
Multi-Homing Security Gateway User's Manual


Contents

1. You will first need to register and establish an account with the Dynamic DNS provider using their website. Example: DYNDNS, http://www.dyndns.org (MH-1000 supports several Dynamic DNS providers, such as www.dyndns.org, www.orgdns.org, www.dhs.org, www.dyns.cx, www.3domain.hk, www.zoneedit.com, www.3322.org, www.no-ip.com). Dynamic DNS: Disable: Check to disable the Dynamic DNS function. Enable: Check to enable the Dynamic DNS function. The following fields will be activated and required. Dynamic DNS Server: Select the DDNS service you have established an account with. Wildcard: Select this check box to enable the DYNDNS Wildcard. Domain Name: Enter your registered domain name for this service. Username: Enter your registered user name for this service. Password: Enter your registered password for this service. Click Apply to save your changes. 4.4.9.3 Device Management. The Device Management Advanced Configuration settings allow you to control your router's security options and device monitoring features.
2. Rule: Select Enable to activate this rule, Disable to deactivate this rule. Destination: This is the destination subnet IP address. Netmask: This is the subnet mask of the destination IP addresses, based on above destination subnet IP. Gateway: This is the gateway IP address to which packets are to be forwarded. Interface: Select the interface through which packets are to be forwarded. Cost: This is the same meaning as Hop. Click Apply to save your changes. 4.4.9.2 Dynamic DNS. The Dynamic DNS function allows you to alias a dynamic IP address to a static hostname, allowing users whose ISP does not assign them a static IP address to use a domain name. This is especially useful when hosting servers via your WAN connection, so that anyone wishing to connect to you may use your domain name, rather than having to use a dynamic IP address that changes periodically. This dynamic IP address is the WAN1/WAN2 IP address of the router, which is assigned to you by your ISP. Click Edit in the Dynamic DNS Settings Table to set related parameters for a specific interface.
3. ESP divides its fields into three components. ESP Header: Placed before encrypted data, the ESP Header contains the SPI and Sequence Number. Its placement depends on whether ESP is used in transport mode or tunnel mode. ESP Trailer: Placed after the encrypted data, the ESP Trailer contains padding that is used to align the encrypted data. ESP Authentication Data: This contains an Integrity Check Value (ICV) for when ESP's optional authentication feature is used. ESP provides authentication, integrity, and confidentiality, which provides data content protection and protects against data tampering. A typical ESP packet looks like this: (Figure fields: SPI, Sequence Number, Authentication Data.) A.2.1.3 Security Associations (SA). Security Associations are one-way relationships between sender and receiver that specify IPSec-related parameters. They provide data protection by using the defined IPSec protocols, and allow organizations to control, according to the security policy in effect, which resources may communicate securely. An SA is identified by 3 parameters: Security Parameters Index (SPI), a locally unique value; Destination IP Address; Security Protocol (AH or ESP, but not both). There are several other parameters associated with an SA that are stored in a Security Association database. A.2.2 IPSec Modes. To exchange data between different types of VPNs, IPSec provid
4. 5.5 Problems with Date and Time. If the date and time is not being displayed correctly, be sure to set it for your MH-1000 via the Web Configuration Interface. Both date and time can be found under Configuration > System > Time Zone. 5.6 Restoring Factory Defaults. You can restore your MH-1000 to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink. This will reset your router to its default settings. Appendix A: Virtual Private Networking. A.1 What is the VPN? A Virtual Private Network (VPN) is a shared network where private data is segmented from other traffic so that only the intended recipient has access. It allows organizations to securely transmit data over a public medium like the Internet. VPNs utilize tunnels, which allow data to be safely delivered to the intended recipient. Because private networks lack data security, IPSec-based VPNs employ encryption technologies that protect a private network from data theft or tampering. These private networks can be implemented over any type of IP network, which allows for excellent flexibility. A.1.1 VPN Applications. VPNs are traditionally used three ways. Extranets: Extranets are secure connections between two or more organizations. IPSec-based VPNs are ideal for extranet connections, as they can be quickly and inexpensively installed. Extranets are often
5. Data Network IP Address Netmask Security Algorithm Head Office IP Address Single client Local IP Address 69.121.1.30 69.121.1.3 Any Local Address Any Local Address 192.168.1.0 255.255.255.0 Remote 69.121.1.3 69.121.1.30 IP Address 69.121.1.30 IP Address 69.121.1.3 Single Address 69.121.1.30 255.255.255.255 192.168.1.0 255.255.255.0 Proposal 12345678 12345678 PFS PFS. D.8 IPSec Fail Over (Gateway to Gateway). (Figure: MH-1000 A and MH-1000 B, before and after fail over.) Step 1: Go to Configuration > Dual WAN > General Settings. Enable Fail Over by selecting the Fail Over radio button. Then configure your Fail Over policy. Step 2: Go to Configuration > Advanced > Dynamic DNS and configure your dynamic DNS settings (both WAN1 and WAN2).
6. Step 4: Click Save Config to save all changes to flash memory. Step 5: In Windows XP, go to Start > Settings > Network Connections. Step 6: In Network Tasks, click Create a new connection, and press Next. Step 7: Select Connect to the network at my workplace a
7. In the above example, PC 1 (IP: 192.168.2.2) and PC 2 (IP: 192.168.2.3) are connected to the Internet via WAN1 (IP: 230.100.100.1) and WAN2 (IP: 213.10.10.2) on MH-1000. You can configure MH-1000 to balance the load of each WAN port with one of two mechanisms: 1. Session (by session, by traffic, weight of link capability); 2. IP Hash (by traffic, weight of link capability). The IP Hash mechanism will ensure that the traffic from the same source IP address and destination IP address will go through the same WAN port. This is useful for some server applications that need to identify the source IP address of the client. By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that outbound traffic is efficiently handled by making sure that both ports are equally sharing the load, preventing situations where one port is completely saturated by outbound traffic. Please refer to appendix D for example settings. 2.4 Inbound Traffic. Learn how MH-1000 can handle inbound traffic in the following section. 2.4.1 Inbound Fail Over. Configuring MH-1000 for Inbound Fail Over allows you to ensure that incoming traffic is uninterrupted by having MH-1000 default to WAN2 should WAN1 fail.
8. Remote Identifier: The Identifier of the remote gateway. According to the input value, the ID type will be auto-defined as IP Address, FQDN (DNS) or FQUN (E-mail). Remote Network: The subnet of the remote network. Allows you to enter an IP address and netmask. Back: Back to the Previous page. Next: Go to the next page. 3. LAN to Host: MH-1000 would like to establish an IPSec VPN tunnel with remote client software using Fixed Internet IP or domain name, by using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel. Back: Back to the Previous page. Next: Go to the next page. 4. LAN to Mobile Host: MH-1000 would like to establish an IPSec VPN tunnel with remote client software using Dynamic Internet IP, by using aggressive mode. Remote Identifier: The Identifier of the remote gateway. According to the input value, the ID type will be auto-defined as IP Address, FQDN (DNS) or FQUN (E-mail). Back
9. 4. Select Internet Protocol (TCP/IP) and click Properties. 5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration. 3.3.4 Windows 95/98/ME. 1. Go to Start / Settings / Control Panel. In the Control Panel, double-click on Network and choose the Configuration tab. 2. Select TCP/IP > NE2000 Compatible, or the name of your Network Interface Card (NIC) in your PC. 3. Select the Obtain an IP address automatically radio button.
10. PPTP function: Select Enable to activate PPTP Server, Disable to deactivate PPTP Server function. Auth. Type: The authentication type: Pap or Chap, PaP, Chap. Data Encryption: Select Enable or Disable the Data Encryption. Encryption Key Length: Auto, 40 bits or 128 bits. Peer Encryption Mode: Only Stateless or Allow Stateless and Stateful. IP Addresses Assigned to Peer: Start from 192.168.1.x; please input the IP assigned range from 1 to 254 (except MH-1000's LAN IP address, with 192.168.1.1 as MH-1000's default LAN IP address, and the IP pool range of the DHCP server settings, with 100 to 199 as MH-1000's default DHCP IP pool range). Idle Timeout (Min): Specify the time for the remote peer to be disconnected without any activities, from 0 to 120. Click Create to create a new PPTP VPN connection account. Connection Name: A user-defined name for the c
11. D.13 PPTP Remote Access. Step 1: Go to Configuration > VPN > PPTP and Enable the PPTP function, Disable the Encryption, then click Apply. Step 3: Click Apply; you can see the account is successfully created.
12. Enter a keyword to be filtered and click Apply. Your new keyword will be added to the filtered keyword listing. Domains Filtering: Click the top checkbox to enable this feature. You can also choose to disable all web traffic except for trusted sites by clicking the bottom checkbox. To edit the list of filtered domains, click Details. Enter a domain and select whether this domain is trusted or forbidden with the pull-down menu. Next, click Apply. Your new domain will be added to either the Trusted Domain or Forbidden Domain listing, depending on which you selected previously. Restrict URL Features: Use this to disable certain web features. Select the options you want (Block Java Applet, Block ActiveX, Block Web proxy, Block Cookie, Block Surfing by IP Address) and click Apply to save your changes. You may also designate which IP addresses are to be excluded from these filters by adding them to the Exception List. To do so, click Ad
13. D.9 IP VPN Concentrator. (Figure: Branch A, Branch B and Headquarter, with WAN addresses 200.200.200.1, 100.100.100.1 and 201.201.201.1. ID settings shown in the figure: Local ID Type Subnet, local subnet 192.168.3.0, local mask 255.255.255.0, Remote ID Type Subnet, remote subnet 0.0.0.0, remote mask 0.0.0.0; Local ID Type Subnet, local subnet 0.0.0.0, local mask 0.0.0.0, Remote ID Type Subnet, remote subnet 192.168.3.0, remote mask 255.255.255.0; Local ID Type Subnet, local subnet 0.0.0.0, local mask 0.0.0.0, Remote ID Type Subnet, remote subnet 192.168.4.0, remote mask 255.255.255.0; Local ID Type Subnet, local subnet 192.168.4.0, local mask 255.255.255.0, Remote ID Type Subnet, remote subnet 0.0.0.0, remote mask 0.0.0.0.) Step 1: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000 C to MH-1000 A (Branch A).
14. AH: Provides authentication and integrity. Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. Internet Key Exchange (IKE): Provides key management and Security Association (SA) management. These components are discussed below. A.2.1.1 Authentication Header (AH). The Authentication Header (AH) is a protocol that provides authentication and integrity, protecting data from tampering. It provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. The AH can also protect packets from unauthorized re-transmission with anti-replay functionality. The presence of the AH header allows us to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy (ESP protects data confidentiality). Both AH and ESP can be used together for added protection. A typical AH packet looks like this: (Figure fields: Payload Length, Reserved, Sequence Number, Authentication Data.) A.2.1.2 Encapsulating Security Payload (ESP). Encapsulating Security Payload (ESP) provides privacy for data through encryption. An encryption algorithm combines the data with a key to encrypt it. It then repackages the data using a special format, and transmits it to the destination. The receiver then decrypts the data using the same algorithm. ESP is usually used with AH to provide added data security
15. Back: Back to the Previous page. Next: Go to the next page. 5. LAN to Host (for VPN Client only): MH-1000 would like to establish an IPSec VPN tunnel with MH-1000 VPN Client, by using aggressive mode. VPN Client IP Address: The VPN Client Address for MH-1000 VPN Client; this value will be applied on both remote ID and Remote Network as single address. Back: Back to the Previous page. Next: Go to the next page.
16. C.4 Who Needs QoS? QoS is ideal for home and office users who need to use a variety of real-time applications like VoIP, on-line games, P2P, video streaming, and FTP simultaneously. With QoS, you can optimize your bandwidth to accommodate several of these applications without experiencing latency or service interruptions. C.4.1 Home Users. Low latency is everything for gamers. Most home users feel frustrated when trying to play an online game over a shared ADSL connection. Unfortunately, most routers have no way of determining the importance of the packet at any given time. All the traffic is treated equally, so a packet containing an urgent command may be delayed. QoS gives you the ability to control the bandwidth. Using IP Throttling, bandwidth limits can be enforced on a particular application or any system within the LAN. Prioritization specifies which packets have priority and should not be delayed, and which packets have lower priority and should be moved to the end of the upload queue. Suppose there are four students sharing a three-floor house with one single broadband connection. Robert, a college freshman, is playing the online game with his group members, while Mary, a sophomore student, is talking to her net pal via Skype. Meanwhile, Jerome is downloading a movie file by using the P2P application program. Sophia, however, is just trying to log on to the website to send her photo
17. IP Subnet Mask: Enter the IP subnet mask provided by your ISP. ISP Gateway Address: Enter the ISP gateway address provided by your ISP. MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. Primary DNS: Enter the primary DNS provided by your ISP. Secondary DNS: Enter the secondary DNS provided by your ISP. RIP: To activate RIP, select Send, Receive, or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.3 PPPoE. Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Connection: Select whether the connection should Always Conne
18. Chapter 4: Router Configuration. 4.1 Overview. The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left-hand side. From it, you will be able to select various options used to configure your router. 1. Click Apply if you would like to apply the settings on the current screen to the device. The settings will be effective immediately; however, the configuration is not saved yet, and the settings will be erased if you power off or restart the device. 2. Click SAVE CONFIG to save the current settings permanently to the device. 3. Click RESTART to restart the device. There are two options to restart the device. Select Current Settings if you would like to
19. Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. PPTP Client IP: Enter the PPTP Client IP provided by your ISP. PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP. PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP. PPTP Server IP: Enter the PPTP Server IP provided by your ISP. Connection: Select whether the connection should Always Connect or Trigger on Demand. Always Connect: If you want the router to establish a PPTP session when starting up and to automatically re-establish the PPTP session when disconnected by the ISP. Trigger on Demand: If you want to establish a PPTP session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: Auto disconn
20. No.: Number of the list. Protocol: Protocol type of the session. From IP: Source IP of the session. From port: Source port of the session. To IP: Destination IP of the session. To port: Destination port of the session. Sessions Filter: When the presented field is filled, please click the Filter button. From IP: Please input the source IP you would like to filter. From port: Please input the source port you would like to filter. To IP: Please input the destination IP you would like to filter. To port: Please input the destination port you would like to filter. First: To the first page. Previous: To the previous page. Next: To the next page. Last: To the last page. Jump to the session: Please input the session number you would like to see and press GO. 4.2.4 DHCP Table. The DHCP Table displays a list of IP addresses that have been assigned to PCs on your network via Dynamic Host Configuration Protocol (DHCP).
