Product Manual
Page 5
... Device Setup 121 8.2 SMS service...122 3 Securing the Private Network 65 5.1 Firewall Rules ...65 5.2 Defining Rule Schedules 66 5.3 Configuring Firewall Rules 67 5.3.1 Firewall Rule Configuration Examples 72 5.4 Security on Custom Services 76 5.5 ALG support...77 5.6 VPN Passthrough for Firewall 78 5.7 Application Rules ...79 5.8 5.8.1 5.8.2 5.8.3 5.8.4 Web Content Filtering 80 Content Filtering...80 Approved URLs ...81...
Page 6
...your PC to E-mail or Syslog 135 Event Log Viewer in GUI 137 9.5 Backing up and Restoring Configuration Settings 138 9.6 Upgrading Router Firmware 139 9.7 Dynamic DNS Setup 140 9.8 9.8.1 9.8.2 9.8.3 9.8.4 Using ...VPN Tunnels 154 Chapter 11. Credits ...161 Appendix A. Factory Default Settings 165 Appendix C. Glossary ...162 Appendix B. Administration & Management 127 9.1 Configuration Access Control 127 9.1.1 Remote Management 127 9.1.2 CLI Access ...128 9.2 SNMP Configuration 128 9.3 Configuring Time Zone and NTP 130 9.4 9.4.1 9.4.2 9.4.3 Log Configuration...
Page 9
... 54: Example of three IPsec client connections to the internal network through the DSR IPsec gateway ...89 Figure 55: VPN Wizard launch screen ...90 Figure 56: IPsec policy configuration...93 Figure 57: IPsec policy configuration continued (Auto policy via IKE 94 Figure 58: IPsec policy configuration continued (Auto / Manual Phase 2 95 Figure 59: PPTP tunnel...
Page 10
...status and associated Group 109 Figure 72: User configuration options...110 Figure 73: List of SSL VPN polices (Global filter 111 Figure 74: SSL VPN policy configuration 112 Figure 75: List of configured resources, which are available to assign to the DSR 102 Figure 65: List of groups ...103 ...Figure 66: User group configuration ...104 Figure 67: SSLVPN Settings......
Page 11
Unified Services Router User Manual Figure 98: Dynamic DNS configuration 141 Figure 99: Router diagnostics tools available in the GUI 142 Figure 100: Sample trace route output 143 Figure 101: Device Status display...145 Figure ... 152 Figure 109: List of connected 802.11 clients per AP 153 Figure 110: List of LAN hosts ...154 Figure 111: List of current Active VPN Sessions 155 9
Page 12
...DSR 1000N can be configured to automatically switch to a 3G network whenever a physical link is lost. Integrated high-speed IEEE 802.11n and 3G wireless technologies offer comparable performance to provide high data rates with minimal "dead spots" throughout the wireless coverage area. DSR-250N and DSR... access anywhere and anytime using SSL VPN tunnels. The second WAN port can be configured as virtual private network (VPN) tunnels, IP Security (IPsec), Point-to isolate servers from your business operations. With the D-Link Unified Services Router you to -Point...
Page 13
... and 75 simultaneous IPSec VPN tunnels respectively. Efficient D-Link Green Technology As a concerned member of the global community, D-Link is devoted to providing eco-friendly products. o Model numbers DSR-500/500N/1000/1000N/250/250N GUI Menu Path/GUI Navigation - For more detailed setup instructions and explanations of each configuration parameter, refer to the...
Page 31
...the connection is idle for a period of routing manually by your LAN hosts to access internet sites over this WAN link while still permitting VPN traffic to be directed to a VPN configured on the ISP you to enable Microsoft Point-to-Point Encryption (MPPE). Split Tunnel (supported for L2TP ...assists with a USB modem is supported on , click Keep Connected. Required fields for this WAN port. If split tunnel is enabled, DSR won't expect a default route from Static Routing page. Connectivity Type: To keep the connection always on WAN3. for Japan ISPs that have...
Page 47
The computers that arrive on the LAN interface are configured to be assigned IP addresses from a private subnet. Transparent routing between the LAN and WAN does not perform NAT. All DSR features (such as "NAT loopback" since LAN generated traffic is a technique which allows ... to be in the same broadcast domain. NAT routing has a feature called "NAT Hair-pinning" that you . NAT is configured with connection sharing, NAT also hides internal IP addresses from LAN to access internal servers (eg. Along with a single "public" IP address....
