VLAN
Click on System in the menu bar, and then click VLAN below it. This will give a list of all configured VLANs; it will look something like this:
Add a new VLAN
Follow these steps to add a new VLAN.
Step 1. Go to System and VLAN.
Step 2. Click on Add new at the bottom of the VLAN list.
Step 3. Choose the interface that the VLAN should be on from the dropdown menu.
Step 4. Specify the 802.1Q VLAN ID.
Step 5. Fill in the IP address of the VLAN interface. This is the address that will be used to ping the firewall, to remotely control it, and as the gateway for hosts on that VLAN.
Step 6. Choose the correct subnet mask of this interface from the dropdown menu.
Click the Apply button below to apply the settings, or click Cancel to discard the changes.
Remove a VLAN
Follow these steps to remove a VLAN.
Step 1. Go to System and VLAN.
Step 2. Click Edit next to the VLAN you would like to remove.
Step 3. Check the checkbox named Delete this VLAN.
Click the Apply button below to apply the settings, or click Cancel to discard the changes.
Routing
Click on System in the menu bar, and then click Routing below it. This will give a list of all configured routes; it will look something like this:
The Routes configuration section describes the firewall’s routing table. DFL-1100 uses a
slightly different way of describing routes compared to most other systems. However, we
believe that this way of describing routes is easier to understand, making it less likely for
users to cause errors or breaches in security.
Interface – Specifies which interface packets destined for this route shall be sent through.
Network – Specifies the network address for this route.
Gateway – Specifies the IP address of the next router hop used to reach the destination network. If the network is directly connected to the firewall interface, no gateway address is specified.
Local IP Address – The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall's own interface IP address will be used.
Proxy ARP – Specifies that the firewall shall publish this route via Proxy ARP.
One advantage with this form of notation is that you can specify a gateway for a particular
route, without having a route that covers the gateway’s IP address or despite the fact that the
route that covers the gateway’s IP address is normally routed via another interface.
The difference between this form of notation and that most commonly used is that there,
you do not specify the interface name in a separate column. Instead, you specify the IP
address of each interface as a gateway.
Note: The firewall does not Proxy ARP routes on VPN interfaces.
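To make the difference between the two route notations concrete, here is an added Python example; it is not from the manual or from D-Link, and the two lookup functions are a simplified model of the behaviour described above rather than the DFL-1100's own implementation. The routing table, interface names and addresses are constructed. The interface-column lookup uses the interface named on the matching route; the "conventional" lookup ignores that column and must resolve the gateway recursively through a directly connected route, which is why a gateway that is not covered by any route, or is covered by a route on another interface, behaves differently in the two models.

```python
import ipaddress

# Constructed sample routing table in the interface-column notation described above.
# gateway None means the network is directly connected to that interface.
ROUTES = [
    {"interface": "lan", "network": "192.168.1.0/24", "gateway": None},
    {"interface": "lan", "network": "10.0.0.0/8",     "gateway": "192.168.1.254"},
    {"interface": "wan", "network": "203.0.113.0/24", "gateway": None},
    {"interface": "wan", "network": "0.0.0.0/0",      "gateway": "203.0.113.1"},
    # The gateway 10.9.9.1 is covered only by the 10.0.0.0/8 route (and the default
    # route), which point at other interfaces; the explicit column still says "dmz".
    {"interface": "dmz", "network": "10.20.0.0/16",   "gateway": "10.9.9.1"},
]


def longest_match(routes, dst):
    """Return the most specific route whose network contains dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["network"])
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def lookup_interface_notation(routes, dst):
    """Interface-column style: the matching route itself names the egress interface.
    Returns (interface, next_hop); next_hop is dst for directly connected networks."""
    route = longest_match(routes, dst)
    if route is None:
        return None
    return route["interface"], (route["gateway"] or dst)


def lookup_conventional(routes, dst, _depth=0):
    """Conventional style: the interface column is ignored; the gateway must itself
    be resolved, recursively, down to a directly connected route."""
    route = longest_match(routes, dst)
    if route is None or _depth > 8:          # no route at all, or a routing loop
        return None
    if route["gateway"] is None:
        return route["interface"], dst        # directly connected network
    via = lookup_conventional(routes, route["gateway"], _depth + 1)
    if via is None:
        return None                           # gateway unreachable in this table
    return via[0], route["gateway"]


def routes_without(routes, *networks):
    """The same table minus the named networks (used to model the 'no route covers
    the gateway' case from the text)."""
    return [r for r in routes if r["network"] not in networks]


if __name__ == "__main__":
    for dst in ("10.20.5.5", "8.8.8.8", "192.168.1.7"):
        print(dst, "interface notation:", lookup_interface_notation(ROUTES, dst),
              "conventional:", lookup_conventional(ROUTES, dst))
    trimmed = routes_without(ROUTES, "10.0.0.0/8", "0.0.0.0/0")
    print("10.20.5.5 with nothing covering 10.9.9.1: interface notation:",
          lookup_interface_notation(trimmed, "10.20.5.5"),
          "conventional:", lookup_conventional(trimmed, "10.20.5.5"))
```

Run stand-alone, the table above sends 10.20.5.5 out of dmz via 10.9.9.1 in the interface-column model, while the conventional model resolves 10.9.9.1 through the 10.0.0.0/8 route and sends the same packet out of lan. With the covering routes removed, the conventional model has no way to reach the gateway and returns nothing, whereas the explicit interface still resolves; that is the property the text describes.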
Add a new Static Route
Follow these steps to add a new route.
Step 1. Go to System and Routing.
Step 2. Click on Add new at the bottom of the routing table.
Step 3. Choose the interface that the route should be sent through from the dropdown menu.
Step 4. Specify the Network and Subnet mask.
Step 5. If this network is behind a remote gateway, enable the checkbox Network is behind remote gateway and specify the IP address of that gateway.
Click the Apply button below to apply the settings, or click Cancel to discard the changes.
Remove a Static Route
Follow these steps to remove a route.
Step 1. Go to System and Routing.
Step 2. Click Edit next to the route you would like to remove.
Step 3. Check the checkbox named Delete this route.
Click the Apply button below to apply the settings, or click Cancel to discard the changes.
High Availability
D-Link High Availability works by adding a back-up firewall to your existing firewall. The
back-up firewall has the same configuration as the primary firewall. It will stay inactive,
monitoring the primary firewall, until it deems that the primary firewall is no longer functioning,
at which point it will go active and assume the active role in the cluster. When the other
firewall comes back up, it will assume a passive role, monitoring the now active firewall.
What High Availability will do for you
D-Link High Availability will provide a redundant, state-synchronized firewalling solution.
This means that the state of the active firewall, i.e. connection table and other vital information,
is continuously copied to the inactive firewall. When the cluster fails over to the inactive
firewall, it knows which connections are active, and communication may continue to flow
uninterrupted.
The failover time is typically about one second, well within the normal TCP retransmit timeout, which is normally over one minute. Clients connecting through the firewall will merely experience the failover procedure as a slight burst of packet loss and, as TCP always does in such situations, retransmit the lost packets within a second or two and go on communicating.
What High Availability will NOT do for you
Adding redundancy to your firewall setup will eliminate one of the single points of failure in
your communication path. However, it is not a panacea for all possible communication failures.
Typically, your firewall is far from the only single point of failure. Redundancy for your
routers, switches, and your Internet connection are also issues that need to be addressed.
D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be
active, and the other will be inactive.
Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a "master" and a
"slave", are supported.
As is the case with all other firewalls supporting stateful failover, the D-Link High
Availability will only work between two D-Link DFL-1100 Firewalls. As the internal workings of
different firewalls, and, indeed, different major versions of the same firewall, can be radically
different, there is no way of communicating "state" to something which has a completely
different comprehension of what "state" means.
IP Addresses explained
For each cluster interface, there are three IP addresses:
- Two "real" IP addresses, one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and monitoring. They should not be associated in any way with traffic flowing through the cluster; if either firewall is inoperative, the associated IP address will simply be unreachable.
- One "virtual" IP address, shared between the firewalls. This is the IP address to use when configuring default gateways and other routing-related matters. It is also the address used by dynamic address translation, unless the configuration explicitly specifies another address.
There is not much to say about the real IP addresses; they will act just like firewall
interfaces normally do. You can ping them or remote control the firewalls through them if your
configuration allows it. ARP queries for the respective addresses are answered by the firewall
that owns the IP address, using the normal hardware address, just like normal IP units do.
Note: You cannot use PPPoE/DHCP/L2TP on the external interface when using HA.
The shared IP address and the failover mechanism
Both firewalls in the cluster know about the shared IP address. ARP queries for the shared
IP address, or any other IP address published via the ARP configuration section or through
Proxy ARP, will be answered by the active firewall.
The hardware address of the shared IP address, and other published addresses for that
matter, is not related to the hardware addresses of the firewall interfaces. Rather, it is
constructed from the cluster ID, on the following form: 10-00-00-C1-4A-nn, where nn is the
Cluster ID configured in the Settings section.
As the shared IP address always has the same hardware address, there will be no latency
time in updating ARP caches of units attached to the same LAN as the cluster when failover
occurs.
When a firewall discovers that its peer is no longer operational, it will broadcast a number
of ARP queries for itself, using the shared hardware address as sender address, on all
interfaces. This causes switches and bridges to re-learn where to send packets destined for
the shared hardware address in a matter of milliseconds.
Hence, the only real delay in the failover mechanism is detecting that a firewall is no
longer operational.
The activation messages (ARP queries) described above are also broadcast periodically
to ensure that switches won't forget where to send packets destined for the shared hardware
address.