The system settings are the top level attributes of the system which apply globally.
Table I.3. system: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
contact | string | - | Contact name |
dos-delay | unsignedInt | 2 | Interrupt DoS restoration counter, leave at default |
dos-limit | unsignedInt | 1000 | Interrupt DoS packet limit, leave at default |
intro | string | - | Home page text |
location | string | - | Location description |
log | string | Web/console | Log system events |
log-debug | string | Not logging | Log system debug messages |
log-error | string | Web/Flash/console | Log system errors |
log-eth | string | Web/console | Log Ethernet messages |
log-eth-debug | string | Not logging | Log Ethernet debug |
log-eth-error | string | Web/Flash/console | Log Ethernet errors |
log-panic | string | Web logs | Log system panic messages |
log-stats | string | Not logging | Log one second stats |
name | string | - | System hostname |
nat64 | IP6Prefix | - | IPv6 NAT6/4 mapping prefix |
nat64-source | IP4Addr | - | IPv6 NAT6/4 return IPv4 |
soft-watchdog | boolean | false | Debug - use only if advised; do not use on an unattended FireBrick |
source | string | - | Source of data, used in automated config management |
sw-update | autoloadtype | factory | Load new software automatically |
sw-update-profile | string | - | Profile name for when to load new s/w |
Table I.4. system: Elements
Element | Type | Instances | Description |
link | link | Optional, unlimited | Home page links |
User names, passwords and abilities for admin users
Table I.6. user: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses |
comment | string | - | Comment |
config | config-access | full | Config access level |
full-name | string | - | Full name |
level | user-level | ADMIN | Login level |
name | (string) username | Not optional | User name |
otp | string | - | OTP serial number |
password | Password | Not optional | User password |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table |
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in) |
Named logging target
Table I.7. log: Attributes
Attribute | Type | Default | Description |
colour | Colour | - | Colour used in web display |
comment | string | - | Comment |
console | boolean | - | Log immediately to console |
flash | boolean | - | Log immediately to slow flash memory (use with care) |
jtag | boolean | - | Log immediately jtag (development use only) |
name | string | Not optional | Log target name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
Table I.8. log: Elements
Element | Type | Instances | Description |
log-email | Optional, unlimited | Email settings | |
syslog | log-syslog | Optional, unlimited | Syslog settings |
Logging to a syslog server
Table I.9. log-syslog: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
facility | syslog-facility | LOCAL0 | Facility setting |
port | unsignedShort | 514 | Server port |
profile | string | - | Profile name |
server | IPNameAddr | Not optional | Syslog server |
severity | syslog-severity | NOTICE | Severity setting |
source | string | - | Source of data, used in automated config management |
source-ip | IPAddr | - | Use specific source IP |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs |
Logging to email
Table I.10. log-email: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
delay | duration | 1:00 | Delay before sending, since first event to send |
from | string | One made up using serial number | Source email address |
hold-off | duration | 1:00:00 | Delay before sending, since last email |
log | string | Not logging | Log emailing process |
log-debug | string | Not logging | Log emailing debug |
log-error | string | Not logging | Log emailing errors |
port | unsignedShort | 25 | Server port |
profile | string | - | Profile name |
retry | duration | 10:00 | Delay before sending, since failed send |
server | IPNameAddr | - | Smart host to use rather than MX |
source | string | - | Source of data, used in automated config management |
subject | string | From first line being logged | Subject |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email |
to | string | Not optional | Target email address |
System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
Table I.11. services: Elements
Element | Type | Instances | Description |
dns | dns-service | Optional | DNS service settings |
http | http-service | Optional | HTTP server settings |
ntp | ntp-service | Optional | NTP client settings (server not implemented yet) |
radius | radius-service | Optional | RADIUS server/proxy settings |
snmp | snmp-service | Optional | SNMP server settings |
telnet | telnet-service | Optional | Telnet server settings |
The SNMP service has general service settings and also specific attributes for SNMP such as community
Table I.12. snmp-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
community | string | public | Community string |
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
port | unsignedShort | 161 | Service port |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
The NTP settings define how the system clock is set, from what servers, and controls for daylight saving (summer time). The defaults are those that apply to the EU
Table I.13. ntp-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
ntpserver | List of IPNameAddr | ntp.firebrick.ltd.uk | List of time servers (IP or hostname) from which time may be set by ntp |
poll | duration | 1:00:00 | NTP poll rate |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
tz1-name | string | GMT | Timezone 1 name |
tz1-offset | duration | 0 | Timezone 1 offset from UTC |
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month |
tz12-day | day | Sun | Timezone 1 to 2 day of week of change |
tz12-month | month | Mar | Timezone 1 to 2 month |
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change |
tz2-name | string | BST | Timezone 2 name |
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC |
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month |
tz21-day | day | Sun | Timezone 2 to 1 day of week of change |
tz21-month | month | Oct | Timezone 2 to 1 month |
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change |
Telnet control interface
Table I.14. telnet-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
port | unsignedShort | 23 | Service port |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Web management pages
Table I.15. http-service: Attributes
Attribute | Type | Default | Description |
access-control-allow-origin | string | - | Additional header for cross site javascript |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
css-url | string | - | Additional CSS for web control pages |
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
port | unsignedShort | 80 | Service port |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available |
DNS forwarding resolver service
Table I.16. dns-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain |
comment | string | - | Comment |
domain | string | - | Our domain |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
profile | string | - | Profile name |
resolvers | List of IPAddr | - | Recursive DNS resolvers to use |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
DNS forwarding resolver service
Table I.18. dns-host: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted) |
name | List of string | Not optional | Host names (can use * as a part of a domain) |
profile | string | - | Profile name |
restrict | List of IPNameRange | - | List of IP ranges to which this is served |
reverse | boolean | - | Map reverse DNS as well |
source | string | - | Source of data, used in automated config management |
ttl | unsignedInt | 60 | Time to live |
DNS forwarding resolver service
Table I.19. dns-block: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
name | List of string | Not optional | Host names (can use * as a part of a domain) |
profile | string | - | Profile name |
restrict | List of IPNameRange | - | List of IP ranges to which this is served |
source | string | - | Source of data, used in automated config management |
ttl | unsignedInt | 60 | Time to live |
RADIUS server and proxy definitions
Table I.20. radius-service: Attributes
