PLANET Technology. Disclaimer PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
Typical Example Topology ... 23
Changing the LAN1 IP Address ... 24
2.2.1 From LAN1 to configure MH-5000 LAN1 network settings ... 24
2.2.2 From CLI (command line interface) to configure MH-5000 LAN1 network settings ... 25
2.2.3 Web GUI design principle ... 25
2.2.4 Rule principle ... 26
Chapter 3 Basic Setup ... 29
...
Steps for Backup / Restore Configurations ... 184
27.8 Steps for Reset password ... 185
Appendix A Command Line Interface (CLI) ... 186
A.1 Enable the port of MH-5000 ... 186
A.2 CLI commands list (Normal Mode) ... 186
A.3 CLI commands list (Rescue Mode) ... 188
Appendix B Trouble Shooting ... 191
Appendix C System Log Syntax ... 195
...
All the examples after Chapter 2 in this manual, which show you how to configure the Multi-Homing Security Gateway, are taken from the MH-5000. The hardware and software specification of the MH-5000 is introduced in Chapter 1. You can refer to the examples when configuring your MH-5000; they will help you configure it quickly and save you time.
This section describes the enhancements that were made to MH-5000 as compared to the previous version. It includes changes to the way that the MH-5000 operates, some of which are reflected by changes to the WBI and others that were made to the MH-5000 engine to improve performance and accuracy.
Multi-Homing Security Gateway User’s Manual MH-5000. You can also select a range to allow a range of IP addresses, such as the DHCP IP range, to pass through the MH-5000. See Chapter 11 IP/MAC Binding for details. IPSec VPN improvements Hub and Spoke VPN: Suppose that your company has a main office and two or more branch offices that communicate using a hub and spoke VPN configuration.
1.2 Five steps to configure MH-5000 quickly Let’s look at the common network topology without the MH-5000 applied, as in Figure 1-. This topology is used by almost all small/medium businesses and SOHO users for their Internet connectivity. Although your topology is not necessarily the same as the diagram below, it still gives you a guideline for configuring the MH-5000 quickly.
Quick Start Here we would like to replace the original IP Sharer with the MH-5000, as in Figure 1-. If we want the MH-5000 to replace the IP Sharer, we simply need to execute the following five steps, as Figure 1- shows. With these steps, we hope to give you a picture of how to get the MH-5000 working at a basic level.
1.3 Wiring the MH-5000 First, connect the power cord to the socket at the back panel of the MH-5000 as in Figure 1- and then plug the other end of the power adapter to a wall outlet or power strip. The Power LED will turn ON to indicate proper operation.
1.4 Default Settings and architecture of MH-5000 You should have an Internet account already set up and have been given most of the information listed in Table 1-1. Fill out this table when you edit the web configuration of the MH-5000. Items...
Figure 1-6 The default settings of MH-5000 Figure 1- above shows the default topology of the MH-5000. You can configure the MH-5000 by connecting to LAN1_IP (192.168.1.254) from PC1_1 (192.168.1.1). In the following sections, we...
Subnet Mask of 255.255.255.0 to be able to connect to the MH-5000. This address range can be changed later. There are instructions in the MH-5000 Quick Installation Guide, if you do not know how to set the IP address and Subnet Mask for your computer.
Transparent mode provides the same basic protection as NAT mode. Packets received by the MH-5000 are intelligently forwarded or blocked according to firewall rules. MH-5000 can be inserted in your network at any point without the need to make any changes to your network or any of its components. However, VPN, NAT, Routing and some advanced firewall features (such as Authentication, IP/MAC Binding) are only available in NAT/Route mode.
BASIC SETUP > Wizard > Next > DHCP If Get (DHCP) is set to Automatically, the MH-5000 will request an IP address, netmask, and DNS servers from your ISP. You can use your preferred DNS instead by clicking DNS IP Address and then filling in the Primary DNS and Secondary DNS server IP addresses.
The LAN Settings page allows you to modify the IP address and Subnet Mask that will identify the MH-5000 on your LAN. This is the IP address you will enter in the URL field of your web browser to connect to the MH-5000. It is also the IP address that all of the computers and devices on your LAN will use as their Default Gateway.
Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5000 has added the NAT rules shown in the diagram on the right. The rule Basic-LAN1 means that, when matching the condition (requests in the LAN/DMZ-to-WAN direction with a source IP falling in the range of 192.168.1.254 /...
ISP. Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5000 has added the NAT rules shown in the diagram on the right. The rule Basic-DMZ1 (number 1) means that, when matching the condition (requests in the LAN/DMZ-to-WAN direction with a source IP falling in the range of 10.1.1.254 / 255.255.255.0), the...
WAN side cannot connect to a private IP (e.g. 10.1.1.5) through the Internet, so the data connections would fail. After enabling this feature, the MH-5000 will translate the private IP/port into an IP/port of its own, and the problem is solved. Click Apply to proceed.
In this document, most examples show how to set up the firewall in NAT/Router mode. You can learn the settings of each feature from them. For more information on how to choose NAT or Route mode in the MH-5000, please refer to Section 7.5.4.
Figure 1-7 MH-5000 Transparent mode connections. Basically, transparent mode provides the same firewall protection as NAT mode. Packets received by the MH-5000 are intelligently forwarded or blocked according to the firewall rules. However, some advanced firewall features are only available in NAT/Route mode.
MH-5000 Multi-Homing Security Gateways. The VPN tunnel secures communications between organizations. We will focus on how to build the topology using the MH-5000, as in the following Figure 2-1. In order to achieve this, we need to know all the administration procedures.
WAN load balancing. Inbound load balancing will be supported in the near future. Chapter 25 ~ Chapter 27 System Maintenance In this part, we provide some useful skills to help you run the MH-5000 more securely and stably. 2.2 Changing the LAN1 IP Address The default settings of the MH-5000 are listed in Table 1-1.
Warning: After you apply the changed settings, the network connection will be lost immediately, since the IP address you are logged in through has changed. 2.2.2 From CLI (command line interface) to configure MH-5000 LAN1 network settings Step 1. Use Console port to configure MH-5000 Use the supplied console cable to connect the PC to the Diagnostic RS-232 socket of the MH-5000.
What action will this rule take? Figure 2-3 The rule configuration is divided into three parts You will find many rule configurations in the MH-5000, distributed across the respective features. These rules include NAT rules, Virtual Server rules...
MH-5000 User Manual Chapter 2 System Overview Additionally, please note that there is a button named “Move Before” in the Figure 2-4. If you are not satisfied with the current rule sequence, you can adjust the rule sequence by using the “Move Before” button.
4. Ping the public Internet server IP addresses in sequence, each within the specified Timeout, to check the connection of the current default WAN link. When the specified WAN link is disconnected, the MH-5000 will try to ping the first public Internet server IP address within the specified Timeout. When all of them time out, the default route/link will be switched to another WAN link, and pinging continues at the specified Detection Interval.
FIELD | DESCRIPTION | Range / Format | EXAMPLE
Assignment
Default WAN link (Gateway/DNS) | When Default WAN link is enabled, all the packets sent out from the MH-5000 will go via this port. | Enable/Disable | Enabled
Get DNS Automatically -> Get DNS related information from DHCP Server...
OSPF Area ID | Specify OSPF area ID number | digit string (Max 9 bits) |
Default WAN link (Gateway/DNS) | When Default WAN link is enabled, all the packets sent out from the MH-5000 will go via this port. | Enable/Disable | Enabled
Service Name | ISP vendor (Optional) | |
MH-5000 User Manual Chapter 3 Basic Setup
FIELD | DESCRIPTION | Range / Format | EXAMPLE
IP Address | DMZ port IP address | IPv4 format | 10.1.1.254
IP Subnet Mask | DMZ port IP subnet mask | netmask format | 255.255.255.0
Enable DHCP Server | Enable the DHCP Server on the DMZ port or not...
Pool Starting Address | Specify the starting address of the DHCP IP address range. | IPv4 format in the LAN1 address range | 192.168.40.100
Pool Size (max size: ...) | Specify the number of DHCP IP addresses. | 1 ~ 253...
Step 2. Edit, Delete IP alias record BASIC SETUP > WAN Settings > IP Alias You can easily add, edit, or delete IP alias records with the Add, Edit, and Delete buttons. WAN port...
3.4.4 Setup WAN Backup Step 4. Set public Internet server IP BASIC SETUP > WAN Settings > WAN Backup Specify public Internet server IPs for the system to ping so that you can verify the connection of the default WAN link.
1. Basic configurations for domain name, password, system time, timeout and services. 2. DDNS: Suppose the MH-5000’s WAN uses dynamic IP but needs a fixed host name. When the IP is changed, it is necessary to have the DNS record updated accordingly. To use this service, one has to register the account, password, and the wanted host name with the service provider.
Figure 4-1 DDNS mechanism chart 3. DNS Proxy: After activating the DNS proxy mode, the client can set its DNS server to the MH-5000 (that is, send the DNS requests to the MH-5000). The MH-5000 will then make the enquiry to the DNS server and return the result to the client.
Chapter 4 System Tools 4. DHCP Relay: Activate the DHCP relay mode of the MH-5000 so that the MH-5000 becomes the relay agent and relays the DHCP broadcast to the configured DHCP server. As the following Figure 4-3 shows, WALL-1 redirects the DHCP request from the preconfigured port (LAN1) to the real DHCP server (10.1.1.4).
Figure 4-4 It is efficient to use SNMP Manager to monitor MH-5000 device 6. We can adjust the MH-5000 interfaces in SYSTEM TOOLS > Admin Settings > Interface according to our preference and requirements (3 WAN, 1 DMZ, 1 LAN). As the following Figure 4-5 demonstrates, there are three ISPs connected to the MH-5000.
Click Apply.
FIELD | DESCRIPTION | EXAMPLE
Host Name | The host name of the MH-5000 device | MH-5000
Domain Name | Fill in the domain name of the company | planet.com.tw
Table 4-1 System Tools - General Setup menu
Step 2.
You can also enter an IP address instead. Check the Continuously (every 3 min) update system clock and click Apply. The MH-5000 will immediately update the system time and will periodically update it. Check the Update system clock...
Enabled
Interface | Assign which interface's public IP address is registered with the DDNS server. | WAN1
Service Provider | The domain address of the DDNS server. In the MH-5000, we provide some websites for your choice. | WWW.ORAY.NET
If you choose WWW.ORAY.NET as DDNS service provider, it will register the source IP address that connects to the DDNS server.
Enable DNS Proxy | ... forwarding it to the assigned DNS server. When there is a response from the assigned DNS server, the MH-5000 will forward it back to the host on the LAN/DMZ. | Enabled
Table 4-6 System Tools – DNS Proxy menu
4.4.4 DHCP Relay setting...
Trap community | The community which will send the SNMP trap. Here “community” is something like a password. | trap-comm
Trap destination | The IP address to which the MH-5000 will send SNMP traps. | 192.168.1.5
Table 4-8 SNMP Settings
Step 2. MH-5000 traps The MH-5000 agent can send traps to the SNMP...
Port1 ~ Port5 | You can specify WAN / LAN / DMZ for each port by your preference. However, there must be one WAN and one LAN interface existing in the MH-5000. | Port3: WAN, Port4: DMZ, Port5: LAN
Table 4-9 Change the MH-5000 interface setting...
5.1 Demands Administrators may want to manage the MH-5000 remotely from any PC in LAN_1 with HTTP at port 8080, and from WAN_PC with TELNET. In addition, the MH-5000 may be more secure if monitored by a trusted host (PC1_1). What is more, the MH-5000 should not respond to ping to hide itself.
MH-5000 unit. You should avoid allowing management access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a MH-5000 unit that allows remote management from the Internet, add secure administrative user passwords, change these passwords regularly, and only enable secure management access using HTTPS or SSH.
Setup SSH SYSTEM TOOLS > Remote Mgt. > SSH Enter 22 in the Server Port field. Check the LAN1/LAN2 checkbox. Select ALL under Secure Client IP Address for accessing the MH-5000, and click Apply. 5.4.3 WWW Step 1. Setup WWW SYSTEM TOOLS >...
Check the LAN1 checkbox. In the Secure Client Address field, if you prefer to specify particular IP addresses, click Selected and enter the valid IP address allowed to read the SNMP MIBs on the MH-5000. Finally click the Apply button. 5.4.6 ICMP Step 1.
This chapter introduces user authentication and explains how to implement it. 6.1 Demands The MH-5000 Multi-Homing Security Gateway supports user authentication against the internal user database, a RADIUS server or an LDAP server. You can create a user account by adding a username and password to the internal database to grant the user access to the Internet, etc.
MH-5000 User Manual Chapter 6 Authentication Step 3. Configure Local Settings Basic Setup > Authentication > Authentication > Local Enter the Username and Password, and then click Add to add it to the user list. If you would like to delete a user, just click that username and then click Delete to remove it.
Basic Setup > Authentication > Authentication > Radius If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the MH-5000 will then contact the RADIUS server for authentication. Select Radius as the Authentication Type. Enter...
Basic Setup > Authentication > Authentication > LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server, the MH-5000 will then contact the LDAP server for authentication. To authenticate with the MH-5000, the user enters a username and password.
6.3.6 Exempt Host Step 10. Configuring the Exempt Host Basic Setup > Authentication > Exempt Host Enter the exempt host IP Address, and click Add to add an IP address. When authentication is enabled, the chosen PC IP address will...
Chapter 7 This chapter introduces NAT and explains how to implement it in the MH-5000. To facilitate the explanation of how the MH-5000 implements NAT and how to use it, we zoom in on the left part of Figure 1- as Figure 7-1.
1. Let PC1_1~PC1_5 connect to the Internet. 2. As Figure 7-2 illustrates, the clients will connect to the MH-5000. The MH-5000 will then forward the packets to the real server, so FTPServer1 (10.1.1.5) can be accessed by other Internet users.
As Figure 7-3 above illustrates, the server 10.1.1.5 provides FTP service, but it is located in the DMZ region behind the MH-5000. The MH-5000 will act as a Virtual Server, redirecting the packets to the real server 10.1.1.5. You can then announce to Internet users that an FTP server is available at IP/port 61.2.1.1/44444.
Step 2. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules As described above, the MH-5000 has set the rules for the LAN/DMZ zones. They all belong to the Many-to-One (M-1) type, which maps many private addresses to the automatically chosen public IP address.
IP address for being translated into. You can check the Auto choose IP from WAN ports. The MH-5000 will automatically determine which WAN IP is to be translated into. FIELD...
MH-5000 to translate the private IP addresses into the pool of public IP addresses. The MH-5000 will use the first public IP until MH-5000 uses up all source ports for the public IP. MH-5000 will then choose the second public...
IP assigned by the ISP. Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5000 has added the NAT rules automatically, as the diagram on the right shows. The rule Basic-DMZ1 (number 1) means that, when matching...
Customize the rule name as ftpServer. For any packet whose destination IP equals the WAN1 IP (61.2.1.1) and whose destination port equals 44444, ask the MH-5000 to translate the packet’s destination IP/port into 10.1.1.5/21. Check Passive FTP client? to maximize compatibility with the FTP protocol.
Step 9. View the Result ADVANCED SETTINGS > NAT > Virtual Servers Now any request towards the MH-5000’s WAN1 IP (61.2.1.1) with port 44444 will be translated into a request towards 10.1.1.5 with port 21, and then be forwarded to the 10.1.1.5. The FTP server listening at port 21 in 10.1.1.5 will...
As Figure 7-4 above illustrates, the NAT Many-to-One type means that many local PCs are translated into only one public IP address when their packets are forwarded out through the MH-5000. Take Connection1 for example: its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933. In the same way, when the packets of Connection2 are forwarded out, its IP address is still translated to the same public IP address (61.2.1.1:7896).
192.168.40.1:2933 to 61.2.1.1:2933. Once the MH-5000 has used up all source ports of the public IP (61.2.1.1), it will choose the second public IP (such as 61.2.1.2) from the address pool. For example, when Connection2 is forwarded out, its source IP address will be translated into the second public IP address (61.2.1.2) from the public IP address pool.
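As an added illustration, not code from the MH-5000 or from PLANET, the following Python models the Many-to-One translation just described: private sources share the public IP 61.2.1.1 until its source ports run out, the next pool address 61.2.1.2 is used only then, and only replies to an existing mapping are translated back in. The pool, the hosts and the port-selection rule (keep the private source port when it is free, otherwise the lowest free port) are constructed assumptions; the manual does not state how the MH-5000 picks ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class ManyToOneNat:
    """Constructed model of outbound M-1 NAT with a pool of public IPs."""
    public_pool: List[str]                 # tried in order: first IP, then second
    port_lo: int = 1024                    # assumed source-port range (not from the manual)
    port_hi: int = 65535
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)    # private -> public
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public -> private
    used: Dict[str, Set[int]] = field(default_factory=dict)          # public IP -> ports in use

    def _pick_port(self, pub: str, wanted: int) -> Optional[int]:
        """Keep the private source port if free on this public IP, else the first free one."""
        ports = self.used.setdefault(pub, set())
        if self.port_lo <= wanted <= self.port_hi and wanted not in ports:
            return wanted
        for p in range(self.port_lo, self.port_hi + 1):
            if p not in ports:
                return p
        return None  # every source port of this public IP is in use

    def translate_out(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate a LAN/DMZ source; None means the whole pool is exhausted."""
        if src in self.table:              # an existing connection keeps its mapping
            return self.table[src]
        for pub in self.public_pool:       # 61.2.1.1 first, 61.2.1.2 only when it is full
            port = self._pick_port(pub, src[1])
            if port is None:
                continue
            mapped = (pub, port)
            self.used[pub].add(port)
            self.table[src] = mapped
            self.reverse[mapped] = src
            return mapped
        return None

    def translate_in(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply from the WAN back to the private host; unsolicited traffic gets None."""
        return self.reverse.get(dst)

    def release(self, src: Endpoint) -> None:
        """Free the mapping when the connection closes so its port can be reused."""
        mapped = self.table.pop(src, None)
        if mapped:
            self.reverse.pop(mapped, None)
            self.used[mapped[0]].discard(mapped[1])


if __name__ == "__main__":
    nat = ManyToOneNat(["61.2.1.1", "61.2.1.2"])
    print(nat.translate_out(("192.168.40.1", 2933)))   # the manual's Connection1 mapping
    # a two-port range makes the fail-over to the second public IP visible
    tiny = ManyToOneNat(["61.2.1.1", "61.2.1.2"], port_lo=5000, port_hi=5001)
    for host in ("192.168.40.1", "192.168.40.2", "192.168.40.3"):
        print(host, "->", tiny.translate_out((host, 5000)))
```

Because `translate_in` only knows mappings created by outbound traffic, a packet aimed at an unused public port has no private destination, which is the hiding effect the chapter attributes to M-1 NAT.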
MH-5000 User Manual Chapter 7 If you choose the Full Feature mode of NAT in Table 7-4, you may need to edit the rule yourself, and then you must choose the NAT type in the NAT rule. What does each NAT type mean, and how do you determine which NAT type is the best choice for you?
This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how the MH-5000 implements routing and how to use it, we zoom in on the left part of Figure 2-1 as Figure 8-1 and add some devices for the description.
Routing 8.2 Objectives 1. We need to let the MH-5000 know how to forward packets destined for the financial department (192.168.50.0/24). 2. The network administrator plans to solve the problem by subscribing to a second link (ISP2). He hopes that all packets from the General-Manager-Room (192.168.40.192/26) will pass through the ISP2 link instead of the...
MH-5000 User Manual Chapter 8 Routing
Destination | The destination IP address of this static routing entry record. | IPv4 format | 192.168.50.0
Netmask | The destination IP netmask of this static routing entry record. | IPv4 format | 255.255.255.0
Gateway | The default gateway of this static routing entry record.
8.4.2 Add a policy routing entry Step 5. Setup the ISP2 link Basic Setup > WAN Settings > IP Alias We must add an IP alias record to the WAN1 port, because a new ISP link has been applied for.
FIELD | DESCRIPTION | Range / Format | EXAMPLE
Status | Activate this rule: whether the policy routing rule is enabled or not. | Enabled / Disabled | Enabled
Rule name | The policy routing rule name. | text string (Max: 200... | GenlManaRoo
Step 8. View the result Advanced Settings > Routing > Policy Route After filling in the data completely, view the policy routing entries that have been set. Step 9. View the routing table Device Status > System Status > Routing Table Finally click the “Routing Table”...
Chapter 9 IP/Services grouping This chapter introduces group functions and explains how to edit them. 9.1 Demands 1. You want to group some similar IP addresses to make it easier to edit firewall rules.
FIELD | DESCRIPTION | Range / Format | EXAMPLE
Define Objects on __ | Select the interface on which you are going to define the address object. | All the interfaces | LAN1
Table 9-1 Define the address objects
Step 11. Insert a new Address object BASIC SETUP >...
Step 13. Address Group Settings BASIC SETUP > Books > Address > Group You can add, edit, and delete all other address definitions as required. You can also organize related addresses into address groups to simplify firewall rule creation.
Step 15. View the address group result BASIC SETUP > Books > Address > Group According to our settings in the previous steps, the address group is shown as in the diagram on the right.
9.4.2 Setup Service Step 16. Service Settings BASIC SETUP > Books > Service > Objects The MH-5000 predefined firewall services are listed as in the diagram on the right. You can add these services to any firewall rule, or you can add a service if you need to create a firewall rule for a service that is not in the predefined service list.
Step 17. Insert a new service object BASIC SETUP > Books > Service > Insert Enter the Service name. Select which protocol type (TCP, UDP, ICMP) is used by this service. Specify a Source and Destination Port number range for the service.
FIELD | DESCRIPTION | Range / Format | EXAMPLE
Group Name | The service group name. Note that the group name should be an alphanumeric value (including dash ‘-‘ and underscore ‘_’) and can start with a | text string...
Stop time | The stop time of the schedule object. | 24-hour format | 12:00
Table 9-7 The field of the Schedule object
Step 21. Add a Schedule group BASIC SETUP > Books > Schedule > Groups > Insert As Step 2 indicated, you have already created two schedule objects to block the MSN service.
4. Administrators detect that PC1_1 in LAN_1 is doing something that may hurt our company and should instantly block its traffic towards the Internet. 5. A DMZ server was hit by a SYN-Flooding attack and requires the MH-5000 to protect it. 10.2 Objectives 1.
Inspection Firewall | Enable the firewall feature of the MH-5000 | Enabled / Disabled |
Block all fragment packets | Enabling this feature will block fragmented packets at the firewall of the MH-5000. Warning: enabling this feature will cause problems in some applications. | Enabled / Disabled | Disabled
BUTTON DESCRIPTION...
MH-5000 User Manual Chapter 10 Firewall Step 3. Customize the rule ADVANCED SETTINGS > Firewall > Edit Rules > Insert Check the Activate this rule checkbox. Enter the rule name as PC1_1, and enter the IP address of PC1_1 (192.168.40.1 / 255.255.255.255). Select Block and Log to block and log the matched traffic.
Setup Anti-DoS ADVANCED SETTINGS > Firewall > Anti-DoS With the Anti-DoS attacks protection enabled, the MH-5000 will be equipped with the built-in Anti-DoS engine. Normal DoS attacks will show up in the log when detecting and blocking such traffic. However, Flooding attacks require extra parameters to recognize.
Table 10-4 Setup the thresholds of Anti-DoS Step 6. View Anti-DoS Logs DEVICE Status > Firewall Logs > Anti-DoS Logs Whenever DoS attacks pass through the MH-5000 firewall, it will block the attack packets and log them, as in the diagram on the right.
IP spoofing: IP spoofing attempts to use the IP address of a trusted computer to connect to or through the MH-5000 unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to Ethernet cards at the factory and cannot easily be changed.
Advanced Setting > IP/MAC binding > Edit Rules > Insert Add an IP/MAC binding rule to allow our PC to pass through the MH-5000. Otherwise our PC will be blocked by the MH-5000 in the following steps. Here the IP address “192.168.40.5” is bound to the MAC address of our login PC.
Advanced Setting > IP/MAC binding > Edit Rules > Insert Add another IP/MAC rule to allow an IP address range to pass through the MH-5000. This rule type is especially useful for local PCs that use the DHCP feature. Suppose the DHCP IP range of the LAN1 interface is 192.168.40.100 to 192.168.40.119.
“Block” Through the previous steps, we have configured two IP/MAC rules that allow traffic to pass through the MH-5000. In this step, we will change the IP/MAC binding status to “Block” to prohibit invalid IP addresses from passing through the MH-5000. Step 13. Show the IP/MAC binding rule Advanced Setting >...
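As an added illustration, not the MH-5000's own code, the following Python models the IP/MAC binding check in “Block” status with the two rule types configured above: one IP bound to one MAC (192.168.40.5, the login PC) and a DHCP range (192.168.40.100 ~ 192.168.40.119) that any MAC may use. The MAC addresses are constructed, and first-match rule order is an assumption taken from the “Move Before” rule-sequence button described in Chapter 2.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class BindingRule:
    name: str
    ip_start: IPv4Address
    ip_end: IPv4Address
    mac: Optional[str] = None   # None = any MAC (the range rule used for DHCP clients)

    def covers(self, ip: IPv4Address) -> bool:
        return self.ip_start <= ip <= self.ip_end


def single(name: str, ip: str, mac: str) -> BindingRule:
    """One IP bound to one MAC, like the login PC rule."""
    return BindingRule(name, IPv4Address(ip), IPv4Address(ip), norm_mac(mac))


def ip_range(name: str, start: str, end: str) -> BindingRule:
    """An IP range that any MAC may use, like the DHCP pool rule."""
    return BindingRule(name, IPv4Address(start), IPv4Address(end))


def check_packet(rules: List[BindingRule], src_ip: str, src_mac: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a LAN packet when binding status is Block.

    Rules are evaluated in order and the first rule covering the source IP decides
    (assumed first-match semantics). An IP with no rule, or an IP bound to a
    different MAC, is blocked; the latter is the spoofing case Chapter 11 warns about.
    """
    ip, mac = IPv4Address(src_ip), norm_mac(src_mac)
    for rule in rules:
        if not rule.covers(ip):
            continue
        if rule.mac is None or rule.mac == mac:
            return "PASS", f"matched rule {rule.name}"
        return "BLOCK", f"{src_ip} is bound to {rule.mac} but came from {mac} (possible IP spoofing)"
    return "BLOCK", f"{src_ip} is not covered by any IP/MAC binding rule"


# Constructed rule set mirroring the two rules added in the steps above.
RULES = [
    single("loginPC", "192.168.40.5", "00-11-22-33-44-55"),        # constructed MAC
    ip_range("dhcpPool", "192.168.40.100", "192.168.40.119"),
]

if __name__ == "__main__":
    samples = [  # constructed packets: (source IP, source MAC)
        ("192.168.40.5", "00:11:22:33:44:55"),    # login PC, correct MAC
        ("192.168.40.5", "66:77:88:99:aa:bb"),    # login PC's IP from another card
        ("192.168.40.110", "de:ad:be:ef:00:01"),  # DHCP client inside the pool
        ("192.168.40.120", "de:ad:be:ef:00:02"),  # just outside the pool
    ]
    for ip, mac in samples:
        verdict, reason = check_packet(RULES, ip, mac)
        print(f"{verdict:5} {ip:15} {mac}  {reason}")
```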
Chapter 12 VPN Technical Introduction This chapter introduces VPN related technology. 12.1 VPN benefits If you choose to implement VPN technology in your enterprise, it may bring the following benefits to your company.
12.2.5 Key Management Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. • IKE Phases: There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange).
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the MH-5000. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
Step 1. Enable IPSec ADVANCED SETTINGS > VPN Settings > Pass Through If we need to set up the MH-5000 between existing IPSec / PPTP / L2TP connections, we need to open the firewall ports that the MH-5000 blocks in advance. Here we provide a simple way: enable the IPSec / PPTP / L2TP pass-through checkbox on this page.
Chapter 13 Virtual Private Network – IPSec This chapter introduces IPSec VPN and explains how to implement it. Starting from Figure 2-1, this chapter extends the explanation to how to make a VPN link between LAN_1 and LAN_2.
“Local Address” means the local LAN subnet; “Remote Address” means the remote LAN subnet; “My Same IP Address” means the WAN IP address of the local VPN gateway, while the “Peer’s IP Address”...
FIELD | DESCRIPTION | EXAMPLE
Enable IPSec | Enable the IPSec feature of the MH-5000 | Enabled
BUTTON | DESCRIPTION
Apply | Apply the settings which have been configured.
Table 13-2 Enable the IPSec feature
Step 2. Add an IKE rule ADVANCED SETTINGS >...
Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add Check the Active checkbox. Enter a name for this rule, such as IKErule. Enter the Local IP (192.168.40.0/255.255.255.0)
Encapsulation | Choose Tunnel or Transport mode, see Chapter 12 for details. | Tunnel / Transport | Tunnel Mode
Outgoing Interface | The WAN interface you are going to build the IPSec tunnel with. | WAN interfaces | WAN1
Pre-Shared Key | The key which is pre-shared with the remote side. | text string | 1234567890
Table 13-4 Related field explanation of adding an IPSec policy rule
Step 4. Detail settings of IPSec IKE ADVANCED SETTINGS >...
Encryption Algorithm | Choose a type of encryption and authentication algorithm combination. | Encrypt and Authenticate (DES, MD5) / Encrypt and Authenticate (DES, SHA1) / Encrypt and Authenticate (3DES, ... | Encrypt and Authenticate (DES, MD5)
SA Life Time | Set the IPSec SA lifetime. A value of 0 means IKE SA negotiation never times out. See Chapter 12 for details. | 0~86400000 sec / 0~1440000 min | 28800 sec
Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the MH-5000 and complete the VPN tunnel establishment. At WALL-2: Here we will install the IPSec properties of WALL-2. Note that the “Local Address” and “Remote Address” fields are the opposite of WALL-1’s, and so are “My IP Address”...
Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add Check the Active checkbox. Enter a name for this rule, such as IKErule. Enter the Local IP (192.168.88.0/255.255.255.0)
192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5000 and successfully reach 192.168.88.0/24 through the VPN tunnel. • DES/MD5 IPSec tunnel: the Manual-Key way In the previous section we introduced the IKE method. Here we introduce another method, the Manual-Key way, used instead of IKE to install WALL-1.
Step 1. Enable IPSec ADVANCED SETTINGS > VPN Settings > IPSec Check the Enable IPSec checkbox and click Apply. Step 2. Add a Manual Key rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
Interface IPSec tunnel with.
Peer’s Address | The IP address of the remote site device, such as an MH-5000 Multi-Homing Security Gateway. | IPv4 format | 210.2.1.1
Outgoing SPI | The Outgoing SPI (Security Parameter Index) value. | hex (600 ~ 600000) / dec (1500 ~ 6300000) | hex: 2222
Incoming SPI | The Incoming SPI (Security Parameter Index)
Step 4. Detail settings of IPSec Manual ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add > Advanced For the detailed settings of the Manual Key, press the Advanced button on the previous page.
Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through the MH-5000 and complete the VPN tunnel establishment. At WALL-2: Second, we will use the Manual-Key way to install the IPSec properties of WALL-1.
Step 2. Add a Manual Key rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
Step 4. Remind to add a Firewall rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add After finishing the IPSec rule settings, we need to add a firewall rule. Here the system shows a message window reminding you to add a firewall rule.
ADVANCED SETTINGS > Firewall > Edit Rules Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5000 and successfully reach 192.168.88.0/24 through the VPN tunnel.
MH-5000 User Manual Chapter 14 Virtual Private Network – Dynamic IPSec

Chapter 14 Virtual Private Network – Dynamic IPSec
This chapter introduces Dynamic IPSec VPN and explains how to implement it. Starting from the topology in Figure 2-1, we extend the example to build a dynamic VPN link between LAN_1 and LAN_2.

14.4 Steps
In the following we explain, for each side separately, how to set up a DES/MD5 tunnel with the dynamic remote gateway IP address type. Note that DES and MD5 are weak by today's standards; where both peers support it, choose the strongest cipher and hash the firmware offers.

At WALL-1: First, we install the IPSec properties of WALL-1. For the related explanation, please refer to Chapter 12 and Chapter 10.

Step 3. Customize the rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add
Check the Active checkbox. Enter a name for this rule, such as IKErule. Enter the Local IP (192.168.40.0/255.255.255.0)

Step 5. Reminder to add a Firewall rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add
After finishing the IPSec rule settings, we need to add a firewall rule. The system shows a window message to remind you to add one.

Here we have a new rule before the default firewall rule. This rule allows packets from 192.168.88.0 / 255.255.255.0 to pass through the MH-5000, completing the VPN tunnel establishment.

At WALL-2: Here we install the IPSec properties of WALL-2. Note that the "Local Address" and "Remote Address" fields are the opposite of WALL-1's, and so is "My IP Address"...

Step 3. Customize the rule
ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add
Check the Active checkbox. Enter a name for this rule, such as IKErule. Enter the Local IP (192.168.88.0/255.255.255.0)

ADVANCED SETTINGS > Firewall > Edit Rules
Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5000 and reach 192.168.88.0/24 through the VPN tunnel.
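Both VPN chapters above end with the same step: a firewall rule allowing the remote LAN must be inserted before the default rule, because the WAN-to-LAN table defaults to block and rules are matched top-down. The following is an added example, not code from the PLANET manual, that models that first-match evaluation and flags a rule placed where it can never fire. The subnets are the manual's LAN_1 (192.168.40.0/24) and LAN_2 (192.168.88.0/24); the rule name "AllowVPN" and the table layout are assumptions.

```python
# Added example, not from the PLANET manual: first-match firewall rule
# evaluation for the VPN rules of Chapters 13 and 14.  The subnets are the
# manual's LAN_1 (192.168.40.0/24) and LAN_2 (192.168.88.0/24); the rule
# table layout and the rule name "AllowVPN" are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "allow" or "block"


def rule(name, src, dst, action):
    return Rule(name, ip_network(src), ip_network(dst), action)


ANY = "0.0.0.0/0"


def evaluate(rules, src_ip, dst_ip):
    """Return (action, rule name) of the first rule matching src -> dst.

    Rules are evaluated top-down, the last one being the default rule
    (WAN to LAN defaults to block, see Appendix B)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    raise ValueError("rule table has no default rule")


def shadowed_rules(rules):
    """Return (rule, earlier rule) pairs where the earlier rule already
    covers every packet the later rule could match, so the later rule can
    never fire.  Only subnet containment is checked (an assumption; it is
    enough to catch a rule placed after the all-traffic default)."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst):
                found.append((r.name, earlier.name))
                break
    return found


# The WAN1-to-LAN1 table as shipped: a single block-all default rule.
DEFAULT_ONLY = [rule("default", ANY, ANY, "block")]

# Table after the step above at WALL-1: the VPN rule is inserted *before* the default.
WITH_VPN_RULE = [
    rule("AllowVPN", "192.168.88.0/24", "192.168.40.0/24", "allow"),
    rule("default", ANY, ANY, "block"),
]

# The same rule appended *after* the default: it is never reached.
MISORDERED = [
    rule("default", ANY, ANY, "block"),
    rule("AllowVPN", "192.168.88.0/24", "192.168.40.0/24", "allow"),
]

if __name__ == "__main__":
    for name, table in [("default only", DEFAULT_ONLY),
                        ("inserted before default", WITH_VPN_RULE),
                        ("appended after default", MISORDERED)]:
        print(name, evaluate(table, "192.168.88.10", "192.168.40.5"),
              "shadowed:", shadowed_rules(table))
```

The shadow check is the test to run before clicking Apply: a VPN rule that sits below the default rule passes the GUI without complaint but leaves the tunnel's decrypted traffic blocked.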
15.2 Objectives
1. Using the VPN hub we can create a hub and spoke VPN configuration that directs traffic through a central MH-5000 from one VPN tunnel to another. Each VPN tunnel provides connectivity to a different remote VPN gateway.

MH-5000 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN

15.4 Steps
In the following, we introduce how to set up the Hub and Spoke VPN between the main office and two branch offices.

Configuring the IPSec IKE tunnels
For the main office (the hub), we have to create the IKE tunnels, then create the VPN hub and add the tunnels to it as members.

Pre-Shared Key   1234567890   1234567890   1234567890   1234567890
Table 15-1 The IKE tunnel configuration

Note: Table 15-1 uses the same short numeric pre-shared key for every tunnel for illustration only. In production, give each peer its own long random pre-shared key; with one key shared across the hub, the compromise of a single branch gateway exposes every tunnel.

Configuring the VPN Hub for Main Office
Step 8. Add a Firewall rule
ADVANCED SETTINGS > Firewall > Edit Rules
Suppose the Main Office has already added two VPN tunnels to communicate with the two branch offices.

Step 11. Add a VPN Hub
ADVANCED SETTINGS > VPN Settings > VPN Hub > Add
Select Add to add a VPN Hub. Enter a name in the Hub Name field.

Step 14. Add a VPN Spoke in Branch_1
ADVANCED SETTINGS > VPN Settings > VPN Spoke > Add
Select Add to add a VPN Spoke. Enter a name in the Spoke Name field.

Step 17. Customize a Firewall rule
ADVANCED SETTINGS > Firewall > Edit Rules > Insert
Enter the Rule Name as AllowVPN, Source IP as Hub-Spoke1 [Hub (192.168.1.0), Spoke_1 (192.168.40.0)], and Dest.
MH-5000 User Manual Chapter 16 Remote Access VPN – PPTP

Chapter 16 Remote Access VPN – PPTP
This chapter introduces PPTP and explains how to implement it.

16.1 Demands
1. An employee may sometimes want to connect back to our corporate network from outside to work on something.
LAN1.
2. Set up the MH-5000 as the PPTP client and place all the client PCs behind it. They can then reach the network behind the PPTP server by passing through the MH-5000, as though there were no Internet between the two sites.

Note: PPTP with MS-CHAPv2 authentication is no longer considered secure, as the authentication handshake can be recovered offline. Use it only where IPSec (Chapters 13 and 14) is not an option.

Next.
7. In the VPN Server Selection dialog, enter the public IP or hostname of the MH-5000 to connect to and select Next.
8. Set Connection Availability to Only for myself and select Next.

Chapter 16 Remote Access VPN – PPTP
FIELD                DESCRIPTION                                            EXAMPLE
Enable PPTP Client   Enable the PPTP Client feature of the MH-5000.         Enabled
Server IP            The IP address of the PPTP server.                     61.2.1.1
Username             The account that allows the PPTP client to dial in.

1. Set up the L2TP server on the MH-5000 (LNS: L2TP Network Server). After a remote host dials up to the MH-5000, the MH-5000 assigns it a private IP address from the range configured in the L2TP server settings. Suppose the range is 192.168.40.200 ~ 192.168.40.253; the remote host may get 192.168.40.200 and logically...

LAC End IP   The ending IP address of the range allowed to dial in to the LNS server using the L2TP protocol.   211.54.63.5
Username     The account that allows an L2TP client user to dial in to the MH-5000.                             L2tpUsers
Password     The password that allows an L2TP client user to dial in to the MH-5000.                            Dif3wk...

Note: L2TP on its own provides no encryption. Unless the tunnel is protected by IPSec, treat L2TP traffic crossing the Internet as plaintext.

Next.
7. In the VPN Server Selection dialog, enter the public IP or hostname of the MH-5000 to connect to and select Next.
8. Set Connection Availability to Only for myself and select Next.

MH-5000 User Manual Chapter 17 Remote Access VPN – L2TP
Connecting to the L2TP VPN
1. Connect to your ISP.
2. Start the dial-up connection configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.
MH-5000 User Manual Chapter 18 Content Filtering – Web Filters

Chapter 18 Content Filtering – Web Filters
This chapter introduces web content filters and explains how to implement them.

18.1 Demands
Figure 18-1 Use web filter functionality to avoid users browsing the forbidden web site
1.
Figure 18-2 Use web filter functionality to avoid users viewing the forbidden web site
2. As Figure 18-2 illustrates, someone (PC1_1) is browsing forbidden web pages during office hours. The pages may cover stock markets, violence, or sex; they waste the bandwidth of the Internet access link and reduce productivity during working hours.

FIELD                        DESCRIPTION                                                                    EXAMPLE
Enable Web Filter            Enable the Web Filter feature of the MH-5000.                                  Enabled
Enable Web Proxy Filtering   If enabled, web pages fetched through the proxy (port 3128 only) are also      Disabled
                             verified by the MH-5000. If disabled, web pages fetched through the proxy
                             bypass the verification.

Note: only proxy traffic on port 3128 is inspected, so a proxy listening on any other port bypasses the web filter even when this option is enabled.

Trusted Domains. However, if the web objects are set to be blocked by the MH-5000 in Step 3, these allowed accesses will never be able to retrieve those objects. Check "Don't block ..." to allow the objects for these trusted domains.

FIELD                     DESCRIPTION                                                                    Range/Format     EXAMPLE
Enable Filter List        All the domains in the Trusted Domains list will be allowed to pass through     Enable/Disable   Enabled
Customization             the MH-5000. Contrarily, all the domains in the Forbidden Domains list will
                          be blocked by the MH-5000.
Except the following      Block all web traffic except to the domains specified in the trusted
specified domain range    domain list.

Step 6. Customize Categories
ADVANCED SETTINGS > Content Filters > Web Filter > Categories
With the built-in URL database, the MH-5000 can block web sessions towards several pre-defined categories of URLs. Check the items that you want to block or log. Clicking Block all categories applies the block to every category.

FIELD                 DESCRIPTION                                                           EXAMPLE
Restricted Features   Select the items below that the Web Filter of the MH-5000 verifies.
ActiveX               Filter web pages that include ActiveX.                                Enabled
Java                  Filter web pages that include Java applets...

Step 8. Set up content keywords
ADVANCED SETTINGS > Content Filters > Web Filter > Keyword blocking
Check Enable Keyword Blocking to block any web pages that contain the entered keywords.

[Figure 18-3 Web filter feature priority, from High to Low]
According to the priorities of the web filter features, we now have a guiding principle for setting up the web filter. The web filter settings offer many choices depending on your requirements.

If the web page contains components (ActiveX/Java/JavaScript/cookie) selected in "Web Filter > Features", or the keywords entered in "Web Filter > Keyword".
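The Trusted Domains and Forbidden Domains lists, and the "Don't block ..." option for trusted domains, are illustrated by the following added example; it is not the appliance's code. Its security-relevant point is domain matching: "planet.com.tw" must match "www.planet.com.tw" but not "notplanet.com.tw" or "planet.com.tw.attacker.example", which a naive suffix check gets wrong. The evaluation order (trusted list, then forbidden list, then restricted web objects such as ActiveX or Java) is an assumption made for the example; Figure 18-3 gives the appliance's authoritative priorities.

```python
# Added example, not the appliance's code: domain-list matching for the
# web filter.  Evaluation order is an assumption for illustration.
from urllib.parse import urlsplit


def domain_matches(host, domain):
    """True if host is domain itself or a sub-domain of it.

    Matching on the dot boundary prevents 'notplanet.com.tw' from matching
    'planet.com.tw' (a plain endswith() would accept it) and a trailing
    label such as 'planet.com.tw.attacker.example' from passing."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def in_list(host, domains):
    return any(domain_matches(host, d) for d in domains)


class WebFilter:
    def __init__(self, trusted, forbidden, blocked_objects,
                 dont_block_trusted_objects=False):
        self.trusted = list(trusted)              # Trusted Domains list
        self.forbidden = list(forbidden)          # Forbidden Domains list
        self.blocked_objects = set(blocked_objects)  # e.g. {"activex", "java"}
        # The "Don't block ..." checkbox for trusted domains
        self.dont_block_trusted_objects = dont_block_trusted_objects

    def decide(self, url, page_objects=()):
        """Return the filter decision for a URL whose page carries the
        given restricted objects (assumed to be detected elsewhere)."""
        host = urlsplit(url).hostname or ""
        objects = set(o.lower() for o in page_objects) & self.blocked_objects
        if in_list(host, self.trusted):
            if objects and not self.dont_block_trusted_objects:
                return "block: restricted object in trusted domain"
            return "allow: trusted domain"
        if in_list(host, self.forbidden):
            return "block: forbidden domain"
        if objects:
            return "block: restricted object"
        return "allow"


if __name__ == "__main__":
    wf = WebFilter(["planet.com.tw"], ["games.example"], {"activex"})
    for url in ("http://www.planet.com.tw/", "http://notplanet.com.tw/",
                "http://games.example/play"):
        print(url, "->", wf.decide(url, ["activex"]))
```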
MH-5000 User Manual Chapter 19 Content Filtering – Mail Filters

Chapter 19 Content Filtering – Mail Filters
This chapter introduces SMTP proxies and explains how to implement them.

19.1 Demands
1. Malicious scripts such as *.vbs files are sometimes attached to email. If users accidentally open such files, their computers may be infected with a virus.

Step 3 – Block attached files
When the SMTP/POP3/IMAP filter function is enabled, the MH-5000 performs Anti-Virus in two steps. Step 1: add the file extensions you would like to block (max. 32 items). You can add or delete items with the Add/Delete buttons. Note that extension-based blocking is a coarse control: a renamed or archived attachment passes it, so treat it as one layer alongside endpoint anti-virus.

Step 3 – Add the black list
When the SMTP/POP3/IMAP filter function is enabled, the MH-5000 performs Anti-Spam in three steps. Step 1: add the email addresses you would like to block. You can add or delete entries in the block list with the Add/Delete buttons.

Step 2 – Apply SMTP Relay
ADVANCED SETTINGS > Content Filters > Mail Filters > Anti-Spam
When you apply the SMTP Relay, the IP addresses of the LAN and DMZ interfaces will be...
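The two checks described above, blocking attachments by extension and dropping mail from black-listed senders, are shown in the following added example, which is not the appliance's code. It runs over a constructed MIME message carrying a .vbs script behind a double extension and a path-traversal file name; the 32-entry limit is the one the manual states, and the sample addresses and lists are made up.

```python
# Added example, not the appliance's code: mail-filter checks from this
# chapter run over a constructed MIME message.
import posixpath
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

MAX_BLOCKED_EXTENSIONS = 32  # limit stated in the manual


class MailFilter:
    def __init__(self, blocked_extensions, sender_blacklist):
        if len(blocked_extensions) > MAX_BLOCKED_EXTENSIONS:
            raise ValueError("at most %d blocked extensions" % MAX_BLOCKED_EXTENSIONS)
        self.blocked = {e.lower().lstrip(".") for e in blocked_extensions}
        self.blacklist = {s.lower() for s in sender_blacklist}

    @staticmethod
    def attachment_names(msg: Message):
        """File names of all non-multipart parts that carry a file name.
        Any directory component a hostile client sends is stripped."""
        names = []
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            name = part.get_filename()
            if name:
                names.append(posixpath.basename(name.replace("\\", "/")))
        return names

    def blocked_attachments(self, msg: Message):
        """Attachments whose last extension is on the block list.
        'invoice.pdf.vbs' is caught because only the final suffix counts."""
        return [n for n in self.attachment_names(msg)
                if "." in n and n.rsplit(".", 1)[1].lower() in self.blocked]

    def sender_blacklisted(self, msg: Message):
        addr = parseaddr(msg.get("From", ""))[1].lower()
        return addr in self.blacklist

    def verdict(self, raw_message: str):
        msg = message_from_string(raw_message)
        if self.sender_blacklisted(msg):
            return "drop: black-listed sender"
        hits = self.blocked_attachments(msg)
        if hits:
            return "drop: blocked attachment " + ", ".join(hits)
        return "pass"


def attachments(raw_message: str):
    """Convenience wrapper: attachment file names of a raw message."""
    return MailFilter.attachment_names(message_from_string(raw_message))


# Constructed sample: a .vbs script hidden behind a double extension and a
# traversal path in the file name.
SAMPLE = """From: "Payroll" <alice@example.com>
To: bob@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.vbs"
Content-Disposition: attachment; filename="../invoice.pdf.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJoaSI=
--XYZ--
"""

FILTER = MailFilter(["vbs", ".exe", "scr"], ["spammer@example.net"])

if __name__ == "__main__":
    print(attachments(SAMPLE), FILTER.verdict(SAMPLE))
```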
MH-5000 User Manual Chapter 20 Content Filtering – FTP Filtering

Chapter 20 Content Filtering – FTP Filtering
This chapter introduces FTP proxies and explains how to implement them.

20.1 Demands
1. Some users in LAN1 use FTP to download large MP3 files, wasting bandwidth.

Click the Add button to add a new FTP filter.
FIELD               DESCRIPTION                                      EXAMPLE
Enable FTP Filter   Enable the FTP Filter feature of the MH-5000.    Enabled
Table 20-1 FTP Filter FTP setting page

Step 2. Add an FTP Filter
ADVANCED SETTINGS > Content Filters > FTP Filter > FTP > Add
Enter mp3 in the Name field and select Extension Name in the Blocked Type field.

Step 3. View the result
ADVANCED SETTINGS > Content Filters > FTP Filter > FTP
The specified record is shown on this page.

Step 4. Add an Exempt Zone
ADVANCED SETTINGS >...

Step 5. Show the Exempt Zones
ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone
Here we can see that the newly added Exempt Zone record appears.
21.3 Methods
1. Specify where our Web server is located so that the IDS on the MH-5000 can focus on attacks against it.
2. Set up logs to be emailed to the specified address when the log is full. You can also set daily/weekly emails to...
MH-5000 User Manual Chapter 22 Bandwidth Management

Chapter 22 Bandwidth Management
This chapter introduces bandwidth management and explains how to implement it.

22.1 Demands
Figure 22-1 Use bandwidth management mechanism to shape the data flow on the downlink direction
1. As Figure 22-1 illustrates, we want LAN_1 users to be able to watch the Video Stream Server smoothly.

Figure 22-2 Use bandwidth management mechanism to shape the data flow on the uplink direction
2. As Figure 22-2 illustrates, LAN_1 PCs are using the E-Commerce service on the E-Commerce Server (140.113.79.3), which starves the VPN transfer from LAN_1 to LAN_2. We therefore want to guarantee the VPN tunnel at least 600 kbps.

2. Reserve at least 600 kbps for the LAN_1 to LAN_2 transfer. The LAN_1 PCs can share about 20% (308 kbps) for the E-Commerce service. However, when the LAN_1 to LAN_2 traffic uses less than its 40% (617 kbps), the E-Commerce service can occupy the free bandwidth of the LAN_1-to-LAN_2 class and the remaining bandwidth of the default class.

FIELD                         DESCRIPTION                                                 Range/Format     EXAMPLE
Enable Bandwidth Management   Enable the Bandwidth Management feature of the MH-5000.     Enable/Disable   Enabled

BUTTON                        DESCRIPTION
Reset Bandwidth Management    Reset all the bandwidth management rules to the default status.
Apply                         Apply the settings which have been configured.

Step 3. Add new classes
ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-class
Create a sub-class named web-from-WAN under the default class. Enter 0.3% in the bandwidth field. Make sure that the Borrow checkbox is unchecked...

Step 5. Set up WAN1-to-LAN1 Rules
ADVANCED SETTINGS > Firewall > Edit Rules
Select WAN1 to LAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before the default rule.

ADVANCED SETTINGS > Firewall > Edit Rules
Now there are two customized rules in the queue of the WAN1 to LAN1 direction. In rule No. 1 the MH-5000 is configured to direct video-from-WAN packets into the video-from-WAN queue (300 kbps).

Step 10. View the results
ADVANCED SETTINGS > Firewall > Edit Rules
We can see the result of our settings in the DMZ-to-LAN rule direction.

22.4.1 Outbound Traffic Management
Step 1. Enable Bandwidth
ADVANCED SETTINGS >...

Step 3. Partition into Classes
ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-Class
Create a sub-class named LAN_1-to-LAN_2 under the default class. Enter 40% in the bandwidth field, uncheck the Borrow checkbox, and click Apply.

Step 6. View the rules
ADVANCED SETTINGS > Firewall > Edit Rules
The MH-5000 is configured to direct packets matching outE-Commerce into the E-Commerce queue (308 kbps) and packets matching outVPN into the LAN_1-to-LAN_2 queue (617 kbps). Here we reserve 40% of the WAN1 bandwidth for the LAN_1 to LAN_2 VPN data, guaranteeing the data communication between the VPN sites. With Borrow unchecked, the VPN class itself cannot exceed its 40%, while the share it leaves unused can still be taken by classes that have Borrow enabled.
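The percentages and kilobit figures above fit a WAN1 uplink of 1544 kbps (40% gives 617 kbps, 20% gives 308 kbps, both rounded down). The following added example, not the appliance's code, turns the class table of this chapter into numbers for a given offered load: each class first receives up to its guarantee, and spare capacity is then shared only among classes whose Borrow box is checked. The 1544 kbps link rate and the water-filling sharing policy are assumptions for the example, not a description of the appliance's scheduler.

```python
# Added example, not the appliance's code: guaranteed versus borrowable
# bandwidth for the classes configured in this chapter.  The link rate
# (1544 kbps) and the sharing policy are assumptions.
from dataclasses import dataclass


@dataclass
class BwClass:
    name: str
    share_pct: float        # value entered in the Bandwidth field
    borrow: bool            # the Borrow checkbox
    demand_kbps: int = 0    # offered load used by the simulation


def guaranteed(link_kbps, cls):
    """Guaranteed rate of a class; 1544 kbps * 40% -> 617 kbps."""
    return int(link_kbps * cls.share_pct / 100)


def allocate(link_kbps, classes):
    """Return {class name: kbps} for the offered load.

    1. Every class first gets min(demand, guarantee).
    2. Unused capacity is shared, in equal slices, only among classes that
       have Borrow enabled and still have unmet demand.  A class with
       Borrow unchecked is capped at its guarantee even on an idle link."""
    alloc = {c.name: min(c.demand_kbps, guaranteed(link_kbps, c)) for c in classes}
    spare = link_kbps - sum(alloc.values())
    hungry = [c for c in classes if c.borrow and c.demand_kbps > alloc[c.name]]
    while spare > 0 and hungry:
        slice_ = max(1, spare // len(hungry))
        for c in list(hungry):
            extra = min(slice_, c.demand_kbps - alloc[c.name], spare)
            alloc[c.name] += extra
            spare -= extra
            if alloc[c.name] >= c.demand_kbps:
                hungry.remove(c)
            if spare == 0:
                break
    return alloc


WAN1_UPLINK = 1544  # assumed link rate that reproduces the manual's figures


def outbound_classes(vpn_demand, ecommerce_demand, other_demand=0):
    """The three outbound classes of Section 22.4.1 with an offered load."""
    return [
        BwClass("LAN_1-to-LAN_2", 40, borrow=False, demand_kbps=vpn_demand),
        BwClass("E-Commerce", 20, borrow=True, demand_kbps=ecommerce_demand),
        BwClass("default", 40, borrow=True, demand_kbps=other_demand),
    ]


if __name__ == "__main__":
    # VPN saturated: it keeps exactly its guarantee; E-Commerce borrows the rest.
    print(allocate(WAN1_UPLINK, outbound_classes(1000, 2000)))
    # VPN nearly idle: E-Commerce takes the VPN class's unused share too.
    print(allocate(WAN1_UPLINK, outbound_classes(200, 2000, 100)))
```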
The WAN load balancer module consists of outbound load balancing and inbound load balancing. Users may subscribe to multiple WAN links and want their outbound traffic load-balanced among them. The MH-5000 now supports outbound WAN load balancing; inbound load balancing will be supported in the near future.

MH-5000 User Manual Chapter 23 Load Balancer
23.4 Steps
23.4.1 Outbound Load Balancer
Step 1. Make the Firewall rules the same
ADVANCED SETTINGS > Firewall > Edit Rules
Since traffic will be load-balanced among the WAN links, the Firewall settings for all WAN links must be identical; otherwise the same session may be allowed or blocked depending on which link it is assigned to.

MH-5000 User Manual Chapter 24 High Availability

Chapter 24 High Availability
This chapter introduces High Availability and explains how to implement it.

24.1 Demands
Figure 24-1 Use High Availability mechanism to keep the network connection up
1. As Figure 24-1 illustrates, your company is concerned that the firewall may crash someday, so it needs a backup system to keep the network connection up.

24.2 Objectives
1. Prepare two MH-5000 devices, one as the primary firewall and the other as the secondary firewall. When the primary firewall crashes, you can replace it with the secondary firewall.

24.3 Methods
There are five steps to configure the High Availability feature.

Step 2. Show the result in Web
ADVANCED SETTINGS > High Availability > Status
After you apply the High Availability feature, the secondary device shows a message to tell "Sync that configuration...
Chapter 25 System Status
25.1 Demands
Since we have finished configuring the MH-5000, we need to gather the device information quickly to get an overview of the system status.

25.2 Objectives
We can see the current situation easily through an integrated interface.

Click Routing Table to see the routing table of the MH-5000.

Step 6. Active Sessions
DEVICE STATUS > System Status > Active Sessions
Click Active Sessions to see all the current sessions of the MH-5000, both outbound and inbound.

Step 7. Top20 Sessions
DEVICE STATUS > System Status > Top20 Sessions
Click Top20 Sessions to see the 20 sessions that have transmitted the most bytes, sorted by the amount transmitted.

1. By tracking the system logs, you can distinguish which administrative actions were valid and which were not.
2. Use a syslog server to receive the logs, or edit the "Mail Logs" page of the MH-5000 to have the log mailed out automatically at a fixed interval.

Syslog Server. This makes the MH-5000 send logs to the Syslog Server specified in the "Syslog Server IP Address" field. Notice: even when the logs are sent to the syslog server, the MH-5000 still keeps a copy locally. Shipping logs off the box is worth doing in any case: a factory reset or a compromise of the gateway erases or tampers with the local copy, while the syslog copy survives.
FIELD DESCRIPTION EXAMPLE...

MH-5000 User Manual Chapter 26 Log System
Test   Test the mail logs configuration on this page.
Table 26-3 Setup the Mail Logs...
CLI only, because you can never enter the web GUI with the lost password.
3. Another issue is that after setting up the MH-5000 properly, we may want to keep the current configuration to guard against unknown accidents, so that the original state can be recovered from the previously saved configuration.

MH-5000's LAN1. Log in to the MH-5000's console. Enter en to enter privileged mode. Configure the LAN1 address so that the MH-5000 can reach the TFTP server:
MH-5000> en
MH-5000# ip ifconfig INTF3 192.168.40.254 255.255.255.0
The CLI command to configure the LAN1 interface is ip ifconfig INTF3 192.168.1.254 255.255.255.0; use an address on the same subnet as your TFTP server, as the transcript above does with 192.168.40.254.

MH-5000 User Manual Chapter 27 System Maintenance
Upgrade firmware
SYSTEM TOOLS > Firmware Upgrade > Firmware Upgrade
In the System Tools / Firmware Upgrade page, select the firmware file with the Browse button and check Preserve Saved Configurations to keep the original settings.

Factory reset
SYSTEM TOOLS > System Utilities > Factory Reset
In the Web GUI, follow the path above. We can restore the MH-5000 configuration to the factory defaults simply by clicking the Apply button. Warning: be careful with this function. It discards all your present configuration.

Backup the current configuration
SYSTEM TOOLS > System Utilities > Save Configuration
After finishing the settings of the MH-5000, be sure to press the Save button on this page to keep the running configuration.

27.7 Steps for Backup / Restore Configurations
Step 1.

27.8 Steps for Reset password
Step 1. Enter the boot loader
>> NetOS Loader (i386), V1.5 (Fri Feb 20 10:25:11 CST 2004)
Press <TAB> to prompt - starting in 0
If you forget the password, you can reset it in the following way. Note that anyone with access to the console port and the power switch can do the same, so the reset procedure is only as strong as the physical access control around the device.

Command Line Interface (CLI)
You can configure the MH-5000 through the web interface (http/https) most of the time. You can also use the console, SSH or telnet to configure the MH-5000 in an emergency. This is known as the Command Line Interface (CLI). Telnet and plain http carry credentials in the clear; prefer SSH and https on any network you do not fully control.
Show system and network status
version (ver)   sys version   Show the MH-5000 firmware version
Table A-1 Non-privileged mode of normal mode
Note: if you don't know which parameters follow a command, just type "?" after the command, e.g. "ip ?". It shows all the valid parameters that may follow "ip".

If the original firmware was damaged by some accident, you may need to recover it with the factory reset process in rescue mode. Boot the MH-5000 and press <tab> or <space> during the 2-second countdown. Refer to Section 27.5.3 for details.

MH-5000 User Manual Appendix A Command Line Interface (CLI)
Privileged mode
Main commands    Example commands              Command description
                                               Show the help menu
disable (dis)    disable                       Turn off privileged mode
exit (ex)        exit                          Exit command shell
ip               ip arp status                 Configure IP related settings; show the IP/MAC mapping table
                 ip dns query www.yam.com.tw   ...
Please ignore the LED status, because it can sometimes confuse your judgment.

I have already set the WAN1 IP address of the MH-5000 in the same subnet as my PC, but I can't use https to log in to the MH-5000 via the WAN1 port from my PC at all. Why?...

Make sure you have already added a WAN to LAN policy in Advanced Settings/Firewall to let the IPSec packets pass through the MH-5000 (the default from WAN to LAN is block). When you add the Firewall rule, the Source IP and Netmask are the IP address and PrefixLen/Subnet Mask shown on the pages of the Remote Address Type.

Why is the Source-IP field of the System Logs blank?
Ans: One reason is that you may have entered the Host Name followed by a space, like "MH-5000 ", and the Domain Name string like "planet.com.tw", in firmware version 1.391B. The System Name is then presented as "MH-5000 .planet.com.tw".

Almost all such cases will not cause firmware failure. The MH-5000 will automatically reboot and all configurations will remain as before. Sometimes, however, the firmware does fail. If the firmware fails, the MH-5000 automatically enters rescue mode when it reboots. You may then need to do a factory reset and restore your original configuration to the MH-5000.

The first part is the Component type, the second part the Log ID, the third part the log description and the final part the Event ID. Every time you apply a setting on the MH-5000, an Event is issued, so the same Event ID may carry many different Log IDs because one Apply action may change several settings.
MH-5000 User Manual Appendix C System Log Syntax

EVENT                                          LOG LINE
                                               BANDWIDTH: [B01] WAN1 Disable bandwidth management with PPPoE connection.
Web filter categories configuration update     CONTENT: [C01] Web filter categories configuration updated by admin (192.168.17.100:443). EID=6
Web filter added trusted host                  CONTENT: [C02] Web filter add trusted host by admin (192.168.17.100:443).
Updated POP3 filter exempt zone configuration  CONTENT: [C22] Updated POP3 filter exempt zone configuration by admin (192.168.17.100:443). EID=25
POP3 filter exempt zone added range            CONTENT: [C23] POP3 filter exempt zone added range from 140.126.1.1 to 140.126.1.255 by admin (192.168.17.100:443).
Mail Log                                       LOG: [L02] mail logfile to tom@hotmail.com.
Remote Syslog Server offline
Enable/Disable Syslog Forward to Remote        LOG: [L04] Enable syslog server at 192.168.17.100 by admin (192.168.17.102:443).
Syslog Server                                  LOG: [L04] Disable syslog server by admin (192.168.17.102:443).
                                               ...192.168.1.2/255.255.255.0 by admin (192.168.17.102:443).
                                               SYSTEM: [S09] LAN1: Change IP address alias 192.168.1.2/255.255.255.0 to 192.168.1.3/255.255.255.0 by admin (192.168.17.102:443).
Set Host Name                                  SYSTEM: [S10] HostName:MH-5000, set by admin (192.168.17.102:443).
Set Domain Name                                SYSTEM: [S11] Domain Name: planet.com.tw, set by admin (192.168.17.102:443).
Enable/Disable DDNS                            SYSTEM: [S12] Enable Dynamic DNS with hostname wall.adsldns.org on WAN1 by admin (192.168.17.102:443).
Setup TELNET Server
Setup SSH Server
Setup WWW Server
Setup HTTPS Server
Setup SNMP Server
MISC Setup
Enable/Disable SNMP                            SYSTEM: [S28] Enable SNMP by admin (192.168.17.104:443)
                                               SYSTEM: [S28] System Location: Building-A.
                                               SYSTEM: [S28] Contact Info: +886-2-28826262.
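The four-part syntax described in Appendix C (component, Log ID, description, Event ID, with the acting administrator's address where a change was made through the GUI) is regular enough to parse on a syslog collector. The following is an added example, not part of the manual: a parser for that syntax, grouping of Log IDs by Event ID, and a detection pass that reports configuration changes made from an address outside an approved set of management hosts. The sample lines are constructed from the manual's own examples (one Event ID is reused across two lines to show grouping); the approved address list is an assumption.

```python
# Added example, not part of the manual: parser and detection pass for the
# MH-5000 System Log syntax of Appendix C.  Sample lines are constructed
# from the manual's examples; the approved admin addresses are assumed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<component>[A-Z]+): \[(?P<log_id>[A-Z]\d{2})\] "
    r"(?P<description>.*?)"
    r"(?: by admin \((?P<admin_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<admin_port>\d+)\))?"
    r"\.?(?: EID=(?P<eid>\d+))?"
)


def parse_line(line):
    """Split one log line into its parts, or return None if it does not
    follow the Appendix C syntax.  Trailing period and EID are optional,
    as they are in the manual's examples."""
    m = LOG_RE.fullmatch(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["eid"] = int(rec["eid"]) if rec["eid"] else None
    rec["admin_port"] = int(rec["admin_port"]) if rec["admin_port"] else None
    return rec


def events_by_eid(lines):
    """Group the Log IDs that belong to one Apply action (one Event ID)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["eid"] is not None:
            groups[rec["eid"]].append(rec["log_id"])
    return dict(groups)


def unapproved_admin_changes(lines, approved_ips):
    """(log_id, admin_ip, description) for every change made through the
    GUI from an address that is not an approved management host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["admin_ip"] and rec["admin_ip"] not in approved_ips:
            hits.append((rec["log_id"], rec["admin_ip"], rec["description"]))
    return hits


# Constructed sample, patterned on the manual's examples.
SAMPLE_LOG = [
    "CONTENT: [C01] Web filter categories configuration updated by admin (192.168.17.100:443). EID=6",
    "CONTENT: [C02] Web filter add trusted host by admin (192.168.17.100:443). EID=6",
    "CONTENT: [C22] Updated POP3 filter exempt zone configuration by admin (192.168.17.100:443). EID=25",
    "CONTENT: [C23] POP3 filter exempt zone added range from 140.126.1.1 to 140.126.1.255 by admin (192.168.17.100:443).",
    "LOG: [L02] mail logfile to tom@hotmail.com.",
    "LOG: [L04] Enable syslog server at 192.168.17.100 by admin (192.168.17.102:443).",
    "SYSTEM: [S10] HostName:MH-5000, set by admin (192.168.17.102:443).",
    "SYSTEM: [S28] Enable SNMP by admin (192.168.17.104:443)",
    "SYSTEM: [S28] System Location: Building-A.",
]

# Assumed management hosts; 192.168.17.104 is deliberately left out.
APPROVED_ADMIN_IPS = {"192.168.17.100", "192.168.17.102"}

if __name__ == "__main__":
    print(events_by_eid(SAMPLE_LOG))
    print(unapproved_admin_changes(SAMPLE_LOG, APPROVED_ADMIN_IPS))
```

Because the MH-5000 keeps only a local copy unless a syslog server is configured (Chapter 26), this kind of check is only trustworthy when run on the remote collector, where an administrator who has just enabled SNMP from an unexpected host cannot also clear the evidence.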
NAT (Network Address Translation) – Using network address translation, the MH-5000 translates the private addresses of the internal network to a public address for Internet usage. This lets an enterprise use a large number of private addresses behind a few public ones.

MH-5000 User Manual Appendix D Glossary of Terms
PPTP extends the Point to Point Protocol (PPP) standard for traditional dial-up networking. PPTP is best suited to the remote access applications of VPNs, but it also supports LAN internetworking. PPTP operates at Layer 2 of the OSI model.