
Cisco 1812 as a home router

I decided to find a replacement for my D-Link DIR-300, because it stubbornly refused to keep a stable L2TP connection with my new provider, and the hardware was obsolete anyway. After reading a pile of home router reviews, I realized that they are all essentially the same: the same features and a boring web interface. And I have no use for extras like external drives and torrent clients. My apartment is small, so a separate machine along the lines of an HP MicroServer would not fit, and I would begrudge the money as well.

It so happens that I live in Vladivostok, and Japan is right next door; there is a large Japanese site there that sells everything from comics to cars. It also has a section with server hardware, which is where I began my search. Since I was looking for something for a home rather than a rack, I was interested in the Cisco 8xx series. Unfortunately none were to be found, but there were plenty of Cisco 1812s at ridiculous prices, with the suffix J; the only difference from the plain 1812 is the absence of a Wi-Fi module. Without hesitation I ordered one, and it arrived within a week.
So, what we have:

Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
Cisco 1812-J (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
62592K bytes of ATA CompactFlash (Read/Write)

And what we want to get:
Connect a desktop and a laptop through an ordinary home provider that offers local (intranet) services and an L2TP tunnel to the outside world; manage the router remotely over SSH; reach the main home computer over RDP; and keep a dynamic DNS record up to date.

1. General settings

First, connect to the router through the console port (I use PuTTY) and enter privileged mode:
Router>en
Router#

First of all, give the router a name more pleasing to the eye than plain "Router" and set its domain name (this is needed later when generating the RSA key for SSH); also add the addresses of the provider's DNS servers:

Router#conf t
Router(config)#hostname home
home(config)#ip domain-name home.lan
home(config)#ip name-server xxxx
home(config)#ip name-server yyyy

Next, have the router obfuscate the passwords shown in the configuration and compress the stored configuration file:

home(config)#service password-encryption
home(config)#service compress-config

Note that `service password-encryption` only applies the reversible type 7 encoding to passwords that would otherwise sit in the configuration in clear text; it protects against someone glancing at the screen, not against anyone who obtains a copy of the config. The user and enable passwords below are created with `secret`, which stores a salted MD5 hash instead. Now create a user for remote access, set the privileged-mode password, and switch to local authentication and authorization:

home(config)#username yourname secret yourpass
home(config)#enable secret your_enable_pass
home(config)#aaa new-model
home(config)#aaa authentication login default local
home(config)#aaa authorization exec default local

It remains to generate the RSA key pair, enable SSH version 2 and configure the virtual terminal lines. SSH version 2 requires an RSA modulus of at least 768 bits, and the default the command offers is smaller than that, so specify 2048 explicitly. Be aware that `exec-timeout 0 0` disables the idle timeout entirely, so an SSH session left open stays open, and that the VTY lines are reachable from every interface, including the Internet-facing ones configured later; restrict them with `access-class` or at least restore a timeout:

home(config)#crypto key generate rsa modulus 2048
home(config)#ip ssh version 2
home(config)#line vty 0 4
home(config-line)#exec-timeout 0 0
home(config-line)#transport preferred ssh
home(config-line)#transport input ssh
home(config-line)#exit

With this, the basic configuration can be considered complete.
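As an added example (not part of the original article), here is how I would lock down the management plane configured in this section: SSH to the router is limited to known sources, repeated failed logins are throttled, the idle timeout is restored and web management is switched off. The ACL name MGMT-IN is my choice; 192.168.0.0/24 is the home LAN configured in the next section.

```cisco
! Added example, not part of the original article. MGMT-IN is an assumed ACL name;
! 192.168.0.0/24 is the home LAN from section 2.
ip access-list standard MGMT-IN
 remark home LAN; add the public addresses you administer from as further permit lines
 permit 192.168.0.0 0.0.0.255
 deny   any log
!
! Throttle password guessing: after 3 failed logins within 60 seconds the router
! refuses new logins for 120 seconds, except from hosts permitted by MGMT-IN.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-IN
login on-failure log
login on-success log
!
! Drop stalled SSH handshakes quickly and cap authentication retries per connection
ip ssh time-out 60
ip ssh authentication-retries 3
!
! No web management (enabled by default on many IOS images) and no CDP chatter
no ip http server
no ip http secure-server
no cdp run
!
line vty 0 4
 ! SSH only, only from MGMT-IN sources, and idle sessions close after 10 minutes
 access-class MGMT-IN in
 exec-timeout 10 0
 transport input ssh
 logging synchronous
```

If you do need SSH from the Internet, add the specific source addresses you administer from to MGMT-IN rather than opening it to `any`; the login throttling then only has to deal with guesses from those addresses. Check the result with `show login` and `show ip ssh`.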

2. LAN

Our router has a full-featured eight-port managed switch; by default all eight ports are in VLAN 1. Each port could be placed in its own VLAN, but for an ordinary home LAN that is completely unnecessary, so let's configure the first and only VLAN:

home(config)#int vlan 1
home(config-if)#ip address 192.168.0.1 255.255.255.0
home(config-if)#no ip redirects
home(config-if)#no ip unreachables
home(config-if)#no ip proxy-arp
home(config-if)#no cdp enable
home(config-if)#ip nat inside
home(config-if)#load-interval 30
home(config-if)#exit

In principle, nothing more is needed: since all LAN ports are in VLAN 1 by default, you can plug in your devices, set up addressing, and the LAN is ready. For the lazy, a DHCP server can also be configured on the router.
First exclude the addresses we do not want handed out by DHCP:

home(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.99
home(config)#ip dhcp excluded-address 192.168.0.111 192.168.0.254

Create the DHCP pool. The `import all` line copies the options the router itself receives over DHCP on the provider-facing interface (the provider's DNS servers, for instance) into this pool. The original pool handed clients 192.168.1.1 as their DNS server, an address outside the LAN subnet; below it is the router's own address, which only works if the router is also configured as a DNS forwarder with `ip dns server` (it then uses the name-servers from section 1). If you do not want that, drop the dns-server line and let the clients use the imported provider servers:

home(config)#ip dhcp pool dhcp
home(dhcp-config)#import all
home(dhcp-config)#network 192.168.0.0 255.255.255.0
home(dhcp-config)#default-router 192.168.0.1
home(dhcp-config)#dns-server 192.168.0.1
home(dhcp-config)#domain-name home.lan
home(dhcp-config)#lease infinite

Clients will now receive addresses dynamically from the range 192.168.0.100 - 192.168.0.110.

3. WAN

My provider gives access to the global network over L2TP with a dynamic external IP address, so we configure the tunnel itself and, when it comes up, have the router send the received address to the dyndns.org server.
Start with the DDNS settings, since they are referenced when the tunnel interface is created:

home(config)#ip ddns update method dyndns
home(DDNS-update-method)#HTTP
home(DDNS-HTTP)#add http://ddnsuser:ddnspass@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
home(DDNS-HTTP)#end

One catch: on a Cisco, the "?" character normally triggers context help, and as you can see the URL that updates the address on DynDNS contains it. Pasting therefore does not work; type the URL by hand and press Ctrl+V immediately before the "?" so that it is entered literally. Also bear in mind that the DynDNS username and password travel in clear text in this HTTP request every time the address changes; if your IOS release accepts an https:// URL in this command, use it instead.
Next, configure the external Ethernet interface:

home(config)#interface FastEthernet0
home(config-if)#ip dhcp client update dns
home(config-if)#ip address dhcp
home(config-if)#ip nat outside
home(config-if)#load-interval 30
home(config-if)#end

We set the interface address to DHCP, so the router obtains its address on the provider's local network automatically. Now create an L2TP class for the tunnel connection. The class names used below (class1 and pw1) are arbitrary, but each must match between the command that defines it and the commands that reference it:

home(config)#l2tp-class class1
home(config-l2tp-class)#exit

and configure the pseudowire class:

home(config)#pseudowire-class pw1
home(config-pw-class)#encapsulation l2tpv2
home(config-pw-class)#protocol l2tpv2 class1
home(config-pw-class)#ip local interface FastEthernet0
home(config-pw-class)#exit

Well, it remains to create the tunnel interface itself (xxxx is the address of the provider's L2TP server):

home(config)#int virtual-PPP 1
home(config-if)#ip ddns update hostname your-domain-on-dyndns.org
home(config-if)#ip ddns update dyndns
home(config-if)#ip address negotiated
home(config-if)#ip mtu 1454
home(config-if)#ip nat outside
home(config-if)#no ip virtual-reassembly
home(config-if)#ip tcp adjust-mss 1414
home(config-if)#ppp chap hostname username-from-your-isp
home(config-if)#ppp chap password pass-from-your-isp
home(config-if)#pseudowire xxxx 10 pw-class pw1
home(config-if)#end

Two lines in the tunnel configuration may not suit you: ip mtu 1454 and ip tcp adjust-mss 1414. The L2TP tunnel adds its own IP, UDP, L2TP and PPP headers to every packet, so a full 1500-byte packet no longer fits into the provider's Ethernet frame; without these parameters the data passing through the tunnel was fragmented and, accordingly, nothing worked properly. The MSS value is the tunnel MTU minus 40 bytes (20 bytes of IP header plus 20 of TCP), so if your provider needs a different MTU, change both values together.
I did not get a default route through the tunnel, so I had to add it manually:

home(config)#ip route 0.0.0.0 0.0.0.0 virtual-ppp 1 permanent

The provider also has a local network with no speed limits, and to reach it several routes have to be added manually as well; for me it looks like this:

home(config)#ip route 10.0.0.0 255.0.0.0 FastEthernet0
home(config)#ip route 172.16.0.0 255.240.0.0 FastEthernet0

Your provider's local subnets will most likely be different; ask the provider which ones it uses. Note that these routes point at an Ethernet interface rather than at a next-hop address, so the router ARPs for each destination directly and depends on the provider's gateway answering with proxy ARP. If the gateway does not, point the routes at the gateway address instead, e.g. ip route 10.0.0.0 255.0.0.0 <gateway-address>.

4. NAT

After the above, the tunnel should come up and the router itself can, in theory, reach the Internet. But we want to reach the Internet from the computers, not from the router, and for that we need address translation (NAT). Some of the interface configuration above already prepared the interfaces for it:
ip nat inside on interface Vlan1, and ip nat outside on FastEthernet0 and Virtual-PPP1.
It remains to configure NAT itself. Since we have two directions outward (the provider's local network and the Internet proper), traffic to each goes out through a different interface (FastEthernet0 and Virtual-PPP1). This is arranged with access lists:
Create two access lists, one for the provider's LAN and one for the Internet:

home(config)#ip access-list extended LAN
home(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
home(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
home(config-ext-nacl)#exit
home(config)#ip access-list extended WAN
home(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 any
home(config-ext-nacl)#exit

and NAT itself: everything destined for the provider's LAN goes out through FastEthernet0:

home(config)#ip nat inside source list LAN interface FastEthernet0 overload

and everything else through Virtual-PPP1:

home(config)#ip nat inside source list WAN interface Virtual-PPP1 overload


That is essentially all: a computer connected to the Cisco can now reach the Internet. If you need RDP to a machine on your local network, forward the port to it using the same NAT:

home(config)#ip nat inside source static tcp 192.168.0.100 3389 interface Virtual-PPP1 3389

Keep in mind that this publishes that machine's RDP login to the entire Internet, and nothing in the configuration so far filters inbound traffic on the tunnel interface. At the very least restrict who may reach port 3389 with an inbound access list on Virtual-PPP1 (publishing it on a non-standard outside port only reduces the noise), and keep the machine patched.
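As an added example (not part of the original article), here is the stateful filter I would put on the two outside interfaces of this configuration, so that only replies to sessions opened from inside, the RDP forward above, DHCP and the L2TP channel can come in. It uses IOS CBAC (`ip inspect`), which is included in the ADVENTERPRISEK9 image shown at the top. The names FW, WAN-IN and ISP-IN are my choice; the interfaces and the RDP port are the ones configured on this page.

```cisco
! Added example, not part of the original article. Assumed names: FW, WAN-IN, ISP-IN.
! Track TCP/UDP/ICMP sessions leaving through the outside interfaces so that only
! their replies are let back in. "router-traffic" also tracks sessions the router
! itself opens (DNS lookups, the DynDNS HTTP update), which plain inspection skips.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
!
! Internet side (Virtual-PPP1): nothing unsolicited except the RDP forward.
ip access-list extended WAN-IN
 remark RDP forward from section 4; narrow the source "any" to your own addresses
 remark if you can, RDP exposed to the Internet is a favourite brute-force target
 permit tcp any any eq 3389
 remark keep path-MTU discovery working, the tunnel MTU is already tight
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Provider side (FastEthernet0): the router itself needs its DHCP lease and the
! L2TP tunnel to the provider's server (UDP 1701), which is not transit traffic.
ip access-list extended ISP-IN
 permit udp any eq bootps any eq bootpc
 permit udp any eq 1701 any
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Virtual-PPP1
 ip inspect FW out
 ip access-group WAN-IN in
!
interface FastEthernet0
 ip inspect FW out
 ip access-group ISP-IN in
```

The inbound access lists are evaluated before NAT un-translates the destination, which is why the RDP rule matches on the outside port rather than on 192.168.0.100. Watch `show ip inspect sessions` and `show access-lists` while testing; the `log` keyword on the FastEthernet0 deny can be noisy on a busy provider segment and can be dropped once you have seen what is being blocked.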

5. Instead of conclusion

Looking over the Cisco itself, I found a slot for a memory module, as well as a Mini PCI slot for a Wi-Fi module. I have not dealt with Wi-Fi yet, but a standard 256 MB laptop SDRAM module fit, and my router now has 384 MB of RAM, which is good news.

Source: https://habr.com/ru/post/136342/

