Comware

A hello to all!

I want to discuss here my new little small business project.

As mentioned in the title, - this thread is about the migration of the config of an old defective Comware 3 based 3Com OfficeConnect Gigabit VPN Firewall, 3CREVF100-73. I plan to migrate as a transitional solution to a gigabit upgraded 3Com MSR 20-20 (Comware 5) router. It is a provisional solution because that MSR router will be replaced sometimes this year with a HP MSR1002-4 AC (Comware 7) router (JG875A).

So I need some help in “porting” the old Comware 3 stuff which was implemented over Web UI. The migration from Comware 5 to Comware 7 should be no big problem. However, the translation of the old Comware 3 config to Comware 5 seems more tricky.

As mentioned, the original 3Com Gigabit Firewall Router is defunct. So no access is possible, what I have available is the config as XML file.

I was successful in setting up the MSR 20 router. So I have internet access with IPv4 and IPv6 firewall enabled. In the next step I want to implement the SIP VoIP server (FreePBX) network information.

Regarding the MSR 20 router, GigabitEthernet1/0 is WAN port 3 and connected over a gigabit link to a cable-modem. GigabitEthernet2/0 is the so called “WAN port 4” but acts effectively as the internal LAN port which is connected to the Gigabit Baseline Switch 2928.

The simple network topology looks as follow:

Update 01.05.2020

=> Seperation of FreePBX and Macmini Server into VLAN2

VLAN1

192.168.1.1 => 3Com MSR 20 router (will be replaced later through a HP MSR1002-4)

192.168.1.x => 3Com 4800G PoE switch (48 port) [not present in the test network environment]

192.168.1.x => 3Com Baseline Switch 2928 (16 port)

VLAN2

192.168.2.x => FreePBX Server (virtual)

The VoIP Server (CentOS 6.x based) runs as a virtual client under Mac OS X at:

192.168.2.x => Macmini Server

The main company clients (around five computers) are placed in the range above 192.168.1.50.

All mentioned main network devices and main clients belongs to VLAN1. The new config should implement totally three VLANs, every with his own DHCP. VLAN2 will be with around 20 clients (mainly VoIP phones) the “largest” one. VLAN3 contains the password protected guest WiFi SSID.

VLAN1 => 192.168.1.x

VLAN2 => 192.168.2.x

VLAN3 => 192.168.3.x

Update 02.07.2020:

The Comware 5 config is now mostly finished, see the "solution" for more information.

Hi Lorn10!

Looking at your further posts after this one I can see that you are progressing with your task to migrate the router, I even advised you on one ACL configuration question. I see one active topic here, let's clarify what remains.

As a potential candidate I see this question:

------------
According to the Comware 3 config file, the following ports must / should be reachable from the internet for the address 192.168.2.4:

"SIP" type="1" start-port="5060" finish-port="5060"/>
"RTP" type="1" start-port="10000" finish-port="20000"/>
"UDPTL" type="1" start-port="4000" finish-port="4999"/>

Furthermore I must define the corresponding LAN-WAN rules and the port triggering (to address 192.168.2.4). This seems at newer Comware versions quite different implemented.
------------

Do you still need help with this task?

Hi Ivan_B

Thanks for your response, - yes I am working on this and any help is welcome.

I have “outsourced” that last open point into a separate thread. I think this is more helpful also for other users.

https://community.hpe.com/t5/comware-based/acl-rule-example-for-sip-voip/td-p/7086878

SIP protocol has two implementations - over UDP (the most common one) and over TCP. Both use port 5060. For the RTP port mapping I suggest using NAT ALG for SIP that will dynamically scan SIP messages and allocate proper UDP ports for RTP communication:

system-view
#
nat alg sip
#
int Gi1/0
 nat server 1 protocol tcp global current-interface 5060 inside 192.168.2.4 5060
 nat server 2 protocol udp global current-interface 5060 inside 192.168.2.4 5060

Also, consider changing both IPv4 and IPv6 ACLs 2000 and delete " rule 10 deny" - it is not needed there. It does not cause any harm, it is just reduntant as it does nothing there - you permit everything with rule 0 and rule 10 will never match.

