FireBrick FB2700

User Manual

FB2700 Versatile Network Appliance


Summary of Contents for FireBrick FB2700

  • Page 1: User Manual

    FireBrick FB2700 User Manual FB2700 Versatile Network Appliance...
  • Page 3 FireBrick FB2700 User Manual This User Manual documents Software version V1.44.000 Copyright © 2012-2015 FireBrick Ltd.
  • Page 4: Table Of Contents

    1.1.3. Ethernet port capabilities ..................2 1.1.4. Differences between the devices in the FB2x00 series ..........2 1.1.5. Software features ....................2 1.1.6. Migration from previous FireBrick models ............2 1.2. About this Manual ....................... 3 1.2.1. Version ......................3 1.2.2.
  • Page 5 FireBrick FB2700 User Manual 4.1.4.1. Restrict by IP address ................22 4.1.4.2. Logged in IP address ................23 4.1.4.3. Restrict by profile ................. 23 4.1.5. Password change ..................... 23 4.1.6. One Time Password (OTP) ................23 4.2. General System settings ....................24 4.2.1.
  • Page 6 FireBrick FB2700 User Manual 6.4.1. Disabling auto-negotiation ................42 6.4.2. Setting port speed .................... 42 6.4.3. Setting duplex mode ..................42 6.4.4. Defining port LED functions ................42 7. Session Handling ......................... 44 7.1. Routing vs. Firewalling ....................44 7.2. Session Tracking ....................... 44 7.2.1.
  • Page 7 12.1.6. NAT Traversal ....................80 12.1.7. Configuring a Road Warrior server ..............81 12.1.8. Connecting to non-FireBrick devices ..............82 12.1.8.1. Using StrongSwan on Linux ..............82 12.1.8.2. Setting up a Road Warrior VPN on an Android client ........ 83 12.1.8.3.
  • Page 8 13. USB Port .......................... 90 13.1. USB configuration ....................90 13.1.1. 3G dongle configuration ................. 90 14. System Services ......................... 91 14.1. Protecting the FB2700 ....................91 14.2. Common settings ..................... 91 14.3. HTTP Server configuration ..................92 14.3.1. Access control ....................92 14.3.1.1.
  • Page 9 FireBrick FB2700 User Manual 17.8.1. Ring Type ....................108 17.8.2. Ring order ....................109 17.8.3. Overflow ....................109 17.8.4. Out of hours ....................109 17.9. Call pickup/steal ..................... 109 17.10. Busy lamp field ....................110 17.11. Using RADIUS ....................110 17.11.1.
  • Page 10 B. CIDR and CIDR Notation ....................133 C. MAC Addresses usage ......................135 C.1. Multiple MAC addresses? ..................135 C.2. How the FireBrick allocates MAC addresses ..............136 C.2.1. Interface ...................... 136 C.2.2. Subnet ......................136 C.2.3. PPPoE ......................136 C.2.4.
  • Page 11 G.4. Accounting Interim ....................156 G.5. Accounting Stop ...................... 157 G.6. Disconnect ......................157 G.7. Change of Authorisation ................... 158 H. FireBrick specific SNMP objects ..................159 H.1. BGP information ..................... 159 H.2. L2TP information ....................159 H.3. Monitoring information .................... 160 I.
  • Page 12 FireBrick FB2700 User Manual I.7. OSPF commands ...................... 166 I.8. PPPoE commands ..................... 166 I.9. VoIP commands ....................... 166 I.10. Dongle/USB commands ................... 166 I.11. Advanced commands ....................166 I.11.1. Panic ......................166 I.11.2. Reboot ......................166 I.11.3. Screen width ....................166 I.11.4.
  • Page 13 FireBrick FB2700 User Manual K.2.23. subnet: Subnet settings ................. 187 K.2.24. vrrp: VRRP settings ..................188 K.2.25. dhcps: DHCP server settings ................. 189 K.2.26. dhcp-attr-hex: DHCP server attributes (hex) ............. 190 K.2.27. dhcp-attr-string: DHCP server attributes (string) ..........190 K.2.28. dhcp-attr-number: DHCP server attributes (numeric) .......... 191 K.2.29.
  • Page 14 FireBrick FB2700 User Manual K.3. Data types ......................227 K.3.1. autoloadtype: Type of s/w auto load ..............227 K.3.2. config-access: Type of access user has to config ..........227 K.3.3. user-level: User login level ................228 K.3.4. eap-subsystem: Subsystem with EAP access control ..........228 K.3.5.
  • Page 15 List of Figures 2.1. Initial web page in factory reset state ..................7 2.2. Initial "Users" page ......................7 2.3. Setting up a new user ......................8 2.4. Configuration being stored ....................8 3.1. Main menu ........................11 3.2. Icons for layout controls ..................... 12 3.3.
  • Page 16 List of Tables 2.1. IP addresses for computer ..................... 6 2.2. IP addresses to access the FireBrick ..................6 2.3. IP addresses to access the FireBrick ..................6 3.1. Special character sequences ....................17 4.1. User login levels ....................... 22 4.2.
  • Page 17 FireBrick FB2700 User Manual G.2. Access-Challenge ......................155 G.3. Access-Accept ........................ 155 G.4. Access-Accept ........................ 155 G.5. Access-Reject ......................... 156 G.6. Accounting-Start ......................156 G.7. Accounting-Interim ......................156 G.8. Accounting-Stop ......................157 G.9. Disconnect ........................157 G.10. Change-of-Authorisation ....................158 H.1.
  • Page 18 FireBrick FB2700 User Manual K.40. ppp-route: Attributes ...................... 193 K.41. usb: Attributes ....................... 193 K.42. usb: Elements ........................ 193 K.43. dongle: Attributes ......................193 K.44. dongle: Elements ......................194 K.45. route: Attributes ......................195 K.46. network: Attributes ......................195 K.47. blackhole: Attributes ...................... 195 K.48.
  • Page 19 FireBrick FB2700 User Manual K.96. rule-set: Elements ......................219 K.97. session-rule: Attributes ....................220 K.98. session-rule: Elements ....................221 K.99. session-share: Attributes ....................221 K.100. voip: Attributes ......................221 K.101. voip: Elements ......................223 K.102. carrier: Attributes ......................223 K.103. telephone: Attributes ..................... 224 K.104.
  • Page 20 FireBrick FB2700 User Manual K.152. uknumberformat: Number formatting option ..............238 K.153. recordoption: Recording option ..................238 K.154. ring-group-order: Order of ring ..................238 K.155. ring-group-type: Type of ring when one call in queue ............239 K.156. record-beep-option: Record beep option ................239...
  • Page 21: Preface

    Preface The FB2700 device is the result of several years of intensive effort to create products based on state of the art processing platforms, featuring an entirely new operating system and IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
  • Page 22: Introduction

    1.1.1. Where do I start? The FB2700 is shipped in a factory reset state. This means it has a default configuration that allows the unit to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a known IP address for further configuration.
  • Page 23: Ethernet Port Capabilities

    100Mb/s, whilst the FB2700 is faster - typically up to 350Mb/s. The other advantage the FB2700 offers is that you can directly attach an ordinary 3G dongle via the USB port on the front, and use a mobile data connection - this is typically used as a back up for a DSL line.
  • Page 24: About This Manual

    FB105 configuration file, mapping features and functionality across as closely as is possible; the converted configuration should be treated as a starting point for using your FB2700 in place of your FB105, as the result from the converter may be incomplete, or there may be aspects that cannot be carried over. The translator can be accessed at : http://www.firebrick.co.uk/fb105-2700.php...
  • Page 25: Document Conventions

    1.2.6. Comments and feedback If you'd like to make any comments on this Manual, point out errors, make suggestions for improvement or provide any other feedback, we would be pleased to hear from you via e-mail at : docs@firebrick.co.uk. 1.3. Additional Resources 1.3.1.
  • Page 26: Irc Channel

    Many FireBrick resellers also offer general IT support, including installation, configuration, maintenance, and training. You may be able to get your reseller to develop FB2700 configurations for you - although this will typically be chargeable, you may well find this cost-effective, especially if you are new to FireBrick products.
  • Page 27: Getting Started

    • Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
  • Page 28: Add A New User

    2.2.1. Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
  • Page 29: Setting Up A New User

    On this page there is a "Login" link (in red text)- click on this link and then log in using the username and password you chose. We recommend you read Chapter 3 to understand the design of the FB2700's user interface, and then start working with your FB2700's factory reset configuration. Once you are familiar with how the user interface is...
  • Page 30: Configuration

    3.1. The Object Hierarchy The FB2700 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB2700. The values of the attributes determine how that object affects operation.
  • Page 31: Formal Definition Of The Object Model

    XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this may be a bug - please check this via the appropriate support channel(s).
  • Page 32: User Interface Layout

    • status information, such as DHCP server allocations, FB105 tunnel information and system logs • network diagnostic tools, such as Ping and Traceroute ; there are also tools to test how the FB2700 will process particular traffic, allowing you to verify your firewalling is as intended •...
  • Page 33: Config Pages And The Object Hierarchy

    Layout settings are stored in a cookie - since cookies are stored on your computer, and are associated with the DNS name or IP address used to browse to the FB2700, this means that settings that apply to a particular FB2700 will automatically be recalled next time you use the same computer/browser to connect to that FB2700.
  • Page 34: Object Settings

    Erase. Simply going back "Up" or moving to another part of the config will leave this newly created empty object and that could have undesirable effects on the operation of your FireBrick if saved. 3.4.2.2. Object settings The details of an object are displayed as a matrix of boxes (giving the appearance of a wall of bricks), one for each attribute associated with that object type.
  • Page 35: Editing An "Interface" Object

    Configuration Figure 3.5. Editing an "Interface" object By default, more advanced or less frequently used attributes are hidden - if this applies to the object being edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the link "Show all".
  • Page 36: Navigating Around The User Interface

