After successfully configuring the Cisco 887VA on my Sky Fibre Unlimited Pro connection I started to configure NAT and ACLs to allow all of my devices to work properly. For the most part this wasn’t an issue, until I came to all of the games consoles in the house.
We pretty much have a console in every room in the house, totalling 3 x Xbox 360s, a PS3 and a PS4. I blogged a while ago about setting them all up to use UPnP on pfsense to map inbound ports on demand in order to get an open NAT type in game. That worked well, but unfortunately the Cisco box doesn’t support UPnP or NAT-PMP by design. The reason for the deliberate lack of these features is simple: Cisco IOS devices are enterprise devices, and no enterprise wants users to be able to dynamically NAT ports to internal resources.
While I agree that UPnP or NAT-PMP is a security risk in the enterprise, many other vendors support the features but provide a means to restrict which devices may use them, similar to how pfsense does.
The consoles all tend to use the same ports to connect to the internet. However, when they use UPnP they can fall back to alternative ports if the UPnP router refuses to open the requested ports because another device is already using them. This is all fine on consumer routers, which tend to have UPnP enabled as standard. The biggest problem I have with the 887 is that the ports would have to be manually NATed to whichever console was currently in use, and the other consoles would struggle to work properly.
This issue pretty much rules out the feasibility of using the 887 in our house as a conventional router. I did however wonder if I could simply replace the Openreach Modem with the 887 and continue to use my trusty Firebox x750 running pfsense as my firewall. I started to play with my config. After a quick config erase and reload I had a blank canvas to play with.
I decided to try a bridge group first. I shut down the ATM interface and created the required sub-interface on the Eth0 interface as below. I also put the sub-interface in a bridge group.
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
encapsulation dot1Q 101
no ip route-cache
bridge-group 1
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
I then tried to put a FastEthernet interface into the bridge group, which failed because layer 2 switchports are not allowed in bridge groups. To get around this I created a VLAN and placed that into the bridge group, then put Fa0 into the VLAN. Notice the config line “ip virtual-reassembly in”. It is required.
interface Vlan100
no ip address
ip virtual-reassembly in
no ip route-cache
bridge-group 1
!
interface FastEthernet0
description ~ Uplink to Firewall ~
switchport access vlan 100
Then I set the protocol on the bridge group.
bridge 1 protocol ieee
Finally I disabled the router’s routing engine.
no ip routing
It worked. I was impressed!
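The bridge recipe above has several pieces that each break the bridge quietly when missed (a switchport in the bridge group, a Vlan without “ip virtual-reassembly in”, routing left on, no bridge protocol), so here is a small checker for it. This is an added example, not part of the original post; it assumes the copy-paste form of the config shown above (interface blocks separated by “!”), and the FIRST_ATTEMPT sample is constructed to reproduce the switchport mistake described above.

```python
# Constructed sample, not from the post: the first attempt described above, with
# FastEthernet0 dropped straight into the bridge group and the Vlan left bare.
FIRST_ATTEMPT = """no ip routing
!
interface Ethernet0.101
bridge-group 1
!
interface FastEthernet0
bridge-group 1
!
interface Vlan100
bridge-group 1
!
"""

def parse_ios(text):
    """Group lines by 'interface X' block; '!' returns to global scope ("")."""
    blocks, scope = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            scope = ""
        elif line.startswith("interface "):
            scope = line.split(" ", 1)[1]
            blocks.setdefault(scope, [])
        else:
            blocks[scope].append(line)
    return blocks

def audit_bridge_config(text):
    """Findings that stop the 887VA bridging, or leave it addressable from the line."""
    blocks, groups, findings = parse_ios(text), set(), []
    if "no ip routing" not in blocks[""]:
        findings.append("routing still enabled: add 'no ip routing'")
    for iface, lines in ((k, v) for k, v in blocks.items() if k):
        for line in lines:
            if line.startswith("bridge-group "):
                groups.add(line.split()[1])
                # Only routed interfaces (SVIs, dot1Q sub-interfaces) may join a bridge group
                if not (iface.startswith("Vlan") or "." in iface):
                    findings.append(f"{iface}: switchport cannot join a bridge group; use a Vlan SVI")
                elif iface.startswith("Vlan") and "ip virtual-reassembly in" not in lines:
                    findings.append(f"{iface}: missing 'ip virtual-reassembly in'")
            if line.startswith("ip address "):
                findings.append(f"{iface}: has an IP address; a pure bridge should have none")
    for g in sorted(groups):
        if f"bridge {g} protocol ieee" not in blocks[""]:
            findings.append(f"bridge {g}: add 'bridge {g} protocol ieee'")
    return findings
```

Run it over a saved “show running-config” before cutting over; an empty list means the bridge-group, Vlan and routing pieces line up the way the working config above does.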
I know many people think the 887VA is an expensive router to just use as a bridge. I disagree. I have had issues with my line for a few months, caused by broken insulation on the drop wire. The drop wire has been replaced now but OpenReach didn’t re-enable DLM, meaning the line never really built any speed up since the drop wire was replaced. Considering it was sitting at 52Mbs sync out of 80, and the DSLAM is approximately 80 meters from my master socket, this wasn’t acceptable. After 8, yes eight, engineer visits to my house, none of whom were interested in the history of the fault and none of whom were willing to do the OGEA reset I requested to set the line speed back to 80Mbs and let it train down to a stable speed, I have pretty much given up on OpenReach.
Enter the 887VA. When I started using this router as a bridge two days ago, the sync speed was already 5Mbs up from the OpenReach Modem. I decided to hammer the connection using iperf and monitor it for errors. I set iperf away all night at the maximum speed of the line and checked it in the morning. There were a total of 7 CRCs and no drop outs. Result. I shut down “controller vdsl 0” and brought it back up to find another 1.3Mbs of sync speed. I repeated this procedure again the next night and yet again gained another 0.9Mbs of sync speed, bringing me to just under 60Mbs.
Another benefit of using the 887VA is the fact I can see my full line stats. Bonus.
I’m going to continue to try and increase my line speed over the next week and see how high I can get it. If only I could use the “del noise-margin” command.
Alright mate….found your site while researching the use of the 887va on Sky Fibre. Thanks for the config on your previous posts, I have just ordered one up. I also came across this post, and thought this link may be of interest to you re your UPnP/gaming issues if you decided you would prefer to have the 887 as router and modem:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_27876286.html
Cheers,
Daniel
Dan
1: Did they ever re-enable DLM for you?
2: I can only assume that for the IPv6 address requirement, I would use the IPv6 address equivalent of the IPv4 commands you have used/had used?
best
PS:
3: Where did you do the NAT overload part? Mind sharing your overall setup’s config after masking the sensitive details, obviously?
Ta Dan
OK,
So I disabled WAN ETHERNET and enabled WAN AS DSL, and see the following, but there is no IP address on the WAN interface of the firewall. I have done MAC spoofing:
HS-ROUTER#sh controllers vdsL 0
Controller VDSL 0 is UP
Daemon Status: NA
XTU-R (DS) XTU-C (US)
Chip Vendor ID: ‘BDCM’ ‘BDCM’
Chip Vendor Specific: 0x0000 0xB12D
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: ‘CSCO’ ‘BDCM’
Modem Vendor Specific: 0x4602 0xB12D
Modem Vendor Country: 0xB500 0xB500
Modem Version Near: 15.5(1)
Modem Version Far: 0xB12D
Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Full inits: 1
Failed full inits: 0
Short inits: 0
Failed short inits: 0
Firmware Source File Name
-------- ------ ----------
VDSL embedded N/A
Modem FW Version: 23j
Modem PHY Version: A2pv6C035j.d23j
Trellis: ON ON
SRA: disabled disabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 59 0
Line Attenuation: 0.0 dB 0.0 dB
Signal Attenuation: 0.0 dB 0.0 dB
Noise Margin: 3.1 dB 7.6 dB
Attainable Rate: 72700 kbits/s 22896 kbits/s
Actual Power: 12.7 dBm 7.5 dBm
Per Band Status: D1 D2 D3 U0 U1 U2 U3
Line Attenuation(dB): 11.2 24.3 37.3 3.9 19.5 29.1 N/A
Signal Attenuation(dB): 11.2 24.3 37.3 3.9 19.1 28.7 N/A
Noise Margin(dB): 3.2 3.1 3.1 7.7 7.6 7.5 N/A
Total FECC: 432 0
Total ES: 0 0
Total SES: 0 0
Total LOSS: 0 0
Total UAS: 32 32
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0
Speed (kbps): 0 73536 0 20000
SRA Previous Speed: 0 0 0 0
Previous Speed: 0 0 0 0
Reed-Solomon EC: 0 432 0 0
CRC Errors: 0 0 0 0
Header Errors: 0 0 0 0
Interleave (ms): 3.00 0.00 0.00 0.00
Actual INP: 4.01 49.00 0.00 0.00
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin
Can you share your config?
No bother. Change window closing now with wife and bairns on head!! 🙂
HS-ROUTER#
HS-ROUTER#
HS-ROUTER#sh ru
Building configuration…
Current configuration : 1509 bytes
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HS-ROUTER
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
wan mode dsl
no ip routing
!
!
no ip cef
no ipv6 cef
!
controller VDSL 0
!
!
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description * SFBB NUMBER*
mac-address donaldduck
no ip address
no ip redirects
no ip proxy-arp
no ip route-cache
no cdp enable
!
interface Ethernet0.101
encapsulation dot1Q 101
no ip route-cache
bridge-group 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description ~ Uplink to Firewall ~
switchport access vlan 100
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan100
no ip address
ip virtual-reassembly in
no ip route-cache
bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
bridge 1 protocol ieee
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 60000 1000
!
end
Have you got your hostname set on your firewall?
Absolutely Dan. Alas, can’t share pictures here.
Here’s the config (or the relevant bits) I’m running on my 887 with EE Fibre at the minute. I’m running the c880data-universalk9-mz.151-3.T2.bin image. This has been rock solid for the past 3 years.
ip source-route
no ip routing
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39m_B_38h3_24h.bin
modem UKfeature
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
encapsulation dot1Q 101
no ip route-cache
bridge-group 1
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description ~ Uplink to Firewall ~
switchport access vlan 50
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan50
no ip address
ip virtual-reassembly in
no ip route-cache
bridge-group 1
!
ip forward-protocol nd
!
bridge 1 protocol ieee
Ta Dan! Yup, I did shamelessly copy and paste from your original blog.
New change window would be tonight! 🙂
Will give it a shot bud.
Dan, just a thought. I remember this from my Nortel switch days, that for many reasons the vlans or native vlans of Nortel Switches and Cisco never liked each other.
Could it be something similar here?
I simply patched the interface Fa2 (on VLAN 100) to the WAN interface of the firewall, without making any VLAN configuration changes on the WAN interface.
Do a “no cdp enable” on the router port. That should help if this is the issue. Unless you’re using a sub-interface or trunk it shouldn’t matter though.
Hello, would you be able to help me set up pfsense with a DrayTek Vigor 132 on Sky Fibre?
Thanks, Paul
Sorry Paul, I haven’t used Sky fibre for over 5 years now.
Hi, please check your firmware; anything later than c880data-universalk9-mz.151-4.M4.bin has some issues.
I haven’t used Sky fibre for more than 5 years, so I couldn’t comment on firmware compatibility unfortunately.
Curious. In this configuration there is no username or password?
Or will that username and password be entered into the BRIDGED ROUTER (me thinks!)?
CISCO router as VDSL Bridge >>>> WAN port of the firewall in PPPoE mode.
Would this work?
That’s how it works, yes. Still using the same setup today but with a different ISP.
Sorry, but was that the yes or no to this part of the question as well?
“Or will that username and password be entered into the BRIDGED ROUTER (me thinks!)?”
best
Yes
Does anyone know how I might achieve a bridged connection with an 887VA for an ADSL line provided by the Post Office?