Attribute | Type | Default | Description |
acct-port | unsignedShort | 1813 | Accounting UDP port |
auth-port | unsignedShort | 1812 | Authentication UDP port |
authenticator | boolean | - | Require message authenticator |
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection |
class | string | - | Class field to send |
comment | string | - | Comment |
context-name | string | - | Juniper Context-Name (SIN502) |
control-port | unsignedShort | 3799 | Control UDP port (CoA/DM) |
dummy-ip | boolean | true | Send dummy framed IP response |
log | string | Not logging | Log events |
log-debug | string | - | Log debug |
log-error | string | Log as event | Log errors |
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id |
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage |
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage |
order | radiuspriority | - | Priority tagging of endpoints sent |
profile | string | - | Profile name |
relay-ip | List of IPAddr | - | Address to copy RADIUS request |
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request |
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request |
secret | Secret | - | Shared secret for RADIUS requests (needed for replies) |
source | string | - | Source of data, used in automated config management |
tagged | boolean | - | Tag all attributes that can be |
target-hostname | string | - | Hostname for L2TP connection |
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection |
target-secret | Secret | - | Shared secret for L2TP connection |
test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated) |
tunnel-assignment-id | string | - | Tunnel Assignment ID to send |
tunnel-client-return | boolean | - | Return tunnel client as radius IP |
Table I.21. radius-service: Elements
Element | Type | Instances | Description |
match | radius-service-match | Optional, unlimited | Matching rules for specific responses |
server | radius-server | Optional, unlimited | RADIUS server settings |
Rules for matching incoming RADIUS requests
Table I.22. radius-service-match: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | - | Match source IP address of RADIUS request |
authenticator | boolean | - | Require message authenticator |
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection |
called-station-id | List of string | - | One or more patterns to match called-station-id |
calling-station-id | List of string | - | One or more patterns to match calling-station-id |
class | string | - | Class field to send |
comment | string | - | Comment |
context-name | string | - | Juniper Context-Name (SIN502) |
dummy-ip | boolean | true | Send dummy framed IP response |
ip | List of IPNameRange | - | Match target IP address of RADIUS request |
name | string | - | Name |
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id |
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage |
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage |
order | radiuspriority | - | Priority tagging of endpoints sent |
profile | string | - | Profile name |
relay-ip | List of IPAddr | - | Address to copy RADIUS request |
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request |
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request |
secret | Secret | - | Shared secret for RADIUS requests (needed for replies) |
source | string | - | Source of data, used in automated config management |
tagged | boolean | - | Tag all attributes that can be |
target-hostname | string | - | Hostname for L2TP connection |
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection |
target-secret | Secret | - | Shared secret for L2TP connection |
test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated) |
tunnel-assignment-id | string | - | Tunnel Assignment ID to send |
tunnel-client-return | boolean | - | Return tunnel client as radius IP |
username | List of string | - | One or more patterns to match username |
Server settings for outgoing RADIUS
Table I.23. radius-server: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
host | List of IPNameAddr | Not optional | One or more hostname/IPs of RADIUS servers |
max-timeout | duration | 20 | Maximum final timeout |
min-timeout | duration | 5 | Minimum final timeout |
name | string | - | Name |
port | unsignedShort | From services/radius settings | UDP port |
profile | string | - | Profile name |
queue | unsignedInt | - | Concurrent requests over all of these servers (per type) |
secret | Secret | Not optional | Shared secret for RADIUS requests |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | - | Routing table number |
type | Set of radiustype | All | Server type |
Physical port attributes
Table I.24. ethernet: Attributes
Attribute | Type | Default | Description |
autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation |
clocking | LinkClock | prefer-slave | Gigabit clock setting |
crossover | Crossover | auto | Port crossover configuration |
duplex | LinkDuplex | auto | Duplex setting for this port |
flow | LinkFlow | none | Flow control setting |
green | LinkLED | Link/Activity | Green LED setting |
optimise | boolean | true | enable PHY optimisations |
port | port | Not optional | Physical port |
power-saving | LinkPower | full | enable PHY power saving |
send-fault | LinkFault | - | Send fault status |
shutdown | boolean | false | Power down this port |
speed | LinkSpeed | auto | Speed setting for this port |
yellow | LinkLED | Tx | Yellow LED setting |
The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
Table I.26. interface: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
graph | (string) graphname | - | Graph name |
link | string | - | Interface to which this is linked at layer 2 |
log | string | Not logging | Log events including DHCP and related events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
mtu | (unsignedShort 576-1600) mtu | 1500 | MTU for this interface |
name | string | - | Name |
ping | IPAddr | - | Ping address to add loss/latency to graph for interface |
port | string | Not optional | Port group name |
profile | string | - | Profile name |
ra-client | boolean | true | Accept IPv6 RA and create auto config subnets and routes |
restrict-mac | boolean | - | Use only one MAC on this interface |
source | string | - | Source of data, used in automated config management |
source-filter | boolean | - | Source filter traffic received via this interface |
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable |
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged) |
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
Table I.28. subnet: Attributes
Attribute | Type | Default | Description |
accept-dns | boolean | true | Accept DNS servers specified by DHCP |
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND |
bgp | bgpmode | - | BGP announce mode for routes |
broadcast | boolean | false | If broadcast address allowed |
comment | string | - | Comment |
gateway | List of IPAddr | - | One or more gateways to install |
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len |
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins) |
mtu | (unsignedShort 576-1600) mtu | As interface | MTU for subnet |
name | string | - | Name |
nat | boolean | false | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules) |
profile | string | - | Profile name |
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing |
ra | ramode | false | If to announce IPv6 RA for this subnet |
ra-dns | List of IP6Addr | - | List of recursive DNS servers in route announcements |
ra-managed | dhcpv6control | - | RA 'M' (managed) flag |
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval |
ra-min | (unsignedShort 3-1350) ra-min | - | Min RA send interval |
ra-mtu | unsignedShort | As subnet | MTU to use on RA |
ra-other | dhcpv6control | - | RA 'O' (other) flag |
ra-profile | string | - | Profile, if inactive then forces low priority RA |
source | string | - | Source of data, used in automated config management |
test | IPAddr | - | Test link state using ARP/ND for this IP |
ttl | unsignedByte | 64 | TTL for originating traffic via subnet |
VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Use different VRID on different VLANs.
