FireBrick 2700 Configuration run-through
Revision as of 15:59, 10 February 2011
Also See:
- Our main FireBrick wiki page
Overview
Here we will build a config file for a FB2700 from scratch. It should help you build a configuration for your line(s) and understand the XML syntax. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.
These examples are based on V0.00.608 (2011-01-05); future firmware releases may have different configuration requirements. Some people converting from a FireBrick 105 may prefer to also use the 105 converter tool and take its output as the basis for the configuration of the new 2700. More info at: http://www.firebrick.co.uk/fb105config.php
We have an AAISP ADSL line with the following details:
- Username= abc@a.1 Password=secret
- Routed IP block = 192.0.2.0/28
(Later in the page we'll be adding an IPv6 block and bonding with a second line.) 192.0.2.0/28 is used in this example because 192.0.2.0/24 is a block reserved for documentation (RFC 5737); we also use the IPv6 documentation prefix 2001:DB8::/32 (RFC 3849). Substitute the addresses actually routed to your line.
Default Config
The default configuration (of a fully-loaded FireBrick) looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd"
timestamp="1970-01-01T00:00:07Z">
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="LAN4" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<dhcp ip="10.0.0.100-199"/>
</interface>
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
<services>
<ntp/>
<telnet comment="Set allow IP list to restrict access"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
This sets up the 4 Ethernet ports as separate LANs, with an IP of 10.0.0.1 (and 2001:DB8::1) and the FireBrick acting as DHCP server on the first port. So, connecting a computer to port 1 should get you a 10.0.0.x IP address, and you can access http://10.0.0.1 . Port 1 is also a DHCP client, so it will try to get an IP from your DHCP server, if you have one; check your DHCP server logs for the IP allocated. Note that in this default config the temporary 10.0.0.1 subnet has nat="true" and neither the telnet nor the http service has an allow list yet; the sections below deal with both before the FireBrick goes on line.
Port 4 is set up as an example of a PPPoE client (i.e. to be plugged in to an ADSL/FTTC/FTTP modem); we'll set this up a little later.
Configuring Initial Basic Settings
Set yourself a user with full debug rights, eg:
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
To explain the timeout: it is how long this user stays logged in to the FB admin pages/telnet. The value is an ISO 8601 duration, so PT20M is 20 minutes (P for period, T introducing the time part). You can just enter 3600 and it will be converted to PT1H, as a number on its own means seconds. DEBUG is the full-rights level, so keep this account for administrators and choose a real password rather than the "secret" used in these examples.
Modify the ntp time server to use the AAISP time server:
<ntp timeserver="time.aaisp.net.uk"/>
modify the telnet service to permit only access from your LAN:
<telnet allow="192.0.2.0/28"/>
Set DNS servers and your domain name under the services element (here we're using the AAISP DNS servers):
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
Note: If you are using PPPoE, you can leave the resolvers empty and the FireBrick will obtain the DNS servers from the ISP over PPP.
LAN Subnet
We want to use just Ethernet port 1 on the FireBrick for our LAN, we'll be connecting port 1 to a switch, and all our devices will be plugged in to that switch.
So, first we'll add a new subnet; this can go under the current 10.0.0.1 subnet (which we'll delete later), and we'll make the FireBrick the DHCP server for it:
<subnet ip="192.0.2.1/28" comment="LAN"/>
<dhcp ip="192.0.2.2-12"/>
Remove the existing DHCP settings for the 10.0.0.1 subnet. The LAN1 interface now looks like this:
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="192.0.2.1/28" comment="LAN"/>
<dhcp ip="192.0.2.2-12"/>
</interface>
Our complete config now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="LAN4" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="192.0.2.1/28" comment="LAN"/>
<dhcp ip="192.0.2.2-12"/>
</interface>
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
<services>
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
<telnet allow="192.0.2.0/28"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
At this point we can save the config, there should be no errors.
Our computer should then pick up a new 192.0.2.x IP address, and we can connect back to the FireBrick on http://192.0.2.1 .
If that works, we can now safely remove the DHCP client subnet and the temporary 10.0.0.1 subnet (the one with NAT enabled), so remove the lines below. (The full-config listings later on this page were copied before this step and still show these two lines; leave them out of yours.)
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
Save, and re-connect to the web interface.
PPPoE
More info on http://www.firebrick.co.uk/fb2700/pppoe.php
The FireBrick 2700 supports PPPoE, so you can use it to connect via an xDSL modem, e.g.:
- A BT supplied FTTC/FTTP Modem
- A standard issue AAISP ZyXEL P660-D1, in bridge mode (Go to: Wan - Wan setup, mode Bridge, Encapsulation RFC1483, Multiplex LLC)
- Another ADSL router set for bridge mode
- A modem such as a Draytek Vigor 120
In our default config, you can see that we already have some PPPoE settings:
<ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/>
This is using Ethernet port 4, so plug your modem in to that port.
This line can be changed for your ADSL settings, eg:
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
We've also set the FireBrick to create a graph for this, as well as to log.
We've changed the port to WAN1, so we also need to change the port config earlier in the file, so change
<port name="LAN4" ports="4"/>
to:
<port name="WAN1" ports="4"/>
Our complete config in full now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="WAN1" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="192.0.2.1/28" comment="LAN"/>
<dhcp ip="192.0.2.2-12"/>
</interface>
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
<services>
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
<telnet allow="192.0.2.0/28"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
By default the PPPoE connection will be used as the default route, so saving this config should give you an internet connection. The ppp element has log="true", so the PPP negotiation is logged; check the log if the line does not come up. Note that the default rule-set only covers traffic targeted at LAN1; access to the FireBrick's own telnet and http services is controlled by their allow attributes, so set the http one too (see Restricting FireBrick Config access, below) before leaving the FireBrick on line.
1500 MTU?
The default MTU is 1492 for PPPoE (1500 less the 8 bytes of PPPoE and PPP headers). However, if your modem supports baby jumbo frames (RFC 4638), you should be able to use a full 1500 MTU on the PPPoE connection. The BT supplied modem for FTTC does support this; other modems may or may not. Config wise, just add mtu="1500" to the ppp element, e.g.:
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" mtu="1500"/>
ZyXEL P660R-D1 Notes
(These notes will be similar for any ADSL router in bridge mode, or any ADSL modem.) When setting up the ZyXEL to work with the FireBrick, set the WAN settings to:
For a Be PPPoA or a BT Line:
- Name: AAISP (But can be anything)
- Mode: Bridge
- Encapsulation: RFC 1483
- Multiplexing: VC
- VPI: 0
- VCI: 38
- ADSL modulation type: Multimode
For a Be, PPPoE, Line:
- Name: AAISP (But can be anything)
- Mode: Bridge
- Encapsulation: RFC 1483
- Multiplexing: LLC
- VPI: 0
- VCI: 101
- ADSL modulation type: Multimode
Also make a note of the ZyXEL's LAN address, as you'll set a subnet on the FireBrick (see Accessing the Modem, below) so that you can still reach the ZyXEL from your LAN. As the ZyXEL is not doing any PPP in bridge mode, the 'Internet' LED will not light up; the DSL light will still indicate sync though.
Filters
More info on http://www.firebrick.co.uk/fb2700/firewall.php
The default rule-set (target-interface="LAN1", drop="reject") blocks incoming traffic to the LAN and allows outgoing traffic.
VoIP Rules
If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers:
<rule-set name="Incoming Firewall Rules">
<rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/>
<rule name="RTP" target-ip="192.0.2.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/>
</rule-set>
Here the rules are defined in a rule-set. Rule-sets allow helpful management of rules, i.e. you can have a couple of main rule-sets, for example for incoming traffic, port maps, outgoing traffic etc. Rules and rule-sets are processed in order, top to bottom.
This also sets a graph for RTP. You may want to restrict target-ip to just your VoIP phones, as the rules above open these ports to the whole of the LAN; note also that the RTP rule has no source-ip, so it admits UDP to those ports from any source address, not just the AAISP phone servers.
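To make the top-to-bottom processing and the width of the RTP rule concrete, here is an added example (not code from the page or from FireBrick) that evaluates the rule-sets above against sample packets. The rule-set semantics it implements are an assumption stated in the code: a matching rule applies its action (default accept), a rule-set whose rules all miss applies its drop attribute (default continue), and falling off the end accepts. The IP-range shorthand "a.b.c.d-e", the phone addresses 192.0.2.3-4 in the hardened variant, and the packets themselves are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{http://firebrick.ltd.uk/xml/fb2700/}"

# Constructed sample: the VoIP rule-set from this page followed by the page's
# default rule-set, wrapped in a minimal <config> so it parses stand-alone.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <rule-set name="Incoming Firewall Rules">
  <rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/>
  <rule name="RTP" target-ip="192.0.2.0/28" protocol="17" target-port="1025-5059 5070-" set-graph="RTP"/>
 </rule-set>
 <rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
  <rule source-interface="self" comment="allow from the FireBrick though"/>
 </rule-set>
</config>
"""

# Hardened variant (assumed phone addresses 192.0.2.3-4): RTP is only opened
# towards the phones rather than the whole LAN, as the page suggests.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    '<rule name="RTP" target-ip="192.0.2.0/28"',
    '<rule name="RTP" target-ip="192.0.2.3-4"')


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    dport: int
    sport: int = 0
    source_interface: str = "WAN1"
    target_interface: str = "LAN1"


def _ip_item_matches(item: str, addr) -> bool:
    """One item of an IP list: 'a/n', 'a', or 'lo-hi'. In 'lo-hi' the right-hand
    side may be a full address or only the trailing octets (assumed syntax,
    matching the page's '81.187.30.110-119')."""
    if "/" in item:
        return addr in ipaddress.ip_network(item, strict=False)
    if "-" not in item:
        return addr == ipaddress.ip_address(item)
    lo_s, hi_s = item.split("-", 1)
    hi_parts = hi_s.split(".")
    if len(hi_parts) < 4:
        hi_s = ".".join(lo_s.split(".")[:4 - len(hi_parts)] + hi_parts)
    return ipaddress.ip_address(lo_s) <= addr <= ipaddress.ip_address(hi_s)


def ip_list_matches(value: str, addr_s: str) -> bool:
    addr = ipaddress.ip_address(addr_s)
    return any(_ip_item_matches(item, addr) for item in value.split())


def port_list_matches(value: str, port: int) -> bool:
    """Port list items: 'n', 'lo-hi', 'lo-' (open ended, as in '5070-'), '-hi'."""
    for item in value.split():
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 65535)
        else:
            lo = hi = int(item)
        if lo <= port <= hi:
            return True
    return False


def element_matches(el, pkt: Packet) -> bool:
    """Every match attribute present on a <rule> or <rule-set> must hold;
    an absent attribute matches anything."""
    checks = {
        "source-interface": lambda v: v == pkt.source_interface,
        "target-interface": lambda v: v == pkt.target_interface,
        "source-ip": lambda v: ip_list_matches(v, pkt.src),
        "target-ip": lambda v: ip_list_matches(v, pkt.dst),
        "protocol": lambda v: int(v) == pkt.protocol,
        "source-port": lambda v: port_list_matches(v, pkt.sport),
        "target-port": lambda v: port_list_matches(v, pkt.dport),
    }
    return all(check(el.get(attr)) for attr, check in checks.items()
               if el.get(attr) is not None)


def evaluate(config_xml: str, pkt: Packet):
    """Walk the rule-sets top to bottom and return (verdict, matched-by).
    Assumed semantics: a matching rule applies its action (default accept);
    a rule-set that applies but whose rules all miss applies its drop
    attribute (default continue to the next rule-set); running off the end
    accepts."""
    root = ET.fromstring(config_xml)
    for rs in root.iter(NS + "rule-set"):
        if not element_matches(rs, pkt):
            continue
        for rule in rs.findall(NS + "rule"):
            if element_matches(rule, pkt):
                return rule.get("action", "accept"), rule.get("name", "unnamed rule")
        if rs.get("drop", "continue") != "continue":
            return rs.get("drop"), rs.get("name") or rs.get("comment") or "unnamed rule-set"
    return "accept", "end of rule-sets"
```

Running the sample config, SIP from 81.187.30.115 is accepted by the SIP rule, inbound TCP/22 from the internet falls through to the default rule-set and is rejected, but inbound UDP/4000 from 203.0.113.9 to any LAN host is accepted by the RTP rule, which is the point of the caveat above; the hardened variant only accepts it towards the phones.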
Restricting FireBrick Config access
You may only want to allow access to the FireBrick web server from your LAN; do this in the http service, e.g. change the current line to the following (the same allow list as used for telnet above):
<http allow="192.0.2.0/28"/>
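The mistakes this page warns about (a ppp referencing a port that has been renamed, the setup-only subnets left in, telnet or http without an allow list, the DEBUG user still on a placeholder password) are all visible in the XML, so they can be checked before the config is saved. Here is an added example of such a check (not code from the page or from FireBrick) that parses the config with Python's xml.etree and reports findings. The embedded config is the page's PPPoE-section config, constructed here as sample input; the list of "weak" placeholder passwords and the rule that an allow list should lie inside a configured subnet are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "{http://firebrick.ltd.uk/xml/fb2700/}"

# Constructed sample: the complete config from the PPPoE section of this page,
# before the temporary subnets are removed and before http gets an allow list.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" timestamp="1970-01-01T00:00:07Z">
 <user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
 <port name="LAN1" ports="1"/>
 <port name="LAN2" ports="2"/>
 <port name="LAN3" ports="3"/>
 <port name="WAN1" ports="4"/>
 <interface name="LAN1" port="LAN1">
  <subnet comment="dhcp client"/>
  <subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
  <subnet ip="192.0.2.1/28" comment="LAN"/>
  <dhcp ip="192.0.2.2-12"/>
 </interface>
 <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
 <services>
  <dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
  <ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
  <telnet allow="192.0.2.0/28"/>
  <http/>
 </services>
 <rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
  <rule source-interface="self" comment="allow from the FireBrick though"/>
 </rule-set>
</config>
"""

PLACEHOLDER_USERNAME = "startup_user@startup_domain"
WEAK_PASSWORDS = {"", "secret", "password"}   # assumption: the page's placeholders count as weak


def configured_networks(root):
    """All statically configured subnets on all interfaces, as network objects."""
    nets = []
    for subnet in root.iter(NS + "subnet"):
        for ip in (subnet.get("ip") or "").split():
            nets.append(ipaddress.ip_interface(ip).network)
    return nets


def lint(config_xml: str) -> list:
    root = ET.fromstring(config_xml)
    findings = []

    # 1. Every port referenced by <ppp> or <interface> must be a defined <port name=...>.
    port_names = {p.get("name") for p in root.iter(NS + "port")}
    for tag in ("ppp", "interface"):
        for el in root.iter(NS + tag):
            if el.get("port") not in port_names:
                findings.append(f"{tag} references undefined port {el.get('port')!r}")

    # 2. Full-rights (DEBUG) users with an empty or placeholder password.
    for user in root.iter(NS + "user"):
        if user.get("level") == "DEBUG" and user.get("password", "") in WEAK_PASSWORDS:
            findings.append(f"user {user.get('name')!r} has DEBUG level and a weak/empty password")

    # 3. PPPoE credentials still at the factory placeholder.
    for ppp in root.iter(NS + "ppp"):
        if ppp.get("username") == PLACEHOLDER_USERNAME:
            findings.append(f"ppp on {ppp.get('port')!r} still uses the startup placeholder username")

    # 4. Setup-only subnets left behind: the DHCP-client placeholder and the NAT'd temporary range.
    for subnet in root.iter(NS + "subnet"):
        if subnet.get("ip") is None:
            findings.append("dhcp-client placeholder subnet still present")
        elif subnet.get("nat") == "true":
            findings.append(f"NAT enabled on subnet {subnet.get('ip')!r} (temporary setup subnet?)")

    # 5. Management services need an allow list, and it should lie inside a configured subnet.
    nets = configured_networks(root)
    services = root.find(NS + "services")
    for svc in ("telnet", "http"):
        for el in (services.findall(NS + svc) if services is not None else []):
            allow = el.get("allow")
            if allow is None:
                findings.append(f"{svc} service has no allow list (reachable from any source)")
                continue
            for item in allow.split():
                net = ipaddress.ip_network(item, strict=False)
                if not any(net.subnet_of(n) for n in nets if n.version == net.version):
                    findings.append(f"{svc} allow entry {item!r} is not within any configured subnet")
    return findings
```

On the sample config this reports the unrestricted http service, the two setup-only subnets and the placeholder admin password; renaming the port back to LAN4 in the ppp element (the slip the PPPoE section warns about) adds an undefined-port finding, and a config with those points fixed reports nothing.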
Native IPv6
Assuming you have an IPv6 block allocated to your line on Clueless (the AAISP control pages) and you're using the FB for PPPoE, all the FB config needs is:
- An IPv6 address on the LAN subnet
- ra="true" in the subnet
Your computers should then get IPv6 details via router advertisements; test on http://ip.help.me.uk.
If you need to use Tunnelled IPv6, rather than Native, see this page: *FireBrick 2700 v6 Tunnel
So, our config will look like this:
<interface name="LAN1" port="LAN1">
<subnet ip="2001:8B0:1635::1/64" ra="true" comment="IPv6 LAN"/>
...
</interface>
...
Our complete config now looks like:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z">
<user name="john" timeout="PT20M" level="DEBUG" password="secret"/>
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="WAN1" ports="4"/>
<interface name="LAN1" port="LAN1">
<subnet comment="dhcp client"/>
<subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<subnet ip="192.0.2.1/28" comment="LAN"/>
<dhcp ip="192.0.2.2-12"/>
<subnet ip="2001:8B0:1635::1/64" ra="true" comment="IPv6 LAN"/>
</interface>
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/>
<services>
<dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/>
<ntp timeserver="90.155.53.32 2001:8B0:0:53::5A9B:3520"/>
<telnet allow="192.0.2.0/28"/>
<http/>
</services>
<rule-set target-interface="LAN1" drop="reject" comment="default firewall rule - block incoming">
<rule source-interface="self" comment="allow from the FireBrick though"/>
</rule-set>
</config>
Next Steps, Bonding a Second Line
More info on http://www.firebrick.co.uk/fb2700/bonding.php
Set up second PPPoE
Set up port 3 to connect to the second modem, i.e.:
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/>
and change the port from:
<port name="LAN3" ports="3"/>
to
<port name="WAN2" ports="3"/>
If you prefer, you can rearrange the ports so that they are in sequential order etc...
We now have:
- Port 1 = LAN
- Port 2 = Spare
- Port 3 = ADSL Line 2
- Port 4 = ADSL Line 1
Bond the PPPoE:
Bonding on a 2700 requires the Bonding capability, found on the Fully-Loaded and Bonding variants.
Simply setting speed=x in each ppp element will bond the PPPoE connections for uplink. The speed value is in bits per second. You can use G/M/K suffixes when specifying the value, as well as B for bytes, or i for a power-of-2 multiplier (e.g. 1000000 is the same as 1M).
eg:
<ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/>
<ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/>
Since each PPP connection gives the FireBrick a default route, the FireBrick will use both, sending upload traffic on each ppp connection up to the speed given. The speed is in bits per second, so this example is for lines with a 1M upload. If the upload differs between the lines that's fine; e.g. you may have one line on Annex A and one on Annex M. Setting the speed correctly means the right proportion of traffic is sent up each line.
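As an added example (not code from the page or from FireBrick), the following parses the speed attribute as described above and works out what share of the upstream each bonded line gets. The exact suffix grammar (K/M/G, then an optional i for powers of two, then an optional B for bytes) is an assumption inferred from the sentence above, as is the proportional split; the sample config gives the second line a 2M upload, which the page does not, to show an unequal share.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://firebrick.ltd.uk/xml/fb2700/}"

# Suffix grammar as described on this page (the exact syntax is an assumption
# of this example): optional K/M/G multiplier, optional 'i' for powers of two,
# optional 'B' for bytes rather than bits. 'B' is case sensitive so that a
# lower-case 'b' is not silently read as bytes.
_SPEED = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kKmMgG]?)(i?)(B?)\s*$")
_EXP = {"": 0, "k": 1, "m": 2, "g": 3}


def parse_speed(value: str) -> int:
    """Return the ppp speed attribute in bits per second.
    '1000000' == '1M' == 1000000; '1Mi' == 1048576; '1MB' == 8000000."""
    m = _SPEED.match(value)
    if not m:
        raise ValueError(f"unparseable speed {value!r}")
    num, mult, binary, in_bytes = m.groups()
    base = 1024 if binary else 1000
    bits = float(num) * base ** _EXP[mult.lower()] * (8 if in_bytes else 1)
    return int(round(bits))


def upload_shares(config_xml: str) -> dict:
    """Fraction of upstream traffic each bonded ppp line carries, assuming the
    FireBrick splits uplink in proportion to each line's speed attribute."""
    root = ET.fromstring(config_xml)
    speeds = {}
    for ppp in root.iter(NS + "ppp"):
        if ppp.get("speed") is None:
            continue  # a ppp without speed is not part of the bond
        speeds[ppp.get("graph", ppp.get("port"))] = parse_speed(ppp.get("speed"))
    total = sum(speeds.values())
    if total == 0:
        raise ValueError("no bonded ppp lines with a non-zero speed")
    return {name: bits / total for name, bits in speeds.items()}


# Constructed sample: the two bonded lines from this page, with the second
# line given a 2M upload to show an unequal split.
SAMPLE_CONFIG = """<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
 <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1M"/>
 <ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="2000000"/>
</config>
"""
```

With the sample, "BT ADSL" carries one third of the upload and "BT ADSL 2" two thirds; a misspelt speed value raises rather than silently being treated as zero.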
Set Ports 1 and 2 to be a switch
To make use of port 2, we can configure it to be another LAN1 port. Our current port config is:
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>
We can change this to make port 2 a LAN1 port:
<port name="LAN1" ports="1 2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>
Now ports 1 and 2 act as a switch on the LAN interface.
Other Things
Accessing the Modem
The modem, or ADSL router in bridge mode, will also have a LAN IP that you can use to get to its config pages etc. E.g. the ZyXEL P660-R will still have a LAN setting with an IP set. In order to talk to the modem from the LAN side of the FireBrick, a subnet needs to be added on the FireBrick. This subnet goes on the WAN interface (the one on the port the modem is plugged in to), e.g.:
<interface name="WAN" port="WAN1">
<subnet ip="198.51.100.2/24"/>
</interface>
Assuming the modem is on 198.51.100.1 (198.51.100.0/24 is another RFC 5737 documentation block; use the modem's real LAN subnet), you'll be able to access it from the LAN side of the FireBrick. Make sure the modem's LAN subnet does not overlap any of your own LAN ranges.