Page 1: User Manual
FireBrick NULL User Manual FB2700 Versatile Network Appliance...
Page 4: Table Of Contents
1.1.3. Ethernet port capabilities ..................2 1.1.4. Differences between the devices in the FB2x00 series ..........2 1.1.5. Software features ....................2 1.1.6. Migration from previous FireBrick models ............2 1.2. About this Manual ....................... 3 1.2.1. Version ......................3 1.2.2.
Page 5 FireBrick NULL User Manual 4.1.4.1. Restrict by IP address ................21 4.1.4.2. Logged in IP address ................21 4.1.4.3. Restrict by profile ................. 22 4.2. General System settings ....................22 4.2.1. System name (hostname) .................. 22 4.2.2. Administrative details ..................22 4.2.3.
Page 6 9.1.4. Long term shapers ................... 48 9.2. Multiple shapers ......................48 9.3. Basic principles ......................49 10. System Services ......................... 50 10.1. Protecting the FB2700 ....................50 10.2. Common settings ..................... 50 10.3. HTTP Server configuration ..................51 10.3.1. Access control ....................51 10.3.1.1.
Page 7 FireBrick NULL User Manual 12.4. VRRP versions ......................59 12.4.1. VRRP version 2 .................... 59 12.4.2. VRRP version 3 .................... 60 12.5. Compatibility ......................60 13. Command Line Interface ...................... 61 A. Factory Reset Procedure ....................... 62 B. CIDR and CIDR Notation ..................... 64 C.
Page 8 FireBrick NULL User Manual F.1.3. Authenticated access ..................76 F.2. Graph display options ....................76 F.2.1. Data points ....................76 F.2.2. Additional text ....................76 F.2.3. Other colours and spacing ................77 F.3. Overnight archiving ....................77 F.3.1. Full URL format ..................... 77 F.3.2.
Page 9 FireBrick NULL User Manual G.3.13. LinkClock: Physical port Gigabit clock master/slave setting ........99 G.3.14. LinkLED: LED settings ................. 99 G.3.15. LinkPower: PHY power saving options ............100 G.3.16. LinkFault: Link fault type to send ..............100 G.3.17. ramode: IPv6 route announce level ..............101 G.3.18.
Page 10 List of Figures 2.1. Initial web page in factory reset state ..................7 2.2. Initial "Users" page ......................7 2.3. Setting up a new user ......................8 2.4. Configuration being stored ....................8 3.1. Main menu ........................11 3.2. Icons for layout controls ..................... 12 3.3.
Page 11 List of Tables 2.1. IP addresses for computer ..................... 6 2.2. IP addresses to access the FireBrick ..................6 2.3. IP addresses to access the FireBrick ..................6 3.1. Special character sequences ....................17 4.1. User login levels ....................... 21 4.2.
Page 12 FireBrick NULL User Manual G.31. dhcp-attr-ip: Attributes ..................... 92 G.32. route: Attributes ......................92 G.33. blackhole: Attributes ......................93 G.34. loopback: Attributes ......................93 G.35. cqm: Attributes ....................... 94 G.36. ip-group: Attributes ......................95 G.37. autoloadtype: Type of s/w auto load ................... 96 G.38.
Page 13: Preface
Preface The FB2700 device is the result of several years of intensive effort to create products based on state of the art processing platforms, featuring an entirely new operating system and IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
Page 14: Introduction
1.1.1. Where do I start? The FB2700 is shipped in a factory reset state. This means it has a default configuration that allows the unit to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a known IP address for further configuration.
Page 15: Ethernet Port Capabilities
100Mb/s, whilst the FB2700 is faster - typically up to 350Mb/s. The other advantage the FB2700 offers is that you can directly attach an ordinary 3G dongle via the USB port on the front, and use a mobile data connection - this is typically used as a back up for a DSL line.
Page 16: About This Manual
