D-Link DFL-210 Network Firewall Fast, Though Complex
At a Glance
The smallest unit of the D-Link NetDefend family, the DFL-210 is a dark gray metal box about 6 x 8 in., second largest of the group tested but still relatively small. All the connections are in the back with lights for power and status, Ethernet, WAN and DMZ ports on the front. Air vents on both ends and the top mean you need to place the unit in the open for air flow.
Included are two Ethernet patch cables, the power supply and a documentation CD. Unfortunately, the Quick Installation Guide is only on CD, with no paper version. Worse, the guide has errors. Also included are a Firewall Registration Manual (that's on paper) and a serial console cable for a command line interface.
The last two items give a strong clue to the strength of the DFL-210 -- it's much more a complex firewall that supports dual-WAN connections than a small business router with a firewall. D-Link's marketing says this is a Small Office/Home Office (SOHO) product, but nothing could be further from the truth. The most difficult of all units tested to install and configure, this unit will frustrate most small businesses that try to install it themselves. That said, once up and running, the unit was rock solid and wrung slightly better speed from the dual-WAN connection than all the other units.
The DFL-210 has four Fast Ethernet (100Mbps) network connections, one dedicated WAN port, and a DMZ port that does double duty as the second WAN port. Maximum firewall throughput is 80Mbps, which is better than most of the other units. VPN throughput is up to 25Mbps spread across a maximum of 100 tunnels. A highly configurable firewall leads the security package that includes intrusion detection and intrusion prevention. Tools for traffic management and QoS are included as well as SNMP support.
User authentication through RADIUS and LDAP helps the DFL-210 integrate into a large network, another indication this isn't really a SOHO device, but can work fine in a branch office setting. Remote management controls are set by some of the many firewall policies, which include NAT, Port Address Translation (PAT), and Static Address Translation (SAT).
Gather your lucky charms and stroke your rabbit foot for good luck before starting to install the DFL-210. Make your own luck by turning off the popup blocker in your browser on the computer you use to install the unit. Why? The setup screen appears once, only once, as a popup, and if you don't catch it, you have to use a different computer or reset the unit to factory settings and try again. The Setup screen is supposed to be visible on the main status line in the administration software, but it only appears one time on each computer used to run the admin, never to be seen again on the status line or anywhere else unless the unit is reset to factory settings and the process started over.
Since DHCP is disabled (the only unit tested so configured), you must prepare a PC in the 192.168.1.x address range to start the setup process. The first screen rightfully demands you change the admin user's password away from the default, but doesn't enforce or even suggest creating a strong password. Time and timezone settings come next, but an option to add external timeservers doesn't appear until later.
Next, you choose your broadband connection for your WAN interface. Standard options for static, DHCP, PPPoE, and PPTP follow as with all other units. As a nod toward D-Link's international sales, an option for Big Pond finishes up the list.
Finally, you get a chance to turn on the DHCP server to parcel out client addresses, and enter your address range for clients. Next you have to add the default gateway (unnecessary in other units) and type in your DNS server IP addresses.
The DFL-210 does not include a DNS server. If you put the same IP address in the DNS field as the default gateway, as you do with all other units tested here, your network clients will not be able to resolve URLs because they won't be linked to a real DNS server. For our tests, we used Google's free public DNS addresses of 8.8.8.8 and 8.8.4.4, both of which were passed to clients as requested.
Next come the "helper" servers, including addresses for up to two syslog servers and two more external time servers. This ends the setup process, and when you click the Activate button, all the details will be saved to the DFL-210.
This is actually a nice touch. Using the admin utility through a browser, the Configuration drop-down menu has three options: Save and Activate (as just done), Discard Changes, and View Changes. When fighting through more complicated configurations to make the unit usable, as we had to do several times, a list of planned changes ready to be implemented gave us a chance to double check before hitting Save and Activate.
Once restarted, network clients will have access through the DFL-210's firewall and security policies to the Internet through the WAN port. Converting the DMZ port for duty as the second WAN port takes some effort, none of which is detailed in the manual. Luckily, the technical support person we used knew his product well and communicated even more clearly.
All rules and policies refer to named objects, such as lan_ip and wan_dns2, rather than actual addresses. The table matching names to addresses is the Address Book where we changed the DMZ port address to match the second broadband IP address, then created a group that linked LAN traffic to both the WAN and DMZ (now WAN2) ports.
There are three options for WAN load balancing: Round Robin, Destination and Spillover. Round Robin sends alternate packets through alternate WAN ports, and resulted in better bandwidth usage than any other router we tested. However, if clients outside connect via Secure-HTTP for any reason, the Round Robin alternate sources confuse the client, so Destination is the best choice in that case.
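The difference between Round Robin and Destination can be seen in a small simulation, added here as an illustration and not taken from D-Link's firmware or documentation. It assumes Destination mode pins each destination address to one WAN port (modelled with a stable hash), reads the HTTPS problem as one remote site seeing a single session arrive from two source addresses, and uses constructed documentation-range IP addresses and port names.

```python
import hashlib
from itertools import cycle

# Constructed sample values (RFC 5737 documentation addresses), not from the review.
WAN_SOURCE_IP = {"wan": "198.51.100.10", "dmz_wan2": "203.0.113.20"}

class RoundRobin:
    """Alternate between WAN ports on every dispatch, ignoring the destination."""
    def __init__(self, ports):
        self._ports = cycle(ports)

    def pick(self, dst_ip):
        return next(self._ports)

class Destination:
    """Pin each destination to one WAN port (assumed model: stable hash of dst)."""
    def __init__(self, ports):
        self._ports = list(ports)

    def pick(self, dst_ip):
        digest = hashlib.sha256(dst_ip.encode()).digest()
        return self._ports[digest[0] % len(self._ports)]

def sources_seen_by(server_ip, traffic, policy):
    """Return the set of source IPs one remote server observes."""
    seen = set()
    for dst_ip in traffic:
        port = policy.pick(dst_ip)          # every dispatch consumes a policy decision
        if dst_ip == server_ip:
            seen.add(WAN_SOURCE_IP[port])   # address the server sees after NAT
    return seen

def session_is_stable(server_ip, traffic, policy):
    """An IP-bound HTTPS session survives only if the server sees one source."""
    return len(sources_seen_by(server_ip, traffic, policy)) == 1

# Constructed traffic: requests to one HTTPS site interleaved with other hosts.
HTTPS_SITE = "192.0.2.80"
TRAFFIC = [HTTPS_SITE, "192.0.2.5", HTTPS_SITE, HTTPS_SITE,
           "192.0.2.9", HTTPS_SITE, HTTPS_SITE, HTTPS_SITE]

if __name__ == "__main__":
    for policy in (RoundRobin(WAN_SOURCE_IP), Destination(WAN_SOURCE_IP)):
        seen = sorted(sources_seen_by(HTTPS_SITE, TRAFFIC, policy))
        print(type(policy).__name__, seen, "stable" if len(seen) == 1 else "split")
```

Under Round Robin the site sees both WAN addresses within one session; under the assumed Destination model it sees only one, at the cost of not spreading that site's traffic across both links.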
Feedback is just about non-existent. To track how many packets are coming and going, you must choose Status on the status line, then Interface. A screen named Interface Status appears, showing details from a single interface at a time. The only performance feedback is a text listing of packet and bytes in and out for that interface, along with the number of errors and dropped packets.
Although changing the LAN IP address from the default 192.168.1.x to our test lab's 10.0.1.1 is technically only a matter of changing the lan_ip, lannet, and lan_dhcpserver_range and activating the changes, we missed the time window to connect using the changed LAN address from our admin computer. We could never connect to the unit after that until we reset it back to factory defaults and started the setup all over again. We then left the DHCP address at the default, because the aggravation wasn't worth trying that a second time.
D-Link likes to advertise that its small business products have "enterprise features," and the DFL-210 certainly has them. However, it also has enterprise complexity for setup and configuration. Once through that aggravation, however, the DFL-210 provided the fastest average throughput rate during our testing by a small margin.