RS-1200 Dual WAN Security Gateway
re you still using a PC based Firewall program to manage your company's network? The AirLive RS family of security gateways are designed to offer complete advance Firewall,2-Way B a n d w i d t h m a n a g e r, V P N s e r v e r s , M e s s e n g e r Control, Access Authentication, and much more in an all-in-one box. The RS-1200 is powered by a powerful Dual WAN Connection The RS-1200 offer 2 of WAN interface for load balancing and redundancy. Reducing the risk of a potentially catastrophic shutdown if one of the connections should fail. In addition to maintaining a reliable connection, RS-1200 features out-bound load balancing that can increase your upstream bandwidth when connecting to 2 different ISP services.
DMZ port support DMZ port is a specific hardware port that lets outside user from internet access your servers without exposing your network to attack. Therefore, you can put your server group on the DMZ port and put your PC network on the regular LAN port. This setup protects your local network from the traffic to the server group. Best of all, users can choose to use NAT or Transparent modes for the DMZ port. QoS Bandwidth Management The RS-1200 feature AirLive's second generation bandwidth management function with easier setting and more features. Administrators can control the bandwidth speed for downstream and upstream traffic separately. For each traffic direction, administrat or can define the Guaranteed (Minimum) and Maximum bandwidth. Furthermore, the bandwidth definition can be saved as a policy for firewall. So the administrator can easily control the bandwidth of a single IP, IP group, or by application Best of all, application support are user definable for infinite expandability. Whether it is for business to set priority of their application or for selling Internet services by bandwidth, the RS-1200 has the function for it. VPN Server and client The RS-1200 features advance VPN server and client funcation.The gateway offers both IPsec and PPTP server function plus PPTP client function, So whether you want to work from home or connect 2 office networks together over Internet securely, the RS-1200 has the function for you.
Multiple Virtual Sever Some router provide Multi-DMZ support. But the RS-1200 goes one extra step to provide multi virtual server support. So that means if your ISP provide more than one real IP address, you can take full advantage of it by assigning different forwarding rules for each real IP address. Up to 4 real IP addresses are supported each with its own NAT table Policy Based Firewall with scheduling At the factory's default setting, the RS-1200 does not open any services. Administrator should decide whether to open all services (just go to the policy page and create a policy from inside any to outside any and create another one from outside any to inside any) or open certain services only. The policies are listed in a order list, so administrator has the flexibility to choose which policy has the highest priority. Best of all, all these policies can be activate or deactivate by automatic scheduling (Monday to Sunday, starting and finishing hours)
Password Authentication for Internet Access For each policy, administrator can define a password needed for accessing. Take for example, you can set a policy for web browsing (port 80). And the gateway will automatically pop-up a window asking the user to enter password when they want to access the Internet. Up to 200 authentication policies can be made. This feature is useful for system administrator who want to limit certain service to certain individuals regardless of which station they use. Furthermore, it can also be used for control of selling Internet services

Content Filtering system administrators can establish and enforce acceptable Internet access policies. Content filtering enables the blocking of certain websites either by IP or by domain name. Administrators can also define schedule for each content filtering rules. But best of all, you can also choose to block javascript, active-X, POP-UP, or Cookies. Up to 300 content filtering rules can be made. Messenger and Skype Blocking One of the biggest headache for system administrators is to block messenger and Skype traffic. Because these application use dynamic ports that are hard to block, it is usually difficult to block those particular applications. With the RS-1200, it can block MSN messenger, Yahoo Messenger, ICQ, QQ messenger, and Skype traffic with a click of a button. Advance Security Functions The gateway can be either configured in transparent mode as a gateway or enable the NAT router function. It has many security features built-in such as SPI, SYN, ICMP, DoS, UDP, Ping of Death and Port Scan. The traffic log can be sent automatically by email or by Syslog function. The gateway even features Accounting Report function that display individual IP/service's usage in time or Kilobytes. Therefore, administrator can charge account by time or traffic used. The RS-1200 is a product that combines the most important and useful security features in one package. It allows you to take complete control over your network. Contact your authorized AirLive dealer for details

Specification

Hardware
Dimensions: H: 40mm W: 150m D: 220mm Connection & Display

Security Functions

Processor : Intel IXP425, 266MHz Memory: 8MB Flash, 64MB SDRAM Power: 100~240 VAC DC 5V, 2.4A
LAN port 1x 10/100 Base-T Ethernet RJ 45 port WAN port 2 x 10/100 Base-T Ethernet RJ45 port
DMZ port 1x 10/100 Base-T Ethernet RJ 45 port Connecting to Internet FTP,SNMP,HTTP,DNS) Reset Reset to the original default setting QoS function
50 max VPN tunnel entries Log and Stastic
Incoming and Outgoing Policy Stateful Packet Inspection (SPI) PI, SYN, ICMP, DoS, UDP Permited IP Ping of Death and Port Scan Blaster Alert VPN pass-through IPSec and PPTP