FB105 configuration file, mapping features and functionality across as closely as is possible ; the converted configuration should be treated as a starting point for using your FB2700 in place of your FB105, as the result from the converter may be incomplete, or there may be aspects that cannot be carried over. The translator can be accessed at : http://www.firebrick.co.uk/fb105-2700.php...
Page 17: Document Conventions
1.2.6. Comments and feedback If you'd like to make any comments on this Manual, point out errors, make suggestions for improvement or provide any other feedback, we would be pleased to hear from you via e-mail at : docs@firebrick.co.uk. 1.3. Additional Resources 1.3.1.
Page 18: Irc Channel
Many FireBrick resellers also offer general IT support, including installation, configuration, maintenance, and training. You may be able to get your reseller to develop FB2700 configurations for you - although this will typically be chargeable, you may well find this cost-effective, especially if you are new to FireBrick products.
Page 19: Getting Started
• Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
Page 20: Add A New User
2.2.1. Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
Page 21: Setting Up A New User
On this page there is a "Login" link (in red text)- click on this link and then log in using the username and password you chose. We recommend you read Chapter 3 to understand the design of the FB2700's user interface, and then start working with your FB2700's factory reset configuration. Once you are familiar with how the user interface is...
Page 22: Configuration
3.1. The Object Hierarchy The FB2700 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB2700. The values of the attributes determine how that object affects operation.
Page 23: Formal Definition Of The Object Model
XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this may be a bug - please check this via the appropriate support channel(s).
Page 24: User Interface Layout
• status information, such as DHCP server allocations, FB105 tunnel information and system logs • network diagnostic tools, such as Ping and Traceroute ; there are also tools to test how the FB2700 will process particular traffic, allowing you to verify your firewalling is as intended •...
Page 25: Config Pages And The Object Hierarchy
Layout settings are stored in a cookie - since cookies are stored on your computer, and are associated with the DNS name or IP address used to browse to the FB2700, this means that settings that apply to a particular FB2700 will automatically be recalled next time you use the same computer/browser to connect to that FB2700.
Page 26: Object Settings
Erase. Simply going back "Up" or moving to another part of the config will leave this newly created empty object and that could have undesirable effects on the operation of your FireBrick if saved. 3.4.2.2. Object settings The details of an object are displayed as a matrix of boxes (giving the appearance of a wall of bricks), one for each attribute associated with that object type.
Page 27 Configuration Figure 3.5. Editing an "Interface" object By default, more advanced or less frequently used attributes are hidden - if this applies to the object being edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the link "Show all".
Page 28: Navigating Around The User Interface
Navigating away from an object using the supported navigation controls doesn't cause any modifications to that object to be lost, even if the configuration has not yet been saved back to the FB2700. All changes are initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you press the Save button.
Page 29: Backing Up / Restoring The Configuration
To back up / save or restore the configuration, start by clicking on the "Config" main-menu item. This will show a page with a form to upload a configuration file (in XML) to the FB2700 - also on the page is a link "Download/save config"...
Page 30: The Root Element -
(spaces and line breaks). Generally, the content of an element can be other child elements or text. However, the FB2700 doesn't use text content in elements - all configuration data is specified via attributes. Therefore you will see that elements only contain one or more child elements, or no content at all.

