D-Link DFL-700 Manual

Network security firewall

D-Link DFL-700
Network Security Firewall
Manual
Building Networks for People
Ver.1.02
(20050419)

Summary of Contents for D-Link DFL-700

  • Page 1 D-Link DFL-700 Network Security Firewall Manual Building Networks for People Ver.1.02 (20050419)
  • Page 2: Table Of Contents

    Introduction to Local Area Networking ... 8 LEDs ... 9 Physical Connections... 9 Package Contents ... 10 System Requirements ... 10 Managing D-Link DFL-700 ... 11 Resetting the DFL700 ...11 Administration Settings... 12 Administrative Access ... 12 Add ping access to an interface ...13 Add Admin access to an interface ...13...
  • Page 3 Change Administrative User Access level ...37 Change Administrative User Password ...37 Delete Administrative User ...38 Users... 39 The DFL-700 RADIUS Support ...39 Enable User Authentication via HTTP / HTTPS...40 Enable RADIUS Support ...40 Add User ...41 Change User Password ...41 Delete User ...42...
  • Page 4 MS-CHAP v1 ...49 MS-CHAP v2 ...49 MPPE, Microsoft Point-To-Point Encryption ...49 L2TP/PPTP Clients ...50 L2TP/PPTP Servers ...51 VPN between two networks ...53 VPN between two networks ...53 Creating a LAN-to-LAN IPSec VPN Tunnel ...53 VPN between client and an internal network ...54 Creating a Roaming Users IPSec VPN Tunnel...54 Adding a L2TP/PPTP VPN Client...55 Adding a L2TP/PPTP VPN Server ...55...
  • Page 5 Ping Example ...68 Dynamic DNS... 69 Add Dynamic DNS Settings ...69 Backup ... 70 Exporting the DFL-700’s Configuration...70 Restoring the DFL-700’s Configuration ...70 Restart/Reset ... 71 Restarting the DFL-700 ...71 Restoring system settings to factory defaults ...71 Upgrade ... 73 Upgrade Firmware ...73...
  • Page 6 Settings for the Windows XP client ...105 Settings for Main office ...113 Windows XP client and L2TP server ...115 Settings for the Windows XP client ...115 Settings for Main office ...117 Content filtering ...119 Intrusion detection and prevention ... 123 Traffic shaping...
  • Page 7: Introduction

    Introduction The DFL-700 provides three 10/100M Ethernet network interface ports: (1) Internal/LAN, (1) External/WAN and (1) DMZ. It also provides an easily operated WebUI that allows users to set system parameters or monitor network activity using a web browser.
  • Page 8: Introduction To Local Area Networking

    STP twisted pair wire.) On the other hand, wireless networks do not use wires; instead they communicate over radio waves. Each computer must have a Network Interface Card (NIC), which communicates the data between computers. A NIC is usually a 10Mbps network card, a 10/100Mbps network card or a wireless network card.
  • Page 9: LEDs

    External Port (WAN): Use this port to connect to the external router, DSL modem, or Cable modem. Reset: Reset the DFL-700 to the original default settings. DC Power: connect one end of the power supply to this port, the other end to the...
  • Page 10: Package Contents

    AC Power adapter Note: Using a power supply with a different voltage rating than the one included with the DFL-700 will cause damage and void the warranty for this product. If any of the above items are missing, please contact your reseller.
  • Page 11: Managing D-Link DFL-700

    Resetting the DFL-700 To reset the DFL-700 to factory default settings you must hold the reset button down for at least 15 seconds after powering on the unit. You will first hear one beep, which indicates that the firmware has started and the restore has begun; keep the button pressed until you hear two consecutive beeps shortly after each other.
  • Page 12: Administration Settings

    Administration Settings Administrative Access Ping – If enabled, specifies who can ping the interface IP of the DFL-700. The default, if enabled, is to allow anyone to ping the interface IP. Admin – If enabled, allows all users with admin access to connect to the DFL-700 and change its configuration; the protocol can be HTTPS only, or HTTP and HTTPS.
  • Page 13: Add Ping Access To An Interface

