We present a complete analysis of the D-Link DSR-1000AC professional router, a model designed specifically for small and medium-sized business environments, where the local network has to be segmented into independent, separate VLANs; the VLANs can still communicate with each other by activating inter-VLAN routing, with the router controlling access between them. This is D-Link's most advanced model, and it allows us to configure in detail both the firewall and the virtual private networks (VPN). In this complete review you will see the technical characteristics of the router, the real performance of the equipment in different areas, and all the configuration options of its firmware.
Main technical characteristics
This professional router is currently D-Link's top-of-the-range model: the manufacturer has no router that is more powerful, or that allows as many simultaneous connections and as many VPN tunnels. Because of the large number of features this router has, we will cover them in parts: first its wired features, then WiFi, USB, and finally the main firmware options. A very important detail is that the firmware is closely tied to the hardware characteristics, so we will also talk about firmware functionality when we talk about the hardware.
This router has 2 Gigabit Ethernet ports for the Internet WAN. The firmware allows us to configure VLANs on each of the two Internet WANs, so it is compatible with FTTH operators in Spain that use VLANs to provide Internet service. We can also configure load balancing between these WANs and weight the use of one or the other, or configure one as a failover in case the connection fails. Another very important feature is that we have a third WAN through a 3G/4G modem connected to the router's USB 2.0 port. Lastly, the firmware supports static IP address, dynamic IP address, PPPoE and PPTP/L2TP configurations, as is often the case in professional equipment. It also fully supports IPv6 networks, so if the Internet operator uses this network protocol, you will not have problems.
This equipment has 4 Gigabit Ethernet ports for the LAN. Here we can also configure different VLANs, which is ideal for setting up a router-on-a-stick network architecture in which all VLAN traffic goes through this router, to allow or deny it. Each of the four physical LAN ports can be configured as access or as trunk, depending on whether we are connecting a PC or a managed switch with VLANs. We can also enable or disable inter-VLAN routing to let the different subnets communicate with each other and, thanks to its complete firewall, configure all access in detail. Of course, by creating different VLANs we can configure different DHCP servers, one for each subnet, to correctly segment all clients. The firmware will allow us to configure the Static DHCP,
Wireless WiFi Features
The main wireless feature of this router is simultaneous dual band with AC1750 Wi-Fi. In the 2.4GHz band we can achieve a speed of up to 450Mbps, thanks to its three antennas in MIMO 3T3R configuration. In the 5GHz band we can achieve a speed of up to 1,300Mbps, thanks to its three antennas in MIMO 3T3R configuration. The firmware allows us to configure multiple SSIDs for both the 2.4GHz and 5GHz bands, and to assign each SSID to a specific VLAN ID, so that the WiFi network is correctly segmented into the different subnets we have created previously.
Some interesting firmware settings are WDS, WPS, and advanced parameters such as the beacon interval, DTIM and others.
This router has two USB 2.0 ports, which serve several functions:
- Connect a 3G/4G modem and use it as a third Internet WAN.
- Upload firmware to the router directly, without using a PC to upload the firmware via the web.
- Save the current configuration of the router; it also allows automatic saving whenever changes are made to the router.
- Restore the current router configuration.
- Share a printer via USB (must be specifically enabled).
- Share data through Samba (must be specifically enabled), although it is USB 2.0, so we will not get more than 25MB/s.
Other features of the router
Regarding the size of this professional router, it measures 28cm wide, 18cm deep and 4.4cm high, with a maximum consumption of 23W at full performance.
This router offers a performance of up to 950Mbps through its firewall. As for VPNs, we can get a performance of up to 250Mbps using 3DES symmetric encryption. In addition, we can create the following VPN tunnels:
- A maximum of 155 VPN tunnels
- 70 IPsec tunnels
- 20 SSL/TLS tunnels
- 25 PPTP/L2TP tunnels
- 20 GRE tunnels
- 20 OpenVPN tunnels
Of course, we can use robust ciphers such as AES-128 and AES-256, and we can configure SHA256 and SHA384 in different VPN protocols. Lastly, this router allows up to 100,000 concurrent connections and 1,000 new sessions per second, and lets us create up to 600 firewall policies. Other firmware services include static and dynamic routes (RIP and OSPF), detailed NAT/PAT configuration, web content filtering based on URLs and keywords, and even an IPS integrated in the firmware.
Once we know the main features of this professional router, let’s see what the router is like in detail.
This professional D-Link DSR-1000AC router comes in the typical brown D-Link box, like the rest of the manufacturer's business equipment. On the right side of the box there is a sticker with the exact model of the equipment, the D-Link DSR-1000AC, together with the serial number, the hardware version of the equipment, the firmware version installed by default, and the MAC address of the router.
Inside the box we can see all the accessories, the router documentation and the D-Link DSR-1000AC itself. The contents of the box are as follows:
- D-Link DSR-1000AC professional router.
- Three dual external antennas with RP-SMA connector for WiFi.
- Brackets and screws to rack the router.
- Rubber pads to place the router on a table.
- Power adapter (12V, 3A), with two wall connectors for different markets (EU and UK).
- Console cable, RJ-45 to RS-232 port.
- Cat5e Ethernet network cable.
- Documentation (warranty, declaration of conformity and quick installation guide).
In the following gallery you can see in detail everything that is included in the box of this professional router.
The brackets and screws that come in the box let us mount the D-Link DSR-1000AC in a typical 19" rack; the router meets the height required for a 1U rack installation. However, we also have rubber pads to place the router on a table without any problem. We must bear in mind that it is a professional router aimed at small and medium-sized companies, and it is possible that, for example, a training center does not have a rack and needs to put it on a table.
The three included antennas are dual band (2.4GHz and 5GHz) and have an RP-SMA connector, so we only need to screw them in to have WiFi coverage. We also have a power adapter with two wall plugs, one for the EU market and one for the UK. The power adapter provides a voltage of 12V and a current of 3A, enough to power this professional router without problems.
Finally, we have an RJ-45 to RS-232 cable, that is, the console cable used to manage this router through the CLI with programs like PuTTY. We also have a Cat5e Ethernet network cable that will allow us to connect to the local network at a speed of 1Gbps.
The documentation included with this professional router is the product warranty, the firmware GPL code, a CD with all the information in PDF format, and most importantly, a quick installation guide. This quick installation guide is available in Spanish; it lists the contents of the box, gives a general description of the product, describes the router's status LEDs, and even helps us enter the firmware menu via the web to get started with its advanced administration.
Other interesting information in this quick installation guide is how to place the router on a table or in a rack, and how to perform the initial configuration through the web firmware. This router is configured by default in 192.168.10.0/24, so we must connect to any LAN port and enter the following address in the browser's address bar: https://192.168.10.1. By default it uses the HTTPS protocol with a self-signed certificate, so we will have to add an exception in the web browser.
This D-Link DSR-1000AC professional router is quite compact, measures 28cm wide, 18cm deep and 4.4cm high, so we can rack it up without problems with 1U. At the top we find the logo of the manufacturer D-Link, and on the front is where we will find all the ports and status LEDs of the equipment.
In the left area we will see the power LED of the equipment, the general status LED and the two LEDs of the WiFi frequency bands (2.4GHz and 5GHz). In the central part is where we will find the four Gigabit Ethernet ports for the LAN, it also supports 100Mbps synchronization. Finally, on the right side we will see the two Gigabit Ethernet ports for the Internet WAN, and the console port to manage the router via CLI.
On the right side of the D-Link DSR-1000AC router we can see a ventilation grill to adequately cool the internal components, and also the typical four holes to screw the rack support. On the left side we can see the same ventilation grille and also the four holes to screw the rack support. This router does not have active cooling, it is cooling
At the back of this professional router we find the three RP-SMA connectors where the external antennas are screwed in to provide WiFi connectivity in the company. We also find the Kensington connector to prevent theft of the router, the Reset button, the on/off button, and the power connector. Just above the power connector we can see the minimum power requirements, 12V and 2.5A; the power adapter provides 12V and 3A, so it is more than sufficient.
At the bottom of the router there is a sticker in the central part, showing the exact model of the router, the D-Link DSR-1000AC, as well as the serial number, the MAC address, the hardware version of the router and the firmware version of the equipment.
This professional router has a design very similar to professional switches, a metallic finish, with all its ports on the front to easily connect different equipment, and on the back the WiFi antennas to provide wireless coverage. This model has the perfect dimensions to rack it, but we must bear in mind that the external antennas will occupy more space at the rear, and if we have other equipment with more depth, we will have a problem.
This concludes our external analysis of the professional router D-Link DSR-1000AC. Now we go to the test laboratory to check the real performance of this router in different wired, WiFi and other tests.
In the wired tests we will use the Jperf program to see how the router behaves with multiple threads in the local network and towards the Internet; since it has inter-VLAN routing, we will also check the performance we achieve there. This router has hardware NAT, and its firmware implements this feature, so we hope to achieve the best LAN-WAN performance. For the WiFi tests, we will test the wireless performance in the same scenario, connecting the Jperf server to the same LAN as the WiFi network.
In these LAN tests we have used two PCs to exchange traffic between them with Jperf, both are in the LAN and in the same VLAN ID. A very important detail is that we have activated the Jumbo Frames at 9K to obtain the best possible wired performance in the local network.
With 100 concurrent TCP threads we get a transfer speed of 118MB/s, an excellent result. We can see how the threads transfer at the same speed, which is synonymous with stability.
With 250 concurrent TCP threads we get a transfer speed of 117MB/s, an excellent result.
With 500 concurrent TCP threads we obtain a transfer speed of 114MB/s, a result that is also perfect, taking into account the number of concurrent TCP threads.
With 750 concurrent TCP threads we obtain a transfer speed of 112MB/s, a result that continues to be excellent, easily exceeding 100MB/s.
With 1000 concurrent TCP threads we get a transfer speed of 84.4MB/s, an outstanding result.
In the following table you can see a summary of the results achieved:
| Concurrent TCP threads | 100 | 250 | 500 | 750 | 1000 |
|---|---|---|---|---|---|
| LAN-LAN speed | 118MB/s | 117MB/s | 114MB/s | 112MB/s | 84.4MB/s |
It is clear that this professional router provides excellent LAN-LAN performance. In these tests we used Jumbo Frames, which give the best performance in the home local network and are ideal for transferring data at the maximum speed of the Gigabit Ethernet interface. However, if you use normal-size frames (1500 bytes), the performance is also outstanding, and it works better for inter-VLAN routing traffic and for the Internet, as we will see below.
LAN tests with inter-VLAN routing
In these LAN tests we have used two PCs to exchange traffic between them with Jperf. Both are in the LAN but with different VLAN IDs: one PC is in VLAN 1 and the other is in VLAN 100. We have activated inter-VLAN routing, so there is communication between both subnets. We have verified that with 9K Jumbo Frames activated, the wired inter-VLAN routing performance is poor: we only get 16MB/s.
If we deactivate Jumbo Frames on the router and also on the Ethernet network cards, the performance is similar to that of the LAN-LAN tests, as if there were no inter-VLAN routing. In this case, we have achieved a speed of 105MB/s, an excellent performance in this test.
Taking into account that activating Jumbo Frames improves the Gigabit Ethernet interface very little, and that it is a great handicap for inter-VLAN routing traffic and also for the Internet WAN (where we normally have 1500 bytes), we recommend always keeping Jumbo Frames deactivated.
The rest of the inter-VLAN routing tests with Jumbo Frames disabled are the following:
In the following table you can see a summary of all the results obtained in this inter-VLAN routing test:
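| Concurrent TCP threads | 100 | 250 | 500 | 750 | 1000 |
|---|---|---|---|---|---|
| Inter-VLAN routing speed | 105MB/s | 103MB/s | 101MB/s | 67.4MB/s | 52.1MB/s |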
LAN inter-VLAN routing conclusions
We have verified that with Jumbo Frames activated we cannot achieve more than 16MB/s for traffic between two different VLANs; if we deactivate them, we achieve outstanding performance. Up to and including the test with 500 concurrent TCP threads the performance is outstanding; from 750 concurrent TCP threads onwards the performance is remarkable, because we have not managed to exceed the 100MB/s speed that we use as a reference.
In this test we will simulate how it will behave with P2P since we will connect multiple threads from the LAN to the WAN. As we said before, this router has hardware NAT, and its firmware implements this feature, so we expect great performance in this test. Here we also have the Jumbo Frames disabled.
With 100 concurrent TCP threads we get a transfer speed of 109MB/s, an excellent result. We can see how the threads transfer at the same speed, which is synonymous with stability and shows that the hardware NAT is working very well.
With 250 concurrent TCP threads we get a transfer speed of 110MB/s, an excellent result.
With 500 concurrent TCP threads we get a transfer speed of 101MB/s, an excellent result.
With 750 concurrent TCP threads we get a transfer speed of 97.2MB/s, an outstanding result.
With 1000 concurrent TCP threads we get a transfer speed of 92.7MB/s, an outstanding result.
In the following table you can see a summary of the speed achieved in these LAN-WAN tests that we have carried out:
| Concurrent TCP threads | 100 | 250 | 500 | 750 | 1000 |
|---|---|---|---|---|---|
| LAN-WAN speed | 109MB/s | 110MB/s | 101MB/s | 97.2MB/s | 92.7MB/s |
The performance that this professional router has provided us in the LAN-WAN tests has been excellent, we have verified that the speed is very high in all the tests carried out. This router has been able to pass all tests, including the test of 1,000 TCP threads with speeds of more than 740Mbps. In a real small business or office environment we will never reach this number of concurrent connections, so we can reach speeds above 600Mbps without problems.
LAN-WLAN (Wireless) tests
The time has come to see whether the wireless coverage and speed are up to the best, or whether, on the contrary, they fall below. We have placed the professional router D-Link DSR-1000AC in the «Living room» location, and we have gone through the different rooms checking the coverage and real speed with the Intel AX200 card built into the Lenovo X1 Carbon laptop.
Many new routers do not allow separating the WiFi frequency bands using different SSIDs; this professional router does, and it also allows us to assign each SSID a specific VLAN ID. We have separated the two frequency bands to test the performance of the 2.4GHz and 5GHz bands separately, so that we can know the maximum speed of each band.
D-Link DSR-1000AC AC1750: Test at 2.4GHz
We have configured the 2.4GHz band on channel 6 + 10, since we have activated the 20/40MHz channel width. The firmware does not allow disabling HT20/40 Coexistence, so it is very likely that the 20MHz channel width is always used instead of the 40MHz channel width. We have activated WPA2-Personal encryption in this frequency band, to verify that everything works correctly with the maximum possible security provided by the firmware. The rest of the options are the default ones.
Here are the results obtained with the jperf2 client-server with 50 concurrent TCP threads:
Intel AX200 AX3000:
- Speed: 11.5MB/s
- Speed: 8.8MB/s
- Speed: 8.1MB/s
- Speed: 3.5MB/s
- Speed: 1.0MB/s
The theoretical maximum speed in this frequency band is 450Mbps with a 3×3 client; with a 2×2 client the theoretical maximum is 300Mbps, and we have achieved a real 92Mbps, a remarkable performance, but it would have been double if we didn't have HT20/40 Coexistence.
D-Link DSR-1000AC AC1750: Test at 5GHz
We have configured the 5GHz band on channel 40 with the typical 80MHz channel width. We have disabled roaming assistance in the firmware, since in remote places it would expel us from the Wi-Fi wireless network. We have activated the WPA2-Personal encryption in this frequency band, to verify that everything works correctly with the maximum possible security provided by the firmware. The rest of the options are the default ones, except that we have set the emission power of this frequency band at 100% to have the best possible performance.
Here are the results obtained with the iperf3 client-server with 50 concurrent TCP threads:
Intel AX200 AX3000:
- Speed: 42.5MB/s
- Speed: 25.4MB/s
- Speed: 16.5MB/s
- Speed: 2.1MB/s
The theoretical maximum speed in this frequency band is 1300Mbps with a 3×3 client; with a 2×2 client the theoretical maximum is 867Mbps, and we have achieved a real 332Mbps, an outstanding performance considering the WiFi card we have used.
In the 2.4GHz band this router has behaved remarkably, and the coverage is very good at all times. However, the decision to incorporate HT20/40 Coexistence weighs on the real performance we can achieve: we have only been able to reach a real 92Mbps, and we would have achieved approximately 180Mbps with 40MHz of channel width. In the different rooms the connection is very stable, and in the most remote place (storage room) we have achieved 8Mbps, a low speed, but we must bear in mind that we are two floors above the router, with interference from other WiFi networks in this frequency band.
The DSR-1000AC has performed outstandingly in the 5GHz band, achieving a real speed of up to 330Mbps, a very good figure that would have been better with a 3×3 WiFi card instead of the Intel AX200, which is 2×2. In the different rooms the connection is very stable at all times; in the furthest place (storage room) we have not been able to connect, because the coverage is too low.
The coverage and speed in general of this router is outstanding, although the 5GHz band shines above the 2.4GHz band in speed, and the 2.4GHz band over the 5GHz band in coverage, something completely normal and that we already expected.
This router has two USB 2.0 ports. Their purpose is to provide a third WAN with a 3G/4G modem, and to let us save configurations, restore configurations and load firmware directly from USB, that is, administration tasks, as with many other professional routers with similar characteristics. However, D-Link has also incorporated the ability to use these USB 2.0 ports for network printer sharing (if specifically enabled) and to share files and folders over the local network (if specifically enabled).
If you want to share files and folders, the router only supports the SMB 1.0 protocol; it does not support SMB 2.0 or higher, so if you use an operating system like Windows 10, you will have to enable support for this old protocol to access the share. Our recommendation is not to enable it, because it is an insecure protocol today. This router does not have an FTP server to access the USB ports, only SMB 1.0.
This professional router D-Link DSR-1000AC allows you to configure different types of VPN depending on the needs of the company: we can configure a VPN based on IPsec or OpenVPN. At RedesZone we have set up the VPN within the local network to check its real performance without peering problems with the operator getting in the way. In this way, the VPN client is on the Internet WAN side, and another PC on the LAN is used to check the speed as if it were on the local network.
Testing with IPsec IKEv1
The first test was done with IPsec IKEv1. We detail the configuration of encryption and hash in phase 1, and of encryption, hash and PFS in phase 2, so that you can see how performance changes when we modify the security of the link.
In the first test with the IKEv1 IPsec VPN we have configured the security as follows:
- Phase 1: AES-128 bits, SHA-256, DH Group 2 (1024 bits)
- Phase 2: AES-128 bit, SHA-256, PFS disabled
The performance achieved is 113Mbps, an outstanding performance considering that we have very good security.
In the second test with the IKEv1 IPsec VPN we have configured the security as follows:
- Phase 1: AES-256 bits, SHA-512, DH Group 14 (2048 bits)
- Phase 2: AES-256-bit, SHA-512, PFS DH Group 2 (1024-bit)
The performance achieved is 124Mbps, an outstanding performance considering that we have better security than before, activating the PFS.
As you can see, the performance of the VPN with IPsec is outstanding, achieving a real 124Mbps.
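The two IKEv1 configurations tested above can be checked against a hardening baseline before they are deployed. The following is an added example, not code from RedesZone or D-Link: the 2048-bit Diffie-Hellman minimum and the legacy-algorithm lists are assumptions of this example, and the `LEGACY` sample is constructed to exercise the 3DES case mentioned in the specifications.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Baseline used by this example (an assumption, not a D-Link or RedesZone setting).
MIN_DH_BITS = 2048
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA-1"}

# The two IKEv1 configurations as the review lists them.
TEST_1 = """Phase 1: AES-128 bits, SHA-256, DH Group 2 (1024 bits)
Phase 2: AES-128 bit, SHA-256, PFS disabled"""
TEST_2 = """Phase 1: AES-256 bits, SHA-512, DH Group 14 (2048 bits)
Phase 2: AES-256-bit, SHA-512, PFS DH Group 2 (1024-bit)"""
# Constructed sample (not from the review) to exercise the legacy-algorithm checks.
LEGACY = """Phase 1: 3DES, SHA-1, DH Group 2 (1024 bits)
Phase 2: 3DES, SHA-1, PFS disabled"""

LINE_RE = re.compile(r"^Phase\s+([12]):\s*(.+)$")
CIPHER_RE = re.compile(r"^(AES-\d+|3DES|DES)\b", re.I)
DH_RE = re.compile(r"DH Group\s+(\d+)\s*\((\d+)[ -]?bits?\)", re.I)


@dataclass
class Proposal:
    phase: int
    cipher: str
    digest: str
    dh_group: Optional[int]  # None: no DH exchange in phase 2 (PFS disabled)
    dh_bits: Optional[int]


def parse_proposals(text: str) -> List[Proposal]:
    """Parse 'Phase N: cipher, hash, key exchange' lines into Proposal objects."""
    proposals = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # tolerate list bullets
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a proposal line: {raw!r}")
        phase = int(m.group(1))
        fields = [f.strip() for f in m.group(2).split(",")]
        if len(fields) != 3:
            raise ValueError(f"expected cipher, hash, key exchange: {raw!r}")
        cipher = CIPHER_RE.match(fields[0])
        if not cipher:
            raise ValueError(f"unknown cipher in {raw!r}")
        dh = DH_RE.search(fields[2])
        if dh:
            group, bits = int(dh.group(1)), int(dh.group(2))
        elif phase == 2 and "disabled" in fields[2].lower():
            group = bits = None
        else:
            raise ValueError(f"unknown key exchange in {raw!r}")
        proposals.append(
            Proposal(phase, cipher.group(1).upper(), fields[1].upper(), group, bits)
        )
    return proposals


def audit(proposals: List[Proposal]) -> List[str]:
    """Return one finding per setting that falls below the baseline."""
    findings = []
    for p in proposals:
        where = f"phase {p.phase}"
        if p.cipher in WEAK_CIPHERS:
            findings.append(f"{where}: legacy cipher {p.cipher}")
        if p.digest in WEAK_HASHES:
            findings.append(f"{where}: legacy hash {p.digest}")
        if p.dh_bits is None:
            # Without PFS, phase 2 keys come from the phase 1 key material.
            findings.append(f"{where}: PFS disabled, keys derive from the phase 1 exchange")
        elif p.dh_bits < MIN_DH_BITS:
            findings.append(
                f"{where}: DH group {p.dh_group} is {p.dh_bits}-bit, below {MIN_DH_BITS}"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("test 1", TEST_1), ("test 2", TEST_2), ("legacy", LEGACY)):
        for finding in audit(parse_proposals(text)):
            print(f"{name}: {finding}")
```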
Testing with OpenVPN
Regarding the OpenVPN server, the configuration used has been AES-128-CBC and SHA-256, and the performance we have achieved is 28.5Mbps, a good performance considering that it uses SSL/TLS. This is the speed we normally get on professional routers, unless they have hardware encryption acceleration or are really powerful.
Thanks to these VPN services built into the router, we can establish secure VPN tunnels with the best possible security.
The firmware of this professional router D-Link DSR-1000AC is very advanced, we have dozens of configuration options that will allow us great versatility. Being a professional router, we do not have a step-by-step configuration wizard, but we will directly have the firmware via the web to access with a PC through https://192.168.10.1. An important detail is that being HTTPS, we will have a self-signed digital certificate, therefore, we will have to add the exception in our browser to be able to access it without errors.
The username is “admin” and the password is “admin”, but it will ask us to change the default password. Once changed, we can access the firmware menu with the new user credentials.
In the main menu of the router we can see the status display panel, and all the configuration options at the top. In addition, we will be able to configure and customize the dashboard with different widgets, to have everything that interests us under control. As you can see, in this area we will see the type of network traffic, the status of the Internet WANs, the bandwidth used, the VPNs, the use of CPU and RAM, traffic information and also the VLANs that we have configured in the router.
Due to the large number of configuration options in different areas, we have subdivided this section of the firmware into different well differentiated parts, the firmware is in English only, so we will put the parts of the firmware in this language without translating:
- Status (we will see the general status of the router, CPU, RAM, connections, status of DHCP clients, VPN clients, interface statistics, WiFi statistics and much more).
- Wireless (all settings related to WiFi).
- Network (LAN configuration, VLANs, Internet WAN configuration, static and dynamic routing, and everything related to IPv6).
- VPN (OpenVPN configuration, IPsec, GRE and more).
- Security (configuration of authentication, web filtering, firewall and IPS among other options).
- Maintenance (administration options, equipment management, firmware, saving and loading configurations, and viewing and configuring the logs).
Once we have seen all the parts of the firmware, we are going to see in detail the different menus that we have available.
In the «Status» section we can see the status of the system, the LAN, all the WANs that we have the possibility to configure, and also the general status of the WiFi network. Here we can see both the firmware and hardware version, as well as the IP addresses and status data of the LAN and WAN, in addition, we can also see the SSIDs of the WiFi network that we have configured and on which channels it is broadcasting.
We can also see all the logs and even filter the logs to show us only what interests us, in addition, we will also have the status of the USB ports and if we have connected an external storage device, of course, we will have the option to see the clients by DHCP in the LAN, either with IPv4 or IPv6, also if we have clients in the DMZ.
Other status options let us see the list of clients in the captive portal, the currently active sessions, the configured VPN clients, statistics of the different interfaces, the WiFi clients, and wireless and device statistics.
In the “Wireless” section we can configure everything related to the WiFi network. We have “Virtual AP” to configure different SSIDs in the 2.4GHz or 5GHz band, and we can easily edit these profiles to adapt them to our needs. We can configure the SSID that we want with the authentication that we need; WPA2-Personal or Enterprise is always recommended.
Other configuration options are related to «Radio», that is, the operating mode, channel width, channel, transmission power and transmission speed, for both frequency bands. Something that has caught our attention is that in the 5GHz band the transmission power is at 54% by default, we must set it to 100% to have the maximum possible wireless performance.
Other configuration options related to WiFi are WMM, the WDS options for both frequency bands, and the advanced WiFi settings, where we can configure the Beacon Interval, DTIM and other advanced parameters. These options are also available in both frequency bands. Finally, we can activate WPS, which is deactivated by default for the best possible security.
In the LAN section we can configure whether to allow ping from the LAN to the router's LAN interface. We can also configure the main LAN with VLAN ID 1 and its corresponding DHCP server, in which we can configure Static DHCP to provide the same IP to a specific MAC; in addition, we can activate IP/MAC Binding to mitigate ARP Spoofing attacks. Other available options are the IGMP Proxy and UPnP, both of which are deactivated by default.
The VLAN section is where we will be able to configure new VLANs with new subnets, including a DHCP server for each of the subnets that we want to create. We will be able to configure VLANs per port, where we will configure LAN port 4 to be in trunk mode, or in access mode in a specific VLAN, this is ideal to properly segment the network traffic of the different LANs that we have available.
In the WAN section we can configure the Internet connection, either with one WAN or with several, because we have the same configuration options in WAN 1 and WAN 2. We can configure a VLAN Tag on the Internet WAN, and configure static IP, dynamic IP, PPPoE and other forms of connection. Also, the WAN2 port can be configured as a DMZ to have a network completely isolated from the LAN. We must remember that WAN 3 uses a 3G/4G modem, which we can configure on demand whenever we want to use it; this section is where we have to enter the APN data, authentication, etc.
Finally, we must bear in mind that we have different WAN configuration modes, with load balancing or connection failover, in addition, we can also configure the behavior of the different WANs by weighting the traffic that is requested.
In the routing section we will be able to configure the NAT, IP aliases, the DMZ configuration and if we want to activate DHCP here, and even see the list of reserved IP addresses that are in the DMZ. Finally, we can configure the Dynamic DNS (DDNS) with different providers, such as DynDNS, FreeDNS, No-IP and others.
In the “Traffic Management” section is where we can configure the different profiles of bandwidth, QoS, traffic shaping, session limit and much more. If you need to prioritize certain computers or certain traffic, this is where you should make the different advanced settings.
This router allows static routing, and also dynamic routing. We have the possibility of configuring RIP and OSPF, both for IPv4 and IPv6, in addition, we will also have the VRRP protocol for redundancy in routers.
In the VPN section, we can configure the IPsec protocol in detail, both in its IKEv1 version and in the IKEv2 version. We can configure IPsec VPNs for both remote access and Site-to-Site, with a large number of configuration options for both phase 1 and phase 2, ideal for providing the best possible security with robust encryption algorithms such as AES-128 or AES-256; we also have SHA2-256 and SHA2-512, among others, at our disposal. Regarding authentication, we can configure authentication based on PSK and also on RSA certificates.
Other configuration options in this VPN section are the “Full tunnel” mode, to tunnel all traffic through the VPN, and “Split tunnel”, to tunnel only traffic directed to certain computers or networks. The same applies to the tunnel's DNS servers: we choose whether names are resolved by the VPN server's own DNS servers or by external ones. The “Trusted Certificates” section is where we can upload a new CA to use RSA-based authentication.
In the “L2TP VPN” section we can configure this protocol to connect to the local network remotely. We have many configuration options such as enabling NAT in the tunnel, authenticating users with a local or external database, different authentication protocols such as CHAP or MSCHAPv2, enabling a secret key in the tunnel, and more. We must also bear in mind that in this firmware we can configure an L2TP client, so that this router connects via VPN to another.
The OpenVPN section is where we can configure the OpenVPN server or client, either to connect remotely to this router or to connect it to another VPN router. It supports both configuration modes, and it can be used for remote access VPN or for Site-to-Site. Regarding authentication, we can configure a CA and then configure digital certificates for client authentication. The D-Link firmware can generate OpenVPN certificates automatically, but we can also generate them externally and upload them through the router’s web interface. Other security improvements include configuring a TLS key for additional authentication, and even creating OpenVPN policies that decide which traffic is tunneled.
In the OmniSSL section we can create OpenVPN client certificates and have a captive portal. Finally, we have the possibility to create GRE tunnels.
In the “Security” section we have all the options for authentication against the local database, where we can create different users and user groups. We can also configure an external RADIUS server for client authentication, as well as POP3, LDAP, Active Directory and NT domain servers. RADIUS can be enabled for the captive portal and also for (external) accounting. Other options in this section are configuring a login profile and even services to route traffic through certain interfaces.
In the “Web content filter” section we can filter web content, with different configuration options based on URLs and keywords. The most interesting option is “Dynamic Filtering”, but it requires an additional subscription to provide the service. The best thing if you want to filter this type of content is to use a DNS service like NextDNS, or an AdGuard Home instance in the local network, so that all DNS requests are filtered.
The firewall rules section is where we can configure all the firewall policies, allowing or denying traffic to or from a specific interface; we can block at the subnet and IP address level. We can configure rules for IPv4 and IPv6, and also rules for when the router is acting in bridge mode. In the “Schedules” section we can create a schedule so that a specific rule applies during a certain period or at certain times. We can also block clients based on their MAC address. Finally, we can configure custom services to allow or deny traffic.
Other options in the “Firewall” section are the typical ALGs found in all routers, including VPN Passthrough, dynamic port forwarding and protection against different types of attacks, ideal for protecting the local network adequately. We can also configure Intel AMT and the Intel AMT Reflector. Finally, the IPS and IDS can be activated on the router, and we can choose between which subnets to enable them: LAN and WAN and / or DMZ and WAN.
To finish with the “Security” section, we have the application control section where we can configure different policies.
In the “Maintenance / Administration” section we can see the name of the router itself, configure the date and time, configure how long a session lasts before it expires and we have to re-authenticate, add the WCF license mentioned earlier (dynamic web filtering), configure the USB ports to share printers on the network and to share data over the local network via Samba, configure SMS if we connect a compatible 3G / 4G modem, install the drivers for compatible 3G / 4G modems, change the language of the graphical user interface, and restrict web management so that it is only available to certain IP addresses or certain VLANs.
Other management options are managing this router locally via SSH or remotely via SSH or SNMP, responding to ping from the Internet WAN, and even allowing LAN access via the WAN (without using VPN). There is also a specific and very complete menu to configure the SNMP protocol to remotely manage this router, and even to monitor it.
Other interesting options are the built-in network utilities: we can run the typical ping or traceroute from the router, do a DNS lookup, enable the integrated Wireshark and also check the system. D-Link also allows you to turn off the equipment status LED, and the router even detects the cable length to save as much energy as possible. Finally, we can enable or disable the DDP Client in the router.
Regarding the firmware, we will be able to load a new firmware via the web from our PC, we will also have the possibility to load it through the USB port with a removable storage device, and even check online if we have a new firmware. As for the backup, we can save a copy of the configuration on our PC or in any of the USB ports, in addition, we can also restore it in these ways. An interesting option is the possibility to save backup copies of the configuration automatically via USB, and also to encrypt the configuration file with a password, so that no one sees our configuration in clear text. Finally, we can do a reset through the firmware, and also a factory reset.
In the “Logs” section we can configure everything related to the logs of the router’s different services. The logs can be classified by severity (emergency, alert, critical, error, etc.) and by service, ideal for keeping everything under control and seeing whether there is some kind of error. We can also send all these logs to a local or remote syslog server. Other configuration options let us see the logs of packets accepted or dropped (blocked) on the different interfaces available. Finally, we can configure the logs of the system itself, such as FTP, unicast traffic, etc.
In the “Remote Logging” section we can configure the logs to be sent to us by email or stored on a remote syslog server. If a 3G / 4G modem is connected, certain logs can also be sent to us by SMS, as long as we have a free SMS rate, because otherwise it will be a large expense.
This concludes our analysis of the firmware of the D-Link DSR-1000AC router, a really complete device with a very advanced firmware that allows a large number of configurations to adapt to the needs of companies. We have also reached the end of our complete analysis, so now we are going to list its strengths and weaknesses, and give our final conclusions.
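As an added example (not D-Link's code and not part of the original review), this is how the receiving end of the remote syslog feed described above can decode the severity classes and summarise dropped packets. The sample lines and the message layout after the `<PRI>` header are constructed assumptions, since the review does not show the router's actual log format.

```python
import re
from collections import Counter

# Syslog severity names, indexed by numeric value (0 is the most urgent).
SEVERITIES = "emergency alert critical error warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Assumed layout of a firewall message; adjust to what the router really sends.
DROP_RE = re.compile(r"\bDROP\b.*?\bSRC=(\S+)")

# Constructed sample lines, not captured from a real DSR-1000AC.
SAMPLE = [
    "<132>Jan 10 09:15:02 dsr fw: DROP IN=WAN1 SRC=203.0.113.7 DST=192.0.2.10 DPT=22",
    "<132>Jan 10 09:15:03 dsr fw: DROP IN=WAN1 SRC=203.0.113.7 DST=192.0.2.10 DPT=23",
    "<134>Jan 10 09:15:04 dsr fw: ACCEPT IN=LAN SRC=192.168.10.5 DST=198.51.100.4 DPT=443",
    "<27>Jan 10 09:16:40 dsr ipsec: phase 1 negotiation failed with peer 198.51.100.20",
    "<129>Jan 10 09:17:01 dsr system: WAN2 link down, failover to WAN1",
    "<999>bad priority value",
    "no header at all",
]

def decode(line):
    """Return (facility, severity_name, message), or None if the PRI is invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 191 = facility 23 * 8 + severity 7
        return None
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7], m.group(2).strip()

def triage(lines, threshold="error"):
    """Keep records at or above the threshold; count lines that fail to parse."""
    limit = SEVERITIES.index(threshold)
    urgent, rejected = [], 0
    for line in lines:
        rec = decode(line)
        if rec is None:
            rejected += 1
        elif SEVERITIES.index(rec[1]) <= limit:
            urgent.append(rec)
    return urgent, rejected

def dropped_by_source(lines):
    """Count dropped packets per source address across all parseable lines."""
    hits = Counter()
    for line in lines:
        rec = decode(line)
        m = DROP_RE.search(rec[2]) if rec else None
        if m:
            hits[m.group(1)] += 1
    return hits
```

Counting the rejected lines matters on a collector that listens on UDP, where malformed frames would otherwise disappear silently.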
Strengths
- Two WAN ports for load balancing, and an optional third WAN with 3G / 4G modem. Supports VLANs on the WAN.
- Four Gigabit Ethernet ports for the LAN, with support for VLANs and inter-VLAN routing.
- Multifunction USB 2.0 ports for administration, printer and file sharing.
- Very complete firmware at all levels, features to highlight:
  - Configuration of segmented subnets in VLANs
  - Allows you to configure an advanced firewall in a very detailed way
  - Allows multiple SSIDs with one or more SSIDs for each configured VLAN
  - VPN with IPsec and OpenVPN mainly, in addition to other protocols such as L2TP and also GRE.
  - Authentication in external RADIUS and support of different protocols
  - Complete logging system to detect possible failures or problems.
- Outstanding LAN-LAN performance and inter-VLAN routing performance
- Excellent LAN-WAN performance
- Remarkable WiFi wireless performance on the 2.4GHz band and outstanding on the 5GHz band.
- 124Mbps IPsec VPN performance with very good security, OpenVPN achieves 28.5Mbps.
- Metallic design, rackable and oriented to small and medium-sized companies with advanced technical characteristics.
- Price: remarkable, this professional router is worth about 380 euros.
Weak points
- If we use the USB 2.0 port to share files or folders, we must enable the SMB 1.0 protocol.
- There is no FTP server to access the content of the USB 2.0 ports.
- The firmware does not incorporate an internal RADIUS server to authenticate clients and / or for AAA; it must be external.
Final conclusions
This professional router is a great option for offices and small businesses that need to connect their sites securely through a VPN such as IPsec. The hardware characteristics of this model are those of medium-high-end equipment, and thanks to its two Gigabit Ethernet ports for the Internet WAN we can have two ISP operators and configure load balancing between both Internet lines. Regarding the LAN ports, we have a total of four Gigabit Ethernet ports on which we can configure untagged and tagged VLANs, since the ports can be configured in trunk mode to “pass” the VLANs to a manageable switch and properly segment the professional network. The incorporation of WiFi with simultaneous dual band AC1750 is a very interesting addition to connect wirelessly to the router,
The LAN-LAN performance has been excellent in all the performance tests, and the same happens with the inter-VLAN routing performance when activated: we have had an outstanding performance, so we can make the most of the Gigabit Ethernet ports that this router incorporates. Regarding the LAN-WAN tests, the performance has also been excellent. Regarding WiFi performance, it has been outstanding globally; in both the 2.4GHz band and the 5GHz band it has behaved as a high-performance home router. Lastly, regarding the performance of VPN tunnels, we have achieved a speed of 124Mbps with IPsec IKEv1, an outstanding performance if we take into account the level of security with which we have configured the VPN, and we have also achieved 28.5Mbps with OpenVPN, which is a good performance. We must bear in mind that this router does not have AES-NI hardware acceleration dedicated exclusively to the encryption and decryption of traffic.
What we liked the most about this professional router is its firmware. It has a large number of advanced configuration options, such as creating subnets associated with a VLAN, advanced configuration of the firewall, support for IPv6 networks, support for creating IPsec tunnels with all the possible options, the possibility of creating an OpenVPN server and much more, such as configuring the router’s firewall or the WAN in as much detail as we want. If you are new to the world of networking, this firmware will be a bit “big” for you because it has very advanced options, including dynamic interior gateway routing such as RIP and OSPF, in addition to VRRP. If you already have experience, then most of the available configuration options will be very familiar to you.
Our assessment of this D-Link DSR-1000AC router after testing its performance thoroughly, checking all the options of its firmware, including the functions that are oriented to VPNs, and the price of 380 euros, is 9/10.
We hope you liked the analysis. If you have any questions you can leave a comment and we will be delighted to respond.
|AC1750 simultaneous dual band (up to 450Mbps in 2.4GHz and up to 1,300Mbps in 5GHz)
|4 Gigabit Ethernet ports for LAN and 2 Gigabit Ethernet ports for WAN
|USB 2.0 ports
|Yes, it has 2 ports
- Hardware features: 2 WAN, 4 LAN and WiFi AC1750
- Multi-function USB 2.0 ports
- Very complete firmware with very advanced options
- Excellent LAN-LAN performance and outstanding inter-VLAN
- Excellent LAN-WAN performance
- Outstanding WiFi performance
- Excellent IPsec VPN performance, with good OpenVPN
- Value for money: remarkable
- We do not have SMB 2.0 or 3.0, nor FTP server
- The firmware does not have a RADIUS server