Page 2 - Table of Contents
Table of Contents
Introduction ..... 4
IP Address Settings and Computer Settings ..... 8
Introduction and Overview ..... 9
Using the Configuration Utility ..... 12
Setup Wizard .....
Page 3 - Package Contents; Contents of Package:; Manual; System Requirements:
Package Contents Contents of Package: • D-Link DFL-600 Firewall/VPN Router • Manual • Quick Installation Guide • Power Adapter, 5V DC, 2.5A* • CAT-5 UTP Cable If any of the above items are missing, please contact your reseller. *Using a power supply with a different voltage rating will damage the pr...
Page 4 - Introduction; (DHCP stands for Dynamic Host Configuration Protocol. It is a
Introduction The D-Link DFL-600 VPN Router enables your network to connect to the Internet via a secure, private connection using a Cable or DSL modem. The Virtual Private Network (VPN) that is created on the Internet between your home and a VPN server in your office is secure from interference when...
Page 6 - Rearview; Connects the DC power adapter to the Power port; Product Features; The DFL-600 can connect any Cable or DSL modem to the network.; DHCP
Rearview Power (5V 2.5A DC) Connects the DC power adapter to the Power port WAN Connects DSL/Cable modem to the WAN Ethernet port Ports 1-3 Connect networked devices such as computers and ftp servers to the three LAN ports. All LAN ports support auto crossover. DMZ Connects a networked device to the...
Page 8 - IP Address Settings and Computer Settings; Dynamic IP Settings:
IP Address Settings and Computer Settings In order to install the DFL-600 you will need to check your computer’s settings and the values from your ISP. The information offered by your ISP: • Dynamic IP settings • Your fixed IP address for the gateway • Your subnet mask for the gateway • Your default...
Page 9 - Introduction and Overview; WAN; LAN; Local; Address; DMZ
Introduction and Overview The DFL-600 Firewall/VPN Router creates two separate networks on the LAN side of your network − by default, a 192.168.0.0 subnet and a 192.168.1.0 subnet (both with a subnet mask of 255.255.255.0). The DFL-600 routes packets between these two subnets and the Internet (or th...
Page 12 - Using the Configuration Utility; address; and the default Password is also; admin; to open the; Home
Using the Configuration Utility Launch your web browser and type the device IP address (https://192.168.0.1) in the browser’s address box. This is the default IP address of your DFL-600. Press Enter. The following dialog box will appear to prompt you to enter the DFL-600’s default User Name and P...
Page 13 - Run Setup Wizard
The Setup Wizard will guide you through the most basic setup tasks, such as setting an administrative password, selecting the type of WAN connection you have, entering your computer’s host name (if required by your ISP), saving the configuration and restarting the router. All other setup tasks can be accomp...
Page 14 - Setup Wizard; menu contains a; link. Click on this button to; Next
Setup Wizard The Setup Wizard will guide you through the most basic setup tasks for the DFL-600. All other configuration tasks can be accomplished through the web-based manager. The Home menu contains a Run Setup Wizard link. Click on this button to run the Setup Wizard. Click Next to continue.
Page 16 - PPPoE; connections, while many Cable ISPs use; click-box is used to enter a permanent IP address that
This menu allows you to select the type of connection your ISP provides. Many ISPs use the PPPoE (Point-to-Point Protocol over Ethernet) for DSL connections, while many Cable ISPs use DHCP (Dynamic Host Configuration Protocol). DHCP assigns an IP address for your Internet connection each time you lo...
Page 17 - on the; Select Internet Connection Type; wizard screen above, the following screen will open:; screen above, the following window will
Some ISPs require you to use an assigned host name for your Internet connection. If your ISP requires this, you can enter the assigned host name in the Host Name field. If you selected Static IP Address on the Select Internet Connection Type (WAN) wizard screen above, the following screen will open:...
Page 19 - Restart; will save
You have completed the basic setup Wizard. The configuration now needs to be entered into the DFL-600’s non-volatile RAM. Clicking Restart will save the configuration to non-volatile RAM and restart the router.
