After trying in vain to make my BT Home Hub 3 work as a Proper Router™ for my home lab I decided to take the plunge and get something better. Seeing as I work at HP, I thought I’d try the HP MSR 930.
The first step is to get the fundamentals configured. The config below is a snippet from my configuration. It enables HTTPS, SSH and SFTP management and restricts all three to local source addresses through ACL 2000; plain HTTP stays disabled, and because the VTY lines accept SSH only, Telnet is off as well. The snippet assumes that an RSA host key pair (public-key local create rsa) and a local user with the ssh service type already exist, as the SSH server will not accept logins without them. The web idle-timeout is in minutes.
sysname <Your Hostname>
#
# Change some web timeouts
#
web https-authorization mode auto
web idle-timeout 3
#
# ACL for Local Access
#
acl number 2000
description *** Local Only ***
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 10.0.0.0 0.255.255.255
#
# Secure Web Interface
#
undo ip http enable
ip https enable
ip https port 443
ip https acl 2000
#
# SSH Setup
#
ssh server enable
ssh server authentication-timeout 10
sftp server enable
#
# Restrict VTY to SSH from Local IP's
#
user-interface vty 0 4
acl 2000 in
authentication-mode scheme
protocol inbound ssh
Once the fundamentals are done, we can get the firewall ready. The snippet below enables the packet filter, defines an ASPF policy that tracks outbound TCP and UDP sessions (and HTTP(S) on top) so that only their return traffic is let back in, and defines ACL 3111, which denies everything else arriving on the WAN. The explicit deny-all rule is not optional: a Comware 5 packet filter permits packets that match no rule unless firewall default deny is configured. The policy and the ACL are bound to the WAN interface in the PPPoE section below (firewall aspf 1 outbound and firewall packet-filter 3111 inbound).
firewall enable
#
aspf-policy 1
detect HTTPS
detect HTTP
detect TCP
detect UDP
#
# ACL
#
acl number 3111
description *** Incoming! ***
rule 100 deny ip
#
Now that the WAN side is locked down we can set up the VLANs. The TCP MSS is clamped to 1350 on the LAN interface so that TCP segments from LAN hosts fit inside the 1492-byte PPPoE MTU without fragmentation (or a path-MTU black hole where ICMP is filtered upstream); the largest value that would fit is 1452 (1492 minus 40 bytes of IP and TCP headers), so 1350 is a conservative choice.
vlan 100
name Home
#
interface range GigabitEthernet 0/1 to GigabitEthernet 0/4
port access vlan 100
#
interface Vlan-interface 100
description *** Home LAN ***
ip address 192.168.1.254 24
tcp mss 1350
ip virtual-reassembly
I’m not terminating the VDSL line on the router; instead I’m connecting directly to the BT Openreach VDSL modem. To get online, you need to set up PPPoE on the MSR.
dialer-rule 1 ip
#
interface Dialer1
description *** WAN: BT Infinity ***
nat outbound
firewall packet-filter 3111 inbound
firewall aspf 1 outbound
link-protocol ppp
ppp chap user <Your BT Username>
ppp chap password simple <Your BT Password>
mtu 1492
ip address ppp-negotiate
dialer user <Your BT Username>
dialer-group 1
dialer bundle 1
ip virtual-reassembly
#
# Physical Interface Config
#
interface GigabitEthernet0/0
port link-mode route
description *** WAN ***
nat outbound
pppoe-client dial-bundle-number 1
tcp mss 1442
ip address dhcp-alloc
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
At this point you should be securely connected to the internet. One thing to change before you save: ppp chap password simple keeps the BT password in clear text in the running configuration, so anyone who can run display current-configuration gets it; use the cipher keyword instead and it is stored encrypted.
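To check that a running configuration actually matches what this page sets up, here is an added example script (mine, not from the original post and not HP/H3C software) that audits the text of display current-configuration for the points above: HTTP disabled and HTTPS behind an ACL, VTYs SSH-only with an inbound ACL, an inbound packet filter on the dialer whose ACL ends in deny ip, an outbound ASPF policy, credentials stored with simple, and the LAN MSS clamp against the WAN MTU. The embedded config is constructed from the snippets on this page; the parser assumes the one-space sub-command indentation the router prints.

```python
"""Audit a Comware 5 style config for the hardening points in this write-up.
Added example, not part of the original post and not HP/H3C software.  Input is
the text of 'display current-configuration' (sub-commands indented one space)."""
import re

BLOCK_OPENERS = ("interface ", "user-interface ", "acl number ", "aspf-policy ")

# Constructed from the article's snippets; the placeholders are kept as-is.
BASE_CONFIG = """\
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
undo ip http enable
ip https enable
ip https acl 2000
aspf-policy 1
 detect tcp
 detect udp
acl number 3111
 rule 100 deny ip
interface Vlan-interface100
 tcp mss 1350
interface Dialer1
 firewall packet-filter 3111 inbound
 firewall aspf 1 outbound
 ppp chap password simple <Your BT Password>
 mtu 1492
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode scheme
 protocol inbound ssh
"""


def parse(config):
    """Split config into top-level commands and {block header: [sub-commands]}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":    # '#' separates sections
            current = None
        elif line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(BLOCK_OPENERS):
            current = line
            blocks.setdefault(current, [])    # the same ACL may be extended later
        else:
            current = None
            top.append(line)
    return top, blocks


def first_match(pattern, lines):
    """First re.match of pattern over lines, or None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse(config)
    findings = []
    # Management plane: HTTPS only and behind an ACL, VTYs SSH-only with an ACL.
    if "undo ip http enable" not in top:
        findings.append("plain-text HTTP management is not disabled")
    if "ip https enable" in top and not first_match(r"ip https acl \d+", top):
        findings.append("HTTPS management is not restricted by an ACL")
    for hdr, lines in blocks.items():
        if hdr.startswith("user-interface vty"):
            if "protocol inbound ssh" not in lines:
                findings.append(f"{hdr}: Telnet still allowed (no 'protocol inbound ssh')")
            if not first_match(r"acl \d+ in", lines):
                findings.append(f"{hdr}: no inbound ACL")
    # WAN side: inbound ACL must end in deny-all, ASPF must track outbound sessions.
    wan_mtu = None
    for hdr, lines in blocks.items():
        if not hdr.startswith("interface Dialer"):
            continue
        pf = first_match(r"firewall packet-filter (\d+) inbound", lines)
        if pf is None:
            findings.append(f"{hdr}: no inbound packet filter")
        else:
            acl = blocks.get(f"acl number {pf.group(1)}", [])
            rules = sorted((int(m.group(1)), m.group(2), m.group(3)) for m in
                           (re.match(r"rule (\d+) (permit|deny) (.*)", r) for r in acl) if m)
            if not rules or rules[-1][1:] != ("deny", "ip"):
                findings.append(f"{hdr}: ACL {pf.group(1)} does not end in 'deny ip' "
                                "(Comware permits unmatched packets by default)")
        if not first_match(r"firewall aspf \d+ outbound", lines):
            findings.append(f"{hdr}: no outbound ASPF policy, return traffic would be dropped")
        mtu = first_match(r"mtu (\d+)", lines)
        wan_mtu = int(mtu.group(1)) if mtu else wan_mtu
    # Clear-text credentials, and the MSS clamp versus the PPPoE MTU (MSS <= MTU - 40).
    for hdr, lines in blocks.items():
        for l in lines:
            if re.search(r"(password|pass-phrase) simple ", l):
                findings.append(f"{hdr}: '{l.split(' simple ')[0]}' stored in clear text, use 'cipher'")
            mss = re.match(r"tcp mss (\d+)", l)
            if mss and wan_mtu and int(mss.group(1)) > wan_mtu - 40:
                findings.append(f"{hdr}: tcp mss {mss.group(1)} exceeds WAN MTU {wan_mtu} minus 40")
    return findings


if __name__ == "__main__":
    for finding in audit(BASE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's own settings the only finding is the clear-text CHAP password; swap simple for cipher and it comes back clean. Remove undo ip http enable or protocol inbound ssh, or turn rule 100 into a permit, and each is reported separately.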
Appendix 1: Port Forwarding
If you need to forward a port for an application, add a NAT server mapping under the dialer interface; global current-interface is used because the PPPoE address is dynamic. For example, to forward TCP port 8080 to 192.168.1.126: Note that ACL 3111 as written contains no permit for this port, so if the forward does not work, add a permit rule for TCP 8080 numbered below 100 to ACL 3111, in the same way Appendix 2 does for PPTP.
interface Dialer1
nat server 1 protocol tcp global current-interface 8080 inside 192.168.1.126 8080
Appendix 2: PPTP Passthrough
If you want PPTP passthrough, so that a PPTP VPN client behind the router can connect out, you need to permit GRE and PPTP (TCP 1723) through the inbound filter and enable the NAT application layer gateway for PPTP. The ALG is needed because GRE carries no port numbers and cannot be NATed on its own; the ALG ties each GRE call to its TCP 1723 control session. The permit rules are numbered 0 and 5 so that they are evaluated before rule 100 deny ip. Bear in mind that PPTP itself is obsolete (its MS-CHAPv2 authentication is cheaply breakable), so prefer an IPsec or OpenVPN based VPN where you can.
nat alg pptp
#
acl number 3111
rule 0 permit gre
rule 5 permit tcp destination-port eq 1723
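Why the new rules are numbered 0 and 5, and why rule 100 deny ip has to be there at all, is easier to see with an evaluator. The following is an added example (not from the original post and not HP/H3C code) that applies ACL 3111 to a few constructed inbound packets the way the packet filter does: rules in ascending number order, first match wins, and the firewall default action (permit on Comware 5 unless firewall default deny is set) for anything unmatched. It only understands the rule forms used on this page, and it also shows that the Appendix 1 forward on TCP 8080 has no permit rule in this ACL.

```python
"""Evaluate inbound packets against ACL 3111 the way the Comware packet filter does.
Added example, not from the original post or from HP/H3C.  Rules are tried in
ascending rule-number order (the default 'config' match order); a packet matching
no rule gets the firewall default action, 'permit' on Comware 5 unless
'firewall default deny' has been configured.  Only the rule forms used in this
article are understood: rule N permit|deny <proto> [destination-port eq P]."""
import re

RULE = re.compile(r"rule (\d+) (permit|deny) (\w+)(?: destination-port eq (\d+))?$")

# Constructed inbound packets: (label, protocol, destination port or None).
PACKETS = [
    ("GRE for PPTP", "gre", None),
    ("PPTP control", "tcp", 1723),
    ("forwarded app from Appendix 1", "tcp", 8080),
    ("SSH from the internet", "tcp", 22),
]

ACL_3111 = ["rule 100 deny ip"]                       # as in the firewall section
ACL_3111_PPTP = ACL_3111 + ["rule 0 permit gre",      # as extended in Appendix 2
                            "rule 5 permit tcp destination-port eq 1723"]


def parse_rules(acl_lines):
    """Return [(number, action, protocol, dport)] sorted by rule number."""
    rules = []
    for line in acl_lines:
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        num, action, proto, port = m.groups()
        rules.append((int(num), action, proto, int(port) if port else None))
    return sorted(rules)


def evaluate(rules, proto, dport=None, default="permit"):
    """Return (action, rule number) for the first matching rule, or (default, None)."""
    for num, action, rproto, rport in rules:
        if rproto not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if rport is not None and rport != dport:
            continue
        return action, num
    return default, None


def decisions(acl_lines, default="permit"):
    """Map each sample packet to the filter's verdict."""
    rules = parse_rules(acl_lines)
    return {label: evaluate(rules, proto, dport, default)[0]
            for label, proto, dport in PACKETS}


if __name__ == "__main__":
    for name, acl in (("ACL 3111", ACL_3111), ("ACL 3111 + PPTP rules", ACL_3111_PPTP)):
        print(name)
        for label, verdict in decisions(acl).items():
            print(f"  {label:32} {verdict}")
```

With the bare ACL every sample packet is denied; with the Appendix 2 rules GRE and TCP 1723 are permitted while 8080 and 22 still hit rule 100. Number the permit rules above 100 instead and they are never reached, and with no rules at all the default action decides, which is why the deny-all is there.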
Appendix 3: WLAN Setup
If you want to set up WPA2 wireless you can adapt the configuration below. It creates a WPA2-PSK network using AES-CCMP (the rsn security IE selects WPA2, ccmp selects AES). The pass-phrase must be 8 to 63 characters, and as with the PPP password you can store it with cipher rather than simple so it does not sit in the configuration in clear text.
wlan country-code GB
wlan service-template 1 crypto
ssid <Your SSID>
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface WLAN-BSS1
description *** Home WLAN ***
port access vlan 100
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase simple <Your Key>
#
interface WLAN-Radio3/0
service-template 1 interface wlan-bss 1
undo shut
#