FireBrick 2700 Configuration: Difference between revisions

← Older edit

FireBrick 2700 Configuration (view source)

Revision as of 05:14, 26 September 2019

1,494 bytes removed , 26 September 2019

→‎L2TP Tunnel

CrazyTeeka

editor

426

edits

Revision as of 13:32, 1 March 2016 (view source) CrazyTeeka (talk \| contribs) mNo edit summary ← Older edit		Latest revision as of 05:14, 26 September 2019 (view source) CrazyTeeka (talk \| contribs) (→‎L2TP Tunnel)
(14 intermediate revisions by 2 users not shown)
The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port. The 2700 has faster throughput - 350Mbit/s on the 2700 compared to 100Mbit/s on the 2500. =Factory Default Config= The factory default config of a FireBrick looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.38.001.xsd" timestamp="2016-03-01T13:13:40Z" patch="22527"> <system contact="John Doe" log-panic="fb-support"/> <log name="default" comment="General logging for web viewing"/> </config> </syntaxhighlight> =Quick Start Config= Here we have an example of the FireBrick using NAT: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.38.001.xsd" timestamp="2016-03-01T13:13:40Z" patch="22527"> <system contact="John Doe" log-panic="fb-support"/> <user name="admin" password="secret" timeout="1:00:00"/> and here the FireBrick is NAT free: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.38.001.xsd" timestamp="2016-03-01T13:13:40Z" patch="22527"> <system contact="John Doe" log-panic="fb-support"/> <user name="admin" password="secret" timeout="1:00:00"/> </config> </syntaxhighlight> =VoIP= Here we have an example of setting up VoIP on the FireBrick, inbound and outbound calls, inbound URI calls, and outbound URI calls to AAISP: <syntaxhighlight lang=xml> <voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" and here we use Direct Dial In, extn= is removed from <carrier> element and ddi= added to <telephone> element: <syntaxhighlight lang=xml> <voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" </voip> </syntaxhighlight> =Remote Login= Here we allow limited IPv6 addresses access to Telnet and HTTP, this stops you locking yourself out, in the example below 2001:8b0:119c:acf2::2/64 is used but you will need to use your own IP address instead, it also allows AAISP staff to login: <syntaxhighlight lang=xml> <telnet allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> <http allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> then add a user account for AAISP, don't forgot to change password to something else: <syntaxhighlight lang=xml> <user name="AAISP" password="secret" timeout="1:00:00"/> </syntaxhighlight> =Two Lines with 3G Dongle - Bonded= Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: <syntaxhighlight lang=xml> <port name="LAN" ports="1 2"/> <port name="WAN2" ports="3"/> Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: <syntaxhighlight lang=xml> <interface name="LAN" port="LAN" ra-client="false"> <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/> Interface - WAN interfaces, RA client is enabled: <syntaxhighlight lang=xml> <interface name="WAN1" port="WAN1" ra-client="true"/> <interface name="WAN2" port="WAN2" ra-client="true"/> PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds: <syntaxhighlight lang=xml> <ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP1" log="default" nat="false"/> <ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP2" log="default" nat="false"/> Dongle - Connect over 3G: <syntaxhighlight lang=xml> <usb> <dongle name="AAISP3" username="me@a.3" password="secret" nat="false" graph="AAISP3" log="default"/> Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged: <syntaxhighlight lang=xml> <route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/> </syntaxhighlight> Profiles - Checks if both lines are up or down: <syntaxhighlight lang=xml> <profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> <profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> </syntaxhighlight> =Two Lines with 3G Dongle - Fallover= Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: <syntaxhighlight lang=xml> <port name="LAN" ports="1 2"/> <port name="WAN2" ports="3"/> Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: <syntaxhighlight lang=xml> <interface name="LAN" port="LAN" ra-client="false"> <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/> Interface - WAN interfaces, RA client is enabled: <syntaxhighlight lang=xml> <interface name="WAN1" port="WAN1" ra-client="true"/> <interface name="WAN2" port="WAN2" ra-client="true"/> PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds, localpref= gives priority to the highest value: <syntaxhighlight lang=xml> <ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="1000" graph="AAISP1" log="default" nat="false"/> <ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="100" graph="AAISP2" log="default" nat="false"/> Dongle - Connect over 3G, localpref= gives this connection the lowest priority: <syntaxhighlight