Planet Technology MH-2000 User Manual

Multi-Homing Security Gateway User’s Manual
Multi-Homing Security
Gateway
MH-2000, MH-4000
User’s Manual
Multi-Homing Security Gateway User’s Manual
Copyright (C) 2005 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology, This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted. No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means by electronic or mechanical. Including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
CE mark Warning
This is a class B device, in a domestic environment; this product may cause radio interference, in which case the user may be required to take adequate measures.
To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste and have to collect such WEEE separately.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please refer to the following Website URL:
http://
www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
Multi-Homing Security Gateway serial number and MAC address Any error messages that displayed when the problem occurred Any software running when the problem occurred Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET Multi-Homing Security Gateway
Model: MH-2000, MH-4000
Rev: 4.0 (September, 2005)
Multi-Homing Security Gateway User’s Manual
Table of Contents
CHAPTER 1: INTRODUCTION ........................................................................................................................ 1
1.1 FEATURES................................................................................................................................................................1
1.2 PACKAGE CONTENTS .............................................................................................................................................. 2
1.3 MH-2K/4K FRONT VIEW.........................................................................................................................................2
1.4 MH-2K/4K REAR PANEL.........................................................................................................................................3
1.5 SPECIFICATION ........................................................................................................................................................4
CHAPTER 2: HARDWARE INSTALLA TION.................................................................................................... 5
2.1 INSTALLATION REQUIREMENTS ...............................................................................................................................5
2.2 OPERATION MODE...................................................................................................................................................5
2.2.1 Transparent Mode Connection Example...................................................................................................6
2.2.2 NAT Mode Connecting Example................................................................................................................ 6
CHAPTER 3: GETTING STARTED .................................................................................................................. 7
3.1 WEB CONFIGURATION .............................................................................................................................................7
3.2 CONFIGURE WAN 1 INTERFACE ............................................................................................................................. 8
3.3 CONFIGURE WAN 2 INTERFACE ........................................................................................................................... 10
3.4 CONFIGURE DMZ INTERFACE ...............................................................................................................................10
3.5 CONFIGURE POLICY ..............................................................................................................................................10
CHAPTER 4: WEB CONFIGURATION .......................................................................................................... 13
4.1 SYSTEM .................................................................................................................................................................14
4.1.1 Admin ...........................................................................................................................................................16
4.1.2 Settings........................................................................................................................................................18
4.1.3 Date/Time.................................................................................................................................................... 24
4.1.4 Multiple Subnet...........................................................................................................................................25
4.1.5 Hacker Alert.................................................................................................................................................29
4.1.6 Blaster Alert.................................................................................................................................................31
4.1.7 Route Table .................................................................................................................................................31
4.1.8 DHCP........................................................................................................................................................... 33
4.1.9 Dynamic DNS..............................................................................................................................................35
4.1.10 Host Table..................................................................................................................................................37
4.1.11 SNMP (MH-4000 only).............................................................................................................................39
4.1.12 Permitted IPs.............................................................................................................................................40
4.1.13 Language...................................................................................................................................................42
4.1.14 Logout........................................................................................................................................................42
4.1.15 Software Update....................................................................................................................................... 43
Multi-Homing Security Gateway User’s Manual
4.2 INTERFACE.............................................................................................................................................................44
4.2.1 LAN...............................................................................................................................................................44
4.2.2 WAN............................................................................................................................................................. 45
4.2.3 DMZ..............................................................................................................................................................50
4.3 ADDRESS ...............................................................................................................................................................52
4.3.1 LAN...............................................................................................................................................................52
4.3.2 LAN Group...................................................................................................................................................55
4.3.3 WAN............................................................................................................................................................. 58
4.3.4 WAN Group.................................................................................................................................................60
4.3.5 DMZ..............................................................................................................................................................63
4.3.6 DMZ Group..................................................................................................................................................66
4.4 SERVICE ................................................................................................................................................................69
