Planet MH-1000 User Manual

Multi-homing security gateway

Multi-Homing Security Gateway User's Manual

Summary of Contents for Planet MH-1000

  • Page 1 Multi-Homing Security Gateway User’s Manual Multi-Homing Security Gateway MH-1000 User’s Manual...
  • Page 2: Customer Service

    Copyright (C) 2006 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted.
  • Page 3: Table Of Contents

    Table of Contents: Chapter 1: Introduction; 1.1 Features; 1.2 Package Contents; 1.3 MH-1000 Front View; 1.4 MH-1000 Rear Panel; 1.5 Specification; Chapter 2: Router Application; 2.1 O...
  • Page 4 3.3.2 Windows XP; 3.3.3 Windows 2000; 3.3.4 Windows 95/98/ME; 3.3.5 Windows NT 4.0; 3.4 Factory Default Settings; 3.4.1 User name and password; 3.4.2 LAN and WAN Port Addresses; 3.5 I ISP ...
  • Page 5 4.4.2.2 Bandwidth settings; 4.4.3 Dual WAN; 4.4.3.1 General Settings; 4.4.3.2 Outbound Load Balance; 4.4.3.3 Inbound Load Balance; 4.4.3.4 Protocol Binding; 4.4.4 System; 4.4.4.1 Time Zone; 4.4.4.2 Remote Access; 4.4.4.3 Firmware Upgrade; 4.4.4.4 Backup / Restore; 4.4.4.5 Restart; 4.4.4.6 Password...
  • Page 6 5.1.4 Forgot My Password; 5.2 LAN Interface; 5.2.1 Can’t Access MH-1000 from the LAN; 5.2.2 Can’t Ping Any PC on the LAN; 5.2.3 Can’t Access Web Configuration Interface; 5.2.3.1 Pop-up Windows; 5.2.3.2 Java Scripts...
  • Page 7 Multi-Homing Security Gateway User’s Manual APPENDIX D: ROUTER SETUP EXAMPLES..................102 D.1 O ........................102 UTBOUND D.2 O ......................103 UTBOUND ALANCING D.3 I ......................... 106 NBOUND D.4 DNS I ......................... 108 NBOUND D.5 DNS I ......................111 NBOUND ALANCING D.6 D DNS I ..................113...
  • Page 8: Chapter 1: Introduction

    Load Balancing: MH-1000 provides the ability to balance the workload by distributing incoming traffic across the two connections. DNS inbound load balance: The MH-1000 can be configured to reply with the WAN2 IP address to a DNS domain name request if WAN1 fails.
  • Page 9: Package Contents

    Bracket x 2 (For rack-mounted); Screw x 4 (For rack-mounted). If any of the contents are missing or damaged, please contact your dealer or distributor immediately. 1.3 MH-1000 Front View MH-1000 Front Panel Description A solid light indicates a steady connection to a power source...
  • Page 10: Specification

    Connect to your local PC, switch or other local network device DC 12V Connect DC Power Adapter here (12VDC) 1.5 Specification Product Multi-homing Security Gateway Model MH-1000 Hardware Ethernet 8 x 10/100 Based-TX RJ-45 2 x 10/100 Based-TX RJ-45 Performance Firewall throughput 90Mbps...
  • Page 11: Chapter 2: Router Application

    Chapter 2: Router Application 2.1 Overview MH-1000 is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both Inbound and Outbound Load Balancing. Alternatively, MH-1000 can also be set to redirect incoming and outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability.
  • Page 12: Qos Policies For Different Applications

    2.2.2 QoS Policies for Different Applications By setting different QoS policies according to the applications you are running, you can use MH-1000 to optimize the bandwidth that is being used on your network. VoIP Normal PCs...
  • Page 13: Guaranteed / Maximum Bandwidth

    2.2.3 Guaranteed / Maximum Bandwidth Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of bandwidth. For example, you can configure MH-1000 to reserve 10% of the available bandwidth for a particular computer on the network to transfer files.
  • Page 14: Priority Bandwidth Utilization

    2.2.5 Priority Bandwidth Utilization Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is processed ahead of applications with a lower priority and vice versa.
  • Page 15: Management By Ip Or Mac Address

    2.2.6 Management by IP or MAC address MH-1000 can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network.
  • Page 16: Outbound Traffic

    2.3 Outbound Traffic This section outlines some of the ways you can use MH-1000 to manage outbound traffic. 2.3.1 Outbound Fail Over Configuring MH-1000 for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted.
  • Page 17: Inbound Traffic

    WAN port. This is useful for some server applications that need to identify the source IP address of the client. By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is efficiently handled by making sure that both ports are equally sharing the load, preventing situations where one port is completely saturated by outbound traffic.
  • Page 18: Inbound Load Balancing

