FireBrick FB2700 User Manual

This User Manual documents Software version V1.25.010

Revision History

Table of Contents

Preface
1. Introduction
1.1. The FB2700
1.1.1. Where do I start?
1.1.2. What can it do?
1.1.3. Ethernet port capabilities
1.1.4. Differences between the devices in the FB2x00 series
1.1.5. Software features
1.1.6. Migration from previous FireBrick models
1.2. About this Manual
1.2.1. Version
1.2.2. Intended audience
1.2.3. Technical details
1.2.4. Document style
1.2.5. Document conventions
1.2.6. Comments and feedback
1.3. Additional Resources
1.3.1. Technical Support
1.3.2. IRC Channel
1.3.3. Application Notes
1.3.4. White Papers
1.3.5. Training Courses
2. Getting Started
2.1. IP addressing
2.2. Accessing the web-based user interface
2.2.1. Add a new user
3. Configuration
3.1. The Object Hierarchy
3.2. The Object Model
3.2.1. Formal definition of the object model
3.2.2. Common attributes
3.3. Configuration Methods
3.4. Web User Interface Overview
3.4.1. User Interface layout
3.4.1.1. Customising the layout
3.4.2. Config pages and the object hierarchy
3.4.2.1. Configuration categories
3.4.2.2. Object settings
3.4.3. Navigating around the User Interface
3.4.4. Backing up / restoring the configuration
3.5. Configuration using XML
3.5.1. Introduction to XML
3.5.2. The root element - <config>
3.5.3. Viewing or editing XML
3.5.4. Example XML configuration
3.6. Downloading/Uploading the configuration
3.6.1. Download
3.6.2. Upload
4. System Administration
4.1. User Management
4.1.1. Login level
4.1.2. Configuration access level
4.1.3. Login idle timeout
4.1.4. Restricting user logins
4.1.4.1. Restrict by IP address
4.1.4.2. Restrict by profile
4.2. General System settings
4.2.1. System name (hostname)
4.2.2. Administrative details
4.2.3. System-level event logging control
4.2.4. Home page web links
4.3. Software Upgrades
4.3.1. Software release types
4.3.1.1. Breakpoint releases
4.3.2. Identifying current software version
4.3.3. Internet-based upgrade process
4.3.3.1. Manually initiating upgrades
4.3.3.2. Controlling automatic software updates
4.3.4. Manual upgrade
4.4. Boot Process
4.4.1. LED indications
4.4.1.1. Power LED status indications
4.4.1.2. Port LEDs
5. Event Logging
5.1. Overview
5.1.1. Log targets
5.1.1.1. Logging to Flash memory
5.1.1.2. Logging to the Console
5.2. Enabling logging
5.3. Logging to external destinations
5.3.1. Syslog
5.3.2. Email
5.3.2.1. E-mail process logging
5.4. Factory reset configuration log targets
5.5. Performance
5.6. Viewing logs
5.6.1. Viewing logs in the User Interface
5.6.2. Viewing logs in the CLI environment
5.7. System-event logging
5.8. Using Profiles
6. Interfaces and Subnets
6.1. Relationship between Interfaces and Physical Ports
6.1.1. Port groups
6.1.2. Interfaces
6.2. Defining port groups
6.3. Defining an interface
6.3.1. Defining subnets
6.3.1.1. Using DHCP to configure a subnet
6.3.2. Setting up DHCP server parameters
6.3.2.1. Fixed/Static DHCP allocations
6.3.2.2. Partial-MAC-address based allocations
6.4. Physical port settings
6.4.1. Disabling auto-negotiation
6.4.2. Setting port speed
6.4.3. Setting duplex mode
6.4.4. Defining port LED functions
7. Session Handling
7.1. Routing vs. Firewalling
7.2. Session Tracking
7.2.1. Session termination
7.3. Session Rules
7.3.1. Overview
7.3.2. Processing flow
7.3.3. Defining Rule-Sets and Rules
