D-Link DFL-600 Firewall/VPN Manual Rev. 2.
Table of Contents
Introduction
IP Address Settings and Computer Settings
Introduction and Overview
Using the Configuration Utility
Setup Wizard
Home
WAN Settings
LAN Settings
Package Contents
Contents of Package:
• D-Link DFL-600 Firewall/VPN Router
• Manual
• Quick Installation Guide
• Power Adapter, 5V DC, 2.5A*
• CAT-5 UTP Cable
If any of the above items are missing, please contact your reseller.
*Using a power supply with a different voltage rating will damage the product and void the warranty.
System Requirements: Internet Explorer 5.5 or higher or Netscape Navigator 7.1 or higher, with JavaScript enabled.
Introduction The D-Link DFL-600 Broadband VPN Router enables your network to connect to the Internet via a secure, private connection using a Cable or DSL modem. The Virtual Private Network (VPN) that is created on the Internet between your home and a VPN server in your office is secure from interference when you use the DFL-600. It is an ideal way to connect your computer to a Local Area Network (LAN).
With Firewall Protection, Hacker-attack logging, and Virtual Private Networking, the DFL-600 provides a level of security suitable for many businesses. This manual provides a quick introduction to network technology. Please take a moment to read through this manual and get acquainted with your DFL-600. Front View LED Indicators WAN Link/Act. (Green) WAN 10/100 (Green) DMZ Link/Act. (Green) DMZ 10/100 (Green) LAN (1-3) Link/Act.
Rear View
Power (5V 2.5A DC) − Connects the DC power adapter to the Power port.
WAN − Connects DSL/Cable modem to the WAN Ethernet port.
Ports 1-3 − Connect networked devices such as computers and FTP servers to the three LAN ports. All LAN ports support auto crossover.
DMZ − Connects a networked device to the DMZ zone of the Firewall/VPN Router. The DMZ feature can be disabled.
Reset − To reload the factory default settings, press the reset button.
Firewall Protection − Supports general hacker attack pattern monitoring and logging.
PPPoE Client − Supports PPPoE client function to connect to a remote PPPoE server.
Virtual Server − Allows the internal server to be accessible from the Internet.
Upgradeable New Features − Allows new features to be added in the future.
High Performance 64 bit RISC CPU Engine − With the most advanced 64 bit RISC CPU Engine, DFL-600 guarantees full compatibility with future DSL/Cable technologies.
IP Address Settings and Computer Settings In order to install the DFL-600 you will need to check your computer’s settings and the values from your ISP.
Introduction and Overview The DFL-600 Firewall/VPN Router creates two separate networks on the LAN side of your network − by default, a 192.168.0.0 subnet and a 192.168.1.0 subnet (both with a subnet mask of 255.255.255.0). The DFL-600 routes packets between these two subnets and the Internet (or the network connected to the DFL-600’s WAN port). The network address information of the WAN network is usually provided by an Internet Service Provider (ISP) or a network administrator. The 192.168.0.
The DMZ port is used to allow computers and devices connected to this port to have more direct access to the Internet. This is useful for certain applications that may conflict with the firewall and Network Address Translation (NAT) features of the DFL-600. Computers and devices connected to the DMZ port will not have the level of protection that the LAN ports can provide, however.
address, subnet mask, default gateway address, and primary and secondary DNS addresses. This information will be provided by your ISP. Point-to-Point Protocol over Ethernet (PPPoE) − this protocol requires the use of a Username and Password to gain access to the network. In addition, you can specify a Connect on Demand connection that will connect to the Internet only when a computer or device on your LAN makes a request, or when the DFL-600 is rebooted.
Using the Configuration Utility Launch your web browser and type the device IP address (https://192.168.0.1) in the browser’s address box. This is the default IP address of your DFL-600. Press Enter. The following dialog box will appear to prompt you to enter the DFL-600’s default User Name and Password. The DFL-600’s default User Name is admin and the default Password is also admin − all lower case. Click OK to open the Home menu.
The Setup Wizard will guide you through the most basic setup tasks, such as setting an administrative password, selecting the type of WAN connection you have, entering your computer’s host name (if required by your ISP), saving the configuration and restarting the router. All other setup tasks can be accomplished using the configuration utility from your web browser. To use the Setup Wizard, click on the Run Setup Wizard link. This will start the Setup Wizard.
Setup Wizard The Setup Wizard will guide you through the most basic setup tasks for the DFL-600. All other configuration tasks can be accomplished through the web-based manager. The Home menu contains a Run Setup Wizard link. Click on this button to run the Setup Wizard. Click Next to continue.
Enter a password in the Password field, and again in the Verify Password field. This will become the logon password for the DFL-600. This password is case-sensitive, so remember to use capital letters when logging on to the DFL-600’s web-based manager − if you enter a password with capital letters here. The user name, admin, will not be changed here. Note: If you choose to input a password, please remember it.
This menu allows you to select the type of connection your ISP provides. Many ISPs use the PPPoE (Point-to-Point Protocol over Ethernet) for DSL connections, while many Cable ISPs use DHCP (Dynamic Host Configuration Protocol). DHCP assigns an IP address for your Internet connection each time you log on (and is therefore, a dynamic IP address). DHCP is referred to as Dynamic IP address on the DFL-600.
Some ISPs require you to use an assigned host name for your Internet connection. If your ISP requires this, you can enter the assigned host name in the Host Name field. If you selected Static IP Address on the Select Internet Connection Type (WAN) wizard screen above, the following screen will open: This screen will allow you to enter the static IP address information, if your ISP has assigned a static IP address to your Internet account. Your ISP must provide this information.
This screen will allow you to enter the PPPoE information, if your ISP uses the PPPoE protocol for your Internet account. Your ISP must provide this information. Click Next to continue.
You have completed the basic setup Wizard. The configuration now needs to be entered into the DFL-600’s non-volatile RAM. Clicking Restart will save the configuration to non-volatile RAM and restart the router.
Home The Home menu contains links to all of the setup menus for the DFL-600.
WAN Settings The WAN Settings menu allows you to view the current configuration for your DFL-600, and to choose the protocol by which your DFL-600 will receive its WAN network settings. The settings listed under WAN Settings are the network settings currently in use by the DFL-600. The fields where you will enter the WAN Settings will change depending upon the choice you make in the IP Settings Mode dropdown menu. These settings are described below.
IP Settings Mode This drop-down menu determines how the DFL-600 will obtain its IP address information. The fields where you will enter the information will change, as appropriate, to reflect the mode you have selected. The page shown above is in Dynamic mode. Dynamic allows the DFL-600 to get its IP address information from your ISP using the Dynamic Host Configuration Protocol (DHCP). Use this setting if your ISP instructs you to use DHCP or to automatically obtain an IP address.
Default Gateway Primary DNS Server Secondary DNS Server This is the IP address of a device at your ISP’s office where packets destined for the Internet − from your home network − are sent, before being forwarded to their final destination. For the DFL-600, the Default Gateway address is provided by your ISP. For computers on your home network, their Default Gateway is the IP address of your DFL-600.
Static IP Address − If your ISP has assigned you an IP address that will never change, choose this option.
PPPoE − If your ISP uses Point-to-Point Protocol over Ethernet (PPPoE), choose this option. When this option is chosen, the following fields appear to allow you to enter the network address information: Connect on Demand − allows the PPPoE WAN connection to be active only when a computer on your LAN makes a connection request. This is similar to the way a dial-up modem initiates a connection.
LAN Settings The LAN Settings allows you to view the current IP address and subnet mask assigned to the DFL-600. It also allows you to change these settings. If it is necessary to change the IP Address or Subnet Mask assigned to the DFL-600, enter the new values in the appropriate fields, and press Apply to make the changes current.
gateway setting for computers on the LAN side will be the DFL-600’s IP address − in this case, 192.168.0.1. Saving all of this information to the DFL-600’s flash RAM and restarting the router will make this IP addressing scheme current. When you enable DHCP (in Windows, “obtain an IP address automatically”) and restart the computers connected to the LAN side of the DFL-600, they will automatically be assigned IP addresses from the range 192.168.0.2 to 192.168.0.100.
DHCP Settings DHCP (Dynamic Host Configuration Protocol) is a method of automatically assigning IP addresses, subnet masks, default gateway and DNS server IP address to computers on the LAN side of the DFL-600. The DFL-600 can be a DHCP server for your LAN, assigning IP addresses, etc. to computers on your network from a range of addresses you specify below. DHCP Server Status Starting IP Address This allows you to Enable or Disable the DHCP Server feature on the DFL-600. The default is Enabled.
Ending IP Address Lease Time Auto Configuration IP addresses can range from 0.0.0.0 to 255.255.255.255, but in the DFL-600’s default IP addressing scheme, the range is from 192.168.0.0 to 192.168.0.255. Please note that the addresses ending in 0 and 255 are reserved for other uses, so the effective IP address range is 192.168.0.1 to 192.168.0.254. The DFL-600’s default IP address is 192.168.0.1. This is the last IP address in a range that the DFL-600 will assign to a computer on your network.
Domain Name Primary DNS Server Secondary DNS Server The DFL-600 can provide a domain name to computers on your network. This domain name suffix can be provided automatically by your ISP, or you can enter it statically here. This suffix will then be automatically added to URL requests for access to your ISP’s servers. This is the IP address of a server on the Internet that provides the service of changing text URLs into IP address for sites on the Internet.
NAT Network Address Translation Note: NAT is automatically applied between the WAN and the LAN sides of the DFL-600. It does not require any user configuration. Network Address Translation (NAT) is a routing protocol that allows your network to become a private network that is isolated from, yet connected to the Internet.
DMZ NAT and the firewall features of your DFL-600 may conflict with certain interactive applications such as video conferencing or playing Internet video games. For these applications, a bypass can be set up using the DMZ port and a corresponding DMZ IP address. The DMZ IP address is “visible” to the Internet (or WAN) and does not benefit from the full protection of the NAT function.
DMZ Settings The DMZ Settings screen allows you to Enable and Disable the DMZ port on the DFL-600 and to specify the IP address and Subnet Mask that the DMZ port will use. The default DMZ IP address is 192.168.1.1 with a subnet mask of 255.255.255.0. IP Address Subnet Mask This is the IP address assigned to the DMZ port, and will be assigned to a PC that you connect to this port. You can assign any IP address to the DFL-600’s DMZ port that is within the range 192.168.1.1 to 192.168.1.254.
servers to connections to the WAN or Internet. The IP address must be from the same range as the IP address of the DMZ port. The default DMZ IP address is 192.168.1.1, so DMZ Servers must be from the IP address range from 192.168.1.2 to 192.168.1.254, with a subnet mask of 255.255.255.0. Global IP address This is the IP address assigned to the WAN side of the DFL-600 by your ISP.
Time Settings The DFL-600 can be set to obtain and distribute the correct time to computers on your LAN using the Simple Network Time Protocol (SNTP). Click on the Time button to open the following page:
System Date Time − Displays the current system date and time.
Time Zone − This drop-down menu allows you to select the time zone in which your DFL-600 is located.
Time Set Type − This drop-down menu allows you to specify the method the DFL-600 will use to obtain the date and time.
Set Type − This drop-down menu allows you to select either the IP address of an SNTP server, or the Domain Name (URL) of an SNTP server that the DFL-600 will contact to obtain the correct date and time.
IP address − Enter the IP address of an SNTP server here.
Domain Name − Enter the Domain Name (URL) of an SNTP server here.
YYYY-MM-DD − These fields allow you to manually enter the date using a year-month-day format.
HH:MM:SS − These fields allow you to manually enter the time using an hour:minute:second format.
Clicking the Enable click box, opposite the User Control table entry, will open the rest of the User Management page, including the Bandwidth control and Management Type table entries.
User Control Logout Timer Bandwidth Management Type This allows you to enable or disable the authentication of users on the LAN side of the DFL-600, without changing the configuration settings. This is useful when you need to troubleshoot Internet access problems for PCs on your LAN. You can enter a maximum amount of time that users are allowed to be “logged in”. When a user is logged in for a period of time longer than that specified here, they must log in again.
Clicking the Add Users link will open the following page: Add Users User name Password This allows you to add User names and Passwords for users on your LAN. In the Local mode, the DFL-600 authenticates users based upon the User name and Password entered here. Enter a User name here. Enter a Password corresponding to the User name entered above. POP3 The Post Office Protocol, version 3 (POP3) is used to access and retrieve email from a mailbox on a server that is usually located at your ISP’s facility.
POP3 − The Post Office Protocol, version 3. This is used to view and retrieve e-mail from a POP3 server on the WAN.
Server IP − Enter the IP address of your POP3 server here. Your ISP should provide you with this address.
Server Port − This is the TCP port number that the POP3 server will use to communicate with PCs on your LAN. TCP port 110 is the ‘well known’ or default port used for the POP3 protocol.
If you have some PCs (or other network devices) that do not require RADIUS user authentication to access the WAN (Internet), you can enable 802.1x, and then enter the IP Address and IP (subnet) Mask of these devices under the Edit link (which will appear when you enable 802.1x). PCs and network devices that have their IP Address and IP (subnet) Mask entered on the 802.
RADIUS 802.1X Server IP Authentication Port Accounting Port The Remote Access Dial-in User Service (RADIUS) is one of the most common protocols used to carry authorization, authentication, and configuration information between a RADIUS server on the WAN and PCs on your LAN. Choosing RADIUS will allow the DFL-600 to connect PCs on your LAN to a RADIUS server on the WAN. 802.1x is a standard for passing the Extensible Authentication Protocol (EAP) packets over a LAN.
Secret Key Accounting Service Authentication Method RADIUS server will use to connect to PCs on your LAN for the RADIUS accounting function. The default port number for accounting is 1813. Enter the shared key used between PCs on your LAN and the RADIUS server. Use the drop-down menu to enable or disable the RADIUS accounting service. Use the drop-down menu to enable or disable the RADIUS accounting service. Clicking the 802.1x Enable click-box, and then Edit link will open the following page: 802.
Clicking on the Edit link (which appears when you enable 802.1x) will open the 802.1x Device Configuration page, as shown below. If you have PCs on your LAN that do not require RADIUS user authentication to access the Internet (or other networks through your ISP), you can use Enable 802.1x, and then click the Edit link. This will allow you to enter the IP Address and IP (subnet) Mask of PCs on your LAN that need to bypass the RADIUS user authentication.
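Because every entry in the 802.1x Device Configuration table exempts the matching PCs from RADIUS user authentication, the IP Mask decides how many hosts skip the login. The following Python check is an added example, not code from the manual or from D-Link; it assumes the device matches an entry like an ordinary network/mask pair (the manual does not spell out the rule), and the verdict names, the one-host limit and the sample entries are constructed for illustration.

```python
import ipaddress

# Default LAN subnet from the manual (192.168.0.0, mask 255.255.255.0).
LAN = ipaddress.ip_network("192.168.0.0/255.255.255.0")
MAX_EXEMPT_HOSTS = 1  # assumption: local policy of one host per bypass entry


def exempt_hosts(ip, mask, lan=LAN):
    """Count the LAN host addresses an (IP Address, IP Mask) entry would exempt.

    Assumes the entry is matched like an ordinary network/mask pair.
    Raises ValueError for a malformed address or a non-contiguous mask.
    """
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if not net.overlaps(lan):
        return 0
    # Two overlapping CIDR blocks always nest, so the intersection is the
    # narrower of the two.
    inner = net if net.prefixlen >= lan.prefixlen else lan
    reserved = (lan.network_address, lan.broadcast_address)
    return inner.num_addresses - sum(1 for addr in reserved if addr in inner)


def audit_bypass_list(entries, lan=LAN, limit=MAX_EXEMPT_HOSTS):
    """Return (ip, mask, hosts, verdict) for each entry in the bypass table."""
    usable_lan = lan.num_addresses - 2  # addresses ending in 0 and 255 are reserved
    results = []
    for ip, mask in entries:
        try:
            hosts = exempt_hosts(ip, mask, lan)
        except ValueError:
            results.append((ip, mask, 0, "INVALID"))
            continue
        if hosts == 0:
            verdict = "OFF_LAN"    # entry matches nothing on the LAN subnet
        elif hosts >= usable_lan:
            verdict = "WHOLE_LAN"  # user authentication is effectively switched off
        elif hosts > limit:
            verdict = "BROAD"      # more hosts exempted than policy allows
        else:
            verdict = "OK"
        results.append((ip, mask, hosts, verdict))
    return results


# Constructed sample entries, as they might be typed into the table.
SAMPLE_ENTRIES = [
    ("192.168.0.25", "255.255.255.255"),  # a single device
    ("192.168.0.64", "255.255.255.192"),  # a 64-address block
    ("192.168.0.10", "255.255.255.0"),    # mask copied from the LAN settings
    ("192.168.1.5", "255.255.255.255"),   # an address on the DMZ subnet
    ("192.168.0.30", "255.0.255.0"),      # non-contiguous mask
]

if __name__ == "__main__":
    for ip, mask, hosts, verdict in audit_bypass_list(SAMPLE_ENTRIES):
        print(f"{ip:15} {mask:15} exempts {hosts:3} host(s): {verdict}")
```

An entry whose mask was copied from the LAN settings is the case worth looking for: it exempts every PC on the subnet.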
802.1X 802.1x is a standard for passing the Extensible Authentication Protocol (EAP) over a LAN. You should enable this only if there are 802.1x devices between the DFL-600 and the RADIUS server on the WAN. Clicking on the Edit link (which appears when you enable 802.1x) will open the 802.1x Device Configuration page, as shown below. Use this table to enter the IP Address and IP Mask The DFL-600 supports only 802.1X pass through. This means that the DFL-600 will forward 802.
Clicking the LDAP click box will open the following page:
LDAP
Server IP − Enter the IP address of your LDAP server here. Your ISP should provide you with this address.
Server Port − This is the TCP port number that the LDAP server will use to communicate with PCs on your LAN. Port 389 is the ‘well known’ or default port used for LDAP, while Secure LDAP uses port 636.
Base DN − This is the Distinguished Name used for LDAP.
Advanced Settings NAT Network Address Translation Network Address Translation (NAT) is a routing protocol that allows your network to become a private network that is isolated from, yet connected to the Internet. It does this by changing the IP address of packets from a global IP address − assigned by your ISP − usable on the Internet to a local IP address − assigned by you − usable on your private network (but not on the Internet.
Private IP Transport Type This is the IP address of the server on your LAN that will provide the service to remote users. You can select the transport protocol (TCP or UDP) that the application on the virtual server will use for its connections. The choice of this protocol is dependent on the application that is providing the service. If you do not know which protocol to choose, check your application’s documentation.
Application Gateway (ALG) Some applications require multiple TCP or UDP ports to function properly. Applications such as Internet gaming, video conferencing, and Internet telephony are some examples of applications that often require multiple connections. These applications often conflict with NAT, and therefore require special handling. The Special Applications page allows you to configure your DFL-600 to allow computers on your LAN to access servers on the WAN that require multiple TCP or UDP connections.
Trigger Type Max Activity Interval Session Chained Address Replacement Replacement Format Allow sessions initiated from/to 3rd host Popular Applications port is used, enter the same port number in both the starting and ending port number fields. This is the protocol (TCP or UDP) that the application uses to make the connection. This is the maximum interval, in milliseconds, between the triggering of a protocol session and the protocol’s dynamic session.
down menu. Selecting one of the listed applications is the equivalent of entering the correct settings in the fields above for the specific application. For example, the Netmeeting application requires a Trigger Port Range of 1720 – 1720, a Trigger Type of TCP, and so on. The correct settings for the applications listed in this drop-down menu have been entered into the DFL-600’s firmware, for your convenience.
Subnet Mask Gateway IP Address This is the corresponding subnet mask for the remote network. This is the IP address of the gateway on the remote network that will provide the connection between your DFL-600 and servers on the remote network. Dynamic Routing Your DFL-600 can automatically discover routes to destinations on both your LAN and the WAN (Internet). You can choose either RIP1, RIP2 or None.
Rip Version RIP Enabled Interface Network Address Subnet Mask Interface Name Multicast Support Update Timer Timeout Timer Garbage Collection Timer Your DFL-600 can automatically discover routes to destinations on both your LAN and the WAN (Internet). You can choose either RIP1, RIP2 or None. RIP2 (Routing Information Protocol version 2) adds support for variable-length subnet masks, and is generally the best choice.
Policy (Firewall Settings) Policy Rules The DFL-600 allows you to establish a period of time that a policy rule will be active or enforced. In addition, you can enable or disable a policy rule without changing that rule’s configuration. This is useful when you need to troubleshoot access problems for a PC on your LAN. The schedule for a policy rule is specified on the Policy Rules page, as shown below. Enter a name for the policy rule you want to configure in the Policy Name field.
Next, select a period of time for the policy to be active. Always instructs the router to enforce a policy any time that policy is enabled. One Time instructs the router to enforce the policy only during the current session − when the DFL-600 is restarted, a One Time policy will no longer be enforced. One Week instructs the router to enforce the policy for the period of time between the Start Time and the End Time, specified using the dropdown menus.
The Port Filter allows you to specify transport protocols and TCP/UDP port ranges that the DFL-600 will allow computers on the WAN side to use to make connections to PCs on the LAN side. You can choose to block Java programs from being downloaded from the Internet and executed by PCs on your LAN by clicking the Block Java Enabled click-box and then the Apply button. Blocking Java programs will disable certain functions on many web-sites, and is equivalent to disabling Java in many web browsers.
• Allow all outbound packets to pass through the router to the WAN (Internet).
• Allow inbound packets only for a virtual server on your LAN running the FTP, SSH, TELNET, SMTP, POP3, or LDAP protocols.
• Deny remote access to the DFL-600 from the WAN (Internet).
The following fields can be configured for the current In policy. Transport Type Protocol Port Range Direction This drop-down menu allows you to specify the transport protocol that will be filtered by the DFL-600.
Key Word Filter The DFL-600 will also allow you to enter key words that the router will use to deny access from PCs on web sites that contain these words in the URLs. Clicking on the Back button from the Add Service Rules page (shown above) will take you back to the In policy page. Then clicking on the Key Words link will open the following page. Enter a key word that you want the DFL-600 to scan for and prevent PCs on websites that contain that word in their URLs from accessing PCs on your LAN.
The Port Filter allows you to specify transport protocols and TCP/UDP port ranges that the DFL-600 will prevent computers on the LAN side from using to make connections to PCs on the WAN side of the router. Clicking on the “Blocked Service” link will open the following page.
The default firewall port filter rules on the DFL-600 are:
• Allow all outbound packets to pass through the router to the WAN (Internet).
• Allow inbound packets only for a virtual server on your LAN running the FTP, SSH, TELNET, SMTP, POP3, or LDAP protocols.
• Deny remote access to the DFL-600 from the WAN (Internet).
The following fields can be configured for the current Out policy.
Untrusted Domains The Domain Filter allows you to specify domain names that the DFL-600 will prevent computers on the LAN side from using to make connections to PCs on the WAN side of the router. Clicking on the “Untrusted Domain” link will open the following page. Enter a Domain Name that you want the DFL-600 to scan for and prevent PCs on websites that contain that word in their URLs from accessing PCs on your LAN.
Blocked MAC Addresses The DFL-600 will allow you to make a list of MAC addresses for which outgoing packets will be filtered. MAC (Media Access Control) addresses are the physical addresses that are assigned to networking devices by their respective manufacturers.
Enter a MAC Address that you want the DFL-600 to scan for and filter packets that have that MAC address as their destination address.
IPSec Settings IPSec (Internet Protocol Security) is a group of protocols designed to allow flexible, secure and interoperable communication over the Internet. IPSec is used to establish an encrypted − and therefore, secure − connection between two points on a network. IPSec provides access control, connectionless data integrity, data origin authentication, protection against replay attacks and confidentiality for each IPSec packet.
IPSEC Tunnel Mode The IPSEC Tunnel Mode page allows you to setup a secure tunnel between your DFL-600 and a remote gateway.
Add/New Tunnel − The following fields will identify the VPN tunnel on the DFL-600.
Tunnel ID − An alphanumeric string that identifies the remote tunnel. A string of up to 63 characters can be entered. The Tunnel ID is sometimes called the Negotiation ID of the remote gateway.
Termination IP − The IP address of the remote gateway.
Shared Key − The encryption key that should be entered exactly the same way on both endpoints in order to establish Phase 1 negotiation.
Tunnel Type Phase 1 Proposal Mode DH Group
IKE Life Duration − This is the duration (in seconds) of the phase 1 key after the tunnel is established. When this duration has passed, the two peers will trigger a restart of the phase 1 negotiation to set up a new phase 1 key. Phase 2 negotiation will also be triggered to build a new tunnel.
IKE Hash − This drop-down menu allows you to select the algorithm that will be used to ensure that the messages exchanged between the two IPSec VPN tunnel endpoints have been received exactly as they were sent.
IKE Encryption
Phase 2 Proposal PFS Mode IPSec Operation IPSec Life Duration The following entries will establish the setup for the negotiation between the two endpoints for the encryption of messages once the VPN tunnel has been initiated. This drop-down menu allows you to specify the mode that will be used for IPSec Perfect Forward Security (PFS). The choices are Disabled, Group 1, and Group 2. Group 1 uses 768-bit encryption, and Group 2 uses 1024-bit encryption.
ESP Transform This drop-down menu allows you to select the encryption algorithm that will be used when ESP is selected in the IPSec Operation dropdown menu above. You can choose between Null − no encryption, DES − using DES encryption, and 3DES − using triple DES encryption. ESP Auth You must select the exact same ESP transform (encryption algorithm) on both ends of a VPN tunnel.
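The PFS Mode, ESP Transform and Shared Key choices described above can be reviewed for weak or mismatched settings before a tunnel is put into service. The following Python check is an added example, not code from the manual or from D-Link; the TunnelEndpoint class, the finding codes, the 20-character key threshold and the sample endpoints are assumptions made for illustration, and the class is not the format of the device's exported settings file.

```python
import hmac
from dataclasses import dataclass

# Menu options as named in the manual.
ESP_TRANSFORMS = ("Null", "DES", "3DES")
PFS_MODES = ("Disabled", "Group 1", "Group 2")
MIN_SHARED_KEY_LEN = 20  # assumption: local policy threshold, not a device limit


@dataclass(frozen=True)
class TunnelEndpoint:
    """Settings of one side of a tunnel (hypothetical representation)."""
    name: str
    shared_key: str
    esp_transform: str
    pfs_mode: str


def audit_endpoint(ep):
    """Return a sorted list of finding codes for one endpoint's settings."""
    codes = set()
    if ep.esp_transform not in ESP_TRANSFORMS or ep.pfs_mode not in PFS_MODES:
        codes.add("UNKNOWN_OPTION")
    if ep.esp_transform == "Null":
        codes.add("ESP_NULL")          # tunnel payload is not encrypted
    elif ep.esp_transform == "DES":
        codes.add("ESP_DES")           # 56-bit key; 3DES is the stronger option offered
    if ep.pfs_mode == "Disabled":
        codes.add("PFS_DISABLED")      # no fresh key exchange for phase 2 keys
    elif ep.pfs_mode == "Group 1":
        codes.add("PFS_GROUP1")        # 768-bit group; Group 2 is the stronger option offered
    if len(ep.shared_key) < MIN_SHARED_KEY_LEN:
        codes.add("SHORT_SHARED_KEY")
    return sorted(codes)


def audit_tunnel(local, remote):
    """Audit both endpoints plus the settings the manual says must be identical."""
    pair = []
    # Constant-time comparison; the key itself never appears in the report.
    if not hmac.compare_digest(local.shared_key.encode(), remote.shared_key.encode()):
        pair.append("SHARED_KEY_MISMATCH")
    if local.esp_transform != remote.esp_transform:
        pair.append("ESP_TRANSFORM_MISMATCH")
    return {
        "local": audit_endpoint(local),
        "remote": audit_endpoint(remote),
        "pair": pair,
    }


# Constructed sample endpoints; the keys are placeholders, not real secrets.
HQ = TunnelEndpoint("hq", "constructed-sample-key-0001-hq", "3DES", "Group 2")
BRANCH = TunnelEndpoint("branch", "short-key", "DES", "Disabled")

if __name__ == "__main__":
    report = audit_tunnel(HQ, BRANCH)
    for section, findings in report.items():
        print(f"{section}: {', '.join(findings) if findings else 'no findings'}")
```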
Type Starting Target Host Subnet Mask addresses of computers on the remote LAN (the remote endpoint of the VPN tunnel) that will be allowed to access the VPN. This drop-down menu allows you to select the type of network definition for the range of IP addresses on the remote LAN that will be allowed to access the VPN. At the time of the writing of this manual, only the Subnet type is supported.
IPSec Status Click on the IPSec Status link to display the current IPSec status table, as shown below.
VPN-PPTP Settings The Point-to-Point Tunneling Protocol (PPTP) is another method of establishing a secure tunnel between the DFL-600 and a remote gateway. The PPTP Settings page allows you to enable or disable PPTP on the DFL-600. PPTP Pass Through PPTP Status Starting IP Address Ending IP Address Click Enable to allow PPTP packets to pass through the router to the destination computer on your LAN.
PPTP Account The PPTP Account settings page allows you to enter a username and password for a PPTP account. A combined maximum of 64 PPTP and L2TP user accounts can be configured on the DFL-600.
Username − Enter the appropriate username for your PPTP account here.
Password − Enter the appropriate password for your PPTP account here.
Confirm Password − Retype the password you entered above here to confirm that it has been entered correctly.
VPN-L2TP Settings The Layer 2 Tunneling Protocol (L2TP) is another method of establishing a secure tunnel between your DFL-600 and a remote gateway. The L2TP Status page allows you to enable or disable L2TP on the DFL-600. L2TP Pass Through L2TP Status Starting IP Address Ending IP Address Click Enable to allow L2TP packets to pass through the router to the destination computer on your LAN.
L2TP Account The L2TP page allows you to enter your username and password for an L2TP account. A combined maximum of 64 PPTP and L2TP user accounts can be configured on the DFL-600.
Username − Enter your L2TP account username here.
Password − Enter your L2TP account password here.
Confirm Password − Re-enter your L2TP account password here to verify it has been entered correctly.
L2TP Status Click on the L2TP Status link to display the current status of an L2TP tunnel on the DFL-600, as shown below.
available in China. Please visit their respective websites for more information. Clicking on the DDNS button from the Advanced page will open the following page.
DDNS − This allows you to enable or disable DDNS on the DFL-600.
Provider − Select either Dyndns.org or PeanutHull(China).
Host Name − Enter the appropriate host name here.
Username/E-mail − Enter the appropriate Username here.
Password/Key − Enter the appropriate Password or Key here.
Tools − Administration The Admin Settings page allows you to add or edit the Username and Password list to control access to the configuration of the DFL-600. A default user account is configured with the username admin, and a password of admin. You can change the password at any time. Username Old Password New Password Confirm Password Enter the username for the account here. Enter the old password here. Enter the new password for the account here.
Remote Access The Remote Access page allows you to enter the IP addresses of computers on the WAN (Internet) that will be allowed to access the configuration utility. If you do not enter any IP addresses on this page, then no IP address on the WAN side of the DFL-600 (no computer from the Internet) will be allowed to access the DFL-600’s configuration utility. Tools − System The System Settings page allows you to save the current configuration to the DFL-600’s Flash RAM (NVRAM).
Tools − Firmware The Firmware Upgrade page allows you to upgrade the DFL-600’s firmware from a new firmware file stored on your local hard drive. In addition, you can choose to load the DFL-600’s current VPN or Firewall settings to a hard drive on a local computer. Clicking on the OK button will initiate a download of either the VPN settings (as a text file named DFL600_vpn.txt) or the Firewall settings (as a text file named DFL600_cw.txt).
Update File Browse Enter the full DOS path and filename to the new firmware file on your local hard drive. For example, if the file is in the root directory of your C drive, enter C:\newfile.had and click the OK button to begin the file transfer. If you are unsure about the location of the new firmware file on your local hard drive, click the Browse button to open a Windows Explorer window to look for this file.
Status − Device Info
The Device Information page displays the current network settings and allows you to view the IP address assigned to the DFL-600 by your ISP using DHCP (Dynamic Host Configuration Protocol − the Dynamic IP Address setting on the WAN Settings page under the Home page).
LAN Status
MAC Address - This is the MAC address of the DFL-600 on the LAN.
IP Address - This is the DFL-600’s current IP address on the LAN.
Subnet Mask
DHCP Server
WAN Status
MAC Address - This is the MAC address of the DFL-600 on the WAN.
Connection Type - This displays the current connection type between the DFL-600 and your ISP.
IP Address - This is the IP address of the DFL-600 on the WAN.
Subnet Mask - This is the subnet mask corresponding to the IP address above, that is currently in use by the DFL-600 on the WAN.
Default Gateway - Displays the IP address of the default gateway on the WAN.
Primary DNS - Displays the IP address of the primary DNS on the WAN.
Secondary DNS
Private IP address: Port - This is the IP address and port number of a computer or device on your LAN that has an active NAT session.
Peer IP address: Port - This is the IP address and port number of a computer or device on the WAN that has an active connection with the DFL-600.
Status − Log Info
Your DFL-600 can keep logs of the various functions it supports. The Log Status page allows you to enable or disable each of these logs using a series of drop-down menus.
Intrusion Type - A brief statement of the type of intrusion that was attempted is displayed here.
Source: port - Displays the source IP address and the TCP/UDP port that the intrusion was attempted from.
Destination: port - Displays the destination IP address and the TCP/UDP port that the intrusion was attempted to.
Blocking Log
Certain sessions between computers on your LAN and the WAN have the potential to cause a disruption in the function of your computers and are blocked by the DFL-600’s firewall.
Transport Type - The protocol used to make the connection attempt is displayed here.
Source
Destination: port - The IP address and the TCP/UDP port number of the computer or device that was the destination of connection attempt to the DFL is displayed here.
Blocking Reason
Source: port - The IP address and TCP/UDP port number of the computer or device that initiated the session is displayed here.
Destination: port - The IP address and TCP/UDP port number of the computer or device that responded to the session initiation is displayed here.
Type - The protocol used to conduct the session is displayed here.
Terminate Reason - When the session is terminated, it is displayed here.
intruder’s IP address will remain in the Intruder Blacklist for an additional amount of time. While the intruder’s IP address is on the DFL-600’s Intruder Blacklist, that IP address is blocked from sending packets through the DFL-600.
Source IP - The IP address of a computer or device that will not be allowed to make a connection from the WAN to the DFL-600 is displayed here.
Destination IP
Destination Port/Transport Type
Blocking Time
IPSec Log
The DFL-600 maintains a table containing statistics concerning the IPSec protocol connection between the WAN and the LAN. These statistics can be viewed on the IPSEC Statistics table, as shown below:
Index - This displays the sequence of the IPSec log.
There are five categories of status that can be displayed here, as follows: BROKEN, NEGOTIATION P1, NEGOTIATION P2, P1_ESTABLISHED, P2_ESTABLISHED.
Description - A brief description of the log entry will be displayed here.
Sys Log
The DFL-600 can save or transmit Syslog messages to aid in network administration. You must have a Syslog application on one of the computers on your LAN to take advantage of this feature. Clicking on the Sys Log link will open the Sys Log configuration page, as shown below.
Save Location - Choose either the Remote Server or the Local Flash option.
Remote Server IP - Enter the IP address of the computer on your LAN that is running the Sys log application.
Sys Log Level - This drop-down menu allows you to select the level of Sys log information that the DFL-600 will send to the Sys log server.
Mail Alert - This allows you to send syslog messages to an email address you specify below.
SMTP Server IP - This is the IP address of your Simple Mail Transfer Protocol (SMTP) server.
Mail Subject
Recipient E-mail
Schedule
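The Remote Server and Sys Log Level settings above decide where messages go and how severe they must be to be sent. As an added example (not part of the D-Link manual), the following Python code shows how a receiver on the LAN could decode each message's priority value, accept datagrams only from the firewall's address, and keep only entries at or above a chosen severity. It assumes the device sends BSD-style syslog (RFC 3164) with a leading <PRI> field; the sample messages are constructed, not captured from a DFL-600.

```python
import re
import socket

# Severity names in RFC 3164 order: index 0 is the most severe
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode(datagram: bytes):
    """Return (facility, severity name, text), or None if <PRI> is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23 with severity 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    text = datagram[m.end():].decode("utf-8", errors="replace").strip()
    return facility, SEVERITIES[severity], text

def keep(datagram: bytes, allowed_sources, sender_ip, max_level="warning"):
    """Accept a message only from an expected sender address and at or above max_level."""
    if sender_ip not in allowed_sources:
        return None
    parsed = decode(datagram)
    if parsed is None:
        return None
    if SEVERITIES.index(parsed[1]) > SEVERITIES.index(max_level):
        return None  # less severe than the chosen level
    return parsed

def serve(bind_ip, firewall_ip, port=514):
    """Listen for syslog over UDP and print the messages that pass the filter."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        hit = keep(data, {firewall_ip}, src)
        if hit:
            print(src, *hit)

# Constructed sample datagrams (not real DFL-600 output)
SAMPLES = [
    b"<132>Jan  1 00:00:10 fw blocked TCP 203.0.113.5:4444 -> 192.168.0.10:23",
    b"<134>Jan  1 00:00:11 fw session closed",
    b"no priority header",
]
```

UDP source addresses can be forged, so the sender check narrows what is accepted but does not authenticate the device.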
Status − Traffic Log
Your DFL-600 keeps a log of the total number of bytes received from and transmitted to the LAN and WAN. This information can be displayed by clicking on the Traffic button to display the Traffic Statistics page, as shown below.
Connecting PCs to the DFL-600 Router
If you do not wish to set the static IP address on your PC, you will need to configure your PC to request an IP address from the gateway. Click the Start button, select Settings then select Control Panel. Double-click the Network icon. In the configuration tab, select the TCP/IP protocol line that has been associated with your network card/adapter. If there is no TCP/IP line listed, you will need to install TCP/IP now.
Click the Properties button, then choose the IP Address tab. Select Obtain an IP address automatically. After clicking OK, Windows might ask you to restart the PC. Click Yes.
CONFIRM YOUR PC’S IP CONFIGURATION
There are two tools which are great for finding out a computer’s IP configuration: MAC address and default gateway.
• WINIPCFG (for Windows 95/98) Inside the Windows 95/98 Start button, select Run and type winipcfg. In the example below this computer has an IP address of 192.168.0.
• IPCONFIG (for Windows 2000/NT/XP) In the DOS command prompt type IPCONFIG and press Enter. Your PC IP information will be displayed as shown below.
Networking Basics
Using the Network Setup Wizard in Windows XP
In this section you will learn how to establish a network at home or work, using Microsoft Windows XP. Note: Please refer to websites such as http://www.homenethelp.com and http://www.microsoft.com/windows2000 for information about networking computers using Windows 2000, ME or 98.
Go to START>CONTROL PANEL>NETWORK CONNECTIONS. Select Set up a home or small office network. When this screen appears, Click Next.
Please follow all the instructions in this window. Click Next. In the following window, select the best description of your computer. If your computer connects to the Internet through a gateway/router, select the second option as shown.
Click Next. Enter a Computer description and a Computer name (optional).
Enter a Workgroup name. All computers on your network should have the same Workgroup name. Click Next. Please wait while the wizard applies the changes.
When the changes are complete, Click Next. Please wait while the wizard configures the computer. This may take a few minutes.
In the window below, select the best option. In this example, “Create a Network Setup Disk” has been selected. You will run this disk on each of the computers on your network. Click Next.
Format the disk if you wish, and Click Next. Please wait while the wizard copies the files. Please read the information under Here’s how in the screen below. After you complete the Network Setup Wizard you will use the Network Setup Disk to run the Network Setup Wizard once on each of the computers on your network. To continue, Click Next. Please read the information on this screen, then Click Finish to complete the Network Setup Wizard.
The new settings will take effect when you restart the computer. Click Yes to restart the computer. You have completed configuring this computer. Next, you will need to run the Network Setup Disk on all the other computers on your network. After running the Network Setup Disk on all your computers, your new wireless network will be ready to use.
Naming your Computer
Naming your computer is optional. If you would like to name your computer please follow these directions:
In Windows XP:
• Click START (in the lower left corner of the screen).
• Right-click on My Computer.
• Select Properties.
• Select the Computer Name Tab in the System Properties window. You may enter a Computer description if you wish; this field is optional.
• In this window, enter the Computer name.
• Select Workgroup and enter the name of the Workgroup.
• All computers on your network must have the same Workgroup name.
Assigning a Static IP Address
Note: Residential Gateways/Broadband Routers will automatically assign IP Addresses to the computers on the network, using DHCP (Dynamic Host Configuration Protocol) technology. If you are using a DHCP-capable Gateway/Router you will not need to assign Static IP Addresses.
Right-click on Local Area Connections.
Select Use the following IP address in the Internet Protocol (TCP/IP) Properties window. Input your IP address and subnet mask. (The IP Addresses on your network must be within the same range. For example, if one computer has an IP Address of 192.168.0.2, the other computers should have IP Addresses that are sequential, like 192.168.0.3 and 192.168.0.4. The subnet mask must be the same for all the computers on the network.) Input your DNS server addresses.
You have completed the assignment of a Static IP Address. (You do not need to assign a Static IP Address if you have a DHCP-capable Gateway/Router.)
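The "same range" and "same subnet mask" requirements above can be checked before any address is typed into a PC. The following Python code is an added example, not part of the D-Link manual: it validates a list of planned static addresses against the shared mask and the router's LAN address, and reports addresses that fall outside the network, are reserved, or are used twice. It goes beyond the manual's sequential example, since any unused address inside the shared network passes; the host names, the plans and the 192.168.0.1 gateway address are constructed assumptions.

```python
import ipaddress

def check_plan(hosts, mask, gateway):
    """Validate a static address plan.

    hosts   -- dict of computer name -> IPv4 address string
    mask    -- subnet mask shared by every computer
    gateway -- LAN address of the router
    Returns a list of problem strings; an empty list means the plan is usable.
    """
    problems = []
    gw = ipaddress.IPv4Address(gateway)
    # The network every host must belong to is derived from gateway + mask
    net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    seen = {gw: "gateway"}
    for name, text in hosts.items():
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            problems.append(f"{name}: {text} is not a valid IPv4 address")
            continue
        if addr not in net:
            problems.append(f"{name}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is reserved in {net}")
        if addr in seen:
            problems.append(f"{name}: {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = name
    return problems

# Constructed plans; 192.168.0.1 as the gateway is an assumption
GOOD = {"pc1": "192.168.0.2", "pc2": "192.168.0.3", "pc3": "192.168.0.40"}
BAD = {"pc1": "192.168.0.2", "pc2": "192.168.1.3",
       "pc3": "192.168.0.2", "pc4": "192.168.0.255"}

if __name__ == "__main__":
    for line in check_plan(BAD, "255.255.255.0", "192.168.0.1"):
        print(line)
```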
Contacting Technical Support
You can find the most recent software and user documentation on the D-Link website. D-Link provides free technical support for customers within the United States for the duration of the warranty period on this product. U.S. customers can contact D-Link technical support through our web site, or by phone.
D-Link Technical Support over the Telephone: (800) 758-5489 24 hours a day, seven days a week.
D-Link Technical Support over the Internet: http://support.dlink.
Limited Warranty and Registration
D-Link Systems, Inc. (“D-Link”) provides this 1-Year warranty for its product only to the person or entity who originally purchased the product from:
• D-Link or its authorized reseller or distributor.
• Products purchased and delivered within the fifty United States, the District of Columbia, US Possessions or Protectorates, US Military Installations, addresses with an APO or FPO.
• After an RMA number is issued, the defective product must be packaged securely in the original or other suitable shipping package to ensure that it will not be damaged in transit, and the RMA number must be prominently marked on the outside of the package.
• The customer is responsible for all shipping charges to and from D-Link (No CODs allowed). Products sent COD will become the property of D-Link Systems, Inc. Products should be fully insured by the customer and shipped to D-Link Systems Inc.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Register Your D-Link Product Online at http://www.dlink.