K.2. Objects

K.2.1. system: System settings

The system settings are the top level attributes of the system which apply globally.

Table K.3. system: Attributes

Attribute | Type | Default | Description
acme-directory | string | https://acme-v02.api.letsencrypt.org/directory | ACME server directory
acme-hostname | List of string | - | Public hostname(s) for FireBrick for HTTPS
acme-keygen | boolean | true | Automatically obtain private keys as needed
acme-profile | NMTOKEN | - | Profile for when to do ACME renewals
acme-renew | positiveInteger | 30 | Renewal before expiry (days)
acme-source-ip | IP46Addr | - | Source IP for ACME renewal
acme-terms-agreed-email | string | - | Put your email if you agree CA terms
auto-backup-url | string | - | URL to http POST after config changed
comment | string | - | Comment
contact | string | - | Contact name
email | string | - | Contact email
eth-rx-batch | unsignedInt | 20 | Max packets serviced on one port before rechecking other port for idle
eth-rx-qsize | unsignedInt | 2000 | Size of eth driver Rx queue
eth-tx-qsize | unsignedInt | 2000 | Size of eth driver Tx queue
intro | string | - | Home page text
lacp-hot-standby | lacp-hot-standby | nosync | Allow LACP to use hot standby
location | string | - | Location description
log | NMTOKEN | Web/console | Log system events
log-acme | NMTOKEN | - | Log ACME
log-acme-debug | NMTOKEN | - | Log ACME debug
log-acme-error | NMTOKEN | - | Log ACME errors
log-config | NMTOKEN | Web/Flash/console | Log config load
log-debug | NMTOKEN | Not logging | Log system debug messages
log-diagnostic | NMTOKEN | Not logging | Log system diagnostic messages
log-error | NMTOKEN | Web/Flash/console | Log system errors
log-eth | NMTOKEN | Web/console | Log Ethernet messages
log-eth-debug | NMTOKEN | Not logging | Log Ethernet debug
log-eth-error | NMTOKEN | Web/Flash/console | Log Ethernet errors
log-ppp-dump | ppp-dump | - | PPP dump format
log-route-nexthop | NMTOKEN | Not logged | Log next hop changes
log-stats | NMTOKEN | Not logging | Log one second stats
log-support | NMTOKEN | Web logs | Log support messages (e.g. stack trace)
log-tcp-debug | NMTOKEN | Not logging | Log TCP/TLS debug messages
login-intro | string | - | Login page text
name | string | - | System hostname
panic-stack-bytes | unsignedInt | 0 | Stack context for certain panics (bytes)
pre-reboot-url | string | - | URL to GET prior to s/w reboot (typically to warn nagios)
source | string | - | Source of data, used in automated config management
spoof-mac | (hexBinary) macspoof | - | Spoof MAC base address - use with caution!
sw-update | autoloadtype | false | Load new software automatically
sw-update-delay | (unsignedByte 0-30) fb-sw-update-delay | 0 | Number of days after release to wait before automatically upgrading
sw-update-profile | NMTOKEN | - | Profile name for when to load new s/w
table | (unsignedByte 0-99) routetable | 0 | Routing table number for system functions (s/w updates, etc)
tcp-stealth | boolean | false | Ignore (as opposed to reject) TCP to the FireBrick itself that isn't accepted

Table K.4. system: Elements

Element | Type | Instances | Description
link | link | Optional, unlimited | Intro links

K.2.2. link: Web links

Links to other web pages

Table K.5. link: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
level | user-level | GUEST | Login level required
name | string | - | Link name
profile | NMTOKEN | - | Profile name
same-tab | boolean | false | Open in same tab
source | string | - | Source of data, used in automated config management
text | string | - | Link text
url | string | - | Link address

K.2.3. routing-table: Default source IP for services using a given table

Default source IP for traffic originated by this FireBrick

Table K.6. routing-table: Attributes

Attribute | Type | Default | Description
name | string | - | Name
source-ip | IP46Addr | - | Default source IP for services
table | (unsignedByte 0-99) routetable | Not optional | Routing table number

K.2.4. user: Admin users

User names, passwords and abilities for admin users

Table K.7. user: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses
comment | string | - | Comment
config | config-access | full | Config access level
full-name | string | - | Full name
level | user-level | ADMIN | Login level
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logged | Log events
name | (NMTOKEN) username | Not optional | User name
otp-seed | OTP | - | OTP seed (do not edit by hand)
password | Password | Not optional | User password
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in, not recommended)

K.2.5. eap: User access controlled by EAP

Identities, passwords and access methods for access controlled with EAP

Table K.8. eap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
full-name | string | - | Full name
methods | Set of eap-method | Not optional | Allowed methods
name | string | Not optional | User or account name
password | Secret | Not optional | User password
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
subsystem | eap-subsystem | Not optional | Access controlled subsystem

K.2.6. log: Log target controls

Named logging target

Table K.9. log: Attributes

Attribute | Type | Default | Description
colour | Colour | - | Colour used in web display
comment | string | - | Comment
console | boolean | - | Log immediately to console
flash | boolean | - | Log immediately to slow flash memory (use with care)
jtag | boolean | - | Log immediately to JTAG (development use only)
name | NMTOKEN | Not optional | Log target name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
system | boolean | - | Include system logs on web/cli view

Table K.10. log: Elements

Element | Type | Instances | Description
email | log-email | Optional, unlimited | Email settings
syslog | log-syslog | Optional, unlimited | Syslog settings

K.2.7. log-syslog: Syslog logger settings

Logging to a syslog server

Table K.11. log-syslog: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
facility | syslog-facility | LOCAL0 | Facility setting
port | unsignedShort | 514 | Server port
profile | NMTOKEN | - | Profile name
server | IPNameAddr | Not optional | Syslog server
severity | syslog-severity | NOTICE | Severity setting
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Use specific source IP
system-logs | boolean | - | Include generic system log messages as well
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs

K.2.8. log-email: Email logger settings

Logging to email

Table K.12. log-email: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
delay | duration | 1:00 | Delay before sending, since first event to send
from | string | One made up using serial number | Source email address
hold-off | duration | 1:00:00 | Delay before sending, since last email
log | NMTOKEN | Not logging | Log emailing process
log-debug | NMTOKEN | Not logging | Log emailing debug
log-error | NMTOKEN | Not logging | Log emailing errors
port | unsignedShort | 25 | Server port
profile | NMTOKEN | - | Profile name
retry | duration | 10:00 | Delay before sending, since failed send
server | IPNameAddr | - | Smart host to use rather than MX
source | string | - | Source of data, used in automated config management
subject | string | From first line being logged | Subject
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email
to | string | Not optional | Target email address

K.2.9. services: System services

System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.