Page 31 </system> <user name="peter" full-name="Peter Smith" password="FB105#4D42454D26F8BF5480F07DFA1E41AE47410154F6" timeout="PT3H20M" config="full" level="DEBUG"/> <log name="default"/> <log name="fb-support"> <email to="crashlog@firebrick.ltd.uk" comment="Crash logs emailed to FireBrick Support"/> </log> <services> <ntp timeserver="pool.ntp.org"/> <telnet log="default"/> <http /> <dns domain="watchfront.co.uk" resolvers="81.187.42.42 81.187.96.96"/> </services> <port name="WAN" ports="1"/> <port name="LAN"...
Page 32: Downloading/Uploading The Configuration
User Interface (see Section 3.4.4). 3.6.2. Upload To upload the configuration to the FB2700 you need to send the configuration XML file as if posted by a web form, using encoding MIME type multi-part/form-data. An example of doing this using curl, run on a Linux box is shown below :- curl http://<FB2700 IP address or DNS name>/config/config...
Page 33: System Administration
Chapter 4. System Administration 4.1. User Management You will have created your first user as part of the initial setup of your FB2700, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
Page 34: Configuration Access Level
4.1.4.2. Logged in IP address The FireBrick allows a general definition of IP groups which allow a name to be used in place of a range of IP addresses. This is a very general mechanism that can be used for single IP addresses or groups of ranges...
Page 35: Restrict By Profile
This can be useful for firewall rules where you may have to log in to the FireBrick, even as a NOBODY level user, just to get your IP address in an access list to allow further access to a network from that IP.
Page 36: Home Page Web Links
4.2.4. Home page web links The home page is the first page you see after logging in to the FB2700, or when you click the Home main- menu item. The home page displays the system name, and, if defined, the text specified by the intro attribute on the system object.
Page 37: Breakpoint Releases
If automatic installs are allowed, the FB2700 will check for new software on boot up and approximately every 24 hours thereafter - your FB2700 should therefore pick up new software at most ~ 24 hours after it is released. You can choose to allow this process to install only new factory-releases, factory or beta releases, or any release, which then includes alpha releases (if your FB2700 is enabled for alpha software - see Section 4.3.1) - refer to...
Page 38: Manually Initiating Upgrades
4.3.3.1. Manually initiating upgrades Whenever you browse to the main Status page, the FB2700 checks whether there is newer software available, given the current software version in use, and whether alpha releases are allowed. If new software is available, you will be informed of this as shown in Figure 4.2 :-...
Page 39: Boot Process
The FB2700 can store multiple app software images in the Flash, and this is used with an automatic fall-back mechanism - if a new software image proves unreliable, it is 'demoted', and the unit falls back to running older software.
Page 40 System Administration Whilst the bootloader is waiting for an active Ethernet connection, the green and yellow LEDs built into the physical port connectors flash in a continual left-to-right then right-to-left sequence. The port LEDs on the panel on the opposite side to the physical ports also flash, in a clock-wise sequence. Note The same port LED flashing sequences are observed if the app is running and none of the Ethernet ports are connected to an active link-partner.
Page 41: Event Logging
5.1.1. Log targets A log target is a named destination (initially internal to the FB2700) for log entries - you can have multiple log targets set up which you can use to separate out log event messages according to some criteria - for example, you could log all firewalling related log events to a log target specifically for that purpose.
Page 42: Logging To The Console
5.3.1. Syslog The FB2700 supports sending of log entries across a network to a syslog server. Syslog is described in RFC5424 [http://tools.ietf.org/html/rfc5424], and the FB2700 includes microsecond resolution time stamps, the hostname (from system settings) and a module name in entries sent via syslog.
Page 43: Email
• retry delay : if an attempt to send the e-mail fails, the FB2700 will wait before re-trying ; the default wait period is 10 minutes, but you can change this by setting the retry attribute...
Page 44: E-Mail Process Logging
5.5. Performance The FireBrick can log a lot of information, and adding logs can causes things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