7.3.3.1. Recommended method of implementing firewalling
7.3.3.2. Changes to session traffic
7.3.3.3. Graphing and traffic shaping
7.3.3.4. Configuring session time-outs
8. Routing
8.1. Routing logic
8.2. Routing targets
8.2.1. Subnet routes
8.2.2. Routing to an IP address (gateway route)
8.2.3. Special targets
8.3. Dynamic route creation / deletion
8.4. Routing tables
8.5. Route overrides
9. Profiles
9.1. Overview
9.2. Creating/editing profiles
9.2.1. Timing control
9.2.2. Tests
9.2.2.1. General tests
9.2.2.2. Time/date tests
9.2.2.3. Ping tests
9.2.3. Inverting overall test result
9.2.4. Manual override
10. Traffic Shaping
10.1. Graphs and Shapers
10.1.1. Graphs
10.1.2. Shapers
11. PPPoE
11.1. Types of DSL line and router in the United Kingdom
11.2. Defining PPPoE links
11.2.1. IPv6
11.2.2. Additional options
11.2.2.1. MTU and TCP fix
11.2.2.2. Service and ac-name
11.2.2.3. Logging
11.2.2.4. Speed and graphs
12. Tunnels
12.1. FB105 tunnels
12.1.1. Tunnel wrapper packets
12.1.2. Setting up a tunnel
12.1.3. Viewing tunnel status
12.1.4. Dynamic routes
12.1.5. Tunnel bonding
12.1.6. Tunnels and NAT
12.1.6.1. FB2700 doing NAT
12.1.6.2. Another device doing NAT
13. USB Port
13.1. USB configuration
13.1.1. 3G dongle configuration
14. System Services
14.1. Common settings
14.2. HTTP Server configuration
14.2.1. Access control
14.2.1.1. Trusted addresses
14.3. Telnet Server configuration
14.3.1. Access control
14.4. DNS configuration
14.4.1. Blocking DNS names
14.4.2. Local DNS responses
14.4.3. Auto DHCP DNS
14.5. NTP configuration
14.6. SNMP configuration
14.7. RADIUS configuration
14.7.1. RADIUS server (platform RADIUS)
14.7.2. RADIUS client
15. Network Diagnostic Tools
15.1. Firewalling check
15.2. Access check
15.3. Packet Dumping
15.3.1. Dump parameters
15.3.2. Security settings required
15.3.3. IP address matching
15.3.4. Packet types
15.3.5. Snaplen specification
15.3.6. Using the web interface
15.3.7. Using an HTTP client
15.3.7.1. Example using curl and tcpdump
16. VRRP
16.1. Virtual Routers
16.2. Configuring VRRP
16.2.1. Advertisement Interval
16.2.2. Priority
16.3. Using a virtual router
16.4. VRRP versions
16.4.1. VRRP version 2
16.4.2. VRRP version 3
16.5. Compatibility
17. VoIP
17.1. What is VoIP?
17.2. Registration and Proxies
17.2.1. Registrar
17.2.2. Proxy
17.3. Home/office phone system
17.4. Network Address Translation
17.5. Number plan
17.6. Telephone handsets
17.7. VoIP call carriers
17.8. Hunt groups
17.8.1. Ring Type
17.8.2. Ring order
17.8.3. Overflow
17.8.4. Out of hours
17.9. Call pickup/steal
17.10. Busy lamp field
17.11. Using RADIUS
17.11.1. RADIUS accounting
17.11.2. RADIUS authentication
17.11.2.1. Call routing by RADIUS
17.12. Call recording
17.13. Voicemail and IVR services
17.14. Call Data Records
17.15. Technical details
17.16. Custom tones
18. BGP
18.1. What is BGP?
18.2. Using BGP in an office network?
19. L2TP
19.1. What is L2TP?
19.2. Incoming L2TP connections
19.3. The importance of CQM graphs
19.4. Local Authentication
19.5. Relaying L2TP connections
19.6. RADIUS Authentication and Accounting
19.7. RADIUS Control messages
19.8. Outgoing L2TP connections
20. IPsec
20.1. What is IPsec?
20.1.1. Authentication
20.1.2. Encryption
20.1.3. IKE
20.2. Setting up a tunnel
20.2.1. IP endpoints
20.2.2. Manual Keying
20.2.3. Routing
20.2.4. Other parameters
20.3. Tunnelling to a non-FireBrick device
