1.1. The FB6000
1.1.1. Where do I start?
1.1.2. What can it do?
1.1.2.1. FB6602 Mobile GTPv1 GGSN/L2TP gateway
1.1.3. Ethernet port capabilities
1.1.4. Product variants in the FB6000 series
1.2.
FireBrick FB6602 User Manual
4.1.4.2. Restrict by profile
4.2. General System settings
4.2.1. System name (hostname)
4.2.2. Administrative details
4.2.3. System-level event logging control
4.2.4. Home page web links
4.3.
H.2.49. ip-group: IP Group
H.3. Data types
H.3.1. autoloadtype: Type of s/w auto load
H.3.2. config-access: Type of access user has to config
H.3.3. user-level: User login level
H.3.4.
List of Figures
2.1. Initial web page in factory reset state
2.2. Initial "Users" page
2.3. Setting up a new user
2.4. Configuration being stored
3.1. Main menu
3.2. Icons for layout controls
3.3.
List of Tables
2.1. IP addresses for computer
2.2. IP addresses to access the FireBrick
2.3. IP addresses to access the FireBrick
3.1. Special character sequences
4.1. User login levels
4.2.
IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
The remainder of this chapter provides an overview of the FB6000's capabilities, and covers your product support options. The latest version of the QuickStart guide for the FB6000 can be obtained from the FireBrick website at: http://www.firebrick.co.uk/pdfs/quickstart-6000.pdf
1.1.2. What can it do?
The FB6000 series of products is a family of high speed ISP/telco grade routers and firewalls providing a range of specific functions.
Introduction
• Gigabit performance
The FB6000 series are provided in a number of variants. This manual is for the FB6602. This variant includes:
• Layer 2 Tunnelling Protocol (L2TP) to terminate PPP connections (e.g. broadband lines)
• Border Gateway Protocol, to allow routes to be announced and accepted from peering BGP routers.
1.2.4. Document style
At FireBrick, we appreciate that different people learn in different ways - some like to dive in, hands-on, working with examples and tweaking them until they work the way they want, referring to documentation as required.
FireBrick are building a library of Application Note documents that you can refer to - each Application Note describes how to use and configure a FireBrick in specific scenarios, such as using the device in a multi-tenant Serviced Office environment, or using the FireBrick to bond multiple WAN connections together.
1.3.4. White Papers
FireBrick White Papers cover topics that deserve specific discussion - they are not related to specific Applications, rather they aim to educate interested readers regarding networking protocols, common/best practice, and real-world issues encountered.
1.3.5. Training Courses
FireBrick provide training courses for the FB2x00 series products, and also training courses on general IP networking that are useful if you are new to networking with IP.
• Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
2.2.1. Add a new user
You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
Getting Started
Figure 2.3. Setting up a new user
You may also want to increase the login-session idle time-out from the default of 5 minutes, especially if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and enter an appropriate value as minutes, colon, and seconds, e.g.
On this page there is a "Login" link (in red text) - click on this link and then log in using the username and password you chose. We recommend you read Chapter 3 to understand the design of the FB6000's user interface, and then start working with your FB6000's factory reset configuration.
Chapter 3. Configuration
3.1. The Object Hierarchy
The FB6000 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB6000. The values of the attributes determine how that object affects operation.
XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors - then this may be a bug; please check this via the appropriate support channel(s).
The User Interface has the following general layout :-
• a 'banner' area at the top of the page, containing the FireBrick logo, model number and system name
• a main-menu, with sub-menus that access various parts of the user interface ; the main-menu can be shown vertically or horizontally - sub-menu appearance depends on this display style : if the main-menu is vertical, sub-menus are shown by 'expanding' the menu vertically ;...
Additionally, you can choose to use the default fonts that are defined in your browser setup, or use the fonts specified by the user interface. These customisations are controlled using three icons on the left-hand side of the page footer, as shown in Figure 3.2 below :-
Figure 3.2.
Figure 3.4. The "Setup" category
Each section is displayed as a tabulated list showing any existing objects of the associated type. Each row of the table corresponds with one object, and a subset (typically those of most interest at a glance) of the object's attributes are shown in the columns - the column heading shows the attribute name.
Figure 3.6. Show hidden attributes
Each box in the matrix contains the following :-
• a checkbox - if the checkbox is checked, an appropriate value entry widget is displayed, otherwise, a default value is shown and applied for that setting.
•...
FB6000. All changes are initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you press the Save button.
<?xml version="1.0" encoding="UTF-8"?>
