Multi-Homing Security Gateway User's Manual

Multi-Homing Security Gateway
MH-1000
User's Manual

Summary of Contents for MH-1000

Page 1: ...Multi-Homing Security Gateway User's Manual. Multi-Homing Security Gateway MH-1000 User's Manual ...

Page 2: ...on in this User's Manual and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual at any time without notice. If you find information in this manual that is incorrect, misleading or incomplete, we would appreciate your comments and suggestions. CE mark Warning: This is a class B device; in a domestic environment this product may cause radio...

Page 3: ...IRTUAL PRIVATE NETWORKING 16; CHAPTER 3 GETTING STARTED 19; 3.1 OVERVIEW 19; 3.2 BEFORE YOU BEGIN 19; 3.3 CONFIGURING PCS FOR TCP/IP NETWORKING 19; 3.4 FACTORY DEFAULT SETTINGS 25; 3.5 INFORMATION FROM YOUR ISP 25; CHAPTER 4 ROUTER CONFIGURATION 27; 4.1 OVERVIEW 27; 4.2 STATUS 28; 4.3 QUICK START 34; 4.4 CONFIGURATION 37; 4.5 SAVE CONFIGURATION TO FLASH 80; 4.6 LOGOUT 81; CHAPTER 5 TROUBLESHOOTING 82; 5.1 BASIC ...

Page 4: ...ERVICE 99; C.3 WHAT IS QUALITY OF SERVICE 99; C.4 WHO NEEDS QOS 99; APPENDIX D ROUTER SETUP EXAMPLES 102; D.1 OUTBOUND FAIL OVER 102; D.2 OUTBOUND LOAD BALANCING 103; D.3 INBOUND FAIL OVER 106; D.4 DNS INBOUND FAIL OVER 108; D.5 DNS INBOUND LOAD BALANCING 111; D.6 DYNAMIC DNS INBOUND LOAD BALANCING 113; D.7 VPN CONFIGURATION 117; D.8 IPSEC FAIL OVER GATEWAY TO GATEWAY 119; D.9 IP VPN CONCENTRATOR 122; D.10 PR...

Page 5: ...tures. WAN Fail-over: the auto-failover feature can be configured for a second connection to ensure redundant connectivity when the primary line fails. Load Balancing: MH-1000 provides the ability to balance the workload by distributing incoming traffic across the two connections. DNS inbound load balance: the MH-1000 can be configured to reply with the WAN2 IP address for the DNS domain name request if WAN1 fai...

Page 6: ...Description. PWR: a solid light indicates a steady connection to a power source. STATUS: a blinking light indicates the device is writing to flash memory. LAN 1-8: lit when connected to an Ethernet device. 10/100: lit green when connected at 100 Mbps; not lit when connected at 10 Mbps. LNK/ACT: lit when the device is connected; blinking when data is transmitting/receiving. WAN1/WAN2: lit when connected to an Etherne...

Page 7: ...Network Protocol and features: Static IP, PPPoE, PPTP, Big Pond and DHCP client connection to ISP; NAT; Static Route; RIP-2; Dynamic Domain Name System (DDNS); Virtual Server and DMZ; DHCP server; NTP. Load Balancing: increased bandwidth of outbound and inbound traffic; DNS inbound load balance. Firewall: Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention; Packet Filter by IP, port number and packet ...

Page 8: ...r even mission-critical files efficiently move through the router even under a heavy load. You can throttle the speed at which different types of outgoing data pass through the router. In addition, you can simply change the priority of different types of upload data and let the router sort out the actual speeds. 2.2.1 Transparent Mode Connection Example. QoS generally involves the prioritization of net...

Page 9: ...imize the bandwidth that is being used on your network. [Diagram labels: Normal PCs, VoIP, Restricted PC] As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latencies to function properly. If bandwidth is being used by other applications, such as an FTP server, users using VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this ...

Page 10: ...bandwidth for a particular computer on the network to transfer files. Alternatively, you can set a Maximum Bandwidth to restrict a particular application to a fixed percentage of the total throughput. Setting a Maximum Bandwidth of 20% for a file-sharing program will ensure that no more than 20% of the available bandwidth will be used for file sharing. 2.2.4 Policy Based Traffic Shaping. Policy Based Tr...

Page 11: ...tion. Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is processed ahead of applications with a lower priority, and vice versa. ...

Page 12: ...traffic policies to a specific computer on the network. 2.2.7 DiffServ (DSCP Marking). DiffServ, a.k.a. DSCP Marking, allows you to classify traffic based on IP DSCP values. These markings can be used to identify traffic within the network. Other interfaces can match traffic based on the DSCP markings. DSCP markings are used to decide how packets should be treated and are a useful tool to give precedence to...

Page 13: ...2.2 and PC 2 (IP 192.168.2.3) are connected to the Internet via WAN1 (IP 230.100.100.1) on MH-1000. Should WAN1 fail, Outbound Fail Over tells MH-1000 to reroute outgoing traffic to WAN2 (IP 213.10.10.2). Configuring your MH-1000 for Outbound Fail Over provides a more reliable connection for your outgoing traffic. Please refer to appendix D for example settings. 2.3.2 Outbound Load Balancing. Outbound Load B...

Page 14: ...and destination IP address will go through the same WAN port. This is useful for some server applications that need to identify the source IP address of the client. By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is efficiently handled by making sure that both ports are equally sharing the load, preventing situations where one port is completely saturated by ...

Page 15: ...com.tw on MH-1000. A remote computer is trying to access these servers via the Internet. Under normal circumstances, the remote computer will gain access to the network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH-1000 to reroute incoming traffic to WAN2 by using the Dynamic DNS mechanism. Configuring your MH-1000 for Inbound Fail Over provides a more reliable connection for your incoming tra...

