Home » D-Link Manuals » Network Security & Firewall Devices » D-Link DFL-860E » Manual Viewer

D-Link DFL-860E User Manual for DFL-260E - Page 188

Important: Ensure all-nets appears in the main table, will mean that the connection will be dropped.

Add to My Manuals
Save this manual to your list of manuals

Page 188 highlights

4.3. Policy-based Routing Chapter 4. Routing Important: Ensure all-nets appears in the main table A common mistake when setting up policy-based routing is the absence of a default route with a destination interface of all-nets in the default main routing table. If there is no route that is an exact match then the absence of a default all-nets route will mean that the connection will be dropped. Example 4.7. Policy-based Routing with Multiple ISPs This example illustrates a multiple ISP scenario which is a common use of policy-based routing. The following is assumed: • Each ISP will provide an IPv4 network from its network range. A 2 ISP scenario is assumed in this case, with the network 10.10.10.0/24 belonging to ISP A and 20.20.20.0/24 belonging to ISP B. The ISP provided gateways are 10.10.10.1 and 20.20.20.1 respectively. • All addresses in this scenario are public addresses for the sake of simplicity. • This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the NetDefend Firewall. In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one from each ISP. However, this difference does not matter for the policy routing setup itself. Note that, for a single organization, Internet connectivity through multiple ISPs is normally best done with the BGP protocol, which means not worrying about different IP spans or about policy routing. Unfortunately, this is not always possible, and this is where Policy Based Routing becomes a necessity. We will set up the main routing table to use ISP A and add a named routing table called r2 that uses the default gateway of ISP B. Interface lan1 lan1 wan1 wan2 wan1 Network 10.10.10.0/24 20.20.20.0/24 10.10.10.1/32 20.20.20.1/32 all-nets Gateway 10.10.10.1 ProxyARP wan1 wan2 lan1 lan1 Contents of the named Policy-based Routing table r2: Interface wan2 Network all-nets Gateway 20.20.20.1 The table r2 has its Ordering parameter set to Default, which means that it will only be consulted if the main routing table lookup matches the default route (all-nets). Contents of the Policy-based Routing Policy: Source Interface lan1 wan2 Source Range 10.10.10.0/24 all-nets Destination Interface wan2 lan1 Destination Range all-nets 20.20.20.0/24 Selected/ Service ALL ALL Forward VR table r2 r2 Return VR table r2 r2 To configure this example scenario: Web Interface 1. Add the routes found in the list of routes in the main routing table, as shown earlier. 188