    Internet. Under normal circumstances, the remote computer will gain access to the network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH-1000 to reroute incoming traffic to WAN2 by using the Dynamic DNS mechanism. Configuring your MH-1000 for Inbound Fail Over provides a more reliable connection for your incoming traffic.
  • Page 19: Dns Inbound

    DNS Inbound is a three step process. First, a DNS request is made to the router via a remote PC. MH-1000, based on settings specified by the user, will direct the requesting PC to the correct WAN...
  • Page 20: Dns Inbound Fail Over

    WAN IP address through the built-in DNS server. The remote PC then accesses the network via the specified WAN port. How MH-1000 directs this traffic through the built-in DNS server depends on whether it is configured for Fail Over or Load Balancing.
  • Page 21: Dns Inbound Load Balancing

    Remote PCs are attempting to access the servers via the Internet by making a DNS request, entering a URL (www.mydomain.com). Using a load balancing algorithm, MH-1000 can direct incoming requests to either WAN port based on the amount of load each WAN port is currently experiencing. If WAN2 is experiencing a heavy load, MH-1000 responds to incoming DNS requests with WAN1.
  • Page 22: Bandwidth Monitor

    (1). The request is sent to the DNS server of MH-1000 through WAN2. (2). WAN2 will route this request to the embedded DNS server of MH-1000. (3). MH-1000 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request.
  • Page 23: Virtual Private Networking

    As such, it is perfect for connecting branch offices to headquarters across the Internet in a secure fashion. The following section discusses Virtual Private Networking with MH-1000. 2.6.1 General VPN Setup There are typically three different VPN scenarios.
  • Page 24: Vpn Planning - Fail Over

    One of the most important steps in setting up a VPN is proper planning. The following sections demonstrate the various ways of using MH-1000 to setup your VPN. 2.6.2 VPN Planning - Fail Over Configuring your VPN with Fail Over allows MH-1000 to automatically default to WAN2 should WAN1 fail. planet.dyndns.org 192.168.3.x 192.168.2.x...
  • Page 25: Concentrator

    All branch office traffic will be redirected to the VPN tunnel to headquarters with the exception of LAN-side traffic. This way, all branch offices can connect to each other through headquarters via the headquarters’ firewall management. You can also configure MH-1000 to function as a VPN Concentrator: Please refer to appendix D for example settings.
  • Page 26: Chapter 3: Getting Started

    Chapter 3: Getting Started 3.1 Overview MH-1000 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive web-based configuration, MH-1000 allows you to administer your network via virtually any Java-enabled web browser and is fully compatible with Linux, Mac OS, and Windows 98/ME/NT/2000/XP operating systems.
  • Page 27: Overview

    TCP/IP on your PCs: - Windows 95/98/Me/NT/2000/XP - Mac OS 7 and later Any TCP/IP capable workstation can be used to communicate with or through MH-1000. To configure other types of workstations, please consult the manufacturer’s documentation. 3.3.2 Windows XP 1.
  • Page 28 3. In the Local Area Connection Status window, click Properties. 4. Select Internet Protocol (TCP/IP) and click Properties. 5. Select Obtain IP address automatically and the Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration...
  • Page 29: Windows 2000

    3.3.3 Windows 2000 1. Go to Start / Settings / Control Panel. In Control Panel, double-click Network and Dial-up Connections. 2. Double-click Local Area Connection. 3. In the Local Area Connection Status window click Properties. 4.
  • Page 30: Windows 95/98/Me

    5. Select Obtain IP address automatically and the Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration. 3.3.4 Windows 95/98/ME 1. Go to Start / Settings / Control Panel. In Control Panel, double-click...
  • Page 31: Windows Nt 4.0

    4. Then select the DNS Configuration tab. 5. Select the Disable DNS radio button and click OK to finish the configuration. 3.3.5 Windows NT 4.0 1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the Protocols tab.
  • Page 32: Factory Default Settings

    The default user name and password are "admin" and "admin" respectively. If you ever forget your user name and/or password, you can restore your MH-1000 to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink. Please note that doing this will also erase any previous router settings that you have made.
  • Page 33: Web Configuration Interface

    PC. 3.5.2 Web Configuration Interface MH-1000 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.1, and click Go.
  • Page 34: Chapter 4: Router Configuration

    Chapter 4: Router Configuration 4.1 Overview The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left hand side. From it, you will be able to select various options used to configure your router.
  • Page 35: Status

    4.2 Status The Status menu displays the various options that have been selected and a number of statistics about your MH-1000. In this menu, you will find the following sections: - ARP Table - Routing Table...
  • Page 36: Arp Table

