Page 3 - Table of Contents
DFL-500 User Manual 3 Table of Contents Introduction .................................................................................................... 8 NAT/Route mode and Transparent mode....................................................................................................... 8 NAT...
Page 8 - Introduction; Transparent mode; About this document
Introduction The DFL-500 Network Protection Gateway (NPG) is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your DFL-500 is a dedicated easily managed security device that d...
Page 9 - For more information; Customer service and technical support
• Administration describes DFL-500 management and administrative tasks. • The Glossary defines many of the terms used in this document. For more information In addition to the DFL-500 User Manual, you have access to the following DFL-500 documentation: • DFL-500 QuickStart Gui...
Page 10 - Getting started; Package contents; Mounting
Getting started This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode i...
Page 11 - Powering on
Dimensions • 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm) Weight • 1.5 lb. (0.68 kg) Power requirements • DC input voltage: 5 V • DC input current: 3 A Environmental specifications • Operating temperature: 32 to 104 °F (0 to 40 °C) • Storage temperature: -13 to 158 °F (-25...
Page 12 - Initial configuration; Connecting to the web-based manager
Front and back view of the DFL-500 NPG Initial configuration When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration listed in DFL-500 NPG initial power on settings. DFL-500 NPG initial power on settings Operating mode: NAT/Ro...
Page 13 - Connecting to the command line interface (CLI)
• Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL-500 NPG to the computer ethernet connection. • Start Internet Explorer and browse to the address https://192.168.1.99. The DFL-500 login appears. • Type admin in the Name fie...
Page 14 - Next steps
Data bits 8 Parity None Stop bits 1 Flow control None • Press Enter to connect to the DFL-500 CLI. The following prompt appears: DFL-500 login: • Type admin and press Enter. The following prompt appears: Type ? for a list of commands. For information on how to use the CLI, see...
Page 15 - Preparing to configure NAT/Route mode
NAT/Route mode installation This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the DFL-500 NPG in Transparent mode, see Transparent mode installation. This chapter includes: • Preparing to configure NAT/Route mode • Using the setu...
Page 16 - Using the setup wizard; Starting the setup wizard; Reconnecting to the web-based manager; Using the command line interface; Configuring the DFL-500 NPG to run in NAT/Route mode
Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP: _____._____._____._____ The DFL-500 NPG contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network...
Page 18 - Configuring your internal network; Setting the date and time
DFL-500 NPG network connections Configuring your internal network If you are running the DFL-500 NPG in NAT/Route mode, your internal network must be configured to route all internet traffic to the address of the internal interface of the DFL-500 NPG. This means changing the d...
Page 19 - Transparent mode installation; Preparing to configure Transparent mode; Changing to Transparent mode
Transparent mode installation This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install the DFL-500 NPG in NAT/Route mode, see NAT/Route mode installation. This chapter includes: • Preparing to configure Transparent mode • Using the se...
Page 20 - Configuring the Transparent mode management IP address
Starting the setup wizard • Select Easy Setup Wizard (the button in the upper right corner of the web-based manager). • Use the information that you gathered in Transparent mode settings to fill in the wizard fields. Select the Next button to step through the wizard pages. • C...
Page 21 - Configure the Transparent mode default gateway; Connecting to your network
The CLI lists the Management IP address and netmask. Configure the Transparent mode default gateway • Log in to the CLI if you are not already logged in. • Set the default route to the Default Gateway that you recorded in Transparent mode settings. Enter: set system route numb...
Page 23 - Firewall configuration
Firewall configuration By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal...
Page 24 - NAT/Route mode and Transparent mode; Adding NAT/Route mode policies
NAT/Route mode and Transparent mode The first step in configuring firewall policies is to configure the mode for the firewall. The firewall can run in NAT/Route mode or Transparent mode. NAT/Route mode Run the DFL-500 NPG in NAT/Route mode to protect a private network from a p...
Page 27 - Adding Transparent mode policies
Adding a NAT/Route Int -> Ext policy Adding Transparent mode policies Add Transparent mode policies to control the network traffic that is allowed to pass through the firewall when you are running it in Transparent mode. • Go to Firewall > Policy. • Select a policy ...