This defines the version of XML that the file complies with and the character encoding in use. UTF-8 is used everywhere by the FireBrick. The XML file contains one or more elements, which may be nested into a hierarchy.
3.6. Downloading/Uploading the configuration
The XML file may be retrieved from the FireBrick, or uploaded to the FireBrick using HTTP transfers done via tools such as curl. Using these methods, configuration of the FB6000 can be integrated with existing administrative systems.
--user "username:password" --output "filename"
Replace username and password with appropriate credentials. The XML configuration file will be stored in the file specified by filename - you can choose any file extension you wish (or none at all), but we suggest that you use .xml for consistency with the file extension used when saving a configuration via the User Interface (see Section 3.4.4).
Chapter 4. System Administration
4.1. User Management
You will have created your first user as part of the initial setup of your FB6000, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
4.1.1. Login level
A user's login level is set with the level attribute, and determines what CLI commands the user can run. The default, if the level attribute is not specified, is ADMIN - you may wish to downgrade the level for users who are not classed as 'system administrators'.
web or telnet (for command line interface access) services (see Section 12.2 and Section 12.3), or any firewall rules that affect web or telnet access to the FB6000 itself.
4.1.4.2. Restrict by profile
By specifying a profile name using the profile attribute, you can allow logins by the user only when the profile is in the Active state (see Chapter 8).
As a matter of policy, FireBrick software upgrades are always free to download for all FireBrick customers. To complement the responsive UK-based development process, the FB6000 is capable of downloading and installing new software directly from FireBrick's servers, providing the unit has Internet access.
Breakpoint releases are special as they are able to automatically update an existing configuration - used with the previous software release - so that it is compatible with the new release, and functionality is retained wherever possible. When using the Internet-based upgrade process, the FB6000 will always upgrade to the next available breakpoint version first, so that the configuration is updated appropriately.
This method is entirely manual, in the sense that the brick itself does not download new software from the FireBrick servers, and responsibility for loading breakpoint releases as required lies with the user. In order to do this, you will first need to download the required software image file (which has the file extension .img) from the FB6000 software downloads website [http://www.firebrick.co.uk/software.php?
4.4. Boot Process
The FB6000 contains internal Flash memory storage that holds two types of software :-
• main application software (generally referred to as the app)
• a bootloader - runs immediately on power-up, initialises system, and then loads the app
It is possible for only one of these types of software, or neither of them, to be present in the Flash, but when shipped from the factory the unit will contain a bootloader and the latest factory-release application software.
5.1. Overview
Many events in the operation of the FireBrick create a log entry. Each entry is a one-line string of text saying what happened. This could be normal events such as someone logging in to the web interface, or unusual events such as a wrong password used, or DHCP not being able to find any free addresses to allocate.
Event Logging
5.1.1.2. Logging to the Console
The console is the command line environment described in Chapter 17. You can cause log entries to be displayed as soon as possible on the console (assuming an active console session) by setting console="true" on the log target.
The module name refers to which part of the system caused the log entry, and is also shown in all other types of logging such as web and console. To enable log messages to be sent to a syslog server, you need to create a syslog object that is a child of the log target (log) object.
5.5. Performance
The FireBrick can log a lot of information, and adding logs can cause things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
Note
This is an "open ended" web page which has been known to upset some browsers, but this is rare. However it does not usually work with any sort of web proxy which expects the page to actually finish. All log targets can be viewed via the web User Interface, regardless of whether they specify any external logging (or logging to Flash memory).
Chapter 6. Interfaces and Subnets
This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those interfaces. For information about other types of 'interfaces', refer to the following chapters :-
• Point-to-Point Protocol over Ethernet (PPPoE) - Chapter 10
•...
The interface is associated with an internal (to the FB6000) port in this switch-port group, thus :-
• packets arriving at any of the ports in the group and destined for a MAC address belonging to the FB6000 will be received by the associated interface
•...
<port name="LAN" ports="3 4"/>
</config>
