I decided to replace the broadband router I use at home, so I won an IX2015 on Yahoo! Auctions. For the record: bank transfer late on the night of 2/4, missed-delivery notice on 2/7, picked up on the evening of 2/8. 10,245 yen including tax and shipping.
The IX2015 is a fanless, compact and fairly high-performance router made by NEC that is configured through a Cisco-like CLI (there is no configuration from a web browser at all).
It is rather overqualified for a personal broadband router, but it was cheap, so it will have to put up with the job.
The broadband router I had been using (BBR-4HG) goes into the closet as a spare.
My notes on the configuration follow. With NAPT in place there is probably no real need for this many filters, but...
≪Home LAN design≫
・Home server and main PC sit behind a 1000BASE-T L2 switch
・Isolate the segment that the NDSL and FON connect to, and block its access into the LAN
・Keep PPPoE sessions up to both the ISP and Flets Square at all times (Flets ADSL)
・Allocate a generous NAPT table size (around 30,000 for now?)
・Block the reverse-access connections to my HTTP server that come in when posting to Shitaraba
≪Network diagram≫
[Flets ADSL]
|
[modem]
|
|Fa0/0 Fa1/0[4portFE]
[IX2015]---------------[FON,DD-WRT]
|Fa0/1 (for FON/NDSL connections: 192.168.10.0/24)
|
[FXG-08IM(1000Base-T)](home server, PCs: 172.16.100.0/24)
≪Reference URLs≫
http://flets.com/square/routing.html
http://www.nec.co.jp/ixseries/ix2k3k/Support/flets/flets_square_e.html
http://www.nec.co.jp/ixseries/ix2k3k/Manual/index.html
http://www5d.biglobe.ne.jp/~stssk/rfc/rfc3330j.html
http://www.uinet.or.jp/~taka/network/ix2015.html
http://k-net.pinky.ne.jp/port.htm
http://www.microsoft.com/japan/technet/prodtechnol/winxppro/deploy/worki01.mspx
≪Basic device settings≫
hostname ix2015
username admin password plain adminpasswd administrator
ip access-list management permit ip src 172.16.100.0/24 dest any
ip access-list all-forward permit ip src any dest any
ip access-list nbt-block deny tcp src any sport any dest any dport range 137 139
ip access-list nbt-block deny udp src any sport any dest any dport range 137 139
ip access-list nbt-block deny tcp src any sport any dest any dport eq 445
ip access-list nbt-block deny udp src any sport any dest any dport eq 445
ip access-list specialuse deny ip src 0.0.0.0/8 dest any
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 172.16.0.0/12 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list specialuse deny ip src 127.0.0.0/8 dest any
ip access-list specialuse deny ip src 169.254.0.0/16 dest any
ip access-list specialuse deny ip src 192.0.2.0/24 dest any
ip access-list specialuse deny ip src 224.0.0.0/3 dest any
ip access-list drop_proxychk deny tcp src 218.41.48.139/32 sport any dest any dport eq 80
ip access-list guest-in deny ip src any dest 172.16.0.0/16
ip access-list guest-in permit ip src any dest any
telnet-server ip access-list management
telnet-server ip enable
snmp-agent ip community public management
snmp-agent ip enable
logging buffered 4096 cyclic
syslog ip host 172.16.100.1
ntp server 210.173.160.27
ntp server 210.173.160.57
ntp server 210.173.160.87
ntp interval 3600
ntp ip enable
dns cache enable
proxy-dns ip enable
proxy-dns ip query-interval 1
ip ufs-cache enable
ip ufs-cache max-entries 20000
ip dhcp profile dhcp_guest
assignable-range 192.168.10.201 192.168.10.220
subnet-mask 255.255.255.0
dns-server 192.168.10.254
ip dhcp profile dhcp_local
assignable-range 172.16.100.201 172.16.100.220
subnet-mask 255.255.255.0
dns-server 172.16.100.254
exit
ip dhcp enable
interface FastEthernet1/0.0
description GUEST
ip filter guest-in 100 in
ip address 192.168.10.254/24
ip dhcp binding dhcp_guest
no shutdown
interface FastEthernet0/1.0
description LOCAL-NET
ip address 172.16.100.254/24
ip dhcp binding dhcp_local
no shutdown
exit
≪ISP settings etc.≫
ppp profile internet
authentication myname hogehoge@hoge.ne.jp
authentication password hogehoge@hoge.ne.jp ISP-Password
interface FastEthernet0/0.1
description PPPoE_ISP
encapsulation pppoe
auto-connect
ppp binding internet
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip napt translation max-entries 30000
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter drop_proxychk 100 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
no shutdown
exit
ip route default FastEthernet0/0.1
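To check that a filter set like the one above actually does what the design bullets intend (guest segment cut off from 172.16.0.0/16, NetBIOS/SMB and private-source packets dropped on the ISP side, and every bound list really defined), here is an added Python example; it is not from the post and not NEC's code. It parses a constructed excerpt written in the same syntax, flags `ip filter` bindings that name a list that was never defined, and evaluates sample packets against each interface's chain. The excerpt deliberately misspells one list name (defined as `drop_prxychk`, bound as `drop_proxychk`) to show what the lint catches. First-match-in-priority-order evaluation and an implicit drop when nothing matches are assumptions inferred from the post's `all-forward` entry at priority 65000, not documented IX behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed excerpt in IX2015 syntax, modelled on the post. One list name is
# deliberately misspelled in its definition (drop_prxychk) and bound under
# another spelling (drop_proxychk) so the lint below has something to catch.
CONFIG = """\
ip access-list all-forward permit ip src any dest any
ip access-list nbt-block deny tcp src any sport any dest any dport range 137 139
ip access-list nbt-block deny udp src any sport any dest any dport range 137 139
ip access-list nbt-block deny tcp src any sport any dest any dport eq 445
ip access-list nbt-block deny udp src any sport any dest any dport eq 445
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 172.16.0.0/12 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list drop_prxychk deny tcp src 218.41.48.139/32 sport any dest any dport eq 80
ip access-list guest-in deny ip src any dest 172.16.0.0/16
ip access-list guest-in permit ip src any dest any
interface FastEthernet1/0.0
 ip filter guest-in 100 in
interface FastEthernet0/0.1
 ip filter nbt-block 10 in
 ip filter specialuse 20 in
 ip filter drop_proxychk 100 in
 ip filter all-forward 65000 in
"""

Port = Optional[Tuple[int, int]]  # None means "any"


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip", "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    sport: Port
    dst: Optional[ipaddress.IPv4Network]
    dport: Port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ports(tokens, i):
    """Parse 'any' | 'eq N' | 'range A B' starting at tokens[i]; return (range, next)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    raise ValueError(f"unexpected port spec: {tokens[i:]}")


def parse_config(text):
    """Return (access_lists, bindings): name -> [Rule] in definition order, and
    interface -> direction -> [(priority, list_name)] sorted by priority."""
    acls, bindings, iface = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "access-list"]:
            name, action, proto = t[2], t[3], t[4]
            f = {"src": None, "sport": None, "dest": None, "dport": None}
            i = 5
            while i < len(t):
                if t[i] in ("src", "dest"):
                    f[t[i]] = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1])
                    i += 2
                elif t[i] in ("sport", "dport"):
                    f[t[i]], i = _ports(t, i + 1)
                else:
                    raise ValueError(f"unknown keyword {t[i]!r} in: {raw}")
            acls.setdefault(name, []).append(
                Rule(action, proto, f["src"], f["sport"], f["dest"], f["dport"]))
        elif t[0] == "interface":
            iface = t[1]                      # later "ip filter" lines bind here
        elif t[:2] == ["ip", "filter"]:
            chain = bindings.setdefault(iface, {}).setdefault(t[4], [])
            chain.append((int(t[3]), t[2]))
            chain.sort()
    return acls, bindings


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    in_range = lambda rng, p: rng is None or rng[0] <= p <= rng[1]
    return in_range(rule.sport, pkt.sport) and in_range(rule.dport, pkt.dport)


def lint_bindings(acls, bindings):
    """Filter bindings that name an access-list which is never defined."""
    return [(iface, d, name) for iface, dirs in bindings.items()
            for d, chain in dirs.items() for _, name in chain if name not in acls]


def evaluate(acls, bindings, iface, direction, pkt):
    """Walk the chain in priority order; first matching entry decides (assumed).
    Stops and reports an undefined list rather than guessing how the box treats it."""
    for _, name in bindings.get(iface, {}).get(direction, []):
        if name not in acls:
            return f"undefined access-list {name}"
        for rule in acls[name]:
            if rule_matches(rule, pkt):
                return f"{rule.action} by {name}"
    return "drop (no match)"   # assumed implicit drop once a filter is bound
```

Run the lint before trusting any evaluation: a chain that references an undefined list is exactly the case where the box may silently do something other than what the config reads as, and the evaluator stops there on purpose instead of assuming either permit or deny.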
≪Flets Square settings≫
proxy-dns interface FastEthernet0/0.1 priority 200
ppp profile flets-square
authentication myname guest@flets
authentication password guest@flets guest
interface FastEthernet0/0.2
description PPPoE_FLETS-SQUARE
encapsulation pppoe
auto-connect
ppp binding flets-square
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
no shutdown
exit
ip route 220.210.194.0/25 FastEthernet0/0.2
ip route 220.210.195.0/26 FastEthernet0/0.2
ip route 220.210.195.64/26 FastEthernet0/0.2
ip route 220.210.197.0/25 FastEthernet0/0.2
ip route 220.210.199.32/27 FastEthernet0/0.2
ip route 220.210.199.200/29 FastEthernet0/0.2
ip route 220.210.199.160/27 FastEthernet0/0.2
ip route 220.210.199.192/27 FastEthernet0/0.2
ip route 220.210.196.0/25 FastEthernet0/0.2
ip route 220.210.196.128/26 FastEthernet0/0.2
ip route 220.210.199.64/28 FastEthernet0/0.2
ip route 220.210.198.0/26 FastEthernet0/0.2
ip route 220.210.199.144/28 FastEthernet0/0.2
≪Static NAPT≫
interface FastEthernet0/0.1
ip napt service http 172.16.100.1
ip napt service ping 172.16.100.1
ip napt service SSH 172.16.100.1 none tcp 22
ip napt service SMTP 172.16.100.1 none tcp 25
ip napt service SMTP-587 172.16.100.1 none tcp 587
ip napt service IMAP4-SSL 172.16.100.1 none tcp 993
ip napt service LimeCHAT_FT 172.16.100.10 none tcp 1096
ip napt service MSNMessenger_APWB 172.16.100.10 none tcp 1503
ip napt service MSNMessenger_FT 172.16.100.10 none tcp 6891-6900
≪QoS settings≫
class-map match-any ch_class1
match input-interface FastEthernet0/1.0 high
match local-generate-packet high
match any low
policy-map qos-policy1
class ch_class1
interface FastEthernet0/0.1
service-policy enable
service-policy output qos-policy1
exit
Continued in: I bought an IX2015 (2/2)