Contents

6 Accessing the Internet Using One Interface

6.1 CLI: Example for Accessing the Internet Using a Static IPv4 Address
6.2 CLI: Example for Accessing the Internet Using IPv4 PPPoE
6.3 CLI: Example for Accessing the Internet Using DHCP
6.4 CLI: Example for Configuring a 4G LTE Cellular Interface as the Primary Interface to Connect to the Internet

6 Accessing the Internet Using One Interface

 6.1 CLI: Example for Accessing the Internet Using a Static IPv4 Address
A FW is assigned a static IPv4 address to access the Internet and provides access services for intranet users.

 6.2 CLI: Example for Accessing the Internet Using IPv4 PPPoE
This section provides an example for configuring the device, working as a PPPoE client, to obtain an IP address by
dialing a carrier server through PPPoE and then to access the Internet.

 6.3 CLI: Example for Accessing the Internet Using DHCP

This section provides an example for configuring a FW as a DHCP client that applies for an IPv4 address to access
the Internet.

 6.4 CLI: Example for Configuring a 4G LTE Cellular Interface as the Primary Interface to Connect to the
Internet

6.1 CLI: Example for Accessing the Internet Using a Static IPv4
Address
A FW is assigned a static IPv4 address to access the Internet and provides access services for intranet users.

Networking Requirements
An enterprise deploys a FW as a security gateway on the network shown in Figure 6-1 and purchases broadband services
from an ISP.
The networking requirements are as follows:
 Intranet PCs communicate with each other using addresses on the network segment 10.3.0.0/24.
The FWallocates private network addresses and a DNS server address to the PCs.
 Intranet PCs are able to access the Internet.
Figure 6-1 Ethernet link connecting intranet PCs to the Internet

The following information is used as an example. Obtain the desired service information from your local ISP.
Table 6-1 Parameters provided by an ISP

Item Data Description

Enterprise address 1.1.1.1/24 Public network address that the ISP assigns to the
enterprise

Default gateway address 1.1.1.254 Provided by the ISP

DNS server address 9.9.9.9 Provided by the ISP

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces and add the interfaces to security zones. Set the default gateway address to
1.1.1.254 for GigabitEthernet 1/0/1.
2. Configure the DHCP server function on the FW to allocate IP addresses and a DNS server address to intranet
PCs.
3. Configure security policies to allow PCs to access the Internet.
4. Configure NAT policies for source address translation. As the FW translates private addresses into a fixed
public network address that is assigned by the ISP, easy-IP is used to simplify the configuration.

Procedure
1. Set the IP addresses of the interfaces, and then assign the interfaces to security zones.
2. <FW> system-view
3. [FW] interface GigabitEthernet 1/0/1
4. [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
5. [FW-GigabitEthernet1/0/1] quit
6. [FW] interface GigabitEthernet 1/0/3
7. [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
8. [FW-GigabitEthernet1/0/3] quit
9. [FW] firewall zone untrust
10. [FW-zone-untrust] add interface GigabitEthernet 1/0/1
11. [FW-zone-untrust] quit
12. [FW] firewall zone trust
13. [FW-zone-trust] add interface GigabitEthernet 1/0/3
14. [FW-zone-trust] quit

15. Configure the FW as a DHCPv4 Server.

# Enable the DHCP function.
 [FW] dhcp enable

# Create an interface address pool and specify the default gateway IP address and the DNS server address for
PCs on the intranet.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.254
[FW-GigabitEthernet1/0/3] dhcp server dns-list 9.9.9.9
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit

16. Configure a security policy allowing PCs on the intranet to access the Internet.
17. [FW] security-policy
18. [FW-security-policy] rule name policy_sec_1
19. [FW-security-policy-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
20. [FW-security-policy-sec_policy_1] source-zone trust
21. [FW-security-policy-sec_policy_1] destination-zone untrust
22. [FW-security-policy-sec_policy_1] action permit
23. [FW-security-policy-sec_policy_1] quit
[FW-security-policy] quit