Page 16: ...lancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is efficiently handled with both ports equally sharing the load, preventing situations where service is slow because one port is completely saturated by inbound traffic. Please refer to appendix D for example settings. 2.5 DNS Inbound. Using DNS Inbound is a great way to intelligently direct network traffic. www.planet2...

Page 17: ...l Over. [Diagram labels: 100.100.100.1, DNS, Built-in DNS, 192.168.2.2, 192.168.2.3, 1st connection, 2nd connection, www.mydomain.com, HTTP, FTP] In the above example, an FTP Server (IP 192.168.2.2) and an HTTP Server (IP 192.168.2.3) are connected to the Internet via WAN1 (IP 200.200.200.1) on MH-1000. A remote computer is trying to access these servers via the Internet and makes a DNS re...

Page 18: ...server (IP 192.168.2.3) are connected to the Internet via WAN1 (IP 200.200.200.1) and WAN2 (IP 100.100.100.1) on MH-1000. Remote PCs are attempting to access the servers via the Internet by making a DNS request, entering the URL www.mydomain.com. Using a load balancing algorithm, MH-1000 can direct incoming requests to either WAN port based on the amount of load each WAN port is currently experiencing. If WAN2...

Page 19: ...yze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request. 4. After the decision is made, MH-1000 will route the DNS reply to the user through WAN2. 5. The user will receive the DNS reply with the IP address of WAN1. 6. The browser will initiate an HTTP request to the WAN1 IP address. 7. The HTTP request will be sent to MH-1000's URL Host Map. 8. The Host Map will then redirect ...

Page 20: ...Gateway setup, where two remote gateways communicate over the Internet via a secure tunnel. The next type of VPN setup is the Gateway to Multiple Gateway setup, where one gateway (Headquarters) is communicating with multiple gateways (Branch Offices) over the Internet. As with all VPNs, data is kept secure with secure tunnels. The final type of VPN setup is the Client to Gateway. A good example of where this...

Page 21: ...000. [Diagram labels: VPN Tunnel, 192.168.2.x, 192.168.3.x, After Fail Over] Because the dynamic domain name planet.dyndns.org is configured for both WAN1 and WAN2, the active WAN port will announce the domain name through the WAN IP address. The remote gateway will then be able to connect to the VPN through the domain name. In this Gateway to Gateway example, MH-1000 is communicating to a remote gateway using W...

Page 22: ...ase refer to appendix D for example settings. [Diagram labels: 100.100.100.1, 200.200.200.1, 192.168.2.x, 192.168.3.x, 201.201.201.1, 192.168.4.x; Local subnet 0.0.0.0, Local mask 0.0.0.0, Remote subnet 192.168.3.0, Remote mask 255.255.255.0; Local subnet 192.168.3.0, Local mask 255.255.255.0, Remote subnet 0.0.0.0, Remote mask 0.0.0.0; Local subnet 0.0.0.0, Local mask 0.0.0.0, Remote subnet 192.168.4.0, Remote mask 255.255.255.0] L...

Page 23: ...whether you are going to use them in fail-over mode for increased network reliability or load balancing mode for maximum bandwidth efficiency. See Chapter 2 Router Applications for more information. 2. Set up your accounts. Have access to the Internet and locate the Internet Service Provider (ISP) configuration information. Each MH-1000 WAN port must be configured separately, whether you are using a separ...

Page 24: ...nfiguration interface, check to see if you have any software-based firewalls installed on your PCs, as they can cause problems accessing the 192.168.1.1 IP address of MH-1000. The following sections outline how to set up your PCs for TCP/IP networking. Refer to the applicable section for your PC's operating system. 3.3.1 Overview. Before you begin, make sure that the TCP/IP protocol and a functioning Eth...

Page 25: ...cal Area Connection Status window, click Properties. 4. Select Internet Protocol (TCP/IP) and click Properties. 5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration. ...

Page 26: ...1. Go to Start > Settings > Control Panel. In the Control Panel, double-click on Network and Dial-up Connections. 2. Double-click Local Area Connection. 3. In the Local Area Connection Status window, click Properties. 4. Select Internet Protocol (TCP/IP) and click Properties. ...

Page 27: ...dio buttons. 6. Click OK to finish the configuration. 3.3.4 Windows 95/98/ME. 1. Go to Start > Settings > Control Panel. In the Control Panel, double-click on Network and choose the Configuration tab. 2. Select TCP/IP > NE2000 Compatible, or the name of your Network Interface Card (NIC) in your PC. 3. Select the Obtain an IP address automatically radio button. ...

Page 28: ...adio button and click OK to finish the configuration. 3.3.5 Windows NT 4.0. 1. Go to Start > Settings > Control Panel. In the Control Panel, double-click on Network and choose the Protocols tab. 2. Select TCP/IP Protocol and click Properties. 3. Select the Obtain an IP address from a DHCP server radio button and click OK. ...

Page 29: ...IP addresses for distribution to PCs: 100 IP addresses continuing from 192.168.1.100 through 192.168.1.199. The DHCP Client is enabled to automatically get the WAN port configuration from the ISP. 3.5 Information from Your ISP. 3.5.1 Protocols. Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what kind of service is provided, such as DHCP, Static IP, PPP...

Page 30: ...r PC. 3.5.2 Web Configuration Interface. MH-1000 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router (which by default is 192.168.1.1) and click Go. A user name and password window prompt will appear. Enter your user name and password; the default user name and password ...

Page 31: ...gs permanently to the device. 3. Click RESTART to restart the device. There are two options to restart the device: select Current Settings if you would like to restart using the current configuration; select Factory Default Settings if you would like to restart using the factory default configuration. 4. To exit the router's web interface, click LOGOUT. Please ensure that you have saved your configuration sett...