Page 45: Viewing Logs In The Cli Environment
Specifying system event logging attributes is usually only necessary when diagnosing problems with the FB2700, and will typically be done under guidance from support staff. For example, log-stats causes a log message to be generated every second containing some key system statistics and state information, which are useful for debugging.
Page 46: Interfaces And Subnets
In some situations, auto-negotiation is not supported by connected equipment, and so the FB2700 provides control of port behaviour to allow the port to work with such equipment.
Page 47: Defining An Interface
The "LAN" group consists of two physical ports, numbers 3 and 4. Ports 3 and 4 are members of a single layer 2 broadcast domain, and are equivalent in function in terms of communication between the FB2700 and another device.
Page 48: Using Dhcp To Configure A Subnet
You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv6 networking. The primary attributes that define a subnet are the IP address range of the subnet, the IP address of the FB2700 itself on that subnet, and an optional name.
Page 49: Fixed/Static Dhcp Allocations
If you are setting up a static allocation, but your client has already obtained an address (from your FB2700) from a pool, you will need to clear the allocation and then force the client to issue another DHCP request (e.g. unplug ethernet cable, do a software 'repair connection' procedure or similar etc.).
Page 50: Special Dhcp Attributes
If you are connecting a port to a link-partner that does not support auto-negotiation (or has it disabled), it is advisable to disable auto-negotiation on the FB2700 port. To do this, tick the checkbox for the autoneg attribute and select false from the drop-down box. You will then need to set port speed and duplex mode...
Page 51: Setting Port Speed
6.4.3. Setting duplex mode If auto-negotiation is enabled, the FB2700 port will normally advertise that it is capable of either half- or full- duplex operation modes - if you have reason to restrict the operation to either of these modes, you can set the duplex attribute to either half or full.
Page 52 Interfaces and Subnets Permanently off Permanently on On when link up Link On when link up at 1Gbit/s Link1000 On when link up at 100Mbit/s Link100 On when link up at 10Mbit/s Link10 On when link up at 100Mbit/s or 1Gbit/s Link100-1000 On when link up at 10Mbit/s or 1Gbit/s Link10-1000...
Page 53: Routing
Chapter 7. Routing 7.1. Routing logic The routing logic in the FB2700 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
Page 54: Routing Targets
In addition, a subnet definition creates a very specific single IP (a "/32" for IPv4, or a "/128" for IPv6) route for the IP address of the FB2700 itself on that subnet. This is a separate loop-back route which effectively internally routes traffic back into the FB2700 itself - i.e.
Page 55: Special Targets
0. 7.5. Bonding A key feature of the FB2700 is the ability to bond multiple links at a per packet level. This feature is only enabled on a fully loaded model of your FB2700.
Page 56 Routing To make this work to the best effect, set the tx speed of the shapers on the links to match the actual link speed. E.g. for broadband lines, set the speed to match the uplink from the FB2700.
Page 57: Profiles
Ping test can be used to alert you via e-mail when a destination is unreachable. The current state of all the profiles configured on your FB2700 can be seen by choosing the "Profiles" item in the "Status" menu.
Page 58: Tests
• VRRP state : the vrrp attribute lists one or more Virtual Router group membership definitions (see Chapter 12) by name - if the FB2700 is not the master device in any of these Virtual Routers, this test will fail If more than one of these general tests is selected (corresponding attribute specified), then they must all pass (along with all other tests defined) for the overall result to be pass.
Page 59 Profiles config. The switch state is automatically stored in the dynamic peristent data (along with DHCP settings, etc), so survives a power cycle / restart. Note that the value of the invert attribute is ignored when manual override is requested. These fixed-state profiles can be used as simple on/off controls for configuration objects.
Page 60: Traffic Shaping
The graph is viewable directly (as a PNG image) from the FB2700 via the web User Interface - to view a graph, click the "PNG" item in the "Graphs" menu. This will display all the graphs that are currently configured - it is not currently possible to show a single graph within the web User Interface environment.