24. Configure a NAT policy allowing PCs on the intranet to access the Internet by using the public IP address
derived from network address translation.
25. [FW] nat-policy
26. [FW-policy-nat] rule name policy_nat_1
27. [FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
28. [FW-policy-nat-rule-policy_nat_1] source-zone trust
29. [FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
30. [FW-policy-nat-rule-policy_nat_1] action nat easy-ip
31. [FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit

32. Configure the default route whose next hop IP address is 1.1.1.254.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

Configuration Verification
1. View details about GigabitEthernet 1/0/1 and check whether interface GigabitEthernet 1/0/1 has obtained a
public IP address and both the physical and IPv4 states are Up.
2. [FW] display interface GigabitEthernet 1/0/1
3. GigabitEthernet 1/0/1 current state : UP
4. Line protocol current state : UP
5. GigabitEthernet 1/0/1 current firewall zone : untrust
6. Description : GigabitEthernet 1/0/1 Interface, Route Port
7. The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
8. Internet Address is 1.1.1.1/24
9. IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-a101
10. Media type is twisted pair, loopback not set, promiscuous mode not set
11. 100Mb/s-speed mode, full-duplex mode, link type is auto negotiation
12. max-bandwidth : 100000 Kbps
13. Last physical up time : -
14. Last physical down time : 2015-05-07 20:33:13
15. Current system time: 2015-05-11 10:08:18
16. Max input bit rate:528530448 bits/sec at 2015-05-07 12:53:46
17. Max output bit rate:5280418 bits/sec at 2015-05-07 12:54:26
18. Max input packet rate:750753 packets/sec at 2015-05-07 22:43:46
19. Max output packet rate:7843 packets/sec at 2015-05-07 22:53:58
 20. Last 300 seconds input rate 8 bytes/sec, 0 packets/sec
21. Last 300 seconds output rate 8 bytes/sec, 0 packets/sec
22. Input: 1149 packets, 99478 bytes
23. 12 unicasts, 4 broadcasts, 1133 multicasts, 0 pauses
24. 0 overruns, 0 runts, 0 jumbos, 0 FCS errors
25. 0 length errors, 0 code errors, 0 align errors
26. 0 fragment errors, 0 giants, 0 jabber errors
27. 0 dribble condition detected, 0 other errors
28. Output: 1104 packets, 94646 bytes
29. 7 unicasts, 10 broadcasts, 1087 multicasts, 0 pauses
30. 0 underruns, 0 runts, 0 jumbos, 0 FCS errors
31. 0 fragment errors, 0 giants, 0 jabber errors
32. 0 collisions, 0 late collisions
33. 0 ex. collisions, 0 deferred, 0 other errors

34. Run the ipconfig/all command on a PC to verify that the PC has obtained a valid IP address and DNS address.
The following example uses a PC running Windows XP. The actual command output may vary.
35. Ethernet adapter Local Area Connection:
36.
37. Connection-specific DNS Suffix . :
38. Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network
Connection
39. Physical Address. . . . . . . . . : 00-1B-21-B4-0B-35
40. Dhcp Enabled. . . . . . . . . . . : Yes
41. Autoconfiguration Enabled . . . . : Yes
42. IP Address. . . . . . . . . . . . : 10.3.0.2
43. Subnet Mask . . . . . . . . . . . : 255.255.255.0
44. Default Gateway . . . . . . . . . : 10.3.0.1
45. DHCP Server . . . . . . . . . . . : 10.3.0.1
46. DNS Servers . . . . . . . . . . . : 9.9.9.9
47. Lease Obtained. . . . . . . . . . : Tuesday, December 6, 2011, 05:58:28
AM
Lease Expires . . . . . . . . . . : Friday, December 16, 2011, 05:58:28 AM

48. Check whether an intranet PC can access a domain name on the Internet. If the PC can access the Internet, the
configuration is successful. If the PC fails to access the Internet, modify the configuration and try again.

Configuration Script
#
dhcp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return

6.2 CLI: Example for Accessing the Internet Using IPv4 PPPoE
This section provides an example for configuring the device, working as a PPPoE client, to obtain an IP address by
dialing a carrier server through PPPoE and then to access the Internet.

