FireBrick FB6302 User Manual

This User Manual documents Software version V2.02.012

The FireBrick config editor uses the OCR-B font designed by Matthew Anderson, which is licensed under a Creative Commons 4.0 Attribution License

Table of Contents

Preface
1. Introduction
1.1. The FB6000
1.1.1. Where do I start?
1.1.2. What can it do?
1.1.2.1. FB6302 Gigabit BGP router
1.1.3. Ethernet port capabilities
1.1.4. Product variants in the FB6000 series
1.2. About this Manual
1.2.1. Version
1.2.2. Intended audience
1.2.3. Technical details
1.2.4. Document style
1.2.5. Document conventions
1.2.6. Comments and feedback
1.3. Additional Resources
1.3.1. Technical Support
1.3.2. IRC Channel
1.3.3. Application Notes
1.3.4. Training Courses
2. Getting Started
2.1. IP addressing
2.2. Accessing the web-based user interface
2.2.1. Initial configuration
3. Configuration
3.1. The Object Hierarchy
3.2. The Object Model
3.2.1. Formal definition of the object model
3.2.2. Common attributes
3.3. Configuration Methods
3.4. Configuration upgrades and versioning
3.5. Data types
3.5.1. Sending and receiving values
3.5.2. Lists of values
3.5.3. Set of possible values
3.5.4. Dates, times, and durations
3.5.5. Colours
3.5.6. Passwords and secrets
3.5.7. IP addresses
3.5.7.1. Simple IP addresses
3.5.7.2. Subnets and prefixes
3.5.7.3. Ranges
3.5.7.4. Prefix filters
3.6. Default values
3.7. Web User Interface Overview
3.7.1. User Interface layout
3.7.2. Config pages and the object hierarchy
3.7.2.1. Configuration categories
3.7.2.2. Object settings
3.7.3. Navigating around the User Interface
3.7.4. Backing up / restoring the configuration
3.7.5. Customising the layout
3.8. Configuration using XML
3.8.1. Introduction to XML
3.8.2. The root element - <config>
3.8.3. Viewing or editing XML
3.8.4. Example XML configuration
3.9. Downloading/Uploading the configuration
3.9.1. Download
3.9.2. Upload
4. System Administration
4.1. User Management
4.1.1. Login level
4.1.2. Configuration access level
4.1.3. Login idle timeout
4.1.4. Restricting user logins
4.1.4.1. Restrict by IP address
4.1.4.2. Logged in IP address
4.1.4.3. Restrict by profile
4.1.5. Password change
4.1.6. One Time Password (OTP)
4.2. General System settings
4.2.1. System name (hostname)
4.2.2. Administrative details
4.2.3. System-level event logging control
4.2.4. Home page web links
4.3. Software Upgrades
4.3.1. Software release types
4.3.1.1. Breakpoint releases
4.3.2. Identifying current software version
4.3.3. Internet-based upgrade process
4.3.3.1. Manually initiating upgrades
4.3.3.2. Controlling automatic software updates
4.3.4. Manual upgrade
4.4. Boot Process
4.4.1. LED indications
4.4.1.1. Port LEDs
5. Event Logging
5.1. Overview
5.1.1. Log targets
5.1.1.1. Logging to Flash memory
5.1.1.2. Logging to the Console
5.2. Enabling logging
5.3. Logging to external destinations
5.3.1. Syslog
5.3.2. Email
5.3.2.1. E-mail process logging
5.4. Factory reset configuration log targets
5.5. Performance
5.6. Viewing logs
5.6.1. Viewing logs in the User Interface
5.6.2. Viewing logs in the CLI environment
5.7. System-event logging
5.8. Using Profiles
6. Automated Certificate Management Environment (ACME)
6.1. Overview
6.1.1. LetsEncrypt
6.1.2. Troubleshooting
6.1.3. More advanced usage
6.1.3.1. Using your own keys
6.1.3.2. Alternative ACME providers
6.1.3.3. Using an existing account
6.1.4. Further information about the renewal process