Page 20 - The; menu contains links to all of the setup menus for the DFL-600.
Home The Home menu contains links to all of the setup menus for the DFL-600. Click on the WAN button:
Page 21 - WAN Settings; menu allows you to view the current configuration for; WAN Settings; are the network settings currently in; IP Settings Mode
WAN Settings The WAN Settings menu allows you to view the current configuration for your DFL-600, and to choose the protocol by which your DFL-600 will receive its WAN network settings. The settings listed under WAN Settings are the network settings currently in use by the DFL-600. The fields where ...
Page 23 - Default Gateway; from your home network; Primary DNS Server; If your ISP uses the Dynamic Host Configuration; DNS
Default Gateway This is the IP address of a device at your ISP’s office where packets destined for the Internet − from your home network − are sent, before being forwarded to their final destination. For the DFL-600, the Default Gateway address is provided by your ISP. For computers on your home net...
Page 24 - MAC address when connecting to the cable modem. Clicking on the; Clone; button and then to save the changes using; Tools
MAC address when connecting to the cable modem. Clicking on the Clone button will enable this function. Remember to click the Apply button and then to save the changes using Tools, System, and the Save button.
Page 25 - Static IP Address; If your ISP has assigned you an IP address that will
Static IP Address − If your ISP has assigned you an IP address that will never change, choose this option. When this option is chosen, the following fields appear to allow you to enter the network address information:
Page 26 - allows the PPPoE WAN connection to be active only
PPPoE − If your ISP uses Point-to-Point Protocol over Ethernet (PPPoE), choose this option. When this option is chosen, the following fields appear to allow you to enter the network address information: Connect on Demand − allows the PPPoE WAN connection to be active only when a computer on your L...
Page 27 - LAN Settings; if you assign an IP address and subnet mask to the DFL-600 that is
LAN Settings The LAN Settings allows you to view the current IP address and subnet mask assigned to the DFL-600. It also allows you to change these settings. If it is necessary to change the IP Address or Subnet Mask assigned to the DFL-600, enter the new values in the appropriate fields, and press ...
Page 28 - obtain an IP address automatically
As an example, if your LAN network is to be a 192.168.0.x network with a subnet mask of 255.255.255.0, you might assign the DFL-600 an IP address of 192.168.0.1 and configure the DFL-600’s DHCP server to assign addresses in the range from 192.168.0.2 to 192.168.0.100. The default gateway setting ...
Page 29 - DHCP Settings; This allows you to
DHCP Settings DHCP (Dynamic Host Configuration Protocol) is a method of automatically assigning IP addresses, subnet masks, default gateway and DNS server IP address to computers on the LAN side of the DFL-600. The DFL-600 can be a DHCP server for your LAN, assigning IP addresses, etc. to computers ...
Page 30 - through the DHCP protocol; Auto Configuration; Auto Configuration, the; Disable; Auto
the IP address assigned to the DFL-600 be contained in the range of IP addresses available for the DFL-600 to assign. In this case, the IP address of the DFL-600 is 192.168.0.1, so the first IP address in the range is 192.168.0.2. IP addresses can range from 0.0.0.0 to 255.255.255.255, but in the DF...
Page 33 - NAT; Network Address Translation; NAT is automatically applied between the WAN and the LAN sides of; Complications with Using NAT and Some Applications
NAT Network Address Translation Note: NAT is automatically applied between the WAN and the LAN sides of the DFL-600. It does not require any user configuration. Network Address Translation (NAT) is a routing protocol that allows your network to become a private network that is isolated from, yet con...
Page 36 - DMZ host IP address
to connections to the WAN or Internet. The IP address must be from the same range as the IP address of the DMZ port. The default DMZ IP address is 192.168.1.1, so DMZ Servers must be from the IP address range from 192.168.1.2 to 192.168.1.254, with a subnet mask of 255.255.255.0. DMZ host IP address...
