I work from home most of the time, which means my ADSL really is a lifeline. Without it I’d be making a 35 mile trek to the office every day.
The village I live in doesn’t have the greatest ADSL, but it’s not too bad either. For most stuff it’s perfectly workable; however, I have repeatedly had problems with home routers and their inability to work correctly for extended periods. From a ton of reading I guess it’s down to memory leaks etc. A simple power cycle fixes it, but that’s not a great help during a VoIP call when the line keeps breaking up. Power cycles typically take 2-4 minutes to complete, which is often an issue, followed by a 1 min VPN reconnect…
So being an IT guy, I decided to bite the bullet and get hold of a Cisco router and see if that made any difference. I managed to find an old Cisco 857 router on eBay for a decent price, but while I work with Cisco kit every once in a while, I’m definitely not a Cisco guru by any means!
This device is for ADSL over POTS, no wifi (more on that in another post). Wifi shouldn’t be a problem to set up if you have the ‘W’ version…
It took a few hours, lots of Googling, and a huge heap of head shaking, but here is a copy of my Cisco config that actually works!
The info you need to know before you drop this in is:
[router name] The name for this router
[router ip] The IP address for the router on the internal network (i.e. 192.168.1.254)
[network] The network address, i.e. 192.168.1.0 (notice the .0 on the end)
[netmask] Most likely 255.255.255.0 for a home network
[inverse mask] The opposite of the netmask: each number = 255 - (number from netmask), so a netmask of 255.255.255.0 becomes 0.0.0.255 (which is most likely what you need)
[dns server] DNS server IP address. Use 8.8.8.8 for Google’s DNS servers; they’re fast, up to date and pretty great!
[local domain] Something like ‘local’ or ‘home’
[isp username] The username to connect to your ADSL; your ISP gave you this
[isp password] As above, your ISP should have given you this
[pvc] This is different for each country it seems. For the UK it’s 0/38. If you’re checking a router you already have, it’s often specified as separate VPI and VCI values
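The inverse-mask arithmetic above is easy to get wrong by hand, and the [network] placeholder must have its host bits zeroed or the access-list and DHCP lines will not behave. The following Python helper is an added example (not from the original post): it derives [network], [netmask] and [inverse mask] from the router’s own LAN address, rejects non-contiguous masks and router addresses that are not usable hosts, and fills in the LAN-related lines of the config. The sample values (192.168.1.254/255.255.255.0) are constructed.

```python
import ipaddress


def is_contiguous_netmask(netmask):
    """True if netmask is a dotted quad whose bits are a run of 1s then 0s
    (255.255.255.0 passes; 255.0.255.0 and 255.255.255 do not)."""
    try:
        octets = [int(o) for o in netmask.split(".")]
    except ValueError:
        return False
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return False
    as_int = int.from_bytes(bytes(octets), "big")
    host_bits = (~as_int) & 0xFFFFFFFF
    # A contiguous mask leaves host_bits of the form 0...01...1,
    # which is exactly when host_bits & (host_bits + 1) == 0.
    return host_bits & (host_bits + 1) == 0


def wildcard_mask(netmask):
    """Cisco wildcard ('inverse') mask: each octet is 255 minus the netmask octet."""
    if not is_contiguous_netmask(netmask):
        raise ValueError(f"not a valid netmask: {netmask}")
    return ".".join(str(255 - int(o)) for o in netmask.split("."))


def lan_placeholders(router_ip, netmask):
    """Derive the post's [router ip], [network], [netmask] and [inverse mask]
    from the router's LAN address. Raises ValueError if the router address is
    the network or broadcast address, since neither can be a default gateway."""
    iface = ipaddress.IPv4Interface(f"{router_ip}/{netmask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{router_ip} is not a usable host address in {net}")
    return {
        "router ip": str(iface.ip),
        # network_address always has the host bits cleared (the ".0" the post mentions)
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "inverse mask": wildcard_mask(str(net.netmask)),
    }


def render_lan_lines(router_ip, netmask):
    """Fill the LAN-related lines of the post's config from the derived placeholders."""
    p = lan_placeholders(router_ip, netmask)
    return [
        f"ip dhcp excluded-address {p['router ip']}",
        f" network {p['network']} {p['netmask']}",
        f" default-router {p['router ip']}",
        f" ip address {p['router ip']} {p['netmask']}",
        f"access-list 1 permit {p['network']} {p['inverse mask']}",
        f"access-list 2 permit {p['network']} {p['inverse mask']}",
        f"access-list 102 permit ip {p['network']} {p['inverse mask']} any",
    ]


if __name__ == "__main__":
    # Constructed sample: the post's example LAN of 192.168.1.0/24 with the router on .254
    for line in render_lan_lines("192.168.1.254", "255.255.255.0"):
        print(line)
```

Feeding it a /26 such as 255.255.255.192 gives an inverse mask of 0.0.0.63 and the correctly aligned network address, which is the case people usually get wrong when they copy the 0.0.0.255 from a /24 example.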
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname [router name]
!
boot-start-marker
boot-end-marker
!
logging buffered 10240
logging console critical
!
no aaa new-model
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address [router ip]
!
ip dhcp pool dhcppool
 import all
 network [network] [netmask]
 default-router [router ip]
 update arp
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name [local domain]
ip name-server [dns server]
!
archive
 log config
  hidekeys
 path flash:config
 write-memory
!
!
ip tcp selective-ack
ip tcp timestamp
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc [pvc]
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address [router ip] [netmask]
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [isp username]
 ! Enter [isp password] in clear text; 'service password-encryption' stores it as type 7.
 ! (The '7' keyword only accepts an already-encrypted string copied from 'show run'.)
 ppp chap password [isp password]
 ppp pap sent-username [isp username] password [isp password]
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark The Local LAN
access-list 1 permit [network] [inverse mask]
access-list 2 remark Where Management can be done
access-list 2 permit [network] [inverse mask]
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 184.108.40.206 0.1.255.255 any
access-list 101 deny ip 220.127.116.11 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 remark traffic from Ethernet
access-list 102 permit ip [network] [inverse mask] any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^CYou're entering EXEC mode^C
banner login ^CLogin^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
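A few things in the access lists above are worth checking against what the config is meant to do. access-list 101, the Internet-facing filter, is defined but never bound to Dialer0 with ip access-group, so nothing is forwarded to LAN hosts only because NAT has no matching translation, while services on the router itself (HTTPS, SSH, telnet) are protected solely by their own access-class settings. access-list 102 opens with permit ip any any, so the two entries after it can never match. ip http access-class 23 names a list that is not defined anywhere. The vty lines still accept telnet alongside SSH. The script below is an added example (not from the original post) that parses an IOS-style running config and reports exactly those conditions, plus any type 7 secrets; SAMPLE_CONFIG is a constructed excerpt of the post’s config with made-up LAN values and dummy type 7 strings, and the finding codes are this script’s own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's config; addresses and secrets are made up.
SAMPLE_CONFIG = """\
hostname router
ip http access-class 23
ip http secure-server
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
 ppp chap password 7 0123456789ABCD
 ppp pap sent-username user@isp password 7 0123456789ABCD
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 remark traffic from Ethernet
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any log
line vty 0 4
 access-class 2 in
 transport input telnet ssh
"""


def parse_sections(config):
    """Split an IOS config into (header, [sub-command]) pairs. Top-level
    commands start in column 0 and their sub-commands are indented by one
    space, as 'show running-config' prints them; '!' and blank lines are skipped."""
    sections, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            body.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections


def audit_config(config):
    """Return 'CODE: detail' findings about the config's filtering and management."""
    findings = []
    defined = set()               # ACL numbers that have at least one line
    entries = defaultdict(list)   # ACL number -> permit/deny lines, in order
    refs = defaultdict(list)      # ACL number -> places that reference it
    nat_outside, inbound_filtered = [], set()

    for header, body in parse_sections(config):
        m = re.match(r"access-list (\d+) (.+)$", header)
        if m:
            defined.add(m.group(1))
            if not m.group(2).startswith("remark"):
                entries[m.group(1)].append(m.group(2))
            continue
        for pattern, user in ((r"ip http access-class (\d+)", "ip http"),
                              (r"ip nat inside source list (\d+)", "ip nat")):
            m = re.match(pattern, header)
            if m:
                refs[m.group(1)].append(user)
        for line in body:
            m = re.match(r"ip access-group (\d+) (in|out)", line)
            if m:
                refs[m.group(1)].append(header)
                if m.group(2) == "in":
                    inbound_filtered.add(header)
            m = re.match(r"access-class (\d+) in", line)
            if m:
                refs[m.group(1)].append(header)
            if line == "ip nat outside":
                nat_outside.append(header)
            if re.search(r"\bpassword 7 \S+", line):
                findings.append(f"TYPE7: {header}: '{line}' stores a reversible type 7 secret")
            if line.startswith("transport input") and "telnet" in line.split():
                findings.append(f"TELNET: {header}: '{line}' accepts clear-text telnet logins")

    for num in sorted(defined - set(refs), key=int):
        findings.append(f"UNAPPLIED: access-list {num} is defined but never applied")
    for num in sorted(set(refs) - defined, key=int):
        findings.append(f"UNDEFINED: access-list {num} is used by {', '.join(refs[num])} "
                        "but not defined, so it filters nothing")
    for iface in nat_outside:
        if iface not in inbound_filtered:
            findings.append(f"WAN-OPEN: {iface} is the NAT outside interface but has no inbound access-group")
    for num, lines in entries.items():
        for i, line in enumerate(lines):
            if line == "permit ip any any" and i < len(lines) - 1:
                findings.append(f"SHADOW: access-list {num} line {i + 1} 'permit ip any any' "
                                f"shadows {len(lines) - i - 1} later entries")
                break
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The TYPE7 hits on Dialer0 are expected: the router must hold the PPP secret in recoverable form to answer a CHAP challenge, so the point of reporting them is to know where such secrets live and to treat config backups and `show run` output accordingly. The other four codes are the ones to act on before trusting the "blocked from the WAN" summary below: bind 101 to Dialer0, reorder 102, define or correct the HTTP access-class, and drop telnet from transport input.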
So this pretty much covers the basics and should get you online. The internal LAN can do anything it likes, but everything on the WAN side is blocked from entering. Management can also only be done on the LAN side.
I have a few items I’d like to update; for example, connecting a wire to one of the FastEthernet ports is slow to come up, but I’ll do some digging and try to update it.
If anyone has any suggestions, I’d love to hear them! As I say, I’m not a Cisco guy, so any suggestions are more than welcome!