Planet mh-5000 User Manual

Multi-Homing Security

Gateway

MH-5000

User’s Manual

Multi-Homing Security Gateway User’s Manual

The products and programs described in this User’s Manual are licensed products of PLANET Technology, This User ’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted.

No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means by electronic or mechanical. Including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express written permission of PLANET Technology.

Disclaimer

PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.

PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.

Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User ’s Manual and/or to the products described in this User’s Manual, at any time without notice.

If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.

CE mark Warning

This is a class A device, in a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.

Trademarks

The PLANET logo is a trademark of PLANET Technology.

This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.

Customer Service

For information on customer service and support for the Multi-Homing Security Gateway, please refer to the following Website URL:

http://www.planet.com.tw

Before contacting customer service, please take a moment to gather the following information:

Multi-Homing Security Gateway serial number and MAC address

¨ ¨ Any error messages that displayed when the problem occurred ¨ Any software running when the problem occurred

Steps you took to resolve the problem on your own

Revision

User’s Manual for PLANET Multi-Homing Security Gateway

Model: MH-5000

Rev: 1.0 (September, 2004)

Part No. EM-MH5Kv1

Multi-Homing Security Gateway User’s Manual

Table of Contents

Chapter 1 Quick Start................................................................................................1

1.1 Check Your Package Contents.....................................................................................1

1.2 Five steps to configure MH-5000 quickly......................................................................1

1.3 Wiring the MH-5000......................................................................................................4

1.4 Default Settings and architecture of MH-5000..............................................................6

1.5 Using the Setup Wizard................................................................................................7

1.6 Internet Connectivity...................................................................................................10

1.6.1 LAN1-to-WAN1 Connectivity.......................................................................................................11

1.6.2

WAN1-to-DMZ1 Connectivity......................................................................................................12

Chapter 2 System Overview...................................................................................16

2.1 Typical Example Topology..........................................................................................16

2.2 Changing the LAN1 IP Address..................................................................................17

2.2.1

2.2.2

2.2.3 The design principle...................................................................................................................19

2.2.4 Web GUI design principle...........................................................................................................19

2.2.5 Rule principle..............................................................................................................................19

From LAN1 to configure MH-5000 LAN1 network settings...........................................................17

From CLI (command line interface) to configure MH-5000 LAN1 network settings.......................18

Chapter 3 Basic Setup............................................................................................21

3.1 Demand......................................................................................................................21

3.2 Objectives...................................................................................................................21

3.3 Methods......................................................................................................................21

3.4 Steps...........................................................................................................................21

3.4.1

3.4.2 Setup DMZ1, LAN1 Status..........................................................................................................23

3.4.3 Setup WAN1 IP alias..................................................................................................................25

Setup WAN1 IP..........................................................................................................................21

Chapter 4 System Tools..........................................................................................28

4.1 Demand......................................................................................................................28

4.2 Objectives...................................................................................................................28

4.3 Methods......................................................................................................................28

4.4 Steps...........................................................................................................................32

4.4.1

4.4.2 DDNS setting..............................................................................................................................34

4.4.3 DNS Proxy setting......................................................................................................................35

4.4.4 DHCP Relay setting....................................................................................................................35

4.4.5

4.4.6

General settings.........................................................................................................................32

SNMP Control............................................................................................................................36

Change MH-5000 interface.........................................................................................................37

Chapter 5 Remote Management.............................................................................38

5.1 Demands.....................................................................................................................38

5.2 Methods......................................................................................................................38

5.3 Steps...........................................................................................................................39

5.3.1 Telnet.........................................................................................................................................39

5.3.2

5.3.3

5.3.4 ICMP..........................................................................................................................................39

WWW.........................................................................................................................................39

SNMP.........................................................................................................................................39

Chapter 6 NAT.........................................................................................................40

6.1 Demands.....................................................................................................................40

6.2 Objectives...................................................................................................................41

6.3 Methods......................................................................................................................41

6.4 Steps...........................................................................................................................42

6.4.1 Setup Many-to-one NAT rules.....................................................................................................42

6.4.2

6.5 NAT modes introduction..............................................................................................50

6.5.1

6.5.2

6.5.3 One-to-One type.........................................................................................................................51

6.5.4 NAT modes & types....................................................................................................................52

Setup Virtual Server for the FtpServer1.......................................................................................46

Many-to-One type.......................................................................................................................50

Many-to-Many type.....................................................................................................................51

Chapter 7 Routing...................................................................................................53

7.1 Demands.....................................................................................................................53

7.2 Objectives...................................................................................................................54

7.3 Methods......................................................................................................................54

7.4 Steps...........................................................................................................................54

7.4.1

7.4.2 Add a policy routing entry...........................................................................................................56

Add a static routing entry............................................................................................................54

Chapter 8 Firewall...................................................................................................59