4.4.1 Pre-defined..................................................................................................................................................69
4.4.2 Custom.........................................................................................................................................................70
4.4.3 Group............................................................................................................................................................73
4.5 SCHEDULE .............................................................................................................................................................76
4.6 QOS.......................................................................................................................................................................79
4.7 AUTHENTICATION ...................................................................................................................................................81
4.7.1 Auth Setting................................................................................................................................................. 81
4.7.2 Auth User.....................................................................................................................................................82
4.7.3 Auth User Group......................................................................................................................................... 86
4.7.4 Radius Server (MH-4000 Only)................................................................................................................89
4.7.5 POP3 (MH-4000 only)................................................................................................................................89
4.7.6 LDAP (MH-4000 only)................................................................................................................................90
4.8 CONTENT FILTERING..............................................................................................................................................92
4.8.1 URL Blocking...............................................................................................................................................92
4.8.2 Script Blocking............................................................................................................................................ 94
4.8.3 P2P Blocking...............................................................................................................................................95
4.8.4 IM Blocking..................................................................................................................................................96
4.8.5 Download Blocking..................................................................................................................................... 97
4.9 VIRTUAL SERVER...................................................................................................................................................99
4.9.1 Mapped IP .................................................................................................................................................100
4.9.2 Virtual Server.............................................................................................................................................102
4.10 POLICY ..............................................................................................................................................................108
4.10.1 Outgoing.................................................................................................................................................. 108
4.10.2 Incoming.................................................................................................................................................. 114
4.10.3 WAN To DMZ & LAN To DMZ............................................................................................................... 118
4.10.4 DMZ To WAN & DMZ To LAN...............................................................................................................122
4.11 VPN ...................................................................................................................................................................127
Multi-Homing Security Gateway User’s Manual
4.11.1 IPSec Autokey.........................................................................................................................................127
4.11.2 PPTP Server............................................................................................................................................ 172
4.11.3 PPTP Client............................................................................................................................................. 176
4.12 INBOUND BALANCE (MH-4000 ONLY) .............................................................................................................. 180
4.13 LOG ...................................................................................................................................................................203
4.13.1 T raf fic Log................................................................................................................................................203
4.13.2 Event Log ................................................................................................................................................205
4.13.3 Connection Log.......................................................................................................................................208
4.13.4 Log Backup.............................................................................................................................................210
4.14 ALARM ...............................................................................................................................................................213
4.14.1 Blaster Alarm...........................................................................................................................................213
4.14.2 T raf fic Alarm............................................................................................................................................214
4.14.3 Event Alarm............................................................................................................................................. 215
4.15 ACCOUNTING REPORT (MH-4000 ONLY) ......................................................................................................... 217
4.15.1 Setting......................................................................................................................................................217
4.15.2 Outbound Accounting Report...............................................................................................................217
4.15.3 Inbound Accounting Report..................................................................................................................222
4.16 STATI STICS ........................................................................................................................................................226
4.16.1 Interface Statistics..................................................................................................................................226
4.16.2 Policy Statistics....................................................................................................................................... 227
4.17 STATU S ..............................................................................................................................................................230
4.17.1 Interface Status.......................................................................................................................................230
4.17.2 System Info (MH-4000 only).................................................................................................................230
4.17.3 Auth Status..............................................................................................................................................231
4.17.4 ARP Table................................................................................................................................................232
4.17.5 DHCP Clients..........................................................................................................................................233
Multi-Homing Security Gateway User’s Manual