Many thanks Ivan_B

I have implemented the suggested changes. So far, that nice little config is working absolutely great!

There remains now only one last point, can someone confirm here that the MSR 20 router series is unable to bind an IP to a MAC address? According to different MSR manuals this should work, - maybe this is true only for higher class MSR routers. (At my old 3Com OfficeConnect Gigabit VPN Firewall this was possible.)

According to the HP A-MSR Layer 3 (c02659312-3) the steps are regarding my config:

system-view

dhcp server ip-pool vlan2 extended

static-bind ip-address 192.168.x.x mask 255.255.255.0

static-bind mac-address 0000-xxxx-xxxx

This results always in an % Unrecognized command found at '^' position error.

Also an alternative Comware command is not working, it ends up with the same message:

user-bind static ip-address 192.168.x.x mac-address 08:00:xx:xx:xx:xx

If that is really a limitation of the MSR 20 series, then I hope that the Comware 7 based HP MSR1002-4 has not the same restrictions.

Could you paste 'display version' output from your router, so I can check? 

Thanks!

The firmware should be the newest build from 2017:

<3Com MSR20>display version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2516P13, Standard
Copyright (c) 2004-2017 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C MSR20-20 uptime is 0 week, 1 day, 0 hour, 44 minutes
Last reboot 2020/05/05 15:49:22
System returned to ROM By <Reboot> Command.

CPU type: FREESCALE PowerPC 8248 400MHz
256M bytes SDRAM Memory
4M bytes Flash Memory
Pcb Version: 3.0
Logic Version: 3.0
Basic BootROM Version: 5.00
Extended BootROM Version: 5.00
[SLOT 0]CON (Hardware)3.0, (Driver)1.0, (Cpld)3.0
[SLOT 0]AUX (Hardware)3.0, (Driver)1.0, (Cpld)3.0
[SLOT 0]ETH0/0 (Hardware)3.0, (Driver)1.0, (Cpld)3.0
[SLOT 0]ETH0/1 (Hardware)3.0, (Driver)1.0, (Cpld)3.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0, (Driver)1.0, (Cpld)3.0
[SLOT 1]SIC-1GEC (Hardware)3.0, (Driver)1.0, (Cpld)2.4
[SLOT 2]SIC-1GEC (Hardware)3.0, (Driver)1.0, (Cpld)2.4

<3Com MSR20>

Extended address pools support dynamic address allocation only. Just use this one for dynamic IP address allocation and create additional common address pools - one per statically allocated address as the guide suggests - " A static binding is a special address pool containing only one IP address. " And do not forget to explicitly exclude statically allocated addresses from that extended address pool with "forbidden-ip" command, just to avoid clashes

Again many thanks Ivan_B for this explanation. I thought that the extended address pool could be the effective reason for that problem.

However, it works now PERFECTLY!

I had also to add at the client-binding pool the corresponding gateway-list and dns-list, - otherwise no Internet access was possible. I should mention that these special address pools work globally across the config. So it is not necessary to apply those to a specific interface. (In my case, that's not possible anyway because for whatever reason I can only bind extended address pools to my sub interfaces.)

dhcp server ip-pool 192.168.1.x

static-bind ip-address 192.168.1.x mask 255.255.255.0

static-bind mac-address xxxx-xxxx-xxxx

gateway-list 192.168.1.1

dns-list 8.8.8.8 8.8.4.4

#

dhcp server ip-pool 192.168.2.x

static-bind ip-address 192.168.2.x mask 255.255.255.0

static-bind mac-address xxxx-xxxx-xxxx

gateway-list 192.168.2.1

dns-list 8.8.8.8 8.8.4.4

All my static IP clients are below the 192.168.x.50 starting range of my DHCP servers. So in my situation the "forbidden-ip" command is not really necessary. Or should I exclude the static addresses despite this?

Whatever, I will update my config file and mark it as solution. As very last point I am trying to add regarding the VLAN2 a last ACL rule. I want to deny all clients above 192.168.2.50 the access to VLAN1.

