PLANET MH-1000 User Manual

Multi-Homing Security Gateway User’s Manual
Multi-Homing Security Gateway, MH-1000
Copyright (C) 2006 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted. No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
CE mark Warning
This is a Class B device. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
To avoid the potential effects on the environment and human health resulting from hazardous substances in electrical and electronic equipment, end users of such equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected separately.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please refer to the following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
Multi-Homing Security Gateway serial number and MAC address
Any error messages that displayed when the problem occurred
Any software running when the problem occurred
Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET Multi-Homing Security Gateway
Model: MH-1000
Rev: 1.0 (February, 2006)
Table of Contents
CHAPTER 1: INTRODUCTION ... 1
1.1 FEATURES ... 1
1.2 PACKAGE CONTENTS ... 2
1.3 MH-1000 FRONT VIEW ... 2
1.4 MH-1000 REAR PANEL ... 2
1.5 SPECIFICATION ... 3
CHAPTER 2: ROUTER APPLICATION ... 4
2.1 OVERVIEW ... 4
2.2 BANDWIDTH MANAGEMENT WITH QOS ... 4
2.3 OUTBOUND TRAFFIC ... 9
2.4 INBOUND TRAFFIC ... 10
2.5 DNS INBOUND ... 12
2.6 VIRTUAL PRIVATE NETWORKING ... 16
CHAPTER 3: GETTING STARTED ... 19
3.1 OVERVIEW ... 19
3.2 BEFORE YOU BEGIN ... 19
3.3 CONFIGURING PCS FOR TCP/IP NETWORKING ... 19
3.4 FACTORY DEFAULT SETTINGS ... 25
3.5 INFORMATION FROM YOUR ISP ... 25
CHAPTER 4: ROUTER CONFIGURATION ... 27
4.1 OVERVIEW ... 27
4.2 STATUS ... 28
4.3 QUICK START ... 34
4.4 CONFIGURATION ... 37
4.5 SAVE CONFIGURATION TO FLASH ... 80
4.6 LOGOUT ... 81
CHAPTER 5: TROUBLESHOOTING ... 82
5.1 BASIC FUNCTIONALITY ... 82
5.2 LAN INTERFACE ... 83
5.3 WAN INTERFACE ... 87
5.4 ISP CONNECTION ... 87
5.5 PROBLEMS WITH DATE AND TIME ... 89
5.6 RESTORING FACTORY DEFAULTS ... 89
APPENDIX A: VIRTUAL PRIVATE NETWORKING ... 90
A.1 WHAT IS THE VPN? ... 90
A.2 WHAT IS THE IPSEC? ... 90
APPENDIX B: IPSEC LOGS AND EVENTS ... 96
B.1 IPSEC LOG EVENT CATEGORIES ... 96
B.2 IPSEC LOG EVENT TABLE ... 96
APPENDIX C: BANDWIDTH MANAGEMENT WITH QOS ... 99
C.1 OVERVIEW ... 99
C.2 WHAT IS QUALITY OF SERVICE? ... 99
C.3 WHAT IS QUALITY OF SERVICE? ... 99
C.4 WHO NEEDS QOS? ... 99
APPENDIX D: ROUTER SETUP EXAMPLES ... 102
D.1 OUTBOUND FAIL OVER ... 102
D.2 OUTBOUND LOAD BALANCING ... 103
D.3 INBOUND FAIL OVER ... 106
D.4 DNS INBOUND FAIL OVER ... 108
D.5 DNS INBOUND LOAD BALANCING ... 111
D.6 DYNAMIC DNS INBOUND LOAD BALANCING ... 113
D.7 VPN CONFIGURATION ... 117
D.8 IPSEC FAIL OVER (GATEWAY TO GATEWAY) ... 119
D.9 IP VPN CONCENTRATOR ... 122
D.10 PROTOCOL BINDING ... 127
D.11 INTRUSION DETECTION ... 128
D.12 PPTP REMOTE ACCESS BY WINDOWS XP ... 129
D.13 PPTP REMOTE ACCESS ... 135

Chapter 1: Introduction

PLANET’s Multi-Homing Security Gateway, MH-1000, integrates cutting-edge technology including
Load Balancing, VPN and Firewall, letting central sites establish an office network and connect with branch
offices, remote dial-up users and tele-workers. It is designed for businesses requiring an application-based
network solution at low capital investment and caters to the needs of small and medium sized businesses.
Built-in multiple WAN interfaces protect your Internet connectivity from failure, reducing the risk of a
shutdown if one of the Internet connections fails. Moreover, it allows you to perform load balancing by
distributing traffic across the two WAN connections.
In addition to being a multi-homing device, PLANET’s Multi-Homing Security Gateway provides a complete
security solution in a box. The policy-based firewall, content filtering function and VPN connectivity with
3DES and AES encryption make it a perfect product for your network security. The bandwidth management
function offers network administrators an easy yet powerful means to allocate network resources based on
business priorities, and to shape and control bandwidth usage.

1.1 Features

WAN Fail-over: Auto failover can be configured for a second connection to ensure redundant
connectivity when the primary line fails.
Load Balancing: MH-1000 can balance the workload by distributing incoming traffic across the two
connections.
DNS inbound load balance: The MH-1000 can be configured to reply with the WAN2 IP address to DNS
domain name requests if WAN1 fails.
VPN Connectivity: The security gateway supports PPTP and IPSec VPN. With DES, 3DES and AES
encryption and SHA-1 / MD5 authentication, network traffic over the public Internet is secured.
PPTP Server: The MH-1000 also provides a PPTP server, so a remote user can connect to the MH-1000
PPTP server without complex settings and access LAN resources.
Content Filtering: The security gateway can block network connections based on URLs and scripts
(pop-ups, Java Applets, cookies and ActiveX).
SPI Firewall: Built-in Stateful Packet Inspection (SPI) determines whether a data packet is allowed
through the firewall to the private LAN.
Denial of Service (DoS): The MH-1000 protects against DoS attacks, allowing the private LAN to connect
securely to the Internet.
Quality of Service (QoS): Network packets can be classified by IP address and TCP/UDP port number
and given guaranteed and maximum bandwidth with three levels of priority.
Dynamic Domain Name Service (DDNS): The Dynamic DNS service allows users to alias a dynamic IP
address to a static hostname.

1.2 Package Contents

The following items should be included:
MH-1000 Multi-Homing Security Gateway
User’s Manual CD-ROM
This Quick Installation Guide
Power Adapter
Bracket x 2 (for rack mounting)
Screw x 4 (for rack mounting)
If any of the contents are missing or damaged, please contact your dealer or distributor immediately.

1.3 MH-1000 Front View

MH-1000 Front Panel
LED: Description
PWR: A solid light indicates a steady connection to a power source.
STATUS: A blinking light indicates the device is writing to flash memory.
LAN 1 - 8: Lit when connected to an Ethernet device. 10/100: lit green when connected at 100Mbps, not lit
when connected at 10Mbps. LNK/ACT: lit when a device is connected, blinking when data is being
transmitted/received.
WAN1, WAN2: Lit when connected to an Ethernet device. 10/100: lit green when connected at 100Mbps, not
lit when connected at 10Mbps. LNK/ACT: lit when a device is connected, blinking when data is being
transmitted/received.

1.4 MH-1000 Rear Panel

MH-1000 Rear Panel
Port or button: Description
RESET: To reset the device and restore factory default settings, wait until the device is fully booted, then
press and hold RESET until the Status LED begins to blink.
WAN1, WAN2: Connect to your xDSL/Cable modem or other Internet connection device.
LAN 1 - 8: Connect to your local PC, switch or other local network device.
DC 12V: Connect the DC power adapter here (12VDC).

1.5 Specification

Product: Multi-homing Security Gateway
Model: MH-1000
Hardware
Ethernet LAN: 8 x 10/100Base-TX RJ-45
Ethernet WAN: 2 x 10/100Base-TX RJ-45
Performance
Firewall throughput: 90Mbps
IPSec VPN throughput: 30Mbps
PPTP VPN throughput: 10Mbps
Maximum concurrent sessions: 10,000
Software
Management: Web
Network Protocol and features: Static IP, PPPoE, PPTP, Big Pond and DHCP client connection to ISP; NAT, Static Route, RIP-2; Dynamic Domain Name System (DDNS); Virtual Server and DMZ; DHCP server; NTP
Load Balancing: Increased bandwidth of outbound and inbound traffic; DNS inbound load balance
Firewall: Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention; Packet Filter (by IP, port number and packet type); E-mail alert and logs of attack; MAC Address Filtering
Content Filtering: URL Filtering; Java Applet/ActiveX/Web Proxy/Surfing of IP Address/Cookie Blocking
VPN Tunnels: IPSec: 100, PPTP: 4
VPN Functions: PPTP, IPSec VPN support; DES, 3DES and AES encryption; SHA-1 / MD5 authentication algorithm; Remote access VPN (Client-to-Site) and Site-to-Site VPN; IPSec, PPTP, L2TP pass through
QoS: Supports DiffServ approach; Prioritization and bandwidth managed by IP, port number and MAC address
Log and Alert: Syslog support; E-mail Alert

Chapter 2: Router Application

2.1 Overview

MH-1000 is a versatile device that can be configured to not only protect your network from malicious
attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both
Inbound and Outbound Load Balancing. Alternatively, MH-1000 can also be set to redirect incoming and
outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability.

2.2 Bandwidth Management with QoS

Quality of Service (QoS) gives you full control over which types of outgoing data traffic should be given
priority by the router. By doing so, the router can ensure that latency-sensitive applications like voice,
bandwidth-consuming data like gaming packets, or even mission critical files efficiently move through the
router even under a heavy load. You can throttle the speed at which different types of outgoing data pass
through the router. In addition, you can simply change the priority of different types of upload data and let
the router sort out the actual speeds.

2.2.1 Transparent Mode Connection Example

QoS generally involves the prioritization of network traffic. QoS is comprised of three major components:
Classifier, Meter, and Scheduler. Each of these components has a distinct role in ensuring that incoming
and outgoing data is managed according to user specifications.
The Classifier analyses incoming packets and marks each one according to configured parameters. The
Meter communicates the drop priority to the Scheduler and measures the temporal priorities of the output
stream against configured parameters. Finally, the Scheduler schedules each packet for transmission
based on information from both the Classifier and the Meter.

2.2.2 QoS Policies for Different Applications

By setting different QoS policies according to the applications you are running, you can use MH-1000 to
optimize the bandwidth that is being used on your network.
[Diagram: QoS policies per application, showing VoIP, Normal PCs and a Restricted PC behind MH-1000]
As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latencies
to function properly. If bandwidth is being used by other applications such as an FTP server, users using
VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this
network has assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth
communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make
sure that regular service to both VoIP and normal Internet applications is uninterrupted.

2.2.3 Guaranteed / Maximum Bandwidth

Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of
bandwidth. For example, you can configure MH-1000 to reserve 10% of the available bandwidth for a
particular computer on the network to transfer files.
Alternatively you can set a Maximum Bandwidth to restrict a particular application to a fixed percentage of
the total throughput. Setting a Maximum Bandwidth of 20% for a file sharing program will ensure that no
more than 20% of the available bandwidth will be used for file sharing.

2.2.4 Policy Based Traffic Shaping

Policy Based Traffic Shaping allows you to apply specific traffic policies across a range of IP addresses or
ports. This is particularly useful for assigning different policies for different PCs on the network. Policy
based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network
service to your organization.

2.2.5 Priority Bandwidth Utilization

Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from
this particular service. Assigning a higher priority to an application ensures that it is processed ahead of
applications with a lower priority and vice versa.
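To make the Guaranteed / Maximum Bandwidth and Priority settings of sections 2.2.3 to 2.2.5 concrete, here is an added Python sketch of one allocation rule; it is not MH-1000 firmware (the device's scheduler is not documented here). It assumes guarantees are honoured first and leftover bandwidth is handed out in priority order up to each class's cap; the class names and demands are constructed.

```python
"""Bandwidth allocation with guaranteed minimum, maximum cap and priority.

Added illustration of the concepts in sections 2.2.3 and 2.2.5; not MH-1000
code. The allocation order (guarantees first, then remainder by priority up
to each cap) is an assumption used to make the settings concrete.
"""
from dataclasses import dataclass


@dataclass
class QosClass:
    name: str
    guaranteed: float  # percent of link reserved for this class even under load
    maximum: float     # percent of link this class may never exceed (100 = no cap)
    priority: int      # 1 = highest of the three MH-1000 priority levels, 3 = lowest
    demand: float      # percent of link the class would consume if unconstrained


def allocate(classes, link=100.0):
    """Return {class name: percent of link} under the stated assumptions.

    1. Every class first receives min(guaranteed, demand).
    2. Leftover bandwidth is handed out in priority order; each class takes
       up to its remaining demand but never beyond its maximum cap.
    """
    if sum(c.guaranteed for c in classes) > link:
        raise ValueError("guarantees exceed link capacity")
    share = {c.name: min(c.guaranteed, c.demand) for c in classes}
    left = link - sum(share.values())
    for c in sorted(classes, key=lambda c: c.priority):
        want = min(c.demand, c.maximum) - share[c.name]
        grant = max(0.0, min(want, left))
        share[c.name] += grant
        left -= grant
    return share


# Constructed scenario mirroring the manual's diagram: VoIP gets a 10%
# guarantee and top priority, the FTP server is capped at 20%.
SAMPLE = [
    QosClass("voip", guaranteed=10, maximum=100, priority=1, demand=15),
    QosClass("normal_pcs", guaranteed=0, maximum=100, priority=2, demand=50),
    QosClass("ftp_server", guaranteed=0, maximum=20, priority=3, demand=60),
]

if __name__ == "__main__":
    for name, pct in allocate(SAMPLE).items():
        print(f"{name:12s} {pct:5.1f}%")
```

Note that a low-priority class without a guarantee can be starved entirely when higher priorities demand the whole link; a guarantee is what prevents that.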

2.2.6 Management by IP or MAC address

MH-1000 can also be configured to apply traffic policies based on a particular IP or MAC address. This
allows you to quickly assign different traffic policies to a specific computer on the network.

2.2.7 DiffServ (DSCP Marking)

DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values. These markings
can be used to identify traffic within the network. Other interfaces can match traffic based on the DSCP
markings. DSCP markings are used to decide how packets should be treated, and are a useful tool for giving
precedence to different types of data.

2.3 Outbound Traffic

This section outlines some of the ways you can use MH-1000 to manage outbound traffic.

2.3.1 Outbound Fail Over

Configuring MH-1000 for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted.
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via
WAN1 (IP_230.100.100.1) on MH-1000. Should WAN1 fail, Outbound Fail Over tells MH-1000 to reroute
outgoing traffic to WAN2 (IP_213.10.10.2). Configuring your MH-1000 for Outbound Fail Over provides a
more reliable connection for your outgoing traffic.
Please refer to appendix D for example settings.

2.3.2 Outbound Load Balancing

Outbound Load Balancing allows MH-1000 to intelligently manage outbound traffic based on the amount of
load of each WAN connection.
[Diagram: Outbound Load Balancing. PC 1 192.168.2.2 and PC 2 192.168.2.3 behind MH-1000, WAN1
230.100.100.1 and WAN2 213.10.10.2 to the ISP]
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via
WAN1 (IP_230.100.100.1) and WAN2 (IP_213.10.10.2) on MH-1000. You can configure MH-1000 to
balance the load of each WAN port with one of two mechanisms:
1. Session (by session/by traffic/weight of link capability)
2. IP Hash (by traffic/weight of link capability)
The IP Hash mechanism will ensure that the traffic from the same source IP address and destination IP
address will go through the same WAN port. This is useful for some server applications that need to identify
the source IP address of the client.
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is
efficiently handled by making sure that both ports are equally sharing the load, preventing situations where
one port is completely saturated by outbound traffic.
Please refer to appendix D for example settings.
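As an added illustration of the IP Hash mechanism in 2.3.2 together with the Outbound Fail Over of 2.3.1, the following Python is not MH-1000 code; it assumes a SHA-256 digest of the address pair and integer link-capability weights, and uses the manual's WAN addresses with a constructed destination.

```python
"""IP Hash outbound load balancing: the same (source, destination) address
pair always leaves through the same WAN port, and a dead port is skipped.

Added example for sections 2.3.1 and 2.3.2; not MH-1000 firmware. The hash
function and the weight handling are assumptions chosen to show the property
the manual describes (per address-pair affinity).
"""
import hashlib
import ipaddress

WAN = {  # constructed from the manual's example addresses
    "WAN1": "230.100.100.1",
    "WAN2": "213.10.10.2",
}


def pair_hash(src, dst):
    """Deterministic 32-bit digest over the ordered (src, dst) pair."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pick_wan(src, dst, weights=None, up=None):
    """Return the WAN name a flow from src to dst should use.

    weights: {"WAN1": w1, "WAN2": w2} link-capability weights (equal if omitted)
    up:      set of WAN names currently alive (all alive if omitted)
    """
    weights = dict(weights or {name: 1 for name in WAN})
    alive = [n for n in WAN if (up is None or n in up) and weights[n] > 0]
    if not alive:
        raise RuntimeError("no WAN link available")
    if len(alive) == 1:            # fail over: only one path, hash is irrelevant
        return alive[0]
    total = sum(weights[n] for n in alive)
    slot = pair_hash(src, dst) % total   # weighted bucket for this address pair
    for name in alive:
        if slot < weights[name]:
            return name
        slot -= weights[name]
    raise AssertionError("unreachable: slot < total by construction")


def is_sticky(src, dst, trials=50):
    """True if repeated decisions for the same address pair never change."""
    first = pick_wan(src, dst)
    return all(pick_wan(src, dst) == first for _ in range(trials))


def wan1_fraction(src, weights, samples=4000):
    """Share of distinct constructed destinations that land on WAN1."""
    hits = 0
    for i in range(samples):
        dst = f"10.{(i >> 8) & 255}.{i & 255}.1"   # constructed, all distinct
        hits += pick_wan(src, dst, weights) == "WAN1"
    return hits / samples


if __name__ == "__main__":
    for pc in ("192.168.2.2", "192.168.2.3"):
        w = pick_wan(pc, "198.51.100.10")          # constructed destination
        print(pc, "->", w, WAN[w])
```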

2.4 Inbound Traffic

Learn how MH-1000 can handle inbound traffic in the following section.

2.4.1 Inbound Fail Over

Configuring MH-1000 for Inbound Fail Over allows you to ensure that incoming traffic is uninterrupted by
having MH-1000 default to WAN2 should WAN1 fail.
[Diagram: Inbound Fail Over. FTP server 192.168.2.2 and HTTP server 192.168.2.3 reached from the Internet
as ftp.planet.com.tw, shown before and after fail over]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are
connected to the Internet via WAN1 (ftp.planet.com.tw) on MH-1000. A remote computer is trying to access
these servers via the Internet. Under normal circumstances, the remote computer will gain access to the
network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH-1000 to reroute incoming traffic to WAN2
by using the Dynamic DNS mechanism. Configuring your MH-1000 for Inbound Fail Over provides a more
reliable connection for your incoming traffic.
Please refer to appendix D for example settings.

2.4.2 Inbound Load Balancing

Inbound Load Balancing allows MH-1000 to intelligently manage inbound traffic based on the amount of
load of each WAN connection.
[Diagram: Inbound Load Balancing. FTP server 192.168.2.2 and HTTP server 192.168.2.3 reached from the
Internet via www.planet2.com.tw (WAN1) and www.planet3.com.tw (WAN2)]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are
connected to the Internet via WAN1 (www.planet2.com.tw) and WAN2 (www.planet3.com.tw) on MH-1000.
Remote PCs are attempting to access the servers via the Internet. Using Inbound Load Balancing,
MH-1000 can direct incoming requests to the correct WAN port based on group assignment. For example,
a sales force can be directed to www.planet2.com.tw while the R&D group can access www.planet3.com.tw.
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is
efficiently handled with both ports equally sharing the load, preventing situations where service is slow
because one port is completely saturated by inbound traffic.
Please refer to appendix D for example settings.

2.5 DNS Inbound

Using DNS Inbound is a great way to intelligently direct network traffic.
DNS Inbound is a three step process. First, a DNS request is made to the router by a remote PC. Second,
MH-1000, based on settings specified by the user, directs the requesting PC to the correct WAN port by
replying with the selected WAN IP address through the built-in DNS server. Third, the remote PC accesses
the network via the specified WAN port. How MH-1000 directs this traffic through the built-in DNS server
depends on whether it is configured for Fail Over or Load Balancing.
Learn how to make DNS Inbound on MH-1000 work for you in the following section.

2.5.1 DNS Inbound Fail Over

MH-1000 can be configured to reply with the WAN2 IP address to DNS domain name requests should
WAN1 fail.
[Diagram: DNS Inbound Fail Over. MH-1000 is the authoritative DNS for www.mydomain.com; FTP server
192.168.2.2 and HTTP server 192.168.2.3; WAN1 200.200.200.1, WAN2 100.100.100.1. The built-in DNS
answers 200.200.200.1 before fail over and 100.100.100.1 after fail over]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_200.200.200.1) on MH-1000. A remote computer is trying to
access these servers via the Internet, and makes a DNS request. The DNS request (www.mydomain.com)
will be sent through WAN1 (200.200.200.1) to the built-in DNS server. The DNS server will reply
200.200.200.1 because this is the only active WAN port. Should WAN1 fail, MH-1000 will instead reply with
WAN2’s IP address (100.100.100.1), and the remote PC will gain access to the network via WAN2. By
configuring MH-1000 for DNS Inbound Fail Over, incoming requests will enjoy increased reliability when
accessing your network.
Please refer to appendix D for example settings.

2.5.2 DNS Inbound Load Balancing

DNS Inbound Load Balancing allows MH-1000 to intelligently manage inbound traffic based on the amount
of load of each WAN connection by assigning the IP address with the lowest traffic load to incoming requests.
[Diagram: DNS Inbound Load Balancing, first panel. DNS request for www.mydomain.com reaches the built-in
DNS; heavy load on WAN2 (100.100.100.1), so the DNS reply is WAN1 (200.200.200.1)]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_200.200.200.1) and WAN2 (IP_100.100.100.1) on MH-1000.
Remote PCs are attempting to access the servers via the Internet by making a DNS request, entering a
URL (www.mydomain.com).
Using a load balancing algorithm, MH-1000 can direct incoming requests to either WAN port based on the
amount of load each WAN port is currently experiencing. If WAN2 is experiencing a heavy load, MH-1000
responds to incoming DNS requests with WAN1.
[Diagram: DNS Inbound Load Balancing, second panel. Heavy load on WAN1 (200.200.200.1), so the DNS reply
is WAN2 (100.100.100.1)]
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is
efficiently handled, making sure that both ports are equally sharing the load and preventing situations
where service is slow because one port is completely saturated by inbound traffic.
Please refer to appendix D for example settings.
A typical scenario of how traffic is directed with DNS Inbound Load Balancing is illustrated below:
[Diagram: DNS Inbound Load Balancing flow, steps 1 to 11: DNS Request, DNS Server, Bandwidth Monitor,
DNS Reply, HTTP Request, URL Host Map, HTTP Server and HTTP Reply across WAN1 and WAN2]
In the example above, the client is making a DNS request.
(1). The request is sent to the DNS server of MH-1000 through WAN2.
(2). WAN2 will route this request to the embedded DNS server of MH-1000.
(3). MH-1000 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the
request.
(4). After the decision is made, MH-1000 will route the DNS reply to the user through WAN2.
(5). The user will receive the DNS reply with the IP address of WAN1.
(6). The browser will initiate an HTTP request to the WAN1 IP address.
(7). The HTTP request will be sent to MH-1000’s URL Host Map.
(8). The Host Map will then redirect the HTTP request to the HTTP server.
(9). The HTTP server will reply.
(10). The URL Host Map will route the packet through WAN1 to the user.
(11). Finally, the client will receive an HTTP reply packet.
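The following added Python model (not MH-1000 firmware) walks through the decision the built-in DNS server makes in 2.5.1, 2.5.2 and steps (3) and (5) above: skip WAN ports that are down, and in Load Balancing mode answer with the least-loaded live WAN IP. The link state and bandwidth-monitor values are assumed inputs, constructed from the manual's addresses.

```python
"""Built-in DNS reply selection for DNS Inbound Fail Over / Load Balancing.

Added example for sections 2.5.1, 2.5.2 and the eleven-step flow; not
MH-1000 firmware. Link health and the bandwidth monitor are assumed to be
available as plain values, and the decision rule (skip dead links, then
prefer WAN1 for fail over or the least-loaded link for load balancing) is an
assumption that reproduces the behaviour the manual describes.
"""
from dataclasses import dataclass


@dataclass
class WanState:
    name: str
    ip: str
    up: bool
    load_kbps: float  # current usage as reported by the bandwidth monitor


# Constructed from the manual's diagram: www.mydomain.com is published on
# both WAN ports. Names outside this zone must not be answered at all.
ZONE = {"www.mydomain.com": ["WAN1", "WAN2"]}


def choose_wan(candidates, mode):
    """Pick the WAN whose address goes into the DNS reply, or None.

    mode == "failover":    first configured live link (WAN1 while it is up).
    mode == "loadbalance": least-loaded live link; ties favour the earlier one.
    """
    live = [w for w in candidates if w.up]
    if not live:
        return None
    if mode == "failover":
        return live[0]
    if mode != "loadbalance":
        raise ValueError(f"unknown mode {mode!r}")
    return min(live, key=lambda w: (w.load_kbps, candidates.index(w)))


def dns_answer(qname, wans, mode="failover"):
    """Return the A record value for qname, or None when there is nothing
    correct to say (foreign name, or every configured WAN is down)."""
    name = qname.lower().rstrip(".")
    if name not in ZONE:
        return None                      # not authoritative for this name
    candidates = [w for w in wans if w.name in ZONE[name]]
    chosen = choose_wan(candidates, mode)
    return chosen.ip if chosen else None


def demo():
    """Constructed state: WAN1 busy, WAN2 lightly loaded."""
    wans = [WanState("WAN1", "200.200.200.1", True, 8000),
            WanState("WAN2", "100.100.100.1", True, 1500)]
    print("failover  :", dns_answer("www.mydomain.com", wans))
    print("balanced  :", dns_answer("www.mydomain.com", wans, "loadbalance"))
    wans[0].up = False
    print("WAN1 down :", dns_answer("www.mydomain.com", wans))


if __name__ == "__main__":
    demo()
```

Because remote resolvers cache the A record for its TTL, a fail over only takes effect for new lookups once cached answers expire, so a short TTL on the published record is what makes the switch fast.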

2.6 Virtual Private Networking

A Virtual Private Network (VPN) enables you to send data between two computers across a shared or
public network in a manner that emulates the properties of a point-to-point private link. As such, it is perfect
for connecting branch offices to headquarters across the Internet in a secure fashion.
The following section discusses Virtual Private Networking with MH-1000.

2.6.1 General VPN Setup

There are typically three different VPN scenarios. The first is a Gateway to Gateway setup, where two
remote gateways communicate over the Internet via a secure tunnel.
[Figure: Gateway to Gateway; the local gateway is 100.100.100.1 with LAN 192.168.2.x.]
The next type of VPN setup is the Gateway to Multiple Gateway setup, where one gateway
(Headquarters) is communicating with multiple gateways (Branch Offices) over the Internet. As with all
VPNs, data is kept secure with secure tunnels.
[Figure: Gateway to Multiple Gateway; headquarters 100.100.100.1 (LAN 192.168.2.x) with three secure tunnels to branch offices, including 200.200.200.1 (LAN 192.168.3.x) and 201.201.201.1 (LAN 192.168.4.x).]
The final type of VPN setup is the Client to Gateway. A good example of where this can be applied is
when a remote sales person accesses the corporate network over a secure VPN tunnel.
[Figure: Client to Gateway; a VPN Client connects through a secure tunnel to the gateway (LAN 192.168.2.x) via the dynamic domain name myID.dyndns.org.]
VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to stay connected. One of
the most important steps in setting up a VPN is proper planning. The following sections demonstrate the
various ways of using MH-1000 to setup your VPN.

2.6.2 VPN Planning - Fail Over

Configuring your VPN with Fail Over allows MH-1000 to automatically default to WAN2 should WAN1 fail.
[Figure: Gateway to Gateway Fail Over, before and after. MH-1000 (LAN 192.168.2.x, dynamic domain name planet.dyndns.org) holds a VPN tunnel to a remote MH-1000 at 200.200.200.1 (LAN 192.168.3.x).]
Because the dynamic domain name planet.dyndns.org is configured for both WAN1 and WAN2, the active
WAN port will announce the domain name through the WAN IP address. The remote gateway will then be
able to connect to the VPN through the domain name.
In this Gateway to Gateway example, MH-1000 is communicating to a remote gateway using WAN1
through a secure VPN tunnel. Should WAN1 fail, outbound traffic from MH-1000 will automatically be
redirected to WAN2. This process is completely transparent to the remote gateway, as MH-1000 will
automatically update the domain name (planet.dyndns.org) with the WAN2 IP address. Configuring a
Gateway to Multiple Gateway setup with Fail Over is similar, as shown below:
[Figure: Gateway to Multiple Gateway Fail Over, before and after. MH-1000 (LAN 192.168.2.x, planet.dyndns.org, WAN1 100.100.100.1, WAN2 200.200.200.1) with tunnels to remote MH-1000 gateways on LANs 192.168.3.x and 192.168.4.x.]
Configuring MH-1000 for Fail Over provides added reliability to your VPN.

2.6.3 Concentrator

The VPN Concentrator provides an easy way for branch offices to connect to headquarters through a VPN
tunnel. All branch office traffic will be redirected to the VPN tunnel to headquarters with the exception of
LAN-side traffic. This way, all branch offices can connect to each other through headquarters via the
headquarters’ firewall management. You can also configure MH-1000 to function as a VPN Concentrator:
Please refer to appendix D for example settings.
[Figure: VPN Concentrator. Headquarters MH-1000 at 100.100.100.1 (LAN 192.168.2.x) with tunnels to branch office MH-1000 gateways at 200.200.200.1 (LAN 192.168.3.x) and 201.201.201.1 (LAN 192.168.4.x). The subnet settings shown in the figure are:]
Headquarters, tunnel to branch office 200.200.200.1:
    Local subnet: 0.0.0.0        Local mask: 0.0.0.0
    Remote subnet: 192.168.3.0   Remote mask: 255.255.255.0
Headquarters, tunnel to branch office 201.201.201.1:
    Local subnet: 0.0.0.0        Local mask: 0.0.0.0
    Remote subnet: 192.168.4.0   Remote mask: 255.255.255.0
Branch office 200.200.200.1 (LAN 192.168.3.x):
    Local subnet: 192.168.3.0    Local mask: 255.255.255.0
    Remote subnet: 0.0.0.0       Remote mask: 0.0.0.0
Branch office 201.201.201.1 (LAN 192.168.4.x):
    Local subnet: 192.168.4.0    Local mask: 255.255.255.0
    Remote subnet: 0.0.0.0       Remote mask: 0.0.0.0
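How the concentrator subnet pairs from the figure select traffic, as an added example that is not the MH-1000 firmware's code. It assumes a VPN entry is a (local subnet, remote subnet) pair in CIDR form, that a packet takes the tunnel whose local selector matches its source and whose remote selector matches its destination, and that the most specific remote selector wins; the hosts and packets are constructed.

```python
"""Added example, not PLANET's firmware: the concentrator subnet settings from
the figure, modelled with the standard ipaddress module. Assumed model: a VPN
entry is (local subnet, remote subnet); a packet takes the tunnel whose local
selector matches its source and whose remote selector matches its destination,
most specific remote selector first. Hosts and packets are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

Policy = List[Tuple[str, str]]          # [(local_cidr, remote_cidr), ...]


def route_packet(policy: Policy, lan: str, src: str, dst: str) -> Union[str, int, None]:
    """Return "lan" for LAN-side traffic (never tunnelled), the index of the
    matching tunnel entry, or None when no entry covers the packet."""
    s, d = ip_address(src), ip_address(dst)
    if d in ip_network(lan):
        return "lan"
    best: Optional[int] = None
    best_len = -1
    for i, (local, remote) in enumerate(policy):
        local_net, remote_net = ip_network(local), ip_network(remote)
        if s in local_net and d in remote_net and remote_net.prefixlen > best_len:
            best, best_len = i, remote_net.prefixlen
    return best


# Settings taken from the figure: a 0.0.0.0/0 selector matches everything.
BRANCH1 = [("192.168.3.0/24", "0.0.0.0/0")]       # all non-LAN traffic to HQ
BRANCH2 = [("192.168.4.0/24", "0.0.0.0/0")]
HEADQUARTERS = [("0.0.0.0/0", "192.168.3.0/24"),   # entry 0: tunnel to branch 1
                ("0.0.0.0/0", "192.168.4.0/24")]   # entry 1: tunnel to branch 2


def branch_to_branch(src: str, dst: str) -> List[Union[str, int, None]]:
    """Trace a branch 1 packet: first hop at branch 1, second hop at HQ.
    Because HQ's local selector is 0.0.0.0/0, a packet that arrived from
    branch 1 still matches the entry leading to branch 2 and is relayed on,
    subject to the headquarters firewall."""
    return [route_packet(BRANCH1, "192.168.3.0/24", src, dst),
            route_packet(HEADQUARTERS, "192.168.2.0/24", src, dst)]


if __name__ == "__main__":
    print(branch_to_branch("192.168.3.10", "192.168.4.20"))  # [0, 1]
    print(route_packet(BRANCH1, "192.168.3.0/24", "192.168.3.10", "192.168.3.50"))  # lan
```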

Chapter 3: Getting Started

3.1 Overview

MH-1000 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive
web-based configuration, MH-1000 allows you to administer your network via virtually any Java-enabled
web browser and is fully compatible with Linux, Mac OS, and Windows 98/ME/NT/2000/XP operating
systems.
The following chapter takes you through the very first steps to configuring your network for MH-1000. Take
a look and see how easy it is to get your network up and running.

3.2 Before You Begin

In order to simplify the configuration process and increase the efficiency of your network, you should
consider the following items before setting up your network for the first time:
1. Plan your network
Decide whether you are going to use one or both WAN ports. For one WAN port, you may need a fully
qualified domain name either for convenience or if you have a dynamic IP address. If you are going to use
both WAN ports, determine whether you are going to use them in fail over mode for increased network
reliability or load balancing mode for maximum bandwidth efficiency. See Chapter 2: Router Applications
for more information.
2. Set up your accounts
Have access to the Internet and locate the Internet Service Provider (ISP) configuration information. Each
MH-1000 WAN port must be configured separately, whether you are using a separate ISP for each WAN
port or are having the traffic of both WAN ports routed through the same ISP.
3. Determine your network management approach
MH-1000 is capable of remote management. However, this feature is not active by default. If you reset the
device, remote administration must be enabled again. If you decide to manage your network remotely, be
sure to change the default password for security reasons.
4. Prepare to physically connect MH-1000 to Cable or DSL modems and a computer.

3.3 Configuring PCs for TCP/IP Networking

In order for your networked PCs to communicate with your router, they must have the following
characteristics:
1. Have a properly installed and functioning Ethernet Network Interface Card (NIC).
2. Be connected to MH-1000, either directly or through an external repeater hub via an Ethernet cable.
3. Have TCP/IP installed and configured with an IP address.
The IP address for each PC may be a fixed IP address or one that is obtained from a DHCP server. If using
a fixed IP address, it is important to remember that it must be in the same subnet as the router. The default IP address of MH-1000 is 192.168.1.1 with a subnet mask of 255.255.255.0. Using the default
configuration, networked PCs must reside in the same subnet, and have an IP address in the range of
192.168.1.2 to 192.168.1.254. However, you’ll find that the quickest and easiest way to configure the IP
addresses for your PCs is to obtain the IP addresses automatically by using the router as a DHCP server.
If you are unable to access the web configuration interface, check to see if you have any software-based
firewalls installed on your PCs, as they can cause problems accessing the 192.168.1.1 IP address of
MH-1000.
The following sections outline how to set up your PCs for TCP/IP networking. Refer to the applicable
section for your PC’s operating system.

3.3.1 Overview

Before you begin, make sure that the TCP/IP protocol and a functioning Ethernet network adapter are
installed on each of your PCs.
The following operating systems already include the necessary software components you need to install
TCP/IP on your PCs:
- Windows 95/98/Me/NT/2000/XP
- Mac OS 7 and later
Any TCP/IP capable workstation can be used to communicate with or through MH-1000. To configure other
types of workstations, please consult the manufacturer’s documentation.

3.3.2 Windows XP

1. Go to Start / Control Panel (in Classic View). In the Control Panel, double-click on Network Connections.
2. Double-click Local Area Connection.
3. In the Local Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons.
6. Click OK to finish the configuration.

3.3.3 Windows 2000

1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and Dial-up Connections.
2. Double-click Local Area Connection.
3. In the Local Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons.
6. Click OK to finish the configuration.

3.3.4 Windows 95/98/ME

1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the Configuration tab.
2. Select TCP/IP -> NE2000 Compatible, or the name of your Network Interface Card (NIC) in your PC.
3. Select the Obtain an IP address automatically radio button.
4. Then select the DNS Configuration tab.
5. Select the Disable DNS radio button and click OK to finish the configuration.

3.3.5 Windows NT 4.0

1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the Protocols tab.
2. Select TCP/IP Protocol and click Properties.
3. Select the Obtain an IP address from a DHCP server radio button and click OK.

3.4 Factory Default Settings

3.4.1 User name and password

The default user name and password are "admin" and "admin" respectively.
If you ever forget your user name and/or password, you can restore your MH-1000 to its factory settings by
holding the Reset button on the back of your router until the Status LED begins to blink. Please note that
doing this will also erase any previous router settings that you have made. The Status LED will remain solid
as the device boots. Once the boot sequence is complete, the LED will shut off, indicating that MH-1000 is
ready.

3.4.2 LAN and WAN Port Addresses

The default values for LAN and WAN ports are shown below:
LAN Port
    IP address: 192.168.1.1
    Subnet Mask: 255.255.255.0
    DHCP server function: Enabled
    IP addresses for distribution to PCs: 100 IP addresses continuing from 192.168.1.100 through 192.168.1.199
WAN Port
    The DHCP Client is enabled to automatically get the WAN port configuration from the ISP.

3.5 Information from Your ISP

3.5.1 Protocols

Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what
kind of service is provided such as DHCP, Static IP, PPPoE, or PPTP. The following table outlines each of
these protocols:
DHCP: Configure this WAN interface to use DHCP client protocol to get an IP address from your ISP
automatically. Your ISP provides an IP address to the router dynamically when logging in.
Static IP: Configure this WAN interface with a specific IP address. This IP address should be provided by
your ISP.
PPPoE: PPPoE (PPP over Ethernet) is known as a dial-up DSL or cable service. It is designed to integrate
the broadband services into the current widely deployed, easy-to-use, and low-cost dial-up-access
networking infrastructure.
PPTP: If your ISP provides a PPTP connection, you can use the PPTP protocol to establish a connection to
your ISP.
Big Pond: The Big Pond login for Telstra cable in Australia.
If your account uses PPP over Ethernet (PPPoE), you will need to enter your login name and password
when configuring your MH-1000. After the network and firewall are configured, MH-1000 will login
automatically, and you will no longer need to run the login program from your PC.

3.5.2 Web Configuration Interface

MH-1000 includes a Web Configuration Interface for easy administration via virtually any browser on your
network. To access this interface, open your web browser, enter the IP address of your router, which by
default is 192.168.1.1, and click Go. A user name and password window prompt will appear. Enter your
user name and password (the default user name and password are "admin" and "admin") to access the
Web Configuration Interface.
If the Web Configuration Interface appears, congratulations! You are now ready to configure your MH-1000.
If you are having trouble accessing the interface, please refer to Chapter 5: Troubleshooting for possible
resolutions.