lang=xml> <usb> <dongle name="AAISP3" username="me@a.3" password="secret" nat="false" localpref="10" graph="AAISP3" log="default"/> Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged: <syntaxhighlight lang=xml> <route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/> </syntaxhighlight> Profiles - Checks if both lines are up or down: <syntaxhighlight lang=xml> <profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> <profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> </syntaxhighlight> =L2TP Tunnel= L2TP tunnel with port 4 connected to another router: ~~=Firewall=~~ <syntaxhighlight lang=xml>▼ ~~Here are some pre-written firewall rules:~~ <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> ~~==Steam Client==~~ <system contact="John Doe" log-panic="fb-support"/> <user name="admin" password="secret" timeout="1:00:00"/> ~~These static DNS entries help to keep the IP addresses matched to the ones in the firewall:~~ <log name="default" comment="General logging for web viewing"/> <log name="fb-support" comment="Log target for sending logs to FireBrick support team"> ▲<syntaxhighlight> <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21">▼ </log> ~~<host name="api.steampowered.com" ip="173.223.184.147"/>~~ <services> ~~<host name="cdn.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>~~ <http/> ~~<host name="cdn.store.steampowered.com" ip="23.63.98.26 23.63.98.32"/>~~ ▲ <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> ~~<host name="clientconfig.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>~~ <telnet/> ~~<host name="images.akamai.steamusercontent.com" ip="23.63.98.26 23.63.98.32"/>~~ <time/> ~~<host name="media.steampowered.com" ip="23.63.98.26 23.63.98.32"/>~~ </services> ~~<host name="media2.steampowered.com" ip="205.185.216.10 205.185.216.42"/>~~ <port name="LAN" ports="1 2 3"/> ~~<host name="media3.steampowered.com" ip="8.253.70.30 8.253.70.142 8.254.191.238"/>~~ <~~host~~port name="~~media4.steampowered.com~~WAN" ipports="~~23.63.98.26 23.63.98.32~~4"/> <interface name="LAN" port="LAN" ra-client="false"> ~~<host name="repo.steampowered.com" ip="23.63.98.26 23.63.98.32"/>~~ <subnet ip="2001:db8::1/64 10.0.0.1/24"/> ~~<host name="steamcloud-eu.storage.googleapis.com" ip="64.233.166.128"/>~~ <~~host~~dhcp name="~~steamcommunity-a.akamaihd.net~~DHCP" ip="2310.630.990.~~219~~2-254" ~~23.67.255.202~~lease="1:00:00"/> </interface> ~~<host name="steamcommunity.com" ip="92.122.219.245"/>~~ <interface name="WAN" port="WAN" ra-client="true" table="1"> ~~<host name="store.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>~~ <subnet name="DHCP"/> ~~<host name="store.steampowered.com" ip="173.223.184.147"/>~~ </interface> ~~</dns>~~ <l2tp> ~~</syntaxhighlight>~~ <outgoing name="AAISP" hostname="AAISP" server="90.155.53.19" graph="AAISP" table="1" payload-table="0" username="me@a.1" password="secret" min-retry="1" tcp-mss-fix="true"/> </l2tp> ~~Outbound Rules - Change the MAC address in the source-mac= element to your own:~~ <rule-set name="~~Steam Client~~Fallback: ~~Inbound~~NAT" target-interface="~~LAN~~nowhere" no-match-action="~~reject~~continue">▼ <rule name="~~TCP~~NAT" ~~target~~set-~~port~~nat="~~27014-27050~~true" ~~protocol~~set-table="61" action="accept"/>▼ ~~<syntaxhighlight>~~ </rule-set>▼ ~~<rule-set name="Steam Client: Outbound" source-interface="LAN" target-interface="pppoe" no-match-action="continue">~~ <rule-set name="~~NTP~~Firewall: LAN" target-~~port~~interface="~~123~~LAN" ~~protocol~~no-match-action="17reject" ~~action~~comment="~~accept~~Default firewall rule for traffic to LAN"/> <rule name="~~TCP~~Allow Firebrick" ~~target~~source-~~port~~interface="~~27014-27050~~self" ~~protocol~~comment="6"Allow ~~action="accept~~all from the FireBrick to LAN"/> </rule-set>▼ ~~<rule name="UDP" target-port="3478 4379 4380 27000-27030" protocol="17" action="accept"/>~~ </config> <rule name="HTTP" target-ip="8.253.70.30 8.253.70.142 8.254.191.238 23.63.98.26 23.63.98.32 23.63.99.219 23.67.255.202 62.115.11.250 80.239.194.146 92.122.219.245 155.133.245.0/24 155.133.248.0/24 162.254.192.0/24 162.254.193.0/24 162.254.194.0/23 162.254.196.0/24 162.254.197.0/24 162.254.198.0/24 173.223.184.147 205.185.216.10 205.185.216.42 205.196.6.0/24 212.73.205.178" target-port="80 443" protocol="6" action="accept"/> ~~<rule name="Deponia" target-ip="64.233.166.128 104.40.183.236 168.61.58.14 191.235.193.40" target-port="80 443" protocol="6" action="accept"/>~~ ~~<rule name="Deny All" source-mac="D8CB8AA2464E" action="reject"/>~~ ▲</rule-set> ~~</syntaxhighlight>~~ ~~Inbound Rules:~~ ~~<syntaxhighlight>~~ ▲<rule-set name="Steam Client: Inbound" target-interface="LAN" no-match-action="reject"> ~~<rule name="Allow Firebrick" source-interface="self"/>~~ ▲<rule name="TCP" target-port="27014-27050" protocol="6" action="accept"/> ~~<rule name="UDP" target-port="3478 4379 4380 27000-27030" protocol="17" action="accept"/>~~ ▲</rule-set> </syntaxhighlight>