21. Step 2: Go to Configuration > VPN > IPSec > IPSec Policy and configure the link from MH-1000 C to MH-1000 B (Branch B).
22. (Figure: DNS inbound fail over with the built-in DNS server, before and after fail over.) In the above example, an FTP Server (IP: 192.168.2.2) and an HTTP Server (IP: 192.168.2.3) are connected to the Internet via WAN1 (IP: 200.200.200.1) on MH-1000. A remote computer is trying to access these servers via the Internet, and makes a DNS request. The DNS request (www.mydomain.com) will be sent through WAN1 (200.200.200.1) to the built-in DNS server. The DNS server will reply 200.200.200.1 because this is the only active WAN port. Should WAN1 fail, MH-1000 will instead reply with WAN2's IP address (100.100.100.1), and the remote PC will gain access to the network via WAN2. By configuring MH-1000 for DNS Inbound Fail Over, incoming requests will enjoy increased reliability when accessing your network. Please refer to appendix D for example settings. 2.5.2 DNS Inbound Load Balancing. DNS Inbound Load Balancing allows MH-1000 to intelligently manage inbound traffic based on the amount of load of each WAN connection by assigning the IP address with the lowest traffic load to incomi
23. The WAN menu contains two items: ISP Settings and Bandwidth Settings. 4.4.2.1 ISP Settings. This WAN Service Table displays the different WAN connections that are configured on MH-1000. To edit any of these connections, click Edit. You will be taken to the following menu. Connection Method: Select how your router will connect to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. For each WAN port, the factory default is DHCP. If your ISP does not use DHCP, select the correct connection method and configure the connection accordingly. Configurable items will vary dependi
24. ID %s but peer declares %s. INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized. INVALID ID: Require peer to have ID %s but peer declares %s. INVALID ID INFORMATION: Initial Aggressive Mode packet claiming to be from %s on %s but no connection has been authorized. Appendix C: Bandwidth Management with QoS. C.1 Overview. In a home or office environment, users constantly have to transmit data to and from the Internet. When too many are accessing the Internet at the same time, service can slow to a crawl, causing service interruptions and general frustration. Quality of Service (QoS) is one of the ways MH-1000 can optimize the use of bandwidth, ensuring a smooth and responsive Internet connection for all users. C.2 What is Quality of Service? QoS is a feature that prioritizes and guarantees bandwidth to achieve optimal service performance. QoS can maximize the use of available network bandwidth by prioritizing time-sensitive traffic to avoid latencies and delays. By ensuring that time-sensitive applications such as VoIP and streaming video get priority access to bandwidth, users in both home and office environments can enjoy smooth and responsive data transmission no matter which applications they are running. If you've ever experienced slow Internet speeds
25. PC to the IP address of the router (192.168.1.1 by default). To configure the router's DHCP Server, select the Enable radio button and then configure the parameters of the DHCP Server, including the IP Pool (starting IP address and ending IP address to be allocated to the PCs on your network), DNS Server, WINS Server, and Domain Name. These details are sent to each DHCP client when they request an IP address from the DHCP server. Click Apply to enable this function.
Fixed Host allows specific computer/network clients to have a reserved IP address.
IP Address: Enter the IP address that you want to reserve for the above MAC address.
MAC Address: Enter the MAC address of the PC or server you wish to be assigned a reserved IP.
Candidates: You can also select the Candidates, which are referred from the ARP table, for automatic input.
Click the Apply button to add the configuration into the Host Table. Press the Delete button to delete a configuration from the Host Table.
4.4.2 WAN
WAN refers to your Wide Area Network connection. In most cases, this means your router's connection to the Internet through your ISP. MH 1000 features Dual WAN capability.
26. Send Main mode second message of ISAKMP: Sending the second message of main mode. Done to exchange key values.
Received Main mode second: Received the second message of main mode. Done to exchange key
Send Main mode second: Sending the main mode second response message. Done to exchange
Received Main mode second: Received the main mode second response message. Done to exchange
Send Main mode third message of: Sending the third message of main mode. Done for authentication
Received Main mode third: Received the third message of main mode. Done for authentication
Send Main mode third response message of ISAKMP: Sending the third response message of main mode. Done for authentication.
Received Main mode third response message of ISAKMP: Received the third response message of main mode. Done for authentication.
Received Aggressive mode initial ISAKMP Message: Received the first message of aggressive mode.
Send Aggressive mode first response message of ISAKMP: Sending the first response message of aggressive mode. Done to exchange proposal and key values.
Received Aggressive mode first response message of ISAKMP: Received the first response message of aggressive mode. Done to exchange proposal and key values.
Send Aggressive mode second message of ISAKMP: Sending the second message of aggressive mode. Done to exchange proposal and key values.
Received Aggressive mode: Received the
27. Step 5: Click Save Config to save all changes to flash memory.
D.4 DNS Inbound Fail Over
[Figure: DNS Inbound Fail Over with the built-in DNS server, before and after fail over]
NOTE: Before proceeding, please ensure that both WAN1 and WAN2 are properly configured according to the settings provided by your ISP. If not, please refer to Chapter 4.2.2.1 ISP Settings for details on how to configure your WAN ports.
Step 1: Go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button and configure your fail over policy.
Step 2: Go to Configuration > Dual WAN > Inbound Load Balance. Select the Enable radio
28. Outbound Load Balancing on MH 1000 can be based on one of two methods:
1. Based on session mechanism
2. Based on IP address hash mechanism
Choose one by clicking the corresponding radio button.
Based on session mechanism: The source IP address and destination IP address might go through WAN1 or WAN2 according to policy settings in this mechanism. You can choose this mechanism if the applications the users use will not tell the difference of the WAN IP addresses; some applications in the Internet need to identify the source IP address, e.g. Back Forum.
Balance by Session (Round Robin): Balances session traffic based on a round robin method.
Balance by Session (weight of length capacity): Balances session traffic based on weight of length capacity.
Balance by Session weight: Balances session traffic based on a weight ratio. Enter the desired ratio in the blanks provided.
Balance by Traffic (weight of length capacity): Balances traffic based on weight of link capacity.
Balance by Traffic weight: Balances traffic b
29. a web server, FTP server, Email server or game server, the router can act as a virtual server. You can set up a local server with a specific port number for the service to use, e.g. web/HTTP (port 80), FTP (port 21), Telnet (port 23), SMTP (port 25), or POP3 (port 110). When an incoming access request is received, it will be forwarded to the corresponding internal server.
Click Create to add a new port forwarding rule.
This function allows any incoming data addressed to a range of service port numbers (from the Internet/WAN Port) to be redirected to a particular LAN private/internal IP address. This option gives you the ability to handle applications that use more than one port, such as games and audio/video conferencing.
Application: User-defined application name for the current rule.
Helper: You could also select the application type you would like to apply for automatic input.
Protocol: Please select the protocol type.
External Port: Enter the port number of the service that will be sent to the Internal IP address.
Redirect Port: Enter a new port number for the service that will be sent to the Internal IP address.
Internal IP Address: Enter the LAN server/host IP address that the service request from the Internet will be sent to.
Candidates: You can al
30. alive or not. Check Disable to stop the feature.
Detection Interval: The interval time to check the remote IPSec device. The default is 30 seconds.
Idle Timeout: If the remote VPN device does not respond, MH 1000 will retry to send out the packets. When the frequency reaches the Idle Timeout setting, MH 1000 will disconnect the VPN connection automatically. The range of Idle Timeout can be set within 1 to 10.
Click the Apply button to save your changes.
After you have created the IPSec connection, the account information will be displayed.
Name: This is the user-defined name of the connection.
Enable: This function activates or deactivates the IPSec connection.
Local Subnet: Displays the IP address and subnet of the local network.
Remote Subnet: Displays the IP address and subnet of the remote network.
Remote Gateway: This is the IP address or Domain Name of the remote VPN device that is connected and has an established IPSec tunnel.
IPSec Proposal: This is the selected IPSec security method.
4.4.6.2 PPTP
PPTP is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way to establish secured communication tunnels to an organization's network via the Internet
31. changed and you don't know the current IP address, reset the router to factory defaults by holding the Reset button on the back of your router for 6 seconds. This will reset the router's IP address to 192.168.1
Check to see if your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to ensure that the Java applet is loaded.
Try closing the browser and re-launching it.
Make sure you are using the correct User Name and Password. User Names and Passwords are case-sensitive, so make sure that CAPS LOCK is not on when entering this information.
Try clearing your browser's cache.
1. With Internet Explorer, click Tools > Internet Options.
2. Under the General tab, click Delete Files.
3. Make sure that the Delete All Offline Content checkbox is checked an
32. commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
CE mark Warning
This is a class B device. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE has to be collected separately.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
Customer Service
For information on customer service and support for the Multi-Homing Security Gateway, please r
33. due to other network users using bandwidth-consuming applications like P2P, you'll understand why QoS is such a breakthrough for home users and office users.
PLANET makes itself unique by integrating QoS in its routers for both inbound and outbound traffic. QoS helps users manage bandwidth and effectively prioritize data traffic. It gives you full control over the traffic of any type of data. Employed on DiffServ (Differentiated Services) architecture, data traffic is given priority by the router, ensuring latency-sensitive applications like voice and mission-critical data such as VPN move through the router at lightning speeds, even under heavy load. You can throttle the speed of different types of data passing through the router, limit the speed of unimportant or bandwidth-consuming applications, and even distribute the bandwidth for different groups of users at home or in the office. QoS keeps your Internet connection smooth and responsive.
C.3 What is Quality of Service
QoS employs three different methods for optimizing bandwidth:
Prioritization: Assigns different priority levels for different applications, prioritizing traffic (High, Normal and Low priority settings).
Outbound and Inbound IP Throttling: Controls network traffic and allows you to limit the speed of each application.
DiffServ Technology: Manages priority queues and DSCP tagging through the Internet backbone. Manages traffic among Ethernet, wireless and ADSL interfaces.
34. Step 10: Input the PPTP Server Address and press Next.
Step 11: Please press Finish.
Step 12: Double-click the connection and input the Username and Password that are defined in Planet PPTP Account Settings.
P.S. You can also refer to the Properties > Security page, as below, by default.
35. or password, you can restore your MH 1000 to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink. Please note that doing this will also erase any previous router settings that you have made. The Status LED will remain solid as the device boots. Once the boot sequence is complete, the LED will shut off, indicating that MH 1000 is ready.
3.4.2 LAN and WAN Port Addresses
The default values for LAN and WAN ports are shown below.
Subnet Mask: 255.255.255.0
DHCP server function: Enabled
IP addresses for distribution to PCs: 100 IP addresses continuing from 192.168.1.100 through 192.168.1.199
The DHCP Client is enabled to automatically get the WAN port configuration from the ISP.
3.5 Information from Your ISP
3.5.1 Protocols
Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what kind of service is provided, such as DHCP, Static IP, PPPoE, or PPTP. The following table outlines each of these protocols.
Configure this WAN interface to use the DHCP client protocol to get an IP address from your ISP automatically. Your ISP provides an IP address to the router dynamically when logging in.
Configure this WAN interface with a specific IP address. This IP address should be provided by your ISP.
PPPoE (PPP over Ethernet) is known as a dial-up DSL or cable service. It is designed to integrate the broadband serv
36. power down the router or interrupt the firmware upgrade while it is still in process. Interrupting the firmware upgrade process could damage the router.
4.4.4.4 Backup / Restore
This feature allows you to save and backup your router's current settings, or restore a previously saved backup. This is useful if you wish to experiment with different settings, knowing that you have a backup handy. It is advisable to backup your router's settings before making any significant changes to your router's configuration.
To backup your router's settings, click Backup and select where to save the settings backup file. You may also change the name of the file when saving if you wish to keep multiple backups. Click OK to save the file.
To restore a previously saved backup file, click Browse. You will be prompted to select a file from your PC to restore. Be sure to only restore setting files that have been generated by the Backup function and that were created when using the same firmware version. Settings files saved to your PC sho
37. 4. Check to see that the WAN port is properly connected to the ISP. If a "Connected by (x)" (where x is your connection method) is not shown, your router has not successfully obtained an IP address from your ISP.
If an IP address cannot be obtained:
1. Turn off the power to your cable or DSL modem.
2. Turn off the power to your MH 1000.
3. Wait five minutes and power on your cable or DSL modem.
4. When the modem has finished synchronizing with the ISP (generally shown by LEDs on the modem), turn on the power to your router.
If an IP address still cannot be obtained:
Your ISP may require a login program. Consult your ISP whether they require PPPoE or some other type of login.
If your ISP requires a login, check to see that your User Name and Password are entered correctly.
Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as your PC's host name on the router.
Your ISP may check for your PC's MAC address. Either inform your ISP that you have purchased a new network device, or ask them to use your router's MAC address, or configure your router to spoof your PC's MAC address.
If an IP address can be obtained, but your PC cannot load any web pages from the Internet:
Your PC may not recognize DNS server addresses. Configure your PC manually with DNS addresses.
Your PC may not have the router correctly configured as its TCP/IP gateway.
38. 4.4.8.2 Port Forwarding
4.4.9.3 Device Management
4.5 Save Configuration to Flash
Chapter 5 Troubleshooting
5.1.1 Router Won't Turn On
5.1.3 LAN or Internet Port Not On
39. A bundle will protect, using selectors (IDi and IDr payloads).
The following is an illustration on how data is handled with IKE.