Page 29 - Configuring policy lists; Policy matching in detail
Adding a Transparent mode Int -> Ext policy Configuring policy lists The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific...
Page 30 - Disabling a policy
Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. Changing the order of policies in a policy list • Go to Firewall > Policy. • Select the ...
Page 31 - Deleting addresses
Adding addresses • Go to Firewall > Address. • Select the interface to which to add the address. The list of addresses added to that interface is displayed. • Select New to add a new address to the selected interface. • Enter an Address Name to identify the address. The na...
Page 32 - Organizing addresses into address groups; Services
Organizing addresses into address groups You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses, and then add them to an address group, you only have to add one policy for the address group rather than ...
Page 33 - Predefined services
• Predefined services • Providing access to custom services • Grouping services Predefined services To view the list of predefined services, go to Firewall > Service > Pre-defined. You can add predefined services to any policy. Providing access to custom services Add a ...
Page 34 - Schedules; Creating one-time schedules
Adding a service group • To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list. • To remove services from the service group, select a service from the Members list and select the left a...
Page 35 - Creating recurring schedules; Adding a schedule to a policy; Virtual IPs
• Set the Start date and time for the schedule. Set Start and Stop times to 00 for the schedule to cover the entire day. • Set the Stop date and time for the schedule. One-time schedules use the 24-hour clock. • Select OK to add the one-time schedule. Creating recurring schedu...
Page 36 - Adding static NAT virtual IPs
create an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on your internal network. To allow connections from the Internet to the web...
Page 37 - Using port forwarding virtual IPs
Adding a static NAT virtual IP • In the Map to IP field, enter the real IP address on the more secure network, for example, the IP address of a web server on your internal network. The firewall translates the source address of outbound packets from the host with the Map to IP ...
Page 38 - Adding policies with virtual IPs
Adding a Port Forwarding virtual IP • Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Interne...
Page 39 - IP pools
Destination Select the virtual IP. Schedule Select a schedule as required. Service Select the service that matches the Map to Service that you selected for the port-forwarding virtual IP. Action Set action to ACCEPT to accept connections to the internal server. You can also se...
Page 42 - Viewing the dynamic IP/MAC list; Enabling IP/MAC binding
Viewing the dynamic IP/MAC list • Go to Firewall > IP/MAC Binding > Dynamic IP/MAC. Enabling IP/MAC binding • Go to Firewall > IP/MAC Binding > Setting. • Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be ...
Page 43 - Users and authentication; Setting authentication time out; Adding user names and configuring authentication
Users and authentication DFL-500 NPGs support user authentication to the DFL-500 user database or to a RADIUS server. You can add user names to the DFL-500 user database and then add a password to allow the user to authenticate using the internal database. You can also add the...
Page 44 - Deleting user names from the internal database
• Select New to add a new user name. Adding a user name • Enter the user name. The user name can contain numbers (0-9) and uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. • Select one of the f...
Page 45 - Adding RADIUS servers; Deleting RADIUS servers
Deleting the user name deletes the authentication configured for the user. Configuring RADIUS support If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-500 NPG contacts the RADIUS server for authentication. When using a...
Page 46 - Configuring user groups; Adding user groups
Configuring user groups Use the following information to add user groups to your DFL-500 configuration. You can add user names and RADIUS servers to user groups. You can then add user groups to: • Policies that require authentication (Adding NAT/Route mode policies, and Addi...
Page 47 - Deleting user groups
Adding a user group • To remove users or RADIUS servers from the user group, select a user or RADIUS server from the Members list and select the left arrow to remove the name or RADIUS server from the group. • Select OK. Deleting user groups You cannot delete user groups that ...
Page 48 - IPSec VPNs; Interoperability with IPSec VPN products
IPSec VPNs Using IPSec Virtual Private Networking (VPN), you can securely join two or more widely separated private networks or computers together through the Internet. For example, if you are away from home, you can use a VPN to securely connect through your DFL-500 NPG to yo...
Page 49 - Configuring AutoIKE key IPSec VPN
• ESP security in tunnel mode • DES and 3DES (TripleDES) encryption • Diffie-Hellman groups 1, 2, and 5 • HMAC MD5 authentication/data integrity or HMAC SHA1 authentication/data integrity • Aggressive and Main Mode • NAT Traversal • Replay Detection • IPSec Redundancy • Perfec...