Table I.29. vrrp: Attributes
Attribute | Type | Default | Description |
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master |
comment | string | - | Comment |
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal |
interval | unsignedShort | 100 | Transit interval (centiseconds) |
ip | List of IPAddr | Not optional | One or more IP addresses to announce |
log | string | Not logging | Log events |
log-error | string | log as event | Log errors |
low-priority | unsignedByte | 1 | Lower priority applicable until routing established |
name | string | - | Name |
preempt | boolean | true | Whether pre-empt allowed |
priority | unsignedByte | 100 | Normal priority |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
test | List of IPAddr | - | List of IPs to which routing must exist else low priority (deprecated) |
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC |
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3 |
vrid | unsignedByte | 42 | VRID |
Settings for DHCP server
Table I.30. dhcps: Attributes
Attribute | Type | Default | Description |
boot | IP4Addr | - | Next/boot server |
boot-file | string | - | Boot filename |
class | string | - | Class match |
client-name | string | - | Client name match |
comment | string | - | Comment |
dns | List of IP4Addr | Our IP | DNS resolvers |
domain | string | From system settings | DNS domain |
force | boolean | - | Send all options even if not requested |
gateway | List of IP4Addr | Our IP | Gateway |
ip | List of IP4Range | 0.0.0.0/0 | Address pool |
lease | duration | 2:00:00 | Lease length |
log | string | Not logging | Log events (allocations) |
mac | List up to 12 (hexBinary) macprefix | - | Partial or full MAC addresses |
name | string | - | Name |
ntp | List of IP4Addr | From system settings | NTP server |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
syslog | List of IP4Addr | - | Syslog server |
time | List of IP4Addr | Our IP | Time server |
Table I.31. dhcps: Elements
Element | Type | Instances | Description |
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |
Additional DHCP server attributes (hex)
Table I.32. dhcp-attr-hex: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
force | boolean | - | Send even if not requested |
id | unsignedByte | Not optional | Attribute type code |
name | string | - | Name |
value | hexBinary | Not optional | Value |
Additional DHCP server attributes (string)
Table I.33. dhcp-attr-string: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
force | boolean | - | Send even if not requested |
id | unsignedByte | Not optional | Attribute type code |
name | string | - | Name |
value | string | Not optional | Value |
Additional DHCP server attributes (numeric)
Table I.34. dhcp-attr-number: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
force | boolean | - | Send even if not requested |
id | unsignedByte | Not optional | Attribute type code |
name | string | - | Name |
value | unsignedInt | Not optional | Value |
Additional DHCP server attributes (IP)
Table I.35. dhcp-attr-ip: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
force | boolean | - | Send even if not requested |
id | unsignedByte | Not optional | Attribute type code |
name | string | - | Name |
value | IP4Addr | Not optional | Value |
PPPoE endpoint settings
Table I.36. pppoe: Attributes
Attribute | Type | Default | Description |
ac-name | string | Any a/c name | Access concentrator name |
accept-dns | boolean | true | Accept DNS servers specified by far end |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
graph | (string) graphname | - | Graph name |
ip-over-lcp | boolean | auto | Sends all IP packets as LCP |
lcp-rate | unsignedByte | 10 | LCP interval (seconds) |
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds) |
local | IP4Addr | - | Local IPv4 address |
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins) |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Not logging | Log as events |
mode | pppoe-mode | client | PPPoE server/client mode |
mtu | (unsignedShort 576-1600) mtu | 1492 | MTU for link |
name | string | - | Name |
nat | boolean | false | NAT traffic to this link unless otherwise set |
password | Secret | - | User password |
pd-interface | List of string | Auto | Interfaces for IPv6 prefix delegation |
port | string | - | Physical port number, or port group name |
profile | string | - | Profile name |
remote | IP4Addr | - | Remote IPv4 address |
routes | List of IPPrefix | Default gateway | Routes when link up |
service | string | Any service | Service name |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | - | Default egress rate limit (b/s) |
table | (unsignedByte 0-99) routetable | - | Routing table number for payload |
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |
username | string | - | User name |
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged) |
Table I.37. pppoe: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up |
Routes that apply when link is up
Table I.38. ppp-route: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
Table I.39. route: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
gateway | List of IPAddr | Not optional | One or more target gateway IPs |
graph | (string) graphname | - | Graph name |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | - | Egress rate limit (b/s) |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but add routing.
Table I.40. network: Attributes
Attribute | Type | Default | Description |
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received |
bgp | bgpmode | true | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Networks that go nowhere
Table I.41. blackhole: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | false | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Loopback addresses define local IP addresses
Table I.42. loopback: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPAddr | Not optional | One or more local network addresses |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.
Table I.43. bgp: Attributes
Attribute | Type | Default | Description |
as | unsignedInt | - | Our AS |
cluster-id | IP4Addr | - | Our cluster ID |
comment | string | - | Comment |
id | IP4Addr | - | Our router ID |
log | string | Not logging | Log events |
name | string | - | Name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Table I.44. bgp: Elements
Element | Type | Instances | Description |
peer | bgppeer | Optional, up to 50 | List of peers/neighbours |
The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.