    4.2.1 ARP Table The Address Resolution Protocol (ARP) Table shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is a quick way to determine the MAC address of your PC’s network interface to use with the router’s Firewall –...
  • Page 37: Session Table

    4.2.3 Session Table The NAT Session Table displays a list of current sessions for both incoming and outgoing traffic with protocol type, source IP, source port, destination IP and destination port. Each page shows 10 sessions...
  • Page 38: Ipsec Status

    Lease Time: The expired time for the IP address. 4.2.5 IPSec Status The IPSec Status window displays the status of the IPSec Tunnels that are currently configured on your MH-1000. Name: The name you assigned to the particular IPSec entry.
  • Page 39: Traffic Statistic

    Name: The name you assigned to the particular PPTP entry. Enable: Whether the PPTP connection is currently Enable or Disable. Status: Whether the PPTP is Active, Inactive or Disable. Type: Whether the Connection type is Remote Access or LAN to LAN Peer Network: The Remote subnet for LAN to LAN as connection type.
  • Page 40: System Log

    4.2.8 System Log This window displays MH-1000’s System Log entries. Major events are logged on this window. Refresh: Refresh the System Log. Clear Log: Clear the System Log. Send Log: Send the System Log to your email account. You can set the email address in Configuration >...
  • Page 41: Quick Start

    System > Email Alert. See the Email Alert section for more details. Please refer to Appendix F: IPSec Log Events for more information on log events. 4.3 Quick Start The Quick Start menu allows you to quickly configure your network for Internet access using the most basic settings.
  • Page 42: Pppoe

    Click Apply to save your changes. To reset to defaults, click Reset. 4.3.3 PPPoE Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Connect or Trigger on Demand. - Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP.
  • Page 43: Big Pond

    Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
  • Page 44: Configuration

    4.4 Configuration The Configuration menu allows you to set many of the operating parameters of MH-1000. In this menu, you will find the following sections: - LAN - WAN - Dual WAN - System - Firewall...
  • Page 45: Dhcp Server

    In this menu, you can disable or enable the Dynamic Host Configuration Protocol (DHCP) server. The DHCP protocol allows your MH-1000 to dynamically assign IP addresses to PCs on your network if they are configured to automatically obtain IP addresses.
  • Page 46: Wan

    The WAN menu contains two items: ISP Settings and Bandwidth Settings. 4.4.2.1 ISP Settings This WAN Service Table displays the different WAN connections that are configured on MH-1000. To edit any of these connections, click Edit. You will be taken to the following menu.
  • Page 47: Dhcp

    Connection Method: Select how your router will connect to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the factory default is DHCP. If your ISP does not use DHCP, select the correct connection method and configure the connection accordingly.
  • Page 48: Static Ip

    Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.2 Static IP IP assigned by your ISP: Enter the static IP assigned by your ISP. IP Subnet Mask: Enter the IP subnet mask provided by your ISP. ISP Gateway Address: Enter the ISP gateway address provided by your ISP.
  • Page 49 Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Connect or Trigger on Demand. Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP.
  • Page 50: Pptp Settings

    4.4.2.1.4 PPTP Settings Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
  • Page 51: Big Pond Settings

    MAC address in the blanks below. DNS: If your ISP requires you to manually setup DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive, or Both from the drop down menu. To disable RIP, select Disable from the drop down menu.
  • Page 52: Bandwidth Settings

    4.4.2.2 Bandwidth settings Under Bandwidth Settings, you can easily configure both inbound and outbound bandwidth for each WAN port. WAN1: Enter your ISP inbound and outbound bandwidth for WAN1. WAN2: Enter your ISP inbound and outbound bandwidth for WAN2. NOTE: The values entered here are referenced by both QoS and Load Balancing functions.
  • Page 53: Outbound Load Balance

    Click Apply to save your changes. 4.4.3.2 Outbound Load Balance Outbound Load Balancing on MH-1000 can be based on one of two methods: 1. Based on session mechanism 2. Based on IP address hash mechanism Choose one by clicking the corresponding radio button.
  • Page 54: Inbound Load Balance

    - Balance by Traffic weight: Balances traffic based on a traffic weight ratio. Enter the desired ratio into the blanks provided. Based on IP hash mechanism: The source IP address and destination IP address will go through specific WAN port (WAN1 or WAN2) according to policy settings in this mechanism.
  • Page 55 SOA: Domain Name: The domain name of DNS Server 1. It is the name that you register with a DNS organization. You have to fill out the Fully Qualified Domain Name (FQDN) with an ending character (a dot) in this text field (e.g. abc.com.). When you enter the following domain names, you can only input characters without an ending dot; the domain name is then appended, and it becomes an FQDN.
  • Page 56 To edit the Host Mapping URL list, click Edit. This will open the Host Mapping URL table, which lists the current Host Mapping URLs. To add a host mapping URL to the list, click Create. Domain Name: The domain name of the local host.
  • Page 57: Protocol Binding

