VLAN

Click on

System

in the menu bar, and then click

VLAN

below it, this will give a list of all

configured VLANs, it will look something like this:

Add a new VLAN

Follow these steps to add a new route.

Step 1.

Go to

System

and

VLAN

.

Step 2.

Click on

Add new

in the bottom of the routing table.

Step 3.

Choose the interface that the VLAN should be on from the dropdown menu.

Step 4.

Specify the 801.2Q VLAN ID.

Step 5.

Fill in the IP address of the

VLAN

interface. This is the address that will be used to

ping the firewall, remotely control it and use as gateway for hosts on that VLAN.

Step 6.

Choose the correct Subnet mask of this interface from the drop down menu.

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.

Remove a VLAN

Follow these steps to add a remove a route.

Step 1.

Go to

System

and

VLAN

.

Step 2.

Take

Edit

after the VLAN you would like to remove.

Step 3.

Check the checkbox named

Delete this VLAN

.

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.

22

Routing

Click on

System

in the menu bar, and then click

Routing

below it, this will give a list of all

configured routes, it will look something like this:

The Routes configuration section describes the firewall’s routing table. DFL-1100 uses a

slightly different way of describing routes compared to most other systems. However, we

believe that this way of describing routes is easier to understand, making it less likely for

users to cause errors or breaches in security.

Interface

– Specifies which interface packets destined for this route shall be sent through.

Network

– Specifies the network address for this route.

Gateway

– Specifies the IP address of the next router hop used to reach the destination

network. If the network is directly connected to the firewall interface, no gateway address is

specified.

Local IP Address

– The IP address specified here will be automatically published on the

corresponding interface. This address will also be used as the sender address in ARP queries.

If no address is specified, the firewalls own interface IP address will be used.

Proxy ARP –

Specifies that the firewall shall publish this route via Proxy ARP.

One advantage with this form of notation is that you can specify a gateway for a particular

route, without having a route that covers the gateway’s IP address or despite the fact that the

route that covers the gateway’s IP address is normally routed via another interface.

The difference between this form of notation and that most commonly used is that there,

you do not specify the interface name in a separate column. Instead, you specify the IP

address of each interface as a gateway.

Note:

The firewall does not Proxy ARP routes on VPN interfaces.

Add a new Static Route

Follow these steps to add a new route.

Step 1.

Go to

System

and

Routing

.

Step 2.

Click on

Add new

in the bottom of the routing table.

Step 3.

Choose the interface that the route should be sent trough from the dropdown

menu.

Step 4.

Specify the Network and Subnet mask.

Step 5.

If this network is behind a remote gateway enable the checkbox

Network is

behind remote gateway

and specify the IP of that gateway

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.

Remove a Static Route

Follow these steps to add a remove a route.

Step 1.

Go to

System

and

Routing

.

Step 2.

Take

Edit

after the route you would like to remove.

Step 3.

Check the checkbox named

Delete this route

.

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.

24

High Availability

D-Link High Availability works by adding a back-up firewall to your existing firewall. The

back-up firewall has the same configuration as the primary firewall. It will stay inactive,

monitoring the primary firewall, until it deems that the primary firewall is no longer functioning,

at which point it will go active and assume the active role in the cluster. When the other

firewall comes back up, it will assume a passive role, monitoring the now active firewall.

What High Availability will do for you

D-Link High Availability will provide a redundant, state-synchronized firewalling solution.

This means that the state of the active firewall, i.e. connection table and other vital information,

is continuously copied to the inactive firewall. When the cluster fails over to the inactive

firewall, it knows which connections are active, and communication may continue to flow

uninterrupted.

The failover time is typically about one second; well in the scope for the normal TCP

retransmit timeout, which is normally over one minute. Clients connecting through the firewall

will merely experience the failover procedure as a slight burst of packet loss, and, as TCP

always does in such situations, retransmit the lost packets within a second or two, and go on

communicating.

What High Availability will NOT do for you

Adding redundancy to your firewall setup will eliminate one of the single points of failure in

your communication path. However, it is not a panacea for all possible communication failures.

Typically, your firewall is far from the only single point of failure. Redundancy for your

routers, switches, and your Internet connection are also issues that need to be addressed.

D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be

active, and the other will be inactive.

Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a "master" and a

"slave", are supported.

As is the case with all other firewalls supporting stateful failover, the D-Link High

Availability will only work between two D-Link DFL-1100 Firewalls. As the internal workings of

different firewalls, and, indeed, different major versions of the same firewall, can be radically

different, there is no way of communicating "state" to something which has a completely

different comprehension of what "state" means.

IP Addresses explained

For each cluster interface, there are three IP addresses:

•

Two "real" IP addresses; one for each firewall. These addresses are used to

communicate with the firewalls themselves, i.e. for remote control and monitoring.

They should not be associated in any way with traffic flowing through the cluster;

if either firewall is inoperative, the associated IP address will simply be

unreachable.

•

One "virtual" IP address; shared between the firewalls. This is the IP address to

use when configuring default gateways and other routing related matters. It is

also the address used by dynamic address translation, unless the configuration

explicitly specifies another address.

There is not much to say about the real IP addresses; they will act just like firewall

interfaces normally do. You can ping them or remote control the firewalls through them if your

configuration allows it. ARP queries for the respective addresses are answered by the firewall

that owns the IP address, using the normal hardware address, just like normal IP units do.

Note:

You cannot use PPPoE/DHCP/L2TP on the external interface when using HA.

The shared IP address and the failover mechanism

Both firewalls in the cluster know about the shared IP address. ARP queries for the shared

IP address, or any other IP address published via the ARP configuration section or through

Proxy ARP, will be answered by the active firewall.

The hardware address of the shared IP address, and other published addresses for that

matter, is not related to the hardware addresses of the firewall interfaces. Rather, it is

constructed from the cluster ID, on the following form: 10-00-00-C1-4A-nn, where nn is the

Cluster ID configured in the Settings section.

As the shared IP address always has the same hardware address, there will be no latency

time in updating ARP caches of units attached to the same LAN as the cluster when failover

occurs.

When a firewall discovers that its peer is no longer operational, it will broadcast a number

of ARP queries for itself, using the shared hardware address as sender address, on all

interfaces. This causes switches and bridges to re-learn where to send packets destined for

the shared hardware address in a matter of milliseconds.

Hence, the only real delay in the failover mechanism is detecting that a firewall is no

longer operational.

The activation messages (ARP queries) described above are also broadcast periodically

to ensure that switches won't forget where to send packets destined for the shared hardware

address.