Using a high-speed Internet line

[Figure: network diagram of a setup using a high-speed (optical fiber) line]

This is the basic configuration for Internet access.
With RTX series products, high-speed lines such as ADSL (PPPoE) and FTTH (direct optical fiber) can be used.
The router's filtering functions (the inbound filter and the policy filter in the examples below) block unsolicited connections from the Internet while letting sessions started on the LAN through, so LAN hosts are not directly exposed.

■RTX series configuration example 1: PPPoE line (ADSL or FTTH, LAN2 port)


LAN interface settings (LAN1 port):
  ip lan1 address 192.168.0.1/24
WAN interface settings (PPPoE over the LAN2 port):
  pp select 1
  pp always-on on
  pppoe use lan2
  pp auth accept pap chap
  pp auth myname (ISP user ID) (ISP password)
  ppp lcp mru on 1454
  ppp ipcp ipaddress on #Note 1
  ppp ipcp msext on
  ip pp mtu 1454
  ip pp nat descriptor 1
  pp enable 1
  ip route default gateway pp 1 #Note 2
NAT settings (IP masquerade behind the address obtained by IPCP):
  nat descriptor type 1 masquerade
  nat descriptor address outer 1 ipcp
  nat descriptor address inner 1 auto
DHCP server settings:
  dhcp service server
  dhcp scope 1 192.168.0.2-192.168.0.100/24 #Note 3
  dhcp server rfc2131 compliant except remain-silent
DNS settings (queries are forwarded to the ISP's servers; reverse lookups for private addresses are answered locally instead of being sent upstream):
  dns server pp 1 #Note 4
  dns private address spoof on
Inbound filter settings (applied to packets arriving on pp 1; the filters in the list are tried in order and the first match decides):
  ip filter source-route on
  ip filter directed-broadcast on
  ip inbound filter 1001 reject-nolog * * tcp,udp * 135
  ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
  ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
  ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
  ip inbound filter 1005 reject-nolog * * tcp,udp * 445
  ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
  ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * * #Note 5
  ip inbound filter 1008 pass-nolog * * * * *
  pp select 1
  ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
  pp enable 1
Policy filter settings (filter set 101 "Internet Access"; a filter's bracketed child filters are evaluated only when the filter itself matches, and its own action applies if none of them match; the final filter 2000 rejects everything not explicitly passed):
  ip policy interface group 101 name=Private local lan1
  ip policy address group 101 name=Private 192.168.0.0/24
  ip policy address group 102 name=Any *
  ip policy service group 101 name="Open Services" #Note 6
  ip policy service group 102 name=General dns
  ip policy service group 103 name=Mail pop3 smtp
  ip policy service group 104 name=IPsec ike esp
  ip policy filter 1100 reject-nolog lan1 * * * *
  ip policy filter 1110 pass-nolog * * * * 102
  ip policy filter 1122 static-pass-nolog * lan1 * * *
  ip policy filter 1123 static-pass-nolog * local * * *
  ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
  ip policy filter 1130 pass-nolog * tunnel* * * *
  ip policy filter 1140 pass-nolog * pp1 * * *
  ip policy filter 1500 reject-nolog pp* * * * *
  ip policy filter 1520 pass-log * lan1 * * 101
  ip policy filter 1530 static-pass-nolog * local * * 104
  ip policy filter 1600 reject-nolog tunnel* * * * *
  ip policy filter 1630 pass-nolog * tunnel* * * *
  ip policy filter 1640 pass-nolog * local * * *
  ip policy filter 1650 pass-nolog * lan1 * * *
  ip policy filter 1680 reject-nolog * pp* * * *
  ip policy filter 1700 pass-nolog local * * * *
  ip policy filter 1710 static-pass-nolog * lan1 * * *
  ip policy filter 1750 static-pass-nolog * pp* * * 104
  ip policy filter 2000 reject-nolog * * * * *
  ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
  ip policy filter set enable 101
[Explanation of notes]

Note 1:
Obtains the WAN IP address automatically from the PPPoE (ADSL) connection.
If the ISP assigns a fixed IP address, replace this command with: ip pp address (fixed IP address)

Note 2:
Sets the default route to the PPPoE (ADSL) connection, pp 1.

Note 3:
The address range handed out by DHCP must lie in the same subnet as the LAN1 interface address.

Note 4:
Obtains the DNS server addresses automatically from the PPPoE (ADSL) connection.
To use specific DNS servers instead, replace this command with: dns server (DNS server address)

Note 5:
The subnet of the LAN1 interface. A packet arriving from the Internet with a source address in this range is spoofed, so filter 1007 discards it.

Note 6:
Services that should be reachable from the Internet are added to this group.
For example, for PPTP: ip policy service group 101 name="Open Services" gre tcp/1723
Everything listed here is accepted from any Internet address by filter 1520 (pass-log), so keep the group as small as possible and prefer IPsec (service group 104, passed to the router by filter 1530) where a choice exists; PPTP's MS-CHAPv2 authentication is widely regarded as broken.

■RTX series configuration example 2: line with a fixed IP address assigned by the ISP (LAN2 port)

LAN interface settings (LAN1 port):
  ip lan1 address 192.168.0.1/24
WAN interface settings (LAN2 port):
  ip lan2 address (IP address provided by the ISP)
  ip lan2 nat descriptor 1
  ip route default gateway (gateway address provided by the ISP)
NAT settings (IP masquerade behind the primary address of lan2):
  nat descriptor type 1 masquerade
  nat descriptor address outer 1 primary
  nat descriptor address inner 1 auto
DHCP server settings:
  dhcp service server
  dhcp scope 1 192.168.0.2-192.168.0.100/24 #Note 1
  dhcp server rfc2131 compliant except remain-silent
DNS settings (queries are forwarded to the ISP's servers; reverse lookups for private addresses are answered locally instead of being sent upstream):
  dns server (DNS server address provided by the ISP)
  dns private address spoof on
Inbound filter settings (applied to packets arriving on lan2, the WAN port; the filters in the list are tried in order and the first match decides):
  ip filter source-route on
  ip filter directed-broadcast on
  ip inbound filter 1001 reject-nolog * * tcp,udp * 135
  ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
  ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
  ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
  ip inbound filter 1005 reject-nolog * * tcp,udp * 445
  ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
  ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * * #Note 2
  ip inbound filter 1008 pass-nolog * * * * *
  ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
Policy filter settings (filter set 101 "Internet Access", same structure as in example 1 with lan2 as the WAN interface; a filter's bracketed child filters are evaluated only when the filter itself matches, and its own action applies if none of them match):
  ip policy interface group 101 name=Private local lan1
  ip policy address group 101 name=Private 192.168.0.0/24
  ip policy address group 102 name=Any *
  ip policy service group 101 name="Open Services" #Note 3
  ip policy service group 102 name=General dns
  ip policy service group 103 name=Mail pop3 smtp
  ip policy service group 104 name=IPsec ike esp
  ip policy filter 1100 reject-nolog lan1 * * * *
  ip policy filter 1110 pass-nolog * * * * 102
  ip policy filter 1122 static-pass-nolog * lan1 * * *
  ip policy filter 1123 static-pass-nolog * local * * *
  ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
  ip policy filter 1130 pass-nolog * tunnel* * * *
  ip policy filter 1600 reject-nolog tunnel* * * * *
  ip policy filter 1630 pass-nolog * tunnel* * * *
  ip policy filter 1640 pass-nolog * local * * *
  ip policy filter 1650 pass-nolog * lan1 * * *
  ip policy filter 1660 reject-nolog * lan2 * * *
  ip policy filter 1700 pass-nolog local * * * *
  ip policy filter 1710 static-pass-nolog * lan1 * * *
  ip policy filter 1730 static-pass-nolog * lan2 * * 104
  ip policy filter 1900 pass-nolog * lan2 * * *
  ip policy filter 1950 reject-nolog lan2 * * * *
  ip policy filter 1960 static-pass-nolog * local * * 104
  ip policy filter 1970 pass-log * lan1 * * 101
  ip policy filter 2000 reject-nolog * * * * *
  ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1900 1130] 1950 [1970 1960] 1600 [1640 1650 1660 1630] 1700 [1710 1730] 2000
  ip policy filter set enable 101
[Explanation of notes]

Note 1:
The address range handed out by DHCP must lie in the same subnet as the LAN1 interface address.

Note 2:
The subnet of the LAN1 interface. A packet arriving on lan2 from the Internet with a source address in this range is spoofed, so filter 1007 discards it.

Note 3:
Services that should be reachable from the Internet are added to this group.
For example, for PPTP: ip policy service group 101 name="Open Services" gre tcp/1723
Everything listed here is accepted from any Internet address by filter 1970 (pass-log), so keep the group as small as possible and prefer IPsec (service group 104, passed to the router by filter 1960) where a choice exists; PPTP's MS-CHAPv2 authentication is widely regarded as broken.
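The inbound filter list is identical in both examples (it is bound to pp 1 in the PPPoE example and to lan2 in the fixed-IP example). As an added illustration, not part of the page's configuration or of Yamaha's software, the Python script below parses those eight filter lines exactly as printed and evaluates them first-match against a few constructed packets. The addresses are made up (198.51.100.1 stands in for the router's public address, 203.0.113.5 for an Internet host, 192.0.2.80 for a web server), and the "drop when nothing matches" fallback is an assumption that the page's catch-all filter 1008 never exercises. The case to notice is the last one: the inbound list only rejects SMB/NetBIOS traffic and spoofed LAN sources and passes everything else, so stopping an unsolicited connection such as SSH is the policy filter's job, not this list's.

```python
import ipaddress

# Yamaha port mnemonics used in the page's filter list.
PORT_NAMES = {"netbios_ns": 137, "netbios_dgm": 138, "netbios_ssn": 139}

# The inbound filter list exactly as printed on the page (the parser strips trailing notes).
PAGE_INBOUND_FILTERS = """
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * * #Note 5
ip inbound filter 1008 pass-nolog * * * * *
"""

def _port(name):
    return PORT_NAMES.get(name) or int(name)

def parse_ports(spec):
    """'*' -> None (any); '445' -> (445, 445); 'netbios_ns-netbios_ssn' -> (137, 139)."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    return (_port(lo), _port(hi or lo))

def parse_rule(line):
    """'ip inbound filter NUM ACTION SRC DST PROTO SPORT DPORT' -> rule dict."""
    fields = line.split("#", 1)[0].split()
    assert fields[:3] == ["ip", "inbound", "filter"], line
    num, action, src, dst, proto, sport, dport = fields[3:10]
    return {
        "num": int(num), "action": action,
        "src": None if src == "*" else ipaddress.ip_network(src),
        "dst": None if dst == "*" else ipaddress.ip_network(dst),
        "proto": None if proto == "*" else set(proto.split(",")),
        "sport": parse_ports(sport), "dport": parse_ports(dport),
    }

RULES = [parse_rule(l) for l in PAGE_INBOUND_FILTERS.strip().splitlines()]

def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def matches(rule, pkt):
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and _in_range(rule["sport"], pkt["sport"])
            and _in_range(rule["dport"], pkt["dport"]))

def evaluate(pkt, rules=RULES):
    """First matching filter decides, as on the router. Dropping a packet that
    matches nothing is an assumed default; filter 1008 makes it unreachable here."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return None, "reject"

def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed packets arriving on the WAN side; 198.51.100.1 stands in for the router's
# public address, 203.0.113.5 for an Internet host and 192.0.2.80 for a web server.
CASES = {
    "smb_from_internet":   pkt("203.0.113.5", 51000, "198.51.100.1", 445),
    "netbios_source_port": pkt("203.0.113.5", 139, "198.51.100.1", 40000, "udp"),
    "spoofed_lan_source":  pkt("192.168.0.77", 4444, "198.51.100.1", 80),
    "https_reply":         pkt("192.0.2.80", 443, "198.51.100.1", 50000),
    "unsolicited_ssh":     pkt("203.0.113.5", 41000, "198.51.100.1", 22),
}

def run_examples():
    return {name: evaluate(p) for name, p in CASES.items()}

if __name__ == "__main__":
    for name, (num, action) in run_examples().items():
        print(f"{name:20s} -> filter {num}: {action}")
```

Filters 1002, 1004 and 1006 match on the source port, which is why they sit beside the destination-port filters: they stop replies from external SMB/NetBIOS servers reaching LAN hosts as well as probes aimed at the router.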

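The policy filter set, in both examples, is the part that actually decides which unsolicited traffic gets through, and its bracket notation encodes a tree: a filter's children are evaluated only when the filter itself matches, and the parent's own action applies when none of them do. The script below is an added example (not code from the page or from Yamaha) that parses the fixed-IP example's 19 filter lines and its set order exactly as printed, applies that rule, and runs a few constructed packets through it. The addresses, the interfaces each packet is assumed to enter and leave by (lan2 as the WAN port, local for the router itself), and the service labels such as ssh and tcp/1723 are assumptions, as is treating static-pass like pass and ignoring dynamic state. The last two results show what note 3 does: with "Open Services" empty, PPTP from the Internet is rejected by 1950; once the group lists gre tcp/1723, the same packet is passed and logged by 1970.

```python
import fnmatch
import ipaddress
import re

# Groups as the page defines them; service group 101 ("Open Services") is empty there.
ADDRESS_GROUPS = {101: ["192.168.0.0/24"], 102: ["*"]}
SERVICE_GROUPS = {101: [], 102: ["dns"], 103: ["pop3", "smtp"], 104: ["ike", "esp"]}
OPENED_PPTP = {**SERVICE_GROUPS, 101: ["gre", "tcp/1723"]}   # page note 3 applied

# The 19 'ip policy filter' lines and the set order of the fixed-IP example, as printed on the page.
PAGE_RULES = """
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1660 reject-nolog * lan2 * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1730 static-pass-nolog * lan2 * * 104
ip policy filter 1900 pass-nolog * lan2 * * *
ip policy filter 1950 reject-nolog lan2 * * * *
ip policy filter 1960 static-pass-nolog * local * * 104
ip policy filter 1970 pass-log * lan1 * * 101
ip policy filter 2000 reject-nolog * * * * *
"""
PAGE_SET = ('ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 '
            '1900 1130] 1950 [1970 1960] 1600 [1640 1650 1660 1630] 1700 [1710 1730] 2000')

def parse_rules(text):
    """'ip policy filter NUM ACTION SRC_IF DST_IF SRC DST SERVICE' -> {NUM: fields}."""
    keys = ("action", "src_if", "dst_if", "src", "dst", "svc")
    return {int(f[3]): dict(zip(keys, f[4:10]))
            for f in map(str.split, text.splitlines()) if f}

def parse_set(line):
    """Bracketed order string -> tree of (num, children) pairs."""
    tokens = re.findall(r"\[|\]|\d+", line.split('"', 2)[2])
    def build(i):
        nodes = []
        while i < len(tokens) and tokens[i] != "]":
            num, i, children = int(tokens[i]), i + 1, []
            if i < len(tokens) and tokens[i] == "[":
                children, i = build(i + 1)
                i += 1                                   # step over the closing ']'
            nodes.append((num, children))
        return nodes, i
    return build(0)[0]

RULES, TREE = parse_rules(PAGE_RULES), parse_set(PAGE_SET)

def addr_ok(spec, ip):                  # '*', a CIDR, or an address-group number
    if spec.isdigit():
        return any(addr_ok(s, ip) for s in ADDRESS_GROUPS[int(spec)])
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
def svc_ok(spec, svc, groups):          # '*', a service name, or a service-group number
    if spec.isdigit():
        return svc in groups[int(spec)]
    return spec == "*" or spec == svc
def matches(rule, pkt, groups):         # interface specs such as 'pp*'/'tunnel*' are wildcards
    return (fnmatch.fnmatchcase(pkt["src_if"], rule["src_if"])
            and fnmatch.fnmatchcase(pkt["dst_if"], rule["dst_if"])
            and addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])
            and svc_ok(rule["svc"], pkt["svc"], groups))

def evaluate(pkt, groups=SERVICE_GROUPS, tree=None):
    """A matching parent tries its children first; its own action applies if none match."""
    for num, children in (TREE if tree is None else tree):
        if matches(RULES[num], pkt, groups):
            hit = evaluate(pkt, groups, children) if children else None
            return hit or (num, RULES[num]["action"])
    return None                         # not reached: 2000 is a catch-all

# Constructed packets as (in_iface, out_iface, src, dst, service): lan2 is the WAN port,
# 'local' is the router itself and 198.51.100.1 stands in for the ISP-assigned address.
CASES = {
    "lan_to_internet_http":   ("lan1", "lan2", "192.168.0.50", "192.0.2.80", "http"),
    "lan_to_router_gui":      ("lan1", "local", "192.168.0.50", "192.168.0.1", "http"),
    "internet_to_lan_ssh":    ("lan2", "lan1", "203.0.113.5", "192.168.0.50", "ssh"),
    "internet_to_router_ike": ("lan2", "local", "203.0.113.5", "198.51.100.1", "ike"),
    "internet_to_lan_pptp":   ("lan2", "lan1", "203.0.113.5", "192.168.0.50", "tcp/1723"),
    "vpn_peer_to_internet":   ("tunnel1", "lan2", "10.0.0.9", "192.0.2.80", "http"),
}

def run_examples(groups=SERVICE_GROUPS):
    keys = ("src_if", "dst_if", "src", "dst", "svc")
    return {name: evaluate(dict(zip(keys, vals)), groups) for name, vals in CASES.items()}

if __name__ == "__main__":
    for name, hit in run_examples().items():
        print(f"{name:24s} -> {hit}")
    print("internet_to_lan_pptp, PPTP opened ->", run_examples(OPENED_PPTP)["internet_to_lan_pptp"])
```

The vpn_peer_to_internet case is worth a look as well: a peer arriving over an IPsec tunnel can reach the LAN (1650) and the router (1640) but is rejected by 1660 before it can use the router as an exit to the Internet.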