Table K.13. services: Elements

Element | Type | Instances | Description
dns | dns-service | Optional | DNS service settings
http | http-service | Optional | Web server settings
radius | radius-service | Optional | RADIUS server/proxy settings
snmp | snmp-service | Optional | SNMP server settings
telnet | telnet-service | Optional | Telnet server settings
time | time-service | Optional | System time server settings

K.2.10. http-service: Web service settings

Web management pages

Table K.14. http-service: Attributes

Attribute | Type | Default | Description
access-control-allow-origin | string | - | Additional HTTP header
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
allow-acme | boolean | true | Allow limited port 80 HTTP access for ACME during renewal
banner-background | Colour | #bd1220 | Override default colours
certlist | List of NMTOKEN | use any suitable | Certificate(s) to be used for HTTPS sessions
comment | string | - | Comment
config-boxes | Colour | from banner | Config editor colours
content-security-policy | string | - | Additional HTTP header
css-url | string | - | Additional CSS for web control pages
highlight-text | Colour | from banner | Override default colours
https-port | unsignedShort | 443 | Service port for HTTPS access
js-url | string | - | Additional javascript for web control pages (logged in/trusted-ip)
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-client | NMTOKEN | Not logging | Log client accesses
log-client-debug | NMTOKEN | Not logging | Log client accesses (debug)
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mode | http-mode | redirect-to-https-if-acme | Security mode
port | unsignedShort | 80 | Service port for HTTP access
referrer-policy | string | no-referrer | Additional HTTP header
self-sign | boolean | true | Create self signed certificate for HTTPS when necessary
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available
x-content-type-options | string | nosniff | Additional HTTP header
x-frame-options | string | SAMEORIGIN | Additional HTTP header
x-xss-protection | string | 1; mode=block | Additional HTTP header

K.2.11. dns-service: DNS service settings

DNS forwarding resolver service

Table K.15. dns-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain
auto-dhcp-new | string | - | Name to use for last new DHCP allocation (since last reboot)
caching | boolean | true | Cache relayed DNS entries locally
comment | string | - | Comment
domain | string | - | Our domain
fallback | boolean | true | For incoming requests, if no server in required table, relay to any DNS available
fallback-table | (unsignedByte 0-99) routetable | Don't fallback | For incoming requests, if no server in requesting table, relay to any DNS available in this table
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
log-interface | List of NMTOKEN | All interfaces | Only do normal log for specific interface(s)
resolvers | List of IPAddr | - | Recursive DNS resolvers to use
resolvers-table | (unsignedByte 0-99) routetable | as table / 0 | Routing table for specified resolvers
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service

Table K.16. dns-service: Elements

Element | Type | Instances | Description
block | dns-block | Optional, unlimited | Fixed local DNS host blocks
host | dns-host | Optional, unlimited | Fixed local DNS host entries

K.2.12. dns-host: Fixed local DNS host settings

DNS forwarding resolver service

Table K.17. dns-host: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted)
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | NMTOKEN | - | Profile name
restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s)
restrict-to | List of IPNameRange | - | List of IP ranges to which this is served
reverse | boolean | - | Map reverse DNS as well
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | any | Routing table applicable
ttl | unsignedInt | 60 | Time to live

K.2.13. dns-block: Fixed local DNS blocks

DNS forwarding resolver service

Table K.18. dns-block: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | NMTOKEN | - | Profile name
restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s)
restrict-to | List of IPNameRange | - | List of IP ranges to which this is served
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | any | Routing table applicable
ttl | unsignedInt | 60 | Time to live

K.2.14. radius-service: RADIUS service definition

RADIUS server and proxy definitions

Table K.19. radius-service: Attributes

Attribute | Type | Default | Description
acct-port | unsignedShort | 1813 | Accounting UDP port
allow | List of IPNameRange | - | Allowed source IP address of RADIUS request
aruba-vlan | (unsignedShort 0-4095) vlan | Don't send | Aruba VLAN
auth-port | unsignedShort | 1812 | Authentication UDP port
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
class | string | - | Class field to send
comment | string | - | Comment
control-port | unsignedShort | 3799 | Control UDP port (CoA/DM)
dummy-ip | boolean | true | Send dummy framed IP response
erx-egress-policy-name | string | - | Juniper attribute 11
erx-ingress-policy-name | string | - | Juniper attribute 10
erx-tunnel-switch-profile | string | - | Juniper attribute 91
erx-tunnel-virtual-router | string | - | Juniper attribute 8
erx-virtual-router-name | string | - | Juniper attribute 1 (Also SIN502 Context-Name)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | - | Log debug
log-error | NMTOKEN | Log as event | Log errors
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | NMTOKEN | - | Profile name
reject | boolean | - | Reject request (rarely what you want)
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
tagged | boolean | - | Tag all attributes that support tagging
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP

Table K.20. radius-service: Elements

Element | Type | Instances | Description
match | radius-service-match | Optional, unlimited | Matching rules for specific responses
server | radius-server | Optional, unlimited | RADIUS server settings