Chapter 1: Introduction

As Internet become essential for your business, the only way to prevent your Internet connection from failure
is to have more than one connection. PLANET’s Multi-Homing Security Gateways (MH-2K/4K, in the
following section) reduce the risk of potential shutdown if one of the Internet connections should fail. In
addition, they allow you to perform load-balancing by distributing the traffic through two WAN connections.
With embedded DNS server of MH-4000, connections from Internet are given the IP address of two WAN
ports to balance the traffic over the links.
Not only a multi-homing device, PLANET’s MH-2K/4K also provides a complete security solution in a box.
The policy-based firewall, Intrusion detection and prevention, content filtering function and VPN connectivity
with 3DES and AES encryption make it a perfect product for your network security. No more complex
connection and settings for integrating different security products on the network is required.
Bandwidth management function is also supported on MH-2K/4K to offers network administrators an easy
yet powerful means to allocate network resources based on business priorities, and to shape and control
bandwidth usage.

1.1 Features

WAN Backup: MH-2K/4K can monitor the each WAN link status and automatically activate backup links
when a failure is detected. The detection is based on the configurable target Internet addresses.
Outbound Load Balancing: The network sessions are assigned based on the user configurable load
balancing mode, including “Auto”, “Round-Robin”, “By Traffic”, “By Session” and “By Packet”. User can
also configure which IP or TCP/UDP type of traffic use which WAN port to connect.
Inbound Load Balancing with Embedded DNS Server: In order to direct traffic to hosted servers
through two links and provide inbound loading balancing, the MH-4000 provides a built-in DNS server for
the hosted servers.
Policy-based Firewall: The built-in policy-based firewall prevents many known hacker attack, including
SYN attack, ICMP flood, UDP flood, Ping of Death, etc. The access control function allowed only
specified WAN or LAN users to use only allowed network services on specified time.
VPN Connectivity: The security gateway supports PPTP and IPSec VPN. With DES, 3DES and AES
encryption and SHA-1 / MD5 authentication, the network traffic over public Internet is secured.
Content Filtering: The security gateway can block network connection based on URLs, Scripts (The
Pop-up, Java Applet, cookies and Active X), P2P (eDonkey, Bit Torrent and WinMX), Instant Messaging
(MSN, Yahoo Messenger, ICQ, QQ and Skype) and Download blocking.
Dynamic Domain Name System (DDNS): The Dynamic DNS service allows you to alias a dynamic IP
address to a static hostname.
Multiple NAT: Multiple NAT allows local port to set multiple subnetworks and connect with the Internet
through different WAN IP Addresses.
- 1 -
Multi-Homing Security Gateway User’s Manual
Server Load Balancing: Up to 4 group virtual servers are supported for server load balancing ♦ Dynamic Host Control Protocol (DHCP) client and server: In the WAN site, the DHCP client can get
an IP address from the Internet Server Provider (ISP) automatically. In the LAN site, the DHCP server
can allocate up to 253 client IP addresses and distribute them including IP address, subnet mask as well
as DNS IP address to local computers. It provides an easy way to manage the local IP network.
Web based GUI: supports web based GUI for configuration and management. It also supports multiple
language including English, Traditional Chinese and Simplified Chinese.
Bandwidth Management: Network packets can be classified based on IP address, IP subnet and
TCP/UDP port number and give guarantee and burst bandwidth with three levels of priority.
User Authentication: User database can be configured on the devices, MH-4000 also supports the
authenticated database through external RADIUS, POP3 and LDAP server.

1.2 Package Contents

The following items should be included:
MH-2000
Multi-Homing Security Gateway
User’s Manual CD-ROM
This Quick Installation Guide
Power Adapter
MH-4000
Multi-Homing Security Gateway
User’s Manual CD-ROM
This Quick Installation Guide
Power Cord
Rack-mounting kit
RS-232 console cable
If any of the contents are missing or damaged, please contact your dealer or distributor immediately.

1.3 MH-2K/4K Front View

MH-2000 Front Panel
- 2 -
Multi-Homing Security Gateway User’s Manual
LED Description
PWR Power is supplied to this device.
STATUS Blinks to indicate this devise is being turned on
and booting. After one minute, this LED indicator will stop blinking, it means this device is now ready to use.
WAN1, WAN2, LAN, DMZ
MH-4000 Front Panel
LED Description
PWR Power is supplied to this device.
WAN1, WAN2, LAN, DMZ
Steady on indicates the port is connected to other network device.
Blink to indicates there is traffic on the port
Green Steady on indicates the port is
connected to other network device.
Blink to indicates there is traffic on the port
Orange Steady on indicates the port is
connected at 100Mbps speed

1.4 MH-2K/4K Rear Panel

MH-2000 Rear Panel
Port or button Description
RESET Press this button to restore to factory default
settings.
WAN 1, WAN2
LAN Connect to your local PC, switch or other
DMZ Connect to your server or other network
Connect to your xDSL/Cable modem or other Internet connection devices
local network device
device
- 3 -
Multi-Homing Security Gateway User’s Manual
MH-4000 Rear Panel

1.5 Specification

Product Multi-homing Security Gateway Model MH-2000 MH-4000 Hardware Ethernet
LED POWER, STATUS, 10/100 and LNK/ACT for each LAN and WAN port Power 5VDC, 2.4A 100~240 VAC, 50~60Hz Operating Environment Temperature: 0~50°C
Dimension W x D x H, mm 220 x 149 x 37 431 x 254 x 44 Regulatory FCC, CE Mark Software Management Web Web, SNMP Network Connection Transparent mode (WAN to DMZ), NAT, Multi-NAT, Static Route, RIPv2 Outbound Load Balancing Policy-based routing
Inbound Load Balancing Built-in DNS for inbound Firewall Policy-based firewall rule with schedule
VPN Tunnels 200 1000 VPN Functions PPTP, IPSec
Bandwidth Management Policy-based bandwidth management
Content Filtering URL blocking
User authentication Built-in user database Built-in user database with up to 500 entries
Log and Alarm Log and alarm for event and traffic
Statistics Traffic statistic for interface (WAN 1/2) and policies
Others Dynamic DNS
LAN 1 x 10/100Mbps RJ-45 WAN 2 x 10/100Mbps RJ-45 DMZ 1 x 10/100Mbps RJ-45
Relative Humidity: 10%~90%
Load-balancing by Round-Robin, traffic, session and packet
NAT/ NAPT SPI firewall Prevention of SYN attack, ICMP Flood, UDP flood, Ping of Death, Tear Drop, IP Spoofing, IP route, Port Scan and Land attack
DES, 3DES and AES encrypting SHA-1 / MD5 authentication algorithm Remote access VPN (Client-to-Site) and Site to Site VPN
Guarantee and maximum bandwidth with 3 priority levels Classify traffics based on IP, IP subnet, TCP/UDP port
Blocks Popup, Java Applet, cookies and Active X P2P blocking IM blocking Download blocking
Support RADIUS authentication
Log can be saved from web, sent by e-mail or sent to syslog server
Graphic display Record up to 30 day
NTP support DHCP server Mapping IP (DMZ) Server load balancing
- 4 -
Multi-Homing Security Gateway User’s Manual