    4.4.3.4 Protocol Binding Protocol Binding lets you direct specific traffic to go out from a specific WAN port. Click the Create button to create a new policy entry. Policies entered would tell specific types of Internet traffic from a particular range of IPs to go to a particular range of IPs with ONE WAN port, rather than using both of the WAN ports with load balancing.
  • Page 58: System

    In this menu are the following sections: Time Zone, Remote Access, Firmware Upgrade, Backup/Restore, Restart, Password, System Log and Email Alert. 4.4.4.1 Time Zone MH-1000 does not use an onboard real time clock; instead, it uses the Network Time Protocol (NTP) to...
  • Page 59: Remote Access

    NTP server outside your network. Simply choose your local time zone, enter NTP Server IP Address, and click Apply. After connecting to the Internet, MH-1000 will retrieve the correct local time from the NTP server you have specified. Your ISP may provide an NTP server for you to use.
  • Page 60: Backup / Restore

    NOTE: DO NOT power down the router or interrupt the firmware upgrade while it is still in process. Interrupting the firmware upgrade process could damage the router. 4.4.4.4 Backup / Restore This feature allows you to save and backup your router’s current settings, or restore a previously saved backup.
  • Page 61: Password

    Restart to reboot MH-1000 with factory default settings. You may also reset your router to factory default settings by holding the Reset button on the router until the Status LED begins to blink. Once MH-1000 completes the boot sequence, the Status LED will stop blinking. 4.4.4.6 Password...
  • Page 62: System Log Server

    4.4.4.7 System Log Server This function allows MH-1000 to send system logs to an external Syslog Server. Syslog is an industry-standard protocol used to capture information about network activity. To enable this function, select the Enable radio button and enter your Syslog server IP address in the Log Server IP Address field.
  • Page 63: Firewall

    - When log is full: The router will send an alert only when the log is full. 4.4.5 Firewall MH-1000 includes a full Stateful Packet Inspection (SPI) firewall for controlling Internet access from your LAN, and preventing attacks from hackers. Your router also acts as a "natural" Internet firewall when using Network Address Translation (NAT), as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet.
  • Page 64: Packet Filter

    4.4.5.1 Packet Filter The Packet Filter function is used to limit user access to certain sites on the Internet or LAN. The Filter Table displays all current filter rules. If there is an entry in the Filter Table, you can click Edit to modify the setting of this entry, click Delete to remove this entry, or click Move to change this entry’s priority.
  • Page 65: Url Filter

    - End IP Address: Enter the End source IP Address this filter rule is to be applied. (for IP Range only) - Netmask: Enter the subnet mask of the above IP address. Destination IP: Select Any, Subnet, IP Range or Single Address. - Starting IP Address: Enter the destination IP or starting destination IP address this filter rule is to be applied.
  • Page 66 Block ActiveX to filter web access with ActiveX components. Click Block Web proxy to filter web proxy access. Click Block Cookie to filter web access with Cookie components. Click Block Surfing by IP Address to filter web access with an IP address as the domain name. Exception List: You can input a list of IP addresses as the exception list for URL filtering.
  • Page 67: Lan Mac Filter

    Applet, Block ActiveX, Block Web proxy, Block Cookie, Block Surfing by IP Address) and click Apply to save your changes. You may also designate which IP addresses are to be excluded from these filters by adding them to the Exception List.
  • Page 68: Block Wan Request

    LAN MAC Filter decides, by MAC address, whether MH-1000 will serve devices on the LAN side. Default Rule: Forward or Drop all LAN requests. (Forward by default) Create: You can also input a specified MAC Address to be dropped or forwarded without depending on the default rule.
  • Page 69: Intrusion Detection

    4.4.5.5 Intrusion Detection Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users. Intrusion Detection: Enable or disable this function. Intrusion Log: All the detected and dropped attacks will be shown in the system log. 4.4.6 VPN 4.4.6.1 IPSec IPSec is a set of protocols that enable Virtual Private Networks (VPN).
  • Page 70 Connection Type: There are 5 connection types: (1)LAN to LAN: MH-1000 would like to establish an IPSec VPN tunnel with remote router using Fixed Internet IP or domain name by using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN gateway.
  • Page 71 Back: Back to the Previous page. Next: Go to the next page. (3)LAN to Host: MH-1000 would like to establish an IPSec VPN tunnel with remote client software using Fixed Internet IP or domain name by using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.
  • Page 72 (5)LAN to Host (for VPN Client only): MH-1000 would like to establish an IPSec VPN tunnel with MH-1000 VPN Client by using aggressive mode. VPN Client IP Address: The VPN Client Address for MH-1000 VPN Client, this value will be applied on both remote ID and Remote Network as single address.
  • Page 73: Ipsec Policy