20.4. Remote connection - IPsec and L2TP
20.5. Choice of algorithms
21. Command Line Interface
A. Factory Reset Procedure
B. CIDR and CIDR Notation
C. MAC Addresses usage
D. VLANs : A primer
E. Supported L2TP Attribute/Value Pairs
E.1. Start-Control-Connection-Request
E.2. Start-Control-Connection-Reply
E.3. Start-Control-Connection-Connected
E.4. Stop-Control-Connection-Notification
E.5. Hello
E.6. Incoming-Call-Request
E.7. Incoming-Call-Reply
E.8. Incoming-Call-Connected
E.9. Outgoing-Call-Request
E.10. Outgoing-Call-Reply
E.11. Outgoing-Call-Connected
E.12. Call-Disconnect-Notify
E.13. WAN-Error-Notify
E.14. Set-Link-Info
E.15. Notes
E.15.1. BT specific notes
E.15.2. IP over LCP
F. Supported RADIUS Attribute/Value Pairs for L2TP operation
F.1. Authentication request
F.2. Authentication response
F.2.1. Accepted authentication
F.2.1.1. Prefix Delegation
F.2.2. Rejected authentication
F.3. Accounting Start
F.4. Accounting Interim
F.5. Accounting Stop
F.6. Disconnect
F.7. Change of Authorisation
F.8. Filter ID
F.9. Notes
F.9.1. L2TP relay
F.9.2. LCP echo and CQM graphs
F.9.3. IP over LCP
F.9.4. Closed User Group
F.9.5. Routing table
G. Supported RADIUS Attribute/Value Pairs for VoIP operation
G.1. Authentication request
G.2. Authentication response
G.2.1. Challenge authentication
G.2.2. Accepted authentication (registration)
G.2.3. Accepted authentication (invite)
G.2.4. Rejected authentication
G.3. Accounting Start
G.4. Accounting Interim
G.5. Accounting Stop
G.6. Disconnect
G.7. Change of Authorisation
H. Command line reference
H.1. General commands
H.1.1. Trace off
H.1.2. Trace on
H.1.3. Uptime
H.1.4. General status
H.1.5. Memory usage
H.1.6. Process/task usage
H.1.7. Login
H.1.8. Logout
H.1.9. See XML configuration
H.1.10. Load XML configuration
H.1.11. Show profile status
H.1.12. Show RADIUS servers
H.1.13. Show DNS resolvers
H.2. Networking commands
H.2.1. Subnets
H.2.2. Ping and trace
H.2.3. Show a route from the routing table
H.2.4. List routes
H.2.5. List routing next hops
H.2.6. See DHCP allocations
H.2.7. Clear DHCP allocations
H.2.8. Lock DHCP allocations
H.2.9. Unlock DHCP allocations
H.2.10. Name DHCP allocations
H.2.11. Show ARP/ND status
H.2.12. Show VRRP status
H.2.13. Send Wake-on-LAN packet
H.3. Firewalling commands
H.3.1. Check access to services
H.3.2. Check firewall logic
H.4. USB/dongle commands
H.4.1. Show dongle connections
H.4.2. Reset USB interface and all attached devices
H.4.3. Reset PPP/Dongle data connection
H.5. L2TP commands
H.6. BGP commands
H.7. PPPoE commands
H.8. VoIP commands
H.9. Dongle/USB commands
H.10. Advanced commands
H.10.1. Panic
H.10.2. Reboot
H.10.3. Screen width
H.10.4. Make outbound command session
H.10.5. Show command sessions
H.10.6. Kill command session
H.10.7. Flash memory list
H.10.8. Delete block from flash
H.10.9. Boot log
H.10.10. Flash log
I. Configuration Objects
I.1. Top level
I.1.1. config: Top level config
I.2. Objects
I.2.1. system: System settings
I.2.2. link: Web links
I.2.3. user: Admin users
I.2.4. log: Log target controls
I.2.5. log-syslog: Syslog logger settings
I.2.6. log-email: Email logger settings
I.2.7. services: System services
I.2.8. snmp-service: SNMP service settings
I.2.9. ntp-service: NTP service settings
I.2.10. telnet-service: Telnet service settings
I.2.11. http-service: HTTP service settings
I.2.12. dns-service: DNS service settings