Page 61: Shapers
The overall effect of this means that you can burst up to a specified maximum, but ultimately you cannot transfer more than if the target speed had been applied the whole time. 9.2. Multiple shapers A packet that passes through the FB2700 can pass through multiple shapers, for example...
Page 62: Basic Principles
This is, essentially, tracking how much is likely to be queued at a bottleneck further on. The FB2700 does not delay sending packets and assumes something with a lower speed is probably queuing them up later.
Page 63: System Services
10.1. Protecting the FB2700 The FB2700 does not have a firewall as such. However, the design of the FB2700 is that it should be able to protect itself sensibly without the need for a separate firewall.
Page 64: Http Server Configuration
The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based user- interface for the FB2700. It is not a general-purpose web server that can be used to serve user documents, and so there is little to configure.
Page 65: Access Control
LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address...
Page 66: Ntp Configuration
The NTP service is currently only an NTP client. A future software version is likely to add NTP server functionality, allowing other NTP clients (typically those in your network) to use the FB2700 as an NTP server. Configuration of the NTP (client) service typically only requires setting the timeserver attribute to specify one or more NTP servers, using either DNS name or IP address.
Page 67: Network Diagnostic Tools
11.1. Access check For each network service implemented by the FB2700 (see Chapter 10), this command shows whether a specific IP address will be able to access or utilise the service, based on any access restrictions configured on the service.
Page 68: Packet Dumping
The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB2700 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB2700 is responding appropriately.
Page 69: Security Settings Required
Network Diagnostic Tools with care else you dump your own dump traffic. 11.2.2. Security settings required The following criteria must be met in order to use the packet dump facility :- • You must be accessing from an IP listed as trusted in the HTTP service configuration (see Section 10.3). •...
Page 70: Using The Web Interface
Linebreaks are shown in the example for clarity only - they must not be entered on the command-line In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB2700.
Page 71: Vrrp
You can have multiple virtual routers on the same LAN at the same time, so there is a Virtual Router Identifier (VRID) that is used to distinguish them. The default VRID used by the FB2700 is 42. You must set all devices that are part of the same group (virtual router) to the same VRID, and this VRID must differ from that used by any other virtual routers on the same LAN.
Page 72: Configuring Vrrp
VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB2700 comes under the scope of an interface definition. As such, to set-up your FB2700 to participate in a Virtual Router group, you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where the VRRP operates.
Page 73: Vrrp Version 3
Note that the FB2700 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick.
Page 74: Command Line Interface
The CLI is accessed via the 'telnet' protocol - the FB2700 implements a telnet server, which you can connect to using any common telnet client program. To learn how to enable the telnet server, and to set-up access restrictions, please refer to Section 10.4.
Page 75: Factory Reset Procedure
IP addresses described in Chapter 2. This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason, or any other situation where it is appropriate to start from scratch.
Page 76 If you disconnect the power then the config will revert to the previous state and no longer be reset, so it is important to connect your laptop, etc, to the FB2700 after removing the looped cable and not power cycle in-between.
Page 77: Cidr And Cidr Notation
Appendix B. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
Page 78 Another common use of the CIDR notation is to combine the definition of a network with the specification of the IP address of an end system on that network - this form is used in subnet definitions on the FB2700, and in many popular operating systems.
Page 79: Mac Addresses Usage
In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