    Navigating away from an object using the supported navigation controls doesn't cause any modifications to that object to be lost, even if the configuration has not yet been saved back to the FB2700. All changes are initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you press the Save button.
  • Page 37: Backing Up / Restoring The Configuration

    To back up / save or restore the configuration, start by clicking on the "Config" main-menu item. This will show a page with a form to upload a configuration file (in XML) to the FB2700 - also on the page is a link "Download/save config"...
  • Page 38: The Root Element -

    (spaces and line breaks). Generally, the content of an element can be other child elements or text. However, the FB2700 doesn't use text content in elements - all configuration data is specified via attributes. Therefore you will see that elements only contain one or more child elements, or no content at all.
  • Page 39 Configuration
    <user name="peter" full-name="Peter Smith" password="FB105#4D42454D26F8BF5480F07DFA1E41AE47410154F6" timeout="PT3H20M" config="full" level="DEBUG"/>
    <log name="default"/>
    <log name="fb-support">
      <email to="crashlog@firebrick.ltd.uk" comment="Crash logs emailed to FireBrick Support"/>
    </log>
    <services>
      <ntp timeserver="pool.ntp.org"/>
      <telnet log="default"/>
      <http />
      <dns domain="watchfront.co.uk" resolvers="81.187.42.42 81.187.96.96"/>
    </services>
    <port name="WAN" ports="1"/>
    <port name="LAN" ports="2"/>...
  • Page 40: Downloading/Uploading The Configuration

    3.6.1. Download To download the configuration from the FB2700 you need to perform an HTTP GET of the following URL :- http://<FB2700 IP address or DNS name>/config/config An example of doing this using curl, run on a Linux box is shown below :- curl http://<FB2700 IP address or DNS name>/config/config...
  • Page 41: Upload

    Configuration 3.6.2. Upload To upload the configuration to the FB2700 you need to send the configuration XML file as if posted by a web form, using encoding MIME type multi-part/form-data. An example of doing this using curl, run on a Linux box is shown below :- curl http://<FB2700 IP address or DNS name>/config/config...
  • Page 42: System Administration

    Chapter 4. System Administration 4.1. User Management You will have created your first user as part of the initial setup of your FB2700, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
  • Page 43: Configuration Access Level

    System Administration Table 4.1. User login levels (Level: Description)
    NOBODY: No access to any menu items, but can access control switches for which the user has access.
    GUEST: Guest user, access to some menu items.
    USER: Normal unprivileged user.
    ADMIN: System administrator.
    DEBUG: System debugging user...
  • Page 44: Logged In Ip Address

    This can be useful for firewall rules where you may have to log in to the FireBrick, even as a NOBODY level user, just to get your IP address in an access list to allow further access to a network from that IP.
  • Page 45: General System Settings

    4.2.4. Home page web links The home page is the first page you see after logging in to the FB2700, or when you click the Home main- menu item. The home page displays the system name, and, if defined, the text specified by the intro attribute...
  • Page 46: Password Hashing

    4.2.5. Password hashing The user settings on the FireBrick have password control (as well as optional OTP). In the config this is entered as a simple password, but when accessed you will see that the password has been replaced with a hash.
  • Page 47: Software Upgrades

    Note In order to be able to run alpha releases, your FB2700 must be enabled to run alpha software - this is done by changing the entry in the FireBrick capabilities database (hosted on FireBrick company servers) for your specific FB2700, as identified by the unit's Serial Number.
  • Page 48: Identifying Current Software Version

    If automatic installs are allowed, the FB2700 will check for new software on boot up and approximately every 24 hours thereafter - your FB2700 should therefore pick up new software at most ~ 24 hours after it is released. You can choose to allow this process to install only new factory-releases, factory or beta releases, or any release, which then includes alpha releases (if your FB2700 is enabled for alpha software - see Section 4.3.1) - refer to...
  • Page 49: Controlling Automatic Software Updates

    This method is entirely manual, in the sense that the brick itself does not download new software from the FireBrick servers, and responsibility for loading breakpoint releases as required lies with the user. In order to do this, you will first need to download the required software image file (which has the file extension .img) from the FB2700 software downloads website [http://www.firebrick.co.uk/software.php?
  • Page 50: Boot Process

    The FB2700 can store multiple app software images in the Flash, and this is used with an automatic fall-back mechanism - if a new software image proves unreliable, it is 'demoted', and the unit falls back to running older software.
  • Page 51: Event Logging

    5.1.1. Log targets A log target is a named destination (initially internal to the FB2700) for log entries - you can have multiple log targets set up which you can use to separate out log event messages according to some criteria - for example, you could log all firewalling related log events to a log target specifically for that purpose.
  • Page 52: Logging To The Console

    5.3.1. Syslog The FB2700 supports sending of log entries across a network to a syslog server. Syslog is described in RFC5424 [http://tools.ietf.org/html/rfc5424], and the FB2700 includes microsecond resolution time stamps, the hostname (from system settings) and a module name in entries sent via syslog.
  • Page 53: Email

    • retry delay : if an attempt to send the e-mail fails, the FB2700 will wait before re-trying ; the default wait period is 10 minutes, but you can change this by setting the retry attribute...
  • Page 54: E-Mail Process Logging

    5.5. Performance The FireBrick can log a lot of information, and adding logs can cause things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
  • Page 55: Viewing Logs In The Cli Environment

    Specifying system event logging attributes is usually only necessary when diagnosing problems with the FB2700, and will typically be done under guidance from support staff. For example, log-stats causes a log message to be generated every second containing some key system statistics and state information, which are useful for debugging.
  • Page 56: Interfaces And Subnets

    In some situations, auto-negotiation is not supported by connected equipment, and so the FB2700 provides control of port behaviour to allow the port to work with such equipment.
  • Page 57: Defining Port Groups

    An example of such a configuration is a multi-tenant serviced-office environment, where the FB2700 acts as an Internet access router for a number of tenants, firewalling between tenant networks, and maybe providing access to shared resources such as printers.
  • Page 58: Defining Subnets

    You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv6 networking. The primary attributes that define a subnet are the IP address range of the subnet, the IP address of the FB2700 itself on that subnet, and an optional name.
  • Page 59: Source Filtering

    You can create a subnet that is configured via DHCP by clearing the ip checkbox - the absence of an IP address/ prefix specification causes the FB2700 to attempt to obtain an address from a DHCP server (which must be in the same broadcast domain).
  • Page 60: Fixed/Static Dhcp Allocations

    </interface> When specifying an explicit range of IP addresses, if you start at the network then the FB2700 will allocate that address. Not all devices cope with this so it is recommended that an explicit range is used, e.g. 192.168.1.100-199. You do not, however, have to be careful of either the FireBrick's own addresses or subnet broadcast addresses as they are automatically excluded.
  • Page 61: Restricted Allocations

    If you are setting up a static allocation, but your client has already obtained an address (from your FB2700) from a pool, you will need to clear the existing allocation and then force the client to issue a new DHCP request (e.g. unplug the ethernet cable, do a software 'repair connection' procedure or similar).
  • Page 62: Special Dhcp Options

    The top level dhcp-relay configuration allows you to configure the FireBrick to be the remote server for a DHCP/BOOTP Relay Agent. The relay attribute allows specific pools to be set up for specific relays. The table and allow allow you to limit the use of the DHCP Remote server to requests from specific sources - note that renewal requests come from the allocated IP, or NAT IP if behind NAT and not necessarily from the relay IP.
  • Page 63: Disabling Auto-Negotiation

    6.4.3. Setting duplex mode If auto-negotiation is enabled, the FB2700 port will normally advertise that it is capable of either half- or full- duplex operation modes - if you have reason to restrict the operation to either of these modes, you can set the duplex attribute to either half or full.
  • Page 64: Example Modified Port Led Functions

    Interfaces and Subnets (port LED functions, continued)
    Link10-1000/Activity: On when link up at 10Mbit/s or 1Gbit/s; blink (off) when Tx or Rx activity.
    Link10-100/Activity: On when link up at 10Mbit/s or 100Mbit/s; blink (off) when Tx or Rx activity.
    Duplex/Collision: On when full-duplex; blink when half-duplex and collisions detected.
    Blink (on) when collisions detected...
  • Page 65: Session Handling

    Without the session table entry, the FB2700 would have no way of knowing that the return traffic is part of an allowed (by firewalling rules) session, and it would likely be dropped due to firewalling.
  • Page 66: Session Termination

    FB2700. To do so would require support for a very wide range of protocols that are carried over UDP, and this is generally not practical.
  • Page 67: Processing Flow

    Session Handling 7.3.2. Processing flow The following processing flow applies to rules and rule-sets :- • Rule-sets are processed sequentially. • Each rule-set can optionally specify entry-criteria - if present, these criteria must be matched against for the rules within the rule-set to be considered. •...
  • Page 68 (i.e. an attribute of the rule-set object). This is particularly true when using XML. If you are unfamiliar with the FB2700's session rule specifications, you may interpret the no-match-action as specifying what happens if the rule-set's entry-criteria are not met (i.e. at the beginning of processing a rule-set).
  • Page 69: Processing Flow Chart For Rule-Sets And Session-Rules

    Session Handling Figure 7.2. Processing flow chart for rule-sets and session-rules [flow chart: packet arrives with no matching session; examine next rule-set object; start processing rules; processing continues with next rule-set; once all rule-sets are processed, the session is allowed]...
  • Page 70: Defining Rule-Sets And Rules

    Session Handling It is helpful to understand that a session rule contributes to the final set of information recorded in the session- table entry - a rule does not necessarily completely define what the session-table will contain, unless it is the only rule that matches the traffic under consideration.
  • Page 71: Recommended Method Of Implementing Firewalling