Until now I was unfortunately not really successful….

If your extended pool is above .50 then forbidden-ip is not needed.

As for the ACL that should deny VLAN 2 -> VLAN 1 communication for source addresses above 192.168.2.50, it is possible, however we should play a little with wildcard mask and rules, because .50 is kind of a round number for you, not for your router, LOL. Since it counts in binary, .64 is much more round, but nevertheless - routers should serve humans, not vice versa.

I think following rules should block the communication for the host below .50 (including .50 as well) to the whole 192.168.1.0/24 subnet:

rule 10 deny ip source 192.168.2.0 0.0.0.31 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source 192.168.2.32 0.0.0.15 destination 192.168.1.0 0.0.0.255
rule 30 deny ip source 192.168.2.48 0.0.0.1 destination 192.168.1.0 0.0.0.255
rule 40 deny ip source 192.168.2.50 0.0.0.0 destination 192.168.1.0 0.0.0.255

If you do not need to block .50 address, just omit the rule 40.

In order to better understand the logic behind those numbers, try to experiment with those IPs and wildcard masks here - http://www.ip-calc.co.uk/wildcard.php You will see the range each IP-wildcard mask defines so you will see why for such "round" range as 0-50 we need not less than 4 rules. After that it will be easier to compose your own ACL rules.

Of course at the end of this ACL you should have:

rule 999 permit ip

in order to permit the rest of communication. 

Hope it helps!

Many thanks again Ivan_B for this GREAT explanation! Wildcards are definitely not my friends, - I was planing to allow all needed addresses individually with the “0.0.0.0” wildcard. So this would give me then around 50 permit entries and one deny (for the remaining "forbidden" part of the VLAN2 network.)

The following acl should block all address above (beyond) 192.168.2.49 from VLAN1. (Rule 60 is probably not needed because access to / from VLAN3 is already blocked in acl 3333.)

acl number 3334

rule 10 permit ip source 192.168.2.0 0.0.0.31 destination 192.168.1.0 0.0.0.255

rule 20 permit ip source 192.168.2.32 0.0.0.15 destination 192.168.1.0 0.0.0.255

rule 30 permit ip source 192.168.2.48 0.0.0.1 destination 192.168.1.0 0.0.0.255

rule 50 deny ip destination 192.168.1.0 0.0.0.255

rule 60 deny ip destination 192.168.3.0 0.0.0.255

rule 999 permit ip

Or an alternative rule config, - that one is somewhat more logical:

acl number 3334

rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 10 permit ip source 192.168.2.0 0.0.0.31 destination 192.168.1.0 0.0.0.255

rule 20 permit ip source 192.168.2.32 0.0.0.15 destination 192.168.1.0 0.0.0.255

rule 30 permit ip source 192.168.2.48 0.0.0.1 destination 192.168.1.0 0.0.0.255

rule 999 permit ip

Here follows my final Comware 5 config implementation. It corresponds to my old Comware 3 configuration and contains additionally some improvements.

It can be seen as a reference example for smaller business environments. A BIG THANKS goes to all which helped me, - especially Ivan_B, the HPE and Comware professional.

My Comware 7 based router has arrived in the meantime. So the next config migration project is scheduled for the near future....

Update 05.07.2020:
add Central European dalylight saving setting
add ACL 3010 to block remote access at port 22 (SSH), 80 (HTTP) and 443 (HTTPS) at the WAN interface
enable blacklist feature