Chapter 2: Hardware Installation

2.1 Installation Requirements

Before installing MH-2K/4K, make sure your network meets the following requirements.
- Mechanical Requirements
MH-2K/4K is installed between your Internet connection and local area network. You can place it on the
table or rack, and locate the unit near the power outlet.
- Electrical Requirements
MH-2K/4K is a power-required device, that means, it will not work until it is powered. If your network PCs
will need to transmit data all the time, please consider use an UPS (Uninterrupted Power Supply) for your
MH-2K/4K. It will prevent you from network data loss. In some area, installing a surge suppression device
may also help to protect your device from being damaged by unregulated surge or current to the
MH-2K/4K.
- Network Requirements
In order for MH-2K/4K to secure your network traffic, the traffic must pass through the device at a useful
point in a network. In most situations, MH-2K/4K should be placed behind the Internet connection device.

2.2 Operation Mode

MH-2K/4K DMZ port supports three operation modes, Disable, NAT and Transparent. In Disable mode, the
DMZ port is not active. In transparent mode, MH-2K/4K works as proxy with forward DMZ packet to WAN
and forward WAN packet to DMZ. The DMZ and WAN side IP addresses are in the same subnet. In NAT
mode, DMZ side user will share one public IP address of WAN port to make Internet connection. Please
find the following two pictures for example.
- 5 -

2.2.1 Transparent Mode Connection Example

Multi-Homing Security Gateway User’s Manual
The WAN1 and DMZ side IP addresses are on the same subnet. This application is suitable if you have a
subnet of IP addresses and you do not want to change any IP configuration on the subnet.

2.2.2 NAT Mode Connecting Example

DMZ and WAN1 IP addresses are on the different subnet. This provides higher security level then
transparent mode.
- 6 -
Multi-Homing Security Gateway User’s Manual

Chapter 3: Getting Started

3.1 Web Configuration

STEP 1:
Connect the Administrator’s PC and the LAN port of MH-2K/4K to a hub or switch. Make sure there is a link
light on the hub/switch for both connections. MH-2K/4K has an embedded web server used for management
and configuration. Use a web browser to display the configurations of MH-2K/4K (such as Internet Explorer
4(or above) or Netscape 4.0(or above) with full java script support). The default IP address of MH-2K/4K is
192.168.1.1 with a subnet mask of 255.255.255.0. Therefore, the IP address of the Administrator PC must be
in the range between 192.168.1.2– 192.168.1.254
If the company’s LAN IP Address is not subnet of 192.168.1.0, (i.e. LAN IP Address is 172.16.0.1), then the
Administrator must change his/her PC IP address to be within the same range of the LAN subnet (i.e.
172.16.0.2). Reboot the PC if necessary.
By default, MH-2K/4K is shipped with its DHCP Server function enabled. This means the client computers on
the LAN network including the Administrator PC can set their TCP/IP settings to automatically obtain an IP
address from the device.
The following table is a list of private IP addresses. These addresses may not be used as a WAN IP address.
10.0.0.0 ~ 10.255.255.255
172.16.0.0 ~ 172.31.255.255
192.168.0.0 ~ 192.168.255.255
STEP 2:
Once the Administrator PC has an IP address on the same network as the Multi-Homing Security Gateway,
open up an Internet web browser and type in
A pop-up screen will appear and prompt for a username and password. A username and password is required
to connect to MH-2K/4K. Enter the default login username and password of Administrator (see below).
Username: admin Password: admin
Click OK.
http://192.168.1.1 in the address bar.
- 7 -
Multi-Homing Security Gateway User’s Manual