    Session Handling checked for target IP of, say, 0.0.0.0/24, that would pass if the target IP is within the same /24 as the source IP. This only works on IPv4, and only on subnets, not ranges, and only on source-ip and target-ip checks.
  • Page 72: Changes To Session Traffic

    For example, a session-rule can specify that the source IP address of the outbound packets be changed, such that they appear to be coming from a different address, typically one owned by the FB2700 itself. Return traffic will then be sent back to this modified address - assuming that the intention is that this traffic reach the original source IP address, the FB2700 will change the destination IP address in return traffic to be the original source IP address.
  • Page 73: Graphing And Traffic Shaping

    Two time-out values are configurable :- • Initial time-out : this time-out period begins when the first reply packet of the session arrives at the FB2700 ; it is specified by the set-ongoing-timeout attribute.
  • Page 74: Network Address Translation

    (assuming they do the current Internet Protocol, which is version 6). Remember, NAT is not a means of protection - the FireBrick has a firewall for that, NAT is a workaround for IP address sharing, something that is simply not necessary with IPv6 and should not be encouraged.
  • Page 75: Setting Nat In Rules

    7.4.4. What NAT does What the NAT setting does is cause the FireBrick to change the source IP and port used for the session. It picks an IP based on the interface to which the traffic will finally be sent, and uses the most appropriate IP address that it can to try and ensure correct return traffic to that IP address.
  • Page 76: Nat With Dongles

    Session Handling It is possible, of course, to use rule-sets and rules to control exactly when NAT applies rather than using the NAT setting on the PPPoE config. However, if the PPPoE connection only has one IPv4 address assigned, as is often the case, then setting NAT on the PPPoE config is usually the simplest way to achieve the configuration.
  • Page 77: Using Nat Setting On Subnets

    NAT to a new level. As ever we recommend using PPPoE to avoid an extra layer of NAT in a broadband router. In some cases the FireBrick may be expected to provide a carrier level of NAT in terms of number of sessions handled.
  • Page 78: Routing

    Chapter 8. Routing 8.1. Routing logic The routing logic in the FB2700 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
  • Page 79: Routing Targets

    In addition, a subnet definition creates a very specific single IP (a "/32" for IPv4, or a "/128" for IPv6) route for the IP address of the FB2700 itself on that subnet. This is a separate loop-back route which effectively internally routes traffic back into the FB2700 itself - i.e.
  • Page 80: Special Targets

    0. 8.5. Bonding A key feature of the FB2700 is the ability to bond multiple links at a per packet level. This feature is only enabled on a fully loaded model of your FB2700.
  • Page 81: Route Overrides

    However, the FB2700 also allows the possibility of route overrides, which control routing in more detail. This feature is part of the session tracking functionality, and so applies on a per-session basis (contrasting with the per-packet basis of conventional routing).
  • Page 82: Profiles

    Ping test can be used to alert you via e-mail when a destination is unreachable. The profile logic tests are also done based on the defined interval. The current state of all the profiles configured on your FB2700 can be seen by choosing the "Profiles" item in the "Status" menu.
  • Page 83: Tests

    • VRRP state : the vrrp attribute lists one or more Virtual Router group membership definitions (see Chapter 16) by name - if the FB2700 is not the master device in any of these Virtual Routers, this test will fail •...
  • Page 84: Inverting Overall Test Result

    Profiles 9.2.3. Inverting overall test result The tests described in the previous section are used to form an overall test result. Normally this overall result is used to determine the profile state using the mapping Pass > Active and Fail > Inactive. By setting the invert attribute to true, the overall result is inverted (Pass changed to Fail and vice-versa) first before applying the mapping.
  • Page 85: Traffic Shaping

    The graph is viewable directly (as a PNG image) from the FB2700 via the web User Interface - to view a graph, click the "PNG" item in the "Graphs" menu. This will display all the graphs that are currently configured - it is not currently possible to show a single graph within the web User Interface environment.
  • Page 86: Shapers

    Traffic Shaping 10.1.2. Shapers Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
  • Page 87: Multiple Shapers

    This is, essentially, tracking how much is likely to be queued at a bottleneck further on. The FB2700 does not delay sending packets and assumes something with a lower speed is probably queuing them up later.
  • Page 88: Pppoe

    It is possible to connect more than one PPP device to a single FB2700 port using an Ethernet switch. If you do this then you ideally need a switch that handles VLANs (see Appendix D if you are not familiar with VLANs) so that each router can be logically connected to a different interface on the FireBrick.
  • Page 89: Defining Pppoe Links

    A significant benefit of the Vigor V-120 is that it works with no configuration on BT 20CN and 21CN lines as well as Be/O2 PPPoA lines and TalkTalk lines - you just plug it in to the line and the FB2700 and it just works.
  • Page 90: Service And Ac-Name

    PPPoE Testing has been done which confirms setting mtu="1500" works correctly on BT FTTC and FTTP lines, as well as BT 21CN and TalkTalk lines via a suitable bridging modem (Dlink 320B). Note Testing using a Zyxel P660R in bridge mode confirms that BT 21CN ADSL lines will negotiate 1500 byte MTU, but it seems the Zyxel will not bridge more than 1496 bytes of PPP payload.
  • Page 91: Tunnels

    Ether tunnelling provides a mechanism to tunnel layer 2 ethernet traffic between two devices, using the protocol defined in RFC3378. Support for FB105 tunnels means the FB2700 can inter-work with existing FB105 hardware. FB105 tunnels can also be set up between any two FireBricks from the FB2x00 and FB6000 ranges which support FB105 tunnelling.
  • Page 92: Authentication

    The FireBrick supports version 2 of the IKE protocol (IKEv2). IKE uses Public Key Cryptographic mechanisms to select the keys to be used, using the Diffie-Hellman key exchange mechanism. IKE also performs authentication between the two link endpoints using for example X.509 certificates, pre-shared secrets or other methods...
  • Page 93: Identities And The Authentication Mechanism

    IPs not in the allow or trusted lists are not accepted. There is also a Force-NAT option which will force the FireBrick to assume that remote devices on the list are behind NAT boxes. IKE has built-in NAT detection so this option is rarely needed. See the separate section...
  • Page 94: IKE Proposals

    FireBrick perform network address translation on sessions initiated by the client. Note that there is a restriction on the total number of IPs (both IPv4 and IPv6 combined) of approximately 65536 addresses - i.e. a single IPv4 range of /16, or a single IPv6 range of /112.
  • Page 95: Authentication And IKE Identities

    FQDN or EMAIL forms of ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all. If the prefix (IP:, FQDN: etc) is omitted in the identity, the FireBrick chooses the most appropriate type, based on the syntax of the identity used.
  • Page 96: Road Warrior Connections

    The local-ip is optional - if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely, and the FireBrick chooses a suitable source IP when it initiates a connection. You can also optionally specify an internal-ipv4 and/or an internal-ipv6 address.
  • Page 97: IP Endpoints

    The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The current FireBrick implementation requires the local SPI for manual connections to be in the range 256 to 65535. The local-spi must match the outgoing SPI of the far end of the link, and vice-versa.
  • Page 98: Other Parameters

    IPsec/IKE authentication data payloads. When a certificate is installed on the FireBrick, a short local name must be chosen to accompany it. This name appears in the certificate store contents list but need bear no relation to the actual certificate identity. The local names are displayed on the UI certificate configuration page, and are also used to form the filename (with .pem...
  • Page 99 (and for security should not be installed). During the IKE authentication procedure the FireBrick sends a copy of the certificate identifying itself to the peer, and also sends the trust chain of certificate(s) used to sign the end-entity certificate. The peer does not need to have the end-entity certificate installed, but must have a CA certificate (usually the self-signed "root"...
  • Page 100: Creating Certificates

    Generating suitable certificates can be a painful experience for the uninitiated, so we have provided some useful tools which can be downloaded from the FireBrick website. These are bash scripts which use the OpenSSL tools, and can be run on Linux or macOS systems, or on Windows using Cygwin. They should be downloaded and saved locally (e.g. by cut-and-paste from the displayed web page text, or using the browser save source function).
  • Page 101: NAT Traversal

    • PRF: A pseudo-random function used to generate further keying info from the Diffie-Hellman key (control channel only). • ESN: A flag indicating whether extended sequence numbers are supported for the data channel. Manually-keyed connections do not have a control channel, and use only integrity and encryption algorithms. Both integrity checking and encryption allow a choice of algorithms.
  • Page 102: Configuring A Road Warrior Server

    FireBrick so it can be sent over the VPN. One of three methods is typically used: • Use a range in private address space - e.g. 10.42.42.1-100. As these are not internet-routable, if the clients require internet access through the VPN, incoming sessions from the client should be NATed by the FireBrick.
  • Page 103: Connecting To Non-FireBrick Devices

    12.1.8. Connecting to non-FireBrick devices. The FireBrick IPsec implementation should be compatible with any IPsec IKEv2 implementation. Note that IKE version 1 is not supported. Older equipment may not support IKEv2 yet, in which case manual keying may be possible. Several vendors have released IKEv2 support only recently; it is worth checking with your vendor for firmware upgrades.
  • Page 104: Setting Up A Road Warrior VPN On An Android Client

    To set up a client VPN connection on an Android device, perform the following steps: • The FireBrick connection should be configured as a Road Warrior connection, and client usernames and passwords should be configured, as described earlier, using certificate authentication for the FireBrick and EAP for the peers.
  • Page 105: Setting Up A Road Warrior VPN On An iOS (iPhone/iPad) Client

    IKE identity. Names used to identify the VPN on the client settings pages can also be supplied. The client IKE identity may be freely chosen - the FireBrick Road Warrior server will accept any client ID, and it will be displayed in the FireBrick IPsec status information and logging. Note that the server address should be entered as an IP address rather than a domain name for reliable operation;...
  • Page 106: FB105 Tunnels