Page 37 - Displays the current system date and time.; Time Zone; allows you to manually enter; SNTP; allows the DFL-600 to
Time Settings The DFL-600 can be set to obtain and distribute the correct time to computers on your LAN using the Simple Network Time Protocol (SNTP). Click on the Time button to open the following page: System Date Time Displays the current system date and time. Time Zone This drop-down menu allows...
Page 38 - Enter the IP address of an SNTP server here.; Domain Name
Set Type This drop-down menu allows you to select either the IP address of an SNTP server, or the Domain Name (URL) of an SNTP server that the DFL-600 will contact to obtain the correct date and time. IP address Enter the IP address of an SNTP server here. Domain Name Enter the Domain Name (URL) of ...
Page 43 - x Device Configuration; page will be allowed to access the WAN; RADIUS; click box will open the following page:
If you have some PCs (or other network devices) that do not require RADIUS user authentication to access the WAN (Internet), you can enable 802.1x, and then enter the IP Address and IP (subnet) Mask of these devices under the Edit link (which will appear when you enable 802.1x). PCs and network devi...
Page 45 - link will open the
RADIUS server will use to connect to PCs on your LAN for the RADIUS accounting function. The default port number for accounting is 1813. Secret Key Enter the shared key used between PCs on your LAN and the RADIUS server. Accounting Service Use the drop-down menu to enable or disable the RADIUS accou...
Page 46 - link. This will allow you; Configuration; page will be allowed to access the Internet without RADIUS
Clicking on the Edit link (which appears when you enable 802.1x) will open the 802.1x Device Configuration page, as shown below. If you have PCs on your LAN that do not require RADIUS user authentication to access the Internet (or other networks through your ISP), you can use Enable 802.1x, and then...
Page 47 - LDAP (Lightweight Directory Access Protocol) serves as an
802.1X 802.1x is a standard for passing the Extensible Authentication Protocol (EAP) over a LAN. You should enable this only if there are 802.1x devices between the DFL-600 and the RADIUS server on the WAN. Clicking on the Edit link (which appears when you enable 802.1x) will open the 802.1x Device ...
Page 48 - LDAP; This is the Distinguished Name used for LDAP.
Clicking the LDAP click box will open the following page: LDAP Server IP Enter the IP address of your LDAP server here. Your ISP should provide you with this address. Server Port This is the TCP port number that the LDAP server will use to communicate with PCs on your LAN. Port 389 is the ‘well know...
Page 49 - Advanced Settings; global; Virtual Servers
Advanced Settings NAT Network Address Translation Network Address Translation (NAT) is a routing protocol that allows your network to become a private network that is isolated from, yet connected to the Internet. It does this by changing the IP address of packets from a global IP address − assigned ...
Page 51 - Application Name; This is a reference; Netmeeting
Application Gateway (ALG) Some applications (programs running on a PC on your LAN) require multiple TCP or UDP ports to function properly. Applications such as Internet gaming, video conferencing, and Internet telephony are some examples of applications that often require multiple connections. These...
Page 53 - application requires a Trigger Port; Static Routing
firmware and can be selected here from the drop-down menu. Selecting one of the listed applications is the equivalent of entering the correct settings in the fields above for the specific application. For example, the Netmeeting application requires a Trigger Port Range of 1720 – 1720, a Trigger Typ...
Page 54 - or; None; will; Disabled; for the
Destination IP Network This is the IP address of the remote network that the DFL-600 will route service requests to. Subnet Mask This is the corresponding subnet mask for the remote network. Gateway IP Address This is the IP address of the gateway on the remote network that will provide the connecti...
Page 56 - Routing Information; link. This information is displayed in the Routing Information
LAN RIP interface will disable the routing function of your router. Network Address This is the IP address of either the LAN or WAN side of your DFL-600. Subnet Mask This is the subnet mask corresponding to the Network Address above. Interface Name This is the name of the interface corresponding to ...