Page 80 DHCP allocation in a list, rather than trying to locate it by MAC address. If the FB2700 is in a factory-reset state, then the system name will not be set, and you will have to locate it...
Page 81: Vlans : A Primer
Linux. The FB2700 supports IEEE 802.1Q VLANs, and will accept (and send) packets with 802.1Q VLAN tags. It can therefore work with any Ethernet switch (or other) equipment that also supports 802.1Q VLANs, and therefore allows multiple logical interfaces to be implemented on a single physical port.
Page 82: Command Line Reference
Shows how long since the FB2700 restarted. E.1.4. General status show status Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages. E.1.5. Memory usage show memory Shows memory usage summary.
Page 83: Logout
Command line reference E.1.8. Logout logout quit exit You can also use Ctrl-D to exit, or close the connection (if using telnet) E.1.9. See XML configuration show run show configuration Dumps the full XML configuration to the screen E.1.10. Load XML configuration import configuration You then send the XML configuration, ending with a blank line.
Page 84: Networking Commands
There are a number of controls allowing you to fine tune what is sent. Obviously you should only send from a source address that will return to the FB2700 correctly. You can also ask for the results to be presented in an XML format.
Page 85: See Dhcp Allocations
Command line reference E.2.6. See DHCP allocations show dhcp [<IP4Addr>] [table=<routetable>] Shows DHCP allocations, with option to show details for specific allocation. E.2.7. Clear DHCP allocations clear dhcp [ip=<IP4Range>] [table=<routetable>] Allows you to remove one or more DHCP allocations. E.2.8. Lock DHCP allocations lock dhcp ip=<IP4Addr>...
Page 86: Check Access To Services
[<string>] [confirm=<string>] This causes the FB2700 to crash, causing a panic event with a specified message. You need to specify confirm=yes for the command to work. This can be useful to test fallback scenarios by simulating a fatal error.
Page 87: Flash Memory List
Command line reference You can kill a command session by IP address. This is useful if you know you have left a telnet connected from somewhere else. Telnet sessions usually have a timeout, but this can be overridden in the configuration for each user.
Page 88: Constant Quality Monitoring - Technical Details
Appendix F. Constant Quality Monitoring - technical details The FireBrick provides constant quality monitoring. The main purpose of this is to provide a graphical representation of the performance of an interface or traffic shaper • 100 second interval statistics available graphically as png and in text as csv covering at least the last 25 hours (one day) •...
Page 89: Authenticated Access
Constant Quality Monitoring - technical details F.1.3. Authenticated access Authenticate access requires a prefix of a hex sha1 string. e.g. http://host:port/cqm/longhexsha1/circuit.png or http://host:port/cqm/longhexsha1/YYYY-MM-DD/circuit.png. The SHA1 is 40 character hex of the SHA1 hash made from the graph name, the date, and the http-secret. The date is in the form YYYY-MM-DD, and is today's date for undated access (based on local time).
Page 90: Other Colours And Spacing
Constant Quality Monitoring - technical details Clean and clear, as z but also sets inside background and off-line colours to transparent so graphs are easy to merge with those other LNSs Line 1 top left text, default if not set in config is system name Line 2 top left text Line 3 top left text Line 4 top left text...
Page 91: Load Handling
Constant Quality Monitoring - technical details Table F.5. URL formats Meaning /cqm/ All CQM URLs start with this 32-hex- Optional authentication string needed for untrusted access. Can be used with trusted access characters/ to test the authentication is right YYYY-MM- Optional date to restrict output.
Page 92 Constant Quality Monitoring - technical details Graphs can be defined in some configuration settings such as interface names. Whilst the FB2700 can manage thousands of graphs, new graphs will not be greated if memory is not available.
Page 93: Configuration Objects
Appendix G. Configuration Objects This appendix defines the object definitions used in the FireBrick Null (dummy application) configuration. Copyright © 2008-13 FireBrick Ltd. G.1. Top level G.1.1. config: Top level config The top level config element contains all of the FireBrick configuration data.
Page 94: Link: Web Links