K.2.15. radius-service-match: Matching rules for RADIUS service

Rules for matching incoming RADIUS requests

Table K.21. radius-service-match: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Allowed source IP address of RADIUS request
ap-group | List of string | - | One or more patterns to match AP Group
aruba-vlan | (unsignedShort 0-4095) vlan | Don't send | Aruba VLAN
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
called-station-id | List of string | - | One or more patterns to match called-station-id
calling-station-id | List of string | - | One or more patterns to match calling-station-id
class | string | - | Class field to send
comment | string | - | Comment
device-type | List of string | - | One or more patterns to match Device Type
dummy-ip | boolean | true | Send dummy framed IP response
erx-egress-policy-name | string | - | Juniper attribute 11
erx-ingress-policy-name | string | - | Juniper attribute 10
erx-tunnel-switch-profile | string | - | Juniper attribute 91
erx-tunnel-virtual-router | string | - | Juniper attribute 8
erx-virtual-router-name | string | - | Juniper attribute 1 (Also SIN502 Context-Name)
essid-name | List of string | - | One or more patterns to match ESSID Name
ip | List of IPNameRange | - | Match target IP address of RADIUS request
location-id | List of string | - | One or more patterns to match Location ID
log | NMTOKEN | Not logging | Log events matching this
mac-local | boolean | - | Match only local or non local MAC addresses if username is a MAC
name | string | - | Name
nas-ip | List of IPNameRange | - | Match NAS-IP address in RADIUS request
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | NMTOKEN | - | Profile name
reject | boolean | - | Reject request (rarely what you want)
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
stop | boolean | true | Stop checking if this matches
tagged | boolean | - | Tag all attributes that support tagging
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP
username | List of string | - | One or more patterns to match username

K.2.16. radius-server: RADIUS server settings

Server settings for outgoing RADIUS

Table K.22. radius-server: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Must match host | Allowed control request source IPs instead of host check
comment | string | - | Comment
host | List of IPNameAddr | Not optional | One or more hostname/IPs of RADIUS servers
max-timeout | duration | 10 | Maximum final timeout
min-timeout | duration | 2 | Minimum final timeout
name | string | - | Name
port | unsignedShort | From services/radius settings | UDP port
profile | NMTOKEN | - | Profile name
queue | unsignedInt | - | Concurrent requests over all of these servers (per type)
scale-timeout | unsignedByte | 2 | Timeout scaling factor
secret | Secret | Not optional | Shared secret for RADIUS requests
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Fix source IP
table | (unsignedByte 0-99) routetable | - | Routing table number
type | Set of radiustype | All | Server type

K.2.17. telnet-service: Telnet service settings

Telnet control interface

Table K.23. telnet-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 23 | Service port
prompt | string | system name | Prompt
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service

K.2.18. snmp-service: SNMP service settings

The SNMP service has general service settings and also specific attributes for SNMP, such as the community string.

Table K.24. snmp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
community | Secret | public | Community string
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 161 | Service port
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service

K.2.19. time-service: System time server settings

The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time). The defaults are those that apply to the EU.

Table K.25. time-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
legacy-timeserver | boolean | false | Serve legacy TIME service on UDP port 37
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
maxpoll | duration | 1024 | NTP maximum poll rate
minpoll | duration | 64 | NTP minimum poll rate
ntp-control-allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which control (ntpq) requests can be accessed
ntp-control-local-only | boolean | true | Restrict control (ntpq) access to locally connected Ethernet subnets only
ntp-control-table | (unsignedByte 0-99) routetable | All | Routing table number for incoming control (ntpq) requests
ntp-peer-table | (unsignedByte 0-99) routetable | 0 | Routing table number used for outgoing ntp peer requests
ntp-servers | List of IPNameAddr | ntp.firebrick.ltd.uk | List of NTP time servers (IP or hostname) from which time may be synchronized and served by ntp (Null list disables NTP)
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | All | Routing table number for access to service
tz1-name | string | GMT | Timezone 1 name
tz1-offset | duration | 0 | Timezone 1 offset from UTC
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month
tz12-day | day | Sun | Timezone 1 to 2 day of week of change
tz12-month | month | Mar | Timezone 1 to 2 month
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change
tz2-name | string | BST | Timezone 2 name
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month
tz21-day | day | Sun | Timezone 2 to 1 day of week of change
tz21-month | month | Oct | Timezone 2 to 1 month
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change

K.2.20. ethernet: Physical port controls

Physical port attributes

Table K.26. ethernet: Attributes

Attribute | Type | Default | Description
autoneg | boolean | true | Perform link auto-negotiation
clocking | LinkClock | prefer-slave | Gigabit clock setting
crossover | Crossover | auto | Port crossover configuration
flow | LinkFlow | none | Flow control setting
green | LinkLED-g | Link/Activity | Green LED setting
lacp | boolean | Auto | Send LACP packets
lldp | boolean | true | Send LLDP packets
optimise | boolean | true | Enable PHY optimisations
port | port | Not optional | Physical port
power-saving | LinkPower | full | Enable PHY power saving
profile | NMTOKEN | - | Profile name
send-fault | LinkFault | - | Send fault status
yellow | LinkLED-y | Tx | Yellow LED setting

K.2.21. sampling: Packet sampling configuration

Packet sampling configuration

Table K.27. sampling: Attributes

Attribute | Type | Default | Description
agent-ip | IPAddr | use source-ip | IP address used to identify this agent
collector-ip | IPAddr | Not optional | IP address of collector
collector-port | unsignedShort | 6343 for sFlow, 4739 for IPFIX | UDP port which collector listens on
comment | string | - | Comment
mtu | (unsignedShort 576-2000) mtu | 1500 |
name | string | - | Name
profile | NMTOKEN | - | Profile name
protocol | sampling-protocol | sflow | Protocol used to export sampling data
sample-flush | duration | 1 sec for sFlow; 30 for IPFIX | Sample max cache time
sample-rate | (unsignedShort 100-10000) sample-rate | 1000 | Sample rate (uniform random prob 1/N)
snap-length | unsignedShort | 64 | Packet header snap length
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Source IP address to use
source-port | unsignedShort | Use collector-port | UDP source port
stats-interval | duration | 60 | Stats export interval
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sample data
template-refresh | duration | 600 | Template resend interval

K.2.22. portdef: Port grouping and naming

Port grouping and naming

Table K.28. portdef: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | NMTOKEN | Not optional | Name
ports | Set of port | Not optional | Physical port(s)
source | string | - | Source of data, used in automated config management
trunk | trunk-mode | l2-hash | Trunk ports

