D-Link DFL-1500 User Manual

D-Link DFL-1500
VPN/Firewall Router
User Manual
D-Link
Building Networks for People

Summary of Contents for D-Link DFL-1500

  • Page 1 D-Link DFL-1500 VPN/Firewall Router User Manual D-Link Building Networks for People...
  • Page 2 © Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
  • Page 3: Table Of Contents

    Typical Example Topology (p. 13); Changing the LAN1 IP Address (p. 13); 2.2.1 From DMZ1 to configure DFL-1500 LAN1 network settings (p. 14); 2.2.2 From CLI (command line interface) to configure DFL-1500 LAN1 network settings (p. 14); Chapter 3 Basic Setup (p. 15); Demand (p. 15); Objectives (p. 15); Methods (p. 15); Steps (p. 15)...
  • Page 4 9.1.4 IPSec Algorithms (p. 55); 9.1.5 Key Management (p. 55); 9.1.6 Encapsulation (p. 56); 9.1.7 IPSec Protocols (p. 57); Make VPN packets pass through DFL-1500 (p. 57); Chapter 10 Virtual Private Network – IPSec (p. 59); 10.1 Demands (p. 59); 10.2 Objectives (p. 59); 10.3 Methods (p. 59); 10.4...
  • Page 5 11.4 Steps (p. 76); 11.4.1 Setup PPTP Network Server (p. 76); 11.4.2 Setup PPTP Network Client (p. 77); Chapter 12 Virtual Private Network – L2TP (p. 79); 12.1 Demands (p. 79); 12.2 Objectives (p. 79); 12.3 Methods (p. 79); 12.4 Steps (p. 80); 12.4.1 Setup L2TP Network Server (p. 80); Part IV Content Filters...
  • Page 6 20.4.2 Steps for EMERGENT factory reset (p. 121); 20.5 Steps for Backup / Restore Configurations (p. 122); Appendix A Command Line Interface (CLI) (p. 123); Enable the port of DFL-1500 (p. 123); CLI commands list (p. 123); Appendix B Trouble Shooting (p. 125); Appendix C Packet Flow (p. 129); Appendix D Glossary of Terms (p. 131)...
  • Page 8: Part I Basic Configuration

    Part I Basic Configuration...
  • Page 9: Chapter 1 Quick Start

    Before You Begin Prepare a computer with an Ethernet adapter for configuring the DFL-1500. The default IP address for the DFL-1500 is 192.168.1.254 (LAN1, Port 4) with a Subnet Mask of 255.255.255.0. You will need to assign your computer a Static IP address within the same range as the DFL-1500’s IP address, say 192.168.1.2, to configure the DFL-1500.
  • Page 10: Wiring the DFL-1500

    Wiring the DFL-1500 First, connect the power cord to the socket at the back panel of the DFL-1500 as in Figure 1-2 and then plug the other end of the power adapter to a wall outlet or power strip. The Power LED will turn ON to indicate proper operation.
  • Page 11 Figure 1-2 Back panel of the DFL-1500. Using an Ethernet cable, insert one end of the cable into the WAN port on the front panel of the DFL-1500 and the other end into a DSL or cable modem, as in Figure 1-3.
  • Page 12: Default Architecture of the DFL-1500

    Subnet Mask of 255.255.255.0 to be able to connect to the DFL-1500. This address range can be changed later. There are instructions in the DFL-1500 Quick Installation Guide, if you do not know how to set the IP address and Subnet...
  • Page 13 Step 1 – Login Connect to https://192.168.1.254. Type “admin” in the account field and “admin” in the Password field, then click Login. Step 2 – Run Setup Wizard After logging in to https://192.168.1.254, go to BASIC SETUP > Wizard and click Run Setup Wizard.
  • Page 14 BASIC SETUP > Wizard > Next > DHCP If Get IP Automatically (DHCP) is selected, the DFL-1500 will request an IP address, netmask, and DNS servers from your ISP. You can use your preferred DNS servers instead by clicking DNS IP Address and then completing the Primary DNS and Secondary DNS server IP addresses.
  • Page 15: Internet Connectivity

    The LAN Settings page allows you to modify the IP address and Subnet Mask that will identify the DFL-1500 on your LAN. This is the IP address you will enter in the URL field of your web browser to connect to the DFL-1500. It is also the IP address that all of...
  • Page 16: WAN1-to-DMZ1 Connectivity