Email alert Syslog

Accounting Report Incoming IP traffic Outgoing IP traffic Incoming Service Outgoing Service By usage in Kbps By Time used
Upstream and Downstream Bandwidth Control Define Guaranteed and Maximum Bandwidth Limit bandwidth by IP and/or by Application Service User definable Service
Event Alarm Content Filtering Javascript, active-X, POP-UP, or Cookies

controls

Save QoS rule as a policy Authentication
Local User name and password build in Authentication User (up to 200 Users)
build in Authentication Group ( up to 20 Group) WAN Support

PPPoE Fixed IP DHCP WAN1/ WAN2 interface enable setup ICMP, DNS WAN connection service PPTP 70Mbps NAT throughtput 45000 Concurrent NAT sessions
IM Blocking MSN messenge Yahoo Messenger ICQ QQ Skype Virtual Server
eDonkey , BT , WinMX P2P Blocking
Multi Virtual Server support (up to 4 real IP) Up to 16 virtual server entries
Management and Maintenance
Web-based management Firmware upgrade DDNS Routed Table
LAN support Hardware Specifications
Dimensions: H: 40mm W: 150m D: 220mm Multiple Subnets Physical Interfaces DMZ support WAN Port: 1 * 10/100 Base-T Ethernet RJ45 port, NAT mode
Memory: 16MB Flash, 32MB SDRAM Transparent mode Power: 100~240 VAC NAT mode
Processor: with 2 WINS server settings DHCP Waveplus MIPS 100MHz CPU
Limit bandwidth by IP and/or by Application Scheduling Service Define Days of the Week User definable Service Define Start Hour (in 30 minutes interval) Save QoS rule as a policy Define Ending Hour (in 30 minutes interval) Up to 100 rules Up to 20 schedule type Authentication Local User name and password
Ordering Information Up to 200 policies
LAN Ports: 4 * 10/100 Base-T Ethernet RJ45 port, Transparent mode QoS function LAN to DMZ, DMZ to LAN, WAN to Upstream and Downstream Bandwidth Control DMZ,DMZ to WAN Define Guaranteed and Maximum Bandwidth policy control
Incoming IP traffic Storing Temperature : -20 C ~ 70 C Outgoing IP traffic Operating Humidity: 90% max relative nonIncoming Service condensing Outgoing Service EMI/EMC Compliance
Log and Stastic Clock Email alert Host name table Syslog Environmental Specifications Accounting Report Operating Temp: 0 C to 55 C;

Content Filtering

By usage with FCC part 15, subpart J Comply in Kbps By TimeBused Class CISPR/FCC Event Alarm with CE/EMC Comply
Javascript, active-X, POP-UP, or Cookies controls URL Filtering IP Filtering Up to 300 entries Virtual Server Multi Virtual Server support (up to 4 real IP) Up to 16 virtual server entries Management and Maintenance Web-based management Firmware upgrade
WAN Support RS-1200 Dual WAN Security Gateway PPPoE Fixed IP DHCP

RS-1200

Dual WAN Security Gateway

Users Manual

Contents

System

Chapter 1 Administration . Admin . Permitted IPs . Logout . Software Update . 11

Chapter 2

Configure . 12 Setting . 17 Date/Time . 22 Multiple Subnet . 23 RouteTable . 26 DHCP . 30 DDNS . . 32 Host Table . 34 Language . . 35

Interface

Chapter 3 Interface . 36 LAN . . 41 WAN . DMZ . 42 50
Policy Object Chapter 4 Address . Example . Chapter 5 Service . Custom . Group . . Chapter 6 Chapter 7 Schedule

. 72

QoS . . 75 Example . . 78 Authentication 81 Example . . 86 Content Filtering URL . Script . . P2P . IM . Download . . 101 103

Chapter 8

Chapter 9

Chapter 10

Virtual Server . 105 Example . . 109 VPN . 124 Example . 132

Chapter 11

Policy Chapter 12
Policy . . 156 Example . . 162

Anti-Attack Chapter13

Alert Setting . 180 Internal Alert 185 Atack Alarm . 189 Internal Alarm . 191 External Alarm 192

Chapter14

Monitor Chapter15
LOG . . Traffic Log . Event Log . Connection Log . . Log Backup .