    Step 3. Specify which networks are allowed to ping the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Step 4. Specify the protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.
  • Page 14: Add Read-Only Access To An Interface

    Step 3. Specify which networks are allowed to ping the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Step 4. Specify the protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.
  • Page 15: System

    System Interfaces Click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN or DMZ interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list. Step 2.
  • Page 16: WAN Interface Settings - Using Static IP

    WAN Interface Settings – Using Static IP If you are using Static IP you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. You should not use the numbers displayed in these fields; they are only used as an example.
  • Page 17: WAN Interface Settings - Using PPPoE

    WAN Interface Settings – Using PPPoE Use the following procedure to configure the DFL-700 interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided to you by your ISP.
  • Page 18: WAN Interface Settings - Using PPTP

    • PPTP Server IP – The IP of the PPTP server that the DFL-700 connects to. Before PPTP can be used to connect to your ISP, the physical (WAN) interface parameters need to be supplied. It is possible to use either DHCP or Static IP; this depends on the type of ISP used, and this information should be supplied by them.
  • Page 19: WAN Interface Settings - Using BigPond

    DFL-700. For example, the policy for the web server might be given higher priority than the policies for most employees' computers.
  • Page 20: MTU Configuration

    Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-700 and the Internet. If the packets the DFL-700 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.
  • Page 21: Routing

    Click on System in the menu bar, and then click Routing below it. This will give a list of all configured routes; it will look something like this: The Routes configuration section describes the firewall’s routing table. The DFL-700 uses a slightly different way of describing routes compared to most other systems. However, we believe that this way of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.
  • Page 22: Add A New Static Route

    Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new at the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu.
  • Page 23: Logging

    Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-700 provides several options for logging its activity. The D-Link DFL-700 logs its activities by sending the log data to one or two log receivers in the network.
  • Page 24: Enable Logging

    Step 2. Choose the sensitivity level. Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-700 should send email. Step 4. Specify up to three valid email addresses to receive the email alerts.
  • Page 25 Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the rules. For more information about how to enable intrusion detection and prevention on a policy or port mapping, read more under Policies and Port Mappings in the Firewall section below.
  • Page 26: Time

    Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time by hand.
  • Page 27: Changing Time Zone

    Changing time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the setting or click Cancel to discard changes.
  • Page 28: Firewall

    Firewall Policy The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall.
  • Page 29: Source And Destination Filter

    The IDS uses intrusion signatures, stored in the attack database, to identify the most common attacks. In response to an attack, the IDS protects the networks behind the DFL-700 by dropping the traffic. To notify of the attack the IDS sends an email to...
  • Page 30: Traffic Shaping

    Inspection Only or Prevention. Inspection Only will only inspect the traffic: if the DFL-700 sees anything it will log it, email an alert (if configured) and pass on the traffic. If Prevention is used, the traffic will be dropped and logged and, if configured, an email alert will be sent.
  • Page 31: Add A New Policy

    Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic name for the rule.
  • Page 32: Change Order Of Policy

    Change order of policy Follow these steps to change the order of a policy. Step 1. Choose the policy list you would like to change the order in from the available policy lists. Step 2. Click on the Edit link on the rule you want to move. Step 3.
  • Page 33: Configure Intrusion Prevention

    Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link on the rule you want to configure. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4.
  • Page 34: Port Mapping / Virtual Servers

    Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar. It’s also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall.
  • Page 35: Delete Mapping

    Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link on the rule you want to delete. Step 3.
  • Page 36: Administrative Users

    The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-700 and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.
  • Page 37: Change Administrative User Access Level

    Change Administrative User Access level To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu. Access levels •...
  • Page 38: Delete Administrative User

    Delete Administrative User To delete a user, click on the user name and you will see the following screen. Follow these steps to delete an Administrative User. Step 1. Click on the user you would like to delete. Step 2.
  • Page 39: Users