Page 32: ...enu displays the various options that have been selected and a number of statistics about your MH-1000. In this menu you will find the following sections: ARP Table, Routing Table, Session Table, DHCP Table, IPSec Status, PPTP Status, Traffic Statistics, System Log, IPSec Log. ...

Page 33: ...a Access Control (MAC) addresses for each device on your LAN. Interface: the interface name on the router that this IP address connects to. Static: static status of the ARP table entry; NO indicates dynamically generated ARP table entries, YES indicates static ARP table entries added by the user. 4.2.2 Routing Table. The Routing Table displays the current path for transmitted packets. Both static and dynamic...

Page 34: ...Destination IP of the session. To port: destination port of the session. Sessions Filter: when the presented field is filled, please click the Filter button. From IP: please input the source IP you would like to filter. From port: please input the source port you would like to filter. To IP: please input the destination IP you would like to filter. To port: please input the destination port you would like to filte...

Page 35: ...us window displays the status of the IPSec Tunnels that are currently configured on your MH-1000. Name: the name you assigned to the particular IPSec entry. Enable: whether the IPSec connection is currently Enable or Disable. Status: whether the IPSec is Active, Inactive or Disable. Local Subnet: the local IP address or subnet used. Remote Subnet: the subnet of the remote site. Remote Gateway: the remote ga...

Page 36: ...or LAN to LAN as connection type. Connect by: the remote address when connected. Action: manually drop the tunnel. 4.2.7 Traffic Statistic. The Traffic Statistics window displays both sent and received data in Bytes/sec over a one-hour duration. The line in red represents WAN1, while the line in blue represents WAN2. WAN1: Transmitted (Tx) and Received (Rx) bytes and packets for WAN1. WAN2: Transmitted (Tx) a...

Page 37: ...Log: send the System Log to your email account. You can set the email address in Configuration > System > Email Alert. See the Email Alert section for more details. 4.2.9 IPSec Log. This page displays the router's IPSec Log entries. Major events are logged to this window. Refresh: refresh the IPSec Log. Clear Log: clear the IPSec Log. Send Log: send the IPSec Log to your email account. You can set the email addres...

Page 38: ...tomatically, Static IP Settings, PPPoE Settings, PPTP Settings and Big Pond Settings. 4.3.1 DHCP. The following is information regarding your ISP that you will need to enter in order to properly configure your Internet connection. If you select to Obtain an IP Address Automatically, these will be automatically set for you, provided that your ISP dynamically assigns an IP address. 4.3.2 Static IP. IP assi...

Page 39: ...sion when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP. Trigger on Demand: if you want to establish a PPPoE session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: auto-disconnect the router when there is no activity on the line for a predetermined period of tim...

Page 40: ...sion when disconnected by the ISP. Trigger on Demand: if you want to establish a PPTP session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on De...

Page 41: ...l WAN, System, Firewall, VPN, QoS, Virtual Server, Advanced. These items are described below in the following sections. 4.4.1 LAN. There are two items within this section: Ethernet and DHCP Server. 4.4.1.1 Ethernet. IP Address: enter the internal LAN IP address for MH-1000 (192.168.1.1 by default). Subnet Mask: enter the subnet mask (255.255.255.0 by default). RIP: RIP v2 Broadcast and RIP v2 Multicast. Check to ena...

Page 42: ...need to manually assign a fixed IP address to each PC on your network and set the default gateway for each PC to the IP address of the router (192.168.1.1 by default). To configure the router's DHCP Server, select the Enable radio button and then configure the parameters of the DHCP Server, including the IP Pool (starting IP address and ending IP address to be allocated to the PCs on your network), DNS Serve...

Page 43: ...he configuration into the Host Table. Press the Delete button to delete a configuration from the Host Table. 4.4.2 WAN. WAN refers to your Wide Area Network connection. In most cases, this means your router's connection to the Internet through your ISP. MH-1000 features Dual WAN capability. The WAN menu contains two items: ISP Settings and Bandwidth Settings. 4.4.2.1 ISP Settings. This WAN Service Table ...

Page 44: ...gly. Configurable items will vary depending on the connection method selected. 4.4.2.1.1 DHCP. Host Name: some ISPs authenticate logins using this field. MAC Address: if your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. DNS: if your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS ...

Page 45: ...r ISP. MAC Address: if your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Primary DNS: enter the primary DNS provided by your ISP. Secondary DNS: enter the secondary DNS provided by your ISP. RIP: to activate RIP, select Send, Receive or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu. MTU: enter the Maximum T...

Page 46: ...ine for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on Demand is selected. IP Assigned by your ISP: if your IP is dynamically assigned by your ISP, select the Dynamic radio button. If your ISP assigns a static IP address, select the Static radio button and input your IP address in the blank provided. MAC Address: if your ISP requires you to input a WAN Eth...

Page 47: ...d to automatically re-establish the PPTP session when disconnected by the ISP. Trigger on Demand: if you want to establish a PPTP session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time fro...

Page 48: ...e Password: retype your password. Login Server: enter the IP of the Login server provided by your ISP. MAC Address: if your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. DNS: if your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: to activate RIP, select Send, Receive or Both fr...

Page 49: ...and outbound bandwidth for WAN2. NOTE: the values entered here are referenced by both QoS and Load Balancing functions. 4.4.3 Dual WAN. In this section you can set up the fail-over or load balance function (outbound load balance or inbound load balance function), or set up a specific protocol to bind with a specific WAN port. In this menu are the following sections: General Settings, Outbound Load Balance, Inbou...

