D-Link DFL-200 - Manuals
Summary
Contents: Introduction; Features and Benefits; Introduction to Firewalls ...
Introduction The DFL-200 provides three 10/100M Ethernet network interface ports, which are (1) Internal/LAN, (1) External/WAN, and (1) DMZ port. It also provides an easily operated software WebUI that allows users to set system parameters or monitor network activities using a web browser. Features and...
Introduction to Local Area Networking Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a Wide Area...
LEDs Power: A solid light indicates a proper connection to the power supply. Status: System status indicator. If the LED is solid green, the device is working normally. If the LED is off, the unit is defective. WAN, DMZ & LAN ports: Ethernet port indicators, Green. The LED flickers when t...
Managing D-Link DFL-200 When a change is made to the configuration, a new icon named Activate Changes will appear. When all the changes an administrator would like to make are done, the changes need to be saved and activated to take effect; this is done by clicking on the Activate Changes button on the Acti...
Administration Settings Administrative Access Ping – If enabled, specifies who can ping the interface IP of the DFL-200. Default if enabled is to allow anyone to ping the interface IP. Admin – If enabled, allows all users with admin access to connect to the DFL-200 and change configuration, can be...
Add ping access to an interface To add ping access click on the interface you would like to add it to. Follow these steps to add ping access to an interface. Step 1. Click on the interface you would like to add it to. Step 2. Enable the Ping checkbox. Step 3. Specify what networks are allowed to pin...
Add Read-only access to an interface To add read-only access click on the interface you would like to add it to. Note that if you only have read-only access enabled on an interface, all users only get read-only access, even if they are administrators. Follow these steps to add read-only access to a...
System Interfaces Click on System in the menu bar, and then click interfaces below it. Change IP of the LAN or DMZ interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list. Step 2. Fill in the IP a...
WAN Interface Settings – Using PPPoE Use the following procedure to configure the DFL-200 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill the usern...
WAN Interface Settings – Using PPTP PPTP over Ethernet connections are used in some DSL and cable modem networks. You need your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over. Your ISP should supply this information. ...
WAN Interface Settings – Using BigPond The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – The login or username supplied to you by your ISP. • Password – The password supplied to you by your ISP. MTU Configuration To improve the performance of your In...
Routing Click on System in the menu bar, and then click Routing below it. This will give a list of all configured routes; it will look something like this: The Routes configuration section describes the firewall’s routing table. DFL-200 uses a slightly different way of describing routes compared ...
Logging Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-200 provides several options for logging its activity. The D-Link DFL-200 logs its activities by...
Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the rules. For more information about how to enable intrusion detection and prevention on a policy or port mapping, read more under Policies and Port Mappings in the Firewall section below.
Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time by hand.
Changing time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the setting or click Cancel to discard...
Firewall Policy The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. When a new connection is being established through the firewall, the po...
Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link on the rule you want to delete. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4. Choose Prevention from the mode d...
Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar. It is also possible to use Intrusion Detection / Prevention on port-mapped services; this is done in the same way as on poli...
Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link on the rule you want to delete. Step 3. Enable the Delete mapping checkbox. Click the Apply button below to apply the cha...
Users User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with username or groups, the user must first authenticate him/herself. ...
Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being ...
Delete User To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to change level of. Step 2. Enable the Delete user checkbox. Click the Apply button below to apply the setting or click Cancel to d...
Schedules It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-200 allows the firewall policies to be used at those designated times only. Any activities outside of the scheduled time slot will not follow the policies and will therefore likely n...
Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, ...
Adding IP Protocol When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP ...
Protocol-independent settings Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication...
VPN Introduction to IPSec This chapter introduces IPSec, the method, or rather set of methods used to provide VPN functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPSec bas...
Authentication Protocols PPP supports different authentication protocols: PAP, CHAP, MS-CHAP v1 and MS-CHAP v2 are supported. Which authentication protocol to use is negotiated during LCP negotiation. PAP PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme, which m...
MPPE encryption If MPPE encryption is going to be used, this is where the encryption level is configured. If L2TP or PPTP over IPSec is going to be used it has to be enabled and configured to either use a Pre-Shared Key or a Certificate.
VPN between two networks In the following example users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL Network Security Firewalls across the I...
VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel, for example when trying to connect to a third-party VPN gateway. The settings that can be set per tunnel are the following: Limit MTU With this setting it’s possible to li...
Certificates A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates. Before a VPN tunnel with cert...
Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from the Certifica...
Content Filtering DFL-200 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. You can configure a URL blacklist to block all or just some of the pages on a website. Using this feature you can deny access to parts of a web site without de...
