D-Link DFL-600, User Manual

Page 1: ...D Link DFL 600 Firewall VPN Manual Rev 4 0 Building Networks for People ...

Page 2: ...and Overview 9 Using the Configuration Utility 12 Setup Wizard 14 Home 20 WAN Settings 21 LAN Settings 27 DHCP Settings 29 NAT 33 DMZ 34 Advanced Settings 49 Connecting PCs to the DFL 600 Router 111 Networking Basics 114 Contacting Technical Support 128 Limited Warranty and Registration 129 ...

Page 3: ... missing please contact your reseller Using a power supply with a different voltage rating will damage the product and void the warranty System Requirements Internet Explorer 5 5 or higher or Netscape Navigator 7 1 or higher with JavaScript enabled One computer with an installed 10Mbps 100Mbps or 10 100 Mbps Ethernet adapter One RJ 45 DSL Cable Modem for Internet connection ...

Page 4: ... that 3 computers can share the benefits of the DFL 600 equipped network and 1 computer can be configured as a server for Internet applications that may conflict with the advanced protection from intrusion offered by your new DFL 600 For the price of one Internet account the DHCP capable DFL 600 will automatically provide unique IP Addresses for all the computers on the network DHCP stands for Dyn...

Page 5: ...od link is established Green LED will BLINK when packet is transmitting or receiving Act DMZ 10 100 Green Green LED will LIGHT when a 100 Mbps Link is established Green LED will NOT LIGHT when a 10 Mbps Link is established LAN 1 3 Link Act Green Green LED will LIGHT when link is established Link Green LED will BLINK when packet is transmitting or receiving Act LAN 1 3 10 100 Green Green LED will L...

Page 6: ...ings press the reset button Pressing the Reset button will clear the current configuration as reset the DFL 600 to the factory default settings Product Features VPN Provides Virtual Private Networking when communicating with a VPN server equipped office or with another DFL 600 equipped network Supports IPSEC PPTP L2TP and VPN pass through DSL Cable Modem support The DFL 600 can connect any Cable o...

Page 7: ...e added in the future High Performance 64 bit RISC CPU Engine With the most advanced 64 bit RISC CPU Engine DFL 600 guarantees full compatibility with future DSL Cable technologies IPSec Security DES 3DES MD5 SHA 1 Idle Timer Set a specified idle time before automatically disconnecting Dial on Demand Eliminates the need for Dial up Automatically logs in to your ISP Web Based Configuration No softw...

Page 8: ...llowing values from your ISP in order to install your router User Name Password The static IP settings for the PC Your PC s fixed IP address Your PC s subnet mask Your PC s default gateway Your PC s primary DNS IP address Note The router s default IP address setting is 192 168 0 1 with a subnet mask of 255 255 255 0 Dynamic IP Settings It is recommended that you allow your PC s IP settings be auto...

Page 9: ... IP address 192 168 0 0 is reserved The DFL 600 is assigned 192 168 0 1 on the LAN side and is configured from a computer again on the LAN side of your network using a web browser To connect to the DFL 600 s web based management utility type the IP address https 192 168 0 1 into the Address field of your web browser The https specifies the secure version of http The 192 168 1 0 network DMZ The por...

Page 10: ...wall VPN Router to think of the LAN side all computers or devices connected to the three LAN ports or the DMZ port and the WAN side all computers or devices connected to the WAN port the Internet The WAN side of the router is connected to some device that ultimately allows a connection to the Internet while the LAN side is connected to your computers or other network devices such as a switch or hu...

Page 11: ...booted If you do not know the appropriate method of obtaining the WAN side network address information contact your ISP or network administrator The Device IP Settings dialog box allows you to specify the IP address that computers on your LAN will use to access the DFL 600 s web based configuration utility The default is 192 168 0 1 with a subnet mask of 255 255 255 0 If it becomes necessary to ch...

Page 12: ...default User Name is admin and the default Password is also admin all lower case Click OK to open the Home menu Note Please make sure that the computer you will use to connect to and configure the DFL 600 is assigned an IP address that is in the same range as the DFL 600 The IP address of the DFL 600 is 192 168 0 1 All computers on your network must be within that range for instance the computer I...

Page 13: ...f WAN connection you have entering your computer s host name if required by your ISP saving the configuration and restarting the router All other setup tasks can be accomplished using the configuration utility from your web browser To use the Setup Wizard click on the Run Setup Wizard link This will start the Setup Wizard ...

Page 14: ... through the most basic setup tasks for the DFL 600 All other configuration tasks can be accomplished through the web based manager The Home menu contains a Run Setup Wizard link Click on this button to run the Setup Wizard Click Next to continue ...

Page 15: ...etters here The user name admin will not be changed here Note If you choose to input a password please remember it If you lose your password you will have to manually reset the unit using the reset button on the rear panel of the unit Resetting the DFL 600 will return all configuration parameters to their factory default values so all of your settings will be lost and will need to be entered again...

Page 16: ...ction each time you log on and is therefore a dynamic IP address DHCP is referred to as Dynamic IP address on the DFL 600 The Setup Wizard will open a page with the appropriate fields for the entry of your ISP contact information depending upon which of the three options you choose The Static IP address click box is used to enter a permanent IP address that is assigned by your ISP If your ISP assi...

Page 17: ...lect Internet Connection Type WAN wizard screen above the following screen will open This screen will allow you to enter the static IP address information if your ISP has assigned a static IP address to your Internet account Your ISP must provide this information If you selected PPPoE Point to Point Protocol over Ethernet on the Select Internet Connection Type WAN screen above the following window...

Page 18: ...This screen will allow you to enter the PPPoE information if your ISP uses the PPPoE protocol for your Internet account Your ISP must provide this information Click Next to continue ...

Page 19: ... have completed the basic setup Wizard The configuration now needs to be entered into the DFL 600 s non volatile RAM Clicking Restart will save the configuration to non volatile RAM and restart the router ...

Page 20: ...Home The Home menu contains links to all of the setup menus for the DFL 600 Click on the WAN button ...

Page 21: ...by which your DFL 600 will receive its WAN network settings The settings listed under WAN Settings are the network settings currently in use by the DFL 600 The fields where you will enter the WAN Settings will change depending upon the choice you make in the IP Settings Mode drop down menu These settings are described below ...

Page 22: ... enter the necessary IP address information Use this setting if your ISP has permanently assigned an IP address to your connection PPPoE allows you to enter a Username and Password for a Point to Point Protocol over Ethernet PPPoE internet connection Use this setting if your ISP has provided you with an ADSL modem that operates in Bridge mode IP Address This is the current IP address used to ident...

Page 23: ...t the DFL 600 obtains its network settings from your Internet Service Provider ISP The entry fields on the page will change depending upon which of the following options you choose Dynamic IP Address Static IP Address and PPPoE Dynamic IP Address If your ISP uses the Dynamic Host Configuration Protocol DHCP to assign an IP address subnet mask default gateway and Domain Name Server DNS addresses ch...

Page 24: ...AC address when connecting to the cable modem Clicking on the Clone button will enable this function Remember to click the Apply button and then to save the changes using Tools System and the Save button ...

Page 25: ...c IP Address If your ISP has assigned you an IP address that will never change choose this option When this option is chosen the following fields appear to allow you to enter the network address information ...

Page 26: ...this option is chosen the following fields appear to allow you to enter the network address information Connect on Demand allows the PPPoE WAN connection to be active only when a computer on your LAN makes a connection request This is similar to the way a dial up modem initiates a connection ...

Page 27: ...no longer be able to connect to the DFL 600 from any of these computers In order to re establish the connection between a computer on the LAN side and the DFL 600 you will need to assign at least one computer on the LAN side an IP address from the same range as the IP address you assign to the DFL 600 As an alternative you can configure the DFL 600 s DHCP server to give IP addresses from the new I...

Page 28: ...cally and restart the computers connected to the LAN side of the DFL 600 they will automatically be assigned IP addresses from the range 192 168 0 2 to 192 168 0 100 As an alternative you could disable the DHCP server on the DFL 600 and manually update the IP address subnet mask and default gateway information for each computer on the LAN side of the DFL 600 It is recommended that if you need to c...

Page 29: ...er for your LAN assigning IP addresses etc to computers on your network from a range of addresses you specify below DHCP Server Status This allows you to Enable or Disable the DHCP Server feature on the DFL 600 The default is Enabled Starting IP Address This is the first IP address in a range that the DFL 600 will assign to a computer on your network This IP address can not be the same as the IP a...

Page 30: ...een 192 168 0 2 to 192 168 0 100 gives 99 different IP addresses that the DFL 600 can assign to the computers on your network Lease Time This is the length of time any computer on you network that is assigned network settings by the DFL 600 through the DHCP protocol can keep its network settings If the lease expires while a computer is logged on to your network that computer will request a new set...

Page 31: ...g text URLs into IP address for sites on the Internet The IP address of this server is provided by your ISP Secondary DNS Server This is the IP address of a second DNS server to be used in case of a problem with the Primary DNS Server above A secondary DNS server IP address is optional DHCP Static Map The DFL 600 allows you to identify PCs on your LAN by their MAC addresses and then to specify wha...

Page 32: ... using DHCP IP Address This is the IP address you want to assign the PC identified by its MAC address above using DHCP DHCP Client This identifies the PC as either a DHCP client or not This allows you to check to see if the specified MAC address has already been assigned an IP address using DHCP ...

Page 33: ...ce the costs associated with Internet access and helps alleviate the current shortage of Internet IP addresses Secondly the NAT process creates an added degree of security by hiding your private computers behind one IP address The NAT function will normally only allow incoming packets that are generated in response to a request from a computer on the LAN NAT is automatically applied between the IP...

Page 34: ...ct the DMZ device and other computers and devices on the LAN that may be exposed It may be wise to run some sort of firewall software on these computers and devices For example if you want to use video conferencing and still use NAT you can use the DMZ port and DMZ IP address In this case you must have a PC or server through which video conferencing will take place and that computer is assigned th...

Page 35: ...ss to the DFL 600 s DMZ port that is within the range 192 168 1 1 to 192 168 1 254 Subnet Mask This is the subnet mask corresponding to the DMZ IP address specified above It must be the same subnet mask as assigned to the LAN ports DMZ Host Settings The DMZ port maps one global IP address an IP address that is valid on the Internet usually assigned by your ISP to one local IP address from the IP a...

Page 36: ...8 1 2 to 192 168 1 254 with a subnet mask of 255 255 255 0 DMZ host IP address This is the IP address you have assigned to your DMZ computer You will need to manually configure the IP address settings for each computer you connect to the DFL 600 s DMZ port It must be from the same IP address range as you assigned to the DMZ port The DFL 600 s default IP address range for the DMZ port is 192 168 1 ...

Page 37: ...e Displays the current system date and time Time Zone This drop down menu allows you to select the time zone in which your DFL 600 is located Time Set Type This drop down menu allows you to specify the method the DFL 600 will use to obtain the date and time Manual allows you to manually enter the date and time SNTP allows the DFL 600 to obtain the date and time automatically from an SNTP server as...

Page 38: ...nth day format HH MM SS These fields allow you to manually enter the time using an hour minute second format Authentication The Authentication button opens the User Management page as shown below This page allows you to control how users on your LAN are authorized and to manage the bandwidth available to users on your LAN You can choose from the LDAP POP3 RADIUS Local or 802 1X authentication prot...

Page 39: ...Clicking the Enable click box opposite the User Control table entry will open the rest of the User Management page including the Bandwidth control and Management Type table entries ...

Page 40: ...u to enable or disable the bandwidth control feature of your DFL 600 Use the drop down menu to set the maximum data rate that the DFL 600 will allow between PCs on your LAN and the WAN the Internet Management Type This allows you to choose and configure the protocol that the DFL 600 will use to authenticate users You can choose between the LDAP POP3 RADIUS Local or 802 1X authentication protocols ...

Page 41: ...r name Enter a User name here Password Enter a Password corresponding to the User name entered above POP3 The Post Office Protocol version 3 POP3 is used to access and retrieve e mail from a mailbox on a server that is usually located at your ISP s facility Choosing POP3 will allow the DFL 600 to connect PCs on your LAN to the POP3 e mail server on the WAN to view and retrieve e mail Clicking the ...

Page 42: ...own or default port used for the POP3 protocol RADIUS The Remote Access Dial in User Service RADIUS is one of the most common protocols used to carry authorization authentication and configuration information between a RADIUS server on the WAN and PCs on your LAN Choosing RADIUS will allow the DFL 600 to connect PCs on your LAN to a RADIUS server on the WAN If RADIUS user authentication is enabled...

Page 43: ... devices under the Edit link which will appear when you enable 802 1x PCs and network devices that have their IP Address and IP subnet Mask entered on the 802 1x Device Configuration page will be allowed to access the WAN Internet by the DFL 600 without any RADIUS user authentication effectively bypassing the RADIUS user authentication step Clicking the RADIUS click box will open the following pag...

Page 44: ...your LAN that do not require RADIUS user authentication to access the Internet or other networks through your ISP you can use Enable 802 1x and then click the Edit link This will allow you to enter the IP Address and IP subnet Mask of PCs on your LAN that need to bypass the RADIUS user authentication PCs and network devices whose IP Addresses and IP subnet Masks are entered on the 802 1x Device Co...

Page 45: ...rop down menu to enable or disable the RADIUS accounting service Authentication Method Use the drop down menu to enable or disable the RADIUS accounting service Clicking the 802 1x Enable click box and then Edit link will open the following page 802 1x is a standard for passing the Extensible Authentication Protocol EAP packets over a LAN You should enable this if there are any 802 1x devices betw...

Page 46: ...ternet or other networks through your ISP you can use Enable 802 1x and then click the Edit link This will allow you to enter the IP Address and IP subnet Mask of PCs on your LAN that need to bypass the RADIUS user authentication PCs and network devices whose IP Addresses and IP subnet Masks are entered on the 802 1x Device Configuration page will be allowed to access the Internet without RADIUS u...

Page 47: ...on menu that PC will not be allowed to access the Internet without being authorized by a RADIUS server PCs on your LAN that have their IP Address and IP Mask entered into the 802 1x Device Configuration table will be allowed to access the Internet without being authorized by a RADIUS server IP Segment Address Enter the IP address of an 802 1x device between the DFL 600 and the RADIUS server on the...

Page 48: ... server here Your ISP should provide you with this address Server Port This is the TCP port number that the LDAP server will use to communicate with PCs on your LAN Port 389 is the well known or default port used for LDAP while Secure LDAP uses port 636 Base DN This is the Distinguished Name used for LDAP ...

Page 49: ... usable on the Internet to a local IP address assigned by you usable on your private network but not on the Internet Virtual Servers Virtual Servers allow remote users to access services on your LAN such as FTP for file transfers or SMTP and POP3 for e mail The DFL 600 will accept remote requests for these services at a Global IP Address you specify using the specified TCP or UDP protocol and port...

Page 50: ...Transport Type You can select the transport protocol TCP or UDP that the application on the virtual server will use for its connections The choice of this protocol is dependent on the application that is providing the service If you do not know which protocol to choose check your application s documentation ...

Page 51: ...ons often conflict with NAT and therefore require special handling The Special Applications page allows you to configure your DFL 600 to allow computers on your LAN to access servers on the WAN that require multiple TCP or UDP connections Application Name This is a reference usually the name of the application In the above example Netmeeting is the application and this is used to name this entry T...

Page 52: ...hained should be set to Enabled for this type of application Address Replacement This option is used in Network Address Translation NAT to translate a binary IP address in a TCP UDP packet When a TCP or UDP packet is received by the DFL 600 the IP address in this packet will be translated between the WAN and LAN side of the DFL 600 if this option is enabled Replacement Format This drop down menu a...

Page 53: ...ort Range of 1720 1720 a Trigger Type of TCP and so on The correct settings for the applications listed in this drop down menu have been entered into the DFL 600 s firmware for your convenience Static Routing Your DFL 600 can automatically discover routes to destinations on both your LAN and the WAN Internet In addition you can add entries to the DFL 600 s routing table that will be saved to flash...

Page 54: ...provide the connection between your DFL 600 and servers on the remote network Dynamic Routing Your DFL 600 can automatically discover routes to destinations on both your LAN and the WAN Internet You can choose either RIP1 RIP2 or None RIP2 Routing Information Protocol version 2 adds support for variable length subnet masks and is generally the best choice Choosing None will disable the routing fun...

Page 55: ...ation Protocol version 2 adds support for variable length subnet masks and is generally the best choice Choosing None will disable the routing function of your router as will choosing Disabled for the WAN or LAN RIP interface RIP Enabled Interface These two click boxes allow you to enable or disable RIP for either the LAN or WAN interface Choosing Disabled for the WAN or ...

Page 56: ...FL 600 will update its routing table The default is 30 seconds Timeout Timer This allows you to specify how long a route discovered by the DFL 600 will remain in its memory without being used The default is 180 seconds Garbage Collection Timer This allows you to specify the period of time between the collection of garbage routes The default is 120 seconds Routing Information Your DFL 600 can autom...

Page 57: ... default 192 168 1 0 network addresses both with a subnet mask of 255 255 255 0 The 0 0 0 0 IP address signifies the Broadcast address the address within the DFL 600 where all packets that have an unknown destination address are forwarded The DFL 600 then relates the 0 0 0 0 IP address to the WAN s gateway address of 10 254 254 251 This route is labeled as the Default route and leads to the Intern...

Page 58: ... to Virtual Servers and Application ALGs on your LAN can be granted to PCs on the WAN Internet The DFL 600 offers many preset options for making these policies and rather than describing them individually a series of examples may be most informative Example 1 Limiting Web page Access In this example you will deny any PC on your LAN from accessing web pages on the WAN Internet between the hours of ...

Page 59: ...le into the Schedule Table You can enter up to 15 Schedules but two default schedules are automatically maintained by the DFL 600 Always and None You can make changes to the None Schedule but the Always Schedule is intended for policies that should always be enforced To check the entered schedules click the Schedule Table link This will open the Schedule Table as shown below ...

Page 60: ...n order to block PCs on your LAN from downloading web pages from the WAN Internet you need to select the HTTP Hyper Text Transfer Protocol from the Protocol drop down menu HTTP is the protocol that the World Wide Web uses to transfer web pages from the Internet to a PC on your LAN The HTTP protocol uses TCP port 80 to make connections to PCs but the necessary parameters for a Policy Rule are alrea...

Page 61: ... we are going to specify Any in both the Source IP Range and Destination IP Range fields This will mean that any PC on your LAN will be denied access to web pages on the WAN Internet regardless of that PC s IP address Adding the Policy Rule to a Policy Group After clicking the Apply button to add the BlockWeb Policy Rule to the Service Rules table the page appears as shown below ...

Page 62: ...Now that the Policy Rule Block Web is configured we want to add this Policy Rule to a Policy group Click on the Policies link to open the Policy Add page as shown below ...

Page 63: ...previously will appear in the Assign to Schedule drop down menu and is selected as the times and days of the weed this Policy will be enforced We want to deny access to PCs on our LAN so in the Action drop down menu we select Deny Clicking the Apply button will enter the Policy into the Policy group table as shown above Clicking on the icon under the Edit heading will open the following page ...

Page 64: ...Under the Rule Filter heading click Enabled and then click the Outbound Firewall Rule link This will open a page that contains all of the Policy Rules that apply to Outbound packets as shown below ...

Page 65: ...Policy group Click the Apply button to make the entry current Click the Back button to return to the Policy Add page Setting the Policy Global Status Now we need to configure the Global Policy Status Click the Global Policy Status link from the Policy Add page to open the following page ...

Page 66: ...se HTTP packets All other packets will be forwarded to their destination If we had selected Deny all except policy settings then the DFL 600 would forward only HTTP packets All other packet types would be dropped filtered This Policy configuration will block HTTP packets using TCP port 80 the default port number for the HTTP protocol from being sent from PCs on your LAN to the WAN Internet between...

Page 67: ...ple 2 Limiting Access to Internet Domains Policy Rules The DFL 600 allows you to specify rules that it will use to limit access filter packets to and from PCs on your LAN A policy rule on the DFL 600 establishes what information packets must contain before an action is taken by the router The action taken when a packet is read by the DFL 600 is specified on the subsequent web pages described below...

Page 68: ...e LAN The rule was constructed using the Protocol drop down menu and then selecting the telnet 23 entry to specify the TELNET protocol TCP transport type and TCP port number 23 Most of the commonly used protocols on the Internet are listed in the Protocol drop down menu Their transport types and port numbers are automatically entered when you select one of these protocols If you need to configure ...

Page 69: ...ally eliminate a given protocol from being used to across the DFL 600 You can specify a range of TCP or UDP ports using the Port Range field Selecting Any will prevent any port from being used In addition you can specify a range of IP addresses as either a source or a destination that the policy rule will be applied to Once you have configured the policy rule and clicked on the Apply button the ru...

Page 70: ... Default deny all means that the DFL 600 will deny filter all packets except those that meet the criteria established in the policy rules Policies Policy Add Once you have defined what type of packets you want the DFL 600 to look for you need to assign those rules to a policy Clicking on the Policies link will open the Policy Add page as shown below ...

Page 71: ...this group of policy rules to a schedule which is either Always or a schedule you can create below Finally you can choose to Allow or Deny access Blocking Internet Domains The DFL 600 will allow you to make a list of Domain names for which packets will be filtered Clicking on the Domain Add link on the Policy Rules page will open the following page ...

Page 72: ...ocking Keywords The DFL 600 will allow you to make a list of keywords for which packets will be filtered Clicking on the Keywords Add link on the Policy Rules page will open the following page Enter a key word you want the DFL 600 to examine packets for in the Key Word field Click the Apply button to enter this key word into the list ...

Page 73: ...ctive manufacturers These addresses are 12 hexadecimal digits long and are in the form 01 23 45 67 89 AB where the numerals 0 9 and the letters A F are used Clicking on the MAC Add link on the Policy Rules page will open the following page Enter a MAC Address that you want the DFL 600 to scan for and filter packets that have that MAC address as their destination address Click the Apply button to e...

Page 74: ...and replay protection The ESP Encapsulating Security Payload header addresses the same features and also includes data confidentiality or encryption capabilities By default IPSec uses the AH as a minimum security level If data confidentiality is desired the AH is replaced with an ESP header for the encryption feature and the authentication and data integrity components that the AH offer as well Th...

Page 75: ...nternet Key Exchange IKE The difference between Manual Key and IKE is how the encryption keys and SPI are determined For a Manual Key VPN the encryption key authentication key if required and SPIs are predetermined by a Network Administrator when configuring the connection The differences between Manual Key and IKE can be summarized as a al Ke on key if adm For an IKE VPN the keys and SPIs are neg...

Page 76: ...nual Key VPN click the Manual Key link to open the s to maintain the IPSec connection s generally considered more secure than a Manual Key because IKE can generate new keys and SPIs randomly during the negotiation phase T page shown below ...

Page 77: ... of your DFL 600 when establishing a VPN tunnel Remote SPI Refers to the SPI of the remo which the VPN tunnel will be te peer toward established IPSec Operation This drop down menu a kind of encryption that will be app packets that are sent between the tw of a VPN tunnel ESP specifies that the en encrypted by the DES or 3DES algorithm selected below and authenticated by the MD5 or SHA algorithm as...

Page 78: ... d made in the drop down menu above You must select the exact same Encryption ke on both ends of a VPN tunnel ESP Auth lect the on method that will be used when een Null no uthorization MD5 using MD5 message ou must select the exact same ESP This drop down menu allows you to se authenticati ESP is selected in the IPSec Operation drop down menu above You can choose betw a digest authentication and ...

Page 79: ...e key wi vary depending upon the choice of AH Transform in the drop down menu above Y Authorization key on both ends of a V tunnel Type p down menu allows you to select the al only the Subnet type is pported This dro type of network definition for the range of IP addresses on the remote LAN that will be allowed to access the VPN At the time of the writing of this manu su Starting Target Host N In ...

Page 80: ...n IKE VPN is generally c Manual Key VPN ecause IKE can generate new keys and SPIs randomly during the negotiation phase o configure an IPSec VPN using IKE click the Tunnel Settings link to c exchanging the encryption decryption keys nual Key and IKE is how the encryption keys a nnel Settings page on the DFL 600 allows you anual Key and IKE can be summarized as the keys and SPIs are negotiated betw...

Page 81: ... The following fields will identify the VPN tunnel on the DFL 600 Tunnel Name Enter a name by which this IPSec VPN tunnel configuration can be referrenced Peer Tunnel Type You can choose the type of remote peer that ...

Page 82: ...an IPSec VPN tunnel uses a dynamically assigned IP address this end m have a statically assigned IP address That is both ends of an IPSec VPN tunnel cannot have a dynamically assigned IP address Termination IP The IP address of the remote gateway If you choose Static IP address menu above you mu the remote end of the IPSec VPN tunnel here in the drop down st enter the IP address of Domain Name The...

Page 83: ...a remote host or a set of hosts sharing a common identity Phase 1 Proposal unicate in a e 2 n Phase 1 VPN IPSec negotiation allows the two endpoints of a VPN tunnel to comm secure way so that the encryption for the actual VPN tunnel can be accomplished in the Phas negotiation Click on this link to open the Phase 1 Proposal configuration page as show below Phase 2 Proposal has been initiated Click ...

Page 84: ...served for use on the remote network Subnet Mask Enter the subnet mask corresponding to the IP address range entered above Phase 1 Proposal Phase 1 Proposal Phase 1 VPN IPSec negotiation allows the two endpoints of a VPN tunnel to communicate in a secure way so that the encryption for the actual VPN tunnel can be accomplished in the Phase 2 negotiation The following fields will define the way the ...

Page 85: ... up a new phase 1 key Phase 2 negotiation will also be triggered to build a new tunnel IKE Hash This drop down menu a algorithm that will be used to ensure that the messages exchanged between the tw VPN tunnel endpoints has been received exactly as it was sent In other words a Hash algorithm is used to gene by a mathematical operation using the entire message The resulting numb message digest The ...

Page 86: ... key length for 3DES algorithm is three times as long as the DES key and is theref secure You must choose exactly the same Encryption algorithm on both ends of a VPN tunnel Phase 2 Proposal Phase 2 Proposal The following entries will establish the setup for the negotiation between the two endpoints for the encryption of messages once the VPN tunnel has been initiated PFS Mode This drop down menu a...

Page 87: ...t the entire packet will be encrypted by the DES or 3DES algorithm as selected below and authenticated by the MD5 or SHA algorithm as selected below entication ted the data AH specifies that only the auth algorithm MD5 or SHA as selected below will be used When AH is selec portion of packets sent between the two endpoints of a VPN tunnel will not be encrypted IPSec Life Duration This is similar to...

Page 88: ...cation method that will be used when ESP is selected in the IPSec Operation d You can choose between Null no authorization MD5 using MD5 message digest authentication and SHA using t SHA authentication method You must select the exact same ESP authentication method on both ends of a VPN tunnel AH Transform down menu above You can choose between MD5 using MD5 message digest authentication and SHA u...

Page 89: ...heir destination computer on your LAN PPTP Status PPTP can be Enabled or Disabled by clicking the appropriate click box and the clicking the Apply Starting IP Address pecify a range of IP ddresses for clients on your network that can P ng lds This allows you to s a use the PPTP protocol If you have only one I address enter this address in both the Starti IP Address and Ending IP Address fie Ending...

Page 90: ...d on the DFL 600 Username Enter the appropriate username for your PPTP account here Enter the appropriate password for your PPTP account here Retype the password you entered above here to confirm that it has been entered correctly link to di n the DFL 600 as sho below Password Confirm Password PPTP Status Click on the PPTP Status splay the current status of a PPTP tunnel o wn ...

Page 91: ...eir destination computer on your LAN L2TP Status L2TP can be Enabled or Disabled by clicking the appropriate click box and the clicking the Apply Starting IP Address This allows you to specify a range of IP addresses for servers on your network that can enter this address in both the Starting fields use the L2TP protocol If you have only one IP address IP Address and Ending IP Address Ending IP Ad...

Page 92: ... 64 PPTP and L2TP user accoun c Enter your L2TP account username here Enter your L2TP account password here Re enter your L2TP account password here to verify it has been entered correctly lick on the L2TP Statu n the DFL 600 as sho nk to display the current status of an L2T below Username Password Confirm Password L2TP Status C s li P tunnel o wn ...

Page 93: ...n China Please visit their respective websites for more formation page will open the in Clicking on the DDNS button from the Advanced following page DDNS This allows you to enable or disable DDNS on the DFL 600 Provider Select either Dyndns org or PeanutHull China Host Name Enter the appropriate host name here Username E mail Enter the appropriate Username here Password Key Enter the appropriate P...

Page 94: ... add or edit the Username and Password list to control access to the configuration of the DFL 600 A default user p Username Enter the username for the account here Old Password Enter the old password here New Password Enter the new password for the account here Confirm Password Enter the new password again here to verify that y the password has been entered correctl ...

Page 95: ...The Remote Access page allows you to enter the IP addresses of computers o If you do not enter any IP addresses on this page then no IP address on WAN side of the DFL 600 no computer from the Internet will b a P The DFL 600 allows you to specify a proxy server for your LAN Enter the IP address and the port number in the fields provided roxy Redirect ...

Page 96: ...Apply Settings and Restart from the System Settings configuration into the DFL 600 s NVR revert to the last saved configuration when it is restarted e current configuration to the button on any given t but you must execute an page to enter the AM If you do not the DFL 600 will ns for restarting the DFL 600 save settings and restart tory default settings If you choose the Restore Factory There are ...

Page 97: ... local computer Clicking on the OK button will d er settings to a hard dr initiate a download of either the VPN settings as a text file named DFL600_vpn txt or the Firewall settings as a text file named DFL600_cw txt These files will be uploaded from the DFL 600 to the har drive of the computer that is accessing the web based configuration manag You can choose where on the local computer s hard di...

Page 98: ...e click the indows Explorer Tools Ping Ping is a small program that will send a series of test packets to a network device and ask for the device to send the packets back to the source It is ery useful to determine if a given network device is properly connected to ter the three is v the network and is operating properly To ping an IP address enter the IP address in the IP address field en number ...

Page 99: ......

Page 100: ...ion page displays the current network settings and allows you to view the IP address as DHCP Dynamic Host Configuration Protocol setting on the WAN Settings page under the Ho LAN Status MAC Address This is the MAC address of the DFL 600 on the LAN IP Address This is the DFL 600 s current IP address on the LAN ...

Page 101: ... the IP address of the DFL 600 on the WAN Subnet Mask This is the subnet mask address above that is currently in u DFL 600 on the WAN corresponding to the IP se by the Default Gateway Displays the IP address of the default gateway on the WAN Primary DNS Displays the IP address of the prim the WAN ary DNS on Secondary DNS Displays the IP address of the secondary DNS on the WAN Status NAT Info The D...

Page 102: ...rotocol in use b corresponding session gs of the various function tatus page allows y nable or disable each of these logs using a serie Transport y the Status Log Info Your DFL 600 can keep lo s it supports The Log S ou to e s of drop down menus Intrusion Log Certain sessions between computers on your LAN and the WAN have the potential to cause a disruption in the function of your com blocked by t...

Page 103: ...on IP address and the e intrusion was attempted TCP UDP port that th to Blocking Log Certain sessions between computer potential to cause a disruption in the function of your com blocked by the DFL 600 s firewall Some of these se by you under on the Port Filter Policy page under Advanced Settings tab Events blocked attempt on your LAN between computers on your LAN or between com s on your LAN and ...

Page 104: ...computer or device that was the destination onnection attempt to the DFL is displayed here Blocking Reason A brief statement of why the connection attempt was blocked is displayed here Session Log Session events when a computer on your LAN accesses an application of service on the WAN are logged by the DFL 600 and are displayed on the Session Log as shown below ...

Page 105: ...ort Filter Policy that will set s f e protocol used and the corresponding port umber is determined and entered into the DFL 600 s Intruder Blacklist nce the intruder s information is entered the DFL 600 s firewall will block packets from this location from crossing the DFL 600 from the WAN to the LAN from two computers on the LAN or from the LAN to the WAN Once an intruder s IP address is listed i...

Page 106: ...e a connection from the The IP address of a computer or device that will not be allowed t WAN to the DFL 600 is displayed here The IP Destination IP address of the computer or device that the intruder has tried to connect to is displayed here Destination port Type The port number or ICMP Type that an intruder used to attempt to make a connection is displayed here Port Trans Blocking Time This is t...

Page 107: ...0 maintains a table containing statistics concerning the IPSec protoco v Index This displays the sequence of the IPSec log HED There are five categories of status that can be displayed here as follows BROKEN NEGOTIATION P1 NEGOTIATION P2 P1_ESTABLISHED P2_ESTABLIS A brief descrip Description tion of the log entry will be displayed here ...

Page 108: ...administration You must have a Syslog application on one of the computers on your LAN to take advantage of this feature configuration page as Clicking on the Sys Log link will open the Sys Log shown below Save Location Choose either the Remote Server or the Local Flash option ...

Page 109: ... Alert This allows you to send syslog messages to an e mail address you specify below SMTP Server IP This is the IP address of your Simple Mail Transfer Protocol SMTP server Mail Subject This is the subject line that will app syslog message e mail is sent ear when a Recipient E mail This is the e mail addres mail will be sent to s the syslog message e Schedule You can select betw message e ma een ...

Page 110: ...a log transmitted on to and from displayed by clicking on th affic Statistics page as shown below our DFL 600 k of the total number of bytes received and the LAN and WAN This information can be e Traffic button to display the Tr ...

Page 111: ...nectin If you do not wish to set the static IP address on your PC you will ne configure your PC to request an IP address from the gateway Click the Start button s D In the configuration tab select the TCP IP protocol line that has been associated with your network card adapter If there is no you will need to install TCP IP now ...

Page 112: ... gateway G for Windows 95 98 Inside the windows 95 98 Start button select Ru ow this computer has an IP address of 192 168 0 After clickin Yes CONFIRM YOUR PC There are tw puter s IP WINIPCF n and type winipcfg In the xample bel 100 and the efault gateway is 192 168 0 1 The default gateway should be the network device IP address The MAC address in windows 95 98 is called the Adapter Address NOTE Y...

Page 113: ... IPCONFIG and press Enter Your PC IP wn below IPCONFIG for Windows 2000 NT XP In the DOS command prompt type information will be displayed as sho ...

Page 114: ...ction you will learn how to es using Microsoft Windows XP Note Please refer to websites such as and http www microsoft com windows2000 for information about K CONNECTIONS networking computers using Windows 2000 ME or 98 Go to START CONTROL PANEL NETWOR Select Set up a home or small office network When this screen appears Click Next ...

Page 115: ...l the instructions in this window P puter If through a gateway router select the Click Next In the following window select the best description of your com your computer connects to the Internet second option as shown ...

Page 116: ... optional Click Next Enter a Computer description and a Computer nam Click Next e ...

Page 117: ...s on your network should have the Enter a Workgroup name All computer same Workgroup name Click Next Please wait while the wizard applies the changes ...

Page 118: ...puter e a few minutes When the changes are complete Click Next Please wait while the wizard configures the com This may tak ...

Page 119: ...l run this disk on each of the In the window below select the best option In this exam Network Setup Disk has been selected computers on your network Click Next Insert a disk into the Floppy Disk Drive in this case drive A ...

Page 120: ...er you e the Network Setup Disk to puters on your Please read the information under Here s complete the Network Setup Wizard you will us run the Network Setup Wizard once on each of the com network To continue Click Next en Click Finish to complete the Please read the information on this screen th Network Setup Wizard ...

Page 121: ...e new settings will take re puter Next you will need to run puters on your network After puters your new wireless You have completed configuring this com the Network Setup Disk on all the other com running the Network Setup Disk on all your com network will be ready to use ...

Page 122: ...ese directions Select the Computer Name Tab in the System Properties window You m puter description if In Windows XP Click START in the lower left corner of the screen Right click on My Computer Select Properties Click Change ay enter a Com you wish this field is optional To rename the computer and join a domain ...

Page 123: ...ter up e the Workgroup mputers on must have the same Workgroup name Click OK In this window enter the Compu name Select Workgro and enter the nam of All co your network ...

Page 124: ... Sta A N l Gateways Broadband Routers will autom puters on the network using DHCP Dynam Configuration Protocol technology If you are using a DHCP capable to assign Static IP Addresses g a DHCP capable Gateway Ro w these instructions uter or you need tic IP Address please follo ouble click on rol Panel Go to START D Cont ork Connections Double click on Netw ...

Page 125: ...Right click on Local Area Connections perties Double click Pro Highlight Internet Protocol TCP IP Click Properties ...

Page 126: ... IP Addresses that ask must be th rver inform S P ask The IP Addresses on your netw e range For example if one com Address of 192 168 0 2 the other computers 192 168 0 4 The subnet m e computers on the network ation will be provided by your ISP Internet Service are sequential like 192 168 0 3 and the same for all Input your DNS server addresses The DNS se Provider Click OK ...

Page 127: ...the assignment of a Static IP Address You do not need assign a Static IP Address if you have a DHCP capable Gateway Router You have completed to ...

Page 128: ... D Link Technical Support over the Telephone 800 758 5489 24 hours a day seven days a week D Link Technical Support over the Internet http support dlink com When contacting technical support please provide the following information Serial number of the unit Model number or product name Software type and version number Contacting Technical Support ou can find the most recent software and user docum...

Page 129: ...the non nforming Software will be refunded by D Link provided that the non conforming Software and all copies ereof is first returned to D Link The license granted respecting any Software for which a refund is given tomatically terminates hat You Must Do For Warranty Service egistration is conducted via a link on our Web Site http www dlink com D Link Systems Inc D Link provides this 1 Year warran...

Page 130: ...TIRE W PERFORMANCE OF THE PRODUCT IS WITH THE PURCHASER OF THE PRODUCT Limitation of Liability TO THE MAXIMUM EXTENT PERMITTED BY LAW D LINK IS NOT LIABLE UNDER ANY CONTRACT NEGLIGENCE STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT INCONVENIENCE OR DAMAGES OF ANY CHARACTER WHETHER DIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL INCLUDING BUT NOT LIMITED TO DAMAGE...

Page 131: ...echnician for help Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Register Your D Link Product Online at http www dlink com sales reg ...