topic You're almost there! Being in Routing and SD-WAN

What's Wrong with my Configuration?

seancharter — Tue, 05 Mar 2019 07:06:11 GMT

Hello all, I'm pretty new to all of this, so I'm reaching out for some assistance. I'm trying to configure an 871W ISR with a wireless connection. I have Comcast internet service with their TM602G data and telephony cable modem. I've got a lot set up already as far as the LAN switching, wireless SSID and even the connection to the cable modem. I'm getting stuck where I try to access the internet from the PCs wired or wireless to the router. I can ping google.com from the router. That seems to me that when connected to my cable internet service, I've got everything good to go there. But when I get on my PCs, the ICMP requests always fail. It seems like there's a routing issue from the LAN/WLAN interfaces to the default route somehow. Anyway, here's a copy of my current config with a few extras. I'd be interested to see what anybody thinks. Thanks for the help!

And I should add that trying

seancharter — Thu, 05 Jun 2014 16:53:17 GMT

And I should add that trying different options for the default route doesn't yeild any different results. And in fact, if I change it to anything but ip route 0.0.0.0 0.0.0.0 dhcp, I actually lose the ability to ping anything from the router. So, in the config I've posted, that piece is incorrect.

Hi Sean,You've done a good

M-Square — Thu, 05 Jun 2014 17:38:08 GMT

Hi Sean,

You've done a good job so far on the config. I don't usually have ip nat inside on both the BVI and the VLAN interface. Can you quickly try removing it from the VLAN and only have it on the BVI pls.

The are a couple possible other things but I'm not sure how the router will like having the NAT syntax on both of those interface so it's an easy test.

ps
- Don't worry about adding a default route, if your WAN is DHCP let that handle adding the default route.
- For the moment lets just test with the wired connection and make sure that works prior to testing from the wrls.

Cheers,
Merlin

Also, for nat I generally

M-Square — Thu, 05 Jun 2014 17:43:25 GMT

Also, for nat I generally always use a route map and have had VERY good success with it.
The list setup you have should also be fine but my personal preference has always been the route map.

example:
ip nat inside source route-map NAT interface FastEthernet4 overload

route-map NAT permit 10
match ip address 140

access-list 140 permit ip 192.168.1.0 0.0.0.255 any

Cheers,
~M

Looks like you are having

manish arora — Thu, 05 Jun 2014 17:44:43 GMT

Looks like you are having issues while negotiating IP Address from the cable company, The "show ip int bri" should show an IP Address for Fa0/4 negotiated via DHCP and the line protocol should be UP as well , right now the output shows UP/DOWN.

Ask your ISP ( Comcast) if you need any other commands to bring the Line protocol up.

Manish

As far as IP NAT INSIDE goes,

seancharter — Thu, 05 Jun 2014 18:33:43 GMT

As far as IP NAT INSIDE goes, I did only have that set on BVI 1, and I don't believe that had any different result either. I put it on VLAN 1 as well on a friend's recommendation as something to try. I'll take it off though and see if that gets me anywhere. With the wireless connection, it's working fine, other than just like the wired connection, I can't connect to the internet. But when I connect my laptop to it, I get an IP address from DHCP and can see the wired PC in that workgroup too.

I'm not sure what you mean by not adding a default route. Before I had the static default route set, I couldn't ping from the router, it would tell me the protocol wasn't active, or something like that. So once I set IP ROUTE 0.0.0.0 0.0.0.0 DHCP, it took care of that problem. Is there another way to set the routing protocol?

Thanks for the feedback!

LOL, yeah, that looks wonky

seancharter — Thu, 05 Jun 2014 18:38:29 GMT

LOL, yeah, that looks wonky right now. I had to reconnect my other router to get the intenet connection reestablished for the rest of the house. So the sh int fa 4 doesn't show that the interface is up/up with an IP assigned. But when I do connect my cable modem to Fa 4, I get an IP address via DHCP, and the protocol goes to up/up. Even so, I'm still having the issues I've describe above. And the issues I'm having apply not only to when I have Fa 4 connected to the cable modem, but also when I'm connected to a Switchport on my Belkin router using the same settings. Somehow, everything I'm seeing points to something within the 871W not being able to route traffic from its LAN/WLAN interfaces to the WAN interface and out to the cable modem, or whatever it is attached to. I just can't seem to figure out what that is.