[Figure: Start; Phase 1: Negotiate ISAKMP SA, Mutual Authentication; New IPSec tunnel or Rekeying; Phase 2: Negotiate SAs for AH and ESP; Protected Data Transfer]
Appendix B IPSec Logs and Events
B.1 IPSec Log Event Categories
There are three major categories of IPSec Log Events for your MH 1000. These include:
1. IKE Negotiate Packet Messages
2. Rejected IKE Messages
3. IKE Negotiated Status Messages
The table in the following section lists the different events of each category and provides a detailed explanation of each.
B.2 IPSec Log Event Table
Log Event: Explanation
Send Main mode initial message of ISAKMP: Sending the first initial message of main mode (phase I). Done to exchange encryption algorithm, hash algorithm, and authentication method.
Send Aggressive mode initial: Sending the first message of aggressive mode phase
Received Main mode initial: Received the first message of main mode
Send Main mode first response: Sending the first response message of main mode. Done to exchange
Received Main mode first response message of ISAKMP: Received the first response message of main mode. Done to exchange encryption algorithm, hash algorithm, and authentication method.
40. After Fail Over
Because the dynamic domain name planet.dyndns.org is configured for both WAN1 and WAN2, the active WAN port will announce the domain name through the WAN IP address. The remote gateway will then be able to connect to the VPN through the domain name.
In this Gateway to Gateway example, MH 1000 is communicating to a remote gateway using WAN1 through a secure VPN tunnel. Should WAN1 fail, outbound traffic from MH 1000 will automatically be redirected to WAN2. This process is completely transparent to the remote gateway, as MH 1000 will automatically update the domain name planet.dyndns.org with the WAN2 IP address.
Configuring a Gateway to Multiple Gateway setup with Fail Over is similar, as shown below.
[Figure: Gateway to Multiple Gateway setup using planet.dyndns.org, before and after fail over]
Configuring MH 1000 for Fail Over provides added reliability to your VPN.
2.6.3 Concentrator
The VPN Concentrator provides an easy way for branch offices to connect to headquarter through a VPN tunnel. All branch office traffic will be redirected to the VPN tunnel to headquarter, with the exception of LAN-side traffic. This way, all branch offices can connect to each other through headquarter via the headquarter's fire
41. Configuration > Dual WAN > Outbound Load Balance. Choose the Load Balance mechanism you want and click Apply.
Step 6: Click Save Config to save all changes to flash memory.
D.3 Inbound Fail Over
[Figure: remote access from the Internet to the FTP server (192.168.2.2) and HTTP server (192.168.2.3), before and after fail over]
Configuring your MH 1000 for Inbound Fai
42. Ethernet cable
3. Have TCP/IP installed and configured with an IP address.
The IP address for each PC may be a fixed IP address or one that is obtained from a DHCP server. If using a fixed IP address, it is important to remember that it must be in the same subnet as the router. The default IP address of MH 1000 is 192.168.1.1 with a subnet mask of 255.255.255.0. Using the default configuration, networked PCs must reside in the same subnet and have an IP address in the range of 192.168.1.2 to 192.168.1.254. However, you'll find that the quickest and easiest way to configure the IP addresses for your PCs is to obtain the IP addresses automatically by using the router as a DHCP server.
If you are unable to access the web configuration interface, check to see if you have any software-based firewalls installed on your PCs, as they can cause problems accessing the 192.168.1.1 IP address of MH 1000.
The following sections outline how to set up your PCs for TCP/IP networking. Refer to the applicable section for your PC's operating system.
3.3.1 Overview
Before you begin, make sure that the TCP/IP protocol and a functioning Ethernet network adapter are installed on each of your PCs. The following operating systems already include the necessary software components you need to install TCP/IP on your PCs:
Windows 95/98/Me/NT/2000/XP
Mac OS 7 and later
Any TCP/IP capable workstation c
43. This function allows MH 1000 to send system logs to an external Syslog Server. Syslog is an industry-standard protocol used to capture information about network activity. To enable this function, select the Enable radio button and enter your Syslog server IP address in the Log Server IP Address field. Click Apply to save your changes. To disable this feature, simply select the Disable radio button and click Apply.
4.4.4.8 E-mail Alert
The Email Alert function allows a log of security-related events (such as System Log and IPSec Log) to be sent to a specified email address.
Email Alert: You may enable or disable this function by selecting the appropriate radio button.
Recipient's Email Address: Enter the email address where you wish the alert logs to be sent.
Sender's Email Address: Enter the email address from which the alert logs are to be sent.
SMTP Mail Server: Enter your email account's outgoing mail server. It may be an IP address or a domain name.
Mail Server Login: Some SMTP servers may request users to log in before serving. Select Enable to activate the SMTP server login function, Disable to deactivate.
Username: Input the SMTP server's username.
Password: Input the SMTP server's
44. H 1000's System Log entries. Major events are logged on this window.
[Screenshot: System Log window]
Refresh: Refresh the System Log.
Clear Log: Clear the System Log.
Send Log: Send the System Log to your email account. You can set the email address in Configuration > System > Email Alert. See the Email Alert section for more details.
4.2.9 IPSec Log
This page displays the router's IPSec Log entries. Major events are logged to this window.
[Screenshot: IPSec Log window]
Refresh: Refresh the IPSec Log.
Clear Log: Clear the IPSec Log.
Send Log: Send the IPSec Log to your email account. You can set the email address in Configuration >
45. IKE as a primary support protocol. IKE facilitates and automates the SA setup, and exchanges keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. These keys need to be re-created or refreshed frequently so that the parties can communicate securely with each other. Refreshing keys on a regular basis ensures data confidentiality.
There are two phases to this process. Phase I deals with the negotiation and management of IKE and IPSec parameters. This phase can be carried out in either one of two modes: Main Mode or Aggressive Mode.
Main mode utilizes three message pairs that negotiate IKE parameters, establish a shared secret and derive session keys, and exchange and provide identities, retroactively authenticating the information sent. This method is very secure, but when using the pre-shared key method for authentication, it is possible to use IDs other than the packet's IP addresses.
Aggressive mode reduces this process to three messages, but parameter negotiation is limited, identity protection is lacking except when using public key encryption, and it is more vulnerable to Denial of Service attacks.
Phase II, known as Quick Mode, establishes symmetrical IPSec Security Associations for both AH and ESP. It does this by negotiating IPSec parameters, exchanging nonces to derive session keys from the IKE shared secret, exchanging DH values to generate a new key, and identifying which traffic this S
46. [Figure: remote access from the Internet to the FTP server (192.168.2.2) and HTTP server (192.168.2.3), before and after fail over]
In the above example, an FTP Server (IP 192.168.2.2) and an HTTP Server (IP 192.168.2.3) are connected to the Internet via WAN1 (ftp.planet.com.tw) on MH 1000. A remote computer is trying to access these servers via the Internet. Under normal circumstances, the remote computer will gain access to the network via WAN1. Should WAN1 fail, Inbound Fail Over tells MH 1000 to reroute incoming traffic to WAN2 by using the Dynamic DNS mechanism. Configuring your MH 1000 for Inbound Fail Over provides a more reliable connection for your incoming traffic. Please refer to appendix D for example settings.
2.4.2 Inbound Load Balancing
Inbound Load Balancing allows MH 1000 to intelligently manage inbound traffic based on the amount of load of each WAN connection.
[Figure: remote access from the Internet to the FTP and HTTP servers via www.planet2.com.tw and www.planet3.com.tw]
In the above example, an FTP server (IP 192.168.2.2) and an HTTP server (IP 192.168.2.3) are connected to the Internet via WAN1 (www.planet2.com.tw) and WAN2 (www.planet3.com.tw) on MH 1000. Remote PC
47. Mapping URL list, click Edit. This will open the Host Mapping URL table, which lists the current Host Mapping URLs.
To add a host mapping URL to the list, click Create.
Domain Name: The domain name of the local host.
Host URL: The URL to be mapped.
Private IP Address: The IP address of the local host.
Protocol: You could also select the application type you would like to apply for automatic input.
Port Range: The port range of all incoming packets that are accepted and processed by a local host with the specified private IP address.
Candidates: You can also select the Candidates, which are referred from the ARP table, for automatic input.
Helper: You could also select the application type you would like to apply for automatic input.
Name1: The Alias Host URL.
Name2: The Alias Host URL.
Click Apply to save your changes.
4.4.3.4 Protocol Binding
Protocol Binding lets you direct specific traffic to go out from a specific WAN port. Click the Create button to create a
48. Multi-Homing Security Gateway MH 1000 User's Manual
Copyright
Copyright (C) 2006 PLANET Technology Corp. All rights reserved.
The products and programs described in this User's Manual are licensed products of PLANET Technology. This User's Manual contains proprietary information protected by copyright, and this User's Manual and all accompanying hardware, software, and documentation are copyrighted. No part of this User's Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User's Manual is subject to change without notice and does not represent a
49. [Figure: DNS inbound load balancing for www.mydomain.com; labels include DNS Request, DNS Reply, Built-in DNS, Heavy load on WAN 1 and Heavy load on WAN 2.] Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balance radio button. Step 2: Go to Configuration > Dual WAN > Inbound Load Balance > Server Settings and configure DNS Server 1. Step 3: Go to Configuration > Dual WAN > Inbound Load Balance > Host URL Mapping and configure y
50. [Screenshot: Save Config to Flash] 4.6 Logout: To exit the router's web interface, click Logout. Please ensure that you have saved your configuration settings before you log out. Be aware that the router is restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to log out, the second PC can access the page after a user-defined period (5 minutes by default). You can modify this value using the Advanced > Device Management section of the Web Configuration Interface. Please see the Advanced section of this manual for more information. Chapter 5 Troubleshooting. 5.1 Basic Functionality: This section deals with issues regarding your MH-1000's basic functions. 5.1.1 Router Won't Turn On: If the Power and other LEDs fail to light when your MH-1000 is turned on: Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet. Check that you are using the 12VDC po
51. Password: Enter your password. Retype Password: Retype your password. Login Server: Enter the IP of the Login server provided by your ISP. MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. DNS: If your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. A simpler alternative is to select Quick Start from the main menu. Please see the Quick Start section of this chapter for more information. 4.4.2.2 Bandwidth Settings: Under Bandwidth Settings, you can easily configure both inbound and outbound bandwidth for each WAN port. WAN1: Enter your ISP inbound and outbound bandwidth for WAN1. WAN2: Enter your ISP inbound and outbound bandwidth for WAN2. NOTE: These values entered here are referenced by both QoS
52. Chapter 1 Introduction: PLANET's Multi-Homing Security Gateway MH-1000 integrates cutting-edge technology, including Load Balancing, VPN and Firewall, for central sites to establish an office network and connect with branch offices, remote dial-up users and tele-workers. It is designed for businesses requiring an application-based network solution at low capital investment and caters to the needs of small and medium-sized businesses. Built-in multiple WAN interfaces can prevent your Internet connection from failure and also reduce the risk of a potential shutdown if one of the Internet connections fails. Moreover, it allows you to perform load balancing by distributing the traffic through two WAN connections. In addition to being a multi-homing device, PLANET's Multi-Homing Security Gateway provides a complete security solution in a box. The policy-based firewall, content filtering function and VPN connectivity with 3DES and AES encryption make it a perfect product for your network security. A bandwidth management function is also supported to offer network administrators an easy yet powerful means to allocate network resources based on business priorities and to shape and control bandwidth usage. 1.1 Features. WAN Fail-over: The auto failover feature can be configured for a second connection to ensure redundant
53. TP Server IP provided by your ISP. Connection: Select whether the connection should Always Connect or Trigger on Demand. Always Connect: If you want the router to establish a PPTP session when starting up and to automatically re-establish the PPTP session when disconnected by the ISP. Trigger on Demand: If you want to establish a PPTP session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: Auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on Demand is selected. Click Apply to save your changes. To reset to defaults, click Reset. 4.3.5 Big Pond. Username: Enter your user name. Password: Enter your password. Retype Password: Retype your password. Login Server: Enter the IP of the Login server provided by your ISP. Click Apply to save your changes. To reset to defaults, click Reset. For detailed instructions on configuring WAN settings, please refer to the WAN section of this chapter. 4.4 Configuration: The Configuration menu allows you to set many of the operating paramete
54. Table, which displays the rules currently in effect. Interface: The current traffic type. This can be WAN1 (outbound, inbound) and WAN2 (outbound, inbound). Application: User-defined application name for the current rule. Guaranteed: The guaranteed amount of bandwidth for this rule as a percentage. Maximum: The maximum amount of bandwidth for this rule as a percentage. Priority: The priority assigned to this service. Select a value from 0 to 6, 0 being highest. DSCP Marking: Used to classify traffic. Select from Best Effort, Premium, Gold Service (High, Medium, Low), Silver (H, M, L) and Bronze (H, M, L). Address Type: The type of address this rule applies to. Select IP Address or MAC Address. For IP Address: Source IP Address Range: The range of source IP addresses this rule applies to. Destination IP Address Range: The range of destination IP addresses this rule applies to. Protocol: The type of packet this rule applies to. Choose from Any, TCP, UDP or ICMP. Source Port Range: The range of source ports t
55. YES indicates static ARP table entries added by the user. 4.2.2 Routing Table: The Routing Table displays the current path for transmitted packets. Both static and dynamic routes are displayed. No.: Number of the list. Destination: The IP address of the destination network. Netmask: The destination netmask address. Gateway/Interface: The IP address of the gateway or existing interface that this route will use. Cost: The number of hops counted as the cost of the route. 4.2.3 Session Table: The NAT Session Table displays a list of current sessions for both incoming and outgoing traffic, with protocol type, source IP, source port, destination IP and destination port (each page shows 10 sessions).
56. a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts). Connection Type: There are 5 connection types. 1. LAN to LAN: The MH-1000 establishes an IPSec VPN tunnel with a remote router that uses a fixed Internet IP or domain name, using main mode. Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN gateway. Remote Network: The subnet of the remote network. Allows you to enter an IP address and netmask. Back: Back to the previous page. Next: Go to the next page. 2. LAN to Mobile LAN: The MH-1000 establishes an IPSec VPN tunnel with a remote router that uses a dynamic Internet IP, using aggressive mode.