    DFL-1500 to assign IP addresses to the computers under LAN1. Specify the Pool Starting Address, Pool Size, Primary DNS, and Secondary DNS that will be assigned to them. Example: in the figure, the DFL-1500 will assign addresses from 192.168.1.100 to 192.168.1.120, together with the DNS server 192.168.1.254, to the LAN1 PC that requests...
  • Page 17 IP assigned by the ISP. Step 5 – Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The DFL-1500 has added three NAT rules. The rule Basic-DMZ1 (number 1) means that, when matching condition...
  • Page 18 Customize the rule name as ftpServer. For any packet whose destination IP address equals the WAN1 IP (61.2.1.1) and whose destination port equals 44444, the DFL-1500 will translate the packet’s destination IP/port into 10.1.1.5/21. Check Passive FTP client to maximize compatibility with the FTP protocol.
  • Page 19: Chapter 2 System Overview

    Typical Example Topology In this chapter, we introduce a typical network topology for the DFL-1500. In Figure 2-1, the left half is a DFL-1500 with one LAN, one DMZ, and two WAN links. Notice that there are five ports on the DFL-1500. In this topology, we only use one LAN.
  • Page 20: From DMZ1 to Configure DFL-1500 LAN1 Network Settings

    and then log out of the system. That will clean up the zombie session left in the system, so you will be able to log in to the DFL-1500 from the LAN1 side after your computer’s IP is changed to the new subnet.
  • Page 21: Chapter 3 Basic Setup

    1. Select the PPPoE method in the DFL-1500 Basic Setup / WAN settings / WAN1 IP page, and then configure the related account and password in order to connect to the Internet. 2. Configure the related network settings in the DFL-1500 Basic Setup / DMZ settings / DMZ1 Status and Basic Setup / LAN settings / LAN1 Status pages.
  • Page 22: Setup WAN1 IP

    Default WAN link (Gateway/DNS): When Default WAN link is enabled, all the packets sent out from the DFL-1500 will go via this port. Example: Enabled. Get DNS Automatically: Get DNS related information from the DHCP server. Example: Get DNS Automatically or Get DNS...
  • Page 23: Setup DMZ1, LAN1 Status

    Get DNS Automatically: Get DNS related information from the PPPoE ISP. Example: Get DNS Automatically / DNS IP Address. DNS IP Address: Manually specify the Primary and Secondary DNS Server information. Click the Connect or Disconnect button to connect...
  • Page 24 Primary DNS Server: Specify the Primary DNS Server IP address of the DHCP information. Example: 10.1.1.254. Secondary DNS Server: Specify the Secondary DNS Server IP address of the DHCP information. Lease time (sec): Specify the DHCP lease time. Example: 7200...
  • Page 25: Setup WAN1 IP Alias

    3.4.3 Setup WAN1 IP alias Step 1 – Add WAN1 IP alias BASIC SETUP > WAN Settings > IP Alias > Add Suppose you apply for 8 IP addresses from your ISP. The range of the ISP-given IP addresses is from 211.17.25.56 to 211.17.25.63.
  • Page 27: Chapter 4 System Tools

    1. Basic configurations for domain name, password, system time, timeout and services. 2. DDNS: Suppose the DFL-1500’s WAN uses a dynamic IP but needs a fixed host name. When the IP changes, the DNS record must be updated accordingly. To use this service, one has to register the account, password, and the wanted host name with the service provider.
  • Page 28 Figure 4-1 DDNS mechanism chart 3. DNS Proxy: After activating the DNS proxy mode, the client can set its DNS server to the DFL-1500 (that is, send its DNS requests to the DFL-1500). The DFL-1500 will then make the query to the DNS server and return the result to the client.
  • Page 29 Figure 4-4 Adjust the DFL-1500 interface to fit the present situation 6. As Figure 4-5 demonstrates, there is an embedded SNMP agent in the DFL-1500, so you can use an SNMP manager to monitor the DFL-1500 system status, network status, etc. from either the LAN or the Internet.
  • Page 30: Steps

    Figure 4-5 It is efficient to use an SNMP Manager to monitor the DFL-1500 device Steps 4.4.1 General settings Step 1 – General Setup SYSTEM TOOLS > Admin Settings > General Enter the Host Name as DFL-1 and the Domain Name as the domain name of your company, then click Apply.
  • Page 31 You can also enter an IP address instead. Check the Continuously (every 3 min) update system clock and click Apply. The DFL-1500 will immediately update the system time and will periodically update it. Check the Update system clock...
  • Page 32: DDNS Setting

    Step 1 – Setup DDNS SYSTEM TOOLS > Admin Settings > DDNS If the IP address of the DFL-1500 WAN port is dynamically allocated, you may want to use the Dynamic DNS mechanism so that your partner can always use the same domain name (like xxx.com) to connect to you.
  • Page 33: DNS Proxy Setting

    DNS server of the Default WAN link. Enable DNS Proxy: When there is a response from the DNS server, the DFL-1500 will forward it back to the host on the LAN/DMZ. Example: Enabled. Table 4-7 System Tools – DNS Proxy menu 4.4.4 DHCP Relay setting...
  • Page 34: Change DFL-1500 Interface

