After trying in vain to make my BT Home Hub 3 work as a Proper Router™ for my home lab, I decided to take the plunge and get something better. Seeing as I work at HP, I thought I’d try the HP MSR 930.
The first step is to get the fundamentals configured. The config below is a snippet from my configuration. It enables SSH, SFTP, and HTTPS access from local IP addresses only.
    sysname <Your Hostname>
    #
    # Change some web timeouts
    #
    web https-authorization mode auto
    web idle-timeout 3
    #
    # ACL for Local Access
    #
    acl number 2000
     description *** Local Only ***
     rule 0 permit source 192.168.1.0 0.0.0.255
     rule 5 permit source 10.0.0.0 0.255.255.255
    #
    # Secure Web Interface
    #
    undo ip http enable
    ip https enable
    ip https port 443
    ip https acl 2000
    #
    # SSH Setup
    #
    ssh server enable
    ssh server authentication-timeout 10
    sftp server enable
    #
    # Restrict VTY to SSH from Local IP's
    #
    user-interface vty 0 4
     acl 2000 in
     authentication-mode scheme
     protocol inbound ssh
Once we have our fundamentals done, we can get our firewall ready. The configuration snippet below configures the firewall to block all incoming traffic and only permit HTTP(S) and TCP/UDP traffic belonging to established connections.
    firewall enable
    #
    aspf-policy 1
     detect HTTPS
     detect HTTP
     detect TCP
     detect UDP
    #
    # ACL
    #
    acl number 3111
     description *** Incoming! ***
     rule 100 deny ip
    #
Now that we are secure, we can get our VLANs set up. Note the TCP MSS is set to 1350 to avoid fragmentation.
    vlan 100
     name Home
    #
    interface range GigabitEthernet 0/1 to GigabitEthernet 0/4
     port access vlan 100
    #
    interface Vlan-interface 100
     description *** Home LAN ***
     ip address 192.168.1.254 24
     tcp mss 1350
     ip virtual-reassembly
I’m not terminating the VDSL line on the router; instead I’m connecting directly to the BT Openreach VDSL modem. To get online, you need to set up PPPoE on the MSR.
    dialer-rule 1 ip
    #
    interface Dialer1
     description *** WAN: BT Infinity ***
     nat outbound
     firewall packet-filter 3111 inbound
     firewall aspf 1 outbound
     link-protocol ppp
     ppp chap user firstname.lastname@example.org
     ppp chap password simple email@example.com
     mtu 1492
     ip address ppp-negotiate
     dialer user firstname.lastname@example.org
     dialer-group 1
     dialer bundle 1
     ip virtual-reassembly
    #
    # Physical Interface Config
    #
    interface GigabitEthernet0/0
     port link-mode route
     description *** WAN ***
     nat outbound
     pppoe-client dial-bundle-number 1
     tcp mss 1442
     ip address dhcp-alloc
     ip virtual-reassembly
    #
    ip route-static 0.0.0.0 0.0.0.0 Dialer1
At this point you should be securely connected to the internet.
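As an added example that is not part of the original post: a small Python checker that reads a saved Comware configuration (laid out like the snippets above, one context per `#`-separated block with sub-commands indented by one space) and reports which of the hardening points made so far are missing, namely plain HTTP disabled, VTY lines restricted to SSH with an inbound ACL, and the WAN dialer's inbound packet filter ending in a deny-all rule. The parsing rules and the sample config are my assumptions, not the router's actual output.

```python
# Constructed sample (not the author's config), laid out the way Comware's
# 'display current-configuration' prints it: sub-commands indented by one space.
SAMPLE_CONFIG = """\
acl number 3111
 rule 0 permit gre
 rule 100 deny ip
#
undo ip http enable
ip https acl 2000
#
interface Dialer1
 firewall packet-filter 3111 inbound
#
user-interface vty 0 4
 acl 2000 in
 protocol inbound ssh
#
"""

def parse_config(text):
    """Map every top-level command or context to its indented sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Return the hardening checks from the post that this config fails."""
    cfg, findings = parse_config(text), []
    if "undo ip http enable" not in cfg:
        findings.append("plain HTTP management is still enabled")
    vtys = [v for k, v in cfg.items() if k.startswith("user-interface vty")]
    for sub in vtys or [[]]:  # a missing VTY stanza fails both checks
        if "protocol inbound ssh" not in sub:
            findings.append("VTY lines accept protocols other than SSH")
        if not any(s.startswith("acl ") and s.endswith(" in") for s in sub):
            findings.append("VTY lines have no inbound ACL")
    filters = [s.split()[2] for s in cfg.get("interface Dialer1", [])
               if s.startswith("firewall packet-filter ") and s.endswith(" inbound")]
    if not filters:
        findings.append("Dialer1 has no inbound packet filter")
    elif not cfg.get(f"acl number {filters[0]}", [""])[-1].endswith("deny ip"):
        findings.append(f"ACL {filters[0]} does not end with a deny-all rule")
    return findings
```

Run `audit()` over the text of `display current-configuration` saved from the MSR; an empty list means all three checks pass.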
Appendix 1: Port Forwarding
If you need to forward some ports for an application, you can do this under the dialer interface. For example, to forward port 8080 to 192.168.1.126:
    interface Dialer1
     nat server 1 protocol tcp global current-interface 8080 inside 192.168.1.126 8080
Appendix 2: PPTP Passthrough
If you want to pass PPTP through in order to use a PPTP VPN, you will need to permit GRE and PPTP traffic through your firewall and also enable the NAT Application Layer Gateway for PPTP, because GRE can’t easily be NATed.
    nat alg pptp
    #
    acl number 3111
     rule 0 permit gre
     rule 5 permit tcp destination-port eq 1723
Appendix 3: WLAN Setup
If you want to set up WPA2 wireless, you can modify the configuration below:
    wlan country-code GB
    wlan service-template 1 crypto
     ssid <Your SSID>
     cipher-suite ccmp
     security-ie rsn
     service-template enable
    #
    interface WLAN-BSS1
     description *** Home WLAN ***
     port access vlan 100
     port-security port-mode psk
     port-security tx-key-type 11key
     port-security preshared-key pass-phrase simple <Your Key>
    #
    interface WLAN-Radio3/0
     service-template 1 interface wlan-bss 1
     undo shutdown
    #