In this example, "WAN" and "ADMIN" groups consist of a single port each, physical ports 1 and 2 respectively. The "LAN" group consists of two physical ports, numbers 3 and 4. Ports 3 and 4 are members of a single layer 2 broadcast domain, and are equivalent in function in terms of communication between the FB6000 and another device.
To create or edit subnets, select the Interface category in the top-level icons, then click Edit next to the appropriate interface - under the section headed "IP subnet on the interface", you will see the list of existing subnet child objects (if any), and an "Add"...
by its MAC address) requests an IP address. However, if a new MAC address requests an allocation, and there are no available IPs (excluding expired allocations) in the allocation pool, then the oldest expired allocation IP address is re-used for the new client.
6.3.2.1.
• Link auto-negotiation is enabled - both speed and duplex mode are determined via auto-negotiation, which should configure the link for highest performance possible for the given link-partner (which will need to be capable of, and participating in, auto-negotiation for this to happen)
•...
Link/Activity | On when link up (any speed); blink (off) when Tx or Rx activity (Default for Green LED)
Link1000/Activity | On when link up at 1Gbit/s; blink (off) when Tx or Rx activity
Link100/Activity | On when link up at 100Mbit/s; blink (off) when Tx or Rx activity
On when link up at 10Mbit/s;...
Chapter 7. Routing
7.1. Routing logic
The routing logic in the FB6000 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
7.2. Routing targets
A route can specify various targets for the packet :-
Table 7.1. Route targets
Target | Notes
an Ethernet interface (locally-attached subnet) | requires ARP or ND to find the device on the LAN to which the traffic is to be sent.
a specific IP address (a "gateway") | the packet is forwarded to another router (gateway) ;...
• 'black-hole' : packets routed to a black-hole are silently dropped. 'Silent' refers to the lack of any ICMP response back to the sender.
• 'no-where' (also called 'dead-end') : packets routed to 'no-where' are also dropped but the FB6000 generates ICMP error responses back to the sender.
Chapter 8. Profiles
Profiles allow you to enable/disable various aspects of the FB6000's configuration (and thus functionality) based on things such as time-of-day or presence/absence of Ping responses from a specified device.
8.1. Overview
A profile is a two-state control entity - it is either Active or Inactive. Once a profile is defined, it can be referenced in various configuration objects where the profile state will control the behaviour of that object.
8.2.2. Tests
8.2.2.1. General tests
'General' tests are provided for the following :-
• FB105 tunnel state : the fb105 attribute lists one or more FB105 tunnel names (see Section 11.1) - if any of the specified tunnels are in the Active state, this tunnel-state test will pass
•...
Chapter 9. Traffic Shaping
The FB6000 includes traffic shaping functionality that allows you to control the speed of specific traffic flows through the FB6000. The FB6000 also provides graphing functionality, allowing specific traffic flows to be plotted on a graph image (PNG format) that the FB6000 generates. Within the FB6000, traffic shaping and graphing are closely associated, and this is reflected in how you configure traffic shaping - in order to be able to perform traffic shaping, you must first graph the traffic flow.
Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
VLANs (see Appendix D if you are not familiar with VLANs) so that each router can be logically connected to a different interface on the FireBrick. It is also a good idea to have a switch that supports jumbo frames if using FTTC or FTTP services in this way.
PPPoE
For fibre to the cabinet (FTTC) and fibre to the premises (FTTP) service you connect the FB6000 directly to the service with no extra equipment.
10.2. Defining PPPoE links
A PPPoE link is defined by a ppp top-level object. To create or edit PPPoE links in the web user interface, select the "Interface"...
PPPoE concentrator cannot handle the larger packets (such as a bridge or a switch). For this reason the default MTU is 1492.
10.2.2.2. Service and ac-name
The PPPoE protocol allows multiple services to be offered, and the service setting can be used to select which is available.
11.1. FB105 tunnels
The FB105 tunnelling protocol is a FireBrick proprietary protocol that was first implemented in the FireBrick FB105 device, and is popular with FB105 users for setting up VPNs etc. It is 'lightweight' in as much as it is relatively simple, with low overhead and easy setup, but it does not currently offer encryption.
IP address in tunnel definitions on such 'shared' end-points. The latter case is typical where an ISP deploys a FireBrick device to provide a 'head-end' device for tunnel bonding. If you wish to use a different UDP port number than the default of 1, specify the port number using the port attribute.
Tunnels
i.e. the first packet to be sent is routed down the first tunnel in the set, each subsequent packet is routed down the subsequent tunnel in the set, and the (N+1)'th packet (where N is the number of tunnels in the set) is again routed down the first tunnel.