I.2.13. dns-host: Fixed local DNS host settings
I.2.14. dns-block: Fixed local DNS blocks
I.2.15. radius-service: RADIUS service definition
I.2.16. radius-service-match: Matching rules for RADIUS service
I.2.17. radius-server: RADIUS server settings
I.2.18. ethernet: Physical port controls
I.2.19. portdef: Port grouping and naming
I.2.20. interface: Port-group/VLAN interface settings
I.2.21. subnet: Subnet settings
I.2.22. vrrp: VRRP settings
I.2.23. dhcps: DHCP server settings
I.2.24. dhcp-attr-hex: DHCP server attributes (hex)
I.2.25. dhcp-attr-string: DHCP server attributes (string)
I.2.26. dhcp-attr-number: DHCP server attributes (numeric)
I.2.27. dhcp-attr-ip: DHCP server attributes (IP)
I.2.28. pppoe: PPPoE settings
I.2.29. ppp-route: PPP routes
I.2.30. usb: USB 3G/dongle settings
I.2.31. dongle: 3G/dongle settings
I.2.32. route: Static routes
I.2.33. network: Locally originated networks
I.2.34. blackhole: Dead end networks
I.2.35. loopback: Locally originated networks
I.2.36. bgp: Overall BGP settings
I.2.37. bgppeer: BGP peer definitions
I.2.38. bgpmap: Mapping and filtering rules of BGP prefixes
I.2.39. bgprule: Individual mapping/filtering rule
I.2.40. cqm: Constant Quality Monitoring settings
I.2.41. l2tp: L2TP settings
I.2.42. l2tp-outgoing: L2TP settings for outgoing L2TP connections
I.2.43. l2tp-incoming: L2TP settings for incoming L2TP connections
I.2.44. l2tp-relay: Relay and local authentication rules for L2TP
I.2.45. fb105: FB105 tunnel definition
I.2.46. fb105-route: FB105 routes
I.2.47. ipsec: IPsec configuration
I.2.48. ipsec-route: IPsec tunnel routes
I.2.49. ping: Ping/graph definition
I.2.50. profile: Control profile
I.2.51. profile-date: Test passes if within any of the date/time ranges specified
I.2.52. profile-time: Test passes if within any of the time ranges specified
I.2.53. profile-ping: Test passes if any addresses are pingable
I.2.54. shaper: Traffic shaper
I.2.55. shaper-override: Traffic shaper override based on profile
I.2.56. ip-group: IP Group
I.2.57. route-override: Routing override rules
I.2.58. session-route-rule: Routing override rule
I.2.59. session-route-share: Route override load sharing
I.2.60. rule-set: Firewall/mapping rule set
I.2.61. session-rule: Firewall rules
I.2.62. session-share: Firewall load sharing
I.2.63. voip: Voice over IP config
I.2.64. carrier: VoIP carrier details
I.2.65. telephone: VoIP telephone authentication user details
I.2.66. tone: Tone definitions
I.2.67. ringgroup: Ring groups
I.3. Data types
I.3.1. autoloadtype: Type of s/w auto load
I.3.2. config-access: Type of access user has to config
I.3.3. user-level: User login level
I.3.4. syslog-severity: Syslog severity
I.3.5. syslog-facility: Syslog facility
I.3.6. month: Month name (3 letter)
I.3.7. day: Day name (3 letter)
I.3.8. radiuspriority: Options for controlling platform RADIUS response priority tagging
I.3.9. radiustype: Type of RADIUS server
I.3.10. port: Physical port
I.3.11. Crossover: Crossover configuration
I.3.12. LinkSpeed: Physical port speed
I.3.13. LinkDuplex: Physical port duplex setting
I.3.14. LinkFlow: Physical port flow control setting
I.3.15. LinkClock: Physical port Gigabit clock master/slave setting
I.3.16. LinkLED: LED settings
I.3.17. LinkPower: PHY power saving options
I.3.18. LinkFault: Link fault type to send
I.3.19. ramode: IPv6 route announce level
I.3.20. dhcpv6control: Control for RA and DHCPv6 bits