Page 57 - the address within; Default
In the case shown above, the DFL-600’s WAN port was connected to a 10.0.0.0 network − with a subnet mask of 255.0.0.0. The LAN ports used the default 192.168.0.0 network addresses, and the DMZ port used the default 192.168.1.0 network addresses − both with a subnet mask of 255.255.255.0. The 0.0.0.0...
Page 58 - Setting the Schedule
Policy (Firewall) Configuration Some Examples Your DFL-600 allows you to make policy rules and then group these rules into a policy that will limit the types of access PCs on your LAN can have to the WAN (Internet). In addition, you can create a Schedule that will determine at what times and days of...
Page 60 - Setting the Policy Rules
You can change the times and days entered for a Schedule by clicking on the link below the Schedule View heading. This will open the Schedule Rules page for the corresponding Schedule Name, and allow you to make changes. Setting the Policy Rules Now you need to configure the DFL-600 to block PCs on...
Page 61 - Adding the Policy Rule to a Policy Group
range to PCs that you want the Policy Rule to apply to, and leave PCs with IP addresses outside the range free to access web-pages on the WAN (Internet). For simplicity in this example, we are going to specify Any in both the Source IP Range and Destination IP Range fields. This will mean that any P...
Page 63 - Policy Name; field. This name will; StudyTime; . The schedule we created previously will appear in; Assign to Schedule; drop-down menu and is selected as the times and; Action
Enter a name for the Policy group in the Policy Name field. This name will be used to reference this Policy group. In this case, we have named this Policy group StudyTime. The schedule we created previously will appear in the Assign to Schedule drop-down menu and is selected as the times and days o...
Page 64 - , and then click the; “Outbound Firewall Rule”; link. This will open a page that contains all of; Policy Rules; that apply to; Outbound
Under the Rule Filter heading, click Enabled, and then click the “Outbound Firewall Rule” link. This will open a page that contains all of the Policy Rules that apply to Outbound packets, as shown below.
Page 65 - Setting the Policy Global Status
Click the box under the Add heading to add the BlockWeb Policy Rule to the StudyTime Policy group. Click the Apply button to make the entry current. Click the Back button to return to the Policy Add page. Setting the Policy Global Status Now we need to configure the Global Policy Status. Click the ...
Page 67 - Example 2; button to open the
Remember to save the Policy configuration into the DFL-600’s non-volatile RAM using the Save button (under the Tools tab, click the System button to see the Save options). This will ensure that the DFL-600 will retain the Policy configurations when it is restarted or if the AC power is interrupted. E...
Page 69 - Global Policy Status
The next step is to specify if you want the policy rule to apply to Inbound or Outbound packets. Inbound here means from the WAN to your LAN, while Outbound means from your LAN to the WAN. The Direction drop-down menu allows you to choose which direction the DFL-600 will filter packets that meet the...
Page 70 - Policy Status page, “; Default allow all; ” means that the DFL-600 will allow; Default deny all; link; Policy Add
Policy Status page, “Default allow all” means that the DFL-600 will allow all packets except those that meet the criteria established in the policy rules. “Default deny all” means that the DFL-600 will deny (filter) all packets except those that meet the criteria established in the policy rules....
Page 71 - Always; or a schedule; Allow; Deny; link on the; page will open the
Enter a name for the new group of policy rules in the Policy Name field. This name is used to reference the group of policy rules. You can also assign this group of policy rules to a schedule (which is either Always or a schedule you can create below). Finally, you can choose to Allow or Deny access...
Page 72 - Blocking Keywords
Enter a domain name you want to limit access to in the Domain Name field. Click the Apply button to add this domain name to the list. Blocking Keywords The DFL-600 will allow you to make a list of keywords for which packets will be filtered. Clicking on the Keywords Add link on the Policy Rules page ...
Page 73 - Blocking MAC Addresses; where the numerals 0-9 and the letters A-F are; MAC Add; MAC Address; that you want the DFL-600 to scan for and filter; Apply; button to enter the MAC address into the table.