assumes there is no outgoing 'firewall' rule on the NAT router that would prevent the wrapper packets from being forwarded). The established session will mean that UDP packets that arrive from the WAN side will be passed to the UDP port number that was the source port used in the outgoing wrapper packets.
•...
Chapter 12. System Services
A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling. Table 12.1 lists the services that the FB6000 can provide :-
Table 12.1. List of system services
Service | Function
SNMP server | provides clients with access to management information using the Simple Network Management Protocol...
The standard log, log-error, and log-debug settings can be used to specify levels of logging for the service. A locally-attached subnet is one which can be directly reached via one of the defined interfaces, i.e. is not accessed via a gateway. Address ranges in allow can be entered using either <first address>-<last_address>...
LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address back to a name.
Configuration of the NTP (client) service typically only requires setting the timeserver attribute to specify one or more NTP servers, using either DNS name or IP address.
12.6. SNMP configuration
The SNMP service allows other devices to query the FB6000 for management related information, using the Simple Network Management Protocol (SNMP).
Chapter 13. Network Diagnostic Tools
Various network diagnostic tools are provided by the FB6000, accessible through either the web user interface or the CLI :-
• Packet dump : low level diagnostics for detailed examination of network traffic passing through the FB6000
•...
This address is not on a local Ethernet subnet and so not allowed access.
13.2. Packet Dumping
The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB6000 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB6000 is responding appropriately.
IP address (2-off) Up to two IPs can be specified to filter packets
self Include my IP By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded. This option allows such traffic.
Linebreaks are shown in the example for clarity only - they must not be entered on the command-line. In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB6000.
VRRP
14.2.1. Advertisement Interval
A master indicates that it is still 'alive' by periodically sending an advertisement multicast packet to the group members. A failure to receive a multicast packet from the master router for a period longer than three times the advertisement interval timer causes the backup routers to assume that the master router is down.
Note that the FB6000 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick.
Chapter 15. BGP
15.1. What is BGP?
Note
This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
15.2. Using BGP in an ISP network?
Note
This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
FB6000 and other manufacturers' equipment.
16.1. What is L2TP?
Note
This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
16.2. Basic ISP model
Note
This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
Chapter 17. Command Line Interface
The FB6000 provides a traditional command-line interface (CLI) environment that can be used to check status information, and control some aspects of the unit's operation. The CLI is accessed via the 'telnet' protocol - the FB6000 implements a telnet server, which you can connect to using any common telnet client program.
IP addresses described in Chapter 2. This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason, or any other situation where it is appropriate to start from scratch.
• Connect network to left hand port. Power LED comes on solidly.
This process will start the FireBrick in a factory reset mode temporarily - the configuration stored in flash memory has not yet been altered or deleted at this stage.
Appendix B. CIDR and CIDR Notation
Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
routing table entry - 10.1.2.0/24 and 10.1.3.0/24 - routing table entries for these subnets would appear in a downstream router. Note that in either a network/subnet or routing destination specification, the address will be the starting address of the IP address range being expressed, such that there will be M least significant bits of the address set to zero, where M = 32 - prefix_length
Combined interface IP address and subnet definitions...
In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
MAC Addresses usage
000397:147C is interpreted as :
• All addresses in the range start with 00:03:97:14:7C
• the first address in the range has zero for the remaining digits (00)
• the last address in the range has F for the remaining digits (FF)
Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7F:FF inclusive (256 addresses).
Appendix D. VLANs : A primer
An Ethernet (Layer 2) broadcast domain consists of a group of Ethernet devices that are interconnected, typically via switches, such that an Ethernet broadcast packet (which specifies a reserved broadcast address as the destination Ethernet address of the packet) sent by one of the devices is always received by all the other devices in the group.
Framing Capabilities | 3 | Ignored | Value 3
Bearer Capabilities | 4 | Ignored | Not sent
Tie Breaker | 5 | Ignored as FireBrick only accepts connections for inbound calls | Not sent
Firmware Revision | 6 | Ignored | FireBrick s/w version string
