DLink DFL-300 Firewall/Router Review (DLink Hell)

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    DLink DFL-300 Firewall/Router Review (DLink Hell)

    I run a small web development/hosting company. I recently upgraded my internet service to a fractional T1 and decided that it was time to invest in a good hardware firewall. I have minimal experience in Unix and did not want to implement a Unix based firewall because I wouldn't know how to secure the actual Unix box. I decided to start researching hardware firewalls. I had a limited budget being a small and new business, and was looking to spend a maximum of about $400.

    I came across the DLink DFL-300 for $380. The feature that caught my eye is the "Multiple Mapped IP (Software DMZ Host)". This feature allows me to assign all my servers internal IP Addresses while mapping the ISP assigned IP Addresses to the internal ones. All incoming traffic would then go through the firewall before reaching any of the servers. This is exactly what I wanted.

    I received the router/firewall, and it was pretty easy to set up. It has an easy to use web based interface. It also has many preset firewall rules (policies) that are commonly used such as FTP, HTTP, and DNS to name a few. It also allows the creation of grouped policies. For example if you want to allow ping, http, and ftp all to one mapped ip address, you do not have to create 3 separate rules. You can create a new policy that includes those 3 policies (ping, http, ftp) then apply that one "grouped policy" to a mapped ip address. Pretty nifty feature. Mapping IP addresses was very easy, and applying the policies was also very easy. I mapped exactly 10 IP Addresses. I then started setting the policies for each mapped ip address. I ended up setting about 1 policy per mapped ip address.

    During the setup, as I added new policies to the mapped ip addresses, the web based interface started to lag terribly. It would take up to 5 minutes to simply add one policy to an ip address. It was almost impossible to work with. Internet access was also lost during the times that the router lagged. I had to actually reset the router twice and re-create all my settings. At this point I sent an e-mail to DLink tech support notifying them of this and asking if they have any performance issues with this router. I then went back to fiddling around with the firewall/router. After a few hours, everything was working fine. All the policies were set for the ip addresses, and the firewall/router was doing its job. I ran port scanners from an outside source on the IP Addresses, and the only ports shown as open were the ones that I set to allow traffic to. It was a beautiful sight, and I was very pleased.

    Well after about a day I started noticing some strange activity. At various times throughout the day my servers were unreachable. Only for a few minutes, and then they would be back up again. This would happen a couple times throughout the day. Not too much of a big deal, but still something that I did not want to happen. I received a new client that needed a web site. I added the mapped IP Address to the router, and set the policy. I think that was the straw that broke the camel's back. The day after, certain ip addresses were no longer accessible from the outside. No policies for those ip addresses were changed, no server settings were changed, there was no reason that those ip addresses should not be accessible when the day before they were.

    Now I'm starting to get pretty pissed off. I never received a response to my original e-mail to DLink that I sent out about 4 days prior to this. I sent in another e-mail and am awaiting a response. I started looking for reviews on the product to see if anyone had been having any similar problems, and could not come across any. But what I did come across on the DLink site really irks me. This is what I found:

    "The maximum number of mapped IP addresses the DFL-300 can manage is dependant on what other services the DFL-300 is handling. Completely configure your mapped IP addresses one at a time until you find the limit for your DFL-300."
    (http://support.dlink.com/faq/view.as...estion=DFL-300)

    Nowhere else on the site is it mentioned that mapped IP addresses are limited. They sure as hell make sure not to mention it in the product description. So here I am with a router that is supposed to support mapped IP addressing but if there is a spike in traffic, the router gets overloaded and cuts off internet access. That is ridiculous. 11 mapped IP addresses is not a lot to ask for from a firewall/router. My company hosts web sites that do not receive a lot of traffic. They are not demanding, and they are mainly small informative sites for other small businesses. They do not receive a lot of traffic at all. There is no reason that this router should not be able to support such minimal traffic.

    So there's my warning to anyone else looking into this product for commercial use. It is not reliable. If DLink gives me a miracle fix, I will be sure to mention it here, but until then this router is worthless in my eyes. I bought this router to keep hackers out and prevent down time, instead I have been experiencing more down time than ever. Be careful with this one.

    Jared
    An Ounce of Prevention is Worth a Pound of Cure...
     

  2. #2
    Junior Member
    Join Date
    Apr 2003
    Posts
    24
    Jared;

    Have you opened up your DFL-300 to see what it's got inside? Perhaps you could add more RAM to the box? The other thing you might want to consider is seeing if you can manage the Session Keep Alive values... this may be available via the web-based interface, or you may need to tune it with SNMP (supposing that's an option on the DFL-300.)

    I'm thinking what's happening is that the DFL-300 is keeping sessions that have long-since gone inactive, active in memory, and as a result those resources are not available to use for other, new and valid connections.

    Just a thought.

    -C
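
An added illustration of the hypothesis in the post above (not part of the thread and not based on D-Link firmware or specifications): a small simulation of a fixed-size session table in which an entry is only freed after an idle timeout. The table capacity, timeouts and connection rate are assumed values chosen to show the effect.

```python
from collections import deque

def steady_state_entries(arrivals_per_sec, active_secs, idle_timeout):
    """Entries held once the table settles (integer-second model)."""
    return arrivals_per_sec * (active_secs + idle_timeout)

def simulate(capacity, idle_timeout, arrivals_per_sec, active_secs, duration):
    """Return (accepted, dropped, peak_entries) for a fixed-size session table.

    Each accepted connection holds one entry for active_secs of traffic plus
    idle_timeout seconds afterwards, because the entry is only freed once no
    packets have been seen for idle_timeout seconds.
    """
    expiries = deque()  # expiry times; insertion order is also expiry order
    accepted = dropped = peak = 0
    for t in range(duration):
        # Free every entry whose idle timer has run out.
        while expiries and expiries[0] <= t:
            expiries.popleft()
        for _ in range(arrivals_per_sec):
            if len(expiries) >= capacity:
                dropped += 1  # table full: a new, valid connection is refused
            else:
                expiries.append(t + active_secs + idle_timeout)
                accepted += 1
        peak = max(peak, len(expiries))
    return accepted, dropped, peak

if __name__ == "__main__":
    CAPACITY = 2000   # assumed table size, not a DFL-300 figure
    RATE = 5          # assumed new connections per second
    ACTIVE = 2        # assumed seconds of real traffic per connection
    HOUR = 3600
    for timeout in (3600, 60):  # long vs. short idle timeout (assumed)
        acc, drop, peak = simulate(CAPACITY, timeout, RATE, ACTIVE, HOUR)
        need = steady_state_entries(RATE, ACTIVE, timeout)
        print(f"idle_timeout={timeout:>4}s needs={need:>5} entries "
              f"accepted={acc} dropped={drop} peak={peak}")
```

With the long timeout the table fills after 400 seconds and every later connection is dropped even though the traffic rate never changes; with the short timeout the same load peaks at 310 entries.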

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    I will check that out. Thanks for the suggestions. I'll be sure to post if it helps or not.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Originally posted here by sodaphish
    you might want to consider is seeing if you can manage the Session Keep Alive values... this may be available via the web-based interface, or you may need to tune it with SNMP (supposing that's an option on the DFL-300.)

    I'm thinking what's happening is that the DFL-300 is keeping sessions that have long-since gone inactive, active in memory, and as a result those resources are not available to use for other, new and valid connections.

    No way to edit the session keep alive values through the DFL web interface.

    For now I took the server that receives the most traffic out from behind the firewall. I removed its mapped ip and its policy from the firewall settings. I unplugged the firewall/router for 30 seconds, and plugged it back in. Everything is working fine again just like it did originally. Now I guess my only option is to let it sit for a day or two and see what happens once again.

    I think what it comes down to is that this firewall/router is not reliable for commercial use. DLink shouldn't be advertising 1 to 1 IP Address mapping if it can only support a limited amount. They advertise it for small to medium size businesses. I have an extremely small business. I think 10 IP addresses is low enough to be considered small.
    An Ounce of Prevention is Worth a Pound of Cure...
     