    After your configuration is done, you will see a Configuration Summary. Back: Back to the Previous page. Done: Click Done to apply the rule. 4.4.6.1.2 IPSec Policy Click Create to create a new IPSec VPN connection account...
  • Page 74 Configuring a New VPN Connection Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Interface: Select the interface the IPSec tunnel will apply to. WAN1: Select interface WAN1 WAN2: Select interface WAN2 Auto: The device will automatically apply the tunnel to WAN1 or WAN2 depending on which WAN...
  • Page 75 - FQDN DNS (Fully Qualified Domain Name): Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN. WWW is the host name, VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN. - FQUN E-Mail (Fully Qualified User Name): Consists of a username and its domain name.
  • Page 76 Detection Interval: The interval time to check the remote IPSec device. By default is 30 seconds. Idle Timeout: If the remote VPN device does not respond, MH-1000 will retry to send out the packets. When the frequency reaches to the Idle Timeout setting, MH-1000 will disconnect the VPN connection automatically.
  • Page 77: Pptp

    After you have created the IPSec connection, the account information will be displayed. Name: This is the user-defined name of the connection. Enable: This function activates or deactivates the IPSec connection. Local Subnet: Displays IP address and subnet of the local network. Remote Subnet: Displays IP address and subnet of the remote network.
  • Page 78: Qos

    IP Addresses Assigned to Peer Start from: 192.168.1.x: please input the IP assigned range from 1 ~ 254 (except MH-1000’s LAN IP address with 192.168.1.1 as MH-1000’s default LAN IP address and IP pool range of DHCP server settings with 100~199 as MH-1000’s default DHCP IP pool range.) Idle Timeout “...
  • Page 79 - Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2’s inbound traffic. Creating a New QoS Rule To get started using QoS, you will need to establish QoS rules. These rules tell MH-1000 how to handle both incoming and outgoing traffic. The following example shows you how to configure WAN1 Outbound...
  • Page 80 QoS. Configuring the other traffic types follows the same process. To make a new rule, click Rule Table. This will bring you to the Rule Table which displays the rules currently in effect. Next, click Create to open the QoS Rule Configuration window. Interface: The current traffic type.
  • Page 81: Virtual Server

    For IP Address: - Source IP Address Range: The range of source IP Addresses this rule applies to. - Destination IP Address Range: The range of destination IP Addresses this rule applies to. - Protocol: The type of packet this rule applies to. Choose from Any, TCP, UDP, or ICMP. - Source Port Range: The range of source ports this rule applies to.
  • Page 82: Dmz

    NAT. MH-1000 can also be configured as a virtual server so that remote users accessing services such as Web or FTP services via the public (WAN) IP address can be automatically redirected to local servers in the LAN network.
  • Page 83: Port Forwarding Table

    4.4.8.2 Port Forwarding Table Because NAT can act as a "natural" Internet firewall, your router protects your network from being accessed by outside users, as all incoming connection attempts will point to your router unless you specifically create Virtual Server entries to forward those ports to a PC on your network.
  • Page 84: Advanced

    Configuration options within the Advanced section are for users who wish to take advantage of the more advanced features of MH-1000. Users who do not understand the features should not attempt to reconfigure their router, unless advised to do so by support staff.
  • Page 85 Click on Static Route and then click Create to add a routing table. Rule: Select Enable to activate this rule, Disable to deactivate this rule. Destination: This is the destination subnet IP address. Netmask: This is the subnet mask of the destination IP addresses based on above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded.
  • Page 86: Dynamic Dns

    Dynamic DNS Settings Table to set related parameters for a specific interface. You will first need to register and establish an account with the Dynamic DNS provider using their website, for example DYNDNS: http://www.dyndns.org/ (MH-1000 supports several Dynamic DNS providers, such as www.dyndns.org, www.orgdns.org, www.dhs.org, www.dyns.cx, www.3domain.hk, www.zoneedit.com, www.3322.org, www.no-ip.com...
  • Page 87: Device Management

    4.4.9.3 Device Management The Device Management Advanced Configuration settings allow you to control your router’s security options and device monitoring features. Device Name Name: Enter a name for this device. Web Server Settings HTTP Port: This is the port number the router’s embedded web server (for web-based configuration) will use.
  • Page 88: Logout