Section	Page
User Manual	3
Table of Contents	4
Preface	15
Chapter 1. NetDefendOS Overview	17
1.1. Features	17
1.2. NetDefendOS Architecture	20
1.2.1. State-based Architecture	20
1.2.2. NetDefendOS Building Blocks	20
1.2.3. Basic Packet Flow	21
1.3. NetDefendOS State Engine Packet Flow	24
Chapter 2. Management and Maintenance	29
2.1. Managing NetDefendOS	29
2.1.1. Overview	29
2.1.2. The Default Administrator Account	30
2.1.3. The Web Interface	30
2.1.4. The CLI	36
2.1.5. CLI Scripts	44
2.1.6. Secure Copy	48
2.1.7. The Console Boot Menu	50
2.1.8. Management Advanced Settings	52
2.1.9. Working with Configurations	53
2.2. Events and Logging	59
2.2.1. Overview	59
2.2.2. Log Messages	59
2.2.3. Creating Log Receivers	60
2.2.4. Logging to MemoryLogReceiver	60
2.2.5. Logging to Syslog Hosts	60
2.2.6. Severity Filter and Message Exceptions	62
2.2.7. SNMP Traps	62
2.2.8. Advanced Log Settings	64
2.3. RADIUS Accounting	65
2.3.1. Overview	65
2.3.2. RADIUS Accounting Messages	65
2.3.3. Interim Accounting Messages	67
2.3.4. Activating RADIUS Accounting	67
2.3.5. RADIUS Accounting Security	68
2.3.6. RADIUS Accounting and High Availability	68
2.3.7. Handling Unresponsive RADIUS Servers	68
2.3.8. Accounting and System Shutdowns	69
2.3.9. Limitations with NAT	69
2.3.10. RADIUS Advanced Settings	69
2.4. Monitoring	71
2.4.1. The Link Monitor	71
2.4.2. SNMP Monitoring	73
2.4.3. Hardware Monitoring	76
2.4.4. Memory Monitoring Settings	78
2.5. The pcapdump Command	80
2.6. Maintenance	83
2.6.1. Auto-Update Mechanism	83
2.6.2. Backing Up Configurations	83
2.6.3. Restore to Factory Defaults	85
Chapter 3. Fundamentals	88
3.1. The Address Book	88
3.1.1. Overview	88
3.1.2. IP Addresses	88
3.1.3. Ethernet Addresses	90
3.1.4. Address Groups	91
3.1.5. Auto-Generated Address Objects	92
3.1.6. Address Book Folders	92
3.2. IPv6 Support	93
3.3. Services	98
3.3.1. Overview	98
3.3.2. Creating Custom Services	99
3.3.3. ICMP Services	102
3.3.4. Custom IP Protocol Services	104
3.3.5. Service Groups	104
3.3.6. Custom Service Timeouts	105
3.4. Interfaces	106
3.4.1. Overview	106
3.4.2. Ethernet Interfaces	108
3.4.2.1. Useful CLI Commands for Ethernet Interfaces	112
3.4.3. VLAN	115
3.4.4. PPPoE	118
3.4.5. GRE Tunnels	120
3.4.6. Interface Groups	124
3.5. ARP	126
3.5.1. Overview	126
3.5.2. The NetDefendOS ARP Cache	126
3.5.3. Creating ARP Objects	128
3.5.4. Using ARP Advanced Settings	130
3.5.5. ARP Advanced Settings Summary	131
3.6. IP Rules	135
3.6.1. Security Policies	135
3.6.2. IP Rule Evaluation	138
3.6.3. IP Rule Actions	139
3.6.4. Editing IP rule set Entries	140
3.6.5. IP Rule Set Folders	141
3.6.6. Configuration Object Groups	142
3.7. Schedules	146
3.8. Certificates	148
3.8.1. Overview	148
3.8.2. Certificates in NetDefendOS	150
3.8.3. CA Certificate Requests	151
3.9. Date and Time	153
3.9.1. Overview	153
3.9.2. Setting Date and Time	153
3.9.3. Time Servers	154
3.9.4. Settings Summary for Date and Time	157
3.10. DNS	160
Chapter 4. Routing	164
4.1. Overview	164
4.2. Static Routing	165
4.2.1. The Principles of Routing	165
4.2.2. Static Routing	169
4.2.3. Route Failover	174
4.2.4. Host Monitoring for Route Failover	177
4.2.5. Advanced Settings for Route Failover	179
4.2.6. Proxy ARP	180
4.3. Policy-based Routing	183
4.4. Route Load Balancing	190
4.5. OSPF	196
4.5.1. Dynamic Routing	196
4.5.2. OSPF Concepts	199
4.5.3. OSPF Components	204
4.5.3.1. OSPF Router Process	204
4.5.3.2. OSPF Area	206
4.5.3.3. OSPF Interface	207
4.5.3.4. OSPF Neighbors	209
4.5.3.5. OSPF Aggregates	209
4.5.3.6. OSPF VLinks	209
4.5.4. Dynamic Routing Rules	210
4.5.4.1. Overview	210
4.5.4.2. Dynamic Routing Rule	212
