decide which LAN-to-WAN traffic should be blocked and which WAN-to-LAN traffic (e.g. telnet, ftp) should be forwarded.
Part III NAT, Routing & Firewall
9.3 Methods
1. Configure the Address, Service and Schedule objects first.
2. Add a LAN1-to-WAN1 firewall rule to block PC1_1.
3. ...
123. ...case you can select One-to-One from the Type field and enter the private/public IP address pair in the Source IP and Translated Source IP fields.
Step 5d: Insert a One-to-One Bidirectional rule. The above three modes allow LAN/DMZ-to-WAN session establishment but do not allow WAN-to-LAN/DMZ sessions; WAN-to-LAN/DMZ sessions are allowed by Virtual Server rules. You can make the One-to-One NAT above also carry the WAN-to-LAN/DMZ direction by selecting One-to-One Bidirectional from the Type field. Note that WAN-to-LAN/DMZ traffic is blocked by the firewall by default; you have to add a firewall rule to allow such traffic. Use this mode only if you expect a LAN/DMZ host to be fully accessible to public Internet users. Note that this mode is extremely dangerous because the host is fully exposed to the Internet and may be compromised; always use Virtual Server rules first.

ADVANCED SETTINGS > NAT > NAT Rules > Insert (tabs: Status, NAT Rules, Virtual Servers): Insert a new LAN/DMZ-to-WAN NAT rule. Activate this rule (checked); Rule name; Rule Condition: Source IP 192.168.40.0, Netmask 255.255.255.0; Type: Many-to-Many; Action: Translated Src IP: Auto choose IP from WAN ports (61.2.1.1, Netmask 255.255.255.252); Back / Apply.
124. ...which are indicated in Web Filter > Features, or the keywords indicated in Web Filter > Keyword. The forbidden components are removed from the web page by the web filter.
Table 17-8: Web filter feature priority (Internet web server -> web page contents)

Chapter 18 Content Filtering: Mail Filters
This chapter introduces the SMTP and POP3 proxies and explains how to configure them.
18.1 Demands
Sometimes malicious scripts such as .vbs files are attached to email. If users accidentally open such files, their computers may be infected with a virus.
18.2 Objectives
Modify the filename extension of suspicious email attachments so that recipients notice that the file cannot be directly opened by the operating system because of the unrecognized filename extension. Renaming only changes which program the operating system launches on double-click; the file is still delivered, so treat it as a speed bump rather than a substitute for blocking or scanning the attachment.
18.3 Methods
1. Set up SMTP filters for outgoing emails from PC_1 in LAN1 towards the mail server in DMZ1 or in WAN1 to append .bin to all .vbs attachments. Use PC_1 to send an email with a .vbs attachment to test the configuration.
2. Set up POP3 filters for incoming emails from a mail server in WAN1 or DMZ1 to PC_1 in LAN1 to append .bin to all .vbs attachments. Use PC_1 to retrieve an email with a .vbs attachment to test the configuration.
Figure: PC_1 on LAN1 (switch) behind DFL-1 (LAN1_IP 192.168.40.254, WAN1_IP ...) towards the Internet.
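The renaming step the mail filter performs, as an added example (not D-Link code): parse a message, append ".bin" to the name of every attachment whose filename ends in .vbs, and leave everything else (body, other attachments, payload bytes) untouched. The sample message and addresses are constructed here; the extension list is a parameter, so the same code covers a wider set of script extensions than the manual's single .vbs case.

```python
"""Attachment extension rewriting as the DFL-1500 mail filter is described to
do: every attachment whose name ends in .vbs gets ".bin" appended, so the
operating system no longer has a handler for it.  Added example, not D-Link
code; the sample message and addresses are constructed here."""
import email
from email import policy
from email.message import EmailMessage

DEFAULT_EXTENSIONS = (".vbs",)   # the manual's case; (".vbs", ".js", ".scr") also works


def rewrite_attachment_names(raw: bytes, extensions=DEFAULT_EXTENSIONS,
                             suffix=".bin"):
    """Return (rewritten message bytes, [(old name, new name), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lowered = tuple(e.lower() for e in extensions)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(lowered):
            continue
        new_name = name + suffix
        # Rebuild Content-Disposition with the new filename; the body is kept.
        disposition = part.get_content_disposition() or "attachment"
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", disposition, filename=new_name)
        # Some clients take the name from Content-Type's name= parameter.
        if part.get_param("name") is not None:
            part.set_param("name", new_name)
        renamed.append((name, new_name))
    return msg.as_bytes(), renamed


def attachment_names(raw: bytes):
    """Filenames of all parts that carry one, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def attachment_payload(raw: bytes, name: str):
    """Decoded bytes of the attachment called `name`, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for p in msg.walk():
        if p.get_filename() == name:
            return p.get_payload(decode=True)
    return None


def build_sample_message() -> bytes:
    """Constructed test message: a text body, a .vbs script and a PDF."""
    msg = EmailMessage()
    msg["From"] = "pc1_1@lan1.example"      # constructed addresses
    msg["To"] = "user@mail.example"
    msg["Subject"] = "quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b'MsgBox "run me"\r\n', maintype="application",
                       subtype="octet-stream", filename="figures.vbs")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    out, changed = rewrite_attachment_names(build_sample_message())
    print(changed, attachment_names(out))
```

The filter keys on the declared filename only; an attachment with a misleading Content-Type or no filename passes through unchanged, which is why the objective above is limited to making the user notice the file rather than stopping it.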
125. ...packet direction: Block; Log checked; Apply. Packets are top-down matched by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log). Please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with logging. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click Insert to add a firewall rule before the default rule.
Step 2: Customize a firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert). Enter the Rule Name AllowVPN, Source IP Hub_1 (192.168.1.0) and Dest IP Spoke_2 (192.168.88.0). Click Apply to store this rule. The inserted WAN1-to-LAN1 rule reads: Rule name AllowVPN; Schedule Always; Condition: Source IP Hub_1, Dest IP Spoke_2, Service ANY; Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply.
Part IV Virtual Private Network
Step 3: Add a VPN Spoke in Branch 2 (ADVANCED SETTINGS > VPN Settings > VPN Spoke > Add). Select Add to add a VPN Spoke. Enter a name in the Spoke Name field. Enter the Local IP Address / Subnet Mask and the Remote Address IP Address / Subnet Mask...
126. ...two schedule objects to block the MSN service. You can group them to make it easier to block the MSN service when you create a firewall rule. Click the Groups hyperlink and then click Insert to add a new schedule group. Enter a Group Name to identify the group. Select the schedules from the Available schedules list and click the right arrow to copy them to the Members list. To remove schedules from the Members list, select them and click the left arrow. Note that a group name should begin with a letter, followed by letters, digits or dashes.
9.4.4 Set up IP/MAC binding
Step 1: Enable IP/MAC binding. Check the Enable IP/MAC Binding checkbox and click Apply. Note that IP/MAC binding locks IP addresses to specific MACs. It does so in the following steps:
1. Initialize the default action (Pass/Block).
2. Set up each IP/MAC binding with a rule.
3. Set up a wildcard rule to exclude a range of IPs for the DHCP IP range.
Step 2: Select LAN1 as the interface on which to edit the IP/MAC binding rules. Suppose the default action for this interface is Block; click Insert to add a rule and edit an IP/MAC binding rule. Note that you have to add an IP/MAC binding rule with action Allow for your own computer before you set the LAN1 (ANY direction) default to Block, otherwise you will be blocked by that rule yourself.
Chapter 9 Firewall BASIC SETUP...
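The three-step scheme above (default action, one rule per IP/MAC pair, a wildcard rule for the DHCP range) as an added example of the decision logic, not DFL-1500 firmware. The binding table, the MAC addresses and the observed frames are constructed; the rule that an IP seen from a MAC other than its bound one is always blocked is how this example reads "locks IP address for specific MACs". It also includes the lock-out check the manual warns about: confirm your own computer passes before switching the interface default to Block.

```python
"""IP/MAC binding decision for one interface.  Added example, not DFL-1500
firmware; table contents and MACs are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def norm_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Binding:
    ip: IPv4Address
    mac: str
    action: str            # "Allow" or "Block", as on the Insert page


@dataclass(frozen=True)
class Wildcard:
    start: IPv4Address     # inclusive range, e.g. the DHCP pool
    end: IPv4Address
    action: str            # the MAC is not checked inside the range


class IPMacBinding:
    def __init__(self, default_action: str, bindings, wildcards=()):
        self.default_action = default_action
        self.by_ip = {b.ip: Binding(b.ip, norm_mac(b.mac), b.action)
                      for b in bindings}
        self.wildcards = list(wildcards)

    def decide(self, ip: str, mac: str):
        """Return (action, reason) for a frame with this source IP and MAC."""
        addr, mac = IPv4Address(ip), norm_mac(mac)
        bound = self.by_ip.get(addr)
        if bound is not None:
            if bound.mac == mac:
                return bound.action, "binding"
            # The bound IP is in use by another card: a spoofing attempt.
            return "Block", f"{ip} is bound to {bound.mac}, seen from {mac}"
        for w in self.wildcards:
            if w.start <= addr <= w.end:
                return w.action, f"wildcard {w.start}-{w.end}"
        return self.default_action, "default"

    def admin_can_pass(self, ip: str, mac: str) -> bool:
        """The manual's lock-out check: your own computer must have an Allow
        binding before the interface default is switched to Block."""
        return self.decide(ip, mac)[0] == "Allow"


def constructed_lan1_table() -> IPMacBinding:
    """LAN1 from Figure 9-1 with the default set to Block (MACs constructed)."""
    return IPMacBinding(
        "Block",
        bindings=[
            Binding(IPv4Address("192.168.40.1"), "00-11-22-33-44-55", "Allow"),  # PC1_1
            Binding(IPv4Address("192.168.40.2"), "00-11-22-33-44-66", "Block"),  # PC1_2
        ],
        wildcards=[Wildcard(IPv4Address("192.168.40.200"),
                            IPv4Address("192.168.40.253"), "Allow")],
    )


if __name__ == "__main__":
    t = constructed_lan1_table()
    for ip, mac in [("192.168.40.1", "00:11:22:33:44:55"),
                    ("192.168.40.1", "de:ad:be:ef:00:01"),
                    ("192.168.40.210", "de:ad:be:ef:00:02"),
                    ("192.168.40.50", "de:ad:be:ef:00:03")]:
        print(ip, mac, t.decide(ip, mac))
```

Note the ordering: an explicit binding is consulted before the wildcard, so a host in the DHCP range that also has a binding is still held to its MAC.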
127. ...Address means the local LAN subnet and Remote Address means the remote LAN subnet. My IP Address means the WAN IP address of the local VPN gateway, while the Peer's IP Address means the WAN IP address of the other VPN gateway.
Part IV Virtual Private Network
Difference: with IKE, the Pre-Shared Key must be the same at both DFL-1500s. With Manual Key, the types and keys of Encryption and Authentication must be set the same on both DFL-1500s; however, the Outgoing SPI at DFL-1 must equal the Incoming SPI at DFL-2, and the Outgoing SPI at DFL-2 must equal the Incoming SPI at DFL-1.
Table 11-1: Comparison of the IKE and Manual Key methods
11.4 Steps
In the following we separately explain how to set up a DES/MD5 tunnel the IKE way and the Manual Key way. DES and MD5 are obsolete choices; where both peers support it, prefer AES with SHA1 from the ESP algorithm list in Table 11-4.
DES/MD5 IPSec tunnel, the IKE way
At DFL-1. First we configure the IPSec properties of DFL-1.
Step 1: Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec; tabs: IPSec, Pass, VPN Hub, VPN Spoke). Check the Enable IPSec checkbox and click Apply.
Table 11-2: Enable the IPSec feature
Step 2: Add an IKE rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE). Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
Chapter 11 Virtual Private Network...
128. ...ress
SYSTEM S33: WAN1 DNS IP Address 168.95.1.1 / WAN1 Get DNS Automatically
SYSTEM S34: Syslogd stop / Syslogd start / Syslogd restart
SYSTEM S35: Enable Ipmon / Disable Ipmon
SYSTEM S37: Disable Multicast on interface WAN1 / Update Multicast on interface WAN1 to xxx
SYSTEM S38: Update WAN NAT settings to FULL feature / Update WAN NAT settings to Basic operation / Disable WAN NAT feature
VPN V1: Update pass-through settings
VPN V2: Deactivated IPSec / Activated IPSec
Table D-1: All the System Log descriptions
Appendix C System Log Syntax

Appendix D Glossary of Terms
CF (Content Filter): A content filter is one or more pieces of software that work together to prevent users from viewing material found on the Internet. This process has two components...
DHCP (Dynamic Host Configuration Protocol): Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on BOOTP, adding the c...
129. ...SYSTEM TOOLS > Firmware Upgrade > Update Status: Auto Update. URL database 1.40808 (2004/08/09 16:17) Update; IDS signatures 1.40809 (2004/08/09 16:17) Update; Update Center fwupdate.dlinktw.com.tw; Update Schedule: On Sunday 00:00; Auto URL update (checked); Auto IDS update (checked); Apply.
Part VIII System Maintenance
25.5 Steps for Factory Reset
25.5.1 Factory reset under the Web GUI
Step 1: Factory reset (SYSTEM TOOLS > System Utilities > Factory Reset; tabs: Backup/Restore Configuration, Factory Reset). In the Web GUI, follow the path on the right; the DFL-1500 configuration is restored to the factory defaults by simply clicking Apply. Warning: be careful with this function. It makes all your present configuration disappear and restores the factory defaults.
25.5.2 Normal factory reset from the CLI
Step 1: Factory reset. In CLI mode (NetOS i386 DFL-1500 tty00), log in as admin, enter privileged mode with en, and enter sys resetconf now to reset the configuration to the factory defaults. The system then reboots automatically.
130. ...the information of the peer VPN device in this field. Peer's Identifier: FQDN (domain name), IP Address, or User FQDN (mail box). The filled information is used for the IPSec tunnel establishment.
Local Address / Remote Address: the Condition side of the VPN, given as the local subnet or the remote subnet (Subnet Address).
Chapter 11 Virtual Private Network IPSec
ESP Algorithm: may be grouped by the items of the Encryption and Authentication Algorithms, or applied separately. We can select one of the Encryption and Authentication Algorithm combinations below, or an Encryption or Authentication Algorithm singly:
Encrypt and Authenticate: DES/MD5, DES/SHA1, 3DES/MD5, 3DES/SHA1, AES/MD5, AES/SHA1
Encrypt only: DES, 3DES, AES
Authenticate only: MD5, SHA1
Here Encryption Algorithms include DES (64-bit key, 56 effective), 3DES (192-bit key) and AES (128/192/256 bits); Authentication Algorithms include MD5 (128 bits) and SHA1 (160 bits).
AH Algorithm: select an Authentication Algorithm: Disabled, Authenticate MD5, Authenticate SHA1.
Pre-Shared Key: the key which is pre-shared with the remote side (example: 1234567890). The example key is for illustration only; use a long random pre-shared key rather than a short numeric one.
Table 11-4: Related field explanations...
131. ...three round trips: SA negotiation, the Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection: your identity is not revealed in the negotiation.
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties negotiate authentication (phase 1). The trade-off is that the shorter exchange limits its negotiating power and it does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication. Because Aggressive Mode sends the PSK-derived authentication hash unencrypted, an observer can mount an offline dictionary attack against a weak pre-shared key; use Main Mode where peer addresses are fixed, and long random keys otherwise.
Pre-Shared Key: A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with the other party before you can communicate over a secure connection.
Diffie-Hellman (DH) Key Groups: Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. The 768-bit (Group 1, DH1) and 1024-bit (Group 2, DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange the two peers have a shared secret, but the IKE SA is not authenticated; for authentication use pre-shared keys.
Chapter 10 VPN Technical Introduction
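The two phase 1 building blocks described above, as an added example rather than the DFL-1500 implementation: a Diffie-Hellman exchange over the 1024-bit MODP group (RFC 2409 group 2, the manual's DH2) that gives both peers the same secret but proves nothing about who they are, followed by pre-shared-key authentication. SKEYID follows RFC 2409 section 5.4 for PSK; the authenticator is a simplified stand-in for HASH_I (cookies and the SA payload are omitted). The last function shows why a weak PSK in Aggressive Mode is risky: every input to the hash except the PSK is visible on the wire. Nonces and keys are generated here; the identity string is a placeholder.

```python
"""IKE phase 1 sketch: DH2 key agreement plus PSK authentication, and the
offline guess a passive observer of Aggressive Mode can make.  Added
example, not the DFL-1500 implementation; HASH_I is simplified."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, 1024-bit MODP prime, generator 2.
DH2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6
49286651 ECE65381 FFFFFFFF FFFFFFFF""".split()), 16)
DH2_G = 2


def dh_keypair(p=DH2_P, g=DH2_G):
    x = secrets.randbelow(p - 3) + 2          # private exponent in [2, p-2]
    return x, pow(g, x, p)


def dh_shared(x, peer_public, p=DH2_P):
    # Reject 0, 1 and p-1: they force the shared secret into a tiny set.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def auth_hash(skeyid, g_x, g_y, ni, nr, identity):
    """Simplified HASH_I: prf(SKEYID, g^xi | g^xr | Ni | Nr | ID)."""
    data = (g_x.to_bytes(128, "big") + g_y.to_bytes(128, "big")
            + ni + nr + identity)
    return hmac.new(skeyid, data, hashlib.sha1).digest()


def run_phase1(initiator_psk: bytes, responder_psk: bytes,
               initiator_id=b"dfl-1"):
    """Both sides of the exchange in one process.  Returns what an
    eavesdropper sees plus whether DH agreed and whether the PSK check passed."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # DH alone: identical secrets on both ends, but no authentication yet.
    dh_agreed = dh_shared(xi, gxr) == dh_shared(xr, gxi)
    hash_i = auth_hash(skeyid_psk(initiator_psk, ni, nr),
                       gxi, gxr, ni, nr, initiator_id)
    expected = auth_hash(skeyid_psk(responder_psk, ni, nr),
                         gxi, gxr, ni, nr, initiator_id)
    transcript = {"gxi": gxi, "gxr": gxr, "ni": ni, "nr": nr,
                  "id": initiator_id, "hash_i": hash_i}
    return {"dh_agreed": dh_agreed,
            "authenticated": hmac.compare_digest(hash_i, expected),
            "transcript": transcript}


def offline_psk_guess(transcript, candidates):
    """What a passive observer of an Aggressive Mode exchange can do: the
    hash travels in the clear, so candidate PSKs are tested offline."""
    t = transcript
    for guess in candidates:
        h = auth_hash(skeyid_psk(guess, t["ni"], t["nr"]),
                      t["gxi"], t["gxr"], t["ni"], t["nr"], t["id"])
        if hmac.compare_digest(h, t["hash_i"]):
            return guess
    return None


if __name__ == "__main__":
    r = run_phase1(b"1234567890", b"1234567890")
    print(r["dh_agreed"], r["authenticated"],
          offline_psk_guess(r["transcript"], [b"password", b"1234567890"]))
```

In Main Mode the same hash is sent only after the DH-derived key is in place, so the observer sees ciphertext; that is the identity-protection difference the text describes.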
132. ...IPSec Sessions: if we use IPSec to establish a VPN with another device, we can view the IPSec tunnel information on this page.

Chapter 24 Log System
24.1 Demands
1. The system administrator wants to know all administrative actions performed in the past, so that unauthorized administration can be detected.
2. The system administrator needs to check the VPN, IDS, firewall and content filter logs every day, but finds it inconvenient to review the DFL-1500 logs on the device and wants to shorten the checking procedure.
24.2 Objectives
1. Know all administrative actions performed in the past.
2. View a daily log report of the DFL-1500.
24.3 Methods
1. By tracking the system logs you can distinguish which administrative actions were legitimate.
2. Use a syslog server to receive the logs, or edit the Mail Logs page of the DFL-1500 so that the logs are mailed out automatically at a periodic interval.
24.4 Steps
24.4.1 System Logs
Step 1: View System Logs (DEVICE STATUS > System Logs). All administrative actions are logged on this page (No. / Time / Source IP / Access Info):
1 2004-04-27 16:23:23 DFL-1500 Firewall: Reload all rules at startup
2 2004-04-27 16:23:23 DFL-1500 NAT rule for Basic LAN1 added
3 2004-04-27 16:23:24 DFL-1500 NAT rule for Basic LAN2 added
4 2004-04-27 16:23:24 DFL-150...
133. ...check whether these firewall rules would block packets in the tunnel.
2. Packets are blocked by default in the WAN-to-LAN direction; please add a rule to forward these tunneled packets.
3. The source address/mask and the destination address/mask of the firewall rules are 192.168.40.0/255.255.255.0 and 192.168.88.0/255.255.255.0 respectively.
ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary): Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, Log checked; Apply. Packets are top-down matched by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log).
ADVANCED SETTINGS > Firewall > Edit Rules > Edit: Edit WAN1 to LAN1 firewall rule number 1. Rule name AllowVPN; Schedule Always; Condition: Source IP WAN1_VPNB, Dest IP LAN1_VPNB, Service ANY; Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply.
ADVANCED SETTINGS > Firewall > Show Rules: Show WAN1 to LAN1 rules. Packets are top-down matched by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log).
134. ...the network settings on the DFL-1500 pages Basic Setup > DMZ Settings > DMZ1 Status and Basic Setup > LAN Settings > LAN Status.
3. Configure the IP alias on the WAN1 port.
3.4 Steps
3.4.1 Set up the WAN1 IP
Step 1: Set up the WAN1 port (BASIC SETUP > WAN Settings > WAN1 IP > Fixed IP Address; tabs: WAN IP, IP Alias). Here we select the Fixed IP Address method for the WAN1 port. Fill in the IP Address (61.2.1.1), Subnet Mask and Gateway IP, then the DNS IP Address (Primary DNS 168.95.1.1, Secondary DNS 0.0.0.0) and Routing Protocol fields. Click Apply to finish this setting.
Part I Basic Configuration
Field descriptions (FIELD / DESCRIPTION / RANGE or FORMAT / EXAMPLE), grouped by assignment method:
- Get IP Automatically (DHCP): Default WAN link; Gateway DNS (Get DNS Automatically or DNS IP Address); Routing Protocol.
- Fixed IP Address: Default WAN link; Gateway DNS (DNS IP Address: Primary DNS, Secondary DNS); Routing Protocol; OSPF Area ID.
- PPP over Ethernet: Default WAN link; Gateway DNS; Service Name; User Name; Password; OSPF Area ID.
Default WAN link: when enabled, all packets sent out from the DFL-1500 go via this port. Enable/Disable. Example: Enabled.
Get DNS Automatically: obtain DNS information from the DHCP server. DNS IP Address: manually specify the Primary and Secondary DNS servers. Example: Get DNS Automatically. DNS IP Addr...
135. ...neither external Internet nor internal resources. By default, servers on the DMZ interface can access the Internet without authentication. PCs on the LAN1 and LAN2 interfaces have to pass authentication first; after that they can access the Internet or the internal resources on the other interfaces (LAN1, LAN2 or DMZ). If a PC on LAN1 or LAN2 should access the Internet or internal resources without authentication, add its IP address to the Exempt Host list. Exempt hosts are matched by IP address only, so keep the list short and combine it with IP/MAC binding on that interface. There are four steps to configure authentication:
1. Setting the authentication timeout
2. Configuring the Authentication Type
3. Configuring the Authentication Setting
4. Configuring the Exempt Hosts
6.3 Steps
6.3.1 Local Setting
Step 1: Enable Authentication (Basic Setup > Authentication > Authentication). Check the Enable Authentication checkbox. Set Auth timeout to control how long authenticated firewall connections remain valid; the default authentication timeout is 30 minutes. Select the Authentication Type.
Step 2: Configure Local Settings. Enter the Username and Password and click Add to add the user to the user list. To delete a user, click that username and then click Delete. Click Apply to finish the settings.
Step 3: Show the Authentication. After the Local setting is applied, an Authentication dialog asks you to enter the Username and Password...
136. ...
16.4.1 Setup L2TP Network Server ... 132
Part V Content Filtering ... 136
Chapter 17 Content Filtering: Web Filters ... 137
17.1 Demands ... 137
17.2 Objectives ... 138
17.3 Methods ... 138
17.4 Steps ... 139
17.5 ... 144
Chapter 18 Content Filtering: Mail Filters ... 147
18.1 Demands ... 147
18.2 Objectives ... 147
18.3 Methods ... 147
18.4 Steps for SMTP Filters ... 148
18.5 Steps for POP3 Filters ... 149
Chapter 19 Content Filtering: FTP Filters ... 151
19.1 Demands ... 151
19.2 Objectives ... 151
19.3 Methods ... 151
19.4 Steps ... 152
Part VI Intrusion Detection System ... 156
Chapter 20 Intrusion Detection ... 157
20.1 Demands ... 157
20.2 Objectives ... 157
20.3 Methods ... 157
20.4 Steps ... 158
Part VII Bandwidth Management / High Availability ... 160
Chapter 21 Bandwidth Mana...
137. ...remotely.
16.2 Objectives
1. With L2TP tunneling, make the mobile employee a member of the LAN after dialing in to the corporate network, so that he can access all computers in the LAN just as if he were in the office covered by LAN_1.
Figure 16-1: L2TP connection. DFL-1 (LAN1_IP 192.168.40.254, WAN1_IP ...) connects through the ISP to the Internet; the mobile employee at 211.54.63.1 builds a VPN tunnel and is assigned the L2TP IP 192.168.40.200; LAN_1 192.168.40.1-253 contains the DHCP client 192.168.40.1.
16.3 Methods
1. Set up the L2TP server (LNS, L2TP Network Server) at the DFL-1500. After a client dials in, the DFL-1500 assigns a private IP from the range configured in the L2TP server. Suppose the range is 192.168.40.200-192.168.40.253; the remote host may get 192.168.40.200 and logically becomes a member of the LAN.
Part IV Virtual Private Network
16.4 Steps
16.4.1 Set up the L2TP Network Server
Step 1: Enable L2TP LNS (ADVANCED SETTINGS > VPN Settings > L2TP; tabs: IPSec, Pass, L2TP). Check the Enable L2TP LNS checkbox, enter the LAN1 IP of DFL-1 (192.168.40.254) in the Local IP field, and enter the IP range that will be assigned to L2TP clients in the Start IP (192.168.40.200) and End IP fields. Under Secure Client IP Range, enter the LAC Start IP and LAC End IP that cover the real IPs of the remote users. In our case, since the employee us...
138. ...server; DHCP relay; PC1_1's DHCP client; Internet.
Figure 4-3: DHCP Relay mechanism chart
5. As Figure 4-4 shows, there is an embedded SNMP agent in the DFL-1500, so you can use an SNMP manager to monitor the DFL-1500 system status, network status, etc. from either the LAN or the Internet. If the agent is reachable from the Internet, restrict it to a Secure Client IP Address: SNMP v1/v2c community strings travel in cleartext.
Part II Basic Configuration
Figure 4-4: Using an SNMP manager to monitor the DFL-1500 (DFL-1 SNMP agent, Internet, SNMP Manager)
6. We can adjust the DFL-1500 interface assignment in SYSTEM TOOLS > Admin Settings > Interface according to our preference and requirements (e.g. 3 WAN, 1 DMZ, 1 LAN). As Figure 4-5 shows, three ISPs are connected to the DFL-1500, so we must adjust the interface assignment to 3 WAN ports to fit the current condition.
Figure 4-5: Adjust the DFL-1500 interfaces to fit the present situation
Chapter 4 System Tools
4.4 Steps
4.4.1 General settings
Step 1: General Setup (SYSTEM TOOLS > Admin Settings > General; tabs: General, Password, Time/Date, Timeout, Services, Interface). Enter the Host Name DFL-1 and, as Domain Name, the domain name of your company. Click Apply.
FIELD / DESCRIPTION / EXAMPLE: Host Name: the host name of the DFL-1500 device: DFL-1.
Table 4-1: System Tools General Setup menu
Step 2: Change Password (SYSTEM TOOLS > Admin Settings > Password)...
139. ...uses 211.54.63.1, we fill in Start 211.54.63.1 and End 211.54.63.5 to cover 211.54.63.1. Enter the Username and Password that employees will use when dialing in. Click Apply to finish the configuration.
FIELD / DESCRIPTION / EXAMPLE
Enable L2TP LNS: enable the L2TP LNS feature of the DFL-1500. Enabled
Local IP: the IP address of the default gateway in the internal network after an L2TP client dials in to the DFL-1500. 192.168.40.254
Assigned IP Range, Start IP: the first IP address allocated in the internal network after an L2TP client dials in to the DFL-1500. 192.168.40.200
Assigned IP Range, End IP: the last IP address allocated in the internal network after an L2TP client dials in to the DFL-1500. 192.168.40.253
Secure Client IP Range, Start: the first IP address of the range allowed to dial in to the LNS server using L2TP. 211.54.63.1
Secure Client IP Range, End: the last IP address of the range allowed to dial in to the LNS server using L2TP. 211.54.63.5
Username: the account that allows an L2TP client user to dial in to the DFL-1500. L2tpUsers
Password: the password that allows an L2TP client user to dial in to the DFL-1500. Dif3wk
Table 16-1: L2TP LNS server settings
Step 2: Set up Windows XP/2000 L2TP clients. Note that in the DFL-1500 release II firmware both PPTP and L2TP support MPPE; in other words, you can choose Require data encryption while a client computer running Wind...
140. ...ress. Get DNS Automatically: obtain DNS information automatically. Example: Get DNS Automatically.
Routing Protocol: whether to enable the dynamic routing protocol, i.e. receive RIP messages, send out RIP messages, or both. None / RIPv1 In / RIPv1 In+Out / RIPv2 In / RIPv2 In+Out / OSPF. Example: None.
OSPF Area ID: the OSPF area ID number (IPv4 format or a digit string, max 9 digits). Example: None.
Default WAN link: when enabled, all packets sent out from the DFL-1500 go via this port. Enable/Disable. Example: Enabled.
IP Address: the specified IP address (IPv4 format). Example: 61.2.1.1
Subnet Mask: the specified subnet mask (IPv4 format). Example: 255.255.255.248
Gateway IP: the default gateway IP address (IPv4 format). Example: 61.2.1.6
Primary DNS / Secondary DNS: the specified primary and secondary DNS server addresses (IPv4 format). Example: 168.95.1.1 / 0.0.0.0
Routing Protocol: as above. Example: None
OSPF Area ID: as above. Example: None
Default WAN link: as above. Example: Enabled
Password: the password of the PPPoE account. Example: G54688
Chapter 3 Basic Setup
Get DNS Automatically: obtain DNS information from the PPPoE ISP. DNS IP Address: manually specify the Primary and Seconda...
141. ...OUT means the packet is forwarded out to the Internet; IN means the packet is forwarded into the intranet.
Action: the status of the logged packet is Block or Forward.
Rule: the firewall rule that produced the log entry. Default means the default rule of the selected firewall direction. RM_xxx means the entry was produced by the remote management function; this is almost always an unauthorized user trying to use a remote management service that has not been opened. Otherwise the rule number is given, e.g. Rule0, Rule1.
Table 9-7: Firewall log field description
Part III NAT, Routing & Firewall
9.4.6 Set up an alert on detected attacks
Step 1: Set up Attack Alert. With the firewall enabled, the DFL-1500 already has an anti-DoS engine. Ordinary DoS attacks show up in the log when such traffic is detected and blocked; flooding attacks, however, require extra parameters to be recognized. Check the Enable Alert when attack detected checkbox. Entering 100 in One Minute High means that the DFL-1500 starts to generate alerts and delete half-open states when 100 half-open states have been established in the last minute. Entering 100 in Maximum Incomplete High means that the DFL-1500 starts to generate alerts and delete half-open states when the current number of half-open states reaches 100. Entering 10 in TCP Maximum Incomplete means that the DFL-1500 starts to generate alerts and delete half-open states when the number of half-open states towards...
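The three thresholds above, applied to a stream of SYN/ACK events, as an added example of the detection logic (not the DFL-1500 engine). A half-open state is a SYN that has not been followed by the handshake's final ACK or a RST; One Minute High counts new states in the trailing 60 seconds, Maximum Incomplete High counts all current states, and TCP Maximum Incomplete counts states towards one destination IP and port. The traffic is constructed, and what "delete half-open states" evicts is assumed (the oldest entries, down to half the threshold) since the manual does not say.

```python
"""Half-open TCP state tracking with the DFL-1500 Attack Alert thresholds.
Added example, not the firmware; traffic and eviction policy are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Alert:
    t: float
    kind: str
    detail: str


class HalfOpenMonitor:
    def __init__(self, one_minute_high=100, max_incomplete_high=100,
                 tcp_max_incomplete=10):
        self.one_minute_high = one_minute_high
        self.max_incomplete_high = max_incomplete_high
        self.tcp_max_incomplete = tcp_max_incomplete
        self.half_open = {}        # (src, sport, dst, dport) -> SYN time, oldest first
        self.syn_times = deque()   # creation times inside the trailing 60 s
        self.alerts = []

    def syn(self, t, src, sport, dst, dport):
        flow = (src, sport, dst, dport)
        if flow in self.half_open:
            return                 # retransmitted SYN, not a new state
        while self.syn_times and t - self.syn_times[0] >= 60:
            self.syn_times.popleft()
        self.syn_times.append(t)
        self.half_open[flow] = t
        self._check(t, (dst, dport))

    def completed(self, t, src, sport, dst, dport):
        """Final ACK of the handshake, or a RST: no longer half-open."""
        self.half_open.pop((src, sport, dst, dport), None)

    def _drop_oldest(self, flows, keep):
        # Assumption: "delete half-open states" evicts the oldest entries until
        # `keep` remain, so one burst yields one alert instead of one per SYN.
        for flow in flows[:max(0, len(flows) - keep)]:
            del self.half_open[flow]

    def _check(self, t, dest):
        if len(self.syn_times) >= self.one_minute_high:
            self.alerts.append(Alert(t, "one-minute-high",
                f"{len(self.syn_times)} new half-open states in the last minute"))
            self._drop_oldest(list(self.half_open), self.one_minute_high // 2)
        if len(self.half_open) >= self.max_incomplete_high:
            self.alerts.append(Alert(t, "max-incomplete-high",
                f"{len(self.half_open)} half-open states in total"))
            self._drop_oldest(list(self.half_open), self.max_incomplete_high // 2)
        towards = [f for f in self.half_open if (f[2], f[3]) == dest]
        if len(towards) >= self.tcp_max_incomplete:
            self.alerts.append(Alert(t, "tcp-max-incomplete",
                f"{len(towards)} half-open states towards {dest[0]}:{dest[1]}"))
            self._drop_oldest(towards, self.tcp_max_incomplete // 2)


def replay_constructed_flood(n_flood=12):
    """Constructed traffic: one completed LAN handshake to the DMZ web server
    (10.1.1.1 from Figure 9-1), then n_flood SYNs from spoofed Internet
    sources that never complete."""
    m = HalfOpenMonitor()
    m.syn(0.0, "192.168.40.1", 40001, "10.1.1.1", 80)
    m.completed(0.1, "192.168.40.1", 40001, "10.1.1.1", 80)
    for i in range(n_flood):
        m.syn(1.0 + i, f"203.0.113.{i + 1}", 1024 + i, "10.1.1.1", 80)
    return m


if __name__ == "__main__":
    m = replay_constructed_flood()
    for a in m.alerts:
        print(a)
    print(len(m.half_open), "half-open states left")
```

The completed LAN handshake never counts against any threshold, which is the property that distinguishes a flood from a busy server: the backlog is made of states that never finish.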
142. ...ets.
3. The source address/mask and the destination address/mask of the firewall rules are 192.168.88.0/255.255.255.0 and 192.168.40.0/255.255.255.0 respectively.
ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary): Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, Log checked; Apply. Packets are top-down matched by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log).
ADVANCED SETTINGS > Firewall > Edit Rules > Insert: Insert a new WAN1 to LAN1 firewall rule. Rule name AllowVPN; Schedule Always; Condition: Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Service ANY; Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply.
Chapter 11 Virtual Private Network IPSec
Step 8: View the result (ADVANCED SETTINGS > Firewall > Edit Rules). We now have a new rule before the default firewall rule. This rule allows packets from 192.168.88.0/255.255.255.0 to pass through the DFL-1500 and completes the VPN tunnel setup.
At DFL-2. Second, we...
143. ...configuration parameters, but the design principle of each rule is the same. The configuration is divided into three parts, as Figure 2-3 illustrates. You just need to enter the necessary information in each part according to your requirements. The three parts are defined as follows:
1. Status: the status and name of this rule.
2. Condition: the characteristics a packet must have to be captured by this rule.
3. Action: what this rule does when a packet is captured by it.
As Figure 2-4 illustrates, the rule edit page is divided into the same three parts, with the same definitions as in Figure 2-3. Additionally, note the button named Move Before in Figure 2-4: if you are not satisfied with the current rule sequence, you can adjust it with the Move Before button.
Figures 2-3 and 2-4: Status field; Condition field (what characteristics the packet must hold to be captured by this rule); Action field (what this rule does with a captured packet); tabs Status, Edit Rules, Show Rules, Attack Alert; the Move Before button for reordering rules.
144. ...firewall rule. Any packets from 192.168.40.0/24 to 192.168.88.0/24 are allowed to pass through the DFL-1500 and reach 192.168.88.0/24 through the VPN tunnel.
ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary): default action for this packet direction Block, Log checked; Apply. Packets are top-down matched by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log).
ADVANCED SETTINGS > Firewall > Edit Rules > Edit: Edit WAN1 to LAN1 firewall rule number 1. Rule name AllowVPN; Schedule Always; Condition: Source IP WAN1_VPNB, Dest IP LAN1_VPNB, Service ANY; Action: Forward and do not log the matched session; Forward bandwidth class def_class; Reverse bandwidth class def_class; Back / Apply.
ADVANCED SETTINGS > Firewall > Show Rules: Show WAN1 to LAN1 rules. Packets are top-down matched by the rules. Name AllowVPN; Schedule ALWAYS; Source IP WAN1_VPNB; Dest IP LAN1_VPNB; Service ANY; Action Forward.
Chapter 13 Virtual Private Network: DS-601 V...
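The top-down matching that the AllowVPN pages here and in Chapters 11 and 13 rely on, as an added example (not DFL-1500 code): rules for one direction are tried in order, the first whose Condition matches decides Forward or Block, and the direction's default action applies when nothing matches. The rule label in the result mirrors the firewall log's Rule field (Rule0, Rule1, Default). Address and Service objects are constructed from the WAN1_VPNB/LAN1_VPNB names on the page.

```python
"""First-match firewall evaluation for one direction (WAN1 to LAN1).
Added example, not DFL-1500 code; objects below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Address and Service objects, named as on the Firewall pages.
ADDRESSES = {
    "WAN1_VPNB": IPv4Network("192.168.88.0/24"),
    "LAN1_VPNB": IPv4Network("192.168.40.0/24"),
    "ANY": IPv4Network("0.0.0.0/0"),
}
SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "TELNET": ("tcp", 23)}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    dest: str
    service: str
    action: str                    # "Forward" or "Block"
    log: bool = False
    schedule_active: bool = True   # "Always"; a schedule object would toggle this


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Direction:
    rules: tuple
    default_action: str = "Block"   # WAN-to-LAN default on the page
    default_log: bool = True


def matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.schedule_active:
        return False
    svc = SERVICES[rule.service]
    return (ip_address(pkt.src) in ADDRESSES[rule.source]
            and ip_address(pkt.dst) in ADDRESSES[rule.dest]
            and (svc is None or svc == (pkt.proto, pkt.dport)))


def evaluate(direction: Direction, pkt: Packet):
    """First matching rule wins; otherwise the direction's default applies.
    Returns (action, rule label as in the firewall log, whether to log)."""
    for i, rule in enumerate(direction.rules):
        if matches(rule, pkt):
            return rule.action, f"Rule{i}", rule.log
    return direction.default_action, "Default", direction.default_log


# The WAN1-to-LAN1 direction after the AllowVPN rule has been inserted.
WAN1_TO_LAN1 = Direction(rules=(
    Rule("AllowVPN", "WAN1_VPNB", "LAN1_VPNB", "ANY", "Forward", log=False),
))


if __name__ == "__main__":
    for pkt in (Packet("192.168.88.10", "192.168.40.1", "tcp", 445),
                Packet("203.0.113.5", "192.168.40.1", "tcp", 80)):
        print(pkt, evaluate(WAN1_TO_LAN1, pkt))
```

Because order decides, a narrower Block rule (say, TELNET from the remote subnet) only takes effect if it is moved before AllowVPN with Move Before; placed after it, it is never reached.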
145. ...following the command. For example, "ip ?" will show all the valid suffix parameters of ip.

A.3 Privileged mode

Table A-5 Privileged mode CLI commands (Main command | Sub-command | Example | Description):
ip | ifconfig | ip ifconfig INTF1 192.168.1.100 255.255.255.0 | Configure the IP address of each port
ip | ping | ip ping 202.11.22.33 | Send ICMP echo request messages
ip | tftp | ip tftp upgrade image <FILENAME> 192.168.1.170 | Upgrade firmware from a TFTP server

(194, DFL-1500 User Manual)

Appendix B Trouble Shooting

1. The power LED of the DFL-1500 is off when I turn on the power.
Ans: Check the connection between the power adapter and the DFL-1500 power cord. If the problem still exists, contact your sales vendor.

2. How can I configure the DFL-1500 if I forget the admin password?
Ans: Gather all the MAC address values of the DFL-1500 and contact local technical support. They will give you an initial key. Please refer to Section 25.8 for how to reset the admin password.

3. I can't access the DFL-1500 via the console port.
Ans: Check the console cable and make sure it is connected between your computer's serial port and the DFL-1500 Diagnostic RS-232 port. Check that the terminal software parameters are set as follows: no parity, 8 data bits, 1 stop bit, baud rate 9600 bps. The terminal type is V
146. ...g the condition: requests in the LAN/DMZ to WAN direction whose source IP falls in the range 10.1.1.254 / 255.255.255.0 will be translated into requests with a public source IP and then forwarded to their destinations.

Step 5 Screen: BASIC SETUP > DMZ Settings > DMZ1 Status (tabs: DMZ1 Status, IP Alias). DMZ1 TCP/IP and DHCP Setup: Enable DHCP Server checked; IP Pool Starting Address; Pool Size (max size 253); Primary DNS Server 10.1.1.254; Secondary DNS Server; Lease time (sec); Routing Protocol None; OSPF Area ID; Apply.

Screen: ADVANCED SETTINGS > NAT > Status (tabs: Status, NAT Rules, Virtual Servers). Network Address Translation Mode: Basic.

Network Address Translation (NAT) translates the IP/port for:
1. Internal to External traffic: map the conditioned internal IPs/ports into the specified external IPs/ports (Reset NAT rules).
2. External to Internal traffic: map the conditioned external IPs/ports into the specified internal IPs/ports (Reset Server rules).

Modes:
1. None: the DFL-1500 is in routing mode without performing any address translation.
2. Basic: the DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnet IP ranges.
3. Full Feature: the DFL-1500 performs routing and NAT simultaneously; it performs several kinds of NAT on the conditioned IP subnets while performing routing on the other IP subnets.

Total Configured NAT Rules: 3. Vacant NAT Rules: 197. Total Configured Se
147. ...going Interface WAN1; Peer's IP Address: Static IP 61.2.4.1; My Identifier: IP Address (Auto Assigned); Peer's Identifier: IP Address (Auto Assigned); Self/local IP Address; The opposite side IP Address; ESP Algorithm: Encrypt and Authenticate DES MD5; AH Algorithm: Authenticate MD5; Pre-Shared Key 1234567890; Advanced / Back / Apply.

(93, Part IV Virtual Private Network)

Step 4 Reminder to add a Firewall rule
After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message reminding you to add a firewall rule. Just press the OK button to add one.

Step 5 Add a Firewall rule
Same as at DFL_1, we need to add an extra firewall rule to allow IPSec packets to come in from the Internet. So here we select the WAN1 to LAN1 direction and click the Insert button.

Step 6 Customize the Firewall rule
Enter the Rule Name as AllowVPN, Source IP as WAN1_VPNB (192.168.40.0) and Dest IP as LAN1_VPNB (192.168.88.0). Click Apply to store this rule.

Step 7 View the result
Now we have inserted a new rule before the default firewall rule. Any packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully access 192.168.88.0/24 through the VPN tunnel.

Screen: ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add (tabs: Pass Through, IPSec, VPN Hub, PPTP, L2TP, VPN Spoke). 1. If you enable the firewall, please ch
148. Screen: ... > Books > Schedule > Groups > Insert (tabs: Address, Service, Schedule, Objects, Groups). Insert a new group for Schedule: Group Name Block_MSN; members MSN_Block2.

Screen: Advanced Settings > IP/MAC Binding > Status (tabs: Status, Edit Rules, Show Rules). Enable IP/MAC binding checked.

The IP/MAC binding locks IP addresses to specific MACs. It achieves this by the following steps:
Step 1 Initialize the default action (Pass / Block).
Step 2 Set up each IP/MAC binding with a rule.
Step 3 Set up a wildcard rule to exclude a range of IPs for the DHCP IP range.
You can set up access control rules among the interfaces. (Reset / Apply)

Screen: Advanced Settings > IP/MAC Binding > Edit Rules. Edit LAN1 IP/MAC binding rules; default setting for this interface: Block, Log. Default rule: Active; Name Default; Direction LAN1/LAN1; Source IP Address 192.168.40.0 to 192.168.40.255; MAC Any; Action Block; Log Y.

(73, Part III NAT / Routing & Firewall)

Step 3 Add a new IP/MAC binding rule
Advanced Settings > IP/MAC Binding > Edit Rules > Insert. Suppose the default setting for the LAN1 interface is Block and only the DHCP IP range 192.168.40.101 to 192.168.40.120 will be allowed by this rule. Status: check the Activate this rule checkbox.
149. ... > SNMP Control. By setting the related information on this page, we can use an SNMP manager to monitor the system status and network status of the DFL-1500.

FIELD | DESCRIPTION | EXAMPLE
Enable SNMP | Enable the SNMP function or not | Enabled
System Name | The device name of the DFL-1500 | DFL_1.dlink.com
System Location | The installed location of the DFL-1500 |
Contact Info | The person who takes charge of the DFL-1500 |
Get community | The community which can get the SNMP information; here "community" is something like a password | public (ro community)
Set community | The community which can set the SNMP information; here "community" is something like a password | private (rw community)
Trusted hosts | The IP address which can get or set via the community from the DFL-1500 | 192.168.1.5
Trap community | The community with which SNMP traps will be sent; here "community" is something like a password | trap_comm
Trap destination | The IP address to which the DFL-1500 will send SNMP traps | 192.168.1.5

(D-Link, 38, DFL-1500 User Manual, Chapter 4 System Tools)

4.4.6 Change DFL-1500 interface

Step 1 Change Interface definition
SYSTEM TOOLS > Admin Settings > Interface. The default port settings are 2 WAN ports, 1 DMZ port and 2 LAN ports. But in order to fit our requirement, here we select 3 WAN (port1 to port3), 1 DMZ (port4) and 1 LAN (port5), and then press Appl
150. ...he in the browser and try to connect to the Internet web server. If the web page result still does not match the web filter configuration, you may close your browser and reopen it.

12. After finishing the edit of DFL-1500 settings and pressing the Apply button, the LAN/DMZ to WAN network connections (telnet, ssh, ftp, msn) fail. Why?
Ans: This is a normal situation. When you finish the following settings, all the active network connections will be disconnected, so you must reconnect them again:
SYSTEM TOOLS > Remote Management
ADVANCED SETTINGS > VPN Settings > IPSec
ADVANCED SETTINGS > VPN Settings > PPTP > Client
ADVANCED SETTINGS > VPN Settings > Pass Through
ADVANCED SETTINGS > NAT

(199, DFL-1500 User Manual, Appendix C System Log Syntax)

Appendix C System Log Syntax

In the DFL-1500 all administration actions are logged by the system. You can review your whole management process through the System log (DEVICE STATUS > System Logs > System Access Logs). Besides, all the system log descriptions follow the same syntax format. In the diagram below you can view an example of a system log. The amplified system log example can be divided into 4 parts: the first part is the Component type, the second part is the Log ID, the third part is the log description and the final part is the Event ID. Each time you applied a setting in the DFL-1500 you were issued an Event, so the same Event ID may have many different Log I
151. ...he web filter disabled range. The web filter will be active (total enforcement) for 10.1.1.1 to 10.1.1.254. Range From / To: set up the IP address range for the above exemption, e.g. 192.168.40.100 to 192.168.40.130. Delete: delete the specified IP range filled in the above Range From field.
Table 17-2 Web Filter Exempt Zone setting page

Step 4 Customize the specified sites
ADVANCED SETTINGS > Content Filters > Web Filter > Customize. Check Enable Filter List Customization to allow all accesses to the Trusted Domains while disallowing all accesses to the Forbidden Domains. Check Disable all web traffic except for trusted domains if you want to allow access only to the Trusted Domains. However, if the web objects were set to be blocked by the DFL-1500 in step 3, these allowed accesses will never be able to retrieve those objects. Check Don't block ... to allow the objects for the trusted domains (dlink.com.tw in the screenshot). The domains are maintained by entering the address in the Domain field and clicking the Add button. To delete a domain, click the domain and then click the Delete button.

FIELD | DESCRIPTION | EXAMPLE
Enable Filter List Customization | Enable the Filter List Customization feature of the web filter. If you only enable it, all the domains in the Trusted Domains will be allowed to pass through the DFL-1500. Contr
152. ...heck Blocking Time, any new sessions will be blocked for the length of time you specified in the next field (min), and all old incomplete sessions will be cleared during this period. If you want strong security, it is better to block the traffic for a short time, as this will give the server some time to digest the load.
Table 9-8 Setup the Denial of Service Thresholds of attack alert

(79, Part IV Virtual Private Network; D-Link, 80, DFL-1500 User Manual, Chapter 10 VPN Technical Introduction)

Chapter 10 VPN Technical Introduction

This chapter introduces VPN-related technology.

10.1 VPN benefit
If you choose to implement VPN technology in your enterprise, it may bring the following benefits to your company:
1. Authentication: ensure the data received is the same as the data that was sent, and that the claimed sender is in fact the actual sender.
2. Integrity: ensure that data is transmitted from source to destination without undetected alteration.
3. Confidentiality: guarantee that the intended recipients know what was sent but unintended parties cannot determine what was sent. This is mostly provided by data encryption.
4. Non-repudiation: the receiver is able to prove that the sender of some data did in fact send the data, even though the sender might later desire to deny ever having sent it.

10.2 Related Terminology Explanation
10.2.1 VPN A
153. ...hose ... Exact filename | When the whole filename of the attachment file matches the Exact filename, add the .bin extension to the attachment file.
Table 18-2 Mail Filter SMTP setting page

(149, Part V Content Filters)

Step 2 Add a POP3 Filter
Select filename extension, enter vbs and click Add to add a rule. This rule will apply to all DMZ/WAN to LAN POP3 connections. All such POP3 traffic will be examined to change the filename extension from vbs to vbs.bin. Note that the filename to block cannot contain marks such as < >.

Step 3 Customize the local zones
You can configure to what range of the local zones the filters will apply. By default the filters apply to all computers, so Enforce POP3 filter policies for all computers is selected and the range is 0.0.0.0 to 255.255.255.255. Delete the default range by clicking the range item and then the Delete button. Enter the IP range in the Range fields followed by a click of the Add button to add one address range to the filter. Click Include and Apply if you want the filters to apply only to the specified ranges. Click Exclude and Apply if you want the filters to apply to all computers except those specified ranges.

Screen: ADVANCED SETTINGS > Content Filters > Mail Filters > POP3: filename extension; columns Original Name, Type, Mapped Name. ADVANCED SETTINGS > Conten
154. ...ignment: Fixed IP Address > DNS IP. Click Next to proceed.
Screen: Default WAN link; Gateway / DNS: IP Address 61.2.1.1; Subnet Mask 255.255.255.248; Gateway IP 61.2.1.6; DNS IP Address: Primary DNS 168.95.1.1; Secondary DNS 0.0.0.0; Routing Protocol None; OSPF Area ID; Back / Next.

Step 5-c PPPoE client
BASIC SETUP > Wizard > Next > PPPoE. PPP over Ethernet is selected; enter the ISP-given User Name, Password and the optional Service Name. Click Next to proceed.
Screen: IP Address Assignment: PPP over Ethernet; Default WAN link; Gateway / DNS; Service Name (optional); User Name; Password; Get DNS Automatically; DNS IP Address: Primary DNS 168.95.192.1; Secondary DNS 168.95.1.1; status Disconnected.

(D-Link, 10, DFL-1500 User Manual, Chapter Quick Start)

Step 5-d Alert Message
Please note that an alert message box ("When changing to non-fixed IP mode, system will delete all IP alias") will appear when you change to Get IP Automatically (DHCP) or PPP over Ethernet, but not Fixed IP Address, as your WAN link.

Step 6 System Status
Here we select the Fixed IP method for the WAN1 port. Then the DFL-1500 provides a short summary of the system. Please check whether everything mentioned above is properly set in the
155. ...il memory 235 M
cpu Intel Celeron 686-class, 1202.79 MHz
ASIC IPSec Enabled
Ethernet address 00:80:c8:50:fb:87
Ethernet address 00:80:c8:50:fb:88
Ethernet address 00:80:c8:50:fb:89
Ethernet address 00:80:c8:50:fb:8a
Ethernet address 00:80:c8:50:fb:8b
IPsec: Initialized Security Association Processing
Software Serial Number
Installing Modules done
Startup High Availability Standby mode
NetOS/i386 (HA Standby mode) (tty00) id 0x6b4
login:
Welcome to DFL-1500 VPN Firewall Router
DFL-1500> en
DFL-1500# sys st
System Name
Firmware Version NetOS Ver2.000 WALL.0 Thu Sep 9 05:46:41 CST 2004
Software Serial Number 3968612239565626400
Operation Mode NAT Router
Default Gateway
Primary DNS
Secondary DNS
11:24AM up 1 min, 0 users, load averages: 1.10, 0.37, 0.14

(173, Part VIII System Maintenance; D-Link, 174, DFL-1500 User Manual, Chapter 23 System Status)

Chapter 23 System Status

23.1 Demands
1. Since we have finished the settings of the DFL-1500, we need to gather the device information quickly. Then we can have an overview of the system status.

23.2 Objectives
1. We can know the current situation easily through an integrated interface.

23.3 Methods
1. Through the DEVICE STATUS > System Status path we can get the needed information.

23.4 Steps
Step 1 System Status: DEVICE STATUS >
156. ...in 192.168.17.102:443
Set Date/Time | SYSTEM | S15 | System time update with NTP server tock.usno.navy.mil set by admin 192.168.17.102:443
Set Date/Time | SYSTEM | S15 | System time update to 2003-10-10 13:33:25 set by admin 192.168.17.102:443
Set System Auto Timeout Lifetime | SYSTEM | S16 | System auto timeout changed to 45 minutes by admin 192.168.17.102:443

(205, Appendix C)

Interface Configuration (WAN / LAN / DMZ) | PORTS | S17 |
Backup Configuration | SYSTEM | S18 | Backup configuration file by admin 192.168.17.102:443
Restore Configuration | SYSTEM | S19 | Restore configuration file by admin 192.168.17.102:443
Factory Reset | SYSTEM | S20 | Factory Reset to default settings by admin 192.168.17.102:443
Firmware Upgrade | SYSTEM | S21 | Firmware upgraded by admin 192.168.17.102:443
Setup HTTPS Server / Setup SNMP Server / MISC Setup | | S22 to S27 |
Enable/Disable SNMP | SYSTEM | S28 | Enable SNMP by admin 192.168.17.104:443
Enable/Disable SNMP | SYSTEM | S28 | System Location Building A
Enable/Disable SNMP | SYSTEM | S28 | Contact Info 886 2 28826262
Enable/Disable SNMP | SYSTEM | S28 | Disable SNMP
Update remote management TELNET Server settings | SYSTEM | S31 | Update remote management settings by admin 192.168.17.102:443
Set Gateway | SYSTEM | S32 | WAN1 Gateway IP 192.167.17.254
Set Gateway | SYSTEM | S32 | WAN1 Got PPPoE Gateway IP 210.58.28.91
Set DNS IP Address | SYSTEM | S33 | WAN1 Clear DNS IP Address
Set DNS IP Ad
157. ...ion that can facilitate maximum security and the best resource utilization for enterprises. It contains a high-performance stateful packet inspection (SPI) firewall, policy-based NAT, ASIC-based wire-speed VPN, an upgradeable Intrusion Detection System, Dynamic Routing, Content Filtering, Bandwidth Management, WAN Load Balancer, High Availability and other solutions in a single box. It is one of the most cost-effective all-in-one solutions for enterprises.

1.1 Check Your Package Contents
These are the items included with your DFL-1500 purchase, as shown in Figure 1-1:
1 DFL-1500 device
1 Ethernet cable (RJ-45)
1 RS-232 console cable
1 CD (includes the User's Manual and Quick Guide)
1 power cord
Figure 1-1 All items in the DFL-1500 package

1.2 Five steps to configure the DFL-1500 quickly
Let's look at the common network topology without the DFL-1500 applied, like Figure 1-2. This is the topology used by almost all small/medium businesses or SOHO users for their Internet connectivity. Although your topology is not necessarily the same as the diagram below, it can still give you a guideline to configure the DFL-1500 quickly.

(Part I Overview)

Now pay attention to the IP Sharer in the diagram. The IP Sharer can provide you with NAT (Network Address Translation), PAT (Port Address Translation) and other functions.

(Figure residue: Server, Switch, ADSL Modem) Figure 1-3 The example after the DFL-1500 is a
158. ...is feature will block fragmented packets in the firewall of the DFL-1500. Warning: enabling this feature will cause problems in some applications. | Disabled
BUTTON | DESCRIPTION
Apply | Apply the settings which have been configured
Table 9-5 Configure Firewall status

Step 2 Add a Firewall Rule
ADVANCED SETTINGS > Firewall > Edit Rules (tabs: Status, Edit Rules, Show Rules, Attack Alert, Summary). Select the LAN1 to WAN1 traffic direction. The default action of this direction is to forward all traffic without logging anything. Click Insert to add a firewall block rule before the default rule to stop it.

(73, Part III NAT / Routing & Firewall)

Step 3 Customize the rule
ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Before adding a new firewall rule you have to set up the Books in Basic > Books > Addresses / Services / Schedules first. After configuring those settings you can then add a new firewall rule. Status: enter the rule name as Pc1_1 and select a Schedule. Condition: select Source IP as PC1_1 (192.168.40.0 / 255.255.255.255) and select Dest IP as WAN1_ALL. Select Service as ANY (TCP, UDP and ICMP). Action: select Block and Log the matched session, and choose the Forward bandwidth class or Reverse bandwidth class if any. Click Apply to apply the changes. Note
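The top-down rule matching that these firewall pages describe (an ordered rule list per direction, the default action last, Insert / Move Before changing the order), as an added illustration that is not the DFL-1500's own code. The AllowVPN subnets come from the page; the LAN host, rule names and sample packets are constructed for this example.

```python
"""Top-down firewall rule matching, modelled on the DFL-1500 rule pages.
Added illustration, not the device's code: names and packets are
constructed; only the AllowVPN subnets are taken from the manual."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    source: str   # CIDR the packet's source must fall in
    dest: str     # CIDR the packet's destination must fall in
    service: str  # "ANY", "TCP", "UDP" or "ICMP"
    action: str   # "Forward" or "Block"
    log: bool = False


@dataclass
class Direction:
    """Rules for one traffic direction (e.g. WAN1 to LAN1) plus the
    default action the page shows as the last, unmovable rule."""
    name: str
    default_action: str
    default_log: bool = True
    rules: List[Rule] = field(default_factory=list)

    def insert_before(self, index: int, rule: Rule) -> None:
        # Same effect as the Insert / Move Before buttons: an earlier
        # position wins, because matching stops at the first hit.
        self.rules.insert(index, rule)

    def match(self, src: str, dst: str, proto: str) -> Tuple[str, str, bool]:
        """Return (rule name, action, log) of the first rule whose
        condition matches, or the direction's default when none does."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if (s in ip_network(r.source) and d in ip_network(r.dest)
                    and r.service in ("ANY", proto)):
                return r.name, r.action, r.log
        return "default", self.default_action, self.default_log


def build_wan1_to_lan1() -> Direction:
    """WAN1 to LAN1 as on the VPN page: default Block (logged), with an
    AllowVPN rule inserted before it for the two VPN subnets."""
    d = Direction("WAN1 to LAN1", default_action="Block")
    d.insert_before(0, Rule("AllowVPN", "192.168.40.0/24",
                            "192.168.88.0/24", "ANY", "Forward"))
    return d


def build_lan1_to_wan1() -> Direction:
    """LAN1 to WAN1 as in Step 2/3 above: default Forward without log,
    and a Block-and-Log rule for one LAN host inserted before it.
    The host 192.168.40.7 is a constructed value."""
    d = Direction("LAN1 to WAN1", default_action="Forward", default_log=False)
    d.insert_before(0, Rule("Pc1_1", "192.168.40.7/32", "0.0.0.0/0",
                            "ANY", "Block", log=True))
    return d


if __name__ == "__main__":
    inbound, outbound = build_wan1_to_lan1(), build_lan1_to_wan1()
    print(inbound.match("192.168.40.7", "192.168.88.10", "TCP"))   # AllowVPN
    print(inbound.match("10.9.9.9", "192.168.88.10", "TCP"))       # default Block
    print(outbound.match("192.168.40.7", "203.0.113.5", "TCP"))    # Pc1_1 Block
    print(outbound.match("192.168.40.8", "203.0.113.5", "TCP"))    # default Forward
```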
159. D-Link China: 15th Floor, Science & Technology Tower, No. 11 Baishiqiao Road, Haidian District, 100081 Beijing, China. TEL 86-10-68467106, FAX 86-10-68467110. URL www.dlink.com.cn. E-MAIL liweli@digitalchina.com.cn

D-Link Denmark: Naverland 2, DK-2600 Glostrup, Copenhagen, Denmark. TEL 45-43-969040, FAX 45-43-424347. URL www.dlink.dk. E-MAIL info@dlink.dk

D-Link Middle East: 7 Assem Ebn Sabet Street, Heliopolis, Cairo, Egypt. TEL 202-245-6176, FAX 202-245-6192. URL www.dlink-me.com. E-MAIL support@dlink-me.com & fateen@dlink-me.com

D-Link Finland: Pakkalankuja 7A, FIN-0150 Vantaa, Finland. TEL 358-9-2707-5080, FAX 358-9-2707-5081. URL www.dlink-fi.com

D-Link France: Le Florilege No. 2, Allee de la Fresnerie, 78330 Fontenay le Fleury, France. TEL 33-1-3023-8688, FAX 33-1-3023-8689. URL www.dlink-france.fr. E-MAIL info@dlink-france.fr

(217, Appendix H)

Germany, D-Link Central Europe: D-Link Deutschland GmbH, Schwalbacher Strasse 74, D-65760 Eschborn, Germany. TEL 49-6196-77990, FAX 49-6196-7799300. URL www.dlink.de. BBS 49-(0)6192-971199 (analog), BBS 49-(0)6192-971198 (ISDN). INFO 00800-7250-0000 (toll free), HELP 00800-7250-4000 (toll free), REPAIR 00800-7250-8000. E-MAIL info@dlink.de

India, D-Link India: Plot No. 5, Bandra-Kurla Complex Rd., Off Cst Rd., Santacruz (East), Mumbai 400 098, India. TEL 91-022-652-6696 / 65-78-6623, FAX 91-022-652-8914 / 8476. URL www.dlink-india.com & www
160. ...lications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination, but it allows verification of the integrity of the information and authentication of the originator.

ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authentication properties are limited compared to AH because the IP header information is not included in the authentication process. However, ESP is sufficient if only the upper-layer protocols need to be authenticated. An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.

(83, Part IV Virtual Private Network)

10.3 Make VPN packets pass through the DFL-1500

Step 1 Enable IPSec
ADVANCED SETTINGS > VPN Settings > Pass Through (tabs: Pass Through, IPSec, VPN Hub, VPN Spoke, PPTP, L2TP). If we need to set up the DFL-1500 between existing IPSec / PPTP / L2TP connections, we need to open up the blocked firewall ports of the DFL-1500 in advance. Here we provide a simple way: enable the IPSec / PPTP / L2TP pass-through checkbox on this page. Then the IPSec / PPTP / L2TP VPN connections will pass through the DFL-1500, and the DFL-1500 will play the role of the forwarding device in the middle.
161. ...ll: Rule Name IKErule. Select Dynamic IP in the Peer's IP Address field. Be sure to select Aggressive mode for the dynamic remote gateway address type. Click the ESP Algorithm and select Encrypt and Authenticate DES MD5. Enter the Pre-Shared Key as 1234567890. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message. If you want to set the detailed IKE parameters, click the Advanced button on this page; otherwise it is OK to just leave the values at their defaults. Note that the Peer's Identifier must NOT be of the IP Address type when the Dynamic IP type is used, so you have to select FQDN (domain name) or user FQDN (mailbox) as the Peer's Identifier.

Screen values: Condition: Self/local IP: Local Address Type Subnet Address; IP Address 192.168.40.0; PrefixLen/Subnet Mask 255.255.255.0. The opposite side IP Address: Negotiation Mode Aggressive; Remote Address Type Subnet Address; Outgoing Interface WAN1; Peer's IP Address Dynamic. My Identifier: IP Address (Auto Assigned). Peer's Identifier: FQDN (domain name) dlink.com. Action: ESP Algorithm Encrypt and Authenticate DES MD5; AH Algorithm Authenticate MD5; Pre-Shared Key 1234567890; Advanced.

Step 4 Detail settings of IPSec IKE
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced. In this page we will set the detailed values of I
162. Encryption | Encrypt and Authenticate DES MD5 | Encrypt and Authenticate DES MD5 | Encrypt and Authenticate DES MD5 | Encrypt and Authenticate DES MD5
Pre-Shared Key | 1234567890 | 1234567890 | 1234567890 | 1234567890
Table 14-2 The IKE tunnel configuration

(D-Link, 122, DFL-1500 User Manual)

Configuring the VPN Hub for the Main Office

Step 1 Add a Firewall rule
Suppose the Main Office has already added two VPN tunnels to communicate with the two branch offices. Now the Main Office has to add a firewall rule to allow IPSec packets to come in from the Internet. Before adding the firewall rule, please make sure to add the addresses first, and then organize the related addresses into a group; this makes it easier to add the firewall rule. Please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule.

Step 2 Customize a Firewall rule
Enter the Rule Name as AllowVPN, Source IP as Spokes (Spoke_1 192.168.40.0, Spoke_2 192.168.88.0) and Dest IP as Hub (192.168.1.0). Click Apply to store this rule.

Step 3 Add a VPN Hub
Select Add to add a VPN Hub. Enter a name in the Hub Name field. To add tunnels to the VPN Hub, select a VPN tunnel from the Available Tunnels list and select the right arrow. To remove tunnels
163. ...nistrator plans to solve the problem by subscribing to a second link (ISP2). He hopes that all the packets from the General Manager Room (192.168.40.192/26) will pass through the ISP2 link instead of the default ISP1 link.

8.3 Methods
1. Add a static routing entry to direct the packets towards 192.168.50.0/24 through the router 192.168.40.253.
2. Add a policy routing entry for the packets coming from the General Manager Room department (192.168.40.192 / 255.255.255.192) through the ISP2 link.

8.4 Steps

8.4.1 Add a static routing entry

Step 1 Add a static routing rule
Advanced Settings > Routing > Static Route. Click the Add button to go to the next step.

Step 2 Fill out the related fields
Advanced Settings > Routing > Static Route > Add. Fill in the Destination and Netmask fields with 192.168.50.0 and 255.255.255.0. Assign the next-hop Gateway as 192.168.40.253 (the router's IP address). Click Add to proceed.

FIELD | DESCRIPTION | Range/Format | EXAMPLE
Destination | The destination IP address of this static routing entry record; determines whether this entry covers multiple hosts | IPv4 format | 192.168.50.0
Netmask | IP netmask of this static routing entry | IPv4 format | 255.255.255.0
Gateway | The gateway of this static routing entry record | IPv4 format | 192.168.40.253
Table 8-1 Add a static routing entry

(D-Link, 62, DFL-1500 User Manual, Chapter 8 Routing)

Step 3 View the result
Advanced
164. Screen: ADVANCED SETTINGS > NAT > NAT Rules > Insert (tabs: Status, NAT Rules, Virtual Servers). Insert a new LAN/DMZ to WAN NAT rule: Activate this rule checked; Rule name Rule; Condition: Source IP 192.168.40.0, Netmask 255.255.255.252; Type One-to-One; Action: Translated Src IP: Auto choose IP from WAN ports, 61.2.1.1, Netmask 255.255.255.252.

(54, DFL-1500 User Manual, Chapter 7 NAT)

7.4.2 Setup Virtual Server for FtpServer1

Step 1 Device IP Address
Set up the IP Address and IP Subnet Mask of the DFL-1500's DMZ1 interface.

Step 2 Client IP Range
Enable the DHCP server if you want to use the DFL-1500 to assign IP addresses to the computers under DMZ1. Here we enable the DHCP feature.

Step 3 Apply the Changes
Click Apply to save your settings.

Step 4 Check NAT Status
The default setting of NAT is Basic Mode. After applying Step 3, NAT is automatically configured with the rules that let all private-IP LAN/DMZ to WAN requests be translated with the public IP assigned by the ISP.

Check NAT Rules
The DFL-1500 has added the NAT rules automatically, as the diagram on the right describes. The rule Basic_DMZ1 (number 1) means that when matchin
165. ...o two classes: the LAN_1 to LAN_2 class (40%, 617 kbps) and the E-Commerce class (20%, 308 kbps). Besides, set the E-Commerce class to be able to borrow from other bandwidth if any bandwidth is available.

Class | Percent | Bandwidth | Borrow | Note
LAN_1 to LAN_2 | 40% | 617 kbps | Disabled | MAX 617 kbps (limited bandwidth)
E-Commerce | 20% | 308 kbps | Enabled | guaranteed bandwidth
Table 21-2 Bandwidth management action assignment from ANY to WAN1

(163, Part VII Bandwidth Management / High Availability)

21.4 Steps

21.4.1 Inbound Traffic Management

Step 1 Enable Bandwidth Management
ADVANCED SETTINGS > Bandwidth Mgt > Status (tabs: Status, Edit Actions). Check the Enable Bandwidth Management checkbox and click Apply.

FIELD | DESCRIPTION | EXAMPLE
Enable Bandwidth Management | Enable the Bandwidth Management feature of the DFL-1500 (Enable / Disable) | Enabled
BUTTON | DESCRIPTION
Reset Bandwidth Management | Reset all the bandwidth management rules to the default status
Apply | Apply the settings which have been configured
Reset | Clear the filled-in data and restore the original values
Table 21-3 Setup status page of Bandwidth Management

Step 2 Setup the LAN1 Link
ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions. Select ANY to LAN1 to set up the traffic that will be transmitted by the LAN1 interface. Enter the LAN1 interface bandwidth as 100000 kbps (100 Mbps). Click the Apply button to enforce the LAN1 link bandwidth to the specified bandwidth. In the LAN1 in
166. ...on of adding an IPSec policy rule.

(89, Part IV Virtual Private Network)

Step 4 Detail settings of IPSec IKE
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced. In this page we will set the detailed values of the IKE Advanced parameters. Fill in the related fields as Table 11-5 indicates to finish these settings.

FIELD | DESCRIPTION | Range/Format | EXAMPLE
Condition: Transport Layer Protocol | Use this field to select only packets of a specified protocol; packets not of the specified protocol will not be allowed to pass through the IPSec tunnel | ANY, TCP, UDP | TCP
Action: Replay Detection | Whether Replay Detection is enabled | NO, YES |
Phase 1 Negotiation Mode | Cannot be edited again | | Main
Pre-Shared Key | Cannot be edited again | | 1234567890
Encryption Algorithm | Choose a type of encryption and authentication algorithm combination | Encrypt and Authenticate DES MD5; Encrypt and Authenticate DES SHA1; Encrypt and Authenticate 3DES MD5; Encrypt and Authenticate 3DES SHA1 | Encrypt and Authenticate DES MD5
IKE SA Life Time | Set the IKE SA lifetime. A value of 0 means IKE SA negotiation never times out. See Chapter 10 | 0 to 9999999999 (sec / min / hour) | 28800 sec
167. ...onnection. The connection may be given a descriptive name; enter a name in the following field. Name of the connection: DFL-1500.

Step 2 Select Link Type
Configuration > Profile Settings > New Entry. Select LAN (over IP) in the Communication media field and then click Next to proceed. (Assistant dialog: Link type / Dial-up configuration. Select the media type of the connection and determine how the connection to the corporate network should be established. If the Internet is to be used via modem, set the communication media to modem and then select the appropriate modem. Back / Next / Cancel.)

(113, Part IV Virtual Private Network)

Step 3 Setup VPN gateway
Configuration > Profile Settings > New Entry. Enter the VPN gateway IP 220.136.231.114, which is also DFL_1's WAN1 IP. Click Next to proceed. (Assistant dialog: VPN gateway parameters. To which VPN gateway should the connection be established? Enter the DNS name or the official IP address of the VPN gateway you want to connect to. Gateway: 220.136.231.114. Use extended authentication: Username, Password, Password Confirm.)

Step 4 Pre-shared Key
Configuration > Profile Settings > New Entry. Enter 1234567890 in the Shared secret field and retype it in the Confirm secret field. Select IP Address and enter 61.64.148.19
168. ...ontinuously every 3 min | The system will update the system date/time from the NTP time server every 3 minutes | Enabled
Update system clock using the time server at boot time | The system will update the system date/time from the NTP time server at boot time | Disabled
Manual Time Setup | Manually set the Time & Date value |
Table 4-3 System Tools Time/Date menu

Step 4 Setup Timeout
SYSTEM TOOLS > Admin Settings > Timeout. Select the target timeout (e.g. 10 min) from the System Auto Timeout Lifetime field and click the Apply button. Now the browser session will not time out for the 10 minutes following your last interaction with it.

FIELD | DESCRIPTION | EXAMPLE
System Auto Timeout Lifetime | When the system is idle for the specified time, the system will force the logged-in user to log out automatically | 10 min
Table 4-4 System Tools Timeout menu

(D-Link, 34, DFL-1500 User Manual, Chapter 4 System Tools)

Step 5 Configure Services
SYSTEM TOOLS > Admin Settings > Services. We can configure a service name and its numeric port number as one group, so you can simply use the service name in the DFL-1500's configuration. If you want to add, edit or delete the ser
oothly. Besides, we hope LAN users can access the web server located in the DMZ region faster.

161 Part VII Bandwidth Management / High Availability

Figure 21.2 Use the bandwidth management mechanism to shape the data flow in the uplink direction (E-Commerce Server 140.113.179.3; LAN_1 to LAN_2 VPN 40%, 617 kbps; E-Commerce 20%, 308 kbps; Other traffic: the remainder; ISP Router; DFL_2; LAN_2 192.168.88.0/24).

2. As Figure 21.2 illustrates, LAN_1 PCs are using the E-Commerce service from the E-Commerce Server (140.113.179.3), which starves the VPN transfer from LAN_1 to LAN_2. So we want to make sure that the VPN tunnel link is reserved at least 600 kbps. Any free bandwidth then raises the transmission rate available to LAN_1 PCs accessing the E-Commerce service.

21.2 Objectives
1. As Figure 21.1 illustrates, LAN PCs are browsing web pages from a Web Server on the Internet. This takes bandwidth away from the PCs that are watching the video provided by the Video Stream Server (140.113.179.4), causing the video to stall and have poor quality. So we want to guarantee the video quality for the LAN PCs accessing the Video Stream Server. The total bandwidth of the ANY to LAN1 direction is 100 Mbps, the bandwidth of the LAN interface. Here we will make sure that the PCs of LAN1 have smo
oth stream quality, which requires at least 1% of LAN1's total bandwidth (1000 kbps). Besides, we have another web server located in the DMZ region. Because that web server is on the local network, we can assign larger bandwidth to web traffic in the DMZ to LAN direction. The remaining bandwidth is named Other traffic; it is reserved for other ANY to LAN1 transmissions not listed in Figure 21.1.
2. Reserve at least 600 kbps for the LAN_1 to LAN_2 transfer. LAN PCs can share about 20% (308 kbps) for the E-Commerce service. However, when the LAN_1 to LAN_2 traffic is below 40% (617 kbps), the E-Commerce service can occupy the free bandwidth of the LAN_1 to LAN_2 class and the remaining bandwidth of the default class.

21.3 Methods
1. As Table 21.1 lists, partition the inbound bandwidth (total 100 Mbps) into three classes: web from WAN, video from WAN and web from DMZ. The remaining bandwidth is assigned to other services not listed here.

Table 21.1 Bandwidth management action assignment from ANY to LAN1
Class / Share / Borrowing / Meaning
web from WAN: 0.3% (300 kb), Disabled, limited bandwidth: MAX 300 kbps.
video from WAN: 1% (1000 kb), Enabled, guaranteed bandwidth: at least 1000 kbps.
web from DMZ: 50% (50 Mb), Enabled, guaranteed bandwidth.

2. As Table 21.2 lists, partition the outbound bandwidth (total 1.544 Mbps) int
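The two class plans above (a limited class that can never exceed its maximum, guaranteed classes that may borrow idle bandwidth, and a default class for everything else) are easier to reason about when the arithmetic is spelled out. The following is an added example, not code from the manual or from D-Link: a small allocator in the style of a class-based queue that first honours each class's guarantee and then water-fills the idle capacity among classes allowed to borrow. The class names, link rates and demand figures come from Tables 21.1 and 21.2; the names TrafficClass, check_plan and allocate are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrafficClass:
    name: str
    guarantee: int           # kbps reserved for the class ("at least")
    ceiling: Optional[int]   # kbps hard maximum; None = may grow to the link rate
    borrow: bool             # may use bandwidth that other classes leave idle


def check_plan(link_kbps: int, classes: list) -> int:
    """Reject plans that promise more than the link has.  Returns the
    bandwidth left for the default class after all guarantees."""
    total = sum(c.guarantee for c in classes)
    if total > link_kbps:
        raise ValueError(f"guarantees sum to {total} kbps on a {link_kbps} kbps link")
    for c in classes:
        if c.ceiling is not None and c.ceiling < c.guarantee:
            raise ValueError(f"{c.name}: ceiling below guarantee")
    return link_kbps - total


def allocate(link_kbps: int, classes: list, demand: dict) -> dict:
    """Share link_kbps among classes given each class's offered load (kbps).

    Pass 1 gives every class min(demand, guarantee).  Pass 2 water-fills the
    idle remainder, one equal share per round, among classes that may borrow
    and still have unmet demand, never above a class's ceiling."""
    check_plan(link_kbps, classes)

    def cap(c: TrafficClass) -> int:
        limit = link_kbps if c.ceiling is None else c.ceiling
        return min(demand.get(c.name, 0), limit)

    alloc = {c.name: min(demand.get(c.name, 0), c.guarantee) for c in classes}
    free = link_kbps - sum(alloc.values())
    while free > 0:
        hungry = [c for c in classes if c.borrow and alloc[c.name] < cap(c)]
        if not hungry:
            break                       # leftover capacity stays idle
        share = max(1, free // len(hungry))
        for c in hungry:
            give = min(share, cap(c) - alloc[c.name], free)
            alloc[c.name] += give
            free -= give
    return alloc


# Outbound plan from Table 21.2: 1.544 Mbps uplink, VPN reserved 40 % (617 kbps),
# E-Commerce 20 % (308 kbps), the rest is the default class.
OUTBOUND = [
    TrafficClass("LAN_1 to LAN_2", 617, None, True),
    TrafficClass("E-Commerce", 308, None, True),
    TrafficClass("default", 619, None, True),
]

# Inbound plan from Table 21.1: 100 Mbps, web from WAN capped at 300 kbps.
INBOUND = [
    TrafficClass("web from WAN", 300, 300, False),
    TrafficClass("video from WAN", 1000, None, True),
    TrafficClass("web from DMZ", 50000, None, True),
    TrafficClass("default", 48700, None, True),
]

if __name__ == "__main__":
    # Demand figures are constructed for the demonstration.
    print(allocate(1544, OUTBOUND, {"LAN_1 to LAN_2": 200, "E-Commerce": 2000, "default": 100}))
    print(allocate(1544, OUTBOUND, {"LAN_1 to LAN_2": 1000, "E-Commerce": 2000}))
    print(allocate(100000, INBOUND, {"web from WAN": 5000}))
```

The first call shows the borrowing the chapter describes: with only 200 kbps of VPN traffic, E-Commerce grows well past its 308 kbps share. The second shows the guarantee holding under contention, and the third shows a non-borrowing class pinned at its maximum even on an otherwise idle link. check_plan is the check worth running before committing a plan on the device: guarantees that add up to more than the link cannot all be honoured.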
otocol (PPTP), used by an Internet Service Provider (ISP) to enable the operation of a Virtual Private Network (VPN) over the Internet. L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. The two main components of L2TP are the L2TP Access Concentrator (LAC), the device that physically terminates a call, and the L2TP Network Server (LNS), the device that terminates and possibly authenticates the PPP stream. L2TP by itself only tunnels; it provides no encryption, which is why it is normally run over IPSec (see Chapter 16).

NAT (Network Address Translation): with network address translation the DFL-1500 rewrites the private addresses of the internal network to a public address for Internet use. In this way an enterprise can use a large number of private addresses behind a few public ones.

POP3 (Post Office Protocol 3): POP3 is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically you, or your client e-mail receiver, check your mailbox on the server and download any mail.

PPTP (Point-to-Point Tunneling Protocol): PPTP extends the Point-to-Point Protocol (PPP) standard for traditional dial-up networking. PPTP is best suited to the remote-access applications of VPNs, but it also supports LAN internetworking. PPTP operates at Layer 2 of the OSI model.

OSPF (Open Shortest Path First): Open
ours (partial), such as 9:30 to 17:30.

FIELD / DESCRIPTION / EXAMPLE
Log & Block Access / Log Only / Block Only Access: determine how to deal with the URL categories on this page (Log & Block).
Block all categories: enable or disable all the categories below at once.
Violence/Profanity, Gross Depictions, Militant/Extremist, etc.: enable the checked items (checked ones).
Time of Day: the time range during which the Web Filter applies (09:30–17:30).
BUTTON / DESCRIPTION
Apply: apply the settings which have been configured.
Table 17.5 Web Filter Categories setting page

The Time of Day window is evaluated against the device's own clock, so keep the clock synchronised (SYSTEM TOOLS > Admin Settings > Time/Date); a wrong clock silently turns the filter on or off at the wrong hours.

Step 7: Customize Objects. ADVANCED SETTINGS > Content Filters > Web Filter > Features. Check the objects under Restricted Features that you want to block and click the Apply button at the bottom of the page. After finishing the settings, use PC1_1 to browse a web page and see whether the objects are blocked. If the objects still appear they may be cached by the browser: clear the browser cache, close the browser, reopen it and connect to the web page again.
Table 17.6 Web Filter setting page

Step 8: Setup content keywords. ADVANCED SETTINGS > Content Filters > Web Filter > Keyword blocking. Check Enable Keyword Blocking to block any web pages that contain
ows XP/2000. However, this release version does not support MS-CHAP; you have to check the MS-CHAPv2 checkbox if you want to require data encryption.

Chapter 16 Virtual Private Network: L2TP

Configuring an L2TP Dial-Up Connection. Go to Start > Control Panel > Network and Internet Connections > Make new connection. Select "Create a connection to the network of your workplace" and select Next. Select Virtual Private Network Connection and select Next. Give the connection a name and select Next. If the Public Network dialog box appears, choose "Don't dial up initial connection" and select Next. In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next. Set Connection Availability to "Only for myself" and select Next. Select Finish.

Customize the VPN Connection
1. Right-click the icon that you have created.
2. Select Properties > Security > Advanced > Settings.
3. Select No Encryption from the Data Encryption list and click Apply.
4. Select the Properties > Networking tab.
5. Select L2TP VPN from the VPN Type list. Make sure the following are selected: TCP/IP, QoS Packet Scheduler.
6. Select Apply.

Be aware of what step 3 means: with Data Encryption set to No Encryption and IPSec disabled (below), the PPP session and all user data cross the Internet in cleartext, and only the MS-CHAPv2 exchange protects the password itself. Use this configuration only where the path is trusted or the traffic is already protected at another layer.

Editing the Windows Registry. The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable the default behavior by editing the Windows 2000 Registry as described in
perating Humidity: 5%–95% non-condensing

4 EMC & Safety Certification
4.1 EMC Approval: FCC Class A, VCCI Class A, CE Class A, C-Tick Class A
Safety Approval:

Appendix G Version of Software and Firmware
DFL-1500 VPN Firewall Router, version of components: Firmware v2.000

Appendix H Customer Support
D-Link Offices: Australia, Brazil, Canada, Chile, China, Denmark, Egypt, Finland, France

D-Link Australia, 1 Giffnock Avenue, North Ryde, NSW 2113, Sydney, Australia. TEL +61 2 8899 1800, FAX +61 2 8899 1868, TOLL FREE (Australia) 1800 177100, URL www.dlink.com.au, E-MAIL support@dlink.com.au and info@dlink.com.au

D-Link Brasil Ltda, Edificio Manoel Tabacow Hydal, Rua Tavares Cabral 102, Sala 31, 05423-030 Pinheiros, Sao Paulo, Brasil. TEL +55 11 3094 2910 to 2920, FAX +55 11 3094 2921, E-MAIL efreitas@dlink.cl

D-Link Canada, 2180 Winston Park Drive, Oakville, Ontario L6H 5W1, Canada. TEL +1 905 829 5033, FAX +1 905 829 5095, TOLL FREE 1 800 354 6522, URL www.dlink.ca, FTP ftp.dlinknet.com, E-MAIL techsup@dlink.ca

D-Link South America (Sudamérica), Isidora Goyenechea 2934, Of. 702, Las Condes, Fono 2323185, Santiago, Chile S.A. TEL +56 2 232 3185, FAX +56 2 232 0923, URL www.dlink.cl, E-MAIL ccasassu@dlink.cl, tsilva@dlink.cl

D-Lin
posed to the public Internet. As Figure 7.2 illustrates, we hide the real servers behind the DFL-1500, and all Internet clients can still access the servers' services.

Figure 7.2 Internet clients can access the server behind the DFL-1500 (Organization_1 private LANs: LAN1_IP 192.168.40.254; PC1_1 to PC1_5, 192.168.40.1 onward, DHCP clients; Internet client).

7.2 Objectives
1. Let PC1_1 to PC1_5 connect to the Internet.
2. As Figure 7.2 illustrates, clients connect to the DFL-1500, which forwards the packets to the real server. So FTPServer1 (10.1.1.5) can be accessed by other Internet users.

7.3 Methods
1. Assign private IP addresses to PC1_1 to PC1_5. Set up NAT on the DFL-1500 to map those private hosts under LAN1 to the public IP address (the WAN IP) on the WAN side.
2. Assign a private IP address to FTPServer1. Set up a Virtual Server on the DFL-1500 to redirect any connection arriving at a chosen port of WAN1 to port 21 on FTPServer1.

Figure 7.3 The DFL-1500 plays the role of Virtual Server (Intranet DMZ1 10.1.1.1/24; an FTP request to port 44444 is redirected to the FTP Server 10.1.1.5, port 21).

As Figure 7.3 illustrates, the server 10.1.1.5 provides FTP service but is located in the DMZ region behind the DFL-1500. The DFL-1500 acts as a Virtual Server which redirects the
pplies. Figure 1.2 The example before the DFL-1500 is applied.

Here we would like to replace the original IP Sharer with the DFL-1500, as in Figure 1.3. To have the DFL-1500 take over from the IP Sharer we simply execute the following five steps, as Figure 1.4 shows. These steps are meant to give you a picture of how to get the DFL-1500 working at a basic level.

Figure 1.4 Five steps to configure the DFL-1500 (WAN, ADSL Modem, Switch, Server, NAT / Virtual Server).

As Figure 1.4 illustrates, after the five-step configuration the DFL-1500 will have the same functions as the original IP Sharer. See the following description of the five steps.

1. Setup: install the three physical lines: the power cord, the outbound link connected to the WAN1 port and the inbound link connected to the LAN1 port. For details refer to section 1.3. Next we will connect to the web GUI of the DFL-1500, so before this step make sure you have a PC located in the same subnet as the DFL-1500. Note: the default LAN1 port address is 192.168.1.254, mask 255.255.255.0. Refer to section 1.5 for more information.

2. LAN: configure the LAN1 port of the DFL-1500. Refer to section 1.4 for the default network configuration of the DFL-1500. Note: if you are connected through the LAN1 port and change the LAN1 IP address settings of the DFL-1500, the
r web objects such as cookies and Java applets.
2. Set up content filtering for URL requests. For each URL, check the pre-defined upgradeable URL database, the self-entered forbidden domains and the self-entered keywords to decide whether the URL is allowed.

17.4 Steps

Step 1: Enable Web Filter. ADVANCED SETTINGS > Content Filters > Web Filter > Web. Check the Enable Web Filter checkbox and click Apply on the right side.

FIELD / DESCRIPTION / EXAMPLE
Enable Web Filter: enable the Web Filter feature of the DFL-1500 (Enabled).
Enable Web Proxy Filtering: if enabled, web pages passing through a proxy (port 3128 only) are also verified by the DFL-1500. If disabled, web pages fetched through the proxy bypass the verification (Disabled).
BUTTON / DESCRIPTION
Apply: apply the settings which have been configured.
Table 17.1 Enable Web Filter

Note that proxy filtering only inspects port 3128. A user who points the browser at a proxy on any other port, or who tunnels web traffic through another service, bypasses the Web Filter entirely, so control those ports with firewall rules as well.

Step 2: Warning of Firewall. ADVANCED SETTINGS > Content Filters > Web Filter > Web. This is a warning that if you block web traffic from LAN to WAN in the Firewall, access control shifts to the Web Filter: all LAN to WAN initiated WWW sessions are now controlled by the Web Filter and the Firewall will not block them. Namely, if you blocked someone from accessing the web on the WAN side, after enabling the Web Filter he can resume accessing
rd. Enter the current password in the Old Password field, enter the new password in the New Password field and retype it in the Confirm Password field. Click Apply.
Table 4.2 Enter new password

33 Part II Basic Configuration

Step 3: Setup Time/Date. SYSTEM TOOLS > Admin Settings > Time/Date. Select the Time Zone where you are located (e.g. GMT+08:00 Beijing, Hong Kong, Perth, Singapore, Taipei). Enter the nearest NTP time server in the NTP time server address field (e.g. tock.usno.navy.mil). Note that your DNS servers must be set if the entered address requires a domain-name lookup; you can also enter an IP address instead. Check "Continuously every 3 min update system clock" and click Apply: the DFL-1500 will immediately update the system time and will keep updating it periodically. Check "Update system clock using the time server at boot time" and click Apply if you want the clock updated at each boot. If you want to set the system time manually, uncheck "Continuously every 3 min update system clock" and enter the target date.

FIELD / DESCRIPTION / EXAMPLE
NTP time server address: use an NTP time server to auto-update the date/time value. C
rd into the IP header, so that the integrity of the entire packet is verified by including portions of the original IP header in the hashing process.

Tunnel Mode: tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services that provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation, and it is required for gateway-to-gateway and host-to-gateway communications. Tunnel-mode communication has two sets of IP headers:
- Outside header: the outside IP header contains the destination IP address of the VPN gateway.
- Inside header: the inside IP header contains the destination IP address of the final system behind the VPN gateway.
The security protocol header appears after the outer IP header and before the inside IP header.

10.2.7 IPSec Protocols
The ESP and AH protocols are what a Security Association (SA), the foundation of an IPSec VPN, is built on. An SA describes the authentication and encryption provided by the AH and ESP protocols for one direction of traffic. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

AH (Authentication Header) Protocol: AH (RFC 2402) was designed for integrity, data-origin authentication and sequence integrity (replay resistance), but not for confidentiality, for which ESP was designed. (AH uses a keyed hash shared by both peers, so it does not provide non-repudiation: either peer could have produced the packet.) In app
red to the internal DMZ. If you fill 0 in this field, the real connected port is the same as the translated destination port.
Table 7.3 Add a Virtual Server rule

Step 9: View the Result. Now any request towards the DFL-1500's WAN1 IP (61.2.1.1) at port 44444 is translated into a request towards 10.1.1.5 port 21 and forwarded to 10.1.1.5. The FTP server listening on port 21 at 10.1.1.5 picks up the request. Remember that the virtual server rule exposes that DMZ port to the whole Internet, and that FTP carries credentials in cleartext; restrict the sources with firewall rules where you can.

7.5 NAT modes introduction

7.5.1 Many-to-One type. ADVANCED SETTINGS > NAT > NAT Rules.

Figure 7.4 NAT Many-to-One type (Conn1: 192.168.40.1:2933 → 61.2.1.1:2933; the address of Connection 1 is changed to 61.2.1.1:2933 uniquely, the address of Connection 2 is changed to 61.2.1.1:7896 uniquely).

57 Part III NAT / Routing / Firewall

As Figure 7.4 illustrates, NAT Many-to-One means that many local PCs are translated into only one public IP address when packets are forwarded out through the DFL-1500. Take Connection 1 for example: its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933. In the same way, when the packets of Connection 2 are forwarded out, its IP address is translated to the same public IP address, 61.2.1.1, with port 7896.

7.5.2 Many-to-Many type. Conn1 192.16
ress and port of Connection 2 are translated from 192.168.40.100:7896 to 61.2.1.2:7896 in both directions.

7.5.5 NAT modes & types
The DFL-1500 currently supports the following three NAT modes, as listed in Table 7.4:
1. The DFL-1500 is in routing mode without performing any address translation.
2. Basic: the DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnets.
3. Full Feature: the DFL-1500 can be manually configured with Many-to-One, Many-to-Many, One-to-One and bidirectional One-to-One rules to do policy-based NAT.
Table 7.4 NAT modes overview

If you choose Full Feature mode (Table 7.4) you may need to edit the rules yourself, and you must then determine the NAT type of each NAT rule. What does each NAT type represent, and how do you decide which is the best choice for you? See the explanations and suggestions in Table 7.5.

Many-to-One: map a pool of private IP addresses to a single public IP address chosen from the WAN ports.
Many-to-Many: map a pool of private IP addresses to a subnet range of public IP addresses chosen from the WAN ports. Only when all ports of the first public IP are in use does the device move to the next public IP address for translating the private IPs.
One-to-One: map a single private IP address to a single public IP address chosen from the WAN ports. This is useful when you have multiple public IPs on the WAN ports and yo
rt button to add a Firewall rule before the default rule.

Chapter 13 Virtual Private Network: DS-601 VPN client

ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced (IPSec > IKE > Edit Rule > Advanced)
Condition: Transport Layer Protocol ANY; Enable Replay Detection NO.
Phase 1: Negotiation Mode Main; Pre-Shared Key 1234567890; Encryption Algorithm: Encrypt and Authenticate, DES / MD5; SA Life Time 28800 sec; Key Group DH2.
Phase 2: Encapsulation Tunnel; Active Protocol ESP; Encryption Algorithm: Encrypt and Authenticate, DES / MD5; SA Life Time 28800 sec; Perfect Forward Secrecy (PFS) DH1.
Back / Apply

These are the values shown in the example screens, not a recommendation. DES (56-bit) and MD5 are long since broken for this purpose, and the 768-bit (DH1) and 1024-bit (DH2) groups are too small; choose the strongest algorithms and group the DS-601 client and the firmware both offer, enable Replay Detection (an attacker on the path can otherwise re-inject captured ESP packets), and replace the example pre-shared key with a long random one.

ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add (Pass IPSec Through / VPN Hub / PPTP / L2TP / VPN Spoke). The page displays these notes:
1. If you enable the firewall, check whether its rules would block packets in the tunnel.
2. Packets are blocked by default in the WAN to LAN direction; add a rule to forward these tunneled packets.
3. The source address/mask and destination address/mask of the firewall rules are 61.64.148.197 / 255.255.255.255 and 192.168.40.0 / 255.255.255.0 respectively.

ADVANCED SETTINGS > Firewall > Edit Rules (Status, Edit Rules, Show Rules, Attack Alert, Summary). Edit WAN1 to
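Section 10.2.7 describes the tunnel-mode layout (outer gateway header, then the security protocol header, then the protected inner packet) and the sequence-integrity service that the Enable Replay Detection switch above turns on or off. The following is an added example, not code from the manual or from D-Link, showing what that switch buys: it parses the outer IPv4 header and the ESP header (SPI and sequence number), then runs the sequence number through a 64-entry sliding anti-replay window of the kind described in RFC 2401 Appendix C. The sample packet is constructed inline with the gateway addresses from this chapter; the encrypted inner packet is stood in for by an opaque body, and the helper names are my own. A real implementation keys the window on the full SA (SPI, destination, protocol) rather than the SPI alone.

```python
import socket
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # minimal 20-byte IPv4 header
ESP_HEADER = struct.Struct("!II")             # SPI, sequence number (RFC 2406)
IPPROTO_ESP = 50


def build_esp_packet(src: str, dst: str, spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: outer IPv4 header (gateway to gateway) carrying ESP.
    The encrypted inner packet is represented by an opaque body."""
    esp = ESP_HEADER.pack(spi, seq) + body
    hdr = IPV4_HEADER.pack(0x45, 0, IPV4_HEADER.size + len(esp), 0, 0, 64,
                           IPPROTO_ESP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + esp


def parse_outer(packet: bytes):
    """Return (src, dst, protocol, payload) from the outer IPv4 header.
    In tunnel mode src/dst are the VPN gateways, not the end systems."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = IPV4_HEADER.unpack_from(packet)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total]


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 2401 Appendix C).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # never valid once anti-replay is on
            return False
        if seq > self.top:                # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # older than the window: reject
            return False
        if self.bitmap & (1 << diff):     # already seen: a replay
            return False
        self.bitmap |= 1 << diff          # late but fresh: accept once
        return True


def inspect(windows: dict, packet: bytes):
    """Return (outer source, SPI, sequence number, accepted?) for one ESP packet,
    keeping one ReplayWindow per SPI in `windows`."""
    src, _dst, proto, payload = parse_outer(packet)
    if proto != IPPROTO_ESP:
        raise ValueError(f"protocol {proto} is not ESP")
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack_from(payload)
    window = windows.setdefault(spi, ReplayWindow())
    return src, spi, seq, window.check_and_update(seq)


if __name__ == "__main__":
    sas = {}
    pkt = build_esp_packet("61.64.148.197", "220.136.231.114", 0x1000, 1)
    print(inspect(sas, pkt))   # accepted
    print(inspect(sas, pkt))   # the same packet again: rejected as a replay
```

With Replay Detection set to NO the receiver skips check_and_update and the second, replayed packet would be decrypted and forwarded like the first. Note also that the outer header only ever names the two gateways; the addresses of PC1_1 and the DS-601 host are inside the encrypted body.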
rule sequence by using the Move Before button (Figure 2.4). The rules on the rule-editing page are also divided into three parts.

Part II Basic Configuration

Chapter 3 Basic Setup
In this chapter we introduce how to set up the network settings for each port separately.

3.1 Demand
1. For the external network, suppose your company uses DSL with a fixed IP to connect to the Internet. You therefore need to set up the WAN port of the DFL-1500 first.
2. There have been some adjustments within your company, so the original network structure has changed. You now need to modify the configuration of the internal networks (DMZ, LAN).
3. Your company needs more network bandwidth if the current link to the external network is insufficient. Suppose there are many public IPs in your company; you would like to assign a unique public IP to a local server.

3.2 Objectives
1. Configure the network settings of the DFL-1500 WAN1 port.
2. Configure the network settings of the DFL-1500 DMZ1 and LAN1 ports.
3. Assign another IP address to the same WAN port on which an IP address has already been configured.

3.3 Methods
1. Select the Fixed IP Address method under Basic Setup > WAN Settings > WAN1 IP on the DFL-1500 and then configure the related account and password in order to connect to the Internet.
2. Configure the relat
rules (Item, Name, Source IP, Dest IP, Service, Action, Log): 1. AllowVPN, WAN1_VPNB → LAN1_VPNB, ANY, Forward, Schedule ALWAYS. Page 1/1

101 Part IV Virtual Private Network

Chapter 12 Virtual Private Network: Dynamic IPSec
This chapter introduces Dynamic IPSec VPN and explains how to implement it. Extending the topology of Figure 2.1, we explain how to make a dynamic VPN link between LAN_1 and LAN_2. Figure 12.1 shows the actual structure used in our implementation.

12.1 Demands
1. When a branch office subnet (LAN_1) wants to connect with another branch office subnet (LAN_2) through the public Internet instead of expensive private leased lines, VPN provides encryption and authentication to secure the tunnel that connects the two LANs. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), like Organization_2, we have to use Dynamic IPSec for the tunnel connection. Because the peer's address cannot be pinned down, the DFL-1500 can identify it only by its credentials, so the pre-shared key for a dynamic peer must be strong and unique to that peer.

Figure 12.1 Organization_1 LAN_1 making a dynamic VPN tunnel with Organization_2 LAN_2 (Organization_1 private LANs: LAN1_IP 192.168.40.254, WAN1_IP; PC1_1 to PC1_5, 192.168.40.1 onward, DHCP clients. Organization_2 private LANs: WAN2_IP via DHCP/PPPoE, LAN2_IP 192.168.88.254; PC2_1 192.168.88.1, PC2_2 192.168.88.2.)

12.2 Objectives
1. Let the users in LAN_1 and LAN_2 share resources thro
rver Rules: 0; Vacant Server Rules: 200

ADVANCED SETTINGS > NAT > NAT Rules (Status, NAT Rules, Virtual Servers). NAT > Edit Rules: packets are matched top-down by the rules.
Item / Active / Name / Type / Direction / Source IP Address / Translate Src IP into
1. Y, Basic DMZ1, Basic, LAN/DMZ to WAN, 10.1.1.254 / 255.255.255.0, Auto (device WAN IP)
2. Y, Basic LAN2, Basic, LAN/DMZ to WAN, 192.168.2.254 / 255.255.255.0, Auto (device WAN IP)
3. Y, Basic LAN1, Basic, LAN/DMZ to WAN, 192.168.40.254 / 255.255.255.0, Auto (device WAN IP)
Page 1/1

55 Part III NAT / Routing / Firewall

Step 6: Setup IP for the FTP Server. Assign an address in 10.1.1.0 / 255.255.255.0 to the FTP server under DMZ1. Assume the FTP Server is at 10.1.1.5 and is listening on the well-known port 21.

Step 7: Setup Server Rules. ADVANCED SETTINGS > NAT > Virtual Servers. Insert a virtual server rule by clicking the Insert button. (Rule columns: Active, Name, Direction, Dest IP Address, Service, Redirect to, through.)

Step 8: Customize the Rule. ADVANCED SETTINGS > NAT > Virtual Servers > Insert. Name the rule ftpServer. For any packet whose destination IP equals the WAN1 IP (61.2.1.1) and whose destination port equals 44444, the DFL-1500 translates the packet's destination IP and port into 10.1.1.5 port 21. Check Passive FTP client to maximize
Activate this r
ry DNS Server: DNS IP address (Get DNS Automatically).
Disconnect: click the Disconnect button to disconnect the PPPoE link.
Table 3.1 Detailed information of the WAN port configuration

3.4.2 Setup DMZ1 / LAN1 Status

Step 1: Setup DMZ port. BASIC SETUP > DMZ Settings > DMZ1 Status. Here we configure the DMZ1 Status (IP Alias) settings. Set the IP Address and IP Subnet Mask (e.g. 255.255.255.0) and decide whether to enable the DHCP Server. Then select the Routing Protocol. Click Apply to finish this setting.

FIELD / DESCRIPTION / EXAMPLE
Enable DHCP Server: enable the DHCP server on this interface.
IP Pool Starting Address: specify the starting address of the DHCP IP address range (IPv4 format; DMZ address 10.1.1.1).
Pool Size (max 253): specify the number of DHCP IP addresses (1–253).
Primary DNS Server: specify the primary DNS server IP address handed out with the DHCP information (IPv4 format; 10.1.1.254).
Secondary DNS Server: specify the secondary DNS server IP address handed out with the DHCP information (IPv4 format; 0.0.0.0).
Lease time: specify the DHCP lease time (7200).
Routing Protocol: determine whether to enable the dynamic routing protocol RIP, to receive RIP messages or also to send them: None, RIPv1 In, RIPv1 In/Out, RIPv2 In, RIPv2 In/Out, OSPF (None).
OSPF Area ID: specify the OSPF area ID number (IPv4 format or digit string, max 9 digits).

Leave Routing Protocol at None on a DMZ unless you need it: RIPv1 has no authentication at all, so accepting routing updates on that interface lets any compromised DMZ host rewrite the firewall's routing table.

25 Part II Basic Configuration
s. ADVANCED SETTINGS > Firewall > Edit Rules. Select WAN1 to LAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before the default rule.

FIELD / DESCRIPTION / EXAMPLE
Edit ... to ... rules: select the direction (WAN, LAN, DMZ) of the rule you are going to configure (WAN1 to LAN1).
Table 21.6 Setup edit rules page of Bandwidth Management

Step 6: Customize the Rule. ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Enter a rule name such as "web from WAN", select the Source IP as WAN1_ALL and the Dest IP as LAN1_ALL. Make sure the service is HTTP (port 80), because this is web traffic. Select the action to be "web from WAN". In this way all inbound web traffic from WAN1 is put into the "web from WAN" queue and scheduled out at 300 kbps. Click Apply to store the changes. Repeat the same procedure for the "video from WAN" class. Because the rule classifies by destination port only, web traffic served on any other port falls through to the default class; add a rule per port you actually serve.

FIELD / DESCRIPTION / EXAMPLE
Status: enable this firewall rule (Enable / Disable; Enabled).
Source IP: when the source IP address of incoming packets matches the Source IP setting, apply the Action (IPv4 format; WAN1_ALL).
Condition: when the destination
21 Bandwidth Management  161
21.1 Demands  161
21.2 Objectives  162
21.3 Methods  163
21.4 Steps  164
21.4.1 Inbound Traffic Management  164
21.4.2 Outbound Traffic Management  169
Chapter 22 High Availability  171
22.1 Demands  171
22.2 Objectives  171
22.3 Methods  172
22.4 Steps  172
22.4.1 Setup High Availability  172
Part VIII System Maintenance  174
Chapter 23  175
23.1 Demands  175
23.2 Objectives  175
23.3 Methods  175
23.4 Steps  175
Chapter 24 Log System  179
24.1 Demands  179
24.2 Objectives  179
24.3 Methods  179
24.4 Steps  179
24.4.1 Setup Syslog  179
24.4.2 Setup Mail Logs  180
Chapter 25 System Maintenance  183
25.1 Demands  183
25.2 Steps for  183
25.3 Steps for Firmware Upgrade from Web GUI  184
25.4 Steps for Database Update from Web GUI
s a secondary firewall. When the primary firewall crashes, the secondary firewall takes its place.

171 Part VII Bandwidth Management / High Availability

22.3 Methods
The High Availability feature works in five steps:
Step 1: Set up two DFL-1500 devices first. Remember to set the Action Mode of the primary device to Active and that of the secondary device to Standby.
Step 2: When the primary device crashes, the secondary device takes over within 30 seconds; the failure is detected by ping.
Step 3: The secondary device immediately loads the configuration of the primary device and then changes its action mode to Active.
Step 4: After rebooting, the primary device automatically changes its action mode to Standby if it detects that the secondary device is already active.
Step 5: If the primary and secondary devices crash simultaneously, the one that reboots faster becomes Active and the other Standby.

Because failure is detected by ping, anything that blocks ICMP between the two units (a cable fault on the chosen interface, a filter) looks like a crash and triggers a failover, and the secondary then fetches the full configuration, secrets included, from the peer. Run the HA link over a dedicated interface that carries no other traffic.

22.4 Steps
22.4.1 Setup High Availability
Step 1: Enable High Availability. ADVANCED SETTINGS > High Availability > Status. Check the Enable High Availability checkbox. Select the Action Mode as Active for the primary device and Standby for the secondary device. Then configure the other HA device: select which interface connects to it, and enter its IP Address (192.168.40.100) and Login Password. Note th
s and then click OK to finish these settings.

Profile Settings DFL-1500 > IP Address Assignment (IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Firewall Settings): Use IKE Config Mode / Use local IP address / Manual IP address (IP address 0.0.0.0, Subnet mask 255.255.255.0); DNS/WINS servers: DNS server 0.0.0.0, WINS server 0.0.0.0.

Step 13: Setup Remote Networks. Enter the IP network address 192.168.40.0 and subnet mask 255.255.255.0 and then click OK to finish the settings. (This page takes the IP networks the tunnel should be used for; without entries, tunneling is always used.)

Step 14: Firewall Settings. To avoid conflicts we recommend that you disable the Stateful Inspection setting on this page. (With the client firewall activated, packets from other hosts are discarded and only communication within the tunnel is permitted.) Bear in mind that with it disabled the client host relies entirely on the DFL-1500's own firewall rules for protection while the tunnel is up.

119 Part IV Virtual Private Network

Step 15: Connect the IP
s page.
Syslog Server IP Address: the IP address of the host on which the Syslog Server runs.
Table 24.2 Setup the Syslog Server

Step 2: Setup Mail Log method. DEVICE STATUS > Log Config > Mail Logs. Fill in the IP address of the Mail Server and the Mail Subject. Also fill in your e-mail address for receiving the logs (e.g. jmis@dlink.com). Select the preferred Log Schedule for mailing out logs. Click the Apply button to finish the settings. Notice: once the logs have been sent to the mail server they are deleted by the DFL-1500. You can also specify how frequently you want to receive logs; when selecting Weekly in the Log Schedule field, choose in the Day for Sending Logs field on which day the mail logs are sent.

Because the device deletes its logs after mailing them, a failed delivery loses that period's evidence; configure the syslog server in Step 1 as well so that a copy leaves the box continuously, and remember that both syslog and mail travel in cleartext across whatever network sits between the DFL-1500 and the collector.

BUTTON / DESCRIPTION
Apply: apply the configuration on this page.
Test: test the mail logs configuration on this page.
Table 24.3 Setup the Mail Logs

181

Chapter 25 System Maintenance
This chapter introduces how to do system maintenance.

25.1 Demands
1. The DFL-1500 is designed to provide upgradeable firmware and databases to keep up with the changing dynamics of the Internet. New features, new attack signatures, new forbidden URLs and new virus definitions require timely updates to the DFL-1500. This chapter introduces how to upgrade your system with TFTP and with the Web UI respectively.
s to come from the Internet. Before adding a firewall rule, add the address objects first, and make sure the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Log. We have to allow the VPN traffic from the WAN side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule.

Step 2: Customize a Firewall rule. Enter the Rule Name as AllowVPN, Source IP as Hub (192.168.1.0) and Dest IP as Spoke_1 (192.168.40.0). Click Apply to store this rule. The Source IP here is the hub's internal LAN, i.e. the address the packet carries after decryption, not the hub's WAN address. With Service ANY the whole hub LAN can reach the whole spoke LAN; narrow the service or the destination if the branch only needs a few servers.

Step 3: Add a VPN Spoke in Branch 1. Select Add to add a VPN Spoke. Enter a name in the Spoke Name field. Enter the Local IP Address and Subnet Mask and the Remote IP Address and Subnet Mask.

ADVANCED SETTINGS > Firewall > Edit Rules (Status, Edit Rules, Show Rules, Attack Alert, Summary). Edit WAN1 to LAN1 rules; default action for this packet direction: Block, Log; Apply. Packets are matched top-down by the rules (Name, Schedule, Source IP, Dest IP, Service, Action, Log). Page 1/1

ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Insert a new WAN1 to LAN1 Firewall rule: Rule name AllowVPN; Schedule Always; Condition: Source IP Hub, Service ANY, Dest
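Every rule page in this manual (the bandwidth classes of Chapter 21, the AllowVPN rules of Chapters 12 and 14) repeats the same two facts: packets are matched top-down, and the new rule must be inserted before the catch-all default. The following is an added example, not code from the manual or from D-Link, that models that evaluation: a first-match rule walk with a mandatory default, an insert_before_default helper, and a shadowed check that reports rules placed where they can never match (the mistake of appending AllowVPN after the default Block rule). The SERVICES table stands in for the service names configured under SYSTEM TOOLS > Admin Settings > Services; its contents and all helper names are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Stand-in for the device's service-name table (assumed contents).
SERVICES = {"HTTP": ("TCP", 80), "FTP": ("TCP", 21), "ANY": None}


@dataclass
class Rule:
    name: str
    source: str       # CIDR such as "192.168.1.0/24", or "ANY"
    dest: str
    service: str      # key of SERVICES
    action: str       # "Forward", "Block", or a bandwidth class name
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "ANY" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _service_match(spec: str, pkt: Packet) -> bool:
    if spec == "ANY":
        return True
    proto, port = SERVICES[spec]
    return (pkt.proto, pkt.dport) == (proto, port)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.source, pkt.src)
            and _addr_match(rule.dest, pkt.dst)
            and _service_match(rule.service, pkt))


def evaluate(rules: list, pkt: Packet):
    """Top-down, first match wins.  The last rule is the direction's default
    and must match everything, exactly like the pre-defined rule on the device."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action, rule.log
    raise ValueError("rule list has no catch-all default")


def insert_before_default(rules: list, rule: Rule) -> list:
    """What the Insert button does: place the new rule above the default."""
    return rules[:-1] + [rule, rules[-1]]


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet b could match is already matched by a."""
    def net_covers(x: str, y: str) -> bool:
        if x == "ANY":
            return True
        if y == "ANY":
            return False
        return ipaddress.ip_network(y, strict=False).subnet_of(ipaddress.ip_network(x, strict=False))
    return (net_covers(a.source, b.source) and net_covers(a.dest, b.dest)
            and (a.service == "ANY" or a.service == b.service))


def shadowed(rules: list) -> list:
    """Names of rules that can never match because an earlier rule covers them."""
    out = []
    for i, rule in enumerate(rules):
        if any(_covers(earlier, rule) for earlier in rules[:i]):
            out.append(rule.name)
    return out


if __name__ == "__main__":
    default = Rule("default", "ANY", "ANY", "ANY", "Block", log=True)
    allow_vpn = Rule("AllowVPN", "192.168.1.0/24", "192.168.40.0/24", "ANY", "Forward")
    good = insert_before_default([default], allow_vpn)
    print(evaluate(good, Packet("192.168.1.10", "192.168.40.5", "TCP", 445)))
    print(shadowed([default, allow_vpn]))   # appended after the default: unreachable
```

Run the shadowed check whenever a rule "does nothing": on this device a rule below the default Block (or, in Chapter 21, below the default-class rule) is silently dead, and the page's Show Rules view will not tell you so.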
193. [Table of contents fragment] … 95
Chapter 12 Virtual Private Network - Dynamic IPSec 102; 12.1 Demands 102; 12.2 Objectives 102; 12.3 Methods 102; 12.4 Steps 103
Chapter 13 Virtual Private Network - DS-601 VPN client 109; 13.1 Demands 109; 13.2 Objectives 109; 13.3 Methods 109; 13.4 Steps 109
Chapter 14 Virtual Private Network - Hub and Spoke VPN 121; 14.1 Demands 121; 14.2 Objectives 121; 14.3 Methods 121; 14.4 Steps 122
Chapter 15 Virtual Private Network - PPTP 127; 15.1 Demands 127; 15.2 Objectives 127; 15.3 Methods 127; 15.4 Steps 128; 15.4.1 Setup PPTP Network Server 128; 15.4.2 Setup the PPTP Network … 129
Chapter 16 Virtual Private Network - L2TP 131; 16.1 Demands 131; 16.2 Objectives 131; 16.3 Methods 131; 16.4 Steps …
194. …ssign an IP of 10.1.1.5 / 255.255.255.0 to the FTP server under DMZ1. Assume the FTP Server is at 10.1.1.5 and is listening on the well-known port 21. (Screens: ADVANCED SETTINGS > NAT > Virtual Servers, the Virtual Server > Edit Rules list; packets are top-down matched by the rules, with columns Active, Name, Direction, Dest IP Address, Service, Redirect to, through. ADVANCED SETTINGS > NAT > Virtual Servers > Insert, inserting a new Virtual Server rule: Activate this rule checked; Rule name ftpServer; Condition: Sessions from Internet connecting to WAN1, External IP 61.2.1.1, Service TCP, Type Single, Dest Port 44444, Passive FTP client checked; Redirect to internal server under DMZ1, Internal IP 10.1.1.5, Port 21; Apply. Resulting rule 1: ftpServer, From WAN1, 61.2.1.1 / 255.255.255.255, TCP 44444, redirected to 10.1.1.5 port 21 through DMZ1.) Step 10. View the NAT Rules. In the previous Step 8 we have already checked Auto update to…
195. …system. Click Finish to close the wizard. (Wizard summary: WAN1 Static IP; WAN2 Not initialized.) 1.6 Internet Connectivity. After setting up the DFL-1500 with the wizard, the DFL-1500 can connect to the ISP. In this chapter we introduce LAN1 to WAN1 Connectivity to explain how the computers under LAN1 can access the Internet at WAN1 through the DFL-1500. Subsequently we introduce WAN1 to DMZ1 Connectivity to explain how the servers under DMZ1 can be accessed by the LAN users and by other Internet users on the WAN1 side. You MUST press Apply to proceed to the next page. Once you apply any changes, the settings are immediately written to flash memory. 1.6.1 LAN1 to WAN1 Connectivity. The LAN Settings page allows you to modify the IP address and Subnet Mask that identify the DFL-1500 on your LAN. This is the IP address you enter in the URL field of your web browser to connect to the DFL-1500. It is also the IP address that all of the computers and devices on your LAN use as their Default Gateway. Step 1. Device IP Address: set up the IP Address and IP Subnet Mask of the DFL-1500. Step 2. Client IP Range: enable the DHCP server if you want the DFL-1500 to assign IP addresses to the computers under LAN1. Specify the Pool Starting Address, Pool Size, Primary DNS and Secondary DNS that will be assigned to them. Example: in the figure, the DFL-1500 will assign one IP address from 192.168…
196. … Chapter 18 Content Filtering: Mail Filters. Step 3. Customize the local zones (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP > Exempt Zone). You can configure the range of local zones the filters apply to. By default the filters apply to all computers, so Enforce SMTP filter policies for all computers is selected and the range is 0.0.0.0 to 255.255.255.255. Delete the default range by clicking the range item and then the Delete button. Enter the IP range in the Range fields, followed by a click of the Add button, to add one address range to the filter. Click Include and Apply if you want the filters to apply only to the specified ranges. Click Exclude and Apply if you want the filters to apply to all computers except those in the specified ranges. 18.5 Steps for POP3 Filters. Step 1. Enable POP3 Filters (ADVANCED SETTINGS > Content Filters > Mail Filters > POP3). Check the Enable POP3 Proxy checkbox and click Apply. Fields (Description / Example): Enable POP3 Proxy: enable the POP3 Proxy feature of the DFL-1500 (Enabled). Filename extension: when the filename extension of an attachment matches, the .bin extension is appended to the attachment (Original Name / Mapped Name); example: Filename extension attachments w…
197. …t Filters > Mail Filters > POP3 > Exempt Zone. (Exempt Zone screen with example address ranges.) Chapter 19 Content Filtering: FTP Filtering. This chapter introduces FTP proxies and explains how to implement them. 19.1 Demands. 1. Some users in LAN1 use FTP to download big MP3 files and waste bandwidth. 19.2 Objectives. 1. Forbid PC1_1 from downloading MP3 files with FTP. 19.3 Methods. 1. Set up the filename extensions of the forbidden file types that are not allowed to be transmitted over the standard FTP port. 2. Let PC1_1 download an MP3 file from FTPServer3 to see whether the session is blocked. (Figure 19-1 Use the FTP filter functionality to prevent users from downloading forbidden file types: LAN1 192.168.40.0/24 with LAN1_IP 192.168.40.254 and WAN1_IP 61.2.1.1; PC1_1 192.168.40.1 and PC1_2 192.168.40.2; WebServer3 140.112.1.4, MailServer3 140.112.1.3 and FTPServer3 140.112.1.5 on the Internet; Forbidden Domains www.nthu.edu.tw and www.netu.edu.tw.) 19.4 Steps. Step 1. Enable FTP Filter (ADVANCED SETTINGS > Content Filters > FTP Filter > FTP). Check the Enable FTP Filter checkbox and click the nearby Apply button to enable this feature. Click the Add button to add a new FTP filter. FIELD…
198. …t VII Bandwidth Management / High Availability: if you wish to utilize your inbound and outbound bandwidth more efficiently, you may use the Bandwidth Management feature to manage your bandwidth. 7. Part VIII System Maintenance: in this part we provide some useful skills to help you run the DFL-1500 more securely and steadily. 2.2 Changing the LAN1 IP Address. The default settings of the DFL-1500 are listed in Table 1-1. However, the original LAN1 setting is 192.168.1.254 / 255.255.255.0 instead of 192.168.40.254 / 255.255.255.0 as in Figure 2-1. We will change the LAN1 IP of the DFL-1500 to 192.168.40.254. There are two normal ways to configure the LAN1 IP address: one is to configure it from the LAN port, the other is to configure it through the console. 2.2.1 Configure the DFL-1500 LAN1 network settings from LAN1. Step 1. Connect to the DFL-1500. Use Internet Explorer on a PC at 192.168.1.1 to connect to https://192.168.1.254. Use a network cable to connect the PC to the LAN1 port of the DFL-1500. The PC connected to the DFL-1500 must be assigned a 192.168.1.X address (the LAN1 default IP address is 192.168.1.254/24). Type https://192.168.1.254 or http://192.168.1.254:8080 in the web browser to configure the DFL-1500. Step 2. Set up the LAN1 IP information. Enter the IP Address and IP Subnet Mask as 192.168.40.254 / 255.255.255.0 and click Apply. Warning: after you apply the changed settings, the network connection is dropped instantly.
199. …ter blocking list: CONTENT C31 SMTP filter blocking list updated by admin 192.168.17.100:443 (EID 34).
Enable SMTP AntiVirus: CONTENT C32 Enable SMTP AntiVirus by admin 192.168.17.100:443 (EID 35).
Disable SMTP AntiVirus: CONTENT C33 Disable SMTP AntiVirus by admin 192.168.17.100:443 (EID 36).
AntiVirus module cannot download signatures: CONTENT C34 AntiVirus cannot download signatures by admin 192.168.17.100:443 (EID 37).
AntiVirus signatures updated: CONTENT C35 AntiVirus signatures updated by admin 192.168.17.100:443 (EID 38).
Enable WEB filter: CONTENT C36 Enable WEB filter by admin 192.168.17.100:443 (EID 39).
Disable WEB filter: CONTENT C37 Disable WEB filter by admin 192.168.17.100:443 (EID 40).
Enable/Disable Firewall: FIREWALL F01 Activated firewall by admin 192.168.17.102:443; FIREWALL F01 Deactivated firewall by admin 192.168.17.102:443.
Attack Alert Setup: FIREWALL F03 Enable Alert when attack detected by admin 192.168.17.102:443; FIREWALL F03 Disable Alert when attack detected by admin 192.168.17.102:443.
Reload Firewall Rules: FIREWALL F04 WAN1 Reload all NAT/Firewall rules for new WAN IP.
Logfile is Full: LOG L01 logfile is full.
Mail Log: LOG L02 mail logfile to tom@hotmail.com.
Enable/Disable Syslog, Forward to Remote Syslog Server: LOG L04 Enable syslog server at 192.168.17.100 by admin 192.168.17.102:443. L…
200. …ter this procedure the DFL-1500 device reboots automatically. Notice: if you want to preserve the previous configuration, add the preserve keyword at the end of the command. Refer to Appendix A for the details. Step 3. Check if OK. Check whether the system status is working properly. Console session: log in as admin with the password at the "NetOS/i386 (DFL-1500) (tty00)" login prompt ("Welcome to DFL-1500 VPN/Firewall Router"); "DFL-1500> en" enters enable mode; "DFL-1500# ip ifconfig" shows INTF3 192.168.40.254 255.255.255.0; "DFL-1500# ip tftp upgrade image [firmware file, the DFL-1500 1.530p5 ALL .bin image] 192.168.1.170 preserve" fetches the image from the TFTP server (verbose mode on, getting the file in octet mode); "DFL-1500# sys st" shows System Name DFL-1500, Firmware Version NetOS Ver1.530 DLINK.0 Sun Apr 25 02:26:26 CST 2004, Default Gateway 61.2.1.6, Primary DNS 168.95.1.1, the WAN link table (WAN1 UP Static IP; WAN2 DOWN Not initialized), the interface addresses 10.1.1.254, 192.168.40.254 and 192.168.2.254, and the uptime line "4:55PM up 33 mins, 1 user, load averages 0.26 0.26 0.19". 25.3 Steps for Firmware upgrade from the Web GUI. Step 1. Download the newest firmware from the web site. If new firmware is issued, we can download it from the web site fwupdate.dlinktw.com.tw to the local computer. D-Link firmware upgrade site: ht…
201. …terface Bandwidth 100000 kbps. In the table, the root class represents the whole bandwidth of the link. By default the link is partitioned into two classes: the control class (ctl class) and the default class (def class). The control class reserves bandwidth for control protocols such as ICMP and TCP ACKs. The default class is the default action for non-matched packets. The default class can be recursively partitioned into more classes; the classes are organized as a tree. Click Create Sub Class to partition the default class. Fields (Description / Range / Example): Direction: select the direction of the action you are going to configure (one of WAN, LAN, DMZ; example ANY to LAN1). Interface Bandwidth: fill in the real bandwidth of the link in the chosen direction (10 to 100000 kbps; example 100000 kbps). (Table 21-4 Setup edit actions page of Bandwidth Management.) Buttons: Prev Page: if there is more than one action page, go back to the previous page. Next Page: if there is more than one action page, go to the next page. Create Sub class: create a sub class from the indicated class. Edit: edit the properties of the existing class. Delete: delete the indicated class. Step 3. Add new classes (ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create). Create a sub class named web from WAN from…
202. …the DFL_A IPSec and Firewall settings. Figure B-3 and Figure B-4 show the opposite side, the DFL_B IPSec and Firewall settings. When you configure an IPSec policy, be sure to add a firewall rule to let the IPSec packets pass from WAN to LAN. For the IP addresses of the firewall rules, please refer to Figure B-2 and Figure B-4. (Figure B-1 DFL_A: insert a new IPSec policy. IPSec > IKE > Edit Rule: Active checked; IKE Rule Name IKEruleA; Local Address Type Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0; Remote Address Type Subnet Address, IP Address 192.168.88.0, Subnet Mask 255.255.255.0, which is the Local Address of DFL_B.) (Figure B-2 DFL_A: insert a new firewall rule in WAN to LAN. Firewall > Edit Rules > Edit, WAN1 to LAN1 Firewall rule number 1: Rule name AllowIPSecPktA, Schedule Always, Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Service ANY, Reverse bandwidth class def class.) Appendix B IPSec/PPTP/L2TP Pass Through. (Figure B-3 DFL_B: IPSec > IKE > Edit Rule: Active checked; IKE Rule Name IKEruleB; Local Address Type Subnet Address…
203. …the entered keywords. Add a keyword by entering a word in the Keyword field and then clicking Add. Note that you can add as many keywords as you like. Fields (Description / Example): Enable keyword blocking: check this and web pages are blocked if any of the keywords you have added appears in the page. Limit at __ matches: limiting at 3 matches means that a web page is blocked as soon as any of the added keywords appears three or more times (example: 3 matches). Keyword: specify the keyword that you want to block (examples: sex, violence, blood). (Table 17-7 Web Filter Content Keywords setting page.) 17.5 Setting priorities. The priority of the web filter functions is shown in Figure 17-3. From the leftmost feature (Exempt Zone) to the rightmost (Keyword), the priority runs from high to low. Notice: the Restricted Features of the Web Filter page have the lowest priority even though they are located at the far left. (Figure 17-3 Web filter features priority from High to Low: Exempt Zone, Customize, URL Filter, Categories, Features, Keyword.) According to the priorities of the web filter we have the guiding principle…
204. …the web until you set a content filter rule to block it. Step 3. Further customize the local zones (ADVANCED SETTINGS > Content Filters > Web Filter > Exempt Zone). You can configure the range of local zones the filters apply to. By default the web filters apply to all computers, so Enforce web filter policies for all computers is selected and the range is 0.0.0.0 to 255.255.255.255. Delete the default range by clicking the range item and then the Delete button. Enter the IP range in the Range (From / To) fields, followed by a click of the Add button, to add one address range to the web filter. Click Include and Apply if you want the web filters to apply only to the specified ranges. Click Exclude and Apply if you want the web filters to apply to all computers except those in the specified ranges. Fields (Description / Example): Exempt Computers: determine which IP range is exempt from verification by the web filter. Enforce web filter policies for all computers: the web filter is active on all computers, with no limit on the range of IP addresses (disabled). Include specified address ranges in the web filter: the web filter is active only on the computers specified below (enabled). Except below specified IP address ranges: all the other IP address ranges from t…
205. …to define Address Groups, and then click Insert to proceed. Step 5. Add an address group. Enter a Group Name to identify the address group. Select the addresses from the available address list and click the right arrow to add them to the Members list. To remove addresses from the address group, select them in the Members list and then click the left arrow. Note that the group name should begin with a letter, followed by letters, digits or dashes. You can add address groups to any interface; an address group can only contain addresses from that interface. An address group cannot have the same name as an individual address. If an address group is included in a rule, it cannot be deleted until it is first removed from the firewall rule. Chapter 9 Firewall. (Screens: BASIC SETUP > Books > Address > Objects, Define Objects on LAN1, with columns Name, Type, Value: PC1_1, Host, 192.168.40.1; LAN1_ALL, Subnet, 0.0.0.0/0.0.0.0. BASIC SETUP > Books > Address > Group, Define Address Groups on LAN1, with columns Name, Content. BASIC SETUP > Books > Address > Group > Insert, insert a new group for LAN1, Group Name field.) Part III NAT, Routing & Firewall
206. …tp://fwupdate.dlinktw.com.tw. Step 2. Upgrade the firmware. In the SYSTEM TOOLS > Firmware Upgrade page, select the path of the firmware with the Browse button and check Preserve Saved Configurations to keep the original settings. Click the Upload button to upgrade the firmware. (Page text: Caution: upgrading firmware with the browser takes at least 2 minutes and may occasionally fail due to user interruption. We suggest upgrading firmware with the CLI command "ip tftp upgrade image FILENAME X.X.X.X" against a TFTP server. To upgrade the internal system firmware, browse to the location of the binary (BIN) upgrade file and click UPLOAD. Download BIN files from http://fwupdate.dlinktw.com.tw. In some cases you may need to reconfigure the system after upgrading. Fields: File Path, Browse, Preserve Saved Configurations, Upload.) 25.4 Steps for Database Update from the Web GUI. Step 3. Update the database manually. If new firmware is issued, we can download it by clicking the Update button. Then we see the database version shown on the left side. Step 4. Auto Update. We can also update the database automatically. Fill in the database server in the Update Center field, choose the date and time at which to update the database, and then check which databases to update. Click the Apply button to finish the settings. Auto Update URL databas…
207. …trator from Console 192.168.17.102:443.
AUTH A01 admin login fail: configuration is locked by another user from 192.168.17.100, 192.168.17.102:443.
AUTH A02 admin logout 192.168.17.102:443.
Change Password: AUTH A03 admin change system password 192.168.17.102:443.
Enable/Disable Bandwidth Management: BANDWIDTH B01 Enable bandwidth management by admin 192.168.17.100:443; BANDWIDTH B01 Disable bandwidth management by admin 192.168.17.100:443; BANDWIDTH B01 WAN1 Disable bandwidth management with PPPoE connection.
CONTENT. Web filter categories configuration updated: CONTENT C01 Web filter categories configuration update by admin 192.168.17.100:443 (EID 6).
Web filter added trusted host: CONTENT C02 Web filter add trusted host by admin 192.168.17.100:443 (EID 6).
Web filter deleted trust host: CONTENT C03 Web filter deleted trust host by admin 192.168.17.100:443 (EID 6).
Web filter added forbidden domain: CONTENT C04 Web filter added forbidden domain by admin 192.168.17.100:443 (EID 7).
Web filter deleted forbidden domain: CONTENT C05 Web filter deleted forbidden domain by admin 192.168.17.100:443 (EID 8).
Enable web filter access control: CONTENT C06 Enable web filter access control by admin 192.168.17.100:443 (EID 9).
Disable web filter access control: CONTENT C07 Disable web filter access control by admin 192.168.17.100:443 (EID 10).
Web filter URL keyword: CONTENT C08…
208. …ts WebServer3 140.112.1.4, the Internet, PC1_1 192.168.40.1, PC1_2 192.168.40.2, LAN1 192.168.40.0/24. Figure 17-1 Use the web filter functionality to keep users from browsing the forbidden web site. 1. As Figure 17-1 illustrates, someone at PC1_1 is browsing the web pages on WebServer3. The contents of the web pages may include cookies, Java applets, JavaScript or ActiveX objects that may contain malicious programs targeting user information. So we wish to prohibit the user PC1_1 from downloading the forbidden components. (Figure 17-2 Use the web filter functionality to keep users from viewing the forbidden web site: the web page that comes from a forbidden web site is filtered out; WebServer3 140.112.1.4; PC1_1 192.168.40.1, PC1_2 192.168.40.2, LAN1 192.168.40.0/24.) 2. As Figure 17-2 illustrates, someone at PC1_1 is browsing forbidden web pages during office hours. The contents of the web pages may include stock markets, violence or sex, which waste the bandwidth of the Internet access link while degrading the efficiency of normal working hours. So we wish to prohibit the user PC1_1 from viewing pages on the forbidden web site. 17.2 Objectives. 1. Remove cookies, Java applets, JavaScript and ActiveX objects from the web pages. 2. Prevent users from connecting to the forbidden sites. 17.3 Methods. 1. Set up content filtering fo…
209. …you intended to map each local server to a unique public IP on the WAN port. An internal host is fully mapped to a WAN IP address. Notice that you must add a firewall rule to forward WAN to LAN/DMZ traffic. If the public IP addresses of your company are insufficient and you want to increase the number of nodes that can connect to the Internet, you can choose the Many to One type. If your company has more than one public IP address (for example, you have applied for an extra one from your ISP), you may use the Many to Many type to let the multiple public addresses share the outbound bandwidth, so your inbound and outbound traffic will be more flexible. If you wish to translate a unique internal IP address to a fixed external IP address, you can specify the One to One type. If you wish to expose a local PC to the Internet and open all of its Internet services to the outside, you can specify the One to One bidirectional type. This makes the specified local PC fully exposed to the Internet. Additionally you must add a firewall rule to allow WAN to LAN or DMZ traffic to be forwarded; then you can finish the settings. Be careful using this type, or it will endanger your network security. (Table 7-5 The NAT type comparison.) Chapter 8 Routing. This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how the DFL-1500 implements routing…
210. …ue default. (Screen: Outgoing Interface WAN1; Peer's Identifier IP Address Auto_Assigned; ESP Algorithm Encrypt and Authenticate DES MD5; Pre-Shared Key field; Apply.) Fields (Description / Range-Format / Example): Status: this field activates this IPSec policy rule (Enable/Disable; Enabled). IKE Rule Name: the name of this IPSec policy (IKErule). Local Address Type: determines how the remote side of the VPN is reached, using the local subnet or a local single host (Subnet Address / Single Address). IP Address: the local IP address (IPv4 format; 192.168.40.0). Prefix: the local IP netmask. Remote Address Type: determines how the local side is reached, using the remote subnet or a remote single host (Subnet Address / Single Address). IP Address: the remote IP address (IPv4 format; 192.168.88.0). Prefix: the remote IP netmask. Negotiation Mode: choose Main or Aggressive mode, see Chapter 10 for details (Main / Aggressive; Main). Encapsulation Mode: choose Tunnel or Transport mode, see Chapter 10 for details (Tunnel / Transport; Tunnel). Outgoing Interface: the WAN interface over which the IPSec tunnel is built (WAN interfaces; WAN1). Peer's IP: the IP address of the remote VPN device; the address may be fixed (Static IP) or dynamic (Dynamic IP). My Identifier: fill in your information in this field; it is provided during IPSec tunnel establishment (FQDN domain name, IP Address, User FQDN mail box; IP Address). Fill th…
211. …ugh a secure channel established using the dynamic IPSec VPN. 12.3 Methods. 1. Separately configure DFL_1 and DFL_2, which are the edge gateways of LAN_1 and LAN_2 respectively. Chapter 12 Virtual Private Network: Dynamic IPSec. 12.4 Steps. In the following we separately explain how to set up a secure DES/MD5 tunnel with the dynamic remote gateway IP address type. At DFL_1: first we install the IPSec properties of DFL_1. For the related explanation please refer to Chapter 10 and Chapter 11. Step 1. Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec). Check the Enable IPSec checkbox and click Apply. (Rule table columns: Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Peer's IP.) Step 2. Add an IKE rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE). Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Step 3. Customize the rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add). Check the Active checkbox. Enter a name for this rule, like IKErule. Enter the Local IP Address 192.168.40.0 / 255.255.255.0 and the Remote IP Address 192.168.88.0 / 255.255.255.0. Select the Outgoing Interface of this VPN. Firewa…
212. …ule the compatibility of the FTP protocol. This is useful if you want to provide connectivity to passive FTP clients. For passive FTP clients, the server returns them the private IP address and the port number to connect back to for the data transfer. Since that private IP cannot be routed from their zone, the data connection would fail. After enabling this feature, the DFL-1500 translates the private IP and port into an IP and port of its own, so the problem is solved gracefully. Click Apply to proceed. Fields (Description / Range-Format / Example): Activate this rule: whether the Virtual Server rule is enabled (Enabled / Disabled; Enabled). Rule name: the Virtual Server rule name (text string; ftpServer). Sessions from Internet connecting to: which WAN interface the connected session comes in on (WAN interfaces). Dest Port: the TCP/UDP port number which is provided by the real server (1 to 65534; 44444). Passive FTP client: if checked, FTP clients using passive mode can connect to the internal DMZ FTP server behind the DFL-1500; otherwise it will not work (Enabled / Disabled). Redirect to internal server under: the zone in which the virtual server is located (LAN / DMZ regions). Internal IP: the IP address to which the traffic is actually translated in the internal DMZ (IPv4 format; 10.1.1.5). Port: the port number to which the traffic is actually transfer…
213. …ur. Chapter 11 Virtual Private Network: IPSec. Key Group: choose a Diffie-Hellman public key cryptography key group (DH1, DH2, DH5; example DH1). Phase 2: Encapsulation: set on the previous page and cannot be edited again here (Tunnel). Active Protocol: set on the previous page and cannot be edited again here (ESP). Encryption/Authentication Algorithm: choose a type of encryption and authentication algorithm, in combination or singly (Encrypt and Authenticate DES MD5, DES SHA1, 3DES MD5, 3DES SHA1, AES MD5, AES SHA1; Encrypt only DES, 3DES, AES; Authenticate only MD5, SHA1; example Encrypt and Authenticate DES MD5). SA Life Time: set the IPSec SA lifetime; a value of 0 means the IKE SA negotiation never times out, see Chapter 10 for details (0 to 9999999999 sec/min/hour; example 28800 sec). Perfect Forward Secrecy (PFS): enabling PFS means that the key is transient; this extra setting adds security (None, DH1, DH2, DH5; example DH1). (Table 11-5 Setup Advanced feature in the IPSec IKE rule.) Step 5. Remember to add a Firewall rule (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add). After finishing the IPSec rule settings, we need to add a firewall rule. Here s…
214. …urce IP as WAN1_VPNB (192.168.40.0) and the Dest IP as LAN1_VPNB (192.168.88.0). Click Apply to store this rule. Step 7. View the result. Now we have inserted a new rule before the default firewall rule. Any packets from 192.168.40.0/24 to 192.168.88.0/24 are allowed to pass through the DFL-1500 and reach 192.168.88.0/24 through the VPN tunnel. Chapter 11 Virtual Private Network: IPSec. (Screens: ADVANCED SETTINGS > Firewall > Edit Rules, WAN1 to LAN1 rules, default action for this packet direction Block with Log; packets are top-down matched by the rules, with columns Name, Schedule, Source IP, Dest IP, Service, Action, Log. ADVANCED SETTINGS > Firewall > Edit Rules > Edit, WAN1 to LAN1 Firewall rule number 1: Rule name AllowVPN, Schedule Always, Condition Source IP WAN1_VPNB, Dest IP LAN1_VPNB, Service ANY, Action Forward and do not log the matched session, Forward bandwidth class def class, Reverse bandwidth class def class, Apply. ADVANCED SETTINGS > Firewall > Show Rules, Show WAN1 to LAN1 rules; packets are top-down matched by the…
215. …use the Base DN like "ou=accounts,dc=dlink,dc=com", where ou is the organization unit and dc is the domain component. Enter the common name identifier as UID; it may be named cn on the LDAP server. 6.3.6 Exempt Host. Step 2. Configuring the Exempt Host (Basic Setup > Authentication > Exempt Host). Enter the exempt host IP Address and click Add to add an IP address. When authentication is enabled, the addresses in the exempt IP list pass without authentication. Part II NAT, Routing & Firewall. Chapter 7 NAT. This chapter introduces NAT and explains how to implement it in the DFL-1500. To facilitate the explanation of how the DFL-1500 implements NAT and how to use it, we zoom in on the left part of Figure 1-7 into Figure 7-1. 7.1 Demands. 1. The number of public IP addresses allocated to each Internet subscriber is often very limited compared to the number of PCs in LAN1. Additionally, public IP hosts are directly exposed to the Internet and have more chances of being cracked by intruders. As Figure 7-1 illustrates, you want all the PCs located at LAN1 and DMZ1 to connect to the Internet through the limited IP address 61.2.1.1. (Figure 7-1 All the internal PCs can connect to the Internet through a limited number of WAN IP addresses by using NAT: Organization_1 Private LANs.) 2. Internet servers provided by your company may open many ports by default, which may be dangerous if ex…
216. …value (decimal, 1500 to 6300000). Encapsulation: choose Tunnel or Transport mode (see Chapter 10). ESP Algorithm: select the Encryption (DES, 3DES, AES or NULL) and Authentication (MD5, SHA1 or NULL) combination, and enter the keys separately, in either hex or string form. Encryption options: DES (64 bits), 3DES (192 bits), AES (128/192/256 bits), NULL. Authentication options: MD5 (128 bits), SHA1 (160 bits), NULL. Notice: you cannot select both Encryption NULL and Authentication NULL. Input format: hex (0-9, a-f, A-F) or str (text string). Example: Encryption DES, Authentication MD5. AH: use the Authentication method only, and enter the key in either hex or string form (MD5 128 bits or SHA1 160 bits; input format hex or str; example Disabled). (Table 11-6 Add an IPSec Manual Key rule.) Step 4. Detail settings of the IPSec Manual Key (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add > Advanced). For the detailed settings of the Manual Key, we can press the Advanced button on the previous page and then set the parameters separately. (Screen IPSec > Manual Key > Edit Rule > Advanced: Transport Layer Protocol ANY; Enable Replay Detection NO; Back; Apply.) Fields (Description / Range-Format / Example): Transport Layer Protocol: use this field to select only the packets of a specified protocol…
217. vice record, just click the button below to add, edit or delete it. Service Name: FTP, SSH, Telnet, SMTP, DNS, HTTP (WWW), POP3, SNMP, HTTPS, IMAPS, POP3S, MSN. Remember that when you add a service it will be sorted by the port number, and also the service name is top-down matched by the port number when the logs record the service on the firewall logs page.
Table 4-5: Setup the service name record

Part II Basic Configuration (page 35)

4.4.2 DDNS setting

Step 1. Setup DDNS (SYSTEM TOOLS > Admin Settings > DDNS)
If the IP address of the DFL-1500 WAN port is dynamically allocated, you may want to have the Dynamic DNS mechanism make your partner always use the same domain name (like xxx.com) to connect to you. Select a WAN interface to update the DDNS record (screen: Enable DDNS for WAN1). Here we supply three DDNS Service Providers. Fill in the Host Name, Username and Password supplied by the DDNS web site; please refer to the DDNS web site for the detailed information. Click Apply to activate the settings. Before setting the DDNS information on this page, make sure that you have registered an account with the indicated Service Provider; then you can enter the related information on the DDNS page.
Note: If you choose www.ORAY.NET as your DDNS service provider, a default port number 5050 will show in the Port field.
218. when you would like to connect to the Internet, and then click Login.

Step 4. Show the time left
When you pass the authentication, a message box will appear to tell you how long the connection will remain.
Screen (Chapter 6 Authentication, Basic Setup > Authentication > Authentication > Local): Enable Authentication checked; Timeout (min); Authentication Type: Local / Pop3(s) / Imap(s) / Radius / LDAP; Local Setting: Username susan, Password; Delete / Apply.

Part II Basic Configuration (page 45)

6.3.2 POP3(s) Setting

Step 1. Configure POP3(s) Settings (Basic Setup > Authentication > Authentication > Pop3(s))
Enter the Server IP and Server Port. Check Encryption as SSL. Click Apply to store the settings.
Screen: Enable Authentication checked; Timeout 60 min; Authentication Type Pop3(s); POP3(s) Setting: Server IP 10.1.1.1, Server Port 1110, Encryption SSL checked; Apply.

6.3.3 IMAP(s) Setting

Step 1. Configure IMAP(s) Settings (Basic Setup > Authentication > Authentication > Imap(s))
Enter the Server IP and Server Port. Check Encryption as SSL. Click Apply to store the settings.
Screen: Enable Authentication checked; Timeout (min); Authentication Type Imap(s); IMAP Setting: Server
219. will use the Manual Key way to install the IPSec properties of DFL-1.

Step 1. Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec)
Check the Enable IPSec checkbox and click Apply.

Step 2. Add a Manual Key rule (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key)
Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint.

Part IV Virtual Private Network (page 99)

Step 3. Customize the rule
Similar to those in DFL-1, except that you should interchange the Local IP Address with the Remote IP Address in the Condition part, and the Outgoing SPI with the Incoming SPI in the Action part. Besides, set the Peer's IP Address to the WAN1 IP address of DFL-1.

Step 4. Reminder to add a Firewall rule
After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule.
Screen (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add; IPSec > Manual Key > Edit Rule): Active checked; Manual Key Rule Name: ManualKeyrule; Local Address Type: Subnet Address, IP Address 192.168.88.0, Subnet Mask 255.255.255.0; Remote Address Type: Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0; Action
220. y button to reboot the DFL-1500. Note that the DMZ and LAN port IP addresses are going to be 10.1.1.254 and 192.168.1.254 after the device finishes rebooting. Besides, there should be at least one WAN port and one LAN port existing in the DFL-1500; you are not allowed to casually change the interfaces to a state which has no LAN port or WAN port.

FIELD / DESCRIPTION / EXAMPLE
Port1 to Port5: You can specify WAN, LAN or DMZ for each port by your preference. However, there must be one WAN and one LAN interface existing in the DFL-1500. Example: Port1 WAN, Port2 WAN, Port3 WAN, Port4 DMZ, Port5 LAN.
Table 4-9: Change the DFL-1500 interface setting

DFL-1500 User Manual (page 39)

Chapter 5 Remote Management
This chapter introduces remote management and explains how to implement it.

5.1 Demands
Administrators may want to manage the DFL-1500 remotely from any PC in the LAN with HTTP at port 8080, and from a WAN PC with TELNET. In addition, the DFL-1500 may be more secure if monitored by a trusted host (PC1_1). What is more, the DFL-1500 should not respond to ping, so as to hide itself. The remote management function in DFL-1500 devices is implemented by hidden Firewall rules.

5.2 Methods
Only allow management by the WAN PC (140.2.5.1) at the WAN1 side. Administrators can use browsers to connect to http://192.168.40.254:8080 for management. Allow SNMP monitoring by PC1_1 (192.168.40.1)
221. ype: Subnet Address; Action

Step 4. View the added VPN Spoke (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced)
You can view the added VPN spoke here. Screen columns: Name, Local LAN, Remote LAN, Tunnel.

DFL-1500 User Manual (page 126)

Chapter 15 Virtual Private Network: PPTP
This chapter introduces PPTP and explains how to implement it.

15.1 Demands
1. One employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is PC1_1 in LAN_1 instead of DMZ_1, so he cannot directly access the host simply with virtual server settings. This causes inconvenience for the employee when working remotely.
2. In our branch office we need to provide PPTP connection methods to connect back to headquarters for the internal company employees.

15.2 Objectives
1. With PPTP tunneling, emulate the mobile employee as a member of the LAN after he dials in to the corporate network. Then he can access all computers in the LAN just as if he stays in the office covered by LAN1.
2. Make sure every employee in the branch office can use the network resources in headquarters. Suppose they are in the same internal network and keep the communication secure.
Figure 15-1 (figure labels: LAN1_IP 192.168.40.254; Mobile employee 211.54.63.1; PC1_5 DHCP Client; LAN_1 192.168.40.1-253; 192.168.40.180)
222. ystem shows a window message to remind you to add a firewall rule. Just press the OK button to add a firewall rule.

Part IV Virtual Private Network (page 91)

Step 6. Add a Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules)
Beforehand, please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule.
Screen (Firewall > Edit Rules; tabs Status, Edit Rules, Show Rules, Attack Alert, Summary): Default action for this packet direction: Block, Log, Apply; packets are top-down matched by the rules; columns Name, Schedule, Source IP, Dest IP, Service, Action, Log; Page 1/1.

Step 7. Customize the Firewall rule (ADVANCED SETTINGS > Firewall > Edit Rules > Insert)
Enter the Rule Name as AllowVPN, the Source IP as WAN1_VPNA (192.168.88.0) and the Dest IP as LAN1_VPNA (192.168.40.0). Click Apply to store this rule.
Screen (Firewall > Edit Rules > Insert, "Insert a new WAN1 to LAN1 Firewall rule"): Rule name AllowVPN; Schedule Always; Condition: Source IP WAN1_VPNA, Dest IP LAN1_VPNA, Service any; Action: Forward, and do not log.
223. ystem successfully, we can use the CLI commands to configure the DFL-1500. The complete CLI commands are described as follows.

Non-privileged mode (Main commands / Sub-commands / Example / Command description):
ip: Configure IP related settings.
sys: Configure system parameters.
Table A-1: Non-privileged mode of normal mode

Note: If you don't know what parameter follows a command, just type ? following the command (Ex: ip ?). It will show all the valid suffix parameters of ip.

Privileged mode (Main commands / Sub-commands / Example / Command description):
ip ifconfig: ip ifconfig INTF1 192.168.1.100 255.255.255.0. Configure the IP address of each port.
ip ping: ip ping 202.11.22.33. Send ICMP echo request messages.
ip tftp (tftp upgrade|backup <FILENAME>): ip tftp upgrade image <FILENAME> 192.168.1.170. Upgrade/Backup the firmware/configuration from/to the tftp server. For the full description please refer to Section A.3.
ip traceroute: Trace the route to a destination address or hostname.
sys: Configure system parameters: change the administrator password, reset the system configuration to default settings, save the running configuration, show system and network status.
sys tcpdump: sys tcpdump INTF0 host 10.1.1.1. Capture the information of specified packets which pass through the indicated interface.
Table A-2: Privileged mode of normal mode

DFL-1500 User Manual (page 192)