Networking Requirements
As shown in Figure 6-2, FW provides an Internet egress for PCs on the LAN. The company network is planned as
follows:
 All PCs on the LAN are deployed on network segment 10.1.1.0/24, and they dynamically obtain IP addresses
through DHCP.
 The device connects to all company PCs over the downstream link.
 The device applies for Internet service from the carrier over the upstream link. The Internet access service is
provided using the PPPoE protocol.
According to the previous requirements, specify the FW as a PPPoE client. After the client obtains IP and DNS
addresses from the carrier server, intranet users can access the Internet.
Figure 6-2 Networking diagram of accessing the Internet through PPPoE

In this example, the information provided by the carrier is used only for reference.

Data Description

Interface number: GigabitEthernet 1/0/1 The device obtains IP and DNS addresses from the PPPoE server
(deployed by the carrier) through dial-up.
 Data Description

Security zone: Uuntrust  Dial-up user name: user

 Dial-up password: password

Interface number: GigabitEthernet 1/0/3 DHCP is used to dynamically assign IP addresses to PCs on the LAN.
IP address: 10.3.0.1/24
Security zone: Trust

Configuration Roadmap
1. Configure the downstream link.
Enable DHCP server on the GigabitEthernet 1/0/3 interface so that it dynamically assigns IP addresses to PCs,
and specify the IP address of the GigabitEthernet 1/0/3 interface as the gateway and DNS server addresses for
the PCs.
PCs typically require domain name resolution to access the Internet. For this reason, a DNS server must be
specified. In this example, FW works as a DNS relay.
2. Configure the upstream link and use PPPoE to obtain IP and DNS addresses.
3. Add the interfaces into security zones and configure security policies.
Add the interface connected to the LAN to a high-priority security zone (Trust zone), and the upstream
interface connected to the Internet to a low-priority security zone (Untrust zone).
4. The IP addresses used on LANs are private IP addresses, which are converted by NAT to public IP addresses
for Internet access if needed. In this example, the upstream interface obtains its IP address by dial-up. The IP
address obtained may vary for each dial-up connection. Therefore, easy IP is recommended.

Procedure
1. Configure the IP address of the interface GigabitEthernet 1/0/3.
2. <FW> system-view
3. [FW] interface GigabitEthernet 1/0/3
4. [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
5. [FW-GigabitEthernet1/0/3] quit

6. Assign the interfaces to the security zones.

7. [FW] firewall zone untrust
8. [FW-zone-untrust] add interface GigabitEthernet 1/0/1
9. [FW-zone-untrust] quit
10. [FW] firewall zone trust
11. [FW-zone-trust] add interface GigabitEthernet 1/0/3
12. [FW-zone-trust] quit

13. Configure the device as a DHCP server to assign IP addresses to PCs on the LAN.
# Enable the DHCP function.
[FW] dhcp enable

# Create an interface address pool on the interface and specify the DNS server for the intranet PCs.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.254
[FW-GigabitEthernet1/0/3] dhcp server dns-list 9.9.9.9
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
 [FW-GigabitEthernet1/0/3] quit

14. Configure interface GigabitEthernet 1/0/1 so that it obtains IP and DNS addresses using PPPoE.
15. [FW] dialer-rule 1 ip permit
16. [FW] interface Dialer 1
17. [FW-Dialer1] link-protocol ppp
18. [FW-Dialer1] dialer user user
19. [FW-Dialer1] ip address ppp-negotiate
20. [FW-Dialer1] ppp ipcp dns admit-any
21. [FW-Dialer1] dialer-group 1
22. [FW-Dialer1] dialer bundle 1
23. [FW-Dialer1] ppp pap local-user user password cipher password
24. [FW-Dialer1] quit
25. [FW] firewall zone untrust
26. [FW-zone-untrust] add interface Dialer 1
27. [FW-zone-untrust] quit
28. [FW] interface GigabitEthernet 1/0/1
29. [FW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4
[FW-GigabitEthernet1/0/1] quit