    The DFL-700 RADIUS Support The DFL-700 can use RADIUS to verify users against, for example, Active Directory or a Unix password file. It is possible to configure up to two servers; if the first one is down, the second IP is tried instead.
  • Page 40: Enable User Authentication Via HTTP / HTTPS

    Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle timeout, the time a user can be idle before being logged out by the firewall.
  • Page 41: Add User

    Add User Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in User name; make sure you are not trying to add one that already exists.
  • Page 42: Delete User

    Delete User To delete a user, click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the checkbox.
  • Page 43: Schedules

    Schedules It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-700 applies the firewall policies during those designated times only. Any activity outside of the scheduled time slot will follow the other policies and will therefore likely not be...
  • Page 44: Services

    Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information about whether the service should be allowed through the firewall or not.
  • Page 45: Adding IP Protocol

    Adding IP Protocol When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP Protocol Numbers”.
  • Page 46: Protocol-Independent Settings

    To solve this problem, DFL-700 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service.
  • Page 47: VPN

    IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec-based VPN, such as the DFL-700 VPN, is made up of two parts: •...
  • Page 48: Introduction To PPTP

    Link Control Protocol (LCP), to negotiate parameters, test and establish the link. • Network Control Protocol (NCP), to establish and negotiate different network layer protocols (the DFL-700 only supports IP) • Data encapsulation, to encapsulate datagrams over the link. To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test the data link.
  • Page 49: Authentication Protocols

    RFC 1994. CHAP uses the MD5 one-way hash to compute the response to a challenge issued by the DFL-700. CHAP is better than PAP in that the password is never sent over the link. Instead the password is used to create the one-way MD5 hash.
  • Page 50: L2TP/PPTP Clients

    L2TP/PPTP Clients General parameters Name – Specifies a name for the PPTP/L2TP Client. Username – Specifies the username for this PPTP/L2TP Client. Password/Confirm Password – The password to use for this PPTP/L2TP Client. Interface IP – Specifies if the L2TP/PPTP Client should try to use a specified IP or get one from the server.
  • Page 51: L2TP/PPTP Servers

    L2TP/PPTP Servers Name – Specifies a name for this PPTP/L2TP Server. Outer IP - Specifies the IP that PPTP/L2TP should listen on, leave it Blank for the WAN IP. Inner IP - Specifies the IP inside the tunnel, leave it Blank for the LAN IP.
  • Page 52 MPPE encryption If MPPE encryption is going to be used, this is where the encryption level is configured. If L2TP or PPTP over IPSec is going to be used it has to be enabled and configured to either use a Pre-Shared Key or a Certificate.
  • Page 53: VPN Between Two Networks

    PSK make sure both firewalls use exactly the same PSK. Step 5. As Tunnel Type choose LAN-to-LAN tunnel and specify the network behind the other DFL-700 as Remote Net; also specify the external IP of the other DFL-700, which can be an IP or a DNS name.
  • Page 54: VPN Between Client And An Internal Network

    VPN between client and an internal network In the following example users can connect to the main office internal network from anywhere on the Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL and the roaming users across the Internet.
  • Page 55: Adding A L2TP/PPTP VPN Client

    Adding a L2TP/PPTP VPN Client Follow these steps to add a L2TP or PPTP VPN Client configuration. Step 1. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. Step 2.
  • Page 56: VPN - Advanced Settings

    VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel, for example when trying to connect to a third-party VPN Gateway. The settings available per tunnel are the following: Limit MTU With this setting it is possible to limit the MTU (Maximum Transmission Unit) of the VPN tunnel.
  • Page 57: Proposal Lists

    Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance the encryption algorithm, lifetimes etc., that the VPN gateway supports.
  • Page 58: Certificates

    HTTPS access. Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-700. Certificates of remote peers This is a list of all certificates of individual remote peers.
  • Page 59: Certificate Authorities

    Certificate Authorities This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add new. The following pages will allow you to specify a name for the CA certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page. Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list.
  • Page 60: Content Filtering