57. an be used to communicate with or through MH-1000. To configure other types of workstations, please consult the manufacturer's documentation. 3.3.2 Windows XP: 1. Go to Start > Control Panel (in Classic View). In the Control Panel, double-click on Network Connections. 2. Double-click Local Area Connection. 3. In the Local Area Connection Status window, click Properties. 4. Select Internet Protocol (TCP/IP) and click Properties. 5. Select the Obtain an IP address automatically and the Obtain DNS server address automatically radio buttons. 6. Click OK to finish the configuration.
58. 2.3 Outbound Traffic; 2.3.1 Outbound Fail Over; 2.3.2 Outbound Load Balancing; 2.4 Inbound Traffic; 2.4.2 Inbound Load Balancing; 2.5.1 DNS Inbound Fail Over; 2.5.2 DNS Inbound Load Balancing; 2.6 Virtual Private Networking; Chapter 3 Getting Started; 3.1 Overview; 3.2 Before You Begin; 3.3 Configuring PCs for TCP/IP Networking; 3.3.3 Windows 2000; 3.3.5 Windows NT; 3.4 Factory Default; 3.4.1 Username and Password; 3.4.2 LAN and WAN Port Addresses; 3.5 Information from Your ISP; 3.5.2 Web C
59. and Load Balancing functions. 4.4.3 Dual WAN: In this section you can set up the fail over or load balance function, the outbound load balance or inbound load balance function, or bind a specific protocol to a specific WAN port. This menu contains the following sections: General Settings, Outbound Load Balance, Inbound Load Balance and Protocol Binding. 4.4.3.1 General Settings. Mode: You can select Load Balance or Fail Over. Service Detection: Enables or disables the service detection feature. For fail over, the service detection function is enabled. For load balance, the user is able to enable or disable it. Connectivity Decision: Establishes the number of times probing the connection has to fail before the connection is judged as failed. Probe Cycle: The number of seconds between each probe. Probe WAN1: Determines if WAN1 is a gateway or host. If host is selected, please enter the IP address. Probe WAN2: Determines if WAN2 is a gateway or host. If host is selected, please enter the IP address. Fail back to WAN1 when possible: Enables or disables fail back to WAN1. This function only applies to fail over. Click Apply to save your changes. 4.4.3.2 Outbound Load Balance
60. 2.3 Outbound Traffic: This section outlines some of the ways you can use MH-1000 to manage outbound traffic. 2.3.1 Outbound Fail Over: Configuring MH-1000 for Outbound Fail Over allows you to ensure that outgoing traffic is uninterrupted. [Figure: Outbound fail over with two Internet connections.] In the above example, PC 1 (IP 192.168.2.2) and PC 2 (IP 192.168.2.3) are connected to the Internet via WAN1 (IP 230.100.100.1) on MH-1000. Should WAN1 fail, Outbound Fail Over tells MH-1000 to reroute outgoing traffic to WAN2 (IP 213.10.10.2). Configuring your MH-1000 for Outbound Fail Over provides a more reliable connection for your outgoing traffic. Please refer to appendix D for example settings. 2.3.2 Outbound Load Balancing: Outbound Load Balancing allows MH-1000 to intelligently manage outbound traffic based on the amount of load of each WAN connection.
61. ased on a traffic weight ratio. Enter the desired ratio into the blanks provided. Based on IP hash mechanism: Traffic for a given source IP address and destination IP address will go through a specific WAN port (WAN1 or WAN2) according to the policy settings in this mechanism. This ensures that applications which authenticate the source IP address continue to work. Balance by weight of link capacity: Uses an IP hash to balance traffic based on the weight of link bandwidth capacity. Balance by weight: Uses an IP hash to balance traffic based on a ratio. Enter the desired ratio into the blanks provided. Click Apply to save your changes. 4.4.3.3 Inbound Load Balance. Function: Used to enable or disable inbound load balancing. DNS Server 1: DNS Server 1 settings, including Host URL mappings. DNS Server 2: DNS Server 2 settings, including Host URL mappings. To edit server settings, click Edit. The following example illustrates DNS Server 1 settings; DNS Server 2 settings follow a similar procedure.
62. at the ISP is in service or not (3 by default). Next, input the duration of the probe cycle (30 sec by default) and choose the way WAN ports are probed. Please ensure the WAN ports are functioning by performing a ping operation on each before proceeding. Finally, choose whether or not MH-1000 should fail back to WAN1. Step 4: Click Save Config to save all changes to flash memory. D.2 Outbound Load Balancing: [Figure: Outbound load balancing across two WAN connections.] With Outbound Load Balancing, you can improve upload performance by optimizing your connection via Dual WAN. To do this, follow these steps. Step 1: Go to Configuration > WAN > ISP Settings. Configure your WAN1 ISP settings and click Apply. Step 4: Go to
63. ault settings by holding the Reset button on the back of your router until the Status LED begins to blink. Then enter the default User Name and Password to access your router. 5.2 LAN Interface: Refer to this section for issues relating to MH-1000's LAN Interface. 5.2.1 Can't Access MH-1000 from the LAN: If there is no response from MH-1000 from the LAN: Check your Ethernet cable types and each connection. Make sure the computer's Ethernet adapter is installed and functioning properly. If the error persists, you may have a hardware problem and should contact technical support. 5.2.2 Can't Ping Any PC on the LAN: If PCs connected to the LAN cannot be pinged: Check the 10/100 LAN LEDs on MH-1000's front panel. One of these LEDs should be on. If they are both off, check the cables between MH-1000 and the hub or PC. Check that the corresponding LAN LEDs on your PC's Ethernet device are on. Make sure that driver software for your PC's Ethernet adapter and TCP/IP software is correctly installed and configured on your PC. Verify that the IP address and the subnet mask of MH-1000 and the computers are on the same subnet. 5.2.3 Can't Access Web Configuration Interface: If you are having trouble accessing MH-1000's Web Configuration Interface from a PC connected to the network: Check the connection between the PC and the router. Make sure your PC's IP address is on the same subnet as the router. If your MH-1000's IP address has
64. button and configure DNS Server 1 by clicking Edit. Step 4: Configure your Host URL Mapping for DNS Server 1 by clicking Edit to enter the Host URL Mappings List. Click Create, input the settings for Host URL Mappings and click New. Step 5: Click Save Config to save all changes to flash memory. D.5 DNS Inbound Load Balancing: [Figure: DNS inbound load balancing for www.mydomain.com; labels include Authoritative Domain Name Server, DNS Request, DNS Reply, WAN 1, WAN 2 and Built-in DNS.]
65. connectivity when the primary line fails. Load Balancing: MH-1000 provides the ability to balance the workload by distributing incoming traffic across the two connections. DNS inbound load balance: The MH-1000 can be configured to reply with the WAN2 IP address to DNS domain name requests if WAN1 fails. VPN Connectivity: The security gateway supports PPTP and IPSec VPN. With DES, 3DES and AES encryption and SHA-1/MD5 authentication, the network traffic over the public Internet is secured. PPTP Server: The MH-1000 also provides a PPTP server feature; a remote user can connect to the MH-1000 PPTP server without complex settings and access LAN resources. Content Filtering: The security gateway can block network connections based on URLs and scripts (pop-ups, Java applets, cookies and ActiveX). SPI Firewall: Built-in Stateful Packet Inspection (SPI) can determine if a data packet is allowed through the firewall to the private LAN. Denial of Service (DoS): The MH-1000 protects against DoS attacks by hackers, allowing the private LAN to connect securely to the Internet. Quality of Service (QoS): Network packets can be classified based on IP address and TCP/UDP port number and given guaranteed and maximum bandwidth with three levels of priority. Dynamic Domain Name Service (DDNS): The Dynamic DNS service allows users to alias a dynamic IP address to a static hostname. 1.2 Package Content
66. ct or Trigger on Demand. Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP. Trigger on Demand: If you want to establish a PPPoE session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet). Idle Time: Auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on Demand is selected. IP Assigned by your ISP: If your IP is dynamically assigned by your ISP, select the Dynamic radio button. If your ISP assigns a static IP address, select the Static radio button and input your IP address in the blank provided. MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. DNS: If your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.4 PPTP Settings
67. Enter a name for the IP Address and then enter the IP address itself. Click Apply to save your changes. The IP address will be entered into the Exception List and excluded from the URL filtering rules in effect. 4.4.5.3 LAN MAC Filter: LAN MAC Filter determines, by MAC address, whether or not MH-1000 will serve a device on the LAN side. Default Rule: Forward or Drop all LAN requests (Forward by default). Create: You can also specify a MAC address to be dropped or forwarded regardless of the default rule. Rule: Enable or disable this entry. Action When Matched: Select to Drop or Forward the packet specified in this filter entry. MAC Address: The MAC address you would like to apply. Candidates: You can also select the Candidates, which are taken from the ARP table, for automatic input. 4.4.5.4 Block WAN Request: Blocking WAN requests is one way to prevent DDoS attacks by preventing ping requests from the Internet. Use this menu to enable or disable the function.
68. d click OK. 4. Click OK under Internet Options to close the dialogue. In Windows, type arp -d at the command prompt to clear your computer's ARP table. 5.2.3.1 Pop-up Windows: To use the Web Configuration Interface, you need to disable pop-up blocking. You can either disable pop-up blocking, which is enabled by default in Windows XP Service Pack 2, or create an exception for your MH-1000's IP address. Disabling All Pop-ups: In Internet Explorer, select Tools > Pop-up Blocker and select Turn Off Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab of the Internet Options dialogue. 1. In Internet Explorer, select Tools > Internet Options. 2. Under the Privacy tab, clear the Block pop-ups checkbox and click Apply to save your changes. Enabling Pop-up Blockers with Exceptions: If you only want to allow pop-up windows with your MH-1000: 1. In Internet Explorer, select Tools > Internet Options. 2. Under the Privacy tab, click Settings to open the Pop-up Blocker Settings dialogue. 3. Enter the IP address of your router. 4. Click Add to add the IP address to the list of Allowed sites. 5. Click Close to return to the Privacy tab of the Interne
69. degrees of security and speed of negotiation. Main Mode: Uses the automated Internet Key Exchange (IKE) setup; most secure method, with the highest level of security. Aggressive Mode: Uses the automated Internet Key Exchange (IKE) setup; mid-level security. Speed is faster than Main mode. Manual Key: Standard level of security. It is the fastest of the three methods. Method: There are two methods of checking the authentication information: AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security, so that data will be encrypted and authenticated. With AH, data will be authenticated but not encrypted. Encryption Protocol: Select the encryption method from the pull-down menu. There are several options: DES, 3DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency. DES: Stands for Data Encryption Standard. It uses a 56-bit encryption method. 3DES: Stands for Triple Data Encryption Standard. It uses a 168-bit encryption method. AES: Stands for Advanced Encryption Standard. You can use 128, 192 or 256 bits as the encryption method. Authentication Protocol: Authentication establishes data integrity and ensures it is not tampered with while in transit. There are two options: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1). While slower, SHA1 is more resistant to brute-force attacks than MD5. MD5: A one-way hashing algo
70. Name: The name you assigned to the particular PPTP entry. Enable: Whether the PPTP connection is currently Enable or Disable. Status: Whether the PPTP is Active, Inactive or Disable. Type: Whether the connection type is Remote Access or LAN to LAN. Peer Network: The remote subnet, for LAN to LAN as the connection type. Connect by: The remote address when connected. Action: Manually drop the tunnel. 4.2.7 Traffic Statistic: The Traffic Statistics window displays both sent and received data in Bytes/sec over a one-hour duration. The line in red represents WAN1, while the line in blue represents WAN2. WAN1: Transmitted (Tx) and Received (Rx) bytes and packets for WAN1. WAN2: Transmitted (Tx) and Received (Rx) bytes and packets for WAN2. Display: Allows you to change the units of measurement for the traffic graph. 4.2.8 System Log: This window displays M
71. ect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on Demand is selected. IP Assigned by your ISP: If your IP is dynamically assigned by your ISP, select the Dynamic radio button. If your ISP assigns a static IP address, select the Static radio button. This will take you to another page for inputting the IP address information. MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below. DNS: If your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS. RIP: To activate RIP, select Send, Receive or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu. MTU: Enter the Maximum Transmission Unit (MTU) for your network. Click Apply to save your changes. To reset to defaults, click Reset. 4.4.2.1.5 Big Pond Settings. Username: Enter your user name
72. End IP Address: Enter the End source IP address this filter rule is to be applied to (for IP Range only). Netmask: Enter the subnet mask of the above IP address. Destination IP: Select Any, Subnet, IP Range or Single Address. Starting IP Address: Enter the destination IP or starting destination IP address this filter rule is to be applied to. End IP Address: Enter the End destination IP address this filter rule is to be applied to (for IP Range only). Netmask: Enter the subnet mask of the above IP address. Protocol: Select the Transport protocol type (Any, TCP, UDP). Source Port Range: Enter the source port number range. If you only want to specify one service port, then enter the same port number in both boxes. Destination Port Range: Enter the destination port number range. If you only want to specify one service port, then enter the same port number in both boxes. Helper: You could also select the application type you would like to apply for automatic input. 4.4.5.2 URL Filter: The URL Filter is a powerful tool that can be used to limi
73. efer to the following Website URL: http://www.planet.com.tw. Before contacting customer service, please take a moment to gather the following information: the Multi-Homing Security Gateway serial number and MAC address; any error messages that displayed when the problem occurred; any software running when the problem occurred; steps you took to resolve the problem on your own. Revision: User's Manual for PLANET Multi-Homing Security Gateway. Model: MH-1000. Rev: 1.0 (February 2006). Table of Contents: Chapter 1 Introduction; 1.2 Package Contents; Front View; Rear Panel; Chapter 2 Router Application; 2.1 Overview; 2.2 Bandwidth Management with QoS; 2.2.1 Transparent Mode Connection Example; 2.2.2 QoS Policies for Different Applications; 2.2.3 Guaranteed / Maximum Bandwidth; 2.2.4 Policy Based Traffic Shaping; 2.2.5 Priority Bandwidth; 2.2.6 Management by IP or MAC address
74. [Screenshot: Packet Filter table] The Packet Filter function is used to limit user access to certain sites on the Internet or LAN. The Filter Table displays all current filter rules. If there is an entry in the Filter Table, you can click Edit to modify the setting of this entry, click Delete to remove this entry, or click Move to change this entry's priority. The higher an entry sits in the table, the higher its priority. To create a new filter rule, click Create. [Screenshot: Packet Filter rule creation page] ID: This is an identifier that allows you to move the rule before or after another ID. Rule: Enable or Disable this entry. Action When Matched: Select to Drop or Forward the packet specified in this filter entry. Direction: Incoming Packet Filter rules prevent unauthorized computers or applications accessing your local network from the Internet. Outgoing Packet Filter rules prevent unauthorized computers or applications accessing the Internet. Select whether the new filter rule is incoming or outgoing. Source IP: Select Any, Subnet, IP Range, or Single Address. Starting IP Address: Enter the source IP or starting source IP address this filter rule is to be applied to.
