FireBrick FB2700 User Manual

Summary of Contents for FireBrick FB2700

  • Page 1 FireBrick TEST User Manual FB2700 Versatile Network Appliance...
  • Page 3 FireBrick TEST User Manual This User Manual documents Software version V1.25.101 Copyright © 2012-2013 FireBrick Ltd.
  • Page 4: Table Of Contents

    1.1.3. Ethernet port capabilities (p. 2)
    1.1.4. Differences between the devices in the FB2x00 series (p. 2)
    1.1.5. Software features (p. 2)
    1.1.6. Migration from previous FireBrick models (p. 2)
    1.2. About this Manual (p. 3)
    1.2.1. Version (p. 3)
    1.2.2.
  • Page 5
    4.1.4.1. Restrict by IP address (p. 22)
    4.1.4.2. Restrict by profile (p. 23)
    4.2. General System settings (p. 23)
    4.2.1. System name (hostname) (p. 23)
    4.2.2. Administrative details (p. 23)
    4.2.3. System-level event logging control (p. 23)
    4.2.4.
  • Page 6
    12.1.3. Viewing tunnel status (p. 63)
    12.1.4. Dynamic routes (p. 63)
    12.1.5. Tunnel bonding (p. 63)
    12.1.6. Tunnels and NAT (p. 64)
    12.1.6.1. FB2700 doing NAT (p. 64)
    12.1.6.2. Another device doing NAT (p. 64)
    13. System Services (p. 66)
    13.1. Common settings (p. 66)
    13.2.
  • Page 7
    13.3.1. Access control (p. 67)
    13.4. DNS configuration (p. 68)
    13.4.1. Blocking DNS names (p. 68)
    13.4.2. Local DNS responses (p. 68)
    13.4.3. Auto DHCP DNS (p. 68)
    13.5. NTP configuration (p. 68)
    13.6. SNMP configuration (p. 69)
    13.7.
  • Page 8
    19.2.2. Manual Keying (p. 92)
    19.2.3. Routing (p. 93)
    19.2.4. Other parameters (p. 93)
    19.3. Tunnelling to a non-FireBrick device (p. 93)
    19.4. Remote connection - IPsec and L2TP (p. 94)
    19.5. Choice of algorithms (p. 94)
    20. Command Line Interface (p. 95)
    A.
  • Page 9
    F.3. Accounting Start (p. 110)
    F.4. Accounting Interim (p. 111)
    F.5. Accounting Stop (p. 112)
    F.6. Disconnect (p. 113)
    F.7. Change of Authorisation (p. 113)
    F.8. Filter ID (p. 114)
    F.9. Notes (p. 115)
    F.9.1. L2TP relay (p. 115)
    F.9.2.
  • Page 10
    H.4. L2TP commands (p. 125)
    H.5. BGP commands (p. 125)
    H.6. OSPF commands (p. 125)
    H.7. GGSN commands (p. 125)
    H.8. PPPoE commands (p. 125)
    H.9. VoIP commands (p. 125)
    H.10. Advanced commands (p. 125)
    H.10.1. Panic (p. 125)
    H.10.2.
  • Page 11
    I.2.36. loopback: Locally originated networks (p. 149)
    I.2.37. ospf: Overall OSPF settings (p. 150)
    I.2.38. bgp: Overall BGP settings (p. 150)
    I.2.39. bgppeer: BGP peer definitions (p. 151)
    I.2.40. bgpmap: Mapping and filtering rules of BGP prefixes (p. 152)
    I.2.41.
  • Page 12
    I.3.21. bgpmode: BGP announcement mode (p. 180)
    I.3.22. sfoption: Source filter option (p. 180)
    I.3.23. pppoe-mode: Type of PPPoE connection (p. 180)
    I.3.24. ggsn-calling: Calling number options for GGSN (p. 181)
    I.3.25. ggsn-called: Called number options for GGSN (p. 181)
    I.3.26.
  • Page 13: List of Figures
    2.1. Initial web page in factory reset state (p. 7)
    2.2. Initial "Users" page (p. 7)
    2.3. Setting up a new user (p. 8)
    2.4. Configuration being stored (p. 8)
    3.1. Main menu (p. 12)
    3.2. Icons for layout controls (p. 13)
    3.3.
  • Page 14: List of Tables
    2.1. IP addresses for computer (p. 6)
    2.2. IP addresses to access the FireBrick (p. 6)
    2.3. IP addresses to access the FireBrick (p. 6)
    3.1. Special character sequences (p. 17)
    4.1. User login levels (p. 22)
    4.2.
  • Page 15
    G.6. Accounting-Start (p. 119)
    G.7. Accounting-Interim (p. 119)
    G.8. Accounting-Stop (p. 120)
    G.9. Disconnect (p. 120)
    G.10. Change-of-Authorisation (p. 120)
    I.1. config: Attributes (p. 128)
    I.2. config: Elements (p. 128)
    I.3. system: Attributes (p. 129)
    I.4. system: Elements (p. 129)
    I.5.
  • Page 16
    I.52. bgppeer: Elements (p. 152)
    I.53. bgpmap: Attributes (p. 152)
    I.54. bgpmap: Elements (p. 153)
    I.55. bgprule: Attributes (p. 153)
    I.56. cqm: Attributes (p. 153)
    I.57. l2tp: Attributes (p. 155)
    I.58. l2tp: Elements (p. 155)
    I.59. l2tp-outgoing: Attributes (p. 155)
    I.60.
  • Page 17
    I.108. LinkSpeed: Physical port speed (p. 178)
    I.109. LinkDuplex: Physical port duplex setting (p. 178)
    I.110. LinkFlow: Physical port flow control setting (p. 178)
    I.111. LinkClock: Physical port Gigabit clock master/slave setting (p. 178)
    I.112. LinkLED: LED settings (p. 178)
    I.113.
  • Page 18: Preface

    Preface The FB2700 device is the result of several years of intensive effort to create products based on state of the art processing platforms, featuring an entirely new operating system and IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
  • Page 19: Introduction

    1.1.1. Where do I start? The FB2700 is shipped in a factory reset state. This means it has a default configuration that allows the unit to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a known IP address for further configuration.
  • Page 20: Ethernet Port Capabilities

    FB2700 is faster - typically up to 350Mb/s. The other advantage the FB2700 offers is that you can directly attach an ordinary 3G dongle via the USB port on the front, and use a mobile data connection - this is typically used as a back up for a DSL line.
  • Page 21: About This Manual

    Introduction configuration should be treated as a starting point for using your FB2700 in place of your FB105, as the result from the converter may be incomplete, or there may be aspects that cannot be carried over. The translator can be accessed at : http://www.firebrick.co.uk/fb105-2700.php...
  • Page 22: Document Conventions

    This Manual aims to be highly usable regardless of your learning style - material is presented in an order that starts with fundamental concepts, and builds to more complex operation of your FireBrick. At all stages we hope to provide a well-written description of how to configure each aspect of the FireBrick, and - where necessary - provide enough insight into the FireBrick's internal operation that you understand why the configuration achieves what it does.
  • Page 23: Irc Channel

    Many FireBrick resellers also offer general IT support, including installation, configuration, maintenance, and training. You may be able to get your reseller to develop FB2700 configurations for you - although this will typically be chargeable, you may well find this cost-effective, especially if you are new to FireBrick products.
  • Page 24: Getting Started

    • Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
  • Page 25: Add A New User

    2.2.1. Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
  • Page 26: Setting Up A New User

    Figure 2.3. Setting up a new user You may also want to increase the login-session idle time-out from the default of 5 minutes, especially if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and enter an appropriate value as minutes, colon, and seconds, e.g.
  • Page 27 On this page there is a "Login" link (in red text)- click on this link and then log in using the username and password you chose. We recommend you read Chapter 3 to understand the design of the FB2700's user interface, and then start working with your FB2700's factory reset configuration. Once you are familiar with how the user interface is...
  • Page 28: Configuration

    3.1. The Object Hierarchy The FB2700 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB2700. The values of the attributes determine how that object affects operation.
  • Page 29: Formal Definition Of The Object Model

    XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this may be a bug - please check this via the appropriate support channel(s).
  • Page 30: User Interface Layout

    • status information, such as DHCP server allocations, FB105 tunnel information and system logs • network diagnostic tools, such as Ping and Traceroute; there are also tools to test how the FB2700 will process particular traffic, allowing you to verify your firewalling is as intended •...
  • Page 31: Config Pages And The Object Hierarchy

    Layout settings are stored in a cookie - since cookies are stored on your computer, and are associated with the DNS name or IP address used to browse to the FB2700, this means that settings that apply to a particular FB2700 will automatically be recalled next time you use the same computer/browser to connect to that FB2700.
  • Page 32: Object Settings

    Figure 3.4. The "Setup" category Each section is displayed as a tabulated list showing any existing objects of the associated type. Each row of the table corresponds with one object, and a subset (typically those of most interest at a glance) of the object's attributes are shown in the columns - the column heading shows the attribute name.
  • Page 33: Navigating Around The User Interface

    Figure 3.6. Show hidden attributes Each box in the matrix contains the following :- • a checkbox - if the checkbox is checked, an appropriate value entry widget is displayed, otherwise, a default value is shown and applied for that setting. •...
  • Page 34: Backing Up / Restoring The Configuration

    To back up / save or restore the configuration, start by clicking on the "Config" main-menu item. This will show a page with a form to upload a configuration file (in XML) to the FB2700 - also on the page is a link "Download/save config"...
  • Page 35: Special Character Sequences

    (spaces and line breaks). Generally, the content of an element can be other child elements or text. However, the FB2700 doesn't use text content in elements - all configuration data is specified via attributes. Therefore you will see that elements only contain one or more child elements, or no content at all.
  • Page 36: The Root Element -

    At the top level, an XML file normally only has one element (the root element), which contains the entire element hierarchy. In the FB2700 the root element is <config>, and it contains 'top-level' configuration elements that cover major areas of the configuration, such as overall system settings, interface definitions, firewall rule sets etc.
  • Page 37
    <interface name="LAN" port="LAN">
      <subnet name="LAN" ip="81.187.96.94/28"/>
      <dhcp name="LAN" ip="81.187.96.88-92" log="default"/>
    </interface>
    <rule-set name="filters" no-match-action="drop">
      <rule name="Our-Traffic" source-interface="self" comment="FB originated traffic allowed"/>
      <rule name="FireBrick UI" target-port="80" target-interface="self" protocol="6"/>
      <rule name="ICMP" protocol="1" log="default"/>
      <rule name="All outgoing" source-interface="LAN"/>
      <rule name="FB-access" source-interface="LAN" target-port="80" target-interface="self"...
  • Page 38: Downloading/Uploading The Configuration

    User Interface (see Section 3.4.4). 3.6.2. Upload To upload the configuration to the FB2700 you need to send the configuration XML file as if posted by a web form, using the MIME type multipart/form-data. An example of doing this using curl, run on a Linux box, is shown below :- curl http://<FB2700 IP address or DNS name>/config/config...
  • Page 39: System Administration

    Chapter 4. System Administration 4.1. User Management You will have created your first user as part of the initial setup of your FB2700, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
  • Page 40: Login Level

    4.1.1. Login level A user's login level is set with the level attribute, and determines what CLI commands the user can run. The default, if the level attribute is not specified, is ADMIN - you may wish to downgrade the level for users who are not classed as 'system administrators'.
  • Page 41: Restrict By Profile

    4.2.4. Home page web links The home page is the first page you see after logging in to the FB2700, or when you click the Home main- menu item. The home page displays the system name, and, if defined, the text specified by the intro attribute on the system object.
  • Page 42: Software Upgrades

    Note In order to be able to run alpha releases, your FB2700 must be enabled to run alpha software - this is done by changing the entry in the FireBrick capabilities database (hosted on FireBrick company servers) for your specific FB2700, as identified by the unit's Serial Number.
  • Page 43: Identifying Current Software Version

    If automatic installs are allowed, the FB2700 will check for new software on boot up and approximately every 24 hours thereafter - your FB2700 should therefore pick up new software at most ~ 24 hours after it is released. You can choose to allow this process to install only new factory-releases, factory or beta releases, or any release, which then includes alpha releases (if your FB2700 is enabled for alpha software - see Section 4.3.1) - refer to...
  • Page 44: Controlling Automatic Software Updates

    This method is entirely manual, in the sense that the brick itself does not download new software from the FireBrick servers, and responsibility for loading breakpoint releases as required lies with the user. In order to do this, you will first need to download the required software image file (which has the file extension .img) from the FB2700 software downloads website [http://www.firebrick.co.uk/software.php?
  • Page 45: Boot Process

    The FB2700 can store multiple app software images in the Flash, and this is used with an automatic fall-back mechanism - if a new software image proves unreliable, it is 'demoted', and the unit falls back to running older software.
  • Page 46: Event Logging

    5.1.1. Log targets A log target is a named destination (initially internal to the FB2700) for log entries - you can have multiple log targets set up which you can use to separate out log event messages according to some criteria - for example, you could log all firewalling related log events to a log target specifically for that purpose.
  • Page 47: Logging To The Console

    5.3.1. Syslog The FB2700 supports sending of log entries across a network to a syslog server. Syslog is described in RFC5424 [http://tools.ietf.org/html/rfc5424], and the FB2700 includes microsecond resolution time stamps, the hostname (from system settings) and a module name in entries sent via syslog.
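The FB2700 emits syslog in the RFC 5424 shape described above (microsecond timestamps, the configured hostname, a module name). The following is an added example, not code from the manual or from FireBrick: a small RFC 5424 header parser that a collector or SIEM pipeline could use to pull out facility, severity, the sub-second timestamp and the module (APP-NAME) before matching on the message. The sample lines are constructed; the module names "firewall" and "dhcp" and the message wording are assumptions, as is the use of the APP-NAME field to carry the module name.

```python
import re
from datetime import datetime

# Constructed sample lines in RFC 5424 form. They are not captured from an
# FB2700; the module names ("firewall", "dhcp") and message wording are
# assumptions made for this example.
SAMPLE_LINES = [
    '<134>1 2013-05-07T10:15:32.123456+01:00 fb2700-office firewall - - - '
    'session dropped 203.0.113.5:43210 -> 192.0.2.10:22 tcp',
    '<133>1 2013-05-07T10:15:33.000001Z fb2700-office dhcp - - '
    '[meta seq="42"] lease 10.0.0.23 given to 00:11:22:33:44:55',
    '<0>1 - fb2700-office - - - -',          # NILVALUE timestamp: clock not set
]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by STRUCTURED-DATA and an optional MSG (RFC 5424 section 6).
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$'
)

FACILITIES = dict(enumerate(
    ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
     'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock']))
FACILITIES.update({16 + i: f'local{i}' for i in range(8)})
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']


def _parse_timestamp(ts):
    """RFC 3339 timestamp (up to 6 fractional digits) or '-' when unknown."""
    if ts == '-':
        return None
    if ts.endswith('Z'):                      # fromisoformat predates 'Z' support
        ts = ts[:-1] + '+00:00'
    return datetime.fromisoformat(ts)


def _split_structured_data(rest):
    """Split 'STRUCTURED-DATA [SP MSG]' into ([sd-element, ...], msg)."""
    if rest == '-':
        return [], ''
    if rest.startswith('- '):
        return [], rest[2:]
    elements, pos = [], 0
    while pos < len(rest) and rest[pos] == '[':
        end = pos + 1
        while end < len(rest) and rest[end] != ']':
            end += 2 if rest[end] == '\\' else 1   # skip escaped '\]' etc.
        if end >= len(rest):
            raise ValueError('unterminated SD-ELEMENT')
        elements.append(rest[pos + 1:end])
        pos = end + 1
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [..] elements")
    return elements, rest[pos:].lstrip(' ')


def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; raises ValueError on malformed input."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError(f'not an RFC 5424 header: {line!r}')
    pri = int(m['pri'])
    if pri > 191:                             # 23 facilities * 8 severities - 1
        raise ValueError(f'PRI out of range: {pri}')
    sd, msg = _split_structured_data(m['rest'])
    return {
        'facility': FACILITIES.get(pri >> 3, f'facility{pri >> 3}'),
        'severity': SEVERITIES[pri & 7],
        'version': int(m['version']),
        'timestamp': _parse_timestamp(m['timestamp']),
        'hostname': m['hostname'],
        'appname': m['appname'],
        'procid': m['procid'],
        'msgid': m['msgid'],
        'structured_data': sd,
        'msg': msg,
    }


def parse_many(lines):
    return [parse_rfc5424(line) for line in lines]


if __name__ == '__main__':
    for entry in parse_many(SAMPLE_LINES):
        print(entry['timestamp'], entry['hostname'], entry['appname'],
              entry['facility'] + '.' + entry['severity'], entry['msg'])
```

Two points worth checking when wiring this up: an entry whose timestamp is the NILVALUE "-" means the sender's clock was not set, which is why the manual's NTP configuration (Section 13.5) matters for usable logs; and plain syslog over UDP carries no authentication, so the hostname in the header should be cross-checked against the source address the collector actually received the datagram from before it is trusted for correlation.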
  • Page 48: Email

    • retry delay : if an attempt to send the e-mail fails, the FB2700 will wait before re-trying ; the default wait period is 10 minutes, but you can change this by setting the retry attribute...
  • Page 49: E-Mail Process Logging

    5.5. Performance The FireBrick can log a lot of information, and adding logs can cause things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
  • Page 50: Viewing Logs In The Cli Environment

    Specifying system event logging attributes is usually only necessary when diagnosing problems with the FB2700, and will typically be done under guidance from support staff. For example, log-stats causes a log message to be generated every second containing some key system statistics and state information, which are useful for debugging.
  • Page 51: Interfaces And Subnets

    In some situations, auto-negotiation is not supported by connected equipment, and so the FB2700 provides control of port behaviour to allow the port to work with such equipment.
  • Page 52: Defining Port Groups

    An example of such a configuration is a multi-tenant serviced-office environment, where the FB2700 acts as an Internet access router for a number of tenants, firewalling between tenant networks, and maybe providing access to shared resources such as printers.
  • Page 53: Defining An Interface

    You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv6 networking. The primary attributes that define a subnet are the IP address range of the subnet, the IP address of the FB2700 itself on that subnet, and an optional name.
  • Page 54: Using Dhcp To Configure A Subnet

    2001:DB8::1/64 and 10.0.0.1/24. These subnet definitions provide a default IP address that the FB2700 can initially be accessed on, regardless of whether the FB2700 has been able to obtain an address from an existing DHCP server on the network. Once you have added new subnets to suit your requirements, and tested that they work as expected, these temporary definitions should be removed.
  • Page 55: Fixed/Static Dhcp Allocations

    If you are setting up a static allocation, but your client has already obtained an address (from your FB2700) from a pool, you will need to clear the allocation and then force the client to issue another DHCP request (e.g. unplug ethernet cable, do a software 'repair connection' procedure or similar etc.).
  • Page 56: Physical Port Settings

    6.4.3. Setting duplex mode If auto-negotiation is enabled, the FB2700 port will normally advertise that it is capable of either half- or full- duplex operation modes - if you have reason to restrict the operation to either of these modes, you can set the duplex attribute to either half or full.
  • Page 57: Defining Port Led Functions

    the potential for duplex mis-match problems that can occur when connecting the FB2700 to some vendors' (notably Cisco) equipment that has auto-negotiation disabled by default. 6.4.4. Defining port LED functions For each port, the green and yellow port LEDs can be set to indicate any of the conditions shown in Table 6.2, by setting the values of the green and/or yellow attributes.
  • Page 58 (Table 6.2, LED conditions; the column layout did not survive extraction) Link down; Link up at 10Mbit/s / Tx or Rx Activity (On/Blinking); Link up at 100Mbit/s / Tx or Rx Activity (On/Blinking); Link up at 1Gbit/s / Tx or Rx Activity (On/Blinking)...
  • Page 59: Session Handling

    Without the session table entry, the FB2700 would have no way of knowing that the return traffic is part of an allowed (by firewalling rules) session, and it would likely be dropped due to firewalling.
  • Page 60: Session Termination

    FB2700. To do so would require support for a very wide range of protocols that are carried over UDP, and this is generally not practical.
  • Page 61: Processing Flow

    7.3.2. Processing flow The following processing flow applies to rules and rule-sets :- • Rule-sets are processed sequentially. • Each rule-set can optionally specify entry-criteria - if present, these criteria must be matched against for the rules within the rule-set to be considered. •...
  • Page 62 (i.e. an attribute of the rule-set object). This is particularly true when using XML. If you are unfamiliar with the FB2700's session rule specifications, you may interpret the no-match-action as specifying what happens if the rule-set's entry-criteria are not met (i.e. at the beginning of processing a rule-set).
  • Page 63: Processing Flow Chart For Rule-Sets And Session-Rules

    Figure 7.2. Processing flow chart for rule-sets and session-rules (flow chart; recoverable labels: "Packet arrives, no matching session exists", "Processing continues with next rule-set", "All rule-sets processed?", "Yes", "Session Allowed")...
  • Page 64: Defining Rule-Sets And Rules

    It is helpful to understand that a session rule contributes to the final set of information recorded in the session- table entry - a rule does not necessarily completely define what the session-table will contain, unless it is the only rule that matches the traffic under consideration.
  • Page 65 Although there are likely numerous ways in which you can construct workable rule-sets that implement firewalling in addition to any traffic-shaping or NAT etc., we recommend that you implement firewalling as follows :- • create one or more rule-sets that are specifically for firewalling •...
  • Page 66: Changes To Session Traffic

    For example, a session-rule can specify that the source IP address of the outbound packets be changed, such that they appear to be coming from a different address, typically one owned by the FB2700 itself. Return traffic will then be sent back to this modified address - assuming that the intention is that this traffic reach the original source IP address, the FB2700 will change the destination IP address in return traffic to be the original source IP address.
  • Page 67: Configuring Session Time-Outs

    Two time-out values are configurable :- • Initial time-out : this time-out period begins when the first reply packet of the session arrives at the FB2700 ; it is specified by the set-ongoing-timeout attribute.
  • Page 68: Routing

    Chapter 8. Routing 8.1. Routing logic The routing logic in the FB2700 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
  • Page 69: Routing Targets

    In addition, a subnet definition creates a very specific single IP (a "/32" for IPv4, or a "/128" for IPv6) route for the IP address of the FB2700 itself on that subnet. This is a separate loop-back route which effectively internally routes traffic back into the FB2700 itself - i.e.
  • Page 70: Dynamic Route Creation / Deletion

    • 'black-hole' : packets routed to a black-hole are silently dropped. 'Silent' refers to the lack of any ICMP response back to the sender. • 'no-where' (also called 'dead-end') : packets routed to 'no-where' are also dropped but the FB2700 generates ICMP error responses back to the sender.
  • Page 71 Routing This is done for each direction on the session and remembered. This new target IP is then used on a per packet basis in the same way as above instead of the destination IP address of the packet. Because the route-override just sets a new target routing IP and does not allow you to set a specific tunnel or such, you may want to have a dummy single IP address routed down a tunnel, and then use route-override rules to tell specific sessions to use that IP as the gateway.
  • Page 72: Profiles

    Ping test can be used to alert you via e-mail when a destination is unreachable. The current state of all the profiles configured on your FB2700 can be seen by choosing the "Profiles" item in the "Status" menu.
  • Page 73: Tests

    • VRRP state : the vrrp attribute lists one or more Virtual Router group membership definitions (see Chapter 15) by name - if the FB2700 is not the master device in any of these Virtual Routers, this test will fail If more than one of these general tests is selected (corresponding attribute specified), then they must all pass (along with all other tests defined) for the overall result to be pass.
  • Page 74
    <profile name="Off" set="false"/>
    <profile name="On" set="true"/>...
  • Page 75: Traffic Shaping

    The graph is viewable directly (as a PNG image) from the FB2700 via the web User Interface - to view a graph, click the "PNG" item in the "Graphs" menu. This will display all the graphs that are currently configured - it is not currently possible to show a single graph within the web User Interface environment.
  • Page 76 Traffic Shaping Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
  • Page 77: Pppoe

    It is possible to connect more than one PPP device to a single FB2700 port using an Ethernet switch. If you do this then you ideally need a switch that handles VLANs (see Appendix D if you are not familiar with VLANs) so that each router can be logically connected to a different interface on the FireBrick.
  • Page 78: Definining Pppoe Links

    If you are connecting multiple routers/modems via a VLAN capable switch to a single FB2700 port, you will also need to specify the VLAN used for the FB2700 to router/modem layer 2 connection - this is done by setting the value of the vlan attribute too.
  • Page 79: Service And Ac-Name

    PPPoE concentrator cannot handle the larger packets (such as a bridge or a switch). For this reason the default MTU is 1492. 11.2.2.2. Service and ac-name The PPPoE protocol allows multiple services to be offered, and the service setting can be used to select which is available.
  • Page 80: Tunnels

    'tunnel wrappers', and include the digital signature. As with any other UDP traffic originating at the FB2700, the tunnel wrappers are then encapsulated in an IP packet and sent to the IP address of the far- end tunnel end-point.
  • Page 81: Viewing Tunnel Status

    IP address in tunnel definitions on such 'shared' end-points. The latter case is typical where an ISP deploys a FireBrick device to provide a 'head-end' device for tunnel bonding. If you wish to use a different UDP port number than the default of 1, specify the port number using the port attribute.
  • Page 82: Tunnels And Nat

    NAT'ing router. If the FB2700 is behind a NAT router, it will not have a public IP address of its own which you can reference as the far-end IP address on the other end-point device. Instead, you will need to specify the WAN address of the NAT router for this far-end address.
  • Page 83 Tunnels assumes there is no outgoing 'firewall' rule on the NAT router that would prevent the wrapper packets from being forwarded). The established session will mean that UDP packets that arrive from the WAN side will be passed to the UDP port number that was the source port used in the outgoing wrapper packets. •...
  • Page 84: System Services

    HTTP server: serves the web user-interface files to a user's browser on a client machine.
    (label cut off): relays DNS requests from either the FB2700 itself, or client machines, to one or more DNS resolvers.
    RADIUS: configuration of RADIUS service for platform RADIUS for L2TP. Configuration of RADIUS client accessing external RADIUS servers.
  • Page 85: Http Server Configuration

    The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based user- interface for the FB2700. It is not a general-purpose web server that can be used to serve user documents, and so there is little to configure.
  • Page 86: Dns Configuration

    LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address back to a name.
  • Page 87: Snmp Configuration

    NTP servers, using either DNS name or IP address. 13.6. SNMP configuration The SNMP service allows other devices to query the FB2700 for management related information, using the Simple Network Management Protocol (SNMP). As with the HTTP server, access can be restricted to :- •...
  • Page 88: Network Diagnostic Tools

    For example, if we submit parameters that describe inbound (i.e. from a WAN connection) traffic that would result from trying to access a service on a host behind the FB2700, we have implemented a 'default drop' policy firewalling method, and we have not explicitly allowed such sessions, we would see :-...
  • Page 89: Access Check

    The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB2700 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB2700 is responding appropriately.
  • Page 90: Dump Parameters

    The output is streamed so that, when used with curl and tcpdump, you can monitor traffic in real time. Limited filtering is provided by the FB2700, so you will normally apply any additional filtering you need via tcpdump.
  • Page 91: Ip Address Matching

    Note These security requirements are the most likely thing to cause your attempts to packet dump to fail. If you are getting a simple "404" error response, and think you have specified the correct URL (if using an HTTP client), please check security settings are as described here.
  • Page 92: Using An Http Client

    Linebreaks are shown in the example for clarity only - they must not be entered on the command-line In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB2700.
  • Page 93: Vrrp

    You can have multiple virtual routers on the same LAN at the same time, so there is a Virtual Router Identifier (VRID) that is used to distinguish them. The default VRID used by the FB2700 is 42. You must set all devices that are part of the same group (virtual router) to the same VRID, and this VRID must differ from that used by any other virtual routers on the same LAN.
  • Page 94: Advertisement Interval

    15.2.1. Advertisement Interval
    A master indicates that it is still 'alive' by periodically sending an advertisement multicast packet to the group members. A failure to receive a multicast packet from the master router for a period longer than three times the advertisement interval timer causes the backup routers to assume that the master router is down.
  • Page 95: Compatibility

    Note that the FB2700 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not behave the same way, and so may not work identically if they take over from the FireBrick.
  • Page 96: Voip

    16.2.2. Proxy To make an outgoing call via a SIP carrier you have to send the call details to a proxy. In the case of the FB2700 acting as the carrier, the same address is used for registrar and proxy.
  • Page 97: Home/Office Phone System

    The FB2700 provides some key ways to tackle the issues of NAT.
    • An FB2500/FB2700 can be used as a gateway device in a home or office - using PPPoE to connect to the Internet. This means the FireBrick has a real external IP address without NAT. The FireBrick can then connect to SIP handsets on the LAN using private IP addresses.
  • Page 98: Number Plan

    IPv4 and IPv6 devices to interwork with no problems.
    • The FireBrick, when acting as a call server outside of any NAT connected telephones, can handle cases where devices are behind a simple port mapping NAT which has a timeout of at least 60 seconds. It recognises REGISTER and INVITE requests that appear to be behind NAT and will treat the requester IP/port as the contact rather than the stated contact in the message.
  • Page 99: Voip Call Carriers

    You also need to specify the username and password. For a carrier that sends calls to the FB2700 without registration, you will need to set the 'to' attribute to either the full address used in the To: header of the incoming connections, or at least the @domain part. If calls can come in to multiple numbers, you also need to set the incoming-format so that calls can be routed.
  • Page 100: Ring Type

    It is possible to set a wrap up time on a phone (a per telephone setting), which stops group calls ringing the phone for a period of time after the call ends. This is to allow notes to be made, etc, after the call. 16.8.1.
  • Page 101: Busy Lamp Field

    You can restrict which phones are allowed to pick up or steal a call in the telephone and hunt group configuration. Using the same code you can also steal an active call from a telephone. This hangs up the telephone and moves the call to the phone that dialled the code.
  • Page 102: Radius Authentication

    To understand how call routing works you need to understand how call legs work. A call leg is a connection to or from the FB2700 to another SIP device. It could be a SIP carrier or a telephone. Typically there is an incoming call leg from a carrier or a phone, which needs to be authenticated, and then a call routing decision is made.
  • Page 103: Call Recording

    16.12. Call recording The FB2700 supports call recording by teeing off the two way audio from a call leg and sending to a SIP endpoint. The SIP endpoint will then record the call and handle it in any way you wish.
  • Page 104: Voicemail And Ivr Services

    16.13. Voicemail and IVR services
    Voicemail is still in development. The FB2700 will simply pass the call to a voicemail server via SIP. This could be a local device on the network, or a service provided by a carrier. We will include a software package to run on a Linux box that will save the recording.
  • Page 105: Technical Details

    • The FireBrick always acts as an audio media endpoint, i.e. it is always in the media path. This minimises call routing and firewalling issues. The FireBrick uses the same IP for media and control messages on each call.
  • Page 106

    Accessing a URL on the FireBrick of /voip/ring.wav serves a WAV format of the tone. You can test tones using a URL like /voip/tone.wav?100ms@1000Hz+200ms@2000Hz but ensure you URL escape the query string.
  • Page 107: Bgp

    Chapter 17. BGP 17.1. What is BGP? Note This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes. 17.2. Using BGP in an office network? Note This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
  • Page 108: L2Tp

    FB2700 and other manufacturers equipment. 18.1. What is L2TP? Note This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes. 18.2. Incoming L2TP connections Note This section of the manual is still in development. Please see www.firebrick.co.uk for technical notes.
  • Page 109: Ipsec

    Chapter 19. IPsec IPsec (IP Security) is a means to authenticate and encrypt traffic sent over the Internet. 19.1. What is IPsec? There are two main aspects to IP Security: authentication and encryption. 19.1.1. Authentication The purpose of authentication is to ensure that the packets of data are genuinely from the sender you think they are.
  • Page 110: Setting Up A Tunnel

    -1. These are configured as local-spi for incoming traffic and remote-spi for outgoing traffic. The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The incoming SPI must match the outgoing SPI of the far end of the link, and vice-versa.
  • Page 111: Routing

    You must configure routing to specify which traffic the FireBrick should send out through the tunnel. The routing configuration uses the same style as used elsewhere in FireBrick configuration. A simple set of IPs and/or IP ranges can be specified in the routes attribute, or for more complex routing a number of separate route elements can be added to the tunnel config.
  • Page 112: Remote Connection - Ipsec And L2Tp

    Another common configuration is remote computer connections, such as a PC or mobile phone making a VPN (Virtual Private Network) connection to a FireBrick. This is similar to a tunnel, but one end is a single device not a whole network.
  • Page 113: Command Line Interface

    The CLI is accessed via the 'telnet' protocol - the FB2700 implements a telnet server, which you can connect to using any common telnet client program. To learn how to enable the telnet server, and to set-up access restrictions, please refer to Section 13.3.
  • Page 114: Factory Reset Procedure

    IP addresses described in Chapter 2. This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason, or any other situation where it is appropriate to start from scratch.
  • Page 115

    This process will start the FireBrick in a factory reset mode temporarily - the configuration stored in flash memory has not yet been altered or deleted at this stage. If you do not save a new configuration at this stage, then the FB2700 will revert to the existing saved configuration when next powered up or restarted.
  • Page 116: Cidr And Cidr Notation

    Appendix B. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
  • Page 117

    Another common use of the CIDR notation is to combine the definition of a network with the specification of the IP address of an end system on that network - this form is used in subnet definitions on the FB2700, and in many popular operating systems.
  • Page 118: Mac Addresses Usage

    In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
  • Page 119: C.1. Dhcp Client Names Used

    DHCP allocation in a list, rather than trying to locate it by MAC address. If the FB2700 is in a factory-reset state, then the system name will not be set, and you will have to locate it...
  • Page 120: Vlans : A Primer

    Linux. The FB2700 supports IEEE 802.1Q VLANs, and will accept (and send) packets with 802.1Q VLAN tags. It can therefore work with any Ethernet switch (or other) equipment that also supports 802.1Q VLANs, and therefore allows multiple logical interfaces to be implemented on a single physical port.
  • Page 121: Supported L2Tp Attribute/Value Pairs

    Framing Capabilities (3): incoming Ignored; outgoing Value 3
    Bearer Capabilities (4): incoming Ignored; outgoing Not sent
    Tie Breaker (5): incoming Ignored as FireBrick only accepts connections for inbound calls; outgoing Not sent
    Firmware Revision (6): incoming Ignored; outgoing FireBrick s/w version string
    Host Name (7): incoming Used to select which incoming L2TP configuration applies; outgoing As per config/RADIUS request
  • Page 122: Start-Control-Connection-Connected

    Challenge (11): incoming Accepted if a configured secret is defined, a response is sent in the SCCCN; outgoing Not sent at present
    Challenge Response (13): incoming Not expected at present; outgoing Sent if SCCRQ contained a challenge and we have a secret defined
    E.3.
  • Page 123: Incoming-Call-Reply

    Calling Number (22): incoming Accepted, used in RADIUS and passed on if relaying; outgoing Passed on incoming value
    Sub-Address (23): incoming Ignored; outgoing Not sent
    Physical Channel ID (25): incoming Ignored; outgoing Not sent
    E.7. Incoming-Call-Reply
    Table E.7. ICRP (No. / Incoming / Outgoing)
    Message Type (0): incoming Value 11; outgoing Value 11...
  • Page 124: Outgoing-Call-Reply

    Message Type (0): incoming Value 7; outgoing Value 7
    Not supported, ignored.
    E.10. Outgoing-Call-Reply
    Table E.10. OCRP (No. / Incoming / Outgoing)
    Message Type (0): incoming Value 8; outgoing Value 8
    Not supported, ignored.
    E.11. Outgoing-Call-Connected
    Table E.11. OCCN (No. / Incoming / Outgoing)
    Message Type (0): incoming Value 9; outgoing Value 9...
  • Page 125: Notes

    IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping...
  • Page 126: Supported Radius Attribute/Value Pairs For L2Tp Operation

    31: Calling number as received on L2TP
    Acct-Session-Id (44): Unique ID for session as used on all following accounting records
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 127: Authentication Response

    Note that the Calling-Station-Id is included even if not present in L2TP connection if a cache platform RADIUS request matched the L2TP connection and had a Calling-Station-Id.
    F.2. Authentication response
    F.2.1. Accepted authentication
    Table F.2.
  • Page 128: Prefix Delegation

    The client can send a Router Solicitation to which the FireBrick will reply advising it to use DHCPv6 for addressing. Once a Router Solicitation is sent, periodic Router Advertisements will then be sent on the connection by the FireBrick.
  • Page 129: Accounting Interim

    Acct-Event-Timestamp (55): Session start time (unix timestamp)
    Acct-Session-Id (44): Unique ID for session
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6
    NAS-Port (5): L2TP session ID...
  • Page 130: Accounting Stop

    Chargeable-User-Identity (89): Graph name that applies, sanitised to comply with CQM graph name rules.
    Connect-Info (77): Text Tx speed/Rx speed in use
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 131: Disconnect

    F.6. Disconnect
    A disconnect message is accepted as per RFC5176; if the session can be disconnected, an ACK is sent, else a NAK.
    Table F.7. Disconnect (No. / Usage)
    Acct-Session-Id (44): Unique ID for session
    Chargeable-User-Identity (89): This is used as CQM graph name.
  • Page 132: Filter Id

    X: Pad packets to 74 bytes if length field appears to be less - needed to work around bug in BT 20CN BRAS for IPv6 in IP over LCP mode
    C: Send all IPv4 and IPv6 using the LCP type code (only works if FireBrick doing PPP at far end)
    O: Mark session as low-priority (see shaper and damping)
  • Page 133: Notes

    Depending on configuration, LCP echos are faked both ways from the FireBrick, and LCP echos are generated by the FireBrick and responses checked. This allows the CQM graphs to be created. The graph is only created for the outgoing part of the connection. If not configured to fake LCP echos, then these are passed through as normal and no graph is created.
  • Page 134: Ip Over Lcp

    IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping or DPI.
  • Page 135: Supported Radius Attribute/Value Pairs For Voip Operation

    Message-Authenticator (80): Message signature as per RFC2869
    Calling-Station-Id (31): Calling number derived from headers
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): Requestor IPv4 address if using IPv4
    NAS-IPv6-Address (95): Requestor IPv6 address if using IPv6
    NAS-Port (5): Requestor UDP port...
  • Page 136: Authentication Response

    Session-Timeout (27): Time from Expires header
    Acct-Terminate-Cause (49): Only sent for a redirect call routing, the redirect code, e.g. 301/302
    G.2. Authentication response
    G.2.1. Challenge authentication
    Table G.2. Access-Challenge (No. / Usage)
    Digest-Realm (104): Digest Realm
    Digest-Nonce...
  • Page 137: Accounting Start

    50: SIP Call ID for call leg
    Acct-Event-Timestamp (55): Time call started trying
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): Far end IPv4 address for SIP if using IPv4
    NAS-IPv6-Address (95): Far end IPv6 address for SIP if using IPv6...
  • Page 138: Accounting Stop

    Acct-Event-Timestamp (55): Time call ended
    Chargeable-User-Identity (89): CUI for this call
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): Far end IPv4 address for SIP if using IPv4
    NAS-IPv6-Address (95): Far end IPv6 address for SIP if using IPv6
    NAS-Port (5): Far end UDP port for SIP
    G.6.
  • Page 139: Command Line Reference

    Shows how long since the FB2700 restarted.
    H.1.4. General status
    show status
    Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages.
    H.1.5. Memory usage
    show memory
    Shows memory usage summary.
  • Page 140: Logout

    H.1.8. Logout
    logout
    quit
    exit
    You can also use Ctrl-D to exit, or close the connection (if using telnet).
    H.1.9. See XML configuration
    show run
    show configuration
    Dumps the full XML configuration to the screen.
    H.1.10. Load XML configuration
    import configuration
    You then send the XML configuration, ending with a blank line.
  • Page 141: Ping And Trace

    There are a number of controls allowing you to fine tune what is sent. Obviously you should only send from a source address that will return to the FB2700 correctly. You can also ask for the results to be presented in an XML format.
  • Page 142: Lock Dhcp Allocations

    H.2.8. Lock DHCP allocations
    lock dhcp ip=<IP4Addr> [table=<routetable>]
    Locks a DHCP allocation. This stops the allocation being used for any other MAC address even if long expired.
    H.2.9. Unlock DHCP allocations
    unlock dhcp ip=<IP4Addr> [table=<routetable>]
    Unlocks a DHCP allocation, allowing the address to be re-used if it has expired.
    H.2.10.
  • Page 143: L2Tp Commands

    [<string>] [confirm=<string>]
    This causes the FB2700 to crash, causing a panic event with a specified message. You need to specify confirm=yes for the command to work. This can be useful to test fallback scenarios by simulating a fatal error.
  • Page 144: Reboot

    FireBrick support team.
    H.10.5. Show command sessions
    show command sessions
    The FB2700 can have multiple telnet connections at the same time. This lists all of the current connections.
    H.10.6. Kill command session
    kill command session <IPAddr>...
  • Page 145: Boot Log

    Delete a block from flash memory. This cannot be undone. You have to specify the correct type of block, and specify confirm=yes for the command to work.
    H.10.9. Boot log
    show boot log [<unsignedInt>]
    Show log of recent boots. You can specify the number of bytes of recent log to show.
    H.10.10.
  • Page 146: Configuration Objects

    Appendix I. Configuration Objects
    This appendix defines the object definitions used in the FireBrick Test configuration. Copyright © 2008-13 FireBrick Ltd.
    I.1. Top level
    I.1.1. config: Top level config
    The top level config element contains all of the FireBrick configuration data.
  • Page 147: Objects

    IPv6 NAT6/4 mapping prefix
    nat64-source (IP4Addr): IPv6 NAT6/4 return IPv4
    soft-watchdog (boolean, default false): Debug - use only if advised; do not use on an unattended FireBrick
    source (string): Source of data, used in automated config management
    sw-update (autoloadtype, default factory): Load new software automatically...
  • Page 148: Link: Web Links

    link (link, Optional, unlimited): Home page links
    I.2.2. link: Web links
    Links to other web pages
    Table I.5. link: Attributes (Attribute / Type / Default / Description)
    comment (string): Comment
    name (string): Link name
    profile (string): Profile name
    source (string): Source of data, used in automated config management
    text (string)...
  • Page 149: Log-Syslog: Syslog Logger Settings

    colour (Colour): Colour used in web display
    comment (string): Comment
    console (boolean): Log immediately to console
    flash (boolean): Log immediately to slow flash memory (use with care)
    jtag (boolean): Log immediately to jtag (development use only)
    name (string, Not optional): Log target name
    profile (string)...
  • Page 150: Services: System Services

    from (string, default One made up using serial number): Source email address
    hold-off (duration, default 1:00:00): Delay before sending, since last email
    (string, default Not logging): Log emailing process
    log-debug (string, default Not logging): Log emailing debug
    log-error (string, default Not logging): Log emailing errors
    port (unsignedShort): Server port...
  • Page 151: Ntp-Service: Ntp Service Settings

    (default Not logging): Log debug
    log-error (string, default Log as event): Log errors
    ntpserver (List of IPNameAddr, default ntp.firebrick.ltd.uk): List of time servers (IP or hostname) from which time may be set by ntp
    poll (duration, default 1:00:00): NTP poll rate
    profile (string)...
  • Page 152: Telnet-Service: Telnet Service Settings

    tz21-month (month): Timezone 2 to 1 month
    tz21-time (time, default 02:00:00): Timezone 2 to 1 local time of change
    I.2.10. telnet-service: Telnet service settings
    Telnet control interface
    Table I.14. telnet-service: Attributes (Attribute / Type / Default / Description)
    allow (List of IPNameRange, default Allow from anywhere): List of IP ranges from which service can be...
  • Page 153: Dns-Service: Dns Service Settings

    table (unsignedByte 0-99 routetable): Routing table number
    trusted (List of IPNameRange): List of allowed IP ranges from which additional access to certain functions is available
    I.2.12. dns-service: DNS service settings
    DNS forwarding resolver service
    Table I.16. dns-service: Attributes (Attribute / Type / Default / Description)...
  • Page 154: Dns-Block: Fixed Local Dns Blocks

    profile (string): Profile name
    restrict (List of IPNameRange): List of IP ranges to which this is served
    reverse (boolean): Map reverse DNS as well
    source (string): Source of data, used in automated config management
    (unsignedInt): Time to live
    I.2.14. dns-block: Fixed local DNS blocks
    DNS forwarding resolver service
    Table I.19.
  • Page 155: Radius-Service-Match: Matching Rules For Radius Service

    nsn-tunnel-override-username (unsignedByte): Additional response for GGSN usage
    nsn-tunnel-user-auth-method (unsignedInt): Additional response for GGSN usage
    order (radiuspriority): Priority tagging of endpoints sent
    profile (string): Profile name
    relay-ip (List of IPAddr): Address to copy RADIUS request
    relay-port (unsignedShort, default 1812): Authentication port...
  • Page 156: Radius-Server: Radius Server Settings

    calling-station-id (List of string): One or more patterns to match calling-station-id
    class (string): Class field to send
    comment (string): Comment
    context-name (string): Juniper Context-Name (SIN502)
    dummy-ip (boolean, default true): Send dummy framed IP response
    (List of IPNameRange): Match target IP address of RADIUS request
    name...
  • Page 157: Ethernet: Physical Port Controls

    host (List of IPNameAddr, Not optional): One or more hostname/IPs of RADIUS servers
    max-timeout (duration): Maximum final timeout
    min-timeout (duration): Minimum final timeout
    name (string): Name
    port (unsignedShort, default From services/radius settings): UDP port
    profile (string): Profile name
    queue (unsignedInt): Concurrent requests over all of these servers (per type)
  • Page 158: Interface: Port-Group/Vlan Interface Settings

    comment (string): Comment
    name (string, Not optional): Name
    ports (Set of port, Not optional): Physical port(s)
    profile (string): Profile name
    source (string): Source of data, used in automated config management
    I.2.20. interface: Port-group/VLAN interface settings
    The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
  • Page 159: Subnet: Subnet Settings

    Optional, unlimited: IP subnet on the interface
    vrrp (vrrp, Optional, unlimited): VRRP settings
    I.2.21. subnet: Subnet settings
    Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
    Table I.28. subnet: Attributes (Attribute / Type / Default)...
  • Page 160: Vrrp: Vrrp Settings

    TTL for originating traffic via subnet
    I.2.22. vrrp: VRRP settings
    VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable VRRP but forces VRRP low priority. Use a different VRID on different VLANs.
    Table I.29. vrrp: Attributes...
  • Page 161: Dhcp-Attr-Hex: Dhcp Server Attributes (Hex)

    (List of IP4Addr, default Our IP): DNS resolvers
    domain (string, default From system settings): DNS domain
    force (boolean): Send all options even if not requested
    gateway (List of IP4Addr, default Our IP): Gateway
    (List of IP4Range, default 0.0.0.0/0): Address pool
    lease (duration, default 2:00:00): Lease length
    (string)...
  • Page 162: Dhcp-Attr-Number: Dhcp Server Attributes (Numeric)

    (unsignedByte, Not optional): Attribute type code
    name (string): Name
    value (string, Not optional): Value
    I.2.26. dhcp-attr-number: DHCP server attributes (numeric)
    Additional DHCP server attributes (numeric)
    Table I.34. dhcp-attr-number: Attributes (Attribute / Type / Default / Description)
    comment (string): Comment
    force (boolean): Send even if not requested
    (unsignedByte, Not optional)...
  • Page 163: Ppp-Route: Ppp Routes

    lcp-rate (unsignedByte): LCP interval (seconds)
    lcp-timeout (unsignedByte): LCP timeout (seconds)
    local (IP4Addr): Local IPv4 address
    localpref (unsignedInt, default 4294967295): Localpref for route (highest wins)
    (string, default Not logging): Log events
    log-debug (string, default Not logging): Log debug
    log-error (string, default Not logging): Log as events
    mode (pppoe-mode)...
  • Page 164: Ggsn: Gtp Ggsn Settings

    localpref (unsignedInt, default 4294967295): Localpref of network (highest wins)
    name (string): Name
    ospf (boolean, default true): OSPF announce mode for route
    profile (string): Profile name
    source (string): Source of data, used in automated config management
    I.2.30. ggsn: GTP GGSN settings
    GTP GGSN settings
    Table I.39.
  • Page 165: Dongle: 3G/Dongle Settings

    Table I.41. usb: Elements (Element / Type / Instances / Description)
    dongle (dongle, Optional, up to 10): USB 3G/dongle settings
    I.2.32. dongle: 3G/dongle settings
    3G/dongle config settings
    Table I.42. dongle: Attributes (Attribute / Type / Default / Description)
    accept-dns (boolean, default true): Accept DNS servers specified by far end
    (string, default From SIM): Mobile access point name...
  • Page 166: Route: Static Routes

    source (string): Source of data, used in automated config management
    speed (unsignedInt): Default egress rate limit (b/s)
    table (unsignedByte 0-99 routetable, default From interface): Routing table number for payload
    tcp-mss-fix (boolean, default true): Adjust MSS option in TCP SYN to fix session MSS
    username (string)...
  • Page 167: Blackhole: Dead End Networks

    (bgpmode, default true): BGP announce mode for routes
    comment (string): Comment
    (List of IPPrefix, Not optional): One or more network prefixes
    localpref (unsignedInt, default 4294967295): Localpref of network (highest wins)
    name (string): Name
    ospf (boolean, default true): OSPF announce mode for route
    profile (string): Profile name...
  • Page 168: Ospf: Overall Ospf Settings

    table (unsignedByte 0-99 routetable): Routing table number
    I.2.37. ospf: Overall OSPF settings
    The OSPF element defines general OSPF settings. Where interfaces/table are specified, the first matching OSPF config is applied. Not an area border gateway or virtual link gateway.
    Table I.48. ospf: Attributes (Attribute / Type / Default)...
  • Page 169: Bgppeer: Bgp Peer Definitions

    name (string): Name
    source (string): Source of data, used in automated config management
    table (unsignedByte 0-99 routetable): Routing table number
    Table I.50. bgp: Elements (Element / Type / Instances / Description)
    peer (bgppeer, Optional, up to 500): List of peers/neighbours
    I.2.39. bgppeer: BGP peer definitions
    The peer definition specifies the attributes of an individual peer.
  • Page 170: Bgpmap: Mapping And Filtering Rules Of Bgp Prefixes

    (Secret): MD5 signing secret
    name (string): Name
    next-hop-self (boolean, default false): Force us as next hop outbound
    no-fib (boolean): Don't include received routes in packet forwarding
    (unsignedByte): Pad (prefix stuff) our AS by this many
    profile (string): Profile name
    same-ip-type (boolean, default true)...
  • Page 171: Bgprule: Individual Mapping/Filtering Rule

    prefix (List of IPFilter): Drop all that are not in this prefix list
    source (string): Source of data, used in automated config management
    (List of Community, default -): List of community tags to add
    Table I.54. bgpmap: Elements (Element / Type / Instances / Description)...
  • Page 172

    fail-score1 (unsignedByte): Score for on/above level 1
    fail-score2 (unsignedByte): Score for on/above level 2
    fail-usage (unsignedInt, default 128000): Usage below which fail is not expected
    fblogo (Colour, default #bd1220): Colour for logo
    graticule (Colour, default grey): Graticule colour
    heading (string): Heading of graph
    hourformat (string): Hour format...
  • Page 173: L2Tp: L2Tp Settings

    (Colour, default #f8c): Colour for off line seconds
    right (unsignedByte): Pixels space right of main graph
    (Colour, default #800): Colour for Rx traffic level
    secret (Secret): Secret for MD5 coded URLs
    sent (Colour, default #ff8): Colour for polled seconds
    share-interface (string): Interface on which to broadcast data for shaper sharing
    share-secret...
  • Page 174

    comment (string): Comment
    cug (unsignedShort 1-32767): Closed user group ID
    cug-restrict (boolean): Closed user group restricted traffic (only to/from same CUG ID)
    fail-lockout (unsignedByte): Interval kept in failed state
    graph (string): Graph name
    hdlc (boolean, default true): Send HDLC header (FF03) on all PPP frames
    hello-interval (unsignedByte)...
  • Page 175: L2Tp-Incoming: L2Tp Settings For Incoming L2Tp Connections

    username (string): User name for login
    Table I.60. l2tp-outgoing: Elements (Element / Type / Instances / Description)
    route (ppp-route, Optional, unlimited): Routes to apply when link is up
    I.2.45. l2tp-incoming: L2TP settings for incoming L2TP connections
    L2TP tunnel settings for incoming L2TP connections
    Table I.61.
  • Page 176: L2Tp-Relay: Relay And Local Authentication Rules For L2Tp

    pppdns1 (IP4Addr): PPP DNS1 IPv4 default
    pppdns2 (IP4Addr): PPP DNS2 IPv4 default
    pppip (IP4Addr): Local end PPP IPv4
    profile (string): Profile name
    radius (string): Name for RADIUS server config to use
    relay-nas-ip (boolean, default true): Pass remote L2TP endpoint as NAS IP
    require-platform (boolean, default false)...
  • Page 177: Fb105: Fb105 Tunnel Definition

    name (string): Name
    password (Secret): Password check
    profile (string): Profile name
    relay-hostname (string): Hostname for L2TP connection
    relay-ip (List of IPAddr): Target IP(s) for L2TP connection
    relay-pick (boolean): If set, try one of the relay IPs at random first
    relay-secret (Secret): Shared secret for L2TP connection...
  • Page 178: Fb105-Route: Fb105 Routes

    profile (string): Profile name
    remote-id (unsignedByte, Not optional): Unique remote end tunnel ID
    reorder (boolean, default false): Reorder incoming tunnel packets
    reorder-maxq (unsignedInt 1-100 fb105-reorder-maxq): Max queue length for out of order packets
    reorder-timeout (unsignedInt 10-5000 fb105-reorder-timeout): Max time to delay out of order packet (ms)...
  • Page 179: I.67. Ipsec: Attributes

    Manual key for encryption
    graph (string graphname, default -): Graph name
    internal-ipv4 (IP4Addr, default local-ip): Internal IPv4 for traffic originated on the FireBrick and sent down tunnel
    internal-ipv6 (IP6Addr, default local-ip): Internal IPv6 for traffic originated on the FireBrick and sent down tunnel
    local-ip (IPAddr)...
  • Page 180: Ipsec-Route: Ipsec Tunnel Routes

    tcp-mss-fix (boolean, default true): Adjust MSS option in TCP SYN to fix session MSS
    type (ipsec-type): Encapsulation type
    Table I.68. ipsec: Elements (Element / Type / Instances / Description)
    route (ipsec-route, Optional, unlimited): Routes to apply to tunnel when up
    I.2.50. ipsec-route: IPsec tunnel routes
    Routes for prefixes that are sent to the IPsec tunnel when up
    Table I.69.
  • Page 181: I.71. Profile: Attributes

    Table I.71. profile: Attributes (Attribute / Type / Default / Description)
    (List of string): Active if all specified profiles are active as well as all other tests passing, including 'not'
    comment (string): Comment
    dongle (List of string): Dongle state (any of these are up)
    fb105 (List of string): FB105 tunnel state (any of these active)
  • Page 182: Profile-Date: Test Passes If Within Any Of The Time Ranges Specified

    I.2.53. profile-date: Test passes if within any of the time ranges specified
    Time range test in profiles
    Table I.73. profile-date: Attributes (Attribute / Type / Default / Description)
    comment (string): Comment
    start (dateTime): Start (YYYY-MM-DDTHH:MM:SS)
    stop (dateTime): End (YYYY-MM-DDTHH:MM:SS)
    I.2.54. profile-time: Test passes if within any of the date/time ranges specified
    Time range test in profiles
    Table I.74.
  • Page 183: Shaper-Override: Traffic Shaper Override Based On Profile

    (unsignedInt): Rx rate limit/target (b/s)
    rx-max (unsignedInt): Rx rate limit max
    rx-min (unsignedInt): Rx rate limit min
    rx-min-burst (duration): Rx minimum allowed burst time
    rx-step (unsignedInt): Rx rate reduction per hour
    share (boolean): If shaper is shared with other devices
    source (string): Source of data, used in automated config...
  • Page 184: Route-Override: Routing Override Rules

    Table I.79. ip-group: Attributes (Attribute / Type / Default / Description)
    comment (string): Comment
    (List of IPRange): One or more IP ranges or IP/len
    name (string, Not optional): Name
    source (string): Source of data, used in automated config management
    users (List of string): Include IP of (time limited) logged in web users
    I.2.59.
  • Page 185: Session-Route-Share: Route Override Load Sharing

    Configuration Objects (continued from previous page): source (string): Source of data, used in automated config management; source-interface (List of string): Source interface(s); source-ip (List of IPNameRange): Source IP address range(s); source-port (List of PortRange): Source port(s); target-interface (List of string): Target interface(s); target-ip (List of IPNameRange): Target IP address range(s); target-port (List of PortRange)...
  • Page 186: Session-Rule: Firewall Rules

    Configuration Objects (continued from previous page): name (string): Name; no-match-action (firewall-action; Not optional): Default if no rule matches; profile (string): Profile name; protocol (List of unsignedByte): Protocol(s) [1=ICMP, 6=TCP, 17=UDP]; source (string): Source of data, used in automated config management; source-interface (List of string): Source interface(s); source-ip (List...
  • Page 187: Session-Share: Firewall Load Sharing

    Configuration Objects (continued from previous page): set-gateway (IPAddr): New gateway; set-graph (string): Graph name for shaping/logging; set-initial-timeout (duration): Initial time-out; set-nat (boolean): Changed source IP and port to local for; set-ongoing-timeout (duration): Ongoing time-out; set-reverse-graph (string): Graph name for shaping/logging (far side of session); set-source-ip (IPAddr): New source IP...
  • Page 188: voip: Voice over IP config

    (continued from previous page) ... Send RADIUS auth to get challenge response; radius-register (string): Name for RADIUS server config to use for registrations; realm (string, default FireBrick): Default realm; record-mandatory (boolean): Drop call if recording fails; record-server (string): Call recording server hostname or address; release...
  • Page 189: carrier: VoIP carrier details

    Configuration Objects (continued from previous page): source (string): Source of data, used in automated config management; withhold (string): CLI withhold prefix. Table I.91. voip: Elements (Element / Type / Instances / Description): carrier (carrier; Optional, up to 200): VoIP carriers; group (ringgroup; Optional, up to 20): Ring groups; telephone (telephone; Optional, up to 200): VoIP users...
  • Page 190: telephone: VoIP telephone authentication user details

    Configuration Objects (continued from previous page): (string): To SIP request address for inbound invites, may be @domain for any at a domain; trust-cli (boolean, default true): Trust inbound calling line identity; username (string): Carrier username for outbound registration or inbound authenticated calls; withhold (string): Mark withheld outbound calls using this dial prefix and send CLI in remote party id. I.2.67.
  • Page 191: Tone: Tone Definitions

    Configuration Objects (continued from previous page): uk-cli-text (uknumberformat, default Auto): Send display name as UK formatted number; username (string): Authentication username; wrap-up (duration): Wrap up time before new call. I.2.68. tone: Tone definitions. Definition of tones used. Table I.94. tone: Attributes (Attribute / Type / Default / Description): name (string; Not optional)...
  • Page 192: Etun: Ether Tunnel (Experimental)

    Configuration Objects (continued from previous page): source (string): Source of data, used in automated config management; type (ring-group-type): Type of ring when one call in queue. I.2.70. etun: Ether tunnel (experimental). Ether tunnel (experimental). Table I.96. etun: Attributes (Attribute / Type / Default / Description): eth-port (string; Not optional): Port group name; (IPAddr)...
  • Page 193: Syslog-Severity: Syslog Severity

    Configuration Objects. Table I.99. user-level: User login level (Value / Description): NOBODY: Unknown or not logged in user; GUEST: Guest user; USER: Normal unprivileged user; ADMIN: System administrator; DEBUG: System debugger. I.3.4. syslog-severity: Syslog severity. Log severity: different loggable events log at different levels. Table I.100.
  • Page 194: Month: Month Name (3 Letter)

    Configuration Objects (continued from previous page): Unused; Unused; Unused; Unused; LOCAL0: Local 0; LOCAL1: Local 1; LOCAL2: Local 2; LOCAL3: Local 3; LOCAL4: Local 4; LOCAL5: Local 5; LOCAL6: Local 6; LOCAL7: Local 7. I.3.6. month: Month name (3 letter). Table I.102. month: Month name (3 letter) (Value / Description): January...
  • Page 195: radiuspriority: Options for controlling platform RADIUS response priority tagging

    Configuration Objects. I.3.8. radiuspriority: Options for controlling platform RADIUS response priority tagging. Table I.104. radiuspriority: Options for controlling platform RADIUS response priority tagging (Value / Description): equal: All the same priority; strict: In order specified; random: Random order; calling: Hashed on calling station id; called: Hashed on called station id; username...
  • Page 196: LinkSpeed: Physical port speed

    Configuration Objects. I.3.12. LinkSpeed: Physical port speed. Table I.108. LinkSpeed: Physical port speed (Value / Description): 10Mbit/sec; 100M: 100Mbit/sec; 1Gbit/sec; auto: Speed determined by autonegotiation. I.3.13. LinkDuplex: Physical port duplex setting. Table I.109. LinkDuplex: Physical port duplex setting (Value / Description): half: Half-duplex; full: Full-duplex...
  • Page 197: LinkPower: PHY power saving options

    Configuration Objects (continued from previous page): Link1000/Activity: On when link up at 1G; blink when Tx or Rx activity. Link100/Activity: On when link up at 100M; blink when Tx or Rx activity. Link10/Activity: On when link up at 10M; blink when Tx or Rx activity. Link100-1000/: On when link up at 100M or 1G;...
  • Page 198: ramode: IPv6 route announce level

    Configuration Objects. I.3.19. ramode: IPv6 route announce level. IPv6 route announcement mode and level. Table I.115. ramode: IPv6 route announce level (Value / Description): false: Do not announce; Announce as low priority; medium: Announce as medium priority; high: Announce as high priority; true: Announce as default (medium) priority. I.3.20.
  • Page 199: ggsn-calling: Calling number options for GGSN

    Configuration Objects (continued from previous page): client: Normal PPPoE client connects to access controller; bras-l2tp: PPPoE server mode linked to L2TP operation. I.3.24. ggsn-calling: Calling number options for GGSN. Table I.120. ggsn-calling: Calling number options for GGSN (Value / Description): imsi: IMSI; msisdn: MSISDN (or IMSI); imei: IMEI (or IMSI or MSISDN). I.3.25.
  • Page 200: ipsec-type: IPsec encapsulation type

    Configuration Objects. Table I.124. peertype: BGP peer type (Value / Description): normal: Normal BGP operation; transit: EBGP, mark received as no-export; peer: EBGP, mark received as no-export, only accept peer AS; customer: EBGP, allow export as if confederate, only accept peer AS; internal: IBGP allowing own AS; reflector...
  • Page 201: Firewall-Action: Firewall Action

    Configuration Objects (continued from previous page): null: No encryption (RFC 2410); 3DES-CBC: 3DES-CBC (RFC 2451); blowfish: Blowfish CBC (RFC 2451); AES-CBC: AES-CBC (Rijndael) (RFC 3602). I.3.33. firewall-action: Firewall action. Table I.129. firewall-action: Firewall action (Value / Description): continue: Continue rule-set checking; accept: Allow but no more rule-set checking; reject: End all rule checking now and set to send ICMP reject; drop...
  • Page 202: Ring-Group-Order: Order Of Ring

    Configuration Objects. I.3.37. ring-group-order: Order of ring. Table I.133. ring-group-order: Order of ring (Value / Description): strict: Order in config; random: Random order; cyclic: Cycling from last call; oldest: Oldest used phone first. I.3.38. ring-group-type: Type of ring when one call in queue. Table I.134.
  • Page 203

    Configuration Objects (continued from previous page): IP4Range: IPv4 address / bitlen or range; IP4Prefix: IPv4 address / bitlen; IP6Prefix: IPv6 address / bitlen; IPSubnet: IP address / bitlen; IPFilter: Route filter; Password: Password; Community: xxx:xxx community; PortRange: xxx-xxx port range; Colour: #rgb #rrggbb #rgba #rrggbbaa colour; Secret: Secret/passphrase; duration...
  • Page 204

    Configuration Objects (continued from previous page): portlist: List of protocol port ranges (PortRange); protolist: List of IP protocols (unsignedByte); userlist: List of user names (username); prefix4list: List of IPv4 Prefixes (IP4Prefix); routetableset: Set of routetables (routetable); vlan-nz: VLAN ID (1-4095) (unsignedShort); dates: Set of dates (datenum); tun-id: Local tunnel ID (1-20000) (unsignedShort); ses-id...
  • Page 205: Index

    Index (two index columns merged): Attributes: value syntax overview, 89; Boot process, 27; Breadcrumbs, 13; Configuration: backing up and restoring, 16... Graphs, 57; Hostname: setting, 23; HTTP service: IP address groups, 20; configuration, 67; Interfaces: defining, 35; Ethernet, 33; logical to physical associations, 33; relationship with physical ports, 33; IP Address Groups, 20; IPsec...
  • Page 206

    Index (continued, two index columns merged): configuring service, 69; Route: definition of, 50; Router: definition of, 41; Routing: route targets, 51; Rule-Sets: defining, 46. overview, 11; Users: creating / configuring, 21; login level, 22; restricting logins by IP address, 22; Virtual Router Redundancy Protocol (VRRP), 75; virtual router, definition of, 75; VRRP versions, 76; VLANs...