    Here we select 1 LAN (port 1), 1 DMZ (port 2) and 3 WAN (ports 3~5), and then press the Apply button to reboot the DFL-1500. Note that the DMZ and LAN port IP addresses will be 10.1.1.254 and 192.168.1.254 after the device finishes rebooting.
  • Page 35 Set Community: The community which can get the SNMP information. Here “community” is something like a password. Example: private-rw. Trusted hosts: The IP address which can get or set community information from the DFL-1500. Example: 192.168.1.5. Trap community: The community which will send SNMP traps. Here “community” is something like a password. Example: trap-comm.
  • Page 37: Chapter 5 Remote Management

    Administrators may want to manage the DFL-1500 remotely from any PC in LAN_1 with HTTP at port 8080, and from WAN_PC with TELNET. In addition, the DFL-1500 may be more secure if monitored by a trusted host (PC1_1). What is more, the DFL-1500 should not respond to ping to hide itself.
  • Page 38: Steps

    Client Address field. If you prefer a specified IP address, click Selected and enter the valid IP address that is allowed to read the SNMP MIBs at the DFL-1500. Here we click All, meaning no IP range limitation on clients. Finally click Apply.
  • Page 40: Part II NAT, Routing & Firewall

    Part II NAT, Routing & Firewall...
  • Page 41: Chapter 6 NAT

    Chapter 6 This chapter introduces NAT and explains how to implement it in the DFL-1500. To facilitate the explanation of how the DFL-1500 implements NAT and how to use it, we zoom in on the left part of Figure 1-4 into Figure 6-1.
  • Page 42: Methods

    As Figure 6-2 above illustrates, the server 10.1.1.5 provides FTP service, but it is located in the DMZ region behind the DFL-1500. The DFL-1500 will act in a Virtual Server role, redirecting the packets to the real server 10.1.1.5. You can then announce to Internet users that there is an FTP server at IP/port 61.2.1.1/44444.
  • Page 43 Network Address Translation Mode: None: The DFL-1500 is in routing mode without performing any address translation. Basic: The DFL-1500 automatically performs Many-to-One NAT for all LAN/DMZ subnets. Full Feature: The DFL-1500 can be manually configured with Many-to-One, Many-to-Many, One-to-One, and bidirectional One-to-One rules to do policy-based NAT. Example: Basic.
  • Page 44 IP address to be translated into. You can check Auto choose IP from WAN ports; the DFL-1500 will then automatically determine which WAN IP to translate into. FIELD...
  • Page 45 the DFL-1500 to translate the private IP addresses into the pool of public IP addresses. The DFL-1500 will use the first public IP until it uses up all source ports for that public IP. The DFL-1500 will then choose the second public...
  • Page 46: Setup Virtual Server for the FtpServer1

    LAN to WAN. 6.4.2 Setup Virtual Server for the FtpServer1 Step 1 – Device IP Address BASIC SETUP > DMZ Settings > DMZ1 Status Set up the IP Address and IP Subnet Mask of the DFL-1500’s DMZ1 interface.
  • Page 47 Step 5 – Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The DFL-1500 has added three NAT rules. The rule Basic-DMZ1 (number 1) means that, when matching the condition (requests in the LAN/DMZ-to-WAN direction with a source IP falling in the range 10.1.1.254/255.255.255.0), the request will...
  • Page 48 44444 Passive FTP client: If Passive FTP client is checked, the FTP client will be able to connect to the internal DMZ FTP server behind the DFL-1500 when the client uses passive mode; otherwise, it will not work. Example: enabled. Translated dest IP: The IP address to which the request is actually transferred. Example: 10.1.1.5...
  • Page 49 Step 9 – View the Result ADVANCED SETTINGS > NAT > Virtual Servers Now any request towards the DFL-1500’s WAN1 IP (61.2.1.1) with port 44444 will be translated into a request towards 10.1.1.5 with port 21, and then forwarded to 10.1.1.5. The FTP server listening on port 21 at 10.1.1.5 will...
  • Page 51: Chapter 7 Routing

    Routing This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how the DFL-1500 implements routing and how to use it, we zoom in on the left part of Figure 2-1 into Figure 7-1. Demands 1.
  • Page 52: Methods

    link. The policy route can solve this problem. He/she hopes that all the packets from the General-Manager-Room will pass through the WAN2 link instead of the default WAN1 link. Methods 1. Add a static routing entry to direct the packets towards 140.116.53.0/255.255.255.0 through the WAN2 link.
  • Page 53: Add a Policy Routing Entry