Table I.45. bgppeer: Attributes
Attribute | Type | Default | Description |
add-own-as | boolean | - | Add our AS on exported routes |
allow-export | boolean | - | Ignore no-export community and export anyway |
allow-only-their-as | boolean | - | Only accept routes that are solely the peers AS |
allow-own-as | boolean | - | Allow our AS inbound |
as | unsignedInt | - | Peer AS |
capability-as4 | boolean | true | If supporting AS4 |
capability-graceful-restart | boolean | true | If supporting Graceful Restart |
capability-mpe-ipv4 | boolean | true | If supporting MPE for IPv4 |
capability-mpe-ipv6 | boolean | true | If supporting MPE for IPv6 |
capability-route-refresh | boolean | true | If supporting Route Refresh |
comment | string | - | Comment |
drop-default | boolean | false | Ignore default route received |
export-med | unsignedInt | - | Set MED on exported routes (unless export filter sets it) |
holdtime | unsignedInt | 30 | Hold time |
ignore-bad-optional-partial | boolean | true | Ignore routes with a recognised badly formed optional that is flagged partial |
import-localpref | unsignedInt | - | Set localpref on imported routes (unless import filter sets it) |
in-soft | boolean | - | Mark received routes as soft |
ip | List of IPAddr | - | One or more IPs of neighbours (omit to allow incoming) |
log-debug | string | Not logging | Log debug |
max-prefix | (unsignedInt 1-10000) bgp-prefix-limit | 10000 | Limit prefixes (IPv4+IPv6) |
md5 | Secret | - | MD5 signing secret |
name | string | - | Name |
next-hop-self | boolean | false | Force us as next hop outbound |
no-fib | boolean | - | Don't include received routes in packet forwarding |
pad | unsignedByte | - | Pad (prefix stuff) our AS by this many |
profile | string | - | Profile name |
same-ip-type | boolean | true | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers |
send-default | boolean | false | Send a default route to this peer |
send-no-routes | boolean | false | Don't send any normal routes |
shutdown | boolean | - | Shutdown this neighbour (deprecated, use profile) |
source | string | - | Source of data, used in automated config management |
timer-idle | unsignedInt | 60 | Idle time after error |
timer-openwait | unsignedInt | 10 | Time to wait for OPEN on connection |
timer-retry | unsignedInt | 10 | Time to retry the neighbour |
ttl-security | byte | - | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking. |
type | peertype | normal | Type of neighbour (affects some defaults) |
use-vrrp-as-self | boolean | true | Use VRRP address as self if possible |
This defines the rules for mapping and filtering of prefixes to/from a BGP peer.
Table I.47. bgpmap: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
detag | List of Community | - | List of community tags to remove |
drop | boolean | - | Do not import/export this prefix |
localpref | unsignedInt | - | Set localpref (highest wins) |
med | unsignedInt | - | Set MED |
prefix | List of IPFilter | - | Drop all that are not in this prefix list |
source | string | - | Source of data, used in automated config management |
tag | List of Community | - | List of community tags to add |
Table I.48. bgpmap: Elements
Element | Type | Instances | Description |
match | bgprule | Optional, unlimited | List rules, in order of checking |
An individual rule for BGP mapping/filtering
Table I.49. bgprule: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
community | Community | - | Community that must be present to match |
detag | List of Community | - | List of community tags to remove |
drop | boolean | - | Do not import/export this prefix |
localpref | unsignedInt | - | Set localpref (highest wins) |
med | unsignedInt | - | Set MED |
name | string | - | Name |
prefix | List of IPFilter | - | Prefixes that this rule applies to |
source | string | - | Source of data, used in automated config management |
tag | List of Community | - | List of community tags to add |
Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.
Table I.50. cqm: Attributes
Attribute | Type | Default | Description |
ave | Colour | #08f | Colour for average latency |
axis | Colour | black | Axis colour |
background | Colour | white | Background colour |
bottom | unsignedByte | 11 | Pixels space at bottom of graph |
dateformat | string | %Y-%m-%d | Date format |
dayformat | string | %a | Day format |
fail | Colour | red | Colour for failed (dropped) seconds |
fail-level | unsignedInt | 1 | Fail level not expected on low usage |
fail-level1 | unsignedByte | 3 | Loss level 1 |
fail-level2 | unsignedByte | 50 | Loss level 2 |
fail-score | unsignedByte | 200 | Score for fail and low usage |
fail-score1 | unsignedByte | 100 | Score for on/above level 1 |
fail-score2 | unsignedByte | 200 | Score for on/above level 2 |
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected |
fblogo | Colour | #bd1220 | Colour for logo |
graticule | Colour | grey | Graticule colour |
heading | string | - | Heading of graph |
hourformat | string | %H | Hour format |
key | unsignedByte | 90 | Pixels space for key |
label-ave | string | Av | Label for average latency |
label-damp | string | Damp% | Label for % shaper damping |
label-fail | string | %Fail | Label for seconds (%) failed |
label-latency | string | Latency | Label for latency |
label-max | string | Max | Label for maximum latency |
label-min | string | Min | Label for minimum latency |
label-off | string | Off | Label for off line seconds |
label-period | string | Period | Label for period |
label-poll | string | Polls | Label for polls |
label-rej | string | %Reject | Label for rejected seconds |
label-rx | string | Rx | Label for Rx traffic level |
label-score | string | Score | Label for score |
label-sent | string | Sent | Label for seconds polled |
label-shaper | string | Shaper | Label for shaper |
label-time | string | Time | Label for time |
label-traffic | string | Traffic (bit/s) | Label for traffic level |
label-tx | string | Tx | Label for Tx traffic level |
latency-level | unsignedInt | 100000000 | Latency level not expected on low usage |
latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns) |
latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns) |
latency-score | unsignedByte | 200 | Score for high latency and low usage |
latency-score1 | unsignedByte | 10 | Score for on/above level 1 |