Page 50: ...s. 4.4.3.2 Outbound Load Balance. Outbound Load Balancing on MH-1000 can be based on one of two methods: 1. Based on session mechanism; 2. Based on IP address hash mechanism. Choose one by clicking the corresponding radio button. Based on session mechanism: the source IP address and destination IP address might go through WAN1 or WAN2 according to policy settings in this mechanism. You can choose this me...

Page 51: ...IP address. Balance by weight of link capacity: uses an IP hash to balance traffic based on the weight of link bandwidth capacity. Balance by weight: uses an IP hash to balance traffic based on a ratio. Enter the desired ratio into the blanks provided. Click Apply to save your changes. 4.4.3.3 Inbound Load Balance. Function: used to enable or disable inbound load balancing. DNS Server 1: DNS Server 1 setting...

Page 52: ...rimary Name Server, e.g. aaa; its FQDN is aaa.abc.com. Admin Mail Box: the administrator's email account, e.g. admin@abc.com. Serial Number: the version number kept in the SOA record. Refresh Interval: the interval at which refreshes are done, denoted in seconds. Retry Interval: the interval at which retries are done, denoted in seconds. Expiration Time: the length of time that can elapse before the zone is no longer au...

Page 53: ...ess of the local host. Protocol: you could also select the application type you would like to apply for automatic input. Port Range: the port range of all incoming packets that are accepted and processed by a local host with the specified private IP address. Candidates: you can also select the Candidates, which are referred from the ARP table, for automatic input. Helper: you could also select the application ty...

Page 54: ...inding section, please note that it would take precedence over the settings that are already configured in the Load Balance Setting section. The Protocol Binding Table lists any protocol binding that has been configured. To add a new binding, click Create. Interface: choose which WAN port to use (WAN1, WAN2). Source IP Range: All Source IP, click it to specify all source IPs; Specified Source IP, click to sp...

Page 55: ...protocol of Internet traffic for the specified policy. Choose from TCP, UDP or Any. Port Range: the range of ports for the specified policy; if you only want to use one port, enter the same value in both boxes. Click Apply to save your changes. 4.4.4 System. The System menu allows you to adjust a variety of basic router settings, upgrade firmware, set up remote access and more. In this menu are the following ...

Page 56: ...e Internet, select the Enable radio button. To deactivate remote access, select the Disable radio button. This function also enables you to grant access from any PC or from a specific IP address. Click Apply to save your settings. NOTE: when enabling remote access, be sure to change the default administration password for security reasons. 4.4.4.3 Firmware Upgrade. Upgrading your MH-1000's firmware is a quic...

Page 57: ...ficant changes to your router's configuration. To back up your router's settings, click Backup and select where to save the settings backup file. You may also change the name of the file when saving if you wish to keep multiple backups. Click OK to save the file. To restore a previously saved backup file, click Browse. You will be prompted to select a file from your PC to restore. Be sure to only restore s...

Page 58: ...default settings. You may also reset your router to factory default settings by holding the Reset button on the router until the Status LED begins to blink. Once MH-1000 completes the boot sequence, the Status LED will stop blinking. 4.4.4.6 Password. In order to prevent unauthorized access to your router's configuration interface, it requires the administrator to login with a password. You can change...

Page 59: ...t network activity. To enable this function, select the Enable radio button and enter your Syslog server IP address in the Log Server IP Address field. Click Apply to save your changes. To disable this feature, simply select the Disable radio button and click Apply. 4.4.4.8 E-mail Alert. The Email Alert function allows a log of security-related events, such as System Log and IPSec Log, to be sent to a s...

Page 60: ...equency of each email update. Choose one of the five options. Immediately: the router will send an alert immediately. Hourly: the router will send an alert once every hour. Daily: the router will send an alert once a day; the exact time can be specified using the pull-down menu. Weekly: the router will send an alert once a week. When log is full: the router will send an alert only when the log is full. 4.4.5 F...

Page 61: ...le, click Create. ID: this is an identifier that allows you to move the rule before or after an ID. Rule: Enable or Disable this entry. Action When Matched: select to Drop or Forward the packet specified in this filter entry. Direction: Incoming Packet Filter rules prevent unauthorized computers or applications accessing your local network from the Internet; Outgoing Packet Filter rules prevent unauthorize...

Page 62: ...estination port number range. If you only want to specify one service port, then enter the same port number in both boxes. Helper: you could also select the application type you would like to apply for automatic input. 4.4.5.2 URL Filter. The URL Filter is a powerful tool that can be used to limit access to certain URLs on the Internet. You can block web sites based on keywords or even block out an en...

Page 63: ...g the bottom checkbox. To edit the list of filtered domains, click Details. Enter a keyword to be filtered and click Apply. Your new keyword will be added to the filtered keyword listing. Domains Filtering: click the top checkbox to enable this feature. You can also choose to disable all web traffic except for trusted sites by clicking the bottom checkbox. To edit the list of filtered domains, click Detail...

Page 64: ...y also designate which IP addresses are to be excluded from these filters by adding them to the Exception List. To do so, click Add. Enter a name for the IP Address and then enter the IP address itself. Click Apply to save your changes. The IP address will be entered into the Exception List and excluded from the URL filtering rules in effect. 4.4.5.3 LAN MAC Filter. ...

Page 65: ...t depending on the default rule. Rule: enable or disable this entry. Action When Matched: select to Drop or Forward the packet specified in this filter entry. MAC Address: the MAC Address you would like to apply. Candidates: you can also select the Candidates, which are referred from the ARP table, for automatic input. 4.4.5.4 Block WAN Request. Blocking WAN requests is one way to prevent DDoS attacks by p...