[3Com MSR20]display current-config                           
#
 version 5.20, Release 2516P13, Standard
#
 sysname 3Com MSR20
#
 clock timezone Amsterdam add 01:00:00
 clock summer-time summer-time repeating 02:00:00 2020 March last Sunday 03:00:00 2020 October last Sunday  01:00:00
#
 firewall enable
#
 domain default enable system
#
 dns proxy enable
 dns server 8.8.8.8
 dns server 8.8.4.4
#
 telnet server enable
#
 firewall ipv6 enable
#
 password-recovery enable
#
 blacklist enable
#
acl number 2000
 step 1
 rule 0 permit  
#               
acl number 3010
 rule 5 deny tcp destination-port eq 22 logging
 rule 10 deny tcp destination-port eq www logging
 rule 15 deny tcp destination-port eq 443 logging
acl number 3333
 rule 10 deny ip destination 192.168.1.0 0.0.0.255
 rule 20 deny ip destination 192.168.2.0 0.0.0.255
 rule 100 permit ip
#               
acl ipv6 number 2000
 step 1         
 rule 0 permit  
#               
igmp-snooping   
#               
vlan 1          
#               
vlan 2 to 3     
#               
domain system   
 access-limit disable
 state active   
 idle-cut disable
 self-service-url disable
#               
dhcp server ip-pool 192.168.1.x
 static-bind ip-address 192.168.1.x mask 255.255.255.0
 static-bind mac-address xxxx-xxxx-xxxx
 gateway-list 192.168.1.1
 dns-list 8.8.8.8 8.8.4.4
#               
dhcp server ip-pool 192.168.2.x
 static-bind ip-address 192.168.2.x mask 255.255.255.0
 static-bind mac-address xxxx-xxxx-xxxx
 gateway-list 192.168.2.1
 dns-list 8.8.8.8 8.8.4.4               
#               
dhcp server ip-pool vlan1 extended
 network ip range 192.168.1.50 192.168.1.200
 network mask 255.255.255.0
 gateway-list 192.168.1.1
 dns-list 8.8.8.8 8.8.4.4
#               
dhcp server ip-pool vlan2 extended
 network ip range 192.168.2.50 192.168.2.200
 network mask 255.255.255.0
 gateway-list 192.168.2.1
 dns-list 8.8.8.8 8.8.4.4
#               
dhcp server ip-pool vlan3 extended
 network ip range 192.168.3.50 192.168.3.200
 network mask 255.255.255.0
 gateway-list 192.168.3.1
 dns-list 8.8.8.8 8.8.4.4
#               
user-group system
 group-attribute allow-guest
#               
local-user admin
 password cipher $c$3$/xyz
 authorization-attribute level 3
 service-type ssh telnet terminal
 service-type web
#               
interface Aux0  
 async mode flow
 link-protocol ppp
#               
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#               
interface Ethernet0/0
 port link-mode route
 nat outbound 2000
 rip version 2 multicast
 ip address dhcp-alloc
#               
interface Ethernet0/1
 port link-mode route
 rip version 2 multicast
#               
interface NULL0 
#               
interface Vlan-interface1
 rip version 2 multicast
#               
interface Vlan-interface2
 rip version 2 multicast
#               
interface GigabitEthernet1/0
 port link-mode route
 firewall packet-filter 3010 inbound
 nat outbound 2000
 nat server 1 protocol tcp global current-interface 5060 inside 192.168.x.x 5060
 nat server 2 protocol udp global current-interface 5060 inside 192.168.x.x 5060
 nat server 3 protocol tcp global current-interface 5061 inside 192.168.x.x 5061
 nat server 4 protocol udp global current-interface 5061 inside 192.168.x.x 5061
 rip version 2 multicast
 ip address dhcp-alloc
#               
interface GigabitEthernet2/0
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
 rip version 2 multicast
 dhcp server apply ip-pool vlan1
#               
interface GigabitEthernet2/0.2
 vlan-type dot1q vid 2
 ip address 192.168.2.1 255.255.255.0
 dhcp server apply ip-pool vlan2
#               
interface GigabitEthernet2/0.3
 vlan-type dot1q vid 3
 firewall packet-filter 3333 inbound
 ip address 192.168.3.1 255.255.255.0
 dhcp server apply ip-pool vlan3
#               
 ip route-static 0.0.0.0 0.0.0.0 x.x.x.x
#               
 dhcp enable    
#               
 ntp-service source-interface Vlan-interfaceX
 ntp-service unicast-server x.x.x.x
#               
 ssh server enable
#               
 load xml-configuration
#               
 load tr069-configuration
#               
user-interface con 0
user-interface tty 13
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#               
return          
[3Com MSR20]