Configuring the HP MSR930 for BT Infinity

Posted by Dave on 12 November 2013

After trying in vain to make my BT Home Hub 3 work as a Proper Router™ for my home lab I decided to take the plunge and get something better. Seeing as I work at HP, I thought I’d try the HP MSR 930

First step is to get your Fundamentals configured. The config below is a snippet from my configuration. This will enable SSH, SFTP, and HTTPS access from local IP addresses only.

sysname <Your Hostname>
# Change some web timeouts
web https-authorization mode auto
web idle-timeout 3
# ACL for Local Access
acl number 2000
    description *** Local Only ***
    rule 0 permit source
    rule 5 permit source
# Secure Web Interface
undo ip http enable
ip https enable
ip https port 443
ip https acl 2000
# SSH Setup
ssh server enable
ssh server authentication-timeout 10
sftp server enable
# Restrict VTY to SSH from Local IP's
user-interface vty 0 4
    acl 2000 in
    authentication-mode scheme
    protocol inbound ssh

Once we have our fundamentals done, we can get our firewall ready. The configuration snippet below will configure the firewall to block all incoming traffic, and only permit HTTP(S) and TCP/UDP traffic for established connections.

firewall enable
aspf-policy 1
    detect HTTPS
    detect HTTP
    detect TCP
    detect UDP
acl number 3111
description *** Incoming! ***
    rule 100 deny ip

Now we are secure, we can get our VLANs set up. Note the TCP-MSS size is 1350 to avoid fragmentation.

vlan 100
    name Home
interface range GigabitEthernet 0/1 to GigabitEthernet 0/4
    port access vlan 100
vlan-interface 100
    description *** Home LAN ***
    ip address 24
    tcp mss 1350
    ip virtual-reassembly

I’m not terminating the VDSL line on the router, instead I’m connecting direct to the BT OpenReach VDSL modem… To get online, you need to set up PPPoE on the MSR.

dialer-rule 1 ip
interface Dialer1
    description *** WAN: BT Infinity ***
    nat outbound
    firewall packet-filter 3111 inbound
    firewall aspf 1 outbound
    link-protocol ppp
    ppp chap user [email protected]
    ppp chap password simple [email protected]
    mtu 1492
    ip address ppp-negotiate
    dialer user [email protected]
    dialer-group 1
    dialer bundle 1
    ip virtual-reassembly
# Physical Interface Config
interface GigabitEthernet0/0
    port link-mode route
    description *** WAN ***
    nat outbound
    pppoe-client dial-bundle-number 1
    tcp mss 1442
    ip address dhcp-alloc
    ip virtual-reassembly
    ip route-static Dialer1

At this point you should be securely connected to the internet.

Appendix 1: Port Forwarding

If you need to forward some ports for an application, you can do this under the dialer interface. For example, to forward port 8080 to

interface Dialer1
    nat server 1 protocol tcp global current-interface 8080 inside 8080

Appendix 2: PPTP Passthrough

If you want to pass through PPTP in order to use a PPTP VPN you will need to permit GRE and PPTP traffic through your firewall and also to enable NAT Application Layer Gateway for PPTP traffic - this is because GRE can’t easily be NAT’ed.

nat alg pptp
acl number 3111
    rule 0 permit gre
    rule 5 permit tcp destination-port eq 1723

Appendix 3: WLAN Setup

If you want to set up WPA2 wireless you can modify the configuration below:

wlan country-code GB
wlan service-template 1 crypto
    ssid <Your SSID>
    cipher-suite ccmp
    security-ie rsn
    service-template enable
interface WLAN-BSS1
    description *** Home WLAN ***
    port-access vlan 100
    port-security port-mode psk
    port-security tx-key-type 11key
    port-security preshared-key pass-phrase simple <Your Key>
interface WLAN-Radio3/0
    service-template 1 interface wlan-bss 1
    undo shut