Copyright (C) 2006 PLANET Technology Corp. All rights reserved.
The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s
Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware,
software, and documentation are copyrighted.
No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium
or machine-readable form by any means, electronic or mechanical, including photocopying, recording, or information
storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express
written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and
makes no warranty and representation, either implied or expressed, with respect to the quality, performance,
merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any
inaccuracies or omissions that may have occurred.
Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of
PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET
makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make
improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and
suggestions.
CE mark Warning
This is a class B device. In a domestic environment, this product may cause radio interference, in which case the user
may be required to take adequate measures.
To avoid the potential effects on the environment and human health as a result of the presence of hazardous
substances in electrical and electronic equipment, end users of electrical and electronic equipment should
understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted
municipal waste; such WEEE must be collected separately.
Trademarks
The PLANET logo is a trademark of PLANET Technology.
This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases,
these designations are claimed as trademarks or registered trademarks by their respective companies.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please refer to the following
Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ Multi-Homing Security Gateway serial number and MAC address
♦ Any error messages that were displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
PLANET’s Multi-Homing Security Gateway, MH-1000, integrates cutting-edge technology including
Load Balancing, VPN and Firewall for central sites to establish an office network and connect with branch
offices, remote dial-up users and tele-workers. It is designed for businesses requiring an application-based network
solution at low capital investment and caters to the needs of small and medium sized businesses.
Built-in multiple WAN interfaces protect your Internet connection from failure and reduce the risk
of a shutdown if one of the Internet connections fails. Moreover, it allows you to perform
load-balancing by distributing the traffic through two WAN connections.
In addition to being a multi-homing device, PLANET’s Multi-Homing Security Gateway provides a complete
security solution in a box. The policy-based firewall, content filtering function and VPN connectivity with
3DES and AES encryption make it a perfect product for your network security. A bandwidth management
function is also supported to offer network administrators an easy yet powerful means to allocate network
resources based on business priorities, and to shape and control bandwidth usage.
1.1 Features
♦ WAN Fail-over: The auto failover feature can be configured for a second connection to ensure redundant
connectivity when the primary line fails.
♦ Load Balancing: MH-1000 provides the ability to balance the workload by distributing incoming traffic
across the two connections.
♦ DNS inbound load balance: The MH-1000 can be configured to reply with the WAN2 IP address to a
DNS domain name request if WAN1 fails.
♦ VPN Connectivity: The security gateway supports PPTP and IPSec VPN. With DES, 3DES and AES
encryption and SHA-1 / MD5 authentication, network traffic over the public Internet is secured.
♦ PPTP Server: The MH-1000 also provides a PPTP server feature; a remote user can connect to the
MH-1000 PPTP server without complex settings and access LAN resources.
♦ Content Filtering: The security gateway can block network connections based on URLs and scripts
(pop-ups, Java Applets, cookies and ActiveX).
♦ SPI Firewall: Built-in Stateful Packet Inspection (SPI) can determine if a data packet is allowed through
the firewall to the private LAN.
♦ Denial of Service (DoS): The MH-1000 protects against DoS attacks by hackers, so that the private LAN
can be securely connected to the Internet.
♦ Quality of Service (QoS): Network packets can be classified based on IP address and TCP/UDP port
number and given guaranteed and maximum bandwidth with three levels of priority.
♦ Dynamic Domain Name Service (DDNS): The Dynamic DNS service allows users to alias a dynamic IP
address to a static hostname.
Multi-Homing Security Gateway User’s Manual
1.2 Package Contents
The following items should be included:
MH-1000
♦ Multi-Homing Security Gateway
♦ User’s Manual CD-ROM
♦ This Quick Installation Guide
♦ Power Adapter
♦ Bracket x 2 (For rack-mounted)
♦ Screw x 4 (For rack-mounted)
If any of the contents are missing or damaged, please contact your dealer or distributor immediately.
1.3 MH-1000 Front View
MH-1000 Front Panel
LED          Description
PWR          A solid light indicates a steady connection to a power source
STATUS       A blinking light indicates the device is writing to flash memory
LAN 1 - 8    Lit when connected to an Ethernet device
             10/100: Lit green when connected at 100Mbps; not lit when connected at 10Mbps
             LNK/ACT: Lit when device is connected; blinking when data is transmitting/receiving
WAN1, WAN2   Lit when connected to an Ethernet device
             10/100: Lit green when connected at 100Mbps; not lit when connected at 10Mbps
             LNK/ACT: Lit when device is connected; blinking when data is transmitting/receiving
1.4 MH-1000 Rear Panel
MH-1000 Rear Panel
Port or button   Description
RESET            To reset device and restore factory default settings, after the device is fully booted,
                 press and hold RESET until the Status LED begins to blink.
WAN 1, WAN2      Connect to your xDSL/Cable modem or other Internet connection devices
LAN 1 - 8        Connect to your local PC, switch or other local network device
DC 12V           Connect DC Power Adapter here (12VDC)
1.5 Specification
Product   Multi-homing Security Gateway
Model     MH-1000
Hardware
Ethernet
Static IP, PPPoE, PPTP, Big Pond and DHCP client connection to ISP
NAT, Static Route, RIP-2
Dynamic Domain Name System (DDNS)
Virtual Server and DMZ
DHCP server
NTP
Increased bandwidth of outbound and inbound traffic
DNS inbound load balance
Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention
Packet Filter (by IP, port number and packet type)
E-mail alert and logs of attack
MAC Address Filtering
URL Filtering
Java Applet/Active X/Web Proxy/Surfing of IP Address/Cookie Blocking
IPSec: 100, PPTP: 4
PPTP, IPSec VPN support
DES, 3DES and AES encrypting
SHA-1 / MD5 authentication algorithm
Remote access VPN (Client-to-Site) and Site to Site VPN
IPSec, PPTP, L2TP pass through
Support DiffServ approach
Prioritization and bandwidth managed by IP, Port number and MAC address
Syslog support
E-mail Alert
Chapter 2: Router Application
2.1 Overview
MH-1000 is a versatile device that can be configured to not only protect your network from malicious
attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both
Inbound and Outbound Load Balancing. Alternatively, MH-1000 can also be set to redirect incoming and
outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability.
2.2 Bandwidth Management with QoS
Quality of Service (QoS) gives you full control over which types of outgoing data traffic should be given
priority by the router. By doing so, the router can ensure that latency-sensitive applications like voice,
bandwidth-consuming data like gaming packets, or even mission critical files efficiently move through the
router even under a heavy load. You can throttle the speed at which different types of outgoing data pass
through the router. In addition, you can simply change the priority of different types of upload data and let
the router sort out the actual speeds.
2.2.1 Transparent Mode Connection Example
QoS generally involves the prioritization of network traffic. QoS is comprised of three major components:
Classifier, Meter, and Scheduler. Each of these components has a distinct role in ensuring that incoming
and outgoing data is managed according to user specifications.
The Classifier analyses incoming packets and marks each one according to configured parameters. The
Meter communicates the drop priority to the Scheduler and measures the temporal priorities of the output
stream against configured parameters. Finally, the Scheduler schedules each packet for transmission
based on information from both the Classifier and the Meter.
2.2.2 QoS Policies for Different Applications
By setting different QoS policies according to the applications you are running, you can use MH-1000 to
optimize the bandwidth that is being used on your network.
[Figure: QoS policies for VoIP, normal PCs and a restricted PC]
As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latencies
to function properly. If bandwidth is being used by other applications such as an FTP server, users using
VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this
network has assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth
communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make
sure that regular service to both VoIP and normal Internet applications is uninterrupted.
2.2.3 Guaranteed / Maximum Bandwidth
Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of
bandwidth. For example, you can configure MH-1000 to reserve 10% of the available bandwidth for a
particular computer on the network to transfer files.
Alternatively you can set a Maximum Bandwidth to restrict a particular application to a fixed percentage of
the total throughput. Setting a Maximum Bandwidth of 20% for a file sharing program will ensure that no
more than 20% of the available bandwidth will be used for file sharing.
2.2.4 Policy Based Traffic Shaping
Policy Based Traffic Shaping allows you to apply specific traffic policies across a range of IP addresses
or ports. This is particularly useful for assigning different policies for different PCs on the network.
Policy based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network
service to your organization.
2.2.5 Priority Bandwidth Utilization
Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from
this particular service. Assigning a higher priority to an application ensures that it is processed ahead of
applications with a lower priority and vice versa.
2.2.6 Management by IP or MAC address
MH-1000 can also be configured to apply traffic policies based on a particular IP or MAC address. This
allows you to quickly assign different traffic policies to a specific computer on the network.
2.2.7 DiffServ (DSCP Marking)
DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values. These markings
can be used to identify traffic within the network. Other interfaces can match traffic based on the DSCP
markings. DSCP markings are used to decide how packets should be treated, and are a useful tool to give
precedence to varying types of data.
2.3 Outbound Traffic
This section outlines some of the ways you can use MH-1000 to manage outbound traffic.
2.3.1 Outbound Fail Over
Configuring MH-1000 for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted.
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via
WAN1 (IP_230.100.100.1) on MH-1000. Should WAN1 fail, Outbound Fail Over tells MH-1000 to reroute
outgoing traffic to WAN2 (IP_213.10.10.2). Configuring your MH-1000 for Outbound Fail Over provides a
more reliable connection for your outgoing traffic.
Please refer to appendix D for example settings.
2.3.2 Outbound Load Balancing
Outbound Load Balancing allows MH-1000 to intelligently manage outbound traffic based on the amount of
load of each WAN connection.
[Figure: Outbound Load Balancing example (labels: 192.168.2.2, 192.168.2.3, 230.100.100.1, ISP)]
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via
WAN1 (IP_230.100.100.1) and WAN2 (IP_213.10.10.2) on MH-1000. You can configure MH-1000 to
balance the load of each WAN port with one of two mechanisms:
1. Session (by session/by traffic/weight of link capability)
2. IP Hash (by traffic/weight of link capability)
The IP Hash mechanism will ensure that the traffic from the same source IP address and destination IP
address will go through the same WAN port. This is useful for some server applications that need to identify
the source IP address of the client.
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is
efficiently handled by making sure that both ports are equally sharing the load, preventing situations where
one port is completely saturated by outbound traffic.
Please refer to appendix D for example settings.
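An added Python sketch of the IP Hash idea described above (not MH-1000 firmware; the hash function, the weights and the 198.18.0.0 destination range are assumptions): each source/destination pair is mapped to one live WAN port in proportion to link weight, and the pair is re-mapped only when a port goes down.

```python
"""Added illustration of IP Hash outbound balancing (not MH-1000 firmware)."""
from __future__ import annotations

import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class WanLink:
    name: str
    ip: str
    weight: int       # "weight of link capability"; the unit is an assumption
    up: bool = True


def pick_wan(src: str, dst: str, links: list[WanLink]) -> WanLink:
    """Map a (source IP, destination IP) pair onto one live WAN link.

    The pair always hashes to the same link while the set of live links is
    unchanged, and a link with a larger weight owns a larger share of the
    hash space.
    """
    live = [link for link in links if link.up and link.weight > 0]
    if not live:
        raise RuntimeError("no WAN link is up")
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    # SHA-256 is used only as a well-mixed deterministic hash, not for secrecy.
    digest = hashlib.sha256(key).digest()
    bucket = int.from_bytes(digest[:8], "big") % sum(link.weight for link in live)
    for link in live:
        if bucket < link.weight:
            return link
        bucket -= link.weight
    raise AssertionError("bucket is always below the total weight")


def share_per_link(src: str, links: list[WanLink], flows: int = 4000) -> Counter:
    """Count how many constructed destinations from one source land on each link."""
    base = int(ipaddress.ip_address("198.18.0.0"))    # constructed destination range
    return Counter(
        pick_wan(src, str(ipaddress.ip_address(base + i)), links).name
        for i in range(flows)
    )


def source_ip_seen_by_server(src: str, dst: str, links: list[WanLink]) -> str:
    """After NAT the remote server sees the IP of the WAN port the flow leaves from."""
    return pick_wan(src, dst, links).ip


if __name__ == "__main__":
    # WAN addresses are the ones used in the manual's example; weights are assumed.
    wans = [WanLink("WAN1", "230.100.100.1", weight=3),
            WanLink("WAN2", "213.10.10.2", weight=1)]
    print(share_per_link("192.168.2.2", wans))
    before = source_ip_seen_by_server("192.168.2.2", "198.18.0.10", wans)
    wans[0].up = False            # WAN1 fails: every pair is re-mapped to WAN2
    after = source_ip_seen_by_server("192.168.2.2", "198.18.0.10", wans)
    print(before, "->", after)
```

When WAN1 fails the same pair is re-hashed to WAN2, so the remote server sees a different client address; a server that ties sessions to the client address will treat it as a new client.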
2.4 Inbound Traffic
Learn how MH-1000 can handle inbound traffic in the following section.
2.4.1 Inbound Fail Over
Configuring MH-1000 for Inbound Fail Over allows you to ensure that incoming traffic is uninterrupted by
having MH-1000 default to WAN2 should WAN1 fail.
[Figure: Inbound Fail Over, before and after fail over; remote access from the Internet to the FTP server (192.168.2.2) and HTTP server (192.168.2.3)]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are
connected to the Internet via WAN1 (ftp.planet.com.tw) on MH-1000. A remote computer is trying to access
these servers via the Internet. Under normal circumstances, the remote computer will gain access to the
network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH-1000 to reroute incoming traffic to WAN2
by using the Dynamic DNS mechanism. Configuring your MH-1000 for Inbound Fail Over provides a more
reliable connection for your incoming traffic.
Please refer to appendix D for example settings.
2.4.2 Inbound Load Balancing
Inbound Load Balancing allows MH-1000 to intelligently manage inbound traffic based on the amount of
load of each WAN connection.
[Figure: Inbound Load Balancing; remote access from the Internet to the FTP server (192.168.2.2) and HTTP server (192.168.2.3) via www.planet2.com.tw and www.planet3.com.tw]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are
connected to the Internet via WAN1 (www.planet2.com.tw) and WAN2 (www.planet3.com.tw) on MH-1000.
Remote PCs are attempting to access the servers via the Internet. Using Inbound Load Balancing,
MH-1000 can direct incoming requests to the correct WAN port based on group assignment. For example,
a sales force can be directed to www.planet2.com.tw while the R&D group can access www.planet3.com.tw.
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is
efficiently handled with both ports equally sharing the load, preventing situations where service is slow
because one port is completely saturated by inbound traffic.
Please refer to appendix D for example settings.
2.5 DNS Inbound
Using DNS Inbound is a great way to intelligently direct network traffic.
DNS Inbound is a three-step process. First, a DNS request is made to the router by a remote
PC. MH-1000, based on settings specified by the user, will direct the requesting PC to the correct WAN
port by replying with the selected WAN IP address through the built-in DNS server. The remote PC then
accesses the network via the specified WAN port. How MH-1000 directs this traffic through the built-in DNS
server depends on whether it is configured for Fail Over or Load Balancing.
Learn how to make DNS Inbound on MH-1000 work for you in the following section.
2.5.1 DNS Inbound Fail Over
MH-1000 can be configured to reply with the WAN2 IP address to the DNS domain name request should
WAN1 fail.
[Figure: DNS Inbound Fail Over, 1st and 2nd connection; the built-in DNS answers requests for www.mydomain.com with 200.200.200.1 or 100.100.100.1]
In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_200.200.200.1) on MH-1000. A remote computer is trying to
access these servers via the Internet, and makes a DNS request. The DNS request (www.mydomain.com)
will be sent through WAN1 (200.200.200.1) to the built-in DNS server. The DNS server will reply
200.200.200.1 because this is the only active WAN port. Should WAN1 fail, MH-1000 will instead reply with
WAN2’s IP address (100.100.100.1), and the remote PC will gain access to the network via WAN2. By
configuring MH-1000 for DNS Inbound Fail Over, incoming requests will enjoy increased reliability when
accessing your network.
Please refer to appendix D for example settings.
2.5.2 DNS Inbound Load Balancing
DNS Inbound Load Balancing allows MH-1000 to intelligently manage inbound traffic based on
the amount of load of each WAN connection by assigning the IP address with the lowest traffic
load to incoming requests.
[Figure: DNS Inbound Load Balancing; depending on which WAN is under heavy load, the built-in DNS replies to the request for www.mydomain.com with 200.200.200.1 or 100.100.100.1]
In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are
connected to the Internet via WAN1 (IP_200.200.200.1) and WAN2 (IP_100.100.100.1) on MH-1000.
Remote PCs are attempting to access the servers via the Internet by making a DNS request, entering a
URL (www.mydomain.com).
Using a load balancing algorithm, MH-1000 can direct incoming requests to either WAN port based on the
amount of load each WAN port is currently experiencing. If WAN2 is experiencing a heavy load, MH-1000
responds to incoming DNS requests with WAN1.
By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is
efficiently handled, making sure that both ports are equally sharing the load and preventing situations
where service is slow because one port is completely saturated by inbound traffic.
Please refer to appendix D for example settings.
A typical scenario of how traffic is directed with DNS Inbound Load Balancing is illustrated below:
[Figure: DNS Inbound Load Balancing flow, steps 1 to 11 (DNS Request, DNS Reply, HTTP Request, HTTP Reply) between the client, WAN 1, WAN 2 and MH-1000's DNS Server, Bandwidth Monitor, URL Host Map and HTTP Server]
In the example above, the client is making a DNS request.
(1). The request is sent to the DNS server of MH-1000 through WAN2.
(2). WAN2 will route this request to the embedded DNS server of MH-1000.
(3). MH-1000 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to return in reply to the
request.
(4). After the decision is made, MH-1000 will route the DNS reply to the user through WAN2.
(5). The user will receive the DNS reply with the IP address of WAN1.
(6). The browser will initiate an HTTP request to the WAN1 IP address.
(7). The HTTP request will be sent to MH-1000’s URL Host Map.
(8). The Host Map will then redirect the HTTP request to the HTTP server.
(9). The HTTP server will reply.
(10). The URL Host Map will route the packet through WAN1 to the user.
(11). Finally, the client will receive an HTTP reply packet.
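The DNS decision in steps (1) to (5), together with the fail over behaviour of section 2.5.1, as an added Python sketch that is not MH-1000 code: a constructed query for www.mydomain.com is answered with the address of the WAN chosen by link state or load. The Wan class, the mode names, the load figures and the 30-second TTL are assumptions for illustration.

```python
"""Added illustration of DNS Inbound fail over / load balancing (not MH-1000 firmware)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

TYPE_A, CLASS_IN = 1, 1
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


@dataclass
class Wan:
    name: str
    ip: str
    up: bool = True
    load: float = 0.0     # share of capacity in use, as a bandwidth monitor would report it


def choose_wan(wans: list[Wan], mode: str) -> Wan | None:
    """Pick the WAN whose address goes into the DNS reply."""
    live = [w for w in wans if w.up]
    if not live:
        return None
    if mode == "failover":          # WAN1 while it is up, otherwise WAN2
        return live[0]
    if mode == "balance":           # the WAN with the lowest traffic load
        return min(live, key=lambda w: w.load)
    raise ValueError(f"unknown mode {mode!r}")


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed client query: one question, type A, recursion desired."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_question(msg: bytes) -> tuple[str, int, int]:
    """Return (name, qtype, offset just past the question) for the first question."""
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):   # also rejects compression pointers
            raise ValueError("bad label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels).lower(), qtype, pos + 4


def answer(query: bytes, hosted: set[str], wans: list[Wan], mode: str, ttl: int = 30) -> bytes:
    """Build the authoritative reply a built-in DNS server of this kind would send."""
    txid, qflags = struct.unpack("!HH", query[:4])
    name, qtype, end = parse_question(query)
    rcode, rr = NOERROR, b""
    if name not in hosted:
        rcode = NXDOMAIN
    elif qtype == TYPE_A:
        wan = choose_wan(wans, mode)
        if wan is None:
            rcode = SERVFAIL
        else:
            # 0xC00C points back at the question name; the TTL is an assumed value.
            rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
            rr += ipaddress.ip_address(wan.ip).packed
    flags = 0x8400 | (qflags & 0x0100) | rcode       # QR=1, AA=1, copy RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if rr else 0, 0, 0)
    return header + query[12:end] + rr


def read_answer(reply: bytes) -> tuple[int, str | None, int | None]:
    """Return (rcode, A-record address, ttl) from a reply built by answer()."""
    flags, _qd, ancount = struct.unpack("!HHH", reply[2:8])
    _name, _qtype, end = parse_question(reply)
    if ancount == 0:
        return flags & 0x000F, None, None
    _ptr, _t, _c, ttl, _len = struct.unpack("!HHHIH", reply[end:end + 12])
    return flags & 0x000F, str(ipaddress.ip_address(reply[end + 12:end + 16])), ttl


if __name__ == "__main__":
    # WAN addresses and host name are the ones in the manual's example; loads are constructed.
    wans = [Wan("WAN1", "200.200.200.1", load=0.2), Wan("WAN2", "100.100.100.1", load=0.9)]
    q = build_query("www.mydomain.com")
    print(read_answer(answer(q, {"www.mydomain.com"}, wans, "failover")))
    wans[0].up = False
    print(read_answer(answer(q, {"www.mydomain.com"}, wans, "failover")))
```

Remote resolvers cache the returned address for the TTL, so a fail over only reaches a client once its cached record expires.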
2.6 Virtual Private Networking
A Virtual Private Network (VPN) enables you to send data between two computers across a shared or
public network in a manner that emulates the properties of a point-to-point private link. As such, it is perfect
for connecting branch offices to headquarters across the Internet in a secure fashion.
The following section discusses Virtual Private Networking with MH-1000.
2.6.1 General VPN Setup
There are typically three different VPN scenarios. The first is a Gateway to Gateway setup, where two
remote gateways communicate over the Internet via a secure tunnel.
[Figure: Gateway to Gateway VPN]
The next type of VPN setup is the Gateway to Multiple Gateway setup, where one gateway
(Headquarters) is communicating with multiple gateways (Branch Offices) over the Internet. As with all
VPNs, data is kept secure with secure tunnels.
[Figure: Gateway to Multiple Gateway VPN; secure tunnels between 100.100.100.1 (192.168.2.x), 200.200.200.1 (192.168.3.x) and 201.201.201.1 (192.168.4.x)]
The final type of VPN setup is the Client to Gateway. A good example of where this can be applied is
when a remote sales person accesses the corporate network over a secure VPN tunnel.
[Figure: Client to Gateway VPN (labels: 192.168.2.x, myID.dyndns.org)]
VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to stay connected.
One of the most important steps in setting up a VPN is proper planning. The following sections
demonstrate the various ways of using MH-1000 to set up your VPN.
2.6.2 VPN Planning - Fail Over
Configuring your VPN with Fail Over allows MH-1000 to automatically default to WAN2 should WAN1 fail.
[Figure: VPN Fail Over, Gateway to Gateway, before and after fail over (labels: planet.dyndns.org, 200.200.200.1, 192.168.3.x)]
Because the dynamic domain name planet.dyndns.org is configured for both WAN1 and WAN2, the active
WAN port will announce the domain name through the WAN IP address. The remote gateway will then be
able to connect to the VPN through the domain name.
In this Gateway to Gateway example, MH-1000 is communicating to a remote gateway using WAN1
through a secure VPN tunnel. Should WAN1 fail, outbound traffic from MH-1000 will automatically be
redirected to WAN2. This process is completely transparent to the remote gateway, as MH-1000 will
automatically update the domain name (planet.dyndns.org) with the WAN2 IP address. Configuring a
Gateway to Multiple Gateway setup with Fail Over is similar, as shown below:
[Figure: VPN Fail Over, Gateway to Multiple Gateway (labels: planet.dyndns.org, 100.100.100.1, 200.200.200.1, 192.168.2.x, 192.168.3.x, 192.168.4.x)]
Configuring MH-1000 for Fail Over provides added reliability to your VPN.
2.6.3 Concentrator
The VPN Concentrator provides an easy way for branch offices to connect to headquarters through a VPN
tunnel. All branch office traffic will be redirected to the VPN tunnel to headquarters with the exception of
LAN-side traffic. This way, all branch offices can connect to each other through headquarters via the
headquarters’ firewall management. You can also configure MH-1000 to function as a VPN Concentrator:
Please refer to appendix D for example settings.
[Figure: VPN Concentrator example. Tunnel settings shown on each MH-1000:]
Gateway (WAN IP, LAN)                  Local subnet   Local mask      Remote subnet   Remote mask
MH-1000 (100.100.100.1, 192.168.2.x)   0.0.0.0        0.0.0.0         192.168.3.0     255.255.255.0
MH-1000 (100.100.100.1, 192.168.2.x)   0.0.0.0        0.0.0.0         192.168.4.0     255.255.255.0
MH-1000 (200.200.200.1, 192.168.3.x)   192.168.3.0    255.255.255.0   0.0.0.0         0.0.0.0
MH-1000 (201.201.201.1, 192.168.4.x)   192.168.4.0    255.255.255.0   0.0.0.0         0.0.0.0
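The tunnel settings listed above, traced hop by hop in an added Python example (not MH-1000 code; the gateway names hq, branch3 and branch4, the in-order selector matching, the /24 headquarters LAN and the 203.0.113.5 Internet host are assumptions): it shows branch-to-branch and branch-to-Internet traffic both passing through headquarters, while LAN-side traffic stays local.

```python
"""Added illustration of the VPN Concentrator tunnel selectors (not MH-1000 firmware)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def net(subnet: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet/mask pair as entered in the tunnel settings, e.g. 0.0.0.0 / 0.0.0.0."""
    return ipaddress.ip_network(f"{subnet}/{mask}")


@dataclass(frozen=True)
class Tunnel:
    peer: str                       # name of the gateway at the other end
    local: ipaddress.IPv4Network    # traffic selector: source side
    remote: ipaddress.IPv4Network   # traffic selector: destination side


@dataclass
class Gateway:
    name: str
    lan: ipaddress.IPv4Network
    tunnels: list[Tunnel] = field(default_factory=list)

    def next_hop(self, src: str, dst: str) -> str:
        """Return "lan", the peer reached through the first matching tunnel, or "wan"."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in self.lan:
            return "lan"            # LAN-side traffic never enters a tunnel
        for t in self.tunnels:      # assumption: selectors are checked in order
            if s in t.local and d in t.remote:
                return t.peer
        return "wan"                # leaves through this gateway's own Internet link


def example_topology() -> dict[str, Gateway]:
    """Selectors from the concentrator figure; gateway names are hypothetical."""
    any_net = net("0.0.0.0", "0.0.0.0")
    b3 = net("192.168.3.0", "255.255.255.0")
    b4 = net("192.168.4.0", "255.255.255.0")
    return {
        "hq": Gateway("hq", net("192.168.2.0", "255.255.255.0"),
                      [Tunnel("branch3", any_net, b3), Tunnel("branch4", any_net, b4)]),
        "branch3": Gateway("branch3", b3, [Tunnel("hq", b3, any_net)]),
        "branch4": Gateway("branch4", b4, [Tunnel("hq", b4, any_net)]),
    }


def trace(gateways: dict[str, Gateway], start: str, src: str, dst: str) -> tuple[list[str], str]:
    """Follow a packet from gateway `start`; return (gateways visited, final exit)."""
    path, here = [start], start
    while True:
        hop = gateways[here].next_hop(src, dst)
        if hop in ("lan", "wan"):
            return path, hop
        if hop in path:
            raise RuntimeError(f"selector loop via {hop}")
        path.append(hop)
        here = hop


if __name__ == "__main__":
    gws = example_topology()
    for dst in ("192.168.3.20", "192.168.4.20", "192.168.2.5", "203.0.113.5"):
        # 192.168.3.10 is a constructed host in the 192.168.3.x branch LAN
        print(dst, trace(gws, "branch3", "192.168.3.10", dst))
```

Because the branch selectors use a remote subnet of 0.0.0.0, Internet-bound branch traffic also exits at headquarters, which makes the headquarters firewall the single enforcement point for it.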
Chapter 3: Getting Started
3.1 Overview
MH-1000 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive
web-based configuration, MH-1000 allows you to administer your network via virtually any Java-enabled
web browser and is fully compatible with Linux, Mac OS, and Windows 98/ME/NT/2000/XP operating
systems.
The following chapter takes you through the very first steps to configuring your network for MH-1000. Take
a look and see how easy it is to get your network up and running.
3.2 Before You Begin
In order to simplify the configuration process and increase the efficiency of your network, you should
consider the following items before setting up your network for the first time:
1. Plan your network
Decide whether you are going to use one or both WAN ports. For one WAN port, you may need a fully
qualified domain name either for convenience or if you have a dynamic IP address. If you are going to use
both WAN ports, determine whether you are going to use them in fail over mode for increased network
reliability or load balancing mode for maximum bandwidth efficiency. See Chapter 2: Router Application
for more information.
2. Set up your accounts
Have access to the Internet and locate the Internet Service Provider (ISP) configuration information. Each
MH-1000 WAN port must be configured separately, whether you are using a separate ISP for each WAN
port or are having the traffic of both WAN ports routed through the same ISP.
3. Determine your network management approach
MH-1000 is capable of remote management. However, this feature is not active by default. If you reset the
device, remote administration must be enabled again. If you decide to manage your network remotely, be
sure to change the default password for security reasons.
4. Prepare to physically connect MH-1000 to Cable or DSL modems and a computer.
3.3 Configuring PCs for TCP/IP Networking
In order for your networked PCs to communicate with your router, they must have the following
characteristics:
1. Have a properly installed and functioning Ethernet Network Interface Card (NIC).
2. Be connected to MH-1000, either directly or through an external repeater hub via an Ethernet cable.
3. Have TCP/IP installed and configured with an IP address.
The IP address for each PC may be a fixed IP address or one that is obtained from a DHCP server. If using
a fixed IP address, it is important to remember that it must be in the same subnet as the router. The default IP address of MH-1000 is 192.168.1.1 with a subnet mask of 255.255.255.0. Using the default
configuration, networked PCs must reside in the same subnet, and have an IP address in the range of
192.168.1.2 to 192.168.1.254. However, you’ll find that the quickest and easiest way to configure the IP
addresses for your PCs is to obtain the IP addresses automatically by using the router as a DHCP server.
If you are unable to access the web configuration interface, check to see if you have any software-based
firewalls installed on your PCs, as they can cause problems accessing the 192.168.1.1 IP address of
MH-1000.
The following sections outline how to set up your PCs for TCP/IP networking. Refer to the applicable
section for your PC’s operating system.
3.3.1 Overview
Before you begin, make sure that the TCP/IP protocol and a functioning Ethernet network adapter are
installed on each of your PCs.
The following operating systems already include the necessary software components you need to install
TCP/IP on your PCs:
- Windows 95/98/Me/NT/2000/XP
- Mac OS 7 and later
Any TCP/IP capable workstation can be used to communicate with or through MH-1000. To configure other
types of workstations, please consult the manufacturer’s documentation.
3.3.2 Windows XP
1. Go to Start / Control Panel (in Classic View). In the Control Panel, double-click on Network Connections.
2. Double-click Local Area Connection.
3. In the Local Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio
buttons.
6. Click OK to finish the configuration.
3.3.3 Windows 2000
1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and Dial-up Connections.
2. Double-click Local Area Connection.
3. In the Local Area Connection Status window, click Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio
buttons.
6. Click OK to finish the configuration.
3.3.4 Windows 95/98/ME
1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the
Configuration tab.
2. Select TCP/IP -> NE2000 Compatible, or the name of your Network Interface Card (NIC) in your PC.
3. Select the Obtain an IP address automatically radio button.