75. [Screenshot: IPSec policy settings, including Perfect Forward Secure, Pre-Shared Key, IKE Life Time, Key Life Time, NetBIOS Broadcast and DPD Setting] Step 3: Go to Configuration > VPN > IPSec > IPSec Policy and configure the connection from MH-1000 A (Branch A) to MH-1000 C. [Screenshot: IPSec Create page for this connection] Step 4: Go to C
76. [Screenshot: Status page with LAN, WAN1 and WAN2 information] 4.2.1 ARP Table. The Address Resolution Protocol (ARP) Table shows the mapping of Internet (IP) addresses to Ethernet (MAC) addresses. This is a quick way to determine the MAC address of your PC's network interface to use with the router's Firewall MAC Address Filter function. See the Firewall section of this chapter for more information on this feature. [Screenshot: ARP Table] No.: Number of the list. IP Address: A list of IP addresses of devices on your LAN. MAC Address: The Media Access Control (MAC) addresses for each device on your LAN. Interface: The interface name on the router that this IP address connects to. Static: Static status of the ARP table entry. NO indicates dynamically generated ARP table entries
77. erver IP Address and click Apply. After connecting to the Internet, MH-1000 will retrieve the correct local time from the NTP server you have specified. Your ISP may provide an NTP server for you to use. To have MH-1000 automatically adjust for Daylight Savings Time, check the Automatic checkbox. 4.4.4.2 Remote Access [Screenshot: Remote Access page, with Enable/Disable and Allow Remote Access By options] To allow remote users to configure and manage MH-1000 through the Internet, select the Enable radio button. To deactivate remote access, select the Disable radio button. This function also enables you to grant access from any PC or from a specific IP address. Click Apply to save your settings. NOTE: When enabling remote access, be sure to change the default administration password for security reasons. 4.4.4.3 Firmware Upgrade [Screenshot: Firmware Upgrade page] Upgrading your MH-1000's firmware is a quick and easy way to enjoy increased functionality and better reliability, and to ensure trouble-free operation. To upgrade your firmware, simply visit PLANET's website (http://www.planet.com.tw) and download the latest firmware image file for MH-1000. Next, click Browse and select the newly downloaded firmware file. Click Upgrade to complete the update. NOTE: DO NOT
78. es two major modes. Tunnel Mode: This mode is used for host to host security. Protection extends to the payload of IP data, and the IP addresses of the hosts must be public IP addresses. [Figure: two hosts with public IP addresses communicating across the Internet] Transport Mode: This mode is used to provide data security between two networks. It provides protection for the entire IP packet and is sent by adding an outer IP header corresponding to the two tunnel end points. Since tunnel mode hides the original IP header, it provides security of the networks with private IP address space. [Figure: two private networks connected through their ISPs across the Internet] A.2.3 Tunnel Mode AH. AH is typically applied to a data packet in the following manner. [Figure: original packet and packet with IPSec Authentication Header, showing the authenticated portion] A.2.4 Tunnel Mode ESP. Here is an example of a packet with ESP applied. [Figure: original packet and packet with IPSec Encapsulating Security Payload, showing the encrypted and authenticated portions] A.2.5 Internet Key Exchange (IKE). Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a secret key that the security protocols themselves will use. To do this, IPSec uses Internet Key Exchange
79. [Screenshot: DHCP Table] No.: Number of the list. IP Address: A list of IP addresses of devices on your LAN. Device Name: The host name (computer name) of the client. MAC Address: The MAC address of the client. Lease Time: The time at which the lease on the IP address expires. 4.2.5 IPSec Status. The IPSec Status window displays the status of the IPSec Tunnels that are currently configured on your MH-1000. [Screenshot: IPSec Status page] Name: The name you assigned to the particular IPSec entry. Enable: Whether the IPSec connection is currently Enabled or Disabled. Status: Whether the IPSec is Active, Inactive or Disabled. Local Subnet: The local IP address or subnet used. Remote Subnet: The subnet of the remote site. Remote Gateway: The remote gateway IP address. SA: The Security Association for this IPSec entry. Action: Manually connect or drop the tunnel. 4.2.6 PPTP Status. The PPTP Status window displays the status of the PPTP Tunnels that are currently configured on your MH-1000. [Screenshot: PPTP Status page]
80. given for the Web Configuration Interface to display properly. 1. In Internet Explorer, click Tools > Internet Options. 2. Under the Security tab, click Custom Level. [Screenshots: Internet Options Security tab and Security Settings dialog showing Microsoft VM Java permissions] 3. Under Microsoft VM, make sure that a safety level for Java permissions is selected. 4. Click OK to close the dialogue. NOTE: If Java from Sun Microsystems is installed, scroll down to Java (Sun) and ensure that the checkbox is filled. 5.3 WAN Interface. If you are having problems with the WAN Interface, refer to the tips below. 5.3.1 Can't Get WAN IP Address from the ISP. If the WAN IP addres
81. he network administrator can define and classify important packets, specify a minimum guaranteed rate for each application, and ensure that important packets have priority to ensure a good quality of broadband connection for the entire organization. [Figure: upload and download priority example] Appendix D Router Setup Examples. D.1 Outbound Fail Over. Step 1: Go to Configuration > WAN > ISP Settings. Select WAN1 and WAN2 and click Edit. [Screenshot: ISP Settings page] Step 2: Configure WAN1 and WAN2 according to the information given by your ISP. [Screenshots: WAN1 and WAN2 Static IP Settings pages] Step 3: Go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button. Under Connectivity Decision, input the number of times MH-1000 should probe the WAN before deciding th
82. his rule applies to. Destination Port Range: The range of destination ports this rule applies to. Helper: You can also select the application type you would like to apply for automatic input. Click Apply to save your changes. [Screenshot: Quality of Service Add QoS Rule page with Address Type set to MAC Address] For MAC Address: Source MAC Address: The source MAC address of the device this rule applies to. Candidates: You can also select the Candidates, which are referred from the ARP table, for automatic input. Protocol: The type of packet this rule applies to. Choose from Any, TCP, UDP, or ICMP. Source Port Range: The range of source ports this rule applies to. Destination Port Range: The range of destination ports this rule applies to. Helper: You can also select the application type you would like to apply for automatic input. 4.4.8 Virtual Server. In TCP/IP and UDP networks, a port is a 16-bit number used to identify which application program (usually a server) incoming connections should be delivered to. Some ports have numbers that are pre-assigned to them by the Internet Assigned Numbers Authority (IANA), and these are refe
83. hree different VPN scenarios. The first is a Gateway to Gateway setup, where two remote gateways communicate over the Internet via a secure tunnel. [Figure: Gateway to Gateway VPN with a secure tunnel between two gateways] The next type of VPN setup is the Gateway to Multiple Gateway setup, where one gateway (Headquarters) is communicating with multiple gateways (Branch Offices) over the Internet. As with all VPNs, data is kept secure with secure tunnels. [Figure: Gateway to Multiple Gateway VPN] The final type of VPN setup is the Client to Gateway. A good example of where this can be applied is when a remote sales person accesses the corporate network over a secure VPN tunnel. [Figure: Client to Gateway VPN] VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to stay connected. One of the most important steps in setting up a VPN is proper planning. The following sections demonstrate the various ways of using MH-1000 to set up your VPN. 2.6.2 VPN Planning: Fail Over. Configuring your VPN with Fail Over allows MH-1000 to automatically default to WAN2 should WAN1 fail. [Figures: VPN connection before and after Fail Over]
84. ice (QoS) and both Inbound and Outbound Load Balancing. Alternatively, MH-1000 can also be set to redirect incoming and outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability. 2.2 Bandwidth Management with QoS. Quality of Service (QoS) gives you full control over which types of outgoing data traffic should be given priority by the router. By doing so, the router can ensure that latency-sensitive applications like voice, bandwidth-consuming data like gaming packets, or even mission critical files efficiently move through the router even under a heavy load. You can throttle the speed at which different types of outgoing data pass through the router. In addition, you can simply change the priority of different types of upload data and let the router sort out the actual speeds. 2.2.1 Transparent Mode Connection Example. QoS generally involves the prioritization of network traffic. QoS is comprised of three major components: Classifier, Meter, and Scheduler. Each of these components has a distinct role in ensuring that incoming and outgoing data is managed according to user specifications. The Classifier analyses incoming packets and marks each one according to configured parameters. The Meter communicates the drop priority to the Scheduler and measures the temporal priorities of the output stream against configured parameters. Finally, the Scheduler schedules each packet for transmission based o
85. ices into the current widely deployed, easy-to-use, and low-cost dial-up access networking infrastructure. PPTP: If your ISP provides a PPTP connection, you can use the PPTP protocol to establish a connection to your ISP. Big Pond: The Big Pond login for Telstra cable in Australia. If your account uses PPP over Ethernet (PPPoE), you will need to enter your login name and password when configuring your MH-1000. After the network and firewall are configured, MH-1000 will log in automatically, and you will no longer need to run the login program from your PC. 3.5.2 Web Configuration Interface. MH-1000 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.1, and click Go. A user name and password window prompt will appear. Enter your user name and password (the default user name and password are admin and admin) to access the Web Configuration Interface. [Screenshot: login prompt for 192.168.1.1 (WebAdmin)] If the Web Configuration Interface appears, congratulations! You are now ready to configure your MH-1000. If you are having trouble accessing the interface, please refer to Chapter 5 Troubleshooting for possible resolutions.
86. [Screenshot: Configuration Summary page] After your configuration is done, you will see a Configuration Summary. Back: Back to the previous page. Done: Click Done to apply the rule. 4.4.6.1.2 IPSec Policy [Screenshot: IPSec Policy table] Click Create to create a new IPSec VPN connection account. Configuring a New VPN Connection [Screenshot: IPSec Create page] Connection Name: A user-defined name for the connection. Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel. Interface: Select the interface the IPSec tunnel will apply to. WAN1: Select interface WAN1. WAN2: Select interface WAN2. Auto: The device will automatically apply the tunnel to WAN1 or WAN2 depe
87. [Figure: DNS request and reply, and HTTP request and reply, between the client, MH-1000 and the HTTP server] In the example above, the client is making a DNS request. 1. The request is sent to the DNS server of MH-1000 through WAN2. 2. WAN2 will route this request to the embedded DNS server of MH-1000. 3. MH-1000 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request with. 4. After the decision is made, MH-1000 will route the DNS reply to the user through WAN2. 5. The user will receive the DNS reply with the IP address of WAN1. 6. The browser will initiate an HTTP request to the WAN1 IP address. 7. The HTTP request will be sent to MH-1000's URL Host Map. 8. The Host Map will then redirect the HTTP request to the HTTP server. 9. The HTTP server will reply. 10. The URL Host Map will route the packet through WAN1 to the user. 11. Finally, the client will receive an HTTP reply packet. 2.6 Virtual Private Networking. A Virtual Private Network (VPN) enables you to send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. As such, it is perfect for connecting branch offices to headquarters across the Internet in a secure fashion. The following section discusses Virtual Private Networking with MH-1000. 2.6.1 General VPN Setup. There are typically t
88. l Over is a great way to ensure a more reliable connection for incoming requests. [Figure: remote access from the Internet to planetest.dyndns.org before and after Fail Over] To do so, follow these steps. NOTE: Before you begin, ensure that both WAN1 and WAN2 have been properly configured. See Chapter 4 Router Configuration for more details. Step 1: From the Web Configuration Interface, go to Configuration > Dual WAN > General Settings. Select the Fail Over radio button. [Screenshot: Dual WAN General Setting page] Step 2: Configure Fail Over options if necessary. [Screenshots: Fail Over options and Dynamic DNS settings pages] Step 4: From the same menu, set the WAN2 DDNS settings.