I.3.21. bgpmode: BGP announcement mode
I.3.22. pppoe-mode: Type of PPPoE connection
I.3.23. pdp-context-type: Type of IP connection
I.3.24. peertype: BGP peer type
I.3.25. ipsec-type: IPsec encapsulation type
I.3.26. ipsec-mode: IPsec encapsulation mode
I.3.27. ipsec-auth-algorithm: IPsec authentication algorithm
I.3.28. ipsec-crypt-algorithm: IPsec encryption algorithm
I.3.29. firewall-action: Firewall action
I.3.30. voip-format: Number presentation format
I.3.31. uknumberformat: Number formatting option
I.3.32. recordoption: Recording option
I.3.33. ring-group-order: Order of ring
I.3.34. ring-group-type: Type of ring when one call in queue
I.4. Basic types
Index

List of Figures

2.1. Initial web page in factory reset state
2.2. Initial "Users" page
2.3. Setting up a new user
2.4. Configuration being stored
3.1. Main menu
3.2. Icons for layout controls
3.3. Icons for configuration categories
3.4. The "Setup" category
3.5. Editing an "Interface" object
3.6. Show hidden attributes
3.7. Attribute definitions
3.8. Navigation controls
4.1. Setting up a new user
4.2. Software upgrade available notification
4.3. Manual Software upload
7.1. Example sessions created by drop and reject actions
7.2. Processing flow chart for rule-sets and session-rules
C.1. Product label showing MAC address range

List of Tables

2.1. IP addresses for computer
2.2. IP addresses to access the FireBrick
2.3. IP addresses to access the FireBrick
3.1. Special character sequences
4.1. User login levels
4.2. Configuration access levels
4.3. General administrative details attributes
4.4. Attributes controlling auto-upgrades
4.5. Power LED status indications
5.1. Logging attributes
5.2. System-Event Logging attributes
6.1. Physical port usage options
6.2. Port LED functions
6.3. Example modified Port LED functions
7.1. Action attribute values
8.1. Route targets
14.1. List of system services
14.2. List of system services
15.1. Packet dump parameters
15.2. Packet types that can be captured
17.1. Ring Type
17.2. Ring Order
17.3. Access-Accept
17.4. Default tones
20.1. IPsec algorithm key lengths
C.1. DHCP client names used
E.1. SCCRQ
E.2. SCCRP
E.3. SCCCN
E.4. StopCCN
E.5. HELLO
E.6. ICRQ
E.7. ICRP
E.8. ICCN
E.9. OCRQ
E.10. OCRP
E.11. OCCN
E.12. CDN
E.13. WEN
E.14. SLI
F.1. Access-request
F.2. Access-Accept
F.3. Access-Reject
F.4. Accounting-Start
F.5. Accounting-Interim
F.6. Accounting-Stop
F.7. Disconnect
F.8. Change-of-Authorisation
F.9. Filter-ID
G.1. Access-request
G.2. Access-Challenge
G.3. Access-Accept
G.4. Access-Accept
G.5. Access-Reject
G.6. Accounting-Start
G.7. Accounting-Interim
G.8. Accounting-Stop
G.9. Disconnect
G.10. Change-of-Authorisation
I.1. config: Attributes
I.2. config: Elements
I.3. system: Attributes
I.4. system: Elements
I.5. link: Attributes
I.6. user: Attributes
I.7. log: Attributes
I.8. log: Elements
I.9. log-syslog: Attributes
I.10. log-email: Attributes
I.11. services: Elements
I.12. snmp-service: Attributes
I.13. ntp-service: Attributes
I.14. telnet-service: Attributes
I.15. http-service: Attributes
I.16. dns-service: Attributes
I.17. dns-service: Elements
I.18. dns-host: Attributes
I.19. dns-block: Attributes
I.20. radius-service: Attributes
I.21. radius-service: Elements
I.22. radius-service-match: Attributes
I.23. radius-server: Attributes
I.24. ethernet: Attributes
I.25. portdef: Attributes