    12.2. FB105 tunnels The FB105 tunnelling protocol is a FireBrick proprietary protocol that was first implemented in the FireBrick FB105 device, and is popular with FB105 users for setting up VPNs etc. It is 'lightweight' in as much as it is relatively simple, with low overhead and easy setup, but it does not currently offer encryption.
  • Page 107: Tunnel Wrapper Packets

    'tunnel wrappers', and include the digital signature. As with any other UDP traffic originating at the FB2700, the tunnel wrappers are then encapsulated in an IP packet and sent to the IP address of the far-end tunnel end-point.
  • Page 108: Viewing Tunnel Status

    If you wish to use a different UDP port number than the default of 1, specify the port number using the port attribute. 12.2.3. Viewing tunnel status. The status of all configured FB105 tunnels can be seen in the web User Interface by selecting "FB105" from the "Status"...
  • Page 109: FB2700 Doing NAT

    NAT'ing router. If the FB2700 is behind a NAT router, it will not have a public IP address of its own which you can reference as the far-end IP address on the other end-point device. Instead, you will need to specify the WAN address of the NAT router for this far-end address.
  • Page 110 Configuring an ETUN connection is very simple. Select "Add: New: Ether tunnel (RFC3378)" on the tunnel configuration page, and enter the IP of the remote FireBrick and the local port to be used for ETUN. The local IP can be optionally set, and the usual log, profile and table options are also available. The local ETUN port is specified by selecting a port group.
  • Page 111: USB Port

    The Socket value is a sequence of one or more numbers separated by full stops. The numbers indicate the number of each port along the chain from FB through any hubs to the final device. The USB port on the FB2700 itself is always shown as port 1, so if the dongle is attached directly to the FB2700 the Socket value will just be 1.
  • Page 112: System Services

    14.1. Protecting the FB2700. Whilst the FB2700 does have a comprehensive firewall, the design of the FB2700 is that it should be able to protect itself sensibly without the need for a separate firewall. You can, of course, configure the firewall settings to control access to system services as well, if you want.
  • Page 113: HTTP Server Configuration

    The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based user interface for the FB2700. It is not a general-purpose web server that can be used to serve user documents, and so there is little to configure.
  • Page 114: Telnet Server Configuration

    14.4. Telnet Server configuration. The Telnet server allows standard telnet-protocol clients (available for most client platforms) to connect to the FB2700 and access a command-line interface (CLI). The CLI is documented in Chapter 21 and in Appendix I. 14.4.1. Access control. Access control can be restricted in the same way as the HTTP (web) service, including per user access restrictions.
  • Page 115: Auto DHCP DNS

    LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address back to a name.
  • Page 116: RADIUS Client Settings

    However, it is quite possible for a server to go away when there are no current RADIUS requests, or even come back when not being used for current requests. To allow for this the FireBrick sends status-server requests to the server periodically, and records the responses in the 64 bit response queue. This means a blacklisted server will be recorded as usable again once it starts answering such requests.
  • Page 117: Network Diagnostic Tools

    For example, if we submit parameters that describe inbound (i.e. from a WAN connection) traffic that would result from trying to access a service on a host behind the FB2700, we have implemented a 'default drop' policy firewalling method, and we have not explicitly allowed such sessions, we would see :-...
  • Page 118: Access Check

    The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB2700 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB2700 is responding appropriately.
  • Page 119: Dump Parameters

    The output is streamed so that, when used with curl and tcpdump, you can monitor traffic in real time. Limited filtering is provided by the FB2700, so you will normally apply any additional filtering you need via tcpdump.
  • Page 120: IP Address Matching

    Note: these security requirements are the most likely thing to cause your attempts to packet dump to fail. If you are getting a simple "404" error response, and think you have specified the correct URL (if using an HTTP client), please check security settings are as described here.
  • Page 121: Using An HTTP Client

    Line breaks are shown in the example for clarity only - they must not be entered on the command line. In this example we have used username name and password pass to log in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB2700.
  • Page 122: VRRP

    You can have multiple virtual routers on the same LAN at the same time, so there is a Virtual Router Identifier (VRID) that is used to distinguish them. The default VRID used by the FB2700 is 42. You must set all devices that are part of the same group (virtual router) to the same VRID, and this VRID must differ from that used by any other virtual routers on the same LAN.
  • Page 123: Configuring VRRP

    VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB2700 comes under the scope of an interface definition. As such, to set-up your FB2700 to participate in a Virtual Router group, you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where the VRRP operates.
  • Page 124: VRRP Version 3

    Note that the FB2700 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick.
  • Page 125: VoIP

    17.2.2. Proxy To make an outgoing call via a SIP carrier you have to send the call details to a proxy. In the case of the FB2700 acting as the carrier, the same address is used for registrar and proxy.
  • Page 126: Home/Office Phone System

    The FB2700 provides some key ways to tackle the issues of NAT. • An FB2500/FB2700 can be used as a gateway device in a home or office - using PPPoE to connect to the Internet. This means the FireBrick has a real external IP address without NAT. The FireBrick can then connect to SIP handsets on the LAN using private IP addresses.
  • Page 127: Number Plan

    • The FireBrick can make use of the current Internet Protocol (IPv6). At present there are few carriers and handsets that work with IPv6, but this is improving all of the time. IPv6 avoids the need for NAT. The FireBrick acts as a media gateway which makes firewalling rules simple even when using IPv6, and allows IPv4 and IPv6 devices to interwork with no problems.
  • Page 128: VoIP Call Carriers

    VoIP carrier to send calls to the FB2700 using a fixed pre-set configuration. To set up a VoIP carrier where the FB2700 registers with the carrier you need to specify the registrar attribute. This can be a host name or IP address. You also need to specify the username and password. For incoming calls you need to specify the extn that is logically dialled when a call comes in from this carrier - this can be the extension number of a telephone or hunt group.
  • Page 129: Hunt Groups

    - in such a case the carrier selection will only match entries that have that username set and can match entries with no to attribute defined. When a FireBrick attempts an authenticated call it can send such a pre-challenge Authorization header.
  • Page 130: Ring Order

    sequence: Ring phones in a sequence, ringing one phone at a time. You can set the timing used for calls to progress through the list of phones. 17.8.2. Ring order. When not ringing all phones at once, you can control the order they are rung: Table 17.2.
  • Page 131: Busy Lamp Field

    REFER, SUBSCRIBE, OPTIONS etc. The Digest-Method is always included to indicate a VoIP request and identify the type of request. You can have a RADIUS authentication before the FireBrick challenges the requestor by setting the radius-challenge settings, allowing a RADIUS challenge response to customise the challenge. This also happens...
  • Page 132: Call Routing By Radius

    To understand how call routing works you need to understand how call legs work. A call leg is a connection to or from the FB2700 to another SIP device. It could be a SIP carrier or a telephone. Typically there is an incoming call leg from a carrier or a phone, which needs to be authenticated, and then a call routing decision is made.
  • Page 133: Call Recording

    17.12. Call recording. The FB2700 supports call recording by teeing off the two-way audio from a call leg and sending it to a SIP endpoint. The SIP endpoint will then record the call and handle it in any way you wish.
  • Page 134: Voicemail And IVR Services

    17.13. Voicemail and IVR services. Voicemail is still in development. The FB2700 will simply pass the call to a voicemail server via SIP. This could be a local device on the network, or a service provided by a carrier. We will include a software package to run on a Linux box that will save the recording.
  • Page 135: Technical Details

    • The FireBrick always acts as an audio media endpoint, i.e. it is always in the media path. This minimises call routing and firewalling issues. The FireBrick uses the same IP for media and control messages on each call.
  • Page 136 30ms@400Hz 10ms 30ms@400Hz 6000ms 125ms@400Hz 125ms 20000ms@1400Hz 200ms@400Hz 400ms 2000ms@400Hz 400ms. Accessing a URL on the FireBrick of /voip/ring.wav serves a WAV format of the tone. You can test tones using a URL like /voip/tone.wav?100ms@1000Hz+200ms@2000Hz but ensure you URL escape the query string.
  • Page 137: BGP

    In practice things are not that simple and you will have some specific relationships with peers when using BGP. For most people there will be transit providers with which you peer. The FB2700 cannot take a full table (map of the whole Internet) from a transit provider so you would typically have a default route to them. You can advise the transit provider of your own routes for your own network so that they can route to you, and they tell their peers that they can route to you via that provider.
  • Page 138: Simple Example Setup

    • RFC2796 Route reflector peers • RFC3392 Capabilities negotiation • RFC3065 Confederation peers • RFC5082 TTL Security • Multiple independent routing tables allowing independent BGP operations • Multiple AS operation 18.2.3. Simple example setup A typical installation may have transit connections from which a complete internet routing table is received, peers which provide their own routes only, internal peers making an IBGP mesh, customers to which transit is provided and customer routes may be accepted.
  • Page 139: Route Filtering

    Must be EBGP, and sets default of no-fib and not add-own-as. Routes from this peer are marked as IXP routes which affects filtering on route announcements. 18.2.5. Route filtering. Each peer has a set of import and export rules which are applied to routes that are imported or exported from the peer.
  • Page 140: Well Known Community Tags

    18.2.7. Announcing black hole routes. The FireBrick allows black hole routes to be defined using the blackhole object. Routing for such addresses is simply dropped with no ICMP error. Such routes can be marked for BGP announcement just like any other routes.
  • Page 141: Announcing Dead End Routes

    18.2.12. Route feasibility testing The FB2700 has an aggressive route feasibility test that confirms not only routability of each next-hop but also that it is answering ARP/ND requests. Whenever a next-hop is infeasible then all routes using that next-hop are removed.
  • Page 142: Diagnostics

    18.2.15. TTL security The FireBrick supports RFC5082 standard TTL security. Simply setting ttl-security="1" on the peer settings causes all of the BGP control packets to have a TTL of 255 and expects all received packets to be TTL 255 as well.
  • Page 143: OSPF

