Unified Services Router User Manual Wireless N Service Router DSR-250NB1 DSR-150/150N/250/250N/500/500N/1000/1000N Version 2.
Preface
The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.
Safety Instructions
Use the following safety guidelines to ensure your own personal safety and to help protect your system from potential damage.
Safety Cautions
To reduce the risk of bodily injury, electrical shock, fire, and damage to the equipment, observe the following precautions:
• Observe and follow service markings.
• Do not service any product except as explained in your system documentation.
• These cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cable, use a 3-wire cable with properly grounded plugs.
• Observe extension cable and power strip ratings. Make sure that the total ampere rating of all products plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings limit for the extension cable or power strip.
Protecting Against Electrostatic Discharge
Static electricity can harm delicate components inside your system. To prevent static damage, discharge static electricity from your body before you touch any of the electronic components, such as the microprocessor. You can do so by periodically touching an unpainted metal surface on the chassis. You can also take the following steps to prevent damage from electrostatic discharge (ESD):
1.
Power Usage
This device is an Energy Related Product (ErP) with High Network Availability (HiNA), and automatically switches to a power-saving Network Standby mode within 1 minute of no packets being transmitted. It can also be turned off through a power switch to save energy when it is not needed.
DSR-250N/DSR-250NB1: Network Standby: 7.8336 watts; Switched Off: 0.1301 watts
DSR-250: Network Standby: 7.8588 watts; Switched Off: 0.1290 watts
DSR-150N: Network Standby: 8.2317 watts; Switched Off: 0.
Table of Contents
Preface, page i
Manual Revisions, page i
Trademarks/Copyright Notice
Static IP, page 31
PPPoE, page 32
PPTP
ISATAP, page 72
LAN Settings, page 73
DHCPv6 Server
Client Routes, page 116
Open VPN, page 117
Settings
Application Rules, page 156
Attack Checks, page 158
Intel® AMT
System Logs, page 194
Remote Logs, page 195
Syslog Server
Appendix D - Log Output Reference, page 231
Appendix E - RJ-45 Pin-outs, page 294
Appendix F - New Wi Fi Frequency table (New appendix section), page 295
Appendix G - Product Statement
Section 1 - Introduction
D-Link Services Routers offer a secure, high performance networking solution to address the growing needs of small and medium businesses. Integrated high-speed IEEE 802.11n and 3G wireless technologies offer comparable performance to traditional wired networks, but with fewer limitations.
• Efficient D-Link Green Technology
As a concerned member of the global community, D-Link is devoted to providing eco-friendly products. D-Link Green Wi-Fi and D-Link Green Ethernet save power and prevent waste. The D-Link Green WLAN scheduler reduces wireless power automatically during off-peak hours. Likewise the D-Link Green Ethernet program adjusts power usage based on the detected cable length and link status.
Section 2 - Installation
This section provides information and steps on how to connect your DSR router to your network.
Before you Begin
Observe the following precautions to help prevent shutdowns, equipment failures, and injuries:
• Ensure that the room in which you operate the device has adequate air circulation and that the room temperature does NOT exceed 40˚C (104˚F).
• Allow 1 meter (3 feet) of clear space to the front and back of the device.
Section 3 - Basic Configuration
After you install the router, perform the basic configuration instructions described in this section which includes:
• “#1 Log in to the Web UI” on page 5
• “#2 Change LAN IP Address” on page 6
• “#3 Configure DHCP Server” on page 7
• “#4 Set Time and Date” on page 8
• “#5 Internet Connection Setup” on page 9
• “#6 Wireless Network Setup” on page 12
• “#7 Create Users” on page 13
• “#8 Security/VPN Wizard” on page 14
• “#9 Dynamic DNS Wizard” on page 16
#1 Log in to the Web UI
The LAN connection may be through the wired Ethernet ports available on the router, or once the initial setup is complete, the DSR may also be managed through its wireless interface. Access the router’s Web user interface (Web UI) for management by using any web browser, such as Internet Explorer, Firefox, Chrome, or Safari.
Note: The workstation from which you manage the router must be in the same subnet as the router (192.168.10.0/24).
#2 Change LAN IP Address
To change the LAN IP address of the router, follow the steps below:
1. Log in to the router.
2. Click Network > LAN > LAN Settings. The LAN Settings page will appear.
3. Under IP Address Setup, enter a new IP address for the router.
4. Enter a new subnet mask if needed.
5. Click Save at the bottom of the page.
Note: If you change the IP address and click Save, the Web UI will not respond. Open a new connection to the new IP address and log in again.
#3 Configure DHCP Server
To change the DHCP settings of the router, follow the steps below:
1. Log in to the router.
2. Click Network > LAN > LAN Settings. The LAN Settings page will appear.
3. From the DHCP Mode drop-down menu under DHCP Setup, select None (disable), DHCP Server (enable), or DHCP Relay.
Note: DHCP Relay will allow DHCP clients on the LAN to receive IP address leases and corresponding information from a DHCP server on a different subnet.
#4 Set Time and Date
1. Log in to the router.
2. Click Wizard in the upper-right side of the page. If you want to manually configure your date/time settings, refer to “Date and Time” on page 162.
3. Click Run in the Date and Time Wizard box.
4. Click the continent from the map and then next to City, select your time zone from the drop-down menu. Toggle Daylight Saving to ON if it applies to you and then click Next.
5.
#5 Internet Connection Setup
This router has two WAN ports that can be used to establish a connection to the internet. It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the router. Supported Internet connection types include Dynamic, Static, PPPoE, PPTP, L2TP, Japanese PPPoE, and Russian PPPoE/PPTP/L2TP.
a. If you selected DHCP, complete the fields below:
Fields: MAC Address Source, Host Name, DNS Server Source
MAC Address Source: This MAC address will be recognized by your ISP. Select from the following three options:
• Use Default Address - Uses the default MAC address of the router.
• Clone your PC’s MAC Address - Select to use the MAC address of the computer you are currently connecting with.
b. If you selected Static, complete the fields below:
Field: Description
IP Address: Enter the IP address assigned by your ISP.
Gateway IP Address: Enter the gateway IP address assigned by your ISP.
IP Subnet Mask: Enter the subnet mask assigned by your ISP.
Primary DNS Server: Enter the primary DNS server IP address assigned by your ISP.
Secondary DNS Server: Enter the secondary DNS server IP address assigned by your ISP.
5. Click Save.
#6 Wireless Network Setup
This wizard provides a step-by-step guide to create and secure a new access point on the router. The network name (SSID) is the AP identifier that will be detected by supported clients. The Wizard uses a TKIP+AES cipher for WPA / WPA2 security; depending on support on the client side, devices associate with this AP using either WPA or WPA2 security with the same pre-shared key.
#7 Create Users
The Users Wizard allows you to create user accounts that you can assign to groups. Refer to “Users” on page 129 for more information. You may want to create Groups before users so you may assign them to groups as you create them. To create groups, refer to “Groups” on page 125.
To create new users, follow the steps below:
1. Log in to the router.
2. Click Wizard in the upper-right side of the page.
3. Click Run in the Users Wizard box.
4.
#8 Security/VPN Wizard
The Security Wizard allows you to enable VPN passthrough and create a VPN. Follow the steps below:
1. Log in to the router.
2. Click Wizard in the upper-right side of the page.
3. Click Run in the Security Wizard box.
4. The wizard screen will appear.
5. Select the default outbound policy from the drop-down menu.
6. Toggle which type(s) of VPN you want allowed to pass through the router to ON and click Next.
7. You can quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.
8. From the Select VPN Type drop-down menu, select either Site to Site or Remote Access.
9. Next to Connection Name, enter a name for this VPN connection.
10. Next to IP Protocol Version, select either IPv4 or IPv6.
11. Next to IKE Version, select the version of IKE.
12. Next to Pre-Shared Key, enter the pre-shared key used.
13.
#9 Dynamic DNS Wizard
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS, or Oray.net. Refer to “Dynamic DNS Settings” on page 53 for more information. Follow the steps below:
1. Log in to the router.
2. Click Wizard in the upper-right side of the page.
3. Click Run in the Dynamic DNS Wizard box.
Section 4 - LAN Configuration
By default, the router functions as a Dynamic Host Configuration Protocol (DHCP) server to the hosts on the LAN and WLAN network. With DHCP, PCs and other LAN devices can be assigned IP addresses as well as addresses for DNS servers, Windows Internet Name Service (WINS) servers, and the default gateway. With DHCP server enabled the router’s IP address serves as the gateway address for LAN and WLAN clients.
LAN Settings
Path: Network > LAN > LAN Settings
To configure the LAN settings on the router:
1. Click Network > LAN > LAN Settings.
2. Complete the fields in the table below and click Save.
Field: Description
IP Address: Enter a new IP address for the router. Default is 192.168.10.1.
Subnet Mask: Enter the subnet mask for your network. Default is 255.255.255.0.
DHCP Mode: Select one of the following modes:
• None - Turns off DHCP.
DHCP Server
1. Select DHCP Server from the drop-down menu.
2. Complete the fields in the table below and click Save.
Field: Description
DHCP Mode: Select DHCP Server from the drop-down menu.
Starting IP Address: Enter the starting IP address in the DHCP address pool. Any new DHCP client joining the LAN is assigned an IP address within the starting and ending IP address range. Starting and ending IP addresses must be in the same IP address subnet as the router’s LAN IP address.
DHCP Relay
1. Select DHCP Relay from the drop-down menu.
2. Complete the fields in the table below and click Save.
Field: Description
DHCP Mode: Select DHCP Relay from the drop-down menu.
Domain Name: Enter the domain name of your network.
Gateway: Enter the relay gateway IP address.
Save: Click Save at the bottom to save and activate your settings.
DHCP Reserved IPs
Path: Network > LAN > LAN DHCP Reserved IPs
The router’s DHCP server can assign IP settings to your clients on your network by adding a client’s MAC address and the IP address to be assigned. Whenever the router receives a request from a client, the MAC address of that client is compared with the MAC address list present in the database.
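A pre-flight check for the DHCP pool rule and the MAC-to-IP reservation list described above, as an added Python example (not code from the manual or from the router firmware). The function names, the pool range and the MAC addresses are constructed for illustration; only the 192.168.10.1 / 255.255.255.0 defaults come from this manual.

```python
import ipaddress
import re


def normalize_mac(mac):
    """Canonicalise a MAC so 00-1A-.., 001a.2b3c.. and 00:1a:.. compare equal."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_dhcp(router_ip, mask, start, end, reservations):
    """Return a list of problems found in a DHCP pool and its reserved IPs.

    reservations is an iterable of (mac, ip) pairs, as entered on the
    DHCP Reserved IPs page.
    """
    lan = ipaddress.ip_interface("%s/%s" % (router_ip, mask))
    net = lan.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []

    # Manual: starting and ending addresses must be in the router's LAN subnet.
    for label, addr in (("starting", first), ("ending", last)):
        if addr not in net:
            problems.append("%s address %s is outside %s" % (label, addr, net))
    if first > last:
        problems.append("starting address is above ending address")

    by_mac, by_ip = {}, {}
    for mac, ip in reservations:
        mac, addr = normalize_mac(mac), ipaddress.ip_address(ip)
        if addr not in net:
            problems.append("reserved %s is outside %s" % (addr, net))
        if addr in (lan.ip, net.network_address, net.broadcast_address):
            problems.append("reserved %s collides with the router, network "
                            "or broadcast address" % addr)
        # The router matches clients by MAC, so one MAC must map to one IP.
        if mac in by_mac:
            problems.append("%s reserved twice" % mac)
        if addr in by_ip and by_ip[addr] != mac:
            problems.append("%s reserved for two clients" % addr)
        by_mac[mac] = addr
        by_ip.setdefault(addr, mac)
    return problems


if __name__ == "__main__":
    # Constructed sample configuration using the manual's default LAN address.
    sample = [
        ("00:1A:2B:3C:4D:5E", "192.168.10.50"),
        ("00-1a-2b-3c-4d-5e", "192.168.10.51"),   # same client, other notation
        ("02:00:00:00:00:02", "192.168.10.1"),    # the router's own address
    ]
    for line in check_dhcp("192.168.10.1", "255.255.255.0",
                           "192.168.10.100", "192.168.10.254", sample):
        print(line)
```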
IGMP Setup
Path: Network > LAN > IGMP Setup
IGMP snooping (IGMP Proxy) allows the router to ‘listen’ in on IGMP network traffic through the router. This then allows the router to filter multicast traffic and direct it only to hosts that need this stream. This is helpful when there is a lot of multicast traffic on the network where all LAN hosts do not need to receive this multicast traffic.
To enable IGMP Proxy:
1. Click Network > LAN > IGMP Setup.
2. Toggle IGMP Proxy to On.
UPnP Setup
Path: Network > LAN > UPnP
Universal Plug and Play (UPnP) is a feature that allows the router to discover devices on the network that can communicate with the router and allow for auto-configuration. If a network device is detected by UPnP, the router can open internal or external ports for the traffic protocol required by that network device.
Jumbo Frames
Path: Network > LAN > Jumbo Frames
Jumbo frames are Ethernet frames with more than 1500 bytes of payload. When this option is enabled, the LAN devices can exchange information at Jumbo frames rate.
To enable jumbo frames:
1. Click Network > LAN > Jumbo Frames.
2. Toggle Activate Jumbo Frames to On.
3. Click Save.
VLAN
The router supports virtual network isolation on the LAN with the use of VLANs. LAN devices can be configured to communicate in a sub network defined by VLAN identifiers. LAN ports can be assigned unique VLAN IDs so that traffic to and from that physical port can be isolated from the general LAN. VLAN filtering is particularly useful to limit broadcast packets of a device in a large network. VLAN support is enabled by default in the router.
Fields: VLAN ID, Name, Captive Portal, Activate InterVLAN Routing, IP Address, Subnet Mask, DHCP Mode, Enable DNS Proxy, Save
VLAN ID: Enter a number between 2 and 4053.
Name: Enter a name for your VLAN.
Captive Portal: Toggle ON to enable Captive Portal (refer to the next page for more information).
Activate InterVLAN Routing: Toggle ON to allow routing between multiple VLANs or OFF to deny communication between VLANs.
IP Address: Enter the IP address for the VLAN.
Subnet Mask: Enter the subnet mask for the VLAN.
Captive Portal
Note: The DSR-150/150N/250/250N routers do not have support for the Captive Portal feature.
Captive Portal is available for LAN users only and not for DMZ hosts. Captive Portals can be enabled on a per-VLAN basis. Hosts of a particular VLAN can be directed to authenticate via the Captive Portal, which may be a customized portal with unique instructions and branding as compared to another VLAN.
Port/Wireless VLAN
Path: Network > VLAN Settings > Port VLAN
In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port and wireless segment. VLAN membership properties for the LAN and wireless LAN are listed on this page. The VLAN Port table displays the port identifier, the mode setting for that port and VLAN membership information.
In Access mode the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame.
In General mode the port is a member of a user selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID.
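The Access and General port rules above, as an added Python example (not code from the manual or from the router firmware): it reads the 802.1Q tag of constructed Ethernet frames, classifies each frame per port mode, and checks whether it may reach another port, which is a quick way to reason about VLAN isolation before changing port modes. Assumptions not stated on this page: an Access port drops tagged frames, a General port drops tags outside its membership, a VID 0 priority tag is handled as untagged, and all class, function and port names are illustrative.

```python
import struct

TPID_8021Q = 0x8100               # EtherType value that marks an 802.1Q tag
VLAN_ID_RANGE = range(2, 4054)    # manual: "Enter a number between 2 and 4053"


def build_frame(vid=None, payload=b"constructed-payload"):
    """Build a constructed Ethernet II frame, optionally 802.1Q-tagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")   # locally administered, constructed
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def frame_vid(frame):
    """Return the 802.1Q VLAN ID carried by a frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF               # low 12 bits of the TCI are the VLAN ID


class Port:
    """A LAN port in 'access' or 'general' mode with a PVID."""

    def __init__(self, name, mode, pvid, members=()):
        if mode not in ("access", "general"):
            raise ValueError("unsupported mode: %r" % mode)
        self.name, self.mode, self.pvid = name, mode, pvid
        # Access: member of exactly one VLAN. General: a selectable set
        # (assumed here to always include the PVID).
        self.members = {pvid} if mode == "access" else set(members) | {pvid}
        bad = sorted(v for v in self.members if v not in VLAN_ID_RANGE)
        if bad:
            raise ValueError("VLAN IDs outside 2-4053: %r" % bad)

    def classify(self, frame):
        """Return the VLAN a received frame lands in, or None if dropped."""
        vid = frame_vid(frame)
        if vid is None or vid == 0:
            return self.pvid          # untagged data is assigned the PVID
        if self.mode == "access":
            return None               # assumption: tagged frame on access port
        return vid if vid in self.members else None


def can_forward(src, dst, frame):
    """True if a frame received on src may be sent out of dst."""
    vlan = src.classify(frame)
    return vlan is not None and vlan in dst.members


if __name__ == "__main__":
    guest = Port("port1", "access", 20)
    staff = Port("port2", "general", 10, {10, 30})
    uplink = Port("port3", "general", 10, {10, 20, 30})
    for dst in (staff, uplink):
        print("guest ->", dst.name, can_forward(guest, dst, build_frame()))
    # A guest host injecting a tag for VLAN 30 is dropped at ingress.
    print("guest tagged 30:", guest.classify(build_frame(vid=30)))
```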
Section 5 - Connect to the Internet
This router has two WAN ports that can be used to establish a connection to the internet. It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the router.
Static IP
Path: Network > Internet > WAN1 Settings
Select Static IP to manually enter the Internet settings supplied by your Internet Service Provider.
Field: Description
IP Address: Enter the IP address supplied by your ISP.
IP Subnet Mask: Enter the subnet mask supplied by your ISP.
Gateway IP Address: Enter the gateway IP address supplied by your ISP.
DNS Server Source: Select either Get Dynamically from ISP or Use These DNS Servers to manually enter DNS servers.
PPPoE
Path: Network > Internet > WAN1 Settings
Select PPPoE to enter the PPPoE Internet settings supplied by your Internet Service Provider.
Field: Description
Address Mode: Select Dynamic IP or Static IP (IP settings supplied by your ISP).
User Name: Enter your PPPoE user name.
Password: Enter your PPPoE password.
Service: Enter if your ISP requires it.
Authentication Type: Select the authentication type from the drop-down menu.
PPTP
Path: Network > Internet > WAN1 Settings
Select PPTP to enter the PPTP Internet settings supplied by your Internet Service Provider.
L2TP
Path: Network > Internet > WAN1 Settings
Select L2TP to enter the L2TP Internet settings supplied by your Internet Service Provider.
Japanese PPPoE
Path: Network > Internet > WAN1 Settings
Select Japanese PPPoE to enter the PPPoE Internet settings supplied by your Internet Service Provider.
Field: Description
Address Mode: Select Dynamic IP or Static IP (IP settings supplied by your ISP).
User Name: Enter your PPPoE user name.
Password: Enter your PPPoE password.
Service: Enter if your ISP requires it.
Authentication Type: Select the authentication type from the drop-down menu.
Russian PPPoE
Path: Network > Internet > WAN1 Settings
Select Russian PPPoE to enter the PPPoE Internet settings supplied by your Internet Service Provider.
Field: Description
Address Mode: Select Dynamic IP or Static IP (IP settings supplied by your ISP).
User Name: Enter your PPPoE user name.
Password: Enter your PPPoE password.
Service: Enter if your ISP requires it.
Authentication Type: Select the authentication type from the drop-down menu.
Russian PPTP
Path: Network > Internet > WAN1 Settings
Select Russian PPTP to enter the PPTP Internet settings supplied by your Internet Service Provider.
Russian L2TP
Path: Network > Internet > WAN1 Settings
Select Russian L2TP to enter the L2TP Internet settings supplied by your Internet Service Provider.
WAN2 Settings
Path: Network > Internet > WAN2 Settings
Select WAN and select the Internet connection type. Please refer to the previous pages (41-49) for more information. If you want to set WAN2 port to DMZ, skip to the next page.
DMZ
This router supports one of the physical ports to be configured as a secondary WAN Ethernet port or a dedicated DMZ port. A DMZ is a sub network that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN.
WAN3 (3G Internet)
Path: Network > Internet > WAN3 Settings
This router supports the use of 3G Internet access. Cellular 3G internet access is available on WAN3 via a 3G USB modem for DSR-1000 and DSR-1000N. The cellular ISP that provides the 3G data plan will provide the authentication requirements to establish a connection. The dial Number and APN are specific to the cellular carriers.
WAN Mode
Path: Network > Internet > WAN Mode
This router supports multiple WAN links. This allows you to take advantage of failover and load balancing features to ensure certain internet dependent services are prioritized in the event of unstable WAN connectivity on one of the ports. To use Auto Failover or Load Balancing, WAN link failure detection must be configured. This involves accessing DNS servers on the internet or ping to an internet address (user defined).
Auto-Rollover using WAN IP
In this mode one of your WAN ports is assigned as the primary internet link for all internet traffic and the secondary WAN port is used for redundancy in case the primary link goes down for any reason. Both WAN ports (primary and secondary) must be configured to connect to the respective ISPs before enabling this feature.
Load Balancing
Path: Network > Internet > WAN Mode
This feature allows you to use multiple WAN links (and presumably multiple ISPs) simultaneously. After configuring more than one WAN port, the load balancing option is available to carry traffic over more than one link. Protocol bindings are used to segregate and assign services over one WAN port in order to manage internet flow.
Round Robin
1. Click Network > Internet > WAN Mode.
2. Complete the fields from the table below and click Save.
Fields: WAN Mode, Load Balance, WAN Health Check, Save
WAN Mode: Select Load Balancing from the drop-down menu.
Load Balance: Select Round Robin.
WAN Health Check:
• DNS lookup using WAN DNS Servers: DNS Lookup of the DNS Servers of the primary link is used to detect primary WAN connectivity.
Spillover
1. Click Network > Internet > WAN Mode.
2. Complete the fields from the table below and click Save.
Fields: WAN Mode, Load Balance, WAN Health Check, Retry Interval is, Failover After, Load Tolerance, Max Bandwidth, Save
WAN Mode: Select Load Balancing from the drop-down menu.
Load Balance: Select Spillover Mode.
WAN Health Check:
• DNS lookup using WAN DNS Servers: DNS Lookup of the DNS Servers of the primary link is used to detect primary WAN connectivity.
Routing Mode
Routing between the LAN and WAN will impact the way this router handles traffic that is received on any of its physical interfaces. The routing mode of the gateway is core to the behavior of the traffic flow between the secure LAN and the internet.
Transparent
When Transparent Routing Mode is enabled, NAT is not performed on traffic between the LAN and WAN interfaces. Broadcast and multicast packets that arrive on the LAN interface are switched to the WAN and vice versa, if they do not get filtered by firewall or VPN policies.
Bridge
When Bridge Mode routing is enabled, the first physical LAN port and secondary WAN/DMZ (port 2) interfaces are bridged together at Layer 2, creating an aggregate network. The other LAN ports and the primary WAN (WAN1) are not part of this bridge, and the router acts as a NAT device for these other ports. With Bridge mode for the LAN port 1 and WAN2/DMZ interfaces, L2 and L3 broadcast traffic as well as ARP / RARP packets are passed through.
IP Aliasing
Path: Network > Internet > IP Aliasing
A single WAN Ethernet port can be accessed via multiple IP addresses by adding an alias to the port. This is done by configuring an IP Alias address. To edit or delete any existing aliases, right-click the alias and select either Edit or Delete.
To create a new alias:
1. Click Network > Internet > IP Aliasing.
2. Click Add New IP Aliasing.
3. Enter the following information and click Save.
DMZ Settings
Path: Network > Internet > DMZ Settings
If you set WAN2 port to DMZ, you will need to configure the port here.
To configure the DMZ Settings:
1. Click Network > Internet > DMZ Settings.
2. Complete the fields from the table below and click Save.
Fields: IP Address, Subnet Mask, DHCP Mode, DHCP Server, DHCP Relay, Enable DNS Proxy, Primary DNS Server, Secondary DNS Server, WINS Server, Save
IP Address: Enter an IP address for the DMZ interface.
DMZ LAN DHCP Reserved IPs
The router’s DHCP server can assign IP settings to your DMZ clients on your network by adding a client’s MAC address and the IP address to be assigned. Whenever the router receives a request from a client, the MAC address of that client is compared with the MAC address list present in the database.
Dynamic DNS Settings
Path: Network > Internet > Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS, or Oray.net. Each configured WAN can have a different DDNS service if required.
Traffic Management
Bandwidth Profiles
Path: Network > Internet > Traffic Management > Bandwidth Profiles
Bandwidth profiles allow you to regulate the traffic flow from the LAN to WAN 1 or WAN 2. This is useful to ensure that low priority LAN users (like guests or HTTP service) do not monopolize the available WAN’s bandwidth for cost-savings or bandwidth-priority-allocation purposes.
4. Enter the following information and click Save.
Field: Description
Name: Enter a name for your profile. This identifier is used to associate the configured profile to the traffic selector.
Policy Type: Select the policy type (Inbound or Outbound) from the drop-down menu.
WAN Interface: Select which WAN interface you want to associate this profile with.
Profile Type: Select either Priority or Rate from the drop-down menu.
Traffic Shaping
Path: Network > Internet > Traffic Management > Traffic Shaping
Once a profile has been created it can then be associated with a traffic flow from the LAN to WAN. Traffic selector configuration binds a bandwidth profile to a type or source of LAN traffic with the following settings.
To create a traffic selector:
1. Click Network > Internet > Traffic Management > Traffic Shaping.
2. Click Add New Traffic Selector.
3.
Routing
Static Routes
Path: Network > Routing > Static Routes
Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this router and other devices to account for changes in the path; once configured the static route will be active and effective until the network changes.
Fields: Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Interface, Gateway IP Address, Metric, Save
Route Name: Enter a name for your route.
Active: Toggle to ON to activate this route or to OFF to deactivate.
Private: Toggle to ON to make this route private. If the route is made private, then the route will not be shared in a RIP broadcast or multicast.
Destination IP Address: Enter the IP address of the static route’s destination.
IP Subnet Mask: Enter the subnet mask of the static route.
RIP
Path: Network > Routing > RIP
Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP this router can exchange routing information with other supported routers in the LAN and allow for dynamic adjustment of routing tables in order to adapt to modifications in the LAN without interrupting traffic flow.
Note: The DSR-150/150N/250/250N routers do not support RIP.
To configure RIP:
1.
OSPF
Path: Network > Routing > OSPF
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain. It gathers link state information from available routers and constructs a topology map of the network. OSPF version 2 is a routing protocol which is described in RFC 2328 - OSPF Version 2. OSPF is an IGP (Interior Gateway Protocol). OSPF is widely used in large networks such as ISP backbone and enterprise networks.
Fields: OSPFv2 Enable, Interface, Area, Priority, Hello Interval, Dead Interval, Cost, Authentication Type, Md5 Key ID, Md5 Authentication Key, Save
OSPFv2 Enable: Toggle ON to enable OSPF.
Interface: Displays the physical network interface on which OSPFv2 is Enabled/Disabled.
Area: Enter the area to which the interface belongs. When two routers share a common segment, their interfaces have to belong to the same area on that segment. The interfaces should belong to the same subnet and have a similar mask.
Protocol Binding
Path: Network > Routing > Protocol Binding
Protocol bindings are useful when the Load Balancing feature is in use. By selecting from a list of configured services or any of the user-defined services, you can assign a type of traffic to go over only one of the available WAN ports. For increased flexibility the source network or machines can be specified as well as the destination network or machines.
IPv6 IP Mode
Path: Network > IPv6 > IP Mode
This page allows you to configure the IP protocol version to be used on the router. In order to support IPv6 on your local network (LAN), you must set the router to be in IPv4 / IPv6 mode. This mode will allow IPv4 nodes to communicate with IPv6 devices through this router.
To enable IPv6 on the router:
1. Click Network > IPv6 > IP Mode.
2. Select IPv4 & IPv6.
3. Click Save.
WAN Settings
Path: Network > IPv6 > WAN1 Settings
For IPv6 WAN connections, this router can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed. In addition to the IPv6 address assigned to your router, the IPv6 prefix length defined by the ISP is needed.
Static IP
To configure a static IPv6 Internet connection:
1. Click Network > IPv6 > WAN1 Settings.
2. Complete the fields in the table below and click Save.
Field | Description
Connection Type | Select Static.
IPv6 Address | Enter the IP address supplied by your ISP.
IPv6 Prefix Length | Enter the IPv6 prefix length supplied by your ISP.
Default IPv6 Gateway | Enter the IPv6 gateway address supplied by your ISP.
Primary DNS Server |
Secondary DNS Server |
Save |
PPPoE
To configure a dynamic (DHCP) IPv6 Internet connection:
1. Click Network > IPv6 > WAN1 Settings.
2. Complete the fields in the table below and click Save.
Field | Description
Connection Type | Select PPPoE.
User Name | Enter your PPPoE user name.
Password | Enter your PPPoE password.
Authentication Type | Select the authentication type from the drop-down menu (Auto-negotiate/PAP/CHAP/MS-CHAP/MSCHAPv2).
DHCPv6 Options |
Primary DNS Server |
Secondary DNS Server |
Save |
Static Routing
Path: Network > IPv6 > Static Routing
Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this router and other devices to account for changes in the path; once configured the static route will be active and effective until the network changes.
Field | Description
Route Name | Enter a name for your route.
Active | Toggle to ON to activate this route or to OFF to deactivate.
IPv6 Destination | Enter the IP address of the static route’s destination.
IPv6 Prefix Length | Enter the prefix length of the static route.
Interface | The physical network interface (WAN1, WAN2, WAN3, DMZ or LAN), through which this route is accessible.
IPv6 Gateway |
Metric |
Save |
OSPFv3
Path: Network > IPv6 > OSPFv3
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain. It gathers link state information from available routers and constructs a topology map of the network. Open Shortest Path First version 3 (OSPFv3) supports IPv6.
Field | Description
OSPFv3 Enable | Toggle ON to enable OSPFv3.
Interface | Displays the physical network interface on which OSPFv3 is Enabled/Disabled.
Priority | Helps to determine the OSPFv3 designated router for a network. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0 makes the router ineligible to become Designated Router. The default value is 1.
Hello Interval |
Dead Interval |
Cost |
Save |
6 to 4 Tunneling
Path: Network > IPv6 > 6 to 4 Tunneling
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. Select the check box to Enable Automatic Tunneling and allow traffic from an IPv6 LAN to be sent over an IPv4 Option to reach a remote IPv6 network.
To enable 6 to 4 tunneling:
1. Click Network > IPv6 > 6 to 4 Tunneling.
2. Toggle Activate Auto Tunneling to ON.
3.
ISATAP
Path: Network > IPv6 > 6 to 4 Tunneling
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. ISATAP specifies an IPv6-IPv4 compatibility address format as well as a means for site border router discovery. ISATAP also specifies the operation of IPv6 over a specific link layer - that being IPv4 used as a link layer for IPv6.
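Both 6to4 and ISATAP embed the tunnel endpoint's IPv4 address inside the IPv6 address, which lets you spot tunnelled hosts in logs. The following is an added example, not part of the manual or the router firmware; the function names and sample addresses are constructed, and the address layouts are those of RFC 3056 (6to4) and RFC 5214 (ISATAP).

```python
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)
# ISATAP interface identifiers (RFC 5214): 0000:5efe or 0200:5efe, then the IPv4 address.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixtofour_prefix(ipv4):
    """Return the 2002:V4ADDR::/48 prefix a 6to4 router derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix, ipv4):
    """Build an ISATAP address: a /64 prefix plus the 0000:5efe:<IPv4> interface ID.

    Simplification: the u bit (0200:5efe form) is never set here.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x00005EFE << 32) | v4)


def classify_tunnel_address(addr):
    """Return (mechanism, embedded IPv4 as text), or (None, None) for other addresses."""
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    if ip in SIXTOFOUR_NET:
        # Bits 16-47 of a 6to4 address carry the IPv4 address of the tunnel router.
        return "6to4", str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        # The low 32 bits of an ISATAP interface ID are the node's IPv4 address.
        return "isatap", str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    return None, None


def review(addresses):
    """Return (address, mechanism, embedded IPv4, note) for every tunnel address seen."""
    findings = []
    for addr in addresses:
        mechanism, v4 = classify_tunnel_address(addr)
        if mechanism is None:
            continue
        note = ""
        # 6to4 needs a globally unique IPv4 address; a private one points to a
        # misconfigured or spoofed source. Private addresses are normal for ISATAP.
        if mechanism == "6to4" and any(ipaddress.IPv4Address(v4) in n for n in RFC1918):
            note = "6to4 prefix built from a private IPv4 address"
        findings.append((addr, mechanism, v4, note))
    return findings


# Constructed sample: IPv6 source addresses as they might appear in a flow log.
SAMPLE = [
    "2002:c000:204::1",     # 6to4, embeds 192.0.2.4
    "2002:c0a8:a01::1",     # 6to4, embeds 192.168.10.1 (private)
    "fe80::5efe:c0a8:a01",  # ISATAP link-local, embeds 192.168.10.1
    "2001:db8::1",          # native IPv6, ignored
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.4"))
    for row in review(SAMPLE):
        print(row)
```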
LAN Settings DHCPv6 Server
Path: Network > IPv6 > LAN Settings > IPv6 LAN Settings
In IPv6 mode, the LAN DHCP server is disabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN. The default IPv6 LAN address for the router is fec0::1. You can change this 128-bit IPv6 address based on your network requirements.
Field | Description
IPv6 Address | Enter the IPv6 LAN address for the router.
IPv6 Prefix Length | Enter the prefix length.
Status | Toggle to ON to enable DHCPv6.
Mode | The IPv6 DHCP server is either stateless or stateful. If stateless is selected an external IPv6 DHCP server is not required as the IPv6 LAN hosts are auto-configured by this router.
Domain Name |
Server Preference |
DNS Servers |
Lease / Rebind Time |
Prefix Delegation |
Save |
IPv6 Address Pools
Path: Network > IPv6 > LAN Settings > IPv6 Address Pools
This feature allows you to define the IPv6 delegation prefix for a range of IP addresses to be served by the router’s DHCPv6 server. Using a delegation prefix you can automate the process of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix.
To add, edit, or delete an IPv6 address pool entry:
1.
IPv6 Prefix Length
Path: Network > IPv6 > LAN Settings > IPv6 Prefix Length
To add, edit, or delete an IPv6 prefix length entry:
1. Click Network > IPv6 > LAN Settings > IPv6 Prefix Length tab.
2. Right-click a current entry and select Edit or Delete. To add a new entry, click Add New Prefix Length.
3. Complete the fields in the table below and click Save.
Field | Description
Profile | Enter a name for this profile.
Prefix Length | Enter the prefix length.
Save |
Router Advertisement
Path: Network > IPv6 > LAN Settings > Router Advertisement
Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router will assign an IP address and supporting network information to devices that are configured to accept such details. Router Advertisement is required in an IPv6 network for stateless auto configuration of the IPv6 LAN.
Advertisement Prefixes
Path: Network > IPv6 > LAN Settings > Advertisement Prefixes
Router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router.
To add, edit, or delete an advertisement prefix entry:
1.
IPv6 Tunnels Status
Path: Network > IPv6 > IPv6 Tunnels Status
This page displays the current status of IPv6 Tunnels.
Section 6 - Wireless Settings
Wireless Settings
The Wireless Network Setup Wizard is available for users new to wireless networking. By going through a few configuration pages you can enable a Wi-Fi™ network on your LAN and allow supported 802.11 clients to connect to the configured Access Point. To run the wizard, refer to “#6 Wireless Network Setup” on page 12.
Access Points
Path: Wireless > General > Access Points
This router has an integrated 802.
3. Complete the fields in the table below and click Save.
Field AP Name Profile Name Active Time Schedule Control Start/Stop Time WLAN Partition Save Description Enter a name for your virtual access point. Select a profile from the drop-down menu to associate this access point with. If you do not want to use the default profile, create a profile (refer to the next page) and then create an access point. Toggle to ON to “turn on” this access point.
Profiles
Path: Wireless > General > Profiles
Creating a profile allows you to assign the security type, encryption and authentication to use when connecting the AP to a wireless client. The default mode is “open”, i.e., no security. This mode is insecure as it allows any compatible wireless clients to connect to an AP configured with this security profile. To create a new profile, use a unique profile name to identify the combination of settings.
Field | Description
Profile Name | Enter a name for your profile.
SSID | Enter a name for your wireless network (SSID).
Broadcast SSID | Toggle to ON if you want your SSID broadcast openly or toggle to OFF to hide it. Clients will have to know the SSID to connect.
Select what kind of wireless security you want to use:
• Open: Select this option to create a public “open” network to allow unauthenticated devices to access this wireless gateway.
Radio Settings
Path: Wireless > General > Radio Settings
You may configure the channels and power levels available for the APs enabled on the router. The router has a dual band 802.11n radio, meaning either 2.4 GHz or 5 GHz frequency of operation can be selected (not concurrently though). Based on the selected operating frequency, the mode selection will let you define whether legacy connections or only 802.11n connections (or both) are accepted on configured APs.
WMM Settings
Path: Wireless > Advanced > WMM
Wi-Fi Multimedia (WMM) provides basic Quality of Service (QoS) features to IEEE 802.11 networks. WMM prioritizes traffic according to four Access Categories (AC) - voice, video, best effort, and background.
To configure the radio settings:
1. Click Wireless > Advanced > WMM.
2. Complete the fields in the table below and click Save.
WDS
Path: Wireless > Advanced > WDS
Wireless Distribution System (WDS) is a system enabling the wireless interconnection of access points in a network. This feature is only guaranteed to work between devices of the same type (i.e., using the same chipset/driver). When you enable WDS, use the same security configuration as the default access point. The WDS links do not have true WPA/WPA2 support, in that no WPA key handshake is performed.
Advanced Settings
Path: Wireless > Advanced > Advanced Settings
You can modify the 802.11 communication parameters in this page. Generally, the default settings are appropriate for most networks.
1. Click Wireless > Advanced > Advanced Settings.
2. Complete the fields in the table below and click Save.
Field | Description
Beacon Interval | Beacons are packets sent by an Access Point to synchronize a wireless network. The default value is 100.
WPS
Path: Wireless > Advanced > WPS
WPS is a simplified method to add supporting wireless clients to the network. WPS is only applicable for APs that employ WPA or WPA2 security. To use WPS, select the eligible VAPs from the drop-down menu of APs that have been configured with this security and enable WPS status for this AP. The WPS Current Status section outlines the security, authentication, and encryption settings of the selected AP.
4. Once enabled the following screen will appear.
5. Under WPS Setup Method, decide to either use PIN or PBC (Push Button).
6. If you want to use PIN method, enter the PIN next to Station PIN and click Configure Via PIN. You will need to enter the PIN on your wireless client and start the WPS process within one minute.
7. If you want to use push button method, click Configure Via PBC. This will initiate the WPS session.
Section 7 - VPN
VPN
A VPN provides a secure communication channel (“tunnel”) between two gateway routers or a remote PC client. The following types of tunnels can be created:
• Gateway-to-gateway VPN: To connect two or more routers to secure traffic between remote sites.
• Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN tunnel as the IP address of the remote PC client is not known in advance. The gateway in this case acts as a responder.
IPSec VPN Policies
Path: VPN > IPSec VPN > Policies
An IPsec policy is between this router and another gateway or this router and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport depending on the network being traversed between the two policy endpoints.
• Transport: This is used for end-to-end communication between this router and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host.
Field Policy Name Policy Type IP Protocol Version IKE Version IPSec Mode Select Local Gateway Remote Endpoint IP Address/FQDN Enable Mode Config Enable NetBIOS Enable RollOver Protocol Enable DHCP Local IP/Remote IP Enable Keepalive Description Enter a unique name for the VPN Policy. This name is not an identifier for the remote WAN/client. Select either Manual or Auto.
• Manual: All settings (including the keys) for the VPN tunnel are manually input for each end point.
3. Once the tunnel type and endpoints of the tunnel are defined you can determine the Phase 1/ Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel’s security association details.
A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. The encryption and integrity algorithms and keys must also match exactly on the remote IPsec host in order for the tunnel to establish successfully.
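A pre-deployment check for the mirroring rule above, as an added example that is not part of the manual or the router firmware. The ManualPolicy field names, the per-direction key fields and the key-size table are assumptions made for illustration; the sample SPIs and keys are constructed and must never be used on a real tunnel.

```python
import hmac
from dataclasses import dataclass, replace

# Key sizes in bytes for a few common algorithms (assumed menu; extend as needed).
KEY_BYTES = {"3des": 24, "aes-128": 16, "aes-256": 32, "hmac-md5": 16, "hmac-sha1": 20}


@dataclass(frozen=True)
class ManualPolicy:
    """One endpoint's manual-keying settings (hypothetical field names)."""
    spi_in: int
    spi_out: int
    encryption: str
    integrity: str
    enc_key_in: bytes
    enc_key_out: bytes
    auth_key_in: bytes
    auth_key_out: bytes


def check_local(policy, label):
    """Checks that need only one endpoint: SPI range and key length per algorithm."""
    problems = []
    for direction, spi in (("incoming", policy.spi_in), ("outgoing", policy.spi_out)):
        # The SPI is a 32-bit value and 0-255 are reserved (RFC 4303).
        if not 256 <= spi <= 0xFFFFFFFF:
            problems.append(f"{label}: {direction} SPI {spi:#x} outside 0x100-0xffffffff")
    for alg, keys in ((policy.encryption, (policy.enc_key_in, policy.enc_key_out)),
                      (policy.integrity, (policy.auth_key_in, policy.auth_key_out))):
        expected = KEY_BYTES.get(alg)
        if expected is None:
            problems.append(f"{label}: unknown algorithm {alg!r}")
        elif any(len(k) != expected for k in keys):
            problems.append(f"{label}: {alg} key must be {expected} bytes")
    return problems


def check_mirrored(a, b):
    """Return a list of mismatches between endpoints A and B; empty means consistent."""
    problems = check_local(a, "A") + check_local(b, "B")
    if a.spi_out != b.spi_in:
        problems.append("A outgoing SPI != B incoming SPI")
    if a.spi_in != b.spi_out:
        problems.append("A incoming SPI != B outgoing SPI")
    if a.encryption != b.encryption:
        problems.append("encryption algorithm differs")
    if a.integrity != b.integrity:
        problems.append("integrity algorithm differs")
    # Keys are compared without ever being written into the report.
    for what, x, y in (
        ("encryption key A->B", a.enc_key_out, b.enc_key_in),
        ("encryption key B->A", a.enc_key_in, b.enc_key_out),
        ("integrity key A->B", a.auth_key_out, b.auth_key_in),
        ("integrity key B->A", a.auth_key_in, b.auth_key_out),
    ):
        if not hmac.compare_digest(x, y):
            problems.append(f"{what} differs")
    return problems


# Constructed sample endpoints with obviously fake sequential keys.
SITE_A = ManualPolicy(
    spi_in=0x1001, spi_out=0x2001, encryption="aes-128", integrity="hmac-sha1",
    enc_key_in=bytes(range(16)), enc_key_out=bytes(range(16, 32)),
    auth_key_in=bytes(range(20)), auth_key_out=bytes(range(20, 40)),
)
SITE_B = ManualPolicy(
    spi_in=SITE_A.spi_out, spi_out=SITE_A.spi_in,
    encryption=SITE_A.encryption, integrity=SITE_A.integrity,
    enc_key_in=SITE_A.enc_key_out, enc_key_out=SITE_A.enc_key_in,
    auth_key_in=SITE_A.auth_key_out, auth_key_out=SITE_A.auth_key_in,
)
# Typical operator errors: SPI copied instead of mirrored, wrong integrity algorithm.
SITE_B_BAD = replace(SITE_B, spi_in=SITE_B.spi_out, integrity="hmac-md5")

if __name__ == "__main__":
    print(check_mirrored(SITE_A, SITE_B))
    print(check_mirrored(SITE_A, SITE_B_BAD))
```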
Tunnel Mode
Path: VPN > IPSec VPN > Tunnel Mode
When tunnel mode is selected, you can enable NetBIOS and DHCP over IPSec. DHCP over IPSec allows this router to serve IP leases to hosts on the remote LAN. You can also define a single IP address, a range of IPs, or a subnet on both the local and remote private networks that can communicate over the tunnel. The router allows full tunnel and split tunnel support.
Split DNS Names
In a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network, the other used by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name server for name resolution.
To add a DNS name:
1. Click VPN > IPSec VPN > Tunnel Mode > Split DNS Names tab.
2. Click Add New Split DNS name.
DHCP Range
This page displays the IP range to be assigned to clients connecting using DHCP over IPsec. By default the range is in 192.168.12.0 subnet.
To configure the DHCP over IPSec DHCP server settings:
1. Click VPN > IPSec VPN > DHCP Range.
2. Complete the fields in the table below and click Save.
Field | Description
Starting IP Address | Enter the starting IP address to issue your clients connecting using DHCP over IPSec.
Ending IP Address | Enter the ending IP address.
Subnet Mask |
Save |
Certificates
This router uses digital certificates for IPsec VPN authentication. You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway. The router comes with a self-signed certificate, and this can be replaced by one signed by a CA as per your networking requirements.
Active Self Certificates
A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don’t want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the router. The following information is displayed for each uploaded self certificate:
Name: The name you use to identify this certificate; it is not displayed to IPsec VPN peers.
Self Certificate Requests
To request a self certificate to be signed by a CA, you can generate a Certificate Signing Request from the router by entering identification parameters and passing it along to the CA for signing. Once signed, the CA’s Trusted Certificate and signed certificate from the CA are uploaded to activate the self-certificate validating the identity of this gateway.
Easy VPN Setup
To upload an exported IPSec VPN policy:
1. Click VPN > IPSec VPN > Easy VPN Setup.
2. Click Browse and navigate to the policy file you want to upload. Select it and click Open.
3. Click Upload.
4. Once uploaded, go to VPN > IPSec VPN > Policies and the loaded VPN will be listed. Right-click it to edit or delete.
PPTP VPN Server
Path: VPN > PPTP VPN > Server
A PPTP VPN can be established through this router. Once enabled a PPTP server is available on the router for LAN and WAN PPTP client users to access. Once the PPTP server is enabled, PPTP clients that are within the range of configured IP addresses of allowed clients can reach the router’s PPTP server. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to the network managed by the router.
Client
Path: VPN > PPTP VPN > Client
A PPTP VPN client can be configured on this router. Using this client, you can access a remote network that is local to the PPTP server. Once the client is enabled, the user can open the Status > Active VPNs page and establish the PPTP VPN tunnel by clicking Connect.
To configure the router as a PPTP VPN client:
1. Click VPN > PPTP VPN > Client tab.
2. Toggle Client to ON and complete the fields in the table below.
PPTP Active Users List
A list of PPTP connections will be displayed on this page. Right-click the connection to connect and disconnect.
L2TP VPN Server
Path: VPN > L2TP VPN > Server
An L2TP VPN can be established through this router. Once enabled an L2TP server is available on the router for LAN and WAN L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the router’s L2TP server. Once authenticated by the L2TP server (the tunnel endpoint), L2TP clients have access to the network managed by the router.
Client
An L2TP VPN client can be configured on this router. Using this client, you can access a remote network that is local to the L2TP server. Once the client is enabled, the user can open the Status > Active VPNs page and establish the L2TP VPN tunnel by clicking Connect.
To configure the router as an L2TP VPN client:
1. Click VPN > L2TP VPN > Client tab.
2. Toggle Client to ON and complete the fields in the table below.
Field | Description
Client | Toggle to ON to enable L2TP client.
Server IP |
L2TP Active Users List
A list of L2TP connections will be displayed on this page. Right-click the connection to connect and disconnect.
SSL VPN Server Policies
SSL VPN Policies can be created on a Global, Group, or User level. User level policies take precedence over Group level policies and Group level policies take precedence over Global policies. These policies can be applied to a specific network resource, IP address, or IP ranges on the LAN, or to different SSL VPN services supported by the router. The List of Available Policies can be filtered based on whether it applies to a user, group, or all users (global).
4. Complete the fields from the table below and click Save.
Network Resource Field Policy Type Available Groups/Users Apply Policy To Policy Name IP Address Mask Length ICMP Begin/End Defined Resources Service Permission Save IP Address Description Select Global, Group, or User. If you selected Group, select a group from the drop-down menu. If you selected User, select a user from the drop-down menu.
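To audit which SSL VPN policy actually decides a given connection, the User > Group > Global precedence described above can be modelled offline. This is an added example, not the router's code: the Policy class and sample policies are constructed, and two behaviours are assumptions because the text above does not define them (ties within one level go to the longest mask length, then to deny; when nothing matches the function returns None rather than guessing a default).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LEVEL_RANK = {"global": 1, "group": 2, "user": 3}  # higher rank wins


@dataclass(frozen=True)
class Policy:
    name: str
    level: str             # Policy Type: "global", "group" or "user"
    owner: Optional[str]   # group or user the policy is bound to; None for global
    network: str           # IP Address plus Mask Length, e.g. "192.168.10.0/24"
    port_begin: int        # Begin/End port range
    port_end: int
    permission: str        # "permit" or "deny"

    def applies_to(self, user, group):
        if self.level == "global":
            return True
        return self.owner == (user if self.level == "user" else group)

    def covers(self, ip, port):
        return (ip in ipaddress.ip_network(self.network)
                and self.port_begin <= port <= self.port_end)


def matching(policies, user, group, dest_ip, dest_port):
    ip = ipaddress.ip_address(dest_ip)
    return [p for p in policies if p.applies_to(user, group) and p.covers(ip, dest_port)]


def effective_policy(policies, user, group, dest_ip, dest_port):
    """Return the policy that decides this connection, or None if none matches."""
    matches = matching(policies, user, group, dest_ip, dest_port)
    if not matches:
        return None
    top = max(LEVEL_RANK[p.level] for p in matches)
    same_level = [p for p in matches if LEVEL_RANK[p.level] == top]
    # Assumed tie-break inside one level: most specific network, then deny.
    return max(same_level,
               key=lambda p: (ipaddress.ip_network(p.network).prefixlen,
                              p.permission == "deny"))


def overridden(policies, user, group, dest_ip, dest_port):
    """Names of matching policies that lose to the effective one (audit aid)."""
    winner = effective_policy(policies, user, group, dest_ip, dest_port)
    return [p.name for p in matching(policies, user, group, dest_ip, dest_port)
            if p is not winner]


# Constructed sample policy set.
POLICIES = [
    Policy("global-deny-lan", "global", None, "192.168.10.0/24", 0, 65535, "deny"),
    Policy("eng-ssh", "group", "engineering", "192.168.10.0/24", 22, 22, "permit"),
    Policy("eng-host9-deny", "group", "engineering", "192.168.10.9/32", 22, 22, "deny"),
    Policy("alice-no-db", "user", "alice", "192.168.10.5/32", 22, 22, "deny"),
]

if __name__ == "__main__":
    for user, group, ip in (("alice", "engineering", "192.168.10.5"),
                            ("bob", "engineering", "192.168.10.5"),
                            ("carol", "sales", "192.168.10.5")):
        p = effective_policy(POLICIES, user, group, ip, 22)
        print(user, ip, p.name, p.permission)
```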
Portal Layouts
Path: VPN > SSL VPN > Portal Layouts
You may create a custom page for remote VPN users that is viewed during authentication. You may include login instructions, services, and other details. Note that the default portal LAN IP address is https://192.168.10.1/scgi-bin/userPortal/portal. This is the same page that opens when the “User Portal” link is clicked on the SSL VPN menu of the router web UI.
To create a new portal layout:
1. Click VPN > SSL VPN > Portal Layouts.
2.
Field | Description
Portal Layout Name | Enter a name for this portal. This name will be used as part of the path for the SSL portal URL. Only alphanumeric characters are allowed for this field.
Login Profile View | Select a login profile from the drop-down menu.
Portal Site Title | Enter the portal web browser window title that appears when the client accesses this portal. This field is optional.
Banner Title | The banner title that is displayed to SSL VPN clients prior to login.
Resources
Path: VPN > SSL VPN > Resources
Network resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users. Adding a Network Resource involves creating a unique name to identify the resource and assigning it to one or all of the supported SSL services.
Field | Description
Resource Name | Enter a unique name for this resource.
Service | Select VPN Tunnel, Port Forwarding, or All.
ICMP | Toggle to ON to include ICMP traffic.
Object Type | Select Single IP Address or IP Network.
Object Address | Enter the IP address.
Mask Length | If you selected IP Network, enter the mask length (0-32).
Begin/End | Enter a port range for the object.
Save | Click to save your settings.
Port Forwarding
Port forwarding allows remote SSL users to access specified network applications or services after they login to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the router is detected and re-routed based on configured port forwarding rules. Internal host servers or TCP applications must be specified as being made accessible to remote users.
Client
Path: VPN > SSL VPN > SSL VPN Client
An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this router. When an SSL VPN client is launched from the user portal, a "network adapter" with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This allows local applications to access services on the private network without any special network configuration on the remote SSL VPN client machine.
Client Routes
Path: VPN > SSL VPN > SSL VPN Client
If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. A static route on the private LAN’s firewall (typically this router) is also needed to forward private traffic through the VPN Firewall to the remote SSL VPN client.
Open VPN Settings
VPN > OpenVPN > Settings
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using a signature and a certificate authority. An OpenVPN can be established through this router. You can select server mode, client mode, or access server client mode.
Client
To configure the router as an OpenVPN client:
1. Click VPN > OpenVPN > Settings.
2. Toggle OpenVPN to ON and complete the fields in the table below.
Field | Description
Mode | Select Client.
Server IP | Enter the IP address of the OpenVPN server.
Port | Enter what port to use. The default port is 1194.
Tunnel Protocol | Select either TCP or UDP.
Encryption Algorithm | Select the encryption algorithm from the drop-down menu.
Hash Algorithm | Select the hash algorithm from the drop-down menu.
Save |
Access Server Client
To configure the router as an OpenVPN access server client:
1. Click VPN > OpenVPN > Settings.
2. Toggle OpenVPN to ON and complete the fields in the table below.
Field | Description
Mode | Select Access Server Client.
Port | Enter what port to use. The default port is 1194.
Upload Status | Displays if a configuration file has been uploaded.
File | Click Browse and locate the configuration file. Click Open and then click Upload.
Save |
Local Networks
If you selected Split Tunnel (from OpenVPN Server), you can create a local network by following the steps below:
1. Click VPN > OpenVPN > Local Networks.
2. Click Add New OpenVPN Local Network.
3. Enter a local IP network.
4. Enter the subnet mask.
5. Click Save.
Remote Networks
To create remote networks:
1. Click VPN > OpenVPN > Remote Networks.
2. Click Add New OpenVPN Remote Network.
3. Enter a name of the remote network.
4. Enter a local IP network.
5. Enter the subnet mask.
6. Click Save.
Authentication
This page will allow you to upload certificates and keys. Click Browse and select the file you want to upload. Click Open and then click Upload.
GRE
VPN > VPN Settings > GRE
GRE tunnels allow for broadcast traffic on the LAN of the router to be passed over the internet and received by remote LAN hosts. This is primarily useful in the D-Link Discovery Protocol (DDP) application where broadcast traffic from one LAN host is to be received by all LAN hosts in the local subnets of the GRE endpoints.
3. Complete the fields in the table below and then click Save.
Field | Description
GRE Tunnel Name | Enter a name for the tunnel.
IP Address | Enter the IP address of this endpoint. It will be referenced in the other router’s static route as the Gateway IP address.
Subnet Mask | Enter the subnet mask.
Interface | Select the interface to create this tunnel with from the drop-down menu.
Remote End Address |
Enable DDP Broadcast |
IP Address |
Subnet Mask |
Gateway IP Address |
Save |
Section 8 - Security
Security Groups
Path: Security > Authentication > User Database > Groups
The group page allows creating, editing, and deleting groups. Groups are associated with a set of user types.
To edit/delete an existing group, or add a new group:
1. Click Security > Authentication > User Database > Groups tab.
2. Right-click a group entry and select either Edit or Delete. To add a new group, click Add New Group.
3. Complete the fields in the table below and click Save.
Login Policies
Path: Security > Authentication > Internal User Database > Groups
Using the following procedure, you can grant or deny a user group login access to the web management interface.
1. Click Security > Authentication > Internal User Database > Groups tab.
2. Click Add Login Policies.
3. Complete the fields from the table below and click Save.
Field | Description
Group Name | Select the group you want to configure.
Browser Policies
Path: Security > Authentication > Internal User Database > Groups
Use this feature to allow or deny users in a selected group from using a particular web browser to log in to the router’s web management interface.
1. Click Security > Authentication > Internal User Database > Groups tab.
2. Click Add Browser Policies.
3. Complete the fields from the table below and click Save.
IP Policies
Path: Security > Authentication > Internal User Database > Groups
Use this feature to allow or deny users in a user group to log in to the router’s web management interface from a particular network or IP address.
1. Click Security > Authentication > Internal User Database > Groups tab.
2. Click Add IP Policies.
3. Complete the fields from the table below and click Save.
Users User Management
Path: Security > Authentication > Internal User Database > Users
After you add user groups, you can add users to the user groups. Users can be added individually, or they can be imported from a comma-separated-value (CSV) formatted file. After you add users, you can edit them when changes are required or delete users when you no longer need them.
To edit/delete existing users, or add a new user:
1.
Import User Database
Path: Security > Authentication > Internal User Database > Get User DB
The DSR administrator can add users to the local built-in database directly via an appropriately-formatted comma separated value (CSV) file. The advantage of this feature is to allow for a large number of users to be added to the system with one operation, and the same file can be uploaded to multiple DSR devices as needed.
Create a User Database (CSV File)
The following parameters must be used to define the User database CSV file.
1. Create an empty text file with a .csv extension.
2. Each line in the file corresponds to a single user entry. Every line should end with a CRLF line ending. Do not add comments or other text in this file.
3. Formatting rules:
a) All the fields must be enclosed within double quotes.
b) Consecutive fields are separated by commas.
External Authentication Servers RADIUS Server
Path: Security > Authentication > External Auth Server > RADIUS Server
A RADIUS server can be configured and made accessible to the router to authenticate client connections.
To configure the router to connect to your RADIUS server:
1. Click Security > Authentication > External Auth Server > RADIUS Server tab.
2. Complete the RADIUS server information from the table below and click Save. You can configure up to three servers.
POP3 Server
Path: Security > Authentication > External Auth Server > POP3 Server
POP3 is an application layer protocol most commonly used for e-mail over a TCP/IP connection. The authentication server can be used with SSL encryption over port 995 to send encrypted traffic to the POP3 server. The POP3 server’s certificate is verified by a user-uploaded CA certificate. If SSL encryption is not used, port 110 will be used for the POP3 authentication traffic.
POP3 Trusted Server
Path: Security > Authentication > External Auth Server > POP3 Trusted CA
A CA file is used as part of the POP3 negotiation to verify the configured authentication server identity. Each of the three configured servers can have a unique CA used for authentication.
To configure:
1. Click Security > Authentication > External Auth Server > POP3 Trusted CA tab.
2. Click Add CA File.
3. Click Browse and select a CA file. Click Open and then click Upload.
LDAP Server
Path: Security > Authentication > External Auth Server > LDAP Server
The LDAP authentication method uses LDAP to exchange authentication credentials between the router and an external server. The LDAP server maintains a large database of users in a directory structure, so users with the same user name but belonging to different groups can be authenticated since the user information is stored in a hierarchical manner.
AD Server
Path: Security > Authentication > External Auth Server > AD Server
Active Directory authentication is an enhanced version of NT Domain authentication. The Kerberos protocol is leveraged for authentication of users, who are grouped in Organizational Units (OUs). In particular, the Active Directory server can support more than a million users given its structure, while the NT Domain server is limited to thousands.
Field: Description
Authentication Server (1-3): Enter the IP address of your AD server(s).
Active Directory Domain (1-3): Enter the active directory domain name(s).
Timeout: Set the amount of time in seconds that the router should wait for a response from the AD server.
Retries: This determines the number of tries the controller will make to the AD server before giving up.
Administrator Account
Save
Server Check
NT Domain Server
Path: Security > Authentication > External Auth Server > NT Domain
The NT Domain server allows users and hosts to authenticate themselves via a pre-configured Workgroup field. Typically Windows or Samba servers are used to manage the domain of authentication for the centralized directory of authorized users.
To configure the router to connect to your NT domain server:
1. Click Security > Authentication > External Auth Server > NT Domain tab.
2.
Login Profiles
Path: Security > Authentication > Login Profiles
When a wireless client connects to the SSIDs or VLANs, the user sees a login page. The Login Profile and SLA page allows you to customize the appearance of that page with specific text and images. The wireless router supports multiple login and SLA pages. Login pages or SLAs can be associated with SSIDs or VLANs separately.
To add, delete, or edit login profiles:
1. Click Security > Authentication > Login Profiles tab.
2.
Field: Description
General Details
Profile Name: Enter a name for this captive portal profile. The name should allow you to differentiate this captive profile from others you may set up.
Browser Title: Enter the text that will appear in the title of the browser during the captive portal session.
Background: Select whether the login page displayed during the captive portal session will show an image or color. Choices are:
• Image: Displays an image as the background on the page.
External Payment Gateway
Enable External Payment Gateway: Enables or disables external payment gateway and online wireless service purchasing from the login page.
Session Title 1: Enter the text that appears in the title of the online purchasing login box when the user logs in to the captive portal session.
Message
Session Title 2
Success Message
Session Title 3
Failure Message
Enable Billing Profile
Service Disclaimer Text
Payment Server
Web Content Filtering
Static Filtering
Path: Security > Authentication > Static Filtering
You may block access to certain Internet services.
To block or allow a service:
1. Click Security > Web Content Filter > Static Filtering tab.
2. Toggle Content Filtering to ON.
3. Toggle the service to ON to block. Toggle to OFF to allow.
4. Click Save.
Approved URLs
Path: Security > Web Content Filter > Static Filtering > Approved URL
The approved URL list is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain “dlink” is added to this list, then all of the following URLs are permitted access from the LAN: www.dlink.com, support.dlink.com, etc. Importing/exporting from a text or CSV file is also supported.
To add/import/export URLs to the approved list:
1.
Blocked Keywords
Path: Security > Web Content Filter > Static Filtering > Blocked Keywords
Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List; i.e. if a blocked keyword is present in a site allowed by a trusted domain in the Approved URL List, then access to that site will be allowed. Import/export from a text or CSV file is also supported.
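The precedence between the Approved URL List and Blocked Keywords described above, as an added model for auditing a filter configuration; it is not the router's own code. It assumes an approved entry matches as a substring of the hostname (following the “dlink” example), checks keywords only against the URL and not site content, and allows anything that no rule matches. The keyword list and URLs are constructed samples.

```python
from urllib.parse import urlsplit

def decide(url, approved, blocked_keywords):
    """Apply the documented order: Approved URL List first, then Blocked Keywords."""
    host = (urlsplit(url).hostname or "").lower()
    hit = next((a for a in approved if a.lower() in host), None)
    if hit is not None:
        return "allow", f"approved:{hit}"
    lowered = url.lower()
    word = next((k for k in blocked_keywords if k.lower() in lowered), None)
    if word is not None:
        return "block", f"keyword:{word}"
    return "allow", "default"             # assumption: unmatched traffic is allowed

def shadowed(urls, approved, blocked_keywords):
    """Report URLs that contain a blocked keyword but are allowed by an approved entry."""
    report = []
    for url in urls:
        verdict, reason = decide(url, approved, blocked_keywords)
        words = [k for k in blocked_keywords if k.lower() in url.lower()]
        if verdict == "allow" and reason.startswith("approved:") and words:
            report.append((url, reason.split(":", 1)[1], words))
    return report

# Constructed configuration and URL sample for the audit.
APPROVED = ["dlink"]
BLOCKED = ["games", "torrent"]
URLS = [
    "http://www.dlink.com/products",
    "http://support.dlink.com/games/faq",
    "http://www.example.com/games",
    "http://www.example.com/news",
]

if __name__ == "__main__":
    for url in URLS:
        print(url, decide(url, APPROVED, BLOCKED))
    print(shadowed(URLS, APPROVED, BLOCKED))
```

Running `shadowed` over a sample of visited URLs shows which keyword rules never take effect because an approved entry wins, which helps keep approved entries as narrow as the policy intends.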
Dynamic Filtering
Path: Security > Web Content Filter > Dynamic Filtering
Dynamic Filtering will allow you to filter content from a list of categories. The router must be upgraded with the WCF license and then the Content Filtering option, which allows the user to filter out internet sites, needs to be enabled. When enabled, access to a website belonging to one of these configured categories will be blocked with an error page.
To add/import/export URLs to the approved list:
1.
Firewall
Firewall Rules
Path: Security > Firewall > Firewall Rules > IPv4 Firewall Rules or IPv6 Firewall Rules
Inbound (WAN to LAN/DMZ) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources. By default, all access from the insecure WAN side is blocked from accessing the secure LAN, except in response to requests from the LAN or DMZ.
3. Complete the fields from the table below and click Save.
Field: Description
From Zone: Select the source of originating traffic: either secure LAN, public DMZ, or insecure WAN. For an inbound rule WAN should be selected.
To Zone: Select the destination of traffic covered by this rule. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN.
Service
Action
Source Hosts
Destination Hosts
Log
QoS Priority (IPv4 only)