Super easy noob question, - the routing table, firewall & ACL

 
lorn10
Valued Contributor

Okay folks, - my internet isn't working at my MSR20 Router. I think there is something wrong with my routing table and/or the DNS configuration. (Well it could also be that the “routing” between the two Ethernet ports isn’t properly established.)

It is really a super easy topology. I have one cable modem, the MSR20 router and several clients on a 3Com 4800G PWR Gigabit switch. The MSR20 router should act as a DHCP server and firewall. Currently there is no complex VLAN config established so all computers are in VLAN1. I will change this sometime when I am more familiar with the Comware CLI. ;-)

So what are the hard facts? The ISP has gateway at 178.83.160.1, the DNS1 is 62.2.17.60 and the DNS2 is 62.2.24.162.

Ethernet 0/0 (WAN port 0) is connected to the cable modem. Ethernet 0/1 (WAN port 1 set as LAN port 1) is connected to the switch (currently to a computer).

Here is my current MSR20 routing table:

<3Com MSR20>display ip routing-table
Routing Tables: Public
        Destinations : 9        Routes : 9

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 70   0            178.83.160.1    Eth0/0
62.2.17.60/32       Static 60   0            178.83.160.1    Eth0/0
62.2.24.162/32      Static 60   0            178.83.160.1    Eth0/0
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
178.83.160.0/22     Direct 0    0            178.83.160.180  Eth0/0
178.83.160.180/32   Direct 0    0            127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0            192.168.1.1     Eth0/1
192.168.1.1/32      Direct 0    0            127.0.0.1       InLoop0

<3Com MSR20>

I have added only the second and the third DNS related route, - all others were generated automatically.

The table looks similar to the routing table of my old (working) 3CRWER300-73 WiFi router (see attachment) and the former (but now defective) 3CREVF100-73 firewall. However, there are differences. I think one problem is that the address 178.83.160.1 (ISP gateway) is missing on the left “Destination/Mask” column. I have tried to set it manually but it didn’t work.

My full current MSR20 config can be watched here:

[3Com MSR20]display  current-config

#
 version 5.20, Release 2516P13, Standard

#
 sysname 3Com MSR20

#
 firewall enable

#
 domain default enable system

#
 dns proxy enable
 dns server 62.2.17.60
 dns server 62.2.24.162

#
 telnet server enable

#
 firewall ipv6 enable

#
 password-recovery enable

#
igmp-snooping

#
vlan 1

#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

#
dhcp server ip-pool hotel
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
 dns-list 192.168.1.1 62.2.17.60 62.2.24.162

#
dhcp server ip-pool vlan1 extended

#
user-group system
 group-attribute allow-guest

#
local-user admin
 password cipher ...
 authorization-attribute level 3
 service-type ssh telnet terminal
 service-type web

#
interface Aux0
 async mode flow
 link-protocol ppp

#
interface Cellular0/0
 async mode protocol
 link-protocol ppp

#
interface Ethernet0/0
 port link-mode route
 rip version 2 multicast
 ip address dhcp-alloc

#
interface Ethernet0/1
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
 rip version 2 multicast

#
interface NULL0

#
interface Vlan-interface1
 rip version 2 multicast
 undo dhcp select server global-pool

#
 ip route-static 0.0.0.0 0.0.0.0 178.83.160.1

#
 dhcp server forbidden-ip 192.168.1.1 192.168.1.9

#
 dhcp enable

#
 ntp-service source-interface Vlan-interface1
 ntp-service unicast-server 192.168.1.4

#
 ssh server enable

#
 load xml-configuration

#
 load tr069-configuration

#
user-interface con 0
user-interface tty 13
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme

#
return

[3Com MSR20]
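
Added example (not part of the original post): a longest-prefix-match lookup over the routing table shown above, showing which entry carries traffic to the ISP gateway 178.83.160.1, to the two DNS servers, and to other destinations. The Python function names are illustrative, and using the Pre column only as a tie-break between equal-length prefixes is a simplification.

```python
import ipaddress

# Routing table rows copied from the `display ip routing-table` output in the post.
ROUTING_TABLE = """\
0.0.0.0/0           Static 70   0            178.83.160.1    Eth0/0
62.2.17.60/32       Static 60   0            178.83.160.1    Eth0/0
62.2.24.162/32      Static 60   0            178.83.160.1    Eth0/0
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
178.83.160.0/22     Direct 0    0            178.83.160.180  Eth0/0
178.83.160.180/32   Direct 0    0            127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0            192.168.1.1     Eth0/1
192.168.1.1/32      Direct 0    0            127.0.0.1       InLoop0
"""

def parse_routes(text):
    """Turn each table row into a dict with a parsed network object."""
    routes = []
    for line in text.splitlines():
        dest, proto, pre, cost, nexthop, iface = line.split()
        routes.append({"net": ipaddress.ip_network(dest), "proto": proto,
                       "pre": int(pre), "nexthop": nexthop, "iface": iface})
    return routes

def lookup(routes, address):
    """Longest-prefix match; the lower preference value breaks ties."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["pre"]))

def without_host_statics(routes):
    """Drop the two manually added /32 static routes to the DNS servers."""
    return [r for r in routes
            if not (r["proto"] == "Static" and r["net"].prefixlen == 32)]

if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    # The last two addresses are constructed samples (a LAN client, an outside host).
    for ip in ("178.83.160.1", "62.2.17.60", "192.168.1.20", "8.8.8.8"):
        r = lookup(routes, ip)
        print(f"{ip:15} -> {r['net']!s:18} {r['proto']:6} via {r['nexthop']} on {r['iface']}")
```

The gateway address falls inside the directly connected 178.83.160.0/22 entry, and with the two /32 static routes removed the DNS servers still resolve to the same next hop through the default route.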
lorn10
Valued Contributor
Solution

Re: Super easy noob question, - the routing table, firewall & ACL

Well, I am now online with my MSR20 router. :-) I had forgotten to set the ACLs for IPv4 and IPv6. So my problem was not directly related to the routing table.

The commands which I had to execute under system-view were, first for ipv4:

acl number 2000
 step 1
 rule 0 permit
 rule 10 deny

And then the same for ipv6:

acl ipv6 number 2000
 step 1
 rule 0 permit
 rule 10 deny

Finally you have to set at the Internet connection port (usually the WAN port) the nat outbound command.

interface Ethernet0/0
 nat outbound 2000

I have found this solution at the following website. It shows a simple CLI configuration example in conjunction with a newer Comware 7 based HP MSR router:
http://www.juniperlab.info/2017/08/hpe-msr-series-router-nat-dhcp-ssh_8.html

So a BIG thanks goes to the people at juniperlab!

Whatever, I know that my current config is far away from perfect. Will optimize it during the time, - as mentioned when I have more Comware CLI experience. I have realized meanwhile the big difference of this professional MSR router in comparison with the old 3Com gigabit firewall. Regarding the functionality the old 3CREVF100-73 firewall was a joke. The really only advantage was that it had gigabit Ethernet support; the A-MSR series has it only optional through (very expensive) SIC modules.
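
Added example (not from the original post or the linked site): a small Python model of how a basic ACL such as the posted ACL 2000 is evaluated, assuming the default config match order (ascending rule ID, first match wins). The NARROWED variant, which restricts the permit rule to the LAN subnet 192.168.1.0/24 from the posted config, is constructed here for comparison; the function names are illustrative.

```python
import ipaddress

# ACL 2000 as posted in the reply, and a constructed narrower variant that
# only matches the LAN subnet from the poster's config (192.168.1.0/24).
POSTED = ["rule 0 permit", "rule 10 deny"]
NARROWED = ["rule 0 permit source 192.168.1.0 0.0.0.255", "rule 10 deny"]

def parse_rule(line):
    """Parse 'rule <id> <permit|deny> [source <addr> <wildcard> | source any]'."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "addr": 0, "wild": 0xFFFFFFFF}
    if len(tok) > 3 and tok[3] == "source" and tok[4] != "any":
        rule["addr"] = int(ipaddress.IPv4Address(tok[4]))
        rule["wild"] = int(ipaddress.IPv4Address(tok[5]))
    return rule

def matches(rule, src):
    """Wildcard mask: bits set to 1 are ignored, bits set to 0 must be equal."""
    care = ~rule["wild"] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (rule["addr"] & care)

def evaluate(acl_lines, src):
    """First match in ascending rule-ID order wins; returns (action, rule id)."""
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if matches(rule, src):
            return rule["action"], rule["id"]
    return "no-match", None

def unreachable_rules(acl_lines):
    """Rule IDs placed after a rule that already matches every source."""
    dead, catch_all_seen = [], False
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if catch_all_seen:
            dead.append(rule["id"])
        catch_all_seen = catch_all_seen or rule["wild"] == 0xFFFFFFFF
    return dead

if __name__ == "__main__":
    # Constructed sample sources: one LAN client and two non-LAN addresses.
    for src in ("192.168.1.50", "10.0.0.7", "172.16.5.9"):
        print(src, "posted:", evaluate(POSTED, src), "narrowed:", evaluate(NARROWED, src))
    print("unreachable in posted ACL:", unreachable_rules(POSTED))
```

With `nat outbound 2000`, the sources that hit a permit rule are the ones translated, so the posted ACL translates any source and its rule 10 is never reached, while the narrowed variant translates only LAN clients.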