This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
[[File:2700-small.png|link=:Category:FireBrick]]
=Overview=
A FireBrick can easily be configured to act as an LNS (L2TP Network Server). You can then terminate direct L2TP connections on it from remote devices, or relay data SIMs or DSL circuits on to it (where the ISP supports L2TP relay, which we do on the A&A Data SIMs and DSL services). This means you can have remote 3G/4G LTE Mobile Data SIMs or DSL circuits terminated directly on to your LAN or on to a VLAN on your internal network.
This is ideal for remote monitoring, digital signage, machine-to-machine networking, IoT, etc. Because the remote device is terminated on the FireBrick, you have full control over the firewall rules and Internet access to and from the remote device.
*A 'Fully Loaded' FireBrick is required for [[L2TP]] features
*AAISP Data SIMs can be relayed on to your own [[L2TP]] Server, such as a FireBrick. This will enable a remote SIM to be connected directly to your LAN and have an IP on your LAN, very similar to a VPN.
*The Computer (or device) with the SIM will not need any special config or software installed.
*Basic setups can be done in the FireBrick config without the need to run your own RADIUS server - for each SIM connecting in you'll need a single <match .../> config.
*The FireBrick allocates IPs statically within the config and can't use DHCP - for more advanced and more flexible configurations you'd run your own RADIUS server.
[[File:FireBrick-L2TP-Diagram.jpg|600px|An attempt at a network diagram showing the SIM on the internal LAN]]
=FireBrick Config=
On the WebUI, this is set under Tunnels, [[L2TP]], Incoming [[L2TP]] connections; a basic XML example is shown below:
<gallery widths=400px heights=400px caption="Screenshots" mode="traditional">
File:SIMtoL2TP-FireBrick1.png|L2TP settings
File:SIMtoL2TP-FireBrick2.png|Match settings
</gallery>
The settings explained are:
*lcp-rate/timeout - used for graphs. We don't need to poll as often, as the LCP echoes are not answered by the SIM itself but by the mobile network, so the latency shown on the graphs for SIMs should be ignored.
*name - just a name, e.g.
*graph - make a graph for this SIM - will show usage etc., but latency can be ignored.
*calling-station-id - this is the ICCID of the SIM, as AAISP use this as the calling station id.
==Firewall==
You will also need firewall filters, e.g. to allow traffic out of the SIM, in a
<syntaxhighlight lang="xml">
<rule name="L2TPOut" source-interface="l2tp"/>
</syntaxhighlight>
This of course can be restricted, so you could give a SIM just access to your LAN and not your WAN - i.e. to block internet access whilst allowing them to access your own internal servers.
==Routing from the LAN (Enable proxy-ARP)==
If you are assigning IPs from your LAN to the SIM, then because the [[L2TP]] connection is on a different interface to your LAN, you will need to set proxy-arp=true on the LAN interface to enable routing from the LAN to your SIM.
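As an added example (not from the A&A wiki or the FireBrick documentation), here are the firewall and proxy-ARP pieces above combined into one config fragment that gives a relayed SIM an address on the LAN but no Internet access. Element and attribute names not shown on this page (<l2tp>, <incoming>, <interface>, <subnet>, <rule-set>, no-match-action, action, source-ip), the addresses and the ICCID are all assumptions; check them against your own FireBrick's config editor.

```xml
<!-- Added example, not the wiki's or FireBrick's own config. Elements not
     shown on the wiki page (l2tp, incoming, interface, subnet, rule-set,
     no-match-action, action, source-ip) are assumed from the FireBrick
     config schema; addresses and the ICCID are made up. -->
<l2tp>
  <incoming name="SIMs" graph="SIMs" lcp-rate="30" lcp-timeout="60">
    <!-- One <match> per SIM, keyed on its ICCID (calling-station-id).
         remote-ip is an address inside the LAN subnet below. -->
    <match name="Sensor1" graph="Sensor1" calling-station-id="8944200000000000"
           remote-ip="192.168.1.201" comment="Remote sensor SIM"/>
  </incoming>
</l2tp>

<!-- proxy-arp so LAN hosts can reach 192.168.1.201 even though that
     address actually lives on the l2tp interface, not the LAN port. -->
<interface name="LAN" port="LAN" proxy-arp="true">
  <subnet ip="192.168.1.1/24"/>
</interface>

<!-- Firewall, least privilege: traffic from the SIM may only go to the LAN.
     Anything else (including the Internet via pppoe) hits no rule and is
     dropped by no-match-action. -->
<rule-set name="SIM-to-LAN-only" source-interface="l2tp" no-match-action="drop">
  <rule name="SIM to LAN" target-interface="LAN" action="accept"/>
</rule-set>

<!-- Reverse direction: only the monitoring host on the LAN may open
     connections towards the SIM; all other LAN hosts are dropped. -->
<rule-set name="LAN-to-SIM" source-interface="LAN" target-interface="l2tp"
          no-match-action="drop">
  <rule name="Monitor host to SIM" source-ip="192.168.1.10" action="accept"/>
</rule-set>
```

If the SIM does need Internet access later, add a rule for target-interface="pppoe" (or the NAT route-override from the next section) rather than relaxing no-match-action.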
=Separate (NAT) Subnet for the Dongle=
Rather than giving your SIM an IP on your LAN, you could give the SIM a private (RFC1918) IP in the <match .../> config, e.g.:
<syntaxhighlight lang="xml">
<match name="SIM" graph="SIM" calling-station-id="8944200000000000" remote-ip="192.168.99.99" comment="My SIM"/>
</syntaxhighlight>
To give the SIMs access to the Internet, you will need a Route Override configured to NAT the traffic from the [[L2TP]] to your Internet interface (in this case PPPoE), e.g.:
<syntaxhighlight lang="xml">
<route-override name="L2TP NAT">
<rule name="NAT the SIM for Internet Access" source-interface="l2tp" target-interface="pppoe" set-nat="true"/>
</route-override>
</syntaxhighlight>
[[Category:FireBrick]]
[[Category:L2TP Handover]]