Home » D-Link Manuals » Network Security & Firewall Devices » D-Link DFL-260E » Manual Viewer

D-Link DFL-260E User Manual for DFL-260E - Page 96

IPv4 and IPv6 Cannot Share an Address Group Object, Troubelshooting IPv6 with ICMP Ping

Add to My Manuals
Save this manual to your list of manuals

Page 96 highlights

3.2. IPv6 Support Chapter 3. Fundamentals IPv4 and IPv6 Cannot Share an Address Group Object IPv6 address objects are created and managed in a similar way to IPv4 objects They are called an IP6 Address and can be used in NetDefendOS rules and other objects in the same way as an IPv4 address. However, it is not possible to combine the two in one configuration object. For example, it is not possible to create an Address Group that contains both. The standard Address Group object can contain only IPv4 address objects. For IPv6 there is a special object called an IP6 Group object that can contain only IPv6 addresses. Similarly, the preconfigured all-nets address objects is a catch-all object for all IPv4 addresses. Another object, all-nets6 represents all IPv6 addreses and only IPv6 addreses. Furthermore, it is not possible to combine all-nets (all IPv4 addresses) with all-nets6 in a single Address Group object. For example, if a DropAll rule is needed as the last "catch-all" rule in an IP rule set, two rules are required to catch all IPv4 and IPv6 traffic. This is discussed further in Section 3.6, "IP Rules". In the same way, a routing table could route traffic for either a IPv4 network or an IPv6 network to the same interface but this must be done with two separate routes in the routing table, one for IPv4 and one for IPv6. It cannot be achieved using a single route. Troubelshooting IPv6 with ICMP Ping The CLI command ping can be used for both IPv4 and IPv6 addresses. For example: gw-world:/> ping 2001:DB8::2 This provides the means to determine if an IPv6 host is reachable and responding. IPv6 Usage Restrictions The following is a summary of IPv6 restrictions in the current version of NetDefendOS: • Management access with any NetDefendOS management interface is not possible using IPv6. • IP rules using IPv4 and IPv6 addresses can coexist in the same IP rule set but a single rule cannot combine IPv4 and IPv6. • IPv6 addresses are not currently supported in IP rules with the following actions: i. NAT ii. SAT iii. SLB SAT iv. Multiplex SAT • Routes using IPv4 and IPv6 addresses can coexist in the same routing table set but a single route cannot combine IPv4 and IPv6. • Routing rules using IPv4 and IPv6 addresses coexist but a single rule cannot combine IPv4 and IPv6. • IPv6 cannot be used for VPN or with ALGs, IDP or traffic shaping. 96

