Feb 01

A firewall protects your network from the outside world. The D-Link DIR-655 offers firewall-type functionality. The SPI feature helps prevent cyber attacks. Sometimes you may want a computer exposed to the outside world for certain types of applications. If you choose to expose a computer, you can enable DMZ. DMZ is short for Demilitarized Zone. This option will expose the chosen computer completely to the outside world.


Enable SPI:

SPI (Stateful Packet Inspection, also known as dynamic packet filtering) helps to prevent cyber attacks by tracking more state per session. It validates that the traffic passing through the session conforms to the protocol.

NAT Endpoint Filtering:

Select one of the following for TCP and UDP ports:

Endpoint Independent – Any incoming traffic sent to an open port will be forwarded to the application that opened the port. The port will close if idle for 5 minutes.

Address Restricted – Incoming traffic must match the IP address of the outgoing connection.

Address + Port Restriction – Incoming traffic must match the IP address and port of the outgoing connection.
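The three NAT Endpoint Filtering options above, modelled as an added example (not D-Link firmware code and not part of the original article). The Nat class, addresses and ports are constructed for illustration; the model keeps one remote peer per open port and applies the 5-minute idle timeout to every mode, both simplifying assumptions.

```python
from dataclasses import dataclass

MODES = ("endpoint_independent", "address_restricted", "address_port_restricted")
IDLE_TIMEOUT = 300  # seconds; the page gives 5 minutes (applied to all modes here)

@dataclass
class Mapping:
    lan_host: str      # LAN computer that opened the port
    remote_ip: str     # destination of its outgoing connection
    remote_port: int
    last_out: float    # time of the last outgoing packet

class Nat:
    def __init__(self, mode):
        self.mode, self.table = mode, {}   # table: public port -> Mapping

    def outbound(self, lan_host, public_port, remote_ip, remote_port, now):
        self.table[public_port] = Mapping(lan_host, remote_ip, remote_port, now)

    def inbound(self, public_port, src_ip, src_port, now):
        """Return the LAN host the packet is forwarded to, or None if dropped."""
        m = self.table.get(public_port)
        if m is None:
            return None                      # nobody opened this port
        if now - m.last_out > IDLE_TIMEOUT:
            del self.table[public_port]      # idle too long: port closes
            return None
        if self.mode != "endpoint_independent" and src_ip != m.remote_ip:
            return None                      # sender is not the contacted address
        if self.mode == "address_port_restricted" and src_port != m.remote_port:
            return None                      # right address, wrong source port
        return m.lan_host

def demo():
    """Replay the same four constructed inbound packets against each mode."""
    results = {}
    for mode in MODES:
        nat = Nat(mode)
        nat.outbound("192.168.0.100", 40000, "203.0.113.10", 3478, now=0)
        results[mode] = (
            nat.inbound(40000, "203.0.113.10", 3478, now=10),   # contacted peer
            nat.inbound(40000, "203.0.113.10", 9999, now=20),   # same IP, other port
            nat.inbound(40000, "198.51.100.7", 3478, now=30),   # unrelated host
            nat.inbound(40000, "203.0.113.10", 3478, now=400),  # after idle timeout
        )
    return results

if __name__ == "__main__":
    print(demo())
```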

Enable DMZ Host:

If an application has trouble working from behind the D-Link router, you can expose one computer to the Internet and run the application on that computer.

Note: Placing a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only recommended as a last resort.

IP Address:

Specify the IP address of the computer on the LAN that you want to have unrestricted Internet communication. If this computer obtains its IP address automatically using DHCP, be sure to make a static reservation on the Basic > DHCP page so that the IP address of the DMZ machine does not change.


Aug 30

You can use the Virtual Server to forward an individual port to one of your computers. You cannot forward the same port to multiple computers. In order to configure the D-Link Virtual Server you need to know the IP address of the computer that needs the port opened and the service port number. The links below will help you find the IP address of your machine. If you don’t know which port needs to be opened, try checking the software manufacturer’s support website for information on use behind a firewall.

Configuring the Virtual Server on D-Link DI-604:

Step 1: Access the device configuration by entering 192.168.0.1 in your web browser. Log in with your username and password. The default username is admin and the password is blank.

Step 2a: If the port you need to forward is a common port, it will be under the predefined virtual server list at the bottom of the page. Click the pad and paper icon next to the virtual server entry you want to use. The Protocol Type and Service Port fields are preconfigured. Click the Enable radio button to use the virtual server. Enter the private IP address of the computer that will use the service port. Configure the Schedule as needed, then Apply your settings.


Step 2b: If the port you need to forward is not listed under the predefined virtual server list at the bottom of the page, you can create a new entry for your application. Click the Enable radio button to use the virtual server. Give your virtual server a name. Next, enter the private IP address of the computer that will use the service port. Then, select the Protocol Type and enter the Service Port. If you don’t know how to use Private and Public port assignment, then just enter the same port number in both fields. Configure the Schedule as needed and Apply your settings.


Aug 12

This article teaches you how to create and configure a custom service on the D-Link DFL-210, DFL-800 and DFL-1600 firewalls.

Step 1: Open the web browser and type the IP address of the D-Link router into the address bar (default is 192.168.1.1). Press Enter.

Step 2: Click on the plus sign next to Objects and then select Services.


Step 3: Click on Add, and then select the type of service (TCP/UDP Service, ICMP Service, IP Protocol Service, Service Group) from the dropdown menu.

Step 4: Configure the custom service as follows:

Name: enter a name as desired.
Type: select an appropriate type for this service (TCP, UDP, TCP/UDP).
Source: leave as is (By default 0-65535).
Destination: enter a port for this custom service.
Click on OK.


Step 5: Click the Configuration tab and select Save and Activate from the dropdown menu. Click on OK to save and activate the settings.


Aug 09

Intrusion Protection System and Web Content Filtering constantly updated by D-Link’s global sensor grid with Kaspersky Labs providing anti-virus signatures.

SYDNEY, Aust. — August 8, 2011

D-Link Australia & New Zealand, the end-to-end networking solutions provider for business and consumers, today introduced the DFL-260E NetDefend™ Unified Threat Management (UTM) Firewall, providing small to mid-sized businesses with comprehensive defence against virus attacks, unauthorised intrusions and harmful content.

The D-Link DFL-260E is the latest addition to D-Link’s NetDefend UTM Firewall family designed to protect small to mid-sized businesses (SMBs) from a wide variety of network threats. It includes the same comprehensive security features as the DFL-860E NetDefend™ UTM Firewall released earlier this year but with capacities and pricing to suit smaller businesses.

D-Link DFL-260E

The new UTM firewall provides integrated policy-based routing, Network Address Translation, Virtual Private Network (VPN), proactive network security, Intrusion Prevention System (IPS), Web Content Filtering, Anti-Virus Protection, traffic load balancing and bandwidth management in one rack-mountable chassis.

The firewall’s hardware is designed to increase performance, and a web surfing control database contains millions of URLs for Web Content Filtering. Real-time IPS, anti-virus and URL database update services protect the network from application exploits, network worms, malicious code attacks, and provide everything needed to manage employee Internet access behaviour.

The DFL-260E’s network management features include Remote Management, Bandwidth Control Policies, URL/Keyword Blocking, Access Policies and SNMP. For network monitoring, the firewall supports e-mail alerts, system log, consistency checks and real-time statistics.

Maintaining an effective defence requires that all three databases used by the UTM firewall are kept up to date. To provide a robust defence, D-Link offers optional 12-month NetDefend Firewall UTM Services subscriptions which include distinct NetDefend service updates for IPS, Anti-Virus and Web Content Filtering (free three-month trials are also available).


Apr 21

1. Introduction

The objective of this document is to provide a guide describing how to configure the devices to achieve the same environment as shown in the network topology. Users of this document are expected to already possess basic knowledge of D-Link devices and TheGreenBow VPN program, and to be familiar with how to perform basic configurations. Only important configurations, such as those pertaining to interfacing and integrating, will be described in this document.

2. Product used

TheGreenBow_VPN_Client 4.61.003 and the DFL-800 are used in this FAQ. The same applies to all other DFL products with NetDefend OS.

3. Network Diagram

Note: Router is set to allow IPSec pass through.

4. Configurations

In this document, we will only describe the main configurations for this scenario. The configuration settings for all the D-Link products will not be described here; for more detail about a product, you can download its user guide.

4.1 TheGreenBow VPN client and DFL-800

In this scenario the user can connect back to the headquarters database by using TheGreenBow VPN client to tunnel to the DFL-800.

All configurations are based on the DFL-800 and TheGreenBow VPN Client (F/W: 4.61.003).
The steps in this configuration are:
• Setup DFL-800 for VPN tunneling
  • Setup Pre-shared Key
  • Phase 1 and Phase 2 algorithms setup
  • Setting up IPSec-Tunnel
  • Setup IP Rules
• Setup TheGreenBow VPN client
  • Setup Phase 1
  • Setup Phase 2

4.1.1) Setup DFL-800 for VPN tunneling
4.1.1.1) Setup Pre-Shared Key

1) Log in to the DFL-800, click “Authenticate Objects”, add a new “Pre-shared Key”, and fill in the passphrase and name.

4.1.1.2) Phase 1 and Phase 2 algorithms setup

1) Under “IKE Algorithms”, select the Encryption and Integrity algorithms for Phase 1 authentication.

2) Next, under “IPSec Algorithms”, select the Encryption and Integrity algorithms for Phase 2.

4.1.1.3) Setting up IPSec-Tunnel

1) After setting up the algorithms, create the “IPSec-Tunnel” as shown below.

2) Next, click on the “Authentication” tab and select the “PreShared Key” you set up in step 1.

3) After selecting the Pre-Shared Key, enable “Dynamically add route” on the routing tab.

4) The last step is to make sure the DH Group in the IKE settings is the same as the setting in TheGreenBow client.

4.1.1.4) Setup IP Rules

Now set up the IP Rules so that the DFL-800 knows where to direct all the traffic.

1) First, add a new interface group named “IPSec-LAN” by grouping “IPSec-Tunnel” and “LAN”.

2) Next, click “IP Rules” and add a new IP rule as shown below.

4.1.2) Setup TheGreenBow VPN Client
4.1.2.1) Setup Phase 1

1) Right-click on “Root” to add a new “Phase1”, then fill in the IP address for this VPN client and the remote gateway IP, followed by the Preshared Key and IKE settings.

Note: the Preshared Key and IKE settings must be the same as those set in the DFL-800.

4.1.2.2) Setup Phase 2

1) Right-click on “Phase1” to add a new “Phase2”, then fill in the VPN client address for this VPN client and the remote gateway IP, followed by the ESP settings.

Note: the ESP Encryption and Authentication settings must be the same as in the DFL-800 IPSec-Tunnel.

5.1) Test Result

a. The VPN tunnel opens with any negotiation mode set in Phase 1 and Phase 2.

b. The DFL shows the tunnel as up in its VPN status.

c. The client is able to ping the remote network.
