FireBrick FB6202 V1.16.001 documentation

FireBrick FB6202 L2TP configuration documentation. Copyright © 2008-11 FireBrick Ltd.

Top level config

The top level config element contains all of the FireBrick configuration data.

config: Attributes
Attribute | Type | Description | Default
patch | integer | Internal use, for s/w updates that change config syntax |
timestamp | dateTime | Config store time, set automatically when config is saved |
config: Elements
Element | Type | Instances | Description
bgp | bgp | Optional, up to 10 | BGP config
blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks
cqm | cqm | Optional | Constant Quality Monitoring config
ethernet | ethernet | Optional, unlimited | Ethernet port settings
interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets
ip-group | ip-group | Optional, unlimited | Named IP groups
l2tp | l2tp | Optional | L2TP settings
log | log | Optional, up to 50 | Log target controls
loopback | loopback | Optional, unlimited | Extra local addresses
network | network | Optional, unlimited | Locally originated networks
nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks
port | portdef | Optional, up to 2 | Port grouping and naming
ppp | pppoe | Optional, up to 10 | PPPoE settings
profile | profile | Optional, unlimited | Control profiles
route | route | Optional, unlimited | Static routes
services | services | Optional | General system services
shaper | shaper | Optional, unlimited | Named traffic shapers
system | system | Optional | System settings
user | user | Optional, unlimited | Admin users

IP Group

Named IP group

ip-group: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
ip | List of IPRange | One or more IP ranges or IP/len |
name | string | Name | Not optional
source | string | Source of data, used in automated config management |
users | List of string | Include IP of (time limited) logged in web users |

Traffic shaper override based on profile

Settings for a named traffic shaper

shaper-override: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
profile | string | Profile name | Not optional
rx | unsignedInt | Rx rate limit |
rx-max | unsignedInt | Rx rate limit max |
rx-min | unsignedInt | Rx rate limit min |
rx-min-burst | duration | Rx minimum allowed burst time |
rx-step | unsignedInt | Rx rate reduction per hour |
source | string | Source of data, used in automated config management |
tx | unsignedInt | Tx rate limit/target |
tx-max | unsignedInt | Tx rate limit max |
tx-min | unsignedInt | Tx rate limit min |
tx-min-burst | duration | Tx minimum allowed burst time |
tx-step | unsignedInt | Tx rate reduction per hour |

Traffic shaper

Settings for a named traffic shaper

shaper: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
name | string | Graph name | Not optional
rx | unsignedInt | Rx rate limit |
rx-max | unsignedInt | Rx rate limit max |
rx-min | unsignedInt | Rx rate limit min |
rx-min-burst | duration | Rx minimum allowed burst time |
rx-step | unsignedInt | Rx rate reduction per hour |
share | boolean | If shaper is shared with other devices |
source | string | Source of data, used in automated config management |
tx | unsignedInt | Tx rate limit/target |
tx-max | unsignedInt | Tx rate limit max |
tx-min | unsignedInt | Tx rate limit min |
tx-min-burst | duration | Tx minimum allowed burst time |
tx-step | unsignedInt | Tx rate reduction per hour |
shaper: Elements
Element | Type | Instances | Description
override | shaper-override | Optional, unlimited | Profile specific variations on main settings

Test passes if any addresses are pingable

Ping targets

profile-ping: Attributes
Attribute | Type | Description | Default
flow | unsignedShort | Flow label (IPv6) |
gateway | IPAddr | Ping via specific gateway (bypasses session tracking if set) |
ip | IPAddr | Target IP | Not optional
source-ip | IPAddr | Source IP |
ttl | unsignedByte | Time to live / Hop limit |

Test passes if within any of the date/time ranges specified

Time range test in profiles

profile-time: Attributes
Attribute | Type | Description | Default
days | Set of day | Which days of week apply, default all |
start | time | Start (HH:MM:SS) |
stop | time | End (HH:MM:SS) |

Test passes if within any of the time ranges specified

Time range test in profiles

profile-date: Attributes
Attribute | Type | Description | Default
start | dateTime | Start (YYYY-MM-DDTHH:MM:SS) |
stop | dateTime | End (YYYY-MM-DDTHH:MM:SS) |

Control profile

General on/off control profile used in various places in the config.

profile: Attributes
Attribute | Type | Description | Default
and | List of string | Test passes if all specified profiles are active |
comment | string | Comment |
initial | boolean | Defines state at system startup if not using set | true
interval | duration | Test frequency | 1
invert | boolean | Invert final result of testing |
log | string | Log target | Not logging
log-debug | string | Log additional information | Not logging
name | string | Profile name | Not optional
not | string | Test passes if specified profile is inactive |
or | List of string | Active if any of these other profiles active regardless of other tests |
ppp | List of string | PPP link state (any of these are up) |
recover | duration | Time before recover (i.e. how long test has been passing for) | 1
route | List of IPAddr | Test passes if all specified addresses are routeable |
set | boolean | Manual override, ignore all tests, ignore invert setting |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table for ping/route |
timeout | duration | Time before timeout (i.e. how long test has been failing for) | 10
vrrp | List of string | VRRP state (any of these is master) |
profile: Elements
Element | Type | Instances | Description
date | profile-date | Optional, unlimited | Test passes if within any date range specified
ping | profile-ping | Optional | Test passes if address is answering pings
time | profile-time | Optional, unlimited | Test passes if within any time range specified
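As an added illustration (not FireBrick code), the following Python models how the profile attributes above combine into a single on/off state, including the timeout and recover hold times. The precedence between set, or, and the remaining tests is an assumption, since the table does not spell it out, and the fields or_profiles, and_profiles and not_profile are renamings of the or, and and not attributes because those words are Python keywords.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    """Config attributes of one control profile (names follow the table above)."""
    name: str
    set: Optional[bool] = None              # manual override: ignores all tests and invert
    or_profiles: List[str] = field(default_factory=list)   # "or" attribute
    and_profiles: List[str] = field(default_factory=list)  # "and" attribute
    not_profile: Optional[str] = None       # "not" attribute
    invert: bool = False
    timeout: float = 10.0                   # seconds tests must keep failing before going inactive
    recover: float = 1.0                    # seconds tests must keep passing before going active
    initial: bool = True                    # state at startup when set is not used
    # runtime state, not configuration
    active: bool = field(init=False)
    _last_result: Optional[bool] = field(default=None, init=False)
    _result_since: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        self.active = self.initial if self.set is None else self.set


def combined_test(p: Profile, states: Dict[str, bool], own_tests: List[bool]) -> bool:
    """Raw pass/fail of the profile's tests for one interval, before the hold timers.

    Assumed precedence (an assumption, not stated by the table): any active "or"
    profile passes the test regardless of anything else; otherwise every "and"
    profile must be active, the "not" profile must be inactive, and each own test
    result (ping, route, time, date, ppp, vrrp) must pass. "invert" then flips it.
    """
    if any(states.get(n, False) for n in p.or_profiles):
        result = True
    else:
        result = (all(states.get(n, False) for n in p.and_profiles)
                  and (p.not_profile is None or not states.get(p.not_profile, False))
                  and all(own_tests))
    return (not result) if p.invert else result


def step(p: Profile, now: float, states: Dict[str, bool], own_tests: List[bool]) -> bool:
    """Run one test interval at time `now` and return the profile's new state.

    The state only changes once the combined result has held for `recover`
    seconds (inactive -> active) or `timeout` seconds (active -> inactive).
    """
    if p.set is not None:                   # manual override wins outright
        p.active = p.set
        return p.active
    result = combined_test(p, states, own_tests)
    if result != p._last_result:            # result flipped: restart the hold timer
        p._last_result = result
        p._result_since = now
    held_for = now - p._result_since
    if result and not p.active and held_for >= p.recover:
        p.active = True
    elif not result and p.active and held_for >= p.timeout:
        p.active = False
    return p.active
```

With the defaults (timeout 10, recover 1, interval 1) a profile whose ping test starts failing stays active for ten intervals and then returns after one passing interval, which is the asymmetry the two attributes give you.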

RADIUS accounting server settings

Server settings for RADIUS Accounting for L2TP

radius-acct: Attributes
Attribute | Type | Description | Default
attempts | unsignedInt | How many concurrent requests to this server before trying next | 200
comment | string | Comment |
fail-count | unsignedInt | How many failures in a row before blacklisting | 20
fail-time | duration | How long to blacklist before retrying (secs) | 120
ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional
name | string | Name |
port | unsignedShort | Accounting UDP port | 1813
profile | string | Profile name |
relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP |
secret | Secret | Shared secret for RADIUS requests | Not optional
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number |
timeout | duration | Min retry timeout on RADIUS requests | 5

RADIUS authentication server settings

Server settings for RADIUS Authentication for L2TP

radius-auth: Attributes
Attribute | Type | Description | Default
attempts | unsignedInt | How many concurrent requests to this server before trying next | 200
comment | string | Comment |
fail-count | unsignedInt | How many failures in a row before blacklisting | 20
fail-time | duration | How long to blacklist before retrying (secs) | 120
ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional
name | string | Name |
port | unsignedShort | Authentication UDP port | 1812
profile | string | Profile name |
relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP |
secret | Secret | Shared secret for RADIUS requests | Not optional
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number |
timeout | duration | Min retry timeout on RADIUS requests | 5

Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

l2tp-relay: Attributes
Attribute | Type | Description | Default
called-station-id | List of string | One or more patterns to match called-station-id |
calling-station-id | List of string | One or more patterns to match calling-station-id |
comment | string | Comment |
graph | string | Graph name |
ip-over-lcp | boolean | Send IP over LCP (local auth) |
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295
name | string | Name |
password | Secret | Password check |
profile | string | Profile name |
relay-hostname | string | Hostname for L2TP connection |
relay-ip | List of IPAddr | Target IP(s) for L2TP connection |
relay-secret | Secret | Shared secret for L2TP connection |
remote-ip | IP4Addr | Remote end PPP IPv4 (local auth) |
remote-netmask | IP4Addr | Remote end PPP Netmask (local auth) |
routes | List of IPPrefix | Additional routes when link up (local auth) |
source | string | Source of data, used in automated config management |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) |
username | List of string | One or more patterns to match username |

L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

l2tp-incoming: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which connects can be made |
bgp | bgpmode | BGP announce mode for routes |
comment | string | Comment |
damping | boolean | Apply damping to sessions if limiting on shaper | false
dhcpv6dns | List of IP6Addr | List of IPv6 DNS servers |
dos-limit | unsignedInt | Per second per session tx packet drop limit for DOS protection | 10000
graph | string | Graph name |
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true
hostname | string | Hostname quoted on incoming tunnel |
icmp-ppp | boolean | Use PPP endpoint for ICMP | false
ipv6ep | IP4Addr | Local end IPv4 for IPv6 tunnels |
lcp-mru-fix | boolean | Restart LCP if RAS negotiated MRU is too high | false
lcp-rate | unsignedByte | LCP interval (seconds) | 1
lcp-timeout | unsignedByte | LCP timeout (seconds) | 10
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
mtu | mtu 576-1600 | Default MTU for sessions in this tunnel |
name | string | Name |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0
pppdns1 | IP4Addr | PPP DNS1 IPv4 default |
pppdns2 | IP4Addr | PPP DNS2 IPv4 default |
pppip | IP4Addr | Local end PPP IPv4 |
profile | string | Profile name |
require-platform | boolean | All sessions require a platform RADIUS first | false
secret | Secret | Shared secret |
shutdown | boolean | Refuse all new sessions or tunnels | false
source | string | Source of data, used in automated config management |
speed | unsignedInt | Default egress rate limit |
table | routetable 0-99 | Routing table number for L2TP session | 0
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false
test | List of IPAddr | List of IPs to which routing must exist else tunnel dropped (deprecated) |
l2tp-incoming: Elements
Element | Type | Instances | Description
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication

L2TP settings

L2TP settings for incoming L2TP connections

l2tp: Attributes
Attribute | Type | Description | Default
accounting-interval | duration | Periodic interim accounting interval | 3600
l2tp: Elements
Element | Type | Instances | Description
accounting | radius-acct | Optional, unlimited | RADIUS accounting server settings
authentication | radius-auth | Optional, unlimited | RADIUS authentication server settings
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections

Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.

cqm: Attributes
Attribute | Type | Description | Default
ave | Colour | Colour for average latency | #0cc
axis | Colour | Axis colour | black
background | Colour | Background colour | white
bottom | unsignedByte | Pixels space at bottom of graph | 11
dateformat | string | Date format | %Y-%m-%d
dayformat | string | Day format | %a
fail | Colour | Colour for failed (dropped) seconds | red
fail-level | unsignedInt | Fail level not expected on low usage | 1
fail-level1 | unsignedByte | Loss level 1 | 3
fail-level2 | unsignedByte | Loss level 2 | 50
fail-score | unsignedByte | Score for fail and low usage | 200
fail-score1 | unsignedByte | Score for on/above level 1 | 100
fail-score2 | unsignedByte | Score for on/above level 2 | 200
fail-usage | unsignedInt | Usage below which fail is not expected | 128000
fblogo | Colour | Colour for logo | #c00
graticule | Colour | Graticule colour | grey
heading | string | Heading of graph |
hourformat | string | Hour format | %H
key | unsignedByte | Pixels space for key | 90
label-ave | string | Label for average latency | Ave
label-damp | string | Label for % shaper damping | Damp%
label-fail | string | Label for seconds (%) failed | Fail
label-latency | string | Label for latency | Latency
label-max | string | Label for maximum latency | Max
label-min | string | Label for minimum latency | Min
label-off | string | Label for off line seconds | Off
label-period | string | Label for period | Period
label-poll | string | Label for polls | Polls
label-rx | string | Label for Rx traffic level | Rx
label-score | string | Label for score | Score
label-sent | string | Label for seconds polled | Sent
label-shaper | string | Label for shaper | Shaper
label-time | string | Label for time | Time
label-traffic | string | Label for traffic level | Traffic (bit/s)
label-tx | string | Label for Tx traffic level | Tx
latency-level | unsignedInt | Latency level not expected on low usage | 100000000
latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000
latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000
latency-score | unsignedByte | Score for high latency and low usage | 200
latency-score1 | unsignedByte | Score for on/above level 1 | 10
latency-score2 | unsignedByte | Score for on/above level 2 | 20
latency-usage | unsignedInt | Usage below which latency is not expected | 128000
left | unsignedByte | Pixels space left of main graph | 0
log | string | Log events | Not logging
max | Colour | Colour for maximum latency | green
min | Colour | Colour for minimum latency | blue
off | Colour | Colour for off line seconds | #c8f
outside | Colour | Colour for outer border | transparent
right | unsignedByte | Pixels space right of main graph | 50
rx | Colour | Colour for Rx traffic level | #800
secret | Secret | Secret for MD5 coded URLs |
sent | Colour | Colour for polled seconds | #ff8
share-interface | string | Interface on which to broadcast data for shaper sharing |
share-secret | string | Secret to validate shaper sharing |
subheading | string | Subheading of graph |
text | Colour | Colour for text | black
text1 | string | Text line 1 |
text2 | string | Text line 2 |
text3 | string | Text line 3 |
text4 | string | Text line 4 |
timeformat | string | Time format | %Y-%m-%d %H:%M:%S
top | unsignedByte | Pixels space at top of graph | 4
tx | Colour | Colour for Tx traffic level | #080

Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

bgprule: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
detag | List of Community | List of community tags to remove |
drop | boolean | Do not import/export this prefix | false
localpref | unsignedInt | Set localpref (highest wins) |
med | unsignedInt | Set MED |
name | string | Name |
prefix | List of IPFilter | Prefixes that this rule applies to |
source | string | Source of data, used in automated config management |
tag | List of Community | List of community tags to add |

Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

bgpmap: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
detag | List of Community | List of community tags to remove |
drop | boolean | Do not import/export this prefix | false
localpref | unsignedInt | Set localpref (highest wins) |
med | unsignedInt | Set MED |
name | string | Name |
prefix | List of IPFilter | Drop all that are not in this prefix list |
source | string | Source of data, used in automated config management |
tag | List of Community | List of community tags to add |
bgpmap: Elements
Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.

bgppeer: Attributes
Attribute | Type | Description | Default
add-own-as | boolean | Add our AS on exported routes |
allow-export | boolean | Ignore no-export community and export anyway |
allow-only-their-as | boolean | Only accept routes that are solely the peer's AS |
allow-own-as | boolean | Allow our AS inbound |
as | unsignedInt | Peer AS |
capability-as4 | boolean | If supporting AS4 | true
capability-graceful-restart | boolean | If supporting Graceful Restart | true
capability-mpe-ipv4 | boolean | If supporting MPE for IPv4 | true
capability-mpe-ipv6 | boolean | If supporting MPE for IPv6 | true
capability-route-refresh | boolean | If supporting Route Refresh | true
comment | string | Comment |
drop-default | boolean | Ignore default route received | false
export-med | unsignedInt | Set MED on exported routes (unless export filter sets it) |
holdtime | unsignedInt | Hold time | 30
ignore-bad-optional-partial | boolean | Ignore routes with a recognised badly formed optional that is flagged partial | true
import-localpref | unsignedInt | Set localpref on imported routes (unless import filter sets it) |
in-soft | boolean | Mark received routes as soft |
ip | List of IPAddr | One or more IPs of neighbours (omit to allow incoming) |
log-debug | string | Log debug | Not logging
max-prefix | bgp-prefix-limit 1-1000 | Limit prefixes (IPv4+IPv6) | 10000
md5 | Secret | MD5 signing secret |
name | string | Name |
next-hop-self | boolean | Force us as next hop outbound | false
no-fib | boolean | Don't include received routes in packet forwarding |
pad | unsignedByte | Pad (prefix stuff) our AS by this many |
profile | string | Profile name |
same-ip-type | boolean | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers | true
send-default | boolean | Send a default route to this peer | false
send-no-routes | boolean | Don't send any normal routes | false
shutdown | boolean | Shutdown this neighbour (deprecated, use profile) |
source | string | Source of data, used in automated config management |
timer-idle | unsignedInt | Idle time after error | 60
timer-openwait | unsignedInt | Time to wait for OPEN on connection | 10
timer-retry | unsignedInt | Time to retry the neighbour | 10
ttl-security | byte | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking. |
type | peertype | Type of neighbour (affects some defaults) | normal
bgppeer: Elements
Element | Type | Instances | Description
export | bgpmap | Optional, unlimited | Mapping and filtering rules of announcing prefixes to peer
import | bgpmap | Optional, unlimited | Mapping and filtering rules of accepting prefixes from peer

Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

bgp: Attributes
Attribute | Type | Description | Default
as | unsignedInt | Our AS |
cluster-id | IP4Addr | Our cluster ID |
comment | string | Comment |
id | IP4Addr | Our router ID |
log | string | Log events | Not logging
name | string | Name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0
bgp: Elements
Element | Type | Instances | Description
peer | bgppeer | Optional, up to 50 | List of peers/neighbours

Locally originated networks

Loopback addresses define local IP addresses

loopback: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes |
comment | string | Comment |
ip | List of IPAddr | One or more local network addresses | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0

Dead end networks

Networks that go nowhere

blackhole: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes | false
comment | string | Comment |
ip | List of IPPrefix | One or more local network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0

Locally originated networks

Network blocks that are announced but not actually added to internal routes. Note that blackhole and nowhere objects can also announce, but they do add routing.

network: Attributes
Attribute | Type | Description | Default
as-path | List of up to 10 unsignedInt | Custom AS path as if network received |
bgp | bgpmode | BGP announce mode for routes | true
comment | string | Comment |
ip | List of IPPrefix | One or more local network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0

Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes |
comment | string | Comment |
gateway | List of IPAddr | One or more target gateway IPs | Not optional
graph | string | Graph name |
ip | List of IPPrefix | One or more local network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |
speed | unsignedInt | Egress rate limit |
table | routetable 0-99 | Routing table number | 0

PPP routes

Routes that apply when link is up

ppp-route: Attributes
Attribute | Type | Description | Default
bgp | bgpmode | BGP announce mode for routes |
comment | string | Comment |
ip | List of IPPrefix | One or more local network prefixes | Not optional
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295
name | string | Name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |

PPPoE settings

PPPoE endpoint settings

pppoe: Attributes
Attribute | Type | Description | Default
ac-name | string | Access concentrator name | Any a/c name
accept-dns | boolean | Accept DNS servers specified by far end | true
bgp | bgpmode | BGP announce mode for routes |
comment | string | Comment |
cug | cug 1-32767 | Closed user group ID |
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) |
graph | string | Graph name |
ip-over-lcp | boolean | Sends all IP packets as LCP | auto
lcp-rate | unsignedByte | LCP interval (seconds) | 10
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61
local | IP4Addr | Local IPv4 address |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log as events | Not logging
mode | pppoe-mode | PPPoE server/client mode | client
mtu | mtu 576-1600 | MTU for link | 1492
name | string | Name |
password | Secret | User password |
pd-interface | List of string | Interfaces for IPv6 prefix delegation | Auto
port | string | Physical port number, or port group name |
profile | string | Profile name |
remote | IP4Addr | Remote IPv4 address |
routes | List of IPPrefix | Routes when link up | Default gateway
service | string | Service name | Any service
source | string | Source of data, used in automated config management |
speed | unsignedInt | Default egress rate limit |
table | routetable 0-99 | Routing table number for payload | From interface
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true
username | string | User name |
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0
pppoe: Elements
Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up

DHCP server attributes (IP)

Additional DHCP server attributes (IP)

dhcp-attr-ip: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
force | boolean | Send even if not requested |
id | unsignedByte | Attribute type code | Not optional
name | string | Name |
value | IP4Addr | Value | Not optional

DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

dhcp-attr-number: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
force | boolean | Send even if not requested |
id | unsignedByte | Attribute type code | Not optional
name | string | Name |
value | unsignedInt | Value | Not optional

DHCP server attributes (string)

Additional DHCP server attributes (string)

dhcp-attr-string: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
force | boolean | Send even if not requested |
id | unsignedByte | Attribute type code | Not optional
name | string | Name |
value | string | Value | Not optional

DHCP server attributes (hex)

Additional DHCP server attributes (hex)

dhcp-attr-hex: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
force | boolean | Send even if not requested |
id | unsignedByte | Attribute type code | Not optional
name | string | Name |
value | hexBinary | Value | Not optional

DHCP server settings

Settings for DHCP server

dhcps: Attributes
Attribute | Type | Description | Default
boot | IP4Addr | Next/boot server |
boot-file | string | Boot filename |
class | string | Class match |
client-name | string | Client name match |
comment | string | Comment |
dns | List of IP4Addr | DNS resolvers | Our IP
domain | string | DNS domain | From system settings
force | boolean | Send all options even if not requested |
gateway | List of IP4Addr | Gateway | Our IP
ip | List of IP4Range | Address pool | 0.0.0.0/0
lease | duration | Lease length | PT2H
log | string | Log events (allocations) | Not logging
mac | List of up to 12 macprefix (hexBinary) | Partial or full MAC addresses |
name | string | Name |
ntp | List of IP4Addr | NTP server | From system settings
profile | string | Profile name |
source | string | Source of data, used in automated config management |
syslog | List of IP4Addr | Syslog server |
time | List of IP4Addr | Time server | Our IP
dhcps: Elements
Element | Type | Instances | Description
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex)
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP)
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric)
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string)

VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP; it forces VRRP to the low priority instead.

vrrp: Attributes
Attribute | Type | Description | Default
answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true
comment | string | Comment |
delay | unsignedInt | Delay after routing established before priority returns to normal | 10
interval | unsignedShort | Transit interval (centiseconds) | 100
ip | List of IPAddr | One or more IP addresses to announce | Not optional
log | string | Log events | Not logging
log-error | string | Log errors | Log as event
low-priority | unsignedByte | Lower priority applicable until routing established | 1
name | string | Name |
preempt | boolean | Whether pre-empt allowed | true
priority | unsignedByte | Normal priority | 100
profile | string | Profile name |
source | string | Source of data, used in automated config management |
test | List of IPAddr | List of IPs to which routing must exist else low priority (deprecated) |
use-vmac | boolean | Whether to use the special VMAC or use normal MAC | true
version3 | boolean | Use only version 3 | v2 for IPv4, v3 for IPv6
vrid | unsignedByte | VRID | 42

Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

subnet: Attributes
Attribute | Type | Description | Default
accept-dns | boolean | Accept DNS servers specified by DHCP | true
arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60
bgp | bgpmode | BGP announce mode for routes |
broadcast | boolean | If broadcast address allowed | false
comment | string | Comment |
gateway | List of IPAddr | One or more gateways to install |
ip | List of IPSubnet | One or more IP/len | Automatic by DHCP
localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295
mtu | mtu 576-1600 | MTU for subnet | As interface
name | string | Name |
profile | string | Profile name |
proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false
ra | ramode | If to announce IPv6 RA for this subnet | false
ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements |
ra-managed | dhcpv6control | RA 'M' (managed) flag |
ra-max | ra-max 4-1800 | Max RA send interval | 600
ra-min | ra-min 3-1350 | Min RA send interval |
ra-mtu | unsignedShort | MTU to use on RA | As subnet
ra-other | dhcpv6control | RA 'O' (other) flag |
ra-profile | string | Profile, if inactive then forces low priority RA |
source | string | Source of data, used in automated config management |
ttl | unsignedByte | TTL for originating traffic via subnet | 64

Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

interface: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
cug | cug 1-32767 | Closed user group ID |
cug-restrict | boolean | Closed user group restricted traffic (only to/from same CUG ID) |
graph | string | Graph name |
log | string | Log events including DHCP and related events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
mtu | mtu 576-1600 | MTU for this interface | 1500
name | string | Name |
ping | IPAddr | Ping address to add loss/latency to graph for interface |
port | string | Port group name | Not optional
profile | string | Profile name |
ra-client | boolean | Accept IPv6 RA and create auto config subnets and routes | true
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table applicable | 0
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0
interface: Elements
Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings

Port grouping and naming

Port grouping and naming

portdef: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
name | string | Name | Not optional
ports | Set of port | Physical port(s) | Not optional
profile | string | Profile name |
source | string | Source of data, used in automated config management |

Physical port controls

Physical port attributes

ethernet: Attributes
Attribute | Type | Description | Default
autoneg | boolean | Perform link auto-negotiation | auto negotiate unless manual 10/100 speed and duplex are set
clocking | LinkClock | Gigabit clock setting | prefer-slave
crossover | Crossover | Port crossover configuration | auto
duplex | LinkDuplex | Duplex setting for this port | auto
flow | LinkFlow | Flow control setting | none
green | LinkLED-g | Green LED setting | Link/Activity
optimise | boolean | Enable PHY optimisations | true
port | port | Physical port | Not optional
power-saving | LinkPower | Enable PHY power saving | full
send-fault | LinkFault | Send fault status |
shutdown | boolean | Power down this port | false
speed | LinkSpeed | Speed setting for this port | auto
yellow | LinkLED-y | Yellow LED setting | Tx

Matching rules for platform RADIUS

Rules for matching RADIUS requests

platform-radius-match: Attributes
Attribute | Type | Description | Default
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection |
called-station-id | List of string | One or more patterns to match called-station-id |
calling-station-id | List of string | One or more patterns to match calling-station-id |
class | string | Class field to send |
comment | string | Comment |
context-name | string | Juniper Context-Name (SIN502) |
dummy-ip | boolean | Send dummy framed IP response | true
name | string | Name |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage |
order | radiuspriority | Priority tagging of endpoints sent |
profile | string | Profile name |
relay-ip | List of IPAddr | Address to copy RADIUS request |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request |
source | string | Source of data, used in automated config management |
tagged | boolean | Tag all attributes that can be |
target-hostname | string | Hostname for L2TP connection |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection |
target-secret | Secret | Shared secret for L2TP connection |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) |
tunnel-assignment-id | string | Tunnel Assignment ID to send |
tunnel-client-return | boolean | Return tunnel client as radius IP |
username | List of string | One or more patterns to match username |

Platform RADIUS definition

Platform RADIUS server and proxy definitions

platform-radius: Attributes
Attribute | Type | Description | Default
acct-port | unsignedShort | Accounting UDP port | 1813
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection |
class | string | Class field to send |
comment | string | Comment |
context-name | string | Juniper Context-Name (SIN502) |
dummy-ip | boolean | Send dummy framed IP response | true
log | string | Log events | Not logging
log-error | string | Log errors | Log as event
name | string | Name |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage |
order | radiuspriority | Priority tagging of endpoints sent |
port | unsignedShort | Authentication UDP port | 1812
profile | string | Profile name |
relay-ip | List of IPAddr | Address to copy RADIUS request |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request |
secret | Secret | Shared secret for RADIUS requests (needed for replies) |
source | string | Source of data, used in automated config management |
tagged | boolean | Tag all attributes that can be |
target-hostname | string | Hostname for L2TP connection |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection |
target-secret | Secret | Shared secret for L2TP connection |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) |
tunnel-assignment-id | string | Tunnel Assignment ID to send |
tunnel-client-return | boolean | Return tunnel client as radius IP |
platform-radius: Elements
Element | Type | Instances | Description
match | platform-radius-match | Optional, unlimited | Matching rules for specific responses

Fixed local DNS blocks

DNS forwarding resolver service

dns-block: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
name | List of string | Host names (can use * as a part of a domain) | Not optional
profile | string | Profile name |
restrict | List of IPNameRange | List of IP ranges to which this is served |
source | string | Source of data, used in automated config management |
ttl | unsignedInt | Time to live | 60

Fixed local DNS host settings

DNS forwarding resolver service

dns-host: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
ip | List of IPAddr | IP addresses to serve (or our IP if omitted) | Our IP
name | List of string | Host names (can use * as a part of a domain) | Not optional
profile | string | Profile name |
restrict | List of IPNameRange | List of IP ranges to which this is served |
reverse | boolean | Map reverse DNS as well |
source | string | Source of data, used in automated config management |
ttl | unsignedInt | Time to live | 60

DNS service settings

DNS forwarding resolver service

dns-service: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere
auto-dhcp | boolean | Forward and reverse DNS for names in DHCP using this domain |
comment | string | Comment |
domain | string | Our domain |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
profile | string | Profile name |
resolvers | List of IPAddr | Recursive DNS resolvers to use |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0
dns-service: Elements
Element | Type | Instances | Description
block | dns-block | Optional, unlimited | Fixed local DNS host blocks
host | dns-host | Optional, unlimited | Fixed local DNS host entries

HTTP service settings

Web management pages

http-service: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere
comment | string | Comment |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
port | unsignedShort | Service port | 80
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0
trusted | List of IPNameRange | List of allowed IP ranges from which additional access to certain functions is available |

Telnet service settings

Telnet control interface

telnet-service: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere
comment | string | Comment |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
port | unsignedShort | Service port | 23
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0

NTP service settings

The NTP settings define how the system clock is set, from what servers, and the controls for daylight saving (summer time). The defaults are those that apply in the EU.

ntp-service: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere
comment | string | Comment |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0
timeserver | List of IPNameAddr | List of time servers (IP or hostname) from which time may be set by ntp |
tz1-name | string | Timezone 1 name | GMT
tz1-offset | duration | Timezone 1 offset from UTC | 00:00:00
tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25
tz12-day | day | Timezone 1 to 2 day of week of change | Sun
tz12-month | month | Timezone 1 to 2 month | Mar
tz12-time | duration | Timezone 1 to 2 local time of change | 01:00:00
tz2-name | string | Timezone 2 name | BST
tz2-offset | duration | Timezone 2 offset from UTC | 01:00:00
tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25
tz21-day | day | Timezone 2 to 1 day of week of change | Sun
tz21-month | month | Timezone 2 to 1 month | Oct
tz21-time | duration | Timezone 2 to 1 local time of change | 02:00:00

SNMP service settings

The SNMP service has the general service settings and also SNMP-specific attributes such as the community string.

snmp-service: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere
comment | string | Comment |
community | string | Community string | public
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false
log | string | Log events | Not logging
log-debug | string | Log debug | Not logging
log-error | string | Log errors | Log as event
port | unsignedShort | Service port | 161
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number | 0

System services

System services are the generic services that the system provides; this section lets access controls and settings for each of them be specified. A service is only active if its corresponding element is included in services; otherwise it is disabled.

services: Elements
Element | Type | Instances | Description
dns | dns-service | Optional | DNS service settings
http | http-service | Optional | HTTP server settings
ntp | ntp-service | Optional | NTP client settings (server not implemented yet)
platform-radius | platform-radius | Optional | Platform RADIUS server/proxy settings
snmp | snmp-service | Optional | SNMP server settings
telnet | telnet-service | Optional | Telnet server settings

SNMP trap logger settings

Logging by SNMP trap

log-snmp: Attributes
Attribute | Type | Description | Default
OID | string | OID to send | Not optional
comment | string | Comment |
port | unsignedShort | Server port | 25
profile | string | Profile name |
server | IPNameAddr | SNMP server | Not optional
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Routing table number for sending syslogs | 0

Email logger settings

Logging to email

log-email: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
delay | duration | Delay before sending, since first event to send | PT1M
from | string | Source email address | One made up using serial number
hold-off | duration | Delay before sending, since last email | PT1H
log | string | Log emailing process | Not logging
log-debug | string | Log emailing debug | Not logging
log-error | string | Log emailing errors | Not logging
port | unsignedShort | Server port | 25
profile | string | Profile name |
retry | duration | Delay before sending, since failed send | PT10M
server | IPNameAddr | Smart host to use rather than MX |
source | string | Source of data, used in automated config management |
subject | string | Subject | From first line being logged
table | routetable 0-99 | Routing table number for sending syslogs | 0
to | string | Target email address | Not optional

Syslog logger settings

Logging to a syslog server

log-syslog: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
facility | syslog-facility | Facility setting | LOCAL0
port | unsignedShort | Server port | 514
profile | string | Profile name |
server | IPNameAddr | Syslog server | Not optional
severity | syslog-severity | Severity setting | NOTICE
source | string | Source of data, used in automated config management |
source-ip | IPAddr | Use specific source IP |
table | routetable 0-99 | Routing table number for sending syslogs | 0

Log target controls

Named logging target

log: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
console | boolean | Log immediately to console |
flash | boolean | Log immediately to slow flash memory (use with care) |
jtag | boolean | Log immediately to jtag (development use only) |
name | string | Log target name | Not optional
profile | string | Profile name |
source | string | Source of data, used in automated config management |
log: Elements
Element | Type | Instances | Description
email | log-email | Optional, unlimited | Email settings
snmp | log-snmp | Optional, unlimited | SNMP settings (TBA)
syslog | log-syslog | Optional, unlimited | Syslog settings

Admin users

User names, passwords and abilities for admin users

user: Attributes
Attribute | Type | Description | Default
allow | List of IPNameRange | Restrict logins to be from specific IP addresses |
comment | string | Comment |
config | config-access | Config access level | full
full-name | string | Full name |
level | user-level | Login level | ADMIN
name | username (string) | User name | Not optional
otp | string | OTP serial number |
password | Password | User password | Not optional
profile | string | Profile name |
source | string | Source of data, used in automated config management |
table | routetable 0-99 | Restrict login to specific routing table | 0
timeout | duration | Login idle timeout (zero to stay logged in) | PT5M
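As an added example covering both the System services section and the Admin users table above (it is not from the FireBrick documentation or firmware), the fragment below keeps Telnet disabled by omitting its element, limits SNMP and HTTP to a management ip-group, replaces the default community string, sends service logs to a named syslog target, and defines a view-only user alongside the full administrator. Only attribute names and values listed on this page are used; the XML namespace, element ordering and the space-separated list syntax are assumptions, and all addresses are constructed placeholders.

```xml
<!-- Added example, not from the FireBrick documentation. Namespace, element
     order and space-separated list syntax are assumptions; attribute names
     and values come from the tables on this page. Addresses are constructed
     placeholders from the RFC 5737 documentation range. -->
<config>

  <!-- Management hosts: the only source allowed to reach admin services -->
  <ip-group name="mgmt" ip="192.0.2.0/24" comment="NOC management LAN"/>

  <!-- Named log target so service events and errors leave the box via syslog
       (assumed: the log/log-error attributes below reference this name) -->
  <log name="audit">
    <syslog server="192.0.2.20" facility="AUTH" severity="NOTICE"/>
  </log>

  <services>
    <!-- Weak form, for contrast: a bare <snmp/> would run with the defaults
         allow="anywhere", community="public", local-only="false". -->

    <!-- Hardened SNMP: management group only, non-default community -->
    <snmp allow="mgmt" local-only="true"
          community="REPLACE-WITH-LONG-RANDOM-COMMUNITY"
          log="audit" log-error="audit"/>

    <!-- Web management: management group only; the additional 'trusted'
         functions are reachable from a single jump host -->
    <http allow="mgmt" trusted="192.0.2.10" log="audit" log-error="audit"/>

    <!-- Telnet: no <telnet/> element, so the service stays disabled
         (a service is only active if its element is present in services) -->

    <!-- NTP: local-only already defaults to true; name the servers explicitly -->
    <ntp timeserver="ntp.example.com" log-error="audit"/>
  </services>

  <!-- Admin users: least privilege, IP-restricted, short idle timeout -->
  <user name="noc-view" full-name="NOC read-only"
        password="REPLACE-ME" level="USER" config="view"
        allow="mgmt" timeout="PT5M"/>

  <user name="admin" full-name="Firewall administrator"
        password="REPLACE-ME" level="ADMIN" config="full"
        allow="192.0.2.10" timeout="PT5M"/>

</config>
```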

Web links

Links to other web pages

link: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
name | string | Link name |
profile | string | Profile name |
source | string | Source of data, used in automated config management |
text | string | Link text |
url | string | Link address |

System settings

The system settings are the top level attributes of the system which apply globally.

system: Attributes
Attribute | Type | Description | Default
comment | string | Comment |
contact | string | Contact name |
css-url | string | Additional CSS for web control pages |
dos-delay | unsignedInt | Interrupt DoS restoration counter, leave at default | 2
dos-limit | unsignedInt | Interrupt DoS packet limit, leave at default | 1000
fast-reboot | boolean | Debug - causes fast reboot on new code load |
intro | string | Home page text |
location | string | Location description |
log | string | Log system events | Web logs
log-debug | string | Log system debug messages | Not logging
log-error | string | Log system errors | Web/Flash/console
log-eth | string | Log Ethernet messages | Console
log-eth-debug | string | Log Ethernet debug | Web/Console
log-eth-error | string | Log Ethernet errors | Web/Flash/console
log-panic | string | Log system panic messages | Web logs
log-stats | string | Log one second stats | Not logging
name | string | System hostname |
source | string | Source of data, used in automated config management |
sw-update | autoloadtype | Load new software automatically | false
sw-update-profile | string | Profile name for when to load new s/w |
system: Elements
Element | Type | Instances | Description
link | link | Optional, unlimited | Home page links

BGP peer type

Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.

Tag | Description
normal | Normal BGP operation
transit | EBGP Mark received as no-export
peer | EBGP Mark received as no-export, only accept peer AS
customer | EBGP Allow export as if confederate, only accept peer AS
internal | IBGP allowing own AS
reflector | IBGP allowing own AS and working in route reflector mode
confederate | EBGP confederate
ixp | Internet exchange point peer on route server

Type of PPPoE connection

Tag | Description
client | Normal PPPoE client connects to access controller
bras-l2tp | PPPoE server mode linked to L2TP operation

BGP announcement mode

BGP mode defines the default advertisement mode for prefixes, based on well-known community tags.

Tag | Description
false | Not included in BGP at all
no-advertise | Not included in BGP, not advertised at all
no-export | Not normally exported from local AS/confederation
local-as | Not exported from local AS
no-peer | Exported with no-peer community tag
true | Exported as normal with no special tags added

Control for RA and DHCPv6 bits

Tag | Description
false | Don't set bit or answer on DHCPv6
true | Set bit but do not answer on DHCPv6
dhcpv6 | Set bit and do answer on DHCPv6

IPv6 route announce level

IPv6 route announcement mode and level

Tag | Description
false | Do not announce
low | Announce as low priority
medium | Announce as medium priority
high | Announce as high priority
true | Announce as default (medium) priority

Link fault type to send

Tag | Description
false | No fault
true | Send fault
off-line | Send offline fault (1G)
ane | Send ANE fault (1G)

PHY power saving options

Tag | Description
none | No power saving
full | Full power saving

Green LED setting

Tag | Description
Link/Activity | On when link up; blink when Tx or Rx activity
Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected
Rx | Blink when Rx activity
Off | Permanently off
On | Permanently on
Cycling | Cycling pattern

Yellow LED setting

Tag | Description
Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected
Activity | Blink when Tx or Rx activity
Fault | On when autonegotiation mismatch
Tx | Blink when Tx activity
Off | Permanently off
On | Permanently on
Cycling | Cycling pattern

Physical port Gigabit clock master/slave setting

Tag | Description
prefer-master | Master status negotiated; preference for master
prefer-slave | Master status negotiated; preference for slave
force-master | Master status forced
force-slave | Slave status forced

Physical port flow control setting

Tag | Description
none | No flow control
symmetric | Can support two-way flow control
send-pauses | Can send pauses but does not support pause reception
any | Can receive pauses and may send pauses if required

Physical port duplex setting

Tag | Description
half | Half-duplex
full | Full-duplex
auto | Duplex determined by autonegotiation

Physical port speed

Tag | Description
10M | 10Mbit/sec
100M | 100Mbit/sec
1G | 1Gbit/sec
auto | Speed determined by autonegotiation

Crossover configuration

Physical port crossover configuration.

Tag | Description
auto | Crossover is determined automatically
MDI | Force no crossover

Physical port

Tag | Description
0 | Port 0 (left)
1 | Port 1 (right)

Options for controlling platform RADIUS response priority tagging

Tag | Description
equal | All the same priority
strict | In order specified
random | Random order
calling | Hashed on calling station id
called | Hashed on called station id
username | Hashed on full username
user | Hashed on username before @
realm | Hashed on username after @
prefix | Hashed on username initial letters and numbers only

Day name (3 letter)

Tag | Description
Sun | Sunday
Mon | Monday
Tue | Tuesday
Wed | Wednesday
Thu | Thursday
Fri | Friday
Sat | Saturday

Month name (3 letter)

Tag | Description
Jan | January
Feb | February
Mar | March
Apr | April
May | May
Jun | June
Jul | July
Aug | August
Sep | September
Oct | October
Nov | November
Dec | December

Syslog facility

Syslog facility, usually used to control which log file the syslog is written to.

Tag | Description
KERN | Kernel messages
USER | User level messages
MAIL | Mail system
DAEMON | System daemons
AUTH | Security/auth
SYSLOG | Internal to syslogd
LPR | Printer
NEWS | News
UUCP | UUCP
CRON | Cron daemon
AUTHPRIV | Private security/auth
FTP | File transfer
12 | Unused
13 | Unused
14 | Unused
15 | Unused
LOCAL0 | Local 0
LOCAL1 | Local 1
LOCAL2 | Local 2
LOCAL3 | Local 3
LOCAL4 | Local 4
LOCAL5 | Local 5
LOCAL6 | Local 6
LOCAL7 | Local 7

Syslog severity

Log severity - different loggable events log at different levels.

Tag | Description
EMERG | System is unstable
ALERT | Action must be taken immediately
CRIT | Critical conditions
ERR | Error conditions
WARNING | Warning conditions
NOTICE | Normal but significant events
INFO | Informational
DEBUG | Debug level messages
NO-LOGGING | No logging

User login level

User login level - commands available are restricted according to assigned level.

Tag | Description
NOBODY | Unknown or not logged in user
GUEST | Guest user
USER | Normal unprivileged user
ADMIN | System administrator
DEBUG | System debugger

Type of access user has to config

Tag | Description
none | No access unless explicitly listed
view | View only access (no passwords)
read | Read only access (with passwords)
full | Full view and edit access

Type of s/w auto load

Tag | Description
false | Do not auto load
factory | Load factory releases
beta | Load beta test releases
alpha | Load test releases

Basic types

Type | Description
ses-id | [unsignedShort] Local session ID (1-65535)
tun-id | [unsignedShort] Local tunnel ID (1-20000)
dates | [datenum] Set of dates
routetableset | [routetable] Set of routetables
protolist | [unsignedByte] List of IP protocols
portlist | [PortRange] List of protocol port ranges
prefix4list | [IP4Prefix] List of IPv4 Prefixes
userlist | [username] List of user names
iprangelist | [IPRange] List of IPranges
bgp-prefix-limit | [unsignedInt] Maximum prefixes accepted on BGP session (1-1000)
filterlist | [IPFilter] List of IP Prefix filters
communitylist | [Community] List of BGP communities
unsignedIntList | [unsignedInt] List of integers
aslist | [unsignedIntList] List of AS numbers
prefixlist | [IPPrefix] List of IP Prefixes
cug | [unsignedShort] CUG ID (1-32767)
ip4list | [IP4Addr] List of IPv4 addresses
macprefix | [hexBinary] MAC prefix
macprefixlist | [macprefix] List of strings
ip4rangelist | [IP4Range] List of IP4ranges
vlan | [unsignedShort] VLAN ID (0=untagged) (0-4095)
mtu | [unsignedShort] Max transmission unit (576-1600)
ip6list | [IP6Addr] List of IPv6 addresses
ra-min | [unsignedShort] Route announcement min interval (seconds) (3-1350)
ra-max | [unsignedShort] Route announcement max interval (seconds) (4-1800)
subnetlist | [IPSubnet] List of subnets
iplist | [IPAddr] List of IP addresses
stringlist | [string] List of strings
datenum | [unsignedByte] Day number in month (1-31)
ipnamelist | [IPNameAddr] List of IP addresses or domain names
routetable | [unsignedByte] Route table number (0-99)
ipnamerangelist | [IPNameRange] List of IPranges or ip groups
username | [string] Login name
Secret | Secret/passphrase
Colour | #rgb #rrggbb #rgba #rrggbbaa colour
PortRange | xxx-xxx port range
Community | xxx:xxx community
Password | Password
IPFilter | Route filter
IPSubnet | IP address / bitlen
IP4Prefix | IPv4 address / bitlen
IP4Range | IPv4 address / bitlen or range
IPNameRange | IP address / bitlen or range or name
IPRange | IP address / bitlen or range
IPPrefix | IP address / bitlen
IP6Addr | IPv6 address
IP4Addr | IPv4 address
IPNameAddr | IP address or name
IPAddr | IP address
void | Internal use
time | HH:MM:SS time
dateTime | YYYY-MM-DDTHH:MM:SS date/time
duration | Period
boolean | Boolean
unsignedByte | unsigned byte integer (0-255)
byte | byte integer (-128-127)
unsignedShort | unsigned short integer (0-65535)
unsignedInt | unsigned integer (0-4294967295)
integer | integer (-2147483648-2147483647)
hexBinary | hex coded binary data
string | text string