    4.6 Logout To exit the router’s web interface, click Logout. Please ensure that you have saved your configuration settings before you log out. Be aware that the router is restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out.
  • Page 89: Chapter 5: Troubleshooting

    If the error persists, you may have a hardware problem, and should contact technical support. 5.1.2 LEDs Never Turn Off When your MH-1000 is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there may be a hardware problem.
  • Page 90: Lan Interface

    If PCs connected to the LAN cannot be pinged: - Check the 10/100 LAN LEDs on MH-1000’s front panel. One of these LEDs should be on. If they are both off, check the cables between MH-1000 and the hub or PC.
  • Page 91: Pop-Up Windows

    To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your MH-1000’s IP address.
  • Page 92: Java Scripts

    2. Under the Privacy tab, clear the Block pop-ups checkbox and click Apply to save your changes. Enabling Pop-up Blockers with Exceptions If you only want to allow pop-up windows with your MH-1000: 1. In Internet Explorer, select Tools > Internet Options.
  • Page 93: Java Permissions

    3. Under Scripting, check to see if Active scripting is set to Enable. 4. Ensure that Scripting of Java applets is set to Enabled. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions The following Java Permissions should also be given for the Web Configuration Interface to display properly: 1.
  • Page 94: Wan Interface

    5.4 ISP Connection Unless you have been assigned a static IP address by your ISP, your MH-1000 will need to request an IP address from the ISP in order to access the Internet. If your MH-1000 is unable to access the Internet, first determine if your router is able to obtain a WAN IP address from the ISP.
  • Page 95 If an IP address cannot be obtained: 1. Turn off the power to your cable or DSL modem. 2. Turn off the power to your MH-1000. 3. Wait five minutes and power on your cable or DSL modem. 4. When the modem has finished synchronizing with the ISP (generally shown by LEDs on the modem), turn on the power to your router.
  • Page 96: Problems With Date And Time

    5.5 Problems with Date and Time If the date and time is not being displayed correctly, be sure to set it for your MH-1000 via the Web Configuration Interface. Both date and time can be found under Configuration > System > Time Zone.
  • Page 97: Appendix A: Virtual Private Networking

    Appendix A: Virtual Private Networking A.1 What is the VPN? A Virtual Private Network (VPN) is a shared network where private data is segmented from other traffic so that only the intended recipient has access. It allows organizations to securely transmit data over a public medium like the Internet.
  • Page 98: Ipsec Security Components

    A.2.1 IPSec Security Components IPSec contains three major components: - Authentication Header (AH): Provides authentication and integrity. - Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. - Internet Key Exchange (IKE): Provides key management and Security Association (SA) management. These components are discussed below.
  • Page 99: Security Associations (Sa)

    placement depends on whether ESP is used in transport mode or tunnel mode. ESP Trailer: Placed after the encrypted data, the ESP Trailer contains padding that is used to align the encrypted data. ESP Authentication Data: This contains an Integrity Check Value (ICV) for when ESP's optional authentication feature is used.
  • Page 100: Tunnel Mode Ah

    addresses of the hosts must be public IP addresses. Tunnel Mode - This mode is used to provide data security between two networks. It provides protection for the entire IP packet and is sent by adding an outer IP header corresponding to the two tunnel end-points. Since tunnel mode hides the original IP header, it provides security of the networks with private IP address space.
  • Page 101: Internet Key Exchange (Ike)

    Here is an example of a packet with ESP applied: Original Packet: IP Header | Data. Packet with IPSec Encapsulation Security Payload: New IP Header | ESP Header | Org IP Header | Data | ESP Trailer | Authentication (the figure marks the encrypted and authenticated spans). A.2.5 Internet Key Exchange (IKE) Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a secret key that the security protocols themselves will use.
  • Page 102 [Figure: IKE negotiation flow. Start; Phase 1: negotiate ISAKMP SA (Main Mode or Aggressive Mode), mutual authentication; new IPSec tunnel or rekeying; Phase 2: negotiate SAs for AH and ESP (Quick Mode without PFS or Quick Mode with PFS); protected data transfer.]
  • Page 103: Appendix B: Ipsec Logs And Events

    Appendix B: IPSec Logs and Events B.1 IPSec Log Event Categories There are three major categories of IPSec Log Events for your MH-1000. These include: 1. IKE Negotiate Packet Messages 2. Rejected IKE Messages 3. IKE Negotiated Status Messages The table in the following section lists the different events of each category, and provides a detailed explanation of each.
  • Page 104 Send Main mode third response message of ISAKMP: Sending the third response message of main mode. Done for authentication. Received Main mode third response message of ISAKMP: Received the third response message of main mode. Done for authentication.
  • Page 105 INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized; INVALID ID: Require peer to have ID %s, but peer declares %s; INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized. IKE Negotiated Status Messages: Received Delete SA payload and deleting IPSEC State (integer)
  • Page 106: Appendix C: Bandwidth Management With Qos