Section	Page
User Manual	3
Table of Contents	4
Preface	15
Chapter 1. NetDefendOS Overview	17
1.1. Features	17
1.2. NetDefendOS Architecture	20
1.2.1. State-based Architecture	20
1.2.2. NetDefendOS Building Blocks	20
1.2.3. Basic Packet Flow	21
1.3. NetDefendOS State Engine Packet Flow	24
Chapter 2. Management and Maintenance	29
2.1. Managing NetDefendOS	29
2.1.1. Overview	29
2.1.2. The Default Administrator Account	30
2.1.3. The Web Interface	30
2.1.4. The CLI	36
2.1.5. CLI Scripts	44
2.1.6. Secure Copy	48
2.1.7. The Console Boot Menu	50
2.1.8. Management Advanced Settings	52
2.1.9. Working with Configurations	53
2.2. Events and Logging	59
2.2.1. Overview	59
2.2.2. Log Messages	59
2.2.3. Creating Log Receivers	60
2.2.4. Logging to MemoryLogReceiver	60
2.2.5. Logging to Syslog Hosts	60
2.2.6. Severity Filter and Message Exceptions	62
2.2.7. SNMP Traps	62
2.2.8. Advanced Log Settings	64
2.3. RADIUS Accounting	65
2.3.1. Overview	65
2.3.2. RADIUS Accounting Messages	65
2.3.3. Interim Accounting Messages	67
2.3.4. Activating RADIUS Accounting	67
2.3.5. RADIUS Accounting Security	68
2.3.6. RADIUS Accounting and High Availability	68
2.3.7. Handling Unresponsive RADIUS Servers	68
2.3.8. Accounting and System Shutdowns	69
2.3.9. Limitations with NAT	69
2.3.10. RADIUS Advanced Settings	69
2.4. Monitoring	71
2.4.1. The Link Monitor	71
2.4.2. SNMP Monitoring	73
2.4.3. Hardware Monitoring	76
2.4.4. Memory Monitoring Settings	78
2.5. The pcapdump Command	80
2.6. Maintenance	83
2.6.1. Auto-Update Mechanism	83
2.6.2. Backing Up Configurations	83
2.6.3. Restore to Factory Defaults	85
Chapter 3. Fundamentals	88
3.1. The Address Book	88
3.1.1. Overview	88
3.1.2. IP Addresses	88
3.1.3. Ethernet Addresses	90
3.1.4. Address Groups	91
3.1.5. Auto-Generated Address Objects	92
3.1.6. Address Book Folders	92
3.2. IPv6 Support	93
3.3. Services	98
3.3.1. Overview	98
3.3.2. Creating Custom Services	99
3.3.3. ICMP Services	102
3.3.4. Custom IP Protocol Services	104
3.3.5. Service Groups	104
3.3.6. Custom Service Timeouts	105
3.4. Interfaces	106
3.4.1. Overview	106
3.4.2. Ethernet Interfaces	108
3.4.2.1. Useful CLI Commands for Ethernet Interfaces	112
3.4.3. VLAN	115
3.4.4. PPPoE	118
3.4.5. GRE Tunnels	120
3.4.6. Interface Groups	124
3.5. ARP	126
3.5.1. Overview	126
3.5.2. The NetDefendOS ARP Cache	126
3.5.3. Creating ARP Objects	128
3.5.4. Using ARP Advanced Settings	130
3.5.5. ARP Advanced Settings Summary	131
3.6. IP Rules	135
3.6.1. Security Policies	135
3.6.2. IP Rule Evaluation	138
3.6.3. IP Rule Actions	139
3.6.4. Editing IP rule set Entries	140
3.6.5. IP Rule Set Folders	141
3.6.6. Configuration Object Groups	142
3.7. Schedules	146
3.8. Certificates	148
3.8.1. Overview	148
3.8.2. Certificates in NetDefendOS	150
3.8.3. CA Certificate Requests	151
3.9. Date and Time	153
3.9.1. Overview	153
3.9.2. Setting Date and Time	153
3.9.3. Time Servers	154
3.9.4. Settings Summary for Date and Time	157
3.10. DNS	160
Chapter 4. Routing	164
4.1. Overview	164
4.2. Static Routing	165
4.2.1. The Principles of Routing	165
4.2.2. Static Routing	169
4.2.3. Route Failover	174
4.2.4. Host Monitoring for Route Failover	177
4.2.5. Advanced Settings for Route Failover	179
4.2.6. Proxy ARP	180
4.3. Policy-based Routing	183
4.4. Route Load Balancing	190
4.5. OSPF	196
4.5.1. Dynamic Routing	196
4.5.2. OSPF Concepts	199
4.5.3. OSPF Components	204
4.5.3.1. OSPF Router Process	204
4.5.3.2. OSPF Area	206
4.5.3.3. OSPF Interface	207
4.5.3.4. OSPF Neighbors	209
4.5.3.5. OSPF Aggregates	209
4.5.3.6. OSPF VLinks	209
4.5.4. Dynamic Routing Rules	210
4.5.4.1. Overview	210
4.5.4.2. Dynamic Routing Rule	212