    OSPF can also be used to create very large networks with multiple areas. Whilst the FireBrick can be a part of such a network, it does not act as an area gateway router. The FireBrick can, however, feed routes from OSPF into BGP routing and so act as an AS-Border gateway router.
  • Page 144: Simple Example Setup

    Note that this does not yet offer OSPF via interfaces (e.g. tunnels) other than Ethernet. 19.2.3. Simple example setup: <ospf/> Yes, that is all you need for an unauthenticated OSPF set up working on all Ethernet interfaces and announcing all connected subnets! 19.2.4.
  • Page 145: Internet Service Providers

    Chapter 20. Internet Service Providers. The FireBrick can be used by Internet Service Providers (ISPs) to provide Internet connectivity by acting as a gateway between a carrier network (e.g. Broadband or mobile carrier) and the Internet. This chapter covers the ISP use of a FireBrick including L2TP and PPPoE.
  • Page 146: Broadband

    20.2. Incoming L2TP connections To allow a connection to the FireBrick you have to decide on a hostname. This is not a DNS hostname and is more like a login or username. It can be anything you like. You can pre-agree with your carrier the hostname they will use and the IP address of your LNS.
  • Page 147: The Importance Of CQM Graphs

    L2TP connection. This can also be set in the RADIUS response. This limits the speed of traffic to the line. This is usually done so that the LNS is in control of the speed of the line as the FireBrick will drop larger packets before smaller packets, which helps VoIP and many other protocols work well even on a full link.
  • Page 148: Accounting

    20.8.1. Interlink subnet A carrier will normally have an interlink - this could be a dedicated port on the FB2700 or a VLAN perhaps via a suitable switch. In any case this is an interface in the configuration. Some carriers use a /30 IPv4...
  • Page 149: Bgp With Carrier

    (as well as hostname and password to use). The reply can be a single LNS or can be more than one reply with a priority tagging if the carrier supports this. The FB2700 can pick an LNS randomly from a set, or pick one based on a hash of the username, part of the username, or circuit ID.
  • Page 150: L2TP Endpoints

    You would normally have more than one RADIUS server. You can set these in a priority order, a set of main servers and a set of backup. The FB2700 will find a config line for RADIUS based on the named RADIUS server in the L2TP incoming configuration, or pick any if this is not set.
  • Page 151: Command Line Interface

    The CLI is accessed via the 'telnet' protocol - the FB2700 implements a telnet server, which you can connect to using any common telnet client program. To learn how to enable the telnet server, and to set-up access restrictions, please refer to Section 14.4.
  • Page 152: Factory Reset Procedure

    IP addresses described in Chapter 2. This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason, or any other situation where it is appropriate to start from scratch.
  • Page 153 If you disconnect the power then the config will revert to the previous state and no longer be reset, so it is important to connect your laptop, etc, to the FB2700 after removing the looped cable and not power cycle in-between.
  • Page 154: CIDR And CIDR Notation

    Appendix B. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
  • Page 155 Another common use of the CIDR notation is to combine the definition of a network with the specification of the IP address of an end system on that network - this form is used in subnet definitions on the FB2700, and in many popular operating systems.
  • Page 156: MAC Addresses Usage

    In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
  • Page 157: How The FireBrick Allocates MAC Addresses

    ISP links as above where ports are locked to only accept one MAC. The way the FireBrick manages MAC addresses is designed to be a bit sticky so that a config change will not usually cause a MAC address assigned to a subnet or interface to change.
  • Page 158: Running Out Of MACs

    MAC and not one per subnet. C.3. MAC address on label The label attached to the bottom of the FB2700 shows what MAC address range that unit uses, using a compact notation, as highlighted in Figure C.1 :- Figure C.1. Product label showing MAC address range...
  • Page 159: Using With A DHCP Server

    DHCP allocation in a list, rather than trying to locate it by MAC address. If the FB2700 is in a factory-reset state, then the system name will not be set, and you will have to locate it...
  • Page 160: VLANs: A Primer

    Linux. The FB2700 supports IEEE 802.1Q VLANs, and will accept (and send) packets with 802.1Q VLAN tags. It can therefore work with any Ethernet switch (or other) equipment that also supports 802.1Q VLANs, and therefore allows multiple logical interfaces to be implemented on a single physical port.
  • Page 161: Supported L2TP Attribute/Value Pairs

    Framing Capabilities (3): Incoming Ignored; Outgoing Value 3. Bearer Capabilities (4): Incoming Ignored; Outgoing Not sent. Tie Breaker (5): Incoming Ignored as FireBrick only accepts connections for inbound calls; Outgoing Not sent. Firmware Revision (6): Incoming Ignored; Outgoing FireBrick s/w version string. Host Name (7): Incoming Used to select which incoming L2TP request configuration applies; Outgoing As per config/RADIUS.
  • Page 162: Start-Control-Connection-Connected

    Challenge (11): Incoming Accepted if a configured secret is defined, a response is sent in the SCCCN; Outgoing Not sent at present. Challenge Response (13): Incoming Not expected at present; Outgoing Sent if SCCRQ contained a challenge and we have a secret defined. E.3.
  • Page 163: Incoming-Call-Reply

    Calling Number (22): Incoming Accepted, used in RADIUS and passed on if relaying; Outgoing Passed on incoming value. Sub-Address (23): Incoming Ignored; Outgoing Not sent. Physical Channel ID (25): Incoming Ignored; Outgoing Not sent. E.7. Incoming-Call-Reply. Table E.7. ICRP (No., Incoming, Outgoing): Message Type (0): Incoming Value 11; Outgoing Value 11...
  • Page 164: Outgoing-Call-Reply

    Message Type (0): Incoming Value 7; Outgoing Value 7. Not supported, ignored. E.10. Outgoing-Call-Reply. Table E.10. OCRP (No., Incoming, Outgoing): Message Type (0): Incoming Value 8; Outgoing Value 8. Not supported, ignored. E.11. Outgoing-Call-Connected. Table E.11. OCCN (No., Incoming, Outgoing): Message Type (0): Incoming Value 9; Outgoing Value 9...
  • Page 165: Notes

    IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping...
  • Page 166: Supported RADIUS Attribute/Value Pairs For L2TP Operation

    31: Calling number as received on L2TP. Acct-Session-Id (44): Unique ID for session as used on all following accounting records. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): NAS IPv4 address if using IPv4. NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 167: Authentication Response

    local end session ID. The NAS-Identifier remains the name of the FB6000. This option is separately available for accounting messages. Note that the Calling-Station-Id is included even if not present in the L2TP connection if a cache platform RADIUS request matched the L2TP connection and had a Calling-Station-Id.
  • Page 168: Prefix Delegation

    The client can send a Router Solicitation to which the FireBrick will reply advising to use DHCPv6 for addressing. Once a Router Solicitation is sent, periodic Router Advertisements will then be sent on the connection by the FireBrick.
  • Page 169: Rejected Authentication

    Acct-Event-Timestamp (55): Session start time (unix timestamp). Acct-Session-Id (44): Unique ID for session. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): NAS IPv4 address if using IPv4. NAS-IPv6-Address (95): NAS IPv6 address if using IPv6. NAS-Port (5): L2TP session ID...
  • Page 170: Accounting Interim

    …Identity (89): Graph name that applies, sanitised to comply with CQM graph name rules. Connect-Info (77): Text Tx speed/Rx speed in use. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): NAS IPv4 address if using IPv4. NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 171: Accounting Stop

    Tunnel-Assignment- (82): Present for relayed L2TP, text local L2TP tunnel ID. Tunnel-Client-Auth- (90): Present for relayed L2TP, local end hostname quoted by outgoing tunnel. Tunnel-Server-Auth- (91): Present for relayed L2TP, far end hostname quoted by outgoing tunnel. F.5.
  • Page 172: Filter Id

    Delegated-IPv6-Prefix (123): IPv6 prefix to be routed to line. Maximum localpref used. Framed-IPv6-Prefix (97): IPv6 prefix to be routed to line. Maximum localpref used. Framed-IPv6-Route (99): May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax.
  • Page 173: Notes

    X: Pad packets to 74 bytes if the length field appears to be less - needed to work around a bug in BT 20CN BRAS for IPv6 in IP over LCP mode. C: Send all IPv4 and IPv6 using the LCP type code (only works if FireBrick doing PPP at far end). O: Mark session as low-priority (see shaper and damping).
  • Page 174: LCP Echo And CQM Graphs

    RADIUS reply sets the LCP rate/timeout and provides tunnel relay, then the incoming side of the relayed connection will use LCP echos from the FireBrick in the middle of the connection and not pass these through - this means on the o/g connection the FireBrick answers LCP echos from the relayed LNS.
  • Page 175: Supported RADIUS Attribute/Value Pairs For VoIP Operation

    …Authenticator. Called-Station-Id (30): Local part of To: header. Calling-Station-Id (31): Local part of From: header. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): Requestor IPv4 address if using IPv4. NAS-IPv6-Address (95): Requestor IPv6 address if using IPv6. NAS-Port (5): Requestor UDP port...
  • Page 176: Authentication Response

    Digest-CNonce (113): Digest CNonce. Digest-Nonce-Count (114): Digest Nonce Count (NC). Digest-Username (115): Digest Username. Digest-Opaque (116): Digest Opaque. SIP-AOR (121): Contact URI. Session-Timeout (27): Time from Expires header. Acct-Terminate-Cause (49): Only sent for a redirect call routing, the redirect code, e.g. 301/302. G.2.
  • Page 177: Rejected Authentication

    50: SIP Call ID for call leg. Acct-Event-Timestamp (55): Time call started trying. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): Far end IPv4 address for SIP if using IPv4. NAS-IPv6-Address (95): Far end IPv6 address for SIP if using IPv6...
  • Page 178: Accounting Stop

