Huawei AR-series router configuration

As a non-professional network administrator, I am recording my Huawei router configuration here.

Basic requirements:

  1. Dual WAN (fixed IP + PPPoE dial-up)
  2. VPN
  3. Internal DNS
  4. Route splitting for certain destination IPs

Network layout: two optical modems (ONTs), each connected to one of two router ports; one more port serves as the LAN.

1. Dual-WAN configuration

# Related access control lists
acl number 3001  
 rule 5 permit udp source-port eq 1701 
acl number 3002  
 rule 5 permit ip destination 192.168.1.0 0.0.0.255 
acl number 3003  
 rule 5 permit udp source-port eq 1701 
acl number 3005  
 rule 5 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0 
acl number 3008  
 rule 5 permit ip source 118.31.19.58 0 
acl number 3009  
 rule 5 permit ip source 192.168.1.0 0.0.0.255 
acl number 3100  
 rule 0 permit ip destination 49.65.0.135 0 
 rule 1 permit ip destination 220.181.38.251 0 
 rule 5 permit ip destination 221.226.86.168 0 
 rule 6 permit ip destination 180.96.13.210 0 
acl number 3101  
 rule 5 deny ip source 45.92.161.0 0.0.0.255 
 rule 10 deny ip source 185.153.180.0 0.0.0.255 
 rule 15 deny ip source 185.153.180.198 0 
 rule 100 permit ip 
#
acl name disable 4999  
 rule 5 deny source-mac ac9e-1782-569d
 rule 10 permit

dialer-rule
 dialer-rule 1 ip permit
interface Dialer1  # PPPoE dial-up interface
 link-protocol ppp
 ppp chap user jt01118@ct
 ppp chap password cipher %^%#41Pi@+[mh2D`}LHf&xC38:)RWhq1&70l#NBt~|G%%^%#
 ppp pap local-user jt01118@ct password cipher %^%#41Pi@+[mh2D`}LHf&xC38:)RWhq1&70l#NBt~|G%%^%#
 tcp adjust-mss 1200
 ip address ppp-negotiate
 dialer user arweb
 dialer bundle 1
 dialer-group 1
 nat outbound 2998 

# LAN and DHCP
interface Vlanif1
 ip address 192.168.1.1 255.255.255.0
 traffic-policy xuanlu inbound
 dhcp select interface
 dhcp server excluded-ip-address 192.168.1.2 192.168.1.40 
 dhcp server excluded-ip-address 192.168.1.240 192.168.1.254 
 dhcp server dns-list 192.168.1.1 

interface GigabitEthernet0/0/0
 undo port hybrid vlan 1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
# Port 3: PPPoE dial-up
interface GigabitEthernet0/0/3
 undo portswitch
 pppoe-client dial-bundle-number 1 

# Port 4: leased line, with static NAT publishing internal services
interface GigabitEthernet0/0/4
 tcp adjust-mss 1200
 ip address X.X.X.X 255.255.255.248
 nat static protocol tcp global current-interface www inside 192.168.1.X www netmask 255.255.255.255
 nat static protocol tcp global current-interface pop3 inside 192.168.1.X pop3 netmask 255.255.255.255
 nat static protocol tcp global current-interface 143 inside 192.168.1.X 143 netmask 255.255.255.255
 nat static protocol tcp global current-interface 465 inside 192.168.1.X 465 netmask 255.255.255.255
 nat static protocol tcp global current-interface 2222 inside 192.168.1.X 22 netmask 255.255.255.255
 nat static protocol tcp global current-interface 2221 inside 192.168.1.X 22 netmask 255.255.255.255
 nat static protocol tcp global current-interface 587 inside 192.168.1.X 587 netmask 255.255.255.255
 nat static protocol tcp global current-interface 993 inside 192.168.1.X 993 netmask 255.255.255.255
 nat static protocol tcp global current-interface 4190 inside 192.168.1.X 4190 netmask 255.255.255.255
 nat static protocol tcp global current-interface 995 inside 192.168.1.X 995 netmask 255.255.255.255
 nat static protocol tcp global current-interface 3389 inside 192.168.1.X 3389 netmask 255.255.255.255
 nat static protocol tcp global interface GigabitEthernet 0/0/4 smtp inside 192.168.1.X smtp netmask 255.255.255.255
 nat static protocol tcp global current-interface 31280 inside 192.168.1.X 3128 netmask 255.255.255.255 acl 3008
 nat outbound 2999 
 traffic-filter inbound acl 3101 # traffic-split test
 ipsec policy l2tp # IPsec for the L2TP VPN

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/4 180.169.120.217
ip route-static 0.0.0.0 0.0.0.0 Dialer1

2. Route selection policy

#
traffic classifier lianlu2 operator or
 if-match acl 3100
traffic classifier disable operator or
 if-match acl disable
traffic classifier lan2lan operator or
 if-match acl 3002
#
traffic behavior lianlu2
 redirect ip-nexthop 180.169.120.217
traffic behavior disable
traffic behavior lan2lan
#
traffic policy xuanlu
 classifier lan2lan behavior lan2lan precedence 5
 classifier lianlu2 behavior lianlu2 precedence 10
traffic policy SAC_manager
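To see how the wildcard-mask ACLs from section 1 and the precedence-ordered classifiers of the xuanlu policy together decide which destinations are redirected to the leased-line next hop, here is an added Python example (not the page's own configuration or any Huawei tool). It assumes VRP's first-match semantics: a packet is handled only by the lowest-precedence classifier it matches, and an ACL's first matching rule decides.

```python
import ipaddress
import re
# ACL 3002, ACL 3100 and the "xuanlu" policy from the page's config, embedded
# here as constructed sample input so the script runs offline.
VRP_CONFIG = """\
acl number 3002
 rule 5 permit ip destination 192.168.1.0 0.0.0.255
acl number 3100
 rule 0 permit ip destination 49.65.0.135 0
 rule 1 permit ip destination 220.181.38.251 0
 rule 5 permit ip destination 221.226.86.168 0
 rule 6 permit ip destination 180.96.13.210 0
"""
# traffic policy xuanlu as (precedence, acl, redirect ip-nexthop or None);
# behavior lan2lan is empty, so LAN-to-LAN traffic keeps normal routing.
XUANLU_POLICY = [(5, 3002, None), (10, 3100, "180.169.120.217")]
RULE_RE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+))?"
                     r"(?: destination (\S+) (\S+))?$")

def parse_acls(text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("acl number "):
            current = int(line.split()[2])
            acls[current] = []
        elif current is not None and (m := RULE_RE.match(line.strip())):
            acls[current].append(m.groups())
    return acls

def wildcard_match(addr, base, wildcard):
    """VRP wildcard masks are inverted (1 bit = don't care); a bare '0' means host."""
    wc = "0.0.0.0" if wildcard == "0" else wildcard
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    return (a | w) == (b | w)

def acl_permits(rules, src, dst):
    """First matching rule wins; an absent source/destination clause matches any."""
    for action, s, s_wc, d, d_wc in rules:
        if (s is None or wildcard_match(src, s, s_wc)) and (
                d is None or wildcard_match(dst, d, d_wc)):
            return action == "permit"
    return False  # no rule matched, so the classifier does not match either

def select_nexthop(acls, policy, src, dst):
    """Lowest precedence wins; return the redirect next hop or None (normal routing)."""
    for _, acl, nexthop in sorted(policy, key=lambda p: p[0]):
        if acl_permits(acls.get(acl, []), src, dst):
            return nexthop
    return None
```

With this, a LAN host reaching 49.65.0.135 is steered to 180.169.120.217 (the GigabitEthernet0/0/4 leased line), while LAN-to-LAN and other Internet traffic follow the routing table.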

3. L2TP over IPsec

The following configuration works for macOS clients.

ipsec proposal l2tp
 encapsulation-mode transport
 esp authentication-algorithm sha1 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer l2tp
 undo version 2
 pre-shared-key cipher %^%#BI+)6SJXHB=.$D5Fq4*YD3[x<kj,v;y29<#P"~rC%^%#
 ike-proposal 1
#
ipsec policy-template l2tp_PT 1
 security acl 3003
 ike-peer l2tp
 proposal l2tp
#
ipsec policy l2tp 1 isakmp template l2tp_PT

ip pool l2tpLns1
 gateway-list 10.1.1.1 
 network 10.1.1.0 mask 255.255.255.0 

aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user root password irreversible-cipher $1a$K.uCW(:jm:$vX:'WUK\dS&rWY&/W9>:^@qo$^@=<6j40H:sw[g!$
 local-user root privilege level 15
 local-user root service-type telnet terminal ssh ftp x25-pad http
 local-user admin password irreversible-cipher $1a$!C}0Q:KtK*$,U`Q%)EX{>kZpb+$DUj'D~{iK>^8-)<kyS-9gdL"$
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh ftp http
 local-user lokie password cipher %^%#Gj"='ZT2,MAEiK*x]=}Dl<qU)RbYBS9aJ90r1P[5%^%#
 local-user lokie privilege level 0
 local-user lokie service-type ppp
#

4. Internal DNS

ip host mup007.5imakeup.com 192.168.1.14