    Step 3 – View the result Advanced Settings > Routing > Static Route The static route has been stored. After filling in the data completely, view the static routing entries which have been set. 7.4.2 Add a policy routing entry Step 1 –...
  • Page 54 Activate this rule: Whether the policy routing rule is enabled or not. Example: enabled. Rule name: The policy routing rule name. Example: GenlManaRoom. Incoming packets from: Which interface the packets come from. Example: LAN1. Source: Verify if the incoming packets belong to the range of the... Example: 192.168.40.192 /...
  • Page 55: Chapter 8 Firewall

    1. Administrators detect that PC1_1 in LAN_1 is doing something that may hurt our company and want to instantly block its traffic towards the Internet. 2. A DMZ server was attacked by a SYN-Flooding attack and requires the DFL-1500 to protect it. Objectives 1.
  • Page 56: Steps

    Steps 8.4.1 Block internal PC session (LAN to WAN) Step 1 – Setup NAT ADVANCED SETTINGS > Firewall > Status Check the Enable Stateful Inspection Firewall checkbox and click Apply. Step 2 – Add a Firewall Rule ADVANCED SETTINGS >...
  • Page 57: Setup Alert Detected Attack

    Check the Enable Alert when attack detected checkbox. Entering 100 in One Minute High means that the DFL-1500 starts to generate alerts and delete half-open states if 100 half-open states are established within the last minute. Enter 100 in the...
  • Page 58 This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number (One Minute High), the DFL-1500 deletes half-open sessions as required to accommodate new connection attempts.
  • Page 60: Part Iii Virtual Private Network

    Part III Virtual Private Network...
  • Page 61: Chapter 9 VPN Technical Introduction

    Chapter 9 VPN Technical Introduction This chapter introduces VPN related technology. Terminology Explanation 9.1.1 VPN A VPN (Virtual Private Network) logically provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of encryption, tunneling, authentication, and access control used to transport traffic over the Internet or any insecure TCP/IP network.
  • Page 62: Encapsulation

    This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the DFL-1500. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
  • Page 63: IPSec Protocols

    Step 1 – Enable IPSec ADVANCED SETTINGS > VPN Settings > Pass Through If we need to set up the DFL-1500 between existing IPSec / PPTP / L2TP connections, we need to open up the ports blocked by the DFL-1500 firewall in advance. Here we provide a simple way.
  • Page 65: Chapter 10 Virtual Private Network - IPSec

    Chapter 10 Virtual Private Network – IPSec This chapter introduces IPSec VPN and explains how to implement it. Based on Figure 2-1, in this chapter we will extend the explanation to how to make a VPN link between LAN_1 and LAN_2.
  • Page 66: Steps

    Difference: The “Pre-Shared Key” must be the same at both DFL-1500s. The types and keys of “Encryption” and “Authenticate” must be set the same on both DFL-1500s. However, the “Outgoing SPI” at DFL-1 must equal the “Incoming SPI”...
  • Page 67 Encapsulation Mode: Choose Tunnel or Transport mode; see Chapter 9 for details. Example: Tunnel. My IP Address: The IP address of the local site DFL-1500 Firewall/VPN Router. Example: 61.2.1.1. Security Gateway Addr: The IP address of the remote site device, like a DFL-1500 Firewall/VPN Router. Example: 210.2.1.1.
  • Page 68 ESP Algorithm may be grouped by the items of the Encryption and Authentication Algorithms or executed separately. We can select from the items below either an Encryption and Authentication Algorithm combination or an Encryption or Authentication Algorithm singly.
  • Page 69 Remote to Local Protocol / Src Port / Dest Port: Use this field to select which packets, destined for a specified port (Dest Port) or coming from a specified port (Src Port), can use the IPSec feature. Example: ANY / 0 / 0.
  • Page 70 Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500 and accomplish the VPN tunnel establishment. At DFL-2: Here we will install the IPSec properties of DFL-2. Note that the “Local Address” and “Remote address” fields are opposite to...
  • Page 71 Step 1 – Enable IPSec ADVANCED SETTINGS > VPN Settings > IPSec Check the Enable IPSec checkbox and click Apply. Step 2 – Add an IKE rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
  • Page 72 Step 4 – Remind to add a Firewall rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule.
  • Page 73: DES/MD5 IPSec Tunnel: The Manual-Key Way