4.5.4.3. OSPF Action	212
4.5.4.4. Routing Action	213
4.5.5. Setting Up OSPF	213
4.5.6. An OSPF Example	217
4.6. Multicast Routing	220
4.6.1. Overview	220
4.6.2. Multicast Forwarding with SAT Multiplex Rules	221
4.6.2.1. Multicast Forwarding - No Address Translation	221
4.6.2.2. Multicast Forwarding - Address Translation Scenario	224
4.6.3. IGMP Configuration	225
4.6.3.1. IGMP Rules Configuration - No Address Translation	227
4.6.3.2. IGMP Rules Configuration - Address Translation	228
4.6.4. Advanced IGMP Settings	230
4.7. Transparent Mode	233
4.7.1. Overview	233
4.7.2. Enabling Internet Access	238
4.7.3. Transparent Mode Scenarios	239
4.7.4. Spanning Tree BPDU Support	243
4.7.5. Advanced Settings for Transparent Mode	244
Chapter 5. DHCP Services	249
5.1. Overview	249
5.2. DHCP Servers	250
5.2.1. Static DHCP Hosts	253
5.2.2. Custom Options	255
5.3. DHCP Relaying	256
5.3.1. DHCP Relay Advanced Settings	257
5.4. IP Pools	259
Chapter 6. Security Mechanisms	263
6.1. Access Rules	263
6.1.1. Overview	263
6.1.2. IP Spoofing	264
6.1.3. Access Rule Settings	264
6.2. ALGs	266
6.2.1. Overview	266
6.2.2. The HTTP ALG	267
6.2.3. The FTP ALG	270
6.2.4. The TFTP ALG	279
6.2.5. The SMTP ALG	280
6.2.5.1. Anti-Spam Filtering	283
6.2.6. The POP3 ALG	289
6.2.7. The PPTP ALG	290
6.2.8. The SIP ALG	291
6.2.9. The H.323 ALG	302
6.2.10. The TLS ALG	316
6.3. Web Content Filtering	319
6.3.1. Overview	319
6.3.2. Active Content Handling	319
6.3.3. Static Content Filtering	320
6.3.4. Dynamic Web Content Filtering	322
6.3.4.1. Overview	322
6.3.4.2. Setting Up WCF	323
6.3.4.3. Content Filtering Categories	327
6.3.4.4. Customizing WCF HTML Pages	334
6.4. Anti-Virus Scanning	337
6.4.1. Overview	337
6.4.2. Implementation	337
6.4.3. Activating Anti-Virus Scanning	338
6.4.4. The Signature Database	338
6.4.5. Subscribing to the D-Link Anti-Virus Service	339
6.4.6. Anti-Virus Options	339
6.5. Intrusion Detection and Prevention	343
6.5.1. Overview	343
6.5.2. IDP Availability for D-Link Models	343
6.5.3. IDP Rules	345
6.5.4. Insertion/Evasion Attack Prevention	347
6.5.5. IDP Pattern Matching	348
6.5.6. IDP Signature Groups	349
6.5.7. IDP Actions	350
6.5.8. SMTP Log Receiver for IDP Events	351
6.6. Denial-of-Service Attack Prevention	355
6.6.1. Overview	355
6.6.2. DoS Attack Mechanisms	355
6.6.3. Ping of Death and Jolt Attacks	355
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	356
6.6.5. The Land and LaTierra attacks	356
6.6.6. The WinNuke attack	356
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	357
6.6.8. TCP SYN Flood Attacks	358
6.6.9. The Jolt2 Attack	358
6.6.10. Distributed DoS Attacks	358
6.7. Blacklisting Hosts and Networks	360
Chapter 7. Address Translation	363
7.1. Overview	363
7.2. NAT	364
7.3. NAT Pools	369
7.4. SAT	372
7.4.1. Translation of a Single IP Address (1:1)	372
7.4.2. Translation of Multiple IP Addresses (M:N)	377
7.4.3. All-to-One Mappings (N:1)	379
7.4.4. Port Translation	381
7.4.5. Protocols Handled by SAT	381
7.4.6. Multiple SAT Rule Matches	381
7.4.7. SAT and FwdFast Rules	382
Chapter 8. User Authentication	385
8.1. Overview	385
8.2. Authentication Setup	387
8.2.1. Setup Summary	387
8.2.2. The Local Database	387
8.2.3. External RADIUS Servers	389
8.2.4. External LDAP Servers	389
8.2.5. Authentication Rules	396
8.2.6. Authentication Processing	398
8.2.7. A Group Usage Example	399
8.2.8. HTTP Authentication	399
8.3. Customizing Authentication HTML Pages	404
Chapter 9. VPN	409
9.1. Overview	409
9.1.1. VPN Usage	409
9.1.2. VPN Encryption	410
9.1.3. VPN Planning	411
9.1.4. Key Distribution	411
9.1.5. The TLS Alternative for VPN	412
