FireBrick 2700 Configuration run-through: Difference between revisions
(→PPPoE) |
No edit summary |
||
Line 10: | Line 10: | ||
*Username= abc@a.1 Password=secret |
*Username= abc@a.1 Password=secret |
||
*Routed IP block = |
*Routed IP block = 1.2.3.0/28 |
||
= Default Config = |
= Default Config = |
||
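Review bot: the block 1.2.3.0/28 filled in here (and reused in every later hunk) is a real, routable prefix rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). If it is meant as a placeholder that readers replace with their own allocation, a documentation prefix avoids anyone pasting a config that addresses someone else's block, and the text should say explicitly that 1.2.3.0/28 stands for the block routed to your own line.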
Line 57: | Line 57: | ||
modify the telnet service to permit only access from your LAN: |
modify the telnet service to permit only access from your LAN: |
||
<syntaxhighlight> |
<syntaxhighlight> |
||
<telnet allow=" |
<telnet allow="1.2.3.0/28"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
Set DNS servers and your domain name, under the services: |
Set DNS servers and your domain name, under the services: |
||
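Review bot: `<telnet allow="1.2.3.0/28"/>` restricts the telnet service by source address only; telnet is still cleartext, so that allow list is the whole protection for the login on the LAN side. The `<http/>` line in the same services block is left without an allow= list until the hunk at Line 203, so between these two steps the web interface remains reachable from the PPPoE side; the http restriction belongs here alongside the telnet one.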
Line 70: | Line 70: | ||
So, first we'll add a new subnet, this can go under the current 10.0.0.1 subnet (which we'll delete later.) And we'll make this a DHCP server: |
So, first we'll add a new subnet, this can go under the current 10.0.0.1 subnet (which we'll delete later.) And we'll make this a DHCP server: |
||
<syntaxhighlight> |
<syntaxhighlight> |
||
<subnet ip=" |
<subnet ip="1.2.3.1/28" comment="LAN"/> |
||
<dhcp ip=" |
<dhcp ip="1.2.3.2-12"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN! interface now looks like this: |
Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN! interface now looks like this: |
||
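Review bot: typo in the unchanged context line "The LAN! interface now looks like this": should read "The LAN1 interface". The pool `<dhcp ip="1.2.3.2-12"/>` sits inside 1.2.3.1/28 and keeps the router's .1 out of it, which is right; the text could add that .13 and .14 stay free for static hosts such as the VoIP phones, since the VoIP hunk later suggests narrowing rules to the phone addresses.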
Line 79: | Line 79: | ||
<subnet comment="dhcp client"/> |
<subnet comment="dhcp client"/> |
||
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
||
<subnet ip=" |
<subnet ip="1.2.3.1/28" comment="LAN"/> |
||
<dhcp ip=" |
<dhcp ip="1.2.3.2-12"/> |
||
</interface> |
</interface> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
Line 97: | Line 97: | ||
<subnet comment="dhcp client"/> |
<subnet comment="dhcp client"/> |
||
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
||
<subnet ip=" |
<subnet ip="1.2.3.1/28" comment="LAN"/> |
||
<dhcp ip=" |
<dhcp ip="1.2.3.2-12"/> |
||
</interface> |
</interface> |
||
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/> |
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/> |
||
Line 104: | Line 104: | ||
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> |
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> |
||
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/> |
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/> |
||
<telnet allow=" |
<telnet allow="1.2.3.0/28"/> |
||
<http/> |
<http/> |
||
</services> |
</services> |
||
Line 115: | Line 115: | ||
At this point we can save the config, there should be no errors. |
At this point we can save the config, there should be no errors. |
||
Our computer should then pick up a new |
Our computer should then pick up a new 1.2.3.x IP address, and we can connected back to the FireBrick on http://1.2.3.1 |
||
if that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines: |
if that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines: |
||
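Review bot: grammar in the changed line: "we can connected back to the FireBrick" should be "we can connect back", and "if that works" at the start of the next sentence wants a capital. The instruction to delete the two temporary subnet lines is good, but note that the "complete config" listing at Line 167 still shows both of them, so the two places need reconciling.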
Line 167: | Line 167: | ||
<subnet comment="dhcp client"/> |
<subnet comment="dhcp client"/> |
||
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
||
<subnet ip=" |
<subnet ip="1.2.3.1/28" comment="LAN"/> |
||
<dhcp ip=" |
<dhcp ip="1.2.3.2-12"/> |
||
</interface> |
</interface> |
||
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/> |
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/> |
||
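Review bot: this "complete config" still contains `<subnet comment="dhcp client"/>` and the temporary `10.0.0.1/24` nat="true" subnet that the text at Line 115 told the reader to delete before continuing, so anyone copying this listing ends up with NAT and a DHCP-client subnet on the LAN they believed they had removed. Drop those two lines here so the listing matches the procedure. This is also the first listing with a live PPPoE credential (`password="secret"`): a sentence that the saved config file holds the PPP password in the clear, and should be stored with that in mind, would not go amiss.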
Line 174: | Line 174: | ||
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> |
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> |
||
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/> |
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/> |
||
<telnet allow=" |
<telnet allow="1.2.3.0/28"/> |
||
<http/> |
<http/> |
||
</services> |
</services> |
||
Line 194: | Line 194: | ||
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: |
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: |
||
<syntaxhighlight> |
<syntaxhighlight> |
||
<rule name="SIP" source-ip="81.187.30.110-119" target-ip=" |
<rule name="SIP" source-ip="81.187.30.110-119" target-ip="1.2.3.0/28" target-port="5060-5069"/> |
||
<rule name="RTP" target-ip=" |
<rule name="RTP" target-ip="1.2.3.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
This also sets a graph for RTP |
This also sets a graph for RTP, you may want to restrict the target to just your VoIP phones, as the above set the target at the whole of the LAN |
||
== Restricting FireBrick Config access == |
== Restricting FireBrick Config access == |
||
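Review bot: the RTP rule has no source-ip while the SIP rule restricts to 81.187.30.110-119, so `<rule name="RTP" target-ip="1.2.3.0/28" protocol="17" target-port="1025-5059 5070-" .../>` accepts UDP from any internet host to almost every unprivileged port on every LAN address (the open-ended "5070-" runs to the top of the port range). The context line already suggests narrowing target-ip to the phones; adding the media servers' addresses as a source-ip, or saying why the source is left open if those addresses cannot be pinned down, would close the gap. The unchanged "This also sets a graph for RTP, you may want..." is also a comma splice.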
Line 203: | Line 203: | ||
You may only want to allow access to the FireBrick webserver from your LAN, do this in the http service, eg, change the current line to: |
You may only want to allow access to the FireBrick webserver from your LAN, do this in the http service, eg, change the current line to: |
||
<syntaxhighlight> |
<syntaxhighlight> |
||
<http allow=" |
<http allow="1.2.3.1/28"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
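Review bot: `<http allow="1.2.3.1/28"/>` has host bits set, while the telnet line in the same config uses `1.2.3.0/28`. Use the network address here too so the two allow lists read the same and nobody wonders whether the .1 is significant. The lead-in "You may only want to allow access ... from your LAN, do this in the http service" is a comma splice as well.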
Revision as of 15:21, 5 January 2011
Here we will build a config file for a FB2700 from scratch. It should help you build a configuration for your line(s) and understand the XML syntax.
Overview
These examples are based on V0.00.608 (2011-01-05), and future firmware releases may have different configuration requirements. Some people converting from a 105 may prefer to also use the 105 converter tool and use its output as the basis for the configuration of their new 2700. More info at: http://www.firebrick.co.uk/fb105config.php
These config examples haven't been fully reviewed yet, so please bear that in mind; they are based on a working config though.
We have an ADSL line with the following details:
- Username= abc@a.1 Password=secret
- Routed IP block = 1.2.3.0/28
Default Config
The default configuration (of a fully-loaded FireBrick) looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="LAN4" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<dhcp ip="10.0.0.100-199"/>
</interface>
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
<services>
<ntp/>
<telnet comment="Set allow IP list to restrict access"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
This sets up the 4 Ethernet ports as separate LANs, with an IP of 10.0.0.1 (and 2001:DB8::1) and the FireBrick acting as DHCP server on the first port. So, connecting a computer to Port 1 should get you a 10.0.0.x IP address, and you can access http://10.0.0.1
Port 4 is set as an example of a PPPoE client, we'll set this up a little later.
Configuring Initial Basic Settings
Set yourself a user with full debug rights, eg:
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
Modify the ntp time server to use the AAISP time server:
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
Modify the telnet service to permit access only from your LAN:
<telnet allow="1.2.3.0/28"/>
Set DNS servers and your domain name, under the services:
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
LAN Subnet
We want to use just Ethernet port 1 on the FireBrick for our LAN; we'll connect port 1 to a switch, and all our devices will be plugged into that switch.
So, first we'll add a new subnet. This can go under the current 10.0.0.1 subnet (which we'll delete later), and we'll make the FireBrick a DHCP server for it:
<subnet ip="1.2.3.1/28" comment="LAN"/>
<dhcp ip="1.2.3.2-12"/>
Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN1 interface now looks like this:
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="1.2.3.1/28" comment="LAN"/>
<dhcp ip="1.2.3.2-12"/>
</interface>
Our complete config now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="LAN4" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="1.2.3.1/28" comment="LAN"/>
<dhcp ip="1.2.3.2-12"/>
</interface>
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
<services>
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
<telnet allow="1.2.3.0/28"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
At this point we can save the config; there should be no errors.
Our computer should then pick up a new 1.2.3.x IP address, and we can connect back to the FireBrick on http://1.2.3.1
If that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines:
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
Save, and re-connect to the web interface.
PPPoE
More info on http://www.firebrick.co.uk/fb2700/pppoe.php
The FireBrick 2700 supports PPPoE, so you can use it to connect via an xDSL modem, eg:
- A BT supplied FTTC Modem
- A standard issue AAISP ZyXEL P660-D1, in bridge mode (Go to: Wan - Wan setup, mode Bridge, Encapsulation RFC1483, Multiplex LLC)
- Another ADSL router set for bridge mode
- A modem such as a Draytek 120
In our default config, you can see that we already have some PPPoE settings:
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
This is using Ethernet port 4, so plug your modem into that port.
This line can be changed for your ADSL settings, eg:
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
We've also set the FireBrick to create a graph for this, as well as to log.
We've changed the port to WAN1, so we also need to change the port definition earlier in the file. Change
<port name="LAN4" ports="4"/>
to:
<port name="WAN1" ports="4"/>
Our complete config in full now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="WAN1" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="1.2.3.1/28" comment="LAN"/>
<dhcp ip="1.2.3.2-12"/>
</interface>
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
<services>
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
<telnet allow="1.2.3.0/28"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
By default the PPPoE link is used as the default route, so saving this config should give you an internet connection!
Filters
More info on http://www.firebrick.co.uk/fb2700/firewall.php
The default filters will block incoming traffic, and allow outgoing traffic.
VoIP Rules
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers:
<rule name="SIP" source-ip="81.187.30.110-119" target-ip="1.2.3.0/28" target-port="5060-5069"/>
<rule name="RTP" target-ip="1.2.3.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/>
This also sets a graph for RTP. You may want to restrict the target to just your VoIP phones, as the rule above targets the whole of the LAN.
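As an added example (not code from this wiki page or from FireBrick), the following Python script parses the rule-set and summarises how much each named rule opens: how many source addresses it accepts, how many LAN addresses and ports it reaches, and which rules carry no source restriction at all. The handling of FireBrick's range syntax (space-separated lists, "a-b" port ranges, an open-ended "5070-" taken to run to 65535, last-octet address ranges like 81.187.30.110-119) and the defaults assumed for a missing target-ip or target-port are assumptions based only on the rules shown on this page:

```python
"""Added example, not code from the FireBrick wiki page or from FireBrick:
parse the <rule> elements of an FB2700 config and summarise how much each
one opens. Range syntax handling and the defaults for missing attributes
are assumptions based on the rules shown on the page."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"fb": "http://firebrick.ltd.uk/xml/fb2700/"}
MAX_PORT = 65535

# Constructed sample: the page's default rule-set plus its two VoIP rules.
SAMPLE_RULES = """<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
  <rule source-interface="self" comment="allow from the FireBrick though"/>
  <rule name="SIP" source-ip="81.187.30.110-119" target-ip="1.2.3.0/28" target-port="5060-5069"/>
  <rule name="RTP" target-ip="1.2.3.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/>
 </rule-set>
</config>
"""


def parse_port_list(spec):
    """'5060', '1025-5059' and open-ended '5070-' (assumed to run to 65535),
    space separated. Returns a list of (low, high) tuples."""
    ranges = []
    for item in spec.split():
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi) if hi else MAX_PORT))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def count_addresses(spec):
    """Number of IPv4 addresses matched by a space-separated list of CIDR
    blocks, single addresses or last-octet ranges like '81.187.30.110-119'
    (assumption: the short range form varies only the last octet)."""
    total = 0
    for item in spec.split():
        if "-" in item:
            lo, hi = item.split("-", 1)
            if "." not in hi:  # short form: only the last octet given
                hi = lo.rsplit(".", 1)[0] + "." + hi
            total += int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1
        else:
            total += ipaddress.ip_network(item, strict=False).num_addresses
    return total


def analyse_rules(config_xml):
    """Return {rule name: summary} for every named rule in every rule-set.
    Assumption: a rule with no target-ip or target-port matches everything."""
    root = ET.fromstring(config_xml.encode())
    report = {}
    for rule in root.iterfind("fb:rule-set/fb:rule", NS):
        name = rule.get("name")
        if name is None:
            continue  # unnamed rules, e.g. the 'self' allow rule
        source_ip = rule.get("source-ip")
        ports = parse_port_list(rule.get("target-port", f"1-{MAX_PORT}"))
        report[name] = {
            "source_hosts": count_addresses(source_ip) if source_ip else None,
            "source_restricted": source_ip is not None or rule.get("source-interface") is not None,
            "target_hosts": count_addresses(rule.get("target-ip", "0.0.0.0/0")),
            "open_ports": sum(hi - lo + 1 for lo, hi in ports),
            "protocol": rule.get("protocol", "any"),
        }
    return report


def unrestricted_rules(config_xml):
    """Names of rules that accept traffic from any source address."""
    report = analyse_rules(config_xml)
    return [name for name, r in report.items() if not r["source_restricted"]]


if __name__ == "__main__":
    for name, r in analyse_rules(SAMPLE_RULES).items():
        src = "any" if r["source_hosts"] is None else r["source_hosts"]
        print(f"{name}: from {src} source host(s) to {r['target_hosts']} LAN host(s), "
              f"{r['open_ports']} port(s), protocol {r['protocol']}")
    print("rules open to any source:", unrestricted_rules(SAMPLE_RULES))
```

Run on the sample, it reports the SIP rule as 10 source hosts reaching 16 LAN hosts on 10 ports, and the RTP rule as any source reaching 16 LAN hosts on 64501 UDP ports. Narrowing target-ip to the phones, as suggested above, cuts the host count; if the media servers' addresses are fixed, a source-ip on the RTP rule like the one on the SIP rule cuts the source side too.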
Restricting FireBrick Config access
You may want to allow access to the FireBrick web server only from your LAN. Do this in the http service, eg, change the current line to:
<http allow="1.2.3.0/28"/>
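To check the points made in the LAN Subnet section and in this one in a single pass, the following Python lint (an added example, not code from this wiki page or from FireBrick) parses an FB2700 config and reports temporary setup subnets that are still present, a DHCP pool that falls outside the LAN subnet or includes the router's own address, and telnet or http services that either have no allow= list or whose allow entries are not within a LAN subnet. It also flags allow entries written with host bits set (1.2.3.1/28 rather than 1.2.3.0/28). The DHCP range syntax handling and the sample config embedded in the script are assumptions constructed from the listings above:

```python
"""Added example: a lint pass over an FB2700 XML config. This is not code from
the wiki page or from FireBrick; it applies the checks the LAN Subnet and
Restricting FireBrick Config access sections describe. Assumptions about
FireBrick syntax are noted in the comments."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"fb": "http://firebrick.ltd.uk/xml/fb2700/"}
MANAGEMENT_SERVICES = ("telnet", "http")  # services the page restricts with allow=

# Constructed sample: the page's config before the temporary subnets are
# deleted and before the http service gets an allow list.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <interface name="LAN1" port="LAN1">
  <subnet comment="dhcp client"/>
  <subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
  <subnet ip="1.2.3.1/28" comment="LAN"/>
  <dhcp ip="1.2.3.2-12"/>
 </interface>
 <services>
  <telnet allow="1.2.3.0/28"/>
  <http/>
 </services>
</config>
"""


def parse_dhcp_range(spec):
    """'1.2.3.2-12' -> (1.2.3.2, 1.2.3.12) as IPv4Address objects.
    Assumption: the short form varies only the last octet, as on the page."""
    lo, hi = spec.split("-", 1)
    if "." not in hi:
        hi = lo.rsplit(".", 1)[0] + "." + hi
    return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)


def lint_config(config_xml):
    """Return a list of (severity, message) findings; an empty list means clean."""
    root = ET.fromstring(config_xml.encode())
    findings = []
    lan_ifaces = []  # IPv4Interface objects for the real (non-temporary) LAN subnets

    for subnet in root.iterfind("fb:interface/fb:subnet", NS):
        ip_attr = subnet.get("ip")
        if ip_attr is None:  # a subnet with no ip= is the DHCP-client placeholder
            findings.append(("WARN", "DHCP-client subnet still present; remove it once the LAN works"))
            continue
        if subnet.get("nat") == "true":  # the setup-only NAT subnet
            findings.append(("WARN", f"temporary NAT subnet still present: {ip_attr}"))
            continue
        lan_ifaces.extend(i for i in map(ipaddress.ip_interface, ip_attr.split()) if i.version == 4)

    for dhcp in root.iterfind("fb:interface/fb:dhcp", NS):
        first, last = parse_dhcp_range(dhcp.get("ip"))
        homes = [i for i in lan_ifaces if first in i.network and last in i.network]
        if not homes:
            findings.append(("ERROR", f"DHCP pool {dhcp.get('ip')} is not inside any LAN subnet"))
        elif first <= homes[0].ip <= last:
            findings.append(("ERROR", f"DHCP pool {dhcp.get('ip')} includes the router address {homes[0].ip}"))

    lan_nets = [i.network for i in lan_ifaces]
    for name in MANAGEMENT_SERVICES:
        svc = root.find(f"fb:services/fb:{name}", NS)
        if svc is None:
            continue  # service not enabled at all
        allow = svc.get("allow")
        if allow is None:
            findings.append(("ERROR", f"{name}: no allow= list, so it answers from any source, PPPoE side included"))
            continue
        for entry in allow.split():
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                # e.g. 1.2.3.1/28: host bits set. It still means 1.2.3.0/28, but is easy to misread.
                net = ipaddress.ip_network(entry, strict=False)
                findings.append(("WARN", f"{name}: allow entry {entry} has host bits set; write it as {net}"))
            if not any(net.version == lan.version and net.subnet_of(lan) for lan in lan_nets):
                findings.append(("ERROR", f"{name}: allow entry {entry} is not within a LAN subnet"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

On the sample (the config as it stands before the temporary subnets are removed and before the http allow list is added) it reports two warnings for the temporary subnets and an error for the unrestricted http service; once those lines are fixed it returns an empty list. It deliberately treats the nat="true" subnet as temporary rather than as part of the LAN, so a DHCP pool or allow entry that only fits the 10.0.0.0/24 setup range is reported too.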
Native IPv6
Assuming you have an IPv6 block allocated to your line on Clueless and you're using the FB for PPPoE, then all the FB config needs is:
- An IPv6 address on the LAN subnet
- ra="true" in the subnet
Your computers should then get IPv6 details. Test on http://ip.help.me.uk
Next Steps, Bonding a Second PPPoE Line
More info on http://www.firebrick.co.uk/fb2700/bonding.php
Set up second PPPoE
Set up port 3 to connect to the second line you have, ie:
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/>
and change the port from:
<port name="LAN3" ports="3"/>
to:
<port name="WAN2" ports="3"/>
If you prefer, you can rearrange the ports so that they are in sequential order etc...
We now have:
- Port 1 = LAN
- Port 2 = Spare
- Port 3 = ADSL Line 2
- Port 4 = ADSL Line 1
Bond the PPPoE:
Bonding on a 2700 requires the Bonding capability - found on the Fully-Loaded and Bonding variants.
Simply setting speed=x in each ppp config will bond the PPPoE links for uplink, eg:
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1M"/>
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1M"/>
Since each PPP connection gives the FireBrick a default route, the FireBrick will use both, sending upload traffic on each PPP connection up to the speed given.