4.5.4.3. OSPF Action	212
4.5.4.4. Routing Action	213
4.5.5. Setting Up OSPF	213
4.5.6. An OSPF Example	217
4.6. Multicast Routing	220
4.6.1. Overview	220
4.6.2. Multicast Forwarding with SAT Multiplex Rules	221
4.6.2.1. Multicast Forwarding - No Address Translation	221
4.6.2.2. Multicast Forwarding - Address Translation Scenario	224
4.6.3. IGMP Configuration	225
4.6.3.1. IGMP Rules Configuration - No Address Translation	227
4.6.3.2. IGMP Rules Configuration - Address Translation	228
4.6.4. Advanced IGMP Settings	230
4.7. Transparent Mode	233
4.7.1. Overview	233
4.7.2. Enabling Internet Access	238
4.7.3. Transparent Mode Scenarios	239
4.7.4. Spanning Tree BPDU Support	243
4.7.5. Advanced Settings for Transparent Mode	244
Chapter 5. DHCP Services	249
5.1. Overview	249
5.2. DHCP Servers	250
5.2.1. Static DHCP Hosts	253
5.2.2. Custom Options	255
5.3. DHCP Relaying	256
5.3.1. DHCP Relay Advanced Settings	257
5.4. IP Pools	259
Chapter 6. Security Mechanisms	263
6.1. Access Rules	263
6.1.1. Overview	263
6.1.2. IP Spoofing	264
6.1.3. Access Rule Settings	264
6.2. ALGs	266
6.2.1. Overview	266
6.2.2. The HTTP ALG	267
6.2.3. The FTP ALG	270
6.2.4. The TFTP ALG	279
6.2.5. The SMTP ALG	280
6.2.5.1. Anti-Spam Filtering	283
6.2.6. The POP3 ALG	289
6.2.7. The PPTP ALG	290
6.2.8. The SIP ALG	291
6.2.9. The H.323 ALG	302
6.2.10. The TLS ALG	316
6.3. Web Content Filtering	319
6.3.1. Overview	319
6.3.2. Active Content Handling	319
6.3.3. Static Content Filtering	320
6.3.4. Dynamic Web Content Filtering	322
6.3.4.1. Overview	322
6.3.4.2. Setting Up WCF	323
6.3.4.3. Content Filtering Categories	327
6.3.4.4. Customizing WCF HTML Pages	334
6.4. Anti-Virus Scanning	337
6.4.1. Overview	337
6.4.2. Implementation	337
6.4.3. Activating Anti-Virus Scanning	338
6.4.4. The Signature Database	338
6.4.5. Subscribing to the D-Link Anti-Virus Service	339
6.4.6. Anti-Virus Options	339
6.5. Intrusion Detection and Prevention	343
6.5.1. Overview	343
6.5.2. IDP Availability for D-Link Models	343
6.5.3. IDP Rules	345
6.5.4. Insertion/Evasion Attack Prevention	347
6.5.5. IDP Pattern Matching	348
6.5.6. IDP Signature Groups	349
6.5.7. IDP Actions	350
6.5.8. SMTP Log Receiver for IDP Events	351
6.6. Denial-of-Service Attack Prevention	355
6.6.1. Overview	355
6.6.2. DoS Attack Mechanisms	355
6.6.3. Ping of Death and Jolt Attacks	355
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea	356
6.6.5. The Land and LaTierra attacks	356
6.6.6. The WinNuke attack	356
6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle	357
6.6.8. TCP SYN Flood Attacks	358
6.6.9. The Jolt2 Attack	358
6.6.10. Distributed DoS Attacks	358
6.7. Blacklisting Hosts and Networks	360
Chapter 7. Address Translation	363
7.1. Overview	363
7.2. NAT	364
7.3. NAT Pools	369
7.4. SAT	372
7.4.1. Translation of a Single IP Address (1:1)	372
7.4.2. Translation of Multiple IP Addresses (M:N)	377
7.4.3. All-to-One Mappings (N:1)	379
7.4.4. Port Translation	381
7.4.5. Protocols Handled by SAT	381
7.4.6. Multiple SAT Rule Matches	381
7.4.7. SAT and FwdFast Rules	382
Chapter 8. User Authentication	385
8.1. Overview	385
8.2. Authentication Setup	387
8.2.1. Setup Summary	387
8.2.2. The Local Database	387
8.2.3. External RADIUS Servers	389
8.2.4. External LDAP Servers	389
8.2.5. Authentication Rules	396
8.2.6. Authentication Processing	398
8.2.7. A Group Usage Example	399
8.2.8. HTTP Authentication	399
8.3. Customizing Authentication HTML Pages	404
Chapter 9. VPN	409
9.1. Overview	409
9.1.1. VPN Usage	409
9.1.2. VPN Encryption	410
9.1.3. VPN Planning	411
9.1.4. Key Distribution	411
9.1.5. The TLS Alternative for VPN	412