latency-score2 | unsignedByte | 20 | Score for on/above level 2 |
latency-usage | unsignedInt | 128000 | Usage below which latency is not expected |
left | unsignedByte | 0 | Pixels space left of main graph |
log | string | Not logging | Log events |
max | Colour | green | Colour for maximum latency |
min | Colour | #008 | Colour for minimum latency |
ms-max | positiveInteger | 500 | ms max height |
off | Colour | #c8f | Colour for off line seconds |
outside | Colour | transparent | Colour for outer border |
ping-update | duration | 1:00:00 | Interval for periodic updates |
ping-url | string | - | URL for ping list |
rej | Colour | #f8c | Colour for off line seconds |
right | unsignedByte | 50 | Pixels space right of main graph |
rx | Colour | #800 | Colour for Rx traffic level |
secret | Secret | - | Secret for MD5 coded URLs |
sent | Colour | #ff8 | Colour for polled seconds |
share-interface | string | - | Interface on which to broadcast data for shaper sharing |
share-secret | string | - | Secret to validate shaper sharing |
subheading | string | - | Subheading of graph |
text | Colour | black | Colour for text |
text1 | string | - | Text line 1 |
text2 | string | - | Text line 2 |
text3 | string | - | Text line 3 |
text4 | string | - | Text line 4 |
timeformat | string | %Y-%m-%d %H:%M:%S | Time format |
top | unsignedByte | 4 | Pixels space at top of graph |
tx | Colour | #080 | Colour for Tx traffic level |
L2TP settings for incoming and outgoing L2TP connections
Table I.51. l2tp: Attributes
Attribute | Type | Default | Description |
accounting-interval | duration | 1:00:00 | Periodic interim accounting interval |
Table I.52. l2tp: Elements
Element | Type | Instances | Description |
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections |
outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections |
L2TP tunnel settings for outgoing L2TP connections
Table I.53. l2tp-outgoing: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
called | string | - | called-station-idi to send |
calling | string | - | calling-station-id to send |
comment | string | - | Comment |
fail-lockout | unsignedByte | 1 | Interval kept in failed state |
graph | string | - | Graph name |
hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames |
hello-interval | unsignedByte | 10 | Interval between HELLO messages |
hostname | string | - | Hostname quoted on incoming tunnel |
ip | IPAddr | Not optional | IP of far end |
lcp-rate | unsignedByte | 10 | LCP interval (seconds) |
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds) |
local | IP4Addr | - | Local IPv4 address |
localpref | unsignedInt | 4294967295 | Localpref for remote-ip/routes (highest wins) |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
min-retry | duration | PT10S | Minimum session time before retrying connection |
mtu | (unsignedShort 576-1600) mtu | - | Default MTU for sessions in this tunnel |
name | string | - | Name |
open-timeout | unsignedByte | 10 | Interval before OPEN considered failed |
password | Secret | - | Password for login |
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
profile | string | - | Profile name |
remote | IP4Addr | - | Remote IPv4 address |
retry-timeout | unsignedByte | 10 | Interval to retry sending control messages before fail |
routes | List of IPPrefix | Default gateway | Routes when link up |
rx-speed | unsignedInt | - | Send ingress rate (b/s) |
secret | Secret | - | Shared secret |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for L2TP session |
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS |
tx-speed | unsignedInt | - | Egress rate limit (b/s) |
username | string | - | User name for login |
Table I.54. l2tp-outgoing: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when link is up |
L2TP tunnel settings for incoming L2TP connections
Table I.55. l2tp-incoming: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | - | List of IP ranges from which connects can be made |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
damping | boolean | false | Apply damping to sessions if limiting on shaper |
dhcpv6dns | List of IP6Addr | - | List of IPv6 DNS servers |
dos-limit | unsignedInt | 10000 | Per second per session tx packet drop limit for DOS protection |
fail-lockout | unsignedByte | 60 | Interval kept in failed state |
graph | string | - | Graph name |
hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames |
hello-interval | unsignedByte | 60 | Interval between HELLO messages |
hostname | string | - | Hostname quoted on incoming tunnel |
icmp-ppp | boolean | false | Use PPP endpoint for ICMP |
ipv6ep | IP4Addr | - | Local end IPv4 for IPv6 tunnels |
lcp-mru-fix | boolean | false | Restart LCP if RAS negotiated MRU is too high |
lcp-rate | unsignedByte | 1 | LCP interval (seconds) |
lcp-timeout | unsignedByte | 10 | LCP timeout (seconds) |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
mtu | (unsignedShort 576-1600) mtu | - | Default MTU for sessions in this tunnel |
name | string | - | Name |
open-timeout | unsignedByte | 60 | Interval before OPEN considered failed |
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
pppdns1 | IP4Addr | - | PPP DNS1 IPv4 default |
pppdns2 | IP4Addr | - | PPP DNS2 IPv4 default |
pppip | IP4Addr | - | Local end PPP IPv4 |
profile | string | - | Profile name |
radius | string | - | Name for RADIUS server config to use |
relay-nas-ip | boolean | true | Pass remote L2TP endpoint as NAS IP |
require-platform | boolean | false | All sessions require a platform RADIUS first |
require-radius-acct | boolean | - | Close session if cannot do RADIUS accounting |
retry-timeout | unsignedByte | 60 | Interval to retry sending control messages before fail |
secret | Secret | - | Shared secret |
shutdown | boolean | false | Refuse all new sessions or tunnels |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | - | Default egress rate limit (b/s) |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for L2TP session |
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS |
test | List of IPAddr | - | List of IPs to which routing must exist else tunnel dropped (deprecated) |
Table I.56. l2tp-incoming: Elements
Element | Type | Instances | Description |
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication |
Rules for relaying L2TP or local authentication
Table I.57. l2tp-relay: Attributes
Attribute | Type | Default | Description |
called-station-id | List of string | - | One or more patterns to match called-station-id |
calling-station-id | List of string | - | One or more patterns to match calling-station-id |
comment | string | - | Comment |
graph | (string) graphname | - | Graph name |
ip-over-lcp | boolean | - | Send IP over LCP (local auth) |
localpref | unsignedInt | 4294967295 | Localpref for remote-ip/routes (highest wins) |
name | string | - | Name |
password | Secret | - | Password check |
profile | string | - | Profile name |
relay-hostname | string | - | Hostname for L2TP connection |
relay-ip | List of IPAddr | - | Target IP(s) for L2TP connection |
relay-pick | boolean | - | If set, try one of the relay IPs at random first |
relay-secret | Secret | - | Shared secret for L2TP connection |
remote-ip | IP4Addr | - | Remote end PPP IPv4 (local auth) |
remote-netmask | IP4Addr | - | Remote end PPP Netmask (local auth) |
routes | List of IPPrefix | - | Additional routes when link up (local auth) |
source | string | - | Source of data, used in automated config management |
test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated) |
username | List of string | - | One or more patterns to match username |
FB105 tunnel definition
Table I.58. fb105: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
fast-udp | boolean | true | Send UDP packets marked not to be reordered |
graph | (string) graphname | - | Graph name |
internal-ip | IP4Addr | local-ip | Internal IP for traffic originated and sent down tunnel |
ip | IP4Addr | dynamic tunnel | Far end IP |
keep-alive | boolean | true if ip set | Constantly send keep alive packets |
local-id | unsignedByte | Not optional | Unique local end tunnel ID |
local-ip | IP4Addr | - | Force specific local end IP |
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins) |
log | string | Not logging | Log events |
log-error | string | Log as event | Log errors |
mtu | unsignedShort | 1500 | MTU for wrapped packets |
name | string | - | Name |
ospf-cost | unsignedShort | 1000 | Link cost, forces default OSPF on link if set even if OSPF not otherwise configured |
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
port | unsignedShort | 1 | UDP port to use |
profile | string | - | Profile name |
remote-id | unsignedByte | Not optional | Unique remote end tunnel ID |
reorder | boolean | false | Reorder incoming tunnel packets |
reorder-maxq | (unsignedInt 1-100) fb105-reorder-maxq | 32 | Max queue length for out of order packets |
reorder-timeout | (unsignedInt 10-5000) fb105-reorder-timeout | 100 | Max time to delay out of order packet (ms) |
routes | List of IPPrefix | - | Routes when link up |
secret | Secret | Unsigned | Shared secret for tunnel |
set | unsignedByte | - | Set ID for reorder ID tagging (create a set of tunnels together) |
sign-all | boolean | false | All packets must be signed, not just keepalives |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | no shaping | Egress rate limit used (b/s) |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for tunnel wrappers |
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |
Table I.59. fb105: Elements
Element | Type | Instances | Description |
route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up |
Routes for prefixes that are sent to the FB105 tunnel when up
Table I.60. fb105-route: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
IPsec configuration
Table I.61. ipsec: Attributes
Attribute | Type | Default | Description |
auth-algorithm | ipsec-auth-algorithm | null | Manual setting for authentication algorithm |
auth-key | hexBinary | - | Manual key for authentication |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
crypt-algorithm | ipsec-crypt-algorithm | null | Manual setting for encryption algorithm |
crypt-key | hexBinary | - | Manual key for encryption |
graph | (string) graphname | - | Graph name |
internal-ipv4 | IP4Addr | local-ip | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel |
internal-ipv6 | IP6Addr | local-ip | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel |
local-ip | IPAddr | - | Local end IP for tunnel |
local-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Local Security Parameters Index |
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins) |
log | string | Not logging | Log events |
log-debug | string | Not logging | Log debug |
log-error | string | Log as event | Log errors |
mode | ipsec-mode | tunnel | Encapsulation mode |
mtu | unsignedShort | 1500 | MTU for wrapped packets |
name | string | - | Name |
ospf-cost | unsignedShort | 1000 | Link cost, forces default OSPF on link if set even if OSPF not otherwise configured |
outer-spi | (unsignedInt 256-4294967295) ipsec-spi | - | Security Parameters Index for outer header |
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
profile | string | - | Profile name |
remote-ip | IPAddr | - | Far end IP for tunnel |
remote-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Remote Security Parameters Index |
routes | List of IPPrefix | - | Routes when link up |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | no shaping | Egress rate limit used (b/s) |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for tunnel wrappers |
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |
type | ipsec-type | ESP | Encapsulation type |
Table I.62. ipsec: Elements
Element | Type | Instances | Description |
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up |
Routes for prefixes that are sent to the IPsec tunnel when up
Table I.63. ipsec-route: Attributes
Attribute | Type | Default | Description |
bgp | bgpmode | - | BGP announce mode for routes |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
Base ping config - additional ping targets set via web API or other means
Table I.64. ping: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
graph | (string) graphname | Not optional | Graph name |
ip | IPNameAddr | Not optional | Far end IP |
name | string | - | Name |
size | (unsignedInt 0-1472) ping-size | 0 | Payload size |
slow | boolean | Auto | Slow polling |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending pings |
General on/off control profile used in various places in the config.