    Content Filtering DFL-700 HTTP content filtering can be configured to scan all HTTP protocol streams for URLs or for web page content. You can configure a URL blacklist to block all or just some of the pages on a website. Using this feature you can deny access to parts of a web site without denying access to it completely.
  • Page 61: Edit The URL Global Whitelist

    Edit the URL Global Whitelist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global whitelist. Step 2. Add, edit or remove the URLs that should never be checked by Content Filtering. Click the Apply button below to apply the change or click...
  • Page 62: Edit The URL Global Blacklist

    Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global blacklist. Step 2. Add, edit or remove the URLs that should be checked by Content Filtering. Click the Apply button below to apply the change or click...
  • Page 63: Active Content Handling

    Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects. It’s possible to strip ActiveX, Flash, Java, JavaScript and VBScript, it’s also possible to block cookies.
  • Page 64: Servers

    Note: Leases are remembered over a re-configure or reboot of the firewall. The DFL-700 also includes a DHCP Relayer. A DHCP relayer is a form of gateway between a DHCP Server and its users. The relayer intercepts DHCP queries from the users and forwards them to a DHCP server while setting up dynamic routes based on leases.
  • Page 65: Enable DHCP Server

    Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Available interfaces list. Step 2.
  • Page 66: DNS Relayer Settings

    DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-700 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself.
  • Page 67: Disable DNS Relayer

    Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes.
  • Page 68: Tools

    Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This behavior is the best one suited for diagnosing connectivity problems.
  • Page 69: Dynamic DNS

    Dynamic DNS Dynamic DNS (requires a Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address at the Dynamic DNS server will be automatically updated with the new IP address provided by the ISP.
  • Page 70: Backup

    System Administrators can restore the firewall’s configuration file with the one stored on disc. Exporting the DFL-700’s Configuration Follow these steps to export the configuration. Step 1. Under the Tools menu and the Backup section, click on the Download configuration button.
  • Page 71: Restart/Reset

    Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure may revert the DFL-700 firmware to a lower version if it has been upgraded. This procedure deletes all of the changes that you have made to the DFL-700 configuration and reverts the system to its original configuration, including resetting interface addresses.
  • Page 72 Step 2. Click OK in the dialog to reset the unit to factory default, or press Cancel to cancel. You can restore your system settings by uploading a previously downloaded system configuration file to the DFL-700 if a backup of the device has been made.
  • Page 73: Upgrade

    Upgrade IDS Signature-database To upgrade the signature-database first download the newest IDS signatures from D-Link. After having the newest version of software connect to the firewall’s WebUI, enter Upgrade on the Tools menu, click Browse in the Upgrade Unit’s signature-database section and choose the file name of the newest version of the IDS signatures, then click Upload signature database.
  • Page 74: Status

    Status In this section, the DFL-700 displays status information about the firewall. Administrators may use Status to check the System Status, Interface statistics, VPN, Connections and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear providing some information about the DFL-700.
  • Page 75: Interfaces

    Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the DFL-700. By default information about the LAN interface will be shown; to see another one, click on that interface (WAN or DMZ).
  • Page 76: VPN

    Click on Status in the menu bar, and then click VPN below it. A window will appear providing information about the VPN connections established on the DFL-700. By default information about the first VPN tunnel will be shown; to see another one, click on that VPN tunnel's name.
  • Page 77: Connections

    Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. It shows the last 100 connections opened through the firewall; connections are created when traffic is permitted to pass via the policies.
  • Page 78: DHCP Server

    DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default information about the LAN interface will be shown; to see another one, click on that interface.
  • Page 79: Users

    Users Click on Status in the menu bar, and then click Users below it. A window will appear providing user information. Currently authenticated users – users logged in using HTTP/HTTPS authentication, users logged in on PPTP and L2TP servers will be listed here. Users can be forced to log out by clicking logout.
  • Page 80: How To Read The Logs