K.2.23. interface: Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

Table K.29. interface: Attributes

Attribute | Type | Default | Description
allow-6in4 | boolean | false | Handle 6in4 (protocol 41) packets
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
dhcp-relay | IP4Addr | - | Relay any unresolved requests to external server
fast-l2tp | boolean | - | Set on interfaces that are mainly terminating L2TP traffic
graph | (token) graphname | - | Graph name
link | NMTOKEN | - | Interface to which this is linked at layer 2
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-dhcp | NMTOKEN | Not logging | Log DHCP events not related to a pool
log-error | NMTOKEN | Log as event | Log errors
mac-suffix | (hexBinary) macsuffix | - | Interface MAC ends with this hex value
mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for this interface
name | NMTOKEN | - | Name
pd | boolean | If not WAN and no ra-subnet-templates and no ra subnets | Available for IPv6 prefix delegation
ping | IPAddr | - | Ping address to add loss/latency to graph for interface
port | NMTOKEN | Not optional | Port group name
profile | NMTOKEN | - | Profile name
restrict-mac | boolean | - | Use only one MAC on this interface
sampling | sampling-mode | off | Perform sampling
source | string | - | Source of data, used in automated config management
source-filter | sfoption | - | Source filter traffic received via this interface
source-filter-table | (unsignedByte 0-99) routetable | interface table | Routing table to use for source filtering checks
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)
wan | boolean | - | Do not consider this interface 'local' for 'local-only' checks

Table K.30. interface: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
ra-subnet-template | subnet-template | Optional, unlimited | Subnet options for RA client
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings

K.2.24. subnet: Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

Table K.31. subnet: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by DHCP
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND
bgp | bgpmode | Auto | BGP announce mode for routes
broadcast | boolean | false | If broadcast address allowed
comment | string | - | Comment
dhcp-class | string | FB-type | DHCP client option 60 (Class)
dhcp-client-id | string | MAC | DHCP client option 61 (Client-Identifier)
gateway | List of IPAddr | - | One or more gateways to install
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins)
mac-suffix | (hexBinary) macsuffix | - | Subnet MAC ends with this hex value
mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet
name | string | - | Name
profile | NMTOKEN | - | Profile name
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing
ra | ramode | false | If to announce IPv6 RA for this subnet
ra-autonomous | boolean | If managed not set | RA 'A' (autonomous) flag
ra-dns | List of IP6Addr | Our IP | List of recursive DNS servers in route announcements
ra-dnssl | List of string | - | List of DNS search domains in route announcements
ra-managed | boolean | - | RA 'M' (managed) flag
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval
ra-min | (unsignedShort 3-1350) ra-min | ra-max/3 | Min RA send interval
ra-mtu | unsignedShort | As subnet | MTU to use on RA
ra-onlink | boolean | true | RA 'L' (onlink) flag
ra-other | boolean | - | RA 'O' (other) flag
ra-profile | NMTOKEN | - | Profile, if inactive then forces low priority RA
simple-dhcpv6 | boolean | - | Simple DHCPv6 server (fixed addresses)
source | string | - | Source of data, used in automated config management
test | IPAddr | - | Test link state using ARP/ND for this IP
ttl | unsignedByte | 64 | TTL for originating traffic via subnet

K.2.25. subnet-template: Subnet option templates for RA

Table K.32. subnet-template: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | True if not set elsewhere | Accept DNS servers specified by DHCP/SLAAC
comment | string | - | Comment
gateway-match | List of IPNameRange | Any IP | Apply only to received RAs with a gateway in these IPs
name | string | - | Name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management

K.2.26. vrrp: VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP, but forces VRRP to low priority.

Table K.33. vrrp: Attributes

Attribute | Type | Default | Description
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master
comment | string | - | Comment
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal
interval | unsignedShort | 100 | Transit interval (centiseconds)
ip | List of IPAddr | Not optional | One or more IP addresses to announce
log | NMTOKEN | Not logging | Log events
log-error | NMTOKEN | Log as event | Log errors
low-priority | unsignedByte | 1 | Lower priority applicable until routing established
name | NMTOKEN | - | Name
preempt | boolean | true | Whether pre-empt allowed
priority | unsignedByte | 100 | Normal priority
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3
vrid | unsignedByte | 42 | VRID

K.2.27. dhcps: DHCP server settings

Settings for DHCP server

Table K.34. dhcps: Attributes

Attribute | Type | Default | Description
boot | IP4Addr | - | Next/boot server
boot-file | string | - | Boot filename
broadcast | boolean | - | Broadcast replies even if not requested
circuit | string | - | Agent info circuit match
class | string | - | Vendor class match
client-name | string | - | Client name match
comment | string | - | Comment
dns | List of IP4Addr | Our IP | DNS resolvers
domain | string | From system settings | DNS domain
domain-search | string | - | DNS domain search list (list will be truncated to fit one attribute)
force | boolean | - | Send all options even if not requested
gateway | IP4Subnet | Our IP | Gateway
graph-prefix | string | - | Prefix to use for allocation auto graphs
ip | List of IP4Range | 0.0.0.0/0 | Address pool
lease | duration | 2:00:00 | Lease length
log | NMTOKEN | Not logging | Log events
log-decline | NMTOKEN | Not logging | Log events (declined)
log-move | NMTOKEN | Not logging | Log events (moved)
log-new | NMTOKEN | Not logging | Log events (new)
log-release | NMTOKEN | Not logging | Log events (released)
log-renew | NMTOKEN | Not logging | Log events (renewed)
log-reuse | NMTOKEN | Not logging | Log events (reused)
mac | List up to 12 (hexBinary) macprefix | - | Partial or full client hardware (MAC) addresses (or client-id MAC if specified)
mac-local | boolean | - | Match only local or non local MAC addresses
name | string | - | Name
ntp | List of IP4Addr | Our IP | NTP server
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
syslog | List of IP4Addr | - | Syslog server
time | List of IP4Addr | Our IP | Time server

Table K.35. dhcps: Elements

Element | Type | Instances | Description
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex)
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP)
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric)
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string)

K.2.28. dhcp-attr-hex: DHCP server attributes (hex)

Additional DHCP server attributes (hex)

Table K.36. dhcp-attr-hex: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | hexBinary | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

