04-28-2020 06:28 AM
Good evening to all,
I hope you are in good health.
I have the following problems with my network setup in my house:
I have a Cisco 887VA which uses VDSL through ISP1
and a FritzBox 6820 LTE which uses an LTE connection through ISP2; the FritzBox is connected to the C887VA on Fa2.
1. In my LAN I have a web server with IP address 192.168.1.10 which serves a web page to the internet.
I use the noip service in order to access that server from the internet with the real name https://myservername.noip.net,
but from my inside LAN 192.168.1.0/24 I get request timed out; nslookup myservername.noip.net returns the
real IP.
2. I want to use the FritzBox LTE router for failover, but with the following setup I have no luck.
Every time I shut down Dialer0 it logs:
Apr 27 2020 16:15:40.883 EET: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Apr 27 2020 16:15:45.883 EET: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
but only the router gets replies when pinging 8.8.8.8 with source Vlan5,
and all stations inside my LAN 192.168.1.0/24 have no internet access.
!
! Last configuration change at 00:35:39 EET Mon Apr 27 2020 by xxxxxxxxxxxxxxx
! NVRAM config last updated at 00:38:14 EET Mon Apr 27 2020 by xxxxxxxxxxxxxxx
!
version 15.7
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname xxxxxxxxxxxxxxx
!
boot-start-marker
boot system flash c800-universalk9-mz.SPA.157-3.M6.bin
boot-end-marker
!
!
security authentication failure rate 5 log
logging count
logging buffered 50000
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone EET 2 0
clock summer-time EET recurring last Sun Mar 3:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-2039298027
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2039298027
revocation-check none
rsakeypair TP-self-signed-2039298027
!
!
crypto pki certificate chain TP-self-signed-2039298027
certificate self-signed 01 nvram:IOS-Self-Sig#E.cer
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
lease infinite
!
ip dhcp pool VPN_ROUTER
import all
host 192.168.2.2 255.255.255.0
client-identifier 0124.f5a2.2d7f.19
default-router 192.168.2.1
dns-server 192.168.2.1
client-name VPN_ROUTER
lease infinite
!
!
!
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method sdm_ddns1
HTTP
add http://xxxxxxxxxxxxxxx
remove http://xxxxxxxxxxxxxxx
interval maximum 0 1 0 0
interval minimum 0 0 5 0
!
ip cef
no ip igmp snooping
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-W-E-K9 sn xxxxxxxxxxxxxxx
!
!
archive
log config
hidekeys
username xxxxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
controller VDSL 0
operating mode vdsl2
no cdp run
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
bridge irb
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip virtual-reassembly in
shutdown
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
no ip redirects
!
interface Ethernet0.835
encapsulation dot1Q 835
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
description lan
switchport mode access
no ip address
no cdp enable
!
interface FastEthernet1
description vpn
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
description ### Backup 4G ###
switchport trunk native vlan 5
switchport mode trunk
no ip address
no cdp enable
!
interface FastEthernet3
description ### VoIP ###
switchport access vlan 3
switchport voice vlan 3
no ip address
no cdp enable
spanning-tree portfast
!
interface Wlan-GigabitEthernet0
switchport access vlan 4
switchport mode access
no ip address
no cdp enable
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
!
interface Vlan1
description lan LAN
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
description vpn LAN
ip address 192.168.2.1 255.255.255.0
ip broadcast-address 192.168.2.255
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description VOIP LAN
ip address 192.168.3.1 255.255.255.248
ip broadcast-address 192.168.3.7
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description WLAN
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan5
description ### Backup 4G 192.168.6.0/24 ###
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
!
interface Dialer0
mtu 1454
ip ddns update hostname xxxxxxxxxxxxxxx
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 111 in
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
encapsulation ppp
ip tcp adjust-mss 1414
shutdown
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
!
ip local policy route-map SLA_ICMP
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat pool voip 192.168.3.2 192.168.3.3 netmask 255.255.255.248 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list 4 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source route-map WAN_BACKUP interface Vlan5 overload
ip nat inside source route-map WAN_PRIMARY interface Dialer0 overload
ip nat inside destination list voip pool voip
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Vlan5 dhcp 10
ip ssh maxstartups 2
ip ssh time-out 10
ip ssh version 2
ip scp server enable
!
ip access-list extended voip
permit udp any any range 10000 65000
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer0
frequency 10
ip sla schedule 1 life forever start-time now
logging trap debugging
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
route-map WAN_BACKUP permit 10
match ip address 100
match interface Vlan5
!
route-map SLA_ICMP permit 10
match ip address 101
set interface Dialer0
!
route-map WAN_PRIMARY permit 10
match ip address 100
match interface Dialer0
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.3.0 0.0.0.7
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 23 permit 194.110.218.101
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.7 any
access-list 101 permit icmp any host 8.8.8.8
access-list 111 remark CCP_ACL Category=17
access-list 111 bla bla bla
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
alias exec speed show controllers vdSL 0 | include Speed
alias exec noise show controllers vdSL 0 | include Noise
alias exec ap service-module wlan-ap0 session
alias exec vdsl show controllers vdSL 0
alias exec uptime show version | include uptime
alias exec clients show ip dhcp binding
alias exec cpu show processes cpu history
alias exec aliases show running-config | include alias
alias exec temp show environment all
alias exec updown show logging | include %CONTROLLER-5-UPDOWN: Controller VDSL 0
alias exec attainable show controllers vdSL 0 | include Attainable
alias exec attenuation show controllers vdsl 0 | include Attenuation
alias exec nslookup tclsh flash:nslookupv3.tcl
alias exec FECC show controllers vdSL 0 | include FECC
alias exec CRC show controllers vdSL 0 | include CRC
alias exec errors show controllers vdSL 0 | include Errors:
alias exec mspant ssh -l xxxxxxxxx -p 5400 xxxxxxxx
alias exec clearcounters clear controller vdSL 0
alias exec espant ssh -l xxxxx xxxxxx
banner exec ^C
You have entered device $(hostname).$(domain) at line $(line) $(line-desc)
^C
banner login ^C
Welcome Authorized Users , Unauthorized access to this device is prohibited!
^C
!
line con 0
exec-timeout 0 0
privilege level 15
no modem enable
transport preferred none
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input telnet ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
privilege level 15
length 0
transport preferred none
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 62.103.129.253
ntp server 194.177.210.54 minpoll 10
!
!
!
!
!
!
event manager applet Fritz_Down
event track 1 state up
action 1.0 cli command "enable"
action 2.0 mail server "192.168.1.10" to "xxxxxxxxxxxxxxx@localhost" from "xxxxxxxxxxxxxxx@localhost" subject "ip sla restored" body "primary line restored"
action 3.0 cli command "clear ip nat translation forced"
action 4.0 cli command "exit"
event manager applet Dialer0_Down
event track 1 state down
action 1.0 cli command "enable"
action 2.0 mail server "192.168.1.10" to "xxxxxxxxxxxxxxx@localhost" from "xxxxxxxxxxxxxxx@localhost" subject "ip sla timeout" body "timeout on primary line"
action 3.0 cli command "clear ip nat translation forced"
action 4.0 cli command "exit"
!
end
04-28-2020 07:33 AM
Hello,
Make the changes marked with --> (bold in the original). Which DDNS service are you using?
interface FastEthernet0
description lan
switchport mode access
no ip address
no cdp enable
!
interface FastEthernet1
description vpn
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
description ### Backup 4G ###
switchport trunk native vlan 5
switchport mode trunk
no ip address
no cdp enable
!
interface FastEthernet3
description ### VoIP ###
switchport access vlan 3
switchport voice vlan 3
no ip address
no cdp enable
spanning-tree portfast
!
interface Wlan-GigabitEthernet0
switchport access vlan 4
switchport mode access
no ip address
no cdp enable
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
!
interface Vlan1
description lan LAN
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
description vpn LAN
ip address 192.168.2.1 255.255.255.0
ip broadcast-address 192.168.2.255
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description VOIP LAN
ip address 192.168.3.1 255.255.255.248
ip broadcast-address 192.168.3.7
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description WLAN
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan5
description ### Backup 4G 192.168.6.0/24 ###
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
!
interface Dialer0
mtu 1454
ip ddns update hostname xxxxxxxxxxxxxxx
ip ddns update sdm_ddns1
ip address negotiated
--> no ip access-group 111 in
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
encapsulation ppp
ip tcp adjust-mss 1414
shutdown
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
!
--> no ip local policy route-map SLA_ICMP
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool voip 192.168.3.2 192.168.3.3 netmask 255.255.255.248 type rotary
--> no ip nat inside source list 1 interface Dialer0 overload
--> no ip nat inside source list 2 interface Dialer0 overload
--> no ip nat inside source list 3 interface Dialer0 overload
--> no ip nat inside source list 4 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source route-map WAN_BACKUP interface Vlan5 overload
ip nat inside source route-map WAN_PRIMARY interface Dialer0 overload
ip nat inside destination list voip pool voip
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Vlan5 dhcp 10
ip ssh maxstartups 2
ip ssh time-out 10
ip ssh version 2
ip scp server enable
!
ip access-list extended voip
permit udp any any range 10000 65000
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer0
frequency 10
!
ip sla schedule 1 life forever start-time now
!
logging trap debugging
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
route-map WAN_BACKUP permit 10
match ip address 100
match interface Vlan5
!
--> no route-map SLA_ICMP permit 10
match ip address 101
set interface Dialer0
!
route-map WAN_PRIMARY permit 10
match ip address 100
match interface Dialer0
!
--> no access-list 1 remark SDM_ACL Category=2
--> no access-list 1 permit 192.168.1.0 0.0.0.255
--> no access-list 2 permit 192.168.2.0 0.0.0.255
--> no access-list 3 remark SDM_ACL Category=2
--> no access-list 3 permit 192.168.3.0 0.0.0.7
--> no access-list 4 remark SDM_ACL Category=2
--> no access-list 4 permit 192.168.4.0 0.0.0.255
--> no access-list 5 permit 192.168.6.0 0.0.0.255
access-list 23 permit 194.110.218.101
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.7 any
access-list 101 permit icmp any host 8.8.8.8
--> no access-list 111 remark CCP_ACL Category=17
access-list 111 bla bla bla
!
control-plane
!
--> no bridge 1 protocol ieee
--> no bridge 1 route ip
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec speed show controllers vdSL 0 | include Speed
alias exec noise show controllers vdSL 0 | include Noise
alias exec ap service-module wlan-ap0 session
alias exec vdsl show controllers vdSL 0
alias exec uptime show version | include uptime
alias exec clients show ip dhcp binding
alias exec cpu show processes cpu history
alias exec aliases show running-config | include alias
alias exec temp show environment all
alias exec updown show logging | include %CONTROLLER-5-UPDOWN: Controller VDSL 0
alias exec attainable show controllers vdSL 0 | include Attainable
alias exec attenuation show controllers vdsl 0 | include Attenuation
alias exec nslookup tclsh flash:nslookupv3.tcl
alias exec FECC show controllers vdSL 0 | include FECC
alias exec CRC show controllers vdSL 0 | include CRC
alias exec errors show controllers vdSL 0 | include Errors:
alias exec mspant ssh -l xxxxxxxxx -p 5400 xxxxxxxx
alias exec clearcounters clear controller vdSL 0
alias exec espant ssh -l xxxxx xxxxxx
banner exec ^C
You have entered device $(hostname).$(domain) at line $(line) $(line-desc)
^C
banner login ^C
Welcome Authorized Users , Unauthorized access to this device is prohibited!
^C
!
line con 0
exec-timeout 0 0
privilege level 15
no modem enable
transport preferred none
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input telnet ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
privilege level 15
length 0
transport preferred none
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 62.103.129.253
ntp server 194.177.210.54 minpoll 10
!
event manager applet Fritz_Down
event track 1 state up
action 1.0 cli command "enable"
action 2.0 mail server "192.168.1.10" to "xxxxxxxxxxxxxxx@localhost" from "xxxxxxxxxxxxxxx@localhost" subject "ip sla restored" body "primary line restored"
action 3.0 cli command "clear ip nat translation forced"
action 4.0 cli command "exit"
event manager applet Dialer0_Down
event track 1 state down
action 1.0 cli command "enable"
action 2.0 mail server "192.168.1.10" to "xxxxxxxxxxxxxxx@localhost" from "xxxxxxxxxxxxxxx@localhost" subject "ip sla timeout" body "timeout on primary line"
action 3.0 cli command "clear ip nat translation forced"
action 4.0 cli command "exit"
!
end
04-28-2020 08:48 AM
Dear Georg, thank you for helping me.
My DDNS service is noip.com.
It's working, I have internet from my LAN through the LTE router :)
My remarks so far are:
1. I shut down Dialer0 and the default route became through Vlan5.
2. I re-enabled Dialer0 and the default route is still through Vlan5.
3. I have no access-list and no incoming NAT; VoIP devices do not work.
4. From my LAN 192.168.1.0 I am now able to access devices that are directly connected to the LTE router.
04-28-2020 09:19 AM - edited 04-28-2020 09:20 AM
Hello
@mspant wrote:
1. I shut down Dialer0 and the default route became through Vlan5.
2. I re-enabled Dialer0 and the default route is still through Vlan5.
3. I have no access-list and no incoming NAT; VoIP devices do not work.
4. From my LAN 192.168.1.0 I am now able to access devices that are directly connected to the LTE router.
Deny access to 8.8.8.8 via the secondary path so your tracking doesn't re-establish:
ip route 8.8.8.8 255.255.255.255 Null0 2
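The complete failover piece with that null route in place, as an added example written for this page rather than taken from either post. It keeps the thread's interfaces, track, SLA and NAT route-maps and adds two things: a host route for the probe target via Dialer0, so the probe can only ever leave through the VDSL path (the Null0 route alone would also swallow the probe while Dialer0 is up), and a delay on the track so one lost probe does not bounce the default route. The timeout, threshold and delay values are assumptions to tune for the line; the administrative distances are the thread's.

```ios
! Probe: sent from Dialer0 every 10 s; reachability follows each probe result
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer0
 frequency 10
 timeout 2000
 threshold 1500
ip sla schedule 1 life forever start-time now
!
! Dampen the track so a single lost probe does not flip the default route
! (delay values are assumptions, tune to the line)
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to the primary path. The AD-1 route via Dialer0 wins while
! Dialer0 is up; when Dialer0 is shut (the test in the thread) it is withdrawn and
! the floating Null0 route (AD 2) catches the probe instead of the Vlan5 default,
! so the track cannot come back Up through the LTE path.
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 8.8.8.8 255.255.255.255 Null0 2
!
! Default routes as in the thread: tracked primary, DHCP-learned backup at AD 10
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Vlan5 dhcp 10
!
! NAT selected by the real egress interface, one statement per WAN (as in the
! thread). The per-VLAN "ip nat inside source list N interface Dialer0" lines
! stay removed, so nothing translates LAN traffic to the Dialer0 address while
! it is actually leaving via Vlan5.
route-map WAN_PRIMARY permit 10
 match ip address 100
 match interface Dialer0
route-map WAN_BACKUP permit 10
 match ip address 100
 match interface Vlan5
ip nat inside source route-map WAN_PRIMARY interface Dialer0 overload
ip nat inside source route-map WAN_BACKUP interface Vlan5 overload
```

To check the state after a failover test, `show track 1` shows the current reachability and the delay timers, `show ip sla statistics 1` shows whether the probe is getting replies, and `show ip route 8.8.8.8` shows which of the two host routes is active (it should be the Null0 one only while Dialer0 is administratively down). Note that the thread's only inbound mapping is the static 443 entry bound to Dialer0, so the web/mail server stays reachable from outside only through the VDSL address; there is no equivalent for Vlan5.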
04-28-2020 10:12 AM - edited 04-28-2020 12:27 PM
Do you have any clue if it's possible to access my web page from my LAN with its public IP?
I want it because the web page is also a mail server, and when I am in my house, mobile email clients that are configured with
that public IP do not work from the LAN; I have to disable WiFi in order to get access through mobile 4G.
04-28-2020 12:17 PM - edited 04-28-2020 12:20 PM
Hello
@mspant wrote:
Do you have any clue if it's possible to access my web page from my LAN with its public IP?
I want it because the web page is also a mail server, and when I am in my house, mobile email clients that are configured with
that public IP do not work from the LAN; I have to disable WiFi in order to get access through mobile 4G.
You have two options:
1) Change your NAT to a domainless NAT configuration (no inside or outside domains, i.e. ip nat enable)
2) NAT hairpinning with policy-based routing
Example of option 2, NAT hairpinning for your primary interface:
conf t
no access-list 100
access-list 100 deny ip 192.168.0.0 0.0.7.255 192.168.0.0 0.0.7.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.7 any
ip access-list extended hairpin-nat
permit ip 192.168.0.0 0.0.7.255 host 192.168.1.10
interface loopback 100
ip address 169.254.255.1 255.255.255.255
ip nat inside
route-map PBR permit 10
match ip address hairpin-nat
set interface loopback 100
interface dialer 0
ip nat outside
no ip redirects
ip policy route-map PBR
ip nat inside source list hairpin-nat interface dialer 0
Lastly, don't forget to add the static null route for your IP SLA tracking that I mentioned in my last post.