M.2. Objects

M.2.1. system: System settings

The system settings are the top level attributes of the system which apply globally.

Table M.3. system: Attributes

Attribute | Type | Default | Description
acme-directory | string | https://acme-v02.api.letsencrypt.org/directory | ACME server directory
acme-hostname | List of string | - | Public hostname(s) for FireBrick for HTTPS
acme-keygen | boolean | true | Automatically obtain private keys as needed
acme-profile | NMTOKEN | - | Profile for when to do ACME renewals
acme-renew | positiveInteger | 30 | Renewal before expiry (days)
acme-source-ip | IP46Addr | - | Source IP for ACME renewal
acme-terms-agreed-email | string | - | Put your email if you agree CA terms
busy-threshold | unsignedInt | 200 | Max non-idle time before damping eth rx (millisec)
comment | string | - | Comment
contact | string | - | Contact name
cpu-int-reserved | (unsignedByte 0-100) percentage | 95 | Min percentage of CPU earmarked for int processing
email | string | - | Contact email
eth-rx-qsize | unsignedInt | 256 | Size of eth driver Rx queue
eth-tx-qsize | unsignedInt | 512 | Size of eth driver Tx queue
intro | string | - | Home page text
location | string | - | Location description
log | NMTOKEN | Web/console | Log system events
log-acme | NMTOKEN | - | Log ACME
log-acme-debug | NMTOKEN | - | Log ACME debug
log-acme-error | NMTOKEN | - | Log ACME errors
log-config | NMTOKEN | Web/Flash/console | Log config load
log-debug | NMTOKEN | Not logging | Log system debug messages
log-diagnostic | NMTOKEN | Not logging | Log system diagnostic messages
log-error | NMTOKEN | Web/Flash/console | Log system errors
log-eth | NMTOKEN | Web/console | Log Ethernet messages
log-eth-debug | NMTOKEN | Not logging | Log Ethernet debug
log-eth-error | NMTOKEN | Web/Flash/console | Log Ethernet errors
log-ppp-dump | ppp-dump | - | PPP dump format
log-route-nexthop | NMTOKEN | Not logged | Log next hop changes
log-stats | NMTOKEN | Not logging | Log one second stats
log-support | NMTOKEN | Web logs | Log support messages (e.g. stack trace)
log-tcp-debug | NMTOKEN | Not logging | Log TCP/TLS debug messages
login-intro | string | - | Login page text
name | string | - | System hostname
pre-reboot-url | string | - | URL to GET prior to s/w reboot (typically to warn Nagios)
soft-watchdog | boolean | false | Debug - use only if advised; do not use on an unattended FireBrick
source | string | - | Source of data, used in automated config management
sw-update | autoloadtype | factory | Load new software automatically
sw-update-delay | (unsignedByte 0-30) fb-sw-update-delay | 0 | Number of days after release to wait before automatically upgrading
sw-update-profile | NMTOKEN | - | Profile name for when to load new s/w
table | (unsignedByte 0-99) routetable | 0 | Routing table number for system functions (s/w updates, etc)

Table M.4. system: Elements

Element | Type | Instances | Description
link | link | Optional, unlimited | Intro links

M.2.2. link: Web links

Links to other web pages

Table M.5. link: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
level | user-level | GUEST | Login level required
name | string | - | Link name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
text | string | - | Link text
url | string | - | Link address

M.2.3. routing-table: Default source IP for services using a given table

Default source IP for traffic originated by this FireBrick

Table M.6. routing-table: Attributes

Attribute | Type | Default | Description
name | string | - | Name
source-ip | IP46Addr | - | Default source IP for services
table | (unsignedByte 0-99) routetable | Not optional | Routing table number

M.2.4. user: Admin users

User names, passwords and abilities for admin users

Table M.7. user: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses
comment | string | - | Comment
config | config-access | full | Config access level
full-name | string | - | Full name
level | user-level | ADMIN | Login level
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
name | (NMTOKEN) username | Not optional | User name
otp-seed | OTP | - | OTP seed (do not edit by hand)
password | Password | Not optional | User password
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in, not recommended)

M.2.5. eap: User access controlled by EAP

Identities, passwords and access methods for access controlled with EAP

Table M.8. eap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
full-name | string | - | Full name
methods | Set of eap-method | Not optional | Allowed methods
name | string | Not optional | User or account name
password | Secret | Not optional | User password
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
subsystem | eap-subsystem | Not optional | Access controlled subsystem

M.2.6. log: Log target controls

Named logging target

Table M.9. log: Attributes

Attribute | Type | Default | Description
colour | Colour | - | Colour used in web display
comment | string | - | Comment
console | boolean | - | Log immediately to console
flash | boolean | - | Log immediately to slow flash memory (use with care)
jtag | boolean | - | Log immediately to JTAG (development use only)
name | NMTOKEN | Not optional | Log target name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
system | boolean | - | Include system logs on web/cli view

Table M.10. log: Elements

Element | Type | Instances | Description
email | log-email | Optional, unlimited | Email settings
syslog | log-syslog | Optional, unlimited | Syslog settings

M.2.7. log-syslog: Syslog logger settings

Logging to a syslog server

Table M.11. log-syslog: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
facility | syslog-facility | LOCAL0 | Facility setting
port | unsignedShort | 514 | Server port
profile | NMTOKEN | - | Profile name
server | IPNameAddr | Not optional | Syslog server
severity | syslog-severity | NOTICE | Severity setting
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Use specific source IP
system-logs | boolean | - | Include generic system log messages as well
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs
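As an added example (not FireBrick code), the following Python shows what the facility and severity settings above mean on the wire and how a collector can pick this target's messages out of a mixed stream by PRI rather than by trusting the hostname field. The facility and severity codes are the standard RFC 5424 values; the assumption here is that the syslog-facility and syslog-severity type names match the usual syslog names (the page only shows the defaults LOCAL0 and NOTICE), and the sample lines are constructed for the example.

```python
"""Syslog PRI handling for a FireBrick log-syslog target (added example)."""
import re

# RFC 5424 facility and severity codes; names assumed to match the
# syslog-facility / syslog-severity types (page shows LOCAL0 and NOTICE).
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
              "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# PRI is one to three digits in angle brackets at the very start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.S)


def pri(facility="LOCAL0", severity="NOTICE"):
    """PRI value a target configured with these two attributes stamps on each message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """(facility name, severity name) for a PRI, or None when out of range (max 191)."""
    if not 0 <= value <= 191:
        return None
    return FACILITY_NAMES.get(value // 8, f"FACILITY{value // 8}"), SEVERITY_NAMES[value % 8]


def parse_line(line):
    """Split a raw line into PRI and remainder. Lines with no PRI, or an
    out-of-range PRI, get facility/severity None rather than being guessed
    (RFC 3164 lets relays assume PRI 13 for a missing PRI; we keep it visible)."""
    m = PRI_RE.match(line)
    if not m:
        return {"pri": None, "facility": None, "severity": None, "msg": line}
    value = int(m.group(1))
    decoded = decode_pri(value)
    if decoded is None:
        return {"pri": value, "facility": None, "severity": None, "msg": m.group(2)}
    return {"pri": value, "facility": decoded[0], "severity": decoded[1], "msg": m.group(2)}


def from_target(lines, facility="LOCAL0", severity="NOTICE"):
    """Messages whose PRI equals what a log-syslog target with this facility
    and severity would emit; everything else (other hosts, malformed lines) is dropped."""
    want = pri(facility, severity)
    return [p["msg"] for p in map(parse_line, lines) if p["pri"] == want]


# Constructed sample lines, not captured from a real device.
SAMPLE_LINES = [
    "<133>Jan  5 10:15:02 fb-edge fb: Login from 192.0.2.10 user admin",
    "<134>Jan  5 10:15:03 fb-edge fb: debug line at LOCAL0.INFO",
    "<13>Jan  5 10:15:04 other-host app: USER.NOTICE from another host",
    "<999>Jan  5 10:15:05 bad: PRI out of range",
    "no PRI at all",
]

if __name__ == "__main__":
    print("PRI for LOCAL0/NOTICE:", pri())
    for msg in from_target(SAMPLE_LINES):
        print("from FireBrick target:", msg)
```

Because a single target uses one severity for everything it sends, severity on the collector side identifies the target, not the importance of the event; if you want errors and debug separated by PRI, define separate log targets with different severity settings and send each class of log to its own target.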

M.2.8. log-email: Email logger settings

Logging to email

Table M.12. log-email: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
delay | duration | 1:00 | Delay before sending, since first event to send
from | string | One made up using serial number | Source email address
hold-off | duration | 1:00:00 | Delay before sending, since last email
log | NMTOKEN | Not logging | Log emailing process
log-debug | NMTOKEN | Not logging | Log emailing debug
log-error | NMTOKEN | Not logging | Log emailing errors
port | unsignedShort | 25 | Server port
profile | NMTOKEN | - | Profile name
retry | duration | 10:00 | Delay before sending, since failed send
server | IPNameAddr | - | Smart host to use rather than MX
source | string | - | Source of data, used in automated config management
subject | string | From first line being logged | Subject
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email
to | string | Not optional | Target email address

M.2.9. services: System services

System services are the generic services the system provides; each has its own access controls and settings. A service is active only if its element is present inside services. Leaving the element out disables that service entirely, which is the cleanest way to switch off anything not required (telnet, for example, carries management traffic in cleartext).

Table M.13. services: Elements

Element | Type | Instances | Description
dns | dns-service | Optional | DNS service settings
http | http-service | Optional | Web server settings
mqtt | mqtt-service | Optional | MQTT config
radius | radius-service | Optional | RADIUS server/proxy settings
snmp | snmp-service | Optional | SNMP server settings
telnet | telnet-service | Optional | Telnet server settings
time | time-service | Optional | System time server settings

M.2.10. http-service: Web service settings

Web management pages

Table M.14. http-service: Attributes

Attribute | Type | Default | Description
access-control-allow-origin | string | - | Additional HTTP header
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
allow-acme | boolean | true | Allow limited port 80 HTTP access for ACME during renewal
certlist | List of NMTOKEN | use any suitable | Certificate(s) to be used for HTTPS sessions
comment | string | - | Comment
content-security-policy | string | - | Additional HTTP header
css-url | string | - | Additional CSS for web control pages
https-port | unsignedShort | 443 | Service port for HTTPS access
js-url | string | - | Additional javascript for web control pages (logged in/trusted-ip)
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-client | NMTOKEN | Not logging | Log client accesses
log-client-debug | NMTOKEN | Not logging | Log client accesses (debug)
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mode | http-mode | redirect-to-https-if-acme | Security mode
port | unsignedShort | 80 | Service port for HTTP access
profile | NMTOKEN | - | Profile name
referrer-policy | string | no-referrer | Additional HTTP header
self-sign | boolean | true | Create self signed certificate for HTTPS when necessary
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available
x-content-type-options | string | nosniff | Additional HTTP header
x-frame-options | string | SAMEORIGIN | Additional HTTP header
x-xss-protection | string | 1; mode=block | Additional HTTP header

M.2.11. dns-service: DNS service settings

DNS forwarding resolver service

Table M.15. dns-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain
caching | boolean | true | Cache relayed DNS entries locally
comment | string | - | Comment
domain | string | - | Our domain
fallback | boolean | true | For incoming requests, if no server in required table, relay to any DNS available
fallback-table | (unsignedByte 0-99) routetable | Don't fallback | For incoming requests, if no server in requesting table, relay to any DNS available in this table
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
log-interface | List of NMTOKEN | All interfaces | Only do normal log for specific interface(s)
profile | NMTOKEN | - | Profile name
resolvers | List of IPAddr | - | Recursive DNS resolvers to use
resolvers-table | (unsignedByte 0-99) routetable | as table / 0 | Routing table for specified resolvers
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service

Table M.16. dns-service: Elements

Element | Type | Instances | Description
block | dns-block | Optional, unlimited | Fixed local DNS host blocks
host | dns-host | Optional, unlimited | Fixed local DNS host entries

M.2.12. dns-host: Fixed local DNS host settings

Fixed local DNS host entries served by the DNS forwarding resolver service

Table M.17. dns-host: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted)
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | NMTOKEN | - | Profile name
restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s)
restrict-to | List of IPNameRange | - | List of IP ranges to which this is served
reverse | boolean | - | Map reverse DNS as well
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | any | Routing table applicable
ttl | unsignedInt | 60 | Time to live

M.2.13. dns-block: Fixed local DNS blocks

Fixed local DNS blocks applied by the DNS forwarding resolver service

Table M.18. dns-block: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | NMTOKEN | - | Profile name
restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s)
restrict-to | List of IPNameRange | - | List of IP ranges to which this is served
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | any | Routing table applicable
ttl | unsignedInt | 60 | Time to live

M.2.14. radius-service: RADIUS service definition

RADIUS server and proxy definitions

Table M.19. radius-service: Attributes

Attribute | Type | Default | Description
acct-port | unsignedShort | 1813 | Accounting UDP port
aruba-vlan | (unsignedShort 0-4095) vlan | Don't send | Aruba VLAN
auth-port | unsignedShort | 1812 | Authentication UDP port
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
class | string | - | Class field to send
comment | string | - | Comment
control-port | unsignedShort | 3799 | Control UDP port (CoA/DM)
dummy-ip | boolean | true | Send dummy framed IP response
erx-tunnel-switch-profile | string | - | Juniper attribute 91
erx-tunnel-virtual-router | string | - | Juniper attribute 8
erx-virtual-router-name | string | - | Juniper attribute 1 (Also SIN502 Context-Name)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | - | Log debug
log-error | NMTOKEN | Log as event | Log errors
mqtt | mqtt-brokers | Don't send | Generate MQTT for radius events
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | NMTOKEN | - | Profile name
reject | boolean | - | Reject request (rarely what you want)
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
tagged | boolean | - | Tag all attributes that can be
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP

Table M.20. radius-service: Elements

Element | Type | Instances | Description
match | radius-service-match | Optional, unlimited | Matching rules for specific responses
server | radius-server | Optional, unlimited | RADIUS server settings

M.2.15. radius-service-match: Matching rules for RADIUS service

Rules for matching incoming RADIUS requests

Table M.21. radius-service-match: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Match source IP address of RADIUS request
ap-group | List of string | - | One or more patterns to match AP Group
aruba-vlan | (unsignedShort 0-4095) vlan | Don't send | Aruba VLAN
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
called-station-id | List of string | - | One or more patterns to match called-station-id
calling-station-id | List of string | - | One or more patterns to match calling-station-id
class | string | - | Class field to send
comment | string | - | Comment
device-type | List of string | - | One or more patterns to match Device Type
dummy-ip | boolean | true | Send dummy framed IP response
erx-tunnel-switch-profile | string | - | Juniper attribute 91
erx-tunnel-virtual-router | string | - | Juniper attribute 8
erx-virtual-router-name | string | - | Juniper attribute 1 (Also SIN502 Context-Name)
essid-name | List of string | - | One or more patterns to match ESSID Name
ip | List of IPNameRange | - | Match target IP address of RADIUS request
location-id | List of string | - | One or more patterns to match Location ID
mac-local | boolean | - | Match only local or non local MAC addresses if username is a MAC
name | string | - | Name
nas-ip | List of IPNameRange | - | Match NAS-IP address in RADIUS request
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | NMTOKEN | - | Profile name
reject | boolean | - | Reject request (rarely what you want)
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
stop | boolean | true | Stop checking if this matches
tagged | boolean | - | Tag all attributes that can be
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP
username | List of string | - | One or more patterns to match username

M.2.16. radius-server: RADIUS server settings

Server settings for outgoing RADIUS

Table M.22. radius-server: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
host | List of IPNameAddr | Not optional | One or more hostname/IPs of RADIUS servers
max-timeout | duration | 10 | Maximum final timeout
min-timeout | duration | 2 | Minimum final timeout
name | string | - | Name
port | unsignedShort | From services/radius settings | UDP port
profile | NMTOKEN | - | Profile name
queue | unsignedInt | - | Concurrent requests over all of these servers (per type)
scale-timeout | unsignedByte | 2 | Timeout scaling factor
secret | Secret | Not optional | Shared secret for RADIUS requests
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Fix source IP
table | (unsignedByte 0-99) routetable | - | Routing table number
type | Set of radiustype | All | Server type

M.2.17. mqtt-service: MQTT

MQTT Services configuration

Table M.23. mqtt-service: Attributes

Attribute | Type | Default | Description
accept-v5 | boolean | - | Accept v5 connections (experimental)
comment | string | - | Comment
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
retain-timeout | duration | 1:00:00:00 | Retained message clearing when off line
session-timeout | duration | 1:00:00 | Session state clearing when off line
source | string | - | Source of data, used in automated config management

Table M.24. mqtt-service: Elements

Element | Type | Instances | Description
external | mqtt-external | Optional | External MQTT/MQTTS config
map | mqtt-map | Optional, up to 100 | MQTT message mapping
mqtt | mqtt-config | Optional | Insecure MQTT config
mqtts | mqtts-config | Optional | Secure MQTTS config

M.2.18. mqtts-config: Secure MQTTS service

Secure MQTTS Service configuration

Table M.25. mqtts-config: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | IPs allowed
allow-weak-cipher | boolean | true | Accept weaker ciphers as commonly used on IoT devices
certlist | List of NMTOKEN | use any suitable | Certificate(s) to be used for MQTTS sessions
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
password | Secret | - | Password
port | unsignedShort | 8883 | Service port
relay-external | boolean | - | Relay received messages to external broker
relay-mqtt | boolean | - | Relay received messages to MQTT
self-sign | boolean | true | Create self signed certificate for MQTTS when necessary
table | (unsignedByte 0-99) routetable | Any | Routing table
username | string | - | Username

M.2.19. mqtt-config: Insecure MQTT service

Insecure MQTT Service configuration (use with care as no encryption)

Table M.26. mqtt-config: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | IPs allowed
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
password | Secret | - | Password
port | unsignedShort | 1883 | Service port
relay-external | boolean | - | Relay received messages to external broker
relay-mqtts | boolean | - | Relay received messages to MQTTS
table | (unsignedByte 0-99) routetable | Any | Routing table
username | string | - | Username

M.2.20. mqtt-external: External MQTT/MQTTS connection

External MQTT/MQTTS Connection configuration

Table M.27. mqtt-external: Attributes

Attribute | Type | Default | Description
clientid | string | - | MQTT client ID
connect-payload | string | - | Connect payload
keep-alive | duration | 1:00 | Keep alive time
mqtts | boolean | true | Use MQTTS (MQTT over TLS)
password | Secret | - | Password
port | unsignedShort | 1883/8883 | Service port
relay-mqtt | boolean | - | Relay received messages to MQTT
relay-mqtts | boolean | - | Relay received messages to MQTTS
server | string | Not optional | Server name/ip
table | (unsignedByte 0-99) routetable | Any | Routing table
username | string | - | Username
will-payload | string | - | Will payload
will-retain | boolean | - | Will/connect retain
will-topic | string | FireBrick/serial | Will/connect topic

M.2.21. mqtt-map: MQTT message mapping

Map MQTT topic/payload

Table M.28. mqtt-map: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
from | mqtt-brokers | - | Where message is from
payload | string | - | Payload pattern to match
profile | NMTOKEN | - | Profile name
set-payload | string | - | New payload
set-topic | string | - | New topic
source | string | - | Source of data, used in automated config management
topic | string | Not optional | Topic to match (can use mqtt wildcard)

M.2.22. telnet-service: Telnet service settings

Telnet control interface

Table M.29. telnet-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 23 | Service port
profile | NMTOKEN | - | Profile name
prompt | string | system name | Prompt
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service

M.2.23. snmp-service: SNMP service settings

The SNMP service has the general service settings and also SNMP-specific attributes such as the community string. Note that, unlike the other services, local-only defaults to false here, so an snmp element with no allow list answers from any source.

Table M.30. snmp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
community | Secret | public | Community string
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 161 | Service port
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service
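The following Python audit is added here as an example and is not anything FireBrick ships. It reads a config laid out as the element tables in this appendix describe (user directly under the root; http, dns, telnet, snmp, mqtt and time under services; the plain mqtt and mqtts listeners under the mqtt service; syslog and email under a log target) and reports the exposures a reviewer looks for first: admin users and listeners reachable from any source, telnet present at all, the SNMP community left at its default, an unencrypted MQTT listener, and no log target that delivers off-box. It serves the user section (M.2.4) as well as the service sections above. The two sample configs are constructed for the example, the root element's namespace declaration is omitted, and password and community values are placeholders; the defaults encoded are the ones the attribute tables give (local-only true by default for the http, dns, telnet, time, mqtt and mqtts listeners, false for snmp and user; community "public"; a service is enabled by the presence of its element).

```python
"""Management-plane exposure audit for a FireBrick-style config (added example)."""
import xml.etree.ElementTree as ET

# Per-element default for local-only, as given in the attribute tables on this page.
LOCAL_ONLY_DEFAULT = {"http": True, "dns": True, "telnet": True, "time": True,
                      "mqtt": True, "mqtts": True, "snmp": False, "user": False}
ANY_RANGE = {"0.0.0.0/0", "::/0"}


def as_bool(value, default):
    return default if value is None else value.strip().lower() == "true"


def open_to_world(elem, kind=None):
    """True when nothing limits where this listener or user can be reached from:
    local-only is (or defaults to) false and allow is empty or contains an any-range."""
    kind = kind or elem.tag
    if as_bool(elem.get("local-only"), LOCAL_ONLY_DEFAULT.get(kind, False)):
        return False
    allow = (elem.get("allow") or "").split()
    return not allow or any(a in ANY_RANGE for a in allow)


def audit(xml_text):
    """Return a list of findings (strings) for the config XML given."""
    root = ET.fromstring(xml_text)
    findings = []

    for user in root.findall("user"):
        name = user.get("name", "?")
        if open_to_world(user):
            findings.append(f"user {name}: login accepted from any source IP (no allow list)")
        if user.get("timeout") == "0":
            findings.append(f"user {name}: idle timeout disabled")

    services = root.find("services")
    if services is not None:
        if services.find("telnet") is not None:
            findings.append("services/telnet: cleartext management enabled (omit the element to disable)")
        snmp = services.find("snmp")
        if snmp is not None:
            if snmp.get("community", "public") == "public":
                findings.append("services/snmp: community left at default 'public'")
            if open_to_world(snmp):
                findings.append("services/snmp: reachable from any source (local-only defaults to false for SNMP)")
        for kind in ("http", "dns", "time"):
            svc = services.find(kind)
            if svc is not None and open_to_world(svc):
                findings.append(f"services/{kind}: reachable from any source IP")
        mqtt = services.find("mqtt")
        if mqtt is not None and mqtt.find("mqtt") is not None:
            where = "any source" if open_to_world(mqtt.find("mqtt"), "mqtt") else "local subnets/allow list"
            findings.append(f"services/mqtt/mqtt: unencrypted MQTT listener enabled, reachable from {where}")

    if not any(t.find("syslog") is not None or t.find("email") is not None
               for t in root.findall("log")):
        findings.append("no log target sends off-box (no syslog or email element under any log)")
    return findings


# Constructed samples; password/community values are placeholders, not real secrets.
WEAK_CONFIG = """<config>
 <system name="fb-edge"/>
 <user name="admin" password="[hashed, elided]" timeout="0"/>
 <log name="default"/>
 <services>
  <http local-only="false"/>
  <telnet/>
  <snmp/>
  <mqtt><mqtt local-only="false"/></mqtt>
 </services>
</config>"""

HARDENED_CONFIG = """<config>
 <system name="fb-edge" log-error="ops"/>
 <user name="admin" password="[hashed, elided]" allow="192.0.2.0/24" timeout="5:00"/>
 <log name="ops"><syslog server="192.0.2.50" facility="LOCAL0" severity="NOTICE"/></log>
 <services>
  <http allow="192.0.2.0/24" local-only="false"/>
  <snmp community="[secret, elided]" allow="192.0.2.50" local-only="true"/>
  <mqtt><mqtts allow="192.0.2.0/24"/></mqtt>
  <time/>
 </services>
</config>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

An absent attribute means the table default applies, which is why the script never needs a value to be present: for snmp and for user the default is the permissive one, so an snmp element with nothing but its name is reported twice (default community and open reachability), while a bare http or time element is quiet because its local-only default is true.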

M.2.24. time-service: System time server settings

The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time). The defaults are the UK rules (GMT/BST), which change on the last Sunday of March and of October at 01:00 UTC in common with the rest of the EU.

Table M.31. time-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
legacy-timeserver | boolean | true | Serve legacy TIME service on UDP port 37
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
maxpoll | duration | 1024 | NTP maximum poll rate
minpoll | duration | 64 | NTP minimum poll rate
ntp-control-allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which control (ntpq) requests can be accessed
ntp-control-local-only | boolean | true | Restrict control (ntpq) access to locally connected Ethernet subnets only
ntp-control-table | (unsignedByte 0-99) routetable | All | Routing table number for incoming control (ntpq) requests
ntp-peer-table | (unsignedByte 0-99) routetable | 0 | Routing table number used for outgoing ntp peer requests
ntp-servers | List of IPNameAddr | ntp.firebrick.ltd.uk | List of NTP time servers (IP or hostname) from which time may be synchronized and served by ntp (Null list disables NTP)
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service
tz1-name | string | GMT | Timezone 1 name
tz1-offset | duration | 0 | Timezone 1 offset from UTC
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month
tz12-day | day | Sun | Timezone 1 to 2 day of week of change
tz12-month | month | Mar | Timezone 1 to 2 month
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change
tz2-name | string | BST | Timezone 2 name
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month
tz21-day | day | Sun | Timezone 2 to 1 day of week of change
tz21-month | month | Oct | Timezone 2 to 1 month
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change
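The tz12-*/tz21-* rule above is compact but easy to misread when correlating device log times with a collector in UTC, so here is an added Python example (not FireBrick code) that turns the rule into concrete UTC instants and resolves which zone a given UTC timestamp falls in. The reading it implements is: the change happens on the first tz12-day on or after tz12-date in tz12-month, at tz12-time expressed in the zone being left (so the 02:00:00 BST autumn change is 01:00 UTC); with the defaults that is the last Sunday of the month. Duration strings are parsed as right-anchored s, m:ss, h:mm:ss or d:hh:mm:ss, which is consistent with the defaults shown in this appendix (5:00, 1:00:00, 1:00:00:00) but is this example's assumption rather than a documented format. The example also handles rules where timezone 2 wraps the year end, as southern-hemisphere summer time does.

```python
"""Summer-time changeover instants implied by a time-service configuration (added example)."""
import calendar
from datetime import date, datetime, timedelta, timezone

DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {name: n for n, name in enumerate(calendar.month_abbr) if name}

# Defaults from the time-service attribute table.
DEFAULT_TZ = {
    "tz1-name": "GMT", "tz1-offset": "0",
    "tz12-date": 25, "tz12-day": "Sun", "tz12-month": "Mar", "tz12-time": "01:00:00",
    "tz2-name": "BST", "tz2-offset": "1:00:00",
    "tz21-date": 25, "tz21-day": "Sun", "tz21-month": "Oct", "tz21-time": "02:00:00",
}


def parse_duration(text):
    """Assumed duration format: right-anchored s, m:ss, h:mm:ss or d:hh:mm:ss."""
    parts = [int(p) for p in str(text).split(":")]
    scale = (1, 60, 3600, 86400)
    return timedelta(seconds=sum(p * s for p, s in zip(reversed(parts), scale)))


def change_date(year, month, earliest, weekday):
    """First `weekday` on or after day `earliest` of `month` (25 + Sun = last Sunday
    in a 31-day month). If no such weekday remains in the month it spills into the
    next month; the defaults never do."""
    start = date(year, MONTHS[month], earliest)
    return start + timedelta(days=(DAYS[weekday] - start.weekday()) % 7)


def transitions_utc(cfg, year):
    """(start of tz2, end of tz2) as aware UTC datetimes for `year`. Each local
    change time is in the zone being left, so subtract that zone's offset."""
    d12 = change_date(year, cfg["tz12-month"], cfg["tz12-date"], cfg["tz12-day"])
    d21 = change_date(year, cfg["tz21-month"], cfg["tz21-date"], cfg["tz21-day"])
    start = (datetime(d12.year, d12.month, d12.day, tzinfo=timezone.utc)
             + parse_duration(cfg["tz12-time"]) - parse_duration(cfg["tz1-offset"]))
    end = (datetime(d21.year, d21.month, d21.day, tzinfo=timezone.utc)
           + parse_duration(cfg["tz21-time"]) - parse_duration(cfg["tz2-offset"]))
    return start, end


def zone_at(cfg, when_utc):
    """(zone name, offset) in force at an aware UTC datetime. When the tz2 start
    falls after its end within the year (southern-hemisphere rules) tz2 wraps the year end."""
    start, end = transitions_utc(cfg, when_utc.year)
    if start <= end:
        in_tz2 = start <= when_utc < end
    else:
        in_tz2 = when_utc >= start or when_utc < end
    if in_tz2:
        return cfg["tz2-name"], parse_duration(cfg["tz2-offset"])
    return cfg["tz1-name"], parse_duration(cfg["tz1-offset"])


def local_stamp(cfg, when_utc):
    """Render a UTC instant the way a local-time log line would show it."""
    name, offset = zone_at(cfg, when_utc)
    return (when_utc + offset).strftime("%Y-%m-%d %H:%M:%S") + " " + name


if __name__ == "__main__":
    for year in (2024, 2025):
        print(year, *transitions_utc(DEFAULT_TZ, year))
    print(local_stamp(DEFAULT_TZ, datetime(2024, 3, 31, 0, 59, 59, tzinfo=timezone.utc)))
    print(local_stamp(DEFAULT_TZ, datetime(2024, 3, 31, 1, 0, 0, tzinfo=timezone.utc)))
```

The practical point for incident timelines: in the autumn the local clock on the device repeats 01:00 to 02:00, so a local-time log line in that hour is ambiguous unless the zone name is printed alongside it; correlate on UTC from the collector side and use zone_at only to translate for readers.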

M.2.25. ethernet: Physical port controls

Physical port attributes

Table M.32. ethernet: Attributes

Attribute | Type | Default | Description
autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation
clocking | LinkClock | prefer-slave | Gigabit clock setting
crossover | Crossover | auto | Port crossover configuration
duplex | LinkDuplex | auto | Duplex setting for this port
flow | LinkFlow | none | Flow control setting
green | LinkLED | Link/Activity | Green LED setting
lacp | boolean | Auto | Send LACP packets
lldp | boolean | true | Send LLDP packets
optimise | boolean | true | Enable PHY optimisations
port | port | Not optional | Physical port
power-saving | LinkPower | full | Enable PHY power saving
profile | NMTOKEN | - | Profile name
send-fault | LinkFault | - | Send fault status
speed | LinkSpeed | auto | Speed setting for this port
yellow | LinkLED | Tx | Yellow LED setting

M.2.26. sampling: Packet sampling configuration

Packet sampling configuration

Table M.33. sampling: Attributes

Attribute | Type | Default | Description
agent-ip | IPAddr | use source-ip | IP address used to identify this agent
collector-ip | IPAddr | Not optional | IP address of collector
collector-port | unsignedShort | 6343 for sFlow, 4739 for IPFIX | UDP port which collector listens on
comment | string | - | Comment
mtu | (unsignedShort 576-2000) mtu | 1500 | 
name | string | - | Name
profile | NMTOKEN | - | Profile name
protocol | sampling-protocol | sflow | Protocol used to export sampling data
sample-flush | duration | 1 sec for sFlow; 30 for IPFIX | Sample max cache time
sample-rate | (unsignedShort 100-10000) sample-rate | 1000 | Sample rate (uniform random prob 1/N)
snap-length | unsignedShort | 64 | Packet header snap length
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Source IP address to use
source-port | unsignedShort | Use collector-port | UDP source port
stats-interval | duration | 60 | Stats export interval
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sample data
template-refresh | duration | 600 | Template resend interval

M.2.27. portdef: Port grouping and naming

Port grouping and naming

Table M.34. portdef: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
dongle | NMTOKEN | - | USB dongle config name (for eth/4G dongle)
name | NMTOKEN | Not optional | Name
ports | Set of port | Not optional | Physical port(s)
source | string | - | Source of data, used in automated config management
trunk | trunk-mode | false | Trunk ports

M.2.28. interface: Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

Table M.35. interface: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
dhcp-relay | IP4Addr | - | Relay any unresolved requests to external server
fast-l2tp | boolean | - | Set on interfaces that are mainly terminating L2TP traffic
graph | (token) graphname | - | Graph name
link | NMTOKEN | - | Interface to which this is linked at layer 2
log | NMTOKEN | Not logging | Log events including DHCP and related events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for this interface
name | NMTOKEN | - | Name
ospf | boolean | true | OSPF announce mode for route
ospf-cost | unsignedShort | 1 | Outbound link cost
pd-pcp | boolean | true | Accept NAT-PMP / PCP on PD subnets
ping | IPAddr | - | Ping address to add loss/latency to graph for interface
port | NMTOKEN | Not optional | Port group name
profile | NMTOKEN | - | Profile name
ra-client | boolean | true | Accept IPv6 RA and create auto config subnets and routes
restrict-mac | boolean | - | Use only one MAC on this interface
sampling | sampling-mode | off | Perform sampling
source | string | - | Source of data, used in automated config management
source-filter | sfoption | - | Source filter traffic received via this interface
source-filter-table | (unsignedByte 0-99) routetable | interface table | Routing table to use for source filtering checks
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)
wan | boolean | - | Do not consider this interface 'local' for 'local-only' checks

Table M.36. interface: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings

M.2.29. subnet: Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

Table M.37. subnet: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by DHCP
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND
bgp | bgpmode | Auto | BGP announce mode for routes
broadcast | boolean | false | If broadcast address allowed
comment | string | - | Comment
dhcp-class | string | FB-type | DHCP client option 60 (Class)
dhcp-client-id | string | MAC | DHCP client option 61 (Client-Identifier)
gateway | List of IPAddr | - | One or more gateways to install
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins)
mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet
name | string | - | Name
nat | boolean | false | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules)
ospf | boolean | true | OSPF announce mode for route
pcp | boolean | If nat | Accept NAT-PMP / PCP
profile | NMTOKEN | - | Profile name
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing
ra | ramode | false | If to announce IPv6 RA for this subnet
ra-dns | List of IP6Addr | Our IP | List of recursive DNS servers in route announcements
ra-dnssl | List of string | - | List of DNS search domains in route announcements
ra-managed | dhcpv6control | - | RA 'M' (managed) flag
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval
ra-min | (unsignedShort 3-1350) ra-min | ra-max/3 | Min RA send interval
ra-mtu | unsignedShort | As subnet | MTU to use on RA
ra-other | dhcpv6control | - | RA 'O' (other) flag
ra-profile | NMTOKEN | - | Profile, if inactive then forces low priority RA
source | string | - | Source of data, used in automated config management
test | IPAddr | - | Test link state using ARP/ND for this IP
ttl | unsignedByte | 64 | TTL for originating traffic via subnet

M.2.30. vrrp: VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP; it forces VRRP to low priority so that another router takes over as master. Use a different VRID on each VLAN.

Table M.38. vrrp: Attributes

Attribute | Type | Default | Description
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master
comment | string | - | Comment
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal
interval | unsignedShort | 100 | Transit interval (centiseconds)
ip | List of IPAddr | Not optional | One or more IP addresses to announce
log | NMTOKEN | Not logging | Log events
log-error | NMTOKEN | log as event | Log errors
low-priority | unsignedByte | 1 | Lower priority applicable until routing established
name | NMTOKEN | - | Name
preempt | boolean | true | Whether pre-empt allowed
priority | unsignedByte | 100 | Normal priority
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3
vrid | unsignedByte | 42 | VRID

M.2.31. dhcps: DHCP server settings

Settings for the DHCP server

Table M.39. dhcps: Attributes

Attribute | Type | Default | Description
boot | IP4Addr | - | Next/boot server
boot-file | string | - | Boot filename
broadcast | boolean | - | Broadcast replies even if not requested
circuit | string | - | Agent info circuit match
class | string | - | Vendor class match
client-name | string | - | Client name match
comment | string | - | Comment
dns | List of IP4Addr | Our IP | DNS resolvers
domain | string | From system settings | DNS domain
domain-search | string | - | DNS domain search list (list will be truncated to fit one attribute)
force | boolean | - | Send all options even if not requested
gateway | IP4Subnet | Our IP | Gateway
ip | List of IP4Range | 0.0.0.0/0 | Address pool
lease | duration | 2:00:00 | Lease length
log | NMTOKEN | Not logging | Log events (allocations)
mac | List up to 12 (hexBinary) macprefix | - | Partial or full client hardware (MAC) addresses (or client-id MAC if specified)
mac-local | boolean | - | Match only local or non local MAC addresses
mqtt | mqtt-brokers | Don't send | Generate MQTT for allocate/renew
mqtt-all | boolean | - | Include renewed/declined/released
name | string | - | Name
ntp | List of IP4Addr | Our IP | NTP server
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
syslog | List of IP4Addr | - | Syslog server
time | List of IP4Addr | Our IP | Time server

Table M.40. dhcps: Elements

Element | Type | Instances | Description
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex)
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP)
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric)
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string)

M.2.32. dhcp-attr-hex: DHCP server attributes (hex)

Additional DHCP server attributes (hex)

Table M.41. dhcp-attr-hex: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | hexBinary | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

M.2.33. dhcp-attr-string: DHCP server attributes (string)

Additional DHCP server attributes (string)

Table M.42. dhcp-attr-string: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | string | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

M.2.34. dhcp-attr-number: DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

Table M.43. dhcp-attr-number: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | unsignedInt | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

M.2.35. dhcp-attr-ip: DHCP server attributes (IP)

Additional DHCP server attributes (IP)

Table M.44. dhcp-attr-ip: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | IP4Addr | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

M.2.36. pppoe: PPPoE settings

PPPoE endpoint settings

Table M.45. pppoe: Attributes

Attribute | Type | Default | Description
ac-name | string | Any a/c name as client, else same as 'name' | Access concentrator name
accept-dns | boolean | true | Accept DNS servers specified by far end
auto-percent | unsignedByte | N/A | Try to set egress based on connect message, percentage
bgp | bgpmode | Auto | BGP announce mode for routes
calling-id | pppoe-calling | - | Add mac and/or vlan after prefix
calling-prefix | string | - | Prefix on calling number (BRAS mode)
comment | string | - | Comment
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
eth | port | - | Physical port connected to modem (for port reset)
fast-retry | boolean | - | Aggressive re-connect
graph | (token) graphname | - | Graph name
ip-over-lcp | boolean | auto | Sends all IP packets as LCP
lcp-rate | unsignedByte | 10 | LCP interval (seconds)
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds)
local | IP4Addr | - | Local IPv4 address
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Not logging | Log as events
mode | pppoe-mode | client | PPPoE server/client mode
mtu | (unsignedShort 576-2000) mtu | 1492 | MTU for link
name | NMTOKEN | - | Name
nat | boolean | false | NAT IPv4 traffic to this link unless otherwise set by rules
ospf | boolean | true | OSPF announce mode for route
password | Secret | - | User password
pd-interface | List of NMTOKEN | Auto | Interfaces for IPv6 prefix delegation
port | NMTOKEN | - | Port group name
profile | NMTOKEN | - | Profile name
remote | IP4Addr | - | Remote IPv4 address
rfc4638 | boolean | If over 1492 MTU | Send RFC4638 PPP-Max-Payload
routes | List of IPPrefix | Default gateway | Routes when link up
service | string | Any service | Service name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | - | Routing table number for payload
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
username | string | - | User name
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)

Table M.46. pppoe: Elements

Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up

M.2.37. ppp-route: PPP routes

Routes that apply when the link is up

Table M.47. ppp-route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management

M.2.38. usb: USB 3G/dongle settings

USB config settings including 3G data

Table M.48. usb: Attributes

Attribute | Type | Default | Description
log | NMTOKEN | Web/console | Log events
log-debug | NMTOKEN | Not logged | Log errors
log-error | NMTOKEN | Web/Flash/console | Log errors
profile | NMTOKEN | - | Profile name

Table M.49. usb: Elements

Element | Type | Instances | Description
dongle | dongle | Optional, up to 10 | USB 3G/dongle settings

M.2.39. dongle: 3G/dongle settings

3G/dongle config settings

Table M.50. dongle: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by far end
apn | string | From SIM | Mobile access point name
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
context | pdp-context-type | ip | Type of connection to make
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
dial-string | string | ATV1 ATE0 AT+CFUN=1 AT&D2&C1S0=0S7=60 AT+CGDCONT=1,"[context]","[apn]" ATDT*99# | Space separated AT command strings which can include [apn] and [context]
graph | (token) graphname | - | Graph name
local | IP4Addr | - | Local IPv4 address
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Log as specified in parent usb config | Log events
log-debug | NMTOKEN | Log as specified in parent usb config | Log debug
log-error | NMTOKEN | Log as specified in parent usb config | Log errors
modeswitch | string | standard switching | Mode switch mechanism
mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for link
name | NMTOKEN | - | Name
nat | boolean | true | NAT IPv4 traffic to this link unless otherwise set in rules
ospf | boolean | true | OSPF announce mode for route
password | Secret | - | User password
product | hexBinary | - | Product ID - used to match a configuration with specific device vendor
profile | NMTOKEN | - | Profile name
remote | IP4Addr | - | Remote IPv4 address
routes | List of IPPrefix | Default gateway | Routes when link up
socket | string | - | What USB socket ID should this config apply to
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | From interface | Routing table number for payload
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
username | string | - | User name
vendor | hexBinary | - | Vendor ID - used to match a configuration with specific device vendor

Table M.51. dongle: Elements

Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when link is up

M.2.40. route: Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

Table M.52. route: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
gateway | List of IPAddr | Not optional | One or more target gateway IPs
graph | (token) graphname | - | Graph name
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

M.2.41. network: Locally originated networks

Network blocks that are announced but not actually added to internal routes. Note that blackhole and nowhere objects can also announce without adding routing.

Table M.53. network: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | true | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

M.2.42. blackhole: Dead end networks

Networks that go nowhere

Table M.54. blackhole: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | false | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
no-fib | boolean | - | Route not in forwarding, only for EBGP
ospf | boolean | - | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

M.2.43. loopback: Locally originated networks

Loopback addresses define local IP addresses

Table M.55. loopback: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPAddr | Not optional | One or more local network addresses
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

M.2.44. ospf: Overall OSPF settings

The OSPF element defines general OSPF settings. Where interfaces/table are specified, the first matching OSPF config is applied. Only OSPF internal and AS-border router functionality is provided. OSPF is not necessarily fully functional and is suggested only for experimental use at present - please do give us feedback.

Table M.56. ospf: Attributes

Attribute | Type | Default | Description
area-id | IP4Addr | 0.0.0.0 | Area ID
auth-algorithm | ipsec-auth-algorithm | AES-XCBC | Authentication algorithm for OSPFv3
auth-key | hexBinary | - | Key for OSPFv3 authentication
bgp | bgpmode | - | BGP announce mode for routes
comment | string | - | Comment
crypt-algorithm | ipsec-crypt-algorithm | null | Encryption algorithm for OSPFv3
crypt-key | hexBinary | - | Key for OSPFv3 encryption
dead-interval | duration | 45 | Default router dead interval
hello-interval | duration | 9 | Default hello interval
instance | unsignedByte | - | Instance ID for OSPFv3
interfaces | List of NMTOKEN | All | Ethernet interfaces to which this OSPF config applies
ipsec-type | ipsec-type | ESP | Encapsulation type for OSPFv3 security
key-id | integer | 1 | Key ID for OSPFv2 MD5 authentication (-1 for simple auth)
localpref | unsignedInt | - | Base localpref (highest wins)
log | NMTOKEN | Not logging | Log calls
log-debug | NMTOKEN | Not logging | Log debug and SIP messages
log-error | NMTOKEN | Log as event | Log errors
name | string | - | Name
password | Secret | - | Secret for OSPFv2 MD5 authentication
priority | unsignedByte | 1 | Default priority
profile | NMTOKEN | - | Profile name
router-id | IP4Addr | - | Router ID
rxmt-interval | duration | 3 | Default router retransmit interval
source | string | - | Source of data, used in automated config management
spi | (unsignedInt 256-4294967295) ipsec-spi | - | SPI for OSPFv3 security (unset for no security)
stub | boolean | - | Stub area
table | (unsignedByte 0-99) routetable | 0 | Routing table

M.2.45. namedbgpmap: Mapping and filtering rules of BGP prefixes

This defines a set of named rules for mapping and filtering of prefixes to/from a BGP peer.

Table M.57. namedbgpmap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | NMTOKEN | Not optional | Name
source | string | - | Source of data, used in automated config management

Table M.58. namedbgpmap: Elements

Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

M.2.46. bgprule: Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

Table M.59. bgprule: Attributes

Attribute | Type | Default | Description
as-origin | unsignedInt | - | AS that must be last in path to match
as-present | unsignedInt | - | AS that must be present in path to match
comment | string | - | Comment
community | Community | - | Community that must be present to match
detag | List of Community | - | List of community tags to remove
drop | boolean | - | Do not import/export this prefix
localpref | unsignedInt | - | Set localpref (highest wins)
med | unsignedInt | - | Set MED
name | string | - | Name
no-community | Community | - | Community that must not be present to match
pad | unsignedByte | - | Pad (prefix stuff) our AS on export by this many, can be zero to not send our AS
prefix | List of IPFilter | - | Prefixes that this rule applies to
source | string | - | Source of data, used in automated config management
tag | List of Community | - | List of community tags to add

M.2.47. bgp: Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

Table M.60. bgp: Attributes

Attribute | Type | Default | Description
as | unsignedInt | - | Our AS
blackhole-community | Community | - | Community tag to mark black hole routes
cluster-id | IP4Addr | - | Our cluster ID
comment | string | - | Comment
dead-end-community | Community | - | Community tag to mark dead end routes
greyhole-community | Community | - | Community tag to mark black hole routes with no-fib
id | IP4Addr | - | Our router ID
log | NMTOKEN | Not logging | Log events
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

Table M.61. bgp: Elements

Element | Type | Instances | Description
peer | bgppeer | Optional, up to 50 | List of peers/neighbours

M.2.48. bgppeer: BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically the IPv4 and IPv6 addresses of the same peer, but this can also be used for a group of similar peers.

Table M.62. bgppeer: Attributes

Attribute | Type | Default | Description
add-own-as | boolean | - | Add our AS on exported routes
allow-export | boolean | true for customer | Ignore no-export community and export anyway
allow-only-their-as | boolean | - | Only accept routes that are solely the peers AS
allow-own-as | boolean | - | Allow our AS inbound
as | unsignedInt | - | Peer AS
blackhole-community | Community | Not announced on EBGP, our blackhole-community if IBGP | Egress community tag to mark black hole routes
capability-as4 | boolean | true | If supporting AS4
capability-graceful-restart | boolean | true | If supporting Graceful Restart
capability-mpe-ipv4 | boolean | true | If supporting MPE for IPv4
capability-mpe-ipv6 | boolean | true | If supporting MPE for IPv6
capability-route-refresh | boolean | true | If supporting Route Refresh
clean-shutdown-wait | duration | - | Send peers low priority and delay on shutdown
clean-startup-wait | duration | - | Don't announce routes within this time of reboot
comment | string | - | Comment
drop-default | boolean | false | Ignore default route received
export-filters | List of NMTOKEN | - | Named export filters to apply
export-med | unsignedInt | - | Set MED on exported routes (unless export filter sets it)
holdtime | unsignedInt | 30 | Hold time
ignore-bad-optional-partial | boolean | true | Ignore routes with a recognised badly formed optional that is flagged partial
import-filters | List of NMTOKEN | - | Named import filters to apply
import-localpref | unsignedInt | - | Set localpref on imported routes (unless import filter sets it)
import-tag | List of Community | - | List of community tags to add in addition to any import filters
in-soft | boolean | - | Mark received routes as soft
ip | List of IPAddr | - | One or more IPs of neighbours (omit to allow incoming)
log-debug | NMTOKEN | Not logging | Log debug
max-prefix | (unsignedInt 1-10000) bgp-prefix-limit | 10000 | Limit prefixes (IPv4+IPv6)
md5 | Secret | - | MD5 signing secret
name | string | - | Name
next-hop-self | boolean | false | Force us as next hop outbound
no-fib | boolean | - | Don't include received routes in packet forwarding
pad | unsignedByte | - | Pad (prefix stuff) our AS on export by this many
profile | NMTOKEN | - | Profile name
reduce-recursion | boolean | false | Override incoming next hop if not local subnet
same-ip-type | boolean | true | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers
send-default | boolean | false | Send a default route to this peer
send-no-routes | boolean | false | Don't send any normal routes
source | string | - | Source of data, used in automated config management
timer-idle | unsignedInt | 60 | Idle time after error
timer-openwait | unsignedInt | 10 | Time to wait for OPEN on connection
timer-retry | unsignedInt | 10 | Time to retry the neighbour
ttl-security | byte | - | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking.
type | peertype | normal | Type of neighbour (affects some defaults)
use-vrrp-as-self | boolean | true if customer/transit type | Use VRRP address as self if possible

Table M.63. bgppeer: Elements

Element | Type | Instances | Description
export | bgpmap | Optional | Mapping and filtering rules of announcing prefixes to peer
import | bgpmap | Optional | Mapping and filtering rules of accepting prefixes from peer

M.2.49. bgpmap: Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

Table M.64. bgpmap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
detag | List of Community | - | List of community tags to remove
drop | boolean | - | Do not import/export this prefix
localpref | unsignedInt | - | Set localpref (highest wins)
med | unsignedInt | - | Set MED
prefix | List of IPFilter | - | Drop all that are not in this prefix list
source | string | - | Source of data, used in automated config management
tag | List of Community | - | List of community tags to add

Table M.65. bgpmap: Elements

Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

M.2.50. cqm: Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.

Table M.66. cqm: Attributes

Attribute | Type | Default | Description
ave | Colour | #08f | Colour for average latency
axis | Colour | black | Axis colour
background | Colour | white | Background colour
bottom | unsignedByte | 11 | Pixels space at bottom of graph
dateformat | string | %Y-%m-%d | Date format
dayformat | string | %a | Day format
fail | Colour | red | Colour for failed (dropped) seconds
fail-level | unsignedInt | 1 | Fail level not expected on low usage
fail-level1 | unsignedByte | 3 | Loss level 1
fail-level2 | unsignedByte | 50 | Loss level 2
fail-score | unsignedByte | 200 | Score for fail and low usage
fail-score1 | unsignedByte | 100 | Score for on/above level 1
fail-score2 | unsignedByte | 200 | Score for on/above level 2
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected
fblogo | Colour | #bd1220 | Colour for logo
graticule | Colour | grey | Graticule colour
heading | string | - | Heading of graph
hourformat | string | %H | Hour format
key | unsignedByte | 90 | Pixels space for key
label-ave | string | Ave | Label for average latency
label-damp | string | Damp% | Label for % shaper damping
label-fail | string | %Fail | Label for seconds (%) failed
label-latency | string | Latency | Label for latency
label-max | string | Max | Label for maximum latency
label-min | string | Min | Label for minimum latency
label-off | string | Off | Label for off line seconds
label-period | string | Period | Label for period
label-poll | string | Polls | Label for polls
label-rej | string | %Reject | Label for rejected seconds
label-rx | string | Rx | Label for Rx traffic level
label-score | string | Score | Label for score
label-sent | string | Sent | Label for seconds polled
label-shaper | string | Shaper | Label for shaper
label-time | string | Time | Label for time
label-traffic | string | Traffic (bit/s) | Label for traffic level
label-tx | string | Tx | Label for Tx traffic level
latency-level | unsignedInt | 100000000 | Latency level not expected on low usage
latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns)
latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns)
latency-score | unsignedByte | 200 | Score for high latency and low usage
latency-score1 | unsignedByte | 10 | Score for on/above level 1
latency-score2 | unsignedByte | 20 | Score for on/above level 2
latency-usage | unsignedInt | 128000 | Usage below which latency is not expected
left | unsignedByte | 0 | Pixels space left of main graph
log | NMTOKEN | Not logging | Log events
marker-width | string | - | Marker + on tx/rx
max | Colour | green | Colour for maximum latency
min | Colour | #008 | Colour for minimum latency
ms-max | positiveInteger | 500 | ms max height
off | Colour | #c8f | Colour for off line seconds
outside | Colour | transparent | Colour for outer border
ping-list-source-ip | IP46Addr | - | Source address to use when fetching the ping list
ping-update | duration | 1:00:00 | Interval for periodic updates
ping-url | string | - | URL for ping list
rej | Colour | #f8c | Colour for off line seconds
right | unsignedByte | 50 | Pixels space right of main graph
rx | Colour | #800 | Colour for Rx traffic level
secret | Secret | - | Secret for SHA1 coded URLs
sent | Colour | #ff8 | Colour for polled seconds
share-interface | NMTOKEN | - | Interface on which to broadcast data for shaper sharing
share-secret | Secret | - | Secret to validate shaper sharing
stroke-width | string | - | Stroke line tx/rx
subheading | string | - | Subheading of graph
svg-css | string | - | URL for SVG CSS instead of local style settings
svg-title | boolean | - | Include mouseover title text on svg
text | Colour | black | Colour for text
text1 | string | - | Text line 1
text2 | string | - | Text line 2
text3 | string | - | Text line 3
text4 | string | - | Text line 4
timeformat | string | %Y-%m-%d %H:%M:%S | Time format
top | unsignedByte | 4 | Pixels space at top of graph
tx | Colour | #080 | Colour for Tx traffic level

M.2.51. l2tp: L2TP settings

L2TP settings for incoming and outgoing L2TP connections

Table M.67. l2tp: Attributes

Attribute | Type | Default | Description
accounting-interval | duration | 1:00:00 | Periodic interim accounting interval
send-acct-delay | boolean | - | Send Acct-Delay as well as Event-Timestamp on accounting

Table M.68. l2tp: Elements

Element | Type | Instances | Description
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections
outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections

M.2.52. l2tp-outgoing: L2TP settings for outgoing L2TP connections

L2TP tunnel settings for outgoing L2TP connections

Table M.69. l2tp-outgoing: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by far end
bgp | bgpmode | Auto | BGP announce mode for routes
called-station-id | string | - | called-station-id to send
calling-station-id | string | - | calling-station-id to send
comment | string | - | Comment
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
fail-lockout | unsignedByte | 1 | Interval kept in failed state
graph | string | - | Graph name
hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames
hello-interval | unsignedByte | 10 | Interval between HELLO messages
lcp-data-len | unsignedByte | - | LCP echo data field length
lcp-rate | unsignedByte | 10 | LCP interval (seconds)
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds)
local | IP46Addr | - | Local (internal/PPP) IPv4 address
local-hostname | string | System name | The hostname we quote on tunnel connect
local-ip | IPAddr | - | Wrapper IP of our end
localpref | unsignedInt | 4294967295 | Localpref for remote-ip/routes (highest wins)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
min-retry | duration | 10 | Minimum session time before retrying connection
mtu | (unsignedShort 576-2000) mtu | - | Default MTU for sessions in this tunnel
name | NMTOKEN | - | Name
nat | boolean | true | NAT IPv4 traffic to this link unless otherwise set in rules
open-timeout | unsignedByte | 10 | Interval before OPEN considered failed
ospf | boolean | true | OSPF announce mode for route
pap | boolean | - | Use PAP to authenticate
password | Secret | - | Password for login
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
ppp-final-timeout | unsignedByte | 60 | PPP total timeout (seconds)
ppp-init-timeout | unsignedByte | 10 | PPP initial timeout (seconds)
profile | NMTOKEN | - | Profile name
proxy | boolean | true | Send proxy auth details (faster)
receive-window | unsignedShort | Not sent | Receive window to advise on connection
remote | IP4Addr | - | Remote (internal/PPP) IPv4 address
retry-timeout | unsignedByte | 10 | Interval to retry sending control messages before fail
routes | List of IPPrefix | Default gateway | Routes when link up
rx-speed | unsignedInt | - | Send ingress rate (b/s)
secret | Secret | - | Shared secret
server | IPNameAddr | Not optional | IP/name of far end
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number for L2TP session
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS
tx-speed | unsignedInt | - | Egress rate limit (b/s)
username | string | - | User name for login

Table M.70. l2tp-outgoing: Elements

Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when link is up

M.2.53. l2tp-incoming: L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

Table M.71. l2tp-incoming: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | List of IP ranges from which connects can be made
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
damping | boolean | false | Apply damping to sessions if limiting on shaper
dhcpv6dns | List of IP6Addr | - | List of IPv6 DNS servers
dos-limit | unsignedInt | 10000 | Per second per session tx packet drop limit for DOS protection
fail-lockout | unsignedByte | 60 | Interval kept in failed state
graph | string | - | Graph name
hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames
hello-interval | unsignedByte | 60 | Interval between HELLO messages
icmp-ppp | boolean | false | Use PPP endpoint for ICMP
ipv6ep | IP4Addr | - | Local end IPv4 for IPv6 tunnels
lcp-data-len | unsignedByte | - | LCP data field length
lcp-mru-fix | boolean | false | Restart LCP if RAS negotiated MRU is too high
lcp-rate | unsignedByte | 1 | LCP interval (seconds)
lcp-timeout | unsignedByte | 10 | LCP timeout (seconds)
local-hostname | string | System name | Hostname quoted on reply
local-ppp-ip | IP4Addr | - | Local end PPP IPv4
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | (unsignedShort 576-2000) mtu | - | Default MTU for sessions in this tunnel
name | string | - | Name
open-timeout | unsignedByte | 60 | Interval before OPEN considered failed
ospf | boolean | true | OSPF announce mode for route
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
ppp-final-timeout | unsignedByte | 60 | PPP total timeout (seconds)
ppp-init-timeout | unsignedByte | 10 | PPP initial timeout (seconds)
pppdns1 | IP4Addr | - | PPP DNS1 IPv4 default
pppdns2 | IP4Addr | - | PPP DNS2 IPv4 default
profile | NMTOKEN | - | Profile name
radius | string | - | Name for RADIUS server config to use
radius-nas-ip | radius-nas | lac | Pass remote (LAC) or local (LNS) as RADIUS NAS IP / port
receive-window | unsignedShort | Not sent | Receive window to advise on connection
remote-hostname | string | - | Hostname expected on connection
require-platform | boolean | false | All sessions require a platform RADIUS first
require-radius-acct | boolean | - | Close session if cannot do RADIUS accounting
retry-timeout | unsignedByte | 60 | Interval to retry sending control messages before fail
secret | Secret | - | Shared secret (for far end to check)
session-timeout | duration | - | Default session timeout
shutdown | boolean | false | Refuse all new sessions or tunnels
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | IP of our end for relayed (on same table)
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | Any | Routing table number for L2TP session
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS

Table M.72. l2tp-incoming: Elements

Element | Type | Instances | Description
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication

M.2.54. l2tp-relay: Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

Table M.73. l2tp-relay: Attributes

Attribute | Type | Default | Description
called-station-id | List of string | - | One or more patterns to match called-station-id
calling-station-id | List of string | - | One or more patterns to match calling-station-id
comment | string | - | Comment
graph | (token) graphname | - | Graph name
ip-over-lcp | boolean | - | Send IP over LCP (local auth)
lcp-echo-mim | boolean | - | Handle LCP echos in the middle on relayed connection
localpref | unsignedInt | 4294967295 | Localpref for remote-ppp-ip/routes (highest wins)
name | string | - | Name
password | Secret | - | Password check
payload-table | (unsignedByte 0-99) routetable | As per l2tp-incoming | Routing table number for payload traffic (or L2TP relay)
profile | NMTOKEN | - | Profile name
relay-hostname | string | - | Hostname for L2TP connection
relay-ip | List of IPAddr | - | Target IP(s) for L2TP connection
relay-pick | boolean | - | If set, try one of the relay IPs at random first
relay-secret | Secret | - | Shared secret for L2TP connection
remote-netmask | IP4Addr | - | Remote end PPP Netmask (local auth)
remote-ppp-ip | IP4Addr | - | Remote end PPP IPv4 (local auth)
routes | List of IPPrefix | - | Additional routes when link up (local auth)
source | string | - | Source of data, used in automated config management
username | List of string | - | One or more patterns to match username

M.2.55. fb105: FB105 tunnel definition

FB105 tunnel definition

Table M.74. fb105: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
fast-udp | boolean | true | Send UDP packets marked not to be reordered
graph | (token) graphname | - | Graph name
internal-ip | IP46Addr | local-ip | Internal IP for traffic originated and sent down tunnel
ip | IP4Addr | dynamic tunnel | Far end IP
keep-alive | boolean | true if ip set | Constantly send keep alive packets
local-id | unsignedByte | Not optional | Unique local end tunnel ID
local-ip | IP4Addr | - | Force specific local end IP
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Not logging | Log events
log-error | NMTOKEN | Log as event | Log errors
mtu | unsignedShort | 1500 | MTU for wrapped packets
name | NMTOKEN | - | Name
obfuscate | (hexBinary) hex32 | - | Scramble (not encrypt) data
ospf | boolean | true | OSPF announce mode for route
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
port | unsignedShort | 1 | UDP port to use
profile | NMTOKEN | - | Profile name
remote-id | unsignedByte | Not optional | Unique remote end tunnel ID
reorder | boolean | false | Reorder incoming tunnel packets
reorder-maxq | (unsignedInt 1-100) fb105-reorder-maxq | 32 | Max queue length for out of order packets
reorder-timeout | (unsignedInt 10-5000) fb105-reorder-timeout | 100 | Max time to delay out of order packet (ms)
routes | List of IPPrefix | None | Routes when link up
satellite | boolean | - | Mark links that are high speed and latency for split latency bonding (experimental)
secret | Secret | Unsigned | Shared secret for tunnel
set | unsignedByte | - | Set ID for reorder ID tagging (create a set of tunnels together)
sign-all | boolean | false | All packets must be signed, not just keepalives
source | string | - | Source of data, used in automated config management
speed | unsignedInt | no shaping | Egress rate limit used (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number for tunnel wrappers
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS

Table M.75. fb105: Elements

Element | Type | Instances | Description
route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up

M.2.56. fb105-route: FB105 routes

Routes for prefixes that are sent to the FB105 tunnel when up

Table M.76. fb105-route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management

M.2.57. ipsec-ike: IPsec configuration (IKEv2)

IPsec IKE and manually-keyed connection details

Table M.77. ipsec-ike: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which IKE connections are allowed
force-NAT | List of IPNameRange | - | List of IP ranges of peers requiring forced NAT-T
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
trusted | List of IPNameRange | - | List of IP ranges given higher priority when establishing new connections
comment | string | - | Comment
source | string | - | Source of data, used in automated config management

Table M.78. ipsec-ike: Elements

Element | Type | Instances | Description
IKE-proposal | ike-proposal | Optional, unlimited | Proposals for IKE security association
IPsec-proposal | ipsec-proposal | Optional, unlimited | Proposals for IPsec AH/ESP security association
connection | (ipsec-connection-common) ike-connection | Optional, unlimited | IKE connections
manually-keyed | (ipsec-connection-common) ipsec-manual | Optional, unlimited | IPsec manually-keyed connections (not recommended)
roaming | ike-roaming | Optional, unlimited | IKE roaming IP pools

M.2.58. ike-connection: connection configuration

IPsec IKE connection settings

Table M.79. ike-connection: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
graph | (token) graphname | - | Graph name
internal-ip | IP46Addr | local-ip | Internal IP for traffic originated on the FireBrick and sent down tunnel
local-ip | IPAddr | - | Local IP
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | unsignedShort | 1500 | MTU for wrapped packets
name | NMTOKEN | - | Name
ospf | boolean | true | OSPF announce mode for route
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
peer-ips | List of IPNameRange | Accept from anywhere | Peer's IP or range
profile | NMTOKEN | - | Profile name
routes | List of IPPrefix | - | Routes when link up
source | string | - | Source of data, used in automated config management
speed | unsignedInt | no shaping | Egress rate limit used (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number for IKE traffic and tunnel wrappers
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
type | ipsec-type | ESP | Encapsulation type
auth-method | ike-authmethod | Not optional | Method for authenticating self to peer
blackhole | boolean | false | Blackhole routed traffic when tunnel is not up
certlist | List of NMTOKEN | use any suitable | Certificate(s) to be used to authenticate self
dead-peer-detect | duration | 30 | Check peer is alive at least this often - 0 to inhibit
ike-proposals | List of NMTOKEN | use built-in default proposals | IKE proposal list
ipsec-proposals | List of NMTOKEN | use built-in default proposals | IPsec proposal list
lifetime | duration | 1:00:00 | Max lifetime before renegotiation
local-ID | string | - | Local IKE ID
local-ts | List of IPRange | Allow any | Valid outgoing-source/incoming-destination IPs for tunnelled traffic
mode | ike-mode | Wait | IKE connection setup mode
peer-ID | string | - | Peer IKE ID
peer-auth-method | ike-authmethod | Use auth-method | Method for authenticating peer
peer-certlist | List of NMTOKEN | accept any suitable | Certificate trust anchor(s) acceptable for authenticating peer
peer-eaplist | List of NMTOKEN | allow any EAP user | Admissible EAP users
peer-secret | Secret | use secret | Shared secret used to authenticate peer
peer-ts | List of IPRange | Allow any | Valid outgoing-destination/incoming-source IPs for tunnelled traffic
peer-ts-from-routes | boolean | false | Send traffic selector based on routing
query-eap-id | boolean | true | Query client for EAP identity
roaming-pool | NMTOKEN | - | IKE roaming IP pool
secret | Secret | - | Shared secret used to authenticate self to peer

Table M.80. ike-connection: Elements

Element | Type | Instances | Description
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up

M.2.59. ipsec-route: IPsec tunnel routes

Routes for prefixes that are sent to the IPsec tunnel

Table M.81. ipsec-route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
ospf | boolean | true | OSPF announce mode for route
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management

M.2.60. ike-roaming: IKE roaming IP pools

Pool of IP addresses and associated DNS/NBNS servers for dynamic IP allocation

Table M.82. ike-roaming: Attributes

Attribute | Type | Default | Description
DNS | List of IPAddr | - | List of DNS servers available to clients
NBNS | List of IPAddr | - | List of NetBios name servers available to clients
comment | string | - | Comment
ip | List of IPRange | Not optional | List of IP ranges for allocation to road-warrior clients
name | NMTOKEN | Not optional | Name
nat | boolean | false | NAT incoming IPv4 traffic unless set otherwise in rules
source | string | - | Source of data, used in automated config management

M.2.61. ike-proposal: IKE security proposal

Proposal for establishing the IKE security association

Table M.83. ike-proposal: Attributes

Attribute | Type | Default | Description
DHset | Set of ike-DH | Accept any supported group | Diffie-Hellman group for IKE negotiation
PRFset | Set of ike-PRF | Accept any supported function | Pseudo-Random function for key generation
authset | Set of ipsec-auth-algorithm | Accept any supported algorithm | Integrity check algorithm for IKE messages
cryptset | Set of ipsec-crypt-algorithm | Accept any supported algorithm | Encryption algorithm for IKE messages
name | NMTOKEN | Not optional | Name

M.2.62. ipsec-proposal: IPsec AH/ESP proposal

Proposal for establishing the IPsec AH/ESP keying information

Table M.84. ipsec-proposal: Attributes

Attribute | Type | Default | Description
DHset | Set of ike-DH | Accept any supported group | Diffie-Hellman group for IPsec key negotiation
ESN | Set of ike-ESN | Accept ESN or short SN | Support for extended sequence numbers
authset | Set of ipsec-auth-algorithm | Accept any supported algorithm | Integrity check algorithm for IPsec traffic
cryptset | Set of ipsec-crypt-algorithm | Accept any supported algorithm | Encryption algorithm for IPsec traffic
name | NMTOKEN | Not optional | Name

M.2.63. ipsec-manual: peer configuration

IPsec manually keyed connection settings (not recommended, use IKEv2 and secrets instead)

Table M.85. ipsec-manual: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
graph | (token) graphname | - | Graph name
internal-ip | IP46Addr | local-ip | Internal IP for traffic originated on the FireBrick and sent down tunnel
local-ip | IPAddr | - | Local IP
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | unsignedShort | 1500 | MTU for wrapped packets
name | NMTOKEN | - | Name
ospf | boolean | true | OSPF announce mode for route
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
peer-ips | List of IPNameRange | Accept from anywhere | Peer's IP or range
profile | NMTOKEN | - | Profile name
routes | List of IPPrefix | - | Routes when link up
source | string | - | Source of data, used in automated config management
speed | unsignedInt | no shaping | Egress rate limit used (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number for IKE traffic and tunnel wrappers
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
type | ipsec-type | ESP | Encapsulation type
auth-algorithm | ipsec-auth-algorithm | null | Manual setting for authentication algorithm
auth-key | hexBinary | - | Manual key for authentication
crypt-algorithm | ipsec-crypt-algorithm | null | Manual setting for encryption algorithm
crypt-key | hexBinary | - | Manual key for encryption
local-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Local Security Parameters Index
mode | ipsec-encapsulation | tunnel | Encapsulation mode
outer-spi | (unsignedInt 256-4294967295) ipsec-spi | - | Security Parameters Index for outer header
remote-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Peer Security Parameters Index

Table M.86. ipsec-manual: Elements

Element | Type | Instances | Description
route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up

M.2.64. ping: Ping/graph definition

Base ping config - additional ping targets set via web API or other means

Table M.87. ping: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
gateway | IP46Addr | - | IP of gateway
graph | (token) graphname | Not optional | Graph name
ip | IPNameAddr | Not optional | Far end IP
name | string | - | Name
profile | NMTOKEN | - | Profile name
size | (unsignedInt 0-60000) ping-size | 0 | Payload size
slow | boolean | Auto | Slow polling
source | string | - | Source of data, used in automated config management
source-ip | IP46Addr | - | Source IP
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending pings

M.2.65. profile: Control profile

General on/off control profile used in various places in the config.

Table M.88. profile: Attributes

Attribute | Type | Default | Description
and | List of NMTOKEN | - | Active if all specified profiles are active as well as all other tests passing, including 'not'
comment | string | - | Comment
control-switch-users | List of NMTOKEN | Any users | Restrict users that have access to control switch
dhcp | List of IPNameAddr | - | Test passes if any specified addresses are active in DHCP
dongle | List of NMTOKEN | - | 3G Dongle state (any of these are ppp up)
expect | boolean | none | Defines state considered 'Good' and shown green on status page
fb105 | List of NMTOKEN | - | FB105 tunnel state (any of these active)
initial | boolean | true | Defines state at system startup, or new config, where not known/fixed
interval | duration | 1 | Time between tests
invert | boolean | - | Invert final result of testing
l2tp | List of NMTOKEN | - | Outgoing L2TP link state (any of these are up)
log | NMTOKEN | Not logging | Log target
log-debug | NMTOKEN | Not logging | Log additional information
mqtt | mqtt-brokers | all | Generate MQTT activate/deactivate if topic set
mqtt-control | mqtt-brokers | - | Allow profile control via MQTT via specific brokers
mqtt-off | string | - | Payload for MQTT message when profile de-activated
mqtt-on | string | - | Payload for MQTT message when profile activated
mqtt-retain | boolean | - | Set message as retained
mqtt-topic | string | - | Topic for MQTT message on profile change
name | NMTOKEN | Not optional | Profile name
not | NMTOKEN | - | Active if specified profile is inactive as well as all other tests passing, including 'and'
or | List of NMTOKEN | - | Active if any of these other profiles are active regardless of other tests (including 'not' or 'and')
ports | Set of port | - | Test passes if any of these physical ports are up
ppp | List of NMTOKEN | - | PPP link state (any of these are up)
recover | duration | 1 | Time before recover (i.e. how long test has been passing)
route | List of IPAddr | - | Test passes if all specified addresses are routeable
set | switch | - | Manual override. Test settings ignored; Control switches can use and/or/not/invert
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | - | Routing table for ping/route/dhcp
timeout | duration | 10 | Time before timeout (i.e. how long test has been failing)
vrrp | List of NMTOKEN | - | VRRP state (any of these is master)

Table M.89. profile: Elements

Element | Type | Instances | Description
date | profile-date | Optional, unlimited | Test passes if within any date range specified
ping | profile-ping | Optional | Test passes if address is answering pings
time | profile-time | Optional, unlimited | Test passes if within any time range specified

M.2.66. profile-date: Test passes if within any of the time ranges specified

Time range test in profiles

Table M.90. profile-date: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
source | string | - | Source of data, used in automated config management
start | dateTime | - | Start (YYYY-MM-DDTHH:MM:SS)
stop | dateTime | - | End (YYYY-MM-DDTHH:MM:SS)

M.2.67. profile-time: Test passes if within any of the date/time ranges specified

Time range test in profiles

Table M.91. profile-time: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
days | Set of day | - | Which days of week apply, default all
source | string | - | Source of data, used in automated config management
start | time | - | Start (HH:MM:SS)
stop | time | - | End (HH:MM:SS)

M.2.68. profile-ping: Test passes if any addresses are pingable

Ping targets

Table M.92. profile-ping: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
flow | unsignedShort | - | Flow label (IPv6)
gateway | IPAddr | - | Ping via specific gateway (bypasses session tracking if set)
ip | IPAddr | Not optional | Target IP
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Source IP
ttl | unsignedByte | - | Time to live / Hop limit

M.2.69. shaper: Traffic shaper

Settings for a named traffic shaper

Table M.93. shaper: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | (token) graphname | Not optional | Graph name
rx | unsignedLong | - | Rx rate limit/target (b/s)
rx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Rx low level burst limit (ms) - ½ for large packets
rx-max | unsignedLong | - | Rx rate limit max
rx-min | unsignedLong | - | Rx rate limit min
rx-min-burst | duration | - | Rx minimum allowed burst time
rx-step | unsignedLong | - | Rx rate reduction per hour
share | boolean | false | If shaper is shared with other devices
source | string | - | Source of data, used in automated config management
tx | unsignedLong | - | Tx rate limit/target (b/s)
tx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Tx low level burst limit (ms) - ½ for large packets
tx-max | unsignedLong | - | Tx rate limit max
tx-min | unsignedLong | - | Tx rate limit min
tx-min-burst | duration | - | Tx minimum allowed burst time
tx-step | unsignedLong | - | Tx rate reduction per hour

Table M.94. shaper: Elements

Element | Type | Instances | Description
override | shaper-override | Optional, unlimited | Profile specific variations on main settings

M.2.70. shaper-override: Traffic shaper override based on profile

Settings for a named traffic shaper

Table M.95. shaper-override: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
profile | NMTOKEN | Not optional | Profile name
rx | unsignedLong | - | Rx rate limit/target (b/s)
rx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Rx low level burst limit (ms) - ½ for large packets
rx-max | unsignedLong | - | Rx rate limit max
rx-min | unsignedLong | - | Rx rate limit min
rx-min-burst | duration | - | Rx minimum allowed burst time
rx-step | unsignedLong | - | Rx rate reduction per hour
source | string | - | Source of data, used in automated config management
tx | unsignedLong | - | Tx rate limit/target (b/s)
tx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Tx low level burst limit (ms) - ½ for large packets
tx-max | unsignedLong | - | Tx rate limit max
tx-min | unsignedLong | - | Tx rate limit min
tx-min-burst | duration | - | Tx minimum allowed burst time
tx-step | unsignedLong | - | Tx rate reduction per hour

M.2.71. ip-group: IP Group

Named IP group

Table M.96. ip-group: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPRange | - | One or more IP ranges or IP/len
name | string | Not optional | Name
source | string | - | Source of data, used in automated config management
users | List of NMTOKEN | - | Include IP of (time limited) logged in web users

M.2.72. route-override: Routing override rules

Routing override rules

Table M.97. route-override: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Applicable routing table

Table M.98. route-override: Elements

Element | Type | Instances | Description
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies

M.2.73. session-route-rule: Routing override rule

Routing override rule

Table M.99. session-route-rule: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
cug | List of PortRange | - | Closed user group ID(s)
hash | boolean | - | Use hash of IPs for load sharing
name | string | - | Name
profile | NMTOKEN | - | Profile name
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
set-gateway | IPAddr | - | New gateway
set-graph | string | - | Graph name for shaping/logging (if not set by rule-set)
set-nat | boolean | - | Change source IP and port to local for NAT
source | string | - | Source of data, used in automated config management
source-interface | List of NMTOKEN | - | Source interface(s)
source-ip | List of IPNameRange | - | Source IP address range(s)
source-port | List of PortRange | - | Source port(s)
target-interface | List of NMTOKEN | - | Target interface(s)
target-ip | List of IPNameRange | - | Target IP address range(s)
target-port | List of PortRange | - | Target port(s)

Table M.100. session-route-rule: Elements

Element | Type | Instances | Description
share | session-route-share | Optional, unlimited | Load shared actions

M.2.74. session-route-share: Route override load sharing

Route override setting for load sharing

Table M.101. session-route-share: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
profile | NMTOKEN | - | Profile name
set-gateway | IPAddr | - | New gateway
set-graph | string | - | Graph name for shaping/logging (if not set by rule-set)
set-nat | boolean | - | Change source IP and port to local for NAT
weight | positiveInteger | 1 | Weighting of load share

M.2.75. rule-set: Firewall/mapping rule set

Firewalling rule set with entry criteria and default actions

Table M.102. rule-set: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
cug | List of PortRange | - | Closed user group ID(s)
interface | List of NMTOKEN | - | Source or target interface(s)
ip | List of IPNameRange | - | Source or target IP address range(s)
log | NMTOKEN | Not logging | Log session start
log-end | NMTOKEN | Not logging | Log session end
log-no-match | NMTOKEN | log-start | Log if no match
name | string | - | Name
no-match-action | firewall-action | Not optional | Default if no rule matches
profile | NMTOKEN | - | Profile name
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
source | string | - | Source of data, used in automated config management
source-interface | List of NMTOKEN | - | Source interface(s)
source-ip | List of IPNameRange | - | Source IP address range(s)
source-port | List of PortRange | - | Source port(s)
startup-delay | duration | 1:00 | Startup interval to use ignore instead of reject/drop
table | (unsignedByte 0-99) routetable | 0 | Applicable routing table
target-interface | List of NMTOKEN | - | Target interface(s)
target-ip | List of IPNameRange | - | Target IP address range(s)
target-port | List of PortRange | - | Target port(s)

Table M.103. rule-set: Elements

Element | Type | Instances | Description
ip-group | ip-group | Optional, unlimited | Named IP groups
rule | session-rule | Optional, unlimited | Individual rules, first match applies

M.2.76. session-rule: Firewall rules

Firewall rule

The individual firewall rules are checked in order within the rule-set, and the first match is applied. The default action for a rule is continue, so once a rule has matched, the next rule-set is considered.

Table M.104. session-rule: Attributes

Attribute | Type | Default | Description
action | firewall-action | continue | Action taken on match
comment | string | - | Comment
cug | List of PortRange | - | Closed user group ID(s)
hash | boolean | - | Use hash of IPs for load sharing
interface | List of NMTOKEN | - | Source or target interface(s)
ip | List of IPNameRange | - | Source or target IP address range(s)
log | NMTOKEN | As rule-set | Log session start
log-end | NMTOKEN | As rule-set | Log session end
name | string | - | Name
pcp | boolean | - | If mapped by NAT-PMP / PCP
profile | NMTOKEN | - | Profile name
protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP]
set-dscp | unsignedByte | - | Override IP DSCP
set-gateway | IPAddr | - | New gateway
set-graph | string | - | Graph name for shaping/logging
set-graph-dynamic | dynamic-graph | - | Dynamically create graph
set-initial-timeout | duration | - | Initial time-out
set-nat | boolean | - | Change source IP and port to local for NAT
set-ongoing-timeout | duration | - | Ongoing time-out
set-reverse-graph | string | - | Graph name for shaping/logging (far side of session)
set-source-ip | IPRange | - | New source IP
set-source-port | unsignedShort | - | New source port
set-table | (unsignedByte 0-99) routetable | - | Set new routing table
set-target-ip | IPRange | - | New target IP
set-target-port | unsignedShort | - | New target port
source | string | - | Source of data, used in automated config management
source-interface | List of NMTOKEN | - | Source interface(s)
source-ip | List of IPNameRange | - | Source IP address range(s)
source-mac | List up to 12 (hexBinary) macprefix | - | Source MAC check if from Ethernet
source-port | List of PortRange | - | Source port(s)
target-interface | List of NMTOKEN | - | Target interface(s)
target-ip | List of IPNameRange | - | Target IP address range(s)
target-port | List of PortRange | - | Target port(s)

Table M.105. session-rule: Elements

Element | Type | Instances | Description
share | session-share | Optional, unlimited | Load shared actions

M.2.77. session-share: Firewall load sharing

Firewall actions for load sharing

Table M.106. session-share: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
profile | NMTOKEN | - | Profile name
set-gateway | IPAddr | - | New gateway
set-graph | string | - | Graph name for shaping/logging
set-nat | boolean | - | Change source IP and port to local for NAT
set-reverse-graph | string | - | Graph name for shaping/logging (far side of session)
set-source-ip | IPRange | - | New source IP
set-source-port | unsignedShort | - | New source port
set-table | (unsignedByte 0-99) routetable | - | Set new routing table
set-target-ip | IPRange | - | New target IP
set-target-port | unsignedShort | - | New target port
weight | positiveInteger | 1 | Weighting of load share

M.2.78. voip: Voice over IP config

Voice over IP config

Table M.107. voip: Attributes

Attribute | Type | Default | Description
area-code | string | - | Local area code (without national prefix)
auth-source-ip | IP46Addr | - | Default source address to use when sending authenticated messages
backup-carrier | NMTOKEN | - | Backup carrier to use for external calls
call-progress | boolean | true | Send call progress at 3 seconds
comment | string | - | Comment
country | string | 44 | Local country code
default-carrier | NMTOKEN | - | Default carrier to use for external calls
domain | string | - | Domain to use for us on outgoing SIP connections
emergency | List of string | 112 999 | Emergency numbers
emergency-uri | string | Use outbound carrier | SIP URI for emergency calls
international | string | 00 | International dialling prefix
local-digits | string | 23456789 | Local numbers start with these digits
local-min-len | unsignedByte | 5 | Local numbers min length
log | NMTOKEN | Not logging | Log calls
log-cdr | NMTOKEN | Not logged | Log CDR records
log-debug | NMTOKEN | Not logging | Log debug and SIP messages
log-error | NMTOKEN | Log as event | Log errors
log-sip-blf | NMTOKEN | Not logged | SUBSCRIBE, NOTIFY, PUBLISH
log-sip-call | NMTOKEN | Not logged | INVITE, ACK, CANCEL, BYE, REFER
log-sip-other | NMTOKEN | Not logged | OPTIONS, INFO, etc
log-sip-register | NMTOKEN | Not logged | REGISTER
long-headers | boolean | false | Send long SIP headers
max-ring | duration | 5:00 | Max time limit on call setup
mqtt | mqtt-brokers | Don't send | Generate MQTT for call events
mqtt-blf | mqtt-brokers | Don't send | Generate MQTT for BLF
national | string | 0 | National dialling prefix
pabx | boolean | true | Operate as office PABX
pickup | string | * | Call pickup/steal prefix
radius-call | string | - | Name for RADIUS server config to use for call routing
radius-cdr | string | - | Name for RADIUS server config to use for CDRs
radius-challenge | boolean | - | Send RADIUS auth to get challenge response
radius-register | string | - | Name for RADIUS server config to use for registrations
realm | string | FireBrick | Default realm
record-beep | record-beep-option | true | Send beep at start of recording
record-mandatory | boolean | - | Drop call if recording fails
record-server | string | - | Call recording server hostname or address
release | string | 1470 | CLI release prefix
security-replies | boolean | true | Don't challenge or error reply to unrecognised non-local IP request
send-pre-auth | boolean | true | Send Auth header with username before receiving challenge
source | string | - | Source of data, used in automated config management
source-ip | IP46Addr | - | Default source address to use when sending messages
user-agent | string | Version specific | User-Agent to send
withhold | string | 141 | CLI withhold prefix
wrap-headers | boolean | true | Wrap long SIP header lines

Table M.108. voip: Elements

Element | Type | Instances | Description
carrier | carrier | Optional, up to 250 | VoIP carriers
directory | directory | Optional, up to 200 | Directory
group | ringgroup | Optional, up to 50 | Ring groups
telephone | telephone | Optional, up to 250 | VoIP users
tone | tone | Optional, up to 25 | Defined tones

M.2.79. carrier: VoIP carrier details

VoIP carrier details

Table M.109. carrier: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which invite accepted
comment | string | - | Comment
cui | string | - | Chargeable user identity for call accounting of incoming calls
display-name | string | - | Text name to use
expires | duration | 1:00:00 | Registration expiry time
extn | string | - | Local number assumed for incoming call, use X for digits from end of called numbers
force-dtmf | boolean | - | Always send DTMF in-band
from | string | - | From SIP address for outbound registration and invites
hold-tone | boolean | true | Send hold tones to carrier
incoming-cli | voip-format | transparent | CLI number format on incoming calls
incoming-format | voip-format | national | Dialled number format on incoming calls
map-404 | (unsignedShort 400-699) sip-error | - | Map SIP error 404 to an alternative
max-calls | unsignedInt | - | Maximum simultaneous calls allowed
name | NMTOKEN | Not optional | Carrier name
outgoing-cli | voip-format | national | CLI number format for outgoing calls
outgoing-format | voip-format | national | Dialled number format for outgoing calls
password | Secret | - | Carrier password for outbound registration or inbound authenticated calls
pre-expire | duration | 30 | Re-register time before expiry
profile | NMTOKEN | - | Profile name
proxy | string | - | Carrier proxy hostname or address for registration and calls
proxy-ip | IPAddr | - | Target proxy IP to use
proxy-port | unsignedShort | - | Target proxy port to use
registrar | string | - | Carrier hostname for registration
send-hold | boolean | true | Pass hold state to carrier
send-p-a-id | boolean | true | Send P-Asserted-Identity
send-pre-auth | boolean | As general config | Send Auth header with username before receiving challenge
send-privacy | boolean | true | Send Privacy (if withheld)
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Source IP to use
table | (unsignedByte 0-99) routetable | 0 | Routing table number
to | List of string | - | To SIP request address for inbound invites, may be @domain for any at a domain
tone-hold | string | - | Name of tone to generate for hold with no media
tone-progress | string | - | Name of tone to generate for progress with no media
tone-queue | string | - | Name of tone to generate for queue with no media
tone-ring | string | - | Name of tone to generate for ring with no media
tone-wait | string | - | Name of tone to generate for wait with no media
trust-cli | boolean | true | Trust inbound calling line identity
username | string | - | Carrier username for outbound registration or inbound authenticated calls
withhold | string | - | Mark withheld outbound calls using this dial prefix and send CLI in p-asserted-identity or remote-party-id

M.2.80. telephone: VoIP telephone authentication user details

VoIP telephone details

Table M.110. telephone: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which registration accepted
allow-pickup | List of string | Allow all if PABX mode | Only allow pickup from these extensions
allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions
anon-numeric | boolean | - | Mark anonymous calls just using withhold prefix, and leave display name
area-code | string | - | Local area code (without national prefix) for use from this phone
carrier | NMTOKEN | - | Carrier to use for outbound calls
comment | string | - | Comment
cui | string | - | Chargeable user identity for call accounting
ddi | string | - | Full telephone number (international format starting +)
display-name | string | - | Text name to use
email | string | - | Email address (sent to call recording server)
expires | duration | 1:00:00 | Registration expiry time
extn | string | - | Local extension number
force-dtmf | boolean | - | Always send DTMF in-band
local-only | boolean | true | Restrict access to registrations from Ethernet subnets only
max-calls | unsignedInt | - | Maximum simultaneous calls allowed
name | NMTOKEN | Not optional | User name (local part of 'from')
outgoing-cli | voip-format | auto | CLI number format passed to telephone
password | Secret | - | Authentication password
profile | NMTOKEN | - | Profile name
realm | string | - | Realm
record | recordoption | - | Automatically record calls
screen | voip-screen | non-rejected | Screen calls
send-p-a-id | boolean | true | Send P-Asserted-Identity
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
uk-cli-text | uknumberformat | Auto | Send display name as UK formatted number
uri | string | - | Direct URI for extn
username | string | - | Authentication username
wrap-up | duration | - | Wrap up time before new call

M.2.81. tone: Tone definitions

Definition of tones used

Table M.111. tone: Attributes

Attribute | Type | Default | Description
name | NMTOKEN | Not optional | Tone name
plan | string | Not optional | Plan for frequency and duration, e.g. 400ms@400Hz-3dB+450Hz-3dB

M.2.82. ringgroup: Ring groups

Ring groups

Table M.112. ringgroup: Attributes

Attribute | Type | Default | Description
allow-pickup | List of string | - | Only allow pickup from these extensions
allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions
answer-time | duration | 30 | Answer caller if ringing this long
carrier | NMTOKEN | - | Carrier to use for external calls
comment | string | - | Comment
cui | string | - | Chargeable user identity for call accounting
ddi | List of string | - | Full telephone number (international format starting +)
display-name | string | - | Text name to use
email | string | - | Email address (sent to call recording server)
extn | List of string | - | Local extension number
initial-time | duration | - | Don't progress to second number until this time
limit | unsignedByte | - | Number allowed to queue
name | NMTOKEN | Not optional | Group name
order | ring-group-order | strict | Order of ring
out-of-hours-group | NMTOKEN | - | Alternative group if this is out of profile (cascades)
out-of-hours-ring | List of string | - | Numbers to ring if out of profile and no out-of-hours-group set
overflow | List of string | - | Numbers to ring when more than one call in queue
overflow-time | duration | 30 | Include overflow after this time at head of queue
profile | NMTOKEN | - | Profile name
progress-time | duration | 6 | Time between each target called
redirect | boolean | - | Allow calls to be diverted before ringing
ring | List of string | - | Numbers to ring
ringall-time | duration | - | Switch to ring all after this time at head of queue
screen | voip-screen | non-rejected | Screen calls
source | string | - | Source of data, used in automated config management
type | ring-group-type | all | Type of ring when one call in queue
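
The attributes above that bound who can register, call and watch (local-only, password, max-calls on a VoIP user; allow-pickup and allow-subscribe on a ring group) are the ones worth checking before a config goes live. The script below is an added example, not FireBrick's own code: it parses a config and reports entries that leave those attributes at their widest setting. Only the attribute names come from the reference tables; the element names <user> and <ringgroup>, the 12-character password floor and the sample config are assumptions constructed for the example.

```python
"""Audit VoIP user and ring-group entries in a FireBrick-style XML config.

Added example, not FireBrick's own code.  The attribute names (local-only,
password, max-calls, allow-pickup, allow-subscribe) are from the reference
tables; the element names <user> and <ringgroup> and the 12-character
password floor are assumptions.  The sample config below is constructed.
"""
import xml.etree.ElementTree as ET

MIN_PASSWORD_LEN = 12  # assumed local policy, not a FireBrick rule

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <user name="alice" extn="201" username="alice" password="correct-horse-battery" max-calls="2"/>
  <user name="lobby" extn="202" username="lobby" password="hunter2" local-only="false"/>
  <user name="bob" extn="203" username="bob"/>
  <ringgroup name="sales" extn="300" ring="201,202"/>
  <ringgroup name="support" extn="301" ring="203" allow-pickup="201,203" allow-subscribe="201"/>
</config>
"""


def local_name(tag):
    """ElementTree renders namespaced tags as '{uri}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def elements(root, name):
    """All elements in the tree with the given local name, in document order."""
    return [e for e in root.iter() if local_name(e.tag) == name]


def audit_users(root):
    findings = []
    for u in elements(root, "user"):
        name = u.get("name", "?")
        # Table default for local-only is true, so only an explicit false widens exposure.
        if u.get("local-only", "true").strip().lower() == "false":
            findings.append((name, "local-only=false: registrations accepted from beyond the Ethernet subnets"))
        pw = u.get("password")
        if not pw:
            findings.append((name, "no password: SIP registration cannot be authenticated"))
        elif len(pw) < MIN_PASSWORD_LEN:
            findings.append((name, f"password shorter than {MIN_PASSWORD_LEN} characters"))
        if u.get("max-calls") is None:
            findings.append((name, "max-calls unset: no cap on simultaneous calls from this user"))
    return findings


def audit_ringgroups(root):
    findings = []
    for g in elements(root, "ringgroup"):
        name = g.get("name", "?")
        # With these lists unset the table places no restriction on who may pick up or subscribe.
        if not g.get("allow-pickup"):
            findings.append((name, "allow-pickup unset: any extension may pick up this group's calls"))
        if not g.get("allow-subscribe"):
            findings.append((name, "allow-subscribe unset: any extension may watch this group's BLF state"))
    return findings


def audit(xml_text):
    """Return (object name, finding) pairs for every user and ring group in the config."""
    root = ET.fromstring(xml_text)
    return audit_users(root) + audit_ringgroups(root)


if __name__ == "__main__":
    for obj, msg in audit(SAMPLE_CONFIG):
        print(f"{obj}: {msg}")
```

Matching on the local tag name means the same checks run whether or not the config carries a default namespace. Run against the constructed sample, the script flags lobby (open registration, short password, no call cap), bob (no password, no call cap) and the sales group (unrestricted pickup and BLF); alice and support pass.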

M.2.83. directory: Directory entry

Directory

Table M.113. directory: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | string | - | Display name
number | string | Not optional | Calling number
screen | voip-screen-set | - | Screen/categorise this call
source | string | - | Source of data, used in automated config management

M.2.84. etun: Ether tunnel

Ether tunnel

Table M.114. etun: Attributes

Attribute | Type | Default | Description
eth-port | NMTOKEN | Not optional | Port group name
ip | IPAddr | Not optional | Far end IP address
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
name | string | - | Name
profile | NMTOKEN | - | Profile name
source-ip | IPAddr | - | Our IP address
table | (unsignedByte 0-99) routetable | 0 | Routing table number

M.2.85. dhcp-relay: DHCP server settings for remote / relayed requests

Settings for DHCP server for relayed connections

Table M.115. dhcp-relay: Attributes

Attribute | Type | Default | Description
allocation-table | (unsignedByte 0-99) routetable | Allocate same as request table | Routing table for allocations; suggest using separate tables for remote DHCP
allow | List of IPNameRange | Allow from anywhere | IPs allowed (e.g. allocated IPs for renewal)
relay | List of IPNameRange | Any relay | Relay server IP(s)
table | (unsignedByte 0-99) routetable | Allow any | Routing table applicable

Table M.116. dhcp-relay: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
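
Left at their defaults ("Any relay", "Allow from anywhere") the relay and allow lists let any host that can reach the FireBrick obtain or renew a lease through this server. The script below is an added example, not FireBrick code, showing how those two filters gate an incoming request. It assumes an IPNameRange is written as a single address, a CIDR prefix or a first-last range (named entries are not handled), that lists are comma separated, that an empty list means unrestricted as the table defaults state, and that a request carrying a relay agent address (giaddr) is checked against relay while a direct request, such as a client renewing from its leased address, is checked against allow. The attribute values are constructed for the example.

```python
"""Apply dhcp-relay 'relay' and 'allow' filters to an incoming DHCP request.

Added example, not FireBrick code.  From the reference table: 'relay' lists
the relay agents whose forwarded requests are accepted (default any), and
'allow' lists source IPs accepted directly, e.g. leased addresses renewing
(default anywhere).  Assumptions: an IPNameRange is a single address, a
CIDR prefix or 'first-last' (named entries not handled); lists are comma
separated; a request with a non-zero giaddr is relayed, one without is
direct.
"""
import ipaddress


def parse_range(text):
    """One IPNameRange entry -> ip_network, or a (first, last) address pair."""
    text = text.strip()
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return (lo, hi)
    a = ipaddress.ip_address(text)
    return (a, a)


def parse_list(text):
    """Comma-separated List of IPNameRange; empty or None means unrestricted."""
    return [parse_range(p) for p in (text or "").split(",") if p.strip()]


def in_ranges(addr, ranges):
    """True if addr falls in any entry; an empty list matches everything (table default)."""
    if not ranges:
        return True
    a = ipaddress.ip_address(addr)
    for r in ranges:
        if isinstance(r, tuple):
            lo, hi = r
            if lo.version == a.version and lo <= a <= hi:
                return True
        elif a in r:  # ip_network membership; False for a different IP version
            return True
    return False


def should_serve(relay_attr, allow_attr, source_ip, giaddr=None):
    """Return (accepted, reason) for a request from source_ip.

    giaddr is the relay agent address from the DHCP header, or None when it
    is zero (the request came straight from the client).
    """
    if giaddr is not None:
        ok = in_ranges(giaddr, parse_list(relay_attr))
        return ok, "relayed request: giaddr " + ("accepted" if ok else "not in relay list")
    ok = in_ranges(source_ip, parse_list(allow_attr))
    return ok, "direct request: source " + ("accepted" if ok else "not in allow list")


# Constructed attribute values, as they might be set on a dhcp-relay element.
RELAY = "10.0.0.1, 10.0.1.0/24"
ALLOW = "192.168.50.0/24, 172.16.0.10-172.16.0.20"

if __name__ == "__main__":
    for src, gi in [("10.0.1.7", "10.0.1.7"), ("10.0.2.7", "10.0.2.7"),
                    ("192.168.50.44", None), ("172.16.0.21", None)]:
        print(src, gi, should_serve(RELAY, ALLOW, src, gi))
```

Pin relay to the addresses of the relay agents you actually run and allow to the ranges allocated to remote clients; both are source-address filters, so they are only as strong as the anti-spoofing on the links those requests arrive over.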