NeuroAgent

DFL-870 Routing Configuration: Complete Guide

Complete guide to configuring routing on DFL-870 firewall for inter-subnet communication. Step-by-step instructions for creating routing and firewall rules.

#dfl-870#d-link#firewall#network-configuration#routing#subnets
Question

How to properly configure routing on a DFL-870 firewall?

I’m experiencing the following issue:
All 6 ports of the device are configured with local IP addresses (for example, 10.98.8.118, 10.99.34.118, etc.), and I plan to use it as a simple router between these local networks (LANs). From devices located in the same subnet as the corresponding port, ping works successfully. However, ping between adjacent subnets (through other ports) doesn’t work. What routing and firewall rules need to be established to ensure communication between all subnets?

NeuroAgent

Configuring Routing on DFL-870 Firewall for Inter-Subnet Communication

Configuring routing on the DFL-870 firewall for communication between subnets requires proper configuration of system routing rules and firewall rules. Your issue is related to the firewall not processing inter-subnet traffic between ports by default, and to ensure communication between all subnets, you need to explicitly enable routing and create appropriate firewall rules.

Table of Contents

Overview of DFL-870 Device

The DFL-870 is a NetDefend UTM Firewall from D-Link designed for corporate use. The device is equipped with multiple gigabit ports and supports advanced security features source.

Key features:

  • Support for multiple WAN ports for load balancing and redundancy
  • Integrated VPN client and server (IPSec, PPTP, L2TP, SSL)
  • Hardware-accelerated VPN
  • Web interface and CLI for configuration
  • Support for VLAN and inter-subnet routing

The Ethernet ports function on the DFL-870 can be configured through the web interface or CLI interface to meet various network requirements source.

Analysis of Current Problem

Your situation is typical for many users configuring a firewall in router mode between subnets for the first time. The problem is as follows:

  1. All 6 ports have local IP addresses - this means each port is in its own subnet
  2. Intra-subnet communication works - devices can ping other devices in the same subnet
  3. Inter-subnet communication doesn’t work - devices in different subnets cannot communicate through the firewall

This occurs because firewalls block inter-interface traffic by default, even when IP addresses are properly configured. Explicit permission for routing between interfaces is required.

Required Routing Configuration

To ensure communication between all subnets on the DFL-870, you need to perform the following steps:

1. Enable IP Forwarding

Ensure that IP forwarding (routing between interfaces) is enabled. This is typically done through the web interface in the system settings section.

2. Create Static Routes

For each subnet, you need to create a static route pointing to the corresponding port. For example:

  • Subnet 10.98.8.0/24 via LAN1 port (10.98.8.118)
  • Subnet 10.99.34.0/24 via LAN2 port (10.99.34.118)
  • And so on for all ports

3. Configure Interfaces

Each interface should be properly configured with the appropriate subnet mask and default gateway.

Important: Best practice is to associate one subnet/IP range with one VLAN source.

Configuring Firewall Rules

This is the most critical stage for solving your problem. You need to create firewall rules that allow traffic between subnets.

Basic rules:

  1. Allow ICMP (for ping)
  2. Allow necessary services between subnets
  3. Block all other traffic by default

Example firewall rules:

Source Destination Protocol Port Action
10.98.8.0/24 10.99.34.0/24 ICMP - Allow
10.99.34.0/24 10.98.8.0/24 ICMP - Allow
10.99.34.0/24 10.100.50.0/24 TCP 80,443 Allow

Note: You can set the firewall to control traffic within a subnet, but if communication occurs from PC 1 to PC 2 and they are in the same subnet, the firewall will not be involved source.

Step-by-Step Configuration Guide

Step 1: Access the Web Interface

  1. Connect to the DFL-870 through a web browser
  2. Use the device’s default IP address (usually 192.168.0.1 or 192.168.1.1)
  3. Enter the login and password (default admin/admin)

Step 2: Configure Interfaces

  1. Go to the “Network” > “Interfaces” section
  2. For each LAN port:
    • Set the IP address and subnet mask
    • Configure the appropriate VLAN if needed
    • Save the settings

Step 3: Enable IP Forwarding

  1. Go to the “System” > “Advanced” section
  2. Find the “IP Forwarding” parameter and enable it
  3. Save the settings

Step 4: Create Static Routes

  1. Go to the “Routing” > “Static Routes” section
  2. For each subnet, create a route:
    • Network: Subnet IP address (e.g., 10.99.34.0)
    • Netmask: Subnet mask (e.g., 255.255.255.0)
    • Gateway: Interface IP address (e.g., 10.99.34.118)
    • Interface: Corresponding LAN port
    • Save the settings

Step 5: Configure Firewall Rules

  1. Go to the “Security” > “Firewall Rules” section
  2. Create rules to allow traffic between subnets:
    • Source: IP address of the first subnet
    • Destination: IP address of the second subnet
    • Service: ICMP (for ping) or required services
    • Action: Allow
    • Save the settings

Step 6: Testing

  1. Check connectivity between devices in different subnets
  2. Use the tracert or traceroute command to verify routing
  3. Check the system log for blocked packets

Important Security Recommendations

  1. Principle of least privilege: Allow only necessary ports and protocols between subnets
  2. Use VLANs: For larger networks, it’s recommended to use VLANs to separate traffic
  3. Monitoring: Configure system logging and security monitoring
  4. Updates: Regularly update the device firmware
  5. Backup: Create backups of the configuration before making changes

Solving Common Problems

Problem: Ping doesn’t work between subnets

Possible causes and solutions:

  1. IP forwarding is disabled

    • Check that IP forwarding is enabled in system settings

  2. Missing static routes

    • Ensure all necessary static routes are created

  3. Firewall blocking

    • Check firewall rules and add a rule for ICMP

  4. Incorrect interface configuration

    • Verify that IP addresses and subnet masks are configured correctly

Problem: Some services don’t work

Solution:

  1. Add rules to the firewall to allow the required ports
  2. Check that services are listening on all necessary interfaces
  3. Ensure there are no port conflicts

Problem: Poor performance

Solution:

  1. Optimize firewall rules (simple rules at the beginning of the list)
  2. Check the device’s CPU load
  3. Consider hardware VPN acceleration when using VPN

Sources

  1. D-Link DFL-870 Quick Installation Manual - ManualsLib
  2. DFL-870 NetDefend UTM Firewall - D-Link
  3. Inter-VLAN Routing: Configuration Examples - Catchpoint
  4. Can we set filewall rule to control within subnet? - Network Engineering Stack Exchange
  5. Inter-LAN Routing - Draytek

Conclusion

Configuring routing on the DFL-870 firewall for communication between subnets requires attention to several key aspects:

  1. Proper interface configuration - each port should have the correct IP address and subnet mask
  2. Enabling IP forwarding - this is the foundation of inter-subnet routing
  3. Creating static routes for each subnet through the appropriate interface
  4. Firewall rules - explicitly allowing traffic between subnets
  5. Testing and monitoring - regular verification of functionality and network security

By following these steps, you can ensure reliable communication between all subnets through your DFL-870 firewall. If you have additional questions, it’s recommended to consult the official D-Link documentation or support forums.

How to configure VLAN on DFL-870 for better network segmentation?What security rules should be implemented on DFL-870 for inter-subnet communication?How to troubleshoot routing issues on DFL-870 firewall?How to configure VPN on DFL-870 for secure remote access?What are the best practices for organizing firewall rules on DFL-870?How to monitor traffic and logs on DFL-870 for security analysis?
Ask NeuroAgent