9.2. VPN Quick Start	413
9.2.1. IPsec LAN to LAN with Pre-shared Keys	414
9.2.2. IPsec LAN to LAN with Certificates	415
9.2.3. IPsec Roaming Clients with Pre-shared Keys	416
9.2.4. IPsec Roaming Clients with Certificates	418
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	419
9.2.6. L2TP Roaming Clients with Certificates	421
9.2.7. PPTP Roaming Clients	421
9.3. IPsec Components	423
9.3.1. Overview	423
9.3.2. Internet Key Exchange (IKE)	423
9.3.3. IKE Authentication	429
9.3.4. IPsec Protocols (ESP/AH)	430
9.3.5. NAT Traversal	431
9.3.6. Algorithm Proposal Lists	433
9.3.7. Pre-shared Keys	434
9.3.8. Identification Lists	435
9.4. IPsec Tunnels	438
9.4.1. Overview	438
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	440
9.4.3. Roaming Clients	440
9.4.4. Fetching CRLs from an alternate LDAP server	445
9.4.5. Troubleshooting with ikesnoop	446
9.4.6. IPsec Advanced Settings	453
9.5. PPTP/L2TP	457
9.5.1. PPTP Servers	457
9.5.2. L2TP Servers	458
9.5.3. L2TP/PPTP Server advanced settings	463
9.5.4. PPTP/L2TP Clients	463
9.6. SSL VPN	466
9.6.1. Overview	466
9.6.2. Configuring SSL VPN in NetDefendOS	467
9.6.3. Installing the SSL VPN Client	469
9.6.4. Setup Example	472
9.7. CA Server Access	474
9.8. VPN Troubleshooting	477
9.8.1. General Troubleshooting	477
9.8.2. Troubleshooting Certificates	478
9.8.3. IPsec Troubleshooting Commands	478
9.8.4. Management Interface Failure with VPN	479
9.8.5. Specific Error Messages	479
9.8.6. Specific Symptoms	482
Chapter 10. Traffic Management	485
10.1. Traffic Shaping	485
10.1.1. Overview	485
10.1.2. Traffic Shaping in NetDefendOS	486
10.1.3. Simple Bandwidth Limiting	488
10.1.4. Limiting Bandwidth in Both Directions	489
10.1.5. Creating Differentiated Limits Using Chains	490
10.1.6. Precedences	492
10.1.7. Pipe Groups	496
10.1.8. Traffic Shaping Recommendations	499
10.1.9. A Summary of Traffic Shaping	500
10.1.10. More Pipe Examples	501
10.2. IDP Traffic Shaping	506
10.2.1. Overview	506
10.2.2. Setting Up IDP Traffic Shaping	506
10.2.3. Processing Flow	507
10.2.4. The Importance of Specifying a Network	507
10.2.5. A P2P Scenario	508
10.2.6. Viewing Traffic Shaping Objects	509
10.2.7. Guaranteeing Instead of Limiting Bandwidth	510
10.2.8. Logging	510
10.3. Threshold Rules	511
10.4. Server Load Balancing	514
10.4.1. Overview	514
10.4.2. SLB Distribution Algorithms	515
10.4.3. Selecting Stickiness	516
10.4.4. SLB Algorithms and Stickiness	517
10.4.5. Server Health Monitoring	518
10.4.6. Setting Up SLB_SAT Rules	519
Chapter 11. High Availability	523
11.1. Overview	523
11.2. HA Mechanisms	525
11.3. Setting Up HA	528
11.3.1. HA Hardware Setup	528
11.3.2. NetDefendOS Manual HA Setup	529
11.3.3. Verifying the Cluster Functions	530
11.3.4. Unique Shared Mac Addresses	531
11.4. HA Issues	532
11.5. Upgrading an HA Cluster	534
11.6. Link Monitoring and HA	536
11.7. HA Advanced Settings	537
Chapter 12. ZoneDefense	539
12.1. Overview	539
12.2. ZoneDefense Switches	540
12.3. ZoneDefense Operation	541
12.3.1. SNMP	541
12.3.2. Threshold Rules	541
12.3.3. Manual Blocking and Exclude Lists	541
12.3.4. ZoneDefense with Anti-Virus Scanning	543
12.3.5. Limitations	543
Chapter 13. Advanced Settings	546
13.1. IP Level Settings	546
13.2. TCP Level Settings	550
13.3. ICMP Level Settings	555
13.4. State Settings	556
13.5. Connection Timeout Settings	558
13.6. Length Limit Settings	560
13.7. Fragmentation Settings	562
13.8. Local Fragment Reassembly Settings	566
13.9. Miscellaneous Settings	567
Appendix A. Subscribing to Updates	570
Appendix B. IDP Signature Groups	572
Appendix C. Verified MIME filetypes	576
Appendix D. The OSI Framework	580