    192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully access 192.168.88.0/24 through the VPN tunnel. DES/MD5 IPSec tunnel: the Manual-Key way In the previous section, we introduced the IKE method. Here we will introduce another method, using the Manual-Key way instead of IKE, to install DFL-1.
  • Page 74 The remote IP address. Example: 192.168.88.0. Prefix Len/Subnet Mask: The remote IP netmask. Example: 255.255.255.0. My IP Address: The IP address of the local site DFL-1500 Firewall/VPN Router. Example: 61.2.1.1. Security Gateway Addr: The IP address of the remote site device, like a DFL-1500 Firewall/VPN Router. Example: 210.2.1.1.
  • Page 75 Outgoing SPI: The Outgoing SPI (Security Parameter Index) value. Notice: a HEX SPI must be a value between 600 and 600000, or a DEC SPI must be a value between 1500 and 6300000. Example: 2222.
  • Page 76 Step 5 – Remind to add a Firewall rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a window message to remind you to add a firewall rule.
  • Page 77 Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the DFL-1500 and accomplish the VPN tunnel establishment. At DFL-2: Second, we will use the Manual-Key way to install the IPSec properties of DFL-1.
  • Page 78 Step 3 – Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add Similar to those in DFL-1, except that you should interchange the Local IP Address with the Remote IP Address, the My IP Address with...
  • Page 79 ADVANCED SETTINGS > Firewall > Edit Rules Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the DFL-1500 and successfully access 192.168.88.0/24 through the VPN tunnel.
  • Page 81: Chapter 11 Virtual Private Network - PPTP

    11.3 Methods 1. Set up the PPTP server at the DFL-1500. Set up the remote PC as the PPTP client. After dialing up to DFL-1, DFL-1 will assign a private IP which falls in the range configured in the PPTP server at DFL-1. Suppose the range is defined as 192.168.40.180 ~ 192.168.40.199; the remote host may get an IP of 192.168.40.180 and logically become a member of...
  • Page 82: Steps

    End IP: The allocated ending IP address in the internal network after the PPTP client dials in to the DFL-1500. Example: 192.168.40.199. Username: The account which allows the PPTP client user to dial in to the DFL-1500. Example: PptpUsers. Password: The password which allows the PPTP client user to dial in to the DFL-1500. Example: Dif3wk. Table 11-1 Setup PPTP Server Step 2 –...
  • Page 83: Setup PPTP Network Client

    IP address for the PPTP client in the “Assigned IP” field. Enable PPTP Client: Enable the PPTP Client feature of the DFL-1500. Example: enabled. Server IP: The IP address of the PPTP server. Example: 61.2.1.1. Username: The designated account which allows the PPTP client to dial in.
  • Page 85: Chapter 12 Virtual Private Network - L2TP

    1. Set up the L2TP server at the DFL-1500 (LNS: L2TP Network Server). After dialing up to the DFL-1500, the DFL-1500 will assign a private IP which falls in the range configured in the L2TP server at the DFL-1500. Suppose the range is defined as 192.168.40.200 ~ 192.168.40.253; the remote host may get an IP of 192.168.40.200 and logically become a member of...
  • Page 86: Steps

    End IP: The ending IP address of the range from which users are allowed to dial in to the LNS server via a LAC using the L2TP protocol. Example: 211.54.63.5. Username: The account which allows the L2TP client user to dial in to the DFL-1500. Example: L2tpUsers. Password: The password which allows the L2TP client user to dial in to the DFL-1500. Example: Dif3wk...
  • Page 87 6. If the Public Network dialog box appears, choose the Don’t dial up initial connection and select Next. 7. In the VPN Server Selection dialog, enter the public IP or hostname of the DFL-1500 to connect to and select Next. 8. Set Connection Availability to Only for myself and select Next.
  • Page 88 Connecting to the L2TP VPN 1. Connect to your ISP. 2. Start the dial-up connection configured in the previous procedure. 3. Enter your L2TP VPN User Name and Password. 4. Select Connect.
  • Page 90: Part Iv Content Filters

    Part IV Content Filters...
  • Page 91: Chapter 13 Content Filtering - Web Filters

    Chapter 13 Content Filtering – Web Filters This chapter introduces web content filters and explains how to implement them. 13.1 Demands Figure 13-1 Use web filter functionality to prevent users browsing forbidden web sites 1.
  • Page 92: Objectives

    Figure 13-2 Use web filter functionality to prevent users viewing forbidden web sites 2. As Figure 13-2 above illustrates, someone (PC1_1) is browsing forbidden web pages during office hours. The contents of the web pages may include stock markets, violence, or sex, which wastes the bandwidth of the Internet access link while degrading the efficiency of normal working hours.
  • Page 93: Steps