8.1 Demands.....................................................................................................................59

8.2 Objectives...................................................................................................................59

8.3 Methods......................................................................................................................59

8.4 Steps...........................................................................................................................60

8.4.1 Block internal PC session (LAN à WAN)....................................................................................60

8.4.2

Setup Alert detected attack.........................................................................................................63

Chapter 9 VPN Technical Introduction..................................................................65

9.1 VPN benefit.................................................................................................................65

9.2 Related Terminology Explanation...............................................................................65

9.2.1 VPN...........................................................................................................................................65

9.2.2

9.2.3 Security Association...................................................................................................................65

9.2.4 IPSec Algorithms........................................................................................................................65

9.2.5 Key Management.......................................................................................................................66

9.2.6

IPSec.........................................................................................................................................65

Encapsulation.............................................................................................................................67

9.2.7 IPSec Protocols..........................................................................................................................67

9.3 Make VPN packets pass through MH-5000................................................................68

Chapter 10 Virtual Private Network – IPSec..........................................................69

10.1 Demands.....................................................................................................................69

10.2 Objectives...................................................................................................................69

10.3 Methods......................................................................................................................69

10.4 Steps...........................................................................................................................70

10.4.1 DES/MD5 IPSec tunnel: the IKE way..........................................................................................70

10.4.2 DES/MD5 IPSec tunnel: the Manual-Key way.............................................................................80

Chapter 11 Virtual Private Network –Dynamic IPSec............................................88

11.1 Demands.....................................................................................................................88

11.2 Objectives...................................................................................................................88

11.3 Methods......................................................................................................................88

11.4 Steps...........................................................................................................................89

Chapter 12 Virtual Private Network – PPTP..........................................................95

12.1 Demands.....................................................................................................................95

12.2 Objectives...................................................................................................................95

12.3 Methods......................................................................................................................96

12.4 Steps...........................................................................................................................96

12.4.1

12.4.2 Setup PPTP Network Client........................................................................................................97

Setup PPTP Network Server.......................................................................................................96

Chapter 13 Virtual Private Network – L2TP...........................................................99

13.1 Demands.....................................................................................................................99

13.2 Objectives...................................................................................................................99

13.3 Methods......................................................................................................................99

13.4 Steps.........................................................................................................................100

13.4.1 Setup L2TP Network Server.....................................................................................................100

Chapter 14 Content Filtering – Web Filters.........................................................103

14.1 Demands...................................................................................................................103

14.2 Objectives.................................................................................................................104

14.3 Methods....................................................................................................................104

14.4 Steps.........................................................................................................................105

14.5 Setting priorities........................................................................................................110

Chapter 15 Content Filtering – Mail Filters..........................................................113

15.1 Demands...................................................................................................................113

15.2 Objectives.................................................................................................................113

15.3 Methods....................................................................................................................113

15.4 Steps for Anti-Virus...................................................................................................114

15.5 Steps for Anti-Spam..................................................................................................115

III

15.6 Steps for SMTP Relay...............................................................................................116

Chapter 16 Content Filtering – FTP Filtering.......................................................117

16.1 Demands...................................................................................................................117

16.2 Objectives.................................................................................................................117

16.3 Methods....................................................................................................................117

16.4 Steps.........................................................................................................................118

Chapter 17 Intrusion Detection Systems.............................................................121

17.1 Demands...................................................................................................................121

17.2 Objectives.................................................................................................................121

17.3 Methods....................................................................................................................121

17.4 Steps.........................................................................................................................122

Chapter 18 Bandwidth Management....................................................................123

18.1 Demands...................................................................................................................123

18.2 Objectives.................................................................................................................124

18.3 Methods....................................................................................................................125

18.4 Steps.........................................................................................................................125

Chapter 19 Load Balancer....................................................................................129

19.1 Demands...................................................................................................................129

19.2 Objectives.................................................................................................................129

19.3 Methods....................................................................................................................130

19.4 Steps.........................................................................................................................130

19.4.1 Outbound Load Balancer..........................................................................................................130

Chapter 20 System Status....................................................................................131

20.1 Demands...................................................................................................................131

20.2 Objectives.................................................................................................................131

20.3 Methods....................................................................................................................131

20.4 Steps.........................................................................................................................131

Chapter 21 Log System........................................................................................134

21.1 Demands...................................................................................................................134

21.2 Objectives.................................................................................................................134

21.3 Methods....................................................................................................................134

21.4 Steps.........................................................................................................................134

21.4.1 System Logs............................................................................................................................134

21.4.2 Syslog & Mail log......................................................................................................................135

Chapter 22 System Maintenance.........................................................................137

22.1 Demands...................................................................................................................137

22.2 Steps for TFTP Upgrade...........................................................................................137