Match case Limit results 1 per page

IPv4 and IPv6 Cannot Share an Address Group Object

IPv6 address objects are created and managed in a similar way to IPv4 objects They are called an

IP6 Address

and can be used in NetDefendOS rules and other objects in the same way as an IPv4

address. However,

it is not possible to combine the two in one configuration object

For example, it is not possible to create an

Address Group

that contains both. The standard

Address

Group

object can contain only IPv4 address objects. For IPv6 there is a special object called an

IP6

Group

object that can contain only IPv6 addresses.

Similarly, the preconfigured

all-nets

address objects is a catch-all object for all IPv4 addresses.

Another object,

all-nets6

represents

all

IPv6 addreses and

only

IPv6 addreses.

Furthermore, it is not possible to combine

all-nets

(all IPv4 addresses) with

all-nets6

in a single

Address Group

object. For example, if a

DropAll

rule is needed as the last "catch-all" rule in an IP

rule set, two rules are required to catch all IPv4 and IPv6 traffic. This is discussed further in

Section 3.6, “IP Rules”

In the same way, a routing table could route traffic for either a IPv4 network or an IPv6 network to

the same interface but this must be done with two separate routes in the routing table, one for IPv4

and one for IPv6. It cannot be achieved using a single route.

Troubelshooting IPv6 with ICMP Ping

The CLI command

ping

can be used for both IPv4 and IPv6 addresses. For example:

gw-world:/>

ping 2001:DB8::2

This provides the means to determine if an IPv6 host is reachable and responding.

IPv6 Usage Restrictions

The following is a summary of IPv6 restrictions in the current version of NetDefendOS:

•

Management access with any NetDefendOS management interface is not possible using IPv6.

•

IP rules using IPv4 and IPv6 addresses can coexist in the same IP rule set but a single rule

cannot combine IPv4 and IPv6.

•

IPv6 addresses are

not

currently supported in IP rules with the following actions:

NAT

ii.

SAT

iii.

SLB SAT

iv.

Multiplex SAT

•

Routes using IPv4 and IPv6 addresses can coexist in the same routing table set but a single route

cannot combine IPv4 and IPv6.

•

Routing rules using IPv4 and IPv6 addresses coexist but a single rule cannot combine IPv4 and

IPv6.

•

IPv6 cannot be used for VPN or with ALGs, IDP or traffic shaping.

3.2. IPv6 Support

Chapter 3. Fundamentals