Page 80
A specific firewall rule or service is not appropriate to allow encrypted VPN traffic for Firewall Advanced > Firewall Settings > VPN Passthrough This router's firewall settings can be enabled. 78 User Manual 5.6 VPN Passthrough for IPsec, PPTP, and L2TP VPN tunnel connections between the LAN and internet. Unified Services Router Figure 43: Available ALG support on the router. instead the appropriate check boxes in the VPN Passthrough page must be configured to introduce this passthrough support;
Page 81
...IP or IP range. Some applications require that is a dependency on one of the defined outgoing ports, and then opens an incoming port for VPN tunnels User Manual 5.7 Application Rules Advanced > Application Rules > Application Rules Application rules are opened outgoing or incoming port(s). This can also specify...forwarding does not offer. Port triggering is not appropriate for servers on the LAN, since there is an available option when configuring firewall rules. You can be forwarded to open when enabled. 79 This feature allows devices on the LAN or DMZ to request one...
Page 92
... a host on the VPN client or gateway to quickly create both IKE and VPN policies. Once the IKE or VPN policy is used for management, and the pre-shared key will be configured for this tunnel; Unified Services Router User Manual 6.1 VPN Wizard Setup > Wizard > VPN Wizard You can modify it... as required. Figure 55: VPN Wizard launch screen ...
Page 93
...the remote endpoint of the tunnel by FQDN or static IP address Local WAN IP address / FQDN: This field can be accessed from a link on the local LAN. 4. Review the settings and click Connect to is received from Wizard Aggressive (Client policy ) or Main (Gateway policy) FQDN wan_local... Remote Accessibility fields to Client policies) 3DES SHA-1 Pre-shared Key DH-Group 2(1024 bit) 24 hours 8 hours 91 Configure Remote and Local WAN address for a VPN Client or Gateway policy (these can be different from the IP address range used on the remote LAN must be left blank...
Page 94
... two policy endpoints. Transport: This is used for network-to site VPN tunnel. Refer to set up an Auto IPsec policy. Easy Setup Site to configure VPN policies through the edit link. As well in this router and the tunnel endpoint, either tunnel or transport ... communication between this router and another IPsec gateway or an IPsec VPN client on a remote host. Once the Wizard creates the matching IKE and VPN policies required by importing a file containing vpn policies. 6.2 Configuring IPsec Policies Setup > VPN Settings > IPsec > IPsec Policies An IPsec policy is between...
Page 95
...addresses of the machine or machines on the two VPN endpoints are defined you can be Manual or Auto. Unified Services Router Figure 56: IPsec policy configuration User Manual Once the tunnel type and endpoints of the tunnel are configured here, along with the policy parameters required to ...secure the tunnel 93 The Phase 2 Auto policy parameters cover the security association lifetime and encryption/authentication details of the IKE/VPN policy pair required to define the tunnel's...
Page 96
Unified Services Router User Manual Figure 57: IPsec policy configuration continued (Auto policy via IKE) A Manual policy does not use IKE and instead relies on... keys must be used only if your WAN is configured in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint. DSR supports VPN roll-over feature. Note that policies configured on primary WAN will rollover to exchange authentication parameters... index (SPI) values must match on manual keying to the secondary WAN in case of a link failure on the remote tunnel endpoint.
Page 97
... (PAP or CHAP). PAP, the router first checks in the router are available; Unified Services Router User Manual Figure 58: IPsec policy configuration continued (Auto / Manual Phase 2) 6.2.1 Extended Authentication (XAUTH) You can secure the connection between the router and the RADIUS server with ...an external authentication server such as a RADIUS server. Rather than configure a unique VPN policy for each user, you can configure the VPN gateway router to authenticate users. With a user database, user accounts created in the user database to see ...
Page 98
... user can be configured with the same VPN policy parameters used in the VPN tunnel that are authorized to establish a VPN tunnel between the LAN VPN client and the VPN server. 6.4.1 PPTP Tunnel Support Setup > VPN Settings > PPTP > PPTP Client PPTP VPN Client can access Status > Active VPNs page and establish PPTP VPN tunnel clicking Connect. Alternatively VPN tunnel users can...
Page 99
Once enabled a PPTP server is enabled, PPTP clients that are within the range of configured IP addresses of allowed clients can be established through this router. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to ... on the router for LAN and WAN PPTP client users to the network managed by the router. 97 PPTP Client User Manual Figure 60: PPTP VPN connection status Setup > VPN Settings > PPTP > PPTP Server A PPTP VPN can reach the router's PPTP server. Unified Services Router Figure 59: PPTP tunnel configuration -
Page 100
Once enabled a L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can be established through this router. PPTP Server User Manual 6.4.2 L2TP Tunnel Support Setup > VPN Settings > L2TP > L2TP Server A L2TP VPN can reach the router's L2TP server. Once authenticated by the L2TP server (the... on the router for LAN and WAN L2TP client users to the network managed by the router. 98 Unified Services Router Figure 61: PPTP tunnel configuration -