Blocking MAC Addresses The DFL-600 will allow you to make a list of MAC addresses for which packets will be filtered. MAC (Media Access Control) addresses are the physical addresses that are assigned to networking devices by their respective manufacturers. These addresses are 12 hexadecimal digits l...
Page 74 - mode allows the IPSec packets to; IPSec Passthrough; IPSec Settings
IPSec Settings IPSec (IP Secure) is a group of IP extensions developed by the Internet Engineering Task Force (IETF) to provide security services that are compatible with the existing IP standard. IPSec provides authentication, integrity, access control, and confidentiality. The data and information ...
Page 76 - Manual Key
SPIs to maintain the IPSec connection. An IKE VPN is generally considered more secure than a Manual Key VPN because IKE can generate new keys and SPIs randomly during the negotiation phase. To configure a Manual Key VPN, click the Manual Key link to open the page shown below.
Page 81 - The following fields will identify the VPN; Tunnel Name; You can choose the type of remote peer that
Add/New Tunnel The following fields will identify the VPN tunnel on the DFL-600. Tunnel Name Enter a name by which this IPSec VPN tunnel configuration can be referenced. Peer Tunnel Type You can choose the type of remote peer that
Page 84 - Subnet Mask
IP addresses of computers on the remote LAN that will be allowed to access the VPN. In this case, the entire subnet of IP addresses from 192.168.2.1 to 192.168.2.254 will be allowed to access the VPN. Note that the IP addresses 192.168.2.0 and 192.168.2.255 are reserved for use on the remote network. Su...
Page 86 - Phase 2 Proposal; This drop-down menu allows you to specify the
the IKE encryption algorithm that will be used to encrypt the messages passed between the VPN tunnel endpoints during the Phase 1 negotiation. You can choose between DES and 3DES encryption methods. The key length for 3DES algorithm is three times as long as the DES key, and is therefore more likely to be...
Page 91 - VPN-L2TP Settings
VPN-L2TP Settings The Layer 2 Tunneling Protocol (L2TP) is another method of establishing a secure tunnel between your DFL-600 and a remote gateway. The L2TP Status page allows you to enable or disable L2TP on the DFL-600. L2TP Pass Through Click Enable to allow L2TP packets to pass through the ...
Page 95 - Remote Access; The Remote Access page allows you to enter the IP addresses of computers; Proxy Redirect
Remote Access The Remote Access page allows you to enter the IP addresses of computers on the WAN (Internet) that will be allowed to access the configuration utility. If you do not enter any IP addresses on this page, then no IP address on the WAN will be allowed to access the DFL-600’s configuration utility. ...
Page 97 - Firmware
Tools − Firmware The Firmware Upgrade page allows you to upgrade the DFL-600’s firmware from a new firmware file stored on your local hard drive. In addition, you can choose to load the DFL-600’s current VPN or Firewall settings to a hard drive on a local computer. Clicking on the OK button will d...
Page 103 - Blocking Log
on your LAN, or between computers on your LAN and the WAN) because they meet the criteria pre-defined at the factory as being a commonly used intrusion method, are recorded here, in the Intrusion Detection Log, as shown below: Intrusion Type A brief statement of the type of intrusion that was at...
Page 104 - Transport Type; protocol used to make the connection; Source; computer or device that was the destination; Blocking Reason
Transport Type The protocol used to make the connection attempt is displayed here. Source Destination: port The IP address and the TCP/UDP port number of the computer or device that was the destination of connection attempt to the DFL is displayed here. Blocking Reason A brief statement of why the c...
Page 107 - IPSEC Statistics; This displays the sequence of the IPSec log.; HED; Description; A brief description of the log entry will be
IPSec Log The DFL-600 maintains a table containing statistics concerning the IPSec protocol connection between the WAN and the LAN. These statistics can be viewed on the IPSEC Statistics table, as shown below: Index This displays the sequence of the IPSec log. HED There are five categories of statu...