Chapter16

Accounting 210 Report . . Outbound . 212 Inbound . 217 Statistics . . 223 WAN . . 225 Policy . 227 Status . 229 Interface . . 230 Authentication . 232 ARP Table . . 233 DHCP Clients . . 234

Chapter17

Chapter18

Chapter 1

Administration
System the managing of settings such as the privileges is of packets that pass through the AirLive RS-1200 and monitoring controls. The System Administrators can manage, monitor, and configure AirLive RS-1200 settings. But all configurations are read-only for all users other than the System Administrator; those users are not able to change any setting of the AirLive RS-1200.
Define the required fields of Administrator

Administrator Name:

The username of Administrators and Sub Administrator for the RS-1200. The admin user name cannot be removed; and the sub-admin user can be removed or configure. The default Account: admin; Password: admin

Privilege:

The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is Administrator with reading / writing privilege. Administrator also can change the system setting, log system status, and to increase or delete sub-administrator. Sub-Admin may be created by the Admin by clicking New Sub Admin. Sub Admin have only read and monitor privilege and cannot change any system setting value.

Configure:

Click Modify to change the Sub-Administrators password or click Remove to delete a Sub Administrator.
Adding a new Sub Administrator
STEP 1In the Admin WebUI, click the New Sub Admin button to create a

new Sub Administrator.

STEP 2In the Add New Sub Administrator WebUI (Figure 1-1) and enter the
following setting: Sub Admin Name: sub_admin Password: 12345 Confirm Password: 12345
STEP 3Click OK to add the user or click Cancel to cancel it.
Figure1-1 Add New Sub Admin
Modify the Administrator Password s
STEP 1In the Admin WebUI, locate the Administrator name you want to edit, and
click on Modify in the Configure field.
STEP 2The Modify Administrator Password WebUI will appear. Enter the
following information: Password: admin New Password: 52364 Confirm Password: 52364 (Figure1-2)
STEP 3Click OK to confirm password change.
Figure1-2 Modify Admin Password

Add Permitted IPs

STEP 1Add the following setting in Permitted IPs of Administration: (Figure1-3)
Name: Enter master IP Address: Enter 163.173.56.11 Netmask: Enter 255.255.255.255 Service: Select Ping and HTTP Click OK Complete add new permitted IPs (Figure1-4)
Figure1-3 Setting Permitted IPs WebUI
Figure1-4 Complete Add New Permitted IPs
To make Permitted IPs be effective, it must cancel the Ping and WebUI selection in the WebUI of RS-1200 that Administrator enter. (LAN, WAN, or DMZ Interface) Before canceling the WebUI selection of Interface, must set up the Permitted IPs first, otherwise, it would cause the situation of cannot enter WebUI by appointed Interface.

Time Server (NTP) or by syncing to your computers clock.
GMT: International Standard Time (Greenwich Mean Time)
Define the required fields of Multiple Subnet
Forwarding Mode: To display the mode that Multiple Subnet use. (NAT mode or Routing Mode) WAN Interface Address: The IP address that Multiple Subnet corresponds to WAN. LAN Interface Address/Subnet Netmask: The Multiple Subnet range

NAT Mode:

It allows Internal Network to set multiple subnet address and connect with the Internet through different WAN IP Addresses. For exampleThe lease line of a company applies several real IP Addresses 168.85.88.0/24, and the company is divided into R&D department, service, sales department, procurement department, accounting department, the company can distinguish each department by different subnet for the purpose of managing conveniently. The settings are as the following 1. R&D department subnet192.168.1.1/24(LAN) 2. Service department subnet192.168.2.1/24(LAN) 3. Sales department subnet192.168.3.1/24(LAN) 4. Procurement department subnet 192.168.4.1/24(LAN) 168.85.88.250(WAN) 5. Accounting department subnet 192.168.5.1/24(LAN) 168.85.88.249(WAN) 168.85.88.253(WAN) 168.85.88.252(WAN) 168.85.88.251(WAN)
The first department (R&D department) had set while setting interface IP; the other four ones have to be added in Multiple Subnet. After completing the settings, each department uses the different WAN IP Address to connect to the Internet. The settings of each department are as following: Service IP Address Gateway Subnet Netmask 255.255.255.0 192.168.2.1 Sales 255.255.255.0 192.168.3.1 Procurement 255.255.255.0 192.168.4.1 Accounting 255.255.255.0 192.168.5.1
192.168.2.2~254 192.168.3.2~254 192.168.4.2~254 192.168.5.2~254

Routing Mode:

It is the same as NAT mode approximately but does not have to correspond to the real WAN IP address, which let internal PC to access to Internet by its own IP. (External user also can use the IP to connect with the Internet)
Define the required fields of DHCP

Subnet:

The domain name of LAN

NetMask:

