FireBrick FB2500 User Manual

This User Manual documents Software version V1.18.001

Revision History

Table of Contents

Preface
1. Introduction
1.1. The FB2500
1.1.1. Where do I start?
1.1.2. What can it do?
1.1.3. Ethernet port capabilities
1.1.4. Differences between the devices in the FB2x00 series
1.1.5. Software features
1.1.6. Migration from previous FireBrick models
1.2. About this Manual
1.2.1. Version
1.2.2. Intended audience
1.2.3. Document style
1.2.4. Document conventions
1.2.5. Comments and feedback
1.3. Additional Resources
1.3.1. Technical Support
1.3.2. IRC Channel
1.3.3. Application Notes
1.3.4. White Papers
1.3.5. Training Courses
2. Getting Started
2.1. IP addressing
2.2. Accessing the web-based user interface
2.2.1. Add a new user
3. Configuration
3.1. The Object Hierarchy
3.2. The Object Model
3.2.1. Formal definition of the object model
3.2.2. Common attributes
3.3. Configuration Methods
3.4. Web User Interface Overview
3.4.1. User Interface layout
3.4.1.1. Customising the layout
3.4.2. Config pages and the object hierarchy
3.4.2.1. Configuration categories
3.4.2.2. Object settings
3.4.3. Navigating around the User Interface
3.4.4. Backing up / restoring the configuration
3.5. Configuration using XML
3.5.1. Introduction to XML
3.5.2. The root element - <config>
3.5.3. Viewing or editing XML
3.5.4. Example XML configuration
3.6. Downloading/Uploading the configuration
3.6.1. Download
3.6.2. Upload
4. System Administration
4.1. User Management
4.1.1. Login level
4.1.2. Configuration access level
4.1.3. Login idle timeout
4.1.4. Restricting user logins
4.1.4.1. Restrict by IP address
4.1.4.2. Restrict by profile
4.2. General System settings
4.2.1. System name (hostname)
4.2.2. Administrative details
4.2.3. System-level event logging control
4.2.4. Home page web links
4.3. Software Upgrades
4.3.1. Software release types
4.3.1.1. Breakpoint releases
4.3.2. Identifying current software version
4.3.3. Internet-based upgrade process
4.3.3.1. Manually initiating upgrades
4.3.3.2. Controlling automatic software updates
4.3.4. Manual upgrade
4.4. Boot Process
4.4.1. LED indications
4.4.1.1. Power LED status indications
4.4.1.2. Port LEDs
5. Event Logging
5.1. Overview
5.1.1. Log targets
5.1.1.1. Logging to Flash memory
5.1.1.2. Logging to the Console
5.2. Enabling logging
5.3. Logging to external destinations
5.3.1. Syslog
5.3.2. Email
5.3.2.1. E-mail process logging
5.4. Factory reset configuration log targets
5.5. Performance
5.6. Viewing logs
5.6.1. Viewing logs in the User Interface
5.6.2. Viewing logs in the CLI environment
5.7. System-event logging
5.8. Using Profiles
6. Interfaces and Subnets
6.1. Relationship between Interfaces and Physical Ports
6.1.1. Port groups
6.1.2. Interfaces
6.2. Defining port groups
6.3. Defining an interface
6.3.1. Defining subnets
6.3.1.1. Using DHCP to configure a subnet
6.3.2. Setting up DHCP server parameters
6.3.2.1. Fixed/Static DHCP allocations
6.3.2.2. Partial-MAC-address based allocations
6.4. Physical port settings
6.4.1. Disabling auto-negotiation
6.4.2. Setting port speed
6.4.3. Setting duplex mode
6.4.4. Defining port LED functions
7. Session Handling
7.1. Routing vs. Firewalling
7.2. Session Tracking
7.2.1. Session termination
7.3. Session Rules
7.3.1. Overview
7.3.2. Processing flow
7.3.3. Defining Rule-Sets and Rules
7.3.3.1. Recommended method of implementing firewalling
7.3.3.2. Changes to session traffic
7.3.3.3. Graphing and traffic shaping
7.3.3.4. Configuring session time-outs
8. Routing
8.1. Routing logic
8.2. Routing targets
8.2.1. Subnet routes
8.2.2. Routing to an IP address (gateway route)
8.2.3. Special targets
8.3. Dynamic route creation / deletion
8.4. Routing tables
8.5. Route overrides
9. Profiles
9.1. Overview
9.2. Creating/editing profiles
9.2.1. Timing control
9.2.2. Tests
9.2.2.1. General tests
9.2.2.2. Time/date tests
9.2.2.3. Ping tests
9.2.3. Inverting overall test result
9.2.4. Manual override
10. Traffic Shaping
10.1. Graphs and Shapers
10.1.1. Graphs
10.1.2. Shapers
11. PPPoE
11.1. Types of DSL line and router in the United Kingdom
11.2. Definining PPPoE links
11.2.1. IPv6
11.2.2. Additional options
11.2.2.1. MTU and TCP fix
11.2.2.2. Service and ac-name
11.2.2.3. Logging
11.2.2.4. Speed and graphs
12. Tunnels
12.1. FB105 tunnels
12.1.1. Tunnel wrapper packets
12.1.2. Setting up a tunnel
12.1.3. Viewing tunnel status
12.1.4. Dynamic routes
12.1.5. Tunnel bonding
12.1.6. Tunnels and NAT
12.1.6.1. FB2500 doing NAT
12.1.6.2. Another device doing NAT
13. System Services
13.1. HTTP Server configuration
13.1.1. Access control
13.1.1.1. Trusted addresses
13.2. Telnet Server configuration
13.2.1. Access control
13.3. DNS configuration
13.4. NTP configuration
13.5. SNMP configuration
14. Network Diagnostic Tools
14.1. Firewalling check
14.2. Access check
14.3. Packet Dumping
14.3.1. Dump parameters
14.3.2. Security settings required
14.3.3. IP address matching