9.2. VPN Quick Start	413
9.2.1. IPsec LAN to LAN with Pre-shared Keys	414
9.2.2. IPsec LAN to LAN with Certificates	415
9.2.3. IPsec Roaming Clients with Pre-shared Keys	416
9.2.4. IPsec Roaming Clients with Certificates	418
9.2.5. L2TP Roaming Clients with Pre-Shared Keys	419
9.2.6. L2TP Roaming Clients with Certificates	421
9.2.7. PPTP Roaming Clients	421
9.3. IPsec Components	423
9.3.1. Overview	423
9.3.2. Internet Key Exchange (IKE)	423
9.3.3. IKE Authentication	429
9.3.4. IPsec Protocols (ESP/AH)	430
9.3.5. NAT Traversal	431
9.3.6. Algorithm Proposal Lists	433
9.3.7. Pre-shared Keys	434
9.3.8. Identification Lists	435
9.4. IPsec Tunnels	438
9.4.1. Overview	438
9.4.2. LAN to LAN Tunnels with Pre-shared Keys	440
9.4.3. Roaming Clients	440
9.4.4. Fetching CRLs from an alternate LDAP server	445
9.4.5. Troubleshooting with ikesnoop	446
9.4.6. IPsec Advanced Settings	453
9.5. PPTP/L2TP	457
9.5.1. PPTP Servers	457
9.5.2. L2TP Servers	458
9.5.3. L2TP/PPTP Server advanced settings	463
9.5.4. PPTP/L2TP Clients	463
9.6. SSL VPN	466
9.6.1. Overview	466
9.6.2. Configuring SSL VPN in NetDefendOS	467
9.6.3. Installing the SSL VPN Client	469
9.6.4. Setup Example	472
9.7. CA Server Access	474
9.8. VPN Troubleshooting	477
9.8.1. General Troubleshooting	477
9.8.2. Troubleshooting Certificates	478
9.8.3. IPsec Troubleshooting Commands	478
9.8.4. Management Interface Failure with VPN	479
9.8.5. Specific Error Messages	479
9.8.6. Specific Symptoms	482
Chapter 10. Traffic Management	485
10.1. Traffic Shaping	485
10.1.1. Overview	485
10.1.2. Traffic Shaping in NetDefendOS	486
10.1.3. Simple Bandwidth Limiting	488
10.1.4. Limiting Bandwidth in Both Directions	489
10.1.5. Creating Differentiated Limits Using Chains	490
10.1.6. Precedences	492
10.1.7. Pipe Groups	496
10.1.8. Traffic Shaping Recommendations	499
10.1.9. A Summary of Traffic Shaping	500
10.1.10. More Pipe Examples	501
10.2. IDP Traffic Shaping	506
10.2.1. Overview	506
10.2.2. Setting Up IDP Traffic Shaping	506
10.2.3. Processing Flow	507
10.2.4. The Importance of Specifying a Network	507
10.2.5. A P2P Scenario	508
10.2.6. Viewing Traffic Shaping Objects	509
10.2.7. Guaranteeing Instead of Limiting Bandwidth	510
10.2.8. Logging	510
10.3. Threshold Rules	511
10.4. Server Load Balancing	514
10.4.1. Overview	514
10.4.2. SLB Distribution Algorithms	515
10.4.3. Selecting Stickiness	516
10.4.4. SLB Algorithms and Stickiness	517
10.4.5. Server Health Monitoring	518
10.4.6. Setting Up SLB_SAT Rules	519
Chapter 11. High Availability	523
11.1. Overview	523
11.2. HA Mechanisms	525
11.3. Setting Up HA	528
11.3.1. HA Hardware Setup	528
11.3.2. NetDefendOS Manual HA Setup	529
11.3.3. Verifying the Cluster Functions	530
11.3.4. Unique Shared Mac Addresses	531
11.4. HA Issues	532
11.5. Upgrading an HA Cluster	534
11.6. Link Monitoring and HA	536
11.7. HA Advanced Settings	537
Chapter 12. ZoneDefense	539
12.1. Overview	539
12.2. ZoneDefense Switches	540
12.3. ZoneDefense Operation	541
12.3.1. SNMP	541
12.3.2. Threshold Rules	541
12.3.3. Manual Blocking and Exclude Lists	541
12.3.4. ZoneDefense with Anti-Virus Scanning	543
12.3.5. Limitations	543
Chapter 13. Advanced Settings	546
13.1. IP Level Settings	546
13.2. TCP Level Settings	550
13.3. ICMP Level Settings	555
13.4. State Settings	556
13.5. Connection Timeout Settings	558
13.6. Length Limit Settings	560
13.7. Fragmentation Settings	562
13.8. Local Fragment Reassembly Settings	566
13.9. Miscellaneous Settings	567
Appendix A. Subscribing to Updates	570
Appendix B. IDP Signature Groups	572
Appendix C. Verified MIME filetypes	576
Appendix D. The OSI Framework	580