    Restricted Features: Select the items below that will be verified by the Web Filter of the DFL-1500. ActiveX: filter web pages that include ActiveX. Example: enabled. Java: filter web pages that include Java...
  • Page 94 Web Proxy: If “Web Proxy” is enabled, all the web pages passing through a proxy (only Web Proxy port 3128) will also be verified by the DFL-1500. If “Web Proxy” is disabled, all the web pages passing through a proxy will bypass the verification. Example: enabled.
  • Page 95 Update the Built-in Database ADVANCED SETTINGS > Content Filters > Web Filter > Database Update Click the Download button to ask the DFL-1500 to instantly download the database from fwupdate.dlinktw.com.tw. The DFL-1500 can be set to automatically check the site for any...
  • Page 96 Trusted Domains. However, if the web objects are set to be blocked by the DFL-1500 in step 3, these allowed accesses will never be able to retrieve these objects. Check the “Don’t block …” to allow the objects for these trusted domains.
  • Page 97 Don't block Java/ActiveX/Cookies/Web Proxy to trusted domain: Within the domain range of the trusted domains, if Java/ActiveX/Cookies/Web Proxy components are included in the web page, the action is set not to block. Example: Enabled.
  • Page 98 Step 9 – Setup contents keyword ADVANCED SETTINGS > Content Filters > Web Filter > Keyword blocking Check Enable Keyword Blocking to block any Web pages that contain the entered keywords. Add a keyword by entering a word in the Keyword field and then click Add to proceed.
  • Page 99: Chapter 14 Content Filtering - Mail Filters

    Chapter 14 Content Filtering – Mail Filters This chapter introduces SMTP proxies and explains how to implement them. 14.1 Demands Sometimes malicious scripts like *.vbs may be attached to email. If users accidentally open such files, their computers may be infected with a virus.
  • Page 100: Steps for SMTP Filters

    Check the Enable SMTP Proxy checkbox and click Apply. Enable SMTP Proxy: Enable the SMTP Proxy feature of the DFL-1500. Example: enabled. Filename extension: When the filename extension of an attachment matches “Filename extension”, add the “.bin” extension to the attachment file. Example: Append ".bin" to E-mail...
  • Page 101: Steps for POP3 Filters

    Check the Enable POP3 Proxy checkbox and click Apply. Enable POP3 Proxy: Enable the POP3 Proxy feature of the DFL-1500. Example: enabled. Filename extension: When the filename extension of an attachment matches “Filename extension”, add the “.bin” extension to the attachment file. Example: Append ".bin" to E-mail...
  • Page 102 Step 2 – Add a POP3 Filter ADVANCED SETTINGS > Content Filters > Mail Filters > POP3 Select filename extension, enter vbs, and click Add to add a rule. This rule will apply to all DMZ/WAN-to-LAN POP3 connections. All such POP3 traffic will be examined to change the filename extension from vbs to vbs.bin.
  • Page 103: Chapter 15 Content Filtering - FTP Filtering

    Chapter 15 Content Filtering – FTP Filtering This chapter introduces FTP proxies and explains how to implement them. 15.1 Demands 1. Some users in LAN1 use FTP to download big MP3 files and waste bandwidth.
  • Page 104: Steps

    Enable FTP Filter: Enable the FTP Filter feature of the DFL-1500. Example: enabled. Table 15-1 FTP Filter FTP setting page Step 2 – Add an FTP Filter ADVANCED SETTINGS > Content Filters > FTP Filter > FTP > Add Enter mp3 in the Name field and select Extension Name in the Blocked Type field.
  • Page 105 Step 3 – Add an Exempt Zone ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone > Add Add a new Exempt Zone record. Its IP address range is between 192.168.40.10...
  • Page 106: Part V Intrusion Detection System

    Part V Intrusion Detection System...
  • Page 107: Chapter 16 Intrusion Detection Systems

    Methods 1. Specify where our Web server is located to let the IDS on the DFL-1500 focus more on the attacks. 2. Set up logs to be emailed to the specified email address when the log is full. You can also set daily/weekly emails to periodically...
  • Page 108: Steps

    Apply button. Enable IDS: Enable the IDS feature of the DFL-1500. Example: enabled. Detect Attacks Towards: Specify the IP address region of each DMZ/LAN server area. Options: This option is designed to be memory efficient. It has configurable memory usage and fragment timeout options.
  • Page 109 Normalize Telnet: This option will normalize telnet control protocol characters from the session data. It accepts a list of ports to run on as arguments. It defaults to running on ports 21, 23, 25,...
  • Page 110: Part Vi Bandwidth Management

    Part VI Bandwidth Management...
  • Page 111: Chapter 17 Bandwidth Management

    Chapter 17 Bandwidth Management This chapter introduces bandwidth management and explains how to implement it. 17.1 Demands Figure 17-1 Use bandwidth management mechanism to shape the data flow in the downlink direction 1. As Figure 17-1 above illustrates, PC1_1 is downloading MP3 files from the FTP Server (140.113.179.3).
  • Page 112: Objectives

    Figure 17-2 Use bandwidth management mechanism to shape the data flow in the uplink direction 2. As Figure 17-2 above illustrates, PCa (10.1.1.1) is uploading files to the FTP Server (140.113.79.3), blocking the VPN transfer from LAN_1 to LAN_2. We want to make sure that the VPN tunnel link has at least a 1000 kbps rate reserved.
  • Page 113: Steps

