D-Link DFL-600 User Manual

D-Link DFL-600

Firewall/VPN

Manual

Rev. 4.0
Building Networks for People
Introduction
IP Address Settings and Computer Settings
Introduction and Overview
Using the Configuration Utility
Setup Wizard
Home
WAN Settings
LAN Settings
DHCP Settings
NAT
DMZ
Advanced Settings
Connecting PCs to the DFL-600 Router
Networking Basics
Contacting Technical Support
Limited Warranty and Registration
Package Contents
Contents of Package:
D-Link DFL-600 Firewall/VPN Router
Manual
Quick Installation Guide
Power Adapter, 5V DC, 2.5A*
CAT-5 UTP Cable
If any of the above items are missing, please contact your reseller.
*Using a power supply with a different voltage rating will damage the product and void the warranty.
System Requirements:
Internet Explorer 5.5 or higher or Netscape Navigator 7.1 or higher, with JavaScript enabled.
One computer with an installed 10Mbps, 100Mbps or 10/100 Mbps Ethernet adapter.
One RJ-45 DSL/Cable Modem for Internet connection.

Introduction

The D-Link DFL-600 VPN Router enables your network to connect to the Internet via a secure, private connection using a Cable or DSL modem. The Virtual Private Network (VPN) that is created on the Internet between your home and a VPN server in your office is secure from interference when you use the DFL-600.
It is an ideal way to connect your computer to a Local Area Network (LAN). After completing the steps outlined in the Quick Install Guide (included in your package) you will have the ability to share information and resources, such as files and printers, and take full advantage of a secure “connected” environment.
Connect the WAN port on the DFL-600 to the Ethernet port on your Cable/DSL modem using an Ethernet cable. Your entire LAN can now access the Internet using just one Internet account. The DFL-600 has 3 LAN ports, one DMZ port, and one WAN port. That means that 3 computers can share the benefits of the DFL-600-equipped network and 1 computer can be configured as a server for Internet applications that may conflict with the advanced protection from intrusion offered by your new DFL-600.
For the price of one Internet account, the DHCP-capable DFL-600 will automatically provide unique IP Addresses for all the computers on the network. (DHCP stands for Dynamic Host Configuration Protocol. It is a protocol for assigning IP Addresses automatically. With a DHCP router like the DFL-600, there is no need to assign static IP Addresses, or purchase multiple addresses from your Internet Service Provider.)
Everyone in your home can access the Internet on his or her own computer, at the same time, without any noticeable decrease in speed. With Firewall Protection, Hacker-attack logging, and Virtual Private Networking, the DFL-600 provides a level of security suitable for many businesses.
This manual provides a quick introduction to network technology. Please take a moment to read through this manual and get acquainted with your DFL-600.
Front View
LED Indicators
Power (Green): Green LED will LIGHT when powered ON.
WAN Link/Act. (Green): Green LED will LIGHT when a good link is established. Green LED will BLINK when packet is transmitting or receiving (Act.).
WAN 10/100 (Green): Green LED will LIGHT when a 100 Mbps Link is established. Green LED will NOT LIGHT when a 10 Mbps Link is established.
DMZ Link/Act. (Green): Green LED will LIGHT when a good link is established. Green LED will BLINK when packet is transmitting or receiving (Act.).
DMZ 10/100 (Green): Green LED will LIGHT when a 100 Mbps Link is established. Green LED will NOT LIGHT when a 10 Mbps Link is established.
LAN (1-3) Link/Act. (Green): Green LED will LIGHT when link is established (Link). Green LED will BLINK when packet is transmitting or receiving (Act.).
LAN (1-3) 10/100 (Green): Green LED will LIGHT when a 100 Mbps Link is established. Green LED will NOT LIGHT when a 10 Mbps Link is established.
Rear View
Power (5V 2.5A DC): Connects the DC power adapter to the Power port.
WAN: Connects DSL/Cable modem to the WAN Ethernet port.
Ports 1-3: Connect networked devices such as computers and ftp servers to the three LAN ports. All LAN ports support auto crossover.
DMZ: Connects a networked device to the DMZ zone of the Firewall/VPN Router. The DMZ feature can be disabled.
Reset: To reload the factory default settings, press the reset button. Pressing the Reset button will clear the current configuration and reset the DFL-600 to the factory default settings.
Product Features
VPN
Provides Virtual Private Networking when communicating with a VPN server-equipped office, or with another DFL-600-equipped network. Supports IPSEC, PPTP, L2TP, and VPN pass through.
DSL/Cable Modem support
The DFL-600 can connect any Cable or DSL modem to the network.
DHCP
The DFL-600 is a DHCP-capable router. It automatically assigns a unique IP Address to each network user connected to the DFL-600, for the price of one Internet account.
Firewall Protection
Supports general hacker attack pattern monitoring and logging.
PPPoE Client
Supports PPPoE client function to connect to a remote PPPoE server.
Virtual Server
Allows the internal server to be accessible from the Internet.
Upgradeable New Features
Allows new features to be added in the future.
High Performance 64 bit RISC CPU Engine
With the most advanced 64 bit RISC CPU Engine, DFL-600 guarantees full compatibility with future DSL/Cable technologies.
IPSec Security
(DES, 3DES, MD5, SHA-1)
Idle Timer
Set a specified idle-time before automatically disconnecting
Dial-on Demand
Eliminates the need for Dial-up. Automatically logs in to your ISP.
Web-Based Configuration
No software installation required. Can be configured through a web browser making it OS independent.

IP Address Settings and Computer Settings

In order to install the DFL-600 you will need to check your computer’s settings and the values from your ISP.
The information offered by your ISP:
Dynamic IP settings
Your fixed IP address for the gateway
Your subnet mask for the gateway
Your default gateway IP address
Your DNS IP address
If you would like to use PPPoE, you will need the following values from your ISP in order to install your router:
User Name
Password
The static IP settings for the PC:
Your PC’s fixed IP address
Your PC’s subnet mask
Your PC’s default gateway
Your PC’s primary DNS IP address
Note: The router’s default IP address setting is 192.168.0.1, with a subnet mask of 255.255.255.0.
Dynamic IP Settings:
It is recommended that you allow your PC’s IP settings to be automatically assigned by a DHCP server. By default, your new DFL-600 VPN Firewall functions as a DHCP server, and it will give your PC the necessary IP settings every time you boot your PC.

Introduction and Overview

The DFL-600 Firewall/VPN Router creates two separate networks on the LAN side of your network by default, a 192.168.0.0 subnet and a 192.168.1.0 subnet (both with a subnet mask of 255.255.255.0). The DFL-600 routes packets between these two subnets and the Internet (or the network connected to the DFL-600’s WAN port). An Internet Service Provider (ISP) or a network administrator provides the network address information on the WAN network.
The 192.168.0.0 network
LAN. The three Ethernet ports − labeled Local Area Network on the front panel, and 1, 2, and 3 on the rear panel − are, by default, assigned the IP address range between 192.168.0.2 to 192.168.0.254. So computers and other devices connected to these three ports either allow the DFL-600’s DHCP server to assign them IP addresses from this range, or you can manually assign devices connected to these ports an IP address from this range. Remember that the IP address, 192.168.0.0, is reserved. The DFL-600 is assigned 192.168.0.1 on the LAN side and is configured from a computer (again, on the LAN side of your network) using a web browser. To connect to the DFL-600’s web-based management utility, type the IP address https://192.168.0.1 into the Address field of your web browser. The https specifies the secure version of http.
The 192.168.1.0 network
DMZ. The port labeled DMZ on both the front and rear panel is, by default, assigned the IP address range between 192.168.1.2 to 192.168.1.254 with a subnet mask of 255.255.255.0. So computers and other devices connected to this port must be assigned IP addresses from this range. The DHCP server on the DFL-600 only services the LAN ports, so you must manually assign a computer connected to the DMZ port an IP address from this range.
You can use this default IP addressing scheme, or you can configure your own. It is important to note that the three LAN ports and the DMZ port must be on different subnets (different ranges of IP addresses) and that the computers that are connected to these ports must have IP addresses in the appropriate range.
The DMZ port is used to allow computers and devices connected to this port to have more direct access to the Internet. This is useful for certain applications that may conflict with the firewall and Network Address Translation (NAT) features of the DFL-600. Computers and devices connected to the DMZ port will not have the level of protection that the LAN ports can provide, however. It is recommended that computers and devices connected to the DFL-600’s DMZ port have some type of firewall software installed and running to provide these devices with at least some level of protection from unwanted intrusions from the Internet.
The Wide Area Network (WAN) side of the DFL-600 is anything connected to the WAN port. This is normally an Ethernet connection to a Cable or DSL modem that, in turn, provides a connection to the Internet. There are three different methods for your ISP to provide the necessary network address information to your DFL-600.
It can be useful when configuring your DFL-600 Firewall/VPN Router to think of the LAN side (all computers or devices connected to the three LAN ports or the DMZ port) and the WAN side (all computers or devices connected to the WAN port – the Internet). The WAN side of the router is connected to some device that ultimately allows a connection to the Internet, while the LAN side is connected to your computers or other network devices (such as a switch or hub) that ultimately allow users access to both the Internet and any other devices on your LAN (such as a printer or scanner).
The network information (including the IP address) required by the WAN side of the DFL-600 is either obtained automatically from your ISP (or other network device on the WAN side) or is entered manually. The DFL-600 allows three methods for this information to be obtained, as follows:
Dynamic − your ISP uses the Dynamic Host Configuration Protocol (DHCP) to provide the network information. Some ISPs may require you to enter an assigned Host Name, as well.
Static IP Address − your ISP assigns you an IP address that never changes. This is more common in businesses that lease dedicated connections. If your ISP uses this type of connection, you must manually enter the assigned IP address, subnet mask, default gateway address, and primary and (optional) secondary DNS addresses. This information will be provided by your ISP.
Point-to-Point Protocol over Ethernet (PPPoE) − this protocol requires the use of a Username and Password to gain access to the network. In addition, you can specify a Connect on Demand connection that will connect to the Internet only when a computer or device on your LAN makes a request, or when the DFL-600 is rebooted.
If you do not know the appropriate method of obtaining the WAN side network address information, contact your ISP or network administrator.
The Device IP Settings dialog box allows you to specify the IP address that computers on your LAN will use to access the DFL-600’s web-based configuration utility. The default is 192.168.0.1 with a subnet mask of 255.255.255.0. If it becomes necessary to change this IP address, be sure to use an address that is in the same range (on the same subnet) as the three LAN ports, or you will not be able to access the DFL-600 from your LAN.
The many other features of the DFL-600 are described in subsequent sections.

Using the Configuration Utility

Launch your web browser and type the device IP address (https://192.168.0.1) in the browser’s address box. This is the default IP address of your DFL-600. Press Enter.
The following dialog box will appear to prompt you to enter the DFL-600’s default User Name and Password. The DFL-600’s default User Name is admin and the default Password is also admin, all lower case.
Click OK to open the Home menu.
Note: Please make sure that the computer you will use to connect to and configure the DFL-600 is assigned an IP address that is in the same range as the DFL-600. The IP address of the DFL-600 is 192.168.0.1. All computers on your network must be within that range, for instance, the computer IP address could be any IP address from the range 192.168.0.2 to 192.168.0.254, with a subnet mask of 255.255.255.0.
The Setup Wizard will guide you through the most basic setup tasks, such as setting an administrative password, selecting the type of WAN connection you have, entering your computer’s host name (if required by your ISP), saving the configuration and restarting the router.
All other setup tasks can be accomplished using the configuration utility from your web browser.
To use the Setup Wizard, click on the Run Setup Wizard link. This will start the Setup Wizard.

Setup Wizard

The Setup Wizard will guide you through the most basic setup tasks for the DFL-600. All other configuration tasks can be accomplished through the web-based manager.
The Home menu contains a Run Setup Wizard link. Click on this button to run the Setup Wizard.
Click Next to continue.
Enter a password in the Password field, and again in the Verify Password field. This will become the logon password for the DFL-600. This password is case-sensitive, so remember to use capital letters when logging on to the DFL-600’s web-based manager if you enter a password with capital letters here. The user name, admin, will not be changed here.
Note: If you choose to input a password, please remember it. If you lose your password, you will have to manually reset the unit (using the reset button on the rear panel of the unit). Resetting the DFL-600 will return all configuration parameters to their factory default values, so all of your settings will be lost and will need to be entered again. The default Username is admin with a password that is also admin.
Click Next to continue.
This menu allows you to select the type of connection your ISP provides. Many ISPs use the PPPoE (Point-to-Point Protocol over Ethernet) for DSL connections, while many Cable ISPs use DHCP (Dynamic Host Configuration Protocol). DHCP assigns an IP address for your Internet connection each time you log on (and is therefore, a dynamic IP address). DHCP is referred to as Dynamic IP address on the DFL-600. The Setup Wizard will open a page with the appropriate fields for the entry of your ISP contact information, depending upon which of the three options you choose.
The Static IP address click-box is used to enter a permanent IP address that is assigned by your ISP. If your ISP assigns you a permanent IP address, choose this option.
Click Next to continue.
Some ISPs require you to use an assigned host name for your Internet connection. If your ISP requires this, you can enter the assigned host name in the Host Name field.
If you selected Static IP Address on the Select Internet Connection Type (WAN) wizard screen above, the following screen will open:
This screen will allow you to enter the static IP address information, if your ISP has assigned a static IP address to your Internet account. Your ISP must provide this information.
If you selected PPPoE (Point-to-Point Protocol over Ethernet) on the Select Internet Connection Type (WAN) screen above, the following window will open:
This screen will allow you to enter the PPPoE information, if your ISP uses the PPPoE protocol for your Internet account. Your ISP must provide this information.
Click Next to continue.
You have completed the basic setup Wizard. The configuration now needs to be entered into the DFL-600’s non-volatile RAM. Clicking Restart will save the configuration to non-volatile RAM and restart the router.

Home

The Home menu contains links to all of the setup menus for the DFL-600.
Click on the WAN button:

WAN Settings

The WAN Settings menu allows you to view the current configuration for your DFL-600, and to choose the protocol by which your DFL-600 will receive its WAN network settings.
The settings listed under WAN Settings are the network settings currently in use by the DFL-600. The fields where you will enter the WAN Settings will change depending upon the choice you make in the IP Settings Mode drop-down menu. These settings are described below.
IP Settings Mode
This drop-down menu determines how the DFL-600 will obtain its IP address information. The fields where you will enter the information will change, as appropriate, to reflect the mode you have selected. The page shown above is in Dynamic mode.
Dynamic allows the DFL-600 to get its IP address information from your ISP using the Dynamic Host Configuration Protocol (DHCP). Use this setting if your ISP instructs you to use DHCP or to automatically obtain an IP address. A server on your ISP’s network will then automatically send the necessary IP address information to your DFL-600.
Static allows you to manually enter the necessary IP address information. Use this setting if your ISP has permanently assigned an IP address to your connection.
PPPoE allows you to enter a Username and Password for a Point-to-Point Protocol over Ethernet (PPPoE) internet connection. Use this setting if your ISP has provided you with an ADSL modem that operates in Bridge mode.
IP Address
This is the current IP address used to identify your ‘location’ on the Internet. It is assigned by your ISP, or entered statically by you. IP addresses work in combination with a subnet mask, described below.
Subnet Mask
A subnet mask is a number, in the same form as an IP address, that is used to mathematically separate a range of IP addresses into a Network portion and a Node portion. The Node portion identifies a specific device on the Network, in this case the DFL-600.
Default Gateway
This is the IP address of a device at your ISP’s office where packets destined for the Internet from your home network are sent, before being forwarded to their final destination. For the DFL-600, the Default Gateway address is provided by your ISP. For computers on your home network, their Default Gateway is the IP address of your DFL-600.
Primary DNS Server
This is the IP address of a computer on the Internet that provides the service of changing text URLs into IP address for sites on the Internet. The IP address of this device is provided by your ISP.
Secondary DNS Server
This is the IP address of a second DNS server, to be used in case there is a problem with the Primary DNS Server. A secondary DNS server IP address is optional.
The ISP Settings page allows you to modify the way that the DFL-600 obtains its network settings from your Internet Service Provider (ISP). The entry fields on the page will change depending upon which of the following options you choose: Dynamic IP Address, Static IP Address, and PPPoE.
Dynamic IP Address − If your ISP uses the Dynamic Host Configuration Protocol (DHCP) to assign an IP address, subnet mask, default gateway and Domain Name Server (DNS) addresses, choose this option. Some ISPs require the use of an assigned Host Name for the device that will make the WAN connection. You can enter this name into the Host Name field.
This is the type of IP address assignment protocol most commonly used by cable ISPs. In addition, many cable modems use the MAC address of the first computer to link to the modem as a way of identifying the user and the corresponding Internet account. The DFL-600 offers a MAC cloning feature where the DFL-600 will read the MAC address of the NIC card in the PC that the cable modem uses to identify the user. The DFL-600 will then use this MAC address when connecting to the cable modem. Clicking on the Clone button will enable this function.
Remember to click the Apply button and then to save the changes using Tools, System, and the Save button.
Static IP Address − If your ISP has assigned you an IP address that will never change, choose this option. When this option is chosen, the following fields appear to allow you to enter the network address information:
PPPoE − If your ISP uses Point-to-Point Protocol over Ethernet (PPPoE), choose this option. When this option is chosen, the following fields appear to allow you to enter the network address information:
Connect on Demand allows the PPPoE WAN connection to be active only when a computer on your LAN makes a connection request. This is similar to the way a dial-up modem initiates a connection.

LAN Settings

The LAN Settings allows you to view the current IP address and subnet mask assigned to the DFL-600. It also allows you to change these settings.
If it is necessary to change the IP Address or Subnet Mask assigned to the DFL-600, enter the new values in the appropriate fields, and press Apply to make the changes current.
Note: if you assign an IP address and subnet mask to the DFL-600 that is different from the IP address range assigned to the computers connected to the LAN ports, you will no longer be able to connect to the DFL-600 from any of these computers. In order to re-establish the connection between a computer on the LAN side and the DFL-600, you will need to assign at least one computer on the LAN side an IP address from the same range as the IP address you assign to the DFL-600. As an alternative, you can configure the DFL-600’s DHCP server to give IP addresses from the new IP address range that you will give the DFL-600 here. If you choose this option, you will have to reboot the PCs on the LAN side of the DFL-600 in order for them to get their new IP address settings (or you can enter the “C:\>ipconfig /renew” command in the Command Prompt window, without rebooting your computer).
As an example, if your LAN network is to be a 192.168.0.x network with a subnet mask of 255.255.255.0, you might assign the DFL-600 an IP address of 192.168.0.1 and configure the DFL-600’s DHCP server to assign addresses in the range between 192.168.0.2 to 192.168.0.100. The default gateway setting for computers on the LAN side will be the DFL-600’s IP address, in this case 192.168.0.1.
Saving all of this information to the DFL-600’s flash RAM and restarting the router will make this IP addressing scheme current. When you enable DHCP (in Windows, “obtain an IP address automatically”) and restart the computers connected to the LAN side of the DFL-600, they will automatically be assigned IP addresses from the range 192.168.0.2 to 192.168.0.100.
As an alternative, you could disable the DHCP server on the DFL-600 and manually update the IP address, subnet mask and default gateway information for each computer on the LAN side of the DFL-600.
It is recommended that if you need to change the IP addressing scheme for the DFL-600, that you configure the DFL-600’s DHCP server with the appropriate IP address range and subnet mask first, and then assign an IP address from the same range to the DFL-600. That way, a computer on the LAN side of your network can always get the proper network addressing information by DHCP from the DFL-600 simply by being restarted.

DHCP Settings

DHCP (Dynamic Host Configuration Protocol) is a method of automatically assigning IP addresses, subnet masks, default gateway and DNS server IP address to computers on the LAN side of the DFL-600. The DFL-600 can be a DHCP server for your LAN, assigning IP addresses, etc. to computers on your network from a range of addresses you specify below.
DHCP Server Status
This allows you to Enable or Disable the DHCP Server feature on the DFL-600. The default is Enabled.
Starting IP Address
This is the first IP address in a range that the DFL-600 will assign to a computer on your network. This IP address can not be the same as the IP address assigned to the DFL-600, nor can the IP address assigned to the DFL-600 be contained in the range of IP addresses available for the DFL-600 to assign. In this case, the IP address of the DFL-600 is 192.168.0.1, so the first IP address in the range is 192.168.0.2. IP addresses can range from 0.0.0.0 to 255.255.255.255, but in the DFL-600’s default IP addressing scheme, the range is from 192.168.0.0 to 192.168.0.255. Please note that the addresses ending in 0 and 255 are reserved for other uses, so the effective IP address range is 192.168.0.1 to 192.168.0.254. The DFL-600’s default IP address is 192.168.0.1.
Ending IP Address
This is the last IP address in a range that the DFL-600 will assign to a computer on your network. In this case, the range of IP addresses between 192.168.0.2 to 192.168.0.100 gives 99 different IP addresses that the DFL-600 can assign to the computers on your network.
Lease Time
This is the length of time any computer on your network that is assigned network settings by the DFL-600 through the DHCP protocol can keep its network settings. If the lease expires while a computer is logged on to your network, that computer will request a new set of network settings. The default is 3600 seconds.
Auto Configuration
This field allows you to specify whether or not the DFL-600 will assign the following network settings to the computers on your network. If you choose to Enable Auto Configuration, the following network settings will be obtained automatically from your ISP by the DFL-600, and will then be assigned to computers on your network. If you choose to Disable Auto Configuration, the network settings you enter in the fields below will be assigned to computers on your network.
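The addressing rules from the LAN Settings and DHCP Settings sections can be checked before a new scheme is applied. The following is an added example, not part of the D-Link manual or firmware; the function name check_plan and its message strings are hypothetical, and the sample plans are constructed from the default values quoted above.

```python
import ipaddress


def check_plan(lan_if, dmz_net, pool_start, pool_end):
    """Validate a LAN/DMZ/DHCP addressing plan; return (problems, pool_size).

    lan_if     router's LAN address with mask, e.g. "192.168.0.1/255.255.255.0"
    dmz_net    subnet used behind the DMZ port
    pool_*     first and last address the DHCP server hands out on the LAN ports
    """
    lan = ipaddress.ip_interface(lan_if)
    dmz = ipaddress.ip_network(dmz_net)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    net = lan.network
    problems = []

    # The three LAN ports and the DMZ port must be on different subnets.
    if net.overlaps(dmz):
        problems.append("LAN and DMZ subnets overlap")
    # Addresses ending the subnet (.0 and .255 in a /24) are reserved.
    if lan.ip in (net.network_address, net.broadcast_address):
        problems.append("router LAN address is a reserved address")
    if start > end:
        problems.append("pool start is above pool end")
        return problems, 0
    # If the pool and the router end up on different subnets, DHCP clients
    # can no longer reach the configuration utility.
    if start not in net:
        problems.append("pool start is outside the LAN subnet")
    if end not in net:
        problems.append("pool end is outside the LAN subnet")
    # The router's own address must not be handed out to a client.
    if start <= lan.ip <= end:
        problems.append("router LAN address is inside the pool")
    for reserved in (net.network_address, net.broadcast_address):
        if start <= reserved <= end:
            problems.append(f"pool contains reserved address {reserved}")
    return problems, int(end) - int(start) + 1


if __name__ == "__main__":
    mask = "255.255.255.0"
    # Constructed sample plans: the manual's default, then three mistakes.
    plans = {
        "default": (f"192.168.0.1/{mask}", f"192.168.1.0/{mask}",
                    "192.168.0.2", "192.168.0.100"),
        "pool too wide": (f"192.168.0.1/{mask}", f"192.168.1.0/{mask}",
                          "192.168.0.1", "192.168.0.255"),
        "router moved, pool not": (f"10.0.0.1/{mask}", f"192.168.1.0/{mask}",
                                   "192.168.0.2", "192.168.0.100"),
        "DMZ on LAN subnet": (f"192.168.0.1/{mask}", f"192.168.0.0/{mask}",
                              "192.168.0.2", "192.168.0.100"),
    }
    for name, plan in plans.items():
        problems, size = check_plan(*plan)
        print(f"{name}: {size} addresses, {problems or 'OK'}")
```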