Configuring the HP MSR930 for BT Infinity

Posted by Dave Tucker on Tue 12 November 2013

After trying in vain to make my BT Home Hub 3 work as a Proper Router™ for my home lab I decided to take the plunge and get something better. Seeing as I work at HP, I thought I’d try the HP MSR 930

First step is to get your Fundamentals configured. The config below is a snippet from my configuration. This will enable SSH, SFTP, and HTTPS access from local IP addresses only.

sysname <Your Hostname>
# Change some web timeouts
web https-authorization mode auto
web idle-timeout 3
# ACL for Local Access
acl number 2000
 description *** Local Only ***
 rule 0 permit source
 rule 5 permit source
# Secure Web Interface
undo ip http enable
ip https enable
ip https port 443
ip https acl 2000
# SSH Setup
ssh server enable
ssh server authentication-timeout 10
sftp server enable
# Restrict VTY to SSH from Local IP's
user-interface vty 0 4
 acl 2000 in
 authentication-mode scheme
 protocol inbound ssh

Once we have our fundamentals done, we can get our firewall ready. The configuration snippet below will configure the firewall to block all incoming traffic, and only permit HTTP(S) and TCP/UDP traffic for established connections.

firewall enable
aspf-policy 1
 detect HTTPS
 detect HTTP
 detect TCP
 detect UDP
acl number 3111
description *** Incoming! ***
 rule 100 deny ip

Now we are secure, we can get our VLANs set up. Note the TCP-MSS size is 1350 to avoid fragmentation.

vlan 100
 name Home
interface range GigabitEthernet 0/1 to GigabitEthernet 0/4
 port access vlan 100
vlan-interface 100
 description *** Home LAN ***
  ip address 24
  tcp mss 1350
  ip virtual-reassembly

I’m not terminating the VDSL line on the router, instead I’m connecting direct to the BT OpenReach VDSL modem… To get online, you need to set up PPPoE on the MSR.

dialer-rule 1 ip
interface Dialer1
 description *** WAN: BT Infinity ***
 nat outbound
 firewall packet-filter 3111 inbound
 firewall aspf 1 outbound
 link-protocol ppp
 ppp chap user
 ppp chap password simple
 mtu 1492
 ip address ppp-negotiate
 dialer user
 dialer-group 1
 dialer bundle 1
 ip virtual-reassembly
# Physical Interface Config
interface GigabitEthernet0/0
 port link-mode route
 description *** WAN ***
 nat outbound
 pppoe-client dial-bundle-number 1
 tcp mss 1442
 ip address dhcp-alloc
 ip virtual-reassembly
 ip route-static Dialer1

At this point you should be securely connected to the internet.

Appendix 1: Port Forwarding

If you need to forward some ports for an application, you can do this under the dialer interface. For example, to forward port 8080 to

interface Dialer1
 nat server 1 protocol tcp global current-interface 8080 inside 8080

Appendix 2: PPTP Passthrough

If you want to pass through PPTP in order to use a PPTP VPN you will need to permit GRE and PPTP traffic through your firewall and also to enable NAT Application Layer Gateway for PPTP traffic - this is because GRE can’t easily be NAT’ed.

nat alg pptp
acl number 3111
    rule 0 permit gre
    rule 5 permit tcp destination-port eq 1723

Appendix 3: WLAN Setup

If you want to set up WPA2 wireless you can modify the configuration below:

wlan country-code GB
wlan service-template 1 crypto
 ssid <Your SSID>
 cipher-suite ccmp
 security-ie rsn
 service-template enable
interface WLAN-BSS1
 description *** Home WLAN ***
 port-access vlan 100
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase simple <Your Key>
interface WLAN-Radio3/0
 service-template 1 interface wlan-bss 1
 undo shut

Comments !