30. Configure a security policy to allow intranet PCs to access the Internet.
31. [FW] security-policy
32. [FW-security-policy] rule name policy_sec_1
33. [FW-security-policy-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.0
34. [FW-security-policy-policy_sec_1] source-zone trust
35. [FW-security-policy-policy_sec_1] destination-zone untrust
36. [FW-security-policy-policy_sec_1] action permit
37. [FW-security-policy-policy_sec_1] quit
[FW-security-policy] quit

38. Configure a NAT policy to allow intranet users to access the Internet.
39. [FW] nat-policy
40. [FW-policy-nat] rule name policy_nat_1
41. [FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
42. [FW-policy-nat-rule-policy_nat_1] source-zone trust
43. [FW-policy-nat-rule-policy_nat_1] egress-interface dialer 1
44. [FW-policy-nat-rule-policy_nat_1] action nat easy-ip
45. [FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit

46. Configure a default route to ensure that the LAN users are routable to the Internet. The next hop is the
gateway address assigned by the carrier to the enterprise.
[FW] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

Verification
1. Display the detailed information of GigabitEthernet 1/0/1 and check whether the physical status and IPv4
status of the interface is Up.
2. [FW] display interface GigabitEthernet 1/0/1
3. GigabitEthernet 1/0/1 current state : UP
4. Line protocol current state : UP
5. GigabitEthernet 1/0/1 current firewall zone : untrust
6. Description : GigabitEthernet 1/0/1 Interface, Route Port
7. The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
8. Internet Address is 1.1.1.1/24
9. IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-a101
10. Media type is twisted pair, loopback not set, promiscuous mode not set
11. 100Mb/s-speed mode, full-duplex mode, link type is auto negotiation
12. max-bandwidth : 100000 Kbps
13. Max input bit rate:528530448 bits/sec at 2015-05-07 12:53:46
14. Max output bit rate:5280418 bits/sec at 2015-05-07 12:54:26
15. Max input packet rate:750753 packets/sec at 2015-05-07 22:43:46
16. Max output packet rate:7843 packets/sec at 2015-05-07 22:53:58
17. Last 300 seconds input rate 8 bytes/sec, 0 packets/sec
18. Last 300 seconds output rate 8 bytes/sec, 0 packets/sec
19. Input: 1149 packets, 99478 bytes
20. 12 unicasts, 4 broadcasts, 1133 multicasts, 0 pauses
21. 0 overruns, 0 runts, 0 jumbos, 0 FCS errors
22. 0 length errors, 0 code errors, 0 align errors
23. 0 fragment errors, 0 giants, 0 jabber errors
24. 0 dribble condition detected, 0 other errors
25. Output: 1104 packets, 94646 bytes
26. 7 unicasts, 10 broadcasts, 1087 multicasts, 0 pauses
27. 0 underruns, 0 runts, 0 jumbos, 0 FCS errors
28. 0 fragment errors, 0 giants, 0 jabber errors
29. 0 collisions, 0 late collisions
30. 0 ex. collisions, 0 deferred, 0 other errors

31. Check whether the PPPoE status of FW is Up. Check whether the value of the PPPoE session output packets
(OutP) is non-0.
32. [FW] display pppoe-client session summary
33. PPPoE Client Session:
34. ID Bundle Dialer Intf Client-MAC Server-MAC State
35. 0 1 1 GE1/0/1 00e0fc0254f3 00049a23b050 PPPUP
36. [FW] display pppoe-client session packet
37. 17:17:05 2015/11/28
38. PPPoE Client Session:
39. ID InP InO InD OutP OutO OutD
40. 0 0 0 0 254 7620 0

41. On a LAN PC, run the ipconfig/all command to check whether the private IP and DNS addresses have been
correctly configured for the network adapter. The following uses Windows XP as an example.
42. Ethernet adapter Local:
43.
44. Connection-specific DNS Suffix . :
45. Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network
Connection
46. Physical Address. . . . . . . . . : 00-1B-21-B4-0B-35
47. Dhcp Enabled. . . . . . . . . . . : Yes
48. Autoconfiguration Enabled . . . . : Yes
49. IP Address. . . . . . . . . . . . : 10.3.0.3
50. Subnet Mask . . . . . . . . . . . : 255.255.255.0
51. Default Gateway . . . . . . . . . : 10.3.0.1
52. DHCP Server . . . . . . . . . . . : 10.3.0.1
53. DNS Servers . . . . . . . . . . . : 9.9.9.9
54. Lease Obtained. . . . . . . . . . : 2012-8-2 9:38:14
Lease Expires . . . . . . . . . . : 2012-8-13 9:38:14