The LAN Netmask

Gateway:

The default Gateway IP address of LAN

Client IP Address Range 2:
Enter the starting and the ending IP address dynamically assigning to DHCP clients. But it must in the same subnet as Client IP Address Range 1 and the range cannot be repeated.
DMZ Interface: the same as LAN Interface. (DMZ works only if to enable DMZ Interface) Leased Time: Enter the leased time for Dynamic IP. The default time is 24 hours. Click OK and DHCP setting is completed. (Figure2-14)

Figure 2-14 DHCP WebUI

When selecting Automatically Get DNS, the DNS Server will lock it as LAN Interface IP. (Using Occasion: When the system Administrator starts Authentication, the users first DNS Server must be the same as LAN Interface IP in order to enter Authentication WebUI)

Dynamic DNS Settings

STEP 1Select Dynamic DNS in System function (Figure2-15). Click New Entry button Service providersSelect service providers. Automatically fill in the WAN 1/2 IPCheck to automatically fill in
the WAN 1/2 IP. User NameEnter the registered user name.
PasswordEnter the password Domain nameEnter Your host domain name
Click OK to add Dynamic DNS. (Figure2-16)

Figure2-15 DDNS WebUI

Figure 2-16 Complete DDNS Setting
Chart Meaning Update Incorrect Connecting Unknown error successfully username or to server password
If System Administrator had not registered a DDNS account, click on Sign up then can enter the website of the provider. If you do not select Automatically fill in the WAN IP and then you can enter a specific IP in WAN IP. Let DDNS to correspond to that specific IP address.

Host Table

STEP 1Select Host Table in Settings function and click on New Entry Domain Name: The domain name of the server Virtual IP Address: The virtual IP address respective to Host Table Click OK to add Host Table. (Figure2-17)
Figure2-17 Add New Host Table
To use Host Table, the user PCs first DNS Server must be the same as the LAN Port or DMZ Port IP of RS-1200. That is, the default gateway.

Language

Select the Language version (English Version/ Traditional Chinese Version or Simplified Chinese Version) and click OK. (Figure2-18)

Figure2-18 Language Setting WebUI

Chapter 3

In this section, the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the LAN network, the WAN 1/2 network, and the DMZ network. The Netmask and gateway IP addresses are also configured in this section.
Define the required fields of Interface
Using the LAN Interface, the Administrator can set up the LAN network of RS-1200.
Select this function to allow the LAN users to ping the Interface IP Address.
Select to enable the user to enter the WebUI of RS-1200 from Interface IP.
The System Administrator can set up the WAN network of RS-1200.
Balance Mode: Auto: The RS-1200 will adjust the WAN 1/2 utility rate automatically according to
the downstream/upstream of WAN. (For users who are using various download bandwidth)
Round-Robin: The RS-1200 distributes the WAN 1/2 download bandwidth 1:1, in
other words, it selects the agent by order. (For users who are using same download bandwidths)
By Traffic: The RS-1200 distributes the WAN 1/2 download bandwidth by accumulative traffic. By Session: The RS-1200distributes the WAN 1/2 download bandwidth by saturated connections. By Packet: The RS-1200 distributes the WAN 1/2 download bandwidth by accumulated packets and saturated connection.
Connect Mode: Display the current connection mode:
PPPoE (ADSL user) Dynamic IP Address (Cable Modem User) Static IP Address

Saturated Connections:

Set the number for saturation whenever session numbers reach it, the RS-1200 switches to the next agent on the list.

Priority:

Set priority of WAN for Internet Access.

Connection Test:

To test if the WAN network can connect to Internet or not. The testing ways are as following:
ICMPTo test if the connection is successful or not by the Ping IP you set. DNSTo test if the connection is successful or not by checking Domain
Upstream/Downstream Bandwidth:
The System Administrator can set up the correct Bandwidth of WAN network Interface here.

Auto Disconnect:

The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter the amount of idle time before disconnection in the field. Enter 0 if you do not want the PPPoE connection to disconnect at all.
The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ includes:
NAT ModeIn this mode, the DMZ is an independent virtual subnet. This
virtual subnet can be set by the Administrator but cannot be the same as LAN Interface.
Transparent Mode: In this mode, the DMZ and WAN Interface are in the

With easily recognized names of IP addresses and names of address groups shown in the address table, the Administrator can use these names as the source address or destination address of control policies. The address table should be setup before creating control policies, so that the Administrator can pick the names of correct IP addresses from the address table when setting up control policies.
Define the required fields of Address
The System Administrator set up a name as IP Address that is easily recognized.

