Connecting my 2851 to my ISP over PPPoE

Hi Everyone,

 

As part of my homelab I purchased a number of older Cisco Routers and Switches. I've managed to learn a great deal about getting these setup and running. Now that I've finally been moved across to FTTP I want to replace my consumer router by using the C2851 instead. More of a just because you can, rather than any technical need.

 

Although I have managed to get the PPPoE connection in place and can route directly from the C2851, I can't route from any device connected to the router. In addition, I have been allocated a small (/29) subnet of public IPs. The configuration details below get me to the point where I can route traffic from the C2851 out to the Internet, but I'm not able to route traffic from my internal networks.

 

My firewall has been configured to use the IP address I've assigned below to interface GigabitEthernet0/0 as its default gateway. Again, the firewall can see this and, doing basic checks, it seems to be able to route out to the Internet as well. But I'm not able to see any of my additional IPs.

 

I've made no change to my firewall, only switching over from the consumer router to the C2851. The setup works fine with the consumer router.

 

interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.248
 duplex full
 speed 1000
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username@internet.net
 ppp chap password 0 Strong_Password
 ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1

Interface GigabitEthernet0/1 has a number of VLANs set up to cover various network configurations. I know I need to be able to direct all of my internal traffic towards my firewall's internal IP address, and this is where I think my problem lies. Without the Dialer1 configuration my default route is indeed the firewall, as below.

ip route 0.0.0.0 0.0.0.0 192.168.50.1

I hope I've explained my setup well enough for someone to point me in the right direction. But if not I'm open to any questions you have.

 

Thanks for looking.

 

Regards,

 

Garry


Hello,

 

what firewall do you have (brand/model) ? How is the firewall connected to your router ?

 

Post:

 

--> show run from the router

--> the configuration of the firewall

 

I'm running OPNSense for my firewall on a VM. The external interface is connected to the router with a VLAN. I can't dump my firewall configuration, but as I've stated above, no configuration changes have been made. I've only swapped out my consumer router for the C2851. Here's the router config, though; I've removed passwords and any detail that could identify my network directly.

 

!
! Last configuration change at 13:05:00 GMT Mon Jan 24 2022
! NVRAM config last updated at 13:05:02 GMT Mon Jan 24 2022
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw01
!
boot-start-marker
boot-end-marker
!
no logging console
enable password <password here>
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip name-server 192.168.10.1
vpdn enable
!
!
voice-card 0
 no dspfarm
!
!
!
bba-group pppoe global
!
!
interface GigabitEthernet0/0
 ip address X.X.X.X 255.255.255.248
 duplex full
 speed 1000
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.2
 description int.mycyberspace.net
 encapsulation dot1Q 2
 ip address 192.168.2.30 255.255.255.224
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.3
 description cctv.mycyberspace.net
 encapsulation dot1Q 3
 ip address 192.168.3.250 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.4
 description kodi.mycyberspace.net
 encapsulation dot1Q 4
 ip address 192.168.4.14 255.255.255.240
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.5
 description esxi.mycyberspace.net
 encapsulation dot1Q 5
 ip address 192.168.5.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.6
 description mgmt.mycyberspace.net
 encapsulation dot1Q 6
 ip address 192.168.6.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.10
 description mycyberspace.net
 encapsulation dot1Q 10
 ip address 192.168.10.250 255.255.255.0
!
interface GigabitEthernet0/1.20
 description mycyberspace.net (WIFI)
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.50
 description LANGW01
 encapsulation dot1Q 50
 ip address 192.168.50.6 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.99
 description Build Network
 encapsulation dot1Q 99
 ip address 192.168.99.6 255.255.255.240
!
interface GigabitEthernet0/1.100
 description Storage Network
 encapsulation dot1Q 100
 ip address 192.168.100.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface FastEthernet0/0/0
 description Link to SW03
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 description RackPDU02
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 description iLO Host01
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <username here>
 ppp chap password 0 <password here>
 ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!
!
logging host 192.168.6.2 transport tcp port 1514
snmp-server community public RO
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^CC

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

You must have explicit permission to access or configure this device. All activities performed on this device may be logged.

Violations of this policy may result in disciplinary action and may be reported to the relevant law enforcement agencies. There is no right to privacy on this device

^C
privilege exec level 1 ping
!
line con 0
line aux 0
line vty 0 4
 password <password here>
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180203
ntp server 192.168.50.1
!
end
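The running-config above also carries several management-plane settings that a security reviewer would flag on sight: `no service password-encryption`, a reversible `enable password` instead of `enable secret`, the default `public` SNMP community with no access-list bound to it, Telnet as the only VTY transport, and the CHAP secret stored as type 0. The script below is an added example, not code from this thread or from Cisco. It splits an IOS running-config into global lines and interface/line blocks and reports those weaknesses alongside the PPPoE points discussed in the thread (an IP address on the PPPoE physical port, no NAT inside/outside markings, no TCP MSS clamp). The two embedded configs are constructed, trimmed copies of the one posted; the hardened values (`enable secret`, `access-list 10`, the `<community>` placeholder, `ip tcp adjust-mss 1452`) are hypothetical.

```python
"""Linter for the IOS config style posted above.  Added example, not code from
the thread or from Cisco: it splits a running-config into global lines and
interface/line blocks, then reports management-plane weaknesses and the
PPPoE/NAT points a reviewer would check.  Both sample configs are constructed,
trimmed copies of the thread's; the hardened values are hypothetical."""
import re

WEAK_CONFIG = """\
no service password-encryption
enable password <password here>
interface GigabitEthernet0/0
 ip address X.X.X.X 255.255.255.248
 pppoe-client dial-pool-number 10
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ppp chap hostname <username here>
 ppp chap password 0 <password here>
!
snmp-server community public RO
line vty 0 4
 password <password here>
 transport input telnet
"""

# Same router with the management plane tightened (hypothetical values).
HARDENED_CONFIG = """\
service password-encryption
enable secret <hash here>
interface GigabitEthernet0/0
 no ip address
 pppoe-client dial-pool-number 10
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip tcp adjust-mss 1452
 ppp chap hostname <username here>
 ppp chap password 7 <encrypted here>
!
access-list 10 permit 192.168.6.2
snmp-server community <community> RO 10
line vty 0 4
 login local
 transport input ssh
"""

def parse(config):
    """Split a running-config into (global lines, {block header: [child lines]})."""
    glob, blocks, cur = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur:
            blocks[cur].append(raw.strip())
            continue
        line, cur = raw.strip(), None
        if line.startswith(("interface ", "line ")):
            cur = line
            blocks[cur] = []
        else:
            glob.append(line)
    return glob, blocks

def audit(config):
    """Return (id, severity, message) findings for one running-config."""
    glob, blocks = parse(config)
    sub = [l for ls in blocks.values() for l in ls]  # every indented line
    f = []
    if "no service password-encryption" in glob:
        f.append(("plaintext-passwords", "high", "line/enable passwords kept in clear text"))
    if any(l.startswith("enable password") for l in glob) and not any(l.startswith("enable secret") for l in glob):
        f.append(("enable-password", "high", "'enable password' is reversible; use 'enable secret'"))
    for m in (re.match(r"snmp-server community (\S+) R[OW](\s+\S+)?$", l) for l in glob):
        if m and m.group(1).lower() in ("public", "private"):
            f.append(("snmp-default-community", "high", "default SNMP community string"))
        if m and not m.group(2):
            f.append(("snmp-no-acl", "medium", "SNMP community not bound to an access-list"))
    for hdr, ls in blocks.items():
        if hdr.startswith("line vty") and any(l.startswith("transport input") and "telnet" in l for l in ls):
            f.append(("telnet-vty", "high", hdr + ": Telnet enabled; use 'transport input ssh'"))
        if any(re.match(r"ppp (chap|pap sent-username \S+) password 0 ", l) for l in ls):
            f.append(("chap-plaintext", "high", hdr + ": PPP secret stored as type 0"))
        if any(l.startswith("pppoe-client") for l in ls) and any(l.startswith("ip address") for l in ls):
            f.append(("pppoe-physical-ip", "info", hdr + ": IP on the PPPoE port; the session address is on the dialer"))
    if any(l.startswith("pppoe-client") for l in sub) and not any(l.startswith("ip tcp adjust-mss") for l in sub):
        f.append(("no-mss-clamp", "medium", "PPPoE without 'ip tcp adjust-mss'; TCP may stall if PMTUD is blocked"))
    rules = any(l.startswith("ip nat inside source") for l in glob)
    inside, outside = "ip nat inside" in sub, "ip nat outside" in sub
    if rules and not (inside and outside):
        f.append(("nat-unmarked", "high", "NAT rule present but inside/outside interfaces not both marked"))
    if not (rules or inside or outside):
        f.append(("no-nat", "info", "no NAT: RFC 1918 sources leave the dialer untranslated unless the firewall translates them"))
    return f

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print([(i, s) for i, s, _ in audit(cfg)])
```

Run it against a `show running-config` capture and the weak config yields nine findings, while the hardened one only reports the informational "no NAT" line, which is exactly the state the thread is in: whether NAT belongs on the 2851 or on the OPNsense VM behind it is the routing question the replies below are working through, not a defect in itself.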

 

 

I'm running a VM with OPNSense installed, so it's not easy outputting the config. As I said, though, I haven't made any changes to my firewall, which connects to the router using a VLAN connection.

Here's my router config in full, I have removed sensitive information.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw01
!
boot-start-marker
boot-end-marker
!
no logging console
enable password <password here>
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip name-server 192.168.10.1
vpdn enable
!
!
voice-card 0
 no dspfarm
!
bba-group pppoe global
!
!
interface GigabitEthernet0/0
 ip address X.X.X.X 255.255.255.248
 duplex full
 speed 1000
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.30 255.255.255.224
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.250 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.168.4.14 255.255.255.240
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address 192.168.5.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.6.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.250 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.6 255.255.255.0
 ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.99
 description Build Network
 encapsulation dot1Q 99
 ip address 192.168.99.6 255.255.255.240
!
interface GigabitEthernet0/1.100
 description Storage Network
 encapsulation dot1Q 100
 ip address 192.168.100.6 255.255.255.248
 ip helper-address 192.168.10.1
!
interface FastEthernet0/0/0
 description Link to SW03
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 description RackPDU02
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 description iLO Host01
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <username here>
 ppp chap password 0 <password here>
 ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!
logging host 192.168.6.2 transport tcp port 1514
snmp-server community public RO
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^CC

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

You must have explicit permission to access or configure this device. All activities performed on this device may be logged.

Violations of this policy may result in disciplinary action and may be reported to the relevant law enforcement agencies. There is no right to privacy on this device

^C
privilege exec level 1 ping
!
line con 0
line aux 0
line vty 0 4
 password <password here>
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180203
ntp server 192.168.50.1
!
end

 

 

Hello,

 

make the changes marked with -->:

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw01
!
boot-start-marker
boot-end-marker
!
no logging console
enable password <password here>
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
!
ip name-server 192.168.10.1
vpdn enable
!
voice-card 0
no dspfarm
!
bba-group pppoe global
!
interface GigabitEthernet0/0
ip address X.X.X.X 255.255.255.248
--> ip nat outside
duplex full
speed 1000
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface GigabitEthernet0/1
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.30 255.255.255.224
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.250 255.255.255.0
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.14 255.255.255.240
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.5
encapsulation dot1Q 5
ip address 192.168.5.6 255.255.255.248
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.6
encapsulation dot1Q 6
ip address 192.168.6.6 255.255.255.248
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.250 255.255.255.0
--> ip nat inside
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.6 255.255.255.0
--> ip nat inside
ip helper-address 192.168.10.1
!
interface GigabitEthernet0/1.99
description Build Network
encapsulation dot1Q 99
ip address 192.168.99.6 255.255.255.240
--> ip nat inside
!
interface GigabitEthernet0/1.100
description Storage Network
encapsulation dot1Q 100
ip address 192.168.100.6 255.255.255.248
--> ip nat inside
ip helper-address 192.168.10.1
!
interface FastEthernet0/0/0
description Link to SW03
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet0/0/1
description RackPDU02
duplex full
speed 100
!
interface FastEthernet0/0/2
description iLO Host01
duplex full
speed 100
!
interface FastEthernet0/0/3
shutdown
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
--> ip nat inside
!
interface Dialer1
ip address negotiated
--> ip nat outside
ip mtu 1492
encapsulation ppp
dialer pool 10
no cdp enable
ppp authentication chap callin
ppp chap hostname <username here>
ppp chap password 0 <password here>
ppp ipcp route default
!
--> ip nat inside source list 1 interface Dialer1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> access-list 1 permit 192.168.0.0 0.0.255.255
!
no ip http server
no ip http secure-server
!
logging host 192.168.6.2 transport tcp port 1514
snmp-server community public RO
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password <password here>
login
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180203
ntp server 192.168.50.1
!

Thanks,

 

I made a little progress last night and found something that may be of interest. My attempt to get NAT in place didn't go as I'd hoped, but it showed me something interesting.

 

My IP range is x.x.148.72/29

x.x.148.73 <-- Router

x.x.148.74 <-- Firewall

x.x.148.75 <-- Additional IP

x.x.148.76 <-- Additional IP

x.x.148.77 <-- Additional IP

x.x.148.78 <-- Additional IP

 

When I bring the Dialer1 online the IP allocated is x.x.134.148.

 

I'll update my configuration as suggested.

Hello,

 

the problem is most likely the fact that you assigned an IP address to the physical interface, and that physical interface is also tied to the dialer. Try and remove the IP address from the physical interface altogether:

 

interface GigabitEthernet0/0
--> no ip address 
--> ip nat outside
duplex full
speed 1000
pppoe enable group global
pppoe-client dial-pool-number 10

Thanks,

 

But if I remove the IP from the interface then I have no route to the Internet, as that's the gateway address used by the firewall. Or am I missing something else?

Hello,

 

the dialer interface is your external interface, pointing towards the ISP. The pfSense is on the inside.

The Dialer interface IP address is not one that's in my range of IPs. The TP-Link router has the IP x.x.148.73/29 at present and is able to route all of my public IP addresses. Hopefully these images will show you what I mean. How the NAT rules work for this is beyond me at the moment, and hopefully we'll find a solution.

[Images: TP-Link LAN.PNG, TP-Link WAN.PNG]
I've attempted to draw my network below, hopefully it makes sense. 

 

[Image: My Network.png]

 

Hello,

 

it becomes very confusing now. We still do not know what devices you have and how they are connected. I would suggest the following: take a picture with your smartphone that shows the physical devices you have, lined up in the way they are connected. The drawing shows an ISP router with a dialer interface, then another external router, then an external firewall (the pfSense, I assume?).

I am not clear where the firewall is connected. What and where are these:

x.x.148.73 <-- Router

x.x.148.74 <-- Firewall

What is connected on G0/1 with all the vlan subinterfaces? And what are the switches that are indicated on the FastEthernet interfaces?

I am also wondering if these various vlans/subnets existed when the consumer router was being used? Or are they recent additions to the network (reflecting the purchase of additional equipment - including this router)?

Am I correct in assuming that the switches that are deployed are operating as layer 2, or are any of them operating as layer 3?

HTH

Rick

The external interface on the firewall is connected directly to the router on G0/0. G0/1 on the router is connected to a WS-C3750G which is in turn connected to a WS-C3560.

 

Yes all of the VLANS/Subnets were already in place and working as expected with the TP-Link in place. The C2851 has been running just as an internal router. I only started looking at using the C2851 as a replacement for the TP-Link since moving to a FTTP connection.

 

As shown above, the configuration of the TP-Link is very simple. I entered the PPPoE details and assigned what is my router's public IP address to the first LAN interface. The LAN interface is then connected to the firewall. No NAT configuration on the TP-Link router.

 

 

Garry posted a drawing that shows Internet/ISP connecting to router using a Public IP (obtained via pppoe?) and router connected to firewall using a second Public IP (/29). That makes a lot of sense. In terms of the 2851 I would expect the ISP connection to be on G0/0 and the firewall on G0/1. All of the things in his config at this point (multiple vlan subinterfaces) should somehow be connected to the firewall and not to the 2851.

HTH

Rick

Thanks for the reply,

 

My firewall is a VM running OPNSense (pfsense) so a little difficult exporting the config. It's connected to the Router via a VLAN connection.

 

Rather than posting my entire config, what part are you interested in?