55. Check whether LAN PCs can access domain names on the Internet. If so, the configurations are correct. If not,
check and correct the configurations.
Configuration Script
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 24
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
dhcp enable
#
interface Dialer1
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp pap local-user user password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
dialer-group 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
source-address 10.3.0.0 24
egress-interface dialer 1
action nat easy-ip
#
return
6.3 CLI: Example for Accessing the Internet Using DHCP
This section provides an example for configuring a FW as a DHCP client that applies for an IPv4 address to access the
Internet.

Applicable Products
USG6000

Networking Requirements
Figure 6-3 shows that a FW functions as an egress gateway and connect PCs in an intranet to the Internet. The network
plan is as follows:
 An administrator manually specifies an IPv4 address for each PC on the network segment 10.3.0.0/24.
 An interface with a static IPv4 address connects the FW to the intranet.
 Another interface on the FW that functions as a DHCP client applies for a client IPv4 address and a DNS server
IP address from a DHCP server and connects the intranet to the Internet.
Figure 6-3 Networking diagram for accessing the Internet using DHCP

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on GigabitEthernet 1/0/1 of the FW to obtain a client IPv4 address and a
DNS server address from a DHCP server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3 that connects the FW to the intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the FW.
4. Set the IP address of the gateway and the DNS server to 10.3.0.1. This example provides the configuration
procedure on the FW. The configuration procedure for the PCs is not provided here.

NOTE:
After the FW obtains an IPv4 address from a DHCP server, the DHCP server issues a default route to the FW that function as a DHCP client.
The next hop of the default route is a carrier device. Therefore, it is not necessary to configure a default route.

Procedure
1. Set the IP address of the interface and assign the interface to a security zone.
2. <FW> system-view
3. [FW] interface GigabitEthernet 1/0/3
4. [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
5. [FW-GigabitEthernet1/0/3] quit
6. [FW] firewall zone trust
7. [FW-zone-trust] add interface GigabitEthernet 1/0/3
8. [FW] firewall zone untrust
9. [FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit

10. Configure the DNS proxy function.

11. [FW] dns proxy enable
12. [FW] dns resolve
[FW] dns server unnumbered interface GigabitEthernet1/0/1

13. Configure GigabitEthernet 1/0/1 as a DHCP client.

14. [FW] interface GigabitEthernet 1/0/1
15. [FW-GigabitEthernet1/0/1] ip address dhcp-alloc
[FW-GigabitEthernet1/0/1] quit

16. Configure a security policy to allow the PCs to access the Internet.
17. [FW] security-policy
18. [FW-security-policy] rule name policy_sec_1
19. [FW-security-policy-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
20. [FW-security-policy-sec_policy_1] source-zone trust
21. [FW-security-policy-sec_policy_1] destination-zone untrust
22. [FW-security-policy-sec_policy_1] action permit
23. [FW-security-policy-sec_policy_1] quit
[FW-security-policy] quit

24. Configure a NAT policy to translate private network IP addresses into public network IP addresses before PCs
access the Internet.
25. [FW] nat-policy
26. [FW-policy-nat] rule name policy_nat_1
27. [FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
28. [FW-policy-nat-rule-policy_nat_1] source-zone trust
29. [FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
30. [FW-policy-nat-rule-policy_nat_1] action nat easy-ip
31. [FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up, the connection type is
DHCP, and the interface obtained an IPv4 address.
 2. Check whether the PC on the intranet can access domain names on the Internet. If the PC can access the
Internet, the configuration is successful. If the PC fails to access the Internet, modify the configuration and try
again.