    Oct 20 2003 09:45:23 gateway This is followed by the text the sender has chosen to send. All log entries from the DFL-700 are prefaced with "EFW:" and a category, e.g. "DROP:", as in: Oct 20 2003 09:45:23 gateway EFW: DROP: The subsequent text depends on the event that has occurred.
  • Page 81 One event will be generated when a connection is established. This event will include information about protocol, receiving interface, source IP address, source port, destination interface, destination IP address and destination port. Open Example: Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80 In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 on...
  • Page 82: Step By Step Guides

    Step by step guides In the following guides example IPs, users, sites and passwords are used. You will have to exchange the IP addresses and sites for your own. Passwords used in these examples are not recommended for real-life use. Passwords and keys should be chosen so that they are impossible to guess or find out by e.g. a dictionary attack.
  • Page 83: LAN-to-LAN VPN Using IPsec

    LAN-to-LAN VPN using IPsec Settings for Branch office 1. Setup interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0 2. Setup IPsec tunnel, Firewall->VPN: Under IPsec tunnels click Add new Name the tunnel ToMainOffice Local net: 192.168.4.0/24 PSK: 1234567890 (Note! You should use a key that is hard to guess)
  • Page 84 Retype PSK: 1234567890 Select Tunnel type: LAN-to-LAN tunnel Remote Net: 192.168.1.0/24 Remote Gateway: 194.0.2.20 Enable Automatically add a route for the remote network Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply...
  • Page 85: Settings For Main Office

    4. Click Activate and wait for the firewall to restart Settings for Main office 1. Setup interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0 2. Setup IPsec tunnel, Firewall->VPN: Under IPsec tunnels click add new Name the tunnel ToBranchOffice Local net: 192.168.1.0/24 PSK: 1234567890 (Note! You should use a key that is hard to guess) Retype PSK: 1234567890...
  • Page 86 Select Tunnel type: LAN-to-LAN tunnel Remote Net: 192.168.4.0/24 Remote Gateway: 194.0.2.10 Enable “Automatically add a route for the remote network” Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply 4.
  • Page 87: LAN-to-LAN VPN Using PPTP

    LAN-to-LAN VPN using PPTP Settings for Branch office 1. Setup interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0 2. Setup PPTP client, Firewall->VPN: Under PPTP/L2TP clients click Add new PPTP client Name the tunnel toMainOffice...
  • Page 88 Username: BranchOffice Password: 1234567890 (Note! You should use a password that is hard to guess) Retype password: 1234567890 Interface IP: leave blank Remote gateway: 192.0.2.20 Remote net: 192.168.1.0/24 Dial on demand: leave unchecked Under authentication MSCHAPv2 should be the only checked option.
  • Page 89 Under MPPE encryption 128 bit should be the only checked option. Leave Use IPsec encryption unchecked Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply 4.
  • Page 90: Settings For Main Office

    Settings for Main office 1. Setup interfaces, System->Interfaces: WAN IP: 193.0.2.20 LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0 2. Setup PPTP server, Firewall->VPN: Under L2TP / PPTP Server click Add new PPTP server Name the server pptpServer Leave Outer IP and Inner IP blank Set client IP pool to 192.168.1.100 –...
  • Page 91 Under authentication MSCHAPv2 should be the only checked option. Under MPPE encryption 128 bit should be the only checked option. Leave Use IPsec encryption unchecked Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply...
  • Page 92 4. Set up authentication source, Firewall->Users: Select Local database Click Apply 5. Add a new user, Firewall->Users: Under Users in local database click Add new Name the new user BranchOffice Enter password: 1234567890 Retype password: 1234567890 Leave static client IP empty (could also be set to eg 192.168.1.200. If no IP is set here the IP pool from the PPTP server settings are used).
  • Page 93 Click Apply 6. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section in this chapter.
  • Page 94: LAN-to-LAN VPN Using L2TP

