Table of Contents Preface ..........................xxi 1. Introduction .......................... 1 1.1. The FB2700 ....................... 1 1.1.1. Where do I start? ....................1 1.1.2. What can it do? ....................1 1.1.3. Ethernet port capabilities ..................2 1.1.4. Differences between the devices in the FB2x00 series ..........2 1.1.5.
FireBrick FB2700 User Manual 4.1.4.1. Restrict by IP address ................22 4.1.4.2. Logged in IP address ................23 4.1.4.3. Restrict by profile ................. 23 4.1.5. One Time Password ..................23 4.2. General System settings ....................24 4.2.1. System name (hostname) .................. 24 4.2.2.
K.2.25. dhcp-attr-hex: DHCP server attributes (hex) ............. 190 K.2.26. dhcp-attr-string: DHCP server attributes (string) ..........190 K.2.27. dhcp-attr-number: DHCP server attributes (numeric) .......... 191 K.2.28. dhcp-attr-ip: DHCP server attributes (IP) ............191 K.2.29. pppoe: PPPoE settings .................. 191 K.2.30.
K.3.3. user-level: User login level ................228 K.3.4. eap-subsystem: Subsystem with EAP access control ..........228 K.3.5. eap-method: EAP access method ..............228 K.3.6. syslog-severity: Syslog severity ............... 228 K.3.7. syslog-facility: Syslog facility ................. 229 K.3.8. month: Month name (3 letter) ................. 229 K.3.9.
List of Figures 2.1. Initial web page in factory reset state ..................7 2.2. Initial "Users" page ......................7 2.3. Setting up a new user ......................8 2.4. Configuration being stored ....................8 3.1. Main menu ........................11 3.2. Icons for layout controls ..................... 12 3.3.
List of Tables 2.1. IP addresses for computer ..................... 6 2.2. IP addresses to access the FireBrick ..................6 2.3. IP addresses to access the FireBrick ..................6 3.1. Special character sequences ....................17 4.1. User login levels ....................... 22 4.2.
K.152. ring-group-type: Type of ring when one call in queue ............239 K.153. record-beep-option: Record beep option ................239 K.154. Basic data types ......................239...
Preface The FB2700 device is the result of several years of intensive effort to create products based on state of the art processing platforms, featuring an entirely new operating system and IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
Chapter 1. Introduction 1.1. The FB2700 1.1.1. Where do I start? The FB2700 is shipped in a factory reset state. This means it has a default configuration that allows the unit to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a known IP address for further configuration.
Introduction • control the speed of different types of traffic (traffic shaping) • handle IPv6 - ready for the day that all five regional Internet registries (RIRs) exhaust their allocations! • provide 3G dongle support for mobile internet or DSL backup and much more...
Introduction To aid the transition, a translator is provided which will generate an FB2700 XML configuration file from an FB105 configuration file, mapping features and functionality across as closely as is possible; the converted configuration should be treated as a starting point for using your FB2700 in place of your FB105, as the result from the converter may be incomplete, or there may be aspects that cannot be carried over.
1.2.5. Document conventions

Various typefaces and presentation styles are used in this document as follows :-

• Text that would be typed as-is, for example a command, or an XML attribute name, is shown in monospaced_font
• Program (including XML) listings, or fragments of listings, are shown thus :-

  /* this is an example program listing*/
  printf("Hello World!\n");...
Introduction Many FireBrick resellers also offer general IT support, including installation, configuration, maintenance, and training. You may be able to get your reseller to develop FB2700 configurations for you - although this will typically be chargeable, you may well find this cost-effective, especially if you are new to FireBrick products. If you are not satisfied with the support you are getting from your reseller, please contact us [http:// www.firebrick.co.uk/contact.php].
Chapter 2. Getting Started 2.1. IP addressing You can configure your FireBrick using a web browser - to do this, you need IP connectivity between your computer and the FireBrick. For a new FB2700 or one that has been factory reset, there are three methods to set this up, as described below - select the method that you prefer, or that best suits your current network architecture.
Getting Started interested in - if necessary, refer to Appendix C to see how to determine which MAC address you are looking for in the list of allocations. Once you are connected to the FB2700, you should see a page with "Configuration needed" prominently displayed, as shown below :- Figure 2.1.
Getting Started Figure 2.3. Setting up a new user You may also want to increase the login-session idle time-out from the default of 5 minutes, especially if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and enter an appropriate value as minutes, colon, and seconds, e.g.
Chapter 3. Configuration 3.1. The Object Hierarchy The FB2700 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB2700. The values of the attributes determine how that object affects operation.
Configuration 3.2.1. Formal definition of the object model The object model has a formal definition in the form of an XML Schema Document (XSD) file, which is itself an XML file, normally intended for machine-processing. A more readable version of this information is available in Appendix K.
Configuration Additionally, the web User Interface provides access to the following items :- • status information, such as DHCP server allocations, FB105 tunnel information and system logs • network diagnostic tools, such as Ping and Traceroute ; there are also tools to test how the FB2700 will process particular traffic, allowing you to verify your firewalling is as intended •...
Configuration These customisations are controlled using three icons on the left-hand side of the page footer, as shown in Figure 3.2 below :- Figure 3.2. Icons for layout controls The first icon, an up/down arrow, controls the banner size/visibility and cycles through three settings : full size banner, reduced height banner, no banner.
Configuration Figure 3.4. The "Setup" category Each section is displayed as a tabulated list showing any existing objects of the associated type. Each row of the table corresponds with one object, and a subset (typically those of most interest at a glance) of the object's attributes are shown in the columns - the column heading shows the attribute name.
Configuration Figure 3.5. Editing an "Interface" object By default, more advanced or less frequently used attributes are hidden - if this applies to the object being edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the link "Show all".
Configuration If the attribute value is shown in a 'strike-through' font (with a horizontal line through it mid-way vertically), this illustrates that the attribute can't be set - this will happen where the attribute value would reference an instance of particular type of object, but there are not currently any instances of objects of that type defined. Since the attribute name is a compact, concise and un-ambiguous way of referring to an attribute, please quote attribute names when requesting technical support, and expect technical support staff to discuss your configuration primarily in terms of attribute (and object/element) names, rather than descriptive...
Configuration Caution If you Add a new object, but don't fill in any parameter values, the object will remain in existence should you navigate away. You should be careful that you don't inadvertently add incompletely setup objects this way, as they may affect operation of the FireBrick, possibly with a detrimental effect. If you have added an object, perhaps for the purposes of looking at what attributes can be set on it, remember to delete the object before you navigate away -- the "Erase"...
Configuration Since the <, > and " characters have special meaning, there are special ('escape') character sequences starting with the ampersand character that are used to represent these characters. They are :- Table 3.1. Special character sequences Sequence Character represented <...
      source-interface="LAN"/>
  <rule name="FB-access" source-interface="LAN" target-port="80" target-interface="self" protocol="6" comment="FB web config access"/>
  <rule name="final-no-match" log="default" action="drop" comment="Catch all - sets default logging for no match"/>
 </rule-set>
</config>

This example configuration :-

• sets some general system parameters (see Section 4.2)
• defines a single user with the highest level of access (DEBUG) (see Section 4.1)
• defines a log target (see Chapter 5)
• configures key system services (see Chapter 14)
• defines a physical-port group (see Section 6.1)
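The following Python script is an added illustration and is not part of the FB2700 firmware or of FireBrick's tools. It shows why the escape sequences of Table 3.1 matter when a configuration fragment is generated by a program rather than typed in the web interface: attribute values containing &, <, > or " must be escaped or the upload is not well-formed XML and will be rejected. The rule-set built here mirrors the example above; the attribute name no-match-action and the interface/port values are assumptions for the example.

```python
import xml.etree.ElementTree as ET


def rule_set_xml(name: str, rules, no_match_action: str = "drop", **entry) -> str:
    """Build a <rule-set> fragment in the style of the manual's example.

    ElementTree escapes attribute values, so & < > and " in names or comments
    are emitted as the &amp; &lt; &gt; &quot; sequences listed in Table 3.1.
    'entry' carries entry-criteria attributes such as target-interface (these
    attribute names are taken from the manual's example; the assumption here is
    that they are written exactly as in the XML).
    """
    attrib = {"name": name, "no-match-action": no_match_action, **entry}
    rs = ET.Element("rule-set", attrib)
    for attrs in rules:
        ET.SubElement(rs, "rule", {k: str(v) for k, v in attrs.items()})
    return ET.tostring(rs, encoding="unicode")


def rule_names(fragment: str):
    """Parse a fragment back and return the rule names, proving it round-trips."""
    return [r.get("name") for r in ET.fromstring(fragment).findall("rule")]


def well_formed(xml_text: str) -> bool:
    """Cheap pre-upload check: an unescaped & or < in an attribute makes the
    whole file unparsable, which is what the FB2700 would see on upload."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a comment containing every character Table 3.1 covers.
    frag = rule_set_xml(
        "firewall_to_LAN",
        [{"name": "web", "target-port": 80, "protocol": 6,
          "comment": 'Allow "www" & <test>'}],
        **{"target-interface": "LAN"},
    )
    print(frag)
    print(well_formed('<rule name="a&b"/>'), well_formed('<rule name="a&amp;b"/>'))
```

Run the check on any machine-generated configuration before posting it with curl (Section 3.6.2); a rejected upload leaves the running configuration unchanged, but a hand-edited file that happens to parse with a misplaced escape can silently change the meaning of a rule.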
Configuration 3.6.2. Upload To upload the configuration to the FB2700 you need to send the configuration XML file as if posted by a web form, using encoding MIME type multi-part/form-data. An example of doing this using curl, run on a Linux box is shown below :- curl http://<FB2700 IP address or DNS name>/config/config --user "username:password"...
Chapter 4. System Administration 4.1. User Management You will have created your first user as part of the initial setup of your FB2700, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
Table 4.1. User login levels

Level    Description
NOBODY   No access to any menu items, but can access control switches for which the user has access.
GUEST    Guest user, access to some menu items.
USER     Normal unprivileged user.
ADMIN    System administrator.
DEBUG    System debugging user.
...
System Administration web or telnet (for command line interface access) services (see Section 14.3 and Section 14.4), or any firewall rules that affect web or telnet access to the FB2700 itself. 4.1.4.2. Logged in IP address The FireBrick allows a general definition of IP groups which allow a name to be used in place of a range of IP addresses.
recommended. The password as typed is the sequence of digits immediately followed by the password you have set for the user. Once a sequence is used it cannot be re-used, so if you log in, log out, and log in again with the same code, it will not work: you have to wait for (or request) a new code.
• url : link destination URL

Additionally, you can name a link, specify a comment, and make the presence of the link on the home page conditional on a profile.

4.2.5. Password hashing

User settings on the FireBrick include password control (as well as the optional OATH one-time password restriction described in Section 4.1.5). In the config the password is entered in plain text, but when the config is read back you will see that the password has been replaced with a hash. The hash is one-way, so the original password cannot be recovered from a saved copy of the configuration.
System Administration all L2TP connections first. The reboot will close all BGP sessions first. The reboot will wait for all VoIP calls to complete before rebooting. 4.3.1. Software release types There are three types of software release : factory, beta and alpha. For full details on the differences between these software releases, refer to the FB2700 software downloads website [http://www.firebrick.co.uk/ software.php?PRODUCT=2700] - please follow the 'read the instructions' link that you will find just above the list of software versions.
System Administration 4.3.3. Internet-based upgrade process Note 'Out of the box' the FB2700 is configured to automatically download and install new factory releases. This is a safe option, and we expect many users to be happy with this - however, if you would prefer, this process can be disabled - refer to Section 4.3.3.2.
• alpha : Download/install factory, beta or alpha releases

sw-update-profile : Specifies the name of a profile used to control when software upgrades are attempted (see Chapter 9 for details on profiles).

The current setting of sw-update (in descriptive form) can be seen on the main Status page, adjacent to the word "Upgrade", as shown in Figure 4.2 (in that example, sw-update is set to, or is defaulting to, factory).
Power LED state                               Meaning
Off                                           No AC power applied to unit (or possibly hardware fault)
Flashing with approximately 1 second period   Bootloader running / waiting for network connection
Solid on                                      Main application software running

After power-up, the normal power LED indication sequence is therefore to go through the ~1 second period flashing phase, and then - if at least one Ethernet port is connected to an active device - change to solid once the app is running.
Chapter 5. Event Logging 5.1. Overview Many events in the operation of the FireBrick create a log entry. These are a one-line string of text saying what happened. This could be normal events such as someone logging in to the web interface, or unusual events such as a wrong password used, or DHCP not being able to find any free addresses to allocate.
Event Logging 5.1.1.2. Logging to the Console The console is the command line environment described in Chapter 21. You can cause log entries to be displayed as soon as possible on the console (assuming an active console session) by setting console="true" on the log target.
Event Logging The module name refers to which part of the system caused the log entry, and is also shown in all other types of logging such as web and console. To enable log messages to be sent to a syslog server, you need to create a syslog object that is a child of the log target (log) object.
Event Logging </log> A profile can be used to stop emails at certain times, and when the email logging is back on an active profile it tries to catch up any entries still in the RAM buffer if possible. 5.3.2.1. E-mail process logging Since the process of e-mailing can itself encounter problems, it is possible to request that the process itself be logged via the usual log target mechanism.
Event Logging All log targets can be viewed via the web User Interface, regardless of whether they specify any external logging (or logging to Flash memory). 5.6.2. Viewing logs in the CLI environment The command line allows logs to be viewed, and you can select which log target, or all targets. The logging continues on screen until you press a key such as RETURN.
Chapter 6. Interfaces and Subnets This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those interfaces. For information about other types of 'interfaces', refer to the following chapters :- • Point-to-Point Protocol over Ethernet (PPPoE) - Chapter 11 •...
Interfaces and Subnets If you are unfamiliar with VLANs or the concept of broadcast domains, Appendix D contains a brief overview. By combining the FB2700 with a VLAN capable switch, using only a single physical connection between the switch and the FB2700, you can effectively expand the number of distinct physical interfaces, with the upper limit on number being determined by switch capabilities, or by inherent IEEE 802.1Q VLAN or FB2700 MAC address block size.
Interfaces and Subnets The primary attributes that define an interface are the name of the physical port group it uses, an optional VLAN ID, and an optional name. If the VLAN ID is not specified, it defaults to "0" which means only untagged packets will be received by the interface.
Interfaces and Subnets The FB2700 can perform conventional Network Address Translation (NAT) for network connections / flows originating from all machines on a subnet (for example, one using RFC1918 private IP address space) by setting the nat attribute on the subnet object. Behind the scenes, activation of NAT is on a 'per-session' basis, and the nat attribute on a subnet is really a shortcut for a session-rule using the set-nat attribute.
Interfaces and Subnets Since the DHCP behaviour needs to be defined for each interface (specifically, each broadcast domain), the behaviour is controlled by one or more dhcp objects, which are children of an interface object. Address allocations are made from a pool of addresses - the pool is either explicitly defined using the ip attribute, or if ip is not specified, it consists of all addresses on the interface, i.e.
Interfaces and Subnets If you are setting up a static allocation, but your client has already obtained an address (from your FB2700) from a pool, you will need to clear the existing allocation and then force the client to issue a new DHCP request (e.g.
Interfaces and Subnets Note While this may seem rather complex, it achieves the intuitively-expected result in most cases - for example it allows a pool to be set up for a general class of device or a range of MAC addresses, and for more specific pool entries to be included which will take precedence for individual devices, eg with a full MAC address or a specific client-name.
Interfaces and Subnets When you first create an ethernet object you will see that none of the attribute checkboxes are ticked, and the defaults described above apply. Ensure that you set the port attribute value correctly to modify the port you intended to.
LED mode                Behaviour
Link10-1000/Activity    On when link up at 10Mbit/s or 1Gbit/s; blink (off) when Tx or Rx activity
Link10-100/Activity     On when link up at 10Mbit/s or 100Mbit/s; blink (off) when Tx or Rx activity
Duplex/Collision        On when full-duplex; blink when half-duplex and collisions detected
                        Blink (on) when collisions detected...
Chapter 7. Session Handling This chapter describes sessions, session-tracking, and how the rules for session creation can be used to implement Firewalling, subject specific traffic flows to traffic-shaping, and perform address mapping techniques including conventional Network Address Translation (NAT). Session-tracking is also involved in the route override functionality of the FB2700 - this is covered in Section 8.6.
Session Handling The contents of the session-table can be viewed in the web user interface by clicking "Sessions" in the "Status" menu. You will normally see two entries per session, one with a green background and one with a yellow background.
Session Handling 7.3.2. Processing flow The following processing flow applies to rules and rule-sets :- • Rule-sets are processed sequentially. • Each rule-set can optionally specify entry-criteria - if present, these criteria must be matched against for the rules within the rule-set to be considered. •...
Note that drop and reject both discard the packet; the only difference is whether a notification is sent back to the traffic source. For a short period after startup the actions of drop and reject are treated as ignore. This is because a reboot forgets all sessions: the grace period gives existing sessions whose outbound traffic is not NATed a chance to re-establish themselves by means of that outbound traffic.
Figure 7.2. Processing flow chart for rule-sets and session-rules

(Flow chart: a packet arrives for which no matching session exists; the next rule-set object is examined and, if its entry criteria match, the rules within it are processed; processing continues with the next rule-set until all rule-sets have been processed, at which point the session is allowed.)
Session Handling It is helpful to understand that a session rule contributes to the final set of information recorded in the session- table entry - a rule does not necessarily completely define what the session-table will contain, unless it is the only rule that matches the traffic under consideration.
Session Handling checked for target IP of, say, 0.0.0.0/24, that would pass if the target IP is within the same /24 as the source IP. This only works on IPv4, and only on subnets, not ranges, and only on source-ip and target-ip checks.
protocol="6" comment="WAN access to company web server"/> </rule-set> The rule-set is named "firewall_to_LAN". The rule-set only applies to sessions targeting the "LAN" interface from any other interface. The action to perform when no rule within the rule-set applies is to "drop".
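To make the processing flow of Section 7.3.2 concrete, here is an added Python model (not FireBrick code) of a session-rule engine: rule-sets are walked in order, a rule-set is only entered when its entry criteria match, the first matching rule decides, a rule-set with no matching rule applies its no-match action, and a session that falls off the end is allowed. It also implements the relative subnet check described above, where target-ip 0.0.0.0/24 passes when the target lies in the same /24 as the source (IPv4 only). The rule-set definitions at the bottom mirror the "firewall_to_LAN" and "FB-access" examples; the server address 192.168.0.10, the interface names and the default rule action of "continue" are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Session:
    source_interface: str
    target_interface: str
    source_ip: str
    target_ip: str
    protocol: int
    target_port: Optional[int] = None


def ip_matches(check: str, target: str, source: str) -> bool:
    """Match an IP against a prefix, with the FB2700 'relative' form: a prefix
    whose address is 0.0.0.0 (e.g. 0.0.0.0/24) matches when the target lies in
    the same /N as the session's source IP. IPv4 only, as the manual states."""
    net = ipaddress.ip_network(check, strict=False)
    tgt = ipaddress.ip_address(target)
    if tgt.version != net.version:
        return False
    if net.version == 4 and int(net.network_address) == 0 and net.prefixlen > 0:
        mask = int(net.netmask)
        return (int(tgt) & mask) == (int(ipaddress.ip_address(source)) & mask)
    return tgt in net


@dataclass
class Rule:
    name: str
    action: str = "continue"   # continue | accept | drop | reject | ignore (default assumed)
    source_interface: Optional[str] = None
    target_interface: Optional[str] = None
    target_ip: Optional[str] = None
    protocol: Optional[int] = None
    target_port: Optional[int] = None

    def matches(self, s: Session) -> bool:
        return all([
            self.source_interface is None or s.source_interface == self.source_interface,
            self.target_interface is None or s.target_interface == self.target_interface,
            self.protocol is None or s.protocol == self.protocol,
            self.target_port is None or s.target_port == self.target_port,
            self.target_ip is None or ip_matches(self.target_ip, s.target_ip, s.source_ip),
        ])


@dataclass
class RuleSet:
    name: str
    rules: Sequence[Rule]
    no_match_action: str = "continue"
    # entry criteria: the rule-set is only consulted when these match
    source_interface: Optional[str] = None
    target_interface: Optional[str] = None
    exclude_same_interface: bool = False   # "from any other interface"

    def applies(self, s: Session) -> bool:
        if self.source_interface and s.source_interface != self.source_interface:
            return False
        if self.target_interface and s.target_interface != self.target_interface:
            return False
        return not (self.exclude_same_interface and s.source_interface == s.target_interface)


def decide(rule_sets: Sequence[RuleSet], s: Session) -> str:
    """Rule-sets in order; first matching rule within a rule-set decides; 'continue'
    moves on; no matching rule means the rule-set's no-match action; reaching the
    end means the session is allowed (Figure 7.2)."""
    for rs in rule_sets:
        if not rs.applies(s):
            continue
        for rule in rs.rules:
            if rule.matches(s):
                action = rule.action
                break
        else:
            action = rs.no_match_action
        if action != "continue":
            return action
    return "accept"


# Constructed rule-sets modelled on the manual's examples.
FIREWALL = [
    RuleSet("firewall_to_LAN", target_interface="LAN", exclude_same_interface=True,
            no_match_action="drop",
            rules=[Rule("web-server", target_ip="192.168.0.10/32", protocol=6, target_port=80)]),
    RuleSet("firewall_to_self", target_interface="self", no_match_action="drop",
            rules=[Rule("FB-access", source_interface="LAN", protocol=6, target_port=80)]),
]

if __name__ == "__main__":
    print(decide(FIREWALL, Session("WAN", "LAN", "203.0.113.7", "192.168.0.10", 6, 80)))
    print(decide(FIREWALL, Session("WAN", "self", "203.0.113.7", "198.51.100.1", 6, 80)))
```

Use a model like this to reason about a rule-set before trusting it: the web interface's traffic test tool (Section 3.x) answers the same question on the real device, and the two should agree. Note in particular that a session which matches no rule-set at all is allowed, so every interface that should be protected needs a rule-set whose entry criteria cover it.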
Session Handling 7.3.3.3. Graphing and traffic shaping The set-graph and set-reverse-graph attributes cause the session traffic to be graphed, and therefore possibly be subject to traffic shaping ; they perform the same function as the graph attribute that can be specified on many different objects, as described in Chapter 10.
Normally the choice is random, but there is an option (hash) which makes the choice deterministic, based on a hash of the source and target IP addresses. This gives a consistent mapping of a given client's sessions to the same server.
Session Handling The real solution to all of the issues with NAT is not ALGs, as they are simply not a scalable work-around for problems. The solution is the use of IPv6, the current Internet Protocol version. The FireBrick is designed from the ground up to support IPv6 and we recommend the use of IPv6 wherever possible.
Session Handling It is possible, of course, to use rule-sets and rules to control exactly when NAT applies rather than using the NAT setting on the PPPoE config. However, if the PPPoE connection only has one IPv4 address assigned, as is often the case, then setting NAT on the PPPoE config is usually the simplest way to achieve the configuration.
Ideally you should try to use Internet connections without CGN, but if you have to use one you are likely to encounter additional issues with NAT. CGNs do often include some ALGs, but they take all of the issues with NAT to a new level.
Chapter 8. Routing 8.1. Routing logic The routing logic in the FB2700 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
Routing You can show the route(s) that apply for a specific destination IP address or address range using the CLI command show route. You can also see a list of all routes in a routing table using the CLI command show routes. There is also a routing display on the Diagnostics control web pages. 8.2.
Routing Example: <route ip="0.0.0.0/0" gateway="192.168.0.100"/> creates a default IPv4 route that forwards traffic to 192.168.0.100. The routing for 192.168.0.100 then has to be looked up to find the final target, e.g. it may be to an Ethernet interface, in which case an ARP is done for 192.168.0.100 to find the MAC to send the traffic.
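The following Python class is an added illustration, not FireBrick code, of the routing logic described in Sections 8.1 to 8.5: most-specific prefix first, then localpref, then the recursive lookup of a gateway address until a directly connected interface is reached (as in the default-route example above, where 192.168.0.100 is itself looked up and then ARPed for on the Ethernet interface), and finally the case of two identical routes with the same localpref that are left for bonding to share. Higher localpref winning, and the interface and gateway addresses used in the sample table, are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # e.g. "0.0.0.0/0"
    localpref: int = 100               # higher is preferred (assumption of this model)
    interface: Optional[str] = None    # directly connected: subnet on an interface
    gateway: Optional[str] = None      # next hop that must itself be routed


@dataclass(frozen=True)
class NextHop:
    interface: str
    arp_target: str                    # address to ARP (or ND) for on that interface


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = [(ipaddress.ip_network(r.prefix, strict=False), r) for r in routes]

    def lookup(self, dest: str) -> List[Route]:
        """Most-specific prefix wins; among equal prefixes the highest localpref
        wins; routes still tied are all returned (candidates for bonding)."""
        addr = ipaddress.ip_address(dest)
        cands = [(n, r) for n, r in self.routes if addr.version == n.version and addr in n]
        if not cands:
            return []
        best_len = max(n.prefixlen for n, _ in cands)
        tied = [r for n, r in cands if n.prefixlen == best_len]
        best_pref = max(r.localpref for r in tied)
        return [r for r in tied if r.localpref == best_pref]

    def resolve(self, dest: str, depth: int = 8) -> List[NextHop]:
        """Follow gateway routes recursively until an interface route is reached.
        A bounded depth turns a routing loop into an error instead of a hang."""
        if depth == 0:
            raise RecursionError("routing loop while resolving %s" % dest)
        hops: List[NextHop] = []
        for r in self.lookup(dest):
            if r.interface:
                hops.append(NextHop(r.interface, dest))
            elif r.gateway:
                hops.extend(self.resolve(r.gateway, depth - 1))
        return hops


if __name__ == "__main__":
    # Constructed table: a LAN subnet, the manual's default route, and a more specific route.
    table = RoutingTable([
        Route("192.168.0.0/24", interface="LAN"),
        Route("0.0.0.0/0", gateway="192.168.0.100"),
        Route("10.0.0.0/8", gateway="192.168.0.200"),
    ])
    print(table.resolve("8.8.8.8"))      # via 192.168.0.100 on LAN
    print(table.resolve("10.1.2.3"))     # via 192.168.0.200 on LAN
```

The CLI commands show route and show routes, mentioned above, let you compare the device's own answer against this kind of expectation; when they disagree, check for a more specific prefix you had forgotten before suspecting the default route.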
Routing 8.5. Bonding A key feature of the FB2700 is the ability to bond multiple links at a per packet level. This feature is only enabled on a fully loaded model of your FB2700. Bonding works with routing and shapers together. (See Chapter 10 for details of shapers.) The basic principle is that you have two or more routes that are identical (same target IP prefix) and have the same localpref, so that there is nothing to decide between them.
Routing rarely useful, and probably not the configuration setting you are looking for (waves hand in front of your face).
Chapter 9. Profiles Profiles allow you to enable/disable various aspects of the FB2700's configuration (and thus functionality) based on things such as time-of-day or presence/absence of Ping responses from a specified device. 9.1. Overview A profile is a two-state control entity - it is either Active or Inactive ("On" or "Off", like a switch). Once a profile is defined, it can be referenced in various configuration objects where the profile state will control the behaviour of that object.
Profiles • recover : the duration that the overall test must have been passing for before the profile state changes to Active The timeout and recover parameters do not apply to manually set profiles (see Section 9.2.4) and those based on time-of-day (see Section 9.2.2.2). 9.2.2.
Profiles 9.2.3. Inverting overall test result The tests described in the previous section are used to form an overall test result. Normally this overall result is used to determine the profile state using the mapping Pass > Active and Fail > Inactive. By setting the invert attribute to true, the overall result is inverted (Pass changed to Fail and vice-versa) first before applying the mapping.
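The Python class below is an added worked example, not FireBrick code, of the profile state machine described in this chapter: a raw pass/fail test result, optionally inverted first, then the timeout and recover hysteresis that stops a profile flapping on a single lost ping. Timestamps are plain seconds supplied by the caller, and the durations used in the sample are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    """Two-state profile (Active/Inactive) driven by an overall test result.

    timeout : seconds the test must have been failing before the profile goes Inactive
    recover : seconds the test must have been passing before the profile goes Active
    invert  : swap Pass and Fail before applying the Pass -> Active mapping
    """
    timeout: float = 60.0
    recover: float = 60.0
    invert: bool = False
    active: bool = True
    _since: Optional[float] = field(default=None, repr=False)  # start of the current contrary run

    def update(self, test_passed: bool, now: float) -> bool:
        """Feed one test result observed at time 'now'; return the resulting state."""
        result = (not test_passed) if self.invert else test_passed
        if result == self.active:
            self._since = None           # result agrees with the state: nothing pending
            return self.active
        if self._since is None:
            self._since = now            # a run of contrary results starts here
        held = now - self._since
        if self.active and held >= self.timeout:
            self.active, self._since = False, None
        elif not self.active and held >= self.recover:
            self.active, self._since = True, None
        return self.active


if __name__ == "__main__":
    # Constructed scenario: a ping-based profile that tolerates 30s of loss and
    # needs 60s of clean responses before it trusts the link again.
    p = Profile(timeout=30, recover=60)
    for t, ok in [(0, False), (29, False), (30, False), (40, True), (100, True)]:
        print(t, ok, p.update(ok, t))
```

Note the asymmetry: a single failing result during recovery restarts the recover clock, so a link that is losing every tenth ping never becomes Active. That is usually what you want for a failover profile, and it is why the manual excludes manually set and time-of-day profiles from these two parameters.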
Chapter 10. Traffic Shaping The FB2700 includes traffic shaping functionality that allows you to control the speed of specific traffic flows through the FB2700. The FB2700 also provides graphing functionality, allowing specific traffic flows to be plotted on a graph image (PNG format) that the FB2700 generates. Within the FB2700, traffic shaping and graphing are closely associated, and this is reflected in how you configure traffic shaping - in order to be able to perform traffic shaping, you must first graph the traffic flow.
Traffic Shaping 10.1.2. Shapers Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
Traffic Shaping 10.2. Multiple shapers A packet that passes through the FB2700 can pass through multiple shapers, for example • The ingress interface can have a defined shaper • When the packet passes through session tracking, the two sides of the session tracking (forward and reverse) can each have shapers that apply.
Chapter 11. PPPoE The FB2700 can operate as a PPPoE client. This is typically used to connect to an Internet service provider, either via a suitable PPPoE modem, bridging router, or direct connection. The typical usage is to use one or more ports on the FB2700 each connected directly to a suitable PPPoE device such as a bridging router.
PPPoE A significant benefit of the Vigor V-120 is that it works with no configuration on BT 20CN and 21CN lines as well as Be/O2 PPPoA lines and TalkTalk lines - you just plug it in to the line and the FB2700 and it just works.
PPPoE Testing has been done which confirms setting mtu="1500" works correctly on BT FTTC and FTTP lines, as well as BT 21CN and TalkTalk lines via a suitable bridging modem (Dlink 320B). Note Testing using a Zyxel P660R in bridge mode confirms that BT 21CN ADSL lines will negotiate 1500 byte MTU, but it seems the Zyxel will not bridge more than 1496 bytes of PPP payload.
Chapter 12. Tunnels The FB2700 supports the following tunnelling protocols :- • IPsec (IP security) • FB105 lightweight tunnelling protocol • L2TP • ETUN (Ether tunnelling) The IPsec support implements the IPsec protocol suite together with the IKEv2 key management protocol, as defined in various RFCs.
IPsec provides two ways to encapsulate data: AH (Authentication Header), which integrity-checks the packet data and also some of the header fields (such as the IP addresses), and ESP (Encapsulating Security Payload), which both encrypts and integrity-checks the packet data. 12.1.1.3.
Tunnels 12.1.1.6. Identities and the Authentication Mechanism To fully appreciate the mechanism of authentication, it is necessary to understand the concept of IKE Identities. Each end of an IPsec/IKE peering has an identity, and the purpose of the IKE authentication process is to establish the identity to the peer - ie prove to the peer that you are the identity you proclaim to be.
Tunnels 12.1.2.2. IKE proposals When IKE connections are negotiated, a selection of compatible algorithms and keys for integrity checking and encryption are negotiated. The initiating end of the connection provides proposals of various combinations of algorithms it is willing to use, and the responding end picks a suitable set. The IKE implementation has built-in default proposal lists, which are suitable for normal use, but for tighter control further proposals can be configured.
Tunnels 12.1.2.4.3. Authentication and IKE identities The FireBrick supports three authentication methods: • Secret: (AKA pre-shared key, or PSK) A secret key is entered in the local configuration and the same key is set up in the peer's configuration • Certificate: an X.509 certificate is used (see below for full details) •...
Tunnels specified as a permissible range. Note that in this case the identity the peer provides when it attempts to set up the connection will be used to select the matching configuration connection details. The local-ip is optional - if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely, and the FireBrick chooses a suitable source IP when it initiates a connection.
12.1.2.5.1. IP endpoints The local-ip, peer-ips, internal-ipv4 and internal-ipv6 items have the same meanings as for IKE connections as described above. For manually-keyed connections, local-ip and peer-ips are not optional and must be set to single IP addresses. 12.1.2.5.2. Algorithms and keys Select the required encapsulation type - either AH (providing just authentication) or ESP (providing authentication and/or encryption).
Tunnels both AH and ESP protection to encapsulated packets; AH authentication with ESP encryption can provide marginally better authentication but is rarely used. To configure this, set up a manually-keyed ESP tunnel with just encryption, and set up a separate manually-keyed AH IPsec entry in transport mode. Each must have their own separate SPIs, and the ESP entry should have the outer-spi field set to the local-spi of the AH entry.
Tunnels Future FireBrick development will introduce TLS/HTTPS and when this is available private key upload will be restricted to secure encrypted connections. There are a number of different formats in use for holding certificates and private keys. The FireBrick accepts standard DER-format (binary) and PEM-format (base64 armoured text) X.509 certificates, and DER-format and unencrypted PEM-format private keys in raw or PKCS#8 form, as generated by utilities such as OpenSSL.
Tunnels 12.1.4.1. Creating certificates Generating suitable certificates can be a painful experience for the uninitiated, so we have provided some useful tools which can be downloaded from the FireBrick website. These are bash scripts which use the OpenSSL tools, and can be run on Linux or MacOS systems, or on Windows using Cygwin. They should be downloaded and saved locally (eg by cut-and-paste from the displayed web page text, or using the browser save source function).
Tunnels • PRF: A pseudo-random function used to generate further keying info from the Diffie-Hellman key (control channel only) • ESN: A flag indicating whether extended sequence numbers are supported for the data channel Manually-keyed connections do not have a control channel, and use only integrity and encryption algorithms. Both integrity checking and encryption allow a choice of algorithms.
Tunnels connection is used, AH is incompatible with NAT. A NAT device usually requires regular traffic to ensure dynamic address and port mappings are maintained. Additionally, some NAT devices incorrectly attempt to modify IPsec traffic en route. IKE attempts to work around these problems, by detecting whether there are any NAT devices in the transmission path, and modifying its behaviour accordingly.
• Mode: The connection mode should be set to Wait. An example of a Road Warrior connection xml config may be: <eap name="arthur" password="CorrectHorseBatteryStaple" subsystem="IPsec" methods="MSChapV2"/> <eap name="ford" password="JosephGodspell" subsystem="IPsec" methods="MSChapV2"/> <ipsec-ike> <roaming name="natpool" ip="10.100.100.0/24" DNS="8.8.8.8" nat="true"/> <connection name="VPN service" graph="eap-[ip]"...
12.1.8.3. Setting up a Road Warrior VPN on an iOS (iPhone/iPad) client Apple have only recently introduced support for IKEv2 on iOS (since iOS version 8.1) and it is currently somewhat incomplete with rough edges. There is not yet a way to configure an IKEv2 VPN using the device UI.
• ESP encapsulation using HMAC-SHA1 authentication and AES-CBC encryption • Authentication key 0123456789012345678901234567890123456789 • Encryption key 00010203040506070809101112131415 • Incoming SPI 1000, Outgoing SPI 2000 • FireBrick is providing connectivity for a local user subnet 10.1.1.0/24 • Linux system is providing connectivity for a local user subnet 10.2.2.0/24 A suitable FireBrick xml config for this would be: <ipsec-ike>...
The protocol supports multiple simultaneous tunnels to/from an end-point device, and Local Tunnel ID values are used on an end-point device to identify each tunnel. The 'scope' of the Local ID is restricted to a single end-point device - as such, the tunnel itself does not possess a (single) ID value, and is instead identified by the Local IDs in use at both ends, which may well differ.
If you wish to use a different UDP port number than the default of 1, specify the port number using the port attribute. 12.2.3. Viewing tunnel status The status of all configured FB105 tunnels can be seen in the web User Interface by selecting "FB105" from the "Status"...
12.2.6.1. FB2700 doing NAT If you have a bonded tunnel set implementing a single logical WAN connection, then the FB2700 will typically have multiple WAN-side IP addresses, one per physical WAN connection. If you are using the FB2700 to NAT traffic to the WAN, the real source IP address of the traffic will be translated by the NAT process to one of the IP addresses used by the FB2700.
The two ETUN'ed ports will behave as if they were two ports on a single layer 2 hub or switch, apart from the extra latency introduced by the carrier network traversal. It is important to note that *all* ethernet packets are transported.
Chapter 13. USB Port The FB2700 features a USB port that supports a wide variety of dongles providing backup data connection via a 3G mobile network. USB hubs are supported, so that you can connect multiple USB devices to the FB2700. In the web user interface and CLI, specific USB devices are identified by a "Socket"...
Chapter 14. System Services A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling. Table 14.1 lists the services that the FB2700 can provide :- Table 14.1. List of system services Service Function SNMP server provides clients with access to management information using the Simple Network Management Protocol...
Table 14.2. List of system services (Attribute / Function) table: If specified, then the service only accepts requests/connections on the specified routing table. If not specified then the service works on any routing table. Where the service is also a client then this specifies the routing table to use (default 0). allow: If specified then this is a list of ranges of IP addresses and ip group names from which connections are allowed.
14.4. Telnet Server configuration The Telnet server allows standard telnet-protocol clients (available for most client platforms) to connect to the FB2700 and access a command-line interface (CLI). The CLI is documented in Chapter 21 and in Appendix I. 14.4.1.
14.5.3. Auto DHCP DNS The FB2700 can also look for specific matching names and IP addresses for forward and reverse DNS that match machines on your LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP.
14.8.2.1. RADIUS client settings The system settings for a RADIUS client allow multiple different client settings to be created by name. L2TP uses RADIUS by default, and if not set then the first settings found are used. However, you can set a named RADIUS client setting to be used for each L2TP server setting.
Chapter 15. Network Diagnostic Tools Various network diagnostic tools are provided by the FB2700, accessible through either the web user interface or the CLI :- • Packet dump : low level diagnostics for detailed examination of network traffic passing through the FB2700 •...
no-match-action is DROP, no further rule-sets considered Final action is to DROP the session. 15.2. Access check For each network service implemented by the FB2700 (see Chapter 14), this command shows whether a specific IP address will be able to access or utilise the service, based on any access restrictions configured on the service. For example, the following shows some service configurations (expressed in XML), and the access check result when checking access for an external address, 1.2.3.4 :- <http local-only="false"/>...
The output is streamed so that, when used with curl and tcpdump, you can monitor traffic in real time. Limited filtering is provided by the FB2700, so you will normally apply any additional filtering you need via tcpdump.
Note These security requirements are the most likely thing to cause your attempts to packet dump to fail. If you are getting a simple "404" error response, and think you have specified the correct URL (if using an HTTP client), please check security settings are as described here.
15.3.7. Using an HTTP client To perform a packet dump using an HTTP client, you first construct an appropriate URL that contains standard HTTP URL form-style parameters from the list shown in Table 15.1. Then you retrieve the dump from the FB2700 using a tool such as curl.
Chapter 16. VRRP The FB2700 supports VRRP (Virtual Router Redundancy Protocol), which is a system that provides routing redundancy, by enabling more than one hardware device on a network to act as a gateway for routing traffic. Hardware redundancy means VRRP can provide resilience in the event of device failure, by allowing a backup device to automatically assume the role of actively routing traffic.
16.2. Configuring VRRP VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB2700 comes under the scope of an interface definition. As such, to set up your FB2700 to participate in a Virtual Router group, you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where the VRRP operates.
16.4.2. VRRP version 3 VRRP version 3 works in much the same way, but allows the advertisement interval to be any multiple of 10ms (1/100th of a second). The default interval is still 1 second, but it can now be set much faster - so although the timeout is still 3 times the interval, this means the backup could take over in as little as 30ms.
Chapter 17. VoIP 17.1. What is VoIP? Voice over IP (VoIP) is simply a means of carrying voice (telephone calls) over Internet Protocol (the Internet). Instead of using pairs of wires to carry the signal electrically, the sound is sampled and converted to a sequence of bytes.
You can have a case of incoming calls working and not outgoing, which means registration has worked but somehow you have incorrect proxy details. The other way around, where outgoing calls work and incoming do not, would mean the registration is not working, but the proxy details are correct. The logging options can be very useful to help diagnose problems.
• The FireBrick can make use of the current Internet Protocol (IPv6). At present there are few carriers and handsets that work with IPv6, but this is improving all of the time. IPv6 avoids the need for NAT. The FireBrick acts as a media gateway which makes firewalling rules simple even when using IPv6, and allows IPv4 and IPv6 devices to interwork with no problems.
On the handset you will need to set a registrar and/or proxy which is usually either a host name or an IP address. This will need to refer to the FB2700's address. The handset will also have some form of login or username and a password. Typically you would use the extension number or DDI as the username, but in an office PABX you may want people's names as the user name.
• The request is unauthorized, and has a SIP target or To header of a registered contact from an outgoing registration from the carrier (can be from any allowed IP). • The SIP target matches exactly one of the to entries in a carrier, or if a blank to attribute and the Authorization username matches the username.
sequence Ring phones in a sequence, ringing one phone at a time You can set the timing used for calls to progress through the list of phones. 17.8.2. Ring order When not ringing all phones at once, you can control the order they are rung: Table 17.2.
17.10. Busy lamp field Busy lamp fields are normally a light and button on a phone. The snom phones can have BLF enabled. In your handset you set up BLF by specifying an extension number of a handset to be monitored. The busy light will typically be on solidly when in a call, or flashing when there is an incoming call ringing.
for a non local request where the user is not recognised as a local telephone user. Otherwise the FB2700 will send a challenge automatically and only send a RADIUS authentication when the authenticated message is received. This also happens if an Authorization header is presented without a response value. For an unauthenticated request you can respond with an Access Challenge including the parameters to challenge, but any attributes you omit will be completed automatically, so you can simply respond with an empty challenge to confirm the FB2700 is to go ahead and do the challenge itself.
Table 17.3. Access-Accept (No. / Usage) Calling-Station-Id (31): Replaces CLI of current call leg. Called-Station-Id (30): Replaces Dialled number of current call leg. User-Name (1): Replaces the Name of the current call leg. Filter-Id (11): Adds a call recording email address to the current call leg. Chargeable-User-Identity (89): Adds a CDR record with this CUI, and current CLI and Dialled attributes to...
17.13. Voicemail and IVR services Voicemail is still in development. The FB2700 will simply pass the call to a voicemail server via SIP. This could be a local device on the network, or a service provided by a carrier. We will include a software package to run on a Linux box that will save the recording.
Note RADIUS CDRs are only available on a fully-loaded model. Log (e.g. syslog) CDRs are available on all models. 17.15. Technical details The FireBrick operates according to well established technical standards within specific design constraints which allow it to operate efficiently handling thousands of calls. •...
Chapter 18. BGP 18.1. What is BGP? BGP (Border Gateway Protocol) is the protocol used between ISPs to advise peers of routes that are available. Each ISP tells its peers the routes it can see, being the routes it knows itself and those that it has been advised by other peers.
• RFC2796 Route reflector peers • RFC3392 Capabilities negotiation • RFC3065 Confederation peers • RFC5082 TTL Security • Multiple independent routing tables allowing independent BGP operations • Multiple AS operation 18.2.3. Simple example setup A typical installation may have transit connections from which a complete internet routing table is received, peers which provide their own routes only, internal peers making an IBGP mesh, customers to which transit is provided and customer routes may be accepted.
Must be EBGP, and sets default of no-fib and not add-own-as. Routes from this peer are marked as IXP routes, which affects filtering on route announcements. 18.2.5. Route filtering Each peer has a set of import and export rules which are applied to routes that are imported or exported from the peer.
ordered list of filters, and then the local filters, is what applies. Multiple tags do not cause all the tags to be added, just the latest listed tags in the action. There are plans to improve this in the future to work step by step and even allow MED and localpref adjustments to compound.
18.2.8. Announcing dead end routes The top level bgp object includes a dead-end-community attribute which can be set to a tag that is used to mark routes as a dead end within your network. Any route received on a BGP peer within that config object which includes the specified community is treated as a dead end route.
18.2.13. Diagnostics The web control pages have diagnostics allowing routing to be shown, either for a specific target IP (finding the most specific route which applies), or for a specified prefix. This lists the routes that exist in order, and indicates if they are suppressed (e.g.
Chapter 19. OSPF 19.1. What is OSPF? OSPF is an interior gateway protocol that allows devices connected together in a network to learn the routes that each other has. It works out the best path across a network of routers and links automatically, and handles failures of links and re-routing traffic another way automatically.
Note Note that this does not yet offer OSPF via interfaces (e.g. tunnels) other than Ethernet. 19.2.3. Simple example setup <ospf/> Yes, that is all you need for an unauthenticated OSPF setup working on all Ethernet interfaces and announcing all connected subnets! 19.2.4.
Chapter 20. Internet Service Providers The FireBrick can be used by Internet Service Providers (ISPs) to provide Internet connectivity by acting as a gateway between a carrier network (e.g. Broadband or mobile carrier) and the Internet. This chapter covers the ISP use of a FireBrick including L2TP and PPPoE. L2TP can also be used on a smaller scale to create point to point tunnels.
20.1.4. Broadband In a typical broadband network we don't have dialup modems in the same way. The modems are jumpered to the phone line at the exchange and are part of an Access Node, usually called a DSLAM or MSAN. This then passes PPP packets on to a Remote Access Server, usually called a BRAS.
shaping. You could even use the hostname to separate different grades of service, or, if the ISP is providing wholesale connections, for different ISP customers. The incoming connection configuration includes the password, and the RADIUS servers to use to validate the users, and various defaults that apply to the PPP connections.
In an ISP scenario this is typically used for special cases, test lines, etc. The main use of this feature is for a corporate LNS handling direct point to point tunnels, e.g. from other offices or roaming users. 20.5.
20.8.2. BGP with carrier This interlink is usually used solely for the purpose of a BGP link to the carrier, and all other IPs used by the ISP or carrier are announced via that BGP connection. You may want to configure filters on the BGP connection to limit the prefixes accepted from the carrier or announced to the carrier.
20.8.4. L2TP endpoints The FB2700 will accept L2TP connections on any of its IP addresses, but again we recommend allocating a loopback address or using the address from the LAN rather than the interlink address as we know some carriers cannot handle that.
Chapter 21. Command Line Interface The FB2700 provides a traditional command-line interface (CLI) environment that can be used to check status information, and control some aspects of the unit's operation. The CLI is accessed via the 'telnet' protocol - the FB2700 implements a telnet server, which you can connect to using any common telnet client program.
Appendix A. Factory Reset Procedure The FireBrick has a simple factory reset process to erase the configuration allowing you to reconnect using the default IP addresses described in Chapter 2. This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason, or any other situation where it is appropriate to start from scratch.
• Connect network to left hand port. Power LED comes on solidly. This process will start the FireBrick in a factory reset mode temporarily - the configuration stored in flash memory has not yet been altered or deleted at this stage. If you disconnect the power then the config will revert to the previous state and no longer be reset, so it is important to connect your laptop, etc, to the FB2700 after removing the looped cable and not power cycle in-between.
Appendix B. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
routing table entry - 10.1.2.0/24 and 10.1.3.0/24 - routing table entries for these subnets would appear in a downstream router. Note that in either a network/subnet or routing destination specification, the address will be the starting address of the IP address range being expressed, such that there will be M least significant bits of the address set to zero, where M = 32 - prefix_length. Combined interface IP address and subnet definitions...
Appendix C. MAC Addresses usage Ethernet networks use 48 bit MAC addresses. These are globally unique and allocated by the equipment manufacturer from a pool of addresses that is defined by the first three octets (bytes), which identify the organization, and are known as the Organizationally Unique Identifier (OUI). OUIs are issued by the IEEE - more information, and a searchable database of existing OUIs are available at http://standards.ieee.org/develop/regauth/oui/ MAC addresses are commonly written as six groups of two hexadecimal digits, separated by colons or hyphens.
The interface settings in the configuration have a restrict-mac setting which, when set to true causes the same MAC to be used for all subnets and operations on that specific interface (port group / VLAN combination). C.2. Changing MAC address There is no reason for any network device to maintain the same MAC address for ever.
C.2.5. Running out of MACs The allocations are recorded in persistent data, so if an object is removed from the config and later put back it should get the same MAC address. If however there are not enough MAC addresses when loading a config, then previous assignments are re-used.
• the first address in the range has zero for the remaining digits (00) • the last address in the range has F for the remaining digits (FF) Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7C:FF inclusive (256 addresses). C.4.
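The CIDR rule above (the address must have its M = 32 - prefix_length low bits zero) and the MAC prefix range rule (missing trailing digits run from 00 to FF) are the same prefix arithmetic at different widths. The following is an added example, not FireBrick code, applying that arithmetic to both; it deliberately rejects a CIDR spec whose host bits are not zero, since such a value is not a valid routing destination.

```python
"""Prefix-range arithmetic for IPv4 CIDR specs and MAC address prefixes.

Added example (not from the FireBrick manual): a prefix of length P fixes
the top P bits; the remaining low bits run from all-zero to all-one.
"""
from __future__ import annotations


def _ipv4_to_int(addr: str) -> int:
    """Parse dotted-quad text into a 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {addr}")
        value = (value << 8) | n
    return value


def _int_to_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(spec: str, strict: bool = True) -> tuple[str, str, int]:
    """Return (first, last, count) for an IPv4 CIDR spec such as 10.1.2.0/24.

    With strict=True the address must be the first address of the range,
    i.e. its low M = 32 - prefix_length bits must be zero, as the manual
    requires for a network or routing destination; otherwise ValueError.
    With strict=False the address is masked down to the range start.
    """
    addr, _, plen_text = spec.partition("/")
    plen = int(plen_text) if plen_text else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {spec}")
    m = 32 - plen                      # number of variable (host) bits
    host_mask = (1 << m) - 1
    value = _ipv4_to_int(addr)
    if strict and value & host_mask:
        raise ValueError(f"{addr} is not the first address of a /{plen}")
    first = value & ~host_mask
    last = first | host_mask
    return _int_to_ipv4(first), _int_to_ipv4(last), 1 << m


def mac_range(prefix: str) -> tuple[str, str, int]:
    """Return (first, last, count) for a MAC prefix of whole octets.

    e.g. 00:03:97:14:7C spans 00:03:97:14:7C:00 .. 00:03:97:14:7C:FF.
    Colon or hyphen separators are accepted; output uses colons.
    """
    octets = prefix.replace("-", ":").split(":")
    if not 1 <= len(octets) <= 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC prefix: {prefix}")
    fixed = [int(o, 16) for o in octets]
    free = 6 - len(fixed)              # trailing octets that vary
    first = ":".join(f"{b:02X}" for b in fixed + [0x00] * free)
    last = ":".join(f"{b:02X}" for b in fixed + [0xFF] * free)
    return first, last, 256 ** free


if __name__ == "__main__":
    print(cidr_range("10.1.2.0/24"))
    print(cidr_range("10.1.2.0/23"))
    print(mac_range("00:03:97:14:7C"))
```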
Appendix D. VLANs : A primer An Ethernet (Layer 2) broadcast domain consists of a group of Ethernet devices that are interconnected, typically via switches, such that an Ethernet broadcast packet (which specifies a reserved broadcast address as the destination Ethernet address of the packet) sent by one of the devices is always received by all the other devices in the group.
Appendix E. Supported L2TP Attribute/Value Pairs This appendix details the L2TP protocol messages supported, and the attribute/value pairs (AVPs) which are sent and expected for each message. E.1. Start-Control-Connection-Request Table E.1. SCCRQ No. Incoming Outgoing Message Type 0 Value 1 Value 1 Protocol Version 2 Mandatory, value 1 expected...
Challenge (11): incoming: Accepted if a configured secret is defined, a response is sent in the SCCCN; outgoing: Not sent at present. Challenge Response (13): incoming: Not expected at present; outgoing: Sent if SCCRQ contained a challenge and we have a secret defined. E.3.
Calling Number (22): incoming: Accepted, used in RADIUS and passed on if relaying; outgoing: Passed on incoming value. Sub-Address (23): incoming: Ignored; outgoing: Not sent. Physical Channel ID (25): incoming: Ignored; outgoing: Not sent. E.7. Incoming-Call-Reply Table E.7. ICRP No. Incoming Outgoing Message Type 0 Value 11 Value 11...
Message Type 0 Value 7 Value 7 Not supported, ignored. E.10. Outgoing-Call-Reply Table E.10. OCRP No. Incoming Outgoing Message Type 0 Value 8 Value 8 Not supported, ignored. E.11. Outgoing-Call-Connected Table E.11. OCCN No. Incoming Outgoing Message Type 0 Value 9 Value 9...
Message Type 0 Value 16 Value 16 Not supported, ignored. E.15. Notes E.15.1. BT specific notes The L2TP and PPP specifications are clear that the HDLC framing bytes are not sent or received within the L2TP packet. However, BT send type bytes (FF03) on the start of all PPP frames. This is silently discarded. Also, BT will not process packets if these type bytes are not included in outgoing packets.
Appendix F. Supported RADIUS Attribute/Value Pairs for L2TP operation RADIUS is used for authentication and accounting of L2TP connections. If no authentication servers are configured then authentication is not performed. If no accounting servers are configured then no accounting is generated. Multiple servers can be configured and they are processed in order. Each can have multiple IP addresses.
local end session ID. The NAS-Identifier remains the name of the FB6000. This option is separately available for accounting messages. Note that the Calling-Station-Id is included even if not present in the L2TP connection if a cached platform RADIUS request matched the L2TP connection and had a Calling-Station-Id.
Framed-MTU (12): Set MTU for session. Connect-Info (77): Text tx/rx speed limit to apply to session (see below). Tunnel-Type (64): If specified must be 3 (L2TP), L2TP is assumed. Also allows special 'R' and 'S' types, see below.
As you can see, it is possible to send back CHAP-Challenge and CHAP-Password or User-Password to override those received by proxy or negotiation. This is mainly used when relaying the L2TP onwards and changes the proxy authentication field sent.
Tunnel-Client-Endpoint (66): Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel. Tunnel-Server-Endpoint (67): Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel. Tunnel-Assignment-...
Tunnel-Assignment-ID (82): Present for relayed L2TP, text local L2TP tunnel ID. Tunnel-Client-Auth-ID (90): Present for relayed L2TP, local end hostname quoted by outgoing tunnel. Tunnel-Server-Auth-ID (91): Present for relayed L2TP, far end hostname quoted by outgoing tunnel. F.5.
Delegated-IPv6-Prefix (123): IPv6 prefix to be routed to line. Maximum localpref used. Framed-IPv6-Prefix (97): IPv6 prefix to be routed to line. Maximum localpref used. Framed-IPv6-Route (99): May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax.
h: Sets the connection not to send HDLC framing headers on all PPP packets. This is in accordance with the L2TP/PPP RFCs. This does not work on BT 21CN BRASs. F: Sets TCP MTU fix flag which causes the MTU option in TCP SYN to be adjusted if necessary to fit MTU.
If there is no proxy authentication, PPP authentication is started and continues until a response/login is received from the peer (assuming authentication is required in the config). At this point a further check is made for a configured relay which can now be based on a login if one was not present before.
Appendix G. Supported RADIUS Attribute/Value Pairs for VoIP operation RADIUS is used to authenticate REGISTRATION requests allowing registration of telephones. It is also used to authenticate INVITE requests and provide call routing information. RADIUS Accounting is used to provide details of calls in progress. G.1.
Digest-CNonce (113): Digest CNonce. Digest-Nonce-Count (114): Digest Nonce Count (NC). Digest-Username (115): Digest Username. Digest-Opaque (116): Digest Opaque. SIP-AOR (121): Contact URI. Session-Timeout (27): Time from Expires header. Acct-Terminate-Cause (49): Only sent for a redirect call routing, the redirect code, e.g. 301/302. G.2.
Filter-Id 11 Adds a call recording email address to this call. SIP-AOR 121 Creates a new outgoing call leg. See Section 17.11.2.1 for details of call routing. G.2.4. Rejected authentication Table G.5. Access-Reject No.
Acct-Event-Timestamp (55): Time call answered. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): Far end IPv4 address for SIP if using IPv4. NAS-IPv6-Address (95): Far end IPv6 address for SIP if using IPv6. NAS-Port (5): Far end UDP port for SIP. Note...
G.7. Change of Authorisation A change of authorisation message is accepted as per RFC5176. Table G.10. Change-of-Authorisation No. Usage Acct-Session-Id 44 Unique ID for session...
Appendix H. FireBrick specific SNMP objects This appendix details the SNMP objects that are specific to the FireBrick. H.1. BGP information Information about specific BGP peers. Note The OID contains the IP. This is coded as either 4.a.b.c.d for IPv4 address a.b.c.d, or 6 followed by 32 entries each 0 to 15 for each hex character in the IPv6 address.
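The IP-in-OID encoding described in the note above, as an added example (not FireBrick code): IPv4 a.b.c.d becomes the sub-identifiers 4.a.b.c.d, and an IPv6 address becomes 6 followed by one sub-identifier (0 to 15) per hex digit of the fully expanded address. The base OID of the BGP peer table is not given here, so only the suffix is produced; the decoder is included so that a monitoring script can map a walked OID back to the peer address.

```python
"""Encode/decode the peer-address OID suffix used by FireBrick BGP SNMP objects.

Added example, not FireBrick code. Encoding as stated in the manual:
  IPv4 a.b.c.d         -> 4.a.b.c.d
  IPv6 (32 hex digits) -> 6.h1.h2....h32  (each h in 0..15, leading zeros kept)
"""
import ipaddress


def peer_oid_suffix(ip: str) -> list[int]:
    """Return the list of OID sub-identifiers for an IPv4 or IPv6 peer address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return [4] + list(addr.packed)            # four octets, one sub-id each
    # exploded gives 8 groups of 4 hex digits with leading zeros, e.g.
    # 2001:0db8:0000:0000:0000:0000:0000:0001 -> strip colons -> 32 digits
    digits = addr.exploded.replace(":", "")
    return [6] + [int(c, 16) for c in digits]


def peer_oid_suffix_text(ip: str) -> str:
    """Dotted form of the suffix, as it appears in an OID string."""
    return ".".join(str(n) for n in peer_oid_suffix(ip))


def peer_ip_from_suffix(suffix: list[int]) -> str:
    """Inverse of peer_oid_suffix; IPv6 is returned in compressed form."""
    if not suffix:
        raise ValueError("empty OID suffix")
    family, body = suffix[0], suffix[1:]
    if family == 4 and len(body) == 4:
        if any(not 0 <= b <= 255 for b in body):
            raise ValueError("IPv4 sub-identifier out of range")
        return str(ipaddress.IPv4Address(bytes(body)))
    if family == 6 and len(body) == 32:
        if any(not 0 <= n <= 15 for n in body):
            raise ValueError("IPv6 sub-identifier out of range")
        return str(ipaddress.IPv6Address(int("".join(f"{n:x}" for n in body), 16)))
    raise ValueError(f"malformed peer OID suffix: {suffix}")


if __name__ == "__main__":
    for peer in ("10.1.2.3", "2001:db8::1"):          # constructed sample peers
        print(peer, "->", peer_oid_suffix_text(peer))
```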
• Integer: Number of sessions in NEGOTIATING state • Integer: Number of sessions in AUTH-PENDING state • Integer: Number of sessions in STARTED state • Integer: Number of sessions in LIVE state • Integer: Number of sessions in ACCT-PENDING state • Integer: Number of sessions in CLOSING state • Integer: Number of sessions in CLOSED state...
Appendix I. Command line reference I.1. General commands I.1.1. Trace off: troff. Stop interactive logging to this CLI session, lasts until logout or tron. I.1.2. Trace on: tron. Restart interactive logging to this CLI session. Some types of logging can be set to log to console which shows on the CLI.
I.1.8. Logout: logout, quit, exit. You can also use Ctrl-D to exit, or close the connection (if using telnet). I.1.9. See XML configuration: show run, show configuration. Dumps the full XML configuration to the screen. I.1.10. Load XML configuration: import configuration. You then send the XML configuration, ending with a blank line.
Shows current DNS resolver list and status. I.2. Networking commands I.2.1. Subnets: show subnets, show subnet <integer>. You can list all current subnets, or details of a specific subnet. This shows the same information as the web status pages for subnets.
I.2.6. See DHCP allocations: show dhcp [<IP4Addr>] [table=<routetable>]. Shows DHCP allocations, with option to show details for specific allocation. I.2.7. Clear DHCP allocations: clear dhcp [ip=<IP4Range>] [table=<routetable>]. Allows you to remove one or more DHCP allocations. I.2.8. Lock DHCP allocations: lock dhcp ip=<IP4Addr>...
I.3. Firewalling commands I.3.1. Check access to services: check access <IPAddr> [table=<routetable>]. Reports access control checks for a source address to various internal services. This is separate from any firewalling. I.3.2. Check firewall logic: check firewall source-ip=<IPAddr> target-ip=<IPAddr> protocol=<unsignedByte>...
I.7. OSPF commands Note This command summary is not yet complete, please see www.firebrick.co.uk for details I.8. PPPoE commands Note This command summary is not yet complete, please see www.firebrick.co.uk for details I.9. VoIP commands Note This command summary is not yet complete, please see www.firebrick.co.uk for details I.10.
I.11.4. Make outbound command session: start command session <IPAddr> [port=<unsignedShort>] [table=<routetable>]. This allows a reverse telnet connection to be made. A TCP connection is made to the IP address (and port) where a user can login. This can be useful where a firewall policy prevents incoming access to allow someone to have access from outside, e.g.
Appendix J. Constant Quality Monitoring - technical details The FireBrick provides constant quality monitoring. The main purpose of this is to provide a graphical representation of the performance of an interface or traffic shaper - typically used for broadband lines on L2TP. •...
J.2.2. Dated information Without any date the data returned is the latest. For csv it is all data points available. For graph it is the last 24 to 25 hours. You can display data for a specific date. This only makes sense for today, and during the first couple of hours of the day you can get yesterday in full.
J.3.2. Additional text Additional text is shown on the graph based on the values in the configuration if not specified. There are 4 lines on the top left in small text and two heading lines top right in large text. Table J.3.
The recommended command to run just after midnight is wget -m http://host:port/cqm/`date +%F -dyesterday`/z/ as this will create a directory for the server, cqm, date, and z, and then the files. The use of z clears text off the graphs to make them clean. J.4.1.
and xml list of all graphs. This total is done by multiplying the last score by 864, the previous by 863, and so on for the previous 24 hours. J.6. Creating graphs, and graph names Graph names are text and up to 20 characters.
Configuration Objects pre-reboot-url (string): URL to GET prior to s/w reboot (typically to warn nagios). soft-watchdog (boolean, default false): Debug - use only if advised; do not use on an unattended FireBrick. source (string): Source of data, used in automated config management. sw-update (autoloadtype)...
profile (NMTOKEN): Profile name. source (string): Source of data, used in automated config management. table (routetable, unsignedByte 0-99): Restrict login to specific routing table. timeout (duration, default 5:00): Login idle timeout (zero to stay logged in). K.2.4. eap: User access controlled by EAP Identities, passwords and access methods for access controlled with EAP Table K.7.
K.2.6. log-syslog: Syslog logger settings Logging to a syslog server Table K.10. log-syslog: Attributes (Attribute, Type, Default, Description) comment (string): Comment. facility (syslog-facility, default LOCAL0): Facility setting. port (unsignedShort): Server port. profile (NMTOKEN): Profile name. server (IPNameAddr, Not optional): Syslog server. severity (syslog-severity)...
string Not optional Target email address K.2.8. services: System services System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | | Comment
fast-retry | boolean | | Aggressive re-try until clock first set
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
| NMTOKEN | Not logging | Log events ...
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | | Service port
profile | NMTOKEN | | Profile name
source | string | | Source of data, used in automated config management
table | routetable (unsignedByte 0-99) | | Routing table number
K.2.12. http-service: HTTP service settings
Web management pages. Table K.16.
domain | string | | Our domain
fallback | boolean | true | For incoming requests, if no server in required table, relay to any DNS available
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
| NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug ...
comment | string | | Comment
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | NMTOKEN | | Profile name
restrict | List of IPNameRange | | List of IP ranges to which this is served
source | string | | Source of data, used in automated config management
table | ...
source | string | | Source of data, used in automated config management
tagged | boolean | | Tag all attributes that can be
target-hostname | string | | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | | Shared secret for L2TP connection
test | ...
nsn-tunnel-override-username | unsignedByte | | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | | Additional response for GGSN usage
order | radiuspriority | | Priority tagging of endpoints sent
profile | NMTOKEN | | Profile name
relay-ip | List of IPAddr | | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication port ...
secret | Secret | Not optional | Shared secret for RADIUS requests
source | string | | Source of data, used in automated config management
table | routetable (unsignedByte 0-99) | | Routing table number
type | Set of radiustype | | Server type
K.2.19. ethernet: Physical port controls
Physical port attributes. Table K.25.
trunk | trunk-mode | false | Trunk ports
K.2.21. interface: Port-group/VLAN interface settings
The interface definition relates to a specific physical port group and VLAN. It includes the subnets and VRRP settings that apply to that interface. Table K.27. interface: Attributes
Attribute | Type | Default | Description
bgpmode | ...
Table K.28. interface: Elements
Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings
K.2.22. subnet: Subnet settings
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set. Table K.29.
test | IPAddr | | Test link state using ARP/ND for this IP
| unsignedByte | | TTL for originating traffic via subnet
K.2.23. vrrp: VRRP settings
VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP but forces VRRP to low priority. Use a different VRID on different VLANs. Table K.30.
| List of IP4Addr | Our IP | DNS resolvers
domain | string | From system settings | DNS domain
domain-search | string | | DNS domain search list (list will be truncated to fit one attribute)
force | boolean | | Send all options even if not requested
gateway | IP4Subnet | Our IP | Gateway ...
Table K.34. dhcp-attr-string: Attributes
Attribute | Type | Default | Description
comment | string | | Comment
force | boolean | | Send even if not requested
| unsignedByte | Not optional | Attribute type code/tag
name | string | | Name
value | string | Not optional | Value
vendor | boolean | | Add as vendor specific option (under option 43)
K.2.27.
ac-name | string | Any a/c name | Access concentrator name
accept-dns | boolean | true | Accept DNS servers specified by far end
bgpmode | | Not announced | BGP announce mode for routes
comment | string | | Comment
cug | unsignedShort (1-32767) | | Closed user group ID
cug-restrict | boolean | | Closed user group restricted traffic (only to/from same CUG ID)
fast-retry | ...
Table K.38. pppoe: Elements
Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up
K.2.30. ppp-route: PPP routes
Routes that apply when link is up. Table K.39. ppp-route: Attributes
Attribute | Type | Default | Description
bgpmode | | Not announced | ...
context | pdp-context-type | | Type of connection to make
cug | unsignedShort (1-32767) | | Closed user group ID
cug-restrict | boolean | | Closed user group restricted traffic (only to/from same CUG ID)
dial-string | string | ATV1 ATE0 AT+CFUN=1 AT&D2&C1S0=0S7=60 +CGDCONT=1,"[context]","[apn]"... | Space separated AT command strings which can include [apn] and [context]
Table K.43. dongle: Elements
Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when link is up
K.2.33. route: Static routes
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
table | routetable (unsignedByte 0-99) | | Routing table number
| List of Community | - | List of community tags
K.2.35. blackhole: Dead end networks
Networks that go nowhere. Table K.46. blackhole: Attributes
Attribute | Type | Default | Description
as-path | List of unsignedInt | | Custom AS path as if network received
bgpmode | | false | ...
| List of Community | - | List of community tags
K.2.37. ospf: Overall OSPF settings
The OSPF element defines general OSPF settings. Where interfaces/table are specified, the first matching OSPF config is applied. Only OSPF internal and AS-border router functionality is provided. Table K.48. ospf: Attributes
Attribute | Type | Default | ...
K.2.38. namedbgpmap: Mapping and filtering rules of BGP prefixes
This defines a set of named rules for mapping and filtering of prefixes to/from a BGP peer. Table K.49. namedbgpmap: Attributes
Attribute | Type | Default | Description
comment | string | | Comment
name | NMTOKEN | Not optional | Name ...
blackhole-community | Community | | Community tag to mark black hole routes
cluster-id | IP4Addr | | Our cluster ID
comment | string | | Comment
dead-end-community | Community | | Community tag to mark dead end routes
| IP4Addr | | Our router ID
| NMTOKEN | Not logging | Log events
name | string | | Name
source | ...
drop-default | boolean | false | Ignore default route received
export-filters | List of NMTOKEN | - | Named export filters to apply
export-med | unsignedInt | | Set MED on exported routes (unless export filter sets it)
holdtime | unsignedInt | | Hold time
ignore-bad-optional-partial | boolean | true | Ignore routes with a recognised badly formed optional that is flagged partial
import-filters | ...
Table K.55. bgppeer: Elements
Element | Type | Instances | Description
export | bgpmap | Optional | Mapping and filtering rules for announcing prefixes to peer
import | bgpmap | Optional | Mapping and filtering rules for accepting prefixes from peer
K.2.42. bgpmap: Mapping and filtering rules of BGP prefixes
This defines the rules for mapping and filtering of prefixes to/from a BGP peer.
fail-level2 | unsignedByte | | Loss level 2
fail-score | unsignedByte | | Score for fail and low usage
fail-score1 | unsignedByte | | Score for on/above level 1
fail-score2 | unsignedByte | | Score for on/above level 2
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected
fblogo | Colour | #bd1220 | Colour for logo ...
ping-update | duration | 1:00:00 | Interval for periodic updates
ping-url | string | | URL for ping list
| Colour | #f8c | Colour for off line seconds
right | unsignedByte | | Pixels space right of main graph
| Colour | #800 | Colour for Rx traffic level
secret | Secret | | Secret for MD5 coded URLs
sent | Colour | #ff8 | ...
called | string | | called-station-id to send
calling | string | | calling-station-id to send
comment | string | | Comment
cug | unsignedShort (1-32767) | | Closed user group ID
cug-restrict | boolean | | Closed user group restricted traffic (only to/from same CUG ID)
fail-lockout | unsignedByte | | Interval kept in failed state
graph | string | | Graph name ...
table | routetable (unsignedByte 0-99) | | Routing table number for L2TP session
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS
tx-speed | unsignedInt | | Egress rate limit (b/s)
username | string | | User name for login
Table K.62. l2tp-outgoing: Elements
Element | Type | Instances | ...
mtu | unsignedShort (576-2000) | | Default MTU for sessions in this tunnel
name | string | | Name
open-timeout | unsignedByte | | Interval before OPEN considered failed
ospf | boolean | true | OSPF announce mode for route
payload-table | routetable (unsignedByte 0-99) | | Routing table number for payload traffic
pppdns1 | IP4Addr | | PPP DNS1 IPv4 default ...
called-station-id | List of string | | One or more patterns to match called-station-id
calling-station-id | List of string | | One or more patterns to match calling-station-id
comment | string | | Comment
graph | graphname (token) | - | Graph name
ip-over-lcp | boolean | | Send IP over LCP (local auth)
localpref | unsignedInt | 4294967295 | ...
log-error | NMTOKEN | Log as event | Log errors
| unsignedShort | 1500 | MTU for wrapped packets
name | NMTOKEN | | Name
ospf | boolean | true | OSPF announce mode for route
payload-table | routetable (unsignedByte 0-99) | | Routing table number for payload traffic
port | unsignedShort | | UDP port to use
profile | NMTOKEN | | Profile name ...
name | string | | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | | Profile name
source | string | | Source of data, used in automated config management
K.2.50. ipsec-ike: IPsec configuration (IKEv2)
IPsec IKE and manually-keyed connection details. Table K.69. ipsec-ike: Attributes
Attribute | Type | Default | ...
graph | graphname (token) | - | Graph name
internal-ipv4 | IP4Addr | local-ip | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel
internal-ipv6 | IP6Addr | local-ip | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel
local-ip | IPAddr | | Local IP
localpref | unsignedInt | ...
peer-certlist | List of NMTOKEN | accept any suitable | Certificate trust anchor(s) acceptable for authenticating peer
peer-secret | Secret | use secret | Shared secret used to authenticate peer
peer-ts | List of IPRange | Allow any | Valid outgoing-destination/incoming-source IPs for tunnelled traffic
peer-ts-from-routes | boolean | false | Send traffic selector based on routing
query-eap-id | ...
Note that the defaults here are permissive: leaving peer-certlist unset accepts any suitable trust anchor, and leaving peer-ts unset allows any source/destination inside the tunnel. For a peer whose identity and address ranges are known, set both explicitly.
| boolean | false | NAT incoming IPv4 traffic unless set otherwise in rules
source | string | | Source of data, used in automated config management
K.2.54. ike-proposal: IKE security proposal
Proposal for establishing the IKE security association. Table K.75. ike-proposal: Attributes
Attribute | Type | Default | Description ...
graph | graphname (token) | - | Graph name
internal-ipv4 | IP4Addr | local-ip | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel
internal-ipv6 | IP6Addr | local-ip | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel
local-ip | IPAddr | | Local IP
localpref | unsignedInt | ...
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up
K.2.57. ping: Ping/graph definition
Base ping config - additional ping targets are set via the web API or other means. Table K.79. ping: Attributes
Attribute | Type | Default | Description
comment | string | | Comment
graph | ...
| List of NMTOKEN | - | Active if any of these other profiles are active regardless of other tests (including 'not' or 'and')
ports | Set of port | | Test passes if any of these physical ports are up
| List of NMTOKEN | - | PPP link state (any of these are up)
recover | duration | ...
comment | string | | Comment
days | Set of day | | Which days of week apply, default all
start | time | | Start (HH:MM:SS)
stop | time | | End (HH:MM:SS)
K.2.61. profile-ping: Test passes if any addresses are pingable
Ping targets. Table K.84. profile-ping: Attributes
Attribute | Type | Default | Description ...
override | shaper-override | Optional, unlimited | Profile specific variations on main settings
K.2.63. shaper-override: Traffic shaper override based on profile
Settings for a named traffic shaper. Table K.87. shaper-override: Attributes
Attribute | Type | Default | Description
comment | string | | Comment
profile | NMTOKEN | Not optional | Profile name
| unsignedInt | | Rx rate limit/target (b/s)
comment | string | | Comment
name | string | | Name
profile | NMTOKEN | | Profile name
source | string | | Source of data, used in automated config management
table | routetable (unsignedByte 0-99) | | Applicable routing table
Table K.90. route-override: Elements
Element | Type | Instances | Description
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies
K.2.66.
target-interface | List of NMTOKEN | - | Target interface(s)
target-ip | List of IPNameRange | | Target IP address range(s)
target-port | List of PortRange | | Target port(s)
Table K.95. rule-set: Elements
Element | Type | Instances | Description
ip-group | ip-group | Optional, unlimited | Named IP groups
rule | session-rule | Optional, unlimited | Individual rules, first match applies
K.2.69.
set-target-ip | IPAddr | | New target IP
set-target-port | unsignedShort | | New target port
source | string | | Source of data, used in automated config management
source-interface | List of NMTOKEN | - | Source interface(s)
source-ip | List of IPNameRange | | Source IP address range(s)
source-mac | List of macprefix (hexBinary) | | Source MAC check if from Ethernet
source-port | ...
Table K.99. voip: Attributes
Attribute | Type | Default | Description
area-code | string | | Local area code (without national prefix)
auth-source-ip4 | IP4Addr | | Default IPv4 source address to use when sending authenticated messages
auth-source-ip6 | IP6Addr | | Default IPv6 source address to use when sending authenticated messages
backup-carrier | NMTOKEN | | Backup carrier to use for external calls ...
record-server | string | | Call recording server hostname or address
release | string | 1470 | CLI release prefix
security-replies | boolean | true | Don't challenge error reply to unrecognised non-local IP request
send-pre-auth | boolean | true | Send Auth header with username before receiving challenge
source | string | | Source of data, used in automated config management ...
max-calls | unsignedInt | | Maximum simultaneous calls allowed
name | NMTOKEN | Not optional | Carrier name
outgoing-format | voip-format | national | Dialled number format for outgoing calls
password | Secret | | Carrier password for outbound registration or inbound authenticated calls
profile | NMTOKEN | | Profile name
proxy | string | | Carrier proxy hostname or address for registration and calls
registrar | ...
anon-numeric | boolean | | Mark anonymous calls just using withhold prefix, and leave display name
area-code | string | | Local area code (without national prefix) for use from this phone
carrier | NMTOKEN | | Carrier to use for outbound calls
cli-format | voip-format | auto | CLI number format passed to telephone
comment | string | | Comment ...
Table K.104. ringgroup: Attributes
Attribute | Type | Default | Description
allow-pickup | List of string | | Only allow pickup from these extensions
allow-subscribe | List of string | | Only allow subscribe (Busy Lamp Field) from these extensions
answer-time | duration | | Answer caller if ringing this long
carrier | NMTOKEN | | Carrier to use for external calls ...
eth-port | NMTOKEN | Not optional | Port group name
| IPAddr | Not optional | Far end IP address
| NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
name | string | | Name
profile | NMTOKEN | | Profile name
source-ip | IPAddr | | Our IP address ...
K.3.2. config-access: Type of access user has to config
Table K.109. config-access: Type of access user has to config
Value | Description
none | No access unless explicitly listed
view | View only access (no passwords)
read | Read only access (with passwords)
full | Full view and edit access
Note that read, unlike view, reveals the passwords and shared secrets stored in the configuration; grant it only to users who actually need them.
K.3.3.
CRIT | Critical conditions
| Error conditions
WARNING | Warning conditions
NOTICE | Normal but significant events
INFO | Informational
DEBUG | Debug level messages
NO-LOGGING | No logging
K.3.7. syslog-facility: Syslog facility
Syslog facility, usually used to control which log file the syslog is written to. Table K.114.
January, February, March, April, May, June, July, August, September, October, November, December
K.3.9. day: Day name (3 letter)
Table K.116. day: Day name (3 letter)
Value | Description
Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday
K.3.10. radiuspriority: Options for controlling platform RADIUS response priority tagging
Table K.117.
K.3.11. radiustype: Type of RADIUS server
Table K.118. radiustype: Type of RADIUS server
Value | Description
authentication | Authentication server
accounting | Accounting server
control | Allowed to send control (CoA/DM)
K.3.12. port: Physical port
Table K.119. port: Physical port
Value | Description
| Port 0 (not valid) (deprecated)
| Port 1
| Port 2 ...
full | Full-duplex
auto | Duplex determined by autonegotiation
K.3.16. LinkFlow: Physical port flow control setting
Table K.123. LinkFlow: Physical port flow control setting
Value | Description
none | No flow control
symmetric | Can support two-way flow control
send-pauses | Can send pauses but does not support pause reception
| Can receive pauses and may send pauses if required
K.3.17.
| Permanently off
| Permanently on
Link | On when link up
Link1000 | On when link up at 1G
Link100 | On when link up at 100M
Link10 | On when link up at 10M
Link100-1000 | On when link up at 100M or 1G
Link10-1000 | On when link up at 10M or 1G
Link10-100 | ...
Table K.129. ramode: IPv6 route announce level
Value | Description
false | Do not announce
| Announce as low priority
medium | Announce as medium priority
high | Announce as high priority
true | Announce as default (medium) priority
K.3.23. dhcpv6control: Control for RA and DHCPv6 bits
Table K.130.
client | Normal PPPoE client connects to access controller
bras-l2tp | PPPoE server mode linked to L2TP operation
K.3.27. pdp-context-type: Type of IP connection
Table K.134. pdp-context-type: Type of IP connection
Value | Description
| IPv4 only
| IPv6 only
ip4ip6 | IPv4/IPv6 dual stack
| End to end PPP
K.3.28.
AES-192-CBC | AES-CBC (Rijndael) (RFC 3602) with 24-byte key
AES-256-CBC | AES-CBC (Rijndael) (RFC 3602) with 32-byte key
K.3.31. peertype: BGP peer type
Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.
HMAC-SHA256 | PRF-HMAC-SHA-256 (RFC 4868)
K.3.35. ike-DH: IKE Diffie-Hellman group
Table K.142. ike-DH: IKE Diffie-Hellman group
Value | Description
none | No D-H negotiation (only used with AH/ESP)
MODP-1024 | 1024-bit Sophie Germain Prime MODP Group
MODP-2048 | 2048-bit Sophie Germain Prime MODP Group
Prefer MODP-2048: 1024-bit MODP groups are no longer considered adequate for IKE key exchange. In an AH/ESP proposal, none means no fresh D-H exchange for that SA and therefore no forward secrecy for it.
K.3.36.
K.3.40. firewall-action: Firewall action
Table K.147. firewall-action: Firewall action
Value | Description
continue | Continue rule-set checking
accept | Allow but no more rule-set checking
reject | End all rule checking now and set to send ICMP reject
drop | End all rule checking now and set to drop
ignore | End all rule checking and ignore (drop) just this packet, not making a session
K.3.41.
strict | Order in config
random | Random order
cyclic | Cycling from last call
oldest | Oldest used phone first
K.3.45. ring-group-type: Type of ring when one call in queue
Table K.152. ring-group-type: Type of ring when one call in queue
Value | Description
| All phones ...
IP4Addr | IPv4 address
IP6Addr | IPv6 address
IPPrefix | IP address / bitlen
IPRange | IP address / bitlen or range
IPNameRange | IP address / bitlen or range or name
IP4Range | IPv4 address / bitlen or range
IP4Prefix | IPv4 address / bitlen
IP6Prefix | IPv6 address / bitlen
IPSubnet | ...
ipsec-spi | IPsec Security Parameters Index (256-4294967295) (unsignedInt)
filterlist | List of IP Prefix filters (IPFilter)
bgp-prefix-limit | Maximum prefixes accepted on BGP session (1-10000) (unsignedInt)
fb105-reorder-timeout | Maximum time to queue out of order packet (ms) (10-5000) (unsignedInt)
fb105-reorder-maxq | Maximum size of out of order packet queue (1-100) (unsignedInt)
iprangelist | List of IP ranges (IPRange)
ping-size | ...