    Internet at the same time, service can slow to a crawl, causing service interruptions and general frustration. Quality of Service (QoS) is one of the ways MH-1000 can optimize the use of bandwidth, ensuring a smooth and responsive Internet connection for all users.
  • Page 107: Home Users

    C.4.1 Home Users Low latency is everything for gamers. Most home users feel frustrated when trying to play an online game over a shared ADSL connection. Unfortunately, most routers have no way of determining the importance of the packet at any given time.
  • Page 108 important packets have priority to ensure a good quality of broadband connection for the entire organization. Application Data Ratio (%) Priority Videoconferencing High VoIP High Email High Upload (High), Download (Normal) Other MP3 (Low), MSN (Normal)
  • Page 109: Appendix D: Router Setup Examples

    Appendix D: Router Setup Examples D.1 Outbound Fail Over Step 1: Go to Configuration > WAN > ISP Settings. Select WAN1 and WAN2 and click Edit. Step 2: Configure WAN1 and WAN2 according to the information given by your ISP.
  • Page 110: Outbound Load Balancing

    Step 3: Go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button. Under Connectivity Decision, input the number of times MH-1000 should probe the WAN before deciding that the ISP is in service or not (3 by default). Next, input the duration of the probe cycle (30 sec. by default) and choose the way WAN ports are probed.
  • Page 111 Step 2: Configure your WAN2 ISP settings and click Apply. Step 3: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button.
  • Page 112 Step 4: Go to Configuration > Dual WAN > Outbound Load Balance. Choose the Load Balance mechanism you want and click Apply. Step 5: Complete. To check traffic statistics, go to Status > Traffic Statistics. Step 6: Click Save Config to save all changes to flash memory.
  • Page 113: Inbound Fail Over

    HTTP After Fail Over Configuring your MH-1000 for Inbound Fail Over is a great way to ensure a more reliable connection for incoming requests. To do so, follow these steps: NOTE: Before you begin, ensure that both WAN1 and WAN2 have been properly configured. See Chapter 4: Router Configuration for more details.
  • Page 114 Step 2: Configure Fail Over options if necessary. Step 3: Go to Configuration > Advanced > Dynamic DNS. Set the WAN1 DDNS settings. Step 4: From the same menu, set the WAN2 DDNS settings.
  • Page 115: Dns Inbound Fail Over

    Step 5: Click Save Config to save all changes to flash memory. D.4 DNS Inbound Fail Over
  • Page 116 [Figure: DNS inbound fail over, panels "HTTP Before Fail Over" and "HTTP After Fail Over"; labels: Authoritative Domain Name Server, Built-in DNS, www.mydomain.com, 200.200.200.1, 100.100.100.1, 192.168.2.2, 192.168.2.3.] NOTE: Before proceeding, please ensure that both WAN1 and WAN2 are properly configured according to the settings provided by your ISP.
  • Page 117 Step 3: Input DNS Server 1 settings and click Apply. Step 4: Configure your Host URL Mapping for DNS Server 1 by clicking Edit to enter the Host URL Mappings List. Click Create and input the settings for Host URL Mappings and click New.
  • Page 118: Dns Inbound Load Balancing

    Step 5: Click Save Config to save all changes to flash memory. D.5 DNS Inbound Load Balancing [Figure: DNS inbound load balancing under heavy load on WAN 2; labels: Authoritative Domain Name Server, DNS Request, DNS Reply, Built-in DNS, WAN 1, WAN 2, www.mydomain.com, 200.200.200.1, 100.100.100.1, 192.168.2.2, 192.168.2.3, HTTP...]
  • Page 119 Step 2: Go to Configuration > Dual WAN > Inbound Load Balance > Server Settings and configure DNS Server 1. Step 3: Go to Configuration > Dual WAN > Inbound Load Balance > Host URL Mapping and configure your FTP mapping.
  • Page 120: Dynamic Dns Inbound Load Balancing

    Step 4: Next configure your HTTP mapping. Step 5: Click Save Config to save all changes to flash memory. D.6 Dynamic DNS Inbound Load Balancing
  • Page 121 [Figure: Remote Access from Internet; labels: 192.168.2.2, 192.168.2.3, www.planet3.dyndns.org, www.planet2.dyndns.org, HTTP.] Step 1: Go to Configuration > WAN > Bandwidth Settings. Configure your WAN inbound and outbound bandwidth. Step 2: Go to Configuration > Dual WAN > General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not.
  • Page 122 Step 3: Go to Configuration > Dual WAN > Outbound Load Balance. Choose your load balance policy and click Apply to apply your changes. If you selected Based on session mechanism as your policy, the source IP address and destination IP address may go through WAN1 or WAN2 depending on policy settings.
  • Page 123 Step 5: Go to Configuration > Virtual Server and set up a virtual server for both FTP and HTTP.
  • Page 124: Vpn Configuration