Host Name | 7 | Used to select which incoming L2TP configuration applies. | As per config/RADIUS request
Supported L2TP Attribute/Value Pairs
Challenge | 11 | Accepted if a configured secret is defined, a response is sent in the SCCCN | Not sent at present
Challenge Response | 13 | Not expected at present | Sent if SCCRQ contained a challenge and we have a secret defined
E.3.
Calling Number | 22 | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value
Sub-Address | 23 | Ignored | Not sent
Physical Channel ID | 25 | Ignored | Not sent
E.7. Incoming-Call-Reply
Table E.7. ICRP
| No. | Incoming | Outgoing
Message Type | 0 | Value 11 | Value 11...
Message Type | 0 | Value 7 | Value 7
Not supported, ignored.
E.10. Outgoing-Call-Reply
Table E.10. OCRP
| No. | Incoming | Outgoing
Message Type | 0 | Value 8 | Value 8
Not supported, ignored.
E.11. Outgoing-Call-Connected
Table E.11. OCCN
| No. | Incoming | Outgoing
Message Type | 0 | Value 9 | Value 9...
IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping...
31 Calling number as received on L2TP
Acct-Session-Id | 44 | Unique ID for session as used on all following accounting records
NAS-Identifier | 32 | Configured hostname of FireBrick
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6...
Supported RADIUS Attribute/Value Pairs for L2TP operation
Note that the Calling-Station-Id is included even if not present in L2TP connection if a cache platform RADIUS request matched the L2TP connection and had a Calling-Station-Id.
F.2. Authentication response
F.2.1. Accepted authentication
Table F.2.
The client can send a Router solicitation to which the FireBrick will reply advising to use DHCPv6 for addressing. Once a router solicitation is sent, periodic Router Advertisements will then be sent on the connection by the FireBrick.
Acct-Event-Timestamp | 55 | Session start time (unix timestamp)
Acct-Session-Id | 44 | Unique ID for session
NAS-Identifier | 32 | Configured hostname of FireBrick
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6
NAS-Port | 5 | L2TP session ID...
Chargeable-User-Identity | 89 | Graph name that applies, sanitised to comply with CQM graph name rules.
Connect-Info | 77 | Text Tx speed/Rx speed in use
NAS-Identifier | 32 | Configured hostname of FireBrick
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6...
F.6. Disconnect
A disconnect message is accepted as per RFC5176, if the session can be disconnected, and ACK is sent, else a NAK.
Table F.7. Disconnect
| No. | Usage
Acct-Session-Id | 44 | Unique ID for session
Chargeable-User-Identity | 89 | This is used as CQM graph name.
X Pad packets to 74 bytes if length field appears to be less - needed to work around bug in BT 20CN BRAS for IPv6 in IP over LCP mode
C Send all IPv4 and IPv6 using the LCP type code (only works if FireBrick doing PPP at far end)
O Mark session as low-priority (see shaper and damping)
Depending on configuration, LCP echos are faked both ways from the FireBrick, and LCP echos are generated by the FireBrick and responses checked. This allows the CQM graphs to be created. The graph is only created for the outgoing part of the connection. If not configured to fake LCP echos, then these are passed through as normal and no graph is created.
IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping or DPI.
Shows how long since the FB6000 restarted.
G.1.4. General status
show status
Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages.
G.1.5. Memory usage
show memory
Shows memory usage summary.
Command line reference
G.1.8. Logout
logout
quit
exit
You can also use Ctrl-D to exit, or close the connection (if using telnet)
G.1.9. See XML configuration
show run
show configuration
Dumps the full XML configuration to the screen
G.1.10. Load XML configuration
import configuration
You then send the XML configuration, ending with a blank line.
G.2.2. Ping and trace
ping <IPNameAddr> [table=<routetable>] [source=<IPAddr>] [gateway=<IPAddr>] [flow=<unsignedShort>] [count=<positiveInteger>] [ttl=<unsignedByte>] [size=<unsignedShort>] [xml=<boolean>]
traceroute <IPNameAddr> [table=<routetable>] [source=<IPAddr>] [gateway=<IPAddr>] [flow=<unsignedShort>] [count=<positiveInteger>] [ttl=<unsignedByte>] [size=<unsignedShort>] [xml=<boolean>]
This sends a series of ICMP echo requests (ping) to a specified destination and confirms a response is received and the round trip time.
G.2.14. Check access to services
check access <IPAddr> [table=<routetable>]
Reports access control checks for a source address to various internal services. This is separate from any firewalling.
G.3. L2TP commands
Note
This command summary is not yet complete, please see www.firebrick.co.uk for details...
This can be useful to test fallback scenarios by simulating a fatal error. Note that panic crash logs are emailed to the FireBrick support by default, so please use a meaningful string, e.g.
panic "testing fallback" confirm=yes
G.7.2.
G.7.5. Show command sessions
show command sessions
The FB6000 can have multiple telnet connections at the same time. This lists all of the current connections.
G.7.6. Kill command session
kill command session <IPAddr>
You can kill a command session by IP address. This is useful if you know you have left a telnet connected from somewhere else.
FireBrick FB6602 V1.24.093 configuration objects