Page 66: ...ed and dropped attacks will be shown in the system log. 4.4.6 VPN. 4.4.6.1 IPSec. IPSec is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way to establish secured communication tunnels to an organization's network via the Internet. 4.4.6.1.1 IPSec Wizard. Connection Name: a user-defined name for the connection. Interface: select the interface the IPSec tunnel will apply to (WAN1, Se...

Page 67: ...ore any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides' router or hosts. Connection Type: there are 5 connection types. 1. LAN to LAN: MH-1000 would like to establish an IPSec VPN tunnel with a remote router using Fixed Internet IP or domain name by using main mode. Secure Gateway Address or Do...

Page 68: ...allow you to enter an IP address and netmask. Back: back to the previous page. Next: go to the next page. 3. LAN to Host: MH-1000 would like to establish an IPSec VPN tunnel with remote client software using Fixed Internet IP or domain name by using main mode. Secure Gateway Address or Domain Name: the IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel. Back: back ...

Page 69: ...value, the ID type will be auto-defined as IP Address, FQDN (DNS) or FQUN (E-mail). Back: back to the previous page. Next: go to the next page. 5. LAN to Host for VPN Client only: MH-1000 would like to establish an IPSec VPN tunnel with MH-1000 VPN Client by using aggressive mode. VPN Client IP Address: the VPN Client Address for MH-1000 VPN Client; this value will be applied on both the remote ID and Remote Network ...

Page 70: ...er's Manual. After your configuration is done, you will see a Configuration Summary. Back: back to the previous page. Done: click Done to apply the rule. 4.4.6.1.2 IPSec Policy. Click Create to create a new IPSec VPN connection account. ...

Page 71: ...e will automatically apply the tunnel to WAN1 or WAN2 depending on which WAN interface is active when the IPSec tunnel is being established. Note: Auto only applies to Fail Over mode. For Load Balance mode, please do not select Auto. In Load Balance mode, Auto will be forced to the WAN1 interface if Auto is selected. Local: this section configures the local host ID. This is the identity type of the local route...

Page 72: ...n IP address format. FQDN (DNS): Fully Qualified Domain Name. Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN; WWW is the host name, VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN. FQUN (E-Mail): Fully Qualified User Name. Consists of a username and its domain name. For example, user@vpn.com is a FQUN; us...

Page 73: ...negotiation time. Diffie-Hellman is a public key cryptography protocol that allows two parties to establish a shared secret over the Internet. Pre-shared Key: this is for the Internet Key Exchange (IKE) protocol. IKE is used to establish a shared security policy and authenticated keys for services, such as IPSec, that require a key. Before any IPSec traffic can be passed, each router must be able to verify...

Page 74: ...t: displays the IP address and subnet of the remote network. Remote Gateway: this is the IP address or Domain Name of the remote VPN device that is connected and has an established IPSec tunnel. IPSec Proposal: this is the selected IPSec security method. 4.4.6.2 PPTP. PPTP is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way to establish secured communication tunnels to an organization...

Page 75: ...create a new PPTP VPN connection account. Connection Name: a user-defined name for the connection. Tunnel: select Enable to activate this tunnel; select Disable to deactivate this tunnel. Username: please input the username for this account. Password: please input the password for this account. Retype Password: please repeat the same password as in the previous field. Connection Type: select Remote Access for single...

Page 76: ...dth: the maximum bandwidth afforded by the ISP for WAN1's inbound traffic. WAN2 Outbound QoS Function: QoS status for WAN2 outbound. Select Enable to activate QoS for WAN2's outgoing traffic; select Disable to deactivate. Max ISP Bandwidth: the maximum bandwidth afforded by the ISP for WAN2's outbound traffic. WAN2 Inbound QoS Function: QoS status for WAN2 inbound. Select Enable to activate QoS for WAN2's i...

Page 77: ...inbound, and WAN2 outbound/inbound. Application: user-defined application name for the current rule. Guaranteed: the guaranteed amount of bandwidth for this rule, as a percentage. Maximum: the maximum amount of bandwidth for this rule, as a percentage. Priority: the priority assigned to this service. Select a value from 0 to 6, 0 being highest. DSCP Marking: used to classify traffic. Select from Best Effort, Premi...

Page 78: ...ct the Candidates, which are referred from the ARP table, for automatic input. Protocol: the type of packet this rule applies to. Choose from Any, TCP, UDP or ICMP. Source Port Range: the range of source ports this rule applies to. Destination Port Range: the range of destination ports this rule applies to. Helper: you could also select the application type you would like to apply for automatic input. 4.4.8 Vir...

Page 79: ...ices via the public WAN IP address can be automatically redirected to local servers in the LAN network. Depending on the requested service (TCP/UDP port number), the device redirects the external service request to the appropriate server within the LAN network. 4.4.8.1 DMZ. The DMZ Host is a local computer exposed to the Internet. When setting a particular internal IP address as the DMZ Host, all incoming...

Page 80: ...cific port number for the service to use, e.g. web (HTTP) port 80, FTP port 21, Telnet port 23, SMTP port 25 or POP3 port 110. When an incoming access request is received, it will be forwarded to the corresponding internal server. Click Create to add a new port forwarding rule. This function allows any incoming data addressed to a range of service port numbers from the Internet (WAN Port) to be redirected to ...

Page 81: ...does have security implications, as outside users will be able to connect to PCs on your network. For this reason, using specific Virtual Server entries just for the ports your application requires, instead of using DMZ, is recommended. 4.4.9 Advanced: Configuration options within the Advanced section are for users who wish to take advantage of the more advanced features of MH-1000. Users who do not under...

Page 82: ...rule. Destination: This is the destination subnet IP address. Netmask: This is the subnet mask of the destination IP addresses, based on the above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded. Interface: Select the interface through which packets are to be forwarded. Cost: This has the same meaning as Hop. Click Apply to save your changes. 78 ...