    LAN-to-LAN VPN using L2TP Settings for Branch office 1. Setup interfaces, System->Interfaces: WAN IP: 193.0.2.10 LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0 2. Setup L2TP client, Firewall->VPN: Under L2TP / PPTP client click Add new L2TP client Name the server toMainOffice...
  • Page 95 Username: BranchOffice Password: 1234567890 (Note! You should use a password that is hard to guess) Retype password: 1234567890 Interface IP: leave blank Remote gateway: 192.0.2.20 Remote net: 192.168.1.0/24 Dial on demand: leave unchecked Under authentication only MSCHAPv2 should be checked...
  • Page 96 Under MPPE encryption only None should be checked Check Use IPsec encryption Enter key 1234567890 (Note! You should use a key that is hard to guess) Retype key 1234567890 Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply...
  • Page 97: Settings For Main Office

    4. Click Activate and wait for the firewall to restart. Settings for Main office. 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20; LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0. 2. Set up the L2TP server, Firewall->VPN: Under L2TP / PPTP Server click Add new L2TP server. Name the server l2tpServer. Leave Outer IP and Inner IP blank. Set client IP pool to 192.168.1.100 –...
  • Page 98 Leave WINS settings blank. Under authentication, MSCHAPv2 should be the only checked option. Under MPPE encryption, None should be the only checked option. Check Use IPsec encryption. Enter key 1234567890 (Note! You should use a key that is hard to guess). Retype key 1234567890. Click Apply...
  • Page 99 3. Set up policies for the new tunnel, Firewall->Policy: Click Global policy parameters. Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 4. Set up the authentication source, Firewall->Users: Select Local database. Click Apply...
  • Page 100 5. Add a new user, Firewall->Users: Under Users in local database click Add new. Name the new user BranchOffice. Enter password: 1234567890. Retype password: 1234567890. Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the L2TP server settings is used).
  • Page 101: A More Secure Lan-To-Lan Vpn Solution

    A more secure LAN-to-LAN VPN solution. To get a more secure solution, specific policies should be created instead of allowing all traffic between the two offices. The following steps show how to enable some common services. In this example we have a mail server, an FTP server and a web server (intranet) in the main office that we want to access from the branch office.
  • Page 102 4. Set up the new rule: Name the new rule: allow_pop3. Select action: Allow. Select service: pop3. Select schedule: Always. We don't want any intrusion detection or traffic shaping for now, so leave these options unchecked. Click Apply...
  • Page 103 5. The first policy rule is now created. Repeat step 4 to create rules named allow_imap, allow_ftp and allow_http. The services for these policies should be imap, ftp_passthrough and http. The policy list for LAN->toMainOffice should now look like this. 6.
  • Page 104: Settings For Main Office

    Settings for Main office. 1. Set up policies for the new tunnel, Firewall->Policy: Click Global policy parameters. Disable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN. Click Apply. 2. Now it is possible to create policies for the VPN interfaces. Select from toBranchOffice to LAN and click Show.
  • Page 105: Windows Xp Client And Pptp Server

    Windows XP client and PPTP server. Settings for the Windows XP client. 1. Open the control panel (Start button -> Control panel). If you are using the Classic view, click on the Network Connections icon. 3. Under Network tasks, click Create a new connection. 4.
  • Page 106 5. Select Connect to the network at my workplace and click Next...
  • Page 107 6. Select Virtual Private Network connection and click Next...
  • Page 108 7. Name the connection MainOffice and click Next...
  • Page 109 8. Select Do not dial the initial connection and click Next...
  • Page 110 9. Type the IP address of the server, 194.0.2.20, and click Next. 10. Click Finish...
  • Page 111 11. Type user name HomeUser and password 1234567890 (Note! You should use a password that is hard to guess). 12. Click Properties...
  • Page 112 13. Select the Networking tab and change Type of VPN to PPTP VPN. Click OK. All settings needed for the XP client are now done. Once the server has been set up on the firewall, you can click Connect to establish the connection to the Main office...
  • Page 113: Settings For Main Office

    Settings for Main office. 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20; LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0. 2. Set up the PPTP server, Firewall->VPN: Under L2TP / PPTP Server click Add new PPTP server. Name the server pptpServer. Leave Outer IP and Inner IP blank. Set client IP pool to 192.168.1.100 –...
  • Page 114 Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the PPTP server settings is used). Click Apply. 6. Click Activate and wait for the firewall to restart. This example will allow all traffic from the client to the main office network.
  • Page 115: Windows Xp Client And L2Tp Server