7. Interfaces and Subnets
7.1. Relationship between Interfaces and Physical Ports
7.1.1. Port groups
7.1.2. Interfaces
7.2. Defining an interface
7.2.1. Defining subnets
7.2.1.1. Source filtering
7.2.1.2. Using DHCP to configure a subnet
7.2.1.3. Using SLAAC (IPv6 router announcements) to configure a subnet
7.2.1.4. Providing IPv6 addresses to devices on a network (IPv6 router announcements)
7.2.2. Setting up DHCP server parameters
7.2.2.1. Fixed/Static DHCP allocations
7.2.2.2. Restricted allocations
7.2.2.3. Special DHCP options
7.2.2.4. Logging
7.2.3. DHCP Relay Agent
7.3. Physical port settings
7.3.1. Setting duplex mode
7.3.2. Defining port LED functions
8. Routing
8.1. Routing logic
8.2. Routing targets
8.2.1. Subnet routes
8.2.2. Routing to an IP address (gateway route)
8.2.3. Special targets
8.3. Dynamic route creation / deletion
8.4. Routing tables
8.5. Bonding
9. Profiles
9.1. Overview
9.2. Creating/editing profiles
9.2.1. Timing control
9.2.2. Tests
9.2.2.1. General tests
9.2.2.2. Time/date tests
9.2.2.3. Ping tests
9.2.3. Inverting overall test result
9.2.4. Manual override
9.2.4.1. Control Switches
9.2.5. Scripting
10. Traffic Shaping
10.1. Graphs and Shapers
10.1.1. Graphs
10.1.2. Shapers
10.1.3. Ad hoc shapers
10.1.4. Long term shapers
10.1.5. Shared shapers
10.2. Multiple shapers
10.3. Basic principles
11. System Services
11.1. Protecting the FB6000
11.2. Common settings
11.3. HTTP Server configuration
11.3.1. Access control
11.3.1.1. Trusted addresses
11.3.2. HTTPS access
11.4. Telnet Server configuration
11.4.1. Access control
11.5. DNS configuration
11.5.1. Auto DHCP DNS
11.5.2. Local DNS responses
11.5.3. Blocking DNS names
11.6. NTP configuration
11.7. SNMP configuration
12. Network Diagnostic Tools
12.1. Access check
12.2. Packet Dumping
12.2.1. Dump parameters
12.2.2. Security settings required
12.2.3. IP address matching
12.2.4. Packet types
12.2.5. Snaplen specification
12.2.6. Using the web interface
12.2.7. Using an HTTP client
12.2.7.1. Example using curl and tcpdump
13. VRRP
13.1. Virtual Routers
13.2. Configuring VRRP
13.2.1. Advertisement Interval
13.2.2. Priority
13.3. Using a virtual router
13.4. VRRP versions
13.4.1. VRRP version 2
13.4.2. VRRP version 3
13.5. Compatibility
14. BGP
14.1. What is BGP?
14.2. BGP Setup
14.2.1. Overview
14.2.2. Standards
14.2.3. Simple example setup
14.2.4. Peer type
14.2.5. Route filtering
14.2.5.1. Matching attributes
14.2.5.2. Action attributes
14.2.6. Well known community tags
14.2.7. Announcing black hole routes
14.2.8. Grey holes
14.2.9. Announcing dead end routes
14.2.10. Bad optional path attributes
14.2.11. <network> element
14.2.12. <route>, <subnet> and other elements
14.2.13. Route feasibility testing
14.2.14. Status
14.2.15. Diagnostics
14.2.16. Router startup and shutdown
14.2.17. TTL security
15. OSPF
15.1. What is OSPF?
15.2. OSPF Setup
15.2.1. Overview
15.2.2. Standards
15.2.3. Simple example setup
15.2.4. <ospf> config element
16. Command Line Interface
A. CIDR and CIDR Notation
B. MAC Addresses usage
B.1. Multiple MAC addresses?
B.2. How the FireBrick allocates MAC addresses
B.2.1. Interface
B.2.2. Subnet
B.2.3. PPPoE
B.2.4. Running out of MACs
B.3. Forcing particular MAC addresses
B.4. MAC address on label
B.5. Using with a DHCP server
C. Scripted access
C.1. Tools
C.2. Access control
C.2.1. Username and password
C.2.2. OTP
C.2.3. Allow list
C.2.4. Allowed access