Page 83: ... interface. You will first need to register and establish an account with the Dynamic DNS provider using their website. Example: DYNDNS, http://www.dyndns.org. MH-1000 supports several Dynamic DNS providers, such as www.dyndns.org, www.orgdns.org, www.dhs.org, www.dyns.cx, www.3domain.hk, www.zoneedit.com, www.3322.org and www.no-ip.com. Dynamic DNS: Disable: Check to disable the Dynamic DNS function. Enable: Check to e...

Page 84: ...he IP address to 0.0.0.0 will disable IP address restrictions, allowing users to login from any IP address. Expire to auto-logout: Specify a time frame for the system to auto-logout the user's configuration session. Example: User A changes the HTTP port number to 100, specifies their own IP address of 192.168.1.100, and sets the logout time to be 100 seconds. The router will only allow User A access from the...

Page 85: ... the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to logout, the second PC can access the page after a user-defined period (5 minutes by default). You can modify this value using the Advanced > Device Management section of the Web Configuration Interface. Please see the Advance...

Page 86: ...may be a hardware problem. If all LEDs are still on one minute after powering up: Cycle the power to see if the router recovers. Clear the configuration to factory defaults. If the error persists, you may have a hardware problem and should contact technical support. 5.1.3 LAN or Internet Port Not On: If either the LAN LEDs or the Internet LED does not light when the Ethernet connection is made, check the foll...

Page 87: ...eck the corresponding LAN LEDs on your PC's Ethernet device are on. Make sure that driver software for your PC's Ethernet adapter and TCP/IP software is correctly installed and configured on your PC. Verify that the IP address and the subnet mask of MH-1000 and the computers are on the same subnet. 5.2.3 Can't Access Web Configuration Interface: If you are having trouble accessing MH-1000's Web Configurati...

Page 88: ...ent checkbox is checked and click OK. 4. Click OK under Internet Options to close the dialogue. In Windows, type arp -d at the command prompt to clear your computer's ARP table. 5.2.3.1 Pop-up Windows: To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your MH...

Page 89: ...ceptions: If you only want to allow pop-up windows with your MH-1000: 1. In Internet Explorer, select Tools > Internet Options. 2. Under the Privacy tab, click Settings to open the Pop-up Blocker Settings dialogue. 3. Enter the IP address of your router. 4. Click Add to add the IP address to the list of Allowed sites. 5. Click Close to return to the Privacy tab of the Internet Options dialogue. 6. Click Apply to s...

Page 90: ...sure that Scripting of Java applets is set to Enabled. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions: The following Java Permissions should also be given for the Web Configuration Interface to display properly. 1. In Internet Explorer, click Tools > Internet Options. 2. Under the Security tab, click Custom Level. ...

Page 91: ...ote that user names and passwords are case-sensitive. If your ISP requires MAC address authentication, clone the MAC address from your PC on the LAN as MH-1000's WAN MAC address. If your ISP requires host name authentication, configure your PC's name as MH-1000's system name. 5.4 ISP Connection: Unless you have been assigned a static IP address by your ISP, your MH-1000 will need to request an IP address...

Page 92: ... or DSL modem. 4. When the modem has finished synchronizing with the ISP (generally shown by LEDs on the modem), turn on the power to your router. If an IP address still cannot be obtained: Your ISP may require a login program. Consult your ISP whether they require PPPoE or some other type of login. If your ISP requires a login, check to see that your User Name and Password are entered correctly. Your ISP ma...

Page 93: ...esses. Your PC may not have the router correctly configured as its TCP/IP gateway. 5.5 Problems with Date and Time: If the date and time are not being displayed correctly, be sure to set them for your MH-1000 via the Web Configuration Interface. Both date and time can be found under Configuration > System > Time Zone. 5.6 Restoring Factory Defaults: You can restore your MH-1000 to its factory settings by holdin...

Page 94: ...s, vendors, customers or other businesses. Intranets: Intranets are private networks that connect an organization's locations together. These locations range from a headquarters to branch offices to a remote employee's home. Intranets are often used for email and for sharing applications and files. A firewall protects Intranets from unauthorized access. Remote Access: Remote access enables mobile workers t...

Page 95: ...uthorized re-transmission with anti-replay functionality. The presence of the AH header allows us to verify the integrity of the message but doesn't encrypt it. Thus AH provides authentication but not privacy. ESP protects data confidentiality. Both AH and ESP can be used together for added protection. A typical AH packet looks like this: [AH header figure; fields shown: Reserved, Payload Length, Next Header, SPI, Authentication Data, Seque...]

Page 96: ... Security Associations (SA): Security Associations are one-way relationships between sender and receiver that specify IPSec-related parameters. They provide data protection by using the defined IPSec protocols and allow organizations to control, according to the security policy in effect, which resources may communicate securely. An SA is identified by 3 parameters: Security Parameters Index (SPI), a locally...

Page 97: ...s sent by adding an outer IP header corresponding to the two tunnel end points. Since tunnel mode hides the original IP header, it provides security for networks with private IP address space. [Figure residue: IP, Dat(a), TC(P), AH, E...] A.2.3 Tunnel Mode AH: AH is typically applied to a data packet in the following manner. [Figure: Original Packet: IP Header, TCP, Data. Org IP Header, TCP, Data. Packet with IPSec Authentication Header (AH): New I...]

Page 98: ...hase I deals with the negotiation and management of IKE and IPSec parameters. This phase can be carried out in either one of two modes: Main Mode or Aggressive Mode. Main mode utilizes three message pairs that negotiate IKE parameters, establish a shared secret and derive session keys, and exchange and provide identities, retroactively authenticating the information sent. This method is very secure but w...