    Windows XP client and L2TP server. The Windows XP client to L2TP server setup is quite similar to the PPTP setup above. Settings for the Windows XP client. To set up an L2TP connection from Windows XP to the Main office firewall, you can follow the steps in the PPTP guide above for the client side.
  • Page 116 2. Select the Security tab and click IPsec Settings. 3. Check Use pre-shared key for authentication, type the key and click OK...
  • Page 117: Settings For Main Office

    Settings for Main office. 1. Set up interfaces, System->Interfaces: WAN IP: 193.0.2.20; LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0. 2. Set up the L2TP server, Firewall->VPN: Under L2TP / PPTP Server click Add new L2TP server. Name the server l2tpServer. Leave Outer IP and Inner IP blank. Set client IP pool to 192.168.1.100 –...
  • Page 118 Leave static client IP empty (it could also be set to e.g. 192.168.1.200; if no IP is set here, the IP pool from the PPTP server settings is used). Click Apply. 6. Click Activate and wait for the firewall to restart. This example will allow all traffic from the client to the main office network.
  • Page 119: Content Filtering

    Content filtering. To enable content filtering, follow these steps: 1. Update the content filtering settings, Firewall->Content Filtering: Select which content should be filtered out. ActiveX, Java applets, JavaScript/VBScript and cookies can be blocked or filtered out. Note that some web pages don't work very well if these options are enabled.
  • Page 120 2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services: Find the http-outbound service in the list and click Edit. If there is no service with that name, you will have to create one by clicking Add new at the bottom of the list. TCP / UDP Service should be selected and the protocol should be set to TCP.
  • Page 121 4. Edit the new policy we just created: Name the rule allow_http. Enter position 2. Select action Allow. Select service http-outbound. Select schedule Always. Click Apply...
  • Page 122 The new policy should now be added at position two in the list (if not, it can be moved to the right position by clicking the up and down arrows). 5. Click Activate and wait for the firewall to restart.
  • Page 123: Intrusion Detection And Prevention

    Intrusion detection and prevention. Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are using a port mapping; the policy setup is quite similar. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connected to the DMZ interface on the firewall.
  • Page 124 2. Set up the newly created port mapping: Name the rule map_www. Select service http-in-all. Enter pass to IP: 192.168.2.5 (the IP of the web server). Check the Intrusion detection / prevention option. Select mode Prevention. Enable email alerting by checking the Alerting box. Click Apply...
  • Page 125 The new mapping is now in the list. 3. Set up the email server and enable alerting, System->Logging: Check Enable E-mail alerting for IDS/IDP events. Select sensitivity Normal. Enter SMTP server IP (email server): 192.168.2.4. Enter sender: idsalert@examplecompany.com. Enter E-mail address 1: webmaster@examplecompany.com. Enter E-mail address 2: steve@examplecompany.com. Click Apply. 4.
  • Page 126: Traffic Shaping

    Traffic shaping. In these examples we assume that the WAN port of the firewall is connected to the Internet with an upstream and downstream bandwidth of 2 Mbps. Limit bandwidth to a service. To limit the bandwidth a service (in this case FTP) can use, follow these steps: 1.
  • Page 127: Guarantee Bandwidth To A Service

    Now all FTP traffic from 192.168.1.125 on the LAN network will be limited to 400 kbit/s in both directions. If more than one IP is required, a comma-separated list or a network can be entered (e.g. 192.168.1.125, 192.168.1.126 or 192.168.1.0/24). Guarantee bandwidth to a service. To set up traffic shaping that guarantees a service a certain amount of bandwidth, follow these steps: 1.
  • Page 128 Select service: ftp_outbound. Schedule should be Always. Check the Traffic shaping box and enter 1000 as upstream and downstream guarantee. Click Apply. 3. Click Activate and wait for the firewall to restart. FTP traffic from LAN to WAN will now be guaranteed half of the total bandwidth to the Internet, 1 Mbit/s of 2 Mbit/s.
  • Page 129: Appendixes

