FireBrick FB2500 V1.51.001 configuration objects

This appendix defines the object definitions used in the FireBrick FB2500 configuration. Copyright © 2008-16 FireBrick Ltd.

Top level config

The top level config element contains all of the FireBrick configuration data.

config: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| ip | IPAddr | Config store IP address | |
| patch | integer | Internal use, for s/w updates that change config syntax | |
| serial | string | Serial number | |
| timestamp | dateTime | Config store time, set automatically when config is saved | |
| version | string | Code version | |
| who | string | Config store username | |

config: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| bgp | bgp | Optional, up to 100 | BGP config |
| bgp-filter | namedbgpmap | Optional, unlimited | Mapping and filtering rules for use with BGP peers |
| blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks |
| cqm | cqm | Optional | Constant Quality Monitoring config |
| dhcp-relay | dhcp-relay | Optional, unlimited | DHCP server settings for remote / relayed requests |
| eap | eap | Optional, unlimited | User access control via EAP |
| ethernet | ethernet | Optional, unlimited | Ethernet port settings |
| etun | etun | Optional, unlimited | Ether tunnel (RFC3378) |
| fb105 | fb105 | Optional, up to 255 | FB105 tunnel settings |
| interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets |
| ip-group | ip-group | Optional, unlimited | Named IP groups |
| ipsec-ike | ipsec-ike | Optional | IPsec connection settings |
| l2tp | l2tp | Optional | L2TP settings |
| log | log | Optional, up to 50 | Log target controls |
| loopback | loopback | Optional, unlimited | Extra local addresses |
| network | network | Optional, unlimited | Locally originated networks |
| nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks |
| ospf | ospf | Optional, unlimited | OSPF config |
| ping | ping | Optional, up to 100 | Base ping graph settings |
| port | portdef | Optional, up to 4 | Port grouping and naming |
| ppp | pppoe | Optional, up to 10 | PPPoE settings |
| profile | profile | Optional, unlimited | Control profiles |
| route | route | Optional, unlimited | Static routes |
| route-override | route-override | Optional, unlimited | Routing override rules |
| rule-set | rule-set | Optional, unlimited | Firewall/mapping rules |
| sampling | sampling | Optional | Sampling parameters |
| services | services | Optional | General system services |
| shaper | shaper | Optional, unlimited | Named traffic shapers |
| system | system | Optional | System settings |
| user | user | Optional, unlimited | Admin users |
| voip | voip | Optional | VoIP config |

System settings

The system settings are the top level attributes of the system which apply globally.

system: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| acme-directory | string | ACME server directory | https://acme-v02.api.letsencrypt.org/directory |
| acme-hostname | List of string | Public hostname(s) for FireBrick for https | |
| acme-keygen | boolean | Automatically obtain private keys as needed | true |
| acme-renew | positiveInteger | Renewal before expiry (days) | 30 |
| acme-terms-agreed-email | string | Put your email if you agree CA terms | |
| busy-threshold | unsignedInt | Max non-idle time before damping eth rx (millisec) | 200 |
| comment | string | Comment | |
| contact | string | Contact name | |
| cpu-int-reserved | percentage 0-100 | Min percentage of CPU earmarked for int processing | 90 |
| email | string | Contact email | |
| eth-rx-qsize | unsignedInt | Size of eth driver Rx queue | 256 |
| eth-tx-qsize | unsignedInt | Size of eth driver Tx queue | 512 |
| intro | string | Home page text | |
| location | string | Location description | |
| log | NMTOKEN | Log system events | Web/console |
| log-acme | NMTOKEN | Log ACME | |
| log-acme-debug | NMTOKEN | Log ACME debug | |
| log-acme-error | NMTOKEN | Log ACME errors | |
| log-config | NMTOKEN | Log config load | Web/Flash/console |
| log-debug | NMTOKEN | Log system debug messages | Not logging |
| log-error | NMTOKEN | Log system errors | Web/Flash/console |
| log-eth | NMTOKEN | Log Ethernet messages | Web/console |
| log-eth-debug | NMTOKEN | Log Ethernet debug | Not logging |
| log-eth-error | NMTOKEN | Log Ethernet errors | Web/Flash/console |
| log-route-nexthop | NMTOKEN | Log next hop changes | Not logged |
| log-stats | NMTOKEN | Log one second stats | Not logging |
| log-support | NMTOKEN | Log support messages (e.g. stack trace). Also works as log-panic, which is deprecated | Web logs |
| log-tcp-debug | NMTOKEN | Log TCP stack debug messages | Not logging |
| name | string | System hostname | |
| pre-reboot-url | string | URL to GET prior to s/w reboot (typically to warn nagios) | |
| soft-watchdog | boolean | Debug - use only if advised; do not use on an unattended FireBrick | false |
| source | string | Source of data, used in automated config management | |
| sw-update | autoloadtype | Load new software automatically | factory |
| sw-update-profile | NMTOKEN | Profile name for when to load new s/w | |
| table | routetable 0-99 | Routing table number for system functions (s/w updates, etc) | 0 |

system: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| link | link | Optional, unlimited | Home page links |

Web links

Links to other web pages

link: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| name | string | Link name | |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| text | string | Link text | |
| url | string | Link address | |

Admin users

User names, passwords and abilities for admin users

user: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | Restrict logins to be from specific IP addresses | |
| comment | string | Comment | |
| config | config-access | Config access level | full |
| full-name | string | Full name | |
| level | user-level | Login level | ADMIN |
| name | username (NMTOKEN) | User name | Not optional |
| otp-seed | OTP | OTP seed (do not edit by hand). Also works as otp, which is deprecated | |
| password | Password | User password | Not optional |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Restrict login to specific routing table | 0 |
| timeout | duration | Login idle timeout (zero to stay logged in) | 5:00 |

User access controlled by EAP

Identities, passwords and access methods for access controlled with EAP

eap: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| full-name | string | Full name | |
| methods | Set of eap-method | Allowed methods | Not optional |
| name | string | User or account name | Not optional |
| password | Secret | User password | Not optional |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| subsystem | eap-subsystem | Access controlled subsystem | Not optional |

Log target controls

Named logging target

log: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| colour | Colour | Colour used in web display | |
| comment | string | Comment | |
| console | boolean | Log immediately to console | |
| flash | boolean | Log immediately to slow flash memory (use with care) | |
| jtag | boolean | Log immediately to jtag (development use only) | |
| name | NMTOKEN | Log target name | Not optional |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| system | boolean | Include system logs on web/cli view | |

log: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| email | log-email | Optional, unlimited | Email settings |
| syslog | log-syslog | Optional, unlimited | Syslog settings |

Syslog logger settings

Logging to a syslog server

log-syslog: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| facility | syslog-facility | Facility setting | LOCAL0 |
| port | unsignedShort | Server port | 514 |
| profile | NMTOKEN | Profile name | |
| server | IPNameAddr | Syslog server | Not optional |
| severity | syslog-severity | Severity setting | NOTICE |
| source | string | Source of data, used in automated config management | |
| source-ip | IPAddr | Use specific source IP | |
| system-logs | boolean | Include generic system log messages as well | |
| table | routetable 0-99 | Routing table number for sending syslogs | 0 |

Email logger settings

Logging to email

log-email: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| delay | duration | Delay before sending, since first event to send | 1:00 |
| from | string | Source email address | One made up using serial number |
| hold-off | duration | Delay before sending, since last email | 1:00:00 |
| log | NMTOKEN | Log emailing process | Not logging |
| log-debug | NMTOKEN | Log emailing debug | Not logging |
| log-error | NMTOKEN | Log emailing errors | Not logging |
| port | unsignedShort | Server port | 25 |
| profile | NMTOKEN | Profile name | |
| retry | duration | Delay before sending, since failed send | 10:00 |
| server | IPNameAddr | Smart host to use rather than MX | |
| source | string | Source of data, used in automated config management | |
| subject | string | Subject | From first line being logged |
| table | routetable 0-99 | Routing table number for sending email | 0 |
| to | string | Target email address | Not optional |

System services

System services are the various generic services that the system provides; the services element allows access controls and settings for each of them to be specified. A service is only active if its corresponding element is included in services; otherwise it is disabled.

services: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| dns | dns-service | Optional | DNS service settings |
| http | http-service | Optional | Web server settings |
| radius | radius-service | Optional | RADIUS server/proxy settings |
| snmp | snmp-service | Optional | SNMP server settings |
| telnet | telnet-service | Optional | Telnet server settings |
| time | time-service | Optional | System time server settings. Also works as ntp, which is deprecated |

Web service settings

Web management pages

http-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| access-control-allow-origin | string | Additional http header | |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| allow-acme | boolean | Allow limited port 80 http access for ACME during renewal | true |
| certlist | List of NMTOKEN | Certificate(s) to be used for https sessions | use any suitable |
| comment | string | Comment | |
| content-security-policy | string | Additional http header | |
| css-url | string | Additional CSS for web control pages | |
| https-port | unsignedShort | Service port for https access | 443 |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| mode | http-mode | Security mode | redirect-to-https-if-acme |
| port | unsignedShort | Service port for http access | 80 |
| profile | NMTOKEN | Profile name | |
| referrer-policy | string | Additional http header | no-referrer |
| self-sign | boolean | Create self signed certificate for https when necessary | true |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |
| trusted | List of IPNameRange | List of allowed IP ranges from which additional access to certain functions is available | |
| x-content-type-options | string | Additional http header | nosniff |
| x-frame-options | string | Additional http header | SAMEORIGIN |
| x-xss-protection | string | Additional http header | 1; mode=block |

DNS service settings

DNS forwarding resolver service

dns-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| auto-dhcp | boolean | Forward and reverse DNS for names in DHCP using this domain | |
| caching | boolean | Cache relayed DNS entries locally | true |
| comment | string | Comment | |
| domain | string | Our domain | |
| fallback | boolean | For incoming requests, if no server in required table, relay to any DNS available | true |
| fallback-table | routetable 0-99 | For incoming requests, if no server in requesting table, relay to any DNS available in this table | Don't fallback |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| profile | NMTOKEN | Profile name | |
| resolvers | List of IPAddr | Recursive DNS resolvers to use | |
| resolvers-table | routetable 0-99 | Routing table for specified resolvers | as table / 0 |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

dns-service: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| block | dns-block | Optional, unlimited | Fixed local DNS host blocks |
| host | dns-host | Optional, unlimited | Fixed local DNS host entries |

Fixed local DNS host settings

DNS forwarding resolver service

dns-host: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| ip | List of IPAddr | IP addresses to serve (or our IP if omitted) | Our IP |
| name | List of string | Host names (can use * as a part of a domain) | Not optional |
| profile | NMTOKEN | Profile name | |
| restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
| restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
| reverse | boolean | Map reverse DNS as well | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table applicable | any |
| ttl | unsignedInt | Time to live | 60 |

Fixed local DNS blocks

DNS forwarding resolver service

dns-block: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| name | List of string | Host names (can use * as a part of a domain) | Not optional |
| profile | NMTOKEN | Profile name | |
| restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
| restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table applicable | any |
| ttl | unsignedInt | Time to live | 60 |

RADIUS service definition

RADIUS server and proxy definitions

radius-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| acct-port | unsignedShort | Accounting UDP port | 1813 |
| auth-port | unsignedShort | Authentication UDP port | 1812 |
| authenticator | boolean | Require message authenticator | |
| backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
| class | string | Class field to send | |
| comment | string | Comment | |
| control-port | unsignedShort | Control UDP port (CoA/DM) | 3799 |
| dummy-ip | boolean | Send dummy framed IP response | true |
| erx-tunnel-switch-profile | string | Juniper attribute 91 | |
| erx-tunnel-virtual-router | string | Juniper attribute 8 | |
| erx-virtual-router-name | string | Juniper attribute 1 (Also SIN502 Context-Name). Also works as context-name, which is deprecated | |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | |
| log-error | NMTOKEN | Log errors | Log as event |
| nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
| nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
| nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
| order | radiuspriority | Priority tagging of endpoints sent | |
| profile | NMTOKEN | Profile name | |
| relay-ip | List of IPAddr | Address to copy RADIUS request | |
| relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
| relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
| secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
| source | string | Source of data, used in automated config management | |
| tagged | boolean | Tag all attributes that can be | |
| target-hostname | string | Hostname for L2TP connection | |
| target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
| target-secret | Secret | Shared secret for L2TP connection | |
| tunnel-assignment-id | string | Tunnel Assignment ID to send | |
| tunnel-client-return | boolean | Return tunnel client as radius IP | |

radius-service: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | radius-service-match | Optional, unlimited | Matching rules for specific responses |
| server | radius-server | Optional, unlimited | RADIUS server settings |

Matching rules for RADIUS service

Rules for matching incoming RADIUS requests

radius-service-match: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | Match source IP address of RADIUS request | |
| authenticator | boolean | Require message authenticator | |
| backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
| called-station-id | List of string | One or more patterns to match called-station-id | |
| calling-station-id | List of string | One or more patterns to match calling-station-id | |
| class | string | Class field to send | |
| comment | string | Comment | |
| dummy-ip | boolean | Send dummy framed IP response | true |
| erx-tunnel-switch-profile | string | Juniper attribute 91 | |
| erx-tunnel-virtual-router | string | Juniper attribute 8 | |
| erx-virtual-router-name | string | Juniper attribute 1 (Also SIN502 Context-Name). Also works as context-name, which is deprecated | |
| ip | List of IPNameRange | Match target IP address of RADIUS request | |
| name | string | Name | |
| nas-ip | List of IPNameRange | Match NAS-IP address in RADIUS request | |
| nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
| nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
| nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
| order | radiuspriority | Priority tagging of endpoints sent | |
| profile | NMTOKEN | Profile name | |
| relay-ip | List of IPAddr | Address to copy RADIUS request | |
| relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
| relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
| secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
| source | string | Source of data, used in automated config management | |
| stop | boolean | Stop checking if this matches | true |
| tagged | boolean | Tag all attributes that can be | |
| target-hostname | string | Hostname for L2TP connection | |
| target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
| target-secret | Secret | Shared secret for L2TP connection | |
| tunnel-assignment-id | string | Tunnel Assignment ID to send | |
| tunnel-client-return | boolean | Return tunnel client as radius IP | |
| username | List of string | One or more patterns to match username | |

RADIUS server settings

Server settings for outgoing RADIUS

radius-server: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| host | List of IPNameAddr | One or more hostname/IPs of RADIUS servers | Not optional |
| max-timeout | duration | Maximum final timeout | 10 |
| min-timeout | duration | Minimum final timeout | 2 |
| name | string | Name | |
| port | unsignedShort | UDP port | From services/radius settings |
| profile | NMTOKEN | Profile name | |
| queue | unsignedInt | Concurrent requests over all of these servers (per type) | |
| scale-timeout | unsignedByte | Timeout scaling factor | 2 |
| secret | Secret | Shared secret for RADIUS requests | Not optional |
| source | string | Source of data, used in automated config management | |
| source-ip | IPAddr | Fix source IP | |
| table | routetable 0-99 | Routing table number | |
| type | Set of radiustype | Server type | All |

Telnet service settings

Telnet control interface

telnet-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| port | unsignedShort | Service port | 23 |
| profile | NMTOKEN | Profile name | |
| prompt | string | Prompt | system name |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

SNMP service settings

The SNMP service has the general service settings and also attributes specific to SNMP, such as the community string.

snmp-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| community | string | Community string | public |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| port | unsignedShort | Service port | 161 |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

System time server settings

The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time). The defaults are those that apply to the EU.

time-service: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| legacy-timeserver | boolean | Serve legacy TIME service on UDP port 37 | true |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| maxpoll | duration | NTP maximum poll rate | 1024 |
| minpoll | duration | NTP minimum poll rate | 64 |
| ntp-control-allow | List of IPNameRange | List of IP ranges from which control (ntpq) requests can be accessed | Allow from anywhere |
| ntp-control-local-only | boolean | Restrict control (ntpq) access to locally connected Ethernet subnets only | true |
| ntp-control-table | routetable 0-99 | Routing table number for incoming control (ntpq) requests | All |
| ntp-peer-table | routetable 0-99 | Routing table number used for outgoing ntp peer requests | 0 |
| ntp-servers | List of IPNameAddr | List of NTP time servers (IP or hostname) from which time may be synchronized and served by ntp (Null list disables NTP). Also works as ntpserver, which is deprecated | ntp.firebrick.ltd.uk |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |
| tz1-name | string | Timezone 1 name | GMT |
| tz1-offset | duration | Timezone 1 offset from UTC | 0 |
| tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25 |
| tz12-day | day | Timezone 1 to 2 day of week of change | Sun |
| tz12-month | month | Timezone 1 to 2 month | Mar |
| tz12-time | time | Timezone 1 to 2 local time of change | 01:00:00 |
| tz2-name | string | Timezone 2 name | BST |
| tz2-offset | duration | Timezone 2 offset from UTC | 1:00:00 |
| tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25 |
| tz21-day | day | Timezone 2 to 1 day of week of change | Sun |
| tz21-month | month | Timezone 2 to 1 month | Oct |
| tz21-time | time | Timezone 2 to 1 local time of change | 02:00:00 |

Physical port controls

Physical port attributes

ethernet: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| autoneg | boolean | Perform link auto-negotiation | auto negotiate unless manual 10/100 speed and duplex are set |
| clocking | LinkClock | Gigabit clock setting | prefer-slave |
| crossover | Crossover | Port crossover configuration | auto |
| duplex | LinkDuplex | Duplex setting for this port | auto |
| flow | LinkFlow | Flow control setting | none |
| green | LinkLED | Green LED setting | Link/Activity |
| lacp | boolean | Send LACP packets | Auto |
| lldp | boolean | Send LLDP packets | true |
| optimise | boolean | Enable PHY optimisations | true |
| port | port | Physical port | Not optional |
| power-saving | LinkPower | Enable PHY power saving | full |
| profile | NMTOKEN | Profile name | |
| send-fault | LinkFault | Send fault status | |
| speed | LinkSpeed | Speed setting for this port | auto |
| yellow | LinkLED | Yellow LED setting | Tx |

Packet sampling configuration

Packet sampling configuration

sampling: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| agent-ip | IPAddr | IP address used to identify this agent | use source-ip |
| collector-ip | IPAddr | IP address of collector | Not optional |
| collector-port | unsignedShort | UDP port which collector listens on | 6343 for sFlow, 4739 for IPFIX |
| comment | string | Comment | |
| mtu | mtu 576-2000 | | 1500 |
| name | string | Name | |
| profile | NMTOKEN | Profile name | |
| protocol | sampling-protocol | Protocol used to export sampling data | sflow |
| sample-flush | duration | Sample max cache time | 1 sec for sFlow; 30 for IPFIX |
| sample-rate | sample-rate 100-10000 | Sample rate (uniform random prob 1/N) | 1000 |
| snap-length | unsignedShort | Packet header snap length | 64 |
| source | string | Source of data, used in automated config management | |
| source-ip | IPAddr | Source IP address to use | |
| source-port | unsignedShort | UDP source port | Use collector-port |
| stats-interval | duration | Stats export interval | 60 |
| table | routetable 0-99 | Routing table number for sample data | 0 |
| template-refresh | duration | Template resend interval | 600 |

Port grouping and naming

Port grouping and naming

portdef: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| name | NMTOKEN | Name | Not optional |
| ports | Set of port | Physical port(s) | Not optional |
| source | string | Source of data, used in automated config management | |
| trunk | trunk-mode | Trunk ports | false |

Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

interface: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| bgp | bgpmode | BGP announce mode for routes | Not announced |
| comment | string | Comment | |
| cug | cug 1-32767 | Closed user group ID | |
| cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) | |
| dhcp-relay | IP4Addr | Relay any unresolved requests to external server | |
| fast-l2tp | boolean | Set on interfaces that are mainly terminating L2TP traffic | |
| graph | graphname (token) | Graph name | |
| link | NMTOKEN | Interface to which this is linked at layer 2 | |
| log | NMTOKEN | Log events including DHCP and related events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| mtu | mtu 576-2000 | MTU for this interface | 1500 |
| name | NMTOKEN | Name | |
| ospf | boolean | OSPF announce mode for route | true |
| ospf-cost | unsignedShort | Outbound link cost | 1 |
| pd-pcp | boolean | Accept NAT-PMP / PCP on PD subnets | true |
| ping | IPAddr | Ping address to add loss/latency to graph for interface | |
| port | NMTOKEN | Port group name | Not optional |
| profile | NMTOKEN | Profile name | |
| ra-client | boolean | Accept IPv6 RA and create auto config subnets and routes | true |
| restrict-mac | boolean | Use only one MAC on this interface | |
| sampling | sampling-mode | Perform sampling | off |
| source | string | Source of data, used in automated config management | |
| source-filter | sfoption | Source filter traffic received via this interface | |
| source-filter-table | routetable 0-99 | Routing table to use for source filtering checks | interface table |
| table | routetable 0-99 | Routing table applicable | 0 |
| vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
| wan | boolean | Do not consider this interface 'local' for 'local-only' checks | |

interface: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| dhcp | dhcps | Optional, unlimited | DHCP server settings |
| subnet | subnet | Optional, unlimited | IP subnet on the interface |
| vrrp | vrrp | Optional, unlimited | VRRP settings |

Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

subnet: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| accept-dns | boolean | Accept DNS servers specified by DHCP | true |
| arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
| bgp | bgpmode | BGP announce mode for routes | Not announced |
| broadcast | boolean | If broadcast address allowed | false |
| comment | string | Comment | |
| dhcp-class | string | DHCP client option 60 (Class) | FB-type |
| dhcp-client-id | string | DHCP client option 61 (Client-Identifier) | MAC |
| gateway | List of IPAddr | One or more gateways to install | |
| ip | List of IPSubnet | One or more IP/len | Automatic by DHCP |
| localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295 |
| mtu | mtu 576-2000 | MTU for subnet | As interface |
| name | string | Name | |
| nat | boolean | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules) | false |
| ospf | boolean | OSPF announce mode for route | true |
| pcp | boolean | Accept NAT-PMP / PCP | If nat |
| profile | NMTOKEN | Profile name | |
| proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false |
| ra | ramode | If to announce IPv6 RA for this subnet | false |
| ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements | |
| ra-dnssl | List of string | List of DNS search domains in route announcements | |
| ra-managed | dhcpv6control | RA 'M' (managed) flag | |
| ra-max | ra-max 4-1800 | Max RA send interval | 600 |
| ra-min | ra-min 3-1350 | Min RA send interval | ra-max/3 |
| ra-mtu | unsignedShort | MTU to use on RA | As subnet |
| ra-other | dhcpv6control | RA 'O' (other) flag | |
| ra-profile | NMTOKEN | Profile, if inactive then forces low priority RA | |
| source | string | Source of data, used in automated config management | |
| test | IPAddr | Test link state using ARP/ND for this IP | |
| ttl | unsignedByte | TTL for originating traffic via subnet | 64 |

VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Use different VRID on different VLANs.

vrrp: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true |
| comment | string | Comment | |
| delay | unsignedInt | Delay after routing established before priority returns to normal | 60 |
| interval | unsignedShort | Transit interval (centiseconds) | 100 |
| ip | List of IPAddr | One or more IP addresses to announce | Not optional |
| log | NMTOKEN | Log events | Not logging |
| log-error | NMTOKEN | Log errors | log as event |
| low-priority | unsignedByte | Lower priority applicable until routing established | 1 |
| name | NMTOKEN | Name | |
| preempt | boolean | Whether pre-empt allowed | true |
| priority | unsignedByte | Normal priority | 100 |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| use-vmac | boolean | Whether to use the special VMAC or use normal MAC | true |
| version3 | boolean | Use only version 3 | v2 for IPv4, v3 for IPv6 |
| vrid | unsignedByte | VRID | 42 |

DHCP server settings

Settings for DHCP server

dhcps: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| boot | IP4Addr | Next/boot server | |
| boot-file | string | Boot filename | |
| class | string | Vendor class match | |
| client-name | string | Client name match | |
| comment | string | Comment | |
| dns | List of IP4Addr | DNS resolvers | Our IP |
| domain | string | DNS domain | From system settings |
| domain-search | string | DNS domain search list (list will be truncated to fit one attribute) | |
| force | boolean | Send all options even if not requested | |
| gateway | IP4Subnet | Gateway | Our IP |
| ip | List of IP4Range | Address pool | 0.0.0.0/0 |
| lease | duration | Lease length | 2:00:00 |
| log | NMTOKEN | Log events (allocations) | Not logging |
| mac | List of up to 12 macprefix (hexBinary) | Partial or full client hardware (MAC) addresses (or client-id MAC if specified) | |
| name | string | Name | |
| ntp | List of IP4Addr | NTP server | Our IP |
| profile | NMTOKEN | Profile name | |
| source | string | Source of data, used in automated config management | |
| syslog | List of IP4Addr | Syslog server | |
| time | List of IP4Addr | Time server | Our IP |

dhcps: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
| send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
| send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
| send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |

DHCP server attributes (hex)

Additional DHCP server attributes (hex)

dhcp-attr-hex: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | hexBinary | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (string)

Additional DHCP server attributes (string)

dhcp-attr-string: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | string | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

dhcp-attr-number: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | unsignedInt | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (IP)

Additional DHCP server attributes (IP)

dhcp-attr-ip: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | IP4Addr | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

PPPoE settings

PPPoE endpoint settings

pppoe: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| ac-name | string | Access concentrator name | Any a/c name as client, else same as 'name' |
| accept-dns | boolean | Accept DNS servers specified by far end | true |
| bgp | bgpmode | BGP announce mode for routes | Not announced |
| calling-prefix | string | Prefix on calling number (BRAS mode) | |
| comment | string | Comment | |
| cug | cug 1-32767 | Closed user group ID | |
| cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) | |
| eth | port | Physical port connected to modem (for port reset) | |
| fast-retry | boolean | Aggressive re-connect | |
| graph | graphname (token) | Graph name | |
| ip-over-lcp | boolean | Sends all IP packets as LCP | auto |
| lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
| lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
| local | IP4Addr | Local IPv4 address | |
| localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log as events | Not logging |
| mode | pppoe-mode | PPPoE server/client mode | client |
| mtu | mtu 576-2000 | MTU for link | 1492 |
| name | NMTOKEN | Name | |
| nat | boolean | NAT IPv4 traffic to this link unless otherwise set by rules | false |
| ospf | boolean | OSPF announce mode for route | true |
| password | Secret | User password | |
| pd-interface | List of NMTOKEN | Interfaces for IPv6 prefix delegation | Auto |
| port | NMTOKEN | Port group name | |
| profile | NMTOKEN | Profile name | |
| remote | IP4Addr | Remote IPv4 address | |
| rfc4638 | boolean | Send RFC4638 PPP-Max-Payload | If over 1492 MTU |
| routes | List of IPPrefix | Routes when link up | Default gateway |
| service | string | Service name | Any service |
| source | string | Source of data, used in automated config management | |
| speed | unsignedInt | Default egress rate limit (b/s) | |
| table | routetable 0-99 | Routing table number for payload | |
| tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
| username | string | User name | |
| vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |

pppoe: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up |

PPP routes

Routes that apply when link is up

ppp-route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management

Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
gateway | List of IPAddr | One or more target gateway IPs | Not optional
graph | graphname (token) | Graph name
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management
speed | unsignedInt | Egress rate limit (b/s)
table | routetable 0-99 | Routing table number | 0

Locally originated networks

Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but add routing.

network: Attributes
Attribute | Type | Description | Default
as-path | List of up to 10 unsignedInt | Custom AS path as if network received
bgp | bgpmode | BGP announce mode for routes | true
comment | string | Comment
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number | 0
tag | List of Community | List of community tags

Dead end networks

Networks that go nowhere

blackhole: Attributes
Attribute | Type | Description | Default
as-path | List of up to 10 unsignedInt | Custom AS path as if network received
bgp | bgpmode | BGP announce mode for routes | false
comment | string | Comment
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
no-fib | boolean | Route not in forwarding, only for EBGP
ospf | boolean | OSPF announce mode for route
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number | 0
tag | List of Community | List of community tags

Locally originated networks

Loopback addresses define local IP addresses

loopback: Attributes
Attribute | Type | Description | Default
as-path | List of up to 10 unsignedInt | Custom AS path as if network received
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
ip | List of IPAddr | One or more local network addresses | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number | 0
tag | List of Community | List of community tags

Overall OSPF settings

The OSPF element defines general OSPF settings. Where interfaces or a table are specified, the first matching OSPF config is applied. Only OSPF internal-router and AS-border-router functionality is provided.

ospf: Attributes
Attribute | Type | Description | Default
area-id | IP4Addr | Area ID | 0.0.0.0
auth-algorithm | ipsec-auth-algorithm | Authentication algorithm for OSPFv3 | AES-XCBC
auth-key | hexBinary | Key for OSPFv3 authentication
bgp | bgpmode | BGP announce mode for routes
comment | string | Comment
crypt-algorithm | ipsec-crypt-algorithm | Encryption algorithm for OSPFv3 | null
crypt-key | hexBinary | Key for OSPFv3 encryption
dead-interval | duration | Default router dead interval | 45
hello-interval | duration | Default hello interval | 9
instance | unsignedByte | Instance ID for OSPFv3
interfaces | List of NMTOKEN | Ethernet interfaces to which this OSPF config applies | All
ipsec-type | ipsec-type | Encapsulation type for OSPFv3 security | ESP
key-id | integer | Key ID for OSPFv2 MD5 authentication (-1 for simple auth) | 1
localpref | unsignedInt | Base localpref (highest wins)
log | NMTOKEN | Log calls | Not logging
log-debug | NMTOKEN | Log debug and SIP messages | Not logging
log-error | NMTOKEN | Log errors | Log as event
name | string | Name
password | Secret | Secret for OSPFv2 MD5 authentication
priority | unsignedByte | Default priority | 1
profile | NMTOKEN | Profile name
router-id | IP4Addr | Router ID
rxmt-interval | duration | Default router retransmit interval | 3
source | string | Source of data, used in automated config management
spi | ipsec-spi 256-4294967295 | SPI for OSPFv3 security (unset for no security)
stub | boolean | Stub area
table | routetable 0-99 | Routing table | 0

Mapping and filtering rules of BGP prefixes

This defines a set of named rules for mapping and filtering of prefixes to/from a BGP peer.

namedbgpmap: Attributes
Attribute | Type | Description | Default
comment | string | Comment
name | NMTOKEN | Name | Not optional
source | string | Source of data, used in automated config management
namedbgpmap: Elements
Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

bgprule: Attributes
Attribute | Type | Description | Default
as-origin | unsignedInt | AS that must be last in path to match
as-present | unsignedInt | AS that must be present in path to match
comment | string | Comment
community | Community | Community that must be present to match
detag | List of Community | List of community tags to remove
drop | boolean | Do not import/export this prefix
localpref | unsignedInt | Set localpref (highest wins)
med | unsignedInt | Set MED
name | string | Name
no-community | Community | Community that must not be present to match
pad | unsignedByte | Pad (prefix stuff) our AS on export by this many, can be zero to not send our AS
prefix | List of IPFilter | Prefixes that this rule applies to
source | string | Source of data, used in automated config management
tag | List of Community | List of community tags to add

Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

bgp: Attributes
Attribute | Type | Description | Default
as | unsignedInt | Our AS
blackhole-community | Community | Community tag to mark black hole routes
cluster-id | IP4Addr | Our cluster ID
comment | string | Comment
dead-end-community | Community | Community tag to mark dead end routes
greyhole-community | Community | Community tag to mark black hole routes with no-fib
id | IP4Addr | Our router ID
log | NMTOKEN | Log events | Not logging
name | string | Name
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number | 0
bgp: Elements
Element | Type | Instances | Description
peer | bgppeer | Optional, up to 50 | List of peers/neighbours

BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.

bgppeer: Attributes
Attribute | Type | Description | Default
add-own-as | boolean | Add our AS on exported routes
allow-export | boolean | Ignore no-export community and export anyway | true for customer
allow-only-their-as | boolean | Only accept routes that are solely the peer's AS
allow-own-as | boolean | Allow our AS inbound
as | unsignedInt | Peer AS
blackhole-community | Community | Egress community tag to mark black hole routes | Not announced on EBGP, our blackhole-community if IBGP
capability-as4 | boolean | If supporting AS4 | true
capability-graceful-restart | boolean | If supporting Graceful Restart | true
capability-mpe-ipv4 | boolean | If supporting MPE for IPv4 | true
capability-mpe-ipv6 | boolean | If supporting MPE for IPv6 | true
capability-route-refresh | boolean | If supporting Route Refresh | true
clean-shutdown-wait | duration | Send peers low priority and delay on shutdown
clean-startup-wait | duration | Don't announce routes within this time of reboot
comment | string | Comment
drop-default | boolean | Ignore default route received | false
export-filters | List of NMTOKEN | Named export filters to apply
export-med | unsignedInt | Set MED on exported routes (unless export filter sets it)
holdtime | unsignedInt | Hold time | 30
ignore-bad-optional-partial | boolean | Ignore routes with a recognised badly formed optional that is flagged partial | true
import-filters | List of NMTOKEN | Named import filters to apply
import-localpref | unsignedInt | Set localpref on imported routes (unless import filter sets it)
import-tag | List of Community | List of community tags to add in addition to any import filters
in-soft | boolean | Mark received routes as soft
ip | List of IPAddr | One or more IPs of neighbours (omit to allow incoming)
log-debug | NMTOKEN | Log debug | Not logging
max-prefix | bgp-prefix-limit 1-10000 | Limit prefixes (IPv4+IPv6) | 10000
md5 | Secret | MD5 signing secret
name | string | Name
next-hop-self | boolean | Force us as next hop outbound | false
no-fib | boolean | Don't include received routes in packet forwarding
pad | unsignedByte | Pad (prefix stuff) our AS on export by this many
profile | NMTOKEN | Profile name
reduce-recursion | boolean | Override incoming next hop if not local subnet | false
same-ip-type | boolean | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers | true
send-default | boolean | Send a default route to this peer | false
send-no-routes | boolean | Don't send any normal routes | false
source | string | Source of data, used in automated config management
timer-idle | unsignedInt | Idle time after error | 60
timer-openwait | unsignedInt | Time to wait for OPEN on connection | 10
timer-retry | unsignedInt | Time to retry the neighbour | 10
ttl-security | byte | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking.
type | peertype | Type of neighbour (affects some defaults) | normal
use-vrrp-as-self | boolean | Use VRRP address as self if possible | true if customer/transit type
bgppeer: Elements
Element | Type | Instances | Description
export | bgpmap | Optional | Mapping and filtering rules of announcing prefixes to peer
import | bgpmap | Optional | Mapping and filtering rules of accepting prefixes from peer
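The peer attributes above include several that decide how much an external neighbour can do to the routing table: md5 signs the TCP session, ttl-security (positive values) rejects packets that did not come from an adjacent router, max-prefix caps what a peer may inject (10000 if left at the default), and the import/export filters decide which prefixes are accepted or announced. The following audit script is an added example, not FireBrick code. It assumes the saved configuration is XML whose element and attribute names match this reference (a bgp element holding peer children, with import/export child elements for inline maps); the sample configuration embedded in it is constructed.

```python
"""Audit the BGP peer definitions in a FireBrick-style XML configuration.

Added example, not FireBrick's own code. It assumes the saved configuration
is XML whose element and attribute names match this reference (a <bgp>
element holding <peer> children with attributes ip, md5, ttl-security,
max-prefix, import-filters, export-filters and <import>/<export> children).
The configuration below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one hardened transit peer, one partially configured
# customer peer, and one peer that accepts unsolicited sessions.
SAMPLE_CONFIG = """\
<config>
  <bgp as="64496" id="192.0.2.1">
    <peer name="transit-a" as="64500" ip="198.51.100.1" type="transit"
          md5="constructed-example-secret" ttl-security="1" max-prefix="5000"
          import-filters="from-transit" export-filters="to-transit"/>
    <peer name="cust-b" as="64501" ip="198.51.100.9 2001:db8::9" type="customer"
          import-filters="from-cust-b"/>
    <peer name="open-peer" as="64502" ttl-security="-1"/>
  </bgp>
</config>
"""

DEFAULT_MAX_PREFIX = 10000  # max-prefix default from the bgppeer table


def audit_peer(peer):
    """Return a sorted list of finding codes for one <peer> element."""
    findings = []
    if not peer.get("ip"):
        # ip omitted: the peer is accepted on any incoming connection
        findings.append("accepts-unsolicited-sessions")
    if not peer.get("md5"):
        findings.append("no-md5-signing")
    # ttl-security: 1..127 enables RFC5082 checking; negative values only set
    # the sending TTL and do not check, so they count as unchecked here.
    ttl = int(peer.get("ttl-security", "0"))
    if ttl <= 0:
        findings.append("no-ttl-security-check")
    if peer.get("max-prefix") is None:
        findings.append(f"default-max-prefix-{DEFAULT_MAX_PREFIX}")
    # A filter may be a named namedbgpmap reference or an inline child map.
    if not peer.get("import-filters") and peer.find("import") is None:
        findings.append("no-import-filter")
    if not peer.get("export-filters") and peer.find("export") is None:
        findings.append("no-export-filter")
    return sorted(findings)


def audit_bgp_peers(xml_text):
    """Map each peer name to its findings; clean peers map to []."""
    root = ET.fromstring(xml_text)
    report = {}
    for bgp in root.iter("bgp"):
        for index, peer in enumerate(bgp.findall("peer")):
            name = peer.get("name") or f"peer-{index}"
            report[name] = audit_peer(peer)
    return report


if __name__ == "__main__":
    for name, findings in audit_bgp_peers(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

The check on ttl-security follows the table literally: only a positive value enables checking, so a peer configured with -1 sends TTL 1 but still accepts packets from any distance.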

Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

bgpmap: Attributes
Attribute | Type | Description | Default
comment | string | Comment
detag | List of Community | List of community tags to remove
drop | boolean | Do not import/export this prefix
localpref | unsignedInt | Set localpref (highest wins)
med | unsignedInt | Set MED
prefix | List of IPFilter | Drop all that are not in this prefix list
source | string | Source of data, used in automated config management
tag | List of Community | List of community tags to add
bgpmap: Elements
Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking
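To make the bgpmap and bgprule attributes concrete, here is an added example (not FireBrick code) that evaluates a constructed customer import policy against candidate routes: the map-level prefix list drops anything outside the customer's allocation, the first match rule accepts routes the customer's own AS originated, and a final catch-all rule drops the rest. The page does not state how list values are delimited, how an IPFilter is matched, or whether later rules still run after a match; this example assumes whitespace-separated lists, that an IPFilter entry is a plain prefix matching any route contained in it, that only the first matching rule is applied, and that map-level tag/detag/localpref/med are applied before the rules so a rule can override them.

```python
"""Evaluate a bgpmap (import or export policy) against candidate routes.

Added example, not FireBrick's own code. Assumptions not stated on the page:
list-valued attributes are whitespace separated; an IPFilter entry is a
plain prefix matching any route contained in it; the first matching <match>
rule is the only one applied; map-level tag/detag/localpref/med are applied
before the rules. The policy and the routes below are constructed.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional, Set
import xml.etree.ElementTree as ET

# Constructed customer import policy: accept only the customer's own
# allocation, and only when the customer's AS (64501) originated the route.
CUSTOMER_IMPORT = """\
<import prefix="198.51.100.0/22 2001:db8:100::/48" localpref="200">
  <match name="customer-originated" as-origin="64501" tag="64496:100"/>
  <match name="anything-else" drop="true"/>
</import>
"""


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: Set[str] = field(default_factory=set)
    localpref: Optional[int] = None
    med: Optional[int] = None


def _tokens(value):
    return value.split() if value else []


def _in_prefix_list(prefix, filters):
    """True if the route prefix lies inside any filter prefix (same family)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry in filters:
        fnet = ipaddress.ip_network(entry, strict=False)
        if net.version == fnet.version and net.subnet_of(fnet):
            return True
    return False


def _rule_matches(rule, route):
    """bgprule conditions: prefix, as-origin (last AS), as-present,
    community, no-community. An unset condition matches everything."""
    prefixes = _tokens(rule.get("prefix"))
    if prefixes and not _in_prefix_list(route.prefix, prefixes):
        return False
    origin = rule.get("as-origin")
    if origin and (not route.as_path or route.as_path[-1] != int(origin)):
        return False
    present = rule.get("as-present")
    if present and int(present) not in route.as_path:
        return False
    if rule.get("community") and rule.get("community") not in route.communities:
        return False
    if rule.get("no-community") and rule.get("no-community") in route.communities:
        return False
    return True


def _apply_actions(node, route):
    """Apply drop/localpref/med/detag/tag from a bgpmap or bgprule node.
    Returns False when the node drops the route."""
    if node.get("drop") == "true":
        return False
    if node.get("localpref"):
        route.localpref = int(node.get("localpref"))
    if node.get("med"):
        route.med = int(node.get("med"))
    route.communities.difference_update(_tokens(node.get("detag")))
    route.communities.update(_tokens(node.get("tag")))
    return True


def apply_bgpmap(bgpmap_xml, route):
    """Return a modified copy of the route, or None if the policy drops it."""
    bgpmap = ET.fromstring(bgpmap_xml)
    route = Route(route.prefix, list(route.as_path), set(route.communities),
                  route.localpref, route.med)
    allowed = _tokens(bgpmap.get("prefix"))
    if allowed and not _in_prefix_list(route.prefix, allowed):
        return None  # "Drop all that are not in this prefix list"
    if not _apply_actions(bgpmap, route):
        return None
    for rule in bgpmap.findall("match"):  # "in order of checking"
        if _rule_matches(rule, route):
            return route if _apply_actions(rule, route) else None
    return route


if __name__ == "__main__":
    for candidate in (Route("198.51.100.0/24", [64501]),
                      Route("203.0.113.0/24", [64501]),
                      Route("198.51.100.0/24", [64501, 64999])):
        print(candidate.prefix, candidate.as_path, "->",
              apply_bgpmap(CUSTOMER_IMPORT, candidate))
```

Running it shows the three outcomes a practitioner cares about: the customer's own /24 is accepted with localpref 200 and the tag added, a prefix outside the allocation never reaches the rules, and a route the customer merely transits (origin 64999) falls through to the drop rule.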

Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.

cqm: Attributes
Attribute | Type | Description | Default
ave | Colour | Colour for average latency | #08f
axis | Colour | Axis colour | black
background | Colour | Background colour | white
bottom | unsignedByte | Pixels space at bottom of graph | 11
dateformat | string | Date format | %Y-%m-%d
dayformat | string | Day format | %a
fail | Colour | Colour for failed (dropped) seconds | red
fail-level | unsignedInt | Fail level not expected on low usage | 1
fail-level1 | unsignedByte | Loss level 1 | 3
fail-level2 | unsignedByte | Loss level 2 | 50
fail-score | unsignedByte | Score for fail and low usage | 200
fail-score1 | unsignedByte | Score for on/above level 1 | 100
fail-score2 | unsignedByte | Score for on/above level 2 | 200
fail-usage | unsignedInt | Usage below which fail is not expected | 128000
fblogo | Colour | Colour for logo | #bd1220
graticule | Colour | Graticule colour | grey
heading | string | Heading of graph
hourformat | string | Hour format | %H
key | unsignedByte | Pixels space for key | 90
label-ave | string | Label for average latency | Ave
label-damp | string | Label for % shaper damping | Damp%
label-fail | string | Label for seconds (%) failed | %Fail
label-latency | string | Label for latency | Latency
label-max | string | Label for maximum latency | Max
label-min | string | Label for minimum latency | Min
label-off | string | Label for off line seconds | Off
label-period | string | Label for period | Period
label-poll | string | Label for polls | Polls
label-rej | string | Label for rejected seconds | %Reject
label-rx | string | Label for Rx traffic level | Rx
label-score | string | Label for score | Score
label-sent | string | Label for seconds polled | Sent
label-shaper | string | Label for shaper | Shaper
label-time | string | Label for time | Time
label-traffic | string | Label for traffic level | Traffic (bit/s)
label-tx | string | Label for Tx traffic level | Tx
latency-level | unsignedInt | Latency level not expected on low usage | 100000000
latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000
latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000
latency-score | unsignedByte | Score for high latency and low usage | 200
latency-score1 | unsignedByte | Score for on/above level 1 | 10
latency-score2 | unsignedByte | Score for on/above level 2 | 20
latency-usage | unsignedInt | Usage below which latency is not expected | 128000
left | unsignedByte | Pixels space left of main graph | 0
log | NMTOKEN | Log events | Not logging
marker-width | string | Marker + on tx/rx
max | Colour | Colour for maximum latency | green
min | Colour | Colour for minimum latency | #008
ms-max | positiveInteger | ms max height | 500
off | Colour | Colour for off line seconds | #c8f
outside | Colour | Colour for outer border | transparent
ping-update | duration | Interval for periodic updates | 1:00:00
ping-url | string | URL for ping list
rej | Colour | Colour for off line seconds | #f8c
right | unsignedByte | Pixels space right of main graph | 50
rx | Colour | Colour for Rx traffic level | #800
secret | Secret | Secret for MD5 coded URLs
sent | Colour | Colour for polled seconds | #ff8
share-interface | NMTOKEN | Interface on which to broadcast data for shaper sharing
share-secret | string | Secret to validate shaper sharing
stroke-width | string | Stroke line tx/rx
subheading | string | Subheading of graph
svg-css | string | URL for SVG CSS instead of local style settings
svg-title | boolean | Include mouseover title text on svg
text | Colour | Colour for text | black
text1 | string | Text line 1
text2 | string | Text line 2
text3 | string | Text line 3
text4 | string | Text line 4
timeformat | string | Time format | %Y-%m-%d %H:%M:%S
top | unsignedByte | Pixels space at top of graph | 4
tx | Colour | Colour for Tx traffic level | #080

L2TP settings

L2TP settings for incoming and outgoing L2TP connections

l2tp: Attributes
Attribute | Type | Description | Default
accounting-interval | duration | Periodic interim accounting interval | 1:00:00
send-acct-delay | boolean | Send Acct-Delay as well as Event-Timestamp on accounting
l2tp: Elements
Element | Type | Instances | Description
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections
outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections

L2TP settings for outgoing L2TP connections

L2TP tunnel settings for outgoing L2TP connections

l2tp-outgoing: Attributes
Attribute | Type | Description | Default
accept-dns | boolean | Accept DNS servers specified by far end | true
bgp | bgpmode | BGP announce mode for routes | Not announced
called | string | called-station-id to send
calling | string | calling-station-id to send
comment | string | Comment
cug | cug 1-32767 | Closed user group ID
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID)
fail-lockout | unsignedByte | Interval kept in failed state | 1
graph | string | Graph name
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true
hello-interval | unsignedByte | Interval between HELLO messages | 10
hostname | string | The hostname we quote on tunnel connect | System name
lcp-data-len | unsignedByte | LCP echo data field length
lcp-rate | unsignedByte | LCP interval (seconds) | 10
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61
local | IP4Addr | Local IPv4 address
local-ip | IPAddr | IP of our end
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
min-retry | duration | Minimum session time before retrying connection | 10
mtu | mtu 576-2000 | Default MTU for sessions in this tunnel
name | NMTOKEN | Name
nat | boolean | NAT IPv4 traffic to this link unless otherwise set in rules | true
open-timeout | unsignedByte | Interval before OPEN considered failed | 10
ospf | boolean | OSPF announce mode for route | true
password | Secret | Password for login
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
profile | NMTOKEN | Profile name
receive-window | unsignedShort | Receive window to advise on connection | Not sent
remote | IP4Addr | Remote IPv4 address
retry-timeout | unsignedByte | Interval to retry sending control messages before fail | 10
routes | List of IPPrefix | Routes when link up | Default gateway
rx-speed | unsignedInt | Send ingress rate (b/s)
secret | Secret | Shared secret
server | IPNameAddr | IP/name of far end (also works as ip, which is deprecated) | Not optional
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number for L2TP session | 0
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false
tx-speed | unsignedInt | Egress rate limit (b/s)
username | string | User name for login
l2tp-outgoing: Elements
Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when link is up

L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

l2tp-incoming: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which connects can be made
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
damping | boolean | Apply damping to sessions if limiting on shaper | false
dhcpv6dns | List of IP6Addr | List of IPv6 DNS servers
dos-limit | unsignedInt | Per second per session tx packet drop limit for DOS protection | 10000
fail-lockout | unsignedByte | Interval kept in failed state | 60
graph | string | Graph name
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true
hello-interval | unsignedByte | Interval between HELLO messages | 60
icmp-ppp | boolean | Use PPP endpoint for ICMP | false
ipv6ep | IP4Addr | Local end IPv4 for IPv6 tunnels
lcp-data-len | unsignedByte | LCP data field length
lcp-mru-fix | boolean | Restart LCP if RAS negotiated MRU is too high | false
lcp-rate | unsignedByte | LCP interval (seconds) | 1
lcp-timeout | unsignedByte | LCP timeout (seconds) | 10
local-hostname | string | Hostname quoted on reply | System name
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
mtu | mtu 576-2000 | Default MTU for sessions in this tunnel
name | string | Name
open-timeout | unsignedByte | Interval before OPEN considered failed | 60
ospf | boolean | OSPF announce mode for route | true
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
pppdns1 | IP4Addr | PPP DNS1 IPv4 default
pppdns2 | IP4Addr | PPP DNS2 IPv4 default
pppip | IP4Addr | Local end PPP IPv4
profile | NMTOKEN | Profile name
radius | string | Name for RADIUS server config to use
radius-nas-ip | radius-nas | Pass remote (LAC) or local (LNS) as RADIUS NAS IP / port (also works as relay-nas-ip, which is deprecated) | lac
receive-window | unsignedShort | Receive window to advise on connection | Not sent
remote-hostname | string | Hostname expected on connection
require-platform | boolean | All sessions require a platform RADIUS first | false
require-radius-acct | boolean | Close session if cannot do RADIUS accounting
retry-timeout | unsignedByte | Interval to retry sending control messages before fail | 60
secret | Secret | Shared secret (for far end to check)
shutdown | boolean | Refuse all new sessions or tunnels | false
source | string | Source of data, used in automated config management
source-ip | IPAddr | IP of our end for relayed (on same table) (also works as relay-local-ip, which is deprecated)
speed | unsignedInt | Default egress rate limit (b/s)
table | routetable 0-99 | Routing table number for L2TP session | Any
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false
l2tp-incoming: Elements
Element | Type | Instances | Description
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication

Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

l2tp-relay: Attributes
Attribute | Type | Description | Default
called-station-id | List of string | One or more patterns to match called-station-id
calling-station-id | List of string | One or more patterns to match calling-station-id
comment | string | Comment
graph | graphname (token) | Graph name
ip-over-lcp | boolean | Send IP over LCP (local auth)
lcp-echo-mim | boolean | Handle LCP echos in the middle on relayed connection
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295
name | string | Name
password | Secret | Password check
payload-table | routetable 0-99 | Routing table number for payload traffic (or L2TP relay) | As per l2tp-incoming
profile | NMTOKEN | Profile name
relay-hostname | string | Hostname for L2TP connection
relay-ip | List of IPAddr | Target IP(s) for L2TP connection
relay-pick | boolean | If set, try one of the relay IPs at random first
relay-secret | Secret | Shared secret for L2TP connection
remote-ip | IP4Addr | Remote end PPP IPv4 (local auth)
remote-netmask | IP4Addr | Remote end PPP Netmask (local auth)
routes | List of IPPrefix | Additional routes when link up (local auth)
source | string | Source of data, used in automated config management
username | List of string | One or more patterns to match username

FB105 tunnel definition

FB105 tunnel definition

fb105: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
fast-udp | boolean | Send UDP packets marked not to be reordered | true
graph | graphname (token) | Graph name
internal-ip | IP4Addr | Internal IP for traffic originated and sent down tunnel | local-ip
ip | IP4Addr | Far end IP | dynamic tunnel
keep-alive | boolean | Constantly send keep alive packets | true if ip set
local-id | unsignedByte | Unique local end tunnel ID | Not optional
local-ip | IP4Addr | Force specific local end IP
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295
log | NMTOKEN | Log events | Not logging
log-error | NMTOKEN | Log errors | Log as event
mtu | unsignedShort | MTU for wrapped packets | 1500
name | NMTOKEN | Name
obfuscate | hex32 (hexBinary) | Scramble (not encrypt) data
ospf | boolean | OSPF announce mode for route | true
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
port | unsignedShort | UDP port to use | 1
profile | NMTOKEN | Profile name
remote-id | unsignedByte | Unique remote end tunnel ID | Not optional
reorder | boolean | Reorder incoming tunnel packets | false
reorder-maxq | fb105-reorder-maxq 1-100 | Max queue length for out of order packets | 32
reorder-timeout | fb105-reorder-timeout 10-5000 | Max time to delay out of order packet (ms) | 100
routes | List of IPPrefix | Routes when link up | None
satellite | boolean | Mark links that are high speed and latency for split latency bonding (experimental)
secret | Secret | Shared secret for tunnel | Unsigned
set | unsignedByte | Set ID for reorder ID tagging (create a set of tunnels together)
sign-all | boolean | All packets must be signed, not just keepalives | false
source | string | Source of data, used in automated config management
speed | unsignedInt | Egress rate limit used (b/s) | no shaping
table | routetable 0-99 | Routing table number for tunnel wrappers | 0
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true
fb105: Elements
Element | Type | Instances | Description
route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up

FB105 routes

Routes for prefixes that are sent to the FB105 tunnel when up

fb105-route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management

IPsec configuration (IKEv2)

IPsec IKE and manually-keyed connection details

ipsec-ike: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which IKE connections are allowed | Allow from anywhere
force-NAT | List of IPNameRange | List of IP ranges of peers requiring forced NAT-T
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
trusted | List of IPNameRange | List of IP ranges given higher priority when establishing new connections
comment | string | Comment
source | string | Source of data, used in automated config management
ipsec-ike: Elements
Element | Type | Instances | Description
IKE-proposal | ike-proposal | Optional, unlimited | Proposals for IKE security association
IPsec-proposal | ipsec-proposal | Optional, unlimited | Proposals for IPsec AH/ESP security association
connection | ike-connection (ipsec-connection-common) | Optional, unlimited | IKE connections
manually-keyed | ipsec-manual (ipsec-connection-common) | Optional, unlimited | IPsec manually-keyed connections (not recommended)
roaming | ike-roaming | Optional, unlimited | IKE roaming IP pools

connection configuration

IPsec IKE connection settings

ike-connection: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
graph | graphname (token) | Graph name
internal-ipv4 | IP4Addr | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel | local-ip
internal-ipv6 | IP6Addr | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel | local-ip
local-ip | IPAddr | Local IP
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
mtu | unsignedShort | MTU for wrapped packets | 1500
name | NMTOKEN | Name
ospf | boolean | OSPF announce mode for route | true
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
peer-ips | List of IPNameRange | Peer's IP or range | Accept from anywhere
profile | NMTOKEN | Profile name
routes | List of IPPrefix | Routes when link up
source | string | Source of data, used in automated config management
speed | unsignedInt | Egress rate limit used (b/s) | no shaping
table | routetable 0-99 | Routing table number for IKE traffic and tunnel wrappers | 0
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true
type | ipsec-type | Encapsulation type | ESP
auth-method | ike-authmethod | Method for authenticating self to peer | Not optional
blackhole | boolean | Blackhole routed traffic when tunnel is not up | false
certlist | List of NMTOKEN | Certificate(s) to be used to authenticate self | use any suitable
dead-peer-detect | duration | Check peer is alive at least this often (0 to inhibit) | 30
ike-proposals | List of NMTOKEN | IKE proposal list | use built-in default proposals
ipsec-proposals | List of NMTOKEN | IPsec proposal list | use built-in default proposals
lifetime | duration | Max lifetime before renegotiation | 1:00:00
local-ID | string | Local IKE ID
local-ts | List of IPRange | Valid outgoing-source/incoming-destination IPs for tunnelled traffic | Allow any
mode | ike-mode | IKE connection setup mode | Wait
peer-ID | string | Peer IKE ID
peer-auth-method | ike-authmethod | Method for authenticating peer | Use auth-method
peer-certlist | List of NMTOKEN | Certificate trust anchor(s) acceptable for authenticating peer | accept any suitable
peer-secret | Secret | Shared secret used to authenticate peer | use secret
peer-ts | List of IPRange | Valid outgoing-destination/incoming-source IPs for tunnelled traffic | Allow any
peer-ts-from-routes | boolean | Send traffic selector based on routing (also works as ts-from-routes, which is deprecated) | false
query-eap-id | boolean | Query client for EAP identity | true
roaming-pool | NMTOKEN | IKE roaming IP pool
secret | Secret | Shared secret used to authenticate self to peer
ike-connection: Elements
Element | Type | Instances | Description
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up

IPsec tunnel routes

Routes for prefixes that are sent to the IPsec tunnel

ipsec-route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
ip | List of IPPrefix | One or more network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name
ospf | boolean | OSPF announce mode for route | true
profile | NMTOKEN | Profile name
source | string | Source of data, used in automated config management

IKE roaming IP pools

Pool of IP addresses and associated DNS/NBNS servers for dynamic IP allocation

ike-roaming: Attributes
Attribute | Type | Description | Default
DNS | List of IPAddr | List of DNS servers available to clients
NBNS | List of IPAddr | List of NetBios name servers available to clients
comment | string | Comment
ip | List of IPRange | List of IP ranges for allocation to road-warrior clients | Not optional
name | NMTOKEN | Name | Not optional
nat | boolean | NAT incoming IPv4 traffic unless set otherwise in rules | false
source | string | Source of data, used in automated config management

IKE security proposal

Proposal for establishing the IKE security association

ike-proposal: Attributes
Attribute | Type | Description | Default
DHset | Set of ike-DH | Diffie-Hellman group for IKE negotiation | Accept any supported group
PRFset | Set of ike-PRF | Pseudo-Random function for key generation | Accept any supported function
authset | Set of ipsec-auth-algorithm | Integrity check algorithm for IKE messages | Accept any supported algorithm
cryptset | Set of ipsec-crypt-algorithm | Encryption algorithm for IKE messages | Accept any supported algorithm
name | NMTOKEN | Name | Not optional

IPsec AH/ESP proposal

Proposal for establishing the IPsec AH/ESP keying information

ipsec-proposal: Attributes
Attribute | Type | Description | Default
DHset | Set of ike-DH | Diffie-Hellman group for IPsec key negotiation | Accept any supported group
ESN | Set of ike-ESN | Support for extended sequence numbers | Accept ESN or short SN
authset | Set of ipsec-auth-algorithm | Integrity check algorithm for IPsec traffic | Accept any supported algorithm
cryptset | Set of ipsec-crypt-algorithm | Encryption algorithm for IPsec traffic | Accept any supported algorithm
name | NMTOKEN | Name | Not optional

peer configuration

IPsec manually keyed connection settings (not recommended, use IKEv2 and secrets instead)

ipsec-manual: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | Not announced
comment | string | Comment
graph | graphname (token) | Graph name
internal-ipv4 | IP4Addr | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel | local-ip
internal-ipv6 | IP6Addr | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel | local-ip
local-ip | IPAddr | Local IP
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
mtu | unsignedShort | MTU for wrapped packets | 1500
name | NMTOKEN | Name
ospf | boolean | OSPF announce mode for route | true
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
peer-ips | List of IPNameRange | Peer's IP or range | Accept from anywhere
profile | NMTOKEN | Profile name
routes | List of IPPrefix | Routes when link up
source | string | Source of data, used in automated config management
speed | unsignedInt | Egress rate limit used (b/s) | no shaping
table | routetable 0-99 | Routing table number for IKE traffic and tunnel wrappers | 0
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true
type | ipsec-type | Encapsulation type | ESP
auth-algorithm | ipsec-auth-algorithm | Manual setting for authentication algorithm | null
auth-key | hexBinary | Manual key for authentication
crypt-algorithm | ipsec-crypt-algorithm | Manual setting for encryption algorithm | null
crypt-key | hexBinary | Manual key for encryption
local-spi | ipsec-spi 256-4294967295 | Local Security Parameters Index | Not optional
mode | ipsec-encapsulation | Encapsulation mode | tunnel
outer-spi | ipsec-spi 256-4294967295 | Security Parameters Index for outer header
remote-spi | ipsec-spi 256-4294967295 | Peer Security Parameters Index | Not optional
ipsec-manual: Elements
Element | Type | Instances | Description
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up
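Several of the tunnel and remote-access objects in this reference are permissive when attributes are left unset: ipsec-ike allow defaults to "Allow from anywhere", an ike-connection with no peer-ips accepts from anywhere and with no local-ts/peer-ts allows any tunnelled traffic, an fb105 tunnel with no secret runs "Unsigned" and even with a secret only signs keepalives unless sign-all is true, and manually-keyed IPsec is marked not recommended. The script below is an added example (not FireBrick code) that audits those objects together; it covers the l2tp-incoming, fb105 and ipsec-ike sections above. It assumes the saved configuration is XML whose element and attribute names match this reference, and, since the page gives no default for l2tp-incoming allow, treats an unset value as unrestricted (an assumption). The configuration it reads is constructed; the auth-method attribute that a real connection requires is left out because its enumeration is not on the page.

```python
"""Audit tunnel and remote-access objects for unrestricted or unsigned
settings, using the defaults stated in this reference.

Added example, not FireBrick's own code. Assumes XML whose element and
attribute names match this reference: <l2tp><incoming>, <fb105>, and
<ipsec-ike> with <connection> and <manually-keyed> children. The sample
configuration is constructed; the required auth-method attribute is omitted
because its enumeration is not given on the page.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<config>
  <l2tp>
    <incoming name="lns-any" secret="constructed-secret"/>
    <incoming name="lns-partners" allow="198.51.100.0/24" secret="constructed-secret"/>
  </l2tp>
  <fb105 name="site-a" local-id="1" remote-id="2" ip="203.0.113.7"/>
  <fb105 name="site-b" local-id="3" remote-id="4" ip="203.0.113.8"
         secret="constructed-secret" sign-all="true"/>
  <ipsec-ike>
    <connection name="hq" peer-ips="203.0.113.10"
                local-ts="192.0.2.0/24" peer-ts="198.51.100.0/24"/>
    <connection name="roadwarriors" roaming-pool="staff-pool"/>
    <manually-keyed name="legacy" local-spi="256" remote-spi="257"/>
  </ipsec-ike>
</config>
"""


def audit_l2tp_incoming(elem):
    findings = []
    if not elem.get("allow"):
        findings.append("l2tp-allow-unrestricted")  # assumption: unset = any source
    if not elem.get("secret"):
        findings.append("l2tp-no-shared-secret")
    return findings


def audit_fb105(elem):
    findings = []
    if not elem.get("secret"):
        findings.append("fb105-unsigned")  # secret default is "Unsigned"
    elif elem.get("sign-all") != "true":
        findings.append("fb105-only-keepalives-signed")  # sign-all default false
    return findings


def audit_ipsec_ike(elem):
    """Return {object-key: findings} for one <ipsec-ike> element."""
    report = {}
    report["ipsec-ike"] = [] if elem.get("allow") else ["ike-allow-from-anywhere"]
    for conn in elem.findall("connection"):
        findings = []
        # A roaming-pool connection legitimately has no fixed peer address.
        if not conn.get("peer-ips") and not conn.get("roaming-pool"):
            findings.append("peer-ips-accept-from-anywhere")
        if not conn.get("local-ts"):
            findings.append("local-ts-allow-any")
        if not conn.get("peer-ts"):
            findings.append("peer-ts-allow-any")
        report[f"ike-connection/{conn.get('name')}"] = findings
    for manual in elem.findall("manually-keyed"):
        report[f"ipsec-manual/{manual.get('name')}"] = ["manually-keyed-not-recommended"]
    return report


def audit_config(xml_text):
    root = ET.fromstring(xml_text)
    report = {}
    for l2tp in root.iter("l2tp"):
        for inc in l2tp.findall("incoming"):
            report[f"l2tp-incoming/{inc.get('name')}"] = audit_l2tp_incoming(inc)
    for tun in root.iter("fb105"):
        report[f"fb105/{tun.get('name')}"] = audit_fb105(tun)
    for ike in root.iter("ipsec-ike"):
        report.update(audit_ipsec_ike(ike))
    return report


if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {', '.join(findings) or 'no findings'}")
```

The roaming-pool exception is deliberate: a road-warrior connection cannot name its peers in advance, so the useful check there is the traffic selectors rather than peer-ips.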

Ping/graph definition

Base ping config - additional ping targets set via web API or other means

ping: Attributes
Attribute | Type | Description | Default
comment | string | Comment
graph | graphname (token) | Graph name | Not optional
ip | IPNameAddr | Far end IP | Not optional
name | string | Name
profile | NMTOKEN | Profile name
size | ping-size 0-1472 | Payload size | 0
slow | boolean | Slow polling | Auto
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number for sending pings | 0

Control profile

General on/off control profile used in various places in the config.

profile: Attributes
Attribute | Type | Description | Default
and | List of NMTOKEN | Active if all specified profiles are active as well as all other tests passing, including 'not'
comment | string | Comment
control-switch-users | List of NMTOKEN | Restrict users that have access to control switch | Any users
expect | boolean | Defines state considered 'Good' and shown green on status page | none
fb105 | List of NMTOKEN | FB105 tunnel state (any of these active)
initial | boolean | Defines state at system startup, or new config, where not known/fixed | true
interval | duration | Time between tests | 1
invert | boolean | Invert final result of testing
l2tp | List of NMTOKEN | Outgoing L2TP link state (any of these are up)
log | NMTOKEN | Log target | Not logging
log-debug | NMTOKEN | Log additional information | Not logging
name | NMTOKEN | Profile name | Not optional
not | NMTOKEN | Active if specified profile is inactive as well as all other tests passing, including 'and'
or | List of NMTOKEN | Active if any of these other profiles are active regardless of other tests (including 'not' or 'and')
ports | Set of port | Test passes if any of these physical ports are up
ppp | List of NMTOKEN | PPP link state (any of these are up)
recover | duration | Time before recover (i.e. how long test has been passing) | 1
route | List of IPAddr | Test passes if all specified addresses are routeable
set | switch | Manual override. Test settings ignored; control switches can use and/or/not/invert
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table for ping/route
timeout | duration | Time before timeout (i.e. how long test has been failing) | 10
vrrp | List of NMTOKEN | VRRP state (any of these is master)
profile: Elements
Element | Type | Instances | Description
date | profile-date | Optional, unlimited | Test passes if within any date range specified
ping | profile-ping | Optional | Test passes if address is answering pings
time | profile-time | Optional, unlimited | Test passes if within any time range specified

Test passes if within any of the date/time ranges specified

Date range test in profiles

profile-date: Attributes
Attribute | Type | Description | Default
comment | string | Comment
source | string | Source of data, used in automated config management
start | dateTime | Start (YYYY-MM-DDTHH:MM:SS)
stop | dateTime | End (YYYY-MM-DDTHH:MM:SS)

Test passes if within any of the time ranges specified

Time range test in profiles

profile-time: Attributes
Attribute | Type | Description | Default
comment | string | Comment
days | Set of day | Which days of week apply, default all
source | string | Source of data, used in automated config management
start | time | Start (HH:MM:SS)
stop | time | End (HH:MM:SS)

Test passes if any addresses are pingable

Ping targets

profile-ping: Attributes
Attribute | Type | Description | Default
comment | string | Comment
flow | unsignedShort | Flow label (IPv6)
gateway | IPAddr | Ping via specific gateway (bypasses session tracking if set)
ip | IPAddr | Target IP | Not optional
source | string | Source of data, used in automated config management
source-ip | IPAddr | Source IP
ttl | unsignedByte | Time to live / Hop limit

Traffic shaper

Settings for a named traffic shaper

shaper: Attributes
Attribute | Type | Description | Default
comment | string | Comment
name | graphname (token) | Graph name | Not optional
rx | unsignedLong | Rx rate limit/target (b/s)
rx-max | unsignedLong | Rx rate limit max
rx-min | unsignedLong | Rx rate limit min
rx-min-burst | duration | Rx minimum allowed burst time
rx-step | unsignedLong | Rx rate reduction per hour
share | boolean | If shaper is shared with other devices
source | string | Source of data, used in automated config management
tx | unsignedLong | Tx rate limit/target (b/s)
tx-max | unsignedLong | Tx rate limit max
tx-min | unsignedLong | Tx rate limit min
tx-min-burst | duration | Tx minimum allowed burst time
tx-step | unsignedLong | Tx rate reduction per hour
shaper: Elements
Element | Type | Instances | Description
override | shaper-override | Optional, unlimited | Profile specific variations on main settings

Traffic shaper override based on profile

Settings for a named traffic shaper

shaper-override: Attributes
Attribute | Type | Description | Default
comment | string | Comment
profile | NMTOKEN | Profile name | Not optional
rx | unsignedLong | Rx rate limit/target (b/s)
rx-max | unsignedLong | Rx rate limit max
rx-min | unsignedLong | Rx rate limit min
rx-min-burst | duration | Rx minimum allowed burst time
rx-step | unsignedLong | Rx rate reduction per hour
source | string | Source of data, used in automated config management
tx | unsignedLong | Tx rate limit/target (b/s)
tx-max | unsignedLong | Tx rate limit max
tx-min | unsignedLong | Tx rate limit min
tx-min-burst | duration | Tx minimum allowed burst time
tx-step | unsignedLong | Tx rate reduction per hour

IP Group

Named IP group

ip-group: Attributes
Attribute | Type | Description | Default
comment | string | Comment
ip | List of IPRange | One or more IP ranges or IP/len
name | string | Name | Not optional
source | string | Source of data, used in automated config management
users | List of NMTOKEN | Include IP of (time limited) logged in web users

Routing override rules

Routing override rules

route-override: Attributes
Attribute | Type | Description | Default
comment | string | Comment
name | string | Name
source | string | Source of data, used in automated config management
table | routetable 0-99 | Applicable routing table | 0
route-override: Elements
Element | Type | Instances | Description
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies

Routing override rule

Routing override rule

session-route-rule: Attributes
Attribute | Type | Description | Default
comment | string | Comment
cug | List of PortRange | Closed user group ID(s)
hash | boolean | Use hash of IPs for load sharing
name | string | Name
profile | NMTOKEN | Profile name
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
set-gateway | IPAddr | New gateway
set-graph | string | Graph name for shaping/logging (if not set by rule-set)
set-nat | boolean | Change source IP and port to local for NAT
source | string | Source of data, used in automated config management
source-interface | List of NMTOKEN | Source interface(s)
source-ip | List of IPNameRange | Source IP address range(s)
source-port | List of PortRange | Source port(s)
target-interface | List of NMTOKEN | Target interface(s)
target-ip | List of IPNameRange | Target IP address range(s)
target-port | List of PortRange | Target port(s)
session-route-rule: Elements
Element | Type | Instances | Description
share | session-route-share | Optional, unlimited | Load shared actions

Route override load sharing

Route override setting for load sharing

session-route-share: Attributes
Attribute | Type | Description | Default
comment | string | Comment
profile | NMTOKEN | Profile name
set-gateway | IPAddr | New gateway
set-graph | string | Graph name for shaping/logging (if not set by rule-set)
set-nat | boolean | Change source IP and port to local for NAT
weight | positiveInteger | Weighting of load share | 1

Firewall/mapping rule set

Firewalling rule set with entry criteria and default actions

rule-set: Attributes
Attribute | Type | Description | Default
comment | string | Comment
cug | List of PortRange | Closed user group ID(s)
interface | List of NMTOKEN | Source or target interface(s)
ip | List of IPNameRange | Source or target IP address range(s)
log | NMTOKEN | Log session start | Not logging
log-end | NMTOKEN | Log session end | Not logging
log-no-match | NMTOKEN | Log if no match | log-start
name | string | Name
no-match-action | firewall-action | Default if no rule matches | Not optional
profile | NMTOKEN | Profile name
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
source | string | Source of data, used in automated config management
source-interface | List of NMTOKEN | Source interface(s)
source-ip | List of IPNameRange | Source IP address range(s)
source-port | List of PortRange | Source port(s)
startup-delay | duration | Startup interval to use ignore instead of reject/drop | 1:00
table | routetable 0-99 | Applicable routing table | 0
target-interface | List of NMTOKEN | Target interface(s)
target-ip | List of IPNameRange | Target IP address range(s)
target-port | List of PortRange | Target port(s)
rule-set: Elements
Element | Type | Instances | Description
ip-group | ip-group | Optional, unlimited | Named IP groups
rule | session-rule | Optional, unlimited | Individual rules, first match applies

Firewall rules

Firewall rule

The individual firewall rules are checked in order within the rule-set, and the first match is applied. The default action for a rule is continue: a matching rule with that action ends checking of this rule-set and processing moves on to the next rule-set, whereas accept, reject, drop and ignore end rule-set checking for the session altogether (see the firewall-action values later in this appendix).

session-rule: Attributes
Attribute | Type | Description | Default
action | firewall-action | Action taken on match | continue
comment | string | Comment
cug | List of PortRange | Closed user group ID(s)
hash | boolean | Use hash of IPs for load sharing
interface | List of NMTOKEN | Source or target interface(s)
ip | List of IPNameRange | Source or target IP address range(s)
log | NMTOKEN | Log session start | As rule-set
log-end | NMTOKEN | Log session end | As rule-set
name | string | Name
pcp | boolean | If mapped by NAT-PMP / PCP
profile | NMTOKEN | Profile name
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
set-gateway | IPAddr | New gateway
set-graph | string | Graph name for shaping/logging
set-graph-dynamic | dynamic-graph | Dynamically create graph
set-initial-timeout | duration | Initial time-out
set-nat | boolean | Change source IP and port to local for NAT
set-ongoing-timeout | duration | Ongoing time-out
set-reverse-graph | string | Graph name for shaping/logging (far side of session)
set-source-ip | IPRange | New source IP
set-source-port | unsignedShort | New source port
set-table | routetable 0-99 | Set new routing table
set-target-ip | IPRange | New target IP
set-target-port | unsignedShort | New target port
source | string | Source of data, used in automated config management
source-interface | List of NMTOKEN | Source interface(s)
source-ip | List of IPNameRange | Source IP address range(s)
source-mac | List of up to 12 macprefix (hexBinary) | Source MAC check if from Ethernet
source-port | List of PortRange | Source port(s)
target-interface | List of NMTOKEN | Target interface(s)
target-ip | List of IPNameRange | Target IP address range(s)
target-port | List of PortRange | Target port(s)
session-rule: Elements
Element | Type | Instances | Description
share | session-share | Optional, unlimited | Load shared actions
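
To see how rule-set entry criteria, first-match rules, no-match-action, the continue/accept/reject/drop/ignore actions and startup-delay combine, the following Python walks a constructed configuration through the order of evaluation described above. It is an added example, not FireBrick code or a real FireBrick config: the XML fragment uses only attribute names from the tables on this page, list attributes are assumed to be space-separated, IPNameRange names (ip-groups) are not resolved, a rule-set whose own criteria do not match is assumed to be skipped entirely, and a session that reaches the end of all rule-sets with no decision is assumed to be allowed.

```python
"""Walk-through of rule-set / rule evaluation order. Added example, not
FireBrick code; the config fragment is constructed from the attribute names on
this page and list values are taken to be space-separated."""
import ipaddress
import xml.etree.ElementTree as ET

CONFIG = """<config>
 <rule-set name="mgmt" target-ip="192.0.2.1" target-port="22 443" no-match-action="drop">
  <rule name="from-lan" source-ip="10.0.0.0/8" action="accept"/>
  <rule name="from-office" source-ip="198.51.100.10-198.51.100.20" protocol="6" action="accept"/>
 </rule-set>
 <rule-set name="lan-out" source-interface="LAN" no-match-action="continue">
  <rule name="no-smb" protocol="6" target-port="445" action="reject"/>
  <rule name="web" protocol="6" target-port="80 443" action="accept"/>
 </rule-set>
 <rule-set name="catch-all" no-match-action="drop">
  <rule name="icmp" protocol="1" action="accept"/>
 </rule-set>
</config>"""


def in_ips(spec, ip):
    """IPNameRange list: address, address/len or low-high (names not handled here)."""
    addr = ipaddress.ip_address(ip)
    for tok in spec.split():
        if "-" in tok:
            lo, hi = (ipaddress.ip_address(x) for x in tok.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(tok, strict=False):
            return True
    return False


def in_ports(spec, port):
    """PortRange list: a single port or xxx-xxx; a session with no port never matches."""
    if port is None:
        return False
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def in_list(spec, value):
    return str(value) in spec.split()


def matches(elem, s):
    """Entry criteria of a rule-set or rule; an absent attribute matches anything."""
    tests = (
        ("interface", lambda v: in_list(v, s["source-interface"]) or in_list(v, s["target-interface"])),
        ("ip", lambda v: in_ips(v, s["source-ip"]) or in_ips(v, s["target-ip"])),
        ("source-interface", lambda v: in_list(v, s["source-interface"])),
        ("target-interface", lambda v: in_list(v, s["target-interface"])),
        ("source-ip", lambda v: in_ips(v, s["source-ip"])),
        ("target-ip", lambda v: in_ips(v, s["target-ip"])),
        ("source-port", lambda v: in_ports(v, s["source-port"])),
        ("target-port", lambda v: in_ports(v, s["target-port"])),
        ("protocol", lambda v: in_list(v, s["protocol"])),
    )
    return all(test(elem.get(attr)) for attr, test in tests if elem.get(attr) is not None)


def evaluate(config_xml, sess, starting_up=False):
    """Return (action, name of the rule or rule-set that decided it).

    A rule-set whose own criteria fail is skipped (assumption). Within a
    matching rule-set the first matching rule wins, otherwise no-match-action
    applies. continue moves on to the next rule-set; accept, reject, drop and
    ignore stop. starting_up models startup-delay: reject/drop become ignore.
    """
    for rs in ET.fromstring(config_xml).findall("rule-set"):
        if not matches(rs, sess):
            continue
        action, decided = rs.get("no-match-action"), rs.get("name")
        for rule in rs.findall("rule"):
            if matches(rule, sess):
                action, decided = rule.get("action", "continue"), rule.get("name")
                break
        if starting_up and action in ("reject", "drop"):
            action = "ignore"
        if action != "continue":
            return action, decided
    return "accept", None   # assumption: nothing decided, so the session is allowed


def make_session(src_if, src_ip, dst_if, dst_ip, proto, sport=None, dport=None):
    return {"source-interface": src_if, "source-ip": src_ip, "target-interface": dst_if,
            "target-ip": dst_ip, "protocol": proto, "source-port": sport, "target-port": dport}


if __name__ == "__main__":
    print(evaluate(CONFIG, make_session("LAN", "10.1.2.3", "WAN", "203.0.113.9", 6, 40000, 8080)))
```

The last case in the usage line is the one worth noticing: a LAN host going to an unlisted port is not accepted by "lan-out" (no rule matches and its no-match-action is continue), so the decision falls through to "catch-all" and the session is dropped. Ordering rule-sets so that a trailing catch-all with no-match-action="drop" exists is what turns the assumed allow-by-default into deny-by-default.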

Firewall load sharing

Firewall actions for load sharing

session-share: Attributes
Attribute | Type | Description | Default
comment | string | Comment
profile | NMTOKEN | Profile name
set-gateway | IPAddr | New gateway
set-graph | string | Graph name for shaping/logging
set-nat | boolean | Change source IP and port to local for NAT
set-reverse-graph | string | Graph name for shaping/logging (far side of session)
set-source-ip | IPRange | New source IP
set-source-port | unsignedShort | New source port
set-table | routetable 0-99 | Set new routing table
set-target-ip | IPRange | New target IP
set-target-port | unsignedShort | New target port
weight | positiveInteger | Weighting of load share | 1
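
Both the session-route-share element above and the session-share element here carry a weight, and their parent rule carries a hash flag ("Use hash of IPs for load sharing"). The following Python is an added example, not FireBrick code, showing what that flag changes: with hashing, every session between the same pair of addresses lands on the same share, which is what you want when the far side keeps per-client state or when a NAT gateway must see both directions; without it each new session is placed independently. The page only says "hash of IPs", so hashing the source and target addresses together, the SHA-256 choice, and treating a share whose profile is inactive as excluded are this example's assumptions.

```python
"""Weighted selection among share elements, with and without hash. Added
example, not FireBrick code: the fields hashed and the hash function are
assumptions; the page only says 'hash of IPs'."""
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Share:
    gateway: str              # set-gateway
    weight: int = 1           # weight, default 1 as on the page
    active: bool = True       # stands in for the share's profile being active


def pick_share(shares: Sequence[Share], src_ip: str, dst_ip: str,
               use_hash: bool, rng: Optional[random.Random] = None) -> Share:
    """Choose one active share in proportion to weight.

    use_hash=True keys the choice on (source, target), so every session between
    the same pair lands on the same gateway; otherwise each call is random.
    """
    live = [s for s in shares if s.active and s.weight > 0]
    if not live:
        raise ValueError("no active share")
    total = sum(s.weight for s in live)
    if use_hash:
        digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
        point = int.from_bytes(digest[:8], "big") % total
    else:
        point = (rng or random).randrange(total)
    for s in live:            # walk the cumulative weight buckets
        if point < s.weight:
            return s
        point -= s.weight
    raise AssertionError("unreachable")


def spread(shares: Sequence[Share], pairs: Sequence[Tuple[str, str]],
           use_hash: bool, seed: int = 0) -> Dict[str, int]:
    """Count which gateway each (src, dst) pair is sent to."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for src, dst in pairs:
        g = pick_share(shares, src, dst, use_hash, rng).gateway
        counts[g] = counts.get(g, 0) + 1
    return counts


if __name__ == "__main__":
    gws = (Share("192.0.2.1", 3), Share("192.0.2.2", 1), Share("192.0.2.3", 2, active=False))
    clients = [(f"10.0.{i // 256}.{i % 256}", "203.0.113.9") for i in range(2000)]
    print(spread(gws, clients, use_hash=True))   # roughly 3:1 between the two live gateways
```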

Voice over IP config

Voice over IP config

voip: Attributes
Attribute | Type | Description | Default
area-code | string | Local area code (without national prefix)
auth-source-ip4 | IP4Addr | Default IPv4 source address to use when sending authenticated messages
auth-source-ip6 | IP6Addr | Default IPv6 source address to use when sending authenticated messages
backup-carrier | NMTOKEN | Backup carrier to use for external calls
call-progress | boolean | Send call progress at 3 seconds | true
comment | string | Comment
country | string | Local country code | 44
default-carrier | NMTOKEN | Default carrier to use for external calls
domain | string | Domain to use for us on outgoing SIP connections
emergency | List of string | Emergency numbers | 112 999
emergency-uri | string | SIP URI for emergency calls | Use outbound carrier
international | string | International dialling prefix | 00
local-digits | string | Local numbers start with these digits | 23456789
local-min-len | unsignedByte | Local numbers min length | 5
log | NMTOKEN | Log calls | Not logging
log-cdr | NMTOKEN | Log CDR records | Not logged
log-debug | NMTOKEN | Log debug and SIP messages | Not logging
log-error | NMTOKEN | Log errors | Log as event
log-sip-blf | NMTOKEN | SUBSCRIBE, NOTIFY, PUBLISH | Not logged
log-sip-call | NMTOKEN | INVITE, ACK, CANCEL, BYE, REFER | Not logged
log-sip-other | NMTOKEN | OPTIONS, INFO, etc | Not logged
log-sip-register | NMTOKEN | REGISTER | Not logged
long-headers | boolean | Send long SIP headers | false
max-ring | duration | Max time limit on call setup | 5:00
national | string | National dialling prefix | 0
pabx | boolean | Operate as office PABX | true
pickup | string | Call pickup/steal prefix | *
radius-call | string | Name for RADIUS server config to use call routing
radius-cdr | string | Name for RADIUS server config to use for CDRs
radius-challenge | boolean | Send RADIUS auth to get challenge response
radius-register | string | Name for RADIUS server config to use for registrations
realm | string | Default realm | FireBrick
record-beep | record-beep-option | Send beep at start of recording | true
record-mandatory | boolean | Drop call if recording fails
record-server | string | Call recording server hostname or address
release | string | CLI release prefix | 1470
security-replies | boolean | Don't challenge or error reply to unrecognised non local IP request | true
send-pre-auth | boolean | Send Auth header with username before receiving challenge | true
source | string | Source of data, used in automated config management
source-ip4 | IP4Addr | Default IPv4 source address to use when sending messages
source-ip6 | IP6Addr | Default IPv6 source address to use when sending messages
user-agent | string | User-Agent to send | Version specific
withhold | string | CLI withhold prefix | 141
wrap-headers | boolean | Wrap long SIP header lines | true
voip: Elements
Element | Type | Instances | Description
carrier | carrier | Optional, up to 250 | VoIP carriers
group | ringgroup | Optional, up to 50 | Ring groups
telephone | telephone | Optional, up to 250 | VoIP users
tone | tone | Optional, up to 25 | Defined tones

VoIP carrier details

VoIP carrier details

carrier: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which invite accepted | Allow from anywhere
cli-format | voip-format | CLI number format for outgoing calls | national
comment | string | Comment
cui | string | Chargeable user identity for call accounting of incoming calls
display-name | string | Text name to use
expires | duration | Registration expiry time | 1:00:00
extn | string | Local number assumed for incoming call, use X for digits from end of called numbers
force-dtmf | boolean | Always send DTMF in-band
from | string | From SIP address for outbound registration and invites
hold-tone | boolean | Send hold tones to carrier | true
incoming-format | voip-format | Dialled number format for incoming calls | national
map-404 | sip-error 400-699 | Map SIP error 404 to an alternative
max-calls | unsignedInt | Maximum simultaneous calls allowed
name | NMTOKEN | Carrier name | Not optional
outgoing-format | voip-format | Dialled number format for outgoing calls | national
password | Secret | Carrier password for outbound registration or inbound authenticated calls
profile | NMTOKEN | Profile name
proxy | string | Carrier proxy hostname or address for registration and calls
registrar | string | Carrier hostname for registration
send-hold | boolean | Pass hold state to carrier | true
send-p-a-id | boolean | Send P-Asserted-Identity | true
send-pre-auth | boolean | Send Auth header with username before receiving challenge | As general config
send-privacy | boolean | Send Privacy (if withheld) | true
source | string | Source of data, used in automated config management
source-ip | IPAddr | Source IP to use
table | routetable 0-99 | Routing table number | 0
to | List of string | To SIP request address for inbound invites, may be @domain for any at a domain
tone-hold | string | Name of tone to generate for hold with no media
tone-progress | string | Name of tone to generate for progress with no media
tone-queue | string | Name of tone to generate for queue with no media
tone-ring | string | Name of tone to generate for ring with no media
tone-wait | string | Name of tone to generate for wait with no media
trust-cli | boolean | Trust inbound calling line identity | true
username | string | Carrier username for outbound registration or inbound authenticated calls
withhold | string | Mark withheld outbound calls using this dial prefix and send CLI in p-asserted-identity or remote-party-id

VoIP telephone authentication user details

VoIP telephone details

telephone: Attributes
Attribute | Type | Description | Default
acr | boolean | Reject calls with CLI withheld
allow | List of IPNameRange | List of IP ranges from which registration accepted | Allow from anywhere
allow-pickup | List of string | Only allow pickup from these extensions | Allow all if PABX mode
allow-subscribe | List of string | Only allow subscribe (Busy Lamp Field) from these extensions
anon-numeric | boolean | Mark anonymous calls just using withhold prefix, and leave display name
area-code | string | Local area code (without national prefix) for use from this phone
carrier | NMTOKEN | Carrier to use for outbound calls
cli-format | voip-format | CLI number format passed to telephone | auto
comment | string | Comment
cui | string | Chargeable user identity for call accounting
ddi | string | Full telephone number (international format starting +)
display-name | string | Text name to use
email | string | Email address (sent to call recording server)
expires | duration | Registration expiry time | 1:00:00
extn | string | Local extension number
force-dtmf | boolean | Always send DTMF in-band
local-only | boolean | Restrict access to registrations from Ethernet subnets only | true
max-calls | unsignedInt | Maximum simultaneous calls allowed
name | NMTOKEN | User name (local part of 'from') | Not optional
password | Secret | Authentication password
profile | NMTOKEN | Profile name
realm | string | Realm
record | recordoption | Automatically record calls
source | string | Source of data, used in automated config management
table | routetable 0-99 | Routing table number | 0
uk-cli-text | uknumberformat | Send display name as UK formatted number | Auto
uri | string | Direct URI for extn
username | string | Authentication username
wrap-up | duration | Wrap up time before new call

Tone definitions

Definition of tones used

tone: Attributes
Attribute | Type | Description | Default
name | NMTOKEN | Tone name | Not optional
plan | string | Plan for frequency and duration, e.g. 400ms@400Hz-3dB+450Hz-3dB | Not optional

Ring groups

Ring groups

ringgroup: Attributes
Attribute | Type | Description | Default
allow-pickup | List of string | Only allow pickup from these extensions
allow-subscribe | List of string | Only allow subscribe (Busy Lamp Field) from these extensions
answer-time | duration | Answer caller if ringing this long | 30
carrier | NMTOKEN | Carrier to use for external calls
comment | string | Comment
cui | string | Chargeable user identity for call accounting
ddi | List of string | Full telephone number (international format starting +)
display-name | string | Text name to use
email | string | Email address (sent to call recording server)
extn | List of string | Local extension number
initial-time | duration | Don't progress to second number until this time
limit | unsignedByte | Number allowed to queue
name | NMTOKEN | Group name | Not optional
order | ring-group-order | Order of ring | strict
out-of-hours-group | NMTOKEN | Alternative group if this is out of profile (cascades)
out-of-hours-ring | List of string | Numbers to ring if out of profile and no out-of-hours-group set (also accepted under the deprecated name out-of-hours)
overflow | List of string | Numbers to ring when more than one call in queue
overflow-time | duration | Include overflow after this time at head of queue | 30
profile | NMTOKEN | Profile name
progress-time | duration | Time between each target called | 6
redirect | boolean | Allow calls to be diverted before ringing
ring | List of string | Numbers to ring
ringall-time | duration | Switch to ring all after this time at head of queue
source | string | Source of data, used in automated config management
type | ring-group-type | Type of ring when one call in queue | all

Ether tunnel

Ether tunnel

etun: Attributes
Attribute | Type | Description | Default
eth-port | NMTOKEN | Port group name | Not optional
ip | IPAddr | Far end IP address | Not optional
log | NMTOKEN | Log events | Not logging
log-debug | NMTOKEN | Log debug | Not logging
log-error | NMTOKEN | Log errors | Log as event
name | string | Name
profile | NMTOKEN | Profile name
source-ip | IPAddr | Our IP address
table | routetable 0-99 | Routing table number | 0

DHCP server settings for remote / relayed requests

Settings for DHCP server for relayed connections

dhcp-relay: Attributes
Attribute | Type | Description | Default
allocation-table | routetable 0-99 | Routing table for allocations - suggest using separate tables for remote DHCP | Allocate same as request table
allow | List of IPNameRange | IPs allowed (e.g. allocated IPs for renewal) | Allow from anywhere
relay | List of IPNameRange | Relay server IP(s) | Any relay
table | routetable 0-99 | Routing table applicable | Allow any
dhcp-relay: Elements
Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings

Type of s/w auto load

Tag | Description
false | Do not auto load
factory | Load factory releases
beta | Load beta test releases
alpha | Load test releases

Type of access user has to config

Tag | Description
none | No access unless explicitly listed
view | View only access (no passwords)
read | Read only access (with passwords)
test | Full view and edit access but must test save config first
full | Full view and edit access

User login level

User login level - commands available are restricted according to assigned level.

Tag | Description
NOBODY | Unknown or not logged in user
GUEST | Guest user
USER | Normal unprivileged user
ADMIN | System administrator
DEBUG | System debugger

Subsystem with EAP access control

Tag | Description
IPsec | IPsec/IKEv2 VPN

EAP access method

Tag | Description
MD5 | MD5 Challenge
MSChapV2 | MS Challenge

Syslog severity

Log severity - different loggable events log at different levels.

Tag | Description
EMERG | System is unstable
ALERT | Action must be taken immediately
CRIT | Critical conditions
ERR | Error conditions
WARNING | Warning conditions
NOTICE | Normal but significant events
INFO | Informational
DEBUG | Debug level messages
NO-LOGGING | No logging

Syslog facility

Syslog facility, usually used to control which log file the syslog is written to.

Tag | Description
KERN | Kernel messages
USER | User level messages
MAIL | Mail system
DAEMON | System daemons
AUTH | Security/auth
SYSLOG | Internal to syslogd
LPR | Printer
NEWS | News
UUCP | UUCP
CRON | Cron daemon
AUTHPRIV | Private security/auth
FTP | File transfer
12 | Unused
13 | Unused
14 | Unused
15 | Unused
LOCAL0 | Local 0
LOCAL1 | Local 1
LOCAL2 | Local 2
LOCAL3 | Local 3
LOCAL4 | Local 4
LOCAL5 | Local 5
LOCAL6 | Local 6
LOCAL7 | Local 7

HTTP/HTTPS security mode

Tag | Description
http-only | No HTTPS access
http+https | Both HTTP and HTTPS access
https-only | No HTTP access
redirect-to-https | HTTP accesses are redirected to use HTTPS
redirect-to-https-if-acme | HTTP accesses are redirected to use HTTPS if ACME set up for hostname
redirect-to-https-except-trusted | HTTP accesses are redirected to use HTTPS (except trusted IPs)

Options for controlling platform RADIUS response priority tagging

Tag | Description
equal | All the same priority
strict | In order specified
random | Random order
calling | Hashed on calling station id
called | Hashed on called station id
username | Hashed on full username
user | Hashed on username before @
realm | Hashed on username after @
prefix | Hashed on username initial letters and numbers only

Type of RADIUS server

Tag | Description
authentication | Authentication server
accounting | Accounting server
control | Allowed to send control (CoA/DM)

Month name (3 letter)

Tag | Description
Jan | January
Feb | February
Mar | March
Apr | April
May | May
Jun | June
Jul | July
Aug | August
Sep | September
Oct | October
Nov | November
Dec | December

Day name (3 letter)

Tag | Description
Sun | Sunday
Mon | Monday
Tue | Tuesday
Wed | Wednesday
Thu | Thursday
Fri | Friday
Sat | Saturday

Physical port

Tag | Description
0 | Port 0 (not valid) (deprecated)
1 | Port 1
2 | Port 2
3 | Port 3
4 | Port 4

Crossover configuration

Physical port crossover configuration.

Tag | Description
auto | Crossover is determined automatically
MDI | Force no crossover

Physical port speed

Tag | Description
10M | 10Mbit/sec
100M | 100Mbit/sec
1G | 1Gbit/sec
auto | Speed determined by autonegotiation

Physical port duplex setting

Tag | Description
half | Half-duplex
full | Full-duplex
auto | Duplex determined by autonegotiation

Physical port flow control setting

Tag | Description
none | No flow control
symmetric | Can support two-way flow control
send-pauses | Can send pauses but does not support pause reception
any | Can receive pauses and may send pauses if required

Physical port Gigabit clock master/slave setting

Tag | Description
prefer-master | Master status negotiated; preference for master
prefer-slave | Master status negotiated; preference for slave
force-master | Master status forced
force-slave | Slave status forced

LED settings

Tag | Description
Link/Activity | On when link up; blink when Tx or Rx activity
Link1000/Activity | On when link up at 1G; blink when Tx or Rx activity
Link100/Activity | On when link up at 100M; blink when Tx or Rx activity
Link10/Activity | On when link up at 10M; blink when Tx or Rx activity
Link100-1000/Activity | On when link up at 100M or 1G; blink when Tx or Rx activity
Link10-1000/Activity | On when link up at 10M or 1G; blink when Tx or Rx activity
Link10-100/Activity | On when link up at 10M or 100M; blink when Tx or Rx activity
Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected
Collision | Blink when collisions detected
Tx | Blink when Tx activity
Rx | Blink when Rx activity
Off | Permanently off
On | Permanently on
Link | On when link up
Link1000 | On when link up at 1G
Link100 | On when link up at 100M
Link10 | On when link up at 10M
Link100-1000 | On when link up at 100M or 1G
Link10-1000 | On when link up at 10M or 1G
Link10-100 | On when link up at 10M or 100M
Duplex | On when full-duplex

PHY power saving options

Tag | Description
none | No power saving
link-down | Power save only when link is down
link-up | Power save only when link is up
full | Full power saving

Link fault type to send

Tag | Description
false | No fault
true | Send fault
off-line | Send offline fault (1G)
ane | Send ANE fault (1G)

Sampling protocol

Tag | Description
sflow | Use sFlow protocol
ipfix-psamp | Use IPFIX/PSAMP protocol
ipfix-legacy | Use legacy (Cisco-style) IPFIX

Trunk port mode

Tag | Description
false | Not trunking
random | Random trunking
l2-hash | L2 hashed trunking
l23-hash | L2 and L3 hashed trunking
l3-hash | L3 hashed trunking

IPv6 route announce level

IPv6 route announcement mode and level

Tag | Description
false | Do not announce
low | Announce as low priority
medium | Announce as medium priority
high | Announce as high priority
true | Announce as default (medium) priority

Control for RA and DHCPv6 bits

Tag | Description
false | Don't set bit or answer on DHCPv6
true | Set bit but do not answer on DHCPv6
dhcpv6 | Set bit and do answer on DHCPv6

BGP announcement mode

BGP mode defines the default advertisement mode for prefixes, based on well-known community tags

Tag | Description
false | Not included in BGP at all
no-advertise | Not included in BGP, not advertised at all
no-export | Not normally exported from local AS/confederation
local-as | Not exported from local AS
no-peer | Exported with no-peer community tag
true | Exported as normal with no special tags added

Sampling mode

Tag | Description
off | Don't perform sampling
ingress | Sample incoming traffic
egress | Sample outgoing traffic
both | Sample incoming and outgoing traffic

Source filter option

Tag | Description
false | No source filter checks
blackhole | Check replies have any valid route (loose reverse-path check)
true | Check replies down same port/vlan (strict reverse-path check)

Type of PPPoE connection

Tag | Description
client | Normal PPPoE client connects to access controller
bras-l2tp | PPPoE server mode linked to L2TP operation

IPsec encapsulation type

Tag | Description
AH | Authentication Header
ESP | Encapsulating Security Payload

IPsec authentication algorithm

Tag | Description
null | No authentication
HMAC-MD5 | HMAC-MD5-96 (RFC 2403)
HMAC-SHA1 | HMAC-SHA1-96 (RFC 2404)
AES-XCBC | AES-XCBC-MAC-96 (RFC 3566)
HMAC-SHA256 | HMAC-SHA-256-128 (RFC 4868)

IPsec encryption algorithm

Tag | Description
null | No encryption (RFC 2410)
3DES-CBC | 3DES-CBC (RFC 2451)
blowfish | Blowfish CBC (RFC 2451) with 16-byte key
blowfish-192 | Blowfish CBC (RFC 2451) with 24-byte key
blowfish-256 | Blowfish CBC (RFC 2451) with 32-byte key
AES-CBC | AES-CBC (Rijndael) (RFC 3602) with 16-byte key
AES-192-CBC | AES-CBC (Rijndael) (RFC 3602) with 24-byte key
AES-256-CBC | AES-CBC (Rijndael) (RFC 3602) with 32-byte key
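
The ipsec-manual attributes earlier in this appendix default both auth-algorithm and crypt-algorithm to null, and the two tables above include null, HMAC-MD5, 3DES and Blowfish among the selectable values, so a manually keyed tunnel can be configured that provides neither confidentiality nor integrity, or that relies on a 64-bit block cipher. The following Python is an added example, not FireBrick code, that lints an ipsec-manual element for those cases plus key length and SPI range. The AES and Blowfish key sizes and the 256-4294967295 SPI range are taken from this page; the MAC key sizes come from the RFCs the authentication table cites (RFC 2403, 2404, 3566, 4868) and the 3DES key size from RFC 2451; which algorithms to call weak is this editor's judgement. The two config fragments are constructed test input with dummy keys, not a real configuration.

```python
"""Lint an ipsec-manual element: algorithm choice, key length, SPI range.
Added example, not FireBrick code. AES/Blowfish key sizes and the SPI range are
from this page; MAC and 3DES key sizes are from the RFCs the tables cite; the
WEAK_* sets are the editor's judgement."""
import xml.etree.ElementTree as ET

CRYPT_KEY_BYTES = {"null": 0, "3DES-CBC": 24, "blowfish": 16, "blowfish-192": 24,
                   "blowfish-256": 32, "AES-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32}
AUTH_KEY_BYTES = {"null": 0, "HMAC-MD5": 16, "HMAC-SHA1": 20, "AES-XCBC": 16, "HMAC-SHA256": 32}
WEAK_CRYPT = {"3DES-CBC", "blowfish", "blowfish-192", "blowfish-256"}   # 64-bit block ciphers
WEAK_AUTH = {"HMAC-MD5"}
SPI_MIN, SPI_MAX = 256, 4294967295                                       # ipsec-spi range

# Constructed fragments with dummy keys (not real material).
WEAK_CONFIG = ('<ipsec-manual name="weak" peer-ips="203.0.113.7" local-spi="100" remote-spi="4000" '
               'crypt-algorithm="3DES-CBC" crypt-key="00112233445566778899aabbccddeeff"/>')
GOOD_CONFIG = ('<ipsec-manual name="good" peer-ips="203.0.113.7" local-spi="4096" remote-spi="4097" '
               'crypt-algorithm="AES-256-CBC" crypt-key="' + "11" * 32 + '" '
               'auth-algorithm="HMAC-SHA256" auth-key="' + "22" * 32 + '"/>')


def lint_ipsec_manual(xml_text):
    """Return a list of (attribute, problem) pairs; an empty list means nothing flagged."""
    e = ET.fromstring(xml_text)
    out = []
    if e.get("type", "ESP") == "AH":
        out.append(("type", "AH authenticates the packet but does not encrypt it"))
    crypt = e.get("crypt-algorithm", "null")        # page default is null
    auth = e.get("auth-algorithm", "null")          # page default is null
    if crypt == "null":
        out.append(("crypt-algorithm", "null: payload is sent in clear"))
    elif crypt in WEAK_CRYPT:
        out.append(("crypt-algorithm", f"{crypt}: 64-bit block cipher, prefer AES-256-CBC"))
    if auth == "null":
        out.append(("auth-algorithm", "null: no integrity protection"))
    elif auth in WEAK_AUTH:
        out.append(("auth-algorithm", f"{auth}: prefer HMAC-SHA256"))
    # Key presence and length must agree with the algorithm chosen.
    for key_attr, alg, table in (("crypt-key", crypt, CRYPT_KEY_BYTES),
                                 ("auth-key", auth, AUTH_KEY_BYTES)):
        want, key = table.get(alg), e.get(key_attr)
        if want is None:
            out.append((key_attr, f"unknown algorithm {alg}"))
        elif key is None:
            if want:
                out.append((key_attr, f"{alg} needs a {want}-byte key"))
        else:
            try:
                got = len(bytes.fromhex(key))
            except ValueError:
                out.append((key_attr, "not valid hex"))
                continue
            if got != want:
                out.append((key_attr, f"{alg} needs {want} bytes, got {got}"))
    # local-spi and remote-spi are 'Not optional'; outer-spi is optional.
    for spi_attr, required in (("local-spi", True), ("remote-spi", True), ("outer-spi", False)):
        v = e.get(spi_attr)
        if v is None:
            if required:
                out.append((spi_attr, "missing (not optional)"))
        elif not v.isdigit() or not SPI_MIN <= int(v) <= SPI_MAX:
            out.append((spi_attr, f"must be {SPI_MIN}-{SPI_MAX}"))
    return out


if __name__ == "__main__":
    for problem in lint_ipsec_manual(WEAK_CONFIG):
        print("%-16s %s" % problem)
```

Run against WEAK_CONFIG the lint reports four problems: 3DES selected, no authentication at all (the default), a 16-byte key where 3DES needs 24, and a local-spi below the minimum of 256. GOOD_CONFIG passes clean. Manual keying also has no rekeying and no anti-replay negotiation, so the same checks are worth repeating whenever the keys are rotated by hand.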

BGP peer type

Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.

Tag | Description
normal | Normal BGP operation
transit | EBGP Mark received as no-export
peer | EBGP Mark received as no-export, only accept peer AS
customer | EBGP Allow export as if confederate, only accept peer AS
internal | IBGP allowing own AS
reflector | IBGP allowing own AS and working in route reflector mode
confederate | EBGP confederate
ixp | Internet exchange point peer on route server, soft routes EBGP only

NAS IP to report

Tag | Description
false | Local LNS IP (deprecated)
lns | Local LNS IP
both | Send NAS IP twice (LAC then LNS)
lac | Remote LAC IP
true | Remote LAC IP (deprecated)

authentication method

Tag | Description
Secret | Shared Secret
Certificate | X.509 certificate
EAP | Use EAP for authentication

connection setup mode

Tag | Description
Wait | Wait for peer to initiate the connection
On-demand | Bring up when needed for traffic
Immediate | Always attempt to bring up connection

IKE Pseudo-Random Function

Tag | Description
HMAC-MD5 | HMAC-MD5
HMAC-SHA1 | HMAC-SHA1
AES-XCBC-128 | AES-XCBC with 128-bit key
HMAC-SHA256 | PRF-HMAC-SHA-256 (RFC 4868)

IKE Diffie-Hellman group

Tag | Description
none | No D-H negotiation (only used with AH/ESP)
MODP-1024 | 1024-bit Sophie Germain Prime MODP Group
MODP-2048 | 2048-bit Sophie Germain Prime MODP Group

IKE Sequence Number support

Tag | Description
ALLOW-ESN | Allow Extended Sequence Numbers (64 bits)
ALLOW-SHORT-SN | Allow short sequence numbers (32 bits)

Manually keyed IPsec encapsulation mode

Tag | Description
tunnel | IPsec tunnel
transport | IPsec transport

Profile manual setting

Manual setting control for profile

Tag | Description
false | Profile set to OFF
true | Profile set to ON
control-switch | Profile set based on control switch on home page

Type of dynamic graph

Tag | Description
false | No dynamic graph
ip | Use source IP address
mac | Use source MAC address

Firewall action

Tag | Description
continue | Continue rule-set checking
accept | Allow but no more rule-set checking
reject | End all rule checking now and set to send ICMP reject
drop | End all rule checking now and set to drop
ignore | End all rule checking and ignore (drop) just this packet, not making a session

Number presentation format

Tag | Description
international | Full international number
int-no-plus | International without leading plus
national | With nat/int prefix
local | Local number/extension
transparent | Unchanged
block | Do not use for calls

Number formatting option

Tag | Description
false | Don't format numbers for display
true | Format numbers for display with spacing
replace-zero | Format numbers for display with spacing and replacing zeros - may look clearer on some CLI devices

Recording option

Tag | Description
false | Don't automatically record calls
in-only | Automatically record incoming calls
out-only | Automatically record outgoing calls
true | Automatically record all calls

Order of ring

Tag | Description
strict | Order in config
random | Random order
cyclic | Cycling from last call
oldest | Oldest used phone first

Type of ring when one call in queue

Tag | Description
all | All phones
cascade | Increasing number of phones
sequence | One phone at a time

Record beep option

Tag | Description
false | No beep
button | Beep on record button press
true | Beep on start of record

Basic types

Type | Description
string | text string
token | text string
hexBinary | hex coded binary data
integer | integer (-2147483648-2147483647)
positiveInteger | positive integer (1-4294967295)
unsignedLong | unsigned long 64 bit integer (0-9223372036854775807)
unsignedInt | unsigned integer (0-4294967295)
unsignedShort | unsigned short integer (0-65535)
byte | byte integer (-128-127)
unsignedByte | unsigned byte integer (0-255)
boolean | Boolean
dateTime | YYYY-MM-DDTHH:MM:SS date/time
time | HH:MM:SS time
NMTOKEN | String with no spaces
void | Internal use
IPAddr | IP address
IPNameAddr | IP address or name
IP4Addr | IPv4 address
IP6Addr | IPv6 address
IPPrefix | IP address / bitlen
IPRange | IP address / bitlen or range
IPNameRange | IP address / bitlen or range or name
IP4Range | IPv4 address / bitlen or range
IP4Prefix | IPv4 address / bitlen
IP6Prefix | IPv6 address / bitlen
IPSubnet | IP address / bitlen
IP4Subnet | IPv4 address / bitlen
IPFilter | Route filter
Password | Password
OTP | OTP
Community | xxx:xxx community
PortRange | xxx-xxx port range
Colour | #rgb #rrggbb #rgba #rrggbbaa colour
Secret | Secret/passphrase
duration | Period [[HH:]MM:]SS
stringlist | [string] List of strings
percentage | [unsignedByte] Percentage (0 .. 100) (0-100)
routetable | [unsignedByte] Route table number (0-99)
username | [NMTOKEN] Login name
ipnamerangelist | [IPNameRange] List of IPranges or ip groups
nmtokenlist | [NMTOKEN] List of NMTOKEN
iplist | [IPAddr] List of IP addresses
ipnamelist | [IPNameAddr] List of IP addresses or domain names
datenum | [unsignedByte] Day number in month (1-31)
sample-rate | [unsignedShort] Sampling rate (100-10000)
mtu | [unsignedShort] Max transmission unit (576-2000)
subnetlist | [IPSubnet] List of subnets
ra-max | [unsignedShort] Route announcement max interval (seconds) (4-1800)
ra-min | [unsignedShort] Route announcement min interval (seconds) (3-1350)
ip6list | [IP6Addr] List of IPv6 addresses
vlan | [unsignedShort] VLAN ID (0=untagged) (0-4095)
ip4rangelist | [IP4Range] List of IP4ranges
macprefixlist | [macprefix] List of strings
macprefix | [hexBinary] MAC prefix
ip4list | [IP4Addr] List of IPv4 addresses
graphname | [token] Graph name
cug | [unsignedShort] CUG ID (1-32767)
prefixlist | [IPPrefix] List of IP Prefixes
aslist | [unsignedIntList] List of AS numbers
unsignedIntList | [unsignedInt] List of integers
communitylist | [Community] List of BGP communities
ipsec-spi | [unsignedInt] IPsec Security Parameters Index (256-4294967295)
filterlist | [IPFilter] List of IP Prefix filters
bgp-prefix-limit | [unsignedInt] Maximum prefixes accepted on BGP session (1-10000)
fb105-reorder-timeout | [unsignedInt] Maximum time to queue out of order packet (ms) (10-5000)
fb105-reorder-maxq | [unsignedInt] Maximum size of out of order packet queue (1-100)
hex32 | [hexBinary] Hex value up to 32 bits (4 bytes)
iprangelist | [IPRange] List of IPranges
ping-size | [unsignedInt] Data payload size to be sent in ping packet (0-1472)
portlist | [PortRange] List of protocol port ranges
protolist | [unsignedByte] List of IP protocols
sip-error | [unsignedShort] SIP error code (400-699)
userlist | [username] List of user names
prefix4list | [IP4Prefix] List of IPv4 Prefixes
routetableset | [routetable] Set of routetables
vlan-nz | [unsignedShort] VLAN ID (1-4095)
dates | [datenum] Set of dates
tun-id | [unsignedShort] Local tunnel ID (1-100)
ses-id | [unsignedShort] Local session ID (1-500)
hostname | [NMTOKEN] Host name