Match case Limit results 1 per page

Important: Ensure all-nets appears in the main table

A common mistake when setting up policy-based routing is the absence of a default

route with a destination interface of

all-nets

in the default

main

routing table.

If there is no route that is an exact match then the absence of a default

all-nets

route

will mean that the connection will be dropped.

Example 4.7. Policy-based Routing with Multiple ISPs

This example illustrates a multiple ISP scenario which is a common use of policy-based routing. The following is

assumed:

•

Each ISP will provide an IPv4 network from its network range. A 2 ISP scenario is assumed in this case, with

the network

10.10.10.0/24

belonging to ISP A and

20.20.20.0/24

belonging to ISP B. The ISP provided

gateways are

10.10.10.1

and

20.20.20.1

respectively.

•

All addresses in this scenario are public addresses for the sake of simplicity.

•

This is a "drop-in" design, where there are no explicit routing subnets between the ISP gateways and the

NetDefend Firewall.

In a provider-independent network, clients will likely have a single IP address, belonging to one of the ISPs. In a

single-organization scenario, publicly accessible servers will be configured with two separate IP addresses: one

from each ISP. However, this difference does not matter for the policy routing setup itself.

Note that, for a single organization, Internet connectivity through multiple ISPs is normally best done with the BGP

protocol, which means not worrying about different IP spans or about policy routing. Unfortunately, this is not

always possible, and this is where

Policy Based Routing

becomes a necessity.

We will set up the main routing table to use ISP A and add a named routing table called

that uses the default

gateway of ISP B.

Interface

Network

Gateway

ProxyARP

lan1

10.10.10.0/24

wan1

lan1

20.20.20.0/24

wan2

wan1

10.10.10.1/32

lan1

wan2

20.20.20.1/32

lan1

wan1

all-nets

10.10.10.1

Contents of the named Policy-based Routing table

Interface

Network

Gateway

wan2

all-nets

20.20.20.1

The table

has its

Ordering

parameter set to

Default

, which means that it will only be consulted if the main

routing table lookup matches the default route (

all-nets

Contents of the Policy-based Routing Policy:

Source

Interface

Source

Range

Destination

Interface

Destination

Range

Selected/

Service

Forward

VR table

Return

VR table

lan1

10.10.10.0/24

wan2

all-nets

ALL

wan2

all-nets

lan1

20.20.20.0/24

ALL

To configure this example scenario:

Web Interface

Add the routes found in the list of routes in the main routing table, as shown earlier.

4.3. Policy-based Routing

Chapter 4. Routing

188