22.3 Steps for Firmware upgrade from Web GUI..............................................................138

22.4 Steps for Database Update from Web GUI...............................................................139

22.5 Steps for Factory Reset............................................................................................140

22.5.1 Step for factory reset under web GUI........................................................................................140

22.5.2

22.5.3

Step for NORMAL factory reset................................................................................................140

Steps for EMERGENT factory reset..........................................................................................140

22.6 Save the current configuration..................................................................................141

22.7 Steps for Backup / Restore Configurations...............................................................141

22.8 Steps for Reset password.........................................................................................142

Appendix A Command Line Interface (CLI).....................................................143

A.1 Enable the port of MH-5000......................................................................................143

A.2 CLI commands list (Normal Mode)............................................................................143

A.3 CLI commands list (Rescue Mode)..................................................................................145

Appendix B Troubleshooting............................................................................147

Appendix C System Log Syntax.......................................................................151

Appendix D Glossary of Terms........................................................................158

Appendix E Index..............................................................................................160

Appendix F Version of Software and Firmware..............................................161

MH-5000 User Manual Chapter 1

Quick Start

Chapter 1

Quick Start

This chapter introduces how to quick setup the MH-5000.

MH-5000 is an integrated all-in-one solution that can facilitate the maximum security and the best resource utilization for the enterprises. It contains a high-performance stateful packet inspection (SPI) Firewall, policy-based NAT, ASIC-based wire-speed VPN, upgradeable Intrusion Detection System, Dynamic Routing, Content Filtering, Bandwidth Management, WAN Load Balancer, Anti-Virus, Anti-Spam and other solutions in a single box. It is one of the most cost-effective all-in-one solutions for enterprises.

1.1 Check Your Package Contents

These are the items included with your MH-5000 purchase. They are the following items

1. MH-5000 x 1

2. Quick Installation Guide x 1

3. CD-ROM Manual / Installation Guide x 1

4. Power Cord x 1

5. Rack mount x 1

6. RS-232 cable x 1

1.2 Five steps to configure MH-5000 quickly

Let’s look at the common network topology without MH-5000 applying like Figure 1-1. This is a topology which is almost used by all the small/medium business or SOHO use as their internet connectivity. Although that your topology is not necessarily the same diagram below, but it still can give you a guideline to configure MH-5000 quickly.

Now you can pay attention at the IP Sharer in the diagram. The IP Sharer can provide you with NAT (Network Address Translation), PAT (Port Address Translation) and other functions.

Figure 1-1 The example before MH-5000 applies on it

Figure 1-2 The example after MH-5000 applies on it

MH-5000 User Manual Chapter 1

Quick Start

Here we would like to alter the original IP Sharer with the MH-5000 like Figure 1-2. If we hope to have MH-5000 to replace the IP Sharer, we just need to simply execute the following five steps as Figure 1-3 showed. By these steps, we hope to build an image to tell you how to let MH-5000 work basically.

Figure 1-3 Five steps to configure MH-5000

As the Figure 1-3 illustrated, with the five-step configurations, MH-5000 will have the same functions with the original IP Sharer. Please see the following description of the five-step configurations.

1. Setup: Install three physical lines inclusive of the power cord, outbound link (connected WAN1 port) and inbound direction (connected LAN1 port). For the details, please refer section 1.3. Continually, we will connect to the web GUI of MH-5000. So you must make sure that you have a PC which is located in the same subnet with MH-5000 before this step.

Start up the Internet browser with “http://192.168.1.254” in the address field. And follow with “admin/admin” as the default user name and password.

Note: The default LAN1 port is (192.168.1.254 / 255.255.255.0). Refer to section 1.5 for more information.

2. LAN: Configure the LAN1 port of MH-5000. You can refer to section 1.4 for the default network configurations of MH-5000.

Note: If you were connected from LAN1 port and changed the LAN1 IP address settings of MH-5000. The network will be disconnected since the IP address is different between your pc and MH-5000 LAN1 port.

3. WAN: Configure the WAN1 port of MH-5000. You can refer to section 1.4 for the default network configurations of MH-5000.

MH-5000 User Manual Chapter 1

Quick Start

4. NAT: Configure the connection of LAN to WAN direction. It will make all the client pc access the internet through MH-5000. For more information, please refer to section 1.6.1.

5. Virtual Server: If there is any server located inside the MH-5000. You may hope these servers can provide services outside. So you should configure the Virtual Server which provides connections of WAN to LAN direction. For more information, please refer to section 1.6.2.

After you completely finished the above steps, the connectivity function of MH-5000 is probably well-done.

1.3 Wiring the MH-5000

A. First, connect the power cord to the socket at the back panel of the MH-5000 as in

plug the other end of the power adapter to a wall outlet or power strip. The Power LED will turn ON to indicate proper operation.