Hi Sean,Good to hear the

M-Square — Thu, 05 Jun 2014 19:16:52 GMT

Hi Sean,

Good to hear the wired/wrls can see each other. I only suggest to focus on the wired to ensure the wrls stuff does not muddy the waters right now.

DHCP, we use DHCP on the WAN interface all the time and generally adding the default route manually is not required. Once you plug in your WAN to the cable modem the DHCP request is triggered and carrier will hand you an IP address and default route. If this is not working I would troubleshoot that a little more, i.e. reboot cable modem etc. With regards to routing I hear what you are saying. When you indicate from the router you can ping google but not from a PC I suspect routing or NAT is not functioning correct.

One item I see missing is;
bridge 1 protocol ieee
bridge 1 route ip

Can you please add the one line. As mentioned also my personal preference for NAT is the route map (I have set this up hundreds of times) Just thought I would add that again 🙂

To test from the router you can use this;
ping 4.2.2.2 source bvi1

Let me know if the above two lines resolves thx.

Regards,
~M

I have tried resetting and

seancharter — Thu, 05 Jun 2014 19:48:38 GMT

I have tried resetting and unplugging the cable modem to no avail. The only thing I didn't do, because it's all installed in the tiny upper portion of a closet is to remove the battery backup to power it down completely. From some things I've heard with cable modems, that may be necessary to clear the MAC info from the cable modem's configuration so this new device can access it. My hesitation with that solution is I can ping from my router out, so I don't think it's an issue within the cable modem. Plus when I got the Belkin router I'm currently using, I just plugged it in and it worked.

I like the bridge 1 ip protocol ieee idea though. I've been trying to zero in on a solution that would be universal among all interfaces, so modifying the bridge makes sense. I've got bridge 1 route ip set already, but I'll throw in the other one tonight and see what I can get.

So I've gone through the

seancharter — Fri, 06 Jun 2014 05:42:20 GMT

So I've gone through the configuration changes recommended so far. I removed NAT from VLAN 1, set the route map that you suggested above, and set the bridge 1 protocol ieee. SOMETHING is working, but now I don't know if it's because of the changes I've made, or if its worked all along. I still can't ping "www.google.com" from PCs wired to the router. I can ping from the router itself though. What I can ping is the dotted decimal ip address of www.google.com. And when I type that number into the URL bar in a browser, it takes me to Google's homepage. I've verified that I can successfully ping beyond the router though, so that seems to be working as it should. Now I'm wondering how I might check if the appropriate ports are forwarded for my access interfaces. Because if I can type the ip address of google and get to google, but I can't get there by the URL, maybe the DNS request isn't going beyond Fa 0. I don't know why the port would be blocked by default, but I'd at least like to check and verify what kind of port forwarding is happening.

You're almost there! Being

M-Square — Fri, 06 Jun 2014 15:29:27 GMT

You're almost there! Being able to reach the google via the IP means you are NATing through the firewall. When you try www.google.ca instead and it fails indicates a DNS issue. As for the route map, awesome.

In your DHCP server settings you need to remove dns-server 192.168.1.1
You already have import all which tells the server to hand DNS info that it received from the carrier to the clients when they lease an address. Pls remove that one line then reboot your DHCP client PC and test again.

FYI: You can see what DNS info the carrier handed to the router using the show dhcp server command. You don't need to do anything with it but it is a good command to see what the router is doing.

p.s. With your present config the router is not blocking any outbound traffic as part of security so don't worry about that. The only item that might be a gotcha is spanning tree, the ports by default will block all traffic for approx 30sec when you first connect a cable. This is by design and after the block period the port will once again forward all traffic. I only mention this as sometimes it can mess with your PC when it tries to obtain a DHCP address. But I digress...

So I played around with the

seancharter — Fri, 06 Jun 2014 16:44:37 GMT

So I played around with the DNS server in my DHCP pool before throwing in the towel last night, and when I checked on things this morning, everything works like a charm! I set 8.8.8.8 8.8.4.4 as a public DNS server. Perhaps logging out of the router and back in got that working, or something along those lines. I don't know exactly what configuration change was the magic bullet, but I can break/fix test to find that. I suspect, because this was something affecting all interfaces, that bridge 1 ip protocol ieee was what did the trick. So, wired works, wireless works; it's all good! Thank you so much for your help Merlin! Just for informational purposes, I've attached the final config.