Page 54 - About dialup VPN authentication
Mode. Enter the IP address of the dialup user or the domain name of the dialup user (for example, domain.com). If you do not add a local ID, the DFL-500 external interface automatically becomes the Local ID. For information about the Local ID, see About dialup VPN authenticati...
Page 55 - Aggressive mode with no user group
For each variation, the remote gateway field of the dialup server remote gateway configuration must be set to dialup user and all of the clients must have their remote gateway or equivalent set to the static IP address of the remote gateway server. The following sections descr...
Page 56 - Aggressive mode with a user group selected; About DH groups
Aggressive mode with no user group Field Server Clients User Group None N/A Mode Aggressive Aggressive Authentication Key The server and the clients must have the same authentication key. Local ID empty empty Aggressive mode with a user group selected In this configuration, th...
Page 57 - About NAT traversal; Adding an AutoIKE key VPN tunnel
About NAT traversal NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are mapped. Mapping both components allows multiple private...
Page 58 - About the P2 proposal; About replay detection
Autokey Keep Alive Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed. Concentrator Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure, Adding a VPN concentrator to add...
Page 59 - Adding a manual key VPN tunnel
The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or violations". For information about alert email, see Configu...
Page 63 - Viewing VPN tunnel status
Allow outbound Select Allow outbound to enable outbound users to connect to the destination address. Inbound NAT The DFL-500 NPG translates the source address of incoming packets to the IP address of the DFL-500 interface connected to the source address network. Outbound NAT T...
Page 64 - Viewing dialup VPN connection status; Testing a VPN
AutoIKE key tunnel status Viewing dialup VPN connection status You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy...
Page 66 - PPTP and L2TP VPNs; PPTP VPN configuration
PPTP and L2TP VPNs Using PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running Microsoft Windows and your internal network. PPTP is a Windows VPN standard. You can use PPTP to connect computers running Windows to a...
Page 67 - Configuring the DFL-500 NPG as a PPTP gateway
PPTP VPN between a Windows client and the DFL-500 NPG Configuring the DFL-500 NPG as a PPTP gateway • Create a user group for your PPTP users. See Users and authentication. • Go to VPN > PPTP > PPTP Range. • Select Enable PPTP. • Enter the Starting IP and the Ending IP...
Page 69 - L2TP VPN configuration; Configuring the DFL-500 NPG as an L2TP gateway
L2TP VPN configuration L2TP clients must be able to authenticate with the DFL-500 NPG to start an L2TP session. To support L2TP authentication, you must add a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, ...
Page 71 - Web content filtering; Enabling web content Filtering; Configuring content filtering
Web content filtering Use DFL-500 web content filtering for: • Enabling web content Filtering • Blocking web pages that contain unwanted content • Blocking access to URLs • Removing scripts from web pages • Exempting URLs from content or URL blocking Enabling web content Filte...
Page 72 - Clearing the banned word list; Changing the content block message; Backing up and restoring the banned word list
The DFL-500 NPG is now configured to block web pages containing words and phrases added to the banned word list. • Select New to add a word or phrase to the banned word list. • Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Si...
Page 73 - Blocking access to URLs; Configuring URL blocking
• Select Backup Banned Word List. The DFL-500 NPG downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file. You can make changes to the text file and upload it f...
Page 74 - Clearing the URL block list; Changing the URL block message; Downloading the URL block list; Uploading a URL block list
URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. • Select Enable to block the URL. • Select ...
Page 75 - Removing scripts from web pages; Exempting URLs from content or URL blocking
You can add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists, available at http://www.squidguard.org/blacklist/, as a starting point for creating your own URL block list. Three times a week, the squidGua...
Page 76 - Clearing the Exempt URL list; Downloading the Exempt URL list
• Clearing the Exempt URL list • Downloading the Exempt URL list • Uploading an Exempt URL list Adding URLs to the Exempt URL List • Go to Web Filter > Exempt URL. • Select New to add an entry to the Exempt URL list. • Type the URL to exempt. Enter a complete URL, includin...
Page 77 - Uploading an Exempt URL list
Uploading an Exempt URL list You can create an Exempt URL list in a text editor and then upload the text file to the DFL-500 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL. If you do n...
