User Manual Wireless Controller D-Link Corporation Copyright © 2011. http://www.dlink.com...
RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES.
Wireless Controller User Manual
Table of Contents
Chapter 1. Introduction
About this User Manual
Typographical Conventions
Chapter 2. Configuring Your Network
LAN Configuration
2.1.1 LAN Configuration in an IPv6 Network
2.1.2 Configuring IPv6 Router Advertisements
Access Point status
Global Status
Wireless Client Status
AP Management
Associated Client Status/Statistics
Chapter 5. Securing the Private Network
Firewall Rules
Defining Rule Schedules
Configuring Firewall Rules
8.3.1 WIDS AP Configuration
8.3.2 WIDS Client Configuration
Chapter 9. Administration & Management
Remote Management
CLI Access
SNMP Configuration
Configuring Time Zone and NTP
Log Configuration
List of Figures
Figure 1: Setup page for LAN TCP/IP settings
Figure 2: IPv6 LAN and DHCPv6 configuration
Figure 3: Configuring the Router Advertisement Daemon
Figure 4: IPv6 Advertisement Prefix settings
Figure 5: Adding VLAN memberships to the LAN
Figure 33: Physical port statistics
Figure 34: List of current Active Firewall Sessions
Figure 35: List of LAN hosts
Figure 36: List of current Active VPN Sessions
Figure 37: AP status
Figure 38: Managed AP status
Figure 73: Export Approved URL list
Figure 74: The following example binds a LAN host's MAC Address to an IP address served by DWC-1000. If there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured
Figure 75: Protecting the controller and LAN from internet attacks
Figure 99: List of Available Applications for SSL Port Forwarding
Figure 100: SSL VPN client adapter and access configuration
Figure 101: Configured client routes only apply in split tunnel mode
Figure 102: SSL VPN Portal configuration
1.1 About this User Manual
This document is a high-level manual that allows new D-Link Wireless Controller users to configure connectivity and WLAN settings, set up VPN tunnels, establish firewall rules, manage APs and perform general administrative tasks. Typical deployment and use case scenarios are described in each section.
1.2 Typographical Conventions
The following is a list of the various terms, followed by an example of how that term is represented in this document:
Product Name – D-Link Wireless Controller.
o Model numbers DWC-1000
GUI Menu Path/GUI Navigation –...
Chapter 2. Configuring Your Network:
It is assumed that the user has a management machine connected to the controller's LAN. The LAN connection may be through the wired Ethernet ports available on the controller, or, once the initial setup is complete, the DWC may also be managed through its wireless interface, as it is bridged with the LAN.
To configure LAN Connectivity, please follow the steps below:
In the LAN Setup page, enter the following information for your controller:
IP address: (factory default: 192.168.10.1).
If you change the IP address and click Save Settings, the GUI will not respond.
Domain Name: Enter domain name
WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBios server.
Lease Time: Enter the time, in hours, for which IP addresses are leased to clients.
2.1.1 LAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config
In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.
Figure 2: IPv6 LAN and DHCPv6 configuration
If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool (or has a static IP address in the router's LAN subnet) before accessing the router via the changed IP address.
The following settings are used to configure the DHCPv6 server:
DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected an external IPv6 DHCP server is not required as the IPv6 LAN hosts are auto-configured by this controller.
IPv6 network is required for stateless auto configuration of the IPv6 LAN. By configuring the Router Advertisement Daemon on this router, the DWC-1000 will listen on the LAN for router solicitations and respond to these LAN hosts with router advertisements.
Figure 3: Configuring the Router Advertisement Daemon
Advertisement Prefixes
Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes
The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router.
IPv6 Prefix Length: This value indicates the number of contiguous, higher-order bits of the IPv6 address that make up the network portion of the address. Typically this is 64.
Prefix Lifetime: This defines the duration (in seconds) that the requesting node is allowed to use the advertised prefix.
will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter VLAN Routing enabled.
Figure 5: Adding VLAN memberships to the LAN
2.2.1 Associating VLANs to ports
In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port.
to the switch port on the controller will be tagged. Data passing through the phone from a connected device will be untagged.
Figure 6: Port VLAN list
In Access mode the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged.
Figure 7: Configuring VLAN membership for a port
2.3 Configurable Port: DMZ Setup
This controller allows one of the physical ports to be configured as a secondary WAN Ethernet port or a dedicated DMZ port. A DMZ is a subnetwork that is open to the public but behind the firewall.
Figure 8: DMZ configuration
In order to configure a DMZ port, the controller's configurable port must be set to DMZ in the Setup > Internet Settings > Configurable Port page.
2.4 Universal Plug and Play (UPnP)
Advanced >...
Advertisement Period: This is the frequency that the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network.
Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded.
These users are present in the local or external user database and have had their login credentials approved for internet access. A 'Disconnect' button allows the DWC-1000 admin to selectively drop an authenticated user.
Figure 10: Active Runtime sessions
2.6 WLAN global configuration
Setup >...
Disabling the WLAN controller does not affect non-WLAN features on the controller, such as VLAN or STP functionality.
WLAN Controller Operational Status: Shows the operational status of the controller. The status can be one of the following values:
•...
installed and enabled, this is the IP address of the routing or loopback interface you configure for the controller features.
AP MAC Validation Method: Add the MAC address of the AP to the Valid AP database, which can be kept locally on the controller or in an external RADIUS server.
2.6.1 Wireless Discovery configuration
The wireless controller can discover, validate, authenticate, or monitor the following system devices:
• Peer wireless controllers
• APs
• Wireless clients
• Rogue APs
• Rogue wireless clients
Setup > AP Management > Poll List
The wireless controller can discover peer wireless controllers and APs regardless of whether these devices are connected to each other, located in the same Layer 2 broadcast domain, or attached to different IP subnets.
Figure 12: Configuring the Wireless Discovery
L2/VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a...
Wireless Discovery status
Status > Global Info > IP Discovery
The IP Discovery list can contain the IP addresses of peer controllers and APs for the UWS to discover and associate with as part of the WLAN
IP Address: Shows the IP address of the device configured in the IP Discovery list
Status: The wireless discovery status is in one of the following states:
•...
2.6.2 AP Profile Global Configuration
Advanced > AP Profile
On the Access Point Profile Summary page, you can Add, Copy, Edit and Delete AP profiles. To add a new profile, click Add in the AP Profile Summary page. In the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select the Hardware type, enter the valid VLAN ID and then click Submit.
Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network.
AP Profile
Advanced > AP Profile
Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users.
Figure 15: AP Profile List
For each AP profile, you can configure the following features:
• Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID)
• Radio settings
• SSID settings
Profile: The Access Point profile name you added. Use 0 to 32 characters.
During this process the APs reset, and all wireless clients are disassociated from the AP.
• Configured: The profile is configured, but no APs managed by the controller currently use this profile.
Associate a profile with an AP. Entry of the AP is valid and available in the database of the controller.
Chapter 3. Connecting to the Internet: WAN Setup
This controller has two WAN ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP (via USB modem). It is assumed that you have arranged for internet service with your Internet Service Provider (ISP).
button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller.
3.2 WAN Configuration
Setup > Internet Settings > Option1 Setup
You must either allow the controller to detect the WAN connection type automatically or manually configure the following basic settings to enable Internet connectivity: ...
Server IP Address: Enter the IP address of the PPTP or L2TP server.
3.2.1 WAN Port IP address
Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login.
Figure 17: Manual Option1 configuration
3.2.4 PPPoE
Setup > Internet Settings
The PPPoE ISP settings are defined on the WAN Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE and Japan Multiple PPPoE.
For some ISPs, most popular in Japan, the use of "Japanese Multiple PPPoE" is required in order to establish concurrent primary and secondary PPPoE connections between the DWC-1000 and the ISP. The Primary connection is used for the bulk of data and internet traffic and the Secondary PPPoE connection carries ISP specific...
• Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI
• The DWC-1000 acts as a DNS proxy for LAN users
• Only HTTP requests that specifically identify the secondary connection's domain name (for example *.flets) will use the secondary profile to access the content available...
When Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to access the internal domain of the ISP, where it hosts various services. These routes can also be configured through the static routing page.
Figure 21: Russia L2TP ISP configuration
3.2.6 WAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 Option1 Config
For IPv6 WAN connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed.
When the ISP allows you to obtain the WAN IP settings via DHCP, you need to provide details for the DHCPv6 client configuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client is selected the gateway will connect to the ISP's DHCPv6 server for a leased address.
When IPv6 is PPPoE type, the following PPPoE fields are enabled.
Username: Enter the username required to log in to the ISP.
Password: Enter the password required to log in to the ISP.
Authentication Type: The type of Authentication in use by the profile: Auto - Negotiate/PAP/CHAP/MS-CHAP/MS-CHAPv2.
Figure 23: Connection Status information of Option1
The WAN status page allows you to Enable or Disable static WAN links. For WAN settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required.
The configured failure detection method is used at regular intervals on all configured WAN ports when in Load Balancing mode. The DWC-1000 currently supports three algorithms for Load Balancing:
Round Robin: This algorithm is particularly useful when the connection speed of one WAN port greatly differs from another.
and let low-volume background traffic (such as SMTP) go over the lower speed link. Protocol binding is explained in the next section.
Spill Over: If the Spill Over method is selected, WAN1 acts as a dedicated link until a threshold is reached.
Figure 24: Load Balancing is available when multiple WAN ports are configured and Protocol Bindings have been defined
3.3.3 Protocol Bindings
Advanced > Routing > Protocol Bindings
Protocol bindings are required when the Load Balancing feature is in use. Choosing from a list of configured services or any of the user-defined services, the type of traffic can be assigned to go over only one of the available WAN ports.
applicable when load balancing mode is enabled and more than one WAN is configured.
Figure 25: Protocol binding setup to associate a service and/or LAN source to a WAN and/or destination network
3.4 Routing Configuration
Routing between the LAN and WAN will impact the way this controller handles traffic that is received on any of its physical interfaces.
NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a "private" IP address range while the WAN port on the controller is configured with a single "public" IP address.
Figure 26: Routing Mode is used to configure traffic routing between WAN and LAN, as well as Dynamic routing (RIP)
3.4.2 Dynamic Routing (RIP)
Setup > Internet Settings > Routing Mode
Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routing tables in order to adapt to modifications in the LAN without interrupting traffic flow.
3.4.3 Static Routing
Advanced > Routing > Static Routing
Advanced > IPv6 > IPv6 Static Routing
Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path;...
Figure 27: Static route configuration fields
3.5 WAN Port Settings
Advanced > Advanced Network > Option Port Setup
The physical port settings for each WAN link can be defined here. If your ISP account defines the WAN port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network.
Figure 28: Physical WAN port settings...
The Status page allows you to get a detailed overview of the system configuration. The settings for the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard.
Figure 29: Device Status display...
Figure 30: Device Status display (continued)
4.1.2 Resource Utilization
Status > Device Info > Dashboard
The Dashboard page presents hardware and usage statistics. The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the controller.
Figure 31: Resource Utilization statistics
Figure 32: Resource Utilization data (continued)
4.2 Traffic Statistics
4.2.1 Wired Port Statistics
Status > Traffic Monitor > Device Statistics
Detailed transmit and receive statistics for each physical port are presented here. Each interface (WAN1, WAN2/DMZ, LAN, and VLANs) has port-specific packet-level information provided for review.
The statistics table has auto-refresh control which allows display of the most current port level data at each page refresh. The default auto-refresh for this page is 10 seconds.
Figure 33: Physical port statistics
4.3 Active Connections
4.3.1 Sessions through the controller
Status >...
Figure 34: List of current Active Firewall Sessions...
4.3.2 LAN Clients
Status > LAN Client Info > LAN Clients
The LAN clients to the controller are identified by an ARP scan through the LAN switch. The NetBios name (if available), IP address and MAC address of discovered LAN hosts are displayed.
Figure 36: List of current Active VPN Sessions
All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows.
Field: Description
User Name: The SSL VPN user that has an active tunnel or port forwarding session to this controller.
To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page.
• Rogue—The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database.
Radio: Shows the wireless radio mode the AP is using.
Channel: Shows the operating channel for the radio.
This page includes the following buttons:
•...
Figure 38: Managed AP status
MAC Address: The Ethernet address of the controller-managed AP.
IP Address: The network IP address of the managed AP.
Age: Time since last communication between the Controller and the AP.
Status: The current managed state of the AP.
• View AP details — Shows detailed status information collected from the AP.
• View Radio details — Shows detailed status for a radio interface
• View Neighbor details — Shows the neighbour APs that the specified AP has discovered through periodic RF scans on the selected radio interface
•...
Figure 39: AP RF Scan Status
4.5 Global Status
Peer Controller Status
Status > Global Info > Peer Controller > Status
The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients.
Software Version: The software version for the given peer controller.
Protocol Version: Indicates the protocol version supported by the software on the peer controller.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information.
Configuration Controller IP Address: Shows the IP Address of the controller that sent the configuration information.
Configuration: Identifies which parts of the configuration the controller received from the peer controller.
Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when "All" is selected from the drop-down menu.
Location: The descriptive location configured for the managed AP.
AP IP Address: The IP address of the AP.
• Saving Configuration
• Applying AP Profile Configuration
• Success
• Failure - Invalid Code Version
• Failure - Invalid Hardware Version
• Failure - Invalid Configuration
Last Configuration Received: Peer controller IP Address indicates the last controller from which this controller received any wireless configuration data.
Figure 43: Configuration Receive Status...
4.6 Wireless Client Status
Associated Client Status
Status > Wireless Client Info > Associated Clients > Status
You can view a variety of information about the wireless clients that are associated with the APs the controller manages.
MAC Address: The Ethernet address of the client station.
• View SSID Details — Lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access
• View VAP Details — Shows information about the VAPs on the managed AP that have associated wireless clients
•...
Associated Client VAP Status
Status > Wireless Client Info > Associated Clients > VAP Status
Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page shows information about the VAPs on the managed AP that have associated wireless clients.
Controller Associated Client Status
Status > Wireless Client Info > Associated Clients > Controller Status
This shows information about the controller that manages the AP to which the client is associated.
Controller IP Address: Shows the IP address of the controller that manages the AP to which the client is associated.
Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database then the field is blank.
Client Status: Shows the client status, which can be one of the following:
•...
• Acknowledge All Rogues — Clear the rogue status of all clients listed as rogues in the Detected Client database. The status of an acknowledged client is returned to the status it had when it was first detected. If the detected client fails any of the tests that classify it as a threat, it will be listed as a Rogue again
•...
Figure 49: Pre-Auth History
This page includes the following button:
• Refresh—Updates the page with the latest information.
Detected Client Roam History
Status > Wireless Client Info > Roam History
The wireless system keeps a record of clients as they roam from one managed AP to another managed AP.
Figure 50: Detected Client Roam History
This page includes the following buttons:
• Refresh—Updates the page with the latest information.
• Purge History — To purge the history when the list of entries is full.
• View Details — Shows the details of the detected clients.
4.7 AP Management
Valid Access Point Configuration
Setup > AP Management > Valid AP
MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
Location: To help you identify the AP, you can enter a location.
This page has the following buttons:
• Edit - To edit AP details in the Valid AP page.
• Delete - To delete a valid AP, provide a valid MAC address in the Valid AP page.
• Add - To add an AP in the Valid AP page.
Figure 52: Add a Valid Access Point
MAC Address: This field shows the MAC address of the AP.
Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters.
Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Select the Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters.
The controller contains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy.
Channel Plan: Each AP is dual-band capable of operating in the 2.4 GHz and 5 GHz frequencies.
Figure 53: RF configuration
Channel Plan History Depth: The channel plan history lists the channels the controller assigns each of the APs it manages after a channel plan is applied. Entries are added to the history regardless of interval, time, or channel plan mode.
not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override the power set in the profile setting. If you manually set the power, the level is fixed and the AP will not use the automatic power adjustment algorithm.
previous iterations cannot be assigned new channels in the next iteration to prevent the same APs from being changed time after time.
Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran.
AP MAC Address: This table displays the channel assigned to an AP in an iteration of the channel plan (Location, Radio, Iteration, Channel)
Figure 54: Channel Plan History...
• Algorithm Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
RF Management (Manual Power Adjustment Plan)
Setup > AP Management > RF Management > Manual Power Adjustment Plan
If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page.
Figure 56: Manual Power Adjustment Plan
Access Point Software Download
Setup > AP Management > Software Download
The wireless controller can upgrade software on the APs that it manages.
Server Address: Enter the IP address of the host where the upgrade file is located.
To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields.
Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster.
The first byte of the OUI must have the least significant bit set to 0. For example 02:FF:FF is a valid OUI, but 03:FF:FF is not.
OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters.
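The OUI rule above can be checked before a list of entries is typed into the controller. The following Python sketch is an added example, not D-Link code: the function names, the accepted separators (":" or "-"), the ASCII-only reading of "alphanumeric" and the duplicate check are assumptions made for illustration. The least significant bit of the first byte is the IEEE group (multicast) bit, which is why 03:FF:FF is rejected.

```python
import re

# Three hex octets separated by ":" or "-" (separator choice is an assumption).
_OUI_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$"
)


def parse_oui(text):
    """Return the OUI as 3 bytes, or raise ValueError if it is malformed."""
    m = _OUI_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a three-octet OUI: {text!r}")
    return bytes(int(g, 16) for g in m.groups())


def oui_problems(text, description):
    """List every reason an (OUI, description) pair breaks the manual's rules."""
    try:
        oui = parse_oui(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Manual: the first byte must have its least significant bit set to 0.
    if oui[0] & 0x01:
        problems.append("least significant bit of first byte is 1")
    # Manual: the description can be up to 32 alphanumeric characters.
    if len(description) > 32:
        problems.append("description longer than 32 characters")
    if description and not (description.isascii() and description.isalnum()):
        problems.append("description is not alphanumeric")
    return problems


def review_entries(entries):
    """Return {row index: [problems]} for rejected rows; good rows are omitted."""
    seen = {}
    rejected = {}
    for i, (text, description) in enumerate(entries):
        problems = oui_problems(text, description)
        if not problems:
            key = parse_oui(text)
            if key in seen:
                problems.append(f"duplicate of row {seen[key]}")
            else:
                seen[key] = i
        if problems:
            rejected[i] = problems
    return rejected


# Constructed sample rows; only the two OUIs from the manual are real examples.
SAMPLE = [
    ("02:FF:FF", "LabVendor"),   # valid per the manual
    ("03:FF:FF", "BadBit"),      # invalid per the manual (LSB is 1)
    ("02-ff-ff", "Dup"),         # same OUI as row 0, different spelling
    ("02:FF", "Short"),          # only two octets
    ("00:11:22", "x" * 33),      # description too long
]

if __name__ == "__main__":
    for row, why in review_entries(SAMPLE).items():
        print(row, SAMPLE[row][0], "->", "; ".join(why))
```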
4.8 Associated Client Status/Statistics
Managed AP Statistics
Status > Traffic Monitor > Managed AP Statistics
The managed AP statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues, such as throughput problems.
• View VAP details — Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages
• Refresh—Updates the page with the latest information
WLAN Associated Clients
Status >...
Chapter 5. Securing the Private Network
You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply. To do so, you must define the following: ...
may use the IP address if a static address is assigned to the WAN port, or if your WAN address is dynamic, a DDNS (Dynamic DNS) name can be used.
Outbound (LAN/DMZ to WAN) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources.
Figure 62: List of Available Schedules to bind to a firewall rule
5.3 Configuring Firewall Rules
Advanced > Firewall Settings > Firewall Rules
All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not, and gives a summary of the From/To zone as well as the services or users that the rule affects.
Service: ANY means all traffic is affected by this rule. For a specific service, the drop-down list has common services, or you can select a custom defined service.
Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK.
External IP address: The rule can be bound to a specific WAN interface by selecting either the primary WAN or configurable port WAN as the source IP address for incoming traffic. This controller supports multi-NAT and so the External IP address does not necessarily have to be the WAN address.
Figure 63: Example where an outbound SNAT rule is used to map an external IP address (126.96.36.199) to a private DMZ IP address (10.30.30.30)
Figure 64: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed.
5.3.1 Firewall Rule Configuration Examples
Example 1: Allow inbound HTTP traffic to the DMZ
Situation: You host a public web server on your local DMZ network.
Service                            HTTP
Action                             ALLOW always
Send to Local Server (DNAT IP)     192.168.5.2 (web server IP address)
Destination Users Never
Example 2: Allow videoconferencing from range of outside IP addresses
Situation: You want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (188.8.131.52 - 184.108.40.206), from a branch office.
Web server host in the DMZ, IP address: 192.168.12.222
Access to Web server: (simulated) public IP address 10.1.0.52
Parameter                          Value
From Zone                          Insecure (WAN1/WAN2)
To Zone                            Public (DMZ)
Service                            HTTP
Action                             ALLOW always
Send to Local Server (DNAT IP)     192.168.12.222 (web server local IP address)
Destination Users                  Single Address...
Figure 65: Schedule configuration for the above example.
Since we are trying to block HTTP requests, it is a service with To Zone: Insecure (WAN1/WAN2) that is to be blocked according to schedule "Weekend". Select the Action to "Block by Schedule, otherwise allow". This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times.
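The four Action & Schedule choices from section 5.3 can be checked offline before a rule is enabled. The following is an added example, not D-Link code: the class names, the `verdict` helper and the days and hours of the "Weekend" schedule are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

# The four Action & Schedule choices named in the manual.
BLOCK_ALWAYS = "BLOCK always"
ALLOW_ALWAYS = "ALLOW always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule otherwise ALLOW"
ALLOW_BY_SCHEDULE = "ALLOW by schedule otherwise BLOCK"


@dataclass(frozen=True)
class Schedule:
    name: str
    days: FrozenSet[int]        # Monday=0 ... Sunday=6
    start: time = time(0, 0)
    end: time = time.max

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class Rule:
    service: str                # "ANY" matches all traffic
    action: str
    schedule: Optional[Schedule] = None
    enabled: bool = True        # a rule that is not enabled never applies

    def verdict(self, service: str, when: datetime) -> Optional[str]:
        """Return "ALLOW", "BLOCK", or None when the rule does not apply."""
        if not self.enabled or self.service not in ("ANY", service):
            return None
        if self.action == BLOCK_ALWAYS:
            return "BLOCK"
        if self.action == ALLOW_ALWAYS:
            return "ALLOW"
        if self.schedule is None:
            raise ValueError("a schedule-based action needs a schedule")
        in_window = self.schedule.active(when)
        if self.action == BLOCK_BY_SCHEDULE:
            return "BLOCK" if in_window else "ALLOW"
        if self.action == ALLOW_BY_SCHEDULE:
            return "ALLOW" if in_window else "BLOCK"
        raise ValueError(f"unknown action: {self.action}")


# Constructed schedule: the manual names it "Weekend"; Saturday and Sunday,
# all day, is an assumption.
WEEKEND = Schedule("Weekend", frozenset({5, 6}))
HTTP_WEEKEND_BLOCK = Rule("HTTP", BLOCK_BY_SCHEDULE, WEEKEND)


def audit(rule: Rule, service: str, moments):
    """List the verdict a rule gives for one service at several points in time."""
    return [(m.isoformat(), rule.verdict(service, m)) for m in moments]


if __name__ == "__main__":
    saturday = datetime(2011, 6, 4, 10, 0)
    monday = datetime(2011, 6, 6, 10, 0)
    for row in audit(HTTP_WEEKEND_BLOCK, "HTTP", [saturday, monday]):
        print(row)
```

Note that "ALLOW by schedule otherwise BLOCK" blocks the service at every moment outside the schedule, which is easy to overlook when the schedule is narrow.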
The last step is to enable this firewall rule. Select the rule, and click "enable" below the list to make sure the firewall rule is active.
5.4 Security on Custom Services
Advanced > Firewall Settings > Custom Services
Custom services can be defined to add to the list of services available during firewall rule configuration.
Figure 67: Available ALG support on the controller.
5.6 VPN Passthrough for Firewall
Advanced > Firewall Settings > VPN Passthrough
This controller's firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP, and L2TP VPN tunnel connections between the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support;...
Figure 68: Passthrough options for VPN tunnels
5.7 Application Rules
Advanced > Application Rules > Application Rules
Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic.
ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.
Figure 70: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded
5.8.2 Approved URLs
Advanced > Website Filter > Approved URLs
The Approved URLs is an acceptance list for all URL domain names. Domains added to this list are allowed in any form.
Figure 71: Two trusted domains added to the Approved URLs List
5.8.3 Blocked Keywords
Advanced > Website Filter > Blocked Keywords
Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List;...
Figure 72: One keyword added to the block list
5.8.4 Export Web Filter
Advanced > Website Filter > Export
Export Approved URLs: This feature enables the user to export the URLs to be allowed to a csv file, which can then be downloaded to the local host. The user has to click the export button to get the csv file.
Figure 73: Export Approved URL list
5.9 IP/MAC Binding
Advanced > IP/MAC Binding
Another available security measure is to only allow outbound traffic (from the LAN to WAN) when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding. By having the gateway validate the source traffic's IP address against the unique MAC address of the configured LAN node, the administrator can ensure traffic from that IP address is not spoofed.
Figure 74: The following example binds a LAN host’s MAC Address to an IP address served by DWC-1000. If there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured.
5.10 Protecting from Internet Attacks...
Figure 75: Protecting the controller and LAN from internet attacks...
Chapter 6. IPsec / PPTP / L2TP VPN
A VPN provides a secure communication channel ("tunnel") between two gateway controllers or a remote PC client. The following types of tunnels can be created:
Gateway-to-gateway VPN: to connect two or more controllers to secure traffic between remote sites.
Figure 77: Example of three IPsec client connections to the internal network through the DWC IPsec gateway...
6.1 VPN Wizard
Setup > Wizard > VPN Wizard
You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.
Figure 78: VPN Wizard launch screen
To easily establish a VPN tunnel using VPN Wizard, follow the steps below:
Select the VPN tunnel type to create...
Configure Remote and Local WAN address for the tunnel endpoints
Remote Gateway Type: identify the remote endpoint of the tunnel by FQDN or static IP address
Remote WAN IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a Gateway.
Parameter                  Default value from Wizard
Exchange Mode              Aggressive (Client policy) or Main (Gateway policy)
ID Type                    FQDN
Local WAN ID               wan_local.com (only applies to Client policies)
Remote WAN ID              wan_remote.com (only applies to Client policies)
Encryption Algorithm       3DES
Authentication Algorithm...
Figure 79: IPsec policy configuration
Once the tunnel type and endpoints of the tunnel are defined you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto.
Auto policies with IKE are preferred as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint. DWC-1000 supports VPN roll-over feature. This means that policies configured on primary WAN will rollover to the secondary WAN in case of a link failure on a primary WAN.
Figure 81: IPsec policy configuration continued (Auto / Manual Phase 2)
6.2.1 Extended Authentication (XAUTH)
You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server.
6.3 Configuring VPN clients
Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
Figure 82: PPTP tunnel configuration – PPTP Client
Figure 83: PPTP VPN connection status
Setup > VPN Settings > PPTP > PPTP Server
A PPTP VPN can be established through this controller. Once enabled, a PPTP server is available on the controller for LAN and WAN PPTP client users to access.
Figure 84: PPTP tunnel configuration – PPTP Server
6.4.2 L2TP Tunnel Support
Setup > VPN Settings > L2TP > L2TP Server
An L2TP VPN can be established through this controller. Once enabled, an L2TP server is available on the controller for LAN and WAN L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the controller's L2TP server.
Figure 85: L2TP tunnel configuration – L2TP Server
6.4.3 OpenVPN Support
Setup > VPN Settings > OpenVPN > OpenVPN Configuration
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority.
Port: The port number on which the OpenVPN server (or Access Server) runs.
Tunnel Protocol: The protocol used to communicate with the remote host. Ex: TCP, UDP. UDP is the default.
Encryption Algorithm: The cipher with which the packets are encrypted. Ex: BF-CBC, AES-128, AES-192 and AES-256.
Figure 86: OpenVPN configuration...
Chapter 7. SSL VPN The controller provides an intrinsic SSL VPN feature as an alternate to the standard IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely login through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN.
Figure 87: Example of clientless SSL VPN connections to the DWC-1000...
7.1 Groups and Users
Advanced > Users > Groups
The group page allows creating, editing and deleting groups. The groups are associated to a set of user types. The lists of available groups are displayed in the "List of Group"...
Guest User (read-only): The guest user gains read only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access.
Captive Portal User: These captive portal users have access through the controller.
Timeout: The timeout period for reaching the authentication server.
Retries: The number of retries to authenticate with the authentication server after which the DWC-1000 stops trying to reach the server.
Figure 90: SSLVPN Settings
Login Policies
To set login policies for the group, select the corresponding group and click "Login...
Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s).
Deny Login from WAN interface: Enable to prevent the users of this group from logging in from a WAN (wide area network) interface. In this case only login through LAN is allowed.
Figure 92: Browser policies options
Policy by IP
To set policies by IP for the group, select the corresponding group and click "Policy by IP". The following parameters are configured:
Group Name: This is the name of the group that can have its login policy edited ...
Figure 93: IP policies options
Login Policies, Policy by Browsers, and Policy by IP are applicable to SSL VPN users only.
Advanced > Users > Users
The users page allows adding, editing and deleting existing groups. The users are associated to configured groups.
Figure 94: Available Users with login status and associated Group
7.1.1 Users and Passwords
Advanced > Users > Users
The user configurations allow creating users associated to a group. The user settings contain the following key components: ...
Figure 95: User configuration options
7.2 Using SSL VPN Policies
Setup > VPN Settings > SSL VPN Server > SSL VPN Policies
SSL VPN Policies can be created on a Global, Group, or User level. User level policies take precedence over Group level policies and Group level policies take precedence over Global policies.
Figure 96: List of SSL VPN policies (Global filter)
To add an SSL VPN policy, you must first assign it to a user, group, or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop down menu and one must be selected.
Available Groups and Available Users drop down.
Apply policy to: This refers to the LAN resources managed by the DWC-1000, and the policy can provide (or prevent) access to network resources, IP address, IP network, etc.
the starting and ending port range blank corresponds to all UDP and TCP traffic.
Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding or both. ...
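The precedence rule from section 7.2 (User over Group over Global) can be made concrete with a small resolver. This is an added example, not the controller's own logic: the `Policy` fields, the permit/deny flag, the "first listed match wins within a level" tie-break and the `None` result when nothing matches are assumptions, and the policies are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("user", "group", "global")   # highest precedence first, per section 7.2


@dataclass(frozen=True)
class Policy:
    name: str
    level: str                          # "user", "group" or "global"
    owner: Optional[str]                # user or group name; None for a global policy
    resource: str                       # IP address or IP network
    permit: bool                        # True = provide access, False = prevent it
    port_start: Optional[int] = None    # both blank = all TCP and UDP traffic
    port_end: Optional[int] = None

    def covers(self, dest_ip: str, port: int) -> bool:
        net = ipaddress.ip_network(self.resource, strict=False)
        if ipaddress.ip_address(dest_ip) not in net:
            return False
        if self.port_start is None and self.port_end is None:
            return True
        lo = self.port_start if self.port_start is not None else self.port_end
        hi = self.port_end if self.port_end is not None else self.port_start
        return lo <= port <= hi


def effective_policy(policies: List[Policy], user: str, group: str,
                     dest_ip: str, port: int) -> Optional[Policy]:
    """Return the policy that decides this request, or None if none matches."""
    owners = {"user": user, "group": group, "global": None}
    for level in LEVELS:
        for p in policies:
            if p.level == level and p.owner == owners[level] and p.covers(dest_ip, port):
                return p
    return None


# Constructed sample policies (names, groups and addresses are illustrative).
POLICIES = [
    Policy("deny-lan", "global", None, "192.168.10.0/24", False),
    Policy("eng-ssh", "group", "engineering", "192.168.10.0/24", True, 22, 22),
    Policy("alice-no-db", "user", "alice", "192.168.10.5", False, 22, 22),
]

if __name__ == "__main__":
    for ip, port in [("192.168.10.5", 22), ("192.168.10.6", 22), ("192.168.10.6", 80)]:
        p = effective_policy(POLICIES, "alice", "engineering", ip, port)
        print(ip, port, p.name, "permit" if p.permit else "deny")
```

Running the resolver over the exported policy list before a change shows which broader Group or Global policy a User-level entry is overriding.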
Figure 98: List of configured resources, which are available to assign to SSL VPN policies
7.3 Application Port Forwarding
Setup > VPN Settings > SSL VPN Server > Port Forwarding
Port forwarding allows remote SSL users to access specified network applications or services after they login to the User Portal and launch the Port Forwarding service.
VNC (virtual network computing) 5900 or 5800
As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error-prone IP addresses when using the Port Forwarding service through the SSL User Portal.
Figure 99: List of Available Applications for SSL Port Forwarding
7.4 SSL VPN Client Configuration
Setup > VPN Settings > SSL VPN Client > SSL VPN Client
An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this controller.
Enable Split Tunnel Support: With a split tunnel, only resources which are referenced by client routes can be accessed over the VPN tunnel. With full tunnel support (if the split tunnel option is disabled the DWC-1000 acts in full tunnel mode) all addresses on the private network are accessible over the VPN tunnel.
Setup > VPN Settings > SSL VPN Client > Configured Client Routes
If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel.
The controller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name, and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL.
Figure 102: SSL VPN Portal configuration...
8.1 USB Device Setup
Setup > USB Settings > USB Status
The DWC-1000 Wireless controller has a USB interface for printer access and file sharing. There is no configuration on the GUI to enable USB device support. Upon inserting your USB storage device or printer cable, the DWC will automatically detect the type of connected peripheral.
Figure 103: USB Device Detection
8.2 Authentication Certificates
Advanced > Certificates
This gateway uses digital certificates for IPsec VPN authentication as well as SSL validation (for HTTPS and SSL VPN authentication). You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway.
A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don't want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate: ...
Figure 104: Certificate summary for IPsec and HTTPS management
8.3 WIDS Security
8.3.1 WIDS AP Configuration
Advanced > WIDS Security > AP
The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network.
Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with managed SSID to fool users into associating with the AP and revealing password and other secure information.
AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up.
Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
8.3.2 WIDS Client Configuration Advanced > WIDS Security > Client The D-Link Wireless Controller Wireless Intrusion Detection System (WIDS) can help detect intrusion attempts into the wireless network and take automatic actions to protect the network. The settings you configure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue.
In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest message rate detected in a single RF Scan report.
Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.
De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients.
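The interval-based counting described in section 8.3.2 can be reproduced over exported management-frame records to see how the interval length changes what is flagged. This is an added example, not the controller's implementation: the event tuple layout, the function names, the threshold value of 10 and the 60-second interval are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

Event = Tuple[float, str, str]   # (timestamp in seconds, client MAC, message type)


def peak_counts(events: Iterable[Event], msg_type: str,
                interval_s: int) -> Dict[str, int]:
    """Highest number of msg_type messages per client in any one interval."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, mac, mtype in events:
        if mtype == msg_type:
            # Fixed counting windows: [0, interval), [interval, 2*interval), ...
            buckets[mac.lower()][int(ts // interval_s)] += 1
    return {mac: max(per_interval.values()) for mac, per_interval in buckets.items()}


def flag_clients(events: Iterable[Event], msg_type: str = "deauth",
                 interval_s: int = 60, threshold: int = 10) -> Dict[str, int]:
    """Clients whose peak count in one interval exceeds the threshold."""
    return {mac: peak
            for mac, peak in peak_counts(events, msg_type, interval_s).items()
            if peak > threshold}


# Constructed sample events (MAC addresses are locally administered placeholders).
SAMPLE_EVENTS = (
    # 12 de-authentication messages within the first 60 seconds
    [(i * 4.0, "02:00:00:00:00:AA", "deauth") for i in range(12)]
    # 12 de-authentication messages split 6 and 6 across two 60-second intervals
    + [(30.0 + i * 5.0, "02:00:00:00:00:bb", "deauth") for i in range(12)]
    # ordinary probe traffic from a third client
    + [(i * 10.0, "02:00:00:00:00:cc", "probe") for i in range(20)]
)

if __name__ == "__main__":
    print("60 s interval :", flag_clients(SAMPLE_EVENTS, "deauth", 60, 10))
    print("120 s interval:", flag_clients(SAMPLE_EVENTS, "deauth", 120, 10))
```

With the same threshold, the second client is only flagged when the interval is lengthened to 120 seconds, so the interval and the threshold have to be tuned together.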
Figure 106: WIDS Client Configuration...
Chapter 9. Administration & Management
9.1 Remote Management
Both HTTPS and telnet access can be restricted to a subset of IP addresses. The controller administrator can define a known PC, single IP address or range of IP addresses that are allowed to access the GUI with HTTPS.
9.3 SNMP Configuration
Tools > Admin > SNMP
SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller's Management Information Base (MIB) file, the manager can update the controller's hierarchical variables to view or update configuration parameters.
Figure 109: SNMP system information for this controller
9.4 Configuring Time Zone and NTP
Tools > Date and Time
You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time.
Figure 110: Date, Time, and NTP server setup
9.5 Log Configuration
This controller allows you to capture log messages for traffic through the firewall, VPN, and over the wireless AP. As an administrator you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller.
9.5.1 Defining What to Log
Tools > Log Settings > Logs Facility
The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities: ...
Figure 111: Facility settings for Logging
The display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the Status > Logs page) or a remote Syslog server for later review.
Example: If Accept Packets from LAN to WAN is enabled and there is a firewall rule to allow SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be accepted and a message will be logged.
Figure 112: Log configuration options for traffic through controller
9.5.2 Sending Logs to E-mail or Syslog
Tools > Log Settings > Remote Logging
Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an E-Mail address.
send a valid e-mail that is accepted by one of the configured "send-to" addresses. Up to three e-mail addresses can be configured as log recipients. In order to establish a connection with the configured SMTP port and server, define the server's authentication requirements.
Figure 113: E-mail configuration as a Remote Logging option
An external Syslog server is often used by network administrators to collect and store logs from the controller. This remote device typically has fewer memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period.
Figure 114: Syslog server configuration for Remote Logging (continued)
9.5.3 Event Log Viewer in GUI
Status > Logs > View All Logs
The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined in the Tools >...
Figure 115: VPN logs displayed in GUI event viewer
9.6 Backing up and Restoring Configuration Settings
Tools > System
You can back up the controller's custom configuration settings to restore them to a different device or the same controller after some other changes. During backup, your settings are saved as a file on your host.
To restore your saved settings from a backup file, click Browse then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings. To erase your current settings and revert to factory default settings, click the Default button.
By clicking the Check Now button in the notification section, the controller will check a D-Link server to see if a newer firmware version for this controller is available for download and update the Status field below.
directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider.
Figure 118: Dynamic DNS configuration
9.9 Using Diagnostic Tools
Tools >...
Figure 119: Controller diagnostics tools available in the GUI
9.9.1 Ping
This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING.
The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and WAN interface as well. This information is often very useful in debugging traffic and routing issues.
Appendix A. Glossary
ARP     Address Resolution Protocol. Broadcast protocol for mapping IP addresses to MAC addresses.
CHAP    Challenge-Handshake Authentication Protocol. Protocol for authenticating users to an ISP.
DDNS    Dynamic DNS. System for updating domain names in real time. Allows a domain name to be assigned to a device with a dynamic IP address.
PPPoE   Point-to-Point Protocol over Ethernet. Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses.
PPTP    Point-to-Point Tunneling Protocol. Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet.
Appendix B. Factory Default Settings
Feature               Description                        Default Setting
Device login          User login URL                     http://192.168.10.1
                      User name (case sensitive)         admin
                      Login password (case sensitive)    admin
Internet Connection   WAN MAC address                    Use default address
                      WAN MTU size                       1500
                      Port speed                         Autosense

                      IP address                         192.168.10.1
                      IPv4 subnet mask...