3.2 Configure WAN 1 interface

After entering the username and password, MH-2K/4K WebUI screen will display. Select the Interface tab on
the left menu then click on WAN below it.
Click on Modify button of WAN NO.1. The following page is shown.
Alive Indicator Site IP: This feature is used to ping an address for detecting WAN connection status. Service: ICMP You can select an IP address by Assist, or type an IP address manually. Service: DNS You can select a DNS IP and Domain name by Assist, or type the related data manually.
PPPoE (ADSL User): This option is for PPPoE users who are required to enter a username and password in
order to connect.
Username: Enter the PPPoE username provided by the ISP. Password: Enter the PPPoE password provided by the ISP. IP Address provided by ISP:
Dynamic: Select this if the IP address is automatically assigned by the ISP. Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by
your ISP.
Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP. Service-On-Demand:
The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter in
the amount of idle minutes before disconnection. Enter ‘0’ if you do not want the PPPoE connection to
disconnect at all.
- 8 -
Multi-Homing Security Gateway User’s Manual
For Dynamic IP Address (Cable Mod em User): This option is for users who are automatically assigned an
IP address by their ISP, such as cable modem users. The following fields apply:
MAC Address: This is the MAC Address of the device. Some ISPs require specified MAC address. If the
required MAC address is your PC’s, click Clone MAC Address.
Hostname: This will be the name assign to the device. Some cable modem ISP assigns a specific
hostname in order to connect to their network, please enter the hostname here. If not
required by your ISP, you do not have to enter a hostname.
Domain Name: You can specify your own domain name or leave it blank. User Name: The user name is provided by ISP. Password: The password is provided by ISP. Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP.
For Static IP Address: This option is for users who are assigned a static IP Address from their ISP. Your ISP
will provide all the information needed for this section such as IP Address, Netmask, Gateway, and DNS.
IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of
the WAN 1 port of the device.
Netmask: This will be the Netmask of the WAN 1 network. (i.e. 255.255.255.0) Default Gateway: This will be the Gateway IP address. Domain Name Server (DNS): This is the IP Address of the DNS server.
Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP.
For PPTP (European User Only): This is mainly used in Europe. You need to know the PPTP Server
address as well as your name and password.
User Name: The user name is provided by ISP. Password: The password is provided by ISP. IP Address: Enter the static IP address assigned to you by your ISP, or obtain an IP address
automatically from ISP.
PPTP Gateway: Enter the PPTP server IP address assigned to you by your ISP. Connect ID: This is the ID given by ISP. This is optional. Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP. BEZEQ-ISRAEL: Select this item if you are using the service provided by BEZEQ in Israel. Service-On-Demand: The PPTP connection will automatically disconnect after a length of idle time (no
activities). Enter the amount of idle minutes before disconnection. Enter ‘0’ if you
do not want the PPTP connection to disconnect at all.
NOTE: This function is not supported on MH-4000.
Ping: Select this to allow the WAN network to ping the IP Address of MH-2K/4K This will allow people from
the Internet to be able to ping MH-2K/4K WAN IP. If set to enable, the device will respond to echo request
packets from the WAN network.
- 9 -
Multi-Homing Security Gateway User’s Manual
WebUI: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the
WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username
and password to enter the WebUI.

3.3 Configure WAN 2 interface

If you want to connect WAN 2 to another ISP connection, click Modify button of WAN No. 2 then repeat above
procedures to setup.

3.4 Configure DMZ interface

Depends on your network requirement, you can disable the DMZ port, make DMZ port transparent to WAN 1 or
enable NAT function on it.
To configure the DMZ port, select the Interface tab on the left menu, then click on DMZ, the following page is
shown.
Please refer to section 3 for select the mode you need and configure relative IP parameters.

3.5 Configure Policy

STEP 1:
Click on the Policy tab from the main function menu, and then click on Outgoing (LAN to WAN) from the
sub-function list.
STEP 2:
Click on New Entry button.
STEP 3:
When the New Entry option appears, enter the following configuration:
Source Address – select “Inside_Any”
- 10 -
Destination Address – select “Outside_Any” Service - select “ANY” Action - select “Permit, ALL”
Click on OK to apply the changes.
Multi-Homing Security Gateway User’s Manual
STEP 4:
The configuration is successful when the screen below is displayed.
- 11 -
Multi-Homing Security Gateway User’s Manual
Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP
Address set to MH-2K/4K’s LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN
network should gain access to the Internet immediately. If MH-2K/4K filter function is required, please refer to
the Policy section in chapter 4.
- 12 -
Multi-Homing Security Gateway User’s Manual