K.2.29. dhcp-attr-string: DHCP server attributes (string)

Additional DHCP server attributes (string)

Table K.37. dhcp-attr-string: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | string | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

K.2.30. dhcp-attr-number: DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

Table K.38. dhcp-attr-number: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | unsignedInt | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

K.2.31. dhcp-attr-ip: DHCP server attributes (IP)

Additional DHCP server attributes (IP)

Table K.39. dhcp-attr-ip: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | IP4Addr | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

K.2.32. pppoe: PPPoE settings

PPPoE endpoint settings

Table K.40. pppoe: Attributes

Attribute | Type | Default | Description
ac-name | string | Any a/c name as client, else same as 'name' | Access concentrator name
accept-dns | boolean | true | Accept DNS servers specified by far end
auto-percent | unsignedByte | N/A | Try to set egress based on connect message, percentage
bgp | bgpmode | Auto | BGP announce mode for routes
calling-id | pppoe-calling | - | Add mac and/or vlan(s) after prefix
calling-prefix | string | - | Prefix on calling number (BRAS mode)
calling-suffix | pppoe-calling-suffix | - | Override the calling suffix
comment | string | - | Comment
cug | (unsignedShort 1-32767) cug | - | Closed user group ID
cug-restrict | boolean | - | Closed user group restricted traffic (only to/from same CUG ID)
eth | port | - | Physical port connected to modem (for port reset)
fast-retry | boolean | - | Aggressive re-connect
graph | (token) graphname | - | Graph name
incoming-profile | NMTOKEN | - | Profile for responding to PADIs
incoming-vlans | List of (unsignedShort 0-4095) vlan | - | VLAN IDs to accept connections on
ip-over-lcp | boolean | auto | Sends all IP packets as LCP
lcp-rate | unsignedByte | 10 | LCP interval (seconds)
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds)
local | IP4Addr | - | Local IPv4 address
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Not logging | Log as events
mac-suffix | (hexBinary) macsuffix | - | MAC ends with this hex value
mode | pppoe-mode | client | PPPoE server/client mode
mtu | (unsignedShort 576-2000) mtu | 1492 | MTU for link
name | NMTOKEN | - | Name
password | Secret | - | User password
port | NMTOKEN | Not optional | Port group name
profile | NMTOKEN | - | Profile name
remote | IP4Addr | - | Remote IPv4 address
rfc4638 | boolean | If over 1492 MTU | Send RFC4638 PPP-Max-Payload
routes | List of IPPrefix | Default gateway | Routes when link up
service | string | Any service | Service name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | - | Routing table number for payload
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
username | string | - | User name
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)

Table K.41. pppoe: Elements

Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up

K.2.33. ppp-route: PPP routes

Routes that apply when link is up

Table K.42. ppp-route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management

K.2.34. route: Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

Table K.43. route: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
gateway | List of IPAddr | Not optional | One or more target gateway IPs
graph | (token) graphname | - | Graph name
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

K.2.35. network: Locally originated networks

Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but not add routing.

Table K.44. network: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | true | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

K.2.36. blackhole: Dead end networks

Networks that go nowhere

Table K.45. blackhole: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | false | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
no-fib | boolean | - | Route not in forwarding, only for EBGP
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

K.2.37. loopback: Locally originated networks

Loopback addresses define local IP addresses

Table K.46. loopback: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPAddr | Not optional | One or more local network addresses
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | NMTOKEN | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tag | List of Community | - | List of community tags

K.2.38. namedbgpmap: Mapping and filtering rules of BGP prefixes

This defines a set of named rules for mapping and filtering of prefixes to/from a BGP peer.

Table K.47. namedbgpmap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | NMTOKEN | Not optional | Name
source | string | - | Source of data, used in automated config management

Table K.48. namedbgpmap: Elements

Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

K.2.39. bgprule: Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

Table K.49. bgprule: Attributes

Attribute | Type | Default | Description
as-origin | unsignedInt | - | AS that must be last in path to match
as-present | unsignedInt | - | AS that must be present in path to match
comment | string | - | Comment
community | Community | - | Community that must be present to match
detag | List of Community | - | List of community tags to remove
drop | boolean | - | Do not import/export this prefix
localpref | unsignedInt | - | Set localpref (highest wins)
med | unsignedInt | - | Set MED
name | string | - | Name
no-community | Community | - | Community that must not be present to match
pad | unsignedByte | - | Pad (prefix stuff) our AS on export by this many, can be zero to not send our AS
prefix | List of IPFilter | - | Prefixes that this rule applies to
source | string | - | Source of data, used in automated config management
tag | List of Community | - | List of community tags to add

K.2.40. bgp: Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

Table K.50. bgp: Attributes

Attribute | Type | Default | Description
as | unsignedInt | - | Our AS
blackhole-community | Community | - | Community tag to mark black hole routes
cluster-id | IP4Addr | - | Our cluster ID
comment | string | - | Comment
dead-end-community | Community | - | Community tag to mark dead end routes
greyhole-community | Community | - | Community tag to mark black hole routes with no-fib
id | IP4Addr | - | Our router ID
log | NMTOKEN | Not logging | Log events
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

Table K.51. bgp: Elements

Element | Type | Instances | Description
peer | bgppeer | Optional, up to 500 | List of peers/neighbours

K.2.41. bgppeer: BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.