Figure 1-4

and then

Figure 1-4 Back panel of the MH-5000

B. Using an Ethernet cable, insert one end of the cable to the WAN port on the front panel of the MH-5000

and the other end of the cable to a DSL or Cable modem, as in Figure 1-5.

C. Computers with an Ethernet adapter can be directly connected to any of the LAN ports using a

cross-over Ethernet cable, as in Figure 1-5.

D. Computers that act as servers to provide Internet services should be connected to the DMZ port using

an Ethernet Cable, as in Figure 1-5.

MH-5000 User Manual Chapter 1

Quick Start

Figure 1-5 Front end of the MH-5000

MH-5000 User Manual Chapter 1

Quick Start

1.4 Default Settings and architecture of MH-5000

You should have an Internet account already set up and have been given most of the following information as Table 1-1. Fill out this table when you edit the web configuration of MH-5000.

Items Default value New value

Password: admin

IP Address ____.____.____.____

Subnet Mask ____.____.____.____

WAN1

(Port 1)

WAN2

(Port 2)

DMZ1(Port 3)

Fixed IP

PPPoE

DHCP

Fixed IP

PPPoE

DHCP

Gateway IP ____.____.____.____

Primary DNS ____.____.____.____

Secondary DNS ____.____.____.____

PPPoE Username ____.____.____.____

PPPoE Password ____.____.____.____

IP Address ____.____.____.____

Subnet Mask ____.____.____.____

Gateway IP ____.____.____.____

Primary DNS ____.____.____.____

Secondary DNS ____.____.____.____

PPPoE Username ____.____.____.____

PPPoE Password

IP Address 10.1.1.254 ____.____.____.____

IP Subnet Mask 255.255.255.0 ____.____.____.____

Not initialized

____.____.____.____

LAN1(Port 4)

LAN2(Port 5)

IP Address 192.168.1.254 ____.____.____.____

IP Subnet Mask 255.255.255.0 ____.____.____.____

IP Address 192.168.2.254 ____.____.____.____

IP Subnet Mask 255.255.255.0 ____.____.____.____

Table 1-1 MH-5000 related network settings

MH-5000 User Manual Chapter 1

Quick Start

Figure 1-6 The default settings of MH-5000

As the above diagram Figure 1-6 illustrated, this diagram shows the default topology of MH-5000. And you can configure the MH-5000 by connecting to the LAN1_IP (192.168.1.254) from the PC1_1 (192.168.1.1). In the following sections, we will teach you how to quickly setup the MH-5000 in the basic appliances.

1.5 Using the Setup Wizard

A computer on your LAN1 must be assigned an IP address and Subnet Mask from the same range as the IP address and Subnet Mask assigned to the MH-5000, in order to be able to make an HTTPS connection using a web browser. The MH-5000 is assigned an IP address of 192.168.1.254 with a Subnet Mask of 255.255.255.0 by default. The computer that will be used to configure the MH-5000 must be assigned an IP address between 192.168.1.1 and 192.168.1.253 with a Subnet Mask of 255.255.255.0 to be able to connect to the MH-5000. This address range can be changed later.

MH-5000 User Manual Chapter 1

Quick Start

Step 1. Login

Type “admin” in the account field, “admin” in the Password field and click Login.

Step 2. Run Setup Wizard

Click the Run Setup Wizard.

Connect to https://192.168.1.254

After login to https://192.168.1.254

BASIC SETUP > Wizard

Step 3. System Name

Enter the Host Name and the Domain Name, followed by clicking the Next.

BASIC SETUP > Wizard

MH-5000 User Manual Chapter 1

Quick Start

Step 4. WAN Connectivity

Choose the type of IP Address Assignment provided by your ISP to access the Internet. Here we have four types to select. This will determine how the IP address of WAN1 is obtained. Click Next to proceed.

Step 4.a — DHCP client

If Get IP Automatically (DHCP) is selected, MH-5000 will request for IP address, netmask, and DNS servers from your ISP. You can use your preferred DNS by clicking the DNS IP Address and then completing the Primary DNS and Secondary DNS server IP addresses. Click Next to proceed.

BASIC SETUP > Wizard > Next

BASIC SETUP > Wizard > Next > DHCP

Step 4.b — Fixed IP

If Fixed IP Address is selected, enter the ISP-given IP Address, Subnet Mask, Gateway IP, Primary DNS and Secondary DNS IP. Click Next to proceed.

BASIC SETUP > Wizard > Next > Fixed IP

MH-5000 User Manual Chapter 1

Quick Start

Step 4.c — PPPoE client

If PPP over Ethernet is selected, enter the ISP-given User Name, Password and the optional Service Name. Click Next to proceed.

Step 4.d — Alert Message

Please Note that an alert message box “When changing to none fixed ip mode, system will delete all ip alias!” will appear while you change Get IP Automatically (DHCP) or PPP over Ethernet but not Fixed IP Address as your WAN link.

