(Maybe) Routing and/or acl problem?

Jul 27th, 2009

Hello!


I have set up an old c836 router for my private DSL connection and am taking my first steps into the Cisco world. A very basic configuration (with NAT) looks to be working fine, but on some points I am not really sure (about a proper config).

eth0 is in use as LAN interface with ip nat inside on network 192.168.1.0.

eth2 is set up with IP address 192.168.254.1 on network 192.168.254.0 AND directly connected to an ADSL 2+ device with IP 192.168.254.2.

I have also added interface Dialer0 (on eth2) that uses ip nat outside and PPPoE to establish my internet ADSL connection.

My first problem is now that I can't connect from network 192.168.1.0 through the router to the IP address 192.168.254.2, which should be reachable over the eth2 interface.

I can directly ping 192.168.254.1 (IP directly added on eth2) but I can't ping IP 192.168.254.2.

Is static routing required? IMHO the router "knows" that network 192.168.254.0 is reachable on its eth2 interface. Am I thinking wrong about that?

I guess I have a problem, maybe because of a missing ACL (and the router blocks traffic to network 192.168.254.0).

I hope I can get a helping hand here.


Thanks!

Overall Rating: 4 (3 ratings)
Giuseppe Larosa Mon, 07/27/2009 - 11:12
User Badges: Super Silver, 17500 points or more; Hall of Fame, Founding Member

Hello Stefan,

if you want to use eth2 for PPPoE it shouldn't have an IP address; the IP address is assigned to the dialer interface.

this could explain why you cannot reach 192.168.254.2: you have added some commands to enable PPPoE on eth2 and this may have caused eth2 to release its L3 capabilities.


see for example


http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftpppoec_support_TSD_Island_of_Content_Chapter.html#wp1049142


Hope to help

Giuseppe



sf_online Mon, 07/27/2009 - 11:33

Hello Giuseppe,


Thank you for this information. Do you maybe know a workaround for this?


Can you tell me whether I must by default set a static route or place an ACL so that traffic to this network won't be blocked?

I am sure that Cisco won't directly support the configurations that I am trying to use, but when it works, I don't care ;)

The device listening on IP 192.168.254.2 should be separate from my LAN (just act as DSL modem and do nothing else).

If possible, I would like to set up an ACL that ONLY permits traffic from one management box on LAN network 192.168.1.0 to the IP 192.168.254.2 and drops all other connection requests to this device.

Do you know whether I can set access-lists on a Dialer0 interface?

If possible, I will use eth0 as LAN and Dialer0 as WAN interface to configure some firewall rules.

Thanks for helping me out with any solution :)

btw: What about alias interfaces, placing an IP address for example on eth 2.1 or anything like that? I know that there are differences between L2 and L3, but L3 should be downward compatible, or not?

Giuseppe Larosa Mon, 07/27/2009 - 12:04

Hello Stefan,


a dialer interface is a logical interface that has to use a physical interface to send and receive PPP over ethernet frames.

So the used ethernet interface cannot be "L3 independent".


Then you are free to spend your time as you like :)


Some newer releases may support PPPoE client over an 802.1Q VLAN subinterface but I don't think that is the case for your router.


Hope to help

Giuseppe


sf_online Mon, 07/27/2009 - 12:23

Hello Giuseppe,


Do you have any recommendation for what I can do as a workaround? If I got it correctly, you are telling me that there are technical limitations and I have no chance with that, right? Let's say the router does support this. Do I normally need to add static routes, or is that not needed (because the router knows which networks are connected on its interfaces)?

Connecting the DSL modem on eth0 does not look good to me. AFAIK I also have no proper way to filter traffic correctly.

What's your opinion about that?

When you (and all other experts here) say that I simply can't get that working fine (for technical reasons) then I must give that up.

My reason is that it is a pain when my DSL connection is down and I can't check DSL modem connectivity over HTTPS on 192.168.254.2.

BUT other solutions (that I can do to get more or less the same setup configured) are welcome. Any idea?
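
The filter asked for in this thread (one management box allowed to reach the modem at 192.168.254.2 over HTTPS, every other LAN host dropped) can be expressed as an inbound extended ACL on the LAN interface. This is an added example, not configuration posted by anyone in the thread; the management address 192.168.1.10, the ACL name LAN-TO-MODEM and the IOS interface name Ethernet0 for "eth0" are assumptions, and the ACL only filters, it does not by itself make the modem reachable.

```cisco
! Added example with constructed values, not taken from the thread.
! 192.168.1.10 = assumed address of the single management box.
! Ethernet0    = assumed IOS name of the LAN interface called "eth0" above.
ip access-list extended LAN-TO-MODEM
 remark Management box may reach the modem web UI over HTTPS
 permit tcp host 192.168.1.10 host 192.168.254.2 eq 443
 remark Same box may ping the modem for a quick link check
 permit icmp host 192.168.1.10 host 192.168.254.2 echo
 remark Any other LAN host talking to the modem is dropped and logged
 deny   ip any host 192.168.254.2 log
 remark Remaining LAN traffic (Internet via NAT) is unaffected
 permit ip any any
!
interface Ethernet0
 ! Filter where LAN traffic enters the router, before routing and NAT
 ip access-group LAN-TO-MODEM in
```

Entries are evaluated top-down with first match winning, and an extended ACL ends in an implicit deny, which is why the final `permit ip any any` is needed to keep ordinary LAN traffic flowing. `show access-lists LAN-TO-MODEM` displays per-entry match counters for checking that the deny line is catching what it should.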

Giuseppe Larosa Mon, 07/27/2009 - 21:48

Hello Stefan,

I would suggest having a PC with two NICs and connecting the second NIC to a port of the DSL modem.

The first NIC can be connected on the inside.


Hope to help

Giuseppe


sf_online Thu, 07/30/2009 - 20:48

Hello Giuseppe,


The modem device has only 1 NIC, but I could maybe create a private VLAN on my Catalyst switch. But then I will maybe have routing problems again.

Other question:

When I normally set up 2 interfaces on a router and both have 2 IPs from different subnets, do I then need to add static routes on this device or is that not needed?

Thanks for the help

sf_online Fri, 07/31/2009 - 13:24

Hi Giuseppe,


Maybe asking different questions again and again to solve the same problem was a pain (sorry), BUT I would like to thank you for the whole time you helped me.

I have GOOD news. I never expected this, BUT the 836 router is now working with its internal ATM 0 interface. Currently I just have a 6 Mbit UP and 800kbit/s DN sync, but for now I am happy.

There are some other questions that I sent to tech support at my ISP. If they can set a fixed speed limit like 1 mbit/s up / 1 mbit/s down then I can (maybe) get a better DSL sync.

I am very happy that it is working now!

I also just wanted to let you know :-)))

Giuseppe Larosa Fri, 07/31/2009 - 14:33

Hello Stefan,

good news. It's odd that you say upstream speed is higher than downstream speed; it should be the opposite.

Actually DSL modems renegotiate speeds from time to time if left in auto adaptive mode.


Best Regards

Giuseppe


sf_online Sat, 08/01/2009 - 05:18

Hi Giuseppe,


Sorry, I wrote it wrong.

Of course my downstream is HIGHER than my upstream. In correct words, that means my connection is something around 6 Mbit/s downstream and maximum 1 mbit upstream.

When my ISP answers my support ticket, I will try to arrange some configuration changes. IMHO the network port for my DSL connection (on my ISP's end) is set up for maximum ADSL 2+ speed. Currently my router uses operating-mode auto on ATM0.

I guess that my router syncs with a very low connection speed because it's an ADSL 2+ line (but backward compatible) so that older DSL devices are able to get sync. If my ISP sticks to a lower speed then my router can maybe establish a clean connection.

When my router works well with something around 6 mbit/s DOWN and more or less 1 mbit/s UP then everything is fine.

With the other DSL modem I had between 8 and 9 UP and 1 mbit/s down. However, speed is not very important.


Better some normal connection speed and a STABLE line.


Best Regards,

Stefan