Table K.52. bgppeer: Attributes

Attribute | Type | Default | Description
add-own-as | boolean | - | Add our AS on exported routes
allow-export | boolean | true for customer | Ignore no-export community and export anyway
allow-only-their-as | boolean | - | Only accept routes that are solely the peer's AS
allow-own-as | boolean | - | Allow our AS inbound
as | unsignedInt | - | Peer AS
blackhole-community | Community | Not announced on EBGP, our blackhole-community if IBGP | Egress community tag to mark black hole routes
capability-as4 | boolean | true | If supporting AS4
capability-graceful-restart | boolean | true | If supporting Graceful Restart
capability-mpe-ipv4 | boolean | true | If supporting MPE for IPv4
capability-mpe-ipv6 | boolean | true | If supporting MPE for IPv6
capability-route-refresh | boolean | true | If supporting Route Refresh
clean-shutdown-wait | duration | - | Resend routes at low priority when +ve, withdraw routes when -ve and delay for the absolute value on shutdown
clean-startup-wait | duration | - | Don't announce routes within this time of reboot
comment | string | - | Comment
drop-default | boolean | false | Ignore default route received
export-filters | List of NMTOKEN | - | Named export filters to apply
export-med | unsignedInt | - | Set MED on exported routes (unless export filter sets it)
holdtime | unsignedInt | 30 | Hold time
ignore-bad-optional-partial | boolean | true | Ignore routes with a recognised badly formed optional that is flagged partial
import-filters | List of NMTOKEN | - | Named import filters to apply
import-localpref | unsignedInt | - | Set localpref on imported routes (unless import filter sets it)
import-tag | List of Community | - | List of community tags to add in addition to any import filters
in-soft | boolean | - | Mark received routes as soft
ip | List of IPAddr | - | One or more IPs of neighbours (omit to allow incoming)
log-debug | NMTOKEN | Not logging | Log debug
max-prefix | unsignedInt | - | Limit prefixes (IPv4+IPv6)
md5 | Secret | - | MD5 signing secret
name | string | - | Name
next-hop-self | boolean | false | Force us as next hop outbound
no-fib | boolean | - | Don't include received routes in packet forwarding
pad | unsignedByte | - | Pad (prefix stuff) our AS on export by this many
profile | NMTOKEN | - | Profile name
reduce-recursion | boolean | false | Override incoming next hop if not local subnet
restart-time | unsignedShort | - | Time to tell other end to expect us to take to restart (defaults to holdtime)
same-ip-type | boolean | true | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers
send-default | boolean | false | Send a default route to this peer
send-no-routes | boolean | false | Don't send any normal routes
source | string | - | Source of data, used in automated config management
timer-idle | unsignedInt | 60 | Idle time after error
timer-openwait | unsignedInt | 10 | Time to wait for OPEN on connection
timer-retry | unsignedInt | 10 | Time to retry the neighbour
ttl-security | byte | - | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking.
type | peertype | normal | Type of neighbour (affects some defaults)
use-vrrp-as-self | boolean | true if customer/transit type | Use VRRP address as self if possible

Table K.53. bgppeer: Elements

Element | Type | Instances | Description
export | bgpmap | Optional | Mapping and filtering rules of announcing prefixes to peer
import | bgpmap | Optional | Mapping and filtering rules of accepting prefixes from peer

K.2.42. bgpmap: Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

Table K.54. bgpmap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
detag | List of Community | - | List of community tags to remove
drop | boolean | - | Do not import/export this prefix
localpref | unsignedInt | - | Set localpref (highest wins)
med | unsignedInt | - | Set MED
prefix | List of IPFilter | - | Drop all that are not in this prefix list
source | string | - | Source of data, used in automated config management
tag | List of Community | - | List of community tags to add

Table K.55. bgpmap: Elements

Element | Type | Instances | Description
match | bgprule | Optional, unlimited | List rules, in order of checking

K.2.43. cqm: Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.

Table K.56. cqm: Attributes

Attribute | Type | Default | Description
auto-refresh-list | boolean | true | Auto refresh graph list pages (for trusted IPs)
ave | Colour | #08f | Colour for average latency
axis | Colour | black | Axis colour
background | Colour | white | Background colour
bottom | unsignedByte | 11 | Pixels space at bottom of graph
dateformat | string | %Y-%m-%d | Date format
dayformat | string | %a | Day format
fail | Colour | red | Colour for failed (dropped) seconds
fail-level | unsignedInt | 1 | Fail level not expected on low usage
fail-level1 | unsignedByte | 3 | Loss level 1
fail-level2 | unsignedByte | 50 | Loss level 2
fail-score | unsignedByte | 200 | Score for fail and low usage
fail-score1 | unsignedByte | 100 | Score for on/above level 1
fail-score2 | unsignedByte | 200 | Score for on/above level 2
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected
fblogo | Colour | #bd1220 | Colour for logo
graticule | Colour | grey | Graticule colour
heading | string | - | Heading of graph
hourformat | string | %H | Hour format
key | unsignedByte | 90 | Pixels space for key
label-ave | string | Ave | Label for average latency
label-damp | string | Damp% | Label for % shaper damping
label-fail | string | %Fail | Label for seconds (%) failed
label-latency | string | Latency | Label for latency
label-max | string | Max | Label for maximum latency
label-min | string | Min | Label for minimum latency
label-off | string | Off | Label for off line seconds
label-period | string | Period | Label for period
label-poll | string | Polls | Label for polls
label-rej | string | %Reject | Label for rejected seconds
label-rx | string | Rx | Label for Rx traffic level
label-score | string | Score | Label for score
label-sent | string | Sent | Label for seconds polled
label-shaper | string | Shaper | Label for shaper
label-time | string | Time | Label for time
label-traffic | string | Traffic (bit/s) | Label for traffic level
label-tx | string | Tx | Label for Tx traffic level
latency-level | unsignedInt | 100000000 | Latency level not expected on low usage
latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns)
latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns)
latency-score | unsignedByte | 200 | Score for high latency and low usage
latency-score1 | unsignedByte | 10 | Score for on/above level 1
latency-score2 | unsignedByte | 20 | Score for on/above level 2
latency-usage | unsignedInt | 128000 | Usage below which latency is not expected
left | unsignedByte | 0 | Pixels space left of main graph
log | NMTOKEN | Not logging | Log events
marker-width | string | - | Stroke width for marker (+) on tx/rx (e.g. 4)
max | Colour | green | Colour for maximum latency
min | Colour | #008 | Colour for minimum latency
ms-max | positiveInteger | 500 | ms max height
off | Colour | #c8f | Colour for off line seconds
outside | Colour | transparent | Colour for outer border
pppoe-dos-limit | unsignedInt | 10000 | Per poll tx packet drop limit for DOS protection on PPPoE incoming sessions
rej | Colour | #f8c | Colour for off line seconds
right | unsignedByte | 50 | Pixels space right of main graph
rx | Colour | #800 | Colour for Rx traffic level
secret | Secret | - | Secret for SHA1 coded URLs
sent | Colour | #ff8 | Colour for polled seconds
share-interface | NMTOKEN | - | Interface on which to broadcast data for shaper sharing
share-secret | Secret | - | Secret to validate shaper sharing
stroke-width | string | 4 if no marker | Stroke line for tx/rx
subheading | string | - | Subheading of graph
svg-css | string | - | URL for SVG CSS instead of local style settings
svg-title | boolean | - | Include mouseover title text on svg
text | Colour | black | Colour for text
text1 | string | - | Text line 1
text2 | string | - | Text line 2
text3 | string | - | Text line 3
text4 | string | - | Text line 4
timeformat | string | %Y-%m-%d %H:%M:%S | Time format
top | unsignedByte | 4 | Pixels space at top of graph
tx | Colour | #080 | Colour for Tx traffic level