Edit the URL Global Whitelist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL whitelist. Step 2. Add/edit or remove the URL that should never be checked with the Content Filtering. Click the Apply button below to apply the change o...
Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL blacklist. Step 2. Add/edit or remove the URL that should be checked with the Content Filtering. Click the Apply button below to apply the change or click C...
Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects. It’s possible to strip ActiveX, Flash, Java, JavaScript and VBScrip...
Servers DHCP Server Settings The DFL-200 contains a DHCP server; DHCP (Dynamic Host Configuration Protocol) is a protocol that lets network administrators automatically assign IP numbers to computers on a network. The DFL-200 DHCP Server helps to minimize the work necessary to administer a networ...
DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-200 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself. Enable DNS Relayer Follow these steps to enable the DNS R...
Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes.
Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This behavior is the one best suited for diagnosing conn...
Ping Example In this example, the IP Address is 192.168.10.1 and the Number of packets is five. After clicking on Apply the firewall will start to send the ICMP Echo Requests to the specified IP. After a few seconds the result will be shown; in this example only four out of five packets were received ...
Backup Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configuration file stores system settings, IP addresses of Firewall’s network interfaces, address table, service table, IPSec settings, port mapping and policies....
Restart/Reset Restarting the DFL-200 Follow these steps to restart the DFL-200. Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart.
Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure will possibly change the DFL-200 firmware version to a lower version if it has been upgraded. This procedure deletes all of the changes that you have ma...
Upgrade The DFL-200’s software, IDS signatures and system parameters are all stored on a flash memory card. The flash memory card is re-writable and re-readable. Upgrade Firmware To upgrade the firmware first download the correct firmware image from D-Link. After having the newest version of softwar...
Status In this section, the DFL-200 displays the status information about the Firewall. The administrator may use Status to check the System Status, Interface statistics, VPN, connections and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear pr...
Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. Shows the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass via the policies. E...
DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default information about the LAN interface will be shown; to see another one click on that interface. Interface – Name of the interfac...
How to read the logs Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX servers usually log to text files, line by line. Most ...
Open Example: Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80 In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 ...
Step by step guides In the following guides example IPs, users, sites and passwords are used. You will have to exchange the IP addresses and sites to your own. Passwords used in these examples are not recommended for real life use. Passwords and keys should be chosen so that they are impossible t...
LAN-to-LAN VPN using IPsec Settings for Branch office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.10 LAN IP: 192.168.4.1 , Subnet mask: 255.255.255.0 2. Setup IPsec tunnel, Firewall->VPN: Under IPsec tunnels click Add new Name the tunnel ToMainOffice Local net: 192.168.4.0/24
PSK: 1234567890 (Note! You should use a key that is hard to guess) Retype PSK: 1234567890 Select Tunnel type: LAN-to-LAN tunnel Remote Net: 192.168.1.0/24 Remote Gateway: 194.0.2.20 Enable Automatically add a route for the remote network Click Apply 3. Setup policies for the new tunnel, Firewall-...
4. Click Activate and wait for the firewall to restart Settings for Main office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.20 LAN IP: 192.168.1.1 , Subnet mask: 255.255.255.0 2. Setup IPsec tunnel, Firewall->VPN: Under IPsec tunnels click add new Name the tunnel ToBranchOffice L...
LAN-to-LAN VPN using PPTP Settings for Branch office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.10 LAN IP: 192.168.4.1 , Subnet mask: 255.255.255.0 2. Setup PPTP client, Firewall->VPN: Under PPTP/L2TP clients click Add new PPTP client Name the tunnel toMainOffice
Under MPPE encryption 128 bit should be the only checked option. Leave Use IPsec encryption unchecked Click Apply 3. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply 4. ...
Settings for Main office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.20 LAN IP: 192.168.1.1 , Subnet mask: 255.255.255.0 2. Setup PPTP server, Firewall->VPN: Under L2TP / PPTP Server click Add new PPTP server Name the server pptpServer Leave Outer IP and Inner IP blank Set cli...
4. Set up authentication source, Firewall->Users : Select Local database Click Apply 5. Add a new user, Firewall->Users : Under Users in local database click Add new Name the new user BranchOffice Enter password: 1234567890 Retype password: 1234567890 Leave static client IP empty (could als...
Click Apply 6. Click Activate and wait for the firewall to restart. This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section in this chapter.
LAN-to-LAN VPN using L2TP Settings for Branch office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.10 LAN IP: 192.168.4.1 , Subnet mask: 255.255.255.0 2. Setup L2TP client, Firewall->VPN: Under L2TP / PPTP client click Add new L2TP client Name the server toMainOffice
4. Click Activate and wait for the firewall to restart Settings for Main office 1. Setup interfaces, System->Interfaces : WAN IP: 193.0.2.20 LAN IP: 192.168.1.1 , Subnet mask: 255.255.255.0 2. Setup L2TP server, Firewall->VPN: Under L2TP / PPTP Server click Add new L2TP server Name the server ...