89. Step 3: Go to Configuration > VPN > IPSec > IPSec Policy. Click Create to configure VPN settings. [Screenshot: IPSec Create page] Step 4: Click Save Config to save all changes to flash memory. To configure another MH-1000 gateway, refer to the screenshot below. [Screenshot: IPSec settings page of the second MH-1000]
90. lance. Choose your load balance policy and click Apply to apply your changes. If you selected Based on session mechanism as your policy, the source IP address and destination IP address may go through WAN1 or WAN2 depending on policy settings. If you selected Based on IP hash mechanism as your policy, the source IP address and destination IP address will go through a specific WAN port according to the IP hash algorithm. [Screenshot: load balance policy options, grouped under Based on session mechanism and Based on IP address hash mechanism] Step 4: Go to Configuration > Advanced > Dynamic DNS and input the dynamic DNS settings for WAN1 and WAN2. [Screenshots: Dynamic DNS settings table and the WAN1 settings page]
91. System > Email Alert. See the Email Alert section for more details. Please refer to Appendix F IPSec Log Events for more information on log events. 4.3 Quick Start. The Quick Start menu allows you to quickly configure your network for Internet access using the most basic settings. Connection Method: Select your router's connection to the Internet. Selections include Obtain an IP Address Automatically, Static IP Settings, PPPoE Settings, PPTP Settings, and Big Pond Settings. 4.3.1 DHCP. The following is information regarding your ISP that you will need to enter in order to properly configure your Internet connection. If you select Obtain an IP Address Automatically, these will be automatically set for you, provided that your ISP dynamically assigns an IP address. [Screenshots: Quick Start WAN1 DHCP page and Quick Start WAN1 Static IP Settings page] IP assigned by your ISP: Enter the assigned IP address from your ISP. IP Subnet Mask: Enter your IP subnet mask. ISP Gateway Address: Enter your ISP gateway address. Primary DNS: Enter your primary DNS. Secondary DNS: Enter your secondary DNS. Click Apply to save your cha
92. n IP Range. All Destination IP: Click it to specify all source IPs. Specified Destination IP: Click to specify a specific destination IP address and Destination IP Netmask. Destination IP Address: If Specified Destination IP was chosen, here is where the IP can be entered. Destination IP Netmask: If Specified Destination IP was chosen, here is where the subnet mask can be entered. Protocol: The particular protocol of Internet traffic for the specified policy. Choose from TCP, UDP, or Any. Port Range: The range of ports for the specified policy. If you only want to use one port, enter the same value in both boxes. Click Apply to save your changes. 4.4.4 System. The System menu allows you to adjust a variety of basic router settings, upgrade firmware, set up remote access, and more. In this menu are the following sections: Time Zone, Remote Access, Firmware Upgrade, Backup / Restore, Restart, Password, System Log, and Email Alert. [Screenshot: Time Zone page] MH-1000 does not use an onboard real-time clock; instead, it uses the Network Time Protocol (NTP) to acquire the current time from an NTP server outside your network. Simply choose your local time zone, enter NTP S
93. n information from both the Classifier and the Meter. [Figure: QoS Scheduler handling inbound and outbound traffic on the WAN ports] 2.2.2 QoS Policies for Different Applications. By setting different QoS policies according to the applications you are running, you can use MH-1000 to optimize the bandwidth that is being used on your network. [Figure: example network including VoIP and a Restricted PC] As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latencies to function properly. If bandwidth is being used by other applications such as an FTP server, users using VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this network has assigned VoIP a guaranteed bandwidth and higher priority to ensure smooth communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make sure that regular service to both VoIP and normal Internet applications is uninterrupted. 2.2.3 Guaranteed / Maximum Bandwidth. Setting a Guaranteed Bandwidth ensures that a particular service receives a minimum percentage of bandwidth. For example, you can configure MH-1000 to reserve 10% of the available bandwidth for a particular computer on the network to transfer files. Alternatively, you can set a Maximum Bandwidth to restrict a par
94. nd press Next. [Screenshot: New Connection Wizard, Network Connection Type, with the options Connect to the Internet, Connect to the network at my workplace, Set up a home or small office network, and Set up an advanced connection] Step 8: Select Virtual Private Network connection and press Next. [Screenshot: New Connection Wizard, Network Connection, with the options Dial-up connection and Virtual Private Network connection] Step 9: Input the user-defined name for this connection and press Next. [Screenshot: New Connection Wizard, Connection Name]
95. nding on which WAN interface is active when the IPSec tunnel is being established. Note: Auto only applies to Fail Over mode. For Load Balance mode, please do not select Auto. In Load Balance mode, Auto will be forced to the WAN1 interface if Auto is selected. Local: This section configures the local host. ID: This is the identity type of the local router or host. Choose from the following four options. WAN IP Address: Automatically use the current WAN address as ID. IP Address: Use an IP address format. FQDN (DNS): Fully Qualified Domain Name. Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN; WWW is the host name and VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN. FQUN (E-Mail): Fully Qualified User Name. Consists of a username and its domain name. For example, user@vpn.com is a FQUN; user is the username and vpn.com is the domain name. Data: Enter the ID data using the specific ID type. Network: Set the IP address, IP range, subnet, or address range of the local network. Any Local Address: Will enable any local address on the network. Subnet: The subnet of the local network. Selecting this option enables you to enter an IP address and netmask. IP Range: The IP range of the local network. Single Address: The IP address of the local host. Remote: This section c
96. network. Decide whether you are going to use one or both WAN ports. For one WAN port, you may need a fully qualified domain name, either for convenience or if you have a dynamic IP address. If you are going to use both WAN ports, determine whether you are going to use them in fail over mode for increased network reliability or load balancing mode for maximum bandwidth efficiency. See Chapter 2 Router Applications for more information. 2. Set up your accounts. Have access to the Internet and locate the Internet Service Provider (ISP) configuration information. Each MH-1000 WAN port must be configured separately, whether you are using a separate ISP for each WAN port or are having the traffic of both WAN ports routed through the same ISP. 3. Determine your network management approach. MH-1000 is capable of remote management. However, this feature is not active by default. If you reset the device, remote administration must be enabled again. If you decide to manage your network remotely, be sure to change the default password for security reasons. 4. Prepare to physically connect MH-1000 to Cable or DSL modems and a computer. 3.3 Configuring PCs for TCP/IP Networking. In order for your networked PCs to communicate with your router, they must have the following characteristics: 1. Have a properly installed and functioning Ethernet Network Interface Card (NIC). 2. Be connected to MH-1000, either directly or through an external repeater hub, via an
97. new policy entry. Policies entered tell specific types of Internet traffic from a particular range of IPs to go to a particular range of IPs with ONE WAN port, rather than using both of the WAN ports with load balancing. NOTE: If any policies are added in the Protocol Binding section, please note that they take precedence over the settings that are already configured in the Load Balance Setting section. [Screenshot: Protocol Binding table] The Protocol Binding Table lists any protocol binding that has been configured. To add a new binding, click Create. [Screenshot: Protocol Binding creation page] Interface: Choose which WAN port to use (WAN1, WAN2). Source IP Range: All Source IP: Click it to specify all source IPs. Specified Source IP: Click to specify a specific source IP address and source IP netmask. Source IP Address: If Specified Source IP was chosen, here is where the IP can be entered. Source IP Netmask: If Specified Source IP was chosen, here is where the subnet mask can be entered. Destinatio
98. ng PPTP function
[Screenshots: PPTP function settings and PPTP account settings]
Step 4: Click Save Config to save all changes to flash memory.
Step 5: In another MH 1000 as Client, go to Configuration > WAN > ISP Settings.
[Screenshot: WAN1 PPTP connection settings]
Step 6: Click Apply and Save Config.
99. ng on the connection method selected.
4.4.2.1.1 DHCP
[Screenshot: WAN DHCP settings]
Host Name: Some ISPs authenticate logins using this field.
MAC Address: If your ISP requires you to input a WAN Ethernet MAC, check the checkbox and enter your MAC address in the blanks below.
DNS: If your ISP requires you to manually set up DNS settings, check the checkbox and enter your primary and secondary DNS.
RIP: To activate RIP, select Send, Receive, or Both from the drop-down menu. To disable RIP, select Disable from the drop-down menu.
MTU: Enter the Maximum Transmission Unit (MTU) for your network.
Click Apply to save your changes. To reset to defaults, click Reset.
4.4.2.1.2 Static IP
[Screenshot: WAN1 Static IP settings]
IP assigned by your ISP: Enter the static IP assigned by your ISP
100. ng requests
[Diagram: DNS Inbound Load Balancing. An authoritative domain name server, the built-in DNS of MH 1000, an FTP server (192.168.2.2) and an HTTP server (192.168.2.3), with WAN ports 200.200.200.1 and 100.100.100.1; DNS requests for www.mydomain.com are answered while one WAN port is under heavy load]
In the above example, an FTP server (IP 192.168.2.2) and an HTTP server (IP 192.168.2.3) are connected to the Internet via WAN1 (IP 200.200.200.1) and WAN2 (IP 100.100.100.1) on MH 1000. Remote PCs are attempting to access the servers via the Internet by making a DNS request (entering a URL, www.mydomain.com). Using a load balancing algorithm, MH 1000 can direct incoming requests to either WAN port based on the amount of load each WAN port is currently experiencing. If WAN2 is experiencing a heavy load, MH 1000 responds to incoming DNS requests with WAN1. By balancing the load between WAN1 and WAN2, your MH 1000 can ensure that inbound traffic is efficiently handled, making sure that both ports are equally sharing the load and preventing situations where service is slow because one port is completely saturated by inbound traffic. Please refer to appendix D for example settings.
A typical scenario of how traffic is directed with DNS Inbound Load Balancing is illustrated below.
101. nges. To reset to defaults, click Reset.
4.3.3 PPPoE
[Screenshot: PPPoE settings]
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
Connection: Select whether the connection should Always Connect or Trigger on Demand.
Always Connect: If you want the router to establish a PPPoE session when starting up and to automatically re-establish the PPPoE session when disconnected by the ISP.
Trigger on Demand: If you want to establish a PPPoE session only when there is a packet requesting access to the Internet (i.e. when a program on your computer attempts to access the Internet).
Idle Time: Auto-disconnect the router when there is no activity on the line for a predetermined period of time. Select the idle time from the drop-down menu. Active if Trigger on Demand is selected.
Click Apply to save your changes. To reset to defaults, click Reset.
4.3.4 PPTP
[Screenshot: PPTP settings]
Username: Enter your user name.
Password: Enter your password.
Retype Password: Retype your password.
PPTP Client IP: Enter the PPTP Client IP provided by your ISP.
PPTP Client IP Netmask: Enter the PPTP Client IP Netmask provided by your ISP.
PPTP Client IP Gateway: Enter the PPTP Client IP Gateway provided by your ISP.
PPTP Server IP: Enter the PP
102. [Table of contents residue; legible entries only]
Appendix C: Bandwidth Management with QoS
C.2 What is Quality of Service?
C.4.2 Office Users
Appendix D: Router Setup Examples
D.1 Outbound Fail Over
D.2 Outbound Load Balancing
D.3 Inbound Fail Over
D.4 DNS Inbound Fail Over
D.5 DNS Inbound Load Balancing
D.6 Dynamic DNS Inbound Load Balancing
D.8 IPSec Fail Over (Gateway to Gateway)
D.10 Protocol Binding
D.11 Intrusion Detection
D.12 PPTP Remote Access by Windows XP
103. [Table of contents residue; legible entries only]
5.2.2 Can't Ping Any PC on the LAN
5.2.3 Can't Access Web Configuration Interface
Pop-up Windows
WAN Interface
5.3.1 Can't Get WAN IP Address from the ISP
ISP Connection
Problems with Date and Time
Restoring Factory Defaults
Appendix A: Virtual Private Networking
A.2.1 IPSec Security Components
A.2.1.1 Authentication Header
A.2.1.2 Encapsulating Security Payload (ESP)
Security Associations
Internet Key Exchange (IKE)
Appendix B: IPSec Logs and Events
104. onfiguration > VPN > IPSec > IPSec Policy and configure the connection from MH 1000 B (Branch B) to MH 1000 C.
[Screenshot: IPSec policy settings]
Step 5: Click Save Config to save all changes to flash memory.
D.10 Protocol Binding
Step 1: Go to Configuration > Dual WAN > General Settings. Select the Load Balancing radio button.
[Screenshot: Dual WAN General Settings]
105. [Table of contents residue; legible entries only]
onfiguration Interface
Chapter 4: Router Configuration
4.2.8 System Log
4.4.2.1 ISP Settings
4.4.3.1 General Settings
4.4.3.2 Outbound Load Balance
Inbound Load Balance
106. onfigures the remote host.
Secure Gateway Address (or Domain Name): The IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.
ID: The identity type of the local host. Choose from the following three options:
Remote IP Address: Automatically use the remote gateway address as ID.
IP Address: Use an IP address format.
FQDN DNS (Fully Qualified Domain Name): Consists of a hostname and domain name. For example, WWW.VPN.COM is a FQDN: WWW is the host name, VPN.COM is the domain name. When you enter the FQDN of the local host, the router will automatically seek the IP address of the FQDN.
FQUN E-Mail (Fully Qualified User Name): Consists of a username and its domain name. For example, user@vpn.com is a FQUN: user is the username and vpn.com is the domain name.
Data: Enter the ID data using the specific ID type.
Network: Set the subnet, IP range, single address, or gateway address of the remote network.
Any Local Address: Will enable any local address on the network.
Subnet: The subnet of the remote network. Selecting this option allows you to enter an IP address and netmask.
IP Range: The IP range of the remote network.
Single Address: The IP address of the remote host.
Gateway Address: The gateway address of the remote host.
Proposal
Secure Association (SA): SA is a method of establishing a security policy between two points. There are three methods of creating SA, each varying in
107. onnection
Tunnel: Select Enable to activate this tunnel. Select Disable to deactivate this tunnel.
Username: Please input the username for this account.
Password: Please input the password for this account.
Retype Password: Please repeat the same password as in the previous field.
Connection Type: Select Remote Access for a single user. Select LAN to LAN for a remote gateway.
Peer Network IP: Please input the IP for the remote network.
Peer Netmask: Please input the netmask for the remote network.
Netbios Broadcast: Allows MH 1000 to send local Netbios Broadcast packets through the PPTP tunnel. Select Enable or Disable.
4.4.7 QoS
MH 1000 can optimize your bandwidth by assigning priority to both inbound and outbound data with QoS. This menu allows you to configure QoS for both inbound and outbound traffic.
[Screenshot: Quality of Service page, with the QoS function (Enable/Disable), Rule Table, Max ISP Bandwidth and Bandwidth Settings shown for WAN1 outbound, WAN1 inbound, WAN2 outbound and WAN2 inbound]
The first menu screen gives you an overview of which WAN ports currently ha
108. our FTP mapping.
[Screenshots: MH 1000 configuration pages]
Step 5: Click Save Config to save all changes to flash memory.
D.6 Dynamic DNS Inbound Load Balancing
[Diagram: remote access from the Internet to servers 192.168.2.2 and 192.168.2.3, using the host names www.planet2.dyndns.org and www.planet3.dyndns.org]
Step 1: Go to Configuration > WAN > Bandwidth Settings. Configure your WAN inbound and outbound bandwidth.
