Enterprise Firewall at SOHO Prices?
Pros:
Price, Features, performance
Cons:
Support web site, stability, firewall configuration, GUI could be more user friendly
The Bottom Line:
Good product but needs improvement. Good mid-range alternative to both low end and enterprise products, but lacks in some areas.
Author's Review
I am the IT Manager for an organization of about 35 users over a few locations. I recently purchased the DFL-300 to perform the functions of a dying gateway server that had been in place since before I came on board. This server was used to manage a VPN connection with a remote office with a similar gateway, manage our main office's internet connection, and provide static IP routing from external public IPs to several internal non-routable IP addresses. This was necessary because we manage our own e-mail server, and have some other servers that need easy access from the outside world.
I considered a wide variety of other products, everything from Linksys BEFVP41 (which I have used quite successfully to connect several small businesses) to enterprise products from SonicWall and WatchGuard, etc. Here is where the DFL-300 stood out:
Price: I paid a little under $300 for our unit. The most basic SOHO VPN routers cost about $80, a SonicWall SOHO 3 with 50 user licenses costs about $800. It also was very nice that I didn't have to deal with user licenses, and VPN tunnel licenses. Most of the higher end products require this, and it is absurd. I want to buy the product and be done with it.
Features: Two big reasons I chose this device. First of all, I could do static one-one NAT. This means I could enter an external IP address assigned by my ISP and map it to an internal IP (192.168...). This was important because we have multiple servers, and port forwarding probably wouldn't cut it for us. Secondly, the DFL-300 includes a stateful packet inspection firewall that allows me to configure for my own security needs. IPSec VPN compatibility was also a must for us to network our remote office.
Actual performance: Overall the DFL-300 does everything D-Link said it would. I did have some interesting problems, however.
First of all, when you change settings on the system, it usually doesn't need to reboot the whole system. Several times during my initial configuration, and later during tweaking, the system quit responding after making changes, or after a power cycle. The only thing I could do was reset the system to factory default, and then restore my configuration from a saved file (great feature that I hoped I would never need). ALWAYS export your configuration to a file before making any changes!
I also had some difficulty with configuring the firewall. Some rules would work, some would not. I had some serious DNS issues (we ran a DNS server) even when I allowed all traffic from any address through. It still blocked the DNS queries. I also tried the DMZ port feature, and had the same problems. I was able to work around by physically placing the DNS server between the firewall and the Internet connection on a switch. I would really like to see easier configuration of firewall rules in this system. I would also like to be able to at least look at the pre-defined services that come with the DFL-300 to see which ports they are allowing and blocking. As of now I don't have a good solution, but I will tinker more with the port settings for my servers.
One-one mapped IP forwarding seems to work great, firewall problems aside.
VPN configuration worked on the first try, but the interface to set it up was a little confusing. Connected without a hitch to an Asante VR2004C VPN router using IPSec VPN.
DHCP: I really wish I could configure the entire TCP/IP stack that gets sent to the clients. This product (and the others that I checked on) does not allow you to specify WINS server and alternate DNS servers on your internal network. I will need to hard code the WINS server info into each client if I decide to use the DFL-300 as a DHCP server. For now, I'm still using an NT server for DHCP.
Final word: I think this is a good product that needs some work. If I had to do it over again, I would consider other products, but would probably buy again based on price. It would be nice to have more control over the packet filter, and maybe a little more stability when configuring. Also, it would be super cool to see dual WAN ports on this product to have redundant high speed connections/bandwidth load balancing. I guess at this price you can't have it all! One other note: the D-Link "knowledge base" was very weak. A few FAQ type things that I already knew from the manual.