    Acct-Event-Timestamp (55): Time call answered. NAS-Identifier (32): Configured hostname of FireBrick. NAS-IP-Address (4): Far end IPv4 address for SIP if using IPv4. NAS-IPv6-Address (95): Far end IPv6 address for SIP if using IPv6. NAS-Port...
  • Page 179: Change Of Authorisation

    G.7. Change of Authorisation. A change of authorisation message is accepted as per RFC5176. Table G.10. Change-of-Authorisation (No., Usage): Acct-Session-Id (44): Unique ID for session...
  • Page 180: FireBrick Specific SNMP Objects

    Appendix H. FireBrick specific SNMP objects. This appendix details the SNMP objects that are specific to the FireBrick. H.1. BGP information. Information about specific BGP peers. Note: the OID contains the IP. This is coded as either 4.a.b.c.d for IPv4 address a.b.c.d, or 6 followed by 32 entries each 0 to 15 for each hex character in the IPv6 address.
  • Page 181: Monitoring Information

    Integer: Number of sessions in NEGOTIATING state. Integer: Number of sessions in AUTH-PENDING state. Integer: Number of sessions in STARTED state. Integer: Number of sessions in LIVE state. Integer: Number of sessions in ACCT-PENDING state. Integer...
  • Page 182: Command Line Reference

    Shows how long since the FB2700 restarted. I.1.4. General status: show status. Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages. I.1.5. Memory usage: show memory. Shows memory usage summary.
  • Page 183: Logout

    I.1.8. Logout: logout, quit, exit. You can also use Ctrl-D to exit, or close the connection (if using telnet). I.1.9. See XML configuration: show run, show configuration. Dumps the full XML configuration to the screen. I.1.10. Load XML configuration: import configuration. You then send the XML configuration, ending with a blank line.
  • Page 184: Networking Commands

    There are a number of controls allowing you to fine tune what is sent. Obviously you should only send from a source address that will return to the FB2700 correctly. You can also ask for the results to be presented in an XML format.
  • Page 185: See DHCP Allocations

    I.2.6. See DHCP allocations: show dhcp [<IP4Addr>] [table=<routetable>]. Shows DHCP allocations, with option to show details for specific allocation. I.2.7. Clear DHCP allocations: clear dhcp [ip=<IP4Range>] [table=<routetable>]. Allows you to remove one or more DHCP allocations. I.2.8. Lock DHCP allocations: lock dhcp ip=<IP4Addr>...
  • Page 186: Firewalling Commands

    Resets the data connection on a specified dongle. The dongle will then restart connection automatically. I.5. L2TP commands. Note: this command summary is not yet complete, please see www.firebrick.co.uk for details. I.6. BGP commands. Note: this command summary is not yet complete, please see www.firebrick.co.uk for details...
  • Page 187: Ospf Commands

    [<string>] [confirm=<string>] This causes the FB2700 to crash, causing a panic event with a specified message. You need to specify confirm=yes for the command to work. This can be useful to test fallback scenarios by simulating a fatal error.
  • Page 188: Make Outbound Command Session

    FireBrick support team. I.11.5. Show command sessions show command sessions The FB2700 can have multiple telnet connections at the same time. This lists all of the current connections. I.11.6. Kill command session kill command session <IPAddr>...
  • Page 189: Constant Quality Monitoring - Technical Details

    J.1. Broadband back-haul providers When using the FB2700 as an LNS the CQM graphs are invaluable for diagnosing line faults. They are useful to the ISP but also useful to the back-haul provider which is often a separate company (e.g. BT or Be). We recommend that you consider providing access to graphs for live circuits and archived data to your back-haul provider when discussing faults with them.
  • Page 190: Dated Information

    J.2.2. Dated information Without any date the data returned is the latest. For csv it is all data points available. For graph it is the last 24 to 25 hours. You can display data for a specific date. This only makes sense for today, and during the first couple of hours of the day you can get yesterday in full.
  • Page 191: Additional Text

    J.3.2. Additional text Additional text is shown on the graph based on the values in the configuration if not specified. There are 4 lines on the top left in small text and two heading lines top right in large text. Table J.3.
  • Page 192: Full Url Format

    The recommended command to run just after midnight is wget -m http://host:port/cqm/`date +%F -dyesterday`/z/ as this will create a directory for the server, cqm, date, and z, and then the files. The use of z clears text off the graphs to make them clean. J.4.1.
  • Page 193: Creating Graphs, And Graph Names

    Chargeable-User-Id, Calling-Station-Id or User-Name for a connected line, and so can be defined from the RADIUS authentication response. It is recommended that the circuit ID is used where available, e.g. from BT platform RADIUS. Whilst the FB2700 can manage thousands of graphs, new graphs will not be created if memory is not available.
  • Page 194: Configuration Objects

    Appendix K. Configuration Objects This appendix defines the object definitions used in the FireBrick FB2700 configuration. Copyright © 2008-16 FireBrick Ltd. K.1. Top level K.1.1. config: Top level config The top level config element contains all of the FireBrick configuration data.
  • Page 195: Objects

    profile profile Optional, unlimited Control profiles route route Optional, unlimited Static routes route-override route-override Optional, unlimited Routing override rules rule-set rule-set Optional, unlimited Firewall/mapping rules sampling sampling Optional Sampling parameters services services Optional General system services shaper shaper Optional, unlimited Named traffic shapers system system...
  • Page 196: Link: Web Links

    URL to GET prior to s/w reboot (typically to warn nagios) soft-watchdog boolean false Debug - use only if advised; do not use on an unattended FireBrick source string Source of data, used in automated config management sw-update autoloadtype...
  • Page 197: Eap: User Access Controlled By Eap

    profile NMTOKEN Profile name source string Source of data, used in automated config management table (unsignedByte 0-99) Restrict login to specific routing table routetable timeout duration 5:00 Login idle timeout (zero to stay logged in) K.2.4. eap: User access controlled by EAP Identities, passwords and access methods for access controlled with EAP Table K.7.
  • Page 198: Log-Syslog: Syslog Logger Settings

    K.2.6. log-syslog: Syslog logger settings Logging to a syslog server Table K.10. log-syslog: Attributes Attribute Type Default Description comment string Comment facility syslog-facility LOCAL0 Facility setting port unsignedShort Server port profile NMTOKEN Profile name server IPNameAddr Not optional Syslog server severity syslog-severity...
  • Page 199: Services: System Services

    string Not optional Target email address K.2.8. services: System services System services are various generic services that the system provides, and allow access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
  • Page 200: Telnet-Service: Telnet Service Settings

    NMTOKEN Not logging Log debug log-error NMTOKEN Log as event Log errors ntpserver List of IPNameAddr ntp.firebrick.ltd.uk List of time servers (IP or hostname) from which time may be set by ntp poll duration 1:00:00 NTP poll rate profile NMTOKEN...
  • Page 201: Http-Service: Http Service Settings

    log-error NMTOKEN Log as event Log errors port unsignedShort Service port profile NMTOKEN Profile name source string Source of data, used in automated config management table (unsignedByte 0-99) Routing table number routetable K.2.12. http-service: HTTP service settings Web management pages Table K.16.
  • Page 202: Dns-Host: Fixed Local Dns Host Settings

    comment string Comment domain string Our domain fallback boolean true For incoming requests, if no server in required table, relay to any DNS available local-only boolean true Restrict access to locally connected Ethernet subnets only NMTOKEN Not logging Log events log-debug NMTOKEN...
  • Page 203: Radius-Service: Radius Service Definition

    Table K.20. dns-block: Attributes Attribute Type Default Description comment string Comment name List of string Not optional Host names (can use * as a part of a domain) profile NMTOKEN Profile name restrict-interface List of NMTOKEN - Only apply on certain interface(s) restrict-to List List of IP ranges to which this is served...
  • Page 204: Radius-Service-Match: Matching Rules For Radius Service

    relay-table (unsignedByte 0-99) Routing table number for copy of RADIUS routetable request secret Secret Shared secret for RADIUS requests (needed for replies) source string Source of data, used in automated config management tagged boolean Tag all attributes that can be target-hostname string Hostname for L2TP connection...
  • Page 205: Radius-Server: Radius Server Settings

    name string Name nsn-conditional boolean Only send NSN settings if username is not same as calling station id nsn-tunnel-override- unsignedByte Additional response for GGSN usage username nsn-tunnel-user- unsignedInt Additional response for GGSN usage auth-method order radiuspriority Priority tagging of endpoints sent profile NMTOKEN Profile name...
  • Page 206: Ethernet: Physical Port Controls

    queue unsignedInt Concurrent requests over all of these servers (per type) scale-timeout unsignedByte Timeout scaling factor secret Secret Not optional Shared secret for RADIUS requests source string Source of data, used in automated config management table (unsignedByte 0-99) Routing table number routetable type...
  • Page 207: Portdef: Port Grouping And Naming

    comment string Comment (unsignedShort 1500 576-2000) mtu name string Name profile NMTOKEN Profile name protocol sampling-protocol sflow Protocol used to export sampling data sample-flush duration 1 sec for sFlow; 30 Sample max cache time for IPFIX sample-rate (unsignedShort 1000 Sample rate (uniform random prob 1/N) 100-10000) sample-...
  • Page 208: Subnet: Subnet Settings

    Optional, unlimited DHCP server settings subnet subnet Optional, unlimited IP subnet on the interface vrrp vrrp Optional, unlimited VRRP settings K.2.23. subnet: Subnet settings Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
  • Page 209: Vrrp: Vrrp Settings