[Screenshot: Bandwidth Settings, with the on-screen note that these bandwidth settings will be referenced by QoS and Load Balance functions]
Step 2: Go to Configuration > Dual WAN > General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not.
[Screenshot: Dual WAN General Settings]
Step 3: Go to Configuration > Dual WAN > Outbound Load Ba
109. [Screenshots: Windows XP Local Area Connection Properties and Internet Protocol (TCP/IP) Properties dialogs, with "Obtain an IP address automatically" and "Obtain DNS server address automatically"]
3.3.3 Windows 2000
1. Go to Start > Settings > Control Panel. In the Control Panel, double-click on Network and Dial-up Connections.
2. Double-click Local Area Connection.
3. In the Local Area Connection Status window, click Properties.
[Screenshots: Network and Dial-up Connections window and Local Area Connection Status dialog]
110. particular internal IP address as the DMZ Host, all incoming packets will be checked by the Firewall and NAT algorithms, then passed to the DMZ host when a packet received does not use a port number used by any other Virtual Server entries.
Caution: Such local computer exposure to the Internet may face a variety of security risks.
[Screenshot: Virtual Server (Port Forwarding) page with the DMZ settings and the Port Forwarding Table]
Enable DMZ function:
Enable: Activates your router's DMZ function.
Disable: Default setting. Disables the DMZ function.
DMZ IP Address: Give a static IP address to the DMZ Host when the Enable radio button is selected. Be aware this IP will be exposed to the WAN/Internet.
Candidates: You can also select the Candidates, which are referred from the ARP table, for automatic input.
Select the Apply button to apply your changes.
4.4.8.2 Port Forwarding Table
Because NAT can act as a natural Internet firewall, your router protects your network from being accessed by outside users, as all incoming connection attempts will point to your router unless you specifically create Virtual Server entries to forward those ports to a PC on your network. When your router needs to allow outside users to access internal servers, e.g.
111. password.
Alert via Email when: Select the frequency of each email update. Choose one of the five options:
Immediately: The router will send an alert immediately.
Hourly: The router will send an alert once every hour.
Daily: The router will send an alert once a day. The exact time can be specified using the pull-down menu.
Weekly: The router will send an alert once a week.
When log is full: The router will send an alert only when the log is full.
4.4.5 Firewall
MH 1000 includes a full Stateful Packet Inspection (SPI) firewall for controlling Internet access from your LAN and preventing attacks from hackers. Your router also acts as a natural Internet firewall when using Network Address Translation (NAT), as all PCs on your LAN will use private IP addresses that cannot be directly accessed from the Internet. Please see the WAN configuration section for more details.
[Screenshot: Packet Filter table]
You can find three items under the Firewall section: Packet Filter, URL Filter, and Block WAN Request.
4.4.5.1 Packet Filter
112. [Screenshot: Device Management settings]
Device Name
Name: Enter a name for this device.
Web Server Settings
HTTP Port: This is the port number that the router's embedded web server (for web-based configuration) will use. The default value is the standard HTTP port, 80. Users may specify an alternative if, for example, they are running a web server on a PC within their LAN.
Management IP Address: You may specify an IP address allowed to log on and access the router's web server. Setting the IP address to 0.0.0.0 will disable IP address restrictions, allowing users to log in from any IP address.
Expire to auto logout: Specify a time frame for the system to automatically log out the user's configuration session.
Example: User A changes the HTTP port number to 100, specifies their own IP address of 192.168.1.100, and sets the logout time to be 100 seconds. The router will only allow User A access from the IP address 192.168.1.100 to log on to the Web GUI by typing http://192.168.1.1:100 in their web browser. After 100 seconds, the device will automatically log out User A.
4.5 Save Configuration To Flash
After changing the router's configuration settings, you must save all of the configuration parameters to flash memory to avoid them being lost after turning off or resetting your router. Click Apply to write your new configuration to flash memory.
113. processed ahead of applications with a lower priority and vice versa.
[Screenshot: QoS rule settings]
2.2.6 Management by IP or MAC address
MH 1000 can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network.
[Screenshot: Quality of Service, Add QoS Rule form, with fields Interface, Application, Guaranteed, Maximum, Priority, DSCP Marking, Address Type (IP Address or MAC Address), Source IP Address Range, Destination IP Address Range, Protocol, Source Port Range and Destination Port Range]
2.2.7 DiffServ (DSCP Marking)
DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values. These markings can be used to identify traffic within the network. Other interfaces can match traffic based on the DSCP markings. DSCP markings are used to decide how packets should be treated and are a useful tool to give precedence to varying types of data.
[Screenshot: Quality of Service, Add QoS Rule form]
114. restart using the current configuration. Select Factory Default Settings if you would like to restart using the factory default configuration.
4. To exit the router's web interface, click LOGOUT. Please ensure that you have saved your configuration settings before you log out.
Be aware that the router is restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to log out, the second PC can access the page after a user-defined period (5 minutes by default).
The following sections will show you how to configure your router using the Web Configuration Interface.
4.2 Status
The Status menu displays the various options that have been selected and a number of statistics about your MH 1000. In this menu, you will find the following sections: ARP Table, Routing Table, Session Table, DHCP Table, IPSec Status, PPTP Status, Traffic Statistics, System Log, IPSec Log.
[Screenshot: Status page showing device name, system up time, current time, LAN and WAN MAC addresses, and firmware version]
115. [Screenshots: Internet Protocol (TCP/IP) Properties dialog; Windows Network dialog (Configuration tab) listing the installed network components; TCP/IP Properties dialog (IP Address tab)]
4. Then select the DNS Configuration tab.
5. Select the Disable DNS radio button and
116. rithm that produces a 128-bit hash.
SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Perfect Forward Secure: Choose whether to enable PFS, using Diffie-Hellman public-key cryptography to change encryption keys during the second phase of VPN negotiation. This function will provide better security but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over the Internet.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is used to establish a shared security policy and authenticated keys for services, such as IPSec, that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key into both sides (router or hosts).
IKE Life Time: Allows you to specify the timer interval for renegotiation of the IKE security association. The value is in seconds, e.g. 28800 seconds = 8 hours.
Key Life Time: Allows you to specify the timer interval for renegotiation of another key. The value is in seconds, e.g. 3600 seconds = 1 hour.
Netbios Broadcast: Allows MH 1000 to send local Netbios Broadcast packets through the IPSec tunnel. Select Enable or Disable.
DPD Setting
DPD function: Select Enable and MH 1000 will send out informational packets to see if the remote VPN device responds to the packets. The function is used to detect the tunnel is
117. [Screenshot: Protocol Binding settings for WAN1]
Step 3: Go to Configuration > Dual WAN > Protocol Binding and configure settings for WAN2.
[Screenshot: Protocol Binding settings for WAN2]
Step 4: Click Save Config to save all changes to flash memory.
D.11 Intrusion Detection
[Screenshot: Intrusion Detection settings]
Step 2: Click Apply and then Save Config to save all changes to flash memory.
D.12 PPTP Remote Access by Windows XP
[Diagram: a Windows XP PPTP client on a business trip connecting over the Internet to the PPTP server; labels: local subnet 192.168.30.0, local mask 255.255.255.0, 100.100.100.1]
Step 1: Go to Configuration > VPN > PPTP and enable the PPTP function. Click Apply.
[Screenshot: PPTP settings]
Step 2: Click Create to create a PPTP Account
118. 4.4.5.5 Intrusion Detection
[Screenshot: Intrusion Detection settings]
Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users.
Intrusion Detection: Enable or disable this function.
Intrusion Log: All the detected and dropped attacks will be shown in the system log.
4.4.6 VPN
4.4.6.1 IPSec
IPSec is a set of protocols that enable Virtual Private Networks (VPN). VPN is a way to establish secured communication tunnels to an organization's network via the Internet.
4.4.6.1.1 IPSec Wizard
[Screenshot: IPSec Wizard, with interface options WAN1, WAN2 and Auto, and connection types LAN to LAN, LAN to LAN (Mobile LAN), LAN to Host, LAN to Host (Mobile Client), and LAN to Host (for VPN Client)]
Connection Name: A user-defined name for the connection.
Interface: Select the interface the IPSec tunnel will apply to.
WAN1: Select interface WAN1.
WAN2: Select interface WAN2.
Auto: The device will automatically apply the tunnel to WAN1 or WAN2, depending on which WAN interface is active when the IPSec tunnel is being established.
Note: Auto only applies to Fail Over mode. For Load Balance mode, please do not select Auto. In Load Balance mode, Auto will be forced to the WAN1 interface if Auto is selected.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. IKE is used to establish
119. rred to as well-known ports. Servers follow the well-known port assignments so clients can locate them.
If you wish to run a server on your network that can be accessed from the WAN (i.e. from other machines on the Internet that are outside your local network), or any application that can accept incoming connections (e.g. peer-to-peer applications), and are using NAT (Network Address Translation), then you will usually need to configure your router to forward these incoming connection attempts using specific ports to the PC on your network running the application. You will also need to use port forwarding if you want to host an online game server.
The reason for this is that when using NAT, your publicly accessible IP address will be used by and point to your router, which then needs to deliver all traffic to the private IP addresses used by your PCs. Please see the WAN Configuration section of this manual for more information on NAT.
MH 1000 can also be configured as a virtual server so that remote users accessing services such as Web or FTP services via the public (WAN) IP address can be automatically redirected to local servers in the LAN network. Depending on the requested service (TCP/UDP port number), the device redirects the external service request to the appropriate server within the LAN network.
4.4.8.1 DMZ
The DMZ Host is a local computer exposed to the Internet. When setting a
120. rs of MH 1000. In this menu, you will find the following sections: LAN, WAN, Dual WAN, System, Firewall, VPN, QoS, Virtual Server, Advanced. These items are described below in the following sections.
4.4.1 LAN
There are two items within this section: Ethernet and DHCP Server.
[Screenshots: LAN Ethernet settings]
IP Address: Enter the internal LAN IP address for MH 1000 (192.168.1.1 by default).
Subnet Mask: Enter the subnet mask (255.255.255.0 by default).
RIP: RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP.
4.4.1.2 DHCP Server
In this menu, you can disable or enable the Dynamic Host Configuration Protocol (DHCP) server. The DHCP protocol allows your MH 1000 to dynamically assign IP addresses to PCs on your network if they are configured to automatically obtain IP addresses.
[Screenshot: DHCP Server settings]
To disable the router's DHCP Server, select the Disable radio button, and then click Apply. When the DHCP Server is disabled, you will need to manually assign a fixed IP address to each PC on your network and set the default gateway for each
121. s. The following items should be included:
MH 1000 Multi-Homing Security Gateway
User's Manual CD-ROM
This Quick Installation Guide
Power Adapter
Bracket x 2 (for rack mounting)
Screw x 4 (for rack mounting)
If any of the contents are missing or damaged, please contact your dealer or distributor immediately.
1.3 MH 1000 Front View
[Figure: MH 1000 front panel, with numbered callouts for the LEDs]
A solid light indicates a steady connection to a power source.
STATUS: A blinking light indicates the device is writing to flash memory.
Lit when connected to an Ethernet device. 10/100: Lit green when connected at 100Mbps; not lit when connected at 10Mbps. LNK/ACT: Lit when device is connected; blinking when data is transmitting/receiving.
Lit when connected to an Ethernet device. 10/100: Lit green when connected at 100Mbps; not lit when connected at 10Mbps. LNK/ACT: Lit when device is connected; blinking when data is transmitting/receiving.
1.4 MH 1000 Rear Panel
[Figure: MH 1000 rear panel]
RESET: To reset the device and restore factory default settings, after the device is fully booted, press and hold RESET until the Status LED begins to blink.
WAN1, WAN2: Connect to your xDSL/Cable modem or other Internet connection devices.
LAN 1-8: Connect to your local PC, switch or other local net
122. s are attempting to access the servers via the Internet. Using Inbound Load Balancing, MH-1000 can direct incoming requests to the correct WAN port based on group assignment. For example, a sales force can be directed to www.planet2.com.tw while the R&D group can access www.planet3.com.tw. By balancing the load between WAN1 and WAN2, your MH-1000 can ensure that inbound traffic is efficiently handled with both ports equally sharing the load, preventing situations where service is slow because one port is completely saturated by inbound traffic. Please refer to appendix D for example settings. 2.5 DNS Inbound: Using DNS Inbound is a great way to intelligently direct network traffic. DNS Inbound is a three step process. First, a DNS request is made to the router via a remote PC. MH-1000, based on settings specified by the user, will direct the requesting PC to the correct WAN port by replying the selected WAN IP address through the built-in DNS server. The remote PC then accesses the network via the specified WAN port. How MH-1000 directs this traffic through the built-in DNS server depends on whether it is configured for Fail Over or Load Balancing. Learn how to make DNS Inbound on MH-1000 work for you in the following section. 2.5.1 DNS Inbound Fail Over: MH-1000 can be configured to reply the WAN2 IP address for the DNS domain name request should WAN1 fail. Authoritative
123. s cannot be obtained from the ISP. If you are using PPPoE or PPTP encapsulation, you will need a user name and password. Ensure that you have entered the correct Service Type, User Name and Password. Note that user names and passwords are case sensitive. If your ISP requires MAC address authentication, clone the MAC address from your PC on the LAN as MH-1000's WAN MAC address. If your ISP requires host name authentication, configure your PC's name as MH-1000's system name. 5.4 ISP Connection: Unless you have been assigned a static IP address by your ISP, your MH-1000 will need to request an IP address from the ISP in order to access the Internet. If your MH-1000 is unable to access the Internet, first determine if your router is able to obtain a WAN IP address from the ISP. To check the WAN IP address: 1. Open your browser and choose an external site (i.e. www.planet.com.tw). 2. Access the Web Configuration Interface by entering your router's IP address (default is 192.168.1.1). 3. The WAN IP Status is displayed on the first page.