Page 99: ...r's Manual [Figure: IKE negotiation flow. Start; Main Mode or Aggressive Mode (Phase 1: Negotiate ISAKMP SA, Mutual Authentication); Quick Mode With PFS or Quick Mode Without PFS (Phase 2: Negotiate SAs for AH and ESP); Protected Data Transfer; New IPSec tunnel or Rekeying.] ...

Page 100: ...de. Send Main mode first response message of ISAKMP: Sending the first response message of main mode. Done to exchange encryption algorithm, hash algorithm and authentication method. Received Main mode first response message of ISAKMP: Received the first response message of main mode. Done to exchange encryption algorithm, hash algorithm and authentication method. Send Main mode second message of ISAKMP: Se...

Page 101: ... proposal and key values (IPSec). Received Quick mode initial message: Received the first message of quick mode (Phase II). Done to exchange proposal and key values (IPSec). Send Quick mode first response message: Sending the first response message of quick mode (Phase II). Done to exchange proposal and key values (IPSec). Received Quick mode first response message: Received the first response message of quick mode...

Page 102: ...have ID 's' but peer declares 's': INVALID ID INFORMATION. Initial Aggressive Mode packet claiming to be from 's' on 's' but no connection has been authorized. IKE Negotiated Status Messages: Received Delete SA payload and deleting IPSEC State (integer). Received Delete SA payload: Deleting ISAKMP State (integer). Main/Aggressive mode peer ID is (identifier string). ISAKMP SA Established. IPsec SA Established. ...

Page 103: ...S helps users manage bandwidth and effectively prioritize data traffic. It gives you full control over the traffic of any type of data. Employed on the DiffServ (Differentiated Services) architecture, data traffic is given priority by the router, ensuring latency-sensitive applications like voice and mission-critical data such as VPN move through the router at lightning speeds even under heavy load. You can...

Page 104: ... to solve this problem. You can first classify different applications (online games, FTP, Skype, email) as shown in the table below. Then you can manage and prioritize the flow of bandwidth at different levels, e.g. 30 for games, 20 for downloads, 10 for email, 20 for FTP and 35 for others. QoS can be used to identify different applications and assign priority to enable a smooth and responsive broadband connec...

Page 105: ...nt packets have priority to ensure a good quality of broadband connection for the entire organization. [Table: Application / Data Ratio / Priority: Videoconferencing / 30 / High; VoIP / 20 / High; Email / 10 / High; FTP / 10 / Upload High, Download Normal; Other / 30 / MP3 Low, MSN Normal.] ...

Page 106: ...Appendix D: Router Setup Examples. D.1 Outbound Fail Over: Step 1: Go to Configuration > WAN > ISP Settings. Select WAN1 and WAN2 and click Edit. Step 2: Configure WAN1 and WAN2 according to the information given by your ISP. ...

Page 107: ...N ports are probed. Please ensure the WAN ports are functioning by performing a ping operation on each before proceeding. Finally, choose whether or not MH-1000 should fail back to WAN1. Step 4: Click Save Config to save all changes to flash memory. D.2 Outbound Load Balancing: [Figure: WAN addresses 230.100.100.1 and 213.100.100.2 to the ISP; LAN hosts 192.168.2.2 and 192.168.2.3.] With Outbound Load Balancing you can improve upload performance by optim...

Page 108: ...Step 2: Configure your WAN2 ISP settings and click Apply. Step 3: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button. ...

Page 109: ... Go to Configuration > Dual WAN > Outbound Load Balance. Choose the Load Balance mechanism you want and click Apply. Step 5: Complete. To check traffic statistics, go to Status > Traffic Statistics. Step 6: Click Save Config to save all changes to flash memory. ...

Page 110: ...1 and WAN2 have been properly configured. See Chapter 4, Router Configuration, for more details. Step 1: From the Web Configuration Interface, go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button. [Figure: planetest.dyndns.org before fail over and after fail over; LAN hosts 192.168.2.2 and 192.168.2.3; Remote Access from Internet via ftp planetest.dyndns.org.] Remote...

Page 111: ...Step 2: Configure Fail Over options if necessary. Step 3: Go to Configuration > Advanced > Dynamic DNS. Set the WAN1 DDNS settings. Step 4: From the same menu, set the WAN2 DDNS settings. ...

Page 112: ...Step 5: Click Save Config to save all changes to flash memory. D.4 DNS Inbound Fail Over ...

Page 113: ...ction [Figure labels: www.mydomain.com, DNS, DNS, HTTP, FTP.] NOTE: Before proceeding, please ensure that both WAN1 and WAN2 are properly configured according to the settings provided by your ISP. If not, please refer to Chapter 4.2.2.1, ISP Settings, for details on how to configure your WAN ports. Step 1: Go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button and configure your fail over policy. Step 2...

Page 114: ...Step 3: Input the DNS Server 1 settings and click Apply. Step 4: Configure your Host URL Mapping for DNS Server 1 by clicking Edit to enter the Host URL Mappings List. Click Create, input the settings for Host URL Mappings, and click New. ...

Page 115: ...1 [Figure: www.mydomain.com; Authoritative Domain Name Server; built-in DNS; DNS Request and DNS Reply; heavy load on WAN 1 or WAN 2; WAN 1 at 100.100.100.1, WAN 2 at 200.200.200.1; LAN hosts 192.168.2.2 and 192.168.2.3 serving FTP and HTTP.] Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button. ...

Page 116: ...Step 2: Go to Configuration > Dual WAN > Inbound Load Balance > Server Settings and configure DNS Server 1. Step 3: Go to Configuration > Dual WAN > Inbound Load Balance > Host URL Mapping and configure your FTP mapping. ...