    Step 6: Click Save Config to save all changes to flash memory. D.7 VPN Configuration This section outlines some concrete examples on how you can configure MH-1000 for your VPN. D.7.1 LAN to LAN
  • Page 125: Host To Lan

    Branch Office Head Office Local IP Address IP Address Data 69.121.1.30 69.121.1.3 Network Any Local Address Any Local Address IP Address 192.168.0.0 192.168.1.0 Netmask 255.255.255.0 255.255.255.0 Remote Secure Gateway Address (or Hostname) 69.121.1.3 69.121.1.30 IP Address IP Address Data 69.121.1.3...
  • Page 126 Single client Head Office Local IP Address IP Address Data 69.121.1.30 69.121.1.3 Network Any Local Address Any Local Address IP Address 0.0.0.0 192.168.1.0 Netmask 0.0.0.0 255.255.255.0 Remote Secure Gateway Address (or Hostname) 69.121.1.3 69.121.1.30 IP Address IP Address Data 69.121.1.3...
  • Page 127: Ip Sec Fail Over (Gateway To Gateway)

    D.8 IP Sec Fail Over (Gateway to Gateway) [Figure: VPN tunnel between MH-1000 A and MH-1000 B, panels "VPN Tunnel Before Fail Over" and "VPN Tunnel After Fail Over"; labels: mh.planet.dyndns.org, 200.200.200.1, 192.168.2.x, 192.168.3.x.] Step 1: Go to Configuration > Dual WAN > General Settings. Enable Fail Over by selecting the Fail Over radio button.
  • Page 128 Step 2: Go to Configuration > Advanced > Dynamic DNS and configure your dynamic DNS settings (both WAN1 and WAN2). Step 3: Go to Configuration > VPN > IPSec > IPSec Policy. Click Create to configure VPN settings.
  • Page 129 Step 4: Click Save Config to save all changes to flash memory. To configure another MH-1000 gateway, refer to the screenshot below.
  • Page 130: Ip Vpn Concentrator

    D.9 IP VPN Concentrator
  • Page 131 Step 1: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000-C to MH-1000-A Branch A.
  • Page 132 Step 2: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000-C to MH-1000-B Branch B.
  • Page 133 Step 3: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000-A Branch A to MH-1000-C.
  • Page 134 Step 4: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000-B Branch B to MH-1000-C. Step 5: Click Save Config to save all changes to flash memory.
  • Page 135: Protocol Binding

    D.10 Protocol Binding Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balancing radio button. Step 2: Go to Configuration > Dual WAN > Protocol Binding and configure settings for WAN1. Step 3: Go to Configuration >...
  • Page 136: Intrusion Detection

    Step 4: Click Save Config to save all changes to flash memory. D.11 Intrusion Detection Step 1: Go to Configuration > Firewall > Intrusion Detection and Enable the settings. Step 2: Click Apply and then Save Config to save all changes to flash memory.
  • Page 137: Pptp Remote Access By Windows Xp

    D.12 PPTP Remote Access by Windows XP Step 1: Go to Configuration > VPN > PPTP and Enable the PPTP function, then click Apply.
  • Page 138 Step 2: Click Create to create a PPTP Account. Step 3: Click Apply; you can see that the account is successfully created. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections.
  • Page 139 Step 6: In Network Tasks, click Create a new connection, and press Next.
  • Page 140 Step 7: Select Connect to the network at my workplace and press Next. Step 8: Select Virtual Private Network connection and press Next.
  • Page 141 Step 9: Input the user-defined name for this connection and press Next. Step 10: Input PPTP Server Address and press Next.
  • Page 142 Step 11: Press Finish. Step 12: Double-click the connection, and input the Username and Password that are defined in Planet PPTP Account Settings.
  • Page 143: Pptp Remote Access

    P.S. You can also refer to the Properties > Security page as below, by default. D.13 PPTP Remote Access
  • Page 144 Step 1: Go to Configuration > VPN > PPTP and Enable the PPTP function, Disable the Encryption, then click Apply. Step 2: Click Create to create a PPTP Account. Step 3: Click Apply; you can see that the account is successfully created.
  • Page 145 Step 4: Click Save Config to save all changes to flash memory. Step 5: In another MH-1000 acting as Client, go to Configuration > WAN > ISP Settings. Step 6: Click Apply, and then Save Config.