A more secure LAN-to-LAN VPN solution To get a more secure solution, policies should be created instead of allowing all traffic between the two offices. The following steps will show how to enable some common services. In this example we have a mail server, ftp server and a web server (intranet) in ...
4. Setup the new rule: Name the new rule: allow_pop3 Select action: Allow Select service: pop3 Select schedule: Always We don’t want any Intrusion detection for now, so leave this option unchecked. Click Apply
Settings for Main office 1. Setup policies for the new tunnel, Firewall->Policy: Click Global policy parameters Disable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN Click Apply 2. Now it is possible to create policies for the VPN interfaces. Select from toBranchOf...
Windows XP client and PPTP server Settings for the Windows XP client 1. Open the control panel (Start button -> Control panel). 2. If you are using the Category view, click on the Network and Internet Connections icon. Then click Create a connection to the network on your workplace and continue t...
5. Select Connect to the network at my workplace and click Next
6. Select Virtual Private Network connection and click Next
7. Name the connection MainOffice and click Next
8. Select Do not dial the initial connection and click Next
11. Type user name HomeUser and password 1234567890 (Note! You should use a password that is hard to guess) 12. Click Properties
13. Select the Networking tab and change Type of VPN to PPTP VPN. Click OK. All settings needed for the XP client are now done. When we have set up the server on the firewall you can click Connect to establish the connection to the Main office
Leave static client IP empty (could also be set to e.g. 192.168.1.200. If no IP is set here the IP pool from the PPTP server settings is used). Click Apply 6. Click Activate and wait for the firewall to restart. This example will allow all traffic from the client to the main office network. To ge...
Windows XP client and L2TP server The Windows XP client to L2TP server setup is quite similar to the PPTP setup above. Settings for the Windows XP client To set up an L2TP connection from Windows XP to the Main office firewall, you can follow the steps in the PPTP guide above for the client side. The ...
2. Select the Security tab and click IPsec Settings 3. Check Use pre-shared key for authentication, type the key and click OK
Content filtering To enable content filtering, follow these steps: 1. Update the content filtering settings, Firewall->Content Filtering : Select what content should be filtered out. ActiveX, Java applets, JavaScript/VBScript and cookies can be blocked or filtered out. Note that some web pag...
2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services : Find the http-outbound service in the list and click Edit. If there is no service with that name you will have to create one by clicking Add new at the bottom of the list. TCP / UDP Service should b...
Intrusion detection and prevention Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are using a port mapping. The policy setup is quite similar. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connecte...
Appendixes Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. Type Name Code Description Reference 0 E...
Appendix B: Common IP Protocol Numbers These are some of the more common IP Protocols; for the full list, follow the link after the table. Decimal Keyword Description Reference 1 ICMP Internet Control Message RFC792 2 IGMP Internet Group Management RFC1112 3 GGP Gateway-to-Gateway RFC823 4 IP IP in IP (enc...
LIMITED WARRANTY D-Link provides this limited warranty for its product only to the person or entity who originally purchased the product from D-Link or its authorized reseller or distributor. Limited Hardware Warranty: D-Link warrants that the hardware portion of the D-Link products described below ...
the product is purchased and/or licensed. The addresses/telephone/fax list of the nearest Authorized D-Link Service Office is provided in the back of this manual. FAILURE TO PROPERLY COMPLETE AND TIMELY RETURN THE REGISTRATION CARD MAY AFFECT THE WARRANTY FOR THIS PRODUCT. Submitting A Claim. An...
USE OF THE PRODUCT, RELATING TO WARRANTY SERVICE, OR ARISING OUT OF ANY BREACH OF THIS LIMITED WARRANTY, EVEN IF D-LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOLE REMEDY FOR A BREACH OF THE FOREGOING LIMITED WARRANTY IS REPAIR, REPLACEMENT OR REFUND OF THE DEFECTIVE OR NON-CONFORM...
einzusetzen. Trademarks Copyright © 2002 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors. Copyright Statement No part of this publication m...
Offices AUSTRALIA D-LINK AUSTRALIA 1 Giffnock Ave, North Ryde, NSW 2113, Australia TEL: 61-2-8899-1800 FAX: 61-2-8899-1868 TOLL FREE: 1800-177-100 (Australia), 0800-900900 (New Zealand) E-MAIL: [email protected], [email protected] URL: www.dlink.com.au BENELUX D-LINK BENELUX Fellenoord 130, 56...