    TTL for originating traffic via subnet K.2.24. vrrp: VRRP settings VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Use different VRID on different VLANs. Table K.31. vrrp: Attributes...
  • Page 210: Dhcps: Dhcp Server Settings

    answer-ping boolean true Whether to answer PING to VRRP IPs when master comment string Comment delay unsignedInt Delay after routing established before priority returns to normal interval unsignedShort Transit interval (centiseconds) List of IPAddr Not optional One or more IP addresses to announce NMTOKEN Not logging Log events...
  • Page 211: Dhcp-Attr-Hex: Dhcp Server Attributes (Hex)

    NMTOKEN Not logging Log events (allocations) List Partial or full MAC addresses (hexBinary) macprefix name string Name List of IP4Addr From system settings NTP server profile NMTOKEN Profile name source string Source of data, used in automated config management syslog List of IP4Addr...
  • Page 212: Dhcp-Attr-Number: Dhcp Server Attributes (Numeric)

    vendor boolean Add as vendor specific option (under option 43) K.2.28. dhcp-attr-number: DHCP server attributes (numeric) Additional DHCP server attributes (numeric) Table K.36. dhcp-attr-number: Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested unsignedByte Not optional Attribute type code/tag...
  • Page 213: Ppp-Route: Ppp Routes

    cug-restrict boolean Closed user group restricted traffic (only to/from same CUG ID) fast-retry boolean Aggressive re-connect graph (token) graphname - Graph name ip-over-lcp boolean auto Sends all IP packets as LCP lcp-rate unsignedByte LCP interval (seconds) lcp-timeout unsignedByte LCP timeout (seconds) local...
  • Page 214: Usb: Usb 3G/Dongle Settings

    Table K.40. ppp-route: Attributes Attribute Type Default Description bgpmode Not announced BGP announce mode for routes comment string Comment List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name ospf...
  • Page 215: Route: Static Routes

    +CGDCONT=1,"[context]","[apn]" ATDT*99# graph (token) graphname - Graph name local IP4Addr Local IPv4 address localpref unsignedInt 4294967295 Localpref for route (highest wins) NMTOKEN Log as specified in Log events parent usb config log-debug NMTOKEN Log as specified in Log debug parent usb config log-error NMTOKEN...
  • Page 216: Network: Locally Originated Networks

    Table K.45. route: Attributes Attribute Type Default Description bgpmode Not announced BGP announce mode for routes comment string Comment gateway List of IPAddr Not optional One or more target gateway IPs graph (token) graphname - Graph name List of IPPrefix Not optional One or more network prefixes localpref...
  • Page 217: Loopback: Locally Originated Networks

    as-path List Custom AS path as if network received unsignedInt bgpmode false BGP announce mode for routes comment string Comment List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name...
  • Page 218: Namedbgpmap: Mapping And Filtering Rules Of Bgp Prefixes

    auth-key hexBinary Key for OSPFv3 authentication bgpmode BGP announce mode for routes comment string Comment crypt-algorithm ipsec-crypt- null Encryption algorithm for OSPFv3 algorithm crypt-key hexBinary Key for OSPFv3 encryption dead-interval duration Default router dead interval hello-interval duration Default hello interval instance unsignedByte Instance ID for OSPFv3...
  • Page 219: Bgprule: Individual Mapping/Filtering Rule

    Table K.51. namedbgpmap: Elements Element Type Instances Description match bgprule Optional, unlimited List rules, in order of checking K.2.40. bgprule: Individual mapping/filtering rule An individual rule for BGP mapping/filtering Table K.52. bgprule: Attributes Attribute Type Default Description comment string Comment community...
  • Page 220: Bgppeer: Bgp Peer Definitions

    table (unsignedByte 0-99) Routing table number routetable Table K.54. bgp: Elements Element Type Instances Description peer bgppeer Optional, up to 50 List of peers/neighbours K.2.42. bgppeer: BGP peer definitions The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.
  • Page 221: K.56. Bgppeer: Elements

    import-tag List of Community - List of community tags to add in addition to any import filters in-soft boolean Mark received routes as soft List of IPAddr One or more IPs of neighbours (omit to allow incoming) log-debug NMTOKEN Not logging Log debug...
  • Page 222: Bgpmap: Mapping And Filtering Rules Of Bgp Prefixes

    K.2.43. bgpmap: Mapping and filtering rules of BGP prefixes This defines the rules for mapping and filtering of prefixes to/from a BGP peer. Table K.57. bgpmap: Attributes Attribute Type Default Description comment string Comment detag List of Community - List of community tags to remove drop boolean...
  • Page 223 heading string Heading of graph hourformat string Hour format unsignedByte Pixels space for key label-ave string Label for average latency label-damp string Damp% Label for % shaper damping label-fail string %Fail Label for seconds (%) failed label-latency string Latency Label for latency label-max...
  • Page 224: L2Tp: L2Tp Settings

    share-interface NMTOKEN Interface on which to broadcast data for shaper sharing share-secret string Secret to validate shaper sharing subheading string Subheading of graph text Colour black Colour for text text1 string Text line 1 text2 string Text line 2 text3 string Text line 3...
  • Page 225 graph string Graph name hdlc boolean true Send HDLC header (FF03) on all PPP frames hello-interval unsignedByte Interval between HELLO messages hostname string System name The hostname we quote on tunnel connect IPAddr Not optional IP of far end lcp-data-len unsignedByte LCP data field length...
  • Page 226: L2Tp-Incoming: L2Tp Settings For Incoming L2Tp Connections

    Table K.63. l2tp-outgoing: Elements Element Type Instances Description route ppp-route Optional, unlimited Routes to apply when link is up K.2.47. l2tp-incoming: L2TP settings for incoming L2TP connections L2TP tunnel settings for incoming L2TP connections Table K.64. l2tp-incoming: Attributes Attribute Type Default...
  • Page 227: L2Tp-Relay: Relay And Local Authentication Rules For L2Tp

    pppdns1 IP4Addr PPP DNS1 IPv4 default pppdns2 IP4Addr PPP DNS2 IPv4 default pppip IP4Addr Local end PPP IPv4 profile NMTOKEN Profile name radius string Name for RADIUS server config to use receive-window unsignedShort Not sent Receive window to advise on connection relay-nas-ip boolean true...
  • Page 228: Fb105: Fb105 Tunnel Definition

    ip-over-lcp boolean Send IP over LCP (local auth) lcp-echo-mim boolean Handle LCP echos in the middle on relayed connection localpref unsignedInt 4294967295 Localpref for remote-ip/routes (highest wins) name string Name password Secret Password check profile NMTOKEN Profile name relay-hostname string Hostname for L2TP connection...
  • Page 229: Fb105-Route: Fb105 Routes

    payload-table (unsignedByte 0-99) Routing table number for payload traffic routetable port unsignedShort UDP port to use profile NMTOKEN Profile name remote-id unsignedByte Not optional Unique remote end tunnel ID reorder boolean false Reorder incoming tunnel packets reorder-maxq (unsignedInt 1-100) Max queue length for out of order packets fb105-reorder-maxq reorder-timeout...
  • Page 230: Ipsec-Ike: Ipsec Configuration (Ikev2)

    Table K.72. ike-connection: Attributes Attribute Type Default Description bgpmode Not announced BGP announce mode for routes comment string Comment graph (token) graphname - Graph name internal-ipv4 IP4Addr local-ip Internal IPv4 for traffic originated on the FireBrick and sent down tunnel...
  • Page 231 internal-ipv6 IP6Addr local-ip Internal IPv6 for traffic originated on the FireBrick and sent down tunnel local-ip IPAddr Local IP localpref unsignedInt 4294967295 Localpref for route (highest wins) NMTOKEN Not logging Log events log-debug NMTOKEN Not logging Log debug...
  • Page 232: Ipsec-Route: Ipsec Tunnel Routes

    peer-ts List of IPRange Allow any Valid outgoing-destination/incoming-source IPs for tunnelled traffic peer-ts-from-routes boolean false Send traffic selector based on routing query-eap-id boolean true Query client for EAP identity roaming-pool NMTOKEN IKE roaming IP pool secret Secret shared secret used to authenticate self to peer Table K.73.
  • Page 233: Ike-Proposal: Ike Security Proposal

    BGP announce mode for routes comment string Comment graph (token) graphname - Graph name internal-ipv4 IP4Addr local-ip Internal IPv4 for traffic originated on the FireBrick and sent down tunnel internal-ipv6 IP6Addr local-ip Internal IPv6 for traffic originated on the FireBrick and sent down tunnel...
  • Page 234: Ping: Ping/Graph Definition

    local-ip IPAddr Local IP localpref unsignedInt 4294967295 Localpref for route (highest wins) NMTOKEN Not logging Log events log-debug NMTOKEN Not logging Log debug log-error NMTOKEN Log as event Log errors unsignedShort 1500 MTU for wrapped packets name NMTOKEN Name ospf boolean...
  • Page 235: Profile: Control Profile

    Table K.80. ping: Attributes Attribute Type Default Description comment string Comment graph (token) graphname Not optional Graph name IPNameAddr Not optional Far end IP name string Name profile NMTOKEN Profile name size (unsignedInt Payload size 0-1472) ping-size slow boolean Auto Slow polling...
  • Page 236: Profile-Date: Test Passes If Within Any Of The Time Ranges Specified

    List of NMTOKEN - PPP link state (any of these are up) recover duration Time before recover (i.e. how long test has been passing) route List of IPAddr Test passes if all specified addresses are routeable switch Manual override. Test settings ignored; Control switches can use and/or/not/invert source string...
  • Page 237: Profile-Ping: Test Passes If Any Addresses Are Pingable

    K.2.62. profile-ping: Test passes if any addresses are pingable Ping targets Table K.85. profile-ping: Attributes Attribute Type Default Description flow unsignedShort Flow label (IPv6) gateway IPAddr Ping via specific gateway (bypasses session tracking if set) IPAddr Not optional Target IP source-ip IPAddr...
  • Page 238: Ip-Group: Ip Group