    Check the Enable Bandwidth Management checkbox and click Apply. Enable Bandwidth Management: Enable the Bandwidth Management feature of the DFL-1500. Example: enabled. Apply: Apply the settings which have been configured. Reset: Clear the filled-in data and restore the original.
  • Page 114 Delete: Delete the indicated class. Next Page: If there is more than one action page, you can press Next Page to go to the next page. Table 17-2 Setup edit actions page of Bandwidth Management Step 3 –...
  • Page 115 Step 4 – Partition into Classes ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-Class Now there are two actions under the default action. Step 5 – Setup ANY-to-LAN1 Rules ADVANCED SETTINGS > Bandwidth Mgt. > Edit Rules Select ANY to LAN1 to display the rules.
  • Page 116 Step 6 – Customize the Rules ADVANCED SETTINGS > Bandwidth Mgt. > Edit Rules > Insert Enter a rule name such as inFTP, enter the Source IP as 140.113.179.3 and the netmask as 255.255.255.255. Enter the Dest. IP as 192.168.40.1...
  • Page 117: Outbound Traffic Management

    Step 7 – View the rules ADVANCED SETTINGS > Bandwidth Mgt. > Edit Rules The DFL-1500 is now configured to direct inFTP-matched packets into the inFTP queue (1019 kbps) and inVideo-matched packets into the inVideo queue (447 kbps). All other traffic is put into the def_class queue (any available bandwidth).
  • Page 118 Step 3 – Partition into Classes ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-Class Create a sub-class named LANa-to-LANb from the default class. Enter 65% in the bandwidth field, check the Borrow button, and click Apply.
  • Page 119 Step 6 – View the rules ADVANCED SETTINGS > Bandwidth Mgt. > Edit Rules The DFL-1500 is now configured to direct outFtpUpload-matched packets into the outFTP queue (463 kbps) and outVPN-matched packets into the LANa-to-LANb queue (1003 kbps). Here we...
  • Page 120: Part Vii System Maintenance

    D-Link Part VII Part VII System Maintenance...
  • Page 121: Chapter 18 System Status

    Chapter 18 System Status 18.1 Demands 1. Since we have finished configuring the DFL-1500, we need to gather the device information quickly so that we can have an overview of the system status. 18.2 Objectives 1. We can see the current situation easily through an integrated interface.
  • Page 122 Step 3 – CPU & Memory DEVICE STATUS > System Status > CPU & Memory We can view the device information (including system, user, interrupt and memory utilization) through the graphical interface. Note: If you cannot view the graphic correctly, it may be because you don’t...
  • Page 123: Chapter 19 Log System

    1. By tracking the system logs, you can tell which administrative actions were valid and which were not. 2. Use the syslog server to receive the logs, or edit the “Mail Logs” page of the DFL-1500 to have the logs mailed out automatically at a set interval.
  • Page 124: Syslog & Mail Log

    Step 1 – Setup Syslog Server DEVICE STATUS > Log Config > Syslog Server Set up the syslog server by checking Enable Syslog Server. This lets the DFL-1500 send logs to the syslog server specified in the “Syslog Server IP Address” field. FIELD...
  • Page 125: Chapter 20 System Maintenance

    This chapter introduces how to perform system maintenance. 20.1 Demands 1. The DFL-1500 is designed with upgradeable firmware and databases to keep pace with the changing Internet. New features, new attack signatures, new forbidden URLs, and new virus definitions require timely updates to the DFL-1500.
  • Page 126 DFL-1500’s LAN1. Log in to the DFL-1500’s console. Enter en to enter privileged mode. Configure the LAN1 address so that the DFL-1500 can connect to the TFTP server. The CLI command to configure the LAN1 interface is ip ifconfig INTF3 192.168.1.254 255.255.255.0. The console session reads:
    DFL-1500> en
    DFL-1500# ip ifconfig INTF3 192.168.1.254 255.255.255.0
  • Page 127: Steps For Firmware Upgrade From Web Gui

    Enter sys resetconf now to reset the configuration to factory default. Then enter sys reboot now to instantly reboot the system. The console session reads:
    login: admin
    Password:
    Welcome to DFL-1500 Firewall/VPN Router!
    DFL-1500> en
    DFL-1500# sys resetconf now
    Resetting Configuration to default... DONE
    Please reboot the system
    DFL-1500# sys reboot now
    Rebooting...
  • Page 128: Steps For Backup / Restore Configurations

    PIO mode 4 DFL-1500> Step 3 – Factory reset Enter sys resetconf now to reset the configuration to factory default. Then enter sys reboot now to instantly reboot the system. The console session reads:
    DFL-1500> en
    DFL-1500# sys resetconf now
    Resetting Configuration to default... DONE
  • Page 129: Appendix A Command Line Interface (Cli)