    Appendixes. Appendix A: ICMP Types and Codes. The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. The table has the columns Type and Name; the first entry is Echo Reply...
  • Page 130 Type names listed in the table (the type numbers are given in the source below): Echo, Router Advertisement, Router Selection, Time Exceeded, Parameter Problem, Timestamp, Timestamp Reply, Information Request, Information Reply, Address Mask Request, Address Mask Reply, Traceroute, Datagram Conversion Error, Photuris. Code names listed for the Redirect type: Redirect Datagram for the Host; Redirect Datagram for the Type of Service and Network; Redirect Datagram for the Type of Service and Host; No Code... Source: http://www.iana.org/assignments/icmp-parameters
  • Page 131: Appendix B: Common Ip Protocol Numbers

    Appendix B: Common IP Protocol Numbers. These are some of the more common IP protocols; for the full list, follow the link after the table. The table has the columns Decimal, Keyword and Description. Keywords listed: ICMP, IGMP, IPComp, VRRP, L2TP... Descriptions listed: Internet Control Message, Internet Group Management, Gateway-to-Gateway, IP in IP (encapsulation), Stream, Transmission Control... Source: http://www.iana.org/assignments/protocol-numbers
  • Page 132: Limited Warranty

    Such repair or replacement will be rendered by D-Link at an Authorized D-Link Service Office. The replacement Hardware need not be new or of an identical make, model or part; D-Link may in its discretion replace the defective Hardware (or any part thereof) with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
  • Page 133: Limitation Of Liability

    Submitting A Claim. Any claim under this limited warranty must be submitted in writing before the end of the Warranty Period to an Authorized D-Link Service Office. The claim must include a written description of the Hardware defect or Software nonconformance in sufficient detail to allow D-Link to confirm the same.
  • Page 134 PRODUCT RETURNED TO D-LINK FOR WARRANTY SERVICE) RESULTING FROM THE USE OF THE PRODUCT, RELATING TO WARRANTY SERVICE, OR ARISING OUT OF ANY BREACH OF THIS LIMITED WARRANTY, EVEN IF D-LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOLE REMEDY FOR A BREACH OF THE FOREGOING LIMITED WARRANTY IS REPAIR, REPLACEMENT OR REFUND OF THE DEFECTIVE OR NON-CONFORMING PRODUCT.
  • Page 135: Ce Mark Warning

    ...6 A and a device weight greater than 3 kg, a cable not lighter than H05VV-F, 3G, 0.75 mm2 must be used. Trademarks: Copyright © 2002 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.
  • Page 136 -Consult the dealer or an experienced radio/ TV technician for help. VCCI Warning...
  • Page 137 JAPAN D-LINK JAPAN 10F, 8-8-15 Nishi-Gotanda, Shinagawa-ku, Tokyo 141, Japan TEL: 81-3-5434-9678 FAX: 81-3-5434-9868 E-MAIL: kida@d-link.co.jp URL: www.d-link.co.jp NORWAY D-LINK NORWAY Waldemar Thranesgt. 77, 0175 Oslo, Norway TEL: 47-22-991890 FAX: 47-22-207039 RUSSIA D-LINK RUSSIA 129626 Russia, Moscow, Graphskiy per., 14...
  • Page 138 S. AFRICA D-LINK SOUTH AFRICA 102-106 Witchhazel Avenue, Einetein Park 2, Block B, Highveld Technopark Centurion, South Africa TEL: 27(0)126652165 FAX: 27(0)126652186 E-MAIL: attie@d-link.co.za URL: www.d-link.co.za SWEDEN D-LINK SWEDEN P.O. Box 15036, S-167 15 Bromma Sweden TEL: 46-(0)8564-61900 FAX: 46-(0)8564-61901 E-MAIL: info@dlink.se URL: www.dlink.se...