C.3. XML data for common functions
C.4. XML data from diagnostics and tests
C.4.1. Cross site scripting security
C.4.2. Arguments to scripts
C.5. Special URLs
C.6. Web sockets
D. VLANs: A primer
E. FireBrick specific SNMP objects
E.1. Conventions
E.1.1. IP addresses as indices
E.2. Firebrick-specific structures for BGP
E.2.1. Structure definitions
E.2.1.1. The list of BGP peers for this Firebrick
E.2.2. Enum Definitions
E.3. Firebrick-specific structures for IPSec
E.3.1. Structure definitions
E.3.1.1. fbIPsecGeneral
E.3.1.2. The list of IPsec connections for this Firebrick
E.3.2. Enum Definitions
E.4. Firebrick CPU usage
E.4.1. Structure definitions
E.4.1.1. CPU usage for this Firebrick
E.5. Firebrick system stats
E.5.1. Structure definitions
E.5.1.1. The table of runtime stats for this Firebrick
E.6. Monitoring for general system features
E.6.1. Structure definitions
E.6.1.1. The list of readings for this Firebrick
E.7. System wide status
E.7.1. Structure definitions
E.7.1.1. fbGlobalMemory
E.7.1.2. fbGlobalBuffers
E.8. Firebrick profiles
E.8.1. Structure definitions
E.8.1.1. Profiles status
E.9. Monitoring information (deprecated)
F. Command line reference
F.1. General commands
F.1.1. Trace off
F.1.2. Trace on
F.1.3. Uptime
F.1.4. General status
F.1.5. Memory usage
F.1.6. Process/task usage
F.1.7. Login
F.1.8. Logout
F.1.9. See XML configuration
F.1.10. Load XML configuration
F.1.11. Show profile status
F.1.12. Enable profile control switch
F.1.13. Disable profile control switch
F.1.14. Show RADIUS servers
F.1.15. Show DNS resolvers
F.2. Networking commands
F.2.1. Subnets
F.2.2. Renegotiate DHCP for a subnet
F.2.3. Ping and trace
F.2.4. Show a route from the routing table
F.2.5. List routes
F.2.6. List routing next hops
F.2.7. See DHCP allocations
F.2.8. Clear DHCP allocations
F.2.9. Lock DHCP allocations
F.2.10. Unlock DHCP allocations
F.2.11. Name DHCP allocations
F.2.12. Show ARP/ND status
F.2.13. Show VRRP status
F.2.14. Send Wake-on-LAN packet
F.2.15. Check access to services
F.3. Logging commands
F.3.1. Show Log
F.4. BGP commands
F.4.1. Show BGP
F.4.2. Show BGP Peer
F.4.3. Show BGP Summary
F.4.4. Show BGP Routes
F.4.5. Compare BGP
F.4.6. Clear BGP
F.4.7. Refresh BGP
F.4.8. Refresh BGP
F.5. OSPF commands
F.5.1. Show OSPF
F.5.2. Show OSPF Area
F.5.3. Show OSPF Link
F.5.4. Show OSPF Subnet
F.5.5. Show OSPF Neighbour
F.5.6. Show OSPF Lsa
F.6. Advanced commands
F.6.1. Panic
F.6.2. Reboot
F.6.3. Screen width
F.6.4. Make outbound command session
F.6.5. Show command sessions
F.6.6. Kill command session
F.6.7. Flash memory list
F.6.8. Delete block from flash
F.6.9. Boot log
F.6.10. Flash log
G. Constant Quality Monitoring - technical details
G.1. Tx/Rx direction
G.2. Access to graphs and csvs
G.2.1. Trusted access
G.2.2. Dated information
G.2.3. Authenticated access
G.3. Graph display options
G.3.1. Scaleable Vector Graphics
G.3.2. Data points
G.3.3. Additional text
G.3.4. Other colours and spacing
G.4. Overnight archiving
G.4.1. Full URL format
G.4.2. Load handling
G.5. Graph scores
G.6. Creating graphs, and graph names
H. Hashed passwords
H.1. Password hashing
H.1.1. Salt
H.2. One Time Password seed hashing
I. Configuration Objects
I.1. Top level
I.1.1. config: Top level config
I.2. Objects
I.2.1. system: System settings
I.2.2. link: Web links
I.2.3. routing-table: Default source IP for services using a given table
I.2.4. user: Admin users