H.2. Objects

H.2.1. system: System settings

The system settings are the top level attributes of the system which apply globally.

Table H.3. system: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | | Comment |
| contact | string | | Contact name... |
| text | string | | Link text |
| | string | | Link address |

H.2.3. user: Admin users

User names, passwords and abilities for admin users

Table H.6. user: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| allow | List | | Restrict logins to be from specific IP... |
| | string | Not optional | Target email address |

H.2.7. services: System services

System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
| allow | List IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| comment | string | | Comment |
| local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
| | string | Not logging | Log events... |
| port | unsignedShort | | Service port |
| profile | string | | Profile name |
| source | string | | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | | Routing table number |

H.2.11. http-service: HTTP service settings

Web management pages

Table H.15. http-service: Attributes...
| profile | string | | Profile name |
| restrict | List IPNameRange | | List of IP ranges to which this is served |
| source | string | | Source of data, used in automated config management |
| | unsignedInt | | Time to live |

H.2.15. radius-service: RADIUS service definition

RADIUS server and proxy definitions

Table H.20.
| target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection |
| target-secret | Secret | | Shared secret for L2TP connection |
| test | List of IPAddr | | List of IPs that must have routing for this target to be valid (deprecated) |
| profile | string | | Profile name |
| relay-ip | List of IPAddr | | Address to copy RADIUS request |
| relay-port | unsignedShort | 1812 | Authentication port copy RADIUS request |
| relay-table | (unsignedByte 0-99) routetable | | Routing table number for copy of RADIUS request |
| secret | Secret... | | |
Table H.24. ethernet: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation |
| clocking | LinkClock | prefer-slave | Gigabit clock setting |
| crossover | Crossover | auto | Port crossover configuration... |
| | | Optional, unlimited | IP subnet on the interface |
| vrrp | vrrp | Optional, unlimited | VRRP settings |

H.2.21. subnet: Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

Table H.28. subnet: Attributes

Attribute Type Default...
| | | | Test link state using ARP/ND for this IP |
| | unsignedByte | | TTL for originating traffic via subnet |

H.2.22. vrrp: VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority.

Table H.29. vrrp: Attributes

Attribute...
| use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC |
| version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3 |
| vrid | unsignedByte | | VRID |

H.2.23. dhcps: DHCP server settings

Settings for DHCP server

Table H.30.
Table H.32. dhcp-attr-hex: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | | Comment |
| force | boolean | | Send even if not requested |
| | unsignedByte | Not optional | Attribute type code |
| name | string | | Name |
| value | hexBinary | Not optional | Value |

H.2.25. dhcp-attr-string: DHCP server attributes...
| name | string | | Name |
| value | IP4Addr | Not optional | Value |

H.2.28. pppoe: PPPoE settings

PPPoE endpoint settings

Table H.36. pppoe: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| ac-name | string | Any a/c name | Access concentrator name |
| accept-dns | boolean | true | Accept DNS servers specified by far end... |
| username | string | | User name |
| vlan | (unsignedShort 0-4095) vlan | | VLAN ID (0=untagged) |

Table H.37. pppoe: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up |

H.2.29. ppp-route: PPP routes

Routes that apply when link is up

Table H.38.
| t3-response | duration | | Message retry time |
| table | (unsignedByte 0-99) routetable | | Routing table for GTP packets |
| tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |

H.2.31. route: Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
H.2.33. blackhole: Dead end networks

Networks that go nowhere

Table H.42. blackhole: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| | bgpmode | false | BGP announce mode for routes |
| comment | string | | Comment |
| | List of IPPrefix | Not optional | One or more network prefixes... |
| name | string | | Name |
| source | string | | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | | Routing table number |

Table H.45. bgp: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| peer | bgppeer | Optional, up to 500 | List of peers/neighbours |