    Command Line Interface (CLI) Most of the time you configure the DFL-1500 through the web interface (http/https). In an emergency you can also configure the DFL-1500 through the console, ssh or telnet. This is known as the Command Line Interface (CLI). With CLI commands you can set the IP addresses, restore the factory defaults, reboot or shut down the system, etc.
  • Page 130 Show system and network status. version (ver): sys version – Show DFL-1500 firmware version. Table A-1 Non-privileged mode CLI commands. Note: If you don’t know which parameters follow a command, just type “?” after the command, e.g. “ip ?”. It will show all the valid parameters that can follow “ip”.
  • Page 131: Appendix B Trouble Shooting

    Check System Tools > Remote Mgt. > DMZ1 and verify that the DMZ1 port checkbox is enabled. By default only the LAN port is enabled. I have already set the WAN1 IP address in the same subnet as my PC (configurator), but I still can’t use https to log in to the DFL-1500 via the WAN1 port, why? Ans:...
  • Page 132 This is because someone else is logged in to the DFL-1500 at the same time from another IP address. Log out of the system from that IP address first and then log in again from your IP address. You will then be able to log in to the DFL-1500.
  • Page 133 Ans: One reason is that you may have entered the Host Name followed by a space, like “DFL-1500 “, and the Domain Name string like “dlink.com” in firmware version 1.391B. The System Name will then appear as “DFL-1500 .dlink.com”. After upgrading...
  • Page 135: Appendix C Packet Flow

    Appendix C Packet Flow Figure C-1 Packet flow diagrams...
  • Page 137: Appendix D Glossary Of Terms

    NAT (Network Address Translation) – Using network address translation, the DFL-1500 translates the private addresses of the internal network to a public address for Internet use. By this method, we can use a large number of private...
  • Page 138 POP3 (Post Office Protocol 3) – POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail.
  • Page 139: Appendix E Index

    Appendix E Index: backup configuration, 122; Bandwidth Management, 105; bidirectional, 37, 38, 40; Content Filter: FTP Filter, 97; Mail Filter, 93; Web Filter, 85; POP3, 93, 95; restore configuration, 122; Routing, 45: policy routing, 45; static routing, 45...
  • Page 141: Appendix F Hardware

    Appendix F Hardware Item / Feature / Detailed Description: 1. Hardware; 1.1.1 Chassis; 1.1.1.1 Dimensions – Rack mount 1U size, 146 mm (H) x 275 mm (D) x 203 mm (W) (8''*5.75''*10''); 1.1.1.2 Look & feel – D-Link style; 1.1.2 Key Components...
  • Page 142 1.1.3.5 LED indication – Per Device: Power LED: Off – Power Off; Solid Green – Power On. Ethernet 10/100M, per port: 1. Link/ACT LED: Off – No Link; Solid Green – Link; Blinking Green – Activity. 2. Power – Power supply...
  • Page 143: Appendix G Version Of Software And Firmware

    Appendix G Version of Software and Firmware DFL-1500 VPN/Firewall Router Version of Components: Firmware: v. 1.51R...
  • Page 145: Appendix H Customer Support

    Appendix H Customer Support Offices Australia D-Link Australia 1 Giffnock Avenue, North Ryde, NSW 2113, Sydney, Australia TEL: 61-2-8899-1800 FAX: 61-2-8899-1868 TOLL FREE (Australia): 1800-177100 URL: www.dlink.com.au E-MAIL: support@dlink.com.au & info@dlink.com.au Brazil D-Link Brasil Ltda.
  • Page 146 URL: www.dlink-france.fr E-MAIL: info@dlink-france.fr Germany D-Link Central Europe (D-Link Deutschland GmbH) Schwalbacher Strasse 74, D-65760 Eschborn, Germany TEL: 49-6196-77990 FAX: 49-6196-7799300 URL: www.dlink.de BBS: 49-(0) 6192-971199 (analog) BBS: 49-(0) 6192-971198 (ISDN) INFO: 00800-7250-0000 (toll free) HELP: 00800-7250-4000 (toll free) REPAIR: 00800-7250-8000 E-MAIL: info@dlink.de...
  • Page 147 CHS Aptec (Dubai), P.O. Box 33550 Dubai, United Arab Emirates TEL: 971-4-366-885 FAX: 971-4-355-941 E-MAIL: Wxavier@dlink-me.com U.K. D-Link Europe (United Kingdom) Ltd Floor, Merit House, Edgware Road, Colindale, London NW9 5AB United Kingdom TEL: 44-020-8731-5555 SALES: 44-020-8731-5550 FAX: 44-020-8731-5511 SALES: 44-020-8731-5551 BBS: 44 (0) 181-235-5511 URL: www.dlink.co.uk E-MAIL: info@dlink.co.uk...