Step 5. System Status

Here we select Fixed IP method in WAN1 port. Then the MH-5000 provides a short summary of the system. Please check if anything mentioned above is properly set into the system. Click Finish to close the wizard.

BASIC SETUP > Wizard > Next > PPPoE

BASIC SETUP > Wizard > Run Setup Wizard > Next > Next

1.6 Internet Connectivity

After setting up MH-5000 with the wizard, MH-5000 can connect to the ISP. In this chapter, we introduce LAN1-to-WAN1 Connectivity to explain how the computers under LAN1 can access the Internet at WAN1 through MH-5000.

MH-5000 User Manual Chapter 1

Quick Start

Subsequently, we introduce WAN1-to-DMZ1 Connectivity to explain how the servers under DMZ1 can be accessed by the LAN1 users and other Internet users on the WAN1 side.

You MUST press Apply to proceed to the next page. Once applying any changes, the settings are immediately

updated into the flash memory.

1.6.1 LAN1-to-WAN1 Connectivity

The LAN Settings page allows you to modify the IP address and Subnet Mask that will identify the MH-5000 on your LAN. This is the IP address you will enter in the URL field of your web browser to connect to the MH-5000. It is also the IP address that all of the computers and devices on your LAN will use as their Default Gateway.

Step 1. Device IP Address

Setup the IP Address and IP Subnet Mask for the MH-5000.

Step 2. Client IP Range

Enable the DHCP server if you want to use MH-5000 to assign IP addresses to the computers under LAN1. Specify the Pool Starting Address, Pool Size, Primary DNS, and Secondary DNS that will be assigned to them.

Example: in the figure, the MH-5000 will assign one IP address from 192.168.1.100 ~

192.168.1.119, together with the DNS server

192.168.1.254, to the LAN1 PC that requests

for an IP address.

Step 3. Apply the Changes

Click Apply to save. Now you can enable the DHCP clients on your LAN1 PCs to get an IP.

Step 4. Check NAT Status

The default setting of NAT is in Basic Mode. After completing Step 3, the NAT is automatically configured related rules to let all private-IP LAN/DMZ-to-WAN requests to be translated with the public IP assigned by the ISP.

BASIC SETUP > LAN Settings > LAN1 Status

Note: The IP Pool Starting Address must be on the same subnet specified in the IP Address and the IP Subnet Mask field.

For example, the addresses given by the 192.168.1.100 with a pool size of 20 (192.168.1.100 ~ 192.168.1.119) are all within the same range of 192.168.1.254 /

255.255.255.0

ADVANCED SETTINGS > NAT > Status

MH-5000 User Manual Chapter 1

Quick Start

Step 5. Check NAT Rules

The MH-5000 has added the NAT rules as the right diagram. The rule Basic-LAN1 means that, when matching the condition (requests of LAN/DMZ-to-WAN direction with its source IP falling in the range of 192.168.1.254 /

255.255.255.0), the request will be translated

into a public-source-IP requests, and then be forwarded to the destinations.

ADVANCED SETTINGS > NAT > NAT Rules

1.6.2 WAN1-to-DMZ1 Connectivity

This section tells you how to provide an FTP service with a server installed under your DMZ1 to the public Internet users. After following the steps, users at the WAN side can connect to the FTP server at the DMZ1 side.

Step 1. Device IP Address

Setup the IP Address and IP Subnet Mask for the MH-5000 of the DMZ1 interface.

Step 2. Client IP Range

Enable the DHCP server if you want to use MH-5000 to assign IP addresses to the computers under DMZ1.

BASIC SETUP > DMZ Settings > DMZ1 Status

Step 3. Apply the Changes

Click Apply to save your settings.

MH-5000 User Manual Chapter 1

Quick Start

Step 4. Check NAT Status

The default setting of NAT is in Basic Mode. After applying the Step 3, the NAT is automatically configured related rules to let all private-IP LAN/DMZ-to-WAN requests to be translated with the public IP assigned by the ISP.

Step 5. Check NAT Rules

The MH-5000 has added the NAT rules as the right diagram. The rule Basic-DMZ1 (number 1) means that, when matching the condition (requests of LAN/DMZ-to-WAN direction with its source IP falling in the range of 10.1.1.254 / 255.255.255.0), the request will be translated into a public-source-IP requests, and then be forwarded to the destinations.

ADVANCED SETTINGS > NAT > Status

ADVANCED SETTINGS > NAT > NAT Rules

Step 6. Setup IP for the FTP

Server

Step 7. Setup Server Rules

Insert a virtual server rule by clicking the Insert button.

Assign an IP of 10.1.1.5/255.255.255.0 to the FTP server under DMZ1. Assume the FTP Server is at 10.1.1.5. And it is listening on the well-known port (21).