Chapter 4: Web Configuration

The functions of MH-2000 and MH-4000 have some differences. MH-4000 support more functions then
MH-2000. Please find the following table for a list of their functions comparison.
Menu items MH-2000 MH-4000
System
Admin V V Setting V V Date/Time V V Multiple Subnet V V Hacker Alert V V Blaster Alert V V Route Table V V DHCP V V Host Table V V SNMP N/A V Dynamic DNS V V Language V V Permitted IP V V Logout V V Software Update V V
Interface V V
LAN V V WAN V V DMZ V V
Address V V
LAN V V LAN Group V V WAN V V WAN Group V V DMZ V V DMZ Group V V
Service V V
Pre-defined V V Custom V V Group V V
Schedule V V QoS V V Authentication V V
Auth User V V Auth User Group V V RADIUS N/A V
Content Filter V V
URL Blocking V V Script Blocking V V P2P Blocking V V IM Blocking V V Download Blocking V V
Virtual Server V V
Mapped IP V V Virtual Server1 V V Virtual Server2 V V Virtual Server3 V V
- 13 -
Multi-Homing Security Gateway User’s Manual
Virtual Server4 V V
Policy V V
Outgoing V V Incoming V V WAN to DMZ V V LAN to DMZ V V DMZ to WAN V V DMZ to LAN V V
VPN V V
IPSec Autokey V V PPTP Server V V PPTP Client V V
Inbound Balance N/A V Log V V
Traffic Log V V Event Log V V Connection Log V V Log Backup V V
Alarm V V
Traffic Alarm V V Event Alarm V V
Accounting Report N/A V
Outbound N/A V Inbound N/A V
Statistics V V
Interface Statistics V V Policy Statistics V V
Status V V
Interface Status V V System Info. N/A V Auth. Status V V ARP Table V V DHCP Clients V V

4.1 System

MH-2K/4K Administration and monitoring configuration is set by the System Administrator. The System
Administrator can add or modify System settings and monitoring mode. The sub Administrators can only read
System settings but not modify them. In System, the System Administrator can:
1. Add and change the sub Administrator’s names and passwords;
2. Back up all MH-2K/4K settings into local files;
3. Set up alerts for Hackers invasion.
“System” is the managing of settings such as the privileges of packets that pass through MH-2K/4K and
monitoring controls. Administrators may manage, monitor, and configure MH-2K/4K settings. All
configurations are “read-only” for all users other than the Administrator; those users are not able to change
any settings for MH-2K/4K.
Admin: Control of user access to MH-2K/4K. He/she can add/remove users and change passwords.
- 14 -
Multi-Homing Security Gateway User’s Manual
Setting: The Administrator may use this function to backup MH-2K/4K configurations and export (save) them
to an “Administrator” computer or anywhere on the network; or restore a configuration file to the device; or restore MH-2K/4K back to default factory settings. Under Setting, the Administrator may enable e-mail alert
notification. This will alert Administrator(s) automatically whenever MH-2K/4K has experienced unauthorized
access or a network hit (hacking or flooding). Once enabled, an IP address of a SMTP (Simple Mail Transfer
protocol) Server is required. Up to two e-mail addresses can be entered for the alert notifications.
Date/Time: This function enables MH-2K/4K to be synchronized either with an Internet Server time or with the
client computer’s clock.
Multiple Subnet: This function allows local port to set multiple subnet works and connect with the internet
through different WAN 1 IP Addresses.
Hacker Alert: When abnormal conditions occur, MH-2K/4K will send an e-mail alert to notify the Administrator, and also display warning messages in the Event window of Alarm.
Blaster Alert: This function is to protect your network from blaster worm. When abnormal network access on
RPC port occur, MH-2K/4K will block the access on specified time, send an e-mail alert or SNMP trap to notify
the Administrator, and also display warning messages in the Event window of Alarm.
Route Table: Use this function to enable the Administrator to add static routes for the networks when the
dynamic route is not efficient enough.
DHCP: Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the LAN (LAN)
network.
Host Table: MH-2K/4K Administrator may use the Host Table function to make the device act as a DNS
Server for the LAN and DMZ network. All DNS requests to a specific Domain Name will be routed to
MH-2K/4K’s IP address. For example, an organization has their mail server (i.e., mail.planet.com.tw) in the
DMZ network (i.e. 192.168.10.10). The outside Internet world may access the mail server of the organization
easily by its domain name, providing that the Administrator has set up Virtual Server or Mapped IP settings
correctly. However, for the users in the LAN network, their WAN DNS server will assign them a public IP
address for the mail server. So for the LAN network to access the mail server (mail.planet.com.tw), they would
have to go out to the Internet, then come back through MH-2K/4K to access the mail server. Essentially, the
LAN network is accessing the mail server by a real public IP address, while the mail server serves their
request by a NAT address and not a real one. This odd situation occurs when there are servers in the DMZ
network and they are bound to real IP addresses. To avoid this, set up Host Table so all the LAN network
computers will use MH-2K/4K as a DNS server, which acts as the DNS Proxy.
- 15 -
Multi-Homing Security Gateway User’s Manual
Dynamic DNS: The Dynamic DNS (require Dynamic DNS Service) allows you to alias a dynamic IP address
to a static hostname, allowing your device to be more easily accessed by specific name. When this function is
enabled, the IP address in Dynamic DNS Server will be automatically updated with the new IP address
provided by ISP.
SNMP (MH-4000 only): Provide the System Administrator enabling SNMP Trap Alert Notification for sending
email to the setting SNMP Trap receiver IP address when the network is disconnected/ connected and being
attacked by hackers or when emergency conditions occur.
Language: Both Chinese and English are supported in MH-2K/4K.
Permitted IP: Enables the Administrator to authorize specific internal/external IP address(es) for Managing
Gateway.
Logout: Administrator logs out the Multi-Homing Security Gateway. This function protects your system while
you are away.
Software Update: The administrator can update the device’s software with the latest version. Administrators
may visit distributor’s web site to download the latest firmware. Administrators may update the device
firmware to optimize its performance and keep up with the latest fixes for intruding attacks.