I.26. interface: Attributes
I.27. interface: Elements
I.28. subnet: Attributes
I.29. vrrp: Attributes
I.30. dhcps: Attributes
I.31. dhcps: Elements
I.32. dhcp-attr-hex: Attributes
I.33. dhcp-attr-string: Attributes
I.34. dhcp-attr-number: Attributes
I.35. dhcp-attr-ip: Attributes
I.36. pppoe: Attributes
I.37. pppoe: Elements
I.38. ppp-route: Attributes
I.39. usb: Attributes
I.40. usb: Elements
I.41. dongle: Attributes
I.42. dongle: Elements
I.43. route: Attributes
I.44. network: Attributes
I.45. blackhole: Attributes
I.46. loopback: Attributes
I.47. bgp: Attributes
I.48. bgp: Elements
I.49. bgppeer: Attributes
I.50. bgppeer: Elements
I.51. bgpmap: Attributes
I.52. bgpmap: Elements
I.53. bgprule: Attributes
I.54. cqm: Attributes
I.55. l2tp: Attributes
I.56. l2tp: Elements
I.57. l2tp-outgoing: Attributes
I.58. l2tp-outgoing: Elements
I.59. l2tp-incoming: Attributes
I.60. l2tp-incoming: Elements
I.61. l2tp-relay: Attributes
I.62. fb105: Attributes
I.63. fb105: Elements
I.64. fb105-route: Attributes
I.65. ipsec: Attributes
I.66. ipsec: Elements
I.67. ipsec-route: Attributes
I.68. ping: Attributes
I.69. profile: Attributes
I.70. profile: Elements
I.71. profile-date: Attributes
I.72. profile-time: Attributes
I.73. profile-ping: Attributes
I.74. shaper: Attributes
I.75. shaper: Elements
I.76. shaper-override: Attributes
I.77. ip-group: Attributes
I.78. route-override: Attributes
I.79. route-override: Elements
I.80. session-route-rule: Attributes
I.81. session-route-rule: Elements
I.82. session-route-share: Attributes
I.83. rule-set: Attributes
I.84. rule-set: Elements
I.85. session-rule: Attributes
I.86. session-rule: Elements
I.87. session-share: Attributes
I.88. voip: Attributes
I.89. voip: Elements
I.90. carrier: Attributes
I.91. telephone: Attributes
I.92. tone: Attributes
I.93. ringgroup: Attributes
I.94. autoloadtype: Type of s/w auto load
I.95. config-access: Type of access user has to config
I.96. user-level: User login level
I.97. syslog-severity: Syslog severity
I.98. syslog-facility: Syslog facility
I.99. month: Month name (3 letter)
I.100. day: Day name (3 letter)
I.101. radiuspriority: Options for controlling platform RADIUS response priority tagging
I.102. radiustype: Type of RADIUS server
I.103. port: Physical port
I.104. Crossover: Crossover configuration
I.105. LinkSpeed: Physical port speed
I.106. LinkDuplex: Physical port duplex setting
I.107. LinkFlow: Physical port flow control setting
I.108. LinkClock: Physical port Gigabit clock master/slave setting
I.109. LinkLED: LED settings
I.110. LinkPower: PHY power saving options
I.111. LinkFault: Link fault type to send
I.112. ramode: IPv6 route announce level
I.113. dhcpv6control: Control for RA and DHCPv6 bits
I.114. bgpmode: BGP announcement mode
I.115. pppoe-mode: Type of PPPoE connection
I.116. pdp-context-type: Type of IP connection
I.117. peertype: BGP peer type
I.118. ipsec-type: IPsec encapsulation type
I.119. ipsec-mode: IPsec encapsulation mode
I.120. ipsec-auth-algorithm: IPsec authentication algorithm
I.121. ipsec-crypt-algorithm: IPsec encryption algorithm
I.122. firewall-action: Firewall action
I.123. voip-format: Number presentation format
I.124. uknumberformat: Number formatting option
I.125. recordoption: Recording option
I.126. ring-group-order: Order of ring
I.127. ring-group-type: Type of ring when one call in queue
I.128. Basic data types