FireBrick Traffic Shaping

From AAISP Support Site



  • The FireBrick 2700 has been used as a 'black' box traffic shaping device in shared offices. It's quite easy to configure a FireBrick for a 'serviced office' scenario where tenants pay for a slice of a fast pipe. -this would be great for leased lines, ethernet services, FTTC, FTTP etc.
  • The FireBrick can shape based on parameters such as source/target IP/port/protocol, giving flexibility.
  • When shaping, CQM graphs are produces for each 'shaper', giving a visual representation of the traffic.
  • FireBrick are being used to traffic shape tenants in a serviced office setup where the alternative products to do the job were many times the cost.


If a managed office already has network infrastructure then the FireBrick can work in a proxy-arp mode, and physically sit on your network between your router and your LAN.

Config Examples

Proxy-arp Mode

If you want the Firebrick to be 'invisible' on your LAN, i.e., you have machines on the LAN which use the gateway IP of your router, and you do not want to use the FireBrick as the router, then setting proxy-arp on the subnets is required. - this will then proxy arps between the FireBricks LAN and WAN, both ways. -Note broadcast traffic is not passed through the FireBrick - so the router won't be able to do DHCP - the FireBrick can, or another host on the LAN can instead.

Here is a config snipet where physical ports are as follows:

  • 1 for the WAN, plugged in to the internet router
  • 2 for the LAN, plugged in to the network
  • 3 and 4 are unused.

In terms of IP addressing on the network:

  • is the Internet router
  • has been assigned to the FireBrick
  • is used for the various clients on the LAN

   <port name="WAN" ports="1"/>
   <port name="LAN" ports="2"/>
   <interface name="WAN" port="WAN">
      <subnet ip="" gateway="" proxy-arp="true"/>
   <interface name="LAN" port="LAN">
      <subnet ip="" proxy-arp="true"/>

We're simply setting the same IP address on both sides on the FireBrick, and setting proxy-arp=true.

Traffic Shaping configuration

First we need some shapers - these define the speed lanes/tunnels/pipes:

   <shaper name="Customer A" egress="500000" ingress="500000"/>
   <shaper name="Customer B" egress="3000000" ingress="3000000"/>

Here we have defined 2 shapers, one with 500kbit/s up/down, and one with 3Mbit/s up/down.

These shapers can then be used in rules, e.g.:

      <rule name="Customer A" source-ip="" set-graph="Customer A"/>
      <rule name="Customer B" source-ip="" set-graph="Customer B"/>

Here we have set specific IP addresses to go through specific shapers, so will get 500K/bs and will get 3Mbit/s.