124. s to her family. As a result, the net speed slows to a crawl and affects everyone sharing the Internet connection. QoS is designed for managing traffic flow and bandwidth to solve this problem. You can first classify different applications (online games, FTP, Skype, email) as shown in the table below. Then you can manage and prioritize the flow of bandwidth at different levels, e.g. 30 for games, 20 for downloads, 10 for email, 2096 for FTP and 359 for others. QoS can be used to identify different applications and assign priority to enable a smooth and responsive broadband connection. C.4.2 Office Users: QoS is also ideal for small businesses using an office server as a web server. With QoS control, web pages served to your customers can be given top priority and delivered first so that it will not be impeded by email and office web browsing. Here is a good example of how QoS can work in an office environment. A CEO is holding a videoconference with international clients in the meeting room. However, the streaming video and voice frequently lag. Sales people are talking to international agencies via VoIP phone while sending orders via email to vendors for production. However, some staff are downloading MP3 music files, large size photos, and watching video streaming online. Consequently, the Internet connection slows down. This is why business users need QoS to manage data traffic. With QoS t
125. second message of aggressive mode. Done to exchange proposal and key values (second ISAKP Message).
Send Quick mode initial message: Sending the first message of quick mode (Phase II). Done to exchange proposal and key values (IPSec).
Received Quick mode initial message: Received the first message of quick mode (Phase II). Done to exchange proposal and key values (IPSec).
Send Quick mode first response message: Sending the first response message of quick mode (Phase II). Done to exchange proposal and key values (IPSec).
Received Quick mode first response message: Received the first response message of quick mode (Phase II). Done to exchange proposal and key values (IPSec).
Send Quick mode second message: Sending the second message of quick mode (Phase II).
Received Quick mode second message: Received the second message of quick mode (Phase II).
ISAKMP IKE Packet: Indicates IKE packet.
ISAKMP Information: Indicates Information packet.
ISAKMP Quick Mode: Indicates quick mode packet.
NO PROPOSAL CHOSEN: No acceptable Oakley Transform.
NO PROPOSAL CHOSEN: No acceptable Proposal in IPsec SA.
NO PROPOSAL CHOSEN: PFS is required in Quick Initial SA.
NO PROPOSAL CHOSEN: PFS is not required in Quick Initial SA.
NO PROPOSAL CHOSEN: Initial Aggressive Mode message from s but no connection has been configured.
NO PROPOSAL CHOSEN: Initial Main Mode message received on s u but no connection has been authorized.
INVALID ID: Require peer to have
126. so select the Candidates which are referred from the ARP table for automatic input. NOTE: You need to give your LAN server host a static IP address for the Virtual Server to work properly. Click Apply to save your changes. Using port forwarding does have security implications, as outside users will be able to connect to PCs on your network. For this reason, using specific Virtual Server entries just for the ports your application requires, instead of using DMZ, is recommended. 4.4.9 Advanced: Configuration options within the Advanced section are for users who wish to take advantage of the more advanced features of MH-1000. Users who do not understand the features should not attempt to reconfigure their router unless advised to do so by support staff. There are three items within the Advanced section: Static Route, Dynamic DNS and Device Management. 4.4.9.1 Static Route: The static route settings enable the router to route IP packets to another network (subnet). The routing table stores the routing information so the router knows where to redirect the IP packets. Click on Static Route and then click Create to add a routing table.
127. t Options dialogue. 6. Click Apply to save your changes. 5.2.3.2 Java Scripts: If the Web Configuration Interface is not displaying properly in your browser, check to make sure that Java Scripts are allowed. 1. In Internet Explorer, click Tools > Internet Options. 2. Under the Security tab, click Custom Level. 3. Under Scripting, check to see if Active scripting is set to Enable. 4. Ensure that Scripting of Java applets is set to Enabled. 5. Click OK to close the dialogue. 5.2.3.3 Java Permissions: The following Java Permissions should also be
128. t access to certain URLs on the Internet. You can block web sites based on keywords or even block out an entire domain. Certain web features can also be blocked to grant added security to your network. URL Filtering: You can choose to Enable or Disable this feature. Keyword Filtering: Click the checkbox to enable this feature. To edit the list of filtered keywords, click Details. Domain Filtering: Click the enable checkbox to enable filtering by Domain Name. Click the Disable all WEB traffic except for trusted domains check box to allow web access only for trusted domains. Restrict URL Features: Click Block Java Applet to filter web access with Java Applet components. Click Block ActiveX to filter web access with ActiveX components. Click Block Web proxy to filter web proxy access. Click Block Cookie to filter web access with Cookie components. Click Block Surfing by IP Address to filter web access with an IP address as the domain name. Exception List: You can input a list of IP addresses as the exception list for URL filtering. Keyword Filtering: Click the top checkbox to enable this feature. You can also choose to disable all web traffic except for trusted sites by clicking the bottom checkbox. To edit the list of filtered domains, click Details.
129. SOA: Domain Name: The domain name of DNS Server 1. It is the name that you register on DNS organization. You have to fill out the Fully Qualified Domain Name (FQDN) with an ending character (a dot) for this text field (ex. abc.com.). When you enter the following domain name, you can only input different chars without an ending dot; its name is then added with domain name and it becomes FQDN. Primary Name Server: The name assigned to the primary Name Server, e.g. aaa (its FQDN is aaa.abc.com). Admin Mail Box: The administrator's email account, e.g. admin abc com. Serial Number: It is the version number that keeps in the SOA record. Refresh Interval: The interval refreshes are done. Denoted in seconds. Retry Interval: The interval retries are done. Denoted in seconds. Expiration Time: The length of time that can elapse before the zone is no longer authoritative. Denoted in seconds. Minimum TTL: The minimum time to live. Denoted in seconds. NS Record: Name Server: The name of the Primary Name Server. MX Record: Mail Exchanger: The name of the mail server. IP Address: The mail server IP address. Click Apply to save your changes. To edit the Host
130. ticular application to a fixed percentage of the total throughput. Setting a Maximum Bandwidth of 20% for a file sharing program will ensure that no more than 20% of the available bandwidth will be used for file sharing. 2.2.4 Policy Based Traffic Shaping: Policy Based Traffic Shaping allows you to apply specific traffic policies across a range of IP addresses or ports. This is particularly useful for assigning different policies for different PCs on the network. Policy based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network service to your organization. 2.2.5 Priority Bandwidth Utilization: Assigning priority to a certain service allows MH-1000 to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is
131. click OK to finish the configuration. 3.3.5 Windows NT 4.0: 1. Go to Start > Settings > Control Panel. In the Control Panel, double-click on Network and choose the Protocols tab. 2. Select TCP/IP Protocol and click Properties. 3. Select the Obtain an IP address from a DHCP server radio button and click OK. 3.4 Factory Default Settings. 3.4.1 User name and password: The default user name and password are admin and admin respectively. If you ever forget your user name and
132. uld not be manually edited in any way. After selecting the settings file you wish to use, clicking Restore will load those settings into the router. 4.4.4.5 Restart: The Restart feature allows you to easily restart MH-1000. To restart with your last saved configuration, select the Current Settings radio button and click Restart. If you wish to restart the router using the factory default settings, select Factory Default Settings and click Restart to reboot MH-1000 with factory default settings. You may also reset your router to factory default settings by holding the Reset button on the router until the Status LED begins to blink. Once MH-1000 completes the boot sequence, the Status LED will stop blinking. 4.4.4.6 Password: In order to prevent unauthorized access to your router's configuration interface, it requires the administrator to login with a password. You can change your password by entering your new password in both fields. Click Apply to save your changes. Click Reset to reset to the default administration password (admin). 4.4.4.7 System Log Server
133. used to securely share a company's information with suppliers, vendors, customers, or other businesses. Intranets: Intranets are private networks that connect an organization's locations together. These locations range from a headquarters, to branch offices, to a remote employee's home. Intranets are often used for email and for sharing applications and files. A firewall protects Intranets from unauthorized access. Remote Access: Remote access enables mobile workers to access email and business applications. Remote access VPNs greatly reduce expenses by enabling mobile workers to dial a local Internet connection and then set up a secure IPSec-based VPN communications to their organization. A.2 What is the IPSec: Internet Protocol Security (IPSec) is a set of protocols and algorithms that provide data authentication, integrity, and confidentiality as data is transferred across IP networks. IPSec provides data security at the IP packet level, and protects against possible security risks by protecting data. IPSec is widely used to establish VPNs. There are three major functions of IPSec. Confidentiality: Conceals data through encryption. Integrity: Ensures that contents did not change in transit. Authentication: Verifies that packets received are actually from the claimed sender. A.2.1 IPSec Security Components: IPSec contains three major components: Authentication Header
134. ve QoS active and the bandwidth settings for each. WAN Outbound: QoS Function: QoS status for WAN1 outbound. Select Enable to activate QoS for WAN1's outgoing traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN1's outbound traffic. WAN1 Inbound: QoS Function: QoS status for WAN1 inbound. Select Enable to activate QoS for WAN1's incoming traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN1's inbound traffic. WAN2 Outbound: QoS Function: QoS status for WAN2 outbound. Select Enable to activate QoS for WAN2's outgoing traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2's outbound traffic. WAN2 Inbound: QoS Function: QoS status for WAN2 inbound. Select Enable to activate QoS for WAN2's incoming traffic. Select Disable to deactivate. Max ISP Bandwidth: The maximum bandwidth afforded by the ISP for WAN2's inbound traffic. Creating a New QoS Rule: To get started using QoS, you will need to establish QoS rules. These rules tell MH-1000 how to handle both incoming and outgoing traffic. The following example shows you how to configure WAN1 Outbound QoS. Configuring the other traffic types follows the same process. To make a new rule, click Rule Table. This will bring you to the Rule
135. wall management. You can also configure MH-1000 to function as a VPN Concentrator. Please refer to appendix D for example settings. [Figure: VPN Concentrator example] Chapter 3 Getting Started. 3.1 Overview: MH-1000 is designed to be a powerful and flexible network device that is also easy to use. With an intuitive web-based configuration, MH-1000 allows you to administer your network via virtually any Java-enabled web browser and is fully compatible with Linux, Mac OS, and Windows 98/ME/NT/2000/XP operating systems. The following chapter takes you through the very first steps to configuring your network for MH-1000. Take a look and see how easy it is to get your network up and running. 3.2 Before You Begin: In order to simplify the configuration process and increase the efficiency of your network, you should consider the following items before setting up your network for the first time: 1. Plan your
136. wer adapter supplied by Planet for this product. If the error persists, you may have a hardware problem and should contact technical support. 5.1.2 LEDs Never Turn Off: When your MH-1000 is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there may be a hardware problem. If all LEDs are still on one minute after powering up: Cycle the power to see if the router recovers. Clear the configuration to factory defaults. If the error persists, you may have a hardware problem and should contact technical support. 5.1.3 LAN or Internet Port Not On: If either the LAN LEDs or Internet LED does not light when the Ethernet connection is made, check the following: Make sure each Ethernet cable connection is secure at the firewall and at the hub or workstation. Make sure that power is turned on to the connected hub or workstation. Be sure you are using the correct cable. When connecting the firewall's Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable. 5.1.4 Forgot My Password: Try entering the default User Name and Password. User Name: admin. Password: admin. Please note that both the User Name and Password are case sensitive. If this fails, you can restore your MH-1000 to its factory def
137. work device. DC 12V: Connect DC Power Adapter here (12VDC). 1.5 Specification. Performance: Firewall throughput 90Mbps; IPSec VPN throughput 30Mbps; PPTP VPN throughput 10Mbps; sessions. Software: Management. Network Protocol and features: Static IP, PPPoE, PPTP, Big Pond and DHCP client connection to ISP; NAT, Static Route, RIP-2; Dynamic Domain Name System (DDNS); Virtual Server and DMZ; DHCP server; NTP. Load Balancing: UI bandwidth of outbound and inbound traffic; DNS inbound load balance. SPI/DoS Firewall: Stateful Packet Inspection (SPI) and Denial of Service (DoS) prevention; Packet Filter by IP, port number and packet type; E-mail alert and logs of attack; MAC Address Filtering. Content Filtering: URL Filtering; Java Applet, Active X, Web Proxy, Surfing of IP Address, Cookie Blocking. VPN Tunnels: IPSec 100, PPTP 4. VPN Functions: PPTP, IPSec VPN; support DES, 3DES and AES encrypting; SHA-1/MD5 authentication algorithm; Remote access VPN (Client-to-Site) and Site-to-Site VPN; IPSec, PPTP, L2TP pass through. Support DiffServ approach; Prioritization and bandwidth managed by IP, Port number and MAC address. Log and Alert: Syslog support; E-mail Alert. Chapter 2 Router Application. 2.1 Overview: MH-1000 is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Serv
138. Step 5: Go to Configuration > Virtual Server and set up a virtual server for both FTP and HTTP. Step 6: Click Save Config to save all changes to flash memory. D.7 VPN Configuration: This section outlines some concrete examples on how you can configure MH-1000 for your VPN. D.7.1 LAN to LAN: [Figure: IPSec VPN connection with encrypted data between the Branch Office Router (192.168.0.0/24, LAN IP 192.168.0.254, Public IP 69.121.1.30) and the Head Office Router (Public IP 69.121.1.3, LAN IP 192.168.1.254, 192.168.1.0/24)] IPSec VPN LAN to LAN table (Branch Office, Head Office), fields: Local: Data Network, IP Address, Netmask; Secure Gateway Address (or Hostname); Data Network, IP Address, Netmask; IKE Pre-shared Key; Security Algorithm. Values shown: 69.121.1.3, 69.121.1.30; IP Address, IP Address; 12345678, 12345678. D.7.2 Host to LAN: [Figure: IPSec VPN connection with encrypted data between a Windows XP host (Public IP 69.121.1.30) and the Head Office Router (Public IP 69.121.1.3, LAN IP 192.168.1.254, 192.168.1.0/24)] IPSec VPN Host to LAN table, fields: Data Network, IP Address, Netmask; Secure Gateway Address (or Hostname)