Log one second stats name string System hostname soft-watchdog boolean false Debug - use only if advised; do not use on an unattended FireBrick source string Source of data, used in automated config management sw-update autoloadtype factory Load new software automatically Table G.4.
Page 95: Log: Log Target Controls
Configuration Objects allow List Restrict logins to be from specific IP IPNameRange addresses comment string Comment config config-access full Config access level full-name string Full name level user-level ADMIN Login level name (NMTOKEN) Not optional User name username string OTP serial number password Password Not optional...
Page 96: Log-Email: Email Logger Settings
Configuration Objects facility syslog-facility LOCAL0 Facility setting port unsignedShort Server port server IPNameAddr Not optional Syslog server severity syslog-severity NOTICE Severity setting source string Source of data, used in automated config management source-ip IPAddr Use specific source IP table (unsignedByte 0-99) Routing table number for sending syslogs routetable G.2.6.
Page 97: Snmp-Service: Snmp Service Settings
NMTOKEN Not logging Log debug log-error NMTOKEN Log as event Log errors ntpserver List of IPNameAddr ntp.firebrick.ltd.uk List of time servers (IP or hostname) from which time may be set by ntp poll duration 1:00:00 NTP poll rate source string...
Page 98: Telnet-Service: Telnet Service Settings
Configuration Objects table (unsignedByte 0-99) Routing table number routetable tz1-name string Timezone 1 name tz1-offset duration Timezone 1 offset from UTC tz12-date (unsignedByte 1-31) Timezone 1 to 2 earliest date in month datenum tz12-day Timezone 1 to 2 day of week of change tz12-month month Timezone 1 to 2 month...
Page 99: Dns-Service: Dns Service Settings
Configuration Objects allow List Allow from List of IP ranges from which service can be IPNameRange anywhere accessed comment string Comment css-url string Additional CSS for web control pages local-only boolean true Restrict access to locally connected Ethernet subnets only NMTOKEN Not logging Log events...
Page 100: Dns-Host: Fixed Local Dns Host Settings
Configuration Objects G.2.13. dns-host: Fixed local DNS host settings DNS forwarding resolver service Table G.18. dns-host: Attributes Attribute Type Default Description comment string Comment List of IPAddr Our IP IP addresses to serve (or our IP if omitted) name List of string Not optional Host names (can use * as a part of a domain) restrict...
Page 101: Portdef: Port Grouping And Naming
Configuration Objects optimise boolean true enable PHY optimisations port port Not optional Physical port power-saving LinkPower full enable PHY power saving send-fault LinkFault Send fault status shutdown boolean false Power down this port speed LinkSpeed auto Speed setting for this port yellow LinkLED Yellow LED setting...
Page 102: Subnet: Subnet Settings
Optional, unlimited IP subnet on the interface vrrp vrrp Optional, unlimited VRRP settings G.2.18. subnet: Subnet settings Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set. Table G.24. subnet: Attributes Attribute Type Default...
Page 103: Vrrp: Vrrp Settings
Configuration Objects G.2.19. vrrp: VRRP settings VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Use different VRID on different VLANs. Table G.25. vrrp: Attributes Attribute Type Default Description...
Page 104: Dhcp-Attr-Hex: Dhcp Server Attributes (Hex)
Configuration Objects domain-search string DNS domain search list (list will be truncated to fit one attribute) force boolean Send all options even if not requested gateway List of IP4Addr Our IP Gateway List of IP4Range 0.0.0.0/0 Address pool lease duration 2:00:00 Lease length NMTOKEN...
Page 105: Dhcp-Attr-Number: Dhcp Server Attributes (Numeric)
Configuration Objects comment string Comment force boolean Send even if not requested unsignedByte Not optional Attribute type code name string Name value string Not optional Value vendor boolean Add as vendor specific option (under option 43) G.2.23. dhcp-attr-number: DHCP server attributes (numeric) Additional DHCP server attributes (numeric) Table G.30.
Page 106: Blackhole: Dead End Networks
Configuration Objects comment string Comment gateway List of IPAddr Not optional One or more target gateway IPs graph (token) graphname - Graph name List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name...
Page 107: Cqm: Attributes
Configuration Objects Table G.35. cqm: Attributes Attribute Type Default Description Colour #08f Colour for average latency axis Colour black Axis colour background Colour white Background colour bottom unsignedByte Pixels space at bottom of graph dateformat string %Y-%m-%d Date format dayformat string Day format fail...