K.2.44. l2tp: L2TP settings

L2TP settings for incoming L2TP connections

Table K.57. l2tp: Attributes

Attribute | Type | Default | Description
accounting-interval | duration | 1:00:00 | Periodic interim accounting interval
send-acct-delay | boolean | - | Send Acct-Delay as well as Event-Timestamp on accounting

Table K.58. l2tp: Elements

Element | Type | Instances | Description
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections

K.2.45. l2tp-incoming: L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

Table K.59. l2tp-incoming: Attributes

Attribute | Type | Default | Description
advise-speed | unsignedInt | - | Advise clients of their egress rate (may be overridden by RADIUS) (b/s) - This is a FireBrick specific mechanism
allow | List of IPNameRange | - | List of IP ranges from which connects can be made
bgp | bgpmode | Auto | BGP announce mode for routes
comment | string | - | Comment
damping | boolean | false | Apply damping to sessions if limiting on shaper
dhcpv6dns | List of IP6Addr | System DNS resolvers | List of IPv6 DNS servers
dos-limit | unsignedInt | 10000 | Per second per session tx packet drop limit for DOS protection
fail-lockout | unsignedByte | 60 | Interval kept in failed state
graph | string | - | Graph name
hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames
hello-interval | unsignedByte | 60 | Interval between HELLO messages
icmp-ppp | boolean | false | Use PPP endpoint for ICMP
ip6-checksum | boolean | true | Calculate checksum on IPv6 tunnels
ipv6ep | IP4Addr | - | Local end IPv4 for IPv6 tunnels
lcp-data-len | unsignedByte | - | LCP data field length
lcp-mru-fix | boolean | false | Restart LCP if RAS negotiated MRU is too high
lcp-rate | unsignedByte | 1 | LCP interval (seconds)
lcp-timeout | unsignedByte | 10 | LCP timeout (seconds)
local-hostname | string | System name | Hostname quoted on reply
local-ppp-ip | IP4Addr | - | Local end PPP IPv4
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | (unsignedShort 576-2000) mtu | - | Default MTU for sessions in this tunnel
name | string | - | Name
open-timeout | unsignedByte | 60 | Interval before OPEN considered failed
operator-name | string | - | Value to send for Operator-Name AVP
payload-source-ip | IP46Addr | - | IP of our end when originating traffic to LAC
payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic
ppp-final-timeout | unsignedByte | 60 | PPP total timeout (seconds)
ppp-init-timeout | unsignedByte | 10 | PPP initial timeout (seconds)
pppdns1 | IP4Addr | - | PPP DNS1 IPv4 default
pppdns2 | IP4Addr | - | PPP DNS2 IPv4 default
profile | NMTOKEN | - | Profile name
radius | string | - | Name for RADIUS server config to use
radius-nas-ip | radius-nas | lac | Pass remote (LAC) or local (LNS) as RADIUS NAS IP / port
receive-window | unsignedShort | Not sent | Receive window to advise on connection
remote-hostname | string | - | Hostname expected on connection
require-platform | boolean | false | All sessions require a platform RADIUS first
require-radius-acct | boolean | - | Close session if cannot do RADIUS accounting
retry-timeout | unsignedByte | 60 | Interval to retry sending control messages before fail
secret | Secret | - | Shared secret (for far end to check)
session-timeout | duration | - | Default session timeout
shutdown | boolean | false | Refuse all new sessions or tunnels
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | IP of our end for relayed (on same table)
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | Any | Routing table number for L2TP session
tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS

Table K.60. l2tp-incoming: Elements

Element | Type | Instances | Description
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication

K.2.46. l2tp-relay: Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

Table K.61. l2tp-relay: Attributes

Attribute | Type | Default | Description
called-station-id | List of string | - | One or more patterns to match called-station-id
calling-station-id | List of string | - | One or more patterns to match calling-station-id
comment | string | - | Comment
graph | (token) graphname | - | Graph name
group-graph | (token) graphname | - | Secondary graph name
ip-over-lcp | boolean | - | Send IP over LCP (local auth)
lcp-echo-mim | boolean | - | Handle LCP echos in the middle on relayed connection
localpref | unsignedInt | 4294967295 | Localpref for remote-ppp-ip/routes (highest wins)
name | string | - | Name
password | Secret | - | Password check
payload-table | (unsignedByte 0-99) routetable | As per l2tp-incoming | Routing table number for payload traffic (or L2TP relay)
profile | NMTOKEN | - | Profile name
relay-hostname | string | - | Hostname for L2TP connection
relay-ip | List of IPAddr | - | Target IP(s) for L2TP connection
relay-pick | boolean | - | If set, try one of the relay IPs at random first
relay-secret | Secret | - | Shared secret for L2TP connection
remote-netmask | IP4Addr | - | Remote end PPP Netmask (local auth)
remote-ppp-ip | IP4Addr | - | Remote end PPP IPv4 (local auth)
routes | List of IPPrefix | - | Additional routes when link up (local auth)
rx-speed | unsignedInt | - | Send ingress rate (b/s)
source | string | - | Source of data, used in automated config management
tx-speed | unsignedInt | - | Egress rate limit (b/s)
username | List of string | - | One or more patterns to match username

K.2.47. profile: Control profile

General on/off control profile used in various places in the config.

