PLANET Technology does not warrant that the hardware will work properly in all environments and
applications, and makes no warranty and representation, either implied or expressed, with respect to the
quality, performance, merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability
for any inaccuracies or omissions that may have occurred.
Information in this User’s Manual is subject to change without notice and does not represent a commitment
on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in
this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s
Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described
in this User’s Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your
comments and suggestions.
Trademarks
The PLANET logo is a trademark of PLANET Technology.
This documentation may refer to numerous hardware and software products by their trade names. In most, if
not all cases, these designations are claimed as trademarks or registered trademarks by their respective
companies.
CE mark Warning
This is a class B device, in a domestic environment; this product may cause radio interference, in which case the user
may be required to take adequate measures.
Federal Communication Commission Interference Statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses, and can radiate radio frequency
energy and, if not installed and used in accordance with the instructions, may cause harmful interference to
radio communications. However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or television reception, which can
be determined by turning the equipment off and on, the user is encouraged to try to correct the interference
by one or more of the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio technician for help.
To assure continued compliance (example - use only shielded interface cables when connecting to computer or
peripheral devices). Any changes or modifications not expressly approved by the party responsible for
compliance could void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1)
This device may not cause harmful interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
R&TTE Compliance Statement
This equipment complies with all the requirements of DIRECTIVE 1999/5/EC OF THE EUROPEAN
PARLIAMENT AND THE COUNCIL OF 9 March 1999 on radio equipment and telecommunication
terminal Equipment and the mutual recognition of their conformity (R&TTE)
The R&TTE Directive repeals and replaces in the directive 98/13/EEC (Telecommunications Terminal
Equipment and Satellite Earth Station Equipment) As of April 8, 2000.
WEEE Caution
To avoid the potential effects on the environment and human health as a result of the presence of hazardous
substances in electrical and electronic equipment, end users of electrical and electronic equipment should
understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted
municipal waste; such WEEE must be collected separately.
Safety
This equipment is designed with the utmost care for the safety of those who install and use it. However,
special attention must be paid to the dangers of electric shock and static electricity when working with
electrical equipment. All guidelines of this and of the computer manufacturer must therefore be followed at all
times to ensure the safe use of the equipment.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please refer to the following
Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ Multi-Homing Security Gateway serial number and MAC address
♦ Any error messages that displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
CHAPTER 4: SYSTEM
6.1.2 LAN Group
6.1.4 WAN Group
6.5.3 Auth User Group
6.8.1 Mapped IP
6.8.2 Virtual Server 1-4
9.1.1 Traffic Log
9.3.1 WAN Statistics
9.4 WAKE ON LAN
As the Internet becomes essential for your business, the only way to protect your Internet connection from failure
is to have more than one connection. PLANET’s Multi-Homing Security Gateway MH-2001 reduces the risk
of potential shutdown if one of the Internet connections should fail. In addition, it allows you to perform
load-balancing by distributing the traffic through two WAN connections.
Not only a multi-homing device, PLANET’s MH-2001 also provides a complete security solution in a box.
The policy-based firewall, intrusion detection and prevention, content filtering function and VPN connectivity
with 3DES and AES encryption make it a perfect product for your network security. No more
complex connections and settings for integrating different security products on the network are required.
A bandwidth management function is also supported on MH-2001 to offer network administrators an easy
and powerful means to allocate network resources based on business priorities, and to shape and control
bandwidth usage.
1.1 Features
WAN Backup: The MH-2001 can monitor each WAN link status and automatically activate backup links
when a failure is detected. The detection is based on the configurable target Internet addresses.
Outbound Load Balancing: The network sessions are assigned based on the user configurable load
balancing mode, including “Auto”, “Round-Robin”, “By Traffic”, “By Session”, “By Packet”, “By Source IP”
and “By Destination IP”. Users can also configure which IP or TCP/UDP type of traffic uses which WAN
port to connect.
Policy-based Firewall: The built-in policy-based firewall prevents many known hacker attacks including
SYN attack, ICMP flood, UDP flood, Ping of Death, etc. The access control function allows only
specified WAN or LAN users to use only allowed network services at specified times.
VPN Connectivity: The security gateway supports PPTP and IPSec VPN. With DES, 3DES and AES
encryption and SHA-1 / MD5 authentication, the network traffic over public Internet is secured.
Content Filtering: The security gateway can block network connections based on URLs, Scripts (Pop-up,
Java Applet, cookies and Active X), P2P (eDonkey, Bit Torrent and WinMX), Instant Messaging
(MSN, Yahoo Messenger, ICQ, QQ and Skype) and Download/Upload blocking.
Dynamic Host Control Protocol (DHCP) server: The DHCP server can allocate up to 253 client IP
addresses and distribute them, including IP address, subnet mask as well as DNS IP address, to local
computers. It provides an easy way to manage the local IP network.
Web based GUI: MH-2001 supports a web based GUI for configuration and management. It also supports
multiple languages including English, Traditional Chinese and Simplified Chinese.
User Authentication: A user database can be configured on the device; MH-2001 also supports
authentication against external RADIUS and POP3 servers.
Bandwidth Management: Network packets can be classified based on IP address, IP subnet and
TCP/UDP port number and given guaranteed and burst bandwidth with three levels of priority.
Dynamic Domain Name System (DDNS): The Dynamic DNS service allows users to alias a dynamic
IP address to a static hostname.
Multiple NAT: Multiple NAT allows the local port to set multiple subnets and connect to the Internet through
different WAN IP addresses.
Server Load Balancing: Up to 4 groups of virtual servers support server load balancing.
Accounting Report: The accounting report function can monitor the information about the Intranet and
External network traffic via MH-2001.
1.2 Package Contents
The following items should be included:
MH-2001
Multi-Homing Security Gateway x 1
User’s Manual CD-ROM x 1
Quick Installation Guide x 1
Power Adapter x 1
Cat5 Cable x 1
Mat x 4
If any of the contents are missing or damaged, please contact your dealer or distributor immediately.
1.3 MH-2001 Front View
MH-2001 Front Panel
LED / Button Definition
LED / Button Description
Reset Button Press this button to restore factory default setting.
PWR Power is supplied to this device.
STATUS Blinks to indicate this device is being turned on and
booting. After four minutes, this LED indicator will stop
blinking, which means this device is now ready to use.
WAN1, WAN2, LAN, DMZ Steady on indicates the port is connected to another
network device.
1 x 10/100Mbps RJ-45
2 x 10/100Mbps RJ-45
1 x 10/100Mbps RJ-45
Web
DMZ_NAT, DMZ_Transparent, NAT
Static Route, RIPv2
Policy-based routing
Load-balancing by Round-Robin, traffic, session, packet, Source IP and
Destination IP
Policy-based firewall rule with schedule
NAT/ NAPT
SPI firewall
Prevention of SYN attack, ICMP Flood, UDP flood, Ping of Death, Tear Drop,
IP Spoofing, IP route, Port Scan and Land attack
200/100
(Configure/Connection)
VPN Functions:
  PPTP, IPSec
  DES, 3DES and AES encrypting
  SHA-1 / MD5 authentication algorithm
  Remote access VPN (Client-to-Site) and Site to Site VPN
Content Filtering:
  URL blocking, Script blocking (Pop up, Java Applet, cookies and Active X)
  IM blocking (MSN, Yahoo Messenger, ICQ, QQ and Skype)
  P2P blocking (eDonkey, Bit Torrent and WinMX)
  Download and Upload blocking
Bandwidth Management:
  Policy-based bandwidth management
  Guarantee and maximum bandwidth with 3 priority levels
  Classify traffics based on IP, IP subnet, TCP/UDP port
User authentication:
  Built-in user database with up to 200 entries
  Radius, POP3 authentication support
Accounting Report:
  Outbound/Inbound accounting report statistics by Source IP, Destination IP and Service
Log and Alarm:
  Log and alarm for event and traffic
  Log can be saved from web, sent by e-mail or sent to syslog server
Statistics:
  Traffic statistic for interface (WAN 1/2) and policies
  Graphic display
  Record up to 30 days
Others:
  Firmware Upgradeable through Web
  Configuration Backup and Restore through Web
  Dynamic DNS
  NTP support
  DHCP server
  Multiple NAT and multiple DMZ (mapped IP) support
  Server load balancing
Before installing MH-2001, make sure your network meets the following requirements.
- Mechanical Requirements
MH-2001 is installed between your Internet connection and local area network. You can place it on the
table or rack, and locate the unit near the power outlet.
- Electrical Requirements
MH-2001 is a power-required device, which means it will not work until it is powered. If your network PCs
need to transmit data all the time, please consider using a UPS (Uninterrupted Power Supply) for your
MH-2001. It will protect you from network data loss. In some areas, installing a surge suppression device
may also help to protect your MH-2001 from being damaged by unregulated surge or current.
- Network Requirements
In order for MH-2001 to secure your network traffic, the traffic must pass through the device at a useful
point in a network. In most situations, MH-2001 should be placed behind the Internet connection device.
The MH-2001 DMZ port supports three operation modes: Disable, NAT and Transparent. In Disable mode, the
DMZ port is not active. In Transparent mode, MH-2001 works as a proxy, forwarding DMZ packets to the WAN
and WAN packets to the DMZ. The DMZ and WAN side IP addresses are in the same subnet. In NAT
mode, DMZ side users share one public IP address of the WAN port to make the Internet connection. Please
see the following two pictures for examples.
2.2.1 Transparent Mode Connection Example
[Figure: Transparent mode connection example. MH-2001 LAN port 192.168.1.1 / 255.255.255.0 with LAN PC1 192.168.1.2 and LAN PC2 192.168.1.3; WAN1 61.11.11.11 to ISP1 through an ADSL / Cable modem; WAN2 62.22.22.22 to ISP2 through an ADSL / Cable modem; DMZ port in DMZ Transparent mode (to WAN1) with DMZ PC1 61.11.11.12 and DMZ PC2 61.11.11.13.]
The WAN1 and DMZ side IP addresses are on the same subnet. This application is suitable if you have a
subnet of IP addresses and you do not want to change any IP configuration on the subnet.
Connect the Administrator’s PC and the LAN port of MH-2001 to a hub or switch. Make sure there is a link
light on the hub/switch for both connections. MH-2001 has an embedded web server used for management
and configuration. Use a web browser to display the configurations of MH-2001 (such as Internet Explorer
4 (or above) or Netscape 4.0 (or above) with full JavaScript support). The default IP address of MH-2001 is
192.168.1.1 with a subnet mask of 255.255.255.0. Therefore, the IP address of the Administrator PC must be
in the range 192.168.1.2 – 192.168.1.254.
If the company’s LAN IP address is not in the 192.168.1.0 subnet (i.e. LAN IP Address is 172.16.0.1), then the
Administrator must change his/her PC IP address to be within the same range as the LAN subnet. Reboot
the PC if necessary.
By default, MH-2001 is shipped with its DHCP Server function enabled. This means the client computers on
the LAN network including the Administrator PC can set their TCP/IP settings to automatically obtain an IP
address from the device.
The following table is a list of private IP addresses. These addresses may not be used as a WAN IP address.
10.0.0.0 ~ 10.255.255.255
172.16.0.0 ~ 172.31.255.255
192.168.0.0 ~ 192.168.255.255
STEP 2:
Once the Administrator PC has an IP address on the same network as the Multi-Homing Security Gateway,
open up an Internet web browser and type in http://192.168.1.1
A pop-up screen will appear and prompt for a username and password. A username and password are required
to connect to MH-2001. Enter the default login username and password of Administrator (see below).
After entering the username and password, the MH-2001 WebUI screen will display. Select the Interface tab on
the left menu. Click on WAN from the sub-function list, and a sub-function list will be displayed.
Click Modify button to configure WAN NO. 1 and the following page will be displayed.
Alive Indicator Site IP:
Service: ICMP You can select an IP address by Assist, or type an IP address manually.
This feature is used to ping an address for detecting WAN connection status.
Service: DNS You can select a DNS IP and Domain name by Assist, or type the related data manually.
PPPoE (ADSL User):
This option is for PPPoE users who are required to enter a username and password in
order to connect.
Username: Enter the PPPoE username provided by the ISP.
Password: Enter the PPPoE password provided by the ISP.
IP Address provided by ISP:
Dynamic: Select this if the IP address is automatically assigned by the ISP.
Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by
your ISP.
Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP.
Service-On-Demand:
The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter in
the amount of idle minutes before disconnection. Enter ‘0’ if you do not want the PPPoE connection to
disconnect at all.
For Dynamic IP Address (Cable Modem User):
This option is for users who are automatically assigned an
IP address by their ISP, such as cable modem users. The following fields apply:
MAC Address: This is the MAC Address of the device. Some ISPs require a specified MAC address. If the
required MAC address is your PC’s, click Clone MAC Address.
Hostname: This will be the name assigned to the device. Some cable modem ISPs assign a specific
hostname in order to connect to their network; please enter the hostname here. If not
required by your ISP, you do not have to enter a hostname.
Domain Name: You can specify your own domain name or leave it blank.
User Name: The user name is provided by ISP.
Password: The password is provided by ISP.
Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP.
For Static IP Address:
This option is for users who are assigned a static IP Address from their ISP. Your ISP
will provide all the information needed for this section such as IP Address, Netmask, Gateway, and DNS.
IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of
the WAN 1 port of the device.
Netmask: This will be the Netmask of the WAN 1 network. (i.e. 255.255.255.0)
Default Gateway: This will be the Gateway IP address.
Domain Name Server (DNS): This is the IP Address of the DNS server.
Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP.
Ping:
Select this to allow the WAN network to ping the IP Address of MH-2001. This will allow people from the
Internet to be able to ping the MH-2001 WAN IP. If set to enable, the device will respond to echo request packets
from the WAN network.
HTTP: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the WebUI
to be configured by a user on the Internet. Keep in mind that the device always requires a username and
password to enter the WebUI.
3.3 Configure WAN 2 interface
If you want to connect WAN 2 to another ISP connection, click the Modify button of WAN No. 2, then repeat the above
procedure to set it up.
3.4 Configure DMZ interface
Depending on your network requirements, you can disable the DMZ port, make the DMZ port transparent to WAN 1 or
enable the NAT function on it.
To configure the DMZ port, select the Interface tab on the left menu, then click on DMZ; the following page is
shown.
Please refer to Section 2.2 to select the mode you need and configure the related IP parameters.
3.5 Configure Policy
STEP 1:
Click on the Policy tab from the main function menu, and then click on Outgoing (LAN to WAN) from the
sub-function list.
STEP 2:
Click on New Entry button.
STEP 3:
When the New Entry option appears, enter the following configuration:
The configuration is successful when the screen below is displayed.
Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP
Address set to MH-2001’s LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN
network should gain access to the Internet immediately. If the MH-2001 filter function is required, please refer to
the Policy section in chapter 7.
MH-2001 Administration and monitoring configuration is set by the System Administrator. The System
Administrator can add or modify System settings and monitoring mode. The sub Administrators can only read
System settings but not modify them. In System, the System Administrator can:
1. Add and change the sub Administrator’s names and passwords;
2. Back up all MH-2001 settings into local files;
3. Set up alerts for Hackers invasion.
“System” is the managing of settings such as the privileges of packets that pass through MH-2001 and
monitoring controls. Administrators may manage, monitor, and configure MH-2001 settings. All configurations
are “read-only” for all users other than the Administrator; those users are not able to change any settings for
MH-2001.
4.1 Administration
4.1.1 Admin
Click the System/Administration/Admin on the left menu, and the list of Administrators will display as below.
Define the required fields of Administrator
Admin Name:
The username of Administrators and Sub Administrators for the MH-2001. The admin user name cannot
be removed; the sub-admin users can be removed or configured.
The default Account: admin; Password: admin
Privilege:
The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is
Administrator with reading / writing privilege. The Administrator can also change the system settings, log
system status, and add or delete sub-administrators. Sub-Admin may be created by the Admin by clicking
New Sub Admin. Sub Admin have only read and monitor privilege and cannot change any
Click Modify to change the “Sub-Administrator’s” password or click Remove to delete a “Sub
Administrator.”
Changing the Main/Sub-Administrator’s Password
Step 1. The Modify Administrator Password window will appear. Enter in the required information:
Password: enter original password.
New Password: enter new password
Confirm Password: enter the new password again.
Step 2. Click OK to confirm password change or click Cancel to cancel it.
Adding a new Sub Administrator
Step 1. In the Add New Sub Administrator window:
Sub Admin Name: enter the username of new Sub Admin.
Password: enter a password for the new Sub Admin.
Confirm Password: enter the password again.
Step 2. Click OK to add the user or click Cancel to cancel the addition.
STEP 1. Add the following settings in Permitted IPs of Administration:
Name: Enter a new name
IP Address: Enter the IP address you want to permit
Netmask: Enter the Netmask (255.255.255.255 means a single host)
Service: Select Ping and HTTP
Click OK
The new Permitted IP entry is now added.
For Permitted IPs to take effect, the Ping and HTTP selections must be cleared on the interface (LAN, WAN, or
DMZ) through which the Administrator enters the WebUI of MH-2001.
Before clearing the HTTP selection of an interface, set up the Permitted IPs first; otherwise the WebUI
can no longer be entered through that interface.
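The ordering constraint above can be checked before a change is applied. The following is an added example, not PLANET code or the firmware's logic: it models the behaviour as the manual describes it (a service ticked on an interface is open to every host there; once unticked, only Permitted IPs entries match). The names PermittedIP, access_allowed, safe_to_untick and unrestricted, and the sample address 192.168.1.10, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PermittedIP:
    """One row of the Permitted IPs table: Name, IP Address, Netmask, Service."""
    name: str
    network: ipaddress.IPv4Network
    services: frozenset  # subset of {"ping", "http"}


def permitted(name, ip, netmask, services):
    # strict=False accepts an address with host bits set under a wider mask,
    # the way a form entry such as 192.168.1.10 / 255.255.255.0 would be typed.
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return PermittedIP(name, net, frozenset(s.lower() for s in services))


def access_allowed(src_ip, service, interface_services, permitted_ips):
    """Assumed model of the manual's description, not firmware logic.

    interface_services: services still ticked (Ping/HTTP) on the interface
    the request arrives on. While a service is ticked there, the allow-list
    is irrelevant; once it is unticked, only matching entries get through.
    """
    service = service.lower()
    if service in interface_services:
        return True
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in p.network and service in p.services for p in permitted_ips)


def safe_to_untick(service, admin_ip, permitted_ips):
    """Pre-change check: can admin_ip still reach the service afterwards?"""
    return access_allowed(admin_ip, service, frozenset(), permitted_ips)


def unrestricted(interfaces):
    """(interface, service) pairs that remain open to every host."""
    return sorted((name, svc) for name, svcs in interfaces.items() for svc in svcs)


# Constructed sample configuration (not taken from a real device).
PERMITTED = [permitted("admin-pc", "192.168.1.10", "255.255.255.255", ["Ping", "HTTP"])]
BEFORE = {"LAN": frozenset({"ping", "http"}), "WAN": frozenset()}
AFTER = {"LAN": frozenset(), "WAN": frozenset()}

if __name__ == "__main__":
    # With HTTP still ticked on LAN, any LAN host reaches the WebUI.
    print(access_allowed("192.168.1.77", "http", BEFORE["LAN"], PERMITTED))
    # After unticking, only the permitted host does.
    print(access_allowed("192.168.1.77", "http", AFTER["LAN"], PERMITTED))
    print(access_allowed("192.168.1.10", "http", AFTER["LAN"], PERMITTED))
    # Unticking HTTP with an empty allow-list locks the administrator out.
    print(safe_to_untick("http", "192.168.1.10", []))
    print(unrestricted(BEFORE))
```

Running safe_to_untick for the administrator's own address before clearing HTTP on an interface catches the lockout case the manual warns about.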
Under Software Update, the admin may update the device’s software with newer software.
You may acquire the current version number of software in Version Number. Administrators may visit
distributor’s web site to download the latest version and save it in server’s hard disc.
Step 1. Click Browse to select the latest version of Software.
Step 2. Click OK to update software.
NOTE: It takes three minutes to update the software. The system will restart automatically after updating the
software.
The Configure menu covers the basic settings of the MH-2001. In this chapter these are Setting,
Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table, and Language settings.
4.2.1 Setting
The Administrator may use this function to backup, restore MH-2001 configurations or restore MH-2001 back
to default factory settings. You can also set general setting like device’s name, E-mail setting and HTTP port
on it.
Entering the Settings window
Click Setting in the System/configure menu to enter the Settings window. MH-2001 Configuration
settings will be shown on the screen.
Exporting MH-2001 settings
Step 1. Under Backup/Restore Configuration, click on the Download button next to Export System
Settings to Client.
Step 2. When the File Download pop-up window appears, choose the destination place to save the
Under Backup/Restore Configuration, click on the Browse button next to Import System Settings. When
the Choose File pop-up window appears, select the file which contains the saved MH-2001 Settings, then
click OK.
Click OK to import the file into MH-2001 or click Cancel to cancel importing.
Restoring Factory Default Settings
Step 1. Select Reset Factory Settings.
Click OK at the bottom-right of the screen to restore the factory settings.
Step 1. You can modify your device name. Enter the new name in the field.
Step 2. Click OK at the bottom-right of the screen.
Enabling E-mail Alert Notification
Step 1. Select Enable E-mail Alert Notification under E-Mail Settings. This function will enable the
MH-2001 to send e-mail alerts to the System Administrator when the network is being attacked
by hackers or when emergency conditions occur.
Step 2. SMTP Server IP: Enter SMTP server’s IP address.
Step 3. E-Mail Address 1: Enter the first e-mail address to receive the alarm notification.
Step 4. E-Mail Address 2: Enter the second e-mail address to receive the alarm notification. (Optional)
Step 5. Click OK on the bottom-right of the screen to enable E-mail alert notification.
The administrator can modify the networking packet length.
Step 1. MTU Setting. Modify the networking packet length. ( Range 40 – 1500 )
Step 2. Click OK at the bottom-right of the screen.
Dynamic Routing (RIPv2)
When Dynamic Routing (RIPv2) is enabled, MH-2001 will exchange RIP routing information. Routers which
support RIP can connect automatically. You can choose to enable the LAN, WAN1, WAN2 or DMZ interface to
allow RIP protocol support.
Routing information update timer: MH-2001 will send out RIP updates periodically to update the
routing table; the default timer is 30 seconds.
Routing information timeout: If MH-2001 does not receive RIP updates from the other router within a period
of time, MH-2001 will cut off the routing automatically until it receives RIP updates again. The default timer is
180 seconds.
Select this option to enable the device’s SIP protocol pass-through. Once this function is enabled, the SIP
packets will be allowed to pass through via MH-2001.
To-Appliance Packets Log
Select this option to enable the device’s To-Appliance Packets Log. Once this function is enabled, every packet
to this appliance will be recorded for the system administrator to trace.
Once this function is enabled, MH-2001 will be rebooted.
Click Reboot. The confirmation pop-up box will appear. Click OK to restart MH-2001 or click Cancel to
discard changes
4.2.2 Date/Time
Synchronizing the MH-2001 with the System Clock
Administrator can configure MH-2001’s date and time by either syncing to an Internet Network Time Server
(NTP) or by syncing to your computer’s clock.
Follow these steps to sync to an Internet Time Server
Step 1. Enable synchronization by checking the box.
Step 2. Click the down arrow to select the offset time from GMT.
Step 3. Enter the Server IP Address or Server name with which you want to synchronize.
Step 4. Update system clock every 120 minutes: You can set the interval time to synchronize with
outside servers. If you set it to 0, the device will not synchronize automatically.
Follow this step to sync to your computer’s clock.
Step 1. Click on the Sync button. Click OK to apply the setting or click Cancel to discard changes.