Page 108: Ip-Group: Ip Group
Configuration Objects latency-score2 unsignedByte Score for on/above level 2 latency-usage unsignedInt 128000 Usage below which latency is not expected left unsignedByte Pixels space left of main graph NMTOKEN Not logging Log events Colour green Colour for maximum latency Colour #008 Colour for minimum latency ms-max positiveInteger...
Page 109: Data Types
Configuration Objects G.3. Data types G.3.1. autoloadtype: Type of s/w auto load Table G.37. autoloadtype: Type of s/w auto load Value Description false Do no auto load factory Load factory releases beta Load beta test releases alpha Load test releases G.3.2.
Page 110: Syslog-Facility: Syslog Facility
Configuration Objects WARNING Warning conditions NOTICE Normal but significant events INFO Informational DEBUG Debug level messages NO-LOGGING No logging G.3.5. syslog-facility: Syslog facility Syslog facility, usually used to control which log file the syslog is written to. Table G.41. syslog-facility: Syslog facility Value Description KERN...
Page 111: Day: Day Name (3 Letter)
Configuration Objects February March April June July August September October November December G.3.7. day: Day name (3 letter) Table G.43. day: Day name (3 letter) Value Description Sunday Monday Tuesday Wednesday Thursday Friday Saturday G.3.8. port: Physical port Table G.44. port: Physical port Value Description Port 0 (not valid) (deprecated)
Page 112: Linkspeed: Physical Port Speed
Configuration Objects G.3.10. LinkSpeed: Physical port speed Table G.46. LinkSpeed: Physical port speed Value Description 10Mbit/sec 100M 100Mbit/sec 1Gbit/sec auto Speed determined by autonegotiation G.3.11. LinkDuplex: Physical port duplex setting Table G.47. LinkDuplex: Physical port duplex setting Value Description half Half-duplex full Full-duplex...
Page 113: Linkpower: Phy Power Saving Options
Configuration Objects Link1000/ On when link up at 1G; blink when Tx or Rx activity Activity Link100/ On when link up at 100M; blink when Tx or Rx activity Activity Link10/Activity On when link up at 10M; blink when Tx or Rx activity Link100-1000/ On when link up at 100M or 1G;...
Page 114: Ramode: Ipv6 Route Announce Level
Configuration Objects G.3.17. ramode: IPv6 route announce level IPv6 route announcement mode and level Table G.53. ramode: IPv6 route announce level Value Description false Do not announce Announce as low priority medium Announce as medium priority high Announce as high priority true Announce as default (medium) priority G.3.18.
Page 115 Configuration Objects dateTime YYYY-MM-DDTHH:MM:SS date/time time HH:MM:SS time NMTOKEN String with no spaces void Internal use IPAddr IP address IPNameAddr IP address or name IP4Addr IPv4 address IP6Addr IPv6 address IPPrefix IP address / bitlen IPRange IP address / bitlen or range IPNameRange IP address / bitlen or range or name IP4Range...
Page 116 Configuration Objects nmtokenlist List of NMTOKEN (NMTOKEN) userlist List of user names (username) prefix4list List of IPv4 Prefixes (IP4Prefix) filterlist List of IP Prefix filters (IPFilter) communitylist List of BGP communities (Community) portlist List of protocol port ranges (PortRange) protolist List of IP protocols (unsignedByte) unsignedIntList List of integers (unsignedInt)
Page 117: Index
relationship with physical ports, 33 Index LEDs Power LED - status indications, 26 Boot process, 26 Log targets, 28 Breadcrumbs, 12 Logging (see Event logging) Configuration Navigation buttons backing up and restoring, 16 in user interface, 15 categories (user interface), 12 NTP (Network Time Protocol) methods, 10 configuring time servers to use, 53...
Page 118 Index configuration, 51 Time-out login sessions, 21 Traffic shaping overview, 47 User Interface customising layout, 11 general layout, 11 navigation, 15 overview, 10 Users creating / configuring, 20 login level, 20 restricting logins by IP address, 21 Virtual Router Redundancy Protocol (VRRP), 58 virtual router, definition of, 58 VRRP versions, 59 VLANs...

FireBrick FB2700 User Manual

1 Introduction

2 Getting Started

3 Configuration

4 System Administration

5 Event Logging

6 Interfaces and Subnets

7 Routing

8 Profiles

9 Traffic Shaping

10 System Services

11 Network Diagnostic Tools

12 Vrrp

13 Command Line Interface

Quick Links

User Manual

Need help?

Questions and answers

Related Manuals for FireBrick FB2700

Summary of Contents for FireBrick FB2700

Table of Contents