Table K.62. profile: Attributes

Attribute | Type | Default | Description
and | List of NMTOKEN | - | Active if all specified profiles are active as well as all other tests passing, including 'not'
comment | string | - | Comment
control-switch-group | string | - | Heading to use when grouping in UI
control-switch-locks | boolean | false | Control switch requires unlock before use.
control-switch-users | List of NMTOKEN | Any users | Restrict users that have access to control switch
dhcp | List of IPNameAddr | - | Test passes if any specified addresses are active in DHCP
expect | boolean | none | Defines state considered 'Good' and shown green on status page
initial | boolean | true | Defines state at system startup (unless set), or new config, where not known/fixed
interval | duration | 1 | Time between tests
invert | boolean | - | Invert final result of testing
log | NMTOKEN | Not logging | Log target
log-debug | NMTOKEN | Not logging | Log additional information
name | NMTOKEN | Not optional | Profile name
not | NMTOKEN | - | Active if specified profile is inactive as well as all other tests passing, including 'and'
or | List of NMTOKEN | - | Active if any of these other profiles are active regardless of other tests (including 'not' or 'and')
ports | Set of port | - | Test passes if any of these physical ports are up
ppp | List of NMTOKEN | - | PPP link state (any of these are up)
recover | duration | 1 | Time before recover (i.e. how long test has been passing)
route | List of IPAddr | - | Test passes if all specified addresses are routeable
set | switch | - | Manual override. Test settings ignored; Control switches can use and/or/not/invert
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | - | Routing table for ping/route/dhcp
timeout | duration | 10 | Time before timeout (i.e. how long test has been failing)
uptime | unsignedShort | - | Minimum uptime (seconds)
vrrp | List of NMTOKEN | - | VRRP state (any of these is master)

Table K.63. profile: Elements

Element | Type | Instances | Description
date | profile-date | Optional, unlimited | Test passes if within any date range specified
ping | profile-ping | Optional | Test passes if address is answering pings
time | profile-time | Optional, unlimited | Test passes if within any time range specified

K.2.48. profile-date: Test passes if within any of the time ranges specified

Time range test in profiles

Table K.64. profile-date: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
source | string | - | Source of data, used in automated config management
start | dateTime | - | Start (YYYY-MM-DDTHH:MM:SS)
stop | dateTime | - | End (YYYY-MM-DDTHH:MM:SS)

K.2.49. profile-time: Test passes if within any of the date/time ranges specified

Time range test in profiles

Table K.65. profile-time: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
days | Set of day | - | Which days of week apply, default all
source | string | - | Source of data, used in automated config management
start | time | - | Start (HH:MM:SS)
stop | time | - | End (HH:MM:SS)

K.2.50. profile-ping: Test passes if any addresses are pingable

Ping targets

Table K.66. profile-ping: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
flow | unsignedShort | - | Flow label (IPv6)
gateway | IPAddr | - | Ping via specific gateway (bypasses session tracking if set)
ip | IPAddr | Not optional | Target IP
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Source IP
ttl | unsignedByte | - | Time to live / Hop limit

K.2.51. shaper: Traffic shaper

Settings for a named traffic shaper

Table K.67. shaper: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | (token) graphname | Not optional | Graph name
rx | unsignedLong | - | Rx rate limit/target (b/s)
rx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Rx low level burst limit (ms) - ½ for large packets
rx-max | unsignedLong | - | Rx rate limit max
rx-min | unsignedLong | - | Rx rate limit min
rx-min-burst | duration | - | Rx minimum allowed burst time
rx-step | unsignedLong | - | Rx rate reduction per hour
share | boolean | false | If shaper is shared with other devices
source | string | - | Source of data, used in automated config management
tx | unsignedLong | - | Tx rate limit/target (b/s)
tx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Tx low level burst limit (ms) - ½ for large packets
tx-max | unsignedLong | - | Tx rate limit max
tx-min | unsignedLong | - | Tx rate limit min
tx-min-burst | duration | - | Tx minimum allowed burst time
tx-step | unsignedLong | - | Tx rate reduction per hour

Table K.68. shaper: Elements

Element | Type | Instances | Description
override | shaper-override | Optional, unlimited | Profile specific variations on main settings

K.2.52. shaper-override: Traffic shaper override based on profile

Settings for a named traffic shaper

Table K.69. shaper-override: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
profile | NMTOKEN | Not optional | Profile name
rx | unsignedLong | - | Rx rate limit/target (b/s)
rx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Rx low level burst limit (ms) - ½ for large packets
rx-max | unsignedLong | - | Rx rate limit max
rx-min | unsignedLong | - | Rx rate limit min
rx-min-burst | duration | - | Rx minimum allowed burst time
rx-step | unsignedLong | - | Rx rate reduction per hour
source | string | - | Source of data, used in automated config management
tx | unsignedLong | - | Tx rate limit/target (b/s)
tx-limit | (unsignedShort 0-1000) shaper-limit | 400ms | Tx low level burst limit (ms) - ½ for large packets
tx-max | unsignedLong | - | Tx rate limit max
tx-min | unsignedLong | - | Tx rate limit min
tx-min-burst | duration | - | Tx minimum allowed burst time
tx-step | unsignedLong | - | Tx rate reduction per hour

K.2.53. ip-group: IP Group

Named IP group

Table K.70. ip-group: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPRange | - | One or more IP ranges or IP/len
name | string | Not optional | Name
source | string | - | Source of data, used in automated config management
users | List of NMTOKEN | - | Include IP of (time limited) logged in web users

K.2.54. dhcp-relay: DHCP server settings for remote / relayed requests

Settings for DHCP server for relayed connections

Table K.71. dhcp-relay: Attributes

Attribute | Type | Default | Description
allocation-table | (unsignedByte 0-99) routetable | Allocate same as request table | Routing table for allocations - suggest using separate tables for remote DHCP
allow | List of IPNameRange | Allow from anywhere | IPs allowed (e.g. allocated IPs for renewal)
relay | List of IPNameRange | Any relay | Relay server IP(s)
table | (unsignedByte 0-99) routetable | Allow any | Routing table applicable

Table K.72. dhcp-relay: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings