This publication, including all photographs, illustrations and software, is protected under
international copyright laws, with all rights reserved. Neither this manual, nor any of the material
contained herein, may be reproduced without written consent of the author.
Disclaimer
The information in this document is subject to change without notice. The manufacturer makes no
representations or warranties with respect to the contents hereof and specifically disclaims any
implied warranties of merchantability or fitness for any particular purpose. The manufacturer
reserves the right to revise this publication and to make changes from time to time in the content
hereof without obligation of the manufacturer to notify any person of such revision or changes.
Limitations of Liability
UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR
DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE
RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER
COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR
IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF
D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE,
D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR
LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN
EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE
PRODUCT.
User Manual
A. CLI Reference ............................................................................................... 100
B. Windows IP Setup .......................................................................................... 114
C. Apple Mac IP Setup ........................................................................................ 116
D. D-Link Worldwide Offices .............................................................................. 118
Alphabetical Index ............................................................................................. 120
Chapter 1. Product Overview
• The DFL-160 Solution, page 5
• Ethernet Interfaces, page 7
• The LED Indicators, page 9
1.1. The DFL-160 Solution
The NetDefend SOHO UTM product is a D-Link hardware/software solution designed for situations
where a conventional IP router connected to the public Internet in a small organization or home
environment does not have sufficient capabilities to provide the network security required to combat
today's universe of potential external threats.
The DFL-160 and the NetDefendOS Software
The term DFL-160 refers to the physical hardware that is provided with the NetDefend SOHO UTM
product. The operating system software that drives the hardware is a purpose built networking
operating system called D-Link NetDefendOS. This operating system is also found in D-Link DFL
firewall products designed for larger enterprises.
The NetDefendOS Management Interface
The principal management interface for the DFL-160 is through a web browser running on a
separate computer. This computer acts as a management workstation and the DFL-160 acts as a web
server, allowing the product to be managed through an intuitive set of web pages that are viewed
through the web browser.
The DFL-160 Interfaces
The DFL-160 provides 10/100/1000 Mbps capable LAN (Local Area Network) and DMZ
(Demilitarized Zone) Ethernet interfaces for the internal, protected networks plus a 10/100 Mbps
capable WAN (Wide Area Network) interface for connection to the public Internet. Further
information about all these can be found in Section 1.2, “Ethernet Interfaces”.
Additionally, a serial interface (the COM port) is provided for access to a Command Line Interface
(CLI).
Below is an image of the back of the DFL-160 unit showing all the connection ports.
"Inside" and "Outside" Networks
The NetDefendOS provides the administrator with the ability to control and manage the traffic that
flows between the trusted "inside" networks and the much more threatening public Internet that lies
"outside".
The "outside" Internet network is connected to the DFL-160's WAN interface and the trusted
"inside" network is connected to the LAN interface. As explained later, there are, in fact, 4 LAN
interfaces connected together through an internal switch.
The network connected to the DMZ interface can be considered to also be "inside" but it is designed
for a network where servers are situated which are accessed by external hosts and users on the
public Internet. The DMZ therefore represents a place where threats such as server viruses can be
isolated and kept separate from the more sensitive LAN network. For this reason, connections
initiated from hosts and users on the DMZ network to the LAN network are never allowed.
Firewalling and UTM
NetDefendOS provides the NetDefend SOHO UTM product with the following important features
to protect against external threats coming from the Internet:
•Extensive Firewalling Capabilities
NetDefendOS can block traffic which does not comply with security policies defined by the
user. These policies can target traffic according to which protocol (such as HTTP or FTP) is
arriving and leaving, and by which interface, as well as optionally determining when such traffic
is allowed according to a time schedule.
There are three sets of basic traffic flow policies that can be defined:
1.Traffic initiated by internal networks ("outbound traffic")
2.Traffic initiated by external networks to hosts and users on the LAN network ("inbound
LAN traffic").
3.Traffic initiated by external networks to hosts and users on the DMZ network ("inbound
DMZ traffic").
Note
When a DFL-160 is started for the first time, no inbound traffic is allowed so the
administrator should decide what inbound traffic will be allowed as one of the first
setup steps.
•Unified Threat Management (UTM)
UTM is performed by NetDefendOS through the following features:
1.An Anti-Virus option to scan file downloads for viruses.
2.Intrusion Detection and Prevention to scan all traffic connecting to internal servers.
3.Web Content Filtering to implement policies on the types of web sites that can be accessed.
1.2. Ethernet Interfaces
The DFL-160 has a number of physical Ethernet interfaces which can be used to plug into other
Ethernet networks. The image below shows these interfaces at the back of the hardware unit.
Interface Network Connections
The illustration below shows the typical usage of network connections to the DFL-160 interfaces.
Intended Interface Usage
The interfaces are intended to be used in the following ways:
•The LAN interfaces.
There are four physical LAN interfaces which are labeled: LAN1, LAN2, LAN3 and LAN4. These
are intended for connection to local, internal networks which will be protected from the outside
internet by the highest security available from the DFL-160.
Interfaces LAN1 to LAN4 are connected together via a switch fabric in the DFL-160 which
means that traffic travelling between them will not be subject to the control of NetDefendOS.
All four are considered to be part of the single logical LAN interface.
This manual will refer to the LAN interface and by this will mean a connection to any of these 4
physical interfaces.
The management options for the LAN interface are described in Section 3.3, “LAN Settings”.
•The DMZ interface.
This is for connection to a local network which will be the Demilitarized Zone (DMZ). A DMZ
is usually set aside to contain computers that regularly receive data from and send data to the
public internet. An example might be a mail server. The intent with the DMZ interface is to
provide a stage of security between the well protected, internal LAN networks and the public
Internet which is connected to the WAN interface.
If desired, the DMZ can be used like another LAN interface but does not share the common
LAN switch fabric mentioned above.
The management options for the DMZ interface are described in Section 3.4, “DMZ Settings”.
•The WAN interface.
This is intended for connection to an external network. In most cases this interface will be
connected to the public Internet via your Internet Service Provider (ISP).
The basic management options for the WAN interface are described in Section 3.2, “Internet
Connection”.
Interface Link Speed Capabilities
The physical speed capabilities are as follows:
Ethernet Interface    Capability (Megabits/second)
LAN (1 to 4)          10/100/1000 Mbps
DMZ                   10/100/1000 Mbps
WAN                   10/100 Mbps
1.3. The LED Indicators
On the front portion of the DFL-160 casing are a set of indicator lights which show system status
and Ethernet port activity.
Power and Status
The power light is illuminated when power is applied and the status light is illuminated after
NetDefendOS has completed start up or if the boot menu has been entered prior to complete startup
(the latter is described in Chapter 8, The Console Boot Menu).
Ethernet Ports
On the right hand side of the front of the DFL-160 there is a line of LED lights that show the status
of the different Ethernet interfaces by showing a flashing or solid light in orange or green. The
image below shows these LED status indicators.
The following table shows the meaning of the Ethernet port LED colors.
LED Status        Indicated Link Status
Solid Amber       1000 Mbps link established
Blinking Amber    Data transmission over 1000 Mbps link
Solid Green       10/100 Mbps link established
Blinking Green    Data transmission over 10/100 Mbps link
Light off         No data link exists
Chapter 2. Initial Setup
• Unpacking, page 11
• Web Browser Connection, page 13
• Browser Connection Troubleshooting, page 18
• Console Port Connection, page 19
2.1. Unpacking
Package Contents
Carefully open the product packaging and inside you will find the following:
•The DFL-160 hardware unit.
•The DFL-160 Quick Installation Guide.
•A plug-in 12 Volt/1.25 Amp power supply with connecting cable.
•One Category 5e Ethernet cable.
•One RS232 cable for connecting a console to the DFL-160 serial COM port.
•A CD ROM containing essential product documents and useful software utilities.
Location of the Hardware
The DFL-160 unit is designed for table mounting only. The product can be mounted on any
appropriate stable, flat, level surface that can safely support the weight of the unit and its attached
cables.
Environmental and Operating Parameters
The following table lists the key environmental and operating parameters for the DFL-160
hardware.
Parameter                    DFL-160 Value
AC Input                     100-240 VAC, 50/60 Hz, External supply
Operating Temperature Range  0°C to +50°C
Storage Temperature Range    -40°C to +70°C
Operational Humidity Range   10% to 90% RH
Storage Humidity Range       5% to 90% RH
Power Consumption            Under 20 Watts
Heat Flow Considerations
The DFL-160 is a low power device that generates a modest amount of heat output during operation.
The following precautions should be taken to allow this heat to dissipate:
•Do not install the DFL-160 in an environment where the operating ambient temperature might
come close to or go beyond the recommended operating temperature range (as stated in the table
above, the operating range is from 0°C to +50°C).
•Make sure that airflow around the DFL-160 unit is not restricted.
•Do not place anything on top of the unit, including any other electronic devices.
Power Supply Precautions
The following is recommended in regard to the power supply:
•Make sure that any power source circuits are properly grounded, and use the power cord
supplied with the DFL-160 to connect it to the power source.
•Ensure that the DFL-160 does not overload the power circuits, wiring and over-current
protection. To determine the possibility of overloading the supply circuits, add together the
ampere ratings of all devices installed on the same circuit as the DFL-160 and compare the total
with the rating limit for the circuit. The maximum ampere ratings are usually printed on the
devices near AC power connectors.
•If your installation requires any power cords other than the one supplied with the product, be
sure to use a power cord displaying the logo of the safety agency that defines the regulations for
power cords in your country. The logo is your assurance that the power cord can be used safely
with the DFL-160.
•The purchase and use of a separate surge protection unit from a third party should be considered
to protect against damage by electrical power surges. This is particularly recommended in
geographic regions where lightning strikes might occur.
Software Installation
A copy of the NetDefendOS network operating system is already pre-installed on the DFL-160 unit.
When the unit is powered up, NetDefendOS will automatically start for the first time with the
factory default settings. Initial startup is described in Section 2.2, “Web Browser Connection”.
2.2. Web Browser Connection
This section describes the steps for accessing a DFL-160 for the first time through a web browser.
The user interface accessed in this way is known as the NetDefendOS Web Interface (or WebUI).
1. Connect the Cables
The DFL-160 and a management workstation (typically a Windows PC) running a web browser
should be physically connected together so that they are on the same Ethernet network.
One of the four LAN interfaces should be attached to the same Ethernet network as the management
workstation (or to a network reachable from the workstation via one or more routers). Typically the
connection is made through a switch or hub in the network, but the workstation can instead be
cabled directly to a LAN port. A regular straight-through Ethernet cable normally works for a direct
connection; if the link LED for that port does not come on, try a crossover cable (see Section 2.3,
“Browser Connection Troubleshooting”).
For Internet connection, the WAN interface should be connected to your ISP.
2. Setting the Workstation Interface IP Address
Traffic can flow between the designated workstation interface and the DFL-160 LAN interface only
if they are on the same IP network (the LAN interface's factory address is 192.168.10.1). If DHCP is
enabled on the workstation (and this is usually the default) or DHCP is enabled on the device, such as
a router, via which the connection is made, then the workstation should not need further
configuration. IP addresses are assigned automatically with DHCP and the reader can skip to step 3.
If, for some reason, DHCP is not available then manual configuration of the workstation interface IP
address will be needed. There are two appendices in this manual that describe how to do this,
depending on the workstation:
•Appendix B, Windows IP Setup
•Appendix C, Apple Mac IP Setup
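A quick way to test the condition in step 2 before opening the browser. This is an added example and is not part of the manual or of NetDefendOS; it uses only the Python standard library. The factory addresses 192.168.10.1 (LAN) and 192.168.11.1 on 192.168.11.0/24 (DMZ) are taken from this manual, while the /24 prefix assumed for the LAN network and the use of the 169.254.0.0/16 link-local range as the sign of a failed DHCP lease are assumptions made for the example.

```python
"""Check whether a management workstation can reach the DFL-160's LAN
address directly, before opening the browser.

Added example, not part of the manual or of NetDefendOS. Factory addresses
192.168.10.1 (LAN) and 192.168.11.1/24 (DMZ) are from the manual; the /24
prefix for the LAN network and the link-local test are assumptions.
"""
import ipaddress

LAN_GATEWAY = ipaddress.ip_interface("192.168.10.1/24")  # /24 prefix is an assumption
DMZ_GATEWAY = ipaddress.ip_interface("192.168.11.1/24")  # DMZ default from Section 2.2
# A host that asks for DHCP and gets no answer usually self-assigns from this range
# (assumption: Windows APIPA / macOS link-local behaviour).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def suggest_static():
    """First usable LAN host address that is not the firewall's own, as a CIDR string."""
    for host in LAN_GATEWAY.network.hosts():
        if host != LAN_GATEWAY.ip:
            return f"{host}/{LAN_GATEWAY.network.prefixlen}"
    raise RuntimeError("no free host address on the LAN network")


def diagnose(workstation):
    """Classify the workstation's IPv4 address/prefix, e.g. "192.168.10.23/24".

    Returns (status, advice). status is one of:
      "ok"             the workstation can reach 192.168.10.1 without a router
      "no-dhcp-lease"  link-local address: DHCP did not complete
      "dmz-subnet"     address belongs to the DMZ network: wrong port for initial setup
      "address-clash"  the workstation is using the firewall's own address
      "other-subnet"   different IP network: needs a static address or a router in between
    """
    iface = ipaddress.ip_interface(workstation)
    if iface.version != 4:
        raise ValueError("IPv4 address expected")
    if iface.ip in LINK_LOCAL:
        return ("no-dhcp-lease",
                "No DHCP lease obtained: check the cable and link LEDs, then retry or set an "
                "address manually (Appendix B / C).")
    if iface.ip in DMZ_GATEWAY.network:
        return ("dmz-subnet",
                "The workstation is on the DMZ network; the DMZ port is not enabled for the "
                "initial management connection. Move the cable to LAN1-LAN4.")
    if iface.ip == LAN_GATEWAY.ip:
        return ("address-clash",
                f"The workstation is using the firewall's address; use {suggest_static()} instead.")
    # Reachable without a router only if each side's address falls inside the other's network.
    if iface.ip in LAN_GATEWAY.network and LAN_GATEWAY.ip in iface.network:
        return ("ok", f"Browse to https://{LAN_GATEWAY.ip}/")
    return ("other-subnet",
            f"{iface} is not on {LAN_GATEWAY.network}; set {suggest_static()} manually or connect "
            "through a router that knows both networks.")


if __name__ == "__main__":
    import sys
    status, advice = diagnose(sys.argv[1] if len(sys.argv) > 1 else "169.254.33.7/16")
    print(f"{status}: {advice}")
```

Run it with the address the workstation currently holds (ipconfig on Windows, ifconfig on a Mac). A "dmz-subnet" result means the cable is in the DMZ port, which does not accept the initial management connection; a "no-dhcp-lease" result points at cabling or link problems rather than at the browser.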
3. Connect the Power
NetDefendOS starts up as soon as the DFL-160 unit is connected to the power supply (there is no
On/Off switch). Power is connected by plugging the cable from the power supply into the unit's
power plug socket and then plugging the supply into a normal wall socket.
Once power is connected, NetDefendOS will take a couple of seconds to boot up. When this process
is complete, the Status front panel light is lit and the DFL-160 is ready to be managed through a web
browser.
4. Connect to the DFL-160 by Surfing to the IP address 192.168.10.1
Using a web browser (Internet Explorer or Firefox is recommended), surf to the IP address
192.168.10.1. This can be done using either HTTP or the more secure HTTPS protocol in the URL.
These two alternatives are discussed next.
A. Using HTTP
Enter the address http://192.168.10.1 into the browser navigation window as shown below. This will
send an initial browser request to the DFL-160.
If the browser does not respond, check that the web browser does not have a proxy server
configured. For possible problems with the network connection, consult Section 2.3, “Browser
Connection Troubleshooting”.
B. Using HTTPS
To connect with the added security of HTTPS instead, enter https://192.168.10.1 in the browser.
When responding to an https:// request, NetDefendOS sends a self-signed certificate. The browser
cannot check this certificate against a trusted authority, so it will warn that the site's identity cannot
be verified and it will be necessary to tell the browser to accept the certificate for this and future
sessions. Accepting an unverifiable certificate is a deliberate trust decision: do it only during initial
setup on the directly connected LAN, where nothing else can sit between the workstation and the
firewall, and make a note of the certificate's fingerprint so that an unexpected warning on a later
session (a changed certificate) can be recognized. Different browsers handle this in slightly different
ways. For example, Microsoft Internet Explorer displays a certificate error page; to continue, click
the link near the bottom of that page which lets you proceed to the site.
In Firefox, this procedure is called "Add a security exception" and is a similar process of telling the
browser to accept the self-signed certificate.
5. Logging on to the DFL-160
NetDefendOS will next respond like a web server with the initial login dialog page as shown below.
The available management web interface language options are selectable at the bottom of this
dialog. This defaults to the language set for the browser if NetDefendOS supports that language.
Now log in with the default username admin and the password admin. These credentials are public
knowledge, so change the password (System > Administration, described in Section 3.1) before the
WAN interface is connected or any other management interface is enabled. The full web interface
will now appear as shown below and you are ready to begin setting up the initial DFL-160 configuration.
This initial web interface page after login always displays the System option in the Status menu, as
shown above. As a first step, it is recommended to click on the different menus shown in the top
menu bar to a get a feel where different options are located. This menu structure is duplicated in the
layout of later chapters that describe the options.
During initial setup, the System menu is the only set of options that should need to be changed.
Logging Out
When you have finished working with the management web interface, it is recommended to always
log out to prevent others with access to the workstation from gaining unauthorized access to the
DFL-160. Log out by clicking on the Logout link at the top right of the management web interface.
Automatic Logout
Logout will occur automatically after a period of 15 minutes of management inactivity and this length
of time is fixed. After automatic logout occurs, the next interaction with the management web
interface will take the browser to the login page.
Connecting to the Internet
In the typical DFL-160 installation the next step is to connect to the public Internet. To do this the
WAN interface should be connected to your Internet Service Provider (ISP). This is usually done
through other equipment such as a broadband modem.
The WAN interface is, by default, configured to use DHCP to automatically fetch the required
external IP addresses from the ISP. If required, detailed WAN interface configuration is done by
going to the System > Internet Connection menu (these options are described in Section 3.2,
“Internet Connection”).
Once a connection to the Internet is established, web surfing from clients on networks attached to
the LAN interfaces is then possible. This is not possible with the DMZ interface since connections
on that interface are blocked until they are explicitly allowed.
Setting Firewall Security Policies
A key feature of the DFL-160 product is the ability to act as a firewall and impose security policies
on what kinds of traffic can flow between interfaces and in what direction.
As a next step, it is recommended to go to the Firewall > Outbound LAN Traffic menu and decide
what kinds of traffic can be initiated by internal hosts and users (these options are described in
Section 4.1, “Outbound LAN Traffic Options”).
By default, everything is allowed for outbound connections on the LAN interface but it is
recommended to restrict this to the minimum necessary. For instance, allowing the HTTP and
HTTPS services (together with whatever path the clients use for DNS name resolution) may be
sufficient for web surfing.
A corresponding set of firewall options exists for the DMZ interface (see Section 4.2, “Outbound
DMZ Traffic Options”) but on initial setup, no outbound traffic is allowed on this interface so
services must be explicitly allowed.
The Meaning of "Outbound"
Keep in mind that the term outbound refers to traffic that is initiated from "inside", behind the
DFL-160 (in other words, from hosts and clients connected to the LAN or DMZ interface). All web
surfing traffic, no matter if it is a server request from a client or the reply to that request, is
considered to be outbound (this point will be repeated later in the manual). Conversely, inbound
traffic refers to exchanges that are initiated from the "outside", on the public Internet.
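The three policy sets and the meaning of "outbound" above can be made concrete with a small stateful model. The following is an added example written for this page; it is not NetDefendOS code and does not reproduce how the product is implemented. The interface names (lan, dmz, wan) and the factory defaults (everything allowed for outbound LAN traffic; nothing allowed for outbound DMZ, inbound LAN or inbound DMZ traffic until it is explicitly enabled; DMZ-to-LAN connections never allowed) come from this chapter; the Packet and Firewall classes, the connection key and the sample addresses are constructed for the example.

```python
"""Toy stateful model of the DFL-160 traffic policy sets described in Chapters 1 and 2.

Added illustration, not NetDefendOS code. Interface names and default policies
are from the manual; the rule and session representation is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrives on: "lan", "dmz" or "wan"
    out_if: str         # interface it would be forwarded to
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True only for the first packet of a new connection


class Firewall:
    # (arriving interface, leaving interface) -> allowed destination ports, or "all"
    DEFAULT_POLICY = {
        ("lan", "wan"): "all",  # outbound LAN traffic: everything allowed by default
        ("dmz", "wan"): set(),  # outbound DMZ traffic: nothing until explicitly allowed
        ("wan", "lan"): set(),  # inbound LAN traffic: nothing until explicitly allowed
        ("wan", "dmz"): set(),  # inbound DMZ traffic: nothing until explicitly allowed
    }

    def __init__(self):
        self.policy = {k: (v if v == "all" else set(v)) for k, v in self.DEFAULT_POLICY.items()}
        self.sessions = set()   # connections that were admitted by policy

    def allow(self, in_if, out_if, port):
        """Enable one service for one policy set, as the Chapter 4 pages do."""
        if (in_if, out_if) == ("dmz", "lan"):
            raise ValueError("DMZ -> LAN connections can never be allowed")
        current = self.policy.setdefault((in_if, out_if), set())
        if current != "all":
            current.add(port)

    @staticmethod
    def _key(p):
        return (p.in_if, p.out_if, p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.out_if, p.in_if, p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        """Return "allow" or "drop" for one packet, updating connection state."""
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "allow"      # belongs to an admitted connection; the reply rides along
        if not p.syn:
            return "drop"       # no state and not a connection start: unsolicited
        if (p.in_if, p.out_if) == ("dmz", "lan"):
            return "drop"       # hard rule, independent of configuration
        rule = self.policy.get((p.in_if, p.out_if), set())
        if rule == "all" or p.dport in rule:
            self.sessions.add(self._key(p))
            return "allow"
        return "drop"


def demo():
    """Walk the policy sets with constructed packets; returns {label: verdict}."""
    fw = Firewall()
    client, web = "192.168.10.50", "203.0.113.10"        # constructed sample addresses
    mailsrv, attacker = "192.168.11.25", "198.51.100.7"
    out = {}
    out["lan->wan https"] = fw.handle(Packet("lan", "wan", client, 40000, web, 443, syn=True))
    out["wan->lan https reply"] = fw.handle(Packet("wan", "lan", web, 443, client, 40000))
    out["wan->lan ssh unsolicited"] = fw.handle(Packet("wan", "lan", attacker, 5000, client, 22, syn=True))
    out["wan->lan ack no state"] = fw.handle(Packet("wan", "lan", attacker, 5001, client, 40001))
    out["dmz->wan smtp default"] = fw.handle(Packet("dmz", "wan", mailsrv, 40002, web, 25, syn=True))
    fw.allow("dmz", "wan", 25)
    out["dmz->wan smtp enabled"] = fw.handle(Packet("dmz", "wan", mailsrv, 40003, web, 25, syn=True))
    out["wan->dmz smtp default"] = fw.handle(Packet("wan", "dmz", web, 5002, mailsrv, 25, syn=True))
    fw.allow("wan", "dmz", 25)
    out["wan->dmz smtp enabled"] = fw.handle(Packet("wan", "dmz", web, 5003, mailsrv, 25, syn=True))
    out["dmz->lan smb"] = fw.handle(Packet("dmz", "lan", mailsrv, 40004, client, 445, syn=True))
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:28s} {verdict}")
```

Each admitted connection is recorded when its first packet passes, so the web server's reply arriving on the WAN interface is allowed without any inbound rule, which is why the manual counts both directions of a web session as outbound. A packet that is neither a connection start nor part of a recorded connection is dropped, as is every DMZ-to-LAN attempt regardless of configuration.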
Using the DMZ for Management
By default, the DMZ interface is allocated the IP address 192.168.11.1 on the 192.168.11.0/24
network. However, the DMZ interface can't be used for initial connection with a browser because it
is not enabled as a management interface.
Management access through the DMZ interface can be enabled after initial management connection
through the LAN interface.
Going Further
At this point the DFL-160 product should be operational and acting as a secure barrier between
internal networks and the public Internet. The next step for the administrator is to further explore the
features of the product and bring into use those which meet the needs of a particular installation.
It is recommended that administrators familiarize themselves with the web interface by clicking on
the main menu options and exploring the individual options available with each. The later part of
this manual has a structure which reflects the naming and order of these menu options.
In most instances the web interface provides a helpful text description on the right hand side for how
features are used as well as more detailed descriptions for individual fields and options.
2.3. Browser Connection Troubleshooting
If the management interface does not respond after the DFL-160 has powered up and NetDefendOS
has started, there are a number of simple steps to troubleshoot basic connection problems:
1. Check that the LAN interface is being used
The most obvious problem is that the wrong DFL-160 interface has been used for the initial
connection. Only the LAN interface is enabled for management access for the initial connection from
a browser after NetDefendOS starts for the first time.
2. Is the LAN interface properly connected?
Check the link indicator lights on the management interface. If they are dark then there may be a
cable problem.
3. Check the cable type connected to the management interface.
Is the management interface connected directly to the management workstation, or to another router
or host, with no switch in between? In that case an Ethernet "cross-over" cable may be needed for
the connection, depending on the capabilities of the interfaces at both ends.
4. Using the ifstat CLI command
To investigate a connection problem further, connect a console to the RS232 port on the DFL-160
after NetDefendOS starts. Details of making this connection are described below in Section 2.4,
“Console Port Connection”.
When you press the enter key, NetDefendOS should respond with the standard CLI prompt:
DFL-160:/>
Now enter the following command a number of times:
DFL-160:/> ifstat lan
This will display a number of counters for the LAN interface.
If the Input counters in the hardware section of the output are not increasing then the error is likely
to be in the cabling. However, it may simply be that the packets are not getting to the DFL-160 in
the first place. This can be confirmed with a packet sniffer if it is available.
If the Input counters are increasing, the LAN interface may not be attached to the correct physical
network. There may also be a problem with the routing information in any connected hosts or
routers.
5. Using the arpsnoop CLI command
A final diagnostic test is to try using the console command:
DFL-160:/> arpsnoop -all
This will show the ARP packets being received on the different interfaces and confirm that the
correct cables are connected to the correct interfaces.
2.4. Console Port Connection
Initial setup of the DFL-160 can be done using only the web interface but DFL-160 also provides a
Command Line Interface (CLI) which can be used for certain administrative tasks. This is accessed
through a console connected directly to the unit's RS232 COM port, which is shown below. All CLI
commands are listed in Appendix A, CLI Reference.
The console also provides the ability to interact directly with the firmware that controls the
operation of the DFL-160 (see Chapter 8, The Console Boot Menu).
Console Setup
When setting up a console connected directly to the DFL-160's RS232 port, the console can be a
traditional "dumb" terminal device but is more typically a PC or other computer running terminal
emulation software (such as the HyperTerminal software included with some Windows versions).
The included RS232 null modem cable is used to connect the console to the console port. This port is
marked COM, as shown in the image above.
The connected console must have the following communication settings:
•9600 bps.
•No parity.
•8 bits.
•1 stop bit.
•No flow control.
Entering the Boot Menu
The Boot Menu is another feature that can only be accessed through the console. It is a direct
management interface to the DFL-160's firmware loader software which underlies the
NetDefendOS software. It allows the administrator to reset the DFL-160 unit as well as set a console
password.
The boot menu is entered by pressing any console key between power up and NetDefendOS
starting. The console will display the message Press any key to abort and load boot menu during
this interval. This feature is described further in Chapter 8, The Console Boot Menu.
Console Output Truncation
The only limitation with issuing CLI commands through the serial console is that there is a finite
buffer allocated for output. This buffer limit means that a single large volume of console output may
be truncated. This happens rarely and only with certain commands.
The DFL-160 USB Port
Next to the RS232 port is a USB port. This port is not used with the current version of
NetDefendOS. The port is intended for use with features planned for future NetDefendOS versions
and is provided so that no hardware upgrade will be required in order to make use of those features
after a software upgrade.
Chapter 3. The System Menu
• Administration, page 22
• Internet Connection, page 25
• LAN Settings, page 27
• DMZ Settings, page 30
• Logging, page 33
• Date and Time, page 35
• Dynamic DNS Settings, page 37
The System menu options allow the administrator to control and manage essential operating settings
of the DFL-160.
The sections that follow describe the options in this menu in the order they appear.
3.1. Administration
The options on this page deal with administrator access to the DFL-160 through one of the Ethernet
interfaces. The page is divided into 3 sections:
A. Management Settings
B. Administrator Settings
C. Management Ports
A. Management Settings
The principal purpose of these settings is to determine with which protocol and on which interfaces
the administrator can manage the DFL-160 through a web browser using the web interface.
The recommendation is to restrict the interfaces which allow management access and to always use
the HTTPS protocol so that management communication, including the administrator password sent
at login, is encrypted.
The only advantage in using HTTP for management access is to avoid the certificate step.
NetDefendOS sends a self-signed certificate to the browser when using HTTPS, so there is an
extra, small step involved to tell the browser to accept the certificate (the interaction differs slightly
depending on the browser). Over HTTP, the password and every configuration change travel in clear
text and can be read by anyone able to capture traffic on the management network.
Enabling Ping Requests
Another option in the management settings is to determine which interfaces will receive and respond
to an ICMP ping request. Ping requests are a simple means to establish if a host is "alive" and
consist of a simple sequence of an "are you there" ping request to an IP address followed by a "yes I
am" response by the host.
It is often best to disallow responses to ping requests received from the public internet on the WAN
interface which is why ping responses on WAN are disabled by default. Potential intruders often use
pings to scan the internet for potential target IP addresses and it is therefore not recommended to
expose the DFL-160s public IP address to this probing.
For troubleshooting purposes, however, it may be desirable to temporarily enable ping responses on
the WAN interface.
B. Administrator Settings
By default, the administrator username admin with the password admin exists when a brand new
DFL-160 is started for the first time. It is recommended, at a minimum, to change the password of
this user as one of the first steps during initial setup.
If desired, the username admin can also be changed and this will also boost security for
administrator access.
A second user with username audit is also defined but must be explicitly enabled by ticking the
checkbox on the web interface page. The audit user has read-only access to NetDefendOS. They
can see the entire NetDefendOS web interface but cannot make any configuration changes. The
default password for the audit user is audit and this also, as a minimum, should be changed as soon
as possible if the audit user is enabled. If desired, the audit username can also be changed from audit
to something else.
C. Management Ports
The default port numbers for HTTP and HTTPS management access can be changed. This must be
done if normal inbound traffic is enabled for the same protocol that is used for management
access.
For instance, if HTTPS is used for management access and HTTPS inbound traffic is enabled (this
is done in Section 4.3, “Inbound Traffic Options”) then both will use port 443 and there will be a
conflict. The port used for management traffic and the port used for normal inbound HTTPS traffic
must be different.
The solution is to change the HTTPS port for administrator access to, for example, port 400. The
administrator then surfs to https://192.168.10.1:400/ to access the web management interface.
Moving the management port only resolves the conflict; it does not hide the management interface
from a port scan, so management access should still be restricted to trusted interfaces as described
under Management Settings above.
Important
The above must be done if there is a clash of port numbers after enabling inbound
traffic.
Management Through the Serial Console
Some administration tasks can be carried out through a console device attached directly to the serial
port of the DFL-160. There are two administration options:
•Using the boot menu
The boot menu can be accessed between power up and completion of NetDefendOS startup. It is
used for performing a limited set of low level administration tasks and is described fully in
Chapter 8, The Console Boot Menu.
•Using CLI Commands
Once NetDefendOS has booted up and started, a set of CLI commands can be entered through
the console. These commands are listed and described in Appendix A, CLI Reference.
3.2. Internet Connection
The options on this page allow the administrator to specify the communications protocol with which
the WAN interface is connected to the public Internet via an Internet Service Provider (ISP).
Your ISP will provide details of their connection. The first task is to make a physical Ethernet
connection between the DFL-160's WAN interface and the ISP. This might be typically done
through some form of broadband modem and the relevant third party modem documentation should
be consulted in order to have this link operational.
The possible connection protocol options are:
A. DHCP Setup
B. Static Connection
C. PPPoE Connection
D. PPTP Connection
A. DHCP Setup
The DHCP protocol is a means for a network device, such as the DFL-160, to retrieve all required
IP addresses automatically from a DHCP server. In this case, the ISP provides the IP addresses from
its DHCP server, provided that the Ethernet connection to the ISP is functioning.
All required IP addresses will automatically be retrieved and no further configuration is normally
required for this option. The only option is the MTU value that will be used for this connection but
this normally doesn't need to be changed.
The MTU value appears as an option in all the different types of Internet connection described
below. The MTU value affects the degree of packet fragmentation on the connection to the ISP: a
lower MTU value increases fragmentation, with a corresponding increase in the processing overhead
needed to re-assemble the packets. The default MTU value is 1500.
B. Static Connection
With this option the IP addresses required for the internet connection are entered manually.
Your ISP should provide all the information needed for this option. All fields need to be entered
except for the Secondary DNS server field.
C. PPPoE Connection
With this option, the username and password supplied by your ISP for PPPoE connection should be
entered. The Service field should be left blank unless the ISP supplies a value for it.
If the Dial-on-Demand option is enabled, the PPPoE connection will not be set up until traffic is
actually sent.
The Idle Timeout is the period of inactivity that must pass before the PPPoE connection is
disconnected when Dial-on-Demand is selected.
DNS servers are set automatically after connection with PPPoE.
D. PPTP Connection
With this option, the username and password supplied by your ISP for PPTP connection should be
entered. If DHCP is to be used with the PPTP connection to the ISP then this should be selected,
otherwise Static should be selected and the static IP addresses supplied by the ISP should be
entered.
If the Dial-on-Demand option is enabled, the PPTP connection will not be set up until traffic is
actually sent. This works in the same way as described above with a PPPoE connection.
The Idle Timeout is the period of inactivity that must pass before the PPTP connection is
disconnected when Dial-on-Demand is selected.
DNS servers are set automatically after connection with PPTP.
3.3. LAN Settings
The settings in this part of the management web interface determine how the DFL-160's LAN
interface operates. These settings are very similar to the corresponding page for the DMZ interface
(see Section 3.4, “DMZ Settings”).
The Logical LAN Interface
There are four physical interfaces in the DFL-160 hardware which are labeled: LAN1...LAN4. As
explained in Section 1.2, “Ethernet Interfaces”, these are connected together by a switch fabric in
the DFL-160 so they act as a single logical interface called LAN. This manual, therefore, refers only
to the LAN logical interface and the rules applied to LAN apply to all four physical interfaces but
not the traffic flowing between them.
LAN Interface Options
There are three sections on the web interface page relating to the LAN:
A. LAN Interface Settings
B. Mode
C. DHCP Server Settings
A. LAN Interface Settings
The IP address of the LAN interface is allocated here for NAT and Routing mode. Transparent
mode does not require an IP address to be allocated, instead, the LAN interface automatically gets
the same IP address as the WAN interface.
The presentation of the LAN interface options in the web interface is shown below:
The setting Relay DNS queries sent to the LAN interface IP should be enabled if, for example,
web browsers running on LAN clients are to resolve URLs using external DNS servers on the
Internet. Any other situation where URL resolution is required will also need a reachable DNS
server. These DNS servers should be configured manually if they were not set automatically when
connecting to the ISP.
B. Mode
There are three modes that are available with the LAN interface. The presentation of the mode
options in the web interface is shown below.
• NAT Mode
This mode enables Dynamic Network Address Translation (NAT) use between the LAN and
WAN interfaces. This means that the individual IP addresses of hosts on the LAN interface will
be hidden from the public internet. All traffic coming from the public Internet to LAN hosts will
be directed to the public IP address of the WAN interface and NetDefendOS will perform the
necessary IP address translation.
Enabling NAT is a recommended way to shield the users and hosts on the LAN network from
outside attack. It also means that a DFL-160 requires just a single public IP address to be
allocated by the ISP.
• Router Mode
This is the mode used if NAT is not used. It means that each of the individual hosts and users on
the LAN network needs its own public IP address if it is to communicate with the public
Internet.
Although not recommended when WAN is connected to the public internet, there may be
situations where NAT cannot be applied and the individual LAN network addresses need to be
exposed through the WAN interface.
In some scenarios, the WAN interface may be connected to another internal network and in this
case NAT usage may also not be appropriate because there is no need to shield LAN addresses
and there are lots of internal IP addresses that can be used.
• Transparent Mode
This mode is used if the DFL-160 is to be placed between the LAN and WAN interface in a
transparent way. This means that no IP addresses need to be changed in either network, but the
traffic flowing between the interfaces is still subject to the rules and controls imposed by
NetDefendOS.
In transparent mode, NetDefendOS works out from the traffic itself which networks can be
found on the interfaces and creates the necessary entries in its routing table.
Note
In transparent mode, the LAN interface takes on the same IP address as the WAN
interface.
If both the LAN and DMZ interfaces have transparent mode enabled, traffic will flow
transparently between all 3 of the DFL-160 interfaces.
C. DHCP Server Settings
With this option enabled, a range of IP addresses can be defined which are then handed out to
hosts on the network that request them. The presentation of the DHCP server options in the web
interface is shown below.
In most scenarios, the LAN network will be an "internal" network that does not require public IP
addresses. However, if a range of public IP addresses are allocated by the ISP these could also be
allocated using this feature.
NetDefendOS also allows a DHCP Reservations list to be created. These bind a certain IP address
with a particular MAC address. When a request for a DHCP lease is received on the interface,
NetDefendOS checks the MAC address of the requesting DHCP client against the list. If a match is
found, the IP address that has been associated with the MAC address is the one that is handed out.
The screenshot below shows how this option appears in the web interface. Combinations of IP
address and MAC address can be added to the list. The red icon on the right of each entry can be
clicked to delete the entry.
This feature allows the same IP address to be always allocated to a particular DHCP client.
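The reservation lookup described above, as an added example in Python (not the DFL-160's or NetDefendOS's own code): a request from a MAC on the reservation list always receives its bound address, any other client receives the next free pool address, and a reserved address is never handed to an unmatched client. The pool range, the reservation list and the MAC addresses are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed example data (not taken from the manual): a LAN DHCP pool and a
# reservation list binding specific IP addresses to client MAC addresses.
POOL_START = "192.168.10.100"
POOL_END = "192.168.10.110"
RESERVATIONS = {
    "00-11-22-33-44-55": "192.168.10.50",   # printer, address outside the pool
    "AA:BB:CC:DD:EE:FF": "192.168.10.105",  # NAS, address inside the pool
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so that '00-11-22-33-44-55',
    '0011.2233.4455' and '00:11:22:33:44:55' all match the same entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class DhcpAllocator:
    # Lease selection as the manual describes it: reservation first, then the
    # next free pool address, skipping addresses that are reserved for others.
    def __init__(self, pool_start: str, pool_end: str,
                 reservations: Dict[str, str]) -> None:
        first, last = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        self.pool = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
        self.reservations = {normalize_mac(m): ipaddress.IPv4Address(ip)
                             for m, ip in reservations.items()}
        self.leases: Dict[str, ipaddress.IPv4Address] = {}  # MAC -> current lease

    def allocate(self, client_mac: str) -> Optional[ipaddress.IPv4Address]:
        mac = normalize_mac(client_mac)
        if mac in self.reservations:            # a reserved MAC always gets its address
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:                  # renewal: keep the existing lease
            return self.leases[mac]
        taken = set(self.reservations.values()) | set(self.leases.values())
        for ip in self.pool:                    # first free, non-reserved pool address
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        return None                             # pool exhausted: nothing to offer
```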
Transparent Mode and the Interface IP Address
There are some considerations that should be noted with the LAN IP address when transparent
mode is enabled:
• In transparent mode, the LAN interface will take on the same IP address as the WAN interface.
• If DHCP is enabled on the WAN interface and the IP address on WAN cannot be refreshed
within its DHCP lease time then it will receive the IP address 0.0.0.0 and the LAN interface will
also receive this IP address.
This will mean that it will not be possible for the administrator to connect through the LAN
interface with a browser to perform management tasks while the LAN interface has the 0.0.0.0
IP address.
These IP address considerations are also true if transparent mode is enabled on the DMZ interface.