Table I.65. profile: Attributes
Attribute | Type | Default | Description |
and | List of string | - | Active if all specified profiles are active as well as all other tests passing, including 'not' |
comment | string | - | Comment |
fb105 | List of string | - | FB105 tunnel state (any of these active) |
initial | boolean | true | Defines state at system startup if not using set |
interval | duration | 1 | Time between tests (e.g. seconds) |
invert | boolean | - | Invert final result of testing |
log | string | Not logging | Log target |
log-debug | string | Not logging | Log additional information |
name | string | Not optional | Profile name |
not | string | - | Active if specified profile is inactive as well as all other tests passing, including 'and' |
or | List of string | - | Active if any of these other profiles active regardless of other tests (including 'not' or 'and') |
ppp | List of string | - | PPP link state (any of these are up) |
recover | duration | 1 | Time before recover (i.e. how long test has been passing) |
route | List of IPAddr | - | Test passes if all specified addresses are routeable |
set | boolean | - | Manual override, ignore ALL other settings |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | - | Routing table for ping/route |
timeout | duration | 10 | Time before timeout (i.e. how long test has been failing) |
vrrp | List of string | - | VRRP state (any of these is master) |
Table I.66. profile: Elements
Element | Type | Instances | Description |
date | profile-date | Optional, unlimited | Test passes if within any date range specified |
ping | profile-ping | Optional | Test passes if address is answering pings |
time | profile-time | Optional, unlimited | Test passes if within any time range specified |
Ping targets
Table I.69. profile-ping: Attributes
Attribute | Type | Default | Description |
flow | unsignedShort | - | Flow label (IPv6) |
gateway | IPAddr | - | Ping via specific gateway (bypasses session tracking if set) |
ip | IPAddr | Not optional | Target IP |
source-ip | IPAddr | - | Source IP |
ttl | unsignedByte | - | Time to live / Hop limit |
Settings for a named traffic shaper
Table I.70. shaper: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
name | (string) graphname | Not optional | Graph name |
rx | unsignedInt | - | Rx rate limit/target (b/s) |
rx-max | unsignedInt | - | Rx rate limit max |
rx-min | unsignedInt | - | Rx rate limit min |
rx-min-burst | duration | - | Rx minimum allowed burst time |
rx-step | unsignedInt | - | Rx rate reduction per per hour |
share | boolean | - | If shaper is shared with other devices |
source | string | - | Source of data, used in automated config management |
tx | unsignedInt | - | Tx rate limit/target (b/s) |
tx-max | unsignedInt | - | Tx rate limit max |
tx-min | unsignedInt | - | Tx rate limit min |
tx-min-burst | duration | - | Tx minimum allowed burst time |
tx-step | unsignedInt | - | Tx rate reduction per hour |
Table I.71. shaper: Elements
Element | Type | Instances | Description |
override | shaper-override | Optional, unlimited | Profile specific variations on main settings |
Settings for a named traffic shaper
Table I.72. shaper-override: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
profile | string | Not optional | Profile name |
rx | unsignedInt | - | Rx rate limit/target (b/s) |
rx-max | unsignedInt | - | Rx rate limit max |
rx-min | unsignedInt | - | Rx rate limit min |
rx-min-burst | duration | - | Rx minimum allowed burst time |
rx-step | unsignedInt | - | Rx rate reduction per per hour |
source | string | - | Source of data, used in automated config management |
tx | unsignedInt | - | Tx rate limit/target (b/s) |
tx-max | unsignedInt | - | Tx rate limit max |
tx-min | unsignedInt | - | Tx rate limit min |
tx-min-burst | duration | - | Tx minimum allowed burst time |
tx-step | unsignedInt | - | Tx rate reduction per hour |
Routing override rules
Table I.74. route-override: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
name | string | - | Name |
profile | string | - | Profile name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Applicable routing table |
Table I.75. route-override: Elements
Element | Type | Instances | Description |
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies |
Routing override rule
Table I.76. session-route-rule: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
name | string | - | Name |
profile | string | - | Profile name |
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
set-gateway | IPAddr | - | New gateway |
set-graph | string | - | Graph name for shaping/logging (if not set by rule-set) |
set-nat | boolean | - | Changed source IP and port to local for NAT |
source | string | - | Source of data, used in automated config management |
source-interface | List of string | - | Source interface(s) |
source-ip | List of IPNameRange | - | Source IP address range(s) |
source-port | List of PortRange | - | Source port(s) |
target-interface | List of string | - | Target interface(s) |
target-ip | List of IPNameRange | - | Target IP address range(s) |
target-port | List of PortRange | - | Target port(s) |
Table I.77. session-route-rule: Elements
Element | Type | Instances | Description |
share | session-route-share | Optional, unlimited | Load shared actions |
Firewalling rule set with entry criteria and default actions
Table I.79. rule-set: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
interface | List of string | - | Source or target interface(s) |
ip | List of IPNameRange | - | Source or target IP address range(s) |
log | string | Not logging | Log session start |
log-end | string | Not logging | Log session end |
log-no-match | string | log-start | Log if no match |
name | string | - | Name |
no-match-action | firewall-action | Not optional | Default if no rule matches |
profile | string | - | Profile name |
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
source | string | - | Source of data, used in automated config management |
source-interface | List of string | - | Source interface(s) |
source-ip | List of IPNameRange | - | Source IP address range(s) |
source-port | List of PortRange | - | Source port(s) |
table | (unsignedByte 0-99) routetable | 0 | Applicable routing table |
target-interface | List of string | - | Target interface(s) |
target-ip | List of IPNameRange | - | Target IP address range(s) |
target-port | List of PortRange | - | Target port(s) |
Table I.80. rule-set: Elements
Element | Type | Instances | Description |
ip-group | ip-group | Optional, unlimited | Named IP groups |
rule | session-rule | Optional, unlimited | Individual rules, first match applies |
Firewall rule
The individual firewall rules are checked in order within the rule-set, and the first match applied. The default action for a rule is continue, so once matched the next rule-set is considered.