I.2.5. eap: User access controlled by EAP
I.2.6. log: Log target controls
I.2.7. log-syslog: Syslog logger settings
I.2.8. log-email: Email logger settings
I.2.9. services: System services
I.2.10. http-service: Web service settings
I.2.11. dns-service: DNS service settings
I.2.12. dns-host: Fixed local DNS host settings
I.2.13. dns-block: Fixed local DNS blocks
I.2.14. telnet-service: Telnet service settings
I.2.15. snmp-service: SNMP service settings
I.2.16. time-service: System time server settings
I.2.17. ethernet: Physical port controls
I.2.18. sampling: Packet sampling configuration
I.2.19. portdef: Port grouping and naming
I.2.20. interface: Port-group/VLAN interface settings
I.2.21. subnet: Subnet settings
I.2.22. subnet-template: Subnet option templates for RA
I.2.23. dhcp6-client: DHCPv6 Client
I.2.24. vrrp: VRRP settings
I.2.25. dhcps: DHCP server settings
I.2.26. dhcp-attr-hex: DHCP server attributes (hex)
I.2.27. dhcp-attr-string: DHCP server attributes (string)
I.2.28. dhcp-attr-number: DHCP server attributes (numeric)
I.2.29. dhcp-attr-ip: DHCP server attributes (IP)
I.2.30. route: Static routes
I.2.31. network: Locally originated networks
I.2.32. blackhole: Dead end networks
I.2.33. loopback: Locally originated networks
I.2.34. ospf: Overall OSPF settings
I.2.35. namedbgpmap: Mapping and filtering rules of BGP prefixes
I.2.36. bgprule: Individual mapping/filtering rule
I.2.37. bgp: Overall BGP settings
I.2.38. bgppeer: BGP peer definitions
I.2.39. bgpmap: Mapping and filtering rules of BGP prefixes
I.2.40. cqm: Constant Quality Monitoring settings
I.2.41. profile: Control profile
I.2.42. profile-date: Test passes if within any of the time ranges specified
I.2.43. profile-time: Test passes if within any of the date/time ranges specified
I.2.44. profile-ping: Test passes if any addresses are pingable
I.2.45. shaper: Traffic shaper
I.2.46. shaper-override: Traffic shaper override based on profile
I.2.47. ip-group: IP Group
I.2.48. dhcp-relay: DHCP server settings for remote / relayed requests
I.3. Data types
I.3.1. user-level: User login level
I.3.2. ppp-dump: PPP dump format
I.3.3. autoloadtype: Type of s/w auto load
I.3.4. lacp-hot-standby: LACP hot standby mode
I.3.5. config-access: Type of access user has to config
I.3.6. eap-subsystem: Subsystem with EAP access control
I.3.7. eap-method: EAP access method
I.3.8. syslog-severity: Syslog severity
I.3.9. syslog-facility: Syslog facility
I.3.10. http-mode: HTTP/HTTPS security mode
I.3.11. month: Month name (3 letter)
I.3.12. day: Day name (3 letter)
I.3.13. port: Physical port
I.3.14. Crossover: Crossover configuration
I.3.15. LinkFlow: Physical port flow control setting
I.3.16. LinkClock: Physical port Gigabit clock master/slave setting
I.3.17. LinkLED-y: Yellow LED setting
I.3.18. LinkLED-g: Green LED setting
I.3.19. LinkPower: PHY power saving options
I.3.20. LinkFault: Link fault type to send
I.3.21. sampling-protocol: Sampling protocol
I.3.22. trunk-mode: Trunk port mode
I.3.23. ramode: IPv6 route announce level
I.3.24. bgpmode: BGP announcement mode
I.3.25. sampling-mode: Sampling mode
I.3.26. sfoption: Source filter option
I.3.27. ipsec-type: IPsec encapsulation type
I.3.28. ipsec-auth-algorithm: IPsec authentication algorithm
I.3.29. ipsec-crypt-algorithm: IPsec encryption algorithm
I.3.30. peertype: BGP peer type
I.3.31. switch: Profile manual setting
I.4. Basic types
Index

