FireBrick 2700 Configuration: Difference between revisions
CrazyTeeka (talk | contribs) No edit summary |
CrazyTeeka (talk | contribs) |
||
(125 intermediate revisions by 3 users not shown) | |||
Line 5: | Line 5: | ||
These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that: |
These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that: |
||
*The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port. |
*The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port. |
||
*The 2700 has faster throughput - |
*The 2700 has faster throughput - 350Mbit/s on the 2700 compared to 100Mbit/s on the 2500. |
||
=Factory Default Config= |
=Factory Default Config= |
||
The default config of a FireBrick looks like this: |
The factory default config of a FireBrick looks like this: |
||
<syntaxhighlight> |
<syntaxhighlight lang=xml> |
||
<?xml version="1.0" encoding="UTF-8"?> |
|||
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> |
|||
<system contact="John Doe" log-panic="fb-support"/> |
|||
<log name="default" comment="General logging for web viewing"/> |
|||
<log name="fb-support" comment="Log target for sending logs to FireBrick support team"> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> |
|||
</log> |
|||
<services> |
|||
<ntp/> |
|||
<telnet/> |
|||
<http local-only="true"/> |
|||
<dns> |
|||
<host name="my.firebrick.co.uk my.firebrick.uk"/> |
|||
</dns> |
|||
</services> |
|||
<port name="LAN1" ports="1"/> |
|||
<port name="LAN2" ports="2"/> |
|||
<port name="LAN3" ports="3"/> |
|||
<port name="WAN" ports="4"/> |
|||
<interface name="LAN1" port="LAN1" ra-client="false" comment="Default LAN interface"> |
|||
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
|||
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/> |
|||
</interface> |
|||
<interface name="LAN2" port="LAN2" ra-client="false" comment="Default LAN interface"> |
|||
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
|||
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/> |
|||
</interface> |
|||
<interface name="LAN3" port="LAN3" ra-client="false" comment="Default LAN interface"> |
|||
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> |
|||
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/> |
|||
</interface> |
|||
<interface name="WAN" port="WAN" ra-client="true" comment="Default WAN interface"> |
|||
<subnet name="DHCP client" comment="Delete if not required, not needed if using PPP"/> |
|||
</interface> |
|||
<ppp name="LAN-PPPoE" port="LAN1" username="me@firebrick" password="password" nat="true"/> |
|||
<ppp name="WAN-PPPoE" port="WAN" username="me@firebrick" password="password" nat="true"/> |
|||
<usb> |
|||
<dongle name="Example-3G" comment="Default 3G config, does not usually require any more settings"/> |
|||
</usb> |
|||
<rule-set name="Firewall: LAN" target-interface="LAN1 LAN2 LAN3" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> |
|||
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> |
|||
</rule-set> |
|||
</config> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
=Quick Start Config= |
|||
Here we have an example of the FireBrick using NAT: |
|||
=Config Run Through= |
|||
The FireBrick uses XML version 1.0 and UTF-8 encoding: |
|||
<syntaxhighlight> |
<syntaxhighlight lang=xml> |
||
<?xml version="1.0" encoding="UTF-8"?> |
<?xml version="1.0" encoding="UTF-8"?> |
||
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> |
|||
<system contact="John Doe" log-panic="fb-support"/> |
|||
<user name="admin" password="secret" timeout="1:00:00"/> |
|||
<log name="default" comment="General logging for web viewing"/> |
|||
<log name="fb-support" comment="Log target for sending logs to FireBrick support team"> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> |
|||
</log> |
|||
<services> |
|||
<ntp ntpserver="time.aa.net.uk"/> |
|||
<telnet/> |
|||
<http/> |
|||
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> |
|||
</services> |
|||
<port name="LAN" ports="1 2 3"/> |
|||
<port name="WAN" ports="4"/> |
|||
<interface name="LAN" port="LAN" ra-client="false"> |
|||
<subnet ip="2001:db8::1/64 10.0.0.1/24"/> |
|||
<dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/> |
|||
</interface> |
|||
<interface name="WAN" port="WAN" ra-client="true"/> |
|||
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="true"/> |
|||
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> |
|||
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> |
|||
</rule-set> |
|||
</config> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
FireBrick is running factory release firmware 1.31.000 (Janus): |
|||
and here the FireBrick is NAT free: |
|||
<syntaxhighlight> |
|||
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
|||
<syntaxhighlight lang=xml> |
|||
xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd" |
|||
<?xml version="1.0" encoding="UTF-8"?> |
|||
timestamp="2014-08-08T09:00:00Z" patch="19726"> |
|||
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> |
|||
<system contact="John Doe" log-panic="fb-support"/> |
|||
<user name="admin" password="secret" timeout="1:00:00"/> |
|||
<log name="default" comment="General logging for web viewing"/> |
|||
<log name="fb-support" comment="Log target for sending logs to FireBrick support team"> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> |
|||
</log> |
|||
<services> |
|||
<ntp ntpserver="time.aa.net.uk"/> |
|||
<telnet/> |
|||
<http/> |
|||
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> |
|||
</services> |
|||
<port name="LAN" ports="1 2 3"/> |
|||
<port name="WAN" ports="4"/> |
|||
<interface name="LAN" port="LAN" ra-client="false"> |
|||
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29"/> |
|||
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> |
|||
</interface> |
|||
<interface name="WAN" port="WAN" ra-client="true"/> |
|||
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="false"/> |
|||
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> |
|||
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> |
|||
</rule-set> |
|||
</config> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==System:== |
|||
=VoIP= |
|||
FireBrick with basic system config. Automatic updates to new factory release firmware are enabled by default: |
|||
<syntaxhighlight> |
|||
Here we have an example of setting up VoIP on the FireBrick, inbound and outbound calls, inbound URI calls, and outbound URI calls to AAISP: |
|||
<system name="FireBrick" contact="AAISP Subscriber" log-panic="fb-support"/> |
|||
<syntaxhighlight lang=xml> |
|||
<voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> |
|||
<carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" |
|||
registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/> |
|||
<carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/> |
|||
<telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/> |
|||
<telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/> |
|||
<telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/> |
|||
<telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/> |
|||
</voip> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Same as above but automatic firmware updates are disabled: |
|||
and here we use Direct Dial In, extn= is removed from <carrier> element and ddi= added to <telephone> element: |
|||
<syntaxhighlight> |
|||
<system name="FireBrick" contact="AAISP Subscriber" log-panic="fb-support" sw-update="false"/> |
|||
<syntaxhighlight lang=xml> |
|||
<voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> |
|||
<carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" |
|||
registrar="voiceless.aa.net.uk" username="+441234567890" password="secret"/> |
|||
<carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/> |
|||
<telephone name="John" display-name="John" username="John" password="secret" extn="1000" ddi="+441234567890" carrier="AASIP+441234567890"/> |
|||
<telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/> |
|||
<telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/> |
|||
<telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/> |
|||
</voip> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==User:== |
|||
=Remote Login= |
|||
Admin account with password "secret". Login idle timeout is "5:00". Login level is "ADMIN". |
|||
<syntaxhighlight> |
|||
Here we allow limited IPv6 addresses access to Telnet and HTTP, this stops you locking yourself out, in the example below 2001:8b0:119c:acf2::2/64 is used but you will need to use your own IP address instead, it also allows AAISP staff to login: |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD"/> |
|||
<syntaxhighlight lang=xml> |
|||
<telnet allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> |
|||
<http allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Same as above but login idle timeout is disabled: |
|||
then add a user account for AAISP, don't forgot to change password to something else: |
|||
<syntaxhighlight> |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0"/> |
|||
<syntaxhighlight lang=xml> |
|||
<user name="AAISP" password="secret" timeout="1:00:00"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Basic Guest/User account with many things hidden: |
|||
=Two Lines with 3G Dongle - Bonded= |
|||
<syntaxhighlight> |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="GUEST"/> |
|||
Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: |
|||
<syntaxhighlight lang=xml> |
|||
<port name="LAN" ports="1 2"/> |
|||
<port name="WAN2" ports="3"/> |
|||
<port name="WAN1" ports="4"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
or |
|||
Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: |
|||
<syntaxhighlight> |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="USER"/> |
|||
<syntaxhighlight lang=xml> |
|||
<interface name="LAN" port="LAN" ra-client="false"> |
|||
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/> |
|||
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/> |
|||
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> |
|||
</interface> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Debug account with a few extra things unhidden: |
|||
Interface - WAN interfaces, RA client is enabled: |
|||
<syntaxhighlight> |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="DEBUG"/> |
|||
<syntaxhighlight lang=xml> |
|||
<interface name="WAN1" port="WAN1" ra-client="true"/> |
|||
<interface name="WAN2" port="WAN2" ra-client="true"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==Logging:== |
|||
PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds: |
|||
General logging: |
|||
<syntaxhighlight> |
|||
<syntaxhighlight lang=xml> |
|||
<log name="default" comment="General Logging"/> |
|||
<ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP1" log="default" nat="false"/> |
|||
<ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP2" log="default" nat="false"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Email new crash logs to the "FireBrick Support Team" as they happen, ties in with <system log-panic="fb-support"> as above: |
|||
Dongle - Connect over 3G: |
|||
<syntaxhighlight> |
|||
<log name="fb-support" comment="FireBrick Support Team"> |
|||
<syntaxhighlight lang=xml> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10"/> |
|||
< |
<usb> |
||
<dongle name="AAISP3" username="me@a.3" password="secret" nat="false" graph="AAISP3" log="default"/> |
|||
</usb> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==Services - NTP Client:== |
|||
Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged: |
|||
Set time from AAISP time server, local-only by default: |
|||
<syntaxhighlight> |
|||
<syntaxhighlight lang=xml> |
|||
<ntp ntpserver="time.aa.net.uk"/> |
|||
<route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==Services - Telnet Server:== |
|||
Profiles - Checks if both lines are up or down: |
|||
Enable telnet server, local-only by default: |
|||
<syntaxhighlight> |
|||
<syntaxhighlight lang=xml> |
|||
<telnet/> |
|||
<profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> |
|||
</syntaxhighlight> |
|||
<profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> |
|||
==Services - HTTP Server:== |
|||
Enable HTTP server, local-only by default: |
|||
<syntaxhighlight> |
|||
<http/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==Services - DNS Service:== |
|||
=Two Lines with 3G Dongle - Fallover= |
|||
Enable DNS service, local-only by default: |
|||
<syntaxhighlight> |
|||
Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: |
|||
<dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/> |
|||
</syntaxhighlight> |
|||
<syntaxhighlight lang=xml> |
|||
==Port Grouping and Naming:== |
|||
Port grouping for a single PPPoE session: |
|||
<syntaxhighlight> |
|||
<port name="LAN" ports="1 2 3"/> |
|||
<port name="WAN" ports="4"/> |
|||
</syntaxhighlight> |
|||
Port grouping for dual PPPoE sessions: |
|||
<syntaxhighlight> |
|||
<port name="LAN" ports="1 2"/> |
<port name="LAN" ports="1 2"/> |
||
<port name="WAN1" ports="3"/> |
|||
<port name="WAN2" ports="4"/> |
|||
</syntaxhighlight> |
|||
Port grouping for triple PPPoE sessions: |
|||
<syntaxhighlight> |
|||
<port name="LAN" ports="1"/> |
|||
<port name="WAN1" ports="2"/> |
|||
<port name="WAN2" ports="3"/> |
<port name="WAN2" ports="3"/> |
||
<port name=" |
<port name="WAN1" ports="4"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
Port grouping for a single PPPoE session over 3G dongle: |
|||
Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: |
|||
<syntaxhighlight> |
|||
<port name="LAN" ports="1 2 3 4"/> |
|||
<syntaxhighlight lang=xml> |
|||
<interface name="LAN" port="LAN" ra-client="false"> |
|||
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/> |
|||
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/> |
|||
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> |
|||
</interface> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
==Ethernet Interface:== |
|||
Interface - WAN interfaces, RA client is enabled: |
|||
<syntaxhighlight> |
|||
<interface name="LAN" port="LAN"/> |
|||
<syntaxhighlight lang=xml> |
|||
<interface name="WAN1" port="WAN1" ra-client="true"/> |
|||
<interface name="WAN2" port="WAN2" ra-client="true"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
<syntaxhighlight> |
|||
PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds, localpref= gives priority to the highest value: |
|||
<interface name="WAN" port="WAN"/> |
|||
<syntaxhighlight lang=xml> |
|||
<ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="1000" graph="AAISP1" log="default" nat="false"/> |
|||
<ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="100" graph="AAISP2" log="default" nat="false"/> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
Dongle - Connect over 3G, localpref= gives this connection the lowest priority: |
|||
<syntaxhighlight lang=xml> |
|||
=Complete Config Example= |
|||
<usb> |
|||
<syntaxhighlight> |
|||
<dongle name="AAISP3" username="me@a.3" password="secret" nat="false" localpref="10" graph="AAISP3" log="default"/> |
|||
<?xml version="1.0" encoding="UTF-8"?> |
|||
</usb> |
|||
</syntaxhighlight> |
|||
Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged: |
|||
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
|||
xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd" |
|||
timestamp="2014-08-08T09:00:00Z" patch="19726"> |
|||
<syntaxhighlight lang=xml> |
|||
<system name="FireBrick" contact="AAISP Subscriber" log-panic="fb-support"/> |
|||
<route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/> |
|||
</syntaxhighlight> |
|||
Profiles - Checks if both lines are up or down: |
|||
<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0"/> |
|||
<syntaxhighlight lang=xml> |
|||
<log name="default" comment="General Logging"/> |
|||
<profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> |
|||
<profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> |
|||
</syntaxhighlight> |
|||
=L2TP Tunnel= |
|||
<log name="fb-support" comment="FireBrick Support Team"> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10"/> |
|||
</log> |
|||
L2TP tunnel with port 4 connected to another router: |
|||
<services> |
|||
<ntp ntpserver="time.aa.net.uk"/> |
|||
<telnet/> |
|||
<http/> |
|||
<dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/> |
|||
</services> |
|||
<syntaxhighlight lang=xml> |
|||
<port name="LAN" ports="1 2 3"/> |
|||
< |
<?xml version="1.0" encoding="UTF-8"?> |
||
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> |
|||
<system contact="John Doe" log-panic="fb-support"/> |
|||
<user name="admin" password="secret" timeout="1:00:00"/> |
|||
<log name="default" comment="General logging for web viewing"/> |
|||
<log name="fb-support" comment="Log target for sending logs to FireBrick support team"> |
|||
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> |
|||
</log> |
|||
<services> |
|||
<http/> |
|||
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> |
|||
<telnet/> |
|||
<time/> |
|||
</services> |
|||
<port name="LAN" ports="1 2 3"/> |
|||
<port name="WAN" ports="4"/> |
|||
<interface name="LAN" port="LAN" ra-client="false"> |
|||
<subnet ip="2001:db8::1/64 10.0.0.1/24"/> |
|||
<dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/> |
|||
</interface> |
|||
<interface name="WAN" port="WAN" ra-client="true" table="1"> |
|||
<subnet name="DHCP"/> |
|||
</interface> |
|||
<l2tp> |
|||
<outgoing name="AAISP" hostname="AAISP" server="90.155.53.19" graph="AAISP" table="1" payload-table="0" username="me@a.1" password="secret" min-retry="1" tcp-mss-fix="true"/> |
|||
</l2tp> |
|||
<rule-set name="Fallback: NAT" target-interface="nowhere" no-match-action="continue"> |
|||
<rule name="NAT" set-nat="true" set-table="1" action="accept"/> |
|||
</rule-set> |
|||
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> |
|||
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> |
|||
</rule-set> |
|||
</config> |
|||
</syntaxhighlight> |
</syntaxhighlight> |
||
[[Category:FireBrick|Configuration]] |
|||
[[Category:AA Routers]] |
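Review bot: The Remote Login snippet on the new side describes the allow list as limiting access to a few IPv6 addresses, but `<telnet allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/>` (and the matching `<http …/>`) admits every host in that /64 plus an entire provider /47; if one management host is intended, a host-length prefix such as `2001:8b0:119c:acf2::2/128` is what limits it to that address. Once local-only="false" the allow list is the only control on telnet, which carries the login in cleartext, so the prose could say so in one sentence. The `<user name="AAISP" password="secret" timeout="1:00:00"/>` line that follows stores the password in the clear while the revision it replaces used the `SHA1#…` form; the prose already says to change it, and could point at the hashed form as the thing to change it to.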
Latest revision as of 05:14, 26 September 2019
This page describes editing the XML directly. The FireBrick also has a web user interface; both can be used to edit the config, as they edit the same underlying XML.
These instructions are mostly applicable to the 2500 too. The differences between the 2700 and the 2500 are:
- The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port.
- The 2700 has faster throughput - 350Mbit/s on the 2700 compared to 100Mbit/s on the 2500.
Factory Default Config
The factory default config of a FireBrick looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Factory default configuration. serial is a placeholder; version records the
     firmware this example was taken from (FB2700 Flint V1.53.000). -->
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)">
<!-- log-panic names the log target that receives crash reports: the fb-support log below. -->
<system contact="John Doe" log-panic="fb-support"/>
<log name="default" comment="General logging for web viewing"/>
<!-- Crash logs are emailed to FireBrick support; delay="10" is the send delay (units are not shown on this page). -->
<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
</log>
<!-- Management services. Only http is explicitly local-only here; the Remote Login
     section shows what allow= and local-only="false" do to reachability. -->
<services>
<ntp/>
<telnet/>
<http local-only="true"/>
<dns>
<!-- Presumably the names the FireBrick answers for itself; confirm against the manual. -->
<host name="my.firebrick.co.uk my.firebrick.uk"/>
</dns>
</services>
<!-- Physical port to port-group mapping: one group per port in the default config. -->
<port name="LAN1" ports="1"/>
<port name="LAN2" ports="2"/>
<port name="LAN3" ports="3"/>
<port name="WAN" ports="4"/>
<!-- Every LAN port gets the same temporary addresses (10.0.0.1/24 and 2001:db8::1/64),
     NAT and a DHCP server; the subnet comments say to delete these once configured.
     ra="false" means no IPv6 router advertisements are sent on them. -->
<interface name="LAN1" port="LAN1" ra-client="false" comment="Default LAN interface">
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
</interface>
<interface name="LAN2" port="LAN2" ra-client="false" comment="Default LAN interface">
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
</interface>
<interface name="LAN3" port="LAN3" ra-client="false" comment="Default LAN interface">
<subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
<dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
</interface>
<!-- WAN takes its address as a DHCP client and accepts router advertisements (ra-client="true");
     the subnet's own comment says to drop it when PPP is used instead. -->
<interface name="WAN" port="WAN" ra-client="true" comment="Default WAN interface">
<subnet name="DHCP client" comment="Delete if not required, not needed if using PPP"/>
</interface>
<!-- Placeholder PPPoE logins (the username/password values are not real credentials):
     one over LAN1 and one over the WAN port, both with NAT. -->
<ppp name="LAN-PPPoE" port="LAN1" username="me@firebrick" password="password" nat="true"/>
<ppp name="WAN-PPPoE" port="WAN" username="me@firebrick" password="password" nat="true"/>
<!-- 3G dongle fallback; 2700 only, since the 2500 has no USB port (see the intro). -->
<usb>
<dongle name="Example-3G" comment="Default 3G config, does not usually require any more settings"/>
</usb>
<!-- Default firewall: traffic whose target is any LAN interface is rejected unless a rule
     matches (no-match-action="reject"); the single rule lets the FireBrick itself through. -->
<rule-set name="Firewall: LAN" target-interface="LAN1 LAN2 LAN3" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</rule-set>
</config>
Quick Start Config
Here we have an example of the FireBrick using NAT:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Quick-start config using NAT: a private 10.0.0.0/24 on the LAN and one PPPoE session on port 4. -->
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)">
<system contact="John Doe" log-panic="fb-support"/>
<!-- Admin login with a one-hour idle timeout. "secret" is a placeholder stored in the clear;
     an earlier revision of this page used the hashed form (password="SHA1#…"), which is
     the better choice for a saved config. -->
<user name="admin" password="secret" timeout="1:00:00"/>
<log name="default" comment="General logging for web viewing"/>
<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
</log>
<!-- ntp/telnet/http/dns with default reachability; the Remote Login section shows how
     allow= and local-only= widen or narrow that. -->
<services>
<ntp ntpserver="time.aa.net.uk"/>
<telnet/>
<http/>
<!-- Upstream resolvers, IPv6 first then IPv4. -->
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/>
</services>
<!-- Ports 1-3 form the LAN group; port 4 is the WAN. -->
<port name="LAN" ports="1 2 3"/>
<port name="WAN" ports="4"/>
<!-- LAN on 10.0.0.1/24 (plus the 2001:db8::/64 documentation prefix); DHCP hands out
     10.0.0.2-254 with a one-hour lease. -->
<interface name="LAN" port="LAN" ra-client="false">
<subnet ip="2001:db8::1/64 10.0.0.1/24"/>
<dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/>
</interface>
<!-- WAN accepts router advertisements; no static subnet, so addressing is expected to come
     from the PPP session below. -->
<interface name="WAN" port="WAN" ra-client="true"/>
<!-- Single PPPoE session on the WAN port; nat="true" translates the private LAN range.
     Replace username/password, they are placeholders. -->
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="true"/>
<!-- Inbound firewall for the LAN: reject unless a rule matches; only the FireBrick itself is allowed. -->
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</rule-set>
</config>
and here the FireBrick is NAT free:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Same as the NAT example but with routed public addresses on the LAN (a /29 and a /64)
     and nat="false" on the PPP link. -->
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)">
<system contact="John Doe" log-panic="fb-support"/>
<!-- Placeholder admin password stored in the clear; see the NAT example for the hashed alternative. -->
<user name="admin" password="secret" timeout="1:00:00"/>
<log name="default" comment="General logging for web viewing"/>
<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
</log>
<services>
<ntp ntpserver="time.aa.net.uk"/>
<telnet/>
<http/>
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/>
</services>
<port name="LAN" ports="1 2 3"/>
<port name="WAN" ports="4"/>
<!-- LAN uses the public ranges directly; .113 is the FireBrick and DHCP hands out the
     remaining usable /29 addresses .114-.118. -->
<interface name="LAN" port="LAN" ra-client="false">
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29"/>
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/>
</interface>
<interface name="WAN" port="WAN" ra-client="true"/>
<!-- nat="false": LAN hosts are directly addressable from the Internet, so the
     "Firewall: LAN" rule-set below is what rejects unsolicited inbound traffic to them.
     Keep it (or tighten it) when removing NAT. -->
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="false"/>
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</rule-set>
</config>
VoIP
Here we have an example of setting up VoIP on the FireBrick, inbound and outbound calls, inbound URI calls, and outbound URI calls to AAISP:
<!-- VoIP using the FireBrick's own addresses (the LAN addresses of the NAT-free example)
     as the SIP source addresses. -->
<voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1">
<!-- Registration with the AAISP carrier. allow= presumably limits which peer addresses are
     accepted for this carrier (confirm); extn="1000" presumably routes inbound calls on it
     to extension 1000, the "John" telephone below. Credentials are placeholders. -->
<carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48"
registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/>
<!-- SIP URI calls for @domain.name. trust-cli="true" trusts the caller ID presented by the
     remote end; there is no allow= on this carrier, so confirm that is wanted for callers
     from anywhere. -->
<carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/>
<!-- Local handset "John" on extension 1000, registering with a placeholder password, via the AAISP carrier. -->
<telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/>
<!-- Presumably speed-dial entries: dialling these extensions calls the given SIP URIs. -->
<telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/>
<telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/>
<telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/>
</voip>
and here we use Direct Dial In: the extn= attribute is removed from the &lt;carrier&gt; element and a ddi= attribute is added to the &lt;telephone&gt; element:
<!-- DDI variant of the VoIP example: the carrier no longer carries extn=, and the
     telephone's ddi="+441234567890" ties that number to John instead. -->
<voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1">
<!-- allow= presumably limits which peer addresses are accepted for this carrier (confirm).
     Credentials are placeholders. -->
<carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48"
registrar="voiceless.aa.net.uk" username="+441234567890" password="secret"/>
<!-- trust-cli="true" trusts the caller ID presented by the remote end on URI calls;
     this carrier has no allow= list, so confirm that is wanted. -->
<carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/>
<!-- The number's DDI is bound to this handset; password is a placeholder. -->
<telephone name="John" display-name="John" username="John" password="secret" extn="1000" ddi="+441234567890" carrier="AASIP+441234567890"/>
<!-- Presumably speed-dial entries mapping extensions to SIP URIs. -->
<telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/>
<telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/>
<telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/>
</voip>
Remote Login
Here we allow a limited set of IPv6 addresses access to Telnet and HTTP; this stops you locking yourself out. In the example below 2001:8b0:119c:acf2::2/64 is used, but you will need to use your own IP address instead. It also allows AAISP staff to log in:
<!-- local-only="false" presumably opens both services to non-local addresses, so the allow=
     list becomes the only access control on them; telnet carries the login in cleartext.
     NOTE(review): 2001:8b0:119c:acf2::2/64 admits every host in that /64, not just ::2.
     If one management host is intended, a host-length prefix (/128) is what limits it.
     2001:8b0::/47 is the range that lets AAISP staff in, per the prose. -->
<telnet allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/>
<http allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/>
then add a user account for AAISP; don't forget to change the password to something else:
<!-- Support login for AAISP staff with a one-hour idle timeout. Change "secret" before saving;
     an earlier revision of this page used the hashed password="SHA1#…" form, which avoids
     keeping the cleartext value in the config. -->
<user name="AAISP" password="secret" timeout="1:00:00"/>
Two Lines with 3G Dongle - Bonded
Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3:
<!-- Port groups: ports 1 and 2 are the LAN; WAN2 is port 3 and WAN1 is port 4 (note the order). -->
<port name="LAN" ports="1 2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>
Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses. This assumes the PPP session MTU is 1500; if the PPP session MTU is 1492, change 1472 to 1464 in the second ra-mtu= attribute:
<!-- LAN interface. The two subnet entries carry the same addresses and differ only in ra-mtu
     and the profile that selects them: while DSL-Down is active the advertised MTU is 1412
     (presumably sized for the 3G path), while DSL-Up is active it is 1472 (PPP at 1500 MTU;
     use 1464 for a 1492 MTU, per the prose). ra-dns advertises the same IPv6 resolvers the
     earlier examples use; DHCP hands out the /29 addresses .114-.118. -->
<interface name="LAN" port="LAN" ra-client="false">
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/>
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/>
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/>
</interface>
Interface - WAN interfaces, RA client is enabled:
<!-- Both WAN ports accept router advertisements; no static subnet, so addressing is expected
     to come from the PPP sessions below. -->
<interface name="WAN1" port="WAN1" ra-client="true"/>
<interface name="WAN2" port="WAN2" ra-client="true"/>
PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds:
<!-- One PPP session per line, no NAT. lcp-rate="1" / lcp-timeout="5" presumably send an LCP
     echo every second and declare the line down after 5 seconds (the prose says "timeout is
     5 seconds"); that is what the DSL-Down profile below watches. No localpref= is set in the
     bonded case (compare the Fallover example). Credentials are placeholders. -->
<ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP1" log="default" nat="false"/>
<ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP2" log="default" nat="false"/>
Dongle - Connect over 3G:
<!-- 3G dongle as a third path, also without NAT. No localpref= here; the Fallover example
     shows how to rank it below the two lines. Credentials are placeholders. -->
<usb>
<dongle name="AAISP3" username="me@a.3" password="secret" nat="false" graph="AAISP3" log="default"/>
</usb>
Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged:
<!-- IPv6 default route via an IPv4 tunnel gateway, only in effect while the DSL-Down profile is active. -->
<route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/>
Profiles - Checks if both lines are up or down:
<!-- DSL-Down watches the two PPP sessions (interval 1, timeout 5, recover 1); invert="true"
     makes the profile active when the lines are down. DSL-Up is simply its negation. -->
<profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/>
<profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/>
Two Lines with 3G Dongle - Fallover
Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3:
<!-- Port groups, same as the bonded example: ports 1 and 2 are the LAN; WAN2 is port 3, WAN1 is port 4. -->
<port name="LAN" ports="1 2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>
Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses. This assumes the PPP session MTU is 1500; if the PPP session MTU is 1492, change 1472 to 1464 in the second ra-mtu= attribute:
<!-- LAN interface, identical to the bonded example: two subnet entries with the same
     addresses, selected by profile so the advertised MTU is 1412 while DSL-Down is active
     and 1472 while DSL-Up is active (1464 for a 1492 MTU PPP session, per the prose).
     DHCP hands out the /29 addresses .114-.118. -->
<interface name="LAN" port="LAN" ra-client="false">
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/>
<subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/>
<dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/>
</interface>
Interface - WAN interfaces, RA client is enabled:
<!-- Both WAN ports accept router advertisements; addressing is expected to come from the PPP sessions below. -->
<interface name="WAN1" port="WAN1" ra-client="true"/>
<interface name="WAN2" port="WAN2" ra-client="true"/>
PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds, localpref= gives priority to the highest value:
<!-- One PPP session per line, no NAT. localpref= ranks the connections with the highest value
     preferred: AAISP1 (1000) over AAISP2 (100), and both over the dongle (10, below).
     lcp-rate/lcp-timeout presumably give a 5-second line-down detection, which is what the
     DSL-Down profile watches. Credentials are placeholders. -->
<ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="1000" graph="AAISP1" log="default" nat="false"/>
<ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="100" graph="AAISP2" log="default" nat="false"/>
Dongle - Connect over 3G, localpref= gives this connection the lowest priority:
<!-- 3G dongle with the lowest localpref (10), so it is used only when neither line is
     preferred. No NAT; credentials are placeholders. -->
<usb>
<dongle name="AAISP3" username="me@a.3" password="secret" nat="false" localpref="10" graph="AAISP3" log="default"/>
</usb>
Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged:
<!-- IPv6 default route via an IPv4 tunnel gateway, only in effect while the DSL-Down profile is active. -->
<route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/>
Profiles - Checks if both lines are up or down:
<!-- DSL-Down watches the two PPP sessions (interval 1, timeout 5, recover 1); invert="true"
     makes it active when the lines are down. DSL-Up is its negation. -->
<profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/>
<profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/>
L2TP Tunnel
L2TP tunnel with port 4 connected to another router:
<?xml version="1.0" encoding="UTF-8"?>
<!-- L2TP tunnel to AAISP over a connection provided by another router on port 4. -->
<config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)">
<system contact="John Doe" log-panic="fb-support"/>
<!-- Placeholder admin password stored in the clear; an earlier revision of this page
     used the hashed password="SHA1#…" form. -->
<user name="admin" password="secret" timeout="1:00:00"/>
<log name="default" comment="General logging for web viewing"/>
<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
</log>
<services>
<http/>
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/>
<telnet/>
<!-- NOTE(review): this example has <time/> where the other examples on this page use
     <ntp ntpserver="…"/>; confirm which element your firmware accepts. -->
<time/>
</services>
<port name="LAN" ports="1 2 3"/>
<port name="WAN" ports="4"/>
<!-- Private LAN as in the Quick Start NAT example. -->
<interface name="LAN" port="LAN" ra-client="false">
<subnet ip="2001:db8::1/64 10.0.0.1/24"/>
<dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/>
</interface>
<!-- WAN takes a DHCP address from the upstream router and is placed in routing table 1,
     presumably to keep the tunnel transport separate from the main table (confirm). -->
<interface name="WAN" port="WAN" ra-client="true" table="1">
<subnet name="DHCP"/>
</interface>
<!-- Outgoing L2TP to 90.155.53.19: table 1 carries the tunnel packets, payload-table="0"
     puts the traffic inside the tunnel in the main table. tcp-mss-fix presumably clamps
     TCP MSS to fit the tunnel MTU. Credentials are placeholders. -->
<l2tp>
<outgoing name="AAISP" hostname="AAISP" server="90.155.53.19" graph="AAISP" table="1" payload-table="0" username="me@a.1" password="secret" min-retry="1" tcp-mss-fix="true"/>
</l2tp>
<!-- "Fallback: NAT": reading the attribute names, traffic with no route in the main table
     (target-interface="nowhere", i.e. while the tunnel is down) is NATed and re-routed via
     table 1, so LAN hosts fall back to the upstream router's connection;
     no-match-action="continue" lets later rule-sets still apply. Confirm against the manual. -->
<rule-set name="Fallback: NAT" target-interface="nowhere" no-match-action="continue">
<rule name="NAT" set-nat="true" set-table="1" action="accept"/>
</rule-set>
<!-- Inbound firewall for the LAN: reject unless a rule matches; only the FireBrick itself is allowed. -->
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</rule-set>
</config>