FireBrick FB2500 V2.01.100 configuration objects
This appendix defines the object definitions used in the FireBrick
FB2500 configuration.
Copyright © 2008-2023 FireBrick Ltd.
The top level config element contains all of the FireBrick configuration data.
config: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
ip | IPAddr | Config store IP address | |
patch | integer | Internal use, for s/w updates that change config syntax | |
serial | string | Serial number | |
timestamp | dateTime | Config store time, set automatically when config is saved | |
version | string | Code version | |
who | string | Config store username | |
config: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
bgp | bgp | Optional, up to 100 | BGP config |
bgp-filter | namedbgpmap | Optional, unlimited | Mapping and filtering rules for use with BGP peers |
blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks |
cqm | cqm | Optional | Constant Quality Monitoring config |
dhcp-relay | dhcp-relay | Optional, unlimited | DHCP server settings for remote / relayed requests |
eap | eap | Optional, unlimited | User access control via EAP |
ethernet | ethernet | Optional, unlimited | Ethernet port settings |
etun | etun | Optional, unlimited | Ether tunnel (RFC3378) |
fb105 | fb105 | Optional, up to 255 | FB105 tunnel settings |
interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets |
ip-group | ip-group | Optional, unlimited | Named IP groups |
ipsec-ike | ipsec-ike | Optional | IPsec connection settings |
l2tp | l2tp | Optional | L2TP settings |
log | log | Optional, up to 63 | Log target controls |
loopback | loopback | Optional, unlimited | Extra local addresses |
network | network | Optional, unlimited | Locally originated networks |
nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks |
ospf | ospf | Optional, unlimited | OSPF config (experimental) |
ping | ping | Optional, up to 500 | Base ping graph settings |
port | portdef | Optional, up to 4 | Port grouping and naming |
ppp | pppoe | Optional, up to 50 | PPPoE settings |
profile | profile | Optional, unlimited | Control profiles |
route | route | Optional, unlimited | Static routes |
route-override | route-override | Optional, unlimited | Routing override rules |
routing-tables | routing-table | Optional, unlimited | Routing table settings |
rule-set | rule-set | Optional, unlimited | Firewall/mapping rules |
sampling | sampling | Optional | Sampling parameters |
services | services | Optional | General system services |
shaper | shaper | Optional, unlimited | Named traffic shapers |
system | system | Optional | System settings |
user | user | Optional, unlimited | Admin users |
voip | voip | Optional | VoIP config |
The system settings are the top level attributes of the system which apply globally.
system: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
acme-directory | string | ACME server directory | https://acme-v02.api.letsencrypt.org/directory |
acme-hostname | List of string | Public hostname(s) for FireBrick for HTTPS | |
acme-keygen | boolean | Automatically obtain private keys as needed | true |
acme-profile | NMTOKEN | Profile for when to do ACME renewals | |
acme-renew | positiveInteger | Renewal before expiry (days) | 30 |
acme-source-ip | IP46Addr | Source IP for ACME renewal | |
acme-terms-agreed-email | string | Enter your email address here if you agree to the CA's terms | |
auto-backup-url | string | URL to http POST after config changed | |
comment | string | Comment | |
contact | string | Contact name | |
email | string | Contact email | |
eth-rx-qsize | unsignedInt | Size of eth driver Rx queue | 256 |
eth-tx-qsize | unsignedInt | Size of eth driver Tx queue | 512 |
intro | string | Home page text | |
lacp-hot-standby | lacp-hot-standby | Allow LACP to use hot standby | nosync |
location | string | Location description | |
log | NMTOKEN | Log system events | Web/console |
log-acme | NMTOKEN | Log ACME | |
log-acme-debug | NMTOKEN | Log ACME debug | |
log-acme-error | NMTOKEN | Log ACME errors | |
log-config | NMTOKEN | Log config load | Web/Flash/console |
log-debug | NMTOKEN | Log system debug messages | Not logging |
log-diagnostic | NMTOKEN | Log system diagnostic messages | Not logging |
log-error | NMTOKEN | Log system errors | Web/Flash/console |
log-eth | NMTOKEN | Log Ethernet messages | Web/console |
log-eth-debug | NMTOKEN | Log Ethernet debug | Not logging |
log-eth-error | NMTOKEN | Log Ethernet errors | Web/Flash/console |
log-ppp-dump | ppp-dump | PPP dump format | |
log-route-nexthop | NMTOKEN | Log next hop changes | Not logged |
log-stats | NMTOKEN | Log one second stats | Not logging |
log-support | NMTOKEN | Log support messages (e.g. stack trace). Also works as log-panic, which is deprecated | Web logs |
log-tcp-debug | NMTOKEN | Log TCP/TLS debug messages | Not logging |
login-intro | string | Login page text | |
name | string | System hostname | |
panic-stack-bytes | unsignedInt | Stack context for certain panics (bytes) | 0 |
pre-reboot-url | string | URL to GET prior to s/w reboot (typically to warn nagios) | |
soft-watchdog | boolean | Debug - use only if advised; do not use on an unattended FireBrick | false |
source | string | Source of data, used in automated config management | |
spoof-mac | macspoof (hexBinary) | Spoof MAC base address - use with caution! | |
sw-update | autoloadtype | Load new software automatically | factory |
sw-update-delay | fb-sw-update-delay 0-30 | Number of days after release to wait before automatically upgrading | 0 |
sw-update-profile | NMTOKEN | Profile name for when to load new s/w | |
table | routetable 0-99 | Routing table number for system functions (s/w updates, etc) | 0 |
tcp-stealth | boolean | Ignore (as opposed to reject) TCP to the FireBrick itself that isn't accepted | false |
system: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
link | link | Optional, unlimited | Intro links |
Links to other web pages
link: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
level | user-level | Login level required | GUEST |
name | string | Link name | |
profile | NMTOKEN | Profile name | |
same-tab | boolean | Open in same tab | false |
source | string | Source of data, used in automated config management | |
text | string | Link text | |
url | string | Link address | |
Default source IP for traffic originated by this FireBrick
routing-table: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
name | string | Name | |
source-ip | IP46Addr | Default source IP for services | |
table | routetable 0-99 | Routing table number | Not optional |
User names, passwords and abilities for admin users
user: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | Restrict logins to be from specific IP addresses | |
comment | string | Comment | |
config | config-access | Config access level | full |
full-name | string | Full name | |
level | user-level | Login level | ADMIN |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
log | NMTOKEN | Log events | Not logged |
name | username (NMTOKEN) | User name | Not optional |
otp-seed | OTP | OTP seed (do not edit by hand). Also works as otp, which is deprecated | |
password | Password | User password | Not optional |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Restrict login to specific routing table | 0 |
timeout | duration | Login idle timeout (zero to stay logged in, not recommended) | 5:00 |
Identities, passwords and access methods for access controlled with EAP
eap: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
full-name | string | Full name | |
methods | Set of eap-method | Allowed methods | Not optional |
name | string | User or account name | Not optional |
password | Secret | User password | Not optional |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
subsystem | eap-subsystem | Access controlled subsystem | Not optional |
Named logging target
log: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
colour | Colour | Colour used in web display | |
comment | string | Comment | |
console | boolean | Log immediately to console | |
flash | boolean | Log immediately to slow flash memory (use with care) | |
jtag | boolean | Log immediately to JTAG (development use only) | |
name | NMTOKEN | Log target name | Not optional |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
system | boolean | Include system logs on web/cli view | |
log: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
email | log-email | Optional, unlimited | Email settings |
syslog | log-syslog | Optional, unlimited | Syslog settings |
Logging to a syslog server
log-syslog: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
facility | syslog-facility | Facility setting | LOCAL0 |
port | unsignedShort | Server port | 514 |
profile | NMTOKEN | Profile name | |
server | IPNameAddr | Syslog server | Not optional |
severity | syslog-severity | Severity setting | NOTICE |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | Use specific source IP | |
system-logs | boolean | Include generic system log messages as well | |
table | routetable 0-99 | Routing table number for sending syslogs | 0 |
Logging to email
log-email: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
delay | duration | Delay before sending, since first event to send | 1:00 |
from | string | Source email address | One made up using serial number |
hold-off | duration | Delay before sending, since last email | 1:00:00 |
log | NMTOKEN | Log emailing process | Not logging |
log-debug | NMTOKEN | Log emailing debug | Not logging |
log-error | NMTOKEN | Log emailing errors | Not logging |
port | unsignedShort | Server port | 25 |
profile | NMTOKEN | Profile name | |
retry | duration | Delay before sending, since failed send | 10:00 |
server | IPNameAddr | Smart host to use rather than MX | |
source | string | Source of data, used in automated config management | |
subject | string | Subject | From first line being logged |
table | routetable 0-99 | Routing table number for sending email | 0 |
to | string | Target email address | Not optional |
System services are the generic services that the system provides; this section allows access controls and settings for each of them to be specified.
The service is only active if the corresponding element is included in services, otherwise it is disabled.
Web management pages
http-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
access-control-allow-origin | string | Additional HTTP header | |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
allow-acme | boolean | Allow limited port 80 HTTP access for ACME during renewal | true |
banner-background | Colour | Override default colours | #bd1220 |
certlist | List of NMTOKEN | Certificate(s) to be used for HTTPS sessions | use any suitable |
comment | string | Comment | |
config-boxes | Colour | Config editor colours | from banner |
content-security-policy | string | Additional HTTP header | |
css-url | string | Additional CSS for web control pages | |
highlight-text | Colour | Override default colours | from banner |
https-port | unsignedShort | Service port for HTTPS access | 443 |
js-url | string | Additional javascript for web control pages (logged in/trusted-ip) | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | NMTOKEN | Log events | Not logging |
log-client | NMTOKEN | Log client accesses | Not logging |
log-client-debug | NMTOKEN | Log client accesses (debug) | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mode | http-mode | Security mode | redirect-to-https-if-acme |
port | unsignedShort | Service port for HTTP access | 80 |
referrer-policy | string | Additional HTTP header | no-referrer |
self-sign | boolean | Create self signed certificate for HTTPS when necessary | true |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for access to service | All |
trusted | List of IPNameRange | List of allowed IP ranges from which additional access to certain functions is available | |
x-content-type-options | string | Additional HTTP header | nosniff |
x-frame-options | string | Additional HTTP header | SAMEORIGIN |
x-xss-protection | string | Additional HTTP header | 1; mode=block |
DNS forwarding resolver service
dns-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
auto-dhcp | boolean | Forward and reverse DNS for names in DHCP using this domain | |
auto-dhcp-new | string | Name to use for last new DHCP allocation (since last reboot) | |
caching | boolean | Cache relayed DNS entries locally | true |
comment | string | Comment | |
domain | string | Our domain | |
fallback | boolean | For incoming requests, if there is no server in the required table, relay to any available DNS server | true |
fallback-table | routetable 0-99 | For incoming requests, if there is no server in the requesting table, relay to any DNS server available in this table | Don't fallback |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
log-interface | List of NMTOKEN | Only do normal log for specific interface(s) | All interfaces |
resolvers | List of IPAddr | Recursive DNS resolvers to use | |
resolvers-table | routetable 0-99 | Routing table for specified resolvers | as table / 0 |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for access to service | All |
dns-service: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
block | dns-block | Optional, unlimited | Fixed local DNS host blocks |
host | dns-host | Optional, unlimited | Fixed local DNS host entries |
DNS forwarding resolver service
dns-host: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
ip | List of IPAddr | IP addresses to serve (or our IP if omitted) | Our IP |
name | List of string | Host names (can use * as a part of a domain) | Not optional |
profile | NMTOKEN | Profile name | |
restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
reverse | boolean | Map reverse DNS as well | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table applicable | any |
ttl | unsignedInt | Time to live | 60 |
DNS forwarding resolver service
dns-block: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
name | List of string | Host names (can use * as a part of a domain) | Not optional |
profile | NMTOKEN | Profile name | |
restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table applicable | any |
ttl | unsignedInt | Time to live | 60 |
RADIUS server and proxy definitions
radius-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
acct-port | unsignedShort | Accounting UDP port | 1813 |
allow | List of IPNameRange | Allowed source IP address of RADIUS request | |
aruba-vlan | vlan 0-4095 | Aruba VLAN | Don't send |
auth-port | unsignedShort | Authentication UDP port | 1812 |
authenticator | boolean | Require message authenticator | |
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
class | string | Class field to send | |
comment | string | Comment | |
control-port | unsignedShort | Control UDP port (CoA/DM) | 3799 |
dummy-ip | boolean | Send dummy framed IP response | true |
erx-egress-policy-name | string | Juniper attribute 11 | |
erx-ingress-policy-name | string | Juniper attribute 10 | |
erx-tunnel-switch-profile | string | Juniper attribute 91 | |
erx-tunnel-virtual-router | string | Juniper attribute 8 | |
erx-virtual-router-name | string | Juniper attribute 1 (also SIN502 Context-Name). Also works as context-name, which is deprecated | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | |
log-error | NMTOKEN | Log errors | Log as event |
mqtt | mqtt-brokers | Generate MQTT for radius events | Don't send |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
order | radiuspriority | Priority tagging of endpoints sent | |
profile | NMTOKEN | Profile name | |
reject | boolean | Reject request (rarely what you want) | |
relay-ip | List of IPAddr | Address to copy RADIUS request | |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
source | string | Source of data, used in automated config management | |
tagged | boolean | Tag all attributes that support tagging | |
target-hostname | string | Hostname for L2TP connection | |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
target-secret | Secret | Shared secret for L2TP connection | |
tunnel-assignment-id | string | Tunnel Assignment ID to send | |
tunnel-client-return | boolean | Return tunnel client as radius IP | |
radius-service: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
match | radius-service-match | Optional, unlimited | Matching rules for specific responses |
server | radius-server | Optional, unlimited | RADIUS server settings |
Rules for matching incoming RADIUS requests
radius-service-match: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | Allowed source IP address of RADIUS request | |
ap-group | List of string | One or more patterns to match AP Group | |
aruba-vlan | vlan 0-4095 | Aruba VLAN | Don't send |
authenticator | boolean | Require message authenticator | |
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
called-station-id | List of string | One or more patterns to match called-station-id | |
calling-station-id | List of string | One or more patterns to match calling-station-id | |
class | string | Class field to send | |
comment | string | Comment | |
device-type | List of string | One or more patterns to match Device Type | |
dummy-ip | boolean | Send dummy framed IP response | true |
erx-egress-policy-name | string | Juniper attribute 11 | |
erx-ingress-policy-name | string | Juniper attribute 10 | |
erx-tunnel-switch-profile | string | Juniper attribute 91 | |
erx-tunnel-virtual-router | string | Juniper attribute 8 | |
erx-virtual-router-name | string | Juniper attribute 1 (also SIN502 Context-Name). Also works as context-name, which is deprecated | |
essid-name | List of string | One or more patterns to match ESSID Name | |
ip | List of IPNameRange | Match target IP address of RADIUS request | |
location-id | List of string | One or more patterns to match Location ID | |
log | NMTOKEN | Log events matching this | Not logging |
mac-local | boolean | Match only local or non local MAC addresses if username is a MAC | |
name | string | Name | |
nas-ip | List of IPNameRange | Match NAS-IP address in RADIUS request | |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
order | radiuspriority | Priority tagging of endpoints sent | |
profile | NMTOKEN | Profile name | |
reject | boolean | Reject request (rarely what you want) | |
relay-ip | List of IPAddr | Address to copy RADIUS request | |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
source | string | Source of data, used in automated config management | |
stop | boolean | Stop checking if this matches | true |
tagged | boolean | Tag all attributes that support tagging | |
target-hostname | string | Hostname for L2TP connection | |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
target-secret | Secret | Shared secret for L2TP connection | |
tunnel-assignment-id | string | Tunnel Assignment ID to send | |
tunnel-client-return | boolean | Return tunnel client as radius IP | |
username | List of string | One or more patterns to match username | |
Server settings for outgoing RADIUS
radius-server: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | Allowed control request source IPs instead of host check | Must match host |
comment | string | Comment | |
host | List of IPNameAddr | One or more hostname/IPs of RADIUS servers | Not optional |
max-timeout | duration | Maximum final timeout | 10 |
min-timeout | duration | Minimum final timeout | 2 |
name | string | Name | |
port | unsignedShort | UDP port | From services/radius settings |
profile | NMTOKEN | Profile name | |
queue | unsignedInt | Concurrent requests over all of these servers (per type) | |
scale-timeout | unsignedByte | Timeout scaling factor | 2 |
secret | Secret | Shared secret for RADIUS requests | Not optional |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | Fix source IP | |
table | routetable 0-99 | Routing table number | |
type | Set of radiustype | Server type | All |
MQTT Services configuration
mqtt-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
accept-v5 | boolean | Accept v5 connections (experimental) | |
comment | string | Comment | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
retain-timeout | duration | Retained message clearing when off line | 1:00:00:00 |
session-timeout | duration | Session state clearing when off line | 1:00:00 |
source | string | Source of data, used in automated config management | |
mqtt-service: Elements
Element | Type | Instances | Description |
--- | --- | --- | --- |
external | mqtt-external | Optional | External MQTT/MQTTS config |
map | mqtt-map | Optional, up to 100 | MQTT message mapping |
mqtt | mqtt-config | Optional | Insecure MQTT config |
mqtts | mqtts-config | Optional | Secure MQTTS config |
Secure MQTTS Service configuration
mqtts-config: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | IPs allowed | Allow from anywhere |
allow-weak-cipher | boolean | Accept weaker ciphers as commonly used on IoT devices | true |
certlist | List of NMTOKEN | Certificate(s) to be used for MQTTS sessions | use any suitable |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
password | Secret | Password | |
port | unsignedShort | Service port | 8883 |
relay-external | boolean | Relay received messages to external broker | |
relay-mqtt | boolean | Relay received messages to MQTT | |
self-sign | boolean | Create self signed certificate for MQTTS when necessary | true |
table | routetable 0-99 | Routing table | Any |
username | string | Username | |
Insecure MQTT Service configuration (use with care as no encryption)
mqtt-config: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | IPs allowed | Allow from anywhere |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
password | Secret | Password | |
port | unsignedShort | Service port | 1883 |
relay-external | boolean | Relay received messages to external broker | |
relay-mqtts | boolean | Relay received messages to MQTTS | |
table | routetable 0-99 | Routing table | Any |
username | string | Username | |
External MQTT/MQTTS Connection configuration
mqtt-external: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
clientid | string | MQTT client ID | |
connect-payload | string | Connect payload | |
keep-alive | duration | Keep alive time | 1:00 |
limit-send | boolean | Don't send what we subscribed | |
mqtts | boolean | Use MQTTS (MQTT over TLS) | true |
password | Secret | Password | |
port | unsignedShort | Service port | 1883/8883 |
relay-mqtt | boolean | Relay received messages to MQTT | |
relay-mqtts | boolean | Relay received messages to MQTTS | |
server | string | Server name/ip | Not optional |
subscribe | List of string | Subscriptions | Auto |
table | routetable 0-99 | Routing table | Any |
username | string | Username | |
will-payload | string | Will payload | |
will-retain | boolean | Will/connect retain | |
will-topic | string | Will/connect topic | FireBrick/serial |
Map MQTT topic/payload
mqtt-map: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
comment | string | Comment | |
from | mqtt-brokers | Where message is from | |
payload | string | Payload pattern to match. Also works as from-payload, which is deprecated | |
profile | NMTOKEN | Profile name | |
set-payload | string | New payload. Also works as to-payload, which is deprecated | |
set-topic | string | New topic. Also works as to-topic, which is deprecated | |
source | string | Source of data, used in automated config management | |
topic | string | Topic to match (can use MQTT wildcards). Also works as from-topic, which is deprecated | Not optional |
Telnet control interface
telnet-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
port | unsignedShort | Service port | 23 |
prompt | string | Prompt | system name |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for access to service | All |
The SNMP service has general service settings and also SNMP-specific attributes, such as the community string.
snmp-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
community | Secret | Community string | public |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
port | unsignedShort | Service port | 161 |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for access to service | All |
The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time).
The defaults are those that apply to the EU.
time-service: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
legacy-timeserver | boolean | Serve legacy TIME service on UDP port 37 | false |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
maxpoll | duration | NTP maximum poll rate | 1024 |
minpoll | duration | NTP minimum poll rate | 64 |
ntp-control-allow | List of IPNameRange | List of IP ranges from which control (ntpq) requests can be accessed | Allow from anywhere |
ntp-control-local-only | boolean | Restrict control (ntpq) access to locally connected Ethernet subnets only | true |
ntp-control-table | routetable 0-99 | Routing table number for incoming control (ntpq) requests | All |
ntp-peer-table | routetable 0-99 | Routing table number used for outgoing ntp peer requests | 0 |
ntp-servers | List of IPNameAddr | List of NTP time servers (IP or hostname) from which time may be synchronized and served by NTP (an empty list disables NTP). Also works as ntpserver, which is deprecated | ntp.firebrick.ltd.uk |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for access to service | All |
tz1-name | string | Timezone 1 name | GMT |
tz1-offset | duration | Timezone 1 offset from UTC | 0 |
tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25 |
tz12-day | day | Timezone 1 to 2 day of week of change | Sun |
tz12-month | month | Timezone 1 to 2 month | Mar |
tz12-time | time | Timezone 1 to 2 local time of change | 01:00:00 |
tz2-name | string | Timezone 2 name | BST |
tz2-offset | duration | Timezone 2 offset from UTC | 1:00:00 |
tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25 |
tz21-day | day | Timezone 2 to 1 day of week of change | Sun |
tz21-month | month | Timezone 2 to 1 month | Oct |
tz21-time | time | Timezone 2 to 1 local time of change | 02:00:00 |
Physical port attributes
ethernet: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
autoneg | boolean | Perform link auto-negotiation | auto negotiate unless manual 10/100 speed and duplex are set |
clocking | LinkClock | Gigabit clock setting | prefer-slave |
crossover | Crossover | Port crossover configuration | auto |
duplex | LinkDuplex | Duplex setting for this port | auto |
flow | LinkFlow | Flow control setting | none |
green | LinkLED | Green LED setting | Link/Activity |
lacp | boolean | Send LACP packets | Auto |
lldp | boolean | Send LLDP packets | true |
optimise | boolean | Enable PHY optimisations | true |
port | port | Physical port | Not optional |
power-saving | LinkPower | Enable PHY power saving | full |
profile | NMTOKEN | Profile name | |
send-fault | LinkFault | Send fault status | |
speed | LinkSpeed | Speed setting for this port | auto |
yellow | LinkLED | Yellow LED setting | Tx |
Packet sampling configuration
sampling: Attributes
Attribute | Type | Description | Default |
--- | --- | --- | --- |
agent-ip | IPAddr | IP address used to identify this agent | use source-ip |
collector-ip | IPAddr | IP address of collector | Not optional |
collector-port | unsignedShort | UDP port which collector listens on | 6343 for sFlow, 4739 for IPFIX |
comment | string | Comment | |
mtu | mtu 576-2000 | | 1500 |
name | string | Name | |
profile | NMTOKEN | Profile name | |
protocol | sampling-protocol | Protocol used to export sampling data | sflow |
sample-flush | duration | Sample max cache time | 1 sec for sFlow; 30 for IPFIX |
sample-rate | sample-rate 100-10000 | Sample rate (uniform random prob 1/N) | 1000 |
snap-length | unsignedShort | Packet header snap length | 64 |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | Source IP address to use | |
source-port | unsignedShort | UDP source port | Use collector-port |
stats-interval | duration | Stats export interval | 60 |
table | routetable 0-99 | Routing table number for sample data | 0 |
template-refresh | duration | Template resend interval | 600 |
Port grouping and naming
portdef: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | NMTOKEN | Name | Not optional |
ports | Set of port | Physical port(s) | Not optional |
source | string | Source of data, used in automated config management | |
trunk | trunk-mode | Trunk ports | false |
The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
interface: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
cug | cug 1-32767 | Closed user group ID | |
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) | |
dhcp-relay | IP4Addr | Relay any unresolved requests to external server | |
fast-l2tp | boolean | Set on interfaces that are mainly terminating L2TP traffic | |
graph | graphname (token) | Graph name | |
link | NMTOKEN | Interface to which this is linked at layer 2 | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-dhcp | NMTOKEN | Log DHCP events not related to a pool | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mac-suffix | macsuffix (hexBinary) | Interface MAC ends with this hex value | |
mtu | mtu 576-2000 | MTU for this interface | 1500 |
name | NMTOKEN | Name | |
ospf | boolean | OSPF announce mode for route | true |
ospf-cost | unsignedShort | Outbound link cost | 1 |
pd | boolean | Available for IPv6 prefix delegation | If not WAN and no ra-subnet-templates and no ra subnets |
pd-pcp | boolean | Accept NAT-PMP / PCP on PD subnets | true |
ping | IPAddr | Ping address to add loss/latency to graph for interface | |
port | NMTOKEN | Port group name | Not optional |
profile | NMTOKEN | Profile name | |
restrict-mac | boolean | Use only one MAC on this interface | |
sampling | sampling-mode | Perform sampling | off |
source | string | Source of data, used in automated config management | |
source-filter | sfoption | Source filter traffic received via this interface | |
source-filter-table | routetable 0-99 | Routing table to use for source filtering checks | interface table |
table | routetable 0-99 | Routing table applicable | 0 |
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
wan | boolean | Do not consider this interface 'local' for 'local-only' checks | |
interface: Elements
Element | Type | Instances | Description |
dhcp | dhcps | Optional, unlimited | DHCP server settings |
dhcp6-client | dhcp6-client | Optional | DHCPv6 Client |
ra-subnet-template | subnet-template | Optional, unlimited | Subnet options for RA client |
subnet | subnet | Optional, unlimited | IP subnet on the interface |
vrrp | vrrp | Optional, unlimited | VRRP settings |
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
subnet: Attributes
Attribute | Type | Description | Default |
accept-dns | boolean | Accept DNS servers specified by DHCP | true |
arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
bgp | bgpmode | BGP announce mode for routes | Auto |
broadcast | boolean | If broadcast address allowed | false |
comment | string | Comment | |
dhcp-class | string | DHCP client option 60 (Class) | FB-type |
dhcp-client-id | string | DHCP client option 61 (Client-Identifier) | MAC |
gateway | List of IPAddr | One or more gateways to install | |
ip | List of IPSubnet | One or more IP/len | Automatic by DHCP |
localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295 |
mac-suffix | macsuffix (hexBinary) | Subnet MAC ends with this hex value | |
mtu | mtu 576-2000 | MTU for subnet | As interface |
name | string | Name | |
nat | boolean | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules) | false |
ospf | boolean | OSPF announce mode for route | true |
pcp | boolean | Accept NAT-PMP / PCP | If nat |
profile | NMTOKEN | Profile name | |
proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false |
ra | ramode | If to announce IPv6 RA for this subnet | false |
ra-autonomous | boolean | RA 'A' (autonomous) flag | If managed not set |
ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements | Our IP |
ra-dnssl | List of string | List of DNS search domains in route announcements | |
ra-managed | boolean | RA 'M' (managed) flag | |
ra-max | ra-max 4-1800 | Max RA send interval | 600 |
ra-min | ra-min 3-1350 | Min RA send interval | ra-max/3 |
ra-mtu | unsignedShort | MTU to use on RA | As subnet |
ra-onlink | boolean | RA 'L' (onlink) flag | true |
ra-other | boolean | RA 'O' (other) flag | |
ra-profile | NMTOKEN | Profile, if inactive then forces low priority RA | |
simple-dhcpv6 | boolean | Simple DHCPv6 server (fixed addresses) | |
source | string | Source of data, used in automated config management | |
test | IPAddr | Test link state using ARP/ND for this IP | |
ttl | unsignedByte | TTL for originating traffic via subnet | 64 |
subnet-template: Attributes
Attribute | Type | Description | Default |
accept-dns | boolean | Accept DNS servers specified by DHCP/SLAAC | True if not set elsewhere |
comment | string | Comment | |
gateway-match | List of IPNameRange | Apply only to received RAs with a gateway in these IPs | Any IP |
match-dhcp6-client | boolean | Allow matching RAs to be used for an explicit DHCP6 client | true |
name | string | Name | |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
dhcp6-client: Attributes
Attribute | Type | Description | Default |
accept-dns | boolean | Accept DNS servers specified by DHCPv6 | true |
arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295 |
mac-suffix | macsuffix (hexBinary) | DHCPC MAC ends with this hex value | |
mtu | mtu 576-2000 | MTU for subnet | As interface |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
ttl | unsignedByte | TTL for originating traffic via subnet | 64 |
VRRP settings provide virtual router redundancy for the FireBrick.
An inactive profile does not disable VRRP; it forces VRRP to low priority.
Use a different VRID on each VLAN.
vrrp: Attributes
Attribute | Type | Description | Default |
answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true |
comment | string | Comment | |
delay | unsignedInt | Delay after routing established before priority returns to normal | 60 |
interval | unsignedShort | Transit interval (centiseconds) | 100 |
ip | List of IPAddr | One or more IP addresses to announce | Not optional |
log | NMTOKEN | Log events | Not logging |
log-error | NMTOKEN | Log errors | log as event |
low-priority | unsignedByte | Lower priority applicable until routing established | 1 |
name | NMTOKEN | Name | |
preempt | boolean | Whether pre-empt allowed | true |
priority | unsignedByte | Normal priority | 100 |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
use-vmac | boolean | Whether to use the special VMAC or use normal MAC | true |
version3 | boolean | Use only version 3 | v2 for IPv4, v3 for IPv6 |
vrid | unsignedByte | VRID | 42 |
Settings for DHCP server
dhcps: Attributes
Attribute | Type | Description | Default |
boot | IP4Addr | Next/boot server | |
boot-file | string | Boot filename | |
broadcast | boolean | Broadcast replies even if not requested | |
circuit | string | Agent info circuit match | |
class | string | Vendor class match | |
client-name | string | Client name match | |
comment | string | Comment | |
dns | List of IP4Addr | DNS resolvers | Our IP |
domain | string | DNS domain | From system settings |
domain-search | string | DNS domain search list (list will be truncated to fit one attribute) | |
force | boolean | Send all options even if not requested | |
gateway | IP4Subnet | Gateway | Our IP |
graph-prefix | string | Prefix to use for allocation auto graphs | |
ip | List of IP4Range | Address pool | 0.0.0.0/0 |
lease | duration | Lease length | 2:00:00 |
log | NMTOKEN | Log events | Not logging |
log-decline | NMTOKEN | Log events (declined) | Not logging |
log-move | NMTOKEN | Log events (moved) | Not logging |
log-new | NMTOKEN | Log events (new) | Not logging |
log-release | NMTOKEN | Log events (released) | Not logging |
log-renew | NMTOKEN | Log events (renewed) | Not logging |
log-reuse | NMTOKEN | Log events (reused) | Not logging |
mac | List of up to 12 macprefix (hexBinary) | Partial or full client hardware (MAC) addresses (or client-id MAC if specified) | |
mac-local | boolean | Match only local or non local MAC addresses | |
mqtt | mqtt-brokers | Generate MQTT for allocate/renew | Don't send |
mqtt-all | boolean | Include renewed/declined/released | |
name | string | Name | |
ntp | List of IP4Addr | NTP server | Our IP |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
syslog | List of IP4Addr | Syslog server | |
time | List of IP4Addr | Time server | Our IP |
dhcps: Elements
Element | Type | Instances | Description |
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |
Additional DHCP server attributes (hex)
dhcp-attr-hex: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code/tag | Not optional |
name | string | Name | |
value | hexBinary | Value | Not optional |
vendor | boolean | Add as vendor specific option (under option 43) | |
Additional DHCP server attributes (string)
dhcp-attr-string: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code/tag | Not optional |
name | string | Name | |
value | string | Value | Not optional |
vendor | boolean | Add as vendor specific option (under option 43) | |
Additional DHCP server attributes (numeric)
dhcp-attr-number: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code/tag | Not optional |
name | string | Name | |
value | unsignedInt | Value | Not optional |
vendor | boolean | Add as vendor specific option (under option 43) | |
Additional DHCP server attributes (IP)
dhcp-attr-ip: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code/tag | Not optional |
name | string | Name | |
value | IP4Addr | Value | Not optional |
vendor | boolean | Add as vendor specific option (under option 43) | |
PPPoE endpoint settings
pppoe: Attributes
Attribute | Type | Description | Default |
ac-name | string | Access concentrator name | Any a/c name as client, else same as 'name' |
accept-dns | boolean | Accept DNS servers specified by far end | true |
auto-percent | unsignedByte | Try to set egress based on connect message, percentage | N/A |
bgp | bgpmode | BGP announce mode for routes | Auto |
calling-id | pppoe-calling | Add mac and/or vlan(s) after prefix | |
calling-prefix | string | Prefix on calling number (BRAS mode) | |
calling-suffix | pppoe-calling-suffix | Override the calling suffix | |
comment | string | Comment | |
cug | cug 1-32767 | Closed user group ID | |
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) | |
eth | port | Physical port connected to modem (for port reset) | |
fast-retry | boolean | Aggressive re-connect | |
graph | graphname (token) | Graph name | |
incoming-profile | NMTOKEN | Profile for responding to PADIs | |
incoming-vlans | List of vlan 0-4095 | VLAN IDs to accept connections on | |
ip-over-lcp | boolean | Sends all IP packets as LCP | auto |
lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
local | IP4Addr | Local IPv4 address | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log as events | Not logging |
mac-suffix | macsuffix (hexBinary) | MAC ends with this hex value | |
mode | pppoe-mode | PPPoE server/client mode | client |
mtu | mtu 576-2000 | MTU for link | 1492 |
name | NMTOKEN | Name | |
nat | boolean | NAT IPv4 traffic to this link unless otherwise set by rules | false |
ospf | boolean | OSPF announce mode for route | true |
password | Secret | User password | |
port | NMTOKEN | Port group name | Not optional |
profile | NMTOKEN | Profile name | |
remote | IP4Addr | Remote IPv4 address | |
rfc4638 | boolean | Send RFC4638 PPP-Max-Payload | If over 1492 MTU |
routes | List of IPPrefix | Routes when link up | Default gateway |
service | string | Service name | Any service |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Default egress rate limit (b/s) | |
table | routetable 0-99 | Routing table number for payload | |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
username | string | User name | |
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
pppoe: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up |
Routes that apply when link is up
ppp-route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
route: Attributes
Attribute | Type | Description | Default |
as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
gateway | List of IPAddr | One or more target gateway IPs | Not optional |
graph | graphname (token) | Graph name | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit (b/s) | |
table | routetable 0-99 | Routing table number | 0 |
tag | List of Community | List of community tags | |
Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but not add routing.
network: Attributes
Attribute | Type | Description | Default |
as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
bgp | bgpmode | BGP announce mode for routes | true |
comment | string | Comment | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
tag | List of Community | List of community tags | |
Networks that go nowhere
blackhole: Attributes
Attribute | Type | Description | Default |
as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
bgp | bgpmode | BGP announce mode for routes | false |
comment | string | Comment | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
no-fib | boolean | Route not in forwarding, only for EBGP | |
ospf | boolean | OSPF announce mode for route | |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
tag | List of Community | List of community tags | |
Loopback addresses define local IP addresses
loopback: Attributes
Attribute | Type | Description | Default |
as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
ip | List of IPAddr | One or more local network addresses | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
tag | List of Community | List of community tags | |
The OSPF element defines general OSPF settings.
Where interfaces/table specified, first matching OSPF config is applied.
Only provides OSPF internal and AS-border router functionality.
OSPF is not necessarily fully functional and suggested only for experimental use at present - please do give us feedback.
ospf: Attributes
Attribute | Type | Description | Default |
area-id | IP4Addr | Area ID | 0.0.0.0 |
auth-algorithm | ipsec-auth-algorithm | Authentication algorithm for OSPFv3 | AES-XCBC |
auth-key | hexBinary | Key for OSPFv3 authentication | |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
crypt-algorithm | ipsec-crypt-algorithm | Encryption algorithm for OSPFv3 | null |
crypt-key | hexBinary | Key for OSPFv3 encryption | |
dead-interval | duration | Default router dead interval | 45 |
hello-interval | duration | Default hello interval | 9 |
instance | unsignedByte | Instance ID for OSPFv3 | |
interfaces | List of NMTOKEN | Ethernet interfaces to which this OSPF config applies | All |
ipsec-type | ipsec-type | Encapsulation type for OSPFv3 security | ESP |
key-id | integer | Key ID for OSPFv2 MD5 authentication (-1 for simple auth) | 1 |
localpref | unsignedInt | Base localpref (highest wins) | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
name | string | Name | |
password | Secret | Secret for OSPFv2 MD5 authentication | |
priority | unsignedByte | Default priority | 1 |
profile | NMTOKEN | Profile name | |
router-id | IP4Addr | Router ID | |
rxmt-interval | duration | Default router retransmit interval | 3 |
source | string | Source of data, used in automated config management | |
spi | ipsec-spi 256-4294967295 | SPI for OSPFv3 security (unset for no security) | |
stub | boolean | Stub area | |
table | routetable 0-99 | Routing table | 0 |
This defines a set of named rules for mapping and filtering of prefixes to/from a BGP peer.
namedbgpmap: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | NMTOKEN | Name | Not optional |
source | string | Source of data, used in automated config management | |
namedbgpmap: Elements
Element | Type | Instances | Description |
match | bgprule | Optional, unlimited | List rules, in order of checking |
An individual rule for BGP mapping/filtering
bgprule: Attributes
Attribute | Type | Description | Default |
as-origin | unsignedInt | AS that must be last in path to match | |
as-present | unsignedInt | AS that must be present in path to match | |
comment | string | Comment | |
community | Community | Community that must be present to match | |
detag | List of Community | List of community tags to remove | |
drop | boolean | Do not import/export this prefix | |
localpref | unsignedInt | Set localpref (highest wins) | |
med | unsignedInt | Set MED | |
name | string | Name | |
no-community | Community | Community that must not be present to match | |
pad | unsignedByte | Pad (prefix stuff) our AS on export by this many, can be zero to not send our AS | |
prefix | List of IPFilter | Prefixes that this rule applies to | |
source | string | Source of data, used in automated config management | |
tag | List of Community | List of community tags to add | |
The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.
bgp: Attributes
Attribute | Type | Description | Default |
as | unsignedInt | Our AS | |
blackhole-community | Community | Community tag to mark black hole routes | |
cluster-id | IP4Addr | Our cluster ID | |
comment | string | Comment | |
dead-end-community | Community | Community tag to mark dead end routes | |
greyhole-community | Community | Community tag to mark black hole routes with no-fib | |
id | IP4Addr | Our router ID | |
log | NMTOKEN | Log events | Not logging |
name | string | Name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
bgp: Elements
Element | Type | Instances | Description |
peer | bgppeer | Optional, up to 50 | List of peers/neighbours |
The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.
bgppeer: Attributes
Attribute | Type | Description | Default |
add-own-as | boolean | Add our AS on exported routes | |
allow-export | boolean | Ignore no-export community and export anyway | true for customer |
allow-only-their-as | boolean | Only accept routes that are solely the peers AS | |
allow-own-as | boolean | Allow our AS inbound | |
as | unsignedInt | Peer AS | |
blackhole-community | Community | Egress community tag to mark black hole routes | Not announced on EBGP, our blackhole-community if IBGP |
capability-as4 | boolean | If supporting AS4 | true |
capability-graceful-restart | boolean | If supporting Graceful Restart | true |
capability-mpe-ipv4 | boolean | If supporting MPE for IPv4 | true |
capability-mpe-ipv6 | boolean | If supporting MPE for IPv6 | true |
capability-route-refresh | boolean | If supporting Route Refresh | true |
clean-shutdown-wait | duration | Resend routes at low priority when +ve, withdraw routes when -ve and delay for the absolute value on shutdown | |
clean-startup-wait | duration | Don't announce routes within this time of reboot | |
comment | string | Comment | |
drop-default | boolean | Ignore default route received | false |
export-filters | List of NMTOKEN | Named export filters to apply | |
export-med | unsignedInt | Set MED on exported routes (unless export filter sets it) | |
holdtime | unsignedInt | Hold time | 30 |
ignore-bad-optional-partial | boolean | Ignore routes with a recognised badly formed optional that is flagged partial | true |
import-filters | List of NMTOKEN | Named import filters to apply | |
import-localpref | unsignedInt | Set localpref on imported routes (unless import filter sets it) | |
import-tag | List of Community | List of community tags to add in addition to any import filters | |
in-soft | boolean | Mark received routes as soft | |
ip | List of IPAddr | One or more IPs of neighbours (omit to allow incoming) | |
log-debug | NMTOKEN | Log debug | Not logging |
max-prefix | bgp-prefix-limit 1-10000 | Limit prefixes (IPv4+IPv6) | 10000 |
md5 | Secret | MD5 signing secret | |
name | string | Name | |
next-hop-self | boolean | Force us as next hop outbound | false |
no-fib | boolean | Don't include received routes in packet forwarding | |
pad | unsignedByte | Pad (prefix stuff) our AS on export by this many | |
profile | NMTOKEN | Profile name | |
reduce-recursion | boolean | Override incoming next hop if not local subnet | false |
restart-time | unsignedShort | Time to tell other end to expect us to take to restart (defaults to holdtime) | |
same-ip-type | boolean | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers | true |
send-default | boolean | Send a default route to this peer | false |
send-no-routes | boolean | Don't send any normal routes | false |
source | string | Source of data, used in automated config management | |
timer-idle | unsignedInt | Idle time after error | 60 |
timer-openwait | unsignedInt | Time to wait for OPEN on connection | 10 |
timer-retry | unsignedInt | Time to retry the neighbour | 10 |
ttl-security | byte | Enable RFC5082 TTL security if positive (1 to 127), e.g. 1 for an adjacent router. If negative (-1 to -128), set a forced sending TTL without checking received TTL, e.g. -1 to send with TTL 1. | |
type | peertype | Type of neighbour (affects some defaults) | normal |
use-vrrp-as-self | boolean | Use VRRP address as self if possible | true if customer/transit type |
bgppeer: Elements
Element | Type | Instances | Description |
export | bgpmap | Optional | Mapping and filtering rules of announcing prefixes to peer |
import | bgpmap | Optional | Mapping and filtering rules of accepting prefixes from peer |
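The bgp, peer, bgp-filter and ospf objects above are the ones a reviewer checks first when a configuration is handed over: a peer with no ip accepts sessions from any address, a peer with no md5 or ttl-security has an unprotected session, an EBGP peer with no import filter takes whatever it is sent, and an ospf object with neither password nor auth-key forms unauthenticated adjacencies. The script below is an added example, not FireBrick's own code or documentation. It assumes the XML layout implied by this appendix (elements named after the objects: config > bgp > peer, config > bgp-filter > match, config > ospf; attributes named as in the tables), no XML namespace, and that "List of NMTOKEN" values are whitespace or comma separated; the sample configuration is constructed using documentation ASNs and addresses.

```python
"""Audit a FireBrick-style config XML for weak BGP peer and OSPF settings.

Added example, not FireBrick's own code. Assumptions: the XML layout follows
the object model of this appendix (config > bgp > peer, config > bgp-filter >
match, config > ospf), attributes carry the names in the tables, no XML
namespace is used, and "List of NMTOKEN" values are whitespace or comma
separated. The sample config is constructed with documentation ASNs/addresses.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

Finding = Tuple[str, str]  # (object label, problem found)

# Constructed sample: one locked-down transit peer, one peer with nothing set,
# one IBGP peer, and an OSPF instance with no authentication configured.
SAMPLE_CONFIG = """<config>
  <bgp as="64496" id="192.0.2.1">
    <peer name="transit" ip="192.0.2.254" as="64497" type="transit"
          md5="EXAMPLE-SECRET" ttl-security="1" max-prefix="5000"
          import-filters="transit-in"/>
    <peer name="open" as="64498" type="customer"/>
    <peer name="ibgp" ip="192.0.2.2" as="64496" md5="EXAMPLE-SECRET"/>
  </bgp>
  <bgp-filter name="transit-in">
    <match prefix="192.0.2.0/24" drop="true"/>
  </bgp-filter>
  <ospf name="backbone" router-id="192.0.2.1" area-id="0.0.0.0"/>
</config>
"""


def split_list(value: str) -> List[str]:
    """Split a 'List of ...' attribute value (assumed whitespace/comma separated)."""
    return [v for v in re.split(r"[\s,]+", value.strip()) if v]


def audit_bgp(root: ET.Element) -> List[Finding]:
    findings: List[Finding] = []
    # bgp-filter objects (type namedbgpmap) are referenced by name from a
    # peer's import-filters / export-filters lists.
    defined_filters = {f.get("name") for f in root.findall("bgp-filter")}
    for bgp in root.findall("bgp"):
        our_as = bgp.get("as")
        for peer in bgp.findall("peer"):
            label = f"bgp/peer[{peer.get('name', '?')}]"
            peer_as = peer.get("as")
            ebgp = peer_as is not None and peer_as != our_as
            if peer.get("ip") is None:
                # Table: "omit to allow incoming" - any address may open a session
                findings.append((label, "no ip: accepts incoming sessions from any address"))
            if peer.get("md5") is None:
                findings.append((label, "no md5: session not TCP-MD5 signed"))
            if ebgp and peer.get("ttl-security") is None:
                findings.append((label, "EBGP peer without ttl-security (RFC5082)"))
            if ebgp and peer.get("import-filters") is None and peer.find("import") is None:
                findings.append((label, "EBGP peer with no import filter"))
            for name in split_list(peer.get("import-filters", "")):
                if name not in defined_filters:
                    findings.append((label, f"import-filters references undefined bgp-filter '{name}'"))
    return findings


def audit_ospf(root: ET.Element) -> List[Finding]:
    findings: List[Finding] = []
    for ospf in root.findall("ospf"):
        label = f"ospf[{ospf.get('name', '?')}]"
        # password = OSPFv2 MD5 secret, auth-key = OSPFv3 authentication key
        if ospf.get("password") is None and ospf.get("auth-key") is None:
            findings.append((label, "no password or auth-key: OSPF adjacencies unauthenticated"))
    return findings


def audit(xml_text: str) -> List[Finding]:
    """Parse the config and return every finding as (object label, problem)."""
    root = ET.fromstring(xml_text)
    return audit_bgp(root) + audit_ospf(root)


if __name__ == "__main__":
    for label, problem in audit(SAMPLE_CONFIG):
        print(f"{label}: {problem}")
```

Run against the constructed sample, the transit and IBGP peers produce no findings, the open peer produces four, and the OSPF instance one. The IBGP peer is recognised by comparing the peer's as with the bgp object's as, which is why it is not held to the ttl-security and import-filter expectations that apply to EBGP.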
This defines the rules for mapping and filtering of prefixes to/from a BGP peer.
bgpmap: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
detag | List of Community | List of community tags to remove | |
drop | boolean | Do not import/export this prefix | |
localpref | unsignedInt | Set localpref (highest wins) | |
med | unsignedInt | Set MED | |
prefix | List of IPFilter | Drop all that are not in this prefix list | |
source | string | Source of data, used in automated config management | |
tag | List of Community | List of community tags to add | |
bgpmap: Elements
Element | Type | Instances | Description |
match | bgprule | Optional, unlimited | List rules, in order of checking |
Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.
cqm: Attributes
Attribute | Type | Description | Default |
auto-refresh-list | boolean | Auto refresh graph list pages (for trusted IPs) | true |
ave | Colour | Colour for average latency | #08f |
axis | Colour | Axis colour | black |
background | Colour | Background colour | white |
bottom | unsignedByte | Pixels space at bottom of graph | 11 |
dateformat | string | Date format | %Y-%m-%d |
dayformat | string | Day format | %a |
fail | Colour | Colour for failed (dropped) seconds | red |
fail-level | unsignedInt | Fail level not expected on low usage | 1 |
fail-level1 | unsignedByte | Loss level 1 | 3 |
fail-level2 | unsignedByte | Loss level 2 | 50 |
fail-score | unsignedByte | Score for fail and low usage | 200 |
fail-score1 | unsignedByte | Score for on/above level 1 | 100 |
fail-score2 | unsignedByte | Score for on/above level 2 | 200 |
fail-usage | unsignedInt | Usage below which fail is not expected | 128000 |
fblogo | Colour | Colour for logo | #bd1220 |
graticule | Colour | Graticule colour | grey |
heading | string | Heading of graph | |
hourformat | string | Hour format | %H |
key | unsignedByte | Pixels space for key | 90 |
label-ave | string | Label for average latency | Ave |
label-damp | string | Label for % shaper damping | Damp% |
label-fail | string | Label for seconds (%) failed | %Fail |
label-latency | string | Label for latency | Latency |
label-max | string | Label for maximum latency | Max |
label-min | string | Label for minimum latency | Min |
label-off | string | Label for off line seconds | Off |
label-period | string | Label for period | Period |
label-poll | string | Label for polls | Polls |
label-rej | string | Label for rejected seconds | %Reject |
label-rx | string | Label for Rx traffic level | Rx |
label-score | string | Label for score | Score |
label-sent | string | Label for seconds polled | Sent |
label-shaper | string | Label for shaper | Shaper |
label-time | string | Label for time | Time |
label-traffic | string | Label for traffic level | Traffic (bit/s) |
label-tx | string | Label for Tx traffic level | Tx |
latency-level | unsignedInt | Latency level not expected on low usage | 100000000 |
latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000 |
latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000 |
latency-score | unsignedByte | Score for high latency and low usage | 200 |
latency-score1 | unsignedByte | Score for on/above level 1 | 10 |
latency-score2 | unsignedByte | Score for on/above level 2 | 20 |
latency-usage | unsignedInt | Usage below which latency is not expected | 128000 |
left | unsignedByte | Pixels space left of main graph | 0 |
log | NMTOKEN | Log events | Not logging |
marker-width | string | Stroke width for marker (+) on tx/rx (e.g. 4) | |
max | Colour | Colour for maximum latency | green |
min | Colour | Colour for minimum latency | #008 |
ms-max | positiveInteger | ms max height | 500 |
off | Colour | Colour for off line seconds | #c8f |
outside | Colour | Colour for outer border | transparent |
ping-list-source-ip | IP46Addr | Source address to use when fetching the ping list | |
ping-update | duration | Interval for periodic updates | 1:00:00 |
ping-url | string | URL for ping list | |
pppoe-dos-limit | unsignedInt | Per poll tx packet drop limit for DOS protection on PPPoE incoming sessions | 10000 |
rej | Colour | Colour for rejected seconds | #f8c |
right | unsignedByte | Pixels space right of main graph | 50 |
rx | Colour | Colour for Rx traffic level | #800 |
secret | Secret | Secret for SHA1 coded URLs | |
sent | Colour | Colour for polled seconds | #ff8 |
share-interface | NMTOKEN | Interface on which to broadcast data for shaper sharing | |
share-secret | Secret | Secret to validate shaper sharing | |
stroke-width | string | Stroke line for tx/rx | 4 if no marker |
subheading | string | Subheading of graph | |
svg-css | string | URL for SVG CSS instead of local style settings | |
svg-title | boolean | Include mouseover title text on svg | |
text | Colour | Colour for text | black |
text1 | string | Text line 1 | |
text2 | string | Text line 2 | |
text3 | string | Text line 3 | |
text4 | string | Text line 4 | |
timeformat | string | Time format | %Y-%m-%d %H:%M:%S |
top | unsignedByte | Pixels space at top of graph | 4 |
tx | Colour | Colour for Tx traffic level | #080 |
L2TP settings for incoming and outgoing L2TP connections
l2tp: Attributes
Attribute | Type | Description | Default |
accounting-interval | duration | Periodic interim accounting interval | 1:00:00 |
send-acct-delay | boolean | Send Acct-Delay as well as Event-Timestamp on accounting | |
l2tp: Elements
Element | Type | Instances | Description |
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections |
outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections |
L2TP tunnel settings for outgoing L2TP connections
l2tp-outgoing: Attributes
Attribute | Type | Description | Default |
accept-dns | boolean | Accept DNS servers specified by far end | true |
bgp | bgpmode | BGP announce mode for routes | Auto |
called-station-id | string | called-station-id to send. Also works as called, which is deprecated | |
calling-station-id | string | calling-station-id to send (present but empty means use the unit's serial number). Also works as calling, which is deprecated | |
comment | string | Comment | |
cug | cug 1-32767 | Closed user group ID | |
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) | |
fail-lockout | unsignedByte | Interval kept in failed state | 1 |
graph | string | Graph name | |
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true |
hello-interval | unsignedByte | Interval between HELLO messages | 10 |
ip6-checksum | boolean | Calculate checksum on IPv6 tunnels | true |
lcp-data-len | unsignedByte | LCP echo data field length | |
lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
local | IP46Addr | Local (internal/PPP) IPv4 address | |
local-hostname | string | The hostname we quote on tunnel connect. Also works as hostname, which is deprecated | System name |
local-ip | IPAddr | Wrapper IP of our end | |
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295 |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
min-retry | duration | Minimum session time before retrying connection | 10 |
mtu | mtu 576-2000 | Default MTU for sessions in this tunnel | |
name | NMTOKEN | Name | |
nat | boolean | NAT IPv4 traffic to this link unless otherwise set in rules | true |
open-timeout | unsignedByte | Interval before OPEN considered failed | 10 |
ospf | boolean | OSPF announce mode for route | true |
pap | boolean | Use PAP to authenticate | |
password | Secret | Password for login | |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
ppp-final-timeout | unsignedByte | PPP total timeout (seconds) | 60 |
ppp-init-timeout | unsignedByte | PPP initial timeout (seconds) | 10 |
profile | NMTOKEN | Profile name | |
proxy | boolean | Send proxy auth details (faster) | true |
receive-window | unsignedShort | Receive window to advise on connection | Not sent |
remote | IP4Addr | Remote (internal/PPP) IPv4 address | |
retry-timeout | unsignedByte | Interval to retry sending control messages before fail | 10 |
routes | List of IPPrefix | Routes when link up | Default gateway |
rx-speed | unsignedInt | Send ingress rate (b/s) | |
secret | Secret | Shared secret | |
server | IPNameAddr | IP/name of far end. Also works as ip, which is deprecated | Not optional |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for L2TP session | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false |
tx-speed | unsignedInt | Egress rate limit (b/s) | |
username | string | User name for login | |
l2tp-outgoing: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when link is up |
L2TP tunnel settings for incoming L2TP connections
l2tp-incoming: Attributes
Attribute | Type | Description | Default |
advise-speed | unsignedInt | Advise clients of their egress rate (b/s); may be overridden by RADIUS. This is a FireBrick-specific mechanism | |
allow | List of IPNameRange | List of IP ranges from which connects can be made | |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
damping | boolean | Apply damping to sessions if limiting on shaper | false |
dhcpv6dns | List of IP6Addr | List of IPv6 DNS servers | System DNS resolvers |
dos-limit | unsignedInt | Per second per session tx packet drop limit for DOS protection | 10000 |
fail-lockout | unsignedByte | Interval kept in failed state | 60 |
graph | string | Graph name | |
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true |
hello-interval | unsignedByte | Interval between HELLO messages | 60 |
icmp-ppp | boolean | Use PPP endpoint for ICMP | false |
ip6-checksum | boolean | Calculate checksum on IPv6 tunnels | true |
ipv6ep | IP4Addr | Local end IPv4 for IPv6 tunnels | |
lcp-data-len | unsignedByte | LCP data field length | |
lcp-mru-fix | boolean | Restart LCP if RAS negotiated MRU is too high | false |
lcp-rate | unsignedByte | LCP interval (seconds) | 1 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 10 |
local-hostname | string | Hostname quoted on reply | System name |
local-ppp-ip | IP4Addr | Local end PPP IPv4. Also works as pppip, which is deprecated | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mtu | mtu 576-2000 | Default MTU for sessions in this tunnel | |
name | string | Name | |
open-timeout | unsignedByte | Interval before OPEN considered failed | 60 |
operator-name | string | Value to send for Operator-Name AVP | |
ospf | boolean | OSPF announce mode for route | true |
payload-source-ip | IP46Addr | IP of our end when originating traffic to LAC | |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
ppp-final-timeout | unsignedByte | PPP total timeout (seconds) | 60 |
ppp-init-timeout | unsignedByte | PPP initial timeout (seconds) | 10 |
pppdns1 | IP4Addr | PPP DNS1 IPv4 default | |
pppdns2 | IP4Addr | PPP DNS2 IPv4 default | |
profile | NMTOKEN | Profile name | |
radius | string | Name for RADIUS server config to use | |
radius-nas-ip | radius-nas | Pass remote (LAC) or local (LNS) as RADIUS NAS IP / port. Also works as relay-nas-ip, which is deprecated | lac |
receive-window | unsignedShort | Receive window to advise on connection | Not sent |
remote-hostname | string | Hostname expected on connection | |
require-platform | boolean | All sessions require a platform RADIUS first | false |
require-radius-acct | boolean | Close session if cannot do RADIUS accounting | |
retry-timeout | unsignedByte | Interval to retry sending control messages before fail | 60 |
secret | Secret | Shared secret (for far end to check) | |
session-timeout | duration | Default session timeout | |
shutdown | boolean | Refuse all new sessions or tunnels | false |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | IP of our end for relayed connections (on same table). Also works as relay-local-ip, which is deprecated | |
speed | unsignedInt | Default egress rate limit (b/s) | |
table | routetable 0-99 | Routing table number for L2TP session | Any |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false |
l2tp-incoming: Elements
Element | Type | Instances | Description |
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication |
Rules for relaying L2TP or local authentication
l2tp-relay: Attributes
Attribute | Type | Description | Default |
called-station-id | List of string | One or more patterns to match called-station-id | |
calling-station-id | List of string | One or more patterns to match calling-station-id | |
comment | string | Comment | |
graph | graphname (token) | Graph name | |
group-graph | graphname (token) | Secondary graph name | |
ip-over-lcp | boolean | Send IP over LCP (local auth) | |
lcp-echo-mim | boolean | Handle LCP echoes in the middle on relayed connection | |
localpref | unsignedInt | Localpref for remote-ppp-ip/routes (highest wins) | 4294967295 |
name | string | Name | |
password | Secret | Password check | |
payload-table | routetable 0-99 | Routing table number for payload traffic (or L2TP relay) | As per l2tp-incoming |
profile | NMTOKEN | Profile name | |
relay-hostname | string | Hostname for L2TP connection | |
relay-ip | List of IPAddr | Target IP(s) for L2TP connection | |
relay-pick | boolean | If set, try one of the relay IPs at random first | |
relay-secret | Secret | Shared secret for L2TP connection | |
remote-netmask | IP4Addr | Remote end PPP Netmask (local auth) | |
remote-ppp-ip | IP4Addr | Remote end PPP IPv4 (local auth). Also works as remote-ip, which is deprecated | |
routes | List of IPPrefix | Additional routes when link up (local auth) | |
rx-speed | unsignedInt | Send ingress rate (b/s) | |
source | string | Source of data, used in automated config management | |
tx-speed | unsignedInt | Egress rate limit (b/s) | |
username | List of string | One or more patterns to match username | |
FB105 tunnel definition
fb105: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
fast-udp | boolean | Send UDP packets marked not to be reordered | true |
graph | graphname (token) | Graph name | |
internal-ip | IP46Addr | Internal IP for traffic originated and sent down tunnel | local-ip |
ip | IP4Addr | Far end IP | dynamic tunnel |
keep-alive | boolean | Constantly send keep alive packets | true if ip set |
local-id | unsignedByte | Unique local end tunnel ID | Not optional |
local-ip | IP4Addr | Force specific local end IP | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | NMTOKEN | Log events | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mtu | unsignedShort | MTU for wrapped packets | 1500 |
name | NMTOKEN | Name | |
obfuscate | hex32 (hexBinary) | Scramble (not encrypt) data | |
ospf | boolean | OSPF announce mode for route | true |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
port | unsignedShort | UDP port to use | 1 |
profile | NMTOKEN | Profile name | |
remote-id | unsignedByte | Unique remote end tunnel ID | Not optional |
reorder | boolean | Reorder incoming tunnel packets | false |
reorder-maxq | fb105-reorder-maxq 1-100 | Max queue length for out of order packets | 32 |
reorder-timeout | fb105-reorder-timeout 10-5000 | Max time to delay out of order packet (ms) | 100 |
routes | List of IPPrefix | Routes when link up | None |
satellite | boolean | Mark links that are high speed and high latency, for split-latency bonding (experimental) | |
secret | Secret | Shared secret for tunnel | Unsigned |
set | unsignedByte | Set ID for reorder ID tagging (create a set of tunnels together) | |
sign-all | boolean | All packets must be signed, not just keepalives | false |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit used (b/s) | no shaping |
table | routetable 0-99 | Routing table number for tunnel wrappers | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
fb105: Elements
Element | Type | Instances | Description |
route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up |
Routes for prefixes that are sent to the FB105 tunnel when up
fb105-route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
IPsec IKE and manually-keyed connection details
ipsec-ike: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which IKE connections are allowed | Allow from anywhere |
comment | string | Comment | |
force-NAT | List of IPNameRange | List of IP ranges of peers requiring forced NAT-T | |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
source | string | Source of data, used in automated config management | |
trusted | List of IPNameRange | List of IP ranges given higher priority when establishing new connections | |
ipsec-ike: Elements
Element | Type | Instances | Description |
IKE-proposal | ike-proposal | Optional, unlimited | Proposals for IKE security association |
IPsec-proposal | ipsec-proposal | Optional, unlimited | Proposals for IPsec AH/ESP security association |
connection | ike-connection (ipsec-connection-common) | Optional, unlimited | IKE connections |
manually-keyed | ipsec-manual (ipsec-connection-common) | Optional, unlimited | IPsec manually-keyed connections (not recommended) |
roaming | ike-roaming | Optional, unlimited | IKE roaming IP pools |
IPsec IKE connection settings
ike-connection: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
graph | graphname (token) | Graph name | |
internal-ip | IP46Addr | Internal IP for traffic originated on the FireBrick and sent down tunnel. Also works as internal-ipv, which is deprecated | local-ip |
local-ip | IPAddr | Local IP | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mtu | unsignedShort | MTU for wrapped packets | 1500 |
name | NMTOKEN | Name | |
ospf | boolean | OSPF announce mode for route | true |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
peer-ips | List of IPNameRange | Peer's IP or range | Accept from anywhere |
profile | NMTOKEN | Profile name | |
routes | List of IPPrefix | Routes when link up | |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit used (b/s) | no shaping |
table | routetable 0-99 | Routing table number for IKE traffic and tunnel wrappers | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
type | ipsec-type | Encapsulation type | ESP |
auth-method | ike-authmethod | Method for authenticating self to peer | Not optional |
blackhole | boolean | Blackhole routed traffic when tunnel is not up | false |
certlist | List of NMTOKEN | Certificate(s) to be used to authenticate self | use any suitable |
dead-peer-detect | duration | Check peer is alive at least this often; 0 to inhibit | 30 |
ike-proposals | List of NMTOKEN | IKE proposal list | use built-in default proposals |
ipsec-proposals | List of NMTOKEN | IPsec proposal list | use built-in default proposals |
lifetime | duration | Max lifetime before renegotiation | 1:00:00 |
local-ID | string | Local IKE ID | |
local-ts | List of IPRange | Valid outgoing-source/incoming-destination IPs for tunnelled traffic | Allow any |
mode | ike-mode | IKE connection setup mode | Wait |
peer-ID | string | Peer IKE ID | |
peer-auth-method | ike-authmethod | Method for authenticating peer | Use auth-method |
peer-certlist | List of NMTOKEN | Certificate trust anchor(s) acceptable for authenticating peer | accept any suitable |
peer-eaplist | List of NMTOKEN | Admissible EAP users | allow any EAP user |
peer-secret | Secret | Shared secret used to authenticate peer | use secret |
peer-ts | List of IPRange | Valid outgoing-destination/incoming-source IPs for tunnelled traffic | Allow any |
peer-ts-from-routes | boolean | Send traffic selector based on routing. Also works as ts-from-routes, which is deprecated | false |
query-eap-id | boolean | Query client for EAP identity | true |
roaming-pool | NMTOKEN | IKE roaming IP pool | |
secret | Secret | Shared secret used to authenticate self to peer | |
ike-connection: Elements
Element | Type | Instances | Description |
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up |
Routes for prefixes that are sent to the IPsec tunnel
ipsec-route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
ip | List of IPPrefix | One or more network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
ospf | boolean | OSPF announce mode for route | true |
profile | NMTOKEN | Profile name | |
source | string | Source of data, used in automated config management | |
Pool of IP addresses and associated DNS/NBNS servers for dynamic IP allocation
ike-roaming: Attributes
Attribute | Type | Description | Default |
DNS | List of IPAddr | List of DNS servers available to clients | |
NBNS | List of IPAddr | List of NetBIOS name servers available to clients | |
comment | string | Comment | |
ip | List of IPRange | List of IP ranges for allocation to road-warrior clients | Not optional |
name | NMTOKEN | Name | Not optional |
nat | boolean | NAT incoming IPv4 traffic unless set otherwise in rules | false |
source | string | Source of data, used in automated config management | |
Proposal for establishing the IKE security association
ike-proposal: Attributes
Attribute | Type | Description | Default |
DHset | Set of ike-DH | Diffie-Hellman group for IKE negotiation | Accept any supported group |
PRFset | Set of ike-PRF | Pseudo-Random function for key generation | Accept any supported function |
authset | Set of ipsec-auth-algorithm | Integrity check algorithm for IKE messages | Accept any supported algorithm |
cryptset | Set of ipsec-crypt-algorithm | Encryption algorithm for IKE messages | Accept any supported algorithm |
name | NMTOKEN | Name | Not optional |
Proposal for establishing the IPsec AH/ESP keying information
ipsec-proposal: Attributes
Attribute | Type | Description | Default |
DHset | Set of ike-DH | Diffie-Hellman group for IPsec key negotiation | Accept any supported group |
ESN | Set of ike-ESN | Support for extended sequence numbers | Accept ESN or short SN |
authset | Set of ipsec-auth-algorithm | Integrity check algorithm for IPsec traffic | Accept any supported algorithm |
cryptset | Set of ipsec-crypt-algorithm | Encryption algorithm for IPsec traffic | Accept any supported algorithm |
name | NMTOKEN | Name | Not optional |
IPsec manually keyed connection settings (not recommended, use IKEv2 and secrets instead)
ipsec-manual: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | Auto |
comment | string | Comment | |
graph | graphname (token) | Graph name | |
internal-ip | IP46Addr | Internal IP for traffic originated on the FireBrick and sent down tunnel. Also works as internal-ipv, which is deprecated | local-ip |
local-ip | IPAddr | Local IP | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
mtu | unsignedShort | MTU for wrapped packets | 1500 |
name | NMTOKEN | Name | |
ospf | boolean | OSPF announce mode for route | true |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
peer-ips | List of IPNameRange | Peer's IP or range | Accept from anywhere |
profile | NMTOKEN | Profile name | |
routes | List of IPPrefix | Routes when link up | |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit used (b/s) | no shaping |
table | routetable 0-99 | Routing table number for IKE traffic and tunnel wrappers | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
type | ipsec-type | Encapsulation type | ESP |
auth-algorithm | ipsec-auth-algorithm | Manual setting for authentication algorithm | null |
auth-key | hexBinary | Manual key for authentication | |
crypt-algorithm | ipsec-crypt-algorithm | Manual setting for encryption algorithm | null |
crypt-key | hexBinary | Manual key for encryption | |
local-spi | ipsec-spi 256-4294967295 | Local Security Parameters Index | Not optional |
mode | ipsec-encapsulation | Encapsulation mode | tunnel |
outer-spi | ipsec-spi 256-4294967295 | Security Parameters Index for outer header | |
remote-spi | ipsec-spi 256-4294967295 | Peer Security Parameters Index | Not optional |
ipsec-manual: Elements
Element | Type | Instances | Description |
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up |
Base ping config - additional ping targets set via web API or other means
ping: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
gateway | IP46Addr | IP of gateway | |
graph | graphname (token) | Graph name | Not optional |
ip | IPNameAddr | Far end IP | Not optional |
name | string | Name | |
profile | NMTOKEN | Profile name | |
size | ping-size 0-60000 | Payload size | 0 |
slow | boolean | Slow polling | Auto |
source | string | Source of data, used in automated config management | |
source-ip | IP46Addr | Source IP | |
table | routetable 0-99 | Routing table number for sending pings | 0 |
General on/off control profile used in various places in the config.
profile: Attributes
Attribute | Type | Description | Default |
and | List of NMTOKEN | Active if all specified profiles are active as well as all other tests passing, including 'not' | |
comment | string | Comment | |
control-switch-group | string | Heading to use when grouping in UI | |
control-switch-locks | boolean | Control switch requires unlock before use. | false |
control-switch-users | List of NMTOKEN | Restrict users that have access to control switch | Any users |
dhcp | List of IPNameAddr | Test passes if any specified addresses are active in DHCP | |
expect | boolean | Defines state considered 'Good' and shown green on status page | none |
fb105 | List of NMTOKEN | FB105 tunnel state (any of these active) | |
initial | boolean | Defines state at system startup (unless set), or new config, where not known/fixed | true |
interval | duration | Time between tests | 1 |
invert | boolean | Invert final result of testing | |
l2tp | List of NMTOKEN | Outgoing L2TP link state (any of these are up) | |
log | NMTOKEN | Log target | Not logging |
log-debug | NMTOKEN | Log additional information | Not logging |
mqtt | mqtt-brokers | Generate MQTT activate/deactivate if topic set | all |
mqtt-control | mqtt-brokers | Allow profile control via MQTT via specific brokers | |
mqtt-off | string | Payload for MQTT message when profile de-activated | |
mqtt-on | string | Payload for MQTT message when profile activated | |
mqtt-retain | boolean | Set message as retained | |
mqtt-topic | string | Topic for MQTT message on profile change | |
name | NMTOKEN | Profile name | Not optional |
not | NMTOKEN | Active if specified profile is inactive as well as all other tests passing, including 'and' | |
or | List of NMTOKEN | Active if any of these other profiles are active regardless of other tests (including 'not' or 'and') | |
ports | Set of port | Test passes if any of these physical ports are up | |
ppp | List of NMTOKEN | PPP link state (any of these are up) | |
recover | duration | Time before recover (i.e. how long test has been passing) | 1 |
route | List of IPAddr | Test passes if all specified addresses are routeable | |
set | switch | Manual override: test settings are ignored; control switches can use and/or/not/invert | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table for ping/route/dhcp | |
timeout | duration | Time before timeout (i.e. how long test has been failing) | 10 |
uptime | unsignedShort | Minimum uptime (seconds) | |
vrrp | List of NMTOKEN | VRRP state (any of these is master) | |
profile: Elements
Element | Type | Instances | Description |
date | profile-date | Optional, unlimited | Test passes if within any date range specified |
ping | profile-ping | Optional | Test passes if address is answering pings |
time | profile-time | Optional, unlimited | Test passes if within any time range specified |
Time range test in profiles
profile-date: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
source | string | Source of data, used in automated config management | |
start | dateTime | Start (YYYY-MM-DDTHH:MM:SS) | |
stop | dateTime | End (YYYY-MM-DDTHH:MM:SS) | |
Time range test in profiles
profile-time: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
days | Set of day | Which days of week apply, default all | |
source | string | Source of data, used in automated config management | |
start | time | Start (HH:MM:SS) | |
stop | time | End (HH:MM:SS) | |
Ping targets
profile-ping: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
flow | unsignedShort | Flow label (IPv6) | |
gateway | IPAddr | Ping via specific gateway (bypasses session tracking if set) | |
ip | IPAddr | Target IP | Not optional |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | Source IP | |
ttl | unsignedByte | Time to live / Hop limit | |
Settings for a named traffic shaper
shaper: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | graphname (token) | Graph name | Not optional |
rx | unsignedLong | Rx rate limit/target (b/s) | |
rx-limit | shaper-limit 0-1000 | Rx low level burst limit (ms) - ½ for large packets | 400ms |
rx-max | unsignedLong | Rx rate limit max | |
rx-min | unsignedLong | Rx rate limit min | |
rx-min-burst | duration | Rx minimum allowed burst time | |
rx-step | unsignedLong | Rx rate reduction per hour | |
share | boolean | If shaper is shared with other devices | false |
source | string | Source of data, used in automated config management | |
tx | unsignedLong | Tx rate limit/target (b/s) | |
tx-limit | shaper-limit 0-1000 | Tx low level burst limit (ms) - ½ for large packets | 400ms |
tx-max | unsignedLong | Tx rate limit max | |
tx-min | unsignedLong | Tx rate limit min | |
tx-min-burst | duration | Tx minimum allowed burst time | |
tx-step | unsignedLong | Tx rate reduction per hour | |
shaper: Elements
Element | Type | Instances | Description |
override | shaper-override | Optional, unlimited | Profile specific variations on main settings |
Named IP group
ip-group: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
ip | List of IPRange | One or more IP ranges or IP/len | |
name | string | Name | Not optional |
source | string | Source of data, used in automated config management | |
users | List of NMTOKEN | Include IP of (time limited) logged in web users | |
Routing override rules
route-override: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Applicable routing table | 0 |
route-override: Elements
Element | Type | Instances | Description |
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies |
Routing override rule
session-route-rule: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
cug | List of PortRange | Closed user group ID(s) | |
hash | boolean | Use hash of IPs for load sharing | |
name | string | Name | |
profile | NMTOKEN | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging (if not set by rule-set) | |
set-nat | boolean | Change source IP and port to local for NAT | |
source | string | Source of data, used in automated config management | |
source-interface | List of NMTOKEN | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-port | List of PortRange | Source port(s) | |
target-interface | List of NMTOKEN | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
session-route-rule: Elements
Element | Type | Instances | Description |
share | session-route-share | Optional, unlimited | Load shared actions |
Route override setting for load sharing
session-route-share: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
profile | NMTOKEN | Profile name | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging (if not set by rule-set) | |
set-nat | boolean | Change source IP and port to local for NAT | |
weight | positiveInteger | Weighting of load share | 1 |
Firewalling rule set with entry criteria and default actions
rule-set: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
cug | List of PortRange | Closed user group ID(s) | |
interface | List of NMTOKEN | Source or target interface(s) | |
ip | List of IPNameRange | Source or target IP address range(s) | |
log | NMTOKEN | Log session start | Not logging |
log-end | NMTOKEN | Log session end | Not logging |
log-no-match | NMTOKEN | Log if no match | log-start |
name | string | Name | |
no-match-action | firewall-action | Default if no rule matches | Not optional |
profile | NMTOKEN | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
source | string | Source of data, used in automated config management | |
source-interface | List of NMTOKEN | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-port | List of PortRange | Source port(s) | |
startup-delay | duration | Interval after startup during which ignore is used instead of reject/drop | 1:00 |
table | routetable 0-99 | Applicable routing table | 0 |
target-interface | List of NMTOKEN | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
rule-set: Elements
Element | Type | Instances | Description |
ip-group | ip-group | Optional, unlimited | Named IP groups |
rule | session-rule | Optional, unlimited | Individual rules, first match applies |
Firewall rule
The individual firewall rules are checked in order within the rule-set, and the first match is applied. The default action for a rule is continue, so once a rule has matched, processing moves on to the next rule-set.
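The evaluation order described above, as an added example (not FireBrick code): rule-sets are walked in order, the first matching rule in each rule-set decides, a continue action falls through to the next rule-set, and no-match-action applies when a rule-set is entered but no rule matches. It assumes that a rule-set whose own entry criteria do not match is skipped entirely, and that a session no rule-set has decided on is accepted; the rule-set, rule names and session values are constructed.

```python
"""Model of rule-set / session-rule first-match evaluation (added example).

Assumptions (not from the page): a rule-set whose entry criteria do not
match is skipped; a session left undecided by every rule-set is accepted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Actions that end evaluation; "continue" hands the session to the next rule-set
FINAL = {"accept", "reject", "drop", "ignore"}


def _ip_in(ip: str, ranges: list[str]) -> bool:
    # An empty list means the attribute is unset, i.e. matches anything
    if not ranges:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(r, strict=False) for r in ranges)


def _port_in(port: int, ranges: list[str]) -> bool:
    # PortRange entries written as "22" or "1024-65535"
    if not ranges:
        return True
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


@dataclass
class Criteria:
    """Subset of the match attributes shared by rule-set and session-rule."""
    source_ip: list[str] = field(default_factory=list)
    target_ip: list[str] = field(default_factory=list)
    protocol: list[int] = field(default_factory=list)
    target_port: list[str] = field(default_factory=list)

    def matches(self, s: dict) -> bool:
        return (_ip_in(s["source_ip"], self.source_ip)
                and _ip_in(s["target_ip"], self.target_ip)
                and (not self.protocol or s["protocol"] in self.protocol)
                and _port_in(s["target_port"], self.target_port))


@dataclass
class Rule:
    name: str
    match: Criteria
    action: str = "continue"  # page default for session-rule action


@dataclass
class RuleSet:
    name: str
    entry: Criteria           # rule-set entry criteria
    no_match_action: str      # rule-set no-match-action (not optional)
    rules: list[Rule]


def evaluate(rule_sets: list[RuleSet], session: dict) -> tuple[str, list[str]]:
    """Return the final action and a trace of the decisions taken."""
    trace: list[str] = []
    for rs in rule_sets:
        if not rs.entry.matches(session):
            continue  # assumption: entry criteria not met, rule-set skipped
        for rule in rs.rules:
            if rule.match.matches(session):
                trace.append(f"{rs.name}/{rule.name}:{rule.action}")
                if rule.action in FINAL:
                    return rule.action, trace
                break  # first match applies; continue -> next rule-set
        else:
            # Entered the rule-set but nothing matched: no-match-action
            trace.append(f"{rs.name}/no-match:{rs.no_match_action}")
            if rs.no_match_action in FINAL:
                return rs.no_match_action, trace
    return "accept", trace  # assumption: undecided sessions are accepted


# Constructed rule-sets: SSH only from a management range, then a catch-all
EXAMPLE_RULE_SETS = [
    RuleSet("ssh-admin", Criteria(protocol=[6], target_port=["22"]), "drop",
            [Rule("from-mgmt", Criteria(source_ip=["192.0.2.0/24"]), "accept")]),
    RuleSet("catch-all", Criteria(), "reject",
            [Rule("log-web", Criteria(protocol=[6], target_port=["80", "443"]))]),
]


def _session(src: str, proto: int, port: int) -> dict:
    return {"source_ip": src, "target_ip": "203.0.113.1",
            "protocol": proto, "target_port": port}


if __name__ == "__main__":
    for s in (_session("192.0.2.10", 6, 22), _session("198.51.100.5", 6, 22),
              _session("198.51.100.5", 6, 443), _session("198.51.100.5", 17, 53)):
        print(s["source_ip"], s["protocol"], s["target_port"], evaluate(EXAMPLE_RULE_SETS, s))
```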
session-rule: Attributes
Attribute | Type | Description | Default |
action | firewall-action | Action taken on match | continue |
comment | string | Comment | |
cug | List of PortRange | Closed user group ID(s) | |
hash | boolean | Use hash of IPs for load sharing | |
interface | List of NMTOKEN | Source or target interface(s) | |
ip | List of IPNameRange | Source or target IP address range(s) | |
log | NMTOKEN | Log session start | As rule-set |
log-end | NMTOKEN | Log session end | As rule-set |
name | string | Name | |
obf-checksum | chksum-action | Obfuscation's handling of packet checksums | |
obfuscate | hex64 (hexBinary) | Scramble (not encrypt) data | |
pcp | boolean | If mapped by NAT-PMP / PCP | |
profile | NMTOKEN | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
set-dscp | unsignedByte | Override IP DSCP | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging | |
set-graph-dynamic | dynamic-graph | Dynamically create graph | |
set-initial-timeout | duration | Initial time-out | |
set-nat | boolean | Change source IP and port to local for NAT | |
set-ongoing-timeout | duration | Ongoing time-out | |
set-reverse-graph | string | Graph name for shaping/logging (far side of session) | |
set-source-ip | IPRange | New source IP | |
set-source-port | unsignedShort | New source port | |
set-table | routetable 0-99 | Set new routing table | |
set-target-ip | IPRange | New target IP | |
set-target-port | unsignedShort | New target port | |
source | string | Source of data, used in automated config management | |
source-interface | List of NMTOKEN | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-mac | List of up to 12 macprefix (hexBinary) | Source MAC check if from Ethernet | |
source-port | List of PortRange | Source port(s) | |
target-interface | List of NMTOKEN | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
session-rule: Elements
Element | Type | Instances | Description |
share | session-share | Optional, unlimited | Load shared actions |
Firewall actions for load sharing
session-share: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
obf-checksum | chksum-action | Obfuscation's handling of packet checksums | |
obfuscate | hex64 (hexBinary) | Scramble (not encrypt) data | |
profile | NMTOKEN | Profile name | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging | |
set-nat | boolean | Change source IP and port to local for NAT | |
set-reverse-graph | string | Graph name for shaping/logging (far side of session) | |
set-source-ip | IPRange | New source IP | |
set-source-port | unsignedShort | New source port | |
set-table | routetable 0-99 | Set new routing table | |
set-target-ip | IPRange | New target IP | |
set-target-port | unsignedShort | New target port | |
weight | positiveInteger | Weighting of load share | 1 |
Voice over IP config
voip: Attributes
Attribute | Type | Description | Default |
area-code | string | Local area code (without national prefix) | |
auth-source-ip | IP46Addr | Default source address to use when sending authenticated messages | |
backup-carrier | NMTOKEN | Backup carrier to use for external calls | |
call-progress | boolean | Send call progress at 3 seconds | true |
comment | string | Comment | |
country | string | Local country code | 44 |
default-carrier | NMTOKEN | Default carrier to use for external calls | |
domain | string | Domain to use for us on outgoing SIP connections | |
emergency | List of string | Emergency numbers | 112 999 |
emergency-uri | string | SIP URI for emergency calls | Use outbound carrier |
international | string | International dialling prefix | 00 |
local-digits | string | Local numbers start with these digits | 23456789 |
local-min-len | unsignedByte | Local numbers min length | 5 |
log | NMTOKEN | Log calls | Not logging |
log-cdr | NMTOKEN | Log CDR records | Not logged |
log-debug | NMTOKEN | Log debug and SIP messages | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
log-sip-blf | NMTOKEN | SUBSCRIBE, NOTIFY, PUBLISH | Not logged |
log-sip-call | NMTOKEN | INVITE, ACK, CANCEL, BYE, REFER | Not logged |
log-sip-other | NMTOKEN | OPTIONS, INFO, etc | Not logged |
log-sip-register | NMTOKEN | REGISTER | Not logged |
long-headers | boolean | Send long SIP headers | false |
max-ring | duration | Max time limit on call setup | 5:00 |
mqtt | mqtt-brokers | Generate MQTT for call events | Don't send |
mqtt-blf | mqtt-brokers | Generate MQTT for BLF | Don't send |
national | string | National dialling prefix | 0 |
pabx | boolean | Operate as office PABX | true |
pickup | string | Call pickup/steal prefix | * |
radius-call | string | Name for RADIUS server config to use call routing | |
radius-cdr | string | Name for RADIUS server config to use for CDRs | |
radius-challenge | boolean | Send RADIUS auth to get challenge response | |
radius-register | string | Name for RADIUS server config to use for registrations | |
realm | string | Default realm | FireBrick |
record-beep | record-beep-option | Send beep at start of recording | true |
record-mandatory | boolean | Drop call if recording fails | |
record-server | string | Call recording server hostname or address | |
release | string | CLI release prefix | 1470 |
security-replies | boolean | Don't challenge or error reply to unrecognised non local IP request | true |
send-pre-auth | boolean | Send Auth header with username before receiving challenge | true |
source | string | Source of data, used in automated config management | |
source-ip | IP46Addr | Default source address to use when sending messages | |
user-agent | string | User-Agent to send | Version specific |
withhold | string | CLI withhold prefix | 141 |
wrap-headers | boolean | Wrap long SIP header lines | true |
voip: Elements
Element | Type | Instances | Description |
carrier | carrier | Optional, up to 300 | VoIP carriers |
directory | directory | Optional, up to 300 | Directory |
group | ringgroup | Optional, up to 100 | Ring groups |
telephone | telephone | Optional, up to 300 | VoIP users |
tone | tone | Optional, up to 25 | Defined tones |
VoIP carrier details
carrier: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which invite accepted | Allow from anywhere |
comment | string | Comment | |
cui | string | Chargeable user identity for call accounting of incoming calls | |
display-name | string | Text name to use | |
expires | duration | Registration expiry time | 1:00:00 |
extn | string | Local number assumed for incoming call, use X for digits from end of called numbers | |
force-dtmf | boolean | Always send DTMF in-band | |
from | string | From SIP address for outbound registration and invites | |
hold-tone | boolean | Send hold tones to carrier | true |
incoming-cli | voip-format | CLI number format on incoming calls. Also works as cli-format, which is deprecated | transparent |
incoming-format | voip-format | Dialled number format on incoming calls | national |
map-404 | sip-error 400-699 | Map SIP error 404 to an alternative | |
max-calls | unsignedInt | Maximum simultaneous calls allowed | |
name | NMTOKEN | Carrier name | Not optional |
outgoing-cli | voip-format | CLI number format for outgoing calls. Also works as cli-format, which is deprecated | national |
outgoing-format | voip-format | Dialled number format for outgoing calls | national |
password | Secret | Carrier password for outbound registration or inbound authenticated calls | |
pre-expire | duration | Re-register time before expiry | 30 |
profile | NMTOKEN | Profile name | |
proxy | string | Carrier proxy hostname or address for registration and calls | |
proxy-ip | IPAddr | Target proxy IP to use | |
proxy-port | unsignedShort | Target proxy port to use | |
registrar | string | Carrier hostname for registration | |
send-hold | boolean | Pass hold state to carrier | true |
send-p-a-id | boolean | Send P-Asserted-Identity | true |
send-pre-auth | boolean | Send Auth header with username before receiving challenge | As general config |
send-privacy | privacy-type | Send Privacy (if withheld) | id |
source | string | Source of data, used in automated config management | |
source-ip | IPAddr | Source IP to use | |
table | routetable 0-99 | Routing table number | 0 |
to | List of string | To SIP request address for inbound invites, may be @domain for any at a domain | |
tone-hold | string | Name of tone to generate for hold with no media | |
tone-progress | string | Name of tone to generate for progress with no media | |
tone-queue | string | Name of tone to generate for queue with no media | |
tone-ring | string | Name of tone to generate for ring with no media | |
tone-wait | string | Name of tone to generate for wait with no media | |
trust-cli | boolean | Trust inbound calling line identity | true |
username | string | Carrier username for outbound registration or inbound authenticated calls | |
withhold | string | Mark withheld outbound calls using this dial prefix and send CLI in p-asserted-identity or remote-party-id | |
VoIP telephone details
telephone: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which registration accepted | Allow from anywhere |
allow-pickup | List of string | Only allow pickup from these extensions | Allow all if PABX mode |
allow-subscribe | List of string | Only allow subscribe (Busy Lamp Field) from these extensions | |
anon-numeric | boolean | Mark anonymous calls just using withhold prefix, and leave display name | |
area-code | string | Local area code (without national prefix) for use from this phone | |
carrier | NMTOKEN | Carrier to use for outbound calls | |
comment | string | Comment | |
cui | string | Chargeable user identity for call accounting | |
ddi | string | Full telephone number (international format starting +) | |
display-name | string | Text name to use | |
email | string | Email address (sent to call recording server) | |
expires | duration | Registration expiry time | 1:00:00 |
extn | string | Local extension number | |
force-dtmf | boolean | Always send DTMF in-band | |
local-only | boolean | Restrict access to registrations from subnets tagged as local | true |
max-calls | unsignedInt | Maximum simultaneous calls allowed | |
name | NMTOKEN | User name (local part of 'from') | Not optional |
outgoing-cli | voip-format | CLI number format passed to telephone. Also works as cli-format, which is deprecated | auto |
password | Secret | Authentication password | |
profile | NMTOKEN | Profile name | |
realm | string | Realm | |
record | recordoption | Automatically record calls | |
screen | voip-screen | Screen calls. Also works as acr, which is deprecated | non-rejected |
send-p-a-id | boolean | Send P-Asserted-Identity | true |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
uk-cli-text | uknumberformat | Send display name as UK formatted number | Auto |
uri | string | Direct URI for extn | |
username | string | Authentication username | |
wrap-up | duration | Wrap up time before new call | |
Definition of tones used
tone: Attributes
Attribute | Type | Description | Default |
name | NMTOKEN | Tone name | Not optional |
plan | string | Plan for frequency and duration, e.g. 400ms@400Hz-3dB+450Hz-3dB | Not optional |
Ring groups
ringgroup: Attributes
Attribute | Type | Description | Default |
allow-pickup | List of string | Only allow pickup from these extensions | |
allow-subscribe | List of string | Only allow subscribe (Busy Lamp Field) from these extensions | |
answer-time | duration | Answer caller if ringing this long | 30 |
carrier | NMTOKEN | Carrier to use for external calls | |
comment | string | Comment | |
cui | string | Chargeable user identity for call accounting | |
ddi | List of string | Full telephone number (international format starting +) | |
display-name | string | Text name to use | |
email | string | Email address (sent to call recording server) | |
extn | List of string | Local extension number | |
initial-time | duration | Don't progress to second number until this time | |
limit | unsignedByte | Number allowed to queue | |
name | NMTOKEN | Group name | Not optional |
order | ring-group-order | Order of ring | strict |
out-of-hours-group | NMTOKEN | Alternative group if this is out of profile (cascades) | |
out-of-hours-ring | List of string | Numbers to ring if out of profile and no out-of-hours-group set. Also works as out-of-hours, which is deprecated | |
overflow | List of string | Numbers to ring when more than one call in queue | |
overflow-time | duration | Include overflow after this time at head of queue | 30 |
profile | NMTOKEN | Profile name | |
progress-time | duration | Time between each target called | 6 |
redirect | boolean | Allow calls to be diverted before ringing | |
ring | List of string | Numbers to ring | |
ringall-time | duration | Switch to ring all after this time at head of queue | |
screen | voip-screen | Screen calls | non-rejected |
source | string | Source of data, used in automated config management | |
type | ring-group-type | Type of ring when one call in queue | all |
Directory
directory: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Display name | |
number | string | Calling number | Not optional |
screen | voip-screen-set | Screen/categorise this call | |
source | string | Source of data, used in automated config management | |
Ether tunnel
etun: Attributes
Attribute | Type | Description | Default |
eth-port | NMTOKEN | Port group name | Not optional |
ip | IPAddr | Far end IP address | Not optional |
log | NMTOKEN | Log events | Not logging |
log-debug | NMTOKEN | Log debug | Not logging |
log-error | NMTOKEN | Log errors | Log as event |
name | string | Name | |
profile | NMTOKEN | Profile name | |
source-ip | IPAddr | Our IP address | |
table | routetable 0-99 | Routing table number | 0 |
Settings for DHCP server for relayed connections
dhcp-relay: Attributes
Attribute | Type | Description | Default |
allocation-table | routetable 0-99 | Routing table for allocations - suggest using separate tables for remote DHCP | Allocate same as request table |
allow | List of IPNameRange | IPs allowed (e.g. allocated IPs for renewal) | Allow from anywhere |
relay | List of IPNameRange | Relay server IP(s) | Any relay |
table | routetable 0-99 | Routing table applicable | Allow any |
dhcp-relay: Elements
Element | Type | Instances | Description |
dhcp | dhcps | Optional, unlimited | DHCP server settings |
User login level - commands available are restricted according to assigned level.
Tag | Description |
NOBODY | Unknown or not logged in user |
GUEST | Guest user |
USER | Normal unprivileged user |
ADMIN | System administrator |
DEBUG | System debugger |
Tag | Description |
default | Mixed hex/decode |
decoded | Decoded only |
decoded+raw | Decoded + raw |
raw | Raw hex |
Tag | Description |
false | Do not auto load |
factory | Load factory releases |
beta | Load beta test releases |
alpha | Load test releases |
Tag | Description |
enabled | Normal hot standby |
nosync | Don't set SYNC (helps with some switches) |
disabled | Don't do hot standby |
Tag | Description |
none | No access unless explicitly listed |
view | View only access (no passwords) |
read | Read only access (with passwords) |
demo | Full view and edit access but can only test config, not save |
test | Full view and edit access but must test save config first |
full | Full view and edit access |
Tag | Description |
IPsec | IPsec/IKEv2 VPN |
Tag | Description |
MD5 | MD5 Challenge |
MSChapV2 | MS Challenge |
Log severity - different loggable events log at different levels.
Tag | Description |
EMERG | System is unstable |
ALERT | Action must be taken immediately |
CRIT | Critical conditions |
ERR | Error conditions |
WARNING | Warning conditions |
NOTICE | Normal but significant events |
INFO | Informational |
DEBUG | Debug level messages |
NO-LOGGING | No logging |
Syslog facility, usually used to control which log file the syslog is written to.
Tag | Description |
KERN | Kernel messages |
USER | User level messages |
MAIL | Mail system |
DAEMON | System Daemons |
AUTH | Security/auth |
SYSLOG | Internal to syslogd |
LPR | Printer |
NEWS | News |
UUCP | UUCP |
CRON | Cron daemon |
AUTHPRIV | private security/auth |
FTP | File transfer |
12 | Unused |
13 | Unused |
14 | Unused |
15 | Unused |
LOCAL0 | Local 0 |
LOCAL1 | Local 1 |
LOCAL2 | Local 2 |
LOCAL3 | Local 3 |
LOCAL4 | Local 4 |
LOCAL5 | Local 5 |
LOCAL6 | Local 6 |
LOCAL7 | Local 7 |
Tag | Description |
http-only | No HTTPS access |
http+https | Both HTTP and HTTPS access |
https-only | No HTTP access |
redirect-to-https | HTTP accesses are redirected to use HTTPS |
redirect-to-https-if-acme | HTTP accesses are redirected to use HTTPS if ACME set up for hostname |
redirect-to-https-except-trusted | HTTP accesses are redirected to use HTTPS (except trusted IPs) |
Tag | Description |
equal | All the same priority |
strict | In order specified |
random | Random order |
calling | Hashed on calling station id |
called | Hashed on called station id |
username | Hashed on full username |
user | Hashed on username before @ |
realm | Hashed on username after @ |
prefix | Hashed on username initial letters and numbers only |
Tag | Description |
authentication | Authentication server |
accounting | Accounting server |
control | Allowed to send control (CoA/DM) |
Tag | Description |
none | No broker/internal |
mqtt | MQTT only |
mqtts | MQTTS only |
mqtt+mqtts | MQTT and MQTTS |
external | External only |
external+mqtt | External and MQTT |
external+mqtts | External and MQTTS |
all | All brokers |
Tag | Description |
Jan | January |
Feb | February |
Mar | March |
Apr | April |
May | May |
Jun | June |
Jul | July |
Aug | August |
Sep | September |
Oct | October |
Nov | November |
Dec | December |
Tag | Description |
Sun | Sunday |
Mon | Monday |
Tue | Tuesday |
Wed | Wednesday |
Thu | Thursday |
Fri | Friday |
Sat | Saturday |
Tag | Description |
0 | Port 0 (not valid) (deprecated) |
1 | Port 1 |
2 | Port 2 |
3 | Port 3 |
4 | Port 4 |
Physical port crossover configuration.
Tag | Description |
auto | Crossover is determined automatically |
MDI | Force no crossover |
Tag | Description |
10M | 10Mbit/sec |
100M | 100Mbit/sec |
1G | 1Gbit/sec |
auto | Speed determined by autonegotiation |
Tag | Description |
half | Half-duplex |
full | Full-duplex |
auto | Duplex determined by autonegotiation |
Tag | Description |
none | No flow control |
symmetric | Can support two-way flow control |
send-pauses | Can send pauses but does not support pause reception |
any | Can receive pauses and may send pauses if required |
Tag | Description |
prefer-master | Master status negotiated; preference for master |
prefer-slave | Master status negotiated; preference for slave |
force-master | Master status forced |
force-slave | Slave status forced |
Tag | Description |
Link/Activity | On when link up; blink when Tx or Rx activity |
Link1000/Activity | On when link up at 1G; blink when Tx or Rx activity |
Link100/Activity | On when link up at 100M; blink when Tx or Rx activity |
Link10/Activity | On when link up at 10M; blink when Tx or Rx activity |
Link100-1000/Activity | On when link up at 100M or 1G; blink when Tx or Rx activity |
Link10-1000/Activity | On when link up at 10M or 1G; blink when Tx or Rx activity |
Link10-100/Activity | On when link up at 10M or 100M; blink when Tx or Rx activity |
Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected |
Collision | Blink when collisions detected |
Tx | Blink when Tx activity |
Rx | Blink when Rx activity |
Off | Permanently off |
On | Permanently on |
Link | On when link up |
Link1000 | On when link up at 1G |
Link100 | On when link up at 100M |
Link10 | On when link up at 10M |
Link100-1000 | On when link up at 100M or 1G |
Link10-1000 | On when link up at 10M or 1G |
Link10-100 | On when link up at 10M or 100M |
Duplex | On when full-duplex |
Tag | Description |
none | No power saving |
link-down | Power save only when link is down |
link-up | Power save only when link is up |
full | Full power saving |
Tag | Description |
false | No fault |
true | Send fault |
off-line | Send offline fault (1G) |
ane | Send ANE fault (1G) |
Tag | Description |
sflow | Use sFlow protocol |
ipfix-psamp | Use IPFIX/PSAMP protocol |
ipfix-legacy | Use legacy (Cisco-style) IPFIX |
Tag | Description |
false | Not trunking |
random | Random trunking |
l2-hash | L2 hashed trunking |
l23-hash | L2 and L3 hashed trunking |
l3-hash | L3 hashed trunking |
IPv6 route announcement mode and level
Tag | Description |
false | Do not announce |
low | Announce as low priority |
medium | Announce as medium priority |
high | Announce as high priority |
true | Announce as default (medium) priority |
dhcp6triggered | When triggered by DHCPv6 |
BGP mode defines the default advertisement mode for prefixes, based on well-known community tags
Tag | Description |
false | Not included in BGP at all |
no-advertise | Not included in BGP, not advertised at all |
no-export | Not normally exported from local AS/confederation |
local-as | Not exported from local AS |
no-peer | Exported with no-peer community tag |
true | Exported as normal with no special tags added |
Tag | Description |
off | Don't perform sampling |
ingress | Sample incoming traffic |
egress | Sample outgoing traffic |
both | Sample incoming and outgoing traffic |
Tag | Description |
false | No source filter checks |
blackhole | Check replies blackholed |
nowhere | Check replies valid |
self | Check replies valid and not self |
true | Check replies down same port/vlan |
Tag | Description |
client | Normal PPPoE client connects to access controller |
bras-l2tp | PPPoE server mode linked to L2TP operation |
Tag | Description |
none | None |
mac | MAC |
vlan | Inner VLAN |
mac-vlan | MAC and inner VLAN |
vlanvlan | Outer and inner VLANs padded to 4 digits |
Tag | Description |
none | No suffix |
mac | MAC address suffix |
Tag | Description |
AH | Authentication Header |
ESP | Encapsulating Security Payload |
Tag | Description |
null | No authentication |
HMAC-MD5 | HMAC-MD5-96 (RFC 2403) |
HMAC-SHA1 | HMAC-SHA1-96 (RFC 2404) |
AES-XCBC | AES-XCBC-MAC-96 (RFC 3566) |
HMAC-SHA256 | HMAC-SHA-256-128 (RFC 4868) |
Tag | Description |
null | No encryption (RFC 2410) |
3DES-CBC | 3DES-CBC (RFC 2451) |
blowfish | Blowfish CBC (RFC 2451) with 16-byte key |
blowfish-192 | Blowfish CBC (RFC 2451) with 24-byte key |
blowfish-256 | Blowfish CBC (RFC 2451) with 32-byte key |
AES-CBC | AES-CBC (Rijndael) (RFC 3602) with 16-byte key |
AES-192-CBC | AES-CBC (Rijndael) (RFC 3602) with 24-byte key |
AES-256-CBC | AES-CBC (Rijndael) (RFC 3602) with 32-byte key |
Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.
Tag | Description |
normal | Normal BGP operation |
transit | EBGP; mark received as no-export |
peer | EBGP; mark received as no-export, only accept peer AS |
customer | EBGP; allow export as if confederate, only accept peer AS |
internal | IBGP allowing own AS |
reflector | IBGP allowing own AS and working in route reflector mode |
confederate | EBGP confederate |
ixp | Internet exchange point peer on route server, soft routes EBGP only |
Tag | Description |
false | Local LNS IP (deprecated) |
lns | Local LNS IP |
both | Send NAS IP twice (LAC then LNS) |
lac | Remote LAC IP |
true | Remote LAC IP (deprecated) |
Tag | Description |
Secret | Shared Secret |
Certificate | X.509 certificate |
EAP | Use EAP for authentication |
Tag | Description |
Wait | Wait for peer to initiate the connection |
On-demand | Bring up when needed for traffic |
Immediate | Always attempt to bring up connection |
Tag | Description |
HMAC-MD5 | HMAC-MD5 |
HMAC-SHA1 | HMAC-SHA1 |
AES-XCBC-128 | AES-XCBC with 128-bit key |
HMAC-SHA256 | PRF-HMAC-SHA-256 (rfc4868) |
Tag | Description |
none | No D-H negotiation (only used with AH/ESP) |
MODP-1024 | 1024-bit Sophie Germain Prime MODP Group |
MODP-2048 | 2048-bit Sophie Germain Prime MODP Group |
Tag | Description |
ALLOW-ESN | Allow Extended Sequence Numbers (64 bits) |
ALLOW-SHORT-SN | Allow short sequence numbers (32 bits) |
Tag | Description |
tunnel | IPsec tunnel |
transport | IPsec transport |
Manual setting control for profile
Tag | Description |
false | Profile set to OFF |
true | Profile set to ON |
control-switch | Profile set based on control switch on home page |
Tag | Description |
leave | Don't correct checksum |
udp-remove | Remove checksum for UDP packets |
recalc | Recalculate new checksum |
check-recalc | Check old value and recalculate new |
Tag | Description |
false | No dynamic graph |
ip | Use source IP address |
mac | Use source MAC address |
Tag | Description |
continue | Continue rule-set checking |
accept | Allow but no more rule-set checking |
reject | End all rule checking now and set to send ICMP reject |
drop | End all rule checking now and set to drop |
ignore | End all rule checking and ignore (drop) just this packet, not making a session |
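The evaluation order described under "Firewall rule" above (rules checked in order within a rule-set, first match applies, default action continue hands over to the next rule-set) and the firewall-action tags in this table, as an added illustration in Python. This is not FireBrick's code; it models a session as a simple tuple and implements only the protocol, source-ip, target-ip and target-port criteria. Rule-set and rule names, addresses and ports are constructed for the example. What happens when no rule in a rule-set matches, and the final result when no terminal action is ever reached, are not stated on the page: the code assumes fall-through to the next rule-set and exposes the final result as a `default_action` parameter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocol numbers as used by the session-rule "protocol" attribute [1=ICMP, 6=TCP, 17=UDP].
ICMP, TCP, UDP = 1, 6, 17

# Actions that "end all rule checking"; "continue" moves on to the next rule-set.
TERMINAL_ACTIONS = {"accept", "reject", "drop", "ignore"}


@dataclass
class Session:
    protocol: int
    source_ip: str
    target_ip: str
    target_port: int = 0


@dataclass
class Rule:
    """A simplified session-rule: an empty tuple for a criterion means 'any'."""
    name: str
    action: str = "continue"          # page default for a rule
    protocol: tuple = ()              # e.g. (TCP,)
    source_ip: tuple = ()             # CIDR strings
    target_ip: tuple = ()
    target_port: tuple = ()           # (low, high) inclusive ranges

    def matches(self, s: Session) -> bool:
        if self.protocol and s.protocol not in self.protocol:
            return False
        if self.source_ip and not any(ip_address(s.source_ip) in ip_network(n) for n in self.source_ip):
            return False
        if self.target_ip and not any(ip_address(s.target_ip) in ip_network(n) for n in self.target_ip):
            return False
        if self.target_port and not any(lo <= s.target_port <= hi for lo, hi in self.target_port):
            return False
        return True


def evaluate(rule_sets, session, default_action="accept"):
    """Walk rule-sets in order; within each, the first matching rule applies.

    Returns (final_action, trace), where trace lists (rule_set, rule, action)
    for every rule that matched along the way. default_action is an assumption
    (not stated on the page) for when no terminal action is reached.
    """
    trace = []
    for rs_name, rules in rule_sets:
        for rule in rules:
            if rule.matches(session):
                trace.append((rs_name, rule.name, rule.action))
                if rule.action in TERMINAL_ACTIONS:
                    return rule.action, trace
                break          # "continue": first match applies, so go to the next rule-set
        # Assumption: no match in this rule-set falls through to the next one.
    return default_action, trace


# Constructed rule-sets (hypothetical names and addresses, not from the page).
RULE_SETS = [
    ("tag-all", [Rule("tag-everything")]),                # matches everything, action continue
    ("admin-ssh", [
        Rule("allow-admin-ssh", "accept", (TCP,), ("10.0.0.0/24",), ("192.0.2.1/32",), ((22, 22),)),
        Rule("drop-other-ssh", "drop", (TCP,), (), (), ((22, 22),)),
    ]),
    ("dns", [Rule("allow-dns", "accept", (UDP,), (), (), ((53, 53),))]),
]


def decide(protocol, src, dst, port):
    """Evaluate one session against the constructed rule-sets."""
    return evaluate(RULE_SETS, Session(protocol, src, dst, port))


if __name__ == "__main__":
    for args in [(TCP, "10.0.0.5", "192.0.2.1", 22), (TCP, "203.0.113.9", "192.0.2.1", 22),
                 (UDP, "10.0.0.5", "192.0.2.53", 53), (TCP, "10.0.0.5", "192.0.2.1", 80)]:
        print(args, decide(*args))
```

The trace shows the practical consequence of the default: a rule-set whose rules all use continue (here "tag-all") never decides anything by itself, so logging or shaping rule-sets can be placed first without shadowing the accept/drop decisions made later, while a drop in "admin-ssh" stops evaluation before the "dns" rule-set is ever consulted.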
Tag | Description |
false | Do not send Privacy header |
id | Send Privacy:id to mark withheld |
user | Send Privacy:user to mark withheld |
user-id | Send Privacy:user;id to mark withheld |
Tag | Description |
transparent | Unchanged |
international | Full international number |
int-no-plus | International without leading plus |
national | With nat/int prefix |
local | Local number/extension |
block | Do not use for calls |
Tag | Description |
false | Don't format numbers for display |
true | Format numbers for display with spacing |
replace-zero | Format numbers for display with spacing and replacing zeros - may look clearer on some CLI devices |
Tag | Description |
false | Don't automatically record calls |
in-only | Automatically record incoming calls |
out-only | Automatically record outgoing calls |
true | Automatically record all calls |
Tag | Description |
false | Non ACR (deprecated) |
no-calls | Reject all calls |
accepted | Only directory screen accept calls |
found | Only directory screen found calls |
non-rejected | All non rejected calls |
acr | All non withheld calls |
true | ACR (deprecated) |
Tag | Description |
strict | Order in config |
random | Random order |
cyclic | Cycling from last call |
oldest | Oldest used phone first |
Tag | Description |
all | All phones |
cascade | Increasing number of phones |
sequence | One phone at a time |
Tag | Description |
reject | Reject call |
accept | Accept call |
Tag | Description |
false | No beep |
button | Beep on record button press |
true | Beep on start of record |
Basic types