ADVANCED SETTINGS > NAT > Virtual Servers

MH-5000 User Manual Chapter 1

Quick Start

Step 8. Customize the Rule

Customize the rule name as the ftpServer. For any packets with its destination IP address equaling to the WAN1 IP (61.2.1.1) and destination port equaling to 44444. MH-5000 will translate the packet’s destination IP/port into 10.1.1.5/21. Check the Passive FTP client to maximize the compatibility of the FTP protocol. This is useful if you want to provide connectivity to passive FTP clients. For passive FTP clients, the server at DMZ will return them the private IP address (10.1.1.5) and the port number for the clients to connect back for data transmissions. Since the FTP clients at the WAN side cannot connect to a private-IP (ex.10.1.1.5) through the internet. The data connections would fail. After enabling this feature, the MH-5000 will translate the private IP/port into an IP/port of its own. Thus the problem is gracefully solved. Another point is to be sure to check “Auto update to Firewall rules when you Apply this page?” or “Auto update to NAT rules when you Apply this page?” Then, the virtual server rule will add Firewall or NAT rules automatically. Click Apply to proceed.

Step 9. View the Result

Now any request towards the MH-5000’s WAN1 IP (61.2.1.1) with dest. port 44444 will be translated into a request towards 10.1.1.5 with port 21, and then be forwarded to the

10.1.1.5. The FTP server listening at port 21

in 10.1.1.5 will pick up the request.

ADVANCED SETTINGS > NAT > Virtual Servers > Insert

ADVANCED SETTINGS > NAT > Virtual Servers

Step 10. View the NAT Rules

In the previous Step 8, we have already checked “Auto update to Firewall/NAT rules when you Apply this page”, so it will automatically add one NAT rule to transfer the IP address of virtual server when server responses packet back to the client.

ADVANCED SETTINGS > NAT > NAT Rules

MH-5000 User Manual 0

Step 11. View the Firewall Rules

The same as Step 10. When we check “Auto update to Firewall/NAT rules when you Apply this page”, it will automatically add one Firewall rule in the WAN1 to DMZ1 direction. This firewall rule will let the packets with dest. IP address/port be matched with virtual server rule in order to pass through MH-5000.

ADVANCED SETTINGS > Firewall > Edit Rules

MH-5000 User Manual Chapter 2

System Overview

Chapter 2

System Overview

In this chapter, we will introduce the network topology for use with later chapters.

2.1 Typical Example Topology

In this chapter, we introduce a typical network topology for the MH-5000. In Figure 2-1, the left half side is a MH-5000 with one LAN, one DMZ, and one WAN link. We will demonstrate the administration procedure in the later chapters by using the below Figure 2-1.

The right half side contains another MH-5000 connected with one LAN, one DMZ, and one WAN. You can imagine this is a branch office of Organization_1. In this architecture, all the users under Organization can access sever reside in the Internet or DMZ region smoothly. Besides, Organization_1 communicates with Organization_2 with a VPN tunnel established by the two MH-5000 Multi-Homing Security Gateways. The VPN tunnel secures communications between Organizations more safely.

We will focus on how to build up the topology using the MH-5000 as the following Figure 2-1. In order to achieve this purpose, we need to know all the administration procedure.

Figure 2-1 Typical topology for deploying MH-5000

MH-5000 User Manual Chapter 2

System Overview

Continually, we will introduce all the needed administration procedure in the following section.

1. Chapter3 Basic Setup How to configure the WAN/DMZ/LAN port settings..

2. Chapter6 ~ Chapter8 NAT, Routing and Firewall Introducing the NAT, Routing, Firewall features.

3. Chapter9 ~ Chapter12 VPN Technology Introduction If you need to build a secure channel with your branch office, or wish to access the inside company resource as usual while outside your company, the Virtual Private Network (VPN) function can satisfy you.

4. Chapter13 ~ Chapter15 Content Filtering If you hope to restrict the web contents, mail attachments, or downloaded ftp file from intranet region, try this feature to fit your requirement.

5. Chapter16 Intrusion Detection System Use the Intrusion Detection System (IDS) to detect all the potential DoS attacks, worms, hackers from Internet.

6. Chapter17 Bandwidth Management If you wish to make your inbound/outbound bandwidth utilized more efficiently, you may use the Bandwidth Management feature to manage your bandwidth.

7. Chapter19 ~ Chapter21 System Maintenance In this part, we provide some useful skills to help you to justify MH-5000 more securely and steadily.

2.2 Changing the LAN1 IP Address

The default settings of MH-5000 are listing in Table 1-1. However, the original LAN1 setting is

192.168.1.254/255.255.255.0 instead of 192.168.40.254/255.255.255.0 as in Figure 2-1. We will change the LAN1 IP of

the MH-5000 to 192.168.40.254.