IP Address:

It can be a PCs IP Address or several IP Address of Subnet. Different network area can be: Internal IP Address, External IP Address, and DMZ IP Address.

Netmask:

When correspond to a specific IP, it should be set as: 255.255.255.255. When correspond to several IP of a specific Domain. Take 192.168.100.1 (C Class subnet) as an example, it should be set as: 255.255.255.0.

MAC Address:

Correspond a specific PCs MAC Address to its IP; it can prevent users changing IP and accessing to the net service through policy without authorizing.
Get Static IP address from DHCP Server:
When enable this function and then the IP obtain from DHCP Server automatically under LAN or DMZ will be distributed to the IP that correspond to the MAC Address.
We set up two Address examples in this chapter: No Ex1 Suitable Situation LAN Example Under DHCP circumstances, assign the specific IP to static users and restrict them to access FTP net service only through policy. Set up a policy that only allows partial users to connect with specific IP (External Specific IP) Page 55

LAN Group WAN

Under DHCP situation, assign the specific IP to static users and restrict them to access FTP net service only through policy
STEP 1Select LAN in Address and enter the following settings:
Click New Entry button (Figure4-1) Name: Enter Rayearth IP Address: Enter 192.168.3.2 Netmask: Enter 255.255.255.255 MAC Address : Enter the users MAC Address00:B0:18:25:F5:89 Select Get static IP address from DHCP Server Click OK (Figure4-2)
Figure 4-1 Setting LAN Address Book WebUI
Figure4-2 Complete the Setting of LAN
STEP 2Adding the following setting in Outgoing Policy: (Figure4-3)
Figure 4-3 Add a Policy of Restricting the Specific IP to Access to Internet

Setting a policy that can restrict the user downstream and s upstream bandwidth
STEP 1Enter the following settings in QoS:
Click New Entry (Figure7-3) Name: The name of the QoS you want to configure. Enter the bandwidth in WAN1, WAN2 Select QoS Priority Click OK (Figure7-4)
Figure7-3 QoS WebUI Setting
Figure7-4 Complete the QoS Setting
STEP 2Use the QoS that set by STEP1 in Outgoing Policy. (Figure7-5, 7-6)
Figure7-5 Setting the QoS in Policy
Figure7-6 Complete Policy Setting
When the administrator are setting QoS, the bandwidth range that can be set is the value that system administrator set in the WAN of Interface. So when the System Administrator sets the downstream and upstream bandwidth in WAN of Interface, he/she must set up precisely.

Authentication

By configuring the Authentication, you can control the user s connection authority. The user has to pass the authentication to access to Internet. The RS-1200 configures the authentication of LAN user by setting s account and password to identify the privilege.
Define the required fields of Authentication
Authentication Management Provide the Administrator the port number and valid time to setup RS-1200 authentication. (Have to setup the Authentication first) Authentication Port: The internal user have to pass the authentication to access to the Internet when enable RS-1200. Re-Login if Idle: When the internal user access to Internet, can setup the idle time after passing authentication. If idle time exceeds the time you setup, the authentication will be invalid. The default value is 30 minutes. URL to redirect when authentication succeed: The user who had passes Authentication have to connect to the specific website. (It will connect to the website directly which the user want to login) The default value is blank. Messages to display when user login: It will display the login message in the authentication WebUI. (Support HTML) The default value is blank (display no message in authentication WebUI) Add the following setting in this function: (Figure8-1)
Figure8-1 Authentication Setting WebUI
When the user connect to external network by Authentication, the following page will be displayed: (Figure8-2)
Figure8-2 Authentication Login WebUI
It will connect to the appointed website after passing Authentication: (Figure8-3)
Figure8-3 Connecting to the Appointed Website After Authentication
If the user ask for authentication positively, can enter the LAN IP by the Authentication port number. And then the Authentication WebUI will be displayed.

Define the required fields of Virtual Server

WAN IP

WAN IP Address (Real IP Address)

Map to Virtual IP

Map the WAN Real IP Address into the LAN Private IP Address

Virtual Server Real IP

The WAN IP address which mapped by the Virtual Server.
Service name (Port Number)
The service name that provided by the Virtual Server.

External Service Port

The WAN Service Port that provided by the virtual server. If the service you choose only have one port and then you can change the port number here. (If change the port number to 8080 and then when the external users going to browse the Website; he/she must change the port number first to enter the Website.)