Page 108 - Sys Log; configuration page, as
Sys Log The DFL-600 can save or transmit Syslog messages to aid in network administration. You must have a Syslog application on one of the computers on your LAN to take advantage of this feature. Clicking on the Sys Log link will open the Sys Log configuration page, as shown below. Save Location Ch...
Page 110 - keeps a log
Status − Traffic Log Your DFL-600 keeps a log of the total number of bytes received and transmitted on to and from the LAN and WAN. This information can be displayed by clicking on the Traffic button to display the Traffic Statistics page, as shown below.
Page 111 - Connecting PCs to the DFL-600 Router; If you do not wish to set the static IP address on your PC, you will need to
Connecting PCs to the DFL-600 Router If you do not wish to set the static IP address on your PC, you will need to configure your PC to request an IP address from the gateway. Click the Start button, select Settings then select Control Panel. Double-click the Network icon. In th... TCP/IP line listed,
Page 112 - CONFIRM YOUR PC’S IP CONFIGURATION; WINIPCFG; Inside the Windows 95/98 Start button, select Run and type winipcfg. In the
Click the Properties button, then choose the IP Address tab. Select Obtain an IP address automatically. g OK, Windows might ask you to restart the PC. Click CONFIRM YOUR PC’S IP CONFIGURATION o tools which are great for finding out a com configuration: MAC address and default gateway. WINIPCFG (for Windows 95/98) Inside...
Page 113 - IPCONFIG; and press; Enter
• IPCONFIG (for Windows 2000/NT/XP) In the DOS command prompt type IPCONFIG and press Enter. Your PC IP information will be displayed as shown below.
Page 114 - Networking Basics; establish a network at home or work,; Please refer to websites such as
Networking Basics Using the Network Setup Wizard in Windows XP In this section you will learn how to establish a network at home or work, using Microsoft Windows XP. Note: Please refer to websites such as http://www.homenethelp.com and http://www.microsoft.com/windows2000 for information about K CON...
Page 116 - Click
Click Next Enter a Computer description and a Computer name (optional.) Click Next
Page 118 - When the changes are complete, Click
Please wait while the wizard configures the computer. This may take a few minutes. When the changes are complete, Click Next.
Page 119 - You will run this disk on each of the
In the window below, select the best option. In this example, “Create a Network Setup Disk” has been selected. You will run this disk on each of the computers on your network. Click Next. Insert a disk into the Floppy Disk Drive, in this case drive “A:”
Page 120 - Format the disk if you wish, and Click; Here’s how in the screen below. After you; then Click Finish to complete the
Format the disk if you wish, and Click Next. Please wait while the wizard copies the files. Please read the information under Here’s how in the screen below. After you complete the Network Setup Wizard you will use the Network Setup Disk to run the Network Setup Wizard once on each of the computers on your ...
Page 122 - name your computer; Select the; You may enter a; START; Select; Properties
Naming your Computer Naming your computer is optional. If you would like to name your computer please follow these directions: In Windows XP: Click START (in the lower left corner of the screen) Right-click on... • Select the Computer Name Tab in the System Properties window. You may enter a computer description if...
Page 124 - Assigning a Static IP Address; Control Panel
Assigning a Static IP Address Note: Residential Gateways/Broadband Routers will automatically assign IP Addresses to the computers on the network, using DHCP (Dynamic Host Configuration Protocol) technology. If you are using ... Gateway/Router you will not need to assign a Sta... If you are not usin...
Page 125 - Highlight
Right-click on Local Area Connections. Double-click Properties Highlight Internet Protocol (TCP/IP) Click Properties
Page 127 - the assignment of a Static IP Address. (You do not need
You have completed the assignment of a Static IP Address. (You do not need to assign a Static IP Address if you have a DHCP-capable Gateway/Router.)
Page 128 - Contacting Technical Support
ebsite. D-Link provides free technical support for customers within the United States for the duration of the warranty period on this product. U.S. customers can contact D-Link technical support through our web site, or by phone. D-Link Technical Support over the Telephone: (800) 758-5489 24 hours a...