We provide two normal ways to configure the LAN1 IP address. One is to configure the LAN1 IP from LAN1 port. The other way is to configure the LAN1 IP through console.

2.2.1 From LAN1 to configure MH-5000 LAN1 network settings

Step 1. Connect to the MH-5000

Using a network line to connect MH-5000 with LAN1 port. The PC which connected to MH-5000 must be assigned 192.168.1.X address (LAN1 default IP address is 192.168.1.254/24). Type

https://192.168.1.254

or http://192.168.1.254:8080 to configure the MH-5000 in the web browser.

Use an IE at 192.168.1.1 to connect to https://192.168.1.254

MH-5000 User Manual Chapter 2

System Overview

Step 2. Setup LAN1 IP information

Enter the IP Address and IP Subnet Mask with

192.168.40.254 / 255.255.255.0 and click Apply.

Warning: After you apply the changed settings, the network will be disconnected instantly since the network IP address you login is changed.

BASIC SETUP > LAN Settings > LAN1 Status

2.2.2 From CLI (command line interface) to configure MH-5000 LAN1 network

settings

Step 1. Use Console port to configure

MH-5000

Use the supplied console line to connect the PC to the Diagnostic RS-232 socket of the MH-5000. Start a new connection using the HyperTerminal with parameters: No Parity, 8 Data bits, 1 stop bit, and baud rate 9600. Enter admin for user name and admin for password to login. After logging into MH-5000, enter the commands “en“ to enter the privileged mode. Enter the command “ip ifconfig INTF3 192.168.40.254 255.255.255.0” to change the IP of the LAN1 interface.

MH-5000 User Manual Chapter 2

Status field:

name of this rule

Condition field:

packet hold? And it will

Action field:

by this rule? What action

will this rule do?

System Overview

2.2.3 The design principle

2.2.4 Web GUI design principle

Figure 2-2 You can select the functional area by the sequence in Web GUI

If we want to configure MH-5000, we can follow the sequence as the Figure 2-2 illustrated. Step1. Select Main-function Step2. Select Sub-function Step3. Select Tag Step4. Configure the real parameters

2.2.5 Rule principle

Describe the status and

What kind of characteristics does

If the packet is captured

Figure 2-3 The rule configuration is divided into three parts

MH-5000 User Manual Chapter 2

Status field:

Condition field:

Action field:

If the packet is captured by this

do?

If you are not satisfied with the

efore button.

System Overview

You may find many rules configuration in the MH-5000. They are distributed in the respective feature. These rules include

1. NAT rule

2. Virtual Server rule

3. Firewall rule

4. Policy route rule

5. Bandwidth management rule

The behavior of each rule is different, and so are their configuration parameters. But the designed principle of each rule is the same. The configuration is divided into three parts as Figure 2-3 illustrated. You just need to enter the necessary information onto each part according to your requirement. As for the definitions of the three-part configuration, please refer to the following description.

1. Status: Describe the status and name of this rule.

Condition

3. Action: If the packet is captured by this rule? What action will this rule do?

As the Figure 2-4 illustrated, the page of the rule edition is also divided into three parts. Their definitions are also the same as we have discussed in Figure 2-3.

Additionally, please note that there is a button named “Move Before” in the Figure 2-4. If you are not satisfied with the current rule sequence, you can adjust the rule sequence by using the “Move Before” button.

: What kind of characteristics does packet hold? And it will be captured by this rule.

Describe the status and name of this rule

What kind of characteristics does packet hold? And it will be captured by this rule

rule? What action will this rule

current rule sequence the rule sequence by using the Move

Figure 2-4 The rules in the page of the rule edition are also divided into three parts.

MH-5000 User Manual Chapter 3

Basic Setup

Chapter 3

Basic Setup

In this chapter, we will introduce how to setup network settings for each port separately

3.1 Demand

1. For the external network, suppose your company uses DSL to connect Internet via fixed-IP. By this way, you should setup WAN port of the MH-5000 in advance.

2. There are some adjustment within your company, so the original network stucture has been changed. Now, you should modify the configuration between the internal network (DMZ, LAN).

3. Your company needs more network bandwidth if it is insufficent for your company to connect to the external network. Suppose there are many public IPs in your commpany. You would like to specify an unique public IP to a local server.

3.2 Objectives

1. Configure the network settings of the MH-5000 WAN1 port.

2. Configure the network settings of the MH-5000 DMZ1 and LAN1 ports.

3. We hope to assign another IP address to the same WAN port we have configured an existed IP address before.

3.3 Methods

1. Select the Fixed IP Address method in the MH-5000 Basic Setup/WAN settings/WAN1 IP, and then configure the related account and password in order to connet to the internet.

2. Configure the related network settings in the pages of the MH-5000 Basic Setup / DMZ settings / DMZ1 Status、 Basic Setup / LAN settings / LAN1 Status.