14.3.4. Packet types
14.3.5. Snaplen specification
14.3.6. Using the web interface
14.3.7. Using an HTTP client
14.3.7.1. Example using curl and tcpdump
15. VRRP
15.1. Virtual Routers
15.2. Configuring VRRP
15.2.1. Advertisement Interval
15.2.2. Priority
15.3. Using a virtual router
15.4. VRRP versions
15.4.1. VRRP version 2
15.4.2. VRRP version 3
15.5. Compatibility
16. Command Line Interface
I. Command Line Reference
check access — Check whether an IP address can access/utilise network services provided by the FB2500
check firewall — Checks firewalling rules behaviour.
clear bgp — ** TBC ? **
clear dhcp — Clears one or all of the stored allocations made by the FB2500's DHCP server.
clear l2tp all — ** TBC ? **
clear l2tp session — ** TBC ? **
clear l2tp tunnel — ** TBC ? **
clear pppoe — ** TBC ? **
delete config — Delete a configuration from the Flash memory
delete data — Delete a data item from the Flash memory
delete image — Delete a software image from the Flash memory
ethernet reset — ** TBC ? **
ethernet stall — ** TBC ? **
exit — Logout and end a command-line session.
kill command session — ** TBC ? **
kill session — Kills an active session in the session-table.
login — Login to a command-line session.
logout — Log-out from a command-line session.
panic — Force a system panic.
ping — Ping an IP address.
quit — Logout and end a command-line session.
reboot — Reboots the FB2500.
set boot block — ** TBC ? **
set command screen width — ** TBC ? **
show arp — Prints the ARP table.
show bgp — ** TBC ? **
show bgp nexthop — ** TBC ? **
show bgp peer — ** TBC ? **
show bgp routes — ** TBC ? **
show bgp summary — ** TBC ? **
show boot log — ** TBC ? **
show command sessions — Print a list of command-line sessions.
show dhcp — Print list of IP address allocations made by the FB2500's DHCP server.
show dns — Displays the DNS resolvers that are currently configured for use.
show ethernet counters — Print values of counters maintained by the Ethernet hardware.
show ethernet status — Print current status of the Ethernet ports
show fb105 — Print information about FB105 tunnels.
show flash contents — Print a list of what is currently stored in the internal Flash memory.
show flash log — Print log text stored in the 'Flash log'.
show l2tp — Print overview of L2TP status.
show l2tp session — ** TBC ? **
show l2tp sessions — ** TBC ? **
show l2tp tunnel — ** TBC ? **
show l2tp tunnels — ** TBC ? **
show log — Prints the stored log text for a specified log target.
show memory — Print information about memory usage by the FB2500 application software.
show pppoe — Print information about PPPoE sessions.
show profiles — Print the current state of all the profiles that are defined.
show radius — **TBC ? **
show route — Print information about a specific route.
show routes — Print the list of route destinations from a routing table.
show sessions — Displays the session table.
show status — Print general FB2500 status information.
show subnet — Print information about a specific locally-attached subnet.
show subnets — Print list of locally-attached subnets.
show uptime — Print up-time since last bootup.
show tasks — Prints the list of software tasks running on the FB2500.
show vrrp — Prints VRRP status information.
start command session — ** TBC ? **
traceroute — Runs a classical traceroute procedure.
troff — Prevents log messages sent to the console from being displayed.
tron — Enables log messages sent to the console to be displayed.
uptime — Print up-time since last bootup.
A. Factory Reset Procedure
B. CIDR and CIDR Notation
C. MAC Addresses usage
D. VLANs : A primer
Index

List of Figures

2.1. Initial web page in factory reset state
2.2. Initial "Users" page
2.3. Setting up a new user
2.4. Configuration being stored
3.1. Main menu
3.2. Icons for layout controls
3.3. Icons for configuration categories
3.4. The "Setup" category
3.5. Editing an "Interface" object
3.6. Show hidden attributes
3.7. Attribute definitions
3.8. Navigation controls
4.1. Setting up a new user
4.2. Software upgrade available notification
4.3. Manual Software upload
7.1. Example sessions created by drop and reject actions
7.2. Processing flow chart for rule-sets and session-rules
C.1. Product label showing MAC address range

List of Tables

2.1. IP addresses for computer
2.2. IP addresses to access the FireBrick
3.1. Special character sequences
4.1. User login levels
4.2. Configuration access levels
4.3. General administrative details attributes
4.4. Attributes controlling auto-upgrades
4.5. Power LED status indications
5.1. Logging attributes
5.2. System-Event Logging attributes
6.1. Physical port usage options
6.2. Port LED functions
6.3. Example modified Port LED functions
7.1. Action attribute values
8.1. Route targets
13.1. List of system services
14.1. Packet dump parameters
14.2. Packet types that can be captured
19. Information provided by show fb105 command
C.1. DHCP client names used