4.1.1 Admin

On the left hand menu, click on Setup, and then select Admin below it. The current list of Administrator(s)
shows up.
ÍÍ
- 16 -
Multi-Homing Security Gateway User’s Manual
Settings of the Administration table Administrator Name: The username of Administrators for MH-2K/4K. The user admin cannot be removed.
Privilege: The privileges of Administrators (Admin or Sub Admin)
The username of the main Administrator is Administrator with read / write privilege. Sub Admins may be created by the Admin by clicking
New Sub Admin
. Sub Admins have read only
privilege.
Configure: Click Modify to change the “Sub Administrator’s” password and click Remove to delete a “Sub
Administrator.”
Changing the Main/Sub-Administrator’s Password
Step 1. The Modify Administrator Password window will appear. Enter in the required information:
Password: enter original password. New Password: enter new password Confirm Password: enter the new password again.
Step 2. Click OK to confirm password change or click Cancel to cancel it.
Adding a new Sub Administrator
Step 1. In the Add New Sub Administrator window:
Sub Admin Name: enter the username of new Sub Admin.Password: enter a password for the new Sub Admin. Confirm Password: enter the password again.
Step 2. Click OK to add the user or click Cancel to cancel the addition.
- 17 -
Multi-Homing Security Gateway User’s Manual
Removing a Sub Administrator
Step 1. In the Administration table, locate the Administrator name you want to edit, and click on the
Remove option in the Configure field.
Step 2. The Remove confirmation pop-up box will appear. Click OK to remove that Sub Admin or click
Cancel to cancel.

4.1.2 Settings

The Administrator may use this function to backup MH-2K/4K configurations and export (save) them to an
“Administrator” computer or anywhere on the network; or restore a configuration file to the device; or restore
MH-2K/4K back to default factory settings.
Entering the Settings window
Click Setting in the System menu to enter the Settings window. MH-2K/4K Configuration settings will be shown on the screen.
- 18 -
ÍÍ
Multi-Homing Security Gateway User’s Manual
Exporting MH-2K/4K settings
Step 1. Under Configuration, click on the Download button next to Export Sy stem Settings to Client. Step 2. When the File Download pop-up window appears, choose the destination place to save the
exported file. The Administrator may choose to rename the file if preferred.
- 19 -
Multi-Homing Security Gateway User’s Manual
Importing MH-2K/4K settings
Under Configuration, click on the Browse button next to Import System Settings. When the Choose File pop-up window appears, select the file which contains the saved MH-2K/4K Settings, then click OK. Click OK to import the file into MH-2K/4K or click Cancel to cancel importing.
Restoring Factory Default Settings
Step 1. Select Reset Factory Settings under Configuration.
Click OK at the bottom-right of the screen to restore the factory settings.
Enabling E-mail Alert Notification
Step 1. Select Enable E-mail Alert Notification under E-Mail Settings. This function will enable the
Multi-Homing Security Gateway to send e-mail alerts to the System Administrator when the
network is being attacked by hackers or when emergency conditions occur.
Step 2. SMTP Server IP: Enter SMTP server’s IP address. Step 3. E-Mail Address 1: Enter the first e-mail address to receive the alarm notification. Step 4. E-Mail Address 2: Enter the second e-mail address to receive the alarm notification. (Optional)
Click OK on the bottom-right of the screen to enable E-mail alert notification.
- 20 -
Multi-Homing Security Gateway User’s Manual
Web Management (WAN Interface)
The administrator can change the port number used by HTTP or HTTPS port anytime. (HTTPS only
supports with MH-4000)
Step 1. Set Web Management (WAN Interface). The administrator can change the port number used
by HTTP or HTTPS port anytime.
Step 2. Idle Timeout. Fill in the Idle Timeout setting, when time is up, the remote user will be logout
automatically. 0 means no timeout. (Idle Timeout only supports with MH-4000)
- 21 -
Multi-Homing Security Gateway User’s Manual
MTU (set networking packet length)
The administrator can modify the networking packet length.
Step 1. MTU Setting. Modify the networking packet length.
Link Speed / Duplex Mode Setting
This function allows administrator to set the transmission speed and mode of WAN Port. This feature is only
available with MH-2000.
Dynamic Routing (RIPv2)
Enable Dynamic Routing (RIPv2), MH-2K/4K will advertise an IP address pool to the specific network so that
the address pool can be provided to the network. You can choose to enable LAN, WAN or DMZ interface to
allow RIP protocol supporting.
Routing information update timer: MH-2K/4K will send out the RIP protocol in a period of time to update the
routing table, the default timer is 30 seconds.
Routing information timeout: If MH-2K/4K does not receive the RIP protocol from the other router in a
period of time, MH-2K/4K will cut off the routing automatically until it receives RIP protocol again. The default
timer is 180 seconds.
- 22 -
Multi-Homing Security Gateway User’s Manual
Administration Packet Logging
Step 1. Select this option to the device’s Administration Packet Logging. Once this function is
enabled, every packet to this appliance will be recorded for system administrator to trace.
System Reboot
Once this function is enabled, MH-2K/4K will be rebooted. Reboot Appliance: Click Reboot. A confirmation pop-up box will appear. Follow the confirmation pop-up box, click OK to restart MH-2K/4K or click Cancel to discard changes
- 23 -
Multi-Homing Security Gateway User’s Manual