List of Figures

3.1. Icons for configuration categories
3.2. The "Setup" category
3.3. Editing an "Interface" object
3.4. Show hidden attributes
3.5. Attribute definitions
3.6. Navigation controls
4.1. Setting up a new user
B.1. Product label showing MAC address range

List of Tables

2.1. IP addresses for computer
2.2. IP addresses to access the FireBrick
2.3. IP addresses to access the FireBrick
3.1. Special character sequences
4.1. User login levels
4.2. Configuration access levels
4.3. General administrative details attributes
4.4. Attributes controlling auto-upgrades
5.1. Logging attributes
5.2. System-Event Logging attributes
8.1. Example route targets
11.1. List of system services
11.2. List of system services
12.1. Packet dump parameters
12.2. Packet types that can be captured
14.1. Peer types
14.2. Communities
14.3. Network attributes
15.1. OSPF config attributes
B.1. DHCP client names used
C.1. Special URLs
C.2. Upgrade type numbers enum
E.1. Indices
E.2. Fields
E.3. FbBgpPeerState - The state of a BGP peer
E.4. Fields
E.5. Indices
E.6. Fields
E.7. FbIPsecConState - The state of an IPsec connection
E.8. Indices
E.9. Fields
E.10. Indices
E.11. Fields
E.12. Indices
E.13. Fields
E.14. Fields
E.15. Fields
E.16. Indices
E.17. Fields
E.18. iso.3.6.1.4.1.24693.1.X.Y
G.1. File types
G.2. Colours
G.3. Text
G.4. Text
G.5. URL formats
I.1. config: Attributes
I.2. config: Elements
I.3. system: Attributes
I.4. system: Elements
I.5. link: Attributes
I.6. routing-table: Attributes
I.7. user: Attributes
I.8. eap: Attributes
I.9. log: Attributes
I.10. log: Elements
I.11. log-syslog: Attributes
I.12. log-email: Attributes
I.13. services: Elements
I.14. http-service: Attributes
I.15. dns-service: Attributes
I.16. dns-service: Elements
I.17. dns-host: Attributes
I.18. dns-block: Attributes
I.19. telnet-service: Attributes
I.20. snmp-service: Attributes
I.21. time-service: Attributes
I.22. ethernet: Attributes
I.23. sampling: Attributes
I.24. portdef: Attributes
I.25. interface: Attributes
I.26. interface: Elements
I.27. subnet: Attributes
I.28. subnet-template: Attributes
I.29. dhcp6-client: Attributes
I.30. vrrp: Attributes
I.31. dhcps: Attributes
I.32. dhcps: Elements
I.33. dhcp-attr-hex: Attributes
I.34. dhcp-attr-string: Attributes
I.35. dhcp-attr-number: Attributes
I.36. dhcp-attr-ip: Attributes
I.37. route: Attributes
I.38. network: Attributes
I.39. blackhole: Attributes
I.40. loopback: Attributes
I.41. ospf: Attributes
I.42. namedbgpmap: Attributes
I.43. namedbgpmap: Elements
I.44. bgprule: Attributes
I.45. bgp: Attributes
I.46. bgp: Elements
I.47. bgppeer: Attributes
I.48. bgppeer: Elements
I.49. bgpmap: Attributes
I.50. bgpmap: Elements
I.51. cqm: Attributes
I.52. profile: Attributes
I.53. profile: Elements
I.54. profile-date: Attributes
I.55. profile-time: Attributes
I.56. profile-ping: Attributes
I.57. shaper: Attributes
I.58. shaper: Elements
I.59. shaper-override: Attributes
I.60. ip-group: Attributes
I.61. dhcp-relay: Attributes
I.62. dhcp-relay: Elements
I.63. user-level: User login level
I.64. ppp-dump: PPP dump format
I.65. autoloadtype: Type of s/w auto load
I.66. lacp-hot-standby: LACP hot standby mode
I.67. config-access: Type of access user has to config
I.68. eap-subsystem: Subsystem with EAP access control
I.69. eap-method: EAP access method
I.70. syslog-severity: Syslog severity
I.71. syslog-facility: Syslog facility
I.72. http-mode: HTTP/HTTPS security mode
I.73. month: Month name (3 letter)
I.74. day: Day name (3 letter)
I.75. port: Physical port
I.76. Crossover: Crossover configuration
I.77. LinkFlow: Physical port flow control setting
I.78. LinkClock: Physical port Gigabit clock master/slave setting
I.79. LinkLED-y: Yellow LED setting
I.80. LinkLED-g: Green LED setting
I.81. LinkPower: PHY power saving options
I.82. LinkFault: Link fault type to send
I.83. sampling-protocol: Sampling protocol
I.84. trunk-mode: Trunk port mode
I.85. ramode: IPv6 route announce level
I.86. bgpmode: BGP announcement mode
I.87. sampling-mode: Sampling mode
I.88. sfoption: Source filter option
I.89. ipsec-type: IPsec encapsulation type
I.90. ipsec-auth-algorithm: IPsec authentication algorithm
I.91. ipsec-crypt-algorithm: IPsec encryption algorithm
I.92. peertype: BGP peer type
I.93. switch: Profile manual setting
I.94. Basic data types

List of Examples

E.1.
E.2.