Table I.81. session-rule: Attributes
Attribute | Type | Default | Description |
action | firewall-action | continue | Action taken on match |
comment | string | - | Comment |
interface | List of string | - | Source or target interface(s) |
ip | List of IPNameRange | - | Source or target IP address range(s) |
log | string | As rule-set | Log session start |
log-end | string | As rule-set | Log session end |
name | string | - | Name |
profile | string | - | Profile name |
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
set-gateway | IPAddr | - | New gateway |
set-graph | string | - | Graph name for shaping/logging |
set-initial-timeout | duration | - | Initial time-out |
set-nat | boolean | - | Changed source IP and port to local for NAT |
set-ongoing-timeout | duration | - | Ongoing time-out |
set-reverse-graph | string | - | Graph name for shaping/logging (far side of session) |
set-source-ip | IPAddr | - | New source IP |
set-source-port | unsignedShort | - | New source port |
set-table | (unsignedByte 0-99) routetable | - | Set new routing table |
set-target-ip | IPAddr | - | New target IP |
set-target-port | unsignedShort | - | New target port |
source | string | - | Source of data, used in automated config management |
source-interface | List of string | - | Source interface(s) |
source-ip | List of IPNameRange | - | Source IP address range(s) |
source-port | List of PortRange | - | Source port(s) |
target-interface | List of string | - | Target interface(s) |
target-ip | List of IPNameRange | - | Target IP address range(s) |
target-port | List of PortRange | - | Target port(s) |
Table I.82. session-rule: Elements
Element | Type | Instances | Description |
share | session-share | Optional, unlimited | Load shared actions |
Firewall actions for load sharing
Table I.83. session-share: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
profile | string | - | Profile name |
set-gateway | IPAddr | - | New gateway |
set-graph | string | - | Graph name for shaping/logging |
set-nat | boolean | - | Changed source IP and port to local for NAT |
set-reverse-graph | string | - | Graph name for shaping/logging (far side of session) |
set-source-ip | IPAddr | - | New source IP |
set-source-port | unsignedShort | - | New source port |
set-table | (unsignedByte 0-99) routetable | - | Set new routing table |
set-target-ip | IPAddr | - | New target IP |
set-target-port | unsignedShort | - | New target port |
weight | positiveInteger | 1 | Weighting of load share |
Voice over IP config
Table I.84. voip: Attributes
Attribute | Type | Default | Description |
area-code | string | - | Local area code (without national prefix) |
comment | string | - | Comment |
country | string | 44 | Local country code |
emergency | List of string | 112 999 | Emergency numbers |
international | string | 00 | International dialling prefix |
local-digits | string | 23456789 | Local numbers start with these digits |
local-min-len | unsignedByte | 5 | Local numbers min length |
log | string | Not logging | Log calls |
log-blf-debug | string | Not logging | Log subscribe/notify SIP messages |
log-cdr | string | Not logged | Log CDR records |
log-debug | string | Not logging | Log debug and SIP messages |
log-error | string | Log as event | Log errors |
log-register | string | Not logging | Log registrations |
log-register-debug | string | Not logging | Log registration SIP messages |
national | string | 0 | National dialling prefix |
pabx | boolean | true | Operate as office PABX |
pickup | string | * | Call pickup/steal prefix |
radius-call | string | - | Name for RADIUS server config to use call routing |
radius-cdr | string | - | Name for RADIUS server config to use for CDRs |
radius-challenge | boolean | - | Send RADIUS auth to get challenge response |
radius-register | string | - | Name for RADIUS server config to use for registrations |
realm | string | FireBrick | Default realm |
record-mandatory | boolean | - | Drop call if recording fails |
record-server | string | - | Call recording server hostname or address |
release | string | 1470 | CLI release prefix |
security-replies | boolean | true | Don't challenge or error reply to unrecognised non local IP request |
source | string | - | Source of data, used in automated config management |
withhold | string | 141 | CLI withhold prefix |
VoIP carrier details
Table I.86. carrier: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which invite accepted |
cli-format | voip-format | national | CLI number format for outgoing calls |
comment | string | - | Comment |
cui | string | - | Chargeable user identity for call accounting of incoming calls |
display-name | string | - | Text name to use |
expires | duration | 1:00:00 | Registration expiry time |
extn | string | - | Local number assumed dialled for incoming calls |
force-dtmf | boolean | - | Always send DTMF in-band |
from | string | - | From SIP address for outbound registration and invites |
incoming-format | voip-format | national | Dialled number format for incoming calls |
max-calls | unsignedInt | - | Maximum simultaneous calls allowed |
name | string | Not optional | Carrier name |
outgoing-format | voip-format | national | Dialled number format for outgoing calls |
password | Secret | - | Carrier password for outbound registration or inbound authenticated calls |
profile | string | - | Profile name |
proxy | string | - | Carrier proxy hostname or address for registration and calls |
registrar | string | - | Carrier hostname for registration |
source | string | - | Source of data, used in automated config management |
source-ip | IPAddr | - | Source IP to use |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
to | string | - | To SIP request address for inbound invites, may be @domain for any at a domain |
trust-cli | boolean | true | Trust inbound calling line identity |
username | string | - | Carrier username for outbound registration or inbound authenticated calls |
withhold | string | - | Mark withheld outbound calls using this dial prefix and send CLI in remote party id |
VoIP telephone details
Table I.87. telephone: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which registration accepted |
allow-pickup | List of string | Allow all if PABX mode | Only allow pickup from these extensions |
allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions |
area-code | string | - | Local area code (without national prefix) for use from this phone |
carrier | string | - | Carrier to use for outbound calls |
comment | string | - | Comment |
cui | string | - | Chargeable user identity for call accounting |
ddi | string | - | Full telephone number (international format starting +) |
display-name | string | - | Text name to use |
string | - | Email address (sent to call recording server) | |
expires | duration | 1:00:00 | Registration expiry time |
extn | string | - | Local extension number |
local-only | boolean | true | Restrict access to registrations from Ethernet subnets only |
max-calls | unsignedInt | - | Maximum simultaneous calls allowed |
name | string | Not optional | User name (local part of 'from') |
password | Secret | - | Authentication password |
profile | string | - | Profile name |
realm | string | - | Realm |
record | recordoption | - | Automatically record calls |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
uk-cli-text | uknumberformat | Auto | Send display name as UK formatted number |
username | string | - | Authentication username |
wrap-up | duration | - | Wrap up time before new call |
Ring groups
Table I.89. ringgroup: Attributes
Attribute | Type | Default | Description |
allow-pickup | List of string | - | Only allow pickup from these extensions |
allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions |
answer-time | duration | 30 | Answer caller if ringing this long |
comment | string | - | Comment |
cui | string | - | Chargeable user identity for call accounting |
ddi | string | - | Full telephone number (international format starting +) |
display-name | string | - | Text name to use |
string | - | Email address (sent to call recording server) | |
extn | string | - | Local extension number |
limit | unsignedByte | - | Number allowed to queue |
name | string | Not optional | Group name |
order | ring-group-order | strict | Order of ring |
out-of-hours | List of string | - | Numbers to ring if out of profile |
overflow | List of string | - | Numbers to ring when more than one call in queue |
overflow-time | duration | 30 | Include overflow after this time at head of queue |
profile | string | - | Profile name |
progress-time | duration | 6 | Progress to next number after this time |
redirect | boolean | - | Allow calls to be diverted before ringing |
ring | List of string | - | Numbers to ring |
source | string | - | Source of data, used in automated config management |
type | ring-group-type | all | Type of ring when one call in queue |