https://support.aa.net.uk/api.php?action=feedcontributions&user=Tgb&feedformat=atomAAISP Support Site - User contributions [en-gb]2024-03-29T12:33:12ZUser contributionsMediaWiki 1.39.5https://support.aa.net.uk/index.php?title=FireBrick_Session_Tracking&diff=5727FireBrick Session Tracking2014-05-09T07:06:48Z<p>Tgb: Typo corrections</p>
<hr />
<div>[[File:2700-small.png|link=:Category:FireBrick]]<br />
<br />
Session tracking will be disabled if there are no rule-set or route-override config lines.<br />
You can add a blank rule-set to enable session tracking, e.g.:<br />
<syntaxhighlight><br />
<rule-set comment="Empty rule set to enable session tracking"/><br />
</syntaxhighlight><br />
<br />
<br />
[[Category:FireBrick]]</div>Tgbhttps://support.aa.net.uk/index.php?title=FireBrick_VoIP&diff=5724FireBrick VoIP2014-05-07T13:20:30Z<p>Tgb: /* Overview */</p>
<hr />
<div>[[File:2700-small.png|link=:Category:FireBrick]]<br />
<br />
=Other Pages=<br />
These pages are also related to this topic:<br />
*[http://www.firebrick.co.uk/fb2700/voip.php VoIP Page on the FireBrick web site] regarding the FireBrick 2500 and 2700 series<br />
*[http://www.firebrick.co.uk/fb6000/fb6502.php FB 6502] The FireBrick 6000 series SIP Switch (for VoIP Carriers)<br />
<br />
=AAISP VoIP Service=<br />
These pages are useful to owners of FireBrick 2500 and 2700 models, but the FireBrick SIP platform is also used by the AAISP VoIP service, so these pages are also relevant to customers using the AAISP VoIP service.<br />
<br />
=Overview=<br />
The FireBrick has SIP capabilities and can be set up as a basic back-to-back SIP endpoint for a home office and provide a set of PBX features itself, or can be combined with additional RADIUS and custom companion software to create a much more powerful SIP switch that can be used by larger VoIP providers. It is designed to scale well by simply adding more boxes. When used as back-to-back, you have individual 'User' accounts on your FireBrick for each of your phones, and separately, you have Carrier accounts configured. These carrier accounts are the SIP accounts with your SIP provider. There is nothing special about these accounts: they are the same as if you were configuring your phone to register directly with the SIP provider, but instead the FireBrick registers. This back-to-back configuration is not a SIP ALG.<br />
<br />
AAISP use FireBrick as their SIP platform as a 'hosted' VoIP solution, whereby customers have phones which use the service and the features are provided by AAISP.<br />
<br />
SIP is supported across the FireBrick range with the 2500 and 2700 models ideal for Office use and for small VoIP providers, and the 6000 models being used by larger VoIP Providers.<br />
<br />
[[File:FBVoIPDia.png]]<br />
<br />
=Configuring the FireBrick for SIP=<br />
[[File:Pbvoipicon.png|left]]<br />
Carriers and Users are separate: your phones use the 'VoIP users' configuration section, and the Carrier configuration is in the 'VoIP carriers' section of the FireBrick config. The FireBrick doesn't pass the authentication from your phone on to your carrier. You'll need a configuration entry for each of your carriers and each of your phones. At a basic level you can just have a 1-to-1 mapping of carrier to phone, or you can use the FireBrick PBX features for a more comprehensive setup where the FireBrick is able to offer features such as ring groups, call pickup etc.<br />
<br />
Please also see: <br />
*[[FireBrick SIP Configuration]]<br />
This page describes how to configure the FireBrick to work with SIP phones and Carriers. See below on how to then configure phones to register against your FireBrick.<br />
<br />
== Configuring Specific Carriers==<br />
*[[FireBrick VoIP Generic Carrier|Generic Instructions]]<br />
*[[FireBrick VoIP AAISP|AAISP]]<br />
*[[FireBrick VoIP Gradwell|Gradwell]]<br />
*[[FireBrick VoIP SIPGate|SIPGate]]<br />
<br />
=Configuring Phones to Register Against your FireBrick=<br />
As AAISP use FireBrick as its SIP platform, the pages on this wiki for configuring phones to register with your FireBrick are relevant.<br />
Please see: <br />
*[[VoIP Phones - Generic Client|Generic Client Configuration]]<br />
*[[:Category:VoIP Phones|VoIP Phone category]]<br />
<br />
Specific Phones:<br />
<br />
<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1>Category:VoIP Phones</ncl><br />
<br />
<br />
<br />
<br />
[[Category:FireBrick]][[Category:VoIP]][[Category:Configuring]]<br />
[[Category:FireBrick VoIP]]</div>Tgbhttps://support.aa.net.uk/index.php?title=FireBrick_Power&diff=5071FireBrick Power2013-12-16T21:07:56Z<p>Tgb: Fixed a couple of minor grammar issues</p>
<hr />
<div>[[File:2700-small.png]]<br />
The FireBrick range of products are designed to be very low power. Ideal for the environment, and the 6000 range are ideal for data centres where power is scarce or expensive.<br />
<br />
==2700 and 2500==<br />
The power consumption depends on loading, including USB and how many ethernet ports are connected, whether they are 100M or 1G, and how busy they are.<br />
<br />
The 2500 and 2700 are labelled 0.1A at 230V, which corresponds to 23VA. For a fully loaded brick we have measured close to that.<br />
<br />
However bear in mind that power (watts) and VA are not the same thing, due to the power factor. The FB2700 draws between approx 8 and 15W power depending on loading, the FB2500 between approx 7 and 12W.<br />
<br />
==6000==<br />
The 6000 models are rated at 20 watts.<br />
<br />
<br />
[[Category:FireBrick]]</div>Tgbhttps://support.aa.net.uk/index.php?title=FireBrick_Custom_CSS&diff=5070FireBrick Custom CSS2013-12-16T20:48:47Z<p>Tgb: Fixed typos</p>
<hr />
<div>[[File:2700-small.png|link=:Category:FireBrick]]<br />
<br />
You can use custom css to override the css used on the FireBrick admin pages to create your own look.<br />
[[File:Firebrick-css.png|frame|Custom colour header by using css]]<br />
<br />
The CSS file is set in the http section of the config:<br />
<br />
<http css-url="http://example.com/css/myfb.css"><br />
<br />
For example, to change the header and footer bar from red to blue, create your myfb.css file as:<br />
<br />
<syntaxhighlight><br />
/* <br />
Custom css to make my FireBrick visibly different to normal ones<br />
*/<br />
<br />
div.header {<br />
background: inherit;<br />
<br />
background-color: #000080;<br />
background: -moz-linear-gradient(top, #000080 0px, #202080 100%);<br />
background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#000080), color-stop(100%,#202080));<br />
background: -webkit-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: -o-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: -ms-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: linear-gradient(to bottom, #000080 0%,#202080 100%);<br />
-ms-filter: "progid:DXImageTransform.Microsoft.gradient(startColorstr='#000080', endColorstr='#202080')";<br />
}<br />
<br />
div.footer {<br />
background: inherit;<br />
<br />
background-color: #000080;<br />
background: -moz-linear-gradient(top, #000080 0px, #202080 100%);<br />
background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#000080), color-stop(100%,#202080));<br />
background: -webkit-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: -o-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: -ms-linear-gradient(top, #000080 0%,#202080 100%);<br />
background: linear-gradient(to bottom, #000080 0%,#202080 100%);<br />
-ms-filter: "progid:DXImageTransform.Microsoft.gradient(startColorstr='#000080', endColorstr='#202080')";<br />
}<br />
</syntaxhighlight><br />
<br />
<br />
[[Category:FireBrick]]</div>Tgbhttps://support.aa.net.uk/index.php?title=07_Availability&diff=104207 Availability2011-10-14T11:05:51Z<p>Tgb: Updated Vodafone status</p>
<hr />
<div>=07 Numbers=<br />
Our 07 number block is 074411xxxxx.<br />
<br />
The block was allocated to us in July 2011 (http://s.aa.net.uk/1033). Customers are able to order numbers but not all telephone operators are routing the calls yet.<br />
<br />
==Test Number==<br />
07441144123 is a number that will read back the current time.<br />
<br />
=Operator Status=<br />
It takes time for new number blocks to be loaded into the various telephone operators' systems. <br />
<br />
==AAISP ✔==<br />
Calls do work from AAISP VoIP customers!<br />
<br />
==BT ✔==<br />
Calls: Working from BT landlines<br />
<br />
==Orange==<br />
14 October - Unobtainable tone<br />
<br />
==Vodafone==<br />
<br />
14 October: Calls are preceded by a recorded message, saying "The number you have dialled is not a standard UK mobile number, and extra charges may apply. If you do not wish to continue, please end the call now." Calls confirmed working both ways. SMS from AA to Vodafone work, SMS from Vodafone to AA do not work. No information available on the extra charges.<br />
<br />
==Three==<br />
<br />
==T Mobile==<br />
<br />
=Text Messages=<br />
We are expecting text messages to take longer to work.</div>Tgbhttps://support.aa.net.uk/index.php?title=FireBrick_2700_Configuration_run-through&diff=935FireBrick 2700 Configuration run-through2011-06-02T21:18:17Z<p>Tgb: </p>
<hr />
<div>=Also See:=<br />
*Our main [[FireBrick]] wiki page<br />
<br />
= Overview =<br />
Here we will build a config file for a FB2700 from scratch. It should help you to build a configuration for your line(s) and help you understand the XML syntax etc. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.<br />
<br />
These examples are based on V0.00.608 (2011-01-05), and future firmware releases may have different configuration requirements. Some people converting from a 105 may prefer to also use the 105 converter tool, and base the configuration for their new 2700 on that output. More info at: http://www.firebrick.co.uk/fb105config.php <br />
<br />
We have an AAISP ADSL line with the following details: <br />
<br />
*Username= abc@a.1 Password=secret <br />
*Routed IP block = 192.0.2.0/28<br />
(Later in the page, we'll be adding an IPv6 block, and bonding with a second line)<br />
(192.0.2.0/28 is used in this example as the 192.0.2 block is a special block reserved for documentation (RFC 5737). We will also use the v6 documentation prefix 2001:DB8:: (RFC 3849).)<br />
<br />
= Default Config =<br />
<br />
The default configuration (of a fully-loaded FireBrick) looks like this: <br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd"<br />
timestamp="1970-01-01T00:00:07Z"><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="LAN4" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<dhcp ip="10.0.0.100-199"/><br />
</interface><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
<services><br />
<ntp/><br />
<telnet comment="Set allow IP list to restrict access"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
This sets up the 4 Ethernet ports as separate LANs, and an IP of 10.0.0.1 (and 2001:DB8::1) with the FireBrick acting as DHCP server on the first port. So, connecting a computer to Port 1 should get you a 10.0.0.x IP address, and you can access http://10.0.0.1 . Port 1 is also a DHCP client, so it will try to get an IP from your DHCP server, if you have one. Check your DHCP server logs for what IP is allocated.<br />
<br />
Port 4 is set as an example of a PPPoE client (i.e. to be plugged into an ADSL modem, FTTC/FTTP modem etc.); we'll set this up a little later.<br />
<br />
= Configuring Initial Basic Settings =<br />
<br />
Set yourself a user with full debug rights, eg: <br />
<syntaxhighlight><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
</syntaxhighlight><br />
<br />
To explain the timeout a bit:<br />
The timeout is how long this user stays logged in to the FB admin pages/telnet.<br />
PT (Period Time)<br />
20M is 20 minutes.<br />
You can just enter 3600, and it will convert it to PT1H (a number on its own means seconds).<br />
<br />
Modify the ntp time server to use the AAISP time server: <br />
<syntaxhighlight><br />
<ntp timeserver="time.aaisp.net.uk"/><br />
</syntaxhighlight><br />
Modify the telnet service to permit access only from your LAN: <br />
<syntaxhighlight><br />
<telnet allow="192.0.2.0/28"/><br />
</syntaxhighlight><br />
Set DNS servers and your domain name, under the services (here we're using the AAISP DNS servers): <br />
<syntaxhighlight><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
</syntaxhighlight><br />
Note: If you are using PPPoE, then you can leave the resolvers empty, and the FireBrick will obtain the DNS servers from the ISP.<br />
<br />
= LAN Subnet =<br />
<br />
We want to use just Ethernet port 1 on the FireBrick for our LAN. We'll be connecting port 1 to a switch, and all our devices will be plugged into that switch. <br />
<br />
So, first we'll add a new subnet; this can go under the current 10.0.0.1 subnet (which we'll delete later). We'll also make this a DHCP server: <br />
<syntaxhighlight><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</syntaxhighlight><br />
Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN1 interface now looks like this: <br />
<br />
<syntaxhighlight><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
</syntaxhighlight><br />
<br />
Our complete config now looks like this: <br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="LAN4" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
At this point we can save the config, there should be no errors. <br />
<br />
Our computer should then pick up a new 192.0.2.x IP address, and we can connect back to the FireBrick on http://192.0.2.1 <br />
<br />
If that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines: <br />
<syntaxhighlight><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
</syntaxhighlight><br />
Save, and re-connect to the web interface.<br />
<br />
= PPPoE =<br />
<br />
More info on http://www.firebrick.co.uk/fb2700/pppoe.php <br />
<br />
The FireBrick 2700 supports PPPoE, so you can use it to connect via an xDSL modem, e.g.: <br />
<br />
*A BT supplied FTTC/FTTP modem <br />
*A standard issue AAISP ZyXEL P660-D1, in bridge mode (Go to: Wan - Wan setup, mode Bridge, Encapsulation RFC1483, Multiplex LLC) <br />
*Another ADSL router set for bridge mode <br />
*A modem such as a Draytek [[Vigor_120]] (firmware 3.2.4.3 and above)<br />
<br />
Note: You cannot just use any of these devices on any line type: There are combinations that will work, and combinations that will not. You MUST read the link above. In short, BT lines can auto-detect PPPoA or PPPoE, so will work with pretty much anything. BE lines on the other hand are hard-coded to either PPPoE OR PPPoA. For a BE PPPoE line, a simple bridge mode router like the ZyXEL is the correct choice. For a BE PPPoA line, you need a device that can do true PPPoA on the wire <-> PPPoE on the LAN to the FB. The Vigor 120 is one of the only devices that can do this. <br />
<br />
In our default config, you can see that we already have some PPPoE settings: <br />
<syntaxhighlight><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
</syntaxhighlight> <br />
This is using Ethernet port 4, so plug your modem in to that port. <br />
<br />
This line can be changed for your ADSL settings, eg: <br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
</syntaxhighlight> <br />
We've also set the FireBrick to create a graph for this, as well as to log. <br />
<br />
We've changed the port to WAN1, so we also need to change the port config earlier in the file, so change <br />
<syntaxhighlight><br />
<port name="LAN4" ports="4"/><br />
</syntaxhighlight><br />
to: <br />
<syntaxhighlight><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
Our complete config in full now looks like this: <br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
By default the PPPoE will be used as the default route. Saving this config should mean you have an internet connection!<br />
<br />
==1500 MTU?==<br />
The default MTU is 1492 for PPPoE. However, if your modem supports jumbo frames, then you should be able to use a full 1500 MTU on the PPPoE. The BT supplied modem for FTTC does support this; other modems may or may not.<br />
Config wise, just add mtu="1500" to the ppp element.<br />
eg:<br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" mtu="1500"/><br />
</syntaxhighlight><br />
<br />
==ZyXEL P660R-D1 Notes==<br />
(These notes will be similar for any type of ADSL router in Bridge mode, or ADSL modems.)<br />
<br />
The P660R-D1 also supports a hybrid [http://www.zyxel.co.uk/web/support_faq_detail.php?faqID=136&pid=20040812093058 Half Bridge mode]; the PPP session is terminated on the modem but its internal NAT is disabled and the WAN IP is assigned to the firewall / router connected to its ethernet port via short DHCP lease. This configuration may suffice for some simpler setups, the advantage being the modem can be used with a PPPoA setup (e.g. Opal / Tiscali Business LLU). The modem remains accessible on its default LAN IP address.<br />
<br />
When setting up the ZyXEL to work with the FireBrick, set the WAN settings to be:<br />
<br />
===For a BT Line ( which will do PPPoA or PPPoE ):===<br />
*Name: AAISP (But can be anything)<br />
*Mode: Bridge<br />
*Encapsulation: RFC 1483<br />
*Multiplexing: LLC (VC may work on 20cn, but stick with LLC)<br />
*VPI: 0<br />
*VCI: 38<br />
*ADSL modulation type: Multimode<br />
<br />
===For a Be PPPoE Line:===<br />
*Name: AAISP (But can be anything)<br />
*Mode: Bridge<br />
*Encapsulation: RFC 1483<br />
*Multiplexing: LLC<br />
*VPI: 0<br />
*VCI: 101<br />
*ADSL modulation type: Multimode<br />
<br />
===For a Be PPPoA Line:===<br />
You will need to use a Draytek Vigor 120, or similar device, which can provide true PPPoA <-> PPPoE bridging. The ZyXEL won't do this. Please read the link: http://www.firebrick.co.uk/fb2700/pppoe.php<br />
<br />
Also make a note of the LAN address, as you'll set a subnet on the FireBrick below so that you can still access the ZyXEL from your LAN.<br />
As the ZyXEL is not doing any PPP in bridge mode, the 'Internet' LED will not light up, the DSL light will still indicate sync though.<br />
<br />
= Filters =<br />
With no filters set, the default is to allow all incoming and outgoing traffic.<br />
<br />
More info on http://www.firebrick.co.uk/fb2700/firewall.php <br />
<br />
Since that page is more of a reference than a tutorial, it contains no examples. So here's a code snippet from a working config which allows incoming SMTP to your mail server, and IAX2 to an asterisk box, as a starting point:<br />
<br />
<syntaxhighlight><br />
<rule-set target-interface="LAN1" drop="reject" comment="Default firewall rule - block incoming"><br />
<rule source-interface="self" comment="Allow from the FireBrick though"/><br />
<rule name="SMTP" target-ip="81.x.xxx.190" target-port="25"/><br />
<rule name="IAX2" target-ip="81.x.xxx.189" target-port="4569"/><br />
</rule-set><br />
</syntaxhighlight><br />
<br />
For debugging, you can add log="true" and/or graph="xyz" to the <rule .../> lines, which will then print an entry to the log when the rule is matched, and will also draw graphs for that traffic, eg:<br />
<br />
== VoIP Rules ==<br />
<br />
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: <br />
<syntaxhighlight><br />
<rule-set name="Incoming Firewall Rules"><br />
<rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/><br />
<rule name="RTP" target-ip="192.0.2.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/><br />
</rule-set><br />
</syntaxhighlight><br />
Here the rules are defined in a rule-set. Rule-sets allow helpful management of rules, i.e. you can have a couple of main rule-sets, for example for Incoming Traffic, Port Maps, Outgoing Traffic etc. Rules and rule-sets are processed in order, top to bottom.<br />
<br />
This also sets a graph for RTP. You may want to restrict the target to just your VoIP phones, as the above sets the target to the whole of the LAN.<br />
<br />
== Restricting FireBrick Config access ==<br />
<br />
You may want to allow access to the FireBrick web server only from your LAN. Do this in the http service, e.g. change the current line to: <br />
<syntaxhighlight><br />
<http allow="192.0.2.1/28"/><br />
</syntaxhighlight><br />
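The access restrictions from the run-through can be checked mechanically before a config is loaded. This added example (not FireBrick tooling or part of the original page) parses a config and reports admin services without an allow list, allow entries outside the LAN subnets, a missing rule-set and the tutorial's placeholder password; the sample config is constructed from the snippets above, the function names are this example's own, and only prefix-style allow entries are checked.

```python
import ipaddress
import xml.etree.ElementTree as ET

PLACEHOLDER_PASSWORDS = {"secret"}   # the password used throughout the run-through
ADMIN_SERVICES = ("telnet", "http")  # services the page restricts with allow="..."

# Constructed sample: the run-through's config at the PPPoE stage, trimmed.
SAMPLE_CONFIG = """
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
 <interface name="LAN1" port="LAN1">
  <subnet ip="192.0.2.1/28" comment="LAN"/>
  <dhcp ip="192.0.2.2-12"/>
 </interface>
 <ppp port="WAN1" username="abc@a.1" password="secret"/>
 <services>
  <telnet allow="192.0.2.0/28"/>
  <http/>
 </services>
 <rule-set target-interface="LAN1" drop="reject">
  <rule source-interface="self"/>
 </rule-set>
</config>
"""


def _local(tag):
    """Strip the XML namespace so fragments and full configs both match."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def lan_networks(root):
    """Networks of every <subnet ip="..."> (the attribute may list several)."""
    nets = []
    for subnet in _elements(root, "subnet"):
        for item in subnet.get("ip", "").split():
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def audit(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    lans = lan_networks(root)
    findings = []
    for svc_name in ADMIN_SERVICES:
        for svc in _elements(root, svc_name):
            allow = svc.get("allow")
            if not allow:
                findings.append(f"{svc_name}: no allow list, admin service open to any source")
                continue
            for entry in allow.split():
                try:
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    findings.append(f"{svc_name}: allow entry {entry!r} not checked (not a prefix)")
                    continue
                inside = any(net.version == lan.version and net.subnet_of(lan) for lan in lans)
                if not inside:
                    findings.append(f"{svc_name}: allow entry {entry} is outside the LAN subnets")
    if not _elements(root, "rule-set"):
        findings.append("no rule-set: default is to allow all incoming and outgoing traffic")
    for kind in ("user", "ppp"):
        for el in _elements(root, kind):
            if el.get("password") in PLACEHOLDER_PASSWORDS:
                ident = el.get("name") or el.get("username")
                findings.append(f"{kind} {ident}: tutorial placeholder password still set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
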
<br />
= Native IPv6 =<br />
<br />
Assuming you have an IPv6 block allocated to your line on Clueless and you're using the FB for PPPoE, then all the FB config needs is: <br />
<br />
*An IPv6 address on the LAN subnet <br />
*ra="true" in the subnet<br />
<br />
Your computers should then get IPv6 details. Test on http://ip.help.me.uk.<br />
<br />
If you previously had your IPv6 allocation routed over a Protocol 41 tunnel to a tunnel end-point machine on your LAN, you now need to remove that on clueless to allow native IPv6 to the FB. Log in to clueless and simply clear the IPv4 endpoint address, and save the changes. You then need to drop the connection to AAISP, and re-connect, for the routing change to take effect. Also remember to shut down your LAN tunnel endpoint, so it's not still announcing routes it can't honour any more.<br />
<br />
If you still need to use Tunnelled IPv6, rather than Native, see this page: [[FireBrick 2700 v6 Tunnel]]<br />
<br />
So, our config will look like this:<br />
<syntaxhighlight><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" comment="IPv6 LAN"/><br />
...<br />
</interface><br />
...<br />
</syntaxhighlight><br />
<br />
Our complete config now looks like:<br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" comment="IPv6 LAN"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
'''DNS auto-config''':<br />
<br />
( since release V0.02.039 )<br />
<br />
Setting 'ra=true' will enable auto-configuration of IPv6 addresses, and of the Default Route.<br />
You may also wish to configure IPv6 DNS servers ( DNS servers that are to be queried over IPv6 ).<br />
<br />
There are a couple of different mechanisms available to push out IPv6 DNS servers, and the FB2700 supports both.<br />
Be sure your DNS server actually responds on its IPv6 address!<br />
<br />
The first method is to have the FB include the DNS server addresses as a new option (RDNSS) in the Router Advertisements (RFC 6106).<br />
RFC 6106 aware clients are, however, somewhat thin on the ground at the moment.<br />
To enable this, set the 'ra-dns' option to point to your IPv6 Recursive DNS Server.<br />
In this example, I'm pointing it to a DNS server on 2001:8B0:123:1::2.<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-dns="2001:8B0:123:1::2"/><br />
</syntaxhighlight><br />
<br />
This will make the FB include the RDNSS option in the Router Advertisements.<br />
If the client is smart enough, this is all it will take.<br />
<br />
Most clients are not currently able to receive this option.<br />
So we can also use the more traditional method:<br />
Setting the 'O' flag in the RA, telling the client to do DHCPv6 after auto-configuration, and request 'Other' config data, i.e. DNS.<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="true"/><br />
</syntaxhighlight><br />
<br />
Now, the FB will set the 'O' flag in the RAs, causing your clients to then query a DHCPv6 server for 'Other' ( DNS ) config data.<br />
You must provision an external DHCPv6 server to respond to these queries.<br />
<br />
The FB can also be configured to run a mini-DHCPv6 server to respond to these queries by itself, eliminating the need for an external DHCPv6 server.<br />
To enable the 'O' flag AND the mini-DHCPv6, set the ra-other option to 'dhcpv6', and also specify the DNS server address to be doled out in the ra-dns option:<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2"/><br />
</syntaxhighlight><br />
<br />
Now, the clients are instructed to do DHCPv6, and this FB will respond with the addresses listed.<br />
Future releases may support the Search List options, too.<br />
<br />
Tested with: Win 7, Win Vista<br />
<br />
Note:<br />
It's not always clear on the win boxes whether this worked.<br />
On a Vista box, the command 'ipconfig /all' will show both IPv4 and IPv6 DNS servers configured.<br />
Win7 seems lame, and only reports IPv4.<br />
To show the IPv6 DNS servers, you need to use the command 'netsh interface ipv6 show dns'.<br />
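Since the client side does not always show whether the DNS options arrived, the Router Advertisement itself can be decoded. This added example (not FireBrick code or part of the original page) parses the ICMPv6 RA bytes, as taken from a packet capture on the LAN, and reports the 'O' flag and any RDNSS servers; the sample RAs are constructed here and the function names are this example's own.

```python
import ipaddress
import struct


def build_sample_ra(other_flag, rdnss):
    """Construct an ICMPv6 Router Advertisement for the demo (checksum left at 0)."""
    flags = 0x40 if other_flag else 0x00
    # type=134, code=0, checksum, hop limit, M/O flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information option: type 3, length 4 (x8 bytes), /64, L+A flags for SLAAC
    prefix = ipaddress.IPv6Address("2001:8B0:123:1::").packed
    ra += struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0) + prefix
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # RDNSS option (RFC 6106): type 25, length = 1 + 2 per address, reserved, lifetime
        ra += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 1800) + addrs
    return ra


def parse_ra(data):
    """Decode the flags, prefixes and RDNSS servers from an ICMPv6 RA message."""
    if len(data) < 16 or data[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = data[5]
    info = {
        "managed": bool(flags & 0x80),  # 'M' flag: addresses via DHCPv6
        "other": bool(flags & 0x40),    # 'O' flag: other config (DNS) via DHCPv6
        "prefixes": [],
        "rdnss": [],
    }
    pos = 16
    while pos + 2 <= len(data):
        opt_type, opt_len = data[pos], data[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(data):
            raise ValueError("malformed or truncated RA option")
        body = data[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            info["prefixes"].append({"prefix": str(net), "autonomous": bool(body[3] & 0x40)})
        elif opt_type == 25 and opt_len >= 24 and (opt_len - 8) % 16 == 0:
            for off in range(8, opt_len, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        pos += opt_len
    return info


def dns_delivery(info):
    """Say how a client receiving this RA can learn an IPv6 DNS server."""
    methods = []
    if info["rdnss"]:
        methods.append("RDNSS option in the RA (ra-dns)")
    if info["other"]:
        methods.append("O flag set: clients query DHCPv6 (ra-other)")
    return methods or ["none: this RA gives clients no IPv6 DNS server"]


if __name__ == "__main__":
    samples = {
        'ra="true" ra-dns="..."': build_sample_ra(False, ["2001:8B0:123:1::2"]),
        'ra="true" ra-other="true"': build_sample_ra(True, []),
        'ra="true" only': build_sample_ra(False, []),
    }
    for label, raw in samples.items():
        parsed = parse_ra(raw)
        print(label, "->", parsed["rdnss"], dns_delivery(parsed))
```
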
<br />
= Next Steps, Bonding a Second Line =<br />
<br />
More info on http://www.firebrick.co.uk/fb2700/bonding.php <br />
ADSL and FTTC lines can be bonded. Typically A&A customers bond a BT and a Be line for greater resilience. Multiple FTTC lines can be bonded together too in the same way.<br />
<br />
== Set up second PPPoE ==<br />
<br />
Set up port 3 to connect to the second modem you have, ie: <br />
<syntaxhighlight><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/><br />
</syntaxhighlight><br />
and change the port from: <br />
<syntaxhighlight><br />
<port name="LAN3" ports="3"/><br />
</syntaxhighlight><br />
to <br />
<syntaxhighlight><br />
<port name="WAN2" ports="3"/> <br />
</syntaxhighlight><br />
If you prefer, you can rearrange the ports so that they are in sequential order etc... <br />
<br />
We now have: <br />
<br />
*Port 1 = LAN <br />
*Port 2 = Spare <br />
*Port 3 = ADSL Line 2 <br />
*Port 4 = ADSL Line 1<br />
<br />
== Bond the PPPoE: ==<br />
<br />
''Bonding on a 2700 requires the Bonding capability - found on the Fully-Loaded and Bonding variants.'' <br />
<br />
Simply setting speed=x in the ppp config will bond the PPPoE for uplink.<br />
The speed value is in ''bits per sec''. You can use G/M/K when specifying the value, as well as B for bytes, or i for a power of 2 (e.g. 1000000 is the same as 1M).<br />
<br />
eg: <br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/><br />
</syntaxhighlight><br />
Since each PPP connection will give the FireBrick a default route, the FireBrick will use both, and upload traffic on each ppp connection up to the speed given. The speed is in bits, so this example is where the upload is 1M.<br />
If the upload is different on the lines, then that's fine - eg, you may have a line using Annex-A and one Annex-M. Setting the speed correctly will mean the correct amount of traffic will be sent up each line.<br />
<br />
Our config now looks like this:<br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2" comment="IPv6 LAN"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
<br />
</syntaxhighlight><br />
<br />
= Setting up 3G Fallback =<br />
If you have an AA data SIM, the FireBrick can be configured to use this as a backup connection, by using a 3G dongle plugged into the USB port. Any routed legacy IP blocks will continue to work across this link, but so far IPv6 isn't supported. The FireBrick is known to support the ZTE MF112 Dongle and some Huawei dongles. Others may work too.<br />
The basic config is:<br />
<syntaxhighlight><br />
<usb><br />
<dongle username="startup_user@startup_domain" password=""/><br />
</usb><br />
</syntaxhighlight><br />
<br />
Provided you use your AA username and password, then that's all you need to get the dongle configured. If your main broadband connection goes down, the FireBrick will automatically switch to use the 3G connection, then back again once your main connection is back.<br />
<br />
= Set Ports 1 and 2 to be a switch =<br />
To make use of port 2, we can configure it to be another LAN1 port.<br />
Our current port config is:<br />
<syntaxhighlight><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
We can change this to make port 2 a LAN1 port:<br />
<syntaxhighlight><br />
<port name="LAN1" ports="1 2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
<br />
Now ports 1 and 2 act as a switch on the LAN interface, and ports 3 and 4 are connected to the 2 ADSL modems.<br />
<br />
=Other Things=<br />
== Accessing the Modem ==<br />
<br />
The modem, or ADSL router in bridge mode, will also have a LAN IP that you can use to get to its config pages etc. E.g. the ZyXEL P660-R will still have a LAN setting, with an IP set. For the purpose of this example, let's assume the modem is on 192.168.1.2 mask 255.255.255.0. <br />
<br />
In order to talk to the Modem from the LAN side of the FireBrick, a Subnet on the FireBrick needs to be made. This subnet would be on the WAN Interface, eg: <br />
<br />
<syntaxhighlight><br />
<interface name="WAN" port="WAN1"><br />
<subnet ip="192.168.1.1/24" comment="IP subnet on WAN for router config"/><br />
</interface><br />
</syntaxhighlight><br />
<br />
'''Static Routes:'''<br />
<br />
The previous config will put the FB on 192.168.1.1, and allow the FB to route IP packets between your LAN subnet and the 192.168.1 subnet. However, at this stage, you may find you are still unable to ping the modem on the WAN port. This is because although packets from your 81.x.x.x address are correctly routed to the modem, the modem itself knows no route back to 81.x.x.x. It knows nothing of the FB. So we need to tell it by setting a static route. <br />
<br />
ZyXEL P-660R:<br />
<br />
You will have configured the IP and Netmask on the 'LAN' tab. But there's no 'Gateway', so we must go to 'Advanced' -&gt; 'Static Routes' tab, and create one. Enter it as follows: IP, Mask = base address of your internal LAN; eg: 81.xx.xx.0, 255.255.255.192. The 'Gateway' address is pointing back at the FB, eg 192.168.1.1. Check the box to Activate the route, hit the 'Apply' button, and that's it done. <br />
<br />
Vigor 120:<br />
<br />
You need to telnet in to the CLI to set the route. The commands to set a route back to 81.x.x.0 via the FB at 192.168.1.1 are: <br />
<br />
<pre>ip route status<br />
ip route add 81.x.x.0 255.255.255.192 192.168.1.1 static<br />
ip route status <br />
</pre><br />
<br />
Once this is confirmed working, you should do a: <br />
<br />
<pre>sys commit </pre><br />
<br />
to save it to flash, otherwise it's lost on power-down. <br />
<br />
The Draytek CLI reference may be found here: ftp://ftp.draytek.com/Document/Telnet_Commands_V1.11.zip <br />
<br />
Now, assuming the modem is on 192.168.1.2, you'll be able to access it from the LAN side of the FireBrick.<br />
<br />
== Other, other things ==<br />
<br />
You may want to look at the [[FireBrick]] page as there are examples there for setting up OTP, syslog, auto-updates and so on. <br />
<br />
[[Category:Bonding]][[Category:FireBrick]][[Category:BT]][[Category:BE]][[Category:ADSL]][[Category:Configuring]]</div>Tgbhttps://support.aa.net.uk/index.php?title=FireBrick_2700_Configuration_run-through&diff=934FireBrick 2700 Configuration run-through2011-06-02T21:17:28Z<p>Tgb: Added info on 3G fallback</p>
<hr />
<div>=Also See:=<br />
*Our main [[FireBrick]] wiki page<br />
<br />
= Overview =<br />
Here we will build a config file for an FB2700 from scratch. It should help you to build a configuration for your line(s) and help you understand the XML syntax etc. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.<br />
<br />
These examples are based on V0.00.608 (2011-01-05), and future firmware releases may have different configuration requirements. Some people converting from a 105 may prefer to also use the 105 converter tool, and base the configuration for your new 2700 on that output. More info at: http://www.firebrick.co.uk/fb105config.php <br />
<br />
We have an AAISP ADSL line with the following details: <br />
<br />
*Username= abc@a.1 Password=secret <br />
*Routed IP block = 192.0.2.0/28<br />
(Later in the page, we'll be adding an IPv6 block, and bonding with a second line)<br />
(192.0.2.0/28 is used in this example as the 192.0.2 block is a special block reserved for documentation (RFC 5737). We will also use the v6 documentation prefix 2001:DB8:: (RFC 3849).)<br />
<br />
= Default Config =<br />
<br />
The default configuration (of a fully-loaded FireBrick) looks like this: <br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd"<br />
timestamp="1970-01-01T00:00:07Z"><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="LAN4" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<dhcp ip="10.0.0.100-199"/><br />
</interface><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
<services><br />
<ntp/><br />
<telnet comment="Set allow IP list to restrict access"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
This sets up the 4 Ethernet ports as separate LANs, and an IP of 10.0.0.1 (and 2001:DB8::1)&nbsp;with the FireBrick acting as a DHCP server on the first port. So, connecting a computer to Port 1 should get you a 10.0.0.x IP address, and you can access http://10.0.0.1 . Port 1 is also a DHCP client, so it will try to get an IP from your DHCP server, if you have one. Check your DHCP server logs for what IP is allocated.<br />
<br />
Port 4 is set as an example of a PPPoE client (i.e. to be plugged in to an ADSL modem/FTTC/FTTP modem etc). We'll set this up a little later.<br />
<br />
= Configuring Initial Basic Settings =<br />
<br />
Set yourself a user with full debug rights, eg: <br />
<syntaxhighlight><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
</syntaxhighlight><br />
<br />
To explain the timeout a bit:<br />
The timeout is how long this user stays logged in to the FB admin pages/telnet.<br />
PT (Period Time)<br />
20M is 20 minutes.<br />
You can just enter 3600, and it will convert it to PT1H (as in a number on its own will mean seconds).<br />
<br />
Modify the ntp time server to use the AAISP time server: <br />
<syntaxhighlight><br />
<ntp timeserver="time.aaisp.net.uk"/><br />
</syntaxhighlight><br />
Modify the telnet service to permit only access from your LAN: <br />
<syntaxhighlight><br />
<telnet allow="192.0.2.0/28"/><br />
</syntaxhighlight><br />
Set DNS servers and your domain name, under the services (here we're using the AAISP DNS servers): <br />
<syntaxhighlight><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
</syntaxhighlight><br />
Note: If you are using PPPoE, then you can leave the resolvers empty, and the FireBrick will obtain the DNS servers from the ISP.<br />
<br />
= LAN Subnet =<br />
<br />
We want to use just Ethernet port 1 on the FireBrick for our LAN, we'll be connecting port 1 to a switch, and all our devices will be plugged in to that switch. <br />
<br />
So, first we'll add a new subnet, this can go under the current 10.0.0.1 subnet (which we'll delete later.)&nbsp;And we'll make this a DHCP server: <br />
<syntaxhighlight><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</syntaxhighlight><br />
Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN1 interface now looks like this: <br />
<br />
<syntaxhighlight><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
</syntaxhighlight><br />
<br />
Our complete config now looks like this: <br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="LAN4" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
At this point we can save the config, there should be no errors. <br />
<br />
Our computer should then pick up a new 192.0.2.x IP address, and we can connect back to the FireBrick on http://192.0.2.1 <br />
<br />
If that works, we can now safely remove the DHCP client subnet and the&nbsp;10.0.0.1 subnet, so remove the lines: <br />
<syntaxhighlight><br />
<subnet comment="dhcp client"/><br />
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/><br />
</syntaxhighlight><br />
Save, and re-connect to the web interface.<br />
<br />
= PPPoE =<br />
<br />
More info on&nbsp;http://www.firebrick.co.uk/fb2700/pppoe.php <br />
<br />
The FireBrick 2700 supports PPPoE - so you can use it to connect via an xDSL modem, eg a: <br />
<br />
*A BT supplied&nbsp;FTTC/FTTP Modem <br />
*A standard issue AAISP ZyXEL P660-D1, in bridge mode (Go to: Wan - Wan setup, mode Bridge, Encapsulation RFC1483, Multiplex LLC) <br />
*Another ADSL router set for bridge mode <br />
*A modem such as a Draytek [[Vigor_120]] (firmware 3.2.4.3 and above)<br />
<br />
Note: You cannot just use any of these devices on any line type: There are combinations that will work, and combinations that will not. You MUST read the link above. In short, BT lines can auto-detect PPPoA or PPPoE, so will work with pretty much anything. BE lines on the other hand are hard-coded to either PPPoE OR PPPoA. For a BE PPPoE line, a simple bridge mode router like the ZyXEL is the correct choice. For a BE PPPoA line, you need a device that can do true PPPoA on the wire <-> PPPoE on the LAN to the FB. The Vigor 120 is one of the only devices that can do this. <br />
<br />
In our default config, you can see that we already have some PPPoE settings: <br />
<syntaxhighlight><br />
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/><br />
</syntaxhighlight> <br />
This is using Ethernet port 4, so plug your modem in to that port. <br />
<br />
This line can be changed for your ADSL settings, eg: <br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
</syntaxhighlight> <br />
We've also set the FireBrick to create a graph for this, as well as to log. <br />
<br />
We've changed the port to WAN1, so we also need to change the port config earlier in the file, so change <br />
<syntaxhighlight><br />
<port name="LAN4" ports="4"/><br />
</syntaxhighlight><br />
to: <br />
<syntaxhighlight><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
Our complete config in full now looks like this: <br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
By default the PPPoE will be used as the default route, so saving this config should mean you have an internet connection!<br />
<br />
==1500 MTU?==<br />
The default MTU is 1492 for PPPoE. However, if your modem supports jumbo frames, then you should be able to use a full 1500 MTU on the PPPoE. The BT supplied modem for FTTC does support this, other modems may or may not...<br />
Config-wise, just add mtu="1500" to the ppp element.<br />
E.g.:<br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" mtu="1500"/><br />
</syntaxhighlight><br />
<br />
==ZyXEL P660R-D1 Notes==<br />
(These notes will be similar for any type of ADSL router in Bridge mode, or ADSL modems.)<br />
<br />
The P660R-D1 also supports a hybrid [http://www.zyxel.co.uk/web/support_faq_detail.php?faqID=136&pid=20040812093058 Half Bridge mode]; the PPP session is terminated on the modem but its internal NAT is disabled and the WAN IP is assigned to the firewall / router connected to its ethernet port via short DHCP lease. This configuration may suffice for some simpler setups, the advantage being the modem can be used with a PPPoA setup (e.g. Opal / Tiscali Business LLU). The modem remains accessible on its default LAN IP address.<br />
<br />
When setting up the ZyXEL to work with the FireBrick, set the WAN settings to be:<br />
<br />
===For a BT Line ( which will do PPPoA or PPPoE ):===<br />
*Name: AAISP (But can be anything)<br />
*Mode: Bridge<br />
*Encapsulation: RFC 1483<br />
*Multiplexing: LLC (VC may work on 20cn, but stick with LLC)<br />
*VPI: 0<br />
*VCI: 38<br />
*ADSL modulation type: Multimode<br />
<br />
===For a Be PPPoE Line:===<br />
*Name: AAISP (But can be anything)<br />
*Mode: Bridge<br />
*Encapsulation: RFC 1483<br />
*Multiplexing: LLC<br />
*VPI: 0<br />
*VCI: 101<br />
*ADSL modulation type: Multimode<br />
<br />
===For a Be PPPoA Line:===<br />
You will need to use a Draytek Vigor 120, or similar device, which can provide true PPPoA <-> PPPoE bridging. The ZyXEL won't do this. Please read the link: &nbsp;http://www.firebrick.co.uk/fb2700/pppoe.php<br />
<br />
Also make a note of the LAN address, as you'll set a subnet on the FireBrick below so that you can still access the ZyXEL from your LAN.<br />
As the ZyXEL is not doing any PPP in bridge mode, the 'Internet' LED will not light up; the DSL light will still indicate sync though.<br />
<br />
= Filters =<br />
With no filters set, the default is to allow all incoming and outgoing traffic.<br />
<br />
More info on&nbsp;http://www.firebrick.co.uk/fb2700/firewall.php <br />
<br />
Since that page is more of a reference than a tutorial, it contains no examples. So here's a code snippet from a working config which allows incoming SMTP to your mail server, and IAX2 to an asterisk box, as a starting point:<br />
<br />
<syntaxhighlight><br />
<rule-set target-interface="LAN1" drop="reject" comment="Default firewall rule - block incoming"><br />
<rule source-interface="self" comment="Allow from the FireBrick though"/><br />
<rule name="SMTP" target-ip="81.x.xxx.190" target-port="25"/><br />
<rule name="IAX2" target-ip="81.x.xxx.189" target-port="4569"/><br />
</rule-set><br />
</syntaxhighlight><br />
<br />
For debugging, you can add log="true" and/or graph="xyz" to the <rule .../> lines, which will then print an entry to the log when the rule is matched, and will also draw graphs for that traffic, eg:<br />
<br />
== VoIP Rules ==<br />
<br />
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: <br />
<syntaxhighlight><br />
<rule-set name="Incoming Firewall Rules"><br />
<rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/><br />
<rule name="RTP" target-ip="192.0.2.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/><br />
</rule-set><br />
</syntaxhighlight><br />
Here the rules are defined in a rule-set. rule-sets allow helpful management of rules. Ie you can have a couple of main rule sets for example for Incoming Traffic, Port Maps, Outgoing Traffic etc. Rules and rule-sets are processed in order, top to bottom.<br />
<br />
This also sets a graph for RTP. You may want to restrict the target to just your VoIP phones, as the above sets the target to the whole of the LAN.<br />
<br />
== Restricting FireBrick Config access ==<br />
<br />
You may only want to allow access to the FireBrick webserver from your LAN, do this in the http service, eg, change the current line to: <br />
<syntaxhighlight><br />
<http allow="192.0.2.1/28"/><br />
</syntaxhighlight><br />
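An added example (not part of the original page or of FireBrick's own tooling): a Python check that reads a config like the ones on this page and reports any http or telnet service that has no allow list, or an allow entry outside the subnets configured on the FireBrick's interfaces. It assumes allow holds space-separated addresses or CIDR prefixes; the function names and the trimmed sample config are constructed for illustration.<br />

```python
import ipaddress
import xml.etree.ElementTree as ET

MGMT_SERVICES = ("http", "telnet")  # management services shown on this page

# Constructed sample, trimmed from the walkthrough config (documentation addresses).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <interface name="LAN1" port="LAN1">
  <subnet ip="2001:DB8:123:1::1/64" ra="true" comment="IPv6 LAN"/>
  <subnet ip="192.0.2.1/28" comment="LAN"/>
  <dhcp ip="192.0.2.2-12"/>
 </interface>
 <services>
  <ntp/>
  <telnet allow="192.0.2.0/28"/>
  <http/>
 </services>
</config>
"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    """All elements with the given local name, regardless of namespace."""
    return [el for el in root.iter() if local(el.tag) == name]


def interface_networks(root):
    """Networks taken from every <interface>/<subnet ip="..."> entry."""
    nets = []
    for iface in find_all(root, "interface"):
        for child in iface:
            if local(child.tag) != "subnet":
                continue
            # One ip attribute may carry several addresses, e.g. IPv6 and IPv4.
            for addr in child.get("ip", "").split():
                nets.append(ipaddress.ip_interface(addr).network)
    return nets


def audit_management(xml_text, trusted=None):
    """Return (service, problem) tuples for http/telnet elements.

    trusted: networks that may reach the admin services; defaults to the
    subnets configured on the interfaces in the same config.
    """
    root = ET.fromstring(xml_text)
    trusted = trusted or interface_networks(root)
    findings = []
    for services in find_all(root, "services"):
        for svc in services:
            name = local(svc.tag)
            if name not in MGMT_SERVICES:
                continue
            allow = svc.get("allow")
            if not allow:
                findings.append((name, "no allow list"))
                continue
            # Assumption: allow is a space-separated list of addresses/prefixes.
            for entry in allow.split():
                try:
                    # strict=False accepts host-style prefixes such as 192.0.2.1/28
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    findings.append((name, f"unparsed allow entry {entry!r}"))
                    continue
                inside = any(net.version == t.version and net.subnet_of(t)
                             for t in trusted)
                if not inside:
                    findings.append(
                        (name, f"allow entry {net} is outside the interface subnets"))
    return findings


if __name__ == "__main__":
    for service, problem in audit_management(SAMPLE_CONFIG):
        print(f"{service}: {problem}")
```

Entries it cannot parse, such as address ranges, are reported for manual review rather than guessed at.<br />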
<br />
= Native IPv6 =<br />
<br />
Assuming you have an IPv6 block allocated to your line on Clueless and you're using the FB for PPPoE, then all the FB config needs is: <br />
<br />
*An IPv6 address on the LAN subnet <br />
*ra="true" in the subnet<br />
<br />
Your computers should then get IPv6 details. Test on http://ip.help.me.uk.<br />
<br />
If you previously had your IPv6 allocation routed over a Protocol 41 tunnel to a tunnel end-point machine on your LAN, you now need to remove that on clueless to allow native IPv6 to the FB. Log in to clueless and simply clear the IPv4 endpoint address, and save the changes. You then need to drop the connection to AAISP, and re-connect, for the routing change to take effect. Also remember to shut down your LAN tunnel endpoint, so it's not still announcing routes it can't honour any more.<br />
<br />
If you still need to use Tunnelled IPv6, rather than Native, see this page: [[FireBrick 2700 v6 Tunnel]]<br />
<br />
So, our config will look like this:<br />
<syntaxhighlight><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" comment="IPv6 LAN"/><br />
...<br />
</interface><br />
...<br />
</syntaxhighlight><br />
<br />
Our complete config now looks like:<br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="LAN3" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" comment="IPv6 LAN"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
</syntaxhighlight><br />
<br />
'''DNS auto-config''':<br />
<br />
( since release V0.02.039 )<br />
<br />
Setting 'ra=true' will enable auto-configuration of IPv6 addresses, and of the Default Route.<br />
You may also wish to configure IPv6 DNS servers ( DNS servers that are to be queried over IPv6 ).<br />
<br />
There are a couple of different mechanisms available to push out IPv6 DNS servers, and the FB2700 supports both.<br />
Be sure your DNS server actually responds on its IPv6 address!<br />
<br />
The first method is to have the FB include the DNS server addresses as a new option (RDNSS) in the Router Advertisements (RFC6106).<br />
RFC6106 aware clients are, however, somewhat thin on the ground at the moment.<br />
To enable this, set the 'ra-dns' option to point to your IPv6 Recursive DNS Server.<br />
In this example, I'm pointing it to a DNS server on 2001:8B0:B7:1::2.<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-dns="2001:8B0:123:1::2"/><br />
</syntaxhighlight><br />
<br />
This will make the FB include the RDNSS option in the Router Advertisements.<br />
If the client is smart enough, this is all it will take.<br />
<br />
Most clients are not currently able to receive this option.<br />
So we can also use the more traditional method:<br />
Setting the 'O' flag in the RA, telling the client to do DHCPv6 after auto-configuration, and request 'Other' config data, ie DNS.<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="true"/><br />
</syntaxhighlight><br />
<br />
Now, the FB will set the 'O' flag in the RAs, causing your clients to then query a DHCPv6 server for 'Other' ( DNS ) config data.<br />
You must provision an external DHCPv6 server to respond to these queries.<br />
<br />
The FB can also be configured to run a mini-DHCPv6 server to respond to these queries by itself, eliminating the need for an external DHCPv6 server.<br />
To enable the 'O' flag AND the mini-DHCPv6, set the ra-other option to 'dhcpv6', and also specify the DNS server address to be doled out in the ra-dns option:<br />
<br />
<syntaxhighlight><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2"/><br />
</syntaxhighlight><br />
<br />
Now, the clients are instructed to do DHCPv6, and this FB will respond with the addresses listed.<br />
Future releases may support the Search List options, too.<br />
<br />
Tested with: Win 7, Win Vista<br />
<br />
Note:<br />
It's not always clear on the win boxes whether this worked.<br />
On a Vista box, the command 'ipconfig /all' will show both IPv4 and IPv6 DNS servers configured.<br />
Win7 seems lame, and only reports IPv4.<br />
To show the IPv6 DNS servers, you need to use the command 'netsh interface ipv6 show dns'.<br />
<br />
= Next Steps, Bonding a Second Line =<br />
<br />
More info on&nbsp;http://www.firebrick.co.uk/fb2700/bonding.php <br />
ADSL and FTTC lines can be bonded; typically A&A customers bond a BT and a Be line for greater resilience. Multiple FTTC lines can be bonded together in the same way.<br />
<br />
== Set up second PPPoE ==<br />
<br />
Set up port 3 to connect to the second modem you have, ie: <br />
<syntaxhighlight><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/><br />
</syntaxhighlight><br />
and change the port from: <br />
<syntaxhighlight><br />
<port name="LAN3" ports="3"/><br />
</syntaxhighlight><br />
to <br />
<syntaxhighlight><br />
<port name="WAN2" ports="3"/> <br />
</syntaxhighlight><br />
If you prefer, you can rearrange the ports so that they are in sequential order etc... <br />
<br />
We now have: <br />
<br />
*Port 1 = LAN <br />
*Port 2 = Spare <br />
*Port 3 = ADSL Line 2 <br />
*Port 4 = ADSL Line 1<br />
<br />
== Bond the PPPoE: ==<br />
<br />
''Bonding on a 2700 requires the Bonding capability - found on the Fully-Loaded and Bonding variants.'' <br />
<br />
Simply setting speed=x in the ppp config will bond the PPPoE for uplink.<br />
The speed value is in ''bits per sec''. You can use G/M/K when specifying the value, as well as B for bytes, or i for a power of 2 (e.g. 1000000 is the same as 1M).<br />
<br />
eg: <br />
<syntaxhighlight><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/><br />
</syntaxhighlight><br />
Since each PPP connection will give the FireBrick a default route, the FireBrick will use both, and upload traffic on each ppp connection up to the speed given. The speed is in bits, so this example is where the upload is 1M.<br />
If the upload is different on the lines, then that's fine - eg, you may have a line using Annex-A and one Annex-M. Setting the speed correctly will mean the correct amount of traffic will be sent up each line.<br />
<br />
Our config now looks like this:<br />
<br />
<syntaxhighlight><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"><br />
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
<interface name="LAN1" port="LAN1"><br />
<subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2" comment="IPv6 LAN"/><br />
<subnet ip="192.0.2.1/28" comment="LAN"/><br />
<dhcp ip="192.0.2.2-12"/><br />
</interface><br />
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/><br />
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/><br />
<services><br />
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/><br />
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/><br />
<telnet allow="192.0.2.0/28"/><br />
<http/><br />
</services><br />
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming"><br />
<rule source-interface="self" comment="allow from the FireBrick though"/><br />
</rule-set><br />
</config><br />
<br />
</syntaxhighlight><br />
<br />
== Setting up 3G Fallback ==<br />
If you have an AA data SIM, the FireBrick can be configured to use this as a backup connection, by using a 3G dongle plugged into the USB port. Any routed legacy IP blocks will continue to work across this link, but so far IPv6 isn't supported. The FireBrick is known to support the ZTE MF112 Dongle and some Huawei dongles. Others may work too.<br />
The basic config is:<br />
<syntaxhighlight><br />
<usb><br />
<dongle username="startup_user@startup_domain" password=""/><br />
</usb><br />
</syntaxhighlight><br />
<br />
Provided you use your AA username and password, then that's all you need to get the dongle configured. If your main broadband connection goes down, the FireBrick will automatically switch to use the 3G connection, then back again once your main connection is back.<br />
<br />
= Set Ports 1 and 2 to be a switch =<br />
To make use of port 2, we can configure it to be another LAN1 port.<br />
Our current port config is:<br />
<syntaxhighlight><br />
<port name="LAN1" ports="1"/><br />
<port name="LAN2" ports="2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
We can change this to make port 2 a LAN1 port:<br />
<syntaxhighlight><br />
<port name="LAN1" ports="1 2"/><br />
<port name="WAN2" ports="3"/><br />
<port name="WAN1" ports="4"/><br />
</syntaxhighlight><br />
<br />
Now ports 1 and 2 act as a switch on the LAN interface, and ports 3 and 4 are connected to the 2 ADSL modems.<br />
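A sanity check for the port change above, as an added example (not part of the original page or FireBrick's own tooling): after merging port 2 into LAN1, this Python script confirms that no physical port sits in two port groups and that every interface or ppp element still names a defined port group. The sample configs are constructed, and the interface names LAN and LAN-B are hypothetical.<br />

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip any XML namespace so '{ns}port' and 'port' compare equal."""
    return tag.rsplit("}", 1)[-1]

def check_port_groups(config_xml):
    """Return a list of problems found in the port-group layout."""
    root = ET.fromstring(config_xml)
    problems, groups = [], set()
    owner = {}  # physical port number -> name of the group that claimed it first
    for el in root.iter():
        if local(el.tag) != "port":
            continue
        name = el.get("name")
        groups.add(name)
        for phys in el.get("ports", "").split():
            if phys in owner and owner[phys] != name:
                problems.append(f"physical port {phys} is in both {owner[phys]} and {name}")
            owner.setdefault(phys, name)
    # Every <interface>/<ppp> must point at a port group that still exists.
    for el in root.iter():
        kind, ref = local(el.tag), el.get("port")
        if kind in ("interface", "ppp") and ref is not None and ref not in groups:
            label = el.get("name") or el.get("comment") or "?"
            problems.append(f"<{kind}> '{label}' uses undefined port group {ref}")
    return problems

# Constructed sample: the merged layout from this section plus minimal users of it.
MERGED = """<config>
 <port name="LAN1" ports="1 2"/>
 <port name="WAN2" ports="3"/>
 <port name="WAN1" ports="4"/>
 <interface name="LAN" port="LAN1"/>
 <ppp port="WAN1" comment="BT ADSL"/>
 <ppp port="WAN2" comment="BT ADSL"/>
</config>"""

# Constructed failure cases: a leftover reference to LAN2, and port 2 listed twice.
STALE = MERGED.replace('<interface name="LAN" port="LAN1"/>',
                       '<interface name="LAN" port="LAN1"/>\n <interface name="LAN-B" port="LAN2"/>')
OVERLAP = MERGED.replace('ports="3"', 'ports="2 3"')

if __name__ == "__main__":
    for title, cfg in (("merged", MERGED), ("stale", STALE), ("overlap", OVERLAP)):
        print(title, check_port_groups(cfg) or "ok")
```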
<br />
=Other Things=<br />
== Accessing the Modem ==<br />
<br />
The modem, or ADSL router in bridge mode, will also have a LAN IP that you can use to get to its config pages etc. E.g., the ZyXEL P660-R will still have a LAN setting, with an IP set. For the purpose of this example, let's assume the modem is on 192.168.1.2 mask 255.255.255.0. <br />
<br />
In order to talk to the modem from the LAN side of the FireBrick, a subnet needs to be created on the FireBrick. This subnet would be on the WAN interface, e.g.: <br />
<br />
<syntaxhighlight><br />
<interface name="WAN" port="WAN1"><br />
<subnet ip="192.168.1.1/24" comment="IP subnet on WAN for router config"/><br />
</interface><br />
</syntaxhighlight><br />
<br />
'''Static Routes:'''<br />
<br />
The previous config will put the FB on 192.168.1.1, and allow the FB to route IP packets between your LAN subnet and the 192.168.1 subnet. However, at this stage, you may find you are still unable to ping the modem on the WAN port. This is because although packets from your 81.x.x.x address are correctly routed to the modem, the modem itself knows no route back to 81.x.x.x. It knows nothing of the FB. So we need to tell it by setting a static route. <br />
<br />
ZyXEL P-660R:<br />
<br />
You will have configured the IP and Netmask on the 'LAN' tab. But there's no 'Gateway', so we must go to 'Advanced' -&gt; 'Static Routes' tab, and create one. Enter it as follows: IP, Mask = base address of your internal LAN; eg: 81.xx.xx.0, 255.255.255.192. The 'Gateway' address is pointing back at the FB, eg 192.168.1.1. Check the box to Activate the route, hit the 'Apply' button, and that's it done. <br />
<br />
Vigor 120:<br />
<br />
You need to telnet in to the CLI to set the route. The commands to set a route back to 81.x.x.0 via the FB at 192.168.1.1 are: <br />
<br />
<pre>ip route status<br />
ip route add 81.x.x.0 255.255.255.192 192.168.1.1 static<br />
ip route status <br />
</pre><br />
<br />
Once this is confirmed working, you should do a: <br />
<br />
<pre>sys commit </pre><br />
<br />
to save it to flash, otherwise it's lost on power-down. <br />
<br />
The Draytek CLI reference may be found here: ftp://ftp.draytek.com/Document/Telnet_Commands_V1.11.zip <br />
<br />
Now, assuming the modem is on 192.168.1.2, you'll be able to access it from the LAN side of the FireBrick.<br />
<br />
== Other, other things ==<br />
<br />
You may want to look at the [[FireBrick]] page as there are examples there for setting up OTP, syslog, auto-updates and so on. <br />
<br />
[[Category:Bonding]][[Category:FireBrick]][[Category:BT]][[Category:BE]][[Category:ADSL]][[Category:Configuring]]</div>Tgb