01-02-2018 01:23 PM - edited 03-08-2019 01:17 PM
Hello everyone, I'm taking on the challenge of configuring an IR829GW. It was a little hard, but I'm finishing.
I already configured the cellular interface (I'm going to use this interface for the Internet connection using a SIM).
I already configured a DHCP server for the LAN interfaces and NAT to that network segment. If I connect a device to one of the LAN interfaces with a wired connection I would have Internet connectivity.
I finished the configuration of the AP. I can connect clients using WPA encryption. I use this config:
dot11 ssid ALGO_SSID
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 0 this_is_a_password
exit
!
ip dhcp excluded-address 192.168.7.1
!
ip dhcp pool WIRELESS
network 192.168.7.0 255.255.255.0
default-router 192.168.7.1
dns-server 8.8.8.8
!
interface BVI1
mac-address 00f6.6318.efae
ip address 192.168.7.1 255.255.255.0
no ip route-cache
!
bridge 1 protocol ieee
bridge 1 route ip
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid ALGO_SSID
!
antenna gain 0
packet retries 64 drop-packet
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
But I need help because I don't know what I have to do to have Internet access from the WiFi clients.
I can't reach the IP of the interface wlan-ap0 or the network I had in the Giga interfaces from the WiFi clients; the Internet isn't reachable either.
Please help me.
Regards,
Julio Guzmán
01-02-2018 02:05 PM
Hello,
we need to see the rest of the configuration as well. Post the full configuration...
01-02-2018 02:31 PM
Thanks Georg, the conf. of the IR829 is:
Mobile_Router#sho runn
Building configuration...
Current configuration : 3412 bytes
!
! Last configuration change at 22:41:53 UTC Tue Jan 2 2018
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Mobile_Router
!
boot-start-marker
boot system flash:ir800-universalk9-mz.SPA.156-3.M
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
service-module wlan-ap 0 bootimage autonomous
!
ignition off-timer 900
!
ignition undervoltage threshold 9
!
no ignition enable
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.43.1 192.168.43.6
!
ip dhcp pool W_DHCP
network 192.168.43.0 255.255.255.0
default-router 192.168.43.1
domain-name Allied.network
dns-server 8.8.8.8
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
license udi pid IR829GW-LTE-NA-AK9 sn FTX2043Z010
!
!
!
redundancy
!
!
!
!
!
controller Cellular 0
lte sim data-profile 15 attach-profile 15 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
!
!
!
!
!
!
!
!
interface Virtual-LPWA1
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 101
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 101
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 101
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 101
no ip address
spanning-tree portfast
!
interface Wlan-GigabitEthernet0
no ip address
!
interface GigabitEthernet5
no ip address
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer string lte
dialer-group 1
no peer default ip address
async mode interactive
routing dynamic
!
interface Cellular1
no ip address
encapsulation slip
!
interface wlan-ap0
ip address 192.168.42.1 255.255.255.0
!
interface Vlan1
no ip address
!
interface Vlan101
ip address 192.168.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async0
no ip address
encapsulation scada
!
interface Async1
no ip address
encapsulation scada
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
!
access-list 1 permit any
access-list 1 permit 192.168.43.0 0.0.0.255
!
control-plane
!
!
!
!
line con 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
speed 384000
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
speed 384000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
login
transport input none
!
no scheduler max-task-time
!
!
!
!
!
!
end
The AP config is:
ap#show running-config
Building configuration...
Current configuration : 3629 bytes
!
! Last configuration change at 00:12:12 UTC Mon Mar 1 1993 by cisco
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$f8R6$LT02mxwz/3dxi5gWEPIOa1
!
no aaa new-model
no ip source-route
no ip cef
ip dhcp excluded-address 192.168.7.1
!
ip dhcp pool WIRELESS
network 192.168.7.0 255.255.255.0
default-router 192.168.7.1
dns-server 8.8.8.8
!
!
!
!
dot11 syslog
!
dot11 ssid MY_SSID
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 14361E0705572E1460
!
!
!
no ipv6 cef
!
!
username cisco privilege 15 secret 5 $1$t2wv$n/LDtLDTu6AayyuPzau8R/
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid MY_SSID
!
antenna gain 0
packet retries 64 drop-packet
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
peakdetect
dfs band 3 block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address 00f6.6318.efae
ip address 192.168.7.1 255.255.255.0
no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
banner exec ^CC
% Password change notice.
-----------------------------------------------------------------------
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
-----------------------------------------------------------------------
^C
banner login ^CC
% Password change notice.
-----------------------------------------------------------------------
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
-----------------------------------------------------------------------
^C
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
transport input all
!
cns dhcp
end
01-02-2018 02:37 PM
Hello,
here is what the config should look like. Make sure that Vlan 1 and the BVI on the wireless AP are on the same network:
Router
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IR800
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
service-module wlan-ap 0 bootimage autonomous
!
ignition off-timer 20
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid IR829GW-LTE-GA-ZK9 sn FGL19472082
!
redundancy
!
controller Cellular 0
lte sim max-retry 0
lte failovertimer 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
interface GigabitEthernet0
no ip address
shutdown
!
interface wlan-ap0
ip unnumbered Vlan1
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface Wlan-GigabitEthernet0
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
!
interface Cellular1
no ip address
encapsulation slip
!
interface Vlan1
ip address 192.168.7.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async0
no ip address
encapsulation scada
!
interface Async1
no ip address
encapsulation scada
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer-list 1 protocol ip list 1
!
access-list 1 permit 192.168.7.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line 1
stopbits 1
line 2
script dialer lte
stopbits 1
line 3
script dialer lte
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
login
transport input none
!
no scheduler max-task-time
!
end
WiFi AP
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$PwiT$mShklLd6pD1DL8j0Kjh78.
!
no aaa new-model
no ip source-route
no ip cef
!
ip dhcp excluded-address 192.168.7.1 192.168.7.2
!
ip dhcp pool WIRELESS
network 192.168.7.0 255.255.255.0
default-router 192.168.7.1
dns-server 8.8.8.8
!
dot11 syslog
!
dot11 ssid ALGO_SSID
authentication open
authentication shared
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 0 this_is_a_password
!
no ipv6 cef
!
username Cisco password 7 0802455D0A16
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid ALGO_SSID
!
antenna gain 0
packet retries 64 drop-packet
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address 00f6.6318.efae
ip address 192.168.7.1 255.255.255.0
no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 protocol ieee
!
bridge 1 route ip
!
line con 0
line vty 0 4
login local
transport input all
!
end
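A review check over the AP configuration above, as an added example that is not part of the original thread: it flags the settings that still matter once connectivity works (clear-text PSK, reversible type 7 password, TKIP, plain-HTTP management, Telnet on the vty lines). The rule list and the `audit` function are this example's own, and the excerpt is constructed from lines in the post.

```python
import re

# Constructed excerpt: lines copied from the AP configuration posted in this
# thread, flattened (no indentation) the way the forum rendered them.
AP_EXCERPT = """\
dot11 ssid ALGO_SSID
authentication open
authentication key-management wpa version 2
wpa-psk ascii 0 this_is_a_password
!
username Cisco password 7 0802455D0A16
!
interface Dot11Radio0
encryption mode ciphers aes-ccm tkip
ssid ALGO_SSID
!
ip http server
no ip http secure-server
!
line con 0
line vty 0 4
login local
transport input all
!
end
"""

# Lines that open a configuration section; a lone "!" closes it.
SECTION = re.compile(r"^(interface|line|dot11 ssid|ip dhcp pool|controller) ")

# (regex on the line, section the line must sit in or None, finding text)
RULES = [
    (r"wpa-psk ascii 0 \S", "dot11 ssid", "WPA2 pre-shared key is stored in clear text"),
    (r"username \S+ password 7 ", None, "type 7 password is reversible; prefer 'secret'"),
    (r"encryption mode ciphers .*\btkip\b", "interface", "TKIP is enabled alongside AES-CCM"),
    (r"ip http server$", None, "management web UI is enabled over plain HTTP"),
    (r"transport input all$", "line vty", "vty lines accept Telnet as well as SSH"),
]

def audit(config):
    """Return (line_number, line, finding) for every rule hit, in file order."""
    findings, section = [], ""
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line == "!":
            section = ""          # separator: back to global configuration
            continue
        if SECTION.match(line):
            section = line        # remember which section following lines belong to
        for pattern, needs, text in RULES:
            if re.match(pattern, line) and (needs is None or section.startswith(needs)):
                findings.append((number, line, text))
    return findings

if __name__ == "__main__":
    for number, line, text in audit(AP_EXCERPT):
        print(f"line {number}: {line!r}: {text}")
```
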
01-03-2018 09:46 AM
Thanks for your help this week Georg, now the IR829GW is configured. I'm just curious: I want to give IP addresses via DHCP for the Giga interfaces and for the wireless clients. I now have that working on my IR829 after I configured two DHCP servers, one for the router and another for the AP. Is this the right way to do that? I excluded some IP addresses on the AP but it doesn't work.
DHCP server config on the IR829:
ip dhcp excluded-address 192.168.7.1 192.168.7.5
ip dhcp excluded-address 192.168.7.129 192.168.7.254
!
ip dhcp pool W_DHCP
network 192.168.7.0 255.255.255.0
domain-name my_domain.com
dns-server 8.8.8.8
default-router 192.168.7.2
DHCP server on the AP module:
ip dhcp excluded-address 192.168.7.1 192.168.7.128
!
ip dhcp pool WIRELESS
network 192.168.7.0 255.255.255.0
default-router 192.168.7.3
dns-server 8.8.8.8
domain-name my_domain.com
When I connected a device via wireless I obtained IP addresses from 192.168.7.6, the same as when I connected a device on the LAN interfaces.
Regards and thanks.
Julio Guzmán
01-03-2018 10:31 AM
Hello,
if you want to have a different pool for the wired clients (on the router), add the below to the router module:
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN_WIRED
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4
!
interface Vlan 2
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 2
spanning-tree portfast
01-03-2018 11:58 AM
The 829 should be handling DHCP for both wired and wireless. It makes it easier for configuration, but if you want to have separate DHCP scopes you will have to follow George's example and create a new VLAN and use different subnets for the WLAN/LAN.
You could even make it seem like the same subnet by using a /25 mask instead of a /24 mask so you could have for example wired clients on 192.168.7.1-127 and wireless clients on 192.168.7.128-254.
If you don't mind the wireless and wired clients on the same VLAN just leave the configuration as is as long as it is working for you as expected.
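Working through the two DHCP configurations and the /25 suggestion above, as an added example that is not part of the original thread: it computes which addresses each server can actually lease and the usable host range of each /25 half. It assumes the two snippets are each device's complete DHCP configuration; the function names are this example's own.

```python
import ipaddress

# Constructed from the two DHCP snippets quoted in the thread (flattened as posted).
CONFIGS = {
    "router": """\
ip dhcp excluded-address 192.168.7.1 192.168.7.5
ip dhcp excluded-address 192.168.7.129 192.168.7.254
ip dhcp pool W_DHCP
network 192.168.7.0 255.255.255.0
default-router 192.168.7.2
""",
    "ap": """\
ip dhcp excluded-address 192.168.7.1 192.168.7.128
ip dhcp pool WIRELESS
network 192.168.7.0 255.255.255.0
default-router 192.168.7.3
""",
}

def leasable(cfg):
    """Map each 'ip dhcp pool' name to the host addresses left after exclusions."""
    excluded, pools, current = set(), {}, None
    for line in cfg.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = int(ipaddress.IPv4Address(words[3]))
            high = int(ipaddress.IPv4Address(words[4])) if len(words) > 4 else low
            excluded.update(range(low, high + 1))
        elif words[:3] == ["ip", "dhcp", "pool"]:
            current = words[3]
        elif words[:1] == ["network"] and current:
            pools[current] = ipaddress.IPv4Network(f"{words[1]}/{words[2]}")
    # Exclusions are global on the device, so apply them after reading everything.
    return {name: [h for h in net.hosts() if int(h) not in excluded]
            for name, net in pools.items()}

def span(addresses):
    """First and last address of a list, as strings."""
    return str(addresses[0]), str(addresses[-1])

def servers_for(address):
    """Names of the devices whose DHCP server could lease this address."""
    target = ipaddress.IPv4Address(address)
    return [dev for dev, cfg in CONFIGS.items()
            if any(target in pool for pool in leasable(cfg).values())]

def halves(network):
    """(subnet, first host, last host) for each /25 inside the given /24."""
    return [(str(sub), str(sub.network_address + 1), str(sub.broadcast_address - 1))
            for sub in ipaddress.IPv4Network(network).subnets(new_prefix=25)]

if __name__ == "__main__":
    for dev, cfg in CONFIGS.items():
        for pool, addrs in leasable(cfg).items():
            print(dev, pool, *span(addrs), len(addrs))
    print("192.168.7.6 can only come from:", servers_for("192.168.7.6"))
    for row in halves("192.168.7.0/24"):
        print(*row)
```

Because 192.168.7.6 is leasable only from the router's pool, a wireless client that receives it was answered by the router's DHCP server rather than the AP's. In a true /25 split, 192.168.7.127 and 192.168.7.128 are the broadcast and network addresses, so the usable ranges are .1-.126 and .129-.254.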