Configuration Script
#
dns resolve
dns server unnumbered interface GigabitEthernet1/0/1
#
dns proxy enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address dhcp-alloc
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 preference 245
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return

6.4 CLI: Example for Configuring a 4G LTE Cellular Interface as the

Primary Interface to Connect to the Internet
Applicable Products
USG6000

Networking Requirements
A remote branch of the enterprise needs to exchange large volumes of service traffic with external networks, but it
cannot obtain the wired WAN access service. As shown in Figure 6-4, the branch uses the FW as the egress gateway and
uses a 4G LTE cellular interface to connect to the Internet through the 4G LTE network, meeting service transmission
requirements.
The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10. The branch requires that
the FW should assign IP addresses to branch intranet users and the users access external networks.
The branch has subscribed to the service of 30 Gbit/s bandwidth and connects to the Internet in dial-on-demand mode.
The branch obtains the following information from the carrier:
 APN: ltenet
 Dialer number: *99#
Figure 6-4 Networking diagram of configuring a 4G LTE cellular interface as the primary interface to connect to the Internet

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure to assign the 4G LTE cellular interface to the security zone.
2. Set the connection parameters of the 4G LTE cellular interface.
3. Configure C-DCC for dial-up connection so that the 4G LTE cellular interface can connect to the 4G LTE
network.
4. Configure the enterprise intranet and configure the FW to assign IP addresses to branch intranet users.
5. Configure the security policies and the NAT policies of Easy-IP mode to allow branch intranet users to access
external networks.
6. Configure a default route and specify the 4G LTE cellular interface as the outbound interface so that traffic
from the branch intranet is forwarded to the Internet through the 4G LTE cellular interface.

Procedure
1. Assign the interfaces to the security zones.
2. <FW> system-view
3. [FW] firewall zone untrust
4. [FW-zone-untrust] add interface cellular 0/0/0
5. [FW-zone-untrust] quit
6. [FW] firewall zone trust
7. [FW-zone-trust] add interface GigabitEthernet 1/0/1
8. [FW-zone-trust] quit

9. Set the connection parameters of the 4G LTE cellular interface.

# Create an APN profile.
[FW] apn profile lteprofile
[FW-apn-profile-lteprofile] apn ltenet
[FW-apn-profile-lteprofile] quit

# Configure a network connection mode.

[FW] interface cellular 0/0/0
[FW-Cellular0/0/0] mode lte auto

# Bind the APN profile to the 4G LTE cellular interface.

 [FW-Cellular0/0/0] dialer enable-circular
[FW-Cellular0/0/0] apn-profile lteprofile
[FW-Cellular0/0/0] shutdown
[FW-Cellular0/0/0] undo shutdown
[FW-Cellular0/0/0] quit

10. Configure C-DCC for dial-up connection.

# Configure a dialer control list.
[FW] dialer-rule 1 ip permit

# Obtain IP addresses dynamically.

[FW] interface cellular 0/0/0
[FW-Cellular0/0/0] ip address negotiate

# Associate Cellular0/0/0 to the dialer control list.

[FW-Cellular0/0/0] dialer-group 1

NOTE:
Ensure that the group-number value in the dialer-group command is the same as the dialer-number value in the dialer-
rulecommand.

# Configure the dialer number.

[FW-Cellular0/0/0] dialer number *99#
[FW-Cellular0/0/0] quit

11. Configure the enterprise intranet.

# Enable DHCP.
[FW] dhcp enable

# Create a global address pool.

[FW] ip pool 4gpool
[FW-ip-pool-4gpool] network 192.168.100.0 mask 255.255.255.0
[FW-ip-pool-4gpool] gateway-list 192.168.100.1
[FW-ip-pool-4gpool] quit

# Configure the interface to work in global address pool mode.

[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 192.168.100.1 255.255.255.0
[FW-GigabitEthernet1/0/1] dhcp select global
[FW-GigabitEthernet1/0/1] quit

12. Configure security policies to allow users on the subnet 192.168.100.0/24 to access the Internet.
13. [FW] security-policy
14. [FW-policy-security] rule name sec_policy_1
15. [FW-policy-security-rule-sec_policy_1] source-address 192.168.100.0 mask
255.255.255.0
16. [FW-policy-security-rule-sec_policy_1] source-zone trust
17. [FW-policy-security-rule-sec_policy_1] destination-zone untrust
18. [FW-policy-security-rule-sec_policy_1] action permit
19. [FW-policy-security-rule-sec_policy_1] quit
 20. [FW-policy-security] quit