Server Virtual IP

The virtual IP which mapped by the Virtual Server.
We set up four Virtual Server examples in this chapter: No. Ex1 Suitable Situation Mapped IP Example Make a single server that provides several services such as FTP, Web, and Mail, to provide service by policy. Page 109
Virtual Server Make several servers that provide a single 112 service, to provide service through policy by Virtual Server. (Take Web service for example) Virtual Server The external user use VoIP to connect with VoIP of LAN. (VoIP Port: TCP 1720, TCP 15328-15333, UDP 15328-15333) Virtual Server Make several servers that provide several same services, to provide service through policy by Virtual Server. (Take HTTP, POP3, SMTP, and DNS Group for example) 115

Preparation

Apply for two ADSL that have static IP (WAN1 static IP is 61.11.11.10~ 61.11.11.14) (WAN2 static IP is 211.22.22.18~ 211.22.22.30)
Make a single server that provides several services such as FTP, Web, and Mail, to provide service by policy
STEP 1Setting a server that provide several services in LAN, and set up the network cards IP as 192.168.1.100. DNS is External DNS Server. STEP 2Enter the following setting in LAN of Address function: (Figure10-1)
Figure10-1 Mapped IP Settings of Server in Address
STEP 3Enter the following data in Mapped IP of Virtual Server function:
Click New Entry WAN IP: Enter 61.11.11.12 (click Assist for assistance) Map to Virtual IP: Enter 192.168.1.100 Click OK Complete the setting of adding new mapped IP (Figure10-2)
Figure10-2 Mapped IP Setting WebUI
STEP 4Group the services (DNS, FTP, HTTP, POP3, SMTP) that provided and
used by server in Service function. And add a new service group for server to send mails at the same time. (Figure10-3)
Figure10-3 Service Setting
STEP 5Add a policy that includes settings of STEP3, 4 in Incoming Policy.

(Figure10-4)

Figure10-4 Complete the Incoming Policy
STEP 6Add a policy that includes STEP2, 4 in Outgoing Policy. It makes the server
to send e-mail to external mail server by mail service. (Figure10-5)

ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and selecting Main mode in Mode. (Figure11-26)
Figure11-26 IPSec Perfect Forward Secrecy Setting
STEP 9.Complete the IPSec Autokey setting. (Figure11-27)
Figure11-27 Complete Company B IPSec Autokey Setting
STEP 10.Enter the following setting in Tunnel of VPN function: (Figure11-28)
Enter a specific Tunnel Name. From Source: Select LAN From Source Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. IPSec / PPTP Setting: Select VPN_B. Select Show remote Network Neighborhood. Click OK. (Figure11-29)
Figure11-28 New Entry Tunnel Setting
Figure11-29 Complete New Entry Tunnel Setting
STEP 11.Enter the following setting in Outgoing Policy: (Figure11-30)
Authentication User: Select All_NET. Schedule: Select Schedule_1. QoS: Select QoS_1. Tunnel: Select IPSec_VPN_Tunnel. Click OK.(Figure11-31)
Figure11-30 Setting the VPN Tunnel Outgoing Policy
Figure11-31 Complete the VPN Tunnel Outgoing Policy Setting
STEP 12.Enter the following setting in Incoming Policy: (Figure11-32)
Schedule: Select Schedule_1. QoS: Select QoS_1. Tunnel: Select IPSec_VPN_Tunnel. Click OK.(Figure11-33)
Figure11-32 Setting the VPN Tunnel Incoming Policy
Figure11-33 Complete the VPN Tunnel Incoming Policy Setting
STEP 13. Complete IPSec VPN Connection. (Figure11-34)
Figure 11-34 IPSec VPN Connection Deployment
Setting PPTP VPN connection between two RS-1200
Preparation Company A WAN IP: 61.11.11.11
LAN IP: 192.168.10.X Company B WAN IP: 211.22.22.22 LAN IP: 192.168.20.X This example takes two RS-1200 as flattop. Suppose Company B 192.168.20.100 is going to have VPN connection with Company A 192.168.10.100 and download the resource.
The Default Gateway of Company A is the LAN IP of the RS-1200 192.168.10.1. Follow the steps below: STEP 1.Enter PPTP Server of VPN function in the RS-1200 of Company A. Select
Modify and enable PPTP Server: Select Encryption. Client IP Range: Enter 192.44.75.1-254. Idle Time: Enter 0. (Figure11-35)
Figure11-35 Enable PPTP VPN Server Settings
Idle Time: the setting time that the VPN Connection will auto-disconnect under unused situation. (Unit: minute)
STEP 2.Add the following settings in PPTP Server of VPN function in the RS-1200 of
Company A: Select New Entry. (Figure11-36) User Name: Enter PPTP_Connection. Password: Enter 123456789. Client IP assigned by: Select IP Range. Click OK. (Figure11-37)
Figure 11-36 PPTP VPN Server Setting
Figure 11-37 Complete PPTP VPN Server Setting
STEP 3.Enter the following setting in Tunnel of VPN function: (Figure11-38)
Enter a specific Tunnel Name. From Source: Select LAN From Source Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. IPSec / PPTP Setting: Select PPTP_Server_PPTP_Connection. Select Show remote Network Neighborhood. Click OK. (Figure11-39)