H.2.36.
| | Secret | | MD5 signing secret |
| name | string | | Name |
| next-hop-self | boolean | false | Force us as next hop outbound |
| no-fib | boolean | | Don't include received routes in packet forwarding |
| | unsignedByte | | Pad (prefix stuff) our AS by this many |
| profile... | | | |
| source | string | | Source of data, used in automated config management |
| | List of Community | - | List of community tags to add |

Table H.49. bgpmap: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | bgprule | Optional, unlimited | List rules, in order of checking |

H.2.38.
| fail-score2 | unsignedByte | | Score for on/above level 2 |
| fail-usage | unsignedInt | 128000 | Usage below which fail is not expected |
| fblogo | Colour | #bd1220 | Colour for logo |
| graticule | Colour | grey | Graticule colour |
| heading | string | | Heading of graph |
| hourformat | string... | | |
| secret | Secret | | Secret for MD5 coded URLs |
| sent | Colour | #ff8 | Colour for polled seconds |
| share-interface | string | | Interface on which to broadcast data for shaper sharing |
| share-secret | string | | Secret to validate shaper sharing |
| subheading | string | | Subheading of graph... |
Table H.55. l2tp-incoming: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication |

H.2.42. l2tp-relay: Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

Table H.56.
| | List of string | | Active if all specified profiles are active as well as all other tests passing, including 'not' |
| comment | string | | Comment |
| initial | boolean | true | Defines state at system startup if not using |
| interval | duration | | Time between tests (e.g. |
| comment | string | | Comment |
| start | dateTime | | Start (YYYY-MM-DDTHH:MM:SS) |
| stop | dateTime | | End (YYYY-MM-DDTHH:MM:SS) |

H.2.45. profile-time: Test passes if within any of the date/time ranges specified

Time range test in profiles

Table H.60. profile-time: Attributes

Attribute Type Default...
| name | string | Not optional | Name |
| source | string | | Source of data, used in automated config management |
| users | List of string | | Include IP of (time limited) logged in web users |

H.3. Data types

H.3.1. autoloadtype: Type of s/w auto load

Table H.66.
Table H.69. syslog-severity: Syslog severity

| Value | Description |
|---|---|
| EMERG | System is unstable |
| ALERT | Action must be taken immediately |
| CRIT | Critical conditions |
| | Error conditions |
| WARNING | Warning conditions |
| NOTICE | Normal but significant events |
| INFO | Informational |
| DEBUG | Debug level messages |
| NO-LOGGING | No logging |

H.3.5.
H.3.6. month: Month name (3 letter)

Table H.71. month: Month name (3 letter)

Value Description January February March April June July August September October November December

H.3.7. day: Day name (3 letter)

Table H.72. day: Day name (3 letter)
| user | Hashed on username before @ |
| realm | Hashed on username after @ |
| prefix | Hashed on username initial letters and numbers only |

H.3.9. radiustype: Type of RADIUS server

Table H.74. radiustype: Type of RADIUS server

Value...
| auto | Duplex determined by autonegotiation |

H.3.14. LinkFlow: Physical port flow control setting

Table H.79. LinkFlow: Physical port flow control setting

| Value | Description |
|---|---|
| none | No flow control |
| symmetric | Can support two-way flow control |
| send-pauses | Can send pauses but does not support pause reception |
| | Can receive pauses and may send pauses if required |

H.3.15.
| | Permanently off |
| | Permanently on |
| Cycling | Cycling pattern |

H.3.18. LinkPower: PHY power saving options

Table H.83. LinkPower: PHY power saving options

| Value | Description |
|---|---|
| none | No power saving |
| full | Full power saving |

H.3.19. LinkFault: Link fault type to send

Table H.84.
Table H.87. bgpmode: BGP announcement mode

| Value | Description |
|---|---|
| false | Not included in BGP at all |
| no-advertise | Not included in BGP, not advertised at all |
| no-export | Not normally exported from local AS/confederation |
| local-as | Not exported from local AS... |
H.3.27. peertype: BGP peer type

Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.

Table H.92. peertype: BGP peer type...
| IPSubnet | IP address / bitlen |
| IPFilter | Route filter |
| Password | Password |
| Community | xxx:xxx community |
| PortRange | xxx-xxx port range |
| Colour | #rgb #rrggbb #rgba #rrggbbaa colour |
| Secret | Secret/passphrase |
| duration | Period [[HH:]MM:]SS |
| username | Login name (string) |
| ipnamerangelist | List of IPranges or ip groups (IPNameRange) |