    Table K.88. shaper-override: Attributes Attribute Type Default Description comment string Comment profile NMTOKEN Not optional Profile name unsignedInt Rx rate limit/target (b/s) rx-max unsignedInt Rx rate limit max rx-min unsignedInt Rx rate limit min rx-min-burst duration Rx minimum allowed burst time rx-step unsignedInt Rx rate reduction per hour...
  • Page 239: Session-Route-Rule: Routing Override Rule

    Table K.91. route-override: Elements Element Type Instances Description rule session-route-rule Optional, unlimited Individual rules, first match applies K.2.67. session-route-rule: Routing override rule Routing override rule Table K.92. session-route-rule: Attributes Attribute Type Default Description comment string Comment List of PortRange Closed user group ID(s) hash boolean...
  • Page 240: Rule-Set: Firewall/Mapping Rule Set

    profile NMTOKEN Profile name set-gateway IPAddr New gateway set-graph string Graph name for shaping/logging (if not set by rule-set) set-nat boolean Changed source IP and port to local for weight positiveInteger Weighting of load share K.2.69. rule-set: Firewall/mapping rule set Firewalling rule set with entry criteria and default actions Table K.95.
  • Page 241: Session-Rule: Firewall Rules

    K.2.70. session-rule: Firewall rules Firewall rule The individual firewall rules are checked in order within the rule-set, and the first match applied. The default action for a rule is continue, so once matched the next rule-set is considered. Table K.97.
  • Page 242: Session-Share: Firewall Load Sharing

    target-interface List of NMTOKEN - Target interface(s) target-ip List Target IP address range(s) IPNameRange target-port List of PortRange Target port(s) Table K.98. session-rule: Elements Element Type Instances Description share session-share Optional, unlimited Load shared actions K.2.71. session-share: Firewall load sharing Firewall actions for load sharing Table K.99.
  • Page 243 Send RADIUS auth to get challenge response radius-register string Name for RADIUS server config to use for registrations realm string FireBrick Default realm record-beep record-beep-option true Send beep at start of recording record-mandatory boolean Drop call if recording fails...
  • Page 244: Carrier: Voip Carrier Details

    source-ip6 IP6Addr Default IPv6 source address to use when sending messages user-agent string Version specific User-Agent to send withhold string CLI withhold prefix Table K.101. voip: Elements Element Type Instances Description carrier carrier Optional, up to 250 VoIP carriers group ringgroup Optional, up to 50...
  • Page 245: Telephone: Voip Telephone Authentication User Details

    send-hold boolean true Pass hold state to carrier send-pre-auth boolean As general config Send Auth header with username before receiving challenge source string Source of data, used in automated config management source-ip IPAddr Source IP to use table (unsignedByte 0-99) Routing table number routetable...
  • Page 246: Tone: Tone Definitions

    string Chargeable user identity for call accounting string Full telephone number (international format starting +) display-name string Text name to use email string Email address (sent to call recording server) expires duration 1:00:00 Registration expiry time extn string Local extension number force-dtmf boolean...
  • Page 247: Etun: Ether Tunnel

    answer-time duration Answer caller if ringing this long carrier NMTOKEN Carrier to use for external calls comment string Comment string Chargeable user identity for call accounting List of string Full telephone number (international format starting +) display-name string Text name to use email string...
  • Page 248: Dhcp-Relay: Dhcp Server Settings For Remote / Relayed Requests

    profile NMTOKEN Profile name source-ip IPAddr Our IP address table (unsignedByte 0-99) Routing table number routetable K.2.78. dhcp-relay: DHCP server settings for remote / relayed requests Settings for DHCP server for relayed connections Table K.107. dhcp-relay: Attributes Attribute Type Default Description...
  • Page 249: User-Level: User Login Level

    read Read only access (with passwords) full Full view and edit access K.3.3. user-level: User login level User login level - commands available are restricted according to assigned level. Table K.111. user-level: User login level Value Description NOBODY Unknown or not logged in user GUEST Guest user...
  • Page 250: Syslog-Facility: Syslog Facility

    K.3.7. syslog-facility: Syslog facility Syslog facility, usually used to control which log file the syslog is written to. Table K.115. syslog-facility: Syslog facility Value Description KERN Kernel messages USER User level messages MAIL Mail system DAEMON System Daemons AUTH Security/auth SYSLOG...
  • Page 251: Day: Day Name (3 Letter)

    August September October November December K.3.9. day: Day name (3 letter) Table K.117. day: Day name (3 letter) Value Description Sunday Monday Tuesday Wednesday Thursday Friday Saturday K.3.10. radiuspriority: Options for controlling platform RADIUS response priority tagging Table K.118. radiuspriority: Options for controlling platform RADIUS response priority tagging Value Description...
  • Page 252: Port: Physical Port

    K.3.12. port: Physical port Table K.120. port: Physical port Value Description Port 0 (not valid) (deprecated) Port 1 Port 2 Port 3 Port 4 K.3.13. Crossover: Crossover configuration Physical port crossover configuration. Table K.121. Crossover: Crossover configuration Value Description auto Crossover is determined automatically...
  • Page 253: Linkclock: Physical Port Gigabit Clock Master/Slave Setting

    Can receive pauses and may send pauses if required K.3.17. LinkClock: Physical port Gigabit clock master/slave setting Table K.125. LinkClock: Physical port Gigabit clock master/slave setting Value Description prefer-master Master status negotiated; preference for master prefer-slave Master status negotiated; preference for slave force-master Master status forced force-slave...
  • Page 254: Linkpower: Phy Power Saving Options

    K.3.19. LinkPower: PHY power saving options Table K.127. LinkPower: PHY power saving options Value Description none No power saving link-down Power save only when link is down link-up Power save only when link is up full Full power saving K.3.20.
  • Page 255: Dhcpv6Control: Control For Ra And Dhcpv6 Bits

    Announce as low priority medium Announce as medium priority high Announce as high priority true Announce as default (medium) priority K.3.24. dhcpv6control: Control for RA and DHCPv6 bits Table K.132. dhcpv6control: Control for RA and DHCPv6 bits Value Description false Don't set bit or answer on DHCPv6...
  • Page 256: Pppoe-Mode: Type Of Pppoe Connection

    K.3.28. pppoe-mode: Type of PPPoE connection Table K.136. pppoe-mode: Type of PPPoE connection Value Description client Normal PPPoE client connects to access controller bras-l2tp PPPoE server mode linked to L2TP operation K.3.29. pdp-context-type: Type of IP connection Table K.137. pdp-context-type: Type of IP connection Value Description IPv4 only...
  • Page 257: Peertype: Bgp Peer Type

    blowfish-192 Blowfish CBC (RFC 2451) with 24-byte key blowfish-256 Blowfish CBC (RFC 2451) with 32-byte key AES-CBC AES-CBC (Rijndael) (RFC 3602) with 16-byte key AES-192-CBC AES-CBC (Rijndael) (RFC 3602) with 24-byte key AES-256-CBC AES-CBC (Rijndael) (RFC 3602) with 32-byte key K.3.33.
  • Page 258: Ike-Dh: Ike Diffie-Hellman Group

    AES-XCBC-128 AES-XCBC with 128-bit key HMAC-SHA256 PRF-HMAC-SHA-256 (rfc4868) K.3.37. ike-DH: IKE Diffie-Hellman group Table K.145. ike-DH: IKE Diffie-Hellman group Value Description none No D-H negotiation (only used with AH/ESP) MODP-1024 1024-bit Sophie Germain Prime MODP Group MODP-2048 2048-bit Sophie Germain Prime MODP Group K.3.38.
  • Page 259: Firewall-Action: Firewall Action

    K.3.42. firewall-action: Firewall action Table K.150. firewall-action: Firewall action Value Description continue Continue rule-set checking accept Allow but no more rule-set checking reject End all rule checking now and set to send ICMP reject drop End all rule checking now and set to drop ignore End all rule checking and ignore (drop) just this packet, not making a session K.3.43.
  • Page 260: Ring-Group-Type: Type Of Ring When One Call In Queue

    strict Order in config random Random order cyclic Cycling from last call oldest Oldest used phone first K.3.47. ring-group-type: Type of ring when one call in queue Table K.155. ring-group-type: Type of ring when one call in queue Value Description All phones...
  • Page 261 IP4Addr IPv4 address IP6Addr IPv6 address IPPrefix IP address / bitlen IPRange IP address / bitlen or range IPNameRange IP address / bitlen or range or name IP4Range IPv4 address / bitlen or range IP4Prefix IPv4 address / bitlen IP6Prefix IPv6 address / bitlen IPSubnet...
  • Page 262 unsignedIntList List of integers (unsignedInt) communitylist List of BGP communities (Community) ipsec-spi IPsec Security Parameters Index (256-4294967295) (unsignedInt) filterlist List of IP Prefix filters (IPFilter) bgp-prefix-limit Maximum prefixes accepted on BGP session (1-10000) (unsignedInt) fb105-reorder- Maximum time to queue out of order packet (ms) (10-5000) (unsignedInt) timeout fb105-reorder-maxq Maximum size of out of order packet queue (1-100) (unsignedInt) iprangelist...
  • Page 263: Index

    definition of, 44 Firewalling recommended method, 50 Symbols Graphs, 64 USB dongle configuration, 90 Hostname setting, 24 overview, 116 HTTP service Boot process, 29 configuration, 92 Breadcrumbs, 12 Interfaces Configuration defining, 36 backing up and restoring, 16 Ethernet, 35 categories (user interface), 12 relationship with physical ports, 35 methods, 10...
  • Page 264 "socket" identification value, 90 3G dongle configuration, 90 RADIUS overview, 90 configuring service, 94 subsystem, configuration, 90 Route User Interface definition of, 57 customising layout, 11 Router general layout, 11 definition of, 44 navigation, 15 Routing overview, 10 route targets, 58 Users Rule-Sets creating / configuring, 21...