CLI example: Configuring Internet access through IPv4 PPPoE

Software versions used

This configuration example was created and verified on R9900P2705 of the F5000-AI-55-G device.

Network configuration

As shown in the following figure, an enterprise deploys Device as its border security gateway so that internal users can access the Internet through PPPoE. Configure the network to meet the following requirements:

Figure-1 Network diagram

Analysis

Procedure

Configuring Device

  1. Assign IPv4 addresses to interfaces.

    # Specify an IPv4 address for each interface according to the network plan.

    <Sysname> system-view

    [Sysname] sysname Device

    [Device] interface gigabitethernet 1/0/2

    [Device-GigabitEthernet1/0/2] ip address 192.168.1.100 255.255.255.0

    [Device-GigabitEthernet1/0/2] quit

  2. Configure the PPPoE dialup interface.

    # Create dialer group 1 and configure a dialup rule for it.

    [Device] dialer-group 1 rule ip permit

    # Create interface Dialer1, and configure it to obtain an IP address through negotiation. Enable bundle DDR on the interface, and assign the interface to dialer group 1. Set the local username and password for PAP authentication by the peer to pppoeuser1 and 123456. Set the TCP MSS value to 1452 for the dialer interface.

    [Device] interface dialer 1

    [Device-Dialer1] ip address ppp-negotiate

    [Device-Dialer1] dialer bundle enable

    [Device-Dialer1] dialer-group 1

    [Device-Dialer1] ppp pap local-user pppoeuser1 password simple 123456

    [Device-Dialer1] tcp mss 1452

    [Device-Dialer1] quit

    # Establish a PPPoE session on interface GigabitEthernet 1/0/1 and assign it to dialer bundle 1 (interface Dialer1).

    [Device] interface gigabitethernet 1/0/1

    [Device-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1

    [Device-GigabitEthernet1/0/1] quit

  3. Add interfaces to security zones.

    # Add interfaces to security zones according to the network diagram.

    [Device] security-zone name untrust

    [Device-security-zone-Untrust] import interface gigabitethernet 1/0/1

    [Device-security-zone-Untrust] import interface dialer 1

    [Device-security-zone-Untrust] quit

    [Device] security-zone name trust

    [Device-security-zone-Trust] import interface gigabitethernet 1/0/2

    [Device-security-zone-Trust] quit

  4. Configure security policies to permit required service packets.

    # Create a security policy rule named trust-untrust to allow internal users (zone Trust) to access the Internet (zone Untrust).

    [Device] security-policy ip

    [Device-security-policy-ip] rule name trust-untrust

    [Device-security-policy-ip-1-trust-untrust] source-zone trust

    [Device-security-policy-ip-1-trust-untrust] destination-zone untrust

    [Device-security-policy-ip-1-trust-untrust] action pass

    [Device-security-policy-ip-1-trust-untrust] quit

    # Configure security policy rules trust-local and local-trust to allow traffic in both directions between the security zone of the DHCP-enabled interface (Trust) and the Local security zone, so that DHCP requests and replies are not dropped.

    [Device-security-policy-ip] rule name trust-local

    [Device-security-policy-ip-2-trust-local] source-zone trust

    [Device-security-policy-ip-2-trust-local] destination-zone local

    [Device-security-policy-ip-2-trust-local] action pass

    [Device-security-policy-ip-2-trust-local] quit

    [Device-security-policy-ip] rule name local-trust

    [Device-security-policy-ip-3-local-trust] source-zone local

    [Device-security-policy-ip-3-local-trust] destination-zone trust

    [Device-security-policy-ip-3-local-trust] action pass

    [Device-security-policy-ip-3-local-trust] quit

  5. Configure a default static route through interface Dialer 1 so that internal network traffic can reach the ISP router.

    [Device] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

  6. Configure the DHCP service.

    # Enable the DHCP service and configure interface GE 1/0/2 as the DHCP server to assign IP addresses and DNS server addresses to internal users.

    [Device] dhcp enable

    [Device] dhcp server ip-pool 1

    [Device-dhcp-pool-1] network 192.168.1.0 mask 255.255.255.0

    [Device-dhcp-pool-1] gateway-list 192.168.1.1

    [Device-dhcp-pool-1] dns-list 8.8.8.8

    [Device-dhcp-pool-1] quit

    [Device] interface gigabitethernet 1/0/2

    [Device-GigabitEthernet1/0/2] dhcp select server

  7. Configure NAT.

    # Configure a NAT policy so that only users in internal subnet 192.168.1.100/24 can access the Internet with source address translation (easy IP), using the IP address of the outgoing interface as the translated address.

    [Device] nat global-policy

    [Device-nat-global-policy] rule name policynat1

    [Device-nat-global-policy-rule-nat44-policynat1] source-ip subnet 192.168.1.100 24

    [Device-nat-global-policy-rule-nat44-policynat1] source-zone trust

    [Device-nat-global-policy-rule-nat44-policynat1] destination-zone untrust

    [Device-nat-global-policy-rule-nat44-policynat1] action snat easy-ip

    [Device-nat-global-policy-rule-nat44-policynat1] quit

    [Device-nat-global-policy] quit

Configuring Host

# Configure Host to automatically obtain an IP address.

Verifying the configuration

  1. After you complete the preceding configuration, execute the following display command to view information about interface GigabitEthernet 1/0/1. Verify that both the physical connection state and link state are up, and verify that the interface has obtained a public IPv4 address.

    [Device] display interface GigabitEthernet 1/0/1 brief

    Brief information on interfaces in route mode:

    Link: ADM - administratively down; Stby - standby

    Protocol: (s) - spoofing

    Interface            Link Protocol Primary IP      Description

    GE1/0/1              UP   UP       10.0.0.11

  2. Verify that Host on the internal network can access the Internet by domain name. If it can, the configuration is successful. If it cannot, check the configuration.
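An added check (not from the original example) that parses the display interface brief output shown above and reports whether the WAN interface is up/up with a globally routable IPv4 address. The sample output is constructed in the same layout; note that the page's lab value 10.0.0.11 is an RFC 1918 address, which this check reports as private-address, the symptom of an ISP applying its own NAT (RFC 1918 or 100.64.0.0/10 carrier-grade NAT) in front of the firewall.

```python
import ipaddress

# Constructed 'display interface ... brief' output in the layout shown in the verification step
# (the address 10.0.0.11 is the page's lab value; a real session would show the ISP-assigned address).
SAMPLE_OUTPUT = """\
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface            Link Protocol Primary IP      Description
GE1/0/1              UP   UP       10.0.0.11
"""

# Ranges that are not globally routable; an address from these on the WAN side means the
# ISP is applying its own NAT (RFC 1918 or RFC 6598 carrier-grade NAT), not a public address.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

def parse_brief(output):
    """Return {interface: (link, protocol, primary_ip)} from 'display interface brief' text."""
    rows, in_table = {}, False
    for line in output.splitlines():
        cols = line.split()
        if cols[:3] == ["Interface", "Link", "Protocol"]:
            in_table = True                      # column header reached; rows follow
        elif in_table and len(cols) >= 3:
            # Primary IP is shown as '--' when PPP negotiation has not assigned one
            rows[cols[0]] = (cols[1], cols[2], cols[3] if len(cols) > 3 and cols[3][0].isdigit() else None)
    return rows

def check_wan(output, ifname="GE1/0/1"):
    """Classify the WAN interface: 'ok' only when up/up with a globally routable IPv4 address."""
    row = parse_brief(output).get(ifname)
    if row is None:
        return "missing"
    link, proto, ip = row
    if link != "UP" or proto != "UP":
        return "down"
    if ip is None:
        return "no-address"          # PPPoE/PPP negotiation did not complete
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NOT_PUBLIC):
        return "private-address"     # behind ISP NAT: inbound services and some protocols will not work
    return "ok"
```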

Configuration files

Device

#

sysname Device

#

interface GigabitEthernet1/0/1

pppoe-client dial-bundle-number 1

#

interface GigabitEthernet1/0/2

ip address 192.168.1.100 255.255.255.0

#

dialer-group 1 rule ip permit

#

interface Dialer1

ppp pap local-user pppoeuser1 password cipher $c$3$N6IfLjGJaxQQ09YbepytRGVqre4LwFy0AA==

dialer bundle enable

dialer-group 1

ip address ppp-negotiate

#

security-zone name Trust

import interface GigabitEthernet1/0/2

#

security-zone name Untrust

import interface Dialer1

import interface GigabitEthernet1/0/1

#

ip route-static 0.0.0.0 0 Dialer1

#

security-policy ip

rule 1 name trust-untrust

action pass

source-zone trust

destination-zone untrust

source-ip-subnet 192.168.1.100 255.255.255.0

rule 2 name trust-local

action pass

source-zone trust

destination-zone local

rule 3 name local-trust

action pass

source-zone local

destination-zone trust

#

dhcp enable

#

dhcp server ip-pool 1

gateway-list 192.168.1.1

network 192.168.1.0 mask 255.255.255.0

dns-list 8.8.8.8

#

nat global-policy

rule name policynat1

source-zone Trust

destination-zone Untrust

source-ip subnet 192.168.1.0 24

action snat easy-ip

#
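An added audit script (not part of this configuration example) that reads a configuration file in the format shown above and flags three things a reviewer would look for: a PAP password that appears as password simple in the file under review (step 2 types it that way; the device re-encodes it to password cipher, as the saved file above shows, so a simple form in a template or hand-edited backup means the credential is stored in plain text), a security policy rule that passes Untrust to Trust traffic, and an easy-ip NAT rule with no source-ip restriction (the policy above deliberately limits translation to the internal subnet). The SAMPLE_CONFIG excerpt is constructed.

```python
import re

# Constructed excerpt in this page's config-file format; 'password simple' is kept from step 2 so the audit has a finding.
SAMPLE_CONFIG = """\
interface Dialer1
 ppp pap local-user pppoeuser1 password simple 123456
#
security-policy ip
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
#
nat global-policy
 rule name policynat1
  source-ip subnet 192.168.1.0 24
  action snat easy-ip
"""

def parse_sections(text):
    """Split the config at '#' lines into sections, each a list of stripped command lines."""
    chunks = re.split(r"^#[ \t]*$", text, flags=re.M)
    return [[l.strip() for l in c.splitlines() if l.strip()] for c in chunks if c.strip()]

def rules(lines):
    """Group a policy section's body into (rule header, set of lower-cased lines) pairs."""
    out = []
    for line in lines:
        if line.startswith("rule "):
            out.append((line, set()))
        elif out:
            out[-1][1].add(line.lower())   # zone names are compared case-insensitively
    return out

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for head, *body in parse_sections(text):
        if head.startswith("interface Dialer") and any("password simple" in l for l in body):
            findings.append(f"{head}: PAP password stored in plain text; use 'password cipher'")
        elif head in ("security-policy ip", "nat global-policy"):
            for hdr, rule in rules(body):
                if {"source-zone untrust", "destination-zone trust", "action pass"} <= rule:
                    findings.append(f"{hdr}: permits Untrust -> Trust traffic")
                if "action snat easy-ip" in rule and not any(l.startswith("source-ip") for l in rule):
                    findings.append(f"{hdr}: easy-ip SNAT rule has no source-ip restriction")
    return findings
```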