Page 78 - Logging and reporting; Configuring Logging
Logging and reporting You can configure the DFL-500 NPG to record 3 types of logs: • Traffic logs record all traffic that attempts to connect through the DFL-500 NPG. • Event logs record management and activity events. You can also use Log & Report to configure the DFL-500...
Page 79 - Selecting what to log
Example log settings Selecting what to log Use the following procedure to configure the type of information recorded in DFL-500 logs. • Go to Log&Report > Log setting. • Select Log All Internal Traffic To Firewall to record all connections to the internal interface. Th...
Page 81 - Administration; System status
Administration This chapter describes how to use the web-based manager to administer and maintain the DFL-500 NPG. It contains the following sections: • System status • Upgrading the DFL-500 NPG firmware • Displaying the DFL-500 NPG serial number • Backing up system settings •...
Page 82 - Upgrading the DFL-500 NPG firmware; Upgrading the firmware using the web-based manager; Upgrading the firmware
• Shutting down the DFL-500 NPG If you log in to the web-based manager with any other administrator account, you can go to System > Status to view the system settings including: • Displaying the DFL-500 NPG serial number All administrative users can also go to System > St...
Page 87 - Network configuration
System status monitor At the top of the display, the system status monitor shows: CPU usage The current CPU usage statistics of the DFL-500 NPG. Memory usage The percentage of available memory being used by the DFL-500 NPG. Up time The number of days, hours, and minutes since ...
Page 88 - Configuring the external interface
Configuring the internal interface To configure the internal interface: • Go to System > Network > Interface. • For the internal interface, select Modify. • Change the IP address and Netmask as required. • Select the management Access methods for the internal interface...
Page 90 - Configuring the external interface for PPPoE
Configuring the external interface Configuring the external interface for PPPoE Use the following procedure to configure the external interface to use PPPoE. This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. • Go to Syste...
Page 92 - Configuring routing; Adding routing gateways
Configuring the management interface (Transparent mode) In Transparent mode, you can configure the management interface for management access to the DFL-500 NPG. • Go to System > Network > Management. • Change the Management IP and Mask as required. These must be valid ...
Page 93 - Adding a default route; Adding routes to the routing table
If you select dead gateway detection, you can also configure the ping target, detection interval, and fail-over detection for the routing gateway. • Set Ping Target to the IP address that the DFL-500 NPG should ping to test connectivity with the gateway. The ping target could be th...
Page 94 - Configuring the routing table
• Select OK to save the new route. Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see Configuring the routing table. Configuring the routing table As you add routes, they appear in the routing table. The routing...
Page 96 - Viewing the dynamic IP list; System configuration
Sample DHCP settings Viewing the dynamic IP list If you have configured your DFL-500 NPG as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses. The DFL-500 NPG ad...
Page 98 - Changing web-based manager options; Adding and editing administrator accounts; Adding new administrator accounts
• Specify how often the DFL-500 NPG should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the DFL-500 NPG to synchronize its time once a day. • Select Apply. Changing web-based manager options You can change the web-based manager idl...
Page 99 - Editing administrator accounts; Configuring the DFL-500 NPG for SNMP connections
• Select New to add an administrator account. • Type a login name for the administrator account. The login name must be at least 6 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special ...
Page 101 - Glossary
Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DNS, Domain Name Service: A service that converts symbolic node names to IP addresses. Ethernet: A local-area network (LAN) architecture that uses a bus...
Page 104 - Index
Index A action policy option ActiveX removing from web pages address adding editing group IP/MAC binding virtual IP address group example address name admin administrator account administrator account adding admin editing netmask trusted host aggressive mode remote gateway al...
Page 117 - Registration Card
Registration Card Print, type or use block letters. Your name: Mr./Ms _____________________________________________________________________________ Organization: ________________________________________________ Dept. ____________________________ Your title at organization: __...
Page 119 - Limited Warranty
Limited Warranty D-Link Systems, Inc. (“D-Link”) provides this 1-Year warranty for its product only to the person or entity who originally purchased the product from: • D-Link or its authorized reseller or distributor. • Products purchased and delivered with the fifty United ...
Page 122 - Registration; Register the D-Link DFL-500 Office Firewall online at
Registration Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg