Planet Networking & Communication MH-1000 User Manual

Multi-homing security gateway


Summary of Contents for Planet Networking & Communication MH-1000

  • Page 1 Multi-Homing Security Gateway User’s Manual Multi-Homing Security Gateway MH-1000 User’s Manual...
  • Page 2: Customer Service

    PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.
  • Page 3: Table Of Contents

    Table of Contents CHAPTER 1: INTRODUCTION ........................1 1.1 Features ................................1 1.2 Package Contents .............................. 2 1.3 MH-1000 Front View ............................2 1.4 MH-1000 Rear Panel ............................2 1.5 Specification ................................ 3 CHAPTER 2: ROUTER APPLICATION......................4 2.1 O...
  • Page 4 APPENDIX A: VIRTUAL PRIVATE NETWORKING..................90 A.1 What is the VPN? .............................. 90 A.2 What is the …? ............................90 APPENDIX B: IPSEC LOGS AND EVENTS ....................96 B.1 IPSec Event Categories .......................... 96 B.2 IPSec Event Table...
  • Page 5: Chapter 1: Introduction

    Load Balancing: MH-1000 provides the ability to balance the workload by distributing incoming traffic across the two connections. ♦ DNS inbound load balance: The MH-1000 can be configured to reply with the WAN2 IP address to DNS requests for the domain name if WAN1 fails. ♦...
  • Page 6: Package Contents

    Bracket x 2 (For rack-mounted) Screw x 4 (For rack-mounted) If any of the contents are missing or damaged, please contact your dealer or distributor immediately. 1.3 MH-1000 Front View MH-1000 Front Panel Description A solid light indicates a steady connection to a power source...
  • Page 7: Specification

    Connect to your local PC, switch or other local network device DC 12V Connect DC Power Adapter here (12VDC) 1.5 Specification Product Multi-homing Security Gateway Model MH-1000 Hardware Ethernet 8 x 10/100Base-TX RJ-45 2 x 10/100Base-TX RJ-45 Performance Firewall throughput 90Mbps...
  • Page 8: Chapter 2: Router Application

    Chapter 2: Router Application 2.1 Overview MH-1000 is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both Inbound and Outbound Load Balancing. Alternatively, MH-1000 can also be set to redirect incoming and outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability.
  • Page 9 2.2.2 QoS Policies for Different Applications By setting different QoS policies according to the applications you are running, you can use MH-1000 to optimize the bandwidth that is being used on your network. VoIP Normal PCs...
  • Page 10 2.2.3 Guaranteed / Maximum Bandwidth Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of bandwidth. For example, you can configure MH-1000 to reserve 10% of the available bandwidth for a particular computer on the network to transfer files.
  • Page 11 2.2.5 Priority Bandwidth Utilization Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is processed ahead of applications with a lower priority and vice versa.
  • Page 12 2.2.6 Management by IP or MAC address MH-1000 can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network.
  • Page 13: Outbound Traffic

    2.3 Outbound Traffic This section outlines some of the ways you can use MH-1000 to manage outbound traffic. 2.3.1 Outbound Fail Over Configuring MH-1000 for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted.
  • Page 14: Inbound Traffic

    WAN port. This is useful for some server applications that need to identify the source IP address of the client. By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is efficiently handled by making sure that both ports are equally sharing the load, preventing situations where one port is completely saturated by outbound traffic.
  • Page 15 Internet. Under normal circumstances, the remote computer will gain access to the network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH-1000 to reroute incoming traffic to WAN2 by using the Dynamic DNS mechanism. Configuring your MH-1000 for Inbound Fail Over provides a more reliable connection for your incoming traffic.
  • Page 16: Dns Inbound

    DNS Inbound is a three step process. First, a DNS request is made to the router via a remote PC. MH-1000, based on settings specified by the user, will direct the requesting PC to the correct WAN...
  • Page 17 WAN IP address through the built-in DNS server. The remote PC then accesses the network via the specified WAN port. How MH-1000 directs this traffic through the built-in DNS server depends on whether it is configured for Fail Over or Load Balancing.
  • Page 18 Remote PCs are attempting to access the servers via the Internet by making a DNS request, entering a URL (www.mydomain.com). Using a load balancing algorithm, MH-1000 can direct incoming requests to either WAN port based on the amount of load each WAN port is currently experiencing. If WAN2 is experiencing a heavy load, MH-1000 responds to incoming DNS requests with WAN1.
  • Page 19: Bandwidth Monitor

    (1). The request is sent to the DNS server of MH-1000 through WAN2. (2). WAN2 will route this request to the embedded DNS server of MH-1000. (3). MH-1000 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request.
  • Page 20: Virtual Private Networking

    As such, it is perfect for connecting branch offices to headquarters across the Internet in a secure fashion. The following section discusses Virtual Private Networking with MH-1000. 2.6.1 General VPN Setup There are typically three different VPN scenarios.
  • Page 21 VPN is proper planning. The following sections demonstrate the various ways of using MH-1000 to set up your VPN. 2.6.2 VPN Planning - Fail Over Configuring your VPN with Fail Over allows MH-1000 to automatically default to WAN2 should WAN1 fail. (Figure: planet.dyndns.org, 192.168.3.x, 192.168.2.x)...
  • Page 22 All branch office traffic will be redirected to the VPN tunnel to headquarters, with the exception of LAN-side traffic. This way, all branch offices can connect to each other through headquarters, under the headquarters’ firewall management. You can also configure MH-1000 to function as a VPN Concentrator: Please refer to appendix D for example settings.
  • Page 23: Chapter 3: Getting Started

    Chapter 3: Getting Started 3.1 Overview MH-1000 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive web-based configuration, MH-1000 allows you to administer your network via virtually any Java-enabled web browser and is fully compatible with Linux, Mac OS, and Windows 98/ME/NT/2000/XP operating systems.
  • Page 24 TCP/IP on your PCs: - Windows 95/98/Me/NT/2000/XP - Mac OS 7 and later Any TCP/IP capable workstation can be used to communicate with or through MH-1000. To configure other types of workstations, please consult the manufacturer’s documentation. 3.3.2 Windows XP 1.
  • Page 25 3. In the Local Area Connection Status window, click Properties. 4. Select Internet Protocol (TCP/IP) and click Properties. 5. Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration...
  • Page 26 3.3.3 Windows 2000 1. Go to Start / Settings / Control Panel. In Control Panel, double-click Network and Dial-up Connections. 2. Double-click Local Area Connection. 3. In the Local Area Connection Status window click Properties. 4.
  • Page 27 5. Select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration. 3.3.4 Windows 95/98/ME 1. Go to Start / Settings / Control Panel. In Control Panel, double-click Network and choose the Configuration...
  • Page 28 4. Then select the DNS Configuration tab. 5. Select the Disable DNS radio button and click OK to finish the configuration. 3.3.5 Windows NT 4.0 1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the Protocols tab.
  • Page 29: Factory Default Settings

    The default user name and password are "admin" and "admin" respectively. If you ever forget your user name and/or password, you can restore your MH-1000 to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink. Please note that doing this will also erase any previous router settings that you have made.
  • Page 30 PC. 3.5.2 Web Configuration Interface MH-1000 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.1, and click Go.
  • Page 31: Chapter 4: Router Configuration

    Chapter 4: Router Configuration 4.1 Overview The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left hand side. From it, you will be able to select various options used to configure your router.
  • Page 32: Status

    4.2 Status The Status menu displays the various options that have been selected and a number of statistics about your MH-1000. In this menu, you will find the following sections: - ARP Table - Routing Table...
  • Page 33 4.2.1 ARP Table The Address Resolution Protocol (ARP) Table shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is a quick way to determine the MAC address of your PC’s network interface to use with the router’s Firewall –...
  • Page 34 4.2.3 Session Table The NAT Session Table displays a list of current sessions for both incoming and outgoing traffic with protocol type, source IP, source port, destination IP and destination port; each page shows 10 sessions. No.: Number of the list.
  • Page 35 4.2.5 IPSec Status The IPSec Status window displays the status of the IPSec Tunnels that are currently configured on your MH-1000. Name: The name you assigned to the particular IPSec entry. Enable: Whether the IPSec connection is currently Enable or Disable.
  • Page 36 Name: The name you assigned to the particular PPTP entry. Enable: Whether the PPTP connection is currently Enable or Disable. Status: Whether the PPTP is Active, Inactive or Disable. Type: Whether the Connection type is Remote Access or LAN to LAN Peer Network: The Remote subnet for LAN to LAN as connection type.
  • Page 37 4.2.8 System Log This window displays MH-1000’s System Log entries. Major events are logged on this window. Refresh: Refresh the System Log. Clear Log: Clear the System Log. Send Log: Send the System Log to your email account. You can set the email address in Configuration >...
  • Page 38: Quick Start

    System > Email Alert. See the Email Alert section for more details. Please refer to Appendix F: IPSec Log Events for more information on log events. 4.3 Quick Start The Quick Start menu allows you to quickly configure your network for Internet access using the most basic settings.
  • Page 39 Click Apply to save your changes. To reset to defaults, click Reset. 4.3.3 PPPoE Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Connect or Trigger on Demand. - Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP.
  • Page 40 Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
  • Page 41: Configuration

    4.4 Configuration The Configuration menu allows you to set many of the operating parameters of MH-1000. In this menu, you will find the following sections: - LAN - WAN - Dual WAN - System - Firewall...
  • Page 42 In this menu, you can disable or enable the Dynamic Host Configuration Protocol (DHCP) server. The DHCP protocol allows your MH-1000 to dynamically assign IP addresses to PCs on your network if they are configured to automatically obtain IP addresses.
  • Page 43 The WAN menu contains two items: ISP Settings and Bandwidth Settings. 4.4.2.1 ISP Settings This WAN Service Table displays the different WAN connections that are configured on MH-1000. To edit any of these connections, click Edit. You will be taken to the following menu.
  • Page 44 Connection Method: Select how your router will connect to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the factory default is DHCP. If your ISP does not use DHCP, select the correct connection method and configure the connection accordingly.
  • Page 45 Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.2 Static IP IP assigned by your ISP: Enter the static IP assigned by your ISP. IP Subnet Mask: Enter the IP subnet mask provided by your ISP. ISP Gateway Address: Enter the ISP gateway address provided by your ISP.
  • Page 46 Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Connect or Trigger on Demand. Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP.
  • Page 47 4.4.2.1.4 PPTP Settings Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
  • Page 48 MAC address in the blanks below. DNS: If your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To disable RIP, select Disable from the drop down menu.
  • Page 49 4.4.2.2 Bandwidth settings Under Bandwidth Settings, you can easily configure both inbound and outbound bandwidth for each WAN port. WAN1: Enter your ISP inbound and outbound bandwidth for WAN1. WAN2: Enter your ISP inbound and outbound bandwidth for WAN2. NOTE: The values entered here are referenced by both the QoS and Load Balancing functions.
  • Page 50 Click Apply to save your changes. 4.4.3.2 Outbound Load Balance Outbound Load Balancing on MH-1000 can be based on one of two methods: 1. Based on session mechanism 2. Based on IP address hash mechanism Choose one by clicking the corresponding radio button.
  • Page 51 - Balance by Traffic weight: Balances traffic based on a traffic weight ratio. Enter the desired ratio into the blanks provided. Based on IP hash mechanism: In this mechanism, traffic between a given source IP address and destination IP address is sent through a specific WAN port (WAN1 or WAN2) according to the policy settings.
  • Page 52 SOA: Domain Name: The domain name of DNS Server 1. This is the name you registered with your DNS registrar. Enter the Fully Qualified Domain Name (FQDN) with a trailing dot in this field (e.g. abc.com.). Host names entered in the following fields are entered without a trailing dot; the domain name is then appended to each of them to form the FQDN.
  • Page 53 To edit the Host Mapping URL list, click Edit. This will open the Host Mapping URL table, which lists the current Host Mapping URLs. To add a host mapping URL to the list, click Create. Domain Name: The domain name of the local host.
  • Page 54 4.4.3.4 Protocol Binding Protocol Binding lets you direct specific traffic to go out from a specific WAN port. Click the Create button to create a new policy entry. A policy tells a specific type of Internet traffic from a particular range of source IPs to a particular range of destination IPs to use ONE WAN port, rather than using both WAN ports with load balancing.
  • Page 55 In this menu are the following sections: Time Zone, Remote Access, Firmware Upgrade, Backup/Restore, Restart, Password, System Log and Email Alert. 4.4.4.1 Time Zone MH-1000 does not use an onboard real time clock; instead, it uses the Network Time Protocol (NTP) to...
  • Page 56 NTP server outside your network. Simply choose your local time zone, enter NTP Server IP Address, and click Apply. After connecting to the Internet, MH-1000 will retrieve the correct local time from the NTP server you have specified. Your ISP may provide an NTP server for you to use.
  • Page 57 NOTE: DO NOT power down the router or interrupt the firmware upgrade while it is still in process. Interrupting the firmware upgrade process could damage the router. 4.4.4.4 Backup / Restore This feature allows you to save and backup your router’s current settings, or restore a previously saved backup.
  • Page 58 Restart to reboot MH-1000 with factory default settings. You may also reset your router to factory default settings by holding the Reset button on the router until the Status LED begins to blink. Once MH-1000 completes the boot sequence, the Status LED will stop blinking. 4.4.4.6 Password In order to prevent unauthorized access to your router’s configuration interface, it requires the administrator...
  • Page 59 4.4.4.7 System Log Server This function allows MH-1000 to send system logs to an external Syslog Server. Syslog is an industry-standard protocol used to capture information about network activity. To enable this function, select the Enable radio button and enter your Syslog server IP address in the Log Server IP Address field.
  • Page 60 - When log is full: The router will send an alert only when the log is full. 4.4.5 Firewall MH-1000 includes a full Stateful Packet Inspection (SPI) firewall for controlling Internet access from your LAN, and preventing attacks from hackers. Your router also acts as a "natural" Internet firewall when using Network Address Translation (NAT), as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet.
  • Page 61 4.4.5.1 Packet Filter The Packet Filter function is used to limit user access to certain sites on the Internet or LAN. The Filter Table displays all current filter rules. If there is an entry in the Filter Table, you can click Edit to modify the setting of this entry, click Delete to remove this entry, or click Move to change this entry’s priority.
  • Page 62 - End IP Address: Enter the end source IP address this filter rule is to be applied to (for IP Range only). - Netmask: Enter the subnet mask of the above IP address. Destination IP: Select Any, Subnet, IP Range or Single Address. - Starting IP Address: Enter the destination IP or starting destination IP address this filter rule is to be applied to.
  • Page 63 Block ActiveX to filter web access with ActiveX components. Click Block Web proxy to filter web proxy access. Click Block Cookie to filter web access with Cookie components. Click Block Surfing by IP Address to filter web access with an IP address as the domain name. Exception List: You can input a list of IP addresses as the exception list for URL filtering.
  • Page 64 Applet, Block ActiveX, Block Web proxy, Block Cookie, Block Surfing by IP Address) and click Apply to save your changes. You may also designate which IP addresses are to be excluded from these filters by adding them to the Exception List.
  • Page 65 The LAN MAC Filter decides, by MAC address, whether MH-1000 will serve a given device on the LAN side. Default Rule: Forward or Drop all LAN requests (Forward by default). Create: You can also enter a specific MAC address to be dropped or forwarded regardless of the default rule.
  • Page 66 4.4.5.5 Intrusion Detection Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users. Intrusion Detection: Enable or disable this function. Intrusion Log: All the detected and dropped attacks will be shown in the system log. 4.4.6 VPN 4.4.6.1 IPSec IPSec is a set of protocols that enable Virtual Private Networks (VPN).
  • Page 67 Connection Type: There are 5 connection types: (1)LAN to LAN: MH-1000 establishes an IPSec VPN tunnel with a remote router that has a fixed Internet IP or domain name, using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN gateway.
  • Page 68 Back: Back to the Previous page. Next: Go to the next page. (3)LAN to Host: MH-1000 establishes an IPSec VPN tunnel with remote client software that has a fixed Internet IP or domain name, using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.
  • Page 69 (5)LAN to Host (for VPN Client only): MH-1000 establishes an IPSec VPN tunnel with the MH-1000 VPN Client using aggressive mode. VPN Client IP Address: The VPN Client address for the MH-1000 VPN Client; this value is applied both as the remote ID and as the Remote Network, as a single address.
  • Page 70 After your configuration is done, you will see a Configuration Summary. Back: Back to the Previous page. Done: Click Done to apply the rule. 4.4.6.1.2 IPSec Policy Click Create to create a new IPSec VPN connection account...
  • Page 71 Configuring a New VPN Connection Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Interface: Select the interface the IPSec tunnel will apply to. WAN1: Select interface WAN1 WAN2: Select interface WAN2 Auto: The device will automatically apply the tunnel to WAN1 or WAN2 depending on which WAN...
  • Page 72 - FQDN DNS (Fully Qualified Domain Name): Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN. WWW is the host name, VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN. - FQUN E-Mail (Fully Qualified User Name): Consists of a username and its domain name.
  • Page 73 Detection Interval: The interval at which the remote IPSec device is checked. The default is 30 seconds. Idle Timeout: If the remote VPN device does not respond, MH-1000 will retry sending the packets. When the retry count reaches the Idle Timeout setting, MH-1000 will disconnect the VPN connection automatically.
  • Page 74 After you have created the IPSec connection, the account information will be displayed. Name: This is the user-defined name of the connection. Enable: This function activates or deactivates the IPSec connection. Local Subnet: Displays IP address and subnet of the local network. Remote Subnet: Displays IP address and subnet of the remote network.
  • Page 75 IP Addresses Assigned to Peer Start from: 192.168.1.x: please input the IP assigned range from 1 ~ 254 (except MH-1000’s LAN IP address with 192.168.1.1 as MH-1000’s default LAN IP address and IP pool range of DHCP server settings with 100~199 as MH-1000’s default DHCP IP pool range.) Idle Timeout “...
  • Page 76 - Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2’s inbound traffic. Creating a New QoS Rule To get started using QoS, you will need to establish QoS rules. These rules tell MH-1000 how to handle both incoming and outgoing traffic. The following example shows you how to configure WAN1 Outbound...
  • Page 77 QoS. Configuring the other traffic types follows the same process. To make a new rule, click Rule Table. This will bring you to the Rule Table which displays the rules currently in effect. Next, click Create to open the QoS Rule Configuration window. Interface: The current traffic type.
  • Page 78 For IP Address: - Source IP Address Range: The range of source IP Addresses this rule applies to. - Destination IP Address Range: The range of destination IP Addresses this rule applies to. - Protocol: The type of packet this rule applies to. Choose from Any, TCP, UDP, or ICMP. - Source Port Range: The range of source ports this rule applies to.
  • Page 79 NAT. MH-1000 can also be configured as a virtual server so that remote users accessing services such as Web or FTP services via the public (WAN) IP address can be automatically redirected to local servers in the LAN network.
  • Page 80 4.4.8.2 Port Forwarding Table Because NAT can act as a "natural" Internet firewall, your router protects your network from being accessed by outside users, as all incoming connection attempts will point to your router unless you specifically create Virtual Server entries to forward those ports to a PC on your network.
  • Page 81 Configuration options within the Advanced section are for users who wish to take advantage of the more advanced features of MH-1000. Users who do not understand the features should not attempt to reconfigure their router, unless advised to do so by support staff.
  • Page 82 Click on Static Route and then click Create to add a routing table entry. Rule: Select Enable to activate this rule, Disable to deactivate this rule. Destination: This is the destination subnet IP address. Netmask: This is the subnet mask of the destination IP addresses based on the above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded.
  • Page 83 Dynamic DNS Settings Table to set related parameters for a specific interface. You will first need to register and establish an account with the Dynamic DNS provider using their website, Example: DYNDNS http://www.dyndns.org/ (MH-1000 supports several Dynamic DNS providers, such as www.dyndns.org, www.orgdns.org, www.dhs.org, www.dyns.cx, www.3domain.hk, www.zoneedit.com, www.3322.org, www.no-ip.com...
  • Page 84: Save Configuration To Flash

    4.4.9.3 Device Management The Device Management Advanced Configuration settings allow you to control your router’s security options and device monitoring features. Device Name Name: Enter a name for this device. Web Server Settings HTTP Port: This is the port number the router’s embedded web server (for web-based configuration) will use.
  • Page 85: Logout

    4.6 Logout To exit the router’s web interface, click Logout. Please ensure that you have saved your configuration settings before you logout. Be aware that the router is restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out.
  • Page 86: Chapter 5: Troubleshooting

    If the error persists, you may have a hardware problem, and should contact technical support. 5.1.2 LEDs Never Turn Off When your MH-1000 is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there may be a hardware problem.
  • Page 87: Lan Interface

    If PCs connected to the LAN cannot be pinged: - Check the 10/100 LAN LEDs on MH-1000’s front panel. One of these LEDs should be on. If they are both off, check the cables between MH-1000 and the hub or PC.
  • Page 88 To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your MH-1000’s IP address...
  • Page 89 2. Under the Privacy tab, clear the Block pop-ups checkbox and click Apply to save your changes. Enabling Pop-up Blockers with Exceptions If you only want to allow pop-up windows with your MH-1000: 1. In Internet Explorer, select Tools > Internet Options.
  • Page 90 3. Under Scripting, check to see if Active scripting is set to Enable. 4. Ensure that Scripting of Java applets is set to Enabled. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions The following Java Permissions should also be given for the Web Configuration Interface to display properly: 1.
  • Page 91: Wan Interface

    5.4 ISP Connection Unless you have been assigned a static IP address by your ISP, your MH-1000 will need to request an IP address from the ISP in order to access the Internet. If your MH-1000 is unable to access the Internet, first determine if your router is able to obtain a WAN IP address from the ISP.
  • Page 92 If an IP address cannot be obtained: 1. Turn off the power to your cable or DSL modem. 2. Turn off the power to your MH-1000. 3. Wait five minutes and power on your cable or DSL modem. 4. When the modem has finished synchronizing with the ISP (generally shown by LEDs on the modem), turn on the power to your router.
  • Page 93: Problems With Date And Time

    5.5 Problems with Date and Time If the date and time is not being displayed correctly, be sure to set it for your MH-1000 via the Web Configuration Interface. Both date and time can be found under Configuration > System > Time Zone.
  • Page 94: Appendix A: Virtual Private Networking

    Appendix A: Virtual Private Networking A.1 What is the VPN? A Virtual Private Network (VPN) is a shared network where private data is segmented from other traffic so that only the intended recipient has access. It allows organizations to securely transmit data over a public medium like the Internet.
  • Page 95 A.2.1 IPSec Security Components IPSec contains three major components: - Authentication Header (AH): Provides authentication and integrity. - Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. - Internet Key Exchange (IKE): Provides key management and Security Association (SA) management. These components are discussed below.
  • Page 96 placement depends on whether ESP is used in transport mode or tunnel mode. ESP Trailer: Placed after the encrypted data, the ESP Trailer contains padding that is used to align the encrypted data. ESP Authentication Data: This contains an Integrity Check Value (ICV) for when ESP's optional authentication feature is used.
  • Page 97 addresses of the hosts must be public IP addresses. AH/ESP Tunnel Mode - This mode is used to provide data security between two networks. It protects the entire original IP packet, which is sent with an added outer IP header addressed to the two tunnel end-points. Since tunnel mode hides the original IP header, it can secure networks that use private IP address space.
  • Page 98 Here is an example of a packet with ESP applied (tunnel mode):

    Original Packet: IP Header | Data

    Packet with IPSec Encapsulating Security Payload: New IP Header | ESP Header | Org IP Header | Data | ESP Trailer | ESP Authentication Data
    Encrypted: Org IP Header, Data and ESP Trailer. Authenticated: ESP Header through ESP Trailer (the New IP Header is not covered).

    A.2.5 Internet Key Exchange (IKE) Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a secret key that the security protocols themselves will use.
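    The packet diagram above shows which parts of a tunnel-mode ESP packet are encrypted and which are covered by the Integrity Check Value. The following Python is an added example, not code from the manual or from PLANET: it assembles the same layout from a constructed inner packet, pads the ESP Trailer to the 8-byte block size of 3DES (the cipher in the manual's sample proposals), computes a truncated HMAC-SHA1 ICV over the authenticated span, and shows that tampering with the New IP Header is not detected by the ICV while tampering with the ESP Header is. Encryption of the inner packet is deliberately omitted so that the byte layout stays visible; the SPI, sequence number, key and addresses are all constructed values.

```python
import hmac
import hashlib
import struct

BLOCK = 8                # 3DES block size; the trailer pads the encrypted span to this
ICV_LEN = 12             # HMAC-SHA1-96: the ICV is the first 96 bits of the HMAC
NEXT_HEADER_IPV4 = 4     # "IP-in-IP": tunnel mode carries a complete inner IP packet


def esp_tunnel_encapsulate(orig_packet: bytes, new_ip_header: bytes,
                           spi: int, seq: int, auth_key: bytes) -> dict:
    """Build New IP Header | ESP Header | Org IP Header + Data | ESP Trailer | ESP Auth Data.

    Returns the packet plus (start, end) byte offsets for each field and for the
    encrypted and authenticated spans of the manual's diagram.
    """
    esp_header = struct.pack("!II", spi, seq)           # SPI and sequence number
    # ESP Trailer: padding so that payload + padding + 2 trailer bytes fill whole blocks,
    # followed by Pad Length and Next Header.
    pad_len = (-(len(orig_packet) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))              # default monotonic padding bytes
    esp_trailer = padding + bytes([pad_len, NEXT_HEADER_IPV4])

    encrypted_span = orig_packet + esp_trailer          # would be ciphertext on the wire
    authenticated_span = esp_header + encrypted_span    # ICV covers header through trailer
    icv = hmac.new(auth_key, authenticated_span, hashlib.sha1).digest()[:ICV_LEN]

    packet = new_ip_header + authenticated_span + icv
    o = len(new_ip_header)
    return {
        "packet": packet,
        "pad_len": pad_len,
        "new_ip_header": (0, o),
        "esp_header": (o, o + 8),
        "org_ip_header_and_data": (o + 8, o + 8 + len(orig_packet)),
        "esp_trailer": (o + 8 + len(orig_packet), o + len(authenticated_span)),
        "esp_auth_data": (o + len(authenticated_span), len(packet)),
        "encrypted": (o + 8, o + len(authenticated_span)),
        "authenticated": (o, o + len(authenticated_span)),
    }


def esp_icv_valid(packet: bytes, new_ip_header_len: int, auth_key: bytes) -> bool:
    """Recompute the ICV over ESP Header..ESP Trailer and compare in constant time."""
    body, icv = packet[new_ip_header_len:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def ipv4_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; illustration only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, 6, 0, src, dst)


# Constructed sample data: a LAN host behind one gateway talking to the other LAN.
SAMPLE_PAYLOAD = b"hello esp"
SAMPLE_INNER = ipv4_header(bytes([192, 168, 1, 10]), bytes([192, 168, 0, 20]), len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
SAMPLE_OUTER = ipv4_header(bytes([69, 121, 1, 3]), bytes([69, 121, 1, 30]), 0)   # tunnel end-points
SAMPLE_KEY = b"constructed-authentication-key"


def demo() -> dict:
    """Encapsulate the sample packet and probe what the ICV does and does not protect."""
    layout = esp_tunnel_encapsulate(SAMPLE_INNER, SAMPLE_OUTER, spi=0x1000, seq=1, auth_key=SAMPLE_KEY)
    pkt = layout["packet"]
    outer_len = len(SAMPLE_OUTER)

    outer_tampered = bytearray(pkt)
    outer_tampered[8] ^= 0x01                      # TTL byte inside the New IP Header
    esp_tampered = bytearray(pkt)
    esp_tampered[outer_len + 4] ^= 0x01            # a byte of the ESP sequence number

    return {
        "pad_len": layout["pad_len"],
        "total_len": len(pkt),
        "icv_ok": esp_icv_valid(pkt, outer_len, SAMPLE_KEY),
        "outer_tamper_detected": not esp_icv_valid(bytes(outer_tampered), outer_len, SAMPLE_KEY),
        "esp_tamper_detected": not esp_icv_valid(bytes(esp_tampered), outer_len, SAMPLE_KEY),
        "spans": {k: v for k, v in layout.items() if k not in ("packet", "pad_len")},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The outer header is left unauthenticated by design: routers on the path may rewrite fields such as TTL, so the ICV covers only the ESP Header through the ESP Trailer, exactly the span the diagram marks as authenticated.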
  • Page 99 Figure: IKE negotiation flow. Start: Phase 1 (Main Mode or Aggressive Mode) negotiates the ISAKMP SA with mutual authentication. A new IPSec tunnel or rekeying then enters Phase 2 (Quick Mode, with or without PFS), which negotiates the SAs for AH and ESP. Protected data transfer follows.
  • Page 100: Appendix B: Ipsec Logs And Events

    Appendix B: IPSec Logs and Events B.1 IPSec Log Event Categories There are three major categories of IPSec Log Events for your MH-1000. These include: 1. IKE Negotiate Packet Messages 2. Rejected IKE Messages 3. IKE Negotiated Status Messages The table in the following section lists the different events of each category, and provides a detailed explanation of each.
  • Page 101 Send Main mode third response message: Sending the third response message of main mode. Done for ISAKMP authentication. Received Main mode third response message: Received the third response message of main mode. Done for ISAKMP authentication.
  • Page 102 Rejected IKE Messages (continued): INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized. INVALID ID: Require peer to have ID %s, but peer declares %s. INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized. IKE Negotiated Status Messages: Received Delete SA payload and deleting IPSEC State (integer).
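    Appendix B gives the log messages as printf-style templates, with %s standing for values the gateway fills in. The following Python is an added example, not part of the manual: it turns the templates shown on these two pages into regular expressions, sorts constructed log lines into the three categories the appendix defines, and collects the peers behind repeated "INVALID ID INFORMATION" rejections, which is the kind of summary an administrator reviewing the IPSec log would want. The timestamp format, the sample addresses and the field names are assumptions; the rest of the event table on the page is not reproduced, so lines for other events fall into an "Unrecognized" bucket.

```python
import re
from collections import Counter

# Templates exactly as printed in Appendix B; only the rows visible on these pages are listed.
TEMPLATES = {
    "IKE Negotiate Packet Messages": [
        "Send Main mode third response message",
        "Received Main mode third response message",
    ],
    "Rejected IKE Messages": [
        "INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s "
        "but no connection has been authorized",
        "INVALID ID: Require peer to have ID %s, but peer declares %s",
    ],
    "IKE Negotiated Status Messages": [
        "Received Delete SA payload and deleting IPSEC State (integer)",
    ],
}

# Assumed log line prefix: "YYYY-MM-DD HH:MM:SS " before the message text.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+")


def template_to_regex(template: str) -> "re.Pattern":
    """Escape the literal text, then turn %s into a capture and (integer) into digits."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("%s"), r"(.+?)")
    pattern = pattern.replace(re.escape("(integer)"), r"(\d+)")
    return re.compile("^" + pattern + "$")


COMPILED = [(category, template, template_to_regex(template))
            for category, templates in TEMPLATES.items() for template in templates]


def classify(line: str) -> dict:
    """Match one log line against the known templates; return its category and captured fields."""
    message = TIMESTAMP.sub("", line.strip())
    for category, template, regex in COMPILED:
        match = regex.match(message)
        if match:
            return {"category": category, "template": template, "fields": match.groups()}
    return {"category": "Unrecognized", "template": None, "fields": ()}


def summarize(lines) -> dict:
    """Count events per category and list peers rejected for unauthorized Aggressive Mode."""
    counts = Counter()
    unauthorized_peers = []
    for line in lines:
        result = classify(line)
        counts[result["category"]] += 1
        if result["template"] and result["template"].startswith("INVALID ID INFORMATION"):
            claimed, on = result["fields"]
            unauthorized_peers.append({"claimed_peer": claimed, "on": on})
    return {"counts": dict(counts), "unauthorized_peers": unauthorized_peers}


# Constructed sample log; addresses are documentation ranges plus the manual's 69.121.1.x examples.
SAMPLE_LOG = [
    "2004-01-01 10:00:01 Send Main mode third response message",
    "2004-01-01 10:00:01 Received Main mode third response message",
    "2004-01-01 10:05:12 INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from "
    "203.0.113.7 on 198.51.100.1 but no connection has been authorized",
    "2004-01-01 10:05:13 INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from "
    "203.0.113.7 on 198.51.100.1 but no connection has been authorized",
    "2004-01-01 10:06:00 INVALID ID: Require peer to have ID 69.121.1.30, but peer declares 69.121.1.31",
    "2004-01-01 10:30:00 Received Delete SA payload and deleting IPSEC State 12",
    "2004-01-01 10:31:00 some unrelated message not in the IPSec event table",
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for category, count in report["counts"].items():
        print(f"{category}: {count}")
    for entry in report["unauthorized_peers"]:
        print(f"unauthorized Aggressive Mode attempt claimed from {entry['claimed_peer']} on {entry['on']}")
```

A rejected "INVALID ID" line is usually a configuration mismatch between the two gateways (compare the Local and Remote ID fields on both sides), while a run of "INVALID ID INFORMATION" lines from the same address is a signal to check whether that peer should have a policy at all.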
  • Page 103: Appendix C: Bandwidth Management With Qos

    Internet at the same time, service can slow to a crawl, causing service interruptions and general frustration. Quality of Service (QoS) is one of the ways MH-1000 can optimize the use of bandwidth, ensuring a smooth and responsive Internet connection for all users.
  • Page 104 C.4.1 Home Users Low latency is everything for gamers. Most home users feel frustrated when trying to play an online game over a shared ADSL connection. Unfortunately, most routers have no way of determining the importance of the packet at any given time.
  • Page 105 important packets have priority to ensure a good quality of broadband connection for the entire organization.

    Application | Data Ratio (%) | Priority
    Videoconferencing | | High
    VoIP | | High
    Email | | High
    Upload / Download | | High / Normal
    Other | | MP3 (Low), MSN (Normal)
  • Page 106: Appendix D: Router Setup Examples

    Appendix D: Router Setup Examples D.1 Outbound Fail Over Step 1: Go to Configuration > WAN > ISP Settings. Select WAN1 and WAN2 and click Edit. Step 2: Configure WAN1 and WAN2 according to the information given by your ISP.
  • Page 107: Outbound Load Balancing

    Step 3: Go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button. Under Connectivity Decision, input the number of times MH-1000 should probe the WAN before deciding whether the ISP is in service (3 by default). Next, input the duration of the probe cycle (30 sec. by default) and choose the way WAN ports are probed.
  • Page 108 Step 2: Configure your WAN2 ISP settings and click Apply. Step 3: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button.
  • Page 109 Step 4: Go to Configuration > Dual WAN > Outbound Load Balance. Choose the Load Balance mechanism you want and click Apply. Step 5: Complete. To check traffic statistics, go to Status > Traffic Statistics. Step 6: Click Save Config to save all changes to flash memory.
  • Page 110: Inbound Fail Over

    (Figure: HTTP after fail over.) Configuring your MH-1000 for Inbound Fail Over is a great way to ensure a more reliable connection for incoming requests. To do so, follow these steps: NOTE: Before you begin, ensure that both WAN1 and WAN2 have been properly configured. See Chapter 4: Router Configuration for more details.
  • Page 111 Step 2: Configure Fail Over options if necessary. Step 3: Go to Configuration > Advanced > Dynamic DNS. Set the WAN1 DDNS settings. Step 4: From the same menu, set the WAN2 DDNS settings.
  • Page 112: Dns Inbound Fail Over

    Step 5: Click Save Config to save all changes to flash memory. D.4 DNS Inbound Fail Over
  • Page 113 (Figure: DNS Inbound Fail Over. An Authoritative Domain Name Server delegates www.mydomain.com to the MH-1000's built-in DNS; LAN servers 192.168.2.2 and 192.168.2.3; 1st connection via 200.200.200.1 in "HTTP Before Fail Over", via 100.100.100.1 in "HTTP After Fail Over".) NOTE: Before proceeding, please ensure that both WAN1 and WAN2 are properly configured according to the settings provided by your ISP.
  • Page 114 Step 3: Input DNS Server 1 settings and click Apply. Step 4: Configure your Host URL Mapping for DNS Server 1 by clicking Edit to enter the Host URL Mappings List. Click Create and input the settings for Host URL Mappings and click New.
  • Page 115: Dns Inbound Load Balancing

    Step 5: Click Save Config to save all changes to flash memory. D.5 DNS Inbound Load Balancing (Figure: a DNS Request reaches the Authoritative Domain Name Server, which refers www.mydomain.com to the built-in DNS on 200.200.200.1; the DNS Reply points clients at WAN 1 (200.200.200.1) or WAN 2 (100.100.100.1) for LAN servers 192.168.2.2 and 192.168.2.3; "Heavy load on WAN 2"; HTTP...)
  • Page 116 Step 2: Go to Configuration > Dual WAN > Inbound Load Balance > Server Settings and configure DNS Server 1. Step 3: Go to Configuration > Dual WAN > Inbound Load Balance > Host URL Mapping and configure your FTP mapping.
  • Page 117: Dynamic Dns Inbound Load Balancing

    Step 4: Next configure your HTTP mapping. Step 5: Click Save Config to save all changes to flash memory. D.6 Dynamic DNS Inbound Load Balancing
  • Page 118 (Figure: Remote Access from Internet. Dynamic DNS names www.planet2.dyndns.org and www.planet3.dyndns.org reach LAN hosts 192.168.2.2 and 192.168.2.3 over HTTP.) Step 1: Go to Configuration > WAN > Bandwidth Settings. Configure your WAN inbound and outbound bandwidth. Step 2: Go to Configuration > Dual WAN > General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not.
  • Page 119 Step 3: Go to Configuration > Dual WAN > Outbound Load Balance. Choose your load balance policy and click Apply to apply your changes. If you selected Based on session mechanism as your policy, the source IP address and destination IP address may go through WAN1 or WAN2 depending on policy settings.
  • Page 120 (Screenshots: WAN1 and WAN2 settings.) Step 5: Go to Configuration > Virtual Server and set up a virtual server for both FTP and HTTP.
  • Page 121: Vpn Configuration

    Step 6: Click Save Config to save all changes to flash memory. D.7 VPN Configuration This section outlines some concrete examples on how you can configure MH-1000 for your VPN. D.7.1 LAN to LAN Branch Office...
  • Page 122 Table (settings for the two gateways, first / second): Secure Gateway Address (or Hostname): 69.121.1.3 / 69.121.1.30; IP Address: 69.121.1.3 / 69.121.1.30; Network: Subnet / Subnet; IP Address: 192.168.1.0 / 192.168.0.0; Netmask: 255.255.255.0 / 255.255.255.0; Proposal: IKE Pre-shared Key 12345678 / 12345678; Security Algorithm: Main Mode; ESP: 3DES / Main Mode; ESP: 3DES. D.7.2 Host to LAN...
  • Page 123: Ip Sec Fail Over (Gateway To Gateway)

    Security Algorithm: Main Mode; ESP: 3DES / Main Mode; ESP: 3DES. D.8 IP Sec Fail Over (Gateway to Gateway) (Figure: IPSec fail over between MH-1000 A and MH-1000 B, LANs 192.168.2.x and 192.168.3.x, WAN address 200.200.200.1 and dynamic DNS host mh.planet.dyndns.org, shown "Before Fail Over" and "After Fail Over".)
  • Page 124 Step 1: Go to Configuration > Dual WAN > General Settings. Enable Fail Over by selecting the Fail Over radio button. Then, configure your Fail Over policy. Step 2: Go to Configuration > Advanced > Dynamic DNS and configure your dynamic DNS settings (Both WAN1 and WAN2).
  • Page 125 Step 4: Click Save Config to save all changes to flash memory. To configure another MH-1000 gateway, refer to the screenshot below.
  • Page 126: Ip Vpn Concentrator

    D.9 IP VPN Concentrator
  • Page 127 Step 1: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000-C to MH-1000-A Branch A.
  • Page 128 Step 2: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000-C to MH-1000-B Branch B.
  • Page 129 Step 3: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000-A Branch A to MH-1000-C.
  • Page 130 Step 4: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000-B Branch B to MH-1000-C. Step 5: Click Save Config to save all changes to flash memory.
  • Page 131: Protocol Binding

    D.10 Protocol Binding Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balancing radio button. Step 2: Go to Configuration > Dual WAN > Protocol Binding and configure settings for WAN1. Step 3: Go to Configuration >...
  • Page 132: Intrusion Detection

    Step 4: Click Save Config to save all changes to flash memory. D.11 Intrusion Detection Step 1: Go to Configuration > Firewall > Intrusion Detection and Enable the settings. Step 2: Click Apply and then Save Config to save all changes to flash memory.
  • Page 133: Pptp Remote Access By Windows Xp

    D.12 PPTP Remote Access by Windows XP Step 1: Go to Configuration > VPN > PPTP, Enable the PPTP function and click Apply.
  • Page 134 Step 2: Click Create to create a PPTP Account. Step 3: Click Apply; the account is now created. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections.
  • Page 135 Step 6: In Network Tasks, click Create a new connection, and press Next.
  • Page 136 Step 7: Select Connect to the network at my workplace and press Next. Step 8: Select Virtual Private Network connection and press Next.
  • Page 137 Step 9: Input the user-defined name for this connection and press Next. Step 10: Input the PPTP Server Address and press Next.
  • Page 138 Step 11: Press Finish. Step 12: Double-click the connection, and input the Username and Password defined in the Planet PPTP Account Settings.
  • Page 139: Pptp Remote Access

    Note: You can also refer to the connection's Properties > Security page, shown below with its default settings. D.13 PPTP Remote Access
  • Page 140 Step 1: Go to Configuration > VPN > PPTP, Enable the PPTP function, Disable the Encryption, then click Apply. Step 2: Click Create to create a PPTP Account. Step 3: Click Apply; the account is now created.
  • Page 141 Step 4: Click Save Config to save all changes to flash memory. Step 5: On another MH-1000 acting as the client, go to Configuration > WAN > ISP Settings. Step 6: Click Apply, and then Save Config.