4.1.3 Date/Time

Synchronizing the MH-2K/4K with the System Clock
Administrator can configure MH-2K/4K’s date and time by either syncing to an Internet Network Time Server
(NTP) or by syncing to your computer’s clock.
Follow these steps to sync to an Internet Ti me Server Step 1. Enable synchronization by checking the box. Step 2. Click the down arrow to select the offset time from GMT. Step 3. Enter the Server IP Address or Server name with which you want to synchronize. Step 4. Update system clock every 5 minutes You can set the interval time to synchronize with outside
servers. If you set it to 0, it means the device will not synchronize automatically.
Follow this step to sync to your computer’s clock. Step 1. Click on the Sync button. Click OK to apply the setting or click Cancel to discard changes.
- 24 -
Multi-Homing Security Gateway User’s Manual

4.1.4 Multiple Subnet

NA T mode
Multiple Subnet allows local port to set multiple subnet works and connect with the internet through different
WAN 1 IP Addresses.
For instance: The lease line of a company applies several real IP Addresses 168.85.88.0/24, and the
company is divided into R&D department, service, sales department, procurement department, accounting
department, the company can distinguish each department by different subnet works for the purpose of
convenient management. The settings are as the following:
1. R&D department sub-network: 192.168.1.11/24(LAN ) ÅÆ 168.85.88.253(WAN 1)
2. Service department sub-network: 192.168.2.11/24(LAN ) ÅÆ 168.85.88.252(WAN 1)
3. Sales department sub-network: 192.168.3.11/24(LAN ) ÅÆ 168.85.88.251(WAN 1)
4. Procurement department sub-network: 192.168.4.11/24(LAN ) ÅÆ 168.85.88.250(WAN 1)
5. Accounting department sub-network: 192.168.5.11/24(LAN ) ÅÆ 168.85.88.249(WAN 1)
The first department(R&D department) was set while setting interface IP, the other four ones have to be added
in Multiple Subnet, after completing the settings, each department use the different WAN IP Address to
connect to the internet. The settings of LAN computers on service department are as the following
Service IP Address: 192.168.2.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.11
The other departments are also set by groups, this is the function of Multiple Subnet.
Multiple Subnet settings
Click Multiple Subnet in the System menu to enter Multiple Subnet window.
Multiple Subnet functions: WAN Interface IP / Forwarding Mode: Display WAN Port IP Address and Forwarding Mode. Alias IP of Int. Interface / Netmask: Local port IP Address and subnet Mask. Configure: Modify the settings of Multiple Subnet. Click Modify to modify the parameters of Multiple Subnet
or click Delete to delete settings.
Add a Multiple Subnet NAT Mode: Step 1: Click the New Entry button below to add Multiple Subnet.
- 25 -
Loading...
+ 209 hidden pages