STEP 7Complete the policy to access mail service by LAN to DMZ (Figure12-31)
Figure12-31 Complete the Policy to access Mail Service by LAN to DMZ
STEP 8Add the following setting in DMZ to WAN Policy:
Click New Entry Source Address: Select Mail_Server Service: Select E-mail Click OK (Figure12-32)
Figure12-32 Setting the Policy of Mail Service by DMZ to WAN
STEP 9Complete the policy access to mail service by DMZ to WAN. (Figure12-33)
Figure12-33 Complete the Policy access to Mail Service by DMZ to WAN

Chapter 13

Alert Setting
When the RS-1200 had detected attacks from hackers and the internal PC sending large DDoS attacks. The Internal Alert and External Alert will start on blocking these packets to maintain the whole network. In this chapter, we will have the detailed illustration about Internal Alert and External Alert:
Define the required fields of Hacker Alert

Detect SYN Attack:

Select this option to detect TCP SYN attacks that hackers send to server computers continuously to block or cut down all the connections of the servers. These attacks will cause valid users cannot connect to the servers.
SYN Flood Threshold(Total) Pkts/Sec: The system Administrator
can enter the maximum number of SYN packets per second that is allowed to enter the network/RS-1200. If the value exceeds the setting one, and then the device will determine it as an attack.
SYN Flood Threshold(Per Source IP) Pkts/Sec: The system
Administrator can enter the maximum number of SYN packets per second from attacking source IP Address that is allowed to enter the network/RS-1200. And if value exceeds the setting one, and then the device will determine it as an attack.
SYN Flood Threshold Blocking Time(Per Source IP) Seconds:
When the RS-1200 determines as being attacked, it will block the attacking source IP address in the blocking time you set. After blocking for certain seconds, the device will start to calculate the max number of SYN packets from attacking source IP Address. And if the max number still exceed the define value, it will block the attacking IP Address continuously.

Detect ICMP Attack:

When Hackers continuously send PING packets to all the machines of the LAN networks or to the RS-1200 via broadcasting, your network is experiencing an ICMP flood attack.

Figure16-1 Outbound Source IP Statistics Report

STEP 2

Enter Outbound in Accounting Report and select Top Sites to inquire the statistics website of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server to pass the RS-1200. (Figure16-2) TOPSelect the data you want to view, it presents 10 results in one page. Pull-down menu selection Destination IPThe IP address used by WAN service server which uses RS-1200. DownstreamThe percentage of downstream and the value of each WAN service server which uses RS-1200 to LAN user. UpstreamThe percentage of upstream and the value of each LAN user who uses RS-1200 to WAN service server. First PacketWhen the first packet is sent from WAN service server to LAN users, the sent time will be recorded by the RS-1200. Last Packet When the last packet from LAN user is sent to WAN service server, the sent time will be recorded by the RS-1200. DurationThe period of time which starts from the first packet to the last packet to be recorded. Total TrafficThe RS-1200 will record the sum of time and show the percentage of each WAN service servers upstream/downstream to LAN user. Reset CounterClick Reset Counter button to refresh Accounting Report.
Figure16-2 Outbound Destination IP Statistics Report

STEP 3

Enter Outbound in Accounting Report and select Top Services to inquire the statistics website of Send / Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server to pass the RS-1200. (Figure16-3) TOPSelect the data you want to view. It presents 10 results in one page. According to the downstream / upstream report of the selected TOP numbering to draw the Protocol Distribution chart. (Figure16-4) Pull-down menu selection ServiceThe report of Communication Service when LAN users use the RS-1200 to connect to WAN service server. DownstreamThe percentage of downstream and the value of each WAN service server who uses RS-1200 to connect to LAN user. UpstreamThe percentage of upstream and the value of each LAN user who uses RS-1200 to WAN service server. First PacketWhen the first packet is sent to the WAN Service Server, the sent time will be recorded by the RS-1200. Last PacketWhen the last packet is sent from the WAN Service Server, the sent time will be recorded by the RS-1200. DurationThe period of time starts from the first packet to the last packet to be recorded. Total TrafficThe RS-1200 will record the sum of time and show the percentage of each Communication Services upstream/downstream to WAN service server. Reset CounterClick the Reset Counter button to refresh the Accounting Report.

Figure16-3 Outbound Services Statistics Report
Figure16-4 According to the downstream / upstream report of the selected TOP numbering to draw the Protocol Distribution chart
to return to Accounting Report window.