21. Configure NAT policies.

22. [FW] nat-policy
23. [FW-policy-nat] rule name abc
24. [FW-policy-nat-rule-abc] source-address 192.168.100.0 24
25. [FW-policy-nat-rule-abc] source-zone trust
26. [FW-policy-nat-rule-abc] egress-interface Cellular 0/0/0
27. [FW-policy-nat-rule-abc] action nat easy-ip
28. [FW-policy-nat-rule-abc] quit
[FW-policy-nat] quit

29. Configure a default route and specify Cellular0/0/0 as the outbound interface.
[FW] ip route-static 0.0.0.0 0 cellular 0/0/0

Configuration Verification
# View the interface status and traffic statistics. The command output shows that if traffic is forwarded through the
interface, both the physical layer status and link layer status of the interface are Up and the IP address dynamically
obtained by the interface is 10.1.1.2/24. The USG6680 is used as an example.
[FW] display interface Cellular 0/0/0
Cellular0/0/0 current state : UP
Line protocol current state : UP
Description:HUAWEI, USG6680 Series, Cellular0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.1.1.2/24
Current system time: 2011-06-08 11:35:23
Modem State: Present
Last 300 seconds input rate 555 bytes/sec 4440 bits/sec 12 packets/sec
Last 300 seconds output rate 11230 bytes/sec 89840 bits/sec 311 packets/sec
Input: 210 packets, 87205 bytes
Unicast: 200, Ununicast: 10
Output:225340 packets, 6760917 bytes
Unicast: 225300, Ununicast: 40
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.01%

# View information about all call sessions on the 4G LTE data card. The following command output shows that the APN
is ltenet, the network type is Automatic, and the network connection mode is 4G LTE (LTE).
[FW] display Cellular 0/0/0 all
Modem State:
Hardware Information.
=====================
Model = E392
Modem Firmware Version = 11.833.15.00.000
Hardware Version = CD2E392UM
Integrate circuit card identity (ICCID) = 986810112xxxxxxxxxxx
International Mobile Subscriber Identity (IMSI) = 4600160xxxxxxxx
International Mobile Equipment Identity (IMEI) = 8612300xxxxxxxx
Factory Serial Number (FSN) = T2Y01A92xxxxxxxx
Modem Status = Online
Profile Information.
====================
Profile 1 = ACTIVE
--------
PDP Type = IPv4, Header Compression = OFF
Data Compression = OFF
Access Point Name (APN) = ltenet
Packet Session Status = Active
* - Default profile
Network Information.
====================
Current Service Status = Service available
Current Service = Combined
Packet Service = Attached
Packet Session Status = Active
Current Roaming Status = Home
Network Selection Mode = Automatic
Network Connection Mode = Automatic
Current Network Connection = LTE(LTE)
Mobile Country Code (MCC) = 460
Mobile Network Code (MNC) = 01
Mobile Operator Information = "CHN-CULTE"
Location Area Code (LAC) = 53515
Cell ID = 55924
Upstream Bandwidth = 50mbps
Downstream Bandwidth = 100mbps
Radio Information.
==================
Current Band = AUTO
Current RSSI = -55 dBm
Modem Security Information.
===========================
PIN Verification = Disabled
PIN Status = Ready
Number of Retries remaining = 3
SIM Status = OK

Configuration Script
#
dialer-rule 1 ip permit
#
dhcp enable
#
ip pool 4gpool
gateway-list 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.100.1 255.255.255.0
dhcp select global
#
interface Cellular0/0/0
dialer enable-circular
dialer-group 1
apn-profile lteprofile
dialer number *99#
ip address negotiate
#
apn profile lteprofile
apn ltenet
#
firewall zone trust
 set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface Cellular0/0/0
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 192.168.100.0 24
action permit
#
nat-policy
rule name abc
source-zone trust
egress-interface Cellular0/0/0
source-address 192.168.100.0 24
action nat easy-ip
#
return