Page 117: ...Step 4: Next, configure your HTTP mapping. Step 5: Click Save Config to save all changes to flash memory. D.6 Dynamic DNS Inbound Load Balancing ...

Page 118: ...[Figure: planet3.dyndns.org, www.planet2.dyndns.org; LAN hosts 192.168.2.2 and 192.168.2.3 serving FTP and HTTP.] Step 1: Go to Configuration > WAN > Bandwidth Settings. Configure your WAN inbound and outbound bandwidth. Step 2: Go to Configuration > Dual WAN > General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not. ...

Page 119: ...hanism as your policy, the source IP address and destination IP address may go through WAN1 or WAN2, depending on the policy settings. If you selected the Based on IP hash mechanism as your policy, the source IP address and destination IP address will go through a specific WAN port according to the IP hash algorithm. Step 4: Go to Configuration > Advanced > Dynamic DNS and input the dynamic DNS settings for WAN1 an...

Page 120: ...[Figure labels: WAN1, WAN2.] Step 5: Go to Configuration > Virtual Server and set up a virtual server for both FTP and HTTP. ...

Page 121: ...tion: This section outlines some concrete examples on how you can configure MH-1000 for your VPN. D.7.1 LAN to LAN: [Table, Branch Office / Head Office: Local ID: IP Address / IP Address; Data: 69.121.1.30 / 69.121.1.3; Network: Any Local Address / Any Local Address; IP Address: 192.168.0.0 / 192.168.1.0; Netmask: 255.255.255.0 / 255.255.255.0; Remote ...]

Page 122: ...[Table continued, Branch Office / Head Office: Network: Subnet / Subnet; IP Address: 192.168.1.0 / 192.168.0.0; Netmask: 255.255.255.0 / 255.255.255.0; Proposal: IKE Pre-shared Key: 12345678 / 12345678; Security Algorithm: Main Mode, ESP, MD5, 3DES, PFS / Main, ESP, MD5, 3DES, PFS.] D.7.2 Host to LAN: [Table, Single client / Head Office: Local ID: IP Address / IP Address; Data: 69.121.1.30 / 69.121.1.3; Network: Any Local Address / Any Local Address; ...]

Page 123: ...[Table continued: ...t / Single Address; IP Address: 192.168.1.0 / 69.121.1.30; Netmask: 255.255.255.0 / 255.255.255.255; Proposal: IKE Pre-shared Key: 12345678 / 12345678; Security Algorithm: Main Mode, ESP, MD5, 3DES, PFS / Main, ESP, MD5, 3DES, PFS.] D.8 IPSec Fail Over, Gateway to Gateway: [Figure: Before Fail Over and After Fail Over; 192.168.2.x; 200.200.200.1; 192.168.3.x; mh planet.dyndns.org; MH-1000 A, MH-1000 B; MH-1000 ...]

Page 124: ...gs. Enable Fail Over by selecting the Fail Over radio button. Then configure your Fail Over policy. Step 2: Go to Configuration > Advanced > Dynamic DNS and configure your dynamic DNS settings (both WAN1 and WAN2). Step 3: Go to Configuration > VPN > IPSec > IPSec Policy. Click Create to configure the VPN settings. ...

Page 125: ...Step 4: Click Save Config to save all changes to flash memory. To configure another MH-1000 gateway, refer to the screenshot below. ...

Page 126: ...D.9 IP VPN Concentrator ...

Page 127: ...Step 1: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000 C to MH-1000 A (Branch A). ...

Page 128: ...Step 2: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000 C to MH-1000 B (Branch B). ...

Page 129: ...Step 3: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000 A (Branch A) to MH-1000 C. ...

Page 130: ...Step 4: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000 B (Branch B) to MH-1000 C. Step 5: Click Save Config to save all changes to flash memory. ...

Page 131: ... Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balancing radio button. Step 2: Go to Configuration > Dual WAN > Protocol Binding and configure the settings for WAN1. Step 3: Go to Configuration > Dual WAN > Protocol Binding and configure the settings for WAN2. ...

Page 132: ...Step 4: Click Save Config to save all changes to flash memory. D.11 Intrusion Detection: Step 1: Go to Configuration > Firewall > Intrusion Detection and enable the settings. Step 2: Click Apply and then Save Config to save all changes to flash memory. ...

Page 133: ...D.12 PPTP Remote Access by Windows XP: Step 1: Go to Configuration > VPN > PPTP and enable the PPTP function. Click Apply. ...

Page 134: ...Step 2: Click Create to create a PPTP account. Step 3: Click Apply; you can see that the account is successfully created. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections. ...

Page 135: ...Step 6: In Network Tasks, click Create a new connection and press Next. ...

Page 136: ...Step 7: Select "Connect to the network at my workplace" and press Next. Step 8: Select "Virtual Private Network connection" and press Next. ...

Page 137: ...Step 9: Input the user-defined name for this connection and press Next. Step 10: Input the PPTP Server Address and press Next. ...

Page 138: ...Step 11: Press Finish. Step 12: Double-click the connection and input the Username and Password defined in the Planet PPTP Account Settings. ...

Page 139: ...PS: You can also refer to the Properties > Security page as shown below (default settings). D.13 PPTP Remote Access ...

Page 140: ...Step 1: Go to Configuration > VPN > PPTP and enable the PPTP function. Disable the Encryption, then click Apply. Step 2: Click Create to create a PPTP account. Step 3: Click Apply; you can see that the account is successfully created. ...

Page 141: ...Step 4: Click Save Config to save all changes to flash memory. Step 5: In another MH-1000 acting as the client, go to Configuration > WAN > ISP Settings. Step 6: Click Apply and Save Config. ...
