D-Link DFL-1500

Contents

1. [Firewall rule action options] Forward the matched packet; Don't log the matched packet. [p. 66, Virtual Private Network (IPSec), DFL-1500 User Manual]
   Step 7: View the result (ADVANCED SETTINGS > Firewall > Edit Rules). Now we have inserted a new rule before the default firewall rule. Any packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully reach 192.168.88.0/24 through the VPN tunnel.
   IPSec tunnel, the Manual Key way: In the previous section we introduced the IKE method. Here we introduce another method, using Manual Key instead of IKE, to set up DFL-1.
   At DFL-1: First we will use the Manual Key way to set up the IPSec properties of DFL-1.
   Step 1: Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec). Check the Enable IPSec checkbox and click Apply.
   Step 2: Add a Manual Key rule (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key). Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
2. Firewall rule list (Active, Name, Direction, Source IP Address, Dest IP Address, Service, Action, Log): 1, Y, Default, WAN to LAN1, Any, Any, Any, Block, Y (Page 1/1).
   ADVANCED SETTINGS > Firewall > Edit Rules > Insert: Insert a new WAN1 to WAN1 firewall rule. Activate this rule. Rule name: AllowVPNIKErule. Source IP 192.168.88.0, Netmask 255.255.255.0; Dest IP 192.168.40.0, Netmask 255.255.255.0. Service: Any (Configure dest port: Type Single/Range; Dest Port FTP 21). Action: Forward the matched packet; Don't log the matched packet. [p. 70, Virtual Private Network (IPSec), DFL-1500 User Manual]
   Step 8: View the result (ADVANCED SETTINGS > Firewall > Edit Rules). Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0/255.255.255.0 to pass through the DFL-1500 and accomplish the VPN tunnel establishment.
   At DFL-2: Second, we will use the Manual Key way to set up the IPSec properties of DFL-1.
   Step 1: Enable IPSec (ADVANCED SETTINGS > VPN Settings > IPSec). Check the Enable IPSec checkbox and click Apply.
3. DHCP (continued): Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on BOOTP, adding the capability of automatic allocation of reusable network addresses and additional configuration options. DHCP captures the behavior of BOOTP relay agents, and DHCP participants can interoperate with BOOTP participants. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host, and a mechanism for allocation of network addresses to hosts.
   DMZ (Demilitarized Zone): From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers.
   Firewall: A device that protects and controls the connection of one network to another, for traffic both entering and leaving. Firewalls are used by companies that want to protect any network-connected server from damage (intentional or otherwise) by those who log in to it. This could be a dedicated computer equipped with security measures, or it could be software-based protection.
   IPSec (IP Security): IPSec provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers).
4. L2TP (Layer 2 Tunneling Protocol): Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet Service Provider (ISP) to enable the operation of a Virtual Private Network (VPN) over the Internet. L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. The two main components that make up L2TP are the L2TP Access Concentrator (LAC), which is the device that physically terminates a call, and the L2TP Network Server (LNS), which is the device that terminates and possibly authenticates the PPP stream.
   NAT (Network Address Translation): With the network address translation technique we can translate the internal private addresses behind the DFL-1500 to a public address for Internet usage. By this method we can use a large number of private addresses in the enterprise. [p. 131, Part VII]
   POP3 (Post Office Protocol 3): POP3 is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically you (or your client e-mail receiver) check your mailbox on the server and download any mail.
   PPTP (Point-to-Point Tunneling Protocol): PPTP extends the Point-to-Point Protocol (PPP) standard for traditional dial-up networking. PPTP is best suited for the remote access applications of V
5. Step 2: Fill out the related fields (Advanced Settings > Routing > Static Route > Add). Fill in the Destination and Netmask fields with 140.116.53.0 and 255.255.255.0. Assign the next-hop Gateway as 61.216.120.148, the WAN2 IP address. Click Add to proceed. (Entry shown: Net, 140.116.53.0, 255.255.255.0, 61.216.120.148.)
   Table 7-1 Add a static routing entry (Field / Description / Example):
   Type: Determines whether this static routing entry record is for multiple hosts (Net) or a single host (Host). Example: Net.
   Destination: The destination IP address of this static routing entry record. Example: 140.116.53.0.
   Netmask: The destination IP netmask of this static routing entry record. Example: 255.255.255.0.
   Gateway: The default gateway of this static routing entry record. Example: 61.216.120.148.
   [p. 46, Routing]
   Step 3: View the result. The static route has been stored. After filling in the data completely, view the static routing entries which have been set.
   7.4.2 Add a policy routing entry
   Step 1: Insert a policy routing entry. Click the Insert button to add a policy routing entry.
   Step 2: Fill out the related fields. For the General Manager Room department we need to set an extra policy routing entry. So in the Status region make sure Activate the rule is enabled, and in the Rule name field fill in GenlManaRoom. In the Condition region fill 192.168.40.192 in the Source IP field and 255.255.255.192 in the Netmask field. In the Action r
6. Chapter 10 Virtual Private Network (IPSec). This chapter introduces IPSec VPN and explains how to implement it. Starting from Figure 2-1, in this chapter we extend the explanation to how to make a VPN link between LAN_1 and LAN_2. The following Figure 10-1 is the real structure in our implemented process.
   10.1 Demands: 1. When a branch office subnet (LAN_1) wants to connect with another branch office subnet (LAN_2) through the public Internet instead of expensive private leased lines, VPN can provide encryption and authentication to secure the tunnel that connects these two LANs.
   Figure 10-1 Organization_1 LAN_1 is making a VPN tunnel with Organization_2 LAN_2. (Figure labels: Organization 1 / Organization 2 Private LANs; LAN1_IP 192.168.40.254; WAN2_IP 210.2.1.1; LAN2_IP 192.168.88.254; PC1_1 192.168.40.1, DHCP client; LAN 2 hosts 192.168.88.1 and 192.168.88.2; Internet.)
   10.2 Objectives: 1. Let the users in LAN_1 and LAN_2 share resources through a secure channel established over the public Internet.
   10.3 Methods: 1. Separately configure DFL-1 and DFL-2, which are the edge gateways of LAN_1 and LAN_2 respectively. You have to choose a key management method, either IKE (Internet Key Exchange) or Manual Key. The following table compares the settings of IKE and Manual Key; in the following we describe them separately. Local Address means
7. ...the default rule. Rule list (Active, Name, Direction, Source IP Address, Dest IP Address, Service, Action): 1, Y, Default, ANY to LAN1, Any, Any, Any, def_class.
   Table 17-4 Setup edit rules page of Bandwidth Management (Field / Description / Example): Edit [direction] rules: Select the direction of the rules which you are going to configure. Example: ANY to LAN1. Prev Page: ...the previous page. Next Page: If there is more than one page of rules, you can press Next Page to go to the next page.
   [p. 109, D-Link]
   Step 6: Customize the Rules (ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules > Insert). Enter a rule name such as inFTP, enter the Source IP as 140.113.179.3 and the netmask as 255.255.255.255. Enter the Dest IP as 192.168.40.1 and the netmask as 255.255.255.255. Select the action to be inFTP. In this way all FTP Server to PC1_1 packets will be put into the inFTP queue and scheduled out at 1019 kbps bandwidth. Click Apply to store the changes. Repeat the same procedure for the inVideo class. [Part VI]
   Field / Description / Example: Activate this rule: Enable this bandwidth management rule. Rule name: The bandwidth management rule name. Source IP & Netmask: When the source IP address of incoming packets conforms to th
8. Figure 7-1 Add policy routing entry for the General Manager Room department. (Figure labels: LAN1_IP 192.168.40.254; LAN hosts 192.168.40.1 to 253.)
   7.2 Objectives: 1. The network administrator plans to solve the problem by subscribing to a second link, ISP2. He/she wires ISP2 to the WAN2 socket of DFL-1. Now there are two WAN links connected to DFL-1. He/she hopes that all packets destined for the subnet 140.116.53.0/255.255.255.0 will pass through the WAN2 link instead of the default WAN1 link. In this way the WAN2 link can offload the traffic. 2. The same as above. However, a routing table can only be specified by destination; that is, a routing table can only direct packets destined for somewhere through some link. It cannot direct packets coming from somewhere through some link. [p. 45, D-Link Part II] The policy route can solve this problem. He/she hopes that all packets from the General Manager Room will pass through the WAN2 link instead of the default WAN1 link.
   7.3 Methods: 1. Add a static routing entry to direct the packets towards 140.116.53.0/255.255.255.0 through the WAN link. 2. Add a policy routing entry for the packets coming from the General Manager Room department (192.168.40.192/255.255.255.192) through the WAN2 link.
   7.4 Steps. 7.4.1 Add a static routing entry. Step 1: Add a static routing entry (Advanced Settings > Routing > Static Route). Click the Add button to go to the next process. [Routing]
9. ...indicated to finish these settings. (Example values shown in the form: Pre-Shared Key 1234567890; Encrypt and Authenticate DES MD5; SA lifetime 8500; Key Group DH1; Phase 2 Encrypt and Authenticate DES MD5; SA lifetime 6800; Apply / Reset.)
   Field / Description / Example:
   Local to Remote Protocol / Src Port / Dest Port: Use this field to select the packets which are destined for a specified port (Dest Port) or coming from a specified port (Src Port) that can use the IPSec feature. The direction is from local to remote. Example: TCP 0 80.
   [p. 62, Virtual Private Network (IPSec), DFL-1500 User Manual]
   Remote to Local Protocol / Src Port / Dest Port: Use this field to select the packets which are destined for a specified port (Dest Port) or coming from a specified port (Src Port) that can use the IPSec feature. The direction is from remote to local. Example: ANY 0 0.
   Enable Replay Detection: Whether Replay Detection is enabled.
   Phase 1 Negotiation Mode: Main or Aggressive mode; see Chapter 9 for details.
   Pre-Shared Key: View only; it was set previously and cannot be edited.
   Encryption Algorithm: Choose an encryption and authentication algorithm. Example: Encrypt and Authenticate DES MD5.
   SA Life Time: Set the IKE SA lifetime. A value of 0 means IKE SA negotiation never times out. See Chapter 9 for details.
   Key Group: Choose a Diffie-Hellman public key cryptography key group. Example: DH1.
   Phase 2: View only; it was set previously and cannot be edited again. View only; it was set previo
10. D-Link Benelux (continued): TEL +31 40 2668713; FAX +31 40 2668666; URL www.d-link-benelux.nl and www.dlink-benelux.be; E-MAIL info@dlink-benelux.nl, info@dlink-benelux.be.
   D-Link Norway: Waldemar Thranesgate 77, 0175 Oslo, Norway. TEL +47 22 99 18 90; FAX +47 22 20 70 39; SUPPORT 800 10 610; URL www.dlink.no.
   D-Link Russia: Michurinski Prospekt 49, 117607 Moscow, Russia. TEL +7 095 737 3389 and +7 095 737 3492; FAX +7 095 737 3390; URL www.dlink.ru; E-MAIL vl@dlink.ru.
   D-Link International: 1 International Business Park, 03-12 The Synergy, Singapore 609917. TEL 6 6774 6233; FAX 6 6774 6322; E-MAIL info@dlink.com.sg; URL www.dlink-intl.com.
   D-Link South Africa: Unit 2, Parkside, 86 Oak Avenue, Highveld Technopark, Centurion, Gauteng, South Africa. TEL +27 12 665 2165; FAX +27 12 665 2186; URL www.d-link.co.za; E-MAIL attie@d-link.co.za.
   D-Link Iberia (Spain and Portugal): Sabino de Arana 56, bajos, 08028 Barcelona, Spain. TEL +34 93 409 0770; FAX +34 93 491 0795; URL www.dlink.es; E-MAIL info@dlink.es.
   D-Link Sweden: P.O. Box 15036, S-167 15 Bromma, Sweden. TEL +46 8 564 61900; FAX +46 8 564 61901; URL www.dlink.se; E-MAIL info@dlink.se.
   [p. 140, Part VI Customer Support, DFL-1500 User Manual]
   Taiwan, D-Link Taiwan: 2F, No. 119 Pao-chung Road, Hsin-tien, Taipei, Taiwan. TEL +886 2 2910 2626; FAX +886 2 2910 1515; URL www.dlinktw.com.tw; E-MAIL dssqa@tsc.dlinktw.com.tw.
   Turkey, D-Link Middle East: Deniz Bilgisayar, Buyukdere Cad.
11. ...the Apply button. See the steps in the diagram on the right. Subsequently we continue to set up another class, the inVideo class: select the default class and click Create Sub Class to create another sub class named inVideo from the default class. Enter 29 in the bandwidth field.
   Table 17-3 Add a new class in the bandwidth management feature (Field / Description / Example):
   Activate this class: Enable the bandwidth management class for later use. Example: enabled.
   Class name: Bandwidth management class name.
   Bandwidth: What percentage of the higher class this class occupies.
   Borrow: When the bandwidth of other classes is idle, this class will use the bandwidth of the other classes to increase its bandwidth temporarily. Example: enabled.
   Back: Back to the previous configuration page. N/A.
   Apply: Apply the settings which have been configured. N/A.
   Reset: Clear the filled data and restore the original. N/A.
   [p. 108, Bandwidth Management, DFL-1500 User Manual]
   Step 4: Partition into Classes (ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create Sub Class). Now there are two actions under the default action.
   Step 5: Set up ANY to LAN1 Rules (ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules). Select ANY to LAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before
12. DFL-1500 sys reboot now
   Rebooting... syncing disks... done
   rebooting
   20.4.2 Steps for EMERGENT factory reset
   Step 1: Enter the boot loader. If you forget the password, this is the only way to recover your system. Press <TAB> or <space> during the 2-second countdown.
      >> NetOS Loader i386 V1.1 Tue Dec 30 08:39:49 CST 2003
      Press <TAB> to prompt
      Type boot rescue to load safe mode kernel to
        1 rescue corrupted firmware
        2 reset password for admin
      starting in 0
      type or help for help
      >
   [p. 121, D-Link Part VII]
   Step 2: Enter the Safe Mode. Enter boot rescue to enter the emergency kernel. In this kernel you can use tftp to fetch another firmware to install, or reset the configuration to default even if you have lost the password.
      > boot rescue
      6 1298 7888404 127552 0x84524c
      NetOS Ver1.40B WALL EMERGENCY 3 Thu Aug 28 06:02:07 CST 2003
      cpu0: Intel (null) Celeron (686-class), 1202.85 MHz
      total memory 255 MB
      avail memory 228 MB
      Ethernet address 00:80:c8:50:fa:10, 100 Mb/s
      Ethernet address 00:80:c8:50:fa:10, 100 Mb/s
      Ethernet address 00:80:c8:50:fa:10, 100 Mb/s
      Ethernet address 00:80:c8:50:fa:10, 100 Mb/s
      Ethernet address 00:80:c8:50:fa:10, 100 Mb/s
      wd0: drive supports PIO mode 4
      DFL-1500>
   Step 3: Factory reset. Enter sys resetconf now to reset the firmware to factory default. Then enter sys reboot n
      DFL-1500> en
      DFL-1500 sys resetconf now
13. WAN1 (Port 1): Fixed IP / PPPoE / DHCP; not initialized (IP Address, Subnet Mask, Gateway IP, Primary DNS, Secondary DNS, PPPoE Username, PPPoE Password).
   WAN2 (Port 2): Fixed IP / PPPoE / DHCP; not initialized.
   DMZ1 (Port 3): IP Address 10.1.1.254; IP Subnet Mask 255.255.255.0.
   LAN1 (Port 4): IP Address 192.168.1.254; IP Subnet Mask 255.255.255.0.
   LAN2 (Port 5): IP Address 192.168.2.254; IP Subnet Mask 255.255.255.0.
   Table 1-1 DFL-1500 related network settings.
   1.4 Wiring the DFL-1500. A. First connect the power cord to the socket at the back panel of the DFL-1500, as in Figure 1-2, and then plug the other end of the power adapter into a wall outlet or power strip. The Power LED will turn ON to indicate proper operation. [Quick Start, DFL-1500 User Manual] Figure 1-2 Back panel of the DFL-1500. B. Using an Ethernet cable, insert one end of the cable into the WAN port on the front panel of the DFL-1500 and the other end into a DSL or cable modem, as in Figure 1-3. C. Computers with an Ethernet adapter can be directly connected to any of the LAN ports using a cross-over Ethernet cable, as in Figure 1-3. D. Computers that act as servers to provide Internet services should be connected to the DMZ port using an Ethernet cable, as in Figure 1-3. Figure 1-3 Front end of the DFL-1500.
   [D-Link Part I] 1.5 Default Architecture of DFL-1500. (Figure labels: Organization_1; LAN_2 192.168.2.1 to 253; WAN1_IP; ISP1 modem; Intern
14. The DFL-1500 can be manually configured with Many-to-One, Many-to-Many, One-to-One and bidirectional One-to-One rules to do policy-based NAT. Table 6-1 Determine Network Address Translation Mode.
   Step 2: Check NAT Rules (ADVANCED SETTINGS > NAT > NAT Rules). As described above, the DFL-1500 has set the three rules for the LAN1, LAN2 and DMZ1 zones. They all belong to the Many-to-One (M-1) type, which maps many private addresses to the automatically chosen public IP address. (Rule columns: Status: Active, Name, Direction; Condition: Source IP Address; Action: Translate Src IP into, Type.) When the WAN interfaces change IP, these rules do not require any manual modification for the changed public IP addresses; the rules will automatically reload the new settings. In Basic mode you cannot edit the rules on this page.
   Step 3: Switch the NAT Mode. Select Full Feature from the Network Address Translation Mode list and click Apply. After applying the setting, the page will highlight a warning saying that the rules are no longer automatically maintained by the DFL-1500. If you change the LAN/DMZ IP settings you have to manually update the related rules yourself; otherwise hosts in your LAN/DMZ cannot establish connections to hosts on the WAN side. Note: In Full Feature mode NAT, if you modify LAN/DMZ address settings, you must manually reconfigure the
15. ...see Chapter 9 for details. ESP Encryption/Authentication or AH Authentication: Select the Encryption (DES or 3DES) and Authentication (MD5 or SHA1) algorithm combination, and enter the DES key, in either hex or string format, separately. Example: ESP Encryption DES, Authentication MD5. (Incoming SPI.) Table 10-4 Add an IPSec Manual Key rule.
   Step 4: Detailed settings of IPSec Manual Key (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add > Advanced). For the detailed settings of the Manual Key, press the Advanced button on the previous page, then set the parameters separately. (Condition / Action; Back / Apply / Reset.)
   Table 10-5 Setup Advanced feature in the IPSec Manual Key rule (Field / Description / Example):
   Local to Remote Protocol / Src Port / Dest Port: Use this field to select the packets which are destined for a specified port (Dest Port) or coming from a specified port (Src Port) that can use the IPSec feature. The direction is from local to remote. Example: TCP 0 80.
   Remote to Local Protocol / Src Port / Dest Port: Use this field to select the packets which are destined for a specified port (Dest Port) or coming from a specified port (Src Port) that can use the IPSec feature. The direction is from remote to local. Example: ANY 0 0.
   Enable Replay Detection: Whether Replay Detection is enabled.
   [p. 69, D-Link]
   Step 5: Reminder to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall r
16. ...1.254/255.255.255.0, the request will be translated into a public source IP and then forwarded to the destination. 1.7.2 WAN1 to DMZ1 Connectivity [Part I]
   BASIC SETUP > LAN Settings > LAN1 Status (LAN1 Status / LAN Status / IP Alias). LAN1 TCP/IP: IP Address 192.169.1.254; IP Subnet Mask 255.255.255.0. DHCP Setup: Enable DHCP Server; IP Pool Starting Address 192.168.1.100; Pool Size 20; Primary DNS Server 192.168.1.254; Secondary DNS Server 0.0.0.0; 7200; Routing Protocol: None / OSPF Area ID. Note: The IP Pool Starting Address must be on the same subnet specified by the IP Address and IP Subnet Mask fields. For example, the addresses given by 192.168.1.100 with a pool size of 20 (192.168.1.100 to 192.168.1.120) are all within the same range as 192.168.1.254/255.255.255.0.
   ADVANCED SETTINGS > NAT > Status (Status / NAT Rules / Virtual Servers / Server Sessions). Network Address Translation Mode: Basic. Network Address Translation (NAT) translates the IP/port for (1) LAN/DMZ to WAN traffic: map private src IPs and ports to the DFL-1500's WAN public IPs and ports; (2) LAN/WAN to DMZ traffic: map public dest IPs and ports to the DMZ servers' private IPs and ports. Modes: 1. None: the DFL-1500 is in routing mode without performing any address translation. 2. Basic: the DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnets. 3. Full Feature: the DFL-1500 can be manually c
17. ...1.254. DNS IP Address: Primary DNS 168.95.1.1; Secondary DNS 0.0.0.0. Routing Protocol: None / OSPF Area ID.
   BASIC SETUP > Wizard > Next > PPPoE (System / WAN1 IP / System Status). IP Address Assignment: PPP over Ethernet; Default WAN link; Gateway; DNS; Service Name (Optional); User Name 1234567@hinet.net; Password ********; Get DNS Automatically (DHCP) or DNS IP Address: Primary DNS 0.0.0.0, Secondary DNS 0.0.0.0; status Disconnected.
   [Quick Start, DFL-1500 User Manual]
   Step 5: System Status (BASIC SETUP > Wizard > Next > Next). Here we selected the PPPoE method for the WAN1 port. The DFL-1500 then provides a short summary of the system. Please check that everything mentioned above is properly set in the system. Click Finish to close the wizard. (WAN1 PPPoE: Not initialized.)
   1.7 Internet Connectivity. After setting up the DFL-1500 with the wizard, the DFL-1500 can connect to the ISP. In this chapter we introduce LAN1 to WAN1 Connectivity to explain how the computers under LAN1 can access the Internet at WAN1 through the DFL-1500. Subsequently we introduce WAN1 to DMZ1 Connectivity to explain how the servers under DMZ1 can be accessed by the LAN users and by other Internet users on the WAN side. You MUST press Apply to proceed to the next page. Once any change is applied, the settings are immediately written to flash memory. 1.7.1 LAN1 to WAN1 Connectivity. The
18. (Apply / Reset.) Field / Description / Example:
   Enable IDS: Enable the IDS feature of the DFL-1500.
   Detect Attacks Towards: Specify the IP address region of each DMZ/LAN server area.
   Options: (1) This option is designed to be memory efficient. It has configurable memory usage and fragment timeout options. It uses the default memory limit of 4194304 bytes (4 MB) and a timeout period of 60 seconds. The timeout period is used to determine the length of time after which an unassembled fragment should be discarded. (2) Stateful Inspection: This option provides TCP stream reassembly and stateful analysis capabilities. Robust stream reassembly capabilities ignore stateless attacks such as stick. It also gives large-scale users the ability to track more than 256 simultaneous TCP streams. It should be able to scale to handle 32,768 simultaneous TCP connections in its default configuration. Example: enabled. (3) TCP Stream Reassembly: This item works together with Stateful Inspection to increase the prevention ability of packet reassembly. Example: enabled. (4) Normalize HTTP Requests: This option is used to process HTTP URI strings and convert their data to non-obfuscated ASCII strings. For example, HTTP defines a hex encoding method for characters such that the string %20 is interpreted as a single space. Web servers are designed to handle the myriad of clients available, as well as being written to support many different standards. Microsoft web servers handle additional types
19. 17.4.2 Outbound Traffic Management. Step 1: Enable Bandwidth Management (ADVANCED SETTINGS > Bandwidth Mgt > Status). Check the Enable Bandwidth Management checkbox and click Apply. Step 2: Set up the WAN1 Link (ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions). Select ANY to WAN1 to set up the traffic that will be transmitted by the WAN1 interface. Enter the WAN1 interface bandwidth as 1544 kbps. Click the Apply button to enforce the WAN1 link bandwidth of 1544 kbps. Then click Create Sub Class to partition the default class. [p. 111, D-Link] Step 3: Partition into Classes. Create a sub class named LANa to LANb from the default class. Enter 65 in the bandwidth field, check the Borrow button and click Apply. Select the default class and click Create Sub Class to create another sub class named outFTP from the default class. Enter 30 in the bandwidth field and click Apply. Now there are two actions under the default action: the LANa to LANb class and the outFTP class. Step 4: Set up ANY to WAN1 Rules. Select ANY to WAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before the default rule. Step 5: Customize the Rules. Enter a rule name such as outVPN, enter the Source IP as 192.168.40.0 and the netmask as 255.255.255.0. Enter the Dest IP
20. [DFL-1500 User Manual] Appendix E Index (continued): POP3 93, 95; restore configuration 122; Routing 45 (policy routing 45; static routing 45); SMTP 93, 94; syslog 117, 118; tftp upgrade 119; Virtual Server 12, 36, 40, 42; VPN 55 (AH 57; DH 56; Encapsulation 56; ESP 57; IKE 59; IPSec 55, 59; Key Management 55; L2TP 79; Manual Key 59; PFS 56; PPTP 75; SA (Security Association) 55; VPN 55).
   Appendix F Hardware Detailed Description.
   Hardware: Chassis: Dimensions: rack mount, 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (5.75" x 10.8" x 8"). Look & feel: D-Link style.
   Key Components: CPU: Intel Celeron 1.2G. Memory: 256MB 168-pin SDRAM. 10/100M Ethernet MAC and PHY: Intel i82559. PCI bridge: Intel FW82801BA. Memory control hub: FW82815EP. Storage: Compact Flash 32MB, SanDisk. Super I/O, hardware monitor: IT8712F-A. Security processor: Safenet 1141 VPN accelerator board.
   Port functions: WAN port: 2 ports for connecting to the outbound WAN; RJ-45 connector; IEEE 802.3 compliance; IEEE 802.3u compliance; supports half/full duplex operation; supports backpressure at half duplex operation; supports Auto MDI/MDI-X; IEEE 802.3x flow control support for full duplex mode. LAN port: 2 ports for connecting the inbound LAN; RJ-45 connector; IEEE 802.3 compliance; IEEE 802.3u compliance; supports half/full duplex operation; Suppor
21. ...5 with port 21 and then be forwarded to 10.1.1.5. The FTP server listening at port 21 on 10.1.1.5 will pick up the request. Step 10: View the WAN to LAN Sessions. Click Server Sessions to see the sessions between WAN and LAN. [DFL-1500 User Manual] (ADVANCED SETTINGS > NAT > Virtual Servers, columns: Name, Direction, Dest IP Address, Service, Translate dest IP/port into; Next Page. ADVANCED SETTINGS > NAT > Server Sessions, columns: Item, Local Server, DFL-1500, Remote Client.)
   [p. 43, Routing, DFL-1500 User Manual]
   Chapter 7 Routing. This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how the DFL-1500 implements routing and how to use it, we zoom in on the left part of Figure 2-1 as Figure 7-1.
   7.1 Demands: 1. The bandwidth subscribed from ISP1 is insufficient, so that some important traffic, say traffic towards the subnet 140.116.53.0/255.255.255.0, is blocked by the other traffic. 2. The bandwidth subscribed from ISP1 is insufficient, so that some important traffic, say the traffic from PCs belonging to the General Manager Room department (192.168.40.192/255.255.255.192), is blocked by the other traffic.
   (Figure labels: Organization_1 Private LANs; WebServer1, FtpServer1 10.1.1.5, DHCPServer1 10.1.1.10; Default; DMZ1_IP 10.1.1.254; WAN1_IP 61.2.1.1; Internet.)
22. ...AllowVPNIKErule, Source IP as 192.168.40.0 and Dest IP as 192.168.88.0. Click Apply to store this rule. [Part III]
   ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add (IPSec / PPTP / L2TP), notice: 1. If you enable the firewall, please check whether these firewall rules would block packets in the tunnel. 2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets. 3. The source address/mask and the destination address/mask of the firewall rules are 192.168.88.0/255.255.255.0 and 192.168.40.0/255.255.255.0 respectively. [OK]
   ADVANCED SETTINGS > Firewall > Edit Rules (Edit Rules / Show Rules / Attack Alert / Status / Summary): Edit WAN1 to LAN1 rules. Packets are top-down matched by the rules. Rule list (Active, Name, Direction, Source IP Address, Dest IP Address, Service, Action, Log): 1, Y, Default, WAN1 to LAN1, Any, Any, Any, Block, Y (Page 1/1). Apply.
   ADVANCED SETTINGS > Firewall > Edit Rules > Insert: Insert a new WAN1 to WAN1 firewall rule. Status: Activate this rule; Rule name AllowVPNIKErule. Condition: Source IP 192.168.40.0, Netmask 255.255.255.0; Dest IP 192.168.88.0, Netmask 255.255.255.0; Service Any; Configure dest port: Type Single/Range; Dest Port FTP 21; Copy To Dest
23. Ans: It is because someone else is logged in to the DFL-1500 at the same time from another IP address. Please log out of the system from that IP address first and then log in with your IP address again; you will definitely be able to log in to the DFL-1500. If the disconnection happens because of a modification of the WAN/LAN/DMZ IP address (for example, you log in to the system from LAN1 and then modify the LAN1 IP address), you can solve this problem in one of the following three ways: a. Wait for the DFL-1500 session timeout and then you can log in to the DFL-1500 again. The default timeout is 5 minutes (System Tools > Admin Settings > Timeout). After the session timeout happens we can log in to the DFL-1500 again. [p. 126, Trouble Shooting, DFL-1500 User Manual] b. You can use the supplied console to log in to the DFL-1500 system and then log out of the system. That will clean up the zombie session left in the system, so you will be able to log in to the DFL-1500 from the same side. c. The final way is to power off the DFL-1500 and then turn the power on again. After the DFL-1500 reboots, you can log in to the DFL-1500 again.
   Figure B-3 Login process is locked by the web configurator. (Screen text: Firewall/VPN Router DFL-1500. Please LOGIN first. Configuration is locked by administrator from 192.168.40.153. Web configurator may be locked by another administrator from 192.168.40.153.)
   8. Why does it always show the message as Figure B-4 indic
24. BASIC SETUP > WAN Settings > IP Alias > Add. Suppose you apply for 8 IP addresses from the ISP; the range of the ISP-given IP addresses is from 211.17.25.56 to 211.17.25.63. Now you would like to add a WAN1 IP alias. Select WAN1 in the Interface field, enter the IP alias and Netmask as 211.17.25.62 and 255.255.255.248, and then click Apply. Notice: It is the same way to set an IP alias on the DMZ or LAN. Table 3-4 Add an IP alias record.
   Step 2: Edit/Delete an IP alias record (BASIC SETUP > WAN Settings > IP Alias). You can easily add, edit or delete IP alias records with the Add, Edit or Delete buttons.
   Step 3: Add a static or policy routing entry. In the Advanced Settings > Routing pages, set up the static or policy routing entries to share the outbound traffic load. Refer to the Chapter 7 explanation.
   [p. 19, System Tools, DFL-1500 User Manual]
   Chapter 4 System Tools. This chapter introduces System Management and explains how to implement it. Demands: Basic configurations for domain name, password, system time, timeout and services. DDNS: Suppose the DFL-1500's WAN uses a dynamic IP but needs a fixed host name. When the IP is changed, it is necessary to have the DNS record updated accordingly. To use this service one has to register the account, password and the wanted host name with the service provider. DNS Proxy: Shorten the time of DNS lookup performed b
25. By default the link is partitioned into two classes: the control class (ctl_class) and the default class (def_class). The control class reserves bandwidth for control protocols such as ICMP and TCP ACKs. The default class is the default action for non-matched packets. The default class can be recursively partitioned into more classes; the classes are organized as a tree. Click Create Sub Class to partition the default class. FIELD / DESCRIPTION / EXAMPLE: Interface: Select the direction of action which you are going to configure (example: to WAN1). Bandwidth: Fill in the real bandwidth available in that direction (example: 1544 kbps). Prev Page: If there is more than one action page, press Prev Page to go back to the previous page. Create Sub Class: Create a sub class from the indicated class. Delete: Delete the indicated class. Next Page: If there is more than one action page, press Next Page to go to the next page. Table 17-2: Setup edit actions page of Bandwidth Management. Step 3: Add new classes (ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create Sub Class). Create a sub class named inFTP from the default class. Enter 66 in the bandwidth field. Make sure that the Borrow button is checked; then the inFTP class will enlarge its bandwidth by borrowing other unused bandwidth. Finally click
26. The LAN Settings page allows you to modify the IP address and subnet mask that identify the DFL-1500 on your LAN. This is the IP address you will enter in the URL field of your web browser to connect to the DFL-1500. It is also the IP address that all of the computers and devices on your LAN will use as their default gateway. Step 1: Device IP Address. Set up the IP Address and IP Subnet Mask for the DFL-1500. Step 2: Client IP Range. Enable the DHCP server if you want the DFL-1500 to assign IP addresses to the computers under LAN1. Specify the Pool Starting Address, Pool Size, Primary DNS and Secondary DNS that will be assigned to them. Example: in the figure, the DFL-1500 will assign one IP address from 192.168.1.100 to 192.168.1.120, together with the DNS server 192.168.1.254, to any LAN1 PC that requests an IP address. Step 3: Apply the Changes. Click Apply to save. Now you can enable the DHCP clients on your LAN1 PCs to get an IP. Step 4: Check NAT Status. The default NAT setting is Basic Mode. After completing Step 3, NAT is automatically configured with three rules to let all private-IP LAN/DMZ-to-WAN requests be translated with the public IP assigned by the ISP. Step 5: Check NAT Rules. The DFL-1500 has added three NAT rules. The rule Basic LAN1 (number 3) means that when matching the condition (requests in the LAN/DMZ-to-WAN direction with a source IP falling in the range of 192.168
27. MAC mapping table. ifconfig: ip ifconfig INTF1 192.168.1.100 255.255.255.0: Configure the IP address of each port. ping: ip ping 202.11.22.33: Send ICMP messages. tftp: ip tftp upgrade all 1.2.3.4 preserve: Upgrade/Backup from/to a TFTP server; refer to Section 20.2 for a detailed description. Trace route to a destination address or hostname. Configure system parameters: Change administrator password; Reset system configuration to default settings; Show system and network status; Show DFL-1500 firmware version. Table A-2: Privileged mode CLI commands. Appendix B: Trouble Shooting. 1. The power LED of the DFL-1500 is off when I turn on the power. Ans: Check the connection between the power adapter and the DFL-1500 power cord. If this problem still exists, contact your sales vendor. 2. How can I configure the DFL-1500 if I lose the account/password of the DFL-1500? Ans: Use the console mode CLI to restore the factory settings; refer to the procedure in Section 20.4.2. 3. I can't access the DFL-1500 via the console port. Ans: Check the console cable and make sure it is connected between your computer's serial port and the DFL-1500 Diagnostic RS-232 port. Check whether the terminal software parameters are set as follows: no parity, 8 data bits, 1 stop bit, baud rate 9600 bps; the terminal type is VT100. 4. I can't ping the DFL-1500 DMZ interface successfully. Why? Ans: Follow the items below to chec
28. Step 2: Add a Manual Key rule (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key). Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Step 3: Customize the rule. The settings are similar to those on DFL_1, except that you should interchange the Local IP Address with the Remote IP Address, the My IP Address with the Security Gateway Addr, and the Outgoing SPI with the Incoming SPI. Step 4: Reminder to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. The system shows a window message to remind you to add a firewall rule; just press the OK button to add one. ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add (IPSec > Manual Key > Edit Rule): Status: Active; Manual Key Rule Name: ManualKeyrule; Condition: Local Address Type: Subnet Address, IP Address 192.168.88.0, Subnet Mask 255.255.255.0; Remote Address Type: Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0; My IP Address 210.2.1.1; Security Gateway Addr 61.2.1.1; Outgoing SPI (hex) 1111; Incoming SPI (hex) 2222; Encapsulation Mode: Tunnel (Transport or Tunnel); ESP Encryption: DES (des or 3des, 64 or 192 bits
29. address of the local-site DFL-1500 Firewall/VPN Router. Security Gateway Addr: The IP address of the remote-site device, such as a DFL-1500 Firewall/VPN Router. ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add: Status: Active; Name: IKErule; Condition: Local Subnet Address 192.168.40.0 / 255.255.255.0; Remote Subnet Address 192.168.88.0 / 255.255.255.0; Action: Main mode, Tunnel mode; My IP Address 61.2.1.1; Security Gateway Addr 210.2.1.1; ESP Algorithm: Encrypt and Authenticate DES/MD5; Pre-Shared Key 1234567890; Advanced; Apply; Reset. ESP Algorithm: The Encryption and Authentication Algorithms may be grouped together or applied separately. We can select the Encrypt and Authenticate combination, or the Encryption Algorithm or Authentication Algorithm singly (example: Encrypt and Authenticate DES/MD5). Encryption Algorithms include DES, 3DES and AES; Authentication Algorithms include MD5 and SHA1. AH Algorithm: Select the Authentication Algorithm, MD5 or SHA1 (example: disabled). Pre-Shared Key: The key which is pre-shared with the remote side (example: 1234567890). Table 10-2: Related field explanation of adding an IPSec policy rule. Step 4: Detailed settings of IPSec IKE (ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced). On this page we set the detailed values of the IKE Advanced parameters. Fill in the related fields as in Table 10-3
30. as 192.168.88.0 and the netmask as 255.255.255.0. Select the action to be LANa_toLANb. In this way all outbound packets to the LAN_2 area will be put into the LANa_toLANb queue and scheduled out at 1003 kbps bandwidth. Click Apply to store the changes. Repeat the same procedure for the outWebDownload class. ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions > Create Sub Class (Bandwidth Management > Edit Actions): Edit ANY to WAN1 classes; WAN1 Interface Bandwidth 1544 kbps. Defined Actions (Active, Name, Borrow, Bandwidth): root_class 100%, 1544 kbps; ctl_class 5%, 77 kbps; def_class 95%, 1466 kbps; LANa_to_LANb 65%, 1003 kbps; outFTP 30%, 463 kbps. ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules (Bandwidth Management > Edit Rules): Edit ANY to WAN1 rules. Packets are matched top-down by the rules: 1, Active, Default, ANY to WAN1, Any, Any, Any, def_class. ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules > Insert (Bandwidth Management > Edit Rules > Insert): Insert a new ANY to WAN1 Bandwidth Management rule. Activate this rule. Rule n
31. change the filename extension from .vbs to .vbs.bin. Step 3: Customize the local zones (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP). You can configure to which range of the local zones the filters apply. By default the web filters apply to all computers, so "Enforce web filter policies for all computers" is selected and the range is 0.0.0.0 to 255.255.255.255. Delete the default range by clicking the range item and then the Delete button. Enter the IP range in the Range fields, followed by a click on the Add button, to add one address range to the web filter. Click Include and Apply if you want the web filters to apply only to the specified ranges. Click Exclude and Apply if you want the web filters to apply to all computers except those in the specified ranges. 14.5 Steps for POP3 Filters. Step 1: Enable POP3 Filters (ADVANCED SETTINGS > Content Filters > Mail Filters > POP3). Check the Enable POP3 Proxy checkbox and click Apply. FIELD / DESCRIPTION / EXAMPLE: Enable POP3 Proxy: Enable the POP3 Proxy feature of the DFL-1500. Filename extension: When the filename extension of an attachment matches the listed extension (example: Append .bin to e-mail attachments), add the .bin extension to the atta
32. make TELNET, SSH, WWW, HTTPS, SNMP and the others checked. Then click the Apply button. Chapter 6: NAT. This chapter introduces NAT and explains how to implement it on the DFL-1500. To facilitate the explanation of how the DFL-1500 implements NAT and how to use it, we zoom in on the left part of Figure 1-4 into Figure 6-1. 6.1 Demands: 1. The number of public IP addresses allocated to each Internet subscriber is often very limited compared to the number of PCs in LAN1. Additionally, public-IP hosts are directly exposed to the Internet and have more chance of being cracked by intruders. 2. Internet servers provided by your company may open many ports by default, which may be dangerous if exposed to the public Internet. Figure 6-1: Topology for explanations of the NAT examples (Organization_1 with DMZ_1 10.1.1.1 to 10.1.1.253 containing WebServer1 and other servers, DMZ1_IP 10.1.1.254, WAN1_IP 61.2.1.1, PC1_1 192.168.40.1 as DHCP client, LAN_1 192.168.40.1 to 192.168.40.253). 6.2 Objectives: 1. Let PC1_1 to PC1_5 connect to the Internet. 2. Let FTPServer1 be accessed by other Internet users. 6.3 Methods: 1. Assign private IP addresses to PC1_1 to PC1_5. Set up NAT on the DFL-1500 to map those assigned private hosts under LAN1 to the public IP address WAN_IP on the WAN1 side. 2. Assign a private IP address to the FTPServe
33. messages in three round trips: SA negotiation, a Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number). This mode features identity protection: your identity is not revealed in the negotiation. Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties negotiate authentication (phase 1). However, the trade-off is that the faster speed limits its negotiating power, and it also does not provide identity protection. It is useful in remote-access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication. Pre-Shared Key: A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with the other party before you can communicate with them over a secure connection. Diffie-Hellman (DH) Key Groups: Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. The 768-bit Group 1 (DH1) and 1024-bit Group 2 (DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. Perfect Forward Secrecy (PFS): Enabling PFS mean
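The IKE phase-1 key agreement described above, as an added example that is not D-Link code and not part of the manual: a Diffie-Hellman exchange in the 1024-bit Group 2 modulus, a derived key that depends on the pre-shared key (so peers holding different keys end up with different key material), and the effect of PFS on the quick-mode key. The prf (HMAC-SHA1), the simplified key derivations, the nonces and the PSK value are assumptions made for illustration; the modulus is the RFC 2409 Group 2 value and should be checked against the RFC before any reuse.

```python
"""Diffie-Hellman agreement and PFS as used in IKE phase 1 / phase 2.

Added illustration of the IKE concepts in the manual (not D-Link code; it does
not talk to a DFL-1500). The modulus is the 1024-bit MODP group that IKE calls
DH Group 2 (RFC 2409); verify it against the RFC before reusing it. The PSK, the
nonces and the simplified prf-based derivations are constructed for the example.
"""
import hashlib
import hmac
import secrets

# IKE DH Group 2 (1024-bit MODP) prime and generator, as listed in RFC 2409.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_BYTES = (GROUP2_P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, the prf of an IKE SA negotiated with the SHA1 hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One VPN gateway: knows a pre-shared key and its current ephemeral DH exponent."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self._priv = None

    def new_dh_value(self) -> int:
        """Pick a fresh private exponent x and return g^x mod p to send to the peer."""
        self._priv = secrets.randbelow(GROUP2_P - 3) + 2   # 2 <= x <= p-2
        return pow(GROUP2_G, self._priv, GROUP2_P)

    def dh_secret(self, peer_value: int) -> bytes:
        """g^xy mod p. Reject 0, 1 and p-1: they would force a predictable secret."""
        if not 1 < peer_value < GROUP2_P - 1:
            raise ValueError("invalid DH public value from peer")
        return pow(peer_value, self._priv, GROUP2_P).to_bytes(P_BYTES, "big")


def ike_phase1(init: Peer, resp: Peer, nonce_i: bytes, nonce_r: bytes):
    """Main-mode key material: DH exchange, then SKEYID = prf(PSK, Ni | Nr) and a
    derived key mixing SKEYID with g^xy (a simplified SKEYID_d).
    Returns each side's result; they match only if both sides hold the same PSK."""
    g_i = init.new_dh_value()
    g_r = resp.new_dh_value()
    key_i = prf(prf(init.psk, nonce_i + nonce_r), init.dh_secret(g_r))
    key_r = prf(prf(resp.psk, nonce_i + nonce_r), resp.dh_secret(g_i))
    return key_i, key_r


def ike_phase2_key(phase1_key: bytes, init: Peer, resp: Peer, pfs: bool) -> bytes:
    """Quick-mode key for one IPSec SA. Without PFS it depends on phase-1
    material only; with PFS a fresh DH exchange is mixed in."""
    if not pfs:
        return prf(phase1_key, b"quick-mode")
    g_i = init.new_dh_value()
    g_r = resp.new_dh_value()
    fresh = init.dh_secret(g_r)
    assert fresh == resp.dh_secret(g_i)
    return prf(phase1_key, b"quick-mode" + fresh)


def key_recoverable_from_phase1(phase1_key: bytes) -> bytes:
    """What a party holding only the phase-1 key can compute: exactly the
    non-PFS quick-mode key. The PFS key additionally needs the fresh g^xy."""
    return prf(phase1_key, b"quick-mode")


if __name__ == "__main__":
    dfl1 = Peer("DFL_1", b"1234567890")   # PSK value from the manual's example
    dfl2 = Peer("DFL_2", b"1234567890")
    k_i, k_r = ike_phase1(dfl1, dfl2, secrets.token_bytes(16), secrets.token_bytes(16))
    print("phase-1 keys agree:", k_i == k_r)
    print("PFS keys differ per SA:",
          ike_phase2_key(k_i, dfl1, dfl2, True) != ike_phase2_key(k_i, dfl1, dfl2, True))
```

The point of the last two functions is the PFS choice in the manual's Advanced IKE page: without PFS, every quick-mode key is a function of the phase-1 key alone, so one compromised phase-1 key exposes all later SAs, whereas with PFS each SA also needs its own ephemeral DH secret.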
34. must enable remote management first. Enable the specified port so that you can log in from the configured port. Step 1: Enable remote management (SYSTEM TOOLS > Remote Mgt > TELNET). Check the selected port in the telnet function and customize the server port on which the telnet service listens. Step 2: Enable remote management (SYSTEM TOOLS > Remote Mgt > SSH). Check the selected port in the ssh function and customize the server port on which the ssh service listens. Click Apply. A.2 CLI commands list. Subsequently we can use the console, ssh or telnet to connect to the DFL-1500. After logging in to the system successfully we can use the CLI commands to configure the DFL-1500. The complete CLI commands are described as follows. Non-privileged mode (Main commands, Sub commands, Example, Command description). Table A-1: Non-privileged mode CLI commands. Note: If you don't know which parameter follows a command, just type the command on its own (for example, ip); it will show all the valid suffix parameters of ip. Privileged mode (Main commands, Sub commands, Example, Command description): disable (dis): disable: Turn off privileged mode. exit (ex): exit: Exit the command shell. ip: Configure IP related settings. arp: Show the IP
35. rule. Source IP & Netmask (example: PC1_1, 192.168.40.1 / 255.255.255.255). Status: Enable the firewall rule for later use. Name: The name of the firewall rule. Source IP & Netmask: Compared with the incoming packets, whether the Source IP/Netmask is matched or not. Dest IP & Netmask: Compared with the incoming packets, whether the Dest IP/Netmask is matched or not (example: 0.0.0.0 / 0.0.0.0). Service: Verify which service the packet belongs to: TCP, UDP, ICMP or Any (example: Any). Action (Forward/Block the matched packet): If a packet matches the rule condition, Forward or Block this matched packet. Log (Don't log/Log the matched packet): If a packet matches the rule condition, Log or Don't log this matched packet. Table 8-1: Insert a Firewall rule. Step 4: View the Firewall Log (DEVICE STATUS > Firewall Logs > Firewall Logs). You can go to DEVICE STATUS > Firewall Logs > Firewall Logs to view the firewall logs. If you prefer to download these logs, click the Download To Local button to save them. Example firewall log entries (Time, Source, Destination, Action): 2003-11-10 13:51:50, 192.168.40.1:49161, 140.113.1.1:21, Block; 2003-11-10 13:51:53, 192.168.40.1:49161, 140.113.1.1:21, Block; 2003-11-10 13:51:56, 192.168.40.1:49161, 140.113.1.1:21, Block; 2003-11-10 13:51:59, 192.168.40.1:49161, 140.113.1.1:21, Block; 2003-11-10 13:52:03, 192.168.40.1:49161, 140.113.1.1:21, Block. 8.4.2 Setup Alert for detected attacks. Step 1: Setup Attack Alert
36. rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500 and accomplish the VPN tunnel establishment. At DFL_2: ADVANCED SETTINGS > Firewall > Edit Rules (Firewall > Edit Rules): Edit WAN1 to LAN1 rules; default action for this packet direction: Block, Log. Packets are matched top-down by the rules: 1, Active, Default, WAN1 to LAN1, Any, Any, Any, Block. ADVANCED SETTINGS > Firewall > Edit Rules > Insert (Firewall > Edit Rules > Insert): Insert a new WAN1 to WAN1 Firewall rule; Activate this rule; Rule name: AllowVPNIKE rule; Source IP 192.168.88.0, Netmask 255.255.255.0; Dest IP 192.168.40.0, Netmask 255.255.255.0; Service: Any (Configure dest port: Type Single or Range, Dest Port FTP 21). ADVANCED SETTINGS > Firewall > Edit Rules (Firewall > Edit Rules): Edit WAN1 to LAN1 rules; default action for this packet direction: Block, Log. Packets are matched top-down by the rules: 1, Active, AllowVPNIKE rule, WAN1 to LAN1, 192.168.88.0 / 255.255.255.0, 192.168.40.0 / 255.255.255
37. the DMZ1 IP Alias settings. Set up the IP Address and IP Subnet Mask and decide whether you would like to enable the DHCP Server. Then select the Routing Protocol. Click Apply to finish this setting (example values: IP Subnet Mask 255.255.255.0; IP Pool Starting Address 10.1.1.1). Primary DNS Server: Specify the Primary DNS Server IP address given out in the DHCP information (example: 10.1.1.254). Secondary DNS Server: Specify the Secondary DNS Server IP address given out in the DHCP information. Lease time (sec): Specify the lease time of the DHCP information. Routing Protocol: Determine whether to enable the dynamic routing protocol RIP, whether to receive RIP messages, and whether to send out RIP messages. OSPF Area ID: Specify the OSPF area ID number. Table 3-2: Configure DMZ network settings. Step 2: Setup LAN port (BASIC SETUP > LAN Settings > LAN1 Status). Here we are going to configure the LAN1 settings. Set up the IP Address and IP Subnet Mask and decide whether you would like to enable the DHCP Server. Then select the Routing Protocol. Click Apply to finish this setting (example values: IP Address 192.168.40.254; IP Subnet Mask 255.255.255.0; IP Pool Starting Address 192.168.40.100; Primary DNS Server 192.168.40.254; Routing Protocol: send out RIP messages or not). Table 3-3: Configure LAN network settings. 3.4.3 Setup WAN1 IP alias. Step 1: Add WAN1 IP alias
38. 0, Any, Forward, N; Default, Any, Block, Y (Edit, Delete, Move Before). Here we will install the IPSec properties of DFL_2. Note that the Local Address and Remote Address fields are the opposite of those on DFL_1, and so are the My IP Address and Security Gateway Addr fields. Step 1: Enable IPSec. Check the Enable IPSec checkbox and click Apply. Step 2: Add an IKE rule. Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Step 3: Customize the rule. Check the Active checkbox. Enter a name for this rule, like IKErule. Enter the Local IP Address 192.168.88.0 / 255.255.255.0 and the Remote IP Address 192.168.40.0 / 255.255.255.0. Enter the My IP Address as the public IP address of this Firewall/VPN Router (210.2.1.1). Enter the public IP of the opposite-side VPN gateway (61.2.1.1) in the Security Gateway Addr. Click the ESP Algorithm and select Encrypt and Authenticate DES/MD5. Enter the Pre-Shared Key as 1234567890. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message. ADVANCED SETTINGS > VPN Settings > IPSec (IPSec, PPTP, L2TP): Enable IPSec; IKE, Manual Key; Edit/Modify IPSec Security Associations (Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Security Gateway, Edit, Dele
39. 0 NAT rule for Basic DMZ1 added; 2003-12-31 09:37:57, DFL-1500, SYSTEM, S5 HTTP started; 2003-12-31 09:37:58, DFL-1500, SYSTEM, S6 HTTPS started; 2003-12-31 09:42:58, 192.168.17.170, AUTH, 41 admin login success 192.168.17.172:443; 2003-12-31 09:43:12, 192.168.17.170, AUTH, 42 admin logout 192.168.17.172:443; 2003-12-31 09:43:19, CLI, AUTH, admin login from console success; 2003-12-31 09:43:21, CMD, CLI, CLI enable (Download To Local; Refresh; entries per page; Page 1 of 3). FIELD / DESCRIPTION / EXAMPLE: Time: The time at which the specified system event occurred (example: 2003-12-31 09:37:54). Source IP: The source of the specified system event (example: DFL-1500). Access: The type of the specified system event (example: SYSTEM). Info: The description of the system log entry (example: S1 Wall Startup). 19.4.2 Syslog & Mail log. Step 1: Setup Syslog Server (DEVICE STATUS > Log Config > Syslog Server). Set up the syslog server by checking Enable Syslog Server. This lets the DFL-1500 send logs to the syslog server specified in the Syslog Server IP Address field. Table 19-1: Setup the Syslog Server. Step 2: Setup Mail Log method (DEVICE STATUS > Log Config > Mail Logs). Fill in the IP address of the Mail Server and the Mail Subject. Also fill in your e-mail address for receiving logs. Select the preferred Log Schedule to mail out logs. Click the Apply button to finish the settings (example: Mail Server 10.1.1.1, Subject Log Report, mis@dlink.com, Daily).
40. 0 at 10.1.1.1 to connect to https://10.1.1.254. In the DMZ_1 region, use a PC located at 10.1.1.x to connect to the DFL-1500 DMZ1 port 10.1.1.254. Type https://10.1.1.254 in the web browser to configure the DFL-1500. Step 2: Setup LAN1 IP information (BASIC SETUP > LAN Settings > LAN1 Status). Enter the IP Address and IP Subnet Mask as 192.168.40.254 / 255.255.255.0 and click Apply (screen values: 192.168.40.254, 255.255.255.0, 192.168.40.100, 192.168.40.254, 0.0.0.0, 7200). 2.2.2 From CLI (command line interface) to configure the DFL-1500 LAN1 network settings. Step 1: Use the Console port to configure the DFL-1500. Use the supplied console cable to connect the PC to the Diagnostic RS-232 socket of the DFL-1500. Start a new connection using HyperTerminal with the parameters no parity, 8 data bits, 1 stop bit and baud rate 9600. Enter admin for the user name and admin for the password to log in. After logging in to the DFL-1500, enter the command en to enter privileged mode, then enter the command ip ifconfig INTF3 192.168.40.254 255.255.255.0 to change the IP of the LAN1 interface (console session: DFL-1500> en, then ip ifconfig INTF3 192.168.40.254 255.255.255.0). Chapter 3: Basic Setup. In this chapter we introduce how to set up the network settings for each port separately. Demand: For the ex
41. Chapter 2: System Overview. In this chapter we introduce the network topology used in later chapters. 2.1 Typical Example Topology. In this chapter we introduce a typical network topology for the DFL-1500. In Figure 2-1, the left half is a DFL-1500 with one LAN, one DMZ and two WAN links. Notice that there are five ports on the DFL-1500; in this topology we use only one LAN. The right half contains a DFL-1500 connected with one LAN, one DMZ and one WAN. In this architecture, Organization_1 communicates with Organization_2 through a VPN tunnel established by the two DFL-1500 Firewall/VPN routers. The VPN tunnel secures the communications between the organizations. On the Internet side there are a Web server, a Mail server, a DHCP server and an FTP server for testing the content filters and the bandwidth management system. Figure 2-1: Typical example topology (Organization_1: DMZ_1 10.1.1.1 to 10.1.1.253, DMZ1_IP 10.1.1.254, LAN1_IP 192.168.40.254, LAN_1 192.168.40.1 to 192.168.40.253, PC1_1 192.168.40.1 as DHCP client; Organization_2: DMZ_2 in 10.1.1.x, LAN_2 192.168.88.x with PC2_1 192.168.88.1 and PC2_2 192.168.88.2; Internet: DHCPServer2 140.114.179.84, WebServer3, MailServer and FTPServer2 in 140.112.1.x; VPN tunnel across the ISP/Internet). Figure 2-1 Typical
42. 10.1.1.1 (DHCP feature); Pool Size 20; Primary DNS Server 10.1.1.254; Secondary DNS Server 0.0.0.0; Lease time (sec) 7200; Routing Protocol None; OSPF Area ID; Apply; Reset. Step 3: Apply the Changes. Click Apply to save your settings. Step 4: Check NAT Status (ADVANCED SETTINGS > NAT > Status; tabs: Status, NAT Rules, Virtual Servers, NAT Sessions). The default NAT setting is Basic Mode. After applying Step 3, NAT is automatically configured with three rules to let all private-IP LAN/DMZ-to-WAN requests be translated with the public IP assigned by the ISP. Network Address Translation (NAT) translates the IP/port for: 1. LAN/DMZ-to-WAN traffic: map private source IPs and ports to the DFL-1500's WAN public IPs and ports. 2. LAN/WAN-to-DMZ traffic: map public destination IPs and ports to the DMZ servers' private IPs and ports. Modes: 1. None: the DFL-1500 is in routing mode without performing any address translation. 2. Basic: the DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnets. 3. Full Feature: the DFL-1500 can be manually configured with Many-to-One, Many-to-Many, One-to-One and bidirectional One-to-One rules to do policy-based NAT. Total Configured Rules: 3; Vacant Rules: 197. Step 5: Check NAT Rules (ADVANCED SETTINGS > NAT > NAT Rules). The DFL-1500 has added three NAT rules. The
43. Chapter 16: Intrusion Detection Systems. This chapter introduces the Intrusion Detection System (IDS) and explains how to implement it. 16.1 Demands: Although the firewall settings are correct, there may still be crackers intruding into our system. Crackers hack into our system through firewall-allowed channels with sophisticated skills. Most often they attack specific application servers, such as the SNMP, Web and FTP services in your DMZ. 16.2 Objectives: 1. Detect any attacks towards our DMZ servers. 2. Instantly notify our network administrators of what attacks have been detected. Figure 16-1: A cracker on the Internet tries to hack our company (Organization_1: DMZ_1 10.1.1.1 to 10.1.1.253 with WebServer1 and MailServer1, DMZ1_IP 10.1.1.254, LAN1_IP 192.168.40.254, WAN1_IP 61.2.1.1; a host 140.113.179.2 on the Internet). 16.3 Methods: 1. Specify where our Web server is located to let the IDS on the DFL-1500 focus more on the attacks. 2. Set up logs to be e-mailed to the specified e-mail address when the log is full. You can also set daily/weekly e-mails to periodically monitor the IDS logs. 16.4 Steps. Step 1: Enable IDS (ADVANCED SETTINGS > IDS > IDS Status). Check the Enable IDS checkbox. Enter the DMZ IP subnet and the designated HTTP server. The subnets are specified in forms like 192.168.40.0/24 and 10.1.1.1/32. Check all options and click the Apply button (example: 192.168.40.0/24, 10.1.1
44. 3 kbps. 17.3 Methods: 1. Partition the inbound bandwidth (1.544 Mbps) into two classes, the FTP and the Video classes. Set the Video class to obtain 441 kbps (29%). Set the FTP class to obtain 1019 kbps and set it to be able to borrow any available bandwidth from others. 2. Partition the outbound bandwidth (1.544 Mbps) into two classes, the LANa_to_LANb (65%, 1003 kbps) and the outFTP (30%, 463 kbps) classes. Set the LANa_to_LANb class to obtain 1 Mbps and set it to be able to borrow from other bandwidth. 17.4 Steps. 17.4.1 Inbound Traffic Management. Step 1: Enable Bandwidth Management (ADVANCED SETTINGS > Bandwidth Mgt > Status; tabs: Status, Edit Actions, Edit Rules, Show Rules, Summary). Check the Enable Bandwidth Management checkbox and click Apply. FIELD / DESCRIPTION / EXAMPLE: Enable Bandwidth Management: Enable the Bandwidth Management feature of the DFL-1500. Apply: Apply the settings which have been configured. Reset: Clear the filled-in data and restore the original values. Table 17-1: Setup status page of Bandwidth Management. Step 2: Setup the LAN1 Link (ADVANCED SETTINGS > Bandwidth Mgt > Edit Actions). Select ANY to LAN1 to set up the traffic that will be transmitted by the LAN1 interface. Enter the LAN1 interface bandwidth as 1544 kbps. Click the Apply button to enforce the LAN1 link bandwidth to be 1544 kbps. In the table, the root class represents the whole bandwidth of the link
45. 500 is changed, it will send requests to the DDNS server to refresh the DNS record. As Figure 4-1 demonstrates, DFL_1 originally registered its WAN1 IP address 61.2.1.1 on the DDNS server www.dyndns.org; its domain name is me.dyndns.org. If the WAN1 IP address is reassigned by the ISP, DFL_1 will update the registered IP address 61.2.1.1 to the newly assigned one. This is the basic mechanism of DDNS. Figure 4-1: DDNS mechanism chart (DFL_1, with dynamic WAN1 IP 61.2.1.1, updates me.dyndns.org on the DDNS server over the Internet, and the DNS record is refreshed). 3. DNS Proxy: After activating the DNS proxy mode, the client can set its DNS server to the DFL-1500, that is, send its DNS requests to the DFL-1500. The DFL-1500 will then make the enquiry to the DNS server and return the result to the client. Besides, the caching mechanism performed by the DNS proxy can also help reduce possible duplicate DNS lookups. As Figure 4-2 describes, DFL_1 redirects the DNS request from PC1 to the real DNS server 140.113.1.1. Figure 4-2: DNS Proxy mechanism chart (DFL_1 acts as DNS proxy for PC1; DNS server 140.113.1.1 on the Internet). 4. DHCP Relay: Activate the DHCP relay mode of the DFL-1500 so that the DFL-1500 becomes the relay agent and relays the DHCP broadcasts to the configured DHCP server. As Figure 4-3 describes, DFL_1 redirects the DHCP reque
46. 8:50:fa:bd; Ethernet address 00:80:c8:50:fa:be; wd0: drive supports PIO mode 4; Initialized Security Association Processing; Current WAN1 IP 192.168.17.87 Netmask 0xffffff00; WAN2 link has not been initialized; Gateway 192.168.17.254; Primary DNS 168.95.1.1; Secondary DNS; interfaces at 10/100 Mb/s; Resuming NAT/RMS/FW settings; Starting Web-based Configurator; HTTP started; HTTPS started; Wed Sep 10 18:13:23 2003; NetOS/i386 (DFL-1500) (tty00) login:. 20.3 Steps for Firmware upgrade from the Web GUI. Step 1: Download the newest firmware from the firmware upgrade web site http://fwupdate.dlinktw.com.tw. Step 2: Upgrade firmware. In the System Tools > Firmware Upgrade page, select the path of the firmware through the Browse button and check Preserve Current System Settings to keep the original settings. Click the Upload button to upgrade the firmware (the example shows a local firmware file for release 1.43R). 20.4 Steps for Factory Reset. 20.4.1 Steps for NORMAL factory reset. Step 3: Factory reset. Enter sys resetconf now to reset the firmware to the factory default. Then enter sys reboot now to instantly reboot the system (console session: NetOS/i386 (DFL-1500) (tty00) login: admin; Password:; Welcome to DFL-1500 Firewall/VPN Router; DFL-1500> en; then sys resetconf now; Resetting Configuration to default: DONE; Please reboot the system
47. Address 192.168.40.0 / 255.255.255.0 and the Remote IP Address 192.168.88.0 / 255.255.255.0. Enter the My IP Address as the public IP address of this Firewall/VPN Router (61.2.1.1). Enter the public IP of the opposite-side VPN gateway (210.2.1.1) in the Security Gateway Addr. Click the ESP Algorithm and select Encrypt and Authenticate DES/MD5. Enter the Pre-Shared Key as 1234567890. Click the Apply button to store the settings. Note: in the Action region you should choose either ESP Algorithm or AH Algorithm, or the system will show an error message. If you wish to set the detailed IKE parameters, click the Advanced button on this page; otherwise it is fine to leave the default values. FIELD / DESCRIPTION: Status: This field activates this IPSec policy rule. IKE Rule Name: The name of this IPSec policy. Condition: Local Address Type: Determine the method of connecting the local side of the VPN, by the local subnet or a local single host. IP Address: The local IP address. Prefix Len / Subnet Mask: The local IP netmask. Remote Address Type: Determine the method of connecting the remote side of the VPN, by the remote subnet or a remote single host. IP Address: The remote IP address. Prefix Len / Subnet Mask: The remote IP netmask. Action: Negotiation Mode: Choose Main or Aggressive mode (see Chapter 9 for details). Encapsulation Mode: Choose Tunnel or Transport mode (see Chapter 9 for details). My IP Address: The IP
48. Click Run Setup Wizard (BASIC SETUP > Wizard). Welcome to the DFL-1500 Web-Based Configurator. Basic Setup: Connect to the Internet and configure your Intranet using the Setup Wizard, the WAN, LAN and DMZ settings and the DHCP Server settings. Advanced Settings: Access the advanced features including IPSEC tunneling, L2TP and PPTP Servers, NAT, Virtual Server, Static/Policy Routing, Firewall, Web/Mail/FTP Content Filters, Intrusion Detection, Bandwidth Management and Special Applications. System Tools: Perform firmware upgrade, back up and restore settings to and from the local hard drive, load default settings and reboot your VPN router. Device Status: Display the device IP/MAC addresses and Firmware Version, System Log, Routing Table, Traffic Statistics, NAT Sessions and VPN Traffic Statistics. Help: Get help about your VPN router. Setup Wizard: A step-by-step setup wizard will guide you to configure your VPN router to connect to your ISP (Internet Service Provider). Run Setup Wizard. Step 3: System Name (BASIC SETUP > Wizard). Enter the Host Name and the Domain Name, followed by clicking Next (example host name: DFL_1). Step 4: WAN Connectivity (BASIC SETUP > Wizard > Next). To set up the first WAN link, make WAN1 the System Default WAN link. Choose the type of IP Address Assignment provided by your ISP to access the Internet. Here we have four types to select from; this will determine how the I
D-Link DFL-1500 VPN/Firewall Router User Manual
D-Link: Building Networks for People

Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
DFL-1500 User Manual, Version 0.4, January 30, 2004
Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance: FCC Class A Part 15, CSA CUS

Table of Contents
Part I Basic Configuration ... 2
Chapter 1 Quick Start ... 3
 1.1 Before You Begin ... 3
 1.2 Check Your Package Contents ... 3
 1.3 Default Settings ... 3
 1.4 [title illegible in source] ... 4
 1.5 [title illegible in source] of DFL-1500 ... 6
 1.6 Using the Setup Wizard ... 6
 1.7 Internet Connection ... 9
  1.7.1 LAN1 to WAN1 connectivity ... 9
  1.7.2 WAN1 [title illegible in source] ... 10
Chapter 2 System Overview ... 13
 2.1 Typical Example Topology ... 13
 2.2 Change the LAN1 settings ... 13
  2.2.1 From DMZ to configure DFL-1500 LAN1 network setting ... 14
  2.2.2 From CLI (command line interface) to configure DFL-1500 LAN
  [continued] ... 79
 12.4 Steps ... 80
  12.4.1 Setup L2TP Network Server ... 80
Part IV Content Filters ... 84
Chapter 13 Content Filtering: Web Filters ... 85
 13.1 Demands ... 85
 13.2 Objectives ... 86
 13.3 Methods ... 86
 13.4 Steps ... 87
Chapter 14 Content Filtering: Mail Filters ... 93
 14.1 Demands ... 93
 14.2 Objectives ... 93
 14.3 Methods ... 93
 14.4 Steps for SMTP Filters ... 94
 14.5 Steps for POP3 Filters ... 95
Chapter 15 Content Filtering: FTP Filter ... 97
 15.1 Demands ... 97
 15.2 Objectives ... 97
 15.3 Methods ... 97
 15.4 Steps ... 98
Part V Intrusion Detection System ... 100
Chapter 16 Intrusion Detection Systems ... 101
 16.1 Demands ... 101
 16.2 Objectives ... 101
 16.3 Methods ... 101
 16.4 Steps ... 102
Part VI Bandwidth Management ... 104
Chapter 17 Bandwidth Management ... 105
 17.1 Demands ... 105
 17.2 Objectives ... 106
 17.3 Methods ... 106
 17.4 Steps ... 107
  17.4.1 Inbound Traffic Management ... 107
  17.4.2 Outbound Traffic Management ... 111
Part VII System Maintenance ... 114
Chapter 18 System Status ... 115
 18.1 Demands ... 115
 18.2 Objectives ... 115
 18.3 Methods
FIELD / DESCRIPTION / EXAMPLE (continued)
Enable keyword blocking: Check Enable keyword blocking and a web page is blocked if any of the keywords you have added appears in the page. (Enabled)
Limit at __ matches: Limit at 3 matches means that a web page is blocked as soon as any one of the added keywords appears three or more times. (3 matches)
Keyword: Specify the keyword that you want to block. (sex, violence)
Table 13.8 Web Filter Content Keywords setting page
92

Chapter 14 Content Filtering: Mail Filters
This chapter introduces the SMTP and POP3 proxies and explains how to implement them.

14.1 Demands
Sometimes malicious scripts, such as .vbs files, arrive as e-mail attachments. If a user accidentally opens such a file, the computer may be infected with a virus.

14.2 Objectives
Modify the filename extension of suspicious e-mail attachments so that the receiver notices that the file cannot be opened directly: the operating system no longer recognizes the extension, so a double-click does not run the script. This is a nuisance barrier rather than a block; the filter looks only at the filename, not the content, and a user can still rename the file back.

14.3 Methods
1. Set up SMTP filters for outgoing e-mail from PC1_1 in LAN1 towards the mail server in DMZ1 or in WAN1, appending .bin to all .vbs attachments. Use PC1_1 to send an e-mail with a .vbs attachment to test the configuration.
2. Set up POP3 filters for incoming e-mail from a mail server in WAN1 or in DMZ1 to the PC in LAN1, appending .bin to all .vbs attachments.
Filter (ADVANCED SETTINGS > Content Filters > FTP Filter > FTP > Add). Enter mp3 in the Name field and select Extension Name in the Blocked Type field. Click Add to apply the change. Users in the LANs can now no longer download mp3 files over FTP through the DFL-1500. Note that the filter keys on the filename only: a renamed file, or a transfer over a protocol other than FTP, is not caught.
FIELD / DESCRIPTION / EXAMPLE
Name: The file extension or the exact filename to block. (mp3)
Blocked Type: Extension Name blocks the download from the FTP server when the extension of the downloaded file matches; Full Name blocks it when the exact filename of the downloaded file matches. (Extension Name)
Table 15.2 FTP Filter: FTP adding filter entry
98

Step 3 Add an Exempt Zone (ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone > Add). Add a new Exempt Zone record whose IP address range is 192.168.40.10 to 192.168.40.30; hosts in this range are not subject to the FTP filter.
FIELD / DESCRIPTION / EXAMPLE
From Address: Start of the exempt zone's IP address range. (192.168.40.10)
To Address: End of the exempt zone's IP address range. (192.168.40.30)
Table 15.3 FTP Filter: add an exempt zone entry

Step 4 Show the Exempt Zones (ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone). Here we can see that the newly added Exempt Zone record appears.
99

Part V Intrusion Detection System
100

Chapter
1 network settings ... 14
Chapter 3 Basic Setup ... 15
 3.1 Demands ... 15
 3.2 Objectives ... 15
 3.3 Methods ... 15
 3.4 Steps ... 15
  3.4.1 Setup WAN1 ... 16
  3.4.2 Setup DMZ1/LAN1 Status ... 17
  3.4.3 [title illegible in source] ... 19
Chapter 4 System Tools ... 21
 4.1 Demands ... 21
 4.2 Objectives ... 21
 4.3 Methods ... 21
 4.4 Steps ... 24
  4.4.1 General Setting ... 24
  4.4.2 DDNS Setting ... 26
  4.4.3 DNS Proxy Setting ... 27
  4.4.4 DHCP Relay ... 27
  4.4.5 Change DFL-1500 [title illegible in source] ... 28
  4.4.6 SNMP Control ... 28
Chapter 5 Remote Management ... 31
 5.1 Demands ... 31
 5.2 Methods ... 31
 5.3 Steps ... 32
  5.3.1 Telnet ... 32
  5.3.2 WWW ... 32
  5.3.3 SNMP ... 32
  5.3.4 ICMP ... 32
Part II NAT/Routing ... 34
Chapter 6 NAT ... 35
 6.1 Demands ... 35
 6.2 Objectives ... 35
 6.3 Methods ... 36
 6.4 Steps ... 36
  6.4.1 Setup Many-to-One NAT rules ... 36
  6.4.2 Setup Virtual Server for the [illegible] server ... 40
Chapter 7 Routing ... 45
 7.1 Demands ... 45
 7.2 Objectives ... 45
 7.3 Methods ... 46
 7.4 Steps ... 46
  7.4.1 Add
Encryption Key (hex): 1122334455667788
Authentication: MD5 (md5/sha1, 128/160 bits), Key (hex): 11112222333344445555666677778888
AH Authentication: md5/sha1 (128/160 bits), Key
Advanced, Apply
(ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add; tabs IPSec, PPTP, L2TP)

After Apply the device shows a warning dialog:
1. If you enable the firewall, please check whether the firewall rules would block packets in the tunnel.
2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets.
3. The source address/mask and the destination address/mask of the firewall rule are 192.168.88.0/255.255.255.0 and 192.168.40.0/255.255.255.0 respectively.
72

Manual-key caveats: the keys are typed in hex and must be byte-for-byte identical on both gateways (an 8-byte DES key and a 16-byte MD5 key in this example). Manual keys are never rotated, so everything ever sent through the tunnel is exposed if the key leaks, and DES itself is no longer considered adequate. Prefer the IKE method with a strong pre-shared key where both ends support it, and generate any manual key from a random source rather than from patterns like the ones shown here.

Step 5 Add a Firewall rule. Same as in the IKE method: make sure the Firewall is enabled, and select WAN1 to LAN1 to display the rules for this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click Insert to add a firewall rule before the default rule.
Step 6 Customize the Firewall rule. Check Activate this rule. Enter the Rule Name AllowVPNIKErule, the Source IP 192.168.88.0 (the remote LAN) and the Dest IP 192.168.40.0 (our LAN1), which are the addresses the warning dialog above lists for this direction, and click Apply to store this rule. Inbound tunnel traffic in the WAN1 to LAN1 direction carries the remote subnet as source; a rule with the two addresses swapped never matches it.
Step 7 View the result. Now we have inserted a new rule before the default firewall rule. Any packets from 192.168.88.0/24 to 192.168.40.0/24
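The authentication half of the manual-key SA above can be checked offline. The following is an added example, not D-Link code: it validates the hex key lengths the Manual Key page expects for DES, 3DES, MD5 and SHA1, builds an ESP packet whose ICV is HMAC-MD5-96 (RFC 2403, the first 96 bits of HMAC-MD5 over SPI, sequence number and encrypted payload), and shows that a tampered packet or a mismatched key on the peer fails verification. The key values are the ones from the screenshot, the SPI 0x1000 is an assumption, and the DES ciphertext is a constructed placeholder (DES is not implemented here).

```python
import hashlib
import hmac
import struct

# Added example (not D-Link code). Models the authentication side of a
# manual-key ESP SA.  Key lengths per algorithm (bytes):
KEY_LENGTHS = {"des": 8, "3des": 24, "md5": 16, "sha1": 20}


def parse_key(alg: str, hex_key: str) -> bytes:
    """Decode the hex key typed into the GUI and enforce the exact length."""
    key = bytes.fromhex(hex_key)
    need = KEY_LENGTHS[alg]
    if len(key) != need:
        raise ValueError(f"{alg} key must be {need} bytes ({need * 8} bits), got {len(key)}")
    return key


def key_length_error(alg: str, hex_key: str) -> str:
    """Return the validation error text, or '' if the key is acceptable."""
    try:
        parse_key(alg, hex_key)
        return ""
    except ValueError as exc:
        return str(exc)


def esp_icv(auth_alg: str, key: bytes, spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA1-96: HMAC over SPI + seq + payload, truncated to 96 bits."""
    digest = {"md5": hashlib.md5, "sha1": hashlib.sha1}[auth_alg]
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + encrypted_payload, digest).digest()[:12]


def build_esp(auth_alg: str, key: bytes, spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """Sender side: ESP header, (already encrypted) payload, then the ICV."""
    return struct.pack("!II", spi, seq) + encrypted_payload + esp_icv(auth_alg, key, spi, seq, encrypted_payload)


def verify_esp(auth_alg: str, key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV with the local manual key; constant-time compare."""
    if len(packet) < 8 + 12:
        return False
    spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[8:-12], packet[-12:]
    return hmac.compare_digest(icv, esp_icv(auth_alg, key, spi, seq, body))


# Values from the manual's screenshot; example keys only, never deploy them.
ENC_KEY_HEX = "1122334455667788"
AUTH_KEY_HEX = "11112222333344445555666677778888"
SPI = 0x1000  # assumed SPI for the example


def demo() -> dict:
    auth_key = parse_key("md5", AUTH_KEY_HEX)
    parse_key("des", ENC_KEY_HEX)          # length check only; DES not implemented here
    payload = b"\x00" * 40                 # constructed stand-in for DES-CBC output
    pkt = build_esp("md5", auth_key, SPI, 1, payload)
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]   # flip one payload bit
    peer_with_typo = parse_key("md5", "11112222333344445555666677778889")
    return {
        "icv_len": len(pkt) - 8 - len(payload),
        "valid": verify_esp("md5", auth_key, pkt),
        "tampered": verify_esp("md5", auth_key, tampered),
        "wrong_key": verify_esp("md5", peer_with_typo, pkt),
    }


if __name__ == "__main__":
    print(demo())
    print(key_length_error("des", "11223344"))
```

The last line of the demo is the practical point of the Manual Key page: a single wrong hex digit on either gateway makes every packet fail authentication silently, with no IKE negotiation to report the mismatch.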
WAN1 to LAN1 rule table (as shown in the source):
 Item  Active  Name             Source IP Address             Dest IP Address               Service  Action   Log
 1     Y       AllowVPNIKErule  192.168.40.0 / 255.255.255.0  192.168.88.0 / 255.255.255.0  Any      Forward  N
       Y       Default          Any                           Any                           Any      Block    Y
Page 1/1
73

Chapter 11 Virtual Private Network: PPTP
This chapter introduces PPTP and explains how to implement it.

11.1 Demands
1. An employee in our company may sometimes want to connect back to the corporate network to work on something. His PC, PC1_1, is in LAN_1 rather than in the DMZ, so he cannot reach it directly with virtual server settings alone. This makes it inconvenient for the employee to work remotely.
2. Our branch office needs to provide a PPTP connection method for internal company employees to connect back to headquarters.

11.2 Objectives
1. With PPTP tunneling, make the mobile employee a member of the LAN after he dials in to the corporate network. He can then access all computers in the LAN just as if he were in the office covered by LAN1.
2. Make sure every employee in the branch office can use the network resources at headquarters as if they were on the same internal network, while keeping the communication secure. (Note that PPTP's security rests on MS-CHAP authentication and MPPE encryption, both of which are now considered weak; where both ends support it, IPSec is the stronger choice.)

Figure 11.1 PPTP method connection (diagram): a mobile employee at 211.54.63.x (DHCP client) dials across the Internet and the ISP to the WAN1 IP of DFL_1 and receives PPTP IP 192.168.40.180; DFL_1's LAN1 IP is 192.168.40.254; PC1_1 is 192.168.40.1 and LAN_1 spans 192.168.40.1 to 192.168.40.253.

11.3 Methods
1. Set up the PPTP server at the DFL-1500. Set up th
Figure 5.1 Some management methods of the DFL-1500 (diagram): a Remote Manager on the WAN side at 140.2.5.1 reaches the WAN1 IP of DFL_1 across the Internet; DMZ1 IP 10.1.1.254 with a DMZ host at 10.1.1.1; LAN1 IP 192.168.40.254 with LAN hosts at 192.168.40.253 and 192.168.40.1.
31

5.3 Steps
5.3.1 Telnet
Step 1 Setup Telnet (SYSTEM TOOLS > Remote Mgt > TELNET; other tabs: SSH, WWW, HTTPS, SNMP, MISC). Check the WAN1 checkbox, click Selected under Secure Client IP Address, enter the specific IP address 140.2.5.1 that is allowed to access the DFL-1500, and click Apply.
Caveat: Telnet carries the administrator password in clear text across the WAN. Use SSH or HTTPS for management from the WAN side, and always restrict the client address rather than allowing All.

5.3.2 WWW
Step 1 Setup WWW (SYSTEM TOOLS > Remote Mgt > WWW). Check the LAN1 checkbox and enter the new server port, 8080, that the user's browser will use: http://192.168.40.254:8080. Click Apply. If you are configuring the DFL-1500 over HTTP, your browser is then automatically redirected to the new server port.

5.3.3 SNMP
Step 1 Setup SNMP (SYSTEM TOOLS > Remote Mgt > SNMP). Check the LAN1 checkbox. In the Secure Client Address field, if you prefer to allow only a specific IP address, click Selected and enter the IP address that may read the SNMP MIBs of the DFL-1500. Here we click All, that is, no restriction on the client IP range. Finally click Apply.

5.3.4 ICMP
Step 1 Setup ICMP (SYSTEM TOOLS > Remote Mgt > MISC). Uncheck the WAN1 and WAN2 checkboxes and
NAT rules by yourself.
37

Step 4 Customize NAT Rules (ADVANCED SETTINGS > NAT > NAT Rules; other tabs: NAT Sessions, Virtual Servers, Server Status, Sessions). In Full Feature mode the rules can be further customized. Incoming packets from the LAN/DMZ zones are matched top-down against the NAT rules; that is, NAT implements first match. Select the rule item you want to work with, then insert a new rule before it, delete it, or move it before the item chosen in the list box.
 Item  Active  Name       Direction       Source IP Address               Translate Src IP into
 01    Y       BasicDMZ1  LAN/DMZ to WAN  10.1.1.254 / 255.255.255.0      Auto (device WAN IP)
 02    Y       BasicLAN2  LAN/DMZ to WAN  192.168.2.254 / 255.255.255.0   Auto (device WAN IP)
 03    Y       BasicLAN1  LAN/DMZ to WAN  192.168.40.254 / 255.255.255.0  Auto (device WAN IP)

Step 5 Insert NAT Rule
Step 5.a Insert a Many-to-One rule. As described above, Many-to-One NAT is the default NAT rule type in Basic mode. If you have other alias LAN/DMZ subnets, you can manually add a Many-to-One NAT rule for them. First select the Type as Many-to-One, check Activate this rule, enter a Rule name, enter the private IP subnet (an IP address with a netmask) to be translated, and enter the public IP address to translate into. You can check Auto choose IP from WAN ports; the DFL-1500 will then automatically determine which WAN IP is to be translat
Naci Kasim Sk. No. 5, Mecidiyekoy, Istanbul, Turkey. TEL +90 212 213 3400, FAX +90 212 213 3420, E-MAIL smorovati@dlink-me.com
U.A.E.: D-Link Middle East, CHS Aptec (Dubai), P.O. Box 33550, Dubai, United Arab Emirates. TEL +971 4 366 885, FAX +971 4 355 941, E-MAIL wxavier@dlink-me.com
U.K.: D-Link Europe (United Kingdom) Ltd, 4th Floor, Merit House, Edgware Road, Colindale, London NW9 5AB, United Kingdom. TEL +44 (0)20 8731 5555, SALES +44 (0)20 8731 5550, FAX +44 (0)20 8731 5511, SALES FAX +44 (0)20 8731 5551, BBS +44 (0)181 235 5511, URL www.dlink.co.uk, E-MAIL info@dlink.co.uk
U.S.A.: D-Link U.S.A., 17595 Mt. Herrmann Street, Fountain Valley, CA 92708, USA. TEL +1 714 885 6000, FAX +1 866 743 4905, INFO +1 877 453 5465, URL www.dlink.com, E-MAIL tech@dlink.com & support@dlink.com
141
No Encryption from the Data Encryption list and click Apply.
4. Select the Properties > Networking tab.
5. Select L2TP VPN from the VPN Type list. Make sure the following are selected: TCP/IP, QoS Packet Scheduler.
6. Select Apply.

Editing the Windows Registry
The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable this default behavior by editing the Windows 2000 Registry as described in the following steps. Refer to the Microsoft documentation for editing the Windows Registry.
1. Use the registry editor (regedit) to locate the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
2. Add the following registry value to this key:
   Value Name: ProhibitIpSec
   Data Type: REG_DWORD
   Value: 1
3. Save your changes and restart the computer.
You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When ProhibitIpSec is set to 1, the Windows 2000-based computer does not create the automatic filter that uses CA authentication; instead it checks for a local or Active Directory IPSec policy.
Caveat: with this setting, and Data Encryption set to No Encryption, the L2TP tunnel to the DFL-1500 runs without IPSec, so the tunneled traffic crosses the Internet with neither encryption nor integrity protection; only the PPP-level user authentication protects the connection. Use it only where that is acceptable.
81

Connecting to the L2TP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your L2TP VPN User Name an
P address of WAN1 is obtained. Click Next to proceed.
Step 4.a DHCP client: if Get IP Automatically (DHCP) is selected, the DFL-1500 requests the IP address, netmask and DNS servers from your ISP. You can use your preferred DNS by clicking DNS IP Address and completing the Primary DNS and Secondary DNS server IP addresses. Click Next to proceed.
Step 4.b Fixed IP: if Fixed IP Address is selected, enter the ISP-given IP Address, Subnet Mask, Gateway IP, Primary DNS and Secondary DNS. Click Next to proceed.
Step 4.c PPPoE client: if PPP over Ethernet is selected, enter the ISP-given User Name, Password and the optional Service Name. Click Next to proceed.
Notice: on the current firmware version, if you select PPPoE as the WAN link connection method, the bandwidth management feature is not supported.

BASIC SETUP > Wizard > Next > DHCP (screen): System Name; WAN1 IP; IP Address Assignment: Get IP Automatically (DHCP); Default WAN link; Gateway/DNS: Get DNS Automatically or DNS IP Address with Primary DNS 168.95.1.1 and Secondary DNS 0.0.0.0; Routing Protocol: None; OSPF Area ID.
BASIC SETUP > Wizard > Next > Fixed IP (screen): System Name; WAN1 IP; IP Address Assignment: Fixed IP Address; Default WAN link; Gateway/DNS: IP Address 61.2.1.1, Subnet Mask 255.255.255.0, Gateway IP 61.2
PNs, but it also supports LAN internetworking. PPTP operates at Layer 2 of the OSI model.
OSPF (Open Shortest Path First): OSPF is a routing protocol used to determine the correct route for packets within IP networks. It was designed by the Internet Engineering Task Force to serve as an Interior Gateway Protocol replacing RIP.
SMTP (Simple Mail Transfer Protocol): SMTP is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP (Internet Message Access Protocol), that let the user save messages in a server mailbox and download them periodically from the server.
VPN (Virtual Private Network): The key feature of a VPN is its ability to use public networks like the Internet rather than relying on private leased lines. VPN technologies implement restricted-access networks that use the same cabling and routers as a public network, and they do so without sacrificing features or basic security.
132

Index
backup configuration 122
Bandwidth Management 105
bidirectional 37, 38, 40
Content Filter: FTP Filter 97; Mail Filter 93; Web Filter 85
DDNS 21
DHCP 8, 10, 16, 17
DHCP Relay 21
DNS Proxy 21
factory reset 121
Firewall 49
firmware upgrade 121
IDS (Intrusion Detection System) 101
mail log 118
NAT
4. Select the Properties > Networking tab.
5. Select PPTP VPN from the VPN Type list. Make sure the following are selected: TCP/IP, QoS Packet Scheduler.
6. Select Apply.
Connecting to the PPTP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your PPTP VPN User Name and Password.
4. Select Connect.
ADVANCED SETTINGS > VPN Settings > PPTP > Client (screen: user name PptpUsers; Apply, Reset)
Table 11.2 Setup PPTP Client settings
74

Chapter 12 Virtual Private Network: L2TP
This chapter introduces L2TP and explains how to implement it.

12.1 Demands
1. An employee in our company may sometimes want to connect back to the corporate network to work on something. His PC, PC1_1, is in LAN1 rather than in DMZ1, so he cannot reach it directly with virtual server settings alone. This makes it inconvenient for the employee to work remotely.

12.2 Objectives
1. With L2TP tunneling, make the mobile employee a member of the LAN after he dials in to the corporate network. He can then access all computers in the LAN just as if he were in the office covered by LAN1.

Figure 12.1 L2
TP method connection (diagram): the mobile employee at 211.54.63.x (DHCP client) builds a VPN tunnel across the Internet and the ISP to the WAN1 IP of DFL_1 and receives L2TP IP 192.168.40.200; DFL_1's LAN1 IP is 192.168.40.254; the PC in LAN_1 is 192.168.40.1 and LAN_1 spans 192.168.40.1 to 192.168.40.253.

12.3 Methods
1. Set up the L2TP server (LNS, L2TP Network Server) at the DFL-1500. After the client dials up to the DFL-1500, the DFL-1500 assigns a private IP from the range configured in the L2TP server settings. If the range is defined as 192.168.40.200 to 192.168.40.253, the remote host may get 192.168.40.200 and logically becomes a member of LAN_1.
79

12.4 Steps
12.4.1 Setup L2TP Network Server
Step 1 Enable L2TP LNS (ADVANCED SETTINGS > VPN Settings > L2TP > LNS). Check the Enable L2TP LNS checkbox, enter the LAN1 IP of DFL_1, 192.168.40.254, in the Local IP field, and enter the IP range that will be assigned to L2TP clients in the Start IP and End IP fields. In LAC Start IP and LAC End IP, enter an IP range that covers the real (public) IP of the remote users; in our case the employee uses 211.54.63.1, so we fill in 211.54.63.1 to 211.54.63.5 to cover it. This LAC range is an address allowlist, not authentication: keep it as narrow as the remote users' addresses allow. Enter the Username (L2tpUsers) and Password that the employees will use during dial-up. Click Apply to finish the configuration.
FIELD / DESCRIPTION / EXAMPLE
Enable L2TP LNS: Enable the L2TP LNS feature of the DFL-1500.
Local IP: The IP address allocated in the internal network as the default gateway after the L2TP client dials in to the DFL-1500. (192.168.40.254)
Start IP: The starting IP address allocated in the internal network after the client dials in.
End IP: The endin
...sent out from the DFL-1500 will be via this port. (Ethernet, ISP vendor)
Service Name: Optional; the PPPoE service name given by the ISP. (So-Net)
User Name: The user name of the PPPoE account. (Hey)
Password: The password of the PPPoE account. (G54688)
16

Get DNS Automatically / DNS IP Address: Get DNS Automatically obtains the DNS information from the PPPoE ISP; DNS IP Address lets you specify the Primary and Secondary DNS servers manually. (Get DNS Automatically)
Connect / Disconnect: Click Connect or Disconnect to connect or disconnect the PPPoE line. (Disconnected)
Table 3.1 Detailed information for the WAN port configuration

Step 2 Show the Warning message (BASIC SETUP > WAN Settings > WAN1 IP > PPPoE). Note that if you have already enabled bandwidth management (ADVANCED SETTINGS > Bandwidth Mgt > Enable Bandwidth Management) and then select PPPoE in BASIC SETUP > WAN Settings > WAN1 IP > PPPoE as your Internet connection, the device shows a brow dialog ("Bandwidth management disabled. Bandwidth management will support PPPoE in the future release.") telling you that bandwidth management does not support PPPoE in this version. If you still want to use bandwidth management, connect to the Internet by another method such as DHCP or Fixed IP.

3.4.2 Setup DMZ1/LAN1 Status
Step 1 Setup DMZ port (BASIC SETUP > DMZ Settings > DMZ1 Status). Here we are going to configure
Use PC1_1 to retrieve an e-mail with a .vbs attachment to test the configuration.
Figure 14.1 Use the SMTP/POP3 filter functionality to prevent sensitive e-mail attachments from being opened directly (diagram): PC1_1 192.168.40.1 and PC1_2 192.168.40.2 in LAN_1 (192.168.40.1 to 192.168.40.253) behind the LAN1 IP of the DFL-1500; across the Internet, www.nthu.edu.tw at 140.114.x.x, and WebServer3 140.112.1.4, MailServer3 140.112.1.3 and FTPServer3 140.112.1.5.
93

14.4 Steps for SMTP Filters
Step 1 Enable SMTP Filters (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP; tabs Web Filter, Mail Filter, FTP Filter). Check the Enable SMTP Proxy checkbox and click Apply. The rule list has the columns Original Name, Type and Mapped Name.
FIELD / DESCRIPTION / EXAMPLE
Enable SMTP Proxy: Enable the SMTP proxy feature of the DFL-1500. (Enabled)
Filename extension: When the filename extension of an attachment matches the entry, the proxy appends the .bin extension to the attachment's filename. (Append .bin to e-mail attachments whose filename extension matches)
Exact filename: When the whole filename of an attachment matches the entry, the proxy appends the .bin extension to the attachment's filename.
Table 14.1 Mail Filter SMTP setting page

Step 2 Add an SMTP Filter (ADVANCED SETTINGS > Content Filters > Mail Filters > SMTP). Select Filename extension, enter vbs and click Add to add a rule. This rule applies to all LAN to DMZ/WAN SMTP connections; all such SMTP traffic is examined to
With the Firewall enabled, the DFL-1500 already has a built-in Anti-DoS engine. Ordinary DoS attacks show up in the log when such traffic is detected and blocked. Flooding attacks, however, need extra parameters to be recognized.
Check the Enable Alert when attack detected checkbox. Enter 100 in One Minute High: the DFL-1500 starts to generate alerts and delete half-open states if 100 new half-open states were established in the last minute. Enter 100 in Maximum Incomplete High: the DFL-1500 starts to generate alerts and delete half-open states if the current number of half-open states reaches 100. Enter 10 in TCP Maximum Incomplete: the DFL-1500 starts to generate alerts and delete half-open states if the number of half-open states towards one server (a SYN flooding attack) reaches 10. Check Blocking time if you want to stop the traffic towards that server; during the blocking time the server can digest its load.
(ADVANCED SETTINGS > Firewall > Attack Alert; other tabs Edit Rules, Show Rules)
A half-open state is a TCP connection whose SYN was seen but whose handshake never completed; a SYN flood fills the server's backlog with such states, which is why these thresholds are the detection knobs. Note that while the blocking time runs, legitimate new connections to the protected server are dropped as well.
FIELD / DESCRIPTION / EXAMPLE
Enable Alert when attack detected: Enable the firewall alert to detect Denial of Service (DoS) attacks. (Enabled)
51

Denial of Service Thresholds
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the DFL-1500 deletes half-open sessions as req
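The three thresholds above interact in a way that is easier to see in code than in the field table. The following is an added example, not D-Link code, and the appliance's internals are not documented on this page: it is a small half-open-state tracker that applies One Minute High, Maximum Incomplete High and TCP Maximum Incomplete with the manual's values (100, 100, 10) and an assumed 30-second blocking time, and runs it over a constructed SYN-flood trace and a constructed trace of normal, completed handshakes. Class names, the 4-tuple keys and the trace addresses are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Added example (not D-Link code): a model of the Attack Alert thresholds.
FourTuple = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


@dataclass
class Thresholds:
    one_minute_high: int = 100      # new half-open states per minute
    max_incomplete_high: int = 100  # total half-open states at once
    tcp_max_incomplete: int = 10    # half-open states towards one server
    blocking_time: float = 0.0      # seconds to refuse SYNs to a flooded server; 0 = off


@dataclass
class HalfOpenMonitor:
    th: Thresholds
    half_open: Dict[FourTuple, float] = field(default_factory=dict)  # state -> SYN time
    recent: Deque[float] = field(default_factory=deque)             # SYN times in last 60 s
    blocked_until: Dict[str, float] = field(default_factory=dict)   # server -> unblock time
    alerts: List[str] = field(default_factory=list)

    def syn(self, now: float, src: str, sport: int, dst: str, dport: int) -> str:
        """Handle one SYN; returns 'blocked', 'pass' or 'pass+alert'."""
        if self.blocked_until.get(dst, 0.0) > now:
            return "blocked"                       # Blocking time still running
        while self.recent and now - self.recent[0] > 60.0:
            self.recent.popleft()
        self.half_open[(src, sport, dst, dport)] = now
        self.recent.append(now)
        fired = False
        if len(self.recent) >= self.th.one_minute_high:
            self.alerts.append(f"t={now}: One Minute High, {len(self.recent)} new half-open/min")
            self._shed_oldest(self.th.one_minute_high)
            fired = True
        if len(self.half_open) >= self.th.max_incomplete_high:
            self.alerts.append(f"t={now}: Maximum Incomplete High, {len(self.half_open)} half-open")
            self._shed_oldest(self.th.max_incomplete_high)
            fired = True
        towards = [k for k in self.half_open if k[2] == dst]
        if len(towards) >= self.th.tcp_max_incomplete:
            self.alerts.append(f"t={now}: TCP Maximum Incomplete, SYN flood towards {dst}")
            for k in towards:                      # drop the flood's half-open states
                del self.half_open[k]
            if self.th.blocking_time > 0:
                self.blocked_until[dst] = now + self.th.blocking_time
            fired = True
        return "pass+alert" if fired else "pass"

    def established(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Final ACK of the handshake: the state is no longer half-open."""
        self.half_open.pop((src, sport, dst, dport), None)

    def _shed_oldest(self, limit: int) -> None:
        """Delete the oldest half-open states until the count is below the threshold."""
        for key, _ in sorted(self.half_open.items(), key=lambda kv: kv[1]):
            if len(self.half_open) < limit:
                break
            del self.half_open[key]


def simulate_syn_flood() -> dict:
    """Constructed trace: 12 SYNs from distinct spoofed sources to one DMZ server, none completed."""
    mon = HalfOpenMonitor(Thresholds(tcp_max_incomplete=10, blocking_time=30.0))
    actions = [mon.syn(float(i), f"211.54.63.{i + 1}", 40000 + i, "10.1.1.1", 80) for i in range(12)]
    during = mon.syn(12.0, "192.168.40.1", 50000, "10.1.1.1", 80)   # legitimate, but blocked
    after = mon.syn(45.0, "192.168.40.1", 50001, "10.1.1.1", 80)    # blocking time expired
    return {"actions": actions, "during": during, "after": after,
            "alerts": len(mon.alerts), "half_open": len(mon.half_open)}


def simulate_normal_traffic() -> dict:
    """Constructed trace: 20 completed handshakes never accumulate half-open states."""
    mon = HalfOpenMonitor(Thresholds())
    for i in range(20):
        mon.syn(float(i), "192.168.40.1", 50000 + i, "10.1.1.1", 80)
        mon.established("192.168.40.1", 50000 + i, "10.1.1.1", 80)
    return {"alerts": len(mon.alerts), "half_open": len(mon.half_open)}


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(simulate_normal_traffic())
```

The flood trace shows the cost of Blocking time that the manual only hints at: once the tenth half-open state towards 10.1.1.1 trips TCP Maximum Incomplete, the legitimate SYN at t=12 is refused along with the attacker's, and only after the window expires does the server accept connections again.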
  7.4.1 Add a Static Route ... 46
  7.4.2 Add a Policy Route ... 47
Chapter 8 Firewall ... 49
 8.1 Demands ... 49
 8.2 Objectives ... 49
 8.3 Methods ... 49
 8.4 Steps ... 50
  8.4.1 Block internal PC session (LAN1 to WAN1) ... 50
  8.4.2 Setup Alert detected DoS ... 51
Part III Virtual Private Network ... 54
Chapter 9 VPN Technical Introduction ... 55
 9.1 Terminology ... 55
  9.1.1 VPN ... 55
  9.1.2 IPSec ... 55
  9.1.3 Security Association ... 55
  9.1.4 IPSec Algorithms ... 55
  9.1.5 IKE ... 55
  9.1.6 Encapsulation ... 56
  9.1.7 IPSec Protocols ... 57
 9.2 Make VPN packets pass through DFL-1500 ... 57
Chapter 10 Virtual Private Network: IPSec ... 59
 10.1 Demands ... 59
 10.2 Objectives ... 59
 10.3 Methods ... 59
 10.4 Steps ... 60
  DES/MD5 IPSec tunnel, the IKE way ... 60
  DES/MD5 IPSec tunnel, the Manual Key way ... 67
Chapter 11 Virtual Private Network: PPTP ... 75
 11.1 Demands ... 75
 11.2 Objectives ... 75
 11.3 Methods ... 75
  11.4.1 Setup PPTP Network Server ... 76
  11.4.2 Setup PPTP Network Client ... 77
Chapter 12 Virtual Private Network: L2TP ... 79
 12.1 Demands ... 79
 12.2 Objectives ... 79
 12.3 Methods
...contains a high-performance Stateful Packet Inspection (SPI) firewall, policy-based NAT, ASIC-based wire-speed VPN, an upgradeable Intrusion Detection System, dynamic routing, content filtering, bandwidth management, a WAN load balancer and other solutions in a single box. It is one of the most cost-effective all-in-one solutions for enterprises.

1.1 Before You Begin
Prepare a computer with an Ethernet adapter for configuring the DFL-1500. The default IP address of the DFL-1500 is 192.168.1.254 (LAN1, port 4) with a subnet mask of 255.255.255.0. You will need to assign your computer a static IP address in the same range as the DFL-1500's address, say 192.168.1.2, to configure the DFL-1500.

1.2 Check Your Package Contents
These are the items included with your DFL-1500 purchase, as shown in Figure 1.1:
1. DFL-1500 device (1)
2. Ethernet cable, RJ-45
3. RS-232 console cable (1)
4. CD including the User's Manual and Quick Guide (1)
5. Power cord (1)
If any of the items are missing, please contact your reseller.
Figure 1.1 All items in the DFL-1500 package

1.3 Default Settings
You should have an Internet account already set up and have been given most of the information in Table 1.1. Fill out this table when you edit the web configuration of the DFL-1500. Change the default password before connecting the WAN port: a device reachable from the Internet with the factory password is trivially taken over.
Default value / New value:
Password: admin
IP Address:
Subnet Mask:
Gateway IP:
Primary DNS:
Secondary DNS:
PPPoE Username:
PPPoE Password:
...name outVPN. Condition: Source IP 192.168.40.0, Netmask 255.255.255.0; Dest IP 192.168.88.0, Netmask 255.255.255.0; Service Any; Configure src port (Type Single/Range, Src Port); Configure dest port (Type Single/Range, Dest Port, e.g. FTP 21). Action: Queue the matched packets in the chosen class.
112

Step 6 View the rules (ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules; other tabs Status, Edit Actions). The DFL-1500 is now configured to direct packets matched by outFtpUpload into the outFTP queue (463 kbps) and packets matched by outVPN into the LANa-to-LANb queue (1003 kbps). Here we reserve 65% of the WAN1 bandwidth for the LANa-to-LANb VPN data to guarantee the communication between the VPN sites. All other traffic goes into the def_class queue and gets whatever bandwidth is available.
 Item  Active  Name          Direction    Source IP Address             Dest IP Address               Service  Action
 01    Y       outFtpUpload  ANY to WAN1  (cells illegible in source)                                          outFTP
 02    Y       outVPN        ANY to WAN1  192.168.40.0 / 255.255.255.0  192.168.88.0 / 255.255.255.0  Any      LANatoLANb
 03    Y       Default       ANY to WAN1  Any                           Any                           Any      def_class
113

Part VII System Maintenance
Chapter 18 System Status
18.1 Demands
1. Now that we have finished the settings of the DFL-1500, we need to gather the device information quickly so that we can get an overview of the system status.
18.2 Objectives
1. We can see the current situation easily through one integrated interface.
18.3 Method
& fateen@dlink-me.com
Finland: D-Link Finland, Pakkalankuja 7A, FIN-0150 Vantaa, Finland. TEL +358 9 2707 5080, FAX +358 9 2707 5081, URL www.dlink-fi.com
France: D-Link France, Le Florilege No. 2, Allee de la Fresnerie, 78330 Fontenay le Fleury, France. TEL +33 1 3023 8688, FAX +33 1 3023 8689, URL www.dlink-france.fr, E-MAIL info@dlink-france.fr
139
Germany: D-Link Central Europe, D-Link Deutschland GmbH, Schwalbacher Strasse 74, D-65760 Eschborn, Germany. TEL +49 6196 77990, FAX +49 6196 7799300, URL www.dlink.de, BBS +49 (0)6192 971199 (analog), BBS +49 (0)6192 971198 (ISDN), INFO 00800 7250 0000 (toll free), HELP 00800 7250 4000 (toll free), REPAIR 00800 7250 8000, E-MAIL info@dlink.de
India: D-Link India, Plot No. 5, Bandra-Kurla Complex Rd., Off Cst Rd., Santacruz (East), Mumbai 400 098, India. TEL +91 022 652 6696 / 657 8 6623, FAX +91 022 652 8914 / 8476, URL www.dlink-india.com & www.dlink.co.in, E-MAIL service@dlink-india.com & tushars@dlink-india.com
Italy: D-Link Mediterraneo Srl, D-Link Italia, Via Nino Bonnet n. 6/B, 20154 Milano, Italy. TEL +39 02 2900 0676, FAX +39 02 2900 1723, URL www.dlink.it, E-MAIL info@dlink.it
Japan: D-Link Japan, 10F, 8-8-15 Nishi-Gotanda, Shinagawa-ku, Tokyo 141, Japan. TEL +81 3 5434 9678, FAX +81 3 5434 9868, URL www.d-link.co.jp, E-MAIL kida@d-link.co.jp
Netherlands: D-Link Benelux, Fellenoord 130, 5611 ZB Eindhoven, The Netherlands. TEL
...ated when I try to enable the bandwidth management feature of the DFL-1500. (Status: "Bandwidth management will support PPPoE in the future release.")
Figure B.4 The bandwidth management feature cannot cooperate with the PPPoE feature
Ans: In the present design you cannot turn on bandwidth management while PPPoE is enabled. If you need bandwidth management, choose another WAN connection method, e.g. DHCP or fixed IP.

9. Why is the Source IP field of the System Logs blank?
Ans: One reason is that you may have entered a Host Name followed by a space, like "DFL-1500 ", and then the Domain Name string, like "dlink.com", in firmware version 1.391B. The System Name is then presented as "DFL-1500 .dlink.com". After upgrading the firmware to a later version, e.g. 1.50R, the Source IP field of the System Logs appears blank.
127

Appendix C Packet Flow
Figure C.1 Packet flow diagrams (diagram): one path for LAN/DMZ to WAN (outbound) traffic and one for WAN to DMZ/LAN (inbound) traffic; the stages shown include policy route, firewall, NAT and a local sniffing point between the LAN/DMZ side and the WAN side.
129

Appendix D Glossary of Terms
CF (Content Filter): A content filter is one or more pieces of software that work together to prevent users from viewing material found on the Internet. This process has two components.
DHCP (Dynamic Host Configuration Protocol)
...have poor quality. Here we will make sure that PC1_2 gets smooth streaming quality, which needs a rate of at least 400 kbps.
105

Figure 17.2 Use the bandwidth management mechanism to shape the data flow in the uplink direction (diagram): DMZ_1 10.1.1.0/24 with PCa 10.1.1.1 uploading to the FTP server 140.113.179.3 through the ISP router; LAN_1 192.168.40.0/24 and LAN_2 192.168.88.0/24 connected by the VPN; queue LANa to LANb reserved at 65%, 1003 kbps.

2. As Figure 17.2 illustrates, PCa (10.1.1.1) is uploading files to the FTP server (140.113.179.3), which starves the VPN transfer from LAN_1 to LAN_2. We want to make sure the VPN tunnel is reserved at least 1000 kbps, and that any bandwidth not used by LANa to LANb raises the bandwidth available to PCa's uploads.

17.2 Objectives
1. Guarantee the video quality of PC1_2 (192.168.40.2). The remaining bandwidth can be used by PC1_1 (192.168.40.1) to download mp3 files from the FTP server (140.113.179.3). When the movie is over, the whole bandwidth is available to PC1_1.
2. Reserve at least 1 Mbps for the LANa-to-LANb transfer. The DMZ_1 PCs share the remaining 463 kbps for uploading files. When the LANa-to-LANb traffic uses only 300 kbps, the DMZ PCs can borrow the unused LANa-to-LANb bandwidth (1003 kbps - 300 kbps) on top of their own 463 kbps, for a total of 1166 kbps (1003 - 300 + 46
73. chment file. Filename extension: attachments whose Exact filename: when the whole filename of the attachment file matches the Exact filename, add the .bin extension to the attachment file. Table 14.2: Mail Filter SMTP setting page. Step 2: Add a POP3 Filter (ADVANCED SETTINGS > Content Filters > Mail Filters > POP3). Select filename extension, enter vbs and click Add to add a rule. This rule will apply to all DMZ/WAN to LAN POP3 connections; all such POP3 traffic will be examined and the filename extension changed from .vbs to .vbs.bin. Step 3: Customize the local zones (ADVANCED SETTINGS > Content Filters > Mail Filters > POP3 > Exempt Zone). You can configure to which range of local zones the filters apply. By default the web filters apply to all computers, so Enforce web filter policies for all computers is selected and the range is 0.0.0.0 - 255.255.255.255. Delete the default range by clicking the range item and the Delete button. Enter the IP range in the Range fields and click the Add button to add one address range to the web filter. Click Include and Apply if you want the web filters to apply only to the specified ranges; click Exclude and Apply if you want the web filters to apply to all computers except those specified ranges. (Example ranges: 192.168.40.100 - 192.168.40.130 and 10.1.1.1 - 10.1.1.254.) Content Fil
74. ctivate this rule checkbox. Enter the rule name as PC1_1 and enter the IP address of PC1_1 (192.168.40.1 / 255.255.255.255). Select Block and Log to block and log the matched traffic. Click Apply to apply the changes. ADVANCED SETTINGS > Firewall > Status: Enable Stateful Inspection Firewall (the firewall protects against Denial of Service (DoS) attacks when it is enabled); Total Configured Rules: 26; Vacant Rules: 2974. ADVANCED SETTINGS > Firewall > Edit Rules: Edit LAN1 to WAN1 rule; default action for this packet direction: Forward; Log. Packets are top-down matched by the rules. Rule 1: Active Y, Name Default, Direction LAN1 to WAN1, Source IP Address Any, Dest IP Address Any, Service Any, Action Forward, Log N. ADVANCED SETTINGS > Firewall > Edit Rules > Insert: Insert a new WAN1 to WAN1 firewall rule. Activate this rule; Rule name: PC1_1; Source IP 192.168.40.1, Netmask 255.255.255.255; Dest IP 0.0.0.0, Netmask 0.0.0.0; Service: Any; Configure dest port: Type Single, Dest Port (FTP 21); Block the matched packet; Log the matched packet. FIELD / DESCRIPTION / EXAMPLE: Activate this
75. d Password. 4. Select Connect. Part IV: Content Filters. Chapter 13: Content Filtering - Web Filters. This chapter introduces web content filters and explains how to implement them. 13.1 Demands. Figure 13.1: Use the web filter functionality to prevent users from browsing forbidden web sites (the downloaded web page is filtered for ActiveX, Java, JavaScript and cookie components; WebServer3 140.112.1.4, Internet, PC1_2 192.168.40.2). 1. As Figure 13.1 illustrates, someone (PC1_1) is browsing the web pages at WebServer3. The contents of the web pages may include cookies, Java applets, JavaScripts or ActiveX objects that may contain malicious programs or leak users' information, so we wish to prohibit the user PC1_1 from downloading the forbidden components. Figure 13.2: Use the web filter functionality to prevent users from viewing forbidden web sites (the web page which comes from a forbidden web site is filtered out; WebServer3 140.112.1.4, Internet). 2. As Figure 13.2 illustrates, someone (PC1_1) is browsing forbidden web pages during office hours. The contents of the web pages may include stock markets, violence or sex, which waste the bandwidth of the Internet access link while degrading the efficiency of normal working hours. So we wish to prohibit the user PC1_1 from viewing the page on the
76. d or not. Rule name: the policy routing rule name (GenlManaRoom). Condition: Incoming packets from: the interface the packets come from (LAN1). Source IP & Netmask: verify if the incoming packets belong to the range of the Source IP/Netmask in the policy routing rule (192.168.40.192 / 255.255.255.192). Dest IP & Netmask: verify if the incoming packets belong to the range of the Dest IP/Netmask in the policy routing rule (0.0.0.0 / 0.0.0.0). Service: verify what the service of this packet is. Configure src port / Type / Src port: check the source port of the incoming packets; if checked, the range of the port (No). Configure dest port / Type / Dest port: check the dest port of the incoming packets; if checked, the range of the port (No). Action: Forward to: if the packet matches this rule, the interface this packet is sent out to (WAN). Next-hop gateway IP: the next gateway IP address of the forwarding interface (61.216.120.148). Table 7.2: Add a policy routing entry. Step 3: View the result (Advanced Settings > Routing > Policy Route). After filling in the data completely, view the policy routing entries which have been set. Step 4: Show the routing table (Advanced Settings > Routing > Routing Table). Finally, click the Routing Table to see all the current routing table information. Chapter 8: Firewall. This chapter introd
77. d technology. 9.1 Terminology Explanation. 9.1.1 VPN: A VPN (Virtual Private Network) logically provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of encryption, tunneling, authentication and access control used to transport traffic over the Internet or any insecure TCP/IP network. 9.1.2 IPSec: Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer. 9.1.3 Security Association: A Security Association (SA) is an agreement between two parties indicating what security parameters, such as keys and algorithms, they will use. 9.1.4 IPSec Algorithms: There are two types of algorithms in IPSec: 1. Encryption Algorithms, such as DES (Data Encryption Standard) and 3DES (Triple DES); and 2. Authentication Algorithms, such as HMAC-MD5 (RFC 2403) and HMAC-SHA1 (RFC 2404). 9.1.5 Key Management: Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. IKE Phases: There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA an
78. d the second one uses that SA to negotiate SAs for IPSec. In phase 1 you must: choose a negotiation mode; authenticate the connection by entering a pre-shared key; choose an encryption algorithm; choose an authentication algorithm; choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2); set the IKE SA lifetime. This field allows you to determine how long IKE SA negotiation should proceed before it times out. A value of 0 means IKE SA negotiation never times out. If IKE SA negotiation times out, then both the IKE SA and the IPSec SA must be renegotiated. In phase 2 you must: choose which protocol to use (ESP or AH) for the IKE key exchange; choose an encryption algorithm; choose an authentication algorithm; choose whether to enable Perfect Forward Security (PFS) using Diffie-Hellman public-key cryptography; choose Tunnel mode or Transport mode; set the IPSec SA lifetime. This field allows you to determine how long IPSec SA setup should proceed before it times out. A value of 0 means the IPSec SA never times out. If IPSec SA negotiation times out, then the IPSec SA must be renegotiated, but not the IKE SA. Negotiation Mode: The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations. Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6
79. ded forward into the IP header to verify the integrity of the entire packet, by using portions of the original IP header in the hashing process. Tunnel Mode: Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption; this is the most common mode of operation. Tunnel mode is required for gateway-to-gateway and host-to-gateway communications. Tunnel mode communication has two sets of IP headers: Outside header: the outside IP header contains the destination IP address of the VPN gateway. Inside header: the inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header. 9.1.7 IPSec Protocols: The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence. AH (Authentication Header) Protocol: The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and non-repudiation, but not for confidentiality, for which the ESP was desi
80. e Source IP/Netmask settings, do the Action (140.113.179.3 / 255.255.255.255). Dest IP & Netmask: when the destination IP address of incoming packets conforms to the Dest IP/Netmask settings, do the Action (192.168.40.1 / 255.255.255.255). Service: verify if the service of the packet belongs to the TCP, UDP or ICMP type (Any). Configure src port: if the service is TCP or UDP, we can set up the range of the source ports; the range of source ports can be a single port or a range of ports (disabled). Configure dest port: if the service is TCP or UDP, we can set up the range of the destination ports; the range of destination ports can be a single port or a range of ports (disabled). Action: Queue the matched packets in class: allocate the packets which conform to this rule to the inFTP class of the previous setting (inFTP). Apply: apply the settings which have been configured. Table 17.5: Add a new Bandwidth Management rule (Status: Enabled; Rule name: inFTP). Step 7: View the rules (ADVANCED SETTINGS > Bandwidth Mgt > Edit Rules). The DFL-1500 is now configured to direct inFTP-matched packets into the inFTP queue (1019 kbps) and inVideo-matched packets into the inVideo queue (447 kbps). All other traffic will be put into the def class queue (any available bandwidth).
81. e objects of Restricted Features to block those objects. Click the Apply button at the bottom of this page. Use PC1_1 to browse the web page to see if the objects are blocked. If the objects still appear, they may be cached by the browser; please clear the cache in the web browser (Microsoft Internet Explorer), close the browser, reopen it and connect to the web page again. Web Proxy: if the Web Proxy is enabled, all the web pages passing through the proxy (Web Proxy port 3128 only) will also be verified by the DFL-1500; if the Web Proxy is disabled, all the web pages passing through the proxy will bypass the verification (enabled). Apply: apply the settings which have been configured. Reset: clean the filled data and restore the original. Table 13.2: Web Filter setting page. Step 4: Customize Categories (ADVANCED SETTINGS > Content Filters > Web Filter > Categories). With the built-in URL database, the DFL-1500 can block web sessions towards several pre-defined categories of URLs. Check the items that you want to block or log. Simply clicking Block all categories will apply all categories. Click Log & Block Access if you want to block and log any matched traffic. You can customize the Time of Day (such as 9:30 to 17:30) to allow such traffic after office hours. FIELD / DESCRIPTION / EXAMPLE: Determine how to deal with the URL types in th
82. e remote PC as the PPTP client. After dialing up to DFL-1, DFL-1 will assign a private IP which falls in the range configured in the PPTP server at DFL-1. Suppose the range is defined as 192.168.40.180 - 192.168.40.199; the remote host may get an IP of 192.168.40.180 and logically become a member of LAN1. 2. Set up the DFL-1500 as the PPTP client. All the client PCs behind the DFL-1500 can then connect to the network behind the PPTP Server by passing through the DFL-1500. It is as if no Internet existed between them, yet they can connect with each other. 11.4 Steps. 11.4.1 Set up the PPTP Network Server. Step 1: Enable PPTP Server (ADVANCED SETTINGS > VPN Settings > PPTP). Check the Enable PPTP checkbox, enter the LAN1_IP of DFL-1 (192.168.40.254) in the Local IP field, and enter the IP range that will be assigned to the PPTP clients in the Start IP and End IP fields. Enter the Username and Password that will be used by the 3 employees during dial-up. Click Apply to finish the configuration. FIELD / DESCRIPTION / EXAMPLE: Enable PPTP Server: enable the PPTP feature of the DFL-1500. Local IP: the IP address allocated in the internal network after a PPTP client dials in to the DFL-1500 (192.168.40.254). Start IP: the starting IP address allocated in the internal network after a PPTP client dials in to the DFL-1500. End IP: the ending IP address allocated in the internal network after a PPTP client dials in to the DFL-1500.
83. ected Exempt Computers radio button. Add: add the specified IP range filled in the above Range From field (N/A). Reset: clean the filled data and restore the original one. Delete: delete the specified IP range filled in the above Range From field. Table 13.5: Web Filter Exempt Zone setting page. Step 7: Further customize the remote sites (ADVANCED SETTINGS > Content Filters > Web Filter > Customize). Check Enable Filter List Customization to allow all accesses to the Trusted Domains while disallowing all accesses to the Forbidden Domains. Check Disable all traffic except for trusted domains if you want to allow access only to the Trusted Domains. However, if the web objects are set to be blocked by the DFL-1500 in step 3, these allowed accesses will never be able to retrieve those objects. Check Don't block to allow the objects for these trusted domains (e.g. www.dlink.com). The domains are maintained by entering the address in the Domain field and clicking the Add button; to delete a domain, click the domain and then the Delete button (e.g. www.stackmarket.com). FIELD / DESCRIPTION / EXAMPLE: Enable Filter List Customization: enable the Filter List Customization feature of the web filter (Enabled). Disable all web traffic except for trusted domains: except for the domain range specified by the trusted domains, all the othe
84. ed into (ADVANCED SETTINGS > NAT > NAT Rules > Insert). FIELD / DESCRIPTION / EXAMPLE: Status: Rule (enabled). Condition: Source IP/Netmask: compared with the incoming packets, whether the Source IP/Netmask is matched or not (192.168.40.0 / 255.255.255.0). Action: Type: Many to One: map a pool of private IP addresses to a single public IP address chosen from the WAN ports; Many to Many: map a pool of private IP addresses to a pool of public IP addresses chosen from the WAN ports; One to One: map a single private IP address to a single public IP address chosen from the WAN ports; One to One bidirectional: an internal host is fully mapped to a WAN IP address; notice that you must add a firewall rule to forward WAN to LAN/DMZ traffic (Many to One). Translated Src IP: Auto choose IP from WAN ports: only works in the Many to One type; the default WAN link is the default source interface for NAT translation, and only when all ports are used will it use the next NAT interface. Another way is to specify the IP address/Netmask yourself (61.2.1.1). Step 5.b: Insert a Many to Many Rule. If your ISP has assigned a range of public IPs to your company, you can tell the DFL-1500 to translate the private IP addresses into the pool of public IP addresses. The DFL-1500 will use the first public IP unt
85. egion, fill in forward to WAN2 with next-hop gateway 61.216.120.148. After setting as above, the packets which match the condition will follow the predefined action and be forwarded to the next hop. Advanced Settings > Routing > Static Route: Type Net, Destination 140.116.53.0, Netmask 255.255.255.0, Gateway 61.216.120.148, Activated Yes. Advanced Settings > Routing > Policy Route (Policy Routing > Edit Rules): packets are top-down matched by the rules (columns: Active, Name, Direction, Source IP Address, Dest IP Address, Service, Forward to next hop, Through). Advanced Settings > Routing > Policy Route > Insert (Policy Routing > Edit Rules > Insert): Insert a new Policy Routing rule. Status: Activate this rule; Rule name: GenlManaRoom. Condition: Incoming packets from LAN1; Source IP 192.168.40.192, Netmask 255.255.255.192; Dest IP 0.0.0.0, Netmask 0.0.0.0; Service: Any; Configure src port: Type Single/Range, Src Port; Configure dest port: Type Single/Range, Dest Port. Action: Forward to WAN with next-hop gateway IP 61.216.120.148. FIELD / DESCRIPTION / EXAMPLE: Status: Activate this rule: the policy routing rule is enable
86. emoteLAN, Mechanism, MyIP, Security Gateway. Step 3: Customize the rule (ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add). The fields are the same as those in IKE, but there is no pre-shared key in manual key mode. Enter the Key for encryption, such as 1122334455667788, and the Key for authentication, such as 11112222333344445555666677778888. Additionally, the Outgoing SPI and Incoming SPI have to be specified manually: enter 2222 and 1111 respectively in the Outgoing SPI and Incoming SPI fields. Click Apply to store the rule. (Settings shown: Local LAN 192.168.40.0 / 255.255.255.0, Subnet Address; Remote LAN 192.168.88.0 / 255.255.255.0; Outgoing SPI 2222 hex; Incoming SPI 1111 hex; encryption key 1122334455667788 hex.) FIELD / DESCRIPTION / EXAMPLE: My IP Address: the IP address of the local site DFL-1500 Firewall/VPN Router (61.2.1.1). Security Gateway Addr: the IP address of the remote site device, like a DFL-1500 Firewall/VPN Router (210.2.1.1). Outgoing SPI: the Outgoing SPI (Security Parameter Index) value; notice that a HEX SPI must be a value between 600 and 600000, or a DEC SPI must be a value between 1500 and 6300000 (2222). Incoming SPI: the Incoming SPI (Security Parameter Index) value; notice that a HEX SPI must be a value between 600 and 600000, or a DEC SPI must be a value between 1500 and 6300000 (1111). Encapsulation Mode: Tunnel or Transport mode
87. en selecting Weekly in the Log Schedule field, we have to choose in the Day for Sending Logs field on which day the mail logs will be sent out. Apply: apply the configuration in this page. Reset: restore the original configuration in this page. Test: test the mail logs configuration in this page. Table 19.2: Set up the Mail Logs. Chapter 20: System Maintenance. This chapter introduces how to do system maintenance. 20.1 Demands. 1. The DFL-1500 is designed to provide upgradeable firmware and databases to meet the upcoming dynamics of the Internet. New features, new attack signatures, new forbidden URLs and new virus definitions require timely updates to the DFL-1500. This chapter introduces how to upgrade your system with TFTP and with the Web UI respectively. 2. Sometimes one may want to reset the firmware to the factory default due to loss of password, corrupted firmware or corrupted configuration. Since the DFL-1500 does not have a reset button (to prevent careless pressing of it), the factory default has to be set with the web GUI or the console terminal. Of course, when you lose the password you have to use the CLI only, because you can never enter the web GUI with the lost password. 20.2 Steps for TFTP Upgrade. There is a TFTP client embedded in the DFL-1500 device (192.168.1.254). Figure 20.1: Upgrade/Backup firmware from a TFTP server. Step 1: Set up the TFTP server. Place
88. et (ISP2 modem, WAN2_IP 192.168.1.1, DHCP Client). Figure 1.4: The default settings of the DFL-1500. The factory default settings for the DFL-1500 are shown in Figure 1.4 and Table 1.1. You can configure the DFL-1500 by connecting to the LAN1 IP (192.168.1.254) from PC1_1 (192.168.1.1). The following section will teach you how to quickly set up the DFL-1500 based on Figure 1.4. 1.6 Using the Setup Wizard. A computer on your LAN1 must be assigned an IP address and Subnet Mask from the same range as the IP address and Subnet Mask assigned to the DFL-1500 in order to be able to make an HTTPS connection using a web browser. The DFL-1500 is assigned an IP address of 192.168.1.254 with a Subnet Mask of 255.255.255.0 by default. The computer that will be used to configure the DFL-1500 must be assigned an IP address between 192.168.1.1 and 192.168.1.253 with a Subnet Mask of 255.255.255.0 to be able to connect to the DFL-1500. This address range can be changed later. There are instructions in the DFL-1500 Quick Installation Guide if you do not know how to set the IP address and Subnet Mask for your computer. Step 1: Login. Connect to https://192.168.1.254. Type admin in the account field and admin in the Password field, and click Login. Step 2: Run the Setup Wizard. After logging in to https://192.168.1.254
89. forbidden web site. 13.2 Objectives: 1. Remove the cookies, Java applets, Java scripts and ActiveX objects from the web pages. 2. Prevent users from connecting to the forbidden sites. 13.3 Methods: 1. Set up content filtering for web objects such as cookies and Java applets. 2. Set up content filtering for URL requests. For each URL, check the pre-defined upgradeable URL database, the self-entered forbidden domains and the self-entered keywords to check if the URL is allowed. 13.4 Steps. Step 1: Enable Web Filter (ADVANCED SETTINGS > Content Filters > Web Filter). Check the Enable Web Filter checkbox and click Apply on the right side. FIELD / DESCRIPTION / EXAMPLE: Enable Web Filter: enable the Web Filter feature of the DFL-1500. Table 13.1: Enable Web Filter. Step 2: Warning of Firewall (ADVANCED SETTINGS > Content Filters > Web Filter). This is a warning saying that if you block any web traffic from LAN to WAN in the Firewall, the access control is shifted to the Web Filter ("Note that all LAN to WAN initiated WWW sessions are controlled by web filter now. Firewall will not block these"). Namely, if you block someone from accessing the web at the WAN side, after enabling the web filter he can resume accessing the web until you set a content filter rule to block it. Step 3: Customize Objects (ADVANCED SETTINGS > Content Filters > Web Filter). Check th
90. g IP address in the internal network after an L2TP client dials in to the DFL-1500. LAC Start IP: the starting IP address of the range which is allowed to dial in to the LNS server using the L2TP protocol (211.54.63.1). LAC End IP: the ending IP address of the range which is allowed to dial in to the LNS server using the L2TP protocol (211.54.63.5). Username: the account which allows an L2TP client user to dial in to the DFL-1500 (L2tpUsers). Password: the password which allows an L2TP client user to dial in to the DFL-1500 (Dif3wk). Table 12.1: Set up L2TP LNS Server settings (Local IP 192.168.40.254). Step 2: Set up Windows XP/2000 L2TP clients. Configuring an L2TP Dial-Up Connection: Configure an L2TP dial-up connection. Go to Start > Control Panel > Network and Internet Connections > Make new connection. Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Give the connection a Name and select Next. If the Public Network dialog box appears, choose Don't dial up initial connection and select Next. In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next. Set Connection Availability to Only for myself and select Next. Select Finish. Customize the VPN Connection: 1. Right-click the icon that you have created. 2. Select Properties > Security > Advanced > Settings. 3. Select
91. gned. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination, but will allow for verification of the integrity of the information and authentication of the originator. ESP (Encapsulating Security Payload) Protocol: The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authenticating properties are limited compared to AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper-layer protocols need to be authenticated. An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted. 9.2 Make VPN packets pass through the DFL-1500. Step 1: Enable IPSec pass-through (ADVANCED SETTINGS > VPN Settings > Pass Through). If we need to set up the DFL-1500 between existing IPSec/PPTP/L2TP connections, we need to open the ports blocked by the Firewall of the DFL-1500 in advance. Here we provide a simple way: enable the IPSec/PPTP/L2TP pass-through checkboxes on this page. The IPSec/PPTP/L2TP VPN connections will then pass through the DFL-1500, with the DFL-1500 playing the role of the forwarding device in the middle.
92. > Content Filters > Web Filter > Exempt Zone) zones. You can configure to which range of local zones the filters apply. By default the web filters apply to all computers, so Enforce web filter policies for all computers is selected and the range is 0.0.0.0 - 255.255.255.255. Delete the default range by clicking the range item and the Delete button. Enter the IP range in the Range fields and click the Add button to add one address range to the web filter. Click Include and Apply if you want the web filters to apply only to the specified ranges; click Exclude and Apply if you want the web filters to apply to all computers except those specified ranges. FIELD / DESCRIPTION / EXAMPLE: Exempt Computers: determine which IP range will be exempt from verification by the web filter. Enforce web filter policies for all computers: the web filter is active for all computers, with no limit on the range of IP addresses (disabled). Include specified address ranges in the web filter enforcement: the web filter is only active for the computers specified below (enabled). Exclude specified address ranges from the web filter enforcement: except for the IP address ranges specified below, the web filter is active for all the other IP address ranges (disabled). Range From / To: set up the IP address range for the above Exempt Computers selection (192.168.40.100 - 192.168.40.130, 10.1.1.1 - 10.1.1.254). Apply: apply the above sel
93. he One to One NAT rule above to incorporate the WAN to LAN/DMZ feature by selecting One to One Bidirectional from the Type. Note that WAN to LAN/DMZ traffic is blocked by the Firewall by default; you have to add a Firewall rule to allow such traffic. If you expect a LAN/DMZ host to be fully accessible by public Internet users, use this mode. Note that this mode is extremely dangerous, because the host is fully exposed to the Internet and may be cracked. Always use Virtual Server rules first. (ADVANCED SETTINGS > NAT > NAT Rules > Insert: Status; Condition: 192.168.40.0; Action: One to One bidirectional, 61.2.1.1.) How to determine which NAT type is the best choice for you: here we have some suggestions, as described in the following table. Many to One: if the public IP addresses of your company are insufficient and you prefer to increase the number of nodes which can connect to the Internet, you can just choose the Many to One type to fit your request. Many to Many: if your company has more than one public IP address (e.g. you have applied for an extra ISP), you may use the Many to Many type to make the multiple public addresses share the inbound bandwidth, so your inbound and outbound traffic will be more flexible. One to One: if you just wish one local IP address to connect to the Internet and prohibit others from connecting to the Internet, you can specify the One to One type. One t
94. il the DFL-1500 uses up all source ports for that public IP; the DFL-1500 will then choose the second public IP from the address pool. Select Many to Many from the Type. Enter the subnet with an IP address and a netmask. The other fields are the same as those of Many to One rules; however, the DFL-1500 will no longer choose the device IP for you, it will choose the IP from the address pool you have entered. (ADVANCED SETTINGS > NAT > NAT Rules > Insert: Status enabled; Condition: 192.168.40.0 / 255.255.255.0; Action: Many to Many, 61.2.1.1 / 255.255.255.252.) Step 5.c: Insert a One to One Rule. Though you may have many public IP addresses for translation, you may want some private IP to always use a particular public IP. In this case you can select One to One from the Type and enter the private/public IP address pair in the Source IP and Translated Source IP fields. Table 6.2: Add a NAT rule. Step 5.d: Insert a One to One Bidirectional Rule. The above three modes allow LAN/DMZ to WAN session establishment, but do not allow WAN to LAN/DMZ sessions. WAN to LAN/DMZ sessions are allowed by Virtual Server rules. You can make t
95. ill in the IP Address, Subnet Mask and Gateway IP, and then enter the other fields (DNS IP Address, Routing Protocol). Click Apply to finish this setting. (Shown: Gateway 61.2.1.254, DNS 168.95.1.1, 0.0.0.0, Routing Protocol None.) FIELD / DESCRIPTION / EXAMPLE. Get IP Automatically (DHCP): Default WAN link: when Default WAN link is enabled, all the packets sent out from the DFL-1500 will go via this port (Enabled). Gateway/DNS: Get DNS Automatically: get DNS-related information from the DHCP Server; or DNS IP Address: manually specify the Primary and Secondary DNS Server information (Get DNS Automatically). Routing Protocol: determine whether to enable the dynamic routing protocol, i.e. receive RIP messages and send out RIP messages (None). OSPF Area ID: specify the OSPF area ID number. Fixed IP: Default WAN link: when Default WAN link is enabled, all the packets sent out from the DFL-1500 will go via this port. IP Address / Subnet Mask: the specified IP address and subnet mask (61.2.1.1 / 255.255.255.0). Gateway IP Address: the default gateway IP address (61.2.1.254). DNS IP Address: the specified Primary and Secondary DNS Server addresses (168.95.1.1). Routing Protocol: determine whether to enable the dynamic routing protocol, i.e. receive RIP messages and send out RIP messages (None). OSPF Area ID: specify the OSPF area ID number. PPP over Ethernet: Default WAN link: when Default WAN link is enabled, all the packets
96. is page: Log & Block Access, Log Only, Block Only (Log & Block Access). Block all categories: make all categories below enabled/disabled. Categories (Violence/Profanity, Gross Depictions, Militant/Extremist, etc.): enable the checked items. Time of Day: the time which was set for the Web Filter (09:30 - 17:30). Apply: apply the settings which have been configured (N/A). Reset: clean the filled data and restore the original one (N/A). Table 13.3: Web Filter Categories setting page. Step 5: Update the Built-in Database (ADVANCED SETTINGS > Content Filters > Web Filter > Database Update). Click the Download button to ask the DFL-1500 to instantly download the database from fwupdate.dlinktw.com.tw. The DFL-1500 can be set to automatically check the site for any new updates by checking Automatic Download; you can also configure how frequently the DFL-1500 checks for updates. Click Apply to store the changes. From now on, any traffic matching the URLs in the database will be blocked by the DFL-1500. FIELD / DESCRIPTION / EXAMPLE: List Server: determine the URL database web site to download from; the default is fwupdate.dlinktw.com.tw (fwupdate.dlinktw.com.tw). Automatic Download (enabled). Update Schedule (On Sunday at 03:00). Table 13.4: Web Filter database update. Step 6: Further customize the local zones (ADVANCED SETTINGS
97. ...ity | ICMP | 192.168.17.175 -> 192.168.17.150 | 11:36:19 | Undefined Code
2004-01-07 11:36:20 | 2 | SCAN SOCKS Proxy attempt | Attempted Information Leak | TCP | 192.168.17.150:48958 -> 192.168.17.175:1080
2004-01-07 11:36:21 | 2 | SNMP Agent tcp request | Attempted Information Leak | TCP | 192.168.17.150:48966 -> 192.168.17.175:705
Step 4 Update Attack Patterns: ADVANCED SETTINGS > IDS > Update Rule. IDS attack patterns require frequent updates because there are many new attacks every week. Please check your DNS settings and click Apply. The DFL-1500 will connect to fwupdate.dlinktw.com.tw to fetch any new signatures.
Part VI Bandwidth Management
Chapter 17 Bandwidth Management
This chapter introduces bandwidth management and explains how to implement it.
17.1 Demands
[Figure 17-1 (image): an FTP Server and a Video Stream Server (140.113.179.4) on the Internet side; PC1_1 downloads a file and PC1_2 watches video from LAN_1 (192.168.40.0/24) behind the DFL-1500.] Figure 17-1 Use the bandwidth management mechanism to shape the data flow in the downlink direction
As the diagram above (Figure 17-1) illustrates, PC1_1 is downloading MP3 files from the FTP Server (140.113.179.3). This occupies the bandwidth of PC1_2, who is watching the video provided by the Video Stream Server (140.113.179.4), causing the video to be blocked and to h
98. ...ive FTP client to maximize the compatibility of the FTP protocol. This is useful if you want to provide connectivity to passive FTP clients. For passive FTP clients, the server returns them its private IP address and the port number to which they should connect back for data transmission. Since that private IP cannot be routed from their zone into ours, the data connections would fail. After enabling this feature, the DFL-1500 translates the private IP/port into an IP/port of its own, so the problem is solved. Click Apply to proceed.
FIELD / DESCRIPTION / EXAMPLE
Status:
Activate this rule: Whether the Virtual Server rule is enabled or not.
Rule name: The Virtual Server rule name.
Condition:
Dest IP Address / Netmask: The public IP address and IP netmask of the Virtual Server. Example: 61.2.1.1.
Service: Any, TCP or UDP.
Dest Port: The port number on the Internet side. Example: 44444.
Passive FTP client: If Passive FTP client is checked, clients can connect to the internal DMZ FTP server behind the DFL-1500 when the FTP client uses passive mode. Otherwise it will not work. Example: enabled.
Action:
Translated dest port: The port number to which the request is actually transferred in the internal DMZ.
Translated dest IP: The IP address to which the request is actually transferred in the internal DMZ. Example: 10.1.1.5.
Table 6-4 Add a Virtual Server rule
Step 9 View the Result: Now any request towards the DFL-1500's WAN1 IP 61.2.1.1 with port 44444 will be translated into a request towards 10.1.1
99. ...check whether it is ready or not.
a. Check Basic Setup > DMZ Settings > DMZ1 status fields. Verify whether the data is set correctly.
b. Check Device Status > System Status > Network Status: the DMZ1 status should be UP. If the status is DOWN, check whether the network cable is disconnected.
c. Check System Tools > Remote Mgt > DMZ1. Verify that the DMZ1 port checkbox is enabled. By default only the LAN port is enabled.
5. I have already set the WAN1 IP address in the same subnet as my PC configurator, but I still can't use HTTPS to log in to the DFL-1500 via the WAN1 port. Why?
Ans: a. Be sure that you can ping the WAN1 port; please check the procedure described in question 4. b. Notice that you must check System Tools > Remote Mgt > HTTPS > WAN1. By default only the LAN port is enabled.
6. I still can't build the VPN IPSec connection with another device at the other side. Why?
Ans1: Please make sure that you follow the setting method as follows:
a. Check your IPSec Setting. Please refer to the settings in the Section Step 3.
b. Make sure that you have already added a WAN to LAN policy in Advanced Settings > Firewall to let the IPSec packets pass through the DFL-1500. The default value from WAN to LAN is block. When you add a Firewall rule, the Source IP and Netmask are the IP address / Subnet Mask in the pages of the Remote Address Type, and the Dest IP and Netmask are the IP Address / Subnet Mask in the pages of
100. ...min update system clock" and proceed by entering the target date.
FIELD / DESCRIPTION / EXAMPLE
NTP time server address: Use an NTP time server to auto-update the date/time value.
Continuously every 3 min update system clock: The system will update its date/time value from the NTP time server every 3 minutes. Example: Enabled.
Update system clock using the time server at boot time: The system will update its date/time value from the NTP time server at boot time. Example: disabled.
Manual Time Setup: Manually set the Time & Date value.
Table 4-3 System Tools Time/Date menu
Step 4 Setup Timeout: SYSTEM TOOLS > Admin Settings > Timeout. Select the target timeout (e.g. 10 min) from the System Auto Timeout Lifetime list and click the Apply button. Now the browser session will not time out for the 10 minutes following your last interaction with it.
FIELD / DESCRIPTION / EXAMPLE
System Auto Timeout Lifetime: When the system is idle for the specified time, it forces the people logged in to the system to log out automatically.
Table 4-4 System Tools Timeout menu
Step 5 Configure Services: SYSTEM TOOLS > Admin Settings > Services. We can configure a service name and its numeric port number as one group, so that you can simply use the domain name for the configuration in the DFL-1500. If you wan
101. Account: The account which allows a PPTP client user to dial in to the DFL-1500. Example: PptpUsers.
Password: The password which allows a PPTP client user to dial in to the DFL-1500. Example: Dif3wk.
Table 11-1 Setup PPTP Server
Step 2 Setup Windows XP/2000 PPTP clients: Configuring a PPTP dial-up connection.
Go to Start > Control Panel > Network and Internet Connections > Make new connection.
Select "Create a connection to the network of your workplace" and select Next.
Select "Virtual Private Network Connection" and select Next.
Give the connection a name and select Next.
If the Public Network dialog box appears, choose "Don't dial up initial connection" and select Next.
In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next.
Set Connection Availability to "Only for myself" and select Next.
Select Finish.
11.4.2 Setup PPTP Network Client
Step 1 Enable PPTP Client: Fill in the IP address of the PPTP Server and the allocated Username/Password. When the connection to the PPTP Server succeeds, the IP address allocated to the PPTP client appears in the Assigned IP field.
Customize the VPN Connection:
1. Right-click the icon that you have created.
2. Select Properties > Security > Advanced > Settings.
3. Select "No Encryption" from the Data Encryption list and click Apply.
4.
102. ...Denmark, Egypt, Finland, France
D-Link Australia: 1 Giffnock Avenue, North Ryde, NSW 2113, Sydney, Australia. TEL: 61-2-8899-1800. FAX: 61-2-8899-1868. TOLL FREE (Australia): 1800-177100. URL: www.dlink.com.au. E-MAIL: support@dlink.com.au & info@dlink.com.au.
D-Link Brasil Ltda.: Edificio Manoel Tabacow Hydal, Rua Tavares Cabral 102, Sala 31, 05423-030 Pinheiros, Sao Paulo, Brasil. TEL: 55-11-3094-2910 to 2920. FAX: 55-11-3094-2921. E-MAIL: efreitas@dlink.cl.
D-Link Canada: 2180 Winston Park Drive, Oakville, Ontario L6H 5W1, Canada. TEL: 1-905-829-5033. FAX: 1-905-829-5095. TOLL FREE: 1-800-354-6522. URL: www.dlink.ca. FTP: ftp.dlinknet.com. E-MAIL: techsup@dlink.ca.
D-Link South America (Sudamerica S.A.): Isidora Goyenechea 2934, Of. 702, Las Condes, Fono 2323185, Santiago, Chile. TEL: 56-2-232-3185. FAX: 56-2-232-0923. URL: www.dlink.cl. E-MAIL: ccasassu@dlink.cl, tsilva@dlink.cl.
D-Link China: 15th Floor, Science & Technology Tower, No. 11 Baishiqiao Road, Haidian District, 100081 Beijing, China. TEL: 86-10-68467106. FAX: 86-10-68467110. URL: www.dlink.com.cn. E-MAIL: liweii@digitalchina.com.cn.
D-Link Denmark: Naverland 2, DK-2600 Glostrup, Copenhagen, Denmark. TEL: 45-43-969040. FAX: 45-43-424347. URL: www.dlink.dk. E-MAIL: info@dlink.dk.
D-Link Middle East: 7 Assem Ebn Sabet Street, Heliopolis, Cairo, Egypt. TEL: 202-245-6176. FAX: 202-245-6192. URL: www.dlink-me.com. E-MAIL: support@dlink-me.com.
103. ...ny.
Table 4-1 System Tools General Setup menu
Step 2 Change Password: SYSTEM TOOLS > Admin Settings > Password. Enter the current password in the Old Password field. Enter the new password in the New Password field and retype it in the Retype to Confirm field. Click Apply.
FIELD / DESCRIPTION / EXAMPLE
Old Password: The original password of the administrator.
New Password: The newly selected password. Example: 12345.
Confirm Password: Double-confirm the newly selected password. Example: 12345.
Table 4-2 Enter new password
Step 3 Setup Time/Date: SYSTEM TOOLS > Admin Settings > Time/Date. Select the Time Zone where you are located (e.g. GMT+08:00 Beijing, Hong Kong, Perth, Singapore, Taipei). Enter the nearest NTP time server in the NTP time server address field. Note that your DNS must be set if the entered address requires a domain name lookup; you can also enter an IP address instead. Check "Continuously every 3 min update system clock" and click Apply. The DFL-1500 will immediately update the system time and will keep updating it periodically. Check "Update system clock using the time server at boot time" and click Apply if you want to update the clock at each boot. If you want to change the system time manually, uncheck the "Continuously every 3
104. One-to-One bidirectional: If you wish to expose a local PC to the Internet and open all its Internet services to the outside, you can specify the One-to-One bidirectional type. This will make the local PC you specified fully exposed to the Internet. Additionally, you must add a firewall rule to allow WAN to LAN traffic to be forwarded. Then you can finish the settings. Be careful using this type, or it will endanger your network security.
Table 6-3 The NAT type comparison
Step 6 View the LAN to WAN Sessions: ADVANCED SETTINGS > NAT > NAT Sessions. Click NAT Sessions to see the sessions between LAN and WAN. [Screenshot: session table with columns Item, Local Client, DFL-1500, Remote Server.]
6.4.2 Setup Virtual Server for the FtpServer1
Step 1 Device IP Address: BASIC SETUP > DMZ Settings > DMZ1 Status. Set up the IP Address and IP Subnet Mask of the DFL-1500's DMZ1 interface.
Step 2 Client IP Range: Enable the DHCP server if you want the DFL-1500 to assign IP addresses to the computers under DMZ1. Here we enable the DHCP feature.
Step 3 Apply the Changes: Click Apply to save your settings.
Step 4 Check NAT Status: The default NAT setting is Basic Mode. After applying Step 3, NAT is automatically configured with three rules to let all private IP (LAN/DMZ) to WAN requests be translated with the public IP assigned by the ISP.
Step 5 Check NAT Rule
105. ...of encodings as well as some specific bugs.
Normalize RPC Traffic: This option normalizes RPC multiple fragmented records into a single unfragmented record. It does this by normalizing the packet into the packet buffer. If the Stateful Inspection option is enabled, it will only process client-side traffic. It defaults to running on ports 111 and 32771. Example: enabled.
Back Orifice Detector: This option enables the detection of Back Orifice.
Normalize Telnet Negotiation String: This option normalizes telnet control protocol characters out of the session data. It accepts a list of ports to run on as arguments. It defaults to running on ports 21, 23, 25 and 119. Example: enabled.
ARP Spoof Detection: This option enables the detection of ARP spoofing.
Table 16-1 IDS option list explanation
Step 2 Setup Logs: DEVICE STATUS > Log Config > Mail Logs. Enter the Mail Server IP Address, the Mail Subject and the e-mail address at which you want to receive the logs. Select the Log Schedule for e-mailing the logs to your mail server. [Screenshot: Mail Server 10.1.1.1, recipient mis@dlink.com, schedule Hourly.]
Step 3 View logs: DEVICE STATUS > IDS Logs. If there are attacks towards the WAN port from the public Internet, there will be logs describing the details, for example:
2004-01-07 11:36:18 | 3 | ICMP PING Undefined Code | Misc activity | ICMP | 192.168.17.150 -> 192.168.17.175
2004-01-07 | 3 | ICMP Echo Reply | Misc activ
106. ...configured with Many-to-One, Many-to-Many, One-to-One and bidirectional One-to-One rules to do policy-based NAT.
Total Configured Rules: 3. Vacant Rules: 197.
ADVANCED SETTINGS > NAT > NAT Rules
[Screenshot, NAT > Edit Rules: "Packets are top-down matched by the rules." Columns: Name, Direction, Source IP Address, Translate Src IP into, Type.
1 | Basic DMZ1 | LAN/DMZ to WAN | 10.1.1.254/255.255.255.0 | Auto device WAN IP | M-1
Basic LAN2 | LAN/DMZ to WAN | 192.168.2.254/255.255.255.0 | Auto device WAN IP | M-1
Basic LAN1 | LAN/DMZ to WAN | 192.168.1.254/255.255.255.0 | Auto device WAN IP | M-1
Page 1/1]
This section tells you how to provide an FTP service, with a server installed under your DMZ1, to public Internet users. After following the steps, users at the WAN side can connect to the FTP server at the DMZ side.
Step 1 Device IP Address: BASIC SETUP > DMZ Settings > DMZ1 Status. Set up the IP Address and IP Subnet Mask of the DFL-1500's DMZ1 interface.
Step 2 Client IP Range: Enable the DHCP server if you want the DFL-1500 to assign IP addresses to the computers under DMZ1. Here we do not enable it. [Screenshot, DMZ1 TCP/IP: IP Address 10.1.1.254, IP Subnet Mask 255.255.255.0; DHCP Setup: Enable DHCP Server, IP Pool Starting Address
107. ...how to reboot the system instantly.
Console output:
Resetting Configuration to default DONE
Please reboot the system
DFL-1500 sys reboot now
Rebooting
20.5 Steps for Backup/Restore Configurations
Step 1 Backup the current configuration: SYSTEM TOOLS > System Utilities > Backup Configuration. In the System Tools > System Utilities > Backup Configurations page, click the Backup button to back up the configuration file to the local disk.
Step 2 Restore the previously saved configuration: SYSTEM TOOLS > System Utilities > Restore Configuration. In the System Tools > System Utilities > Restore Configurations page, first click the Browse button to select the firmware path, and then click the Upload button to restore the configuration. [Screenshot: C:\cont20031103.bin, Upload.]
Appendix A Command Line Interface (CLI)
Most of the time you configure the DFL-1500 through the web interface (HTTP/HTTPS). Besides that, you can use another method (console, ssh or telnet) to configure the DFL-1500 in an emergency. This is known as the Command Line Interface (CLI). By way of CLI commands you can set the IP addresses, restore the factory defaults, reboot or shut down the system, etc. Here we give you a complete list for configuring the DFL-1500 with CLI commands.
A.1 Enable the port of DFL-1500: If you prefer to use CLI commands, you can use them through the console, ssh or telnet. For using the ssh/telnet feature you
108. ...r URL/domain/IP addresses are all blocked from access.
Java/ActiveX/Cookies/Web Proxy to trusted domain: Within the domain range of the trusted domains below, if there are Java, ActiveX, Cookies or Web Proxy components in the web page, the action is set not to block them. Example: Enabled.
Trusted Domains: Here we can specify the Trusted Domains for the above item, using Domain. Example: www.dlink.com.tw, www.dlink.com.
Forbidden Domains: Here we can specify the Forbidden Domains for the above item, using Domain. Example: www.sex.com, www.stockmarket.com.
Table 13-6 Web Filter Customize setting page
Step 8 Setup URL keyword blocking: ADVANCED SETTINGS > Content Filters > Web Filter > Domain Name. Check Enable Keyword Blocking to block any URLs that contain the entered keywords. Add a keyword by entering a word in the keyword field followed by a click on Add.
[Table 13-7, description partly lost: ...browser. The contents at the URL will be blocked.]
Table 13-7 Web Filter Domain Name setting page
Part IV
Step 9 Setup contents keyword blocking: ADVANCED SETTINGS > Content Filters > Web Filter > Keyword. Check Enable Keyword Blocking to block any Web pages that contain the entered keywords. Add a keyword by entering a word in the Keyword field and then click Add to proceed. Note that you can add as many keywords as you like.
FIELD / DESCRIPTION
109. ...r to monitor the system status and network status of the DFL-1500.
FIELD / DESCRIPTION / EXAMPLE
Get community / Set community: The community which can get (or set) the SNMP information. Here "community" is something like a password.
Trusted hosts: The IP address which can get or set the community from the DFL-1500. Example: 192.168.1.5.
Trap community: The community which will send the SNMP trap. Here "community" is something like a password. Example: trap_comm.
Trap destination: The IP address to which the SNMP trap will be sent from the DFL-1500. Example: 192.168.1.5.
Chapter 5 Remote Management
This chapter introduces remote management and explains how to implement it.
5.1 Demands: Administrators may want to manage the DFL-1500 remotely from any PC in LAN_1 with HTTP at port 8080, and from WAN_PC with TELNET. In addition, the DFL-1500 may be more secure if monitored by a trusted host, PC1_1. What's more, the DFL-1500 should not respond to ping, so as to hide itself. The remote management function in DFL-1500 devices is implemented by hidden Firewall rules.
5.2 Methods: Only allow management by WAN_PC (140.2.5.1) at the WAN1 side. Administrators can use browsers to connect to http://192.168.40.254:8080 for management. Allow SNMP monitoring by PC1_1 (192.168.40.1) at the LAN1 side. Do not respond to ICMP ECHO packets at the WAN1 (WA
110. ... Set up a Virtual Server at the DFL-1500 to redirect any connections towards some port of WAN1 to port 21 at the FTPServer1.
[Figure 6-2 (image): Intranet DMZ_1 10.1.1.1/24; an FTP request to 61.2.1.1:44444 from the Internet is redirected to the FTP Server 10.1.1.5:21.] Figure 6-2 DFL-1500 plays the role of Virtual Server
As Figure 6-2 above illustrates, the server 10.1.1.5 provides FTP service, but it is located in the DMZ region behind the DFL-1500. The DFL-1500 acts in a Virtual Server role, redirecting the packets to the real server 10.1.1.5. You can announce to Internet users that there is an FTP server whose IP/port is 61.2.1.1:44444, so all Internet users simply connect to 61.2.1.1:44444 to get FTP service.
6.4 Steps
6.4.1 Setup Many-to-One NAT rules
Step 1 Enable NAT: ADVANCED SETTINGS > NAT > Status. Select Basic from the Network Address Translation Mode list. Click Apply. Now the DFL-1500 will automatically set the NAT rules for the LAN/DMZ zones. Namely, all internal networks can establish connections to the outside world if the WAN settings are correct.
FIELD / DESCRIPTION / EXAMPLE
Network Address Translation Mode:
None: The DFL-1500 is in routing mode without performing any address translation.
Basic: The DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnets.
Full Feature
111. ...provide connectivity to passive FTP clients. For passive FTP clients, the server at the DMZ returns them its private IP address (10.1.1.5) and the port number to which the clients should connect back for data transmission. Since the FTP clients at the WAN side cannot connect to a private IP (ex. 10.1.1.5) through the Internet, the data connections would fail. After enabling this feature, the DFL-1500 translates the private IP/port into an IP/port of its own, so the problem is solved. Click Apply to proceed.
Step 9 View the Result: Now any request towards the DFL-1500's WAN1 IP 61.2.1.1 with dest port 44444 will be translated into a request towards 10.1.1.5 with port 21 and then be forwarded to 10.1.1.5. The FTP server listening at port 21 on 10.1.1.5 will pick up the request.
[Screenshot, ADVANCED SETTINGS > NAT > Virtual Servers: columns Item, Status (Active, Name), Condition (Direction, Dest IP Address, Service), Action (Translate dest IP/port into); Insert and Delete buttons.]
[Screenshot, ADVANCED SETTINGS > NAT > Virtual Servers > Insert: Condition with netmask 255.255.255.255 and a Well-known port selector; Action.]
[Screenshot, ADVANCED SETTINGS > NAT > Virtual Servers after insertion: 1 | Y | ftpServer | LAN/WAN to DMZ | 61.2.1.1/255.255.255.0 | ...]
112. ...s. 1. Through the DEVICE STATUS > System Status path we can get the needed information.
18.4 Steps
Step 1 System Status: DEVICE STATUS > System Status > System Status. Here we can see the system information, including the system name, the firmware version and the full list of each port's settings.
Step 2 Network Status: DEVICE STATUS > System Status > Network Status. Here we can see the port status (whether the port is up or down) and view the amount of transmitted and received packets on each port.
Step 3 CPU & Memory: DEVICE STATUS > System Status > CPU & Memory. We can see the device information, including system, user, interrupt and memory utilization, through the graphic interface. Note: If you cannot view the graphic correctly, it may be because the Java Virtual Machine (JVM) is not installed for your browser. Simply go to http://java.sun.com/j2se/1.4.2/download.html and download the Java 2 Platform Standard Edition (JRE) for your platform (ex. Windows). After installing the JRE properly you will see the CPU & Memory graphic as shown at the right side.
Step 4 DHCP Table: DEVICE STATUS > System Status > DHCP Table. Through the DHCP Table we can recognize which IPs have been allocated by the DHCP server, and know which PC (MAC address) has leased each IP address.
113. ...s. The DFL-1500 has added three NAT rules. The rule Basic DMZ1 (number 1) means that when the condition is matched (requests in the LAN/DMZ to WAN direction with a source IP falling in the range 10.1.1.254/255.255.255.0), the request is translated into a request with a public source IP and then forwarded to the destination.
Step 6 Setup IP for the FTP Server: Assign an IP of 10.1.1.1/255.255.255.0 to the FTP server under DMZ1. Assume the FTP Server is at 10.1.1.5, and it is listening on the well-known port 21.
[Screenshot, DMZ1 Status > DMZ1 TCP/IP: IP Address 10.1.1.254; IP Subnet Mask 255.255.255.0. DHCP Setup: Enable DHCP Server checked; IP Pool Starting Address 10.1.1.1; Pool Size 20; Primary DNS Server 10.1.1.254; Secondary DNS Server 0.0.0.0; Lease time (sec) 7200; Routing Protocol None; OSPF Area ID; Apply.]
ADVANCED SETTINGS > NAT > Status: Network Address Translation Mode: Basic.
Network Address Translation (NAT) translates the IP/port for: 1. LAN/DMZ to WAN traffic: map private src IPs and ports to the DFL-1500's WAN public IPs and ports. 2. LAN/WAN to DMZ traffic: map public dest IPs and ports to the DMZ servers' private IPs and ports.
Modes: 1. None: The DFL-1500 is in routing mode without performing any address translation. 2. Basic: The DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ
114. ...s > DNS Proxy. Check Enable DNS Proxy and click Apply to store the settings. From now on, your LAN/DMZ PCs can use the DFL-1500 as their DNS server, as long as the DNS server for the DFL-1500 has been set in its WAN settings.
FIELD / DESCRIPTION / EXAMPLE
Enable DNS Proxy: When a host on the LAN/DMZ sends a DNS request, the DFL-1500 forwards it to the DNS server of the Default WAN link. When the response from the DNS server arrives, the DFL-1500 forwards it back to the host on the LAN/DMZ. Example: Enabled.
Table 4-7 System Tools DNS Proxy menu
4.4.4 DHCP Relay setting
Step 1 Setup DHCP Relay: SYSTEM TOOLS > Admin Settings > DHCP Relay. Check Enable DHCP Relay. Enter the IP address of your DHCP server. Check the relay domains of the DFL-1500 that need to be relayed, namely the one where the DHCP server resides and the one where the DHCP clients are located. Click the Apply button.
FIELD / DESCRIPTION / EXAMPLE
Enable DHCP Relay: When a host on the LAN/DMZ in the DFL-1500's internal network sends a DHCP request, the DFL-1500 forwards it automatically to the specified DHCP server (on a different subnet from the network segment of the DHCP client). Example: Enabled.
115. ...s Sessions. The rule Basic DMZ1 (number 1) means that when the condition is matched (requests in the LAN/DMZ to WAN direction with a source IP falling in the range 10.1.1.254/255.255.255.0), the request is translated into a request with a public source IP and then forwarded to the destinations.
[Screenshot, NAT > Edit Rules: "Packets are top-down matched by the rules." Columns: Active, Name, Direction, Source IP Address, Translate Src IP into, Type.
Y | Basic DMZ1 | LAN/DMZ to WAN | 10.1.1.254/255.255.255.0 | Auto device WAN IP | M-1
Y | Basic LAN2 | LAN/DMZ to WAN | 192.168.2.254/255.255.255.0 | Auto device WAN IP | M-1
Y | Basic LAN1 | LAN/DMZ to WAN | 192.168.1.254/255.255.255.0 | Auto device WAN IP | M-1
Page 1/1]
Step 6 Setup IP for the FTP Server: Assign an IP of 10.1.1.5/255.255.255.0 to the FTP server under DMZ1. Assume the FTP Server is at 10.1.1.5, and it is listening on the well-known port 21.
Step 7 Setup Server Rules: Insert a virtual server rule by clicking the Insert button.
Step 8 Customize the Rule: Customize the rule name as ftpServer. For any packets with a destination IP address equal to the WAN1 IP 61.2.1.1 and a destination port equal to 44444, the DFL-1500 translates the packets' destination IP/port into 10.1.1.5:21. Check Passive FTP client to maximize the compatibility of the FTP protocol. This is useful if you want to p
116. ...s that the key is transient. The key is thrown away and replaced by a brand-new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The time-consuming Diffie-Hellman exchange is the trade-off for this extra security. This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the DFL-1500. Disabling PFS means new authentication and encryption keys are derived from the same root secret, which may have security implications in the long run but allows faster SA setup by bypassing the Diffie-Hellman key exchange.
9.1.6 Encapsulation > Transport Mode
Transport mode is used to protect upper-layer protocols and only affects the data in the IP packets. In Transport mode, the IP packets contain the security protocol (AH or ESP) located after the original IP header and options, but before any upper-layer protocols contained in the packet, such as TCP and UDP. With ESP, protection is applied only to the upper-layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore the originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is exten
117. ...
18.4 Steps ... 115
Chapter 19 (title unreadable) ... 117
19.1 Demand ... 117
19.2 (title unreadable) ... 117
19.3 (title unreadable) ... 117
19.4 (title unreadable) ... 117
19.4.1 System Logs ... 117
19.4.2 Mail Logs ... 118
Chapter 20 System Maintenance ... 119
20.1 (title unreadable) ... 119
20.2 Steps for TFTP (rest of title unreadable) ... 119
20.3 Steps for Firmware Upgrade from Web GUI ... 121
20.4 Steps for Factory Reset ... 121
20.4.1 Steps for NORMAL factory reset ... 121
20.4.2 Steps for EMERGENT factory reset ... 121
20.5 Steps for Backup/Restore Configurations ... 122
Appendix A Command Line Interface (CLI) ... 123
A.1 Enable the port of DFL-1500 ... 123
A.2 CLI commands ... 123
Appendix B Trouble Shooting ... 125
Appendix C Packet Flow ... 129
Appendix D Glossary of Terms ... 131
Appendix E (title unreadable) ... 133
Appendix F (title unreadable) ... 135
Appendix G Version of Software and Firmware ... 137
Appendix H Customer Support ... 139
Part I Basic Configuration
Chapter 1 Quick Start
This chapter introduces how to set up the DFL-1500 quickly. The DFL-1500 is an integrated all-in-one solution that can facilitate the maximum security and the best resource utilization for enterprises. It cont
118. ...st from the preconfigured port (LAN1 / DMZ_1) to the real DHCP server (210.176.25.3).
[Figure 4-3 (image): DMZ_1 10.1.1.1~253 and LAN 192.168.40.1~253 behind the DFL-1500 (WAN1 IP 61.2.1.1); the DHCP Server 210.176.25.3 is reached through the ISP/Internet.] Figure 4-3 DHCP Relay mechanism chart
5. We can adjust the DFL-1500 interfaces in SYSTEM TOOLS > Admin Settings > Interface according to our preference and requirements (e.g. 3 WAN / 1 LAN / 1 DMZ). As Figure 4-4 below demonstrates, there are three ISPs connected to the DFL-1500, so we must adjust the interfaces up to 3 WAN ports to fit the current condition.
[Figure 4-4 (image): the DFL-1500 connected to the Internet through three ISPs.] Figure 4-4 Adjust DFL-1500 interface to fit present situation
6. As Figure 4-5 below demonstrates, there is an embedded SNMP agent in the DFL-1500, so you can use an SNMP manager to monitor the DFL-1500's system status, network status, etc. from either the LAN or the Internet.
[Figure 4-5 (image): there is an embedded SNMP agent in the DFL-1500.] Figure 4-5 It is efficient to use SNMP Manager to monitor the DFL-1500 device
4.4 Steps
4.4.1 General settings
Step 1 General Setup: SYSTEM TOOLS > Admin Settings > General. Enter the Host Name as DFL-1 and the Domain Name as the domain name of your company. Click Apply.
FIELD / DESCRIPTION / EXAMPLE
Host Name: The host name of the DFL-1500 device. Example: DFL-1.
Domain Name: Fill in the domain name of your compa
119. ...subnets. 3. Full Feature: The DFL-1500 can be manually configured with Many-to-One, Many-to-Many, One-to-One and bidirectional One-to-One rules to do policy-based NAT.
Total Configured Rules: 3. Vacant Rules: 197.
ADVANCED SETTINGS > NAT > NAT Rules
[Screenshot, NAT > Edit Rules: "Packets are top-down matched by the rules." Columns: Active, Name, Direction, Source IP Address, Translate Src IP into, Type.
1 | Basic DMZ1 | LAN/DMZ to WAN | 10.1.1.254/255.255.255.0 | Auto device WAN IP | M-1
Basic LAN2 | LAN/DMZ to WAN | 192.168.2.254/255.255.255.0 | Auto device WAN IP | M-1
Basic LAN1 | LAN/DMZ to WAN | 192.168.40.254/255.255.255.0 | Auto device WAN IP | M-1
Page 1/1]
Part II
Step 7 Setup Server Rules: ADVANCED SETTINGS > NAT > Virtual Servers. Insert a virtual server rule by clicking the Insert button. [Screenshot: empty Virtual Servers table with columns Item, Status (Active, Name), Condition (Direction, Dest IP Address), Action (Translate dest IP/port into).]
Step 8 Customize the Rule: ADVANCED SETTINGS > NAT > Virtual Servers > Insert. Customize the rule name as ftpServer. For any packets with a destination IP equal to the WAN1 IP 61.2.1.1 and a destination port equal to 44444, ask the DFL-1500 to translate the packets' destination IP/port into 10.1.1.5:21. Check the Pass
120. DHCP Server: Current location of the DHCP server.
Relay Domain: The locations of the DHCP clients.
Table 4-8 System Tools DHCP Relay menu
4.4.5 Change DFL-1500 interface
Step 1 Change Interface definition: SYSTEM TOOLS > Admin Settings > Interface. The default port settings are 2 WAN ports, 1 DMZ port and 2 LAN ports. But in order to fit our requirement, here we select 1 LAN (port 1), 1 DMZ (port 2) and 3 WAN (ports 3~5), and then press the Apply button to reboot the DFL-1500. Note that the DMZ and LAN port IP addresses are going to be 10.1.1.254 and 192.168.1.254 after the device finishes rebooting. Besides, there must be at least one WAN port and one LAN port in the DFL-1500; you are not allowed to change the interfaces to a state which has no LAN port or WAN port.
Note (from the settings page): After the interface is modified, the system will reboot automatically. All configuration information will be erased and the system returned to its factory defaults.
FIELD / DESCRIPTION / EXAMPLE
Port1~Port5: You can specify WAN/LAN/DMZ for each port by your preference. However, there must be one WAN and one LAN interface in the DFL-1500. Example: WAN/LAN/DMZ.
Table 4-9 Change the DFL-1500 interface setting
4.4.6 SNMP Control
Step 1 Setup SNMP Control: SYSTEM TOOLS > SNMP Control. By setting the related information in this page, we can use an SNMP manage
121. t backpressure at Half-Duplex operation. Support Auto MDI/MDI-X. IEEE 802.3x Flow Control support for Full-Duplex mode. 1 port for connecting to server: RJ-45 connector, IEEE 802.3 compliance, IEEE 802.3u compliance. LAN port / DMZ port: support Half/Full-Duplex operations; support backpressure at Half-Duplex operation; support Auto MDI/MDI-X; IEEE 802.3x Flow Control support for Full-Duplex mode. 1.1.3.4 Console port: DB-9 male connector, asynchronous serial DTE with full modem controls. 1.1.3.5 LED indication. Per device: 1. Power LED: Off = power off; Solid Green = power on. Ethernet 10/100M, per port: 1. Link/ACT LED: Off = no link; Solid Green = link; Blinking Green = activity. 2. Power supply: AT PS, AC 90-230 V full range, 45-63 Hz; power dissipation 180 W. 3. Environmental Specifications: 3.1 Operating Temperature 0 to 60 °C; 3.2 Storage Temperature -25 to 70 °C; 3.3 Operating Humidity 5% to 95% non-condensing. 4. EMC and Safety Certification: EMC Approval / Safety Approval: FCC class A, VCCI class A, CE class A, C-Tick class A. Appendix G: Version of Software and Firmware. DFL-1500 VPN Firewall Router, version of components: Firmware v1.5IR. Appendix H: Customer Support. D-Link Offices: Australia, Brazil, Canada, Chile, China, De
122. t to add, edit or delete the service record, just click the button below to add, edit or delete it. Table 4-5: Setup the service name record. 4.4.2 DDNS setting. Step 1: Setup DDNS. SYSTEM TOOLS > Admin Settings > DDNS. If the IP address of the DFL-1500 WAN port is dynamically allocated, you may want to use the Dynamic DNS mechanism so that your partner can always use the same domain name (like xxx.com) to connect to you. Select a WAN interface to update the DDNS record. Here we supply two DDNS service providers. Fill in the Host Name, Username and Password supplied by the DDNS web site; please refer to the DDNS web site for detailed information. Click Apply to activate the settings. FIELD / DESCRIPTION / EXAMPLE. Enable DDNS for WAN1: enable the DDNS feature of the DFL-1500 (Enabled). Interface: assign which interface's public IP address is sent to the DDNS server (WAN1). Server: the domain address of the DDNS server; in the DFL-1500 we provide two web sites for choice, WWW.DYNDNS.ORG and WWW.DHS.ORG (WWW.DYNDNS.ORG). Hostname: the registered hostname in the DDNS server. Username: the registered username in the DDNS server. Password: the registered password in the DDNS server (1234567). Table 4-6: System Tools, DDNS setting page. 4.4.3 DNS Proxy setting. Step 1: Setup DNS Proxy. SYSTEM TOOLS > Admin Setting
123. te ADVANCED SETTINGS > VPN Settings > IPSec > IKE. [Screenshot: Enable IPSec checkbox, Apply; IKE / Manual Key tabs; Edit/Modify IPSec Security Associations table with columns Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Security Gateway; Edit and Delete buttons.] ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add. [Screenshot: IPSec > IKE > Edit Rule. Status: Active. IKE Rule Name: IKErule. Condition: Local Address Type Subnet Address, IP Address 192.168.88.0, Subnet Mask 255.255.255.0; Remote Address Type Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0. Negotiation Mode: Main. Encapsulation Mode: Tunnel. Security Gateway Addr: 61.2.1.1. ESP Algorithm: Encrypt and Authenticate, DES/MD5. AH Algorithm: not selected. Pre-Shared Key: 1234567890. Advanced, Back, Apply.] Step 4: Reminder to add a Firewall rule. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message to remind you of adding a firewall rule; just press the OK button to add a firewall rule. Step 5: Add a Firewall rule. Same as at DFL_1, we need to add an extra firewall rule to allow IPSec packets to come in from the Internet. So here we select the WAN1 to LAN1 direction and click the Insert button. Step 6: Customize the Firewall rule. Check Activate this rule. Enter the Rule Name as
124. tering FTP Filtering. Chapter 15: Content Filtering, FTP Filtering. This chapter introduces FTP proxies and explains how to implement them. 15.1 Demands. 1. Some users in LAN1 use FTP to download big MP3 files and waste bandwidth. 15.2 Objectives. 1. Forbid PC1_1 from downloading MP3 files with FTP. 15.3 Methods. 1. Set up the filename extensions of the forbidden file types that are not allowed to be transmitted using the standard FTP port. 2. Let PC1_1 download an MP3 file from FTPServer3 to see if the session is blocked. [Figure 15-1: Use FTP filter functionality to avoid users downloading forbidden file types. Topology: LAN_1 192.168.40.1-253 with PC1_1 192.168.40.1 and PC1_2 192.168.40.2 behind a switch; LAN1_IP 192.168.40.254; WAN1_IP 61.2.1.1; Internet hosts www.nthu.edu.tw, www.nctu.edu.tw (140.114.x.x) and WebServer3 140.112.4.4, MailServer3 140.112.1.3, FTPServer3 140.112.1.5.] 15.4 Steps. Step 1: Enable FTP Filter. ADVANCED SETTINGS > Content Filters > FTP Filter > FTP. Check the Enable FTP Filter checkbox and click the nearby Apply button to enable this feature. Click the Add button to add a new FTP filter. FIELD / DESCRIPTION / EXAMPLE. Enable FTP Filter: enable the FTP Filter feature of the DFL-1500. Table 15-1: FTP Filter, FTP setting page. Step 2: Add an FTP
125. ternal network. Suppose your company uses DSL to connect to the Internet via PPPoE; in this case you should set up the WAN port of the DFL-1500 in advance. There have been some adjustments within your company, so the original network structure has changed; now you should modify the configuration of the internal network (DMZ, LAN). Your company needs more network bandwidth if the existing bandwidth is insufficient for your company to connect to the external network. Objectives: Configure the network settings of the DFL-1500 WAN1 port. Configure the network settings of the DFL-1500 DMZ1 and LAN1 ports. Suppose your company applies to another ISP and hopes that the newly assigned network IP can be configured on the same WAN port of the DFL-1500. Methods: Select the PPPoE method in the DFL-1500 Basic Setup > WAN settings > WAN1 IP page, and then configure the related account and password in order to connect to the Internet. Configure the related network settings in the DFL-1500 Basic Setup > DMZ settings > DMZ1 Status and Basic Setup > LAN settings > LAN Status pages. Configure the IP alias on the WAN1 port. Steps. Notice: do not try to configure the port network setting from the same port you log in on, or the network connection will be terminated and the system will be locked at the original IP address. 3.4.1 Setup WAN1 IP. Step 1: Setup WAN1 port. BASIC SETUP > WAN Settings > WAN1 IP > Fixed IP Address. Here we select the Fixed IP Address method on the WAN1 port. F
126. the Local Address Type. As Figure B-1 and Figure B-2 indicate, when we configure an IPSec policy, please be sure to add a rule to let the IPSec packets pass from WAN to LAN. For the setting of the IP address please refer to the Figure. [Figure B-1: Insert a new IPSec policy. IPSec > IKE > Edit Rule. Status: Active. IKE Rule Name: IKErule. Condition: Local Address Type Subnet Address, IP Address 192.168.40.0, Subnet Mask 255.255.255.0; Remote Address Type Subnet Address, IP Address 192.168.30.0, Subnet Mask 255.255.255.0.] [Figure B-2: Insert a new firewall rule in WAN to LAN. Firewall > Edit Rules > Insert. Activate this rule. Rule name: AllowIPSecPkt. Source IP 192.168.30.0, Netmask 255.255.255.0. Dest IP 192.168.40.0, Netmask 255.255.255.0. Service: Any. Configure dest port: Type Single/Range. Forward the matched packet. Don't log the matched packet. Back, Apply, Reset.] 7. When I try to log in to the DFL-1500, it showed the following information as the Figure indicates, and I couldn't log in successfully.
127. the TFTP server TftpServer.exe in the C:\ directory and double-click to run it. Place all .bin files in C:\ as well. Set the PC to 192.168.1.x so that it is in the same subnet as the DFL-1500's LAN1. Log in to the DFL-1500's console. Enter en to enter privileged mode. Configure the LAN1 address so that the DFL-1500 can connect to the TFTP server. The CLI command to configure the LAN1 interface is ip ifconfig INTF3 192.168.1.254 255.255.255.0. Step 2: Upgrade firmware. Enter ip tftp upgrade combo 192.168.1.x <date>-DFL-1500-<ver>.bin. Notice: if you want to preserve the previous configuration, add the preserve keyword to the end. Step 3: Reboot the system. Enter sys reboot now to instantly reboot the system. Step 4: Check if OK. Console session:
    NetOS/i386 (DFL-1500) (tty00)
    login: admin
    Password:
    Welcome to DFL-1500 Firewall/VPN Router
    DFL-1500> en
    DFL-1500# ip ifconfig INTF3 192.168.1.254 255.255.255.0
    DFL-1500#
    DFL-1500# ip tftp upgrade combo 192.168.1.2 20030910-DFL-1500-1.50R.bin
    Fetching from 192.168.1.2 for 20030910-DFL-1500-1.50R.bin
    tftp> tftp> Verbose mode on.
    tftp> getting from 192.168.1.2:20030910-DFL-1500-1.50R.bin to 20030910-DFL-1500-1.50R.bin [octet]
    DFL-1500# sys reboot now
    Rebooting...
    syncing disks... done
    rebooting...
    ASIC IPSec Enabled
    Ethernet address 00:80:c8:50:fa
    Ethernet address 00:80:c8:50:fa
    Ethernet address 00:80:c8:50:fa:bc
    Ethernet address 00:80:c
128. the local LAN subnet. Remote Address means the remote LAN subnet. My IP Address means the WAN IP address of the local VPN gateway, while the Security Gateway Address means the WAN IP address of the other VPN gateway. Difference: IKE: the Pre-Shared Key must be the same at both DFL-1500s. Manual Key: the types and keys of Encryption and Authentication must be set the same on both DFL-1500s; however, the Outgoing SPI at DFL_1 must equal the Incoming SPI at DFL_2, and the Outgoing SPI at DFL_2 must equal the Incoming SPI at DFL_1. Table 10-1: Comparison of the IKE and Manual Key methods. 10.4 Steps. In the following we will separately explain the ways to set up a secure DES/MD5 tunnel with IKE and with Manual Key. > DES/MD5 IPSec tunnel, the IKE way. At DFL_1: first we will install the IPSec properties of DFL_1. Step 1: Enable IPSec. ADVANCED SETTINGS > VPN Settings > IPSec. Check the Enable IPSec checkbox and click Apply. [Screenshot: IPSec table with columns Active, Name, Local LAN, Remote LAN, Mechanism, My IP, Security Gateway.] Step 2: Add an IKE rule. Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint. Step 3: Customize the rule. Check the Active checkbox. Enter a name for this rule, like IKErule. Enter the Local IP
129. topology for deploying the DFL-1500. 2.2 Changing the LAN1 IP Address. The default settings of the DFL-1500 are listed in Table 1-1. However, the original LAN setting is 192.168.1.254/255.255.255.0 instead of 192.168.40.254/255.255.255.0 as in Figure 2-1. We will change the LAN1 IP of the DFL-1500 to 192.168.40.254. Notice that you cannot change the LAN1 IP from the LAN1 interface, because your configuration session to LAN1 will be terminated as soon as the LAN1 IP address is changed. If you do change the IP from the LAN1 port, you will have to reboot the system, change your computer's IP to the new subnet, and reconnect to the new LAN1 IP address. You can also use the console to log in to the system and then log out of the system; that will clean up the zombie session left in the system, so you will be able to log in to the DFL-1500 from the LAN1 side after your computer's IP is changed to the new subnet. We provide two normal ways to configure the LAN1 IP address. One is to configure the LAN1 IP from another port, such as DMZ1 or LAN2. The other is to configure the LAN1 IP through the console. Note that when setting the IP address from the console, the settings are updated in the run-time system but not stored in flash; namely, the settings will be lost after you reboot the system. So it is best to use the first method for setting the LAN1 IP address. 2.2.1 From DMZ1, configure the DFL-1500 LAN1 network settings. Step 1: Check NAT Status. Use an IE 6
130. twork Status. Chapter 19: Log System. 19.1 Demands. 1. The System Administrator wants to know all the administration actions taken in the past, so that illegal system administration can be avoided. 2. The System Administrator needs to check the logs of VPN, IDS, Firewall and Content Filter every day, but finds it inconvenient to verify the DFL-1500 logs and hopes to shorten the checking procedure. 19.2 Objectives. 1. The System Administrator wants to know all administration actions taken in the past. 2. The System Administrator would like to view the daily log report of the DFL-1500. 19.3 Methods. 1. By tracking the system logs, you can distinguish which administrative actions are valid and which are not. 2. Use the syslog server to receive mail, or edit the Mail Logs page of the DFL-1500 to have the log mailed out automatically at a periodic interval. 19.4 Steps. 19.4.1 System Logs. Step 1: View System Logs. DEVICE STATUS > System Logs. Set up the Syslog Server by checking Enable Syslog Server; this lets the DFL-1500 send logs to the Syslog Server specified in the Syslog Server IP Address field. [Screenshot: system log table with columns No., Time, Source IP, Access Info, e.g. 2003-12-31 09:37:54 DFL-1500 SYSTEM Firewall Startup; 2003-12-31 09:37:55 DFL-1500 Firewall Reload all rules at startup; 2003-12-31 09:37:55 DFL-1500 NAT rule for Basic LAN2 added; 2003-12-31 09:37:55 DFL-150
131. uces the firewall and explains how to implement it. 8.1 Demands. 1. Administrators detect that PC1_1 in LAN_1 is doing something that may hurt our company and should instantly block its traffic towards the Internet. 2. A DMZ server was attacked by a SYN Flooding attack and requires the DFL-1500 to protect it. 8.2 Objectives. 1. Block the traffic from PC1_1 in LAN1 to the Internet on WAN1. 2. Start the SYN Flooding protection. [Figure 8-1: Setting up the firewall rule. Organization_1 private LANs: DMZ_1 10.1.1.1-253 and LAN_1 192.168.40.1-253 (PC1_1 192.168.40.1, 192.168.40.2). User-defined: which LAN to WAN traffic should be blocked (e.g. PC1_1); user-defined: which WAN to LAN traffic should be forwarded. Default: forward all LAN to WAN traffic; default: block all WAN to LAN traffic.] 8.3 Methods. 1. Add a LAN1 to WAN1 Firewall rule to block PC1_1. 2. Start the SYN Flooding protection by detecting statistical half-open TCP connections. 8.4 Steps. 8.4.1 Block internal PC session (LAN > WAN). Step 1: Setup NAT. Check the Enable Stateful Inspection Firewall checkbox and click Apply. Step 2: Add a Firewall Rule. Select the LAN1 to WAN1 traffic direction. The default action of this direction is to forward all traffic without logging anything. Click Insert to add a Firewall block rule before the default rule to stop the bad traffic. Step 3: Customize the rule. Check the A
132. uired to accommodate new connection attempts. Maximum Incomplete High: this is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the DFL-1500 deletes half-open sessions as required to accommodate new connection requests (example: 100). TCP Maximum Incomplete: this is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 250. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. When TCP Maximum Incomplete is reached, you can choose whether the next session should be allowed or blocked. Blocking Time: if you check Blocking Time, any new sessions will be blocked for the length of time you specify in the next field (min), and all old disabled incomplete sessions will be cleared during this period. If you want strong security, it is better to block the traffic for a short time, as this will give the server some time to digest the load. Enter the length of Blocking Time in minutes. Table 8-2: Setup the Denial of Service Thresholds of the attack alert. Part III: Virtual Private Network (VPN), Technical Introduction. Chapter 9: VPN Technical Introduction. This chapter introduces VPN-related
133. ule. Here the system shows a window message to remind you of adding a firewall rule; just press the OK button to add a firewall rule. Step 6: Add a Firewall rule. Same as in the IKE method. Please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule. Step 7: Customize the Firewall rule. Check Activate this rule. Enter the Rule Name as AllowVPNIKErule, the Source IP as 192.168.88.0 and the Dest IP as 192.168.40.0. Click Apply to store this rule. [Screenshot: ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add, reminder dialog: 1. If you enable the firewall, please check whether these firewall rules would block packets in the tunnel. 2. Packets are blocked by default in the WAN to LAN direction; please add a rule to forward these tunneled packets. 3. The source address/mask and the destination address/mask of the firewall rules are 192.168.88.0/255.255.255.0 and 192.168.40.0/255.255.255.0 respectively. OK.] [Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules. Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, Log. Apply. Packets are top-down matched by the rules. Table columns: Item, Status, Condition, Action.]
134. usly and cannot be edited. Active Protocol: ESP. Encryption Algorithm: choose an encryption and authentication algorithm (example: Encrypt and Authenticate, DES/MD5). SA Life Time: set the IPSec SA lifetime; a value of 0 means the IKE SA negotiation never times out. See Chapter 9 for details (example: 28800 sec). Perfect Forward Secrecy (PFS): enabling PFS means that the key is transient; this extra setting provides more security (example: DH1). Table 10-3: Setup the Advanced features of the IPSec IKE rule. Step 5: Reminder to add a Firewall rule. ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add. After finishing the IPSec rule settings we need to add a firewall rule. Here the system shows a window message to remind you of adding a firewall rule; just press the OK button to add a firewall rule. Step 6: Add a Firewall rule. Beforehand, please make sure that the Firewall is enabled. Select WAN1 to LAN1 to display the rules of this direction. The default action of this direction is Block with Logs. We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side, so we click the Insert button to add a Firewall rule before the default rule. Step 7: Customize the Firewall rule. Check Activate this rule. Enter the Rule Name as AllowVPNIKErule, the Source IP as 192.168.88.0 and the Dest IP as 192.168.40.0. Click Apply to store this rule. Step 8: View the result. Here we have a new rule before the default firewall
135. will be allowed to pass through the DFL-1500 and successfully access 192.168.88.0/24 through the VPN tunnel. [Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules. Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, Log. Packets are top-down matched by the rules. Rule 1: Default, WAN1 to LAN1, Source Any, Dest Any, Service Any, Action Block, Log Y. Page 1/1.] [Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules > Insert. Insert a new WAN1 to WAN1 Firewall rule. Activate this rule. Rule name: AllowVPNIKErule. Condition: Source IP 192.168.40.0, Netmask 255.255.255.0; Dest IP 192.168.88.0, Netmask 255.255.255.0; Service Any. Configure dest port: Type Single/Range, Dest Port (FTP 21). Action: Forward the matched packet; Don't log the matched packet.] [Screenshot: ADVANCED SETTINGS > Firewall > Edit Rules. Edit WAN1 to LAN1 rules. Default action for this packet direction: Block, Log. Apply. Packets are top-down matched by the rules. Table columns: Item, Status, Active, Name, Direction, Source IP Address, Dest IP Address, Service, Action, Log. WAN1 to LAN1, WAN to
136. y applications. DHCP Relay: this solves the problem that when the DHCP client is not in the same domain as the DHCP server, the DHCP broadcast will not be received by the server. If the client is in the LAN (192.168.40.x) while the server is located in the DMZ (10.1.1.10), the server will not receive any broadcast packet from the client. Suppose our company subscribes to three ISPs, but there are just two default WAN ports on the DFL-1500; you hope to connect all the ISP links to the DFL-1500. The System Administrator would like to monitor the device efficiently from the remote side. Objectives: Configure the general properties, such as domain name, password, system time and connection timeout, correctly. Besides, we can configure the preferred service name in the service name/numeric mapping list. DDNS: by using DDNS (Dynamic DNS), the DFL-1500 will send the request to modify the corresponding DNS record to the DDNS server after the IP is changed. DNS Proxy: reduce the number of DNS requests and the time for DNS lookup. DHCP Relay: enable the DHCP client to contact the DHCP server located in a different domain and get the required IP. We hope to customize the interfaces of the DFL-1500 to fit our requests. Through the SNMP manager we can easily monitor the device status. Methods: Configure the domain name, password, system time, connection timeout and service name. DDNS: configure the DFL-1500 so that whenever the IP of the DFL-1