Inbound

Enter Inbound in Accounting Report and select Top Users to inquire the statistics website of Send / Receive packets, Downstream / Upstream, First packet/Last packet / Duration and the service from the WAN user to pass the RS-1200. (Figure16-5) TOPSelect the data you want to view. It presents 10 pages in one page. Select from the Pull-down menu Source IPThe IP address used by WAN users who use RS-1200. DownstreamThe percentage of Downstream and the value of each WAN user who uses RS-1200 to LAN service server. UpstreamThe percentage of Upstream and the value of each LAN service server who uses RS-1200 to WAN users. First PacketWhen the first packet is sent from WAN users to LAN service server, the sent time will be recorded by the RS-1200. Last PacketWhen the last packet is sent from LAN service server to WAN users, the sent time will be recorded by the RS-1200. DurationThe period of time starts from the first packet to the last packet to be recorded. Total TrafficThe RS-1200 will record the sum of time and show the percentage of each WAN users upstream / downstream to LAN service server. Reset CounterClick the Reset Counter button to refresh the Accounting Report.
Figure16-5 Inbound Top Users Statistics Report
Enter Inbound in Accounting Report and select Top Sites to inquire the statistics website of Send / Receive packets, Downstream / Upstream, First packet/Last packet / Duration and the service from the WAN user to pass the RS-1200. (Figure16-6) TOPSelect the data you want to view. It presents 10 pages in one page. Pull-down menu selection Destination IPThe IP address used by WAN users who uses RS-1200. DownstreamThe percentage of Downstream and the value of each WAN user who uses RS-1200 to LAN service server. UpstreamThe percentage of Upstream and the value of each LAN service server who uses RS-1200 to WAN users. First PacketWhen the first packet is sent from WAN users to LAN service server, the sent time will be recorded by the RS-1200. Last PacketWhen the last packet is sent from LAN service server to WAN users, the sent time will be recorded by the RS-1200. DurationThe period of time starts from the first packet to the last packet to be recorded. Total TrafficThe RS-1200 will record the sum of time and show the percentage of each WAN users upstream / downstream to LAN service server. Reset CounterClick the Reset Counter button to refresh the Accounting Report.

Figure16-6 Inbound Destination IP Statistics Report
Enter Inbound in Accounting Report and select Top Services to inquire the statistics website of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server to pass the RS-1200. (Figure16-7) TOPSelect the data you want to view. It presents 10 results in one page. According to the downstream / upstream report of the selected TOP numbering to draw the Protocol Distribution chart. (Figure16-8) Pull-down menu selection ServiceThe report of Communication Service when WAN users use the RS-1200 to connect to LAN service server. DownstreamThe percentage of downstream and the value of each WAN user who uses RS-1200 to LAN service server. UpstreamThe percentage of upstream and the value of each LAN service server who uses RS-1200 to WAN user. First PacketWhen the first packet is sent to the LAN Service Server, the sent time will be recorded by the RS-1200. Last PacketWhen the last packet is sent from the LAN Service Server, the sent time will be recorded by the RS-1200. DurationThe period of time starts from the first packet to the last packet to be recorded. Total TrafficThe RS-1200 will record the sum of time and show the percentage of each Communication Services upstream / downstream to LAN service server. Reset CounterClick the Reset Counter button to refresh the Accounting Report.
Figure16-7 Inbound Services Statistics Report
Figure16-8 According to the downstream / upstream report of the selected TOP numbering to draw the Protocol Distribution chart

Chapter 17

Statistics
WAN Statistics: The statistics of Downstream / Upstream packets and Downstream/Upstream traffic record that pass WAN Interface Policy Statistics: The statistics of Downstream / Upstream packets and Downstream/Upstream traffic record that pass Policy
In this chapter, the Administrator can inquire the RS-1200 for statistics of packets and data that passes across the RS-1200. The statistics provides the Administrator with information about network traffics and network loads.
Define the required fields of Statistics:
Statistics Chart: Y-CoordinateNetwork TrafficKbytes/Sec X-CoordinateTimeHour/Minute Source IP, Destination IP, Service, and Action: These fields record the original data of Policy. From the information above, the Administrator can know which Policy is the Policy Statistics belonged to. Time: To detect the statistics by minutes, hours, days, months, or years. Bits/sec, Bytes/sec, Utilization, Total: The unit that used by Y-Coordinate, which the Administrator can change the unit of the Statistics Chart here. UtilizationThe percentage of the traffic of the Max. Bandwidth that System Manager set in Interface function. Total: To consider the accumulative total traffic during a unit time as Y-Coordinate