3. Configure the IP alias in WAN1 port.

3.4 Steps

3.4.1 Setup WAN1 IP

Step 1. Setup WAN1 port

Here we select Fixed IP Address method in WAN1 port. Fill in the IP Address, Subnet Mask, Gateway IP. And then enter the other DNS IP Address, Routing Protocol fields. Click Apply to finish this setting.

BASIC SETUP > WAN Settings > WAN1 IP > Fixed IP Address

MH-5000 User Manual Chapter 3

Basic Setup

IP Address

Assignment

Get IP

Automatically

(DHCP)

FIELD DESCRIPTION Range / Format

Default WAN link (Gateway/DNS)

Get DNS Automatically / DNS IP Address

Routing Protocol

OSPF Area ID Specify OSPF area ID number

Default WAN link (Gateway/DNS)

When Default WAN link is enabled, all the packets sent out from MH-5000 will be via this port.

Get DNS Automatically à Get DNS related information from DHCP Server

DNS IP Address à manually specify these Primary and Secondary DNS Server information

Determine to enable the dynamic routing protocol, to receive RIP message, to send out the RIP message if the RIP message is received or not.

When Default WAN link is enabled. All the packets sent out from MH-5000 will be via this port.

Enable/Disable Enabled

Get DNS Automatically / DNS IP Address

None, RIPv1/In, RIPv1/In+Out, RIPv2/In, RIPv2/In+Out, OSPF

IPv4 format or digit string (Max 9 bits)

Enable/Disable Enabled

EXAMPLE

Get DNS

Automatically

None

Fixed IP Address

PPP over Ethernet

IP Address Specified IP address IPv4 format 61.2.1.1

Subnet Mask Specified subnet mask IPv4 format 255.255.255.248

Gateway IP Default gateway IP address IPv4 format 61.2.1.6

DNS IP Address:

Primary DNS Secondary DNS

Routing Protocol

OSPF Area ID Specify OSPF area ID number

Default WAN link (Gateway/DNS)

Service Name ISP vendor (Optional) text string So-Net

Specified Primary and Secondary DNS Server address

Determine to enable the dynamic routing protocol, to receive RIP message, to send out the RIP message if the RIP message is received or not.

When Default WAN link is enabled. All the packets sent out from MH-5000 will be via this port.

IPv4 format

None, RIPv1/In, RIPv1/In+Out, RIPv2/In, RIPv2/In+Out, OSPF

IPv4 format or digit string (Max 9 bits)

Enable/Disable Enabled

Primary DNS:

168.95.1.1

Secondary DNS:

0.0.0.0

None

MH-5000 User Manual Chapter 3

Basic Setup

User Name The user name of PPPoE account text string Hey

Password The password of PPPoE account text string G54688

Get DNS Automatically à Get DNS related

Get DNS Automatically / DNS IP Address

information from PPPoE ISP DNS IP Address à manually specify these

Primary and Secondary DNS Server information

Get DNS Automatically / DNS IP Address

Get DNS

Automatically

Connect / Disconnect button

Table 3-1 Detailed information of setup WAN port configuration

Through click Connect or Disconnect button to connect or disconnect PPPoE link

3.4.2 Setup DMZ1, LAN1 Status

Step 1. Setup DMZ port

Here we are going to configure the DMZ1 settings. Setup IP Address and IP Subnet Mask, and determine if you would like to enable the DHCP Server. And then select Routing Protocol. Click Apply to finish this setting.

Connect / Disconnect

BASIC SETUP > DMZ Settings > DMZ1 Status

Click Connect

FIELD DESCRIPTION Range / Format

IP Address DMZ port IP address IPv4 format 10.1.1.254

IP Subnet Mask DMZ port IP subnet mask netmask format 255.255.255.0

Enable DHCP Server Enable DMZ port of the DHCP Sever or not Enable/Disable Enabled

IP Pool Starting Address

Pool Size(max size:

253)

Primary DNS Server

Secondary DNS Server

Specify the starting address of the DHCP IP address.

Specify the numbers of the DHCP IP address. 1 ~253 20

Specify the Primary DNS Server IP address of the DHCP information.

Specify the Secondary DNS Server IP address of the DHCP information.

IPv4 format in the DMZ address range

IPv4 format 10.1.1.254

IPv4 format 0.0.0.0

EXAMPLE

10.1.1.1

+ 138 hidden pages

Planet mh-5000 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

1.1 Check Your Package Contents

1.2 Five steps to configure MH-5000 quickly

1.3 Wiring the MH-5000

1.4 Default Settings and architecture of MH-5000

1.5 Using the Setup Wizard

1.6 Internet Connectivity

2.1 Typical Example Topology

2.2 Changing the LAN1 IP Address

3.1 Demand

3.2 Objectives

3.3 Methods

3.4 Steps