D-Link DFL-500 [12/122] Connecting to the web based manager
DFL-500 User Manual
Front and back view of the DFL-500 NPG
Initial configuration
When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration
listed in DFL-500 NPG initial power on settings.
DFL-500 NPG initial power on settings
Operating mode: NAT/Route
Administrator account:
    User name: admin
    Password: (none)
Internal interface:
    IP: 192.168.1.99
    Netmask: 255.255.255.0
External interface:
    Manual:
        IP: 192.168.100.99
        Netmask: 255.255.255.0
        Default Gateway: 192.168.100.1
        Primary DNS Server: 207.194.200.1
        Secondary DNS Server: 207.194.200.129
Connecting to the web-based manager
The web-based manager is the primary tool for installing and configuring your DFL-500 NPG. Configuration
changes made with the web-based manager are effective immediately without the need to reset the firewall or
interrupt service.
To connect to the web-based manager you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.
To connect to the web-based manager:
• Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2
and a netmask of 255.255.255.0.