FireBrick 2700 Configuration: Difference between revisions

← Older edit

FireBrick 2700 Configuration (view source)

Revision as of 05:14, 26 September 2019

920 bytes added , 26 September 2019

→‎L2TP Tunnel

CrazyTeeka

editor

426

edits

Revision as of 20:03, 19 August 2014 (view source) CrazyTeeka (talk \| contribs) m (→‎Firewall - Rule(s):) ← Older edit		Latest revision as of 05:14, 26 September 2019 (view source) CrazyTeeka (talk \| contribs) (→‎L2TP Tunnel)
(89 intermediate revisions by 3 users not shown)
These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that: The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port. The 2700 has faster throughput - ~~350Mb~~350Mbit/s on the 2700 compared to ~~100Mb~~100Mbit/s on the 2500. =Factory Default Config= The factory default config of a FireBrick looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> ~~<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"~~ ~~xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"~~ ~~xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"~~ ~~patch="20687">~~ <system contact="John Doe" log-panic="fb-support"/> <log name="default" comment="General logging for web viewing"/> </syntaxhighlight> =Quick Start Config= Here we have an example of the FireBrick using NAT: ~~=Config Run Through=~~ ~~The FireBrick uses XML version 1.0 and UTF-8 encoding:~~ <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> ~~</syntaxhighlight>~~ <system contact="John Doe" log-panic="fb-support"/> ~~FireBrick is running factory release firmware 1.31.000 (Janus):~~ <user name="admin" password="secret" timeout="1:00:00"/> ~~<syntaxhighlight>~~ <log name="default" comment="General logging for web viewing"/> ~~<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"~~ <log name="fb-support" comment="Log target for sending logs to FireBrick support team"> ~~xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"~~ <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> ~~xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"~~ </log> ~~patch="20687">~~ <services> <ntp ntpserver="time.aa.net.uk"/> <telnet/> <http/> <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> </services> <port name="LAN" ports="1 2 3"/> <port name="WAN" ports="4"/> <interface name="LAN" port="LAN" ra-client="false"> <subnet ip="2001:db8::1/64 10.0.0.1/24"/> <dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/> </interface> <interface name="WAN" port="WAN" ra-client="true"/> <ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="true"/> <rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> </rule-set> </config> </syntaxhighlight> and here the FireBrick is NAT free: ~~==System:==~~ ~~FireBrick with basic system config. Automatic updates to new factory release firmware are enabled by default:~~ ~~<syntaxhighlight>~~ ~~<system contact="John Doe" log-panic="fb-support"/>~~ ~~</syntaxhighlight>~~ ~~Same as above but automatic firmware updates are disabled:~~ ~~<syntaxhighlight>~~ ~~<system contact="John Doe" log-panic="fb-support" sw-update="false"/>~~ ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==User:==~~ <?xml version="1.0" encoding="UTF-8"?> ~~Admin account with password "secret". Login idle timeout is "5:00". Login level is "ADMIN".~~ <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> ~~<syntaxhighlight>~~ <system contact="John Doe" log-panic="fb-support"/> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD"/>~~ <user name="admin" password="secret" timeout="1:00:00"/> ~~</syntaxhighlight>~~ <log name="default" comment="General logging for web viewing"/> ~~Same as above but login idle timeout is disabled:~~ <log name="fb-support" comment="Log target for sending logs to FireBrick support team"> ~~<syntaxhighlight>~~ <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0"/>~~ </log> ~~</syntaxhighlight>~~ <services> ~~Basic Guest/User account with many things hidden:~~ <ntp ntpserver="time.aa.net.uk"/> ~~<syntaxhighlight>~~ <telnet/> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="GUEST"/>~~ <http/> ~~</syntaxhighlight>~~ <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> or </services> ~~<syntaxhighlight>~~ <port name="LAN" ports="1 2 3"/> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="USER"/>~~ <port name="WAN" ports="4"/> ~~</syntaxhighlight>~~ <interface name="LAN" port="LAN" ra-client="false"> ~~Debug account with a few extra things unhidden:~~ <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29"/> ~~<syntaxhighlight>~~ <dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0" level="DEBUG"/>~~ </interface> <interface name="WAN" port="WAN" ra-client="true"/> <ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="false"/> <rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> </rule-set> </config> </syntaxhighlight> =VoIP= ~~==Logging:==~~ ~~General logging:~~ ~~<syntaxhighlight>~~ ~~<log name="default" comment="General logging for web viewing"/>~~ ~~</syntaxhighlight>~~ ~~Crash logs emailed to FireBrick support team, ties in with <system log-panic="fb-support"> as above:~~ ~~<syntaxhighlight>~~ ~~<log name="fb-support" comment="Log target for sending logs to FireBrick support team">~~ ~~<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>~~ ~~</log>~~ ~~</syntaxhighlight>~~ Here we have an example of setting up VoIP on the FireBrick, inbound and outbound calls, inbound URI calls, and outbound URI calls to AAISP: ~~==Services - NTP Client:==~~ ~~Set time from AAISP time server, local-only by default:~~ ~~<syntaxhighlight>~~ ~~<ntp ntpserver="time.aa.net.uk"/>~~ ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==Services - Telnet Server:==~~ <voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> ~~Enable telnet server, local-only by default:~~ <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" ~~<syntaxhighlight>~~ registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/> ~~<telnet/>~~ <carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/> <telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/> <telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/> <telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/> <telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/> </voip> </syntaxhighlight> and here we use Direct Dial In, extn= is removed from <carrier> element and ddi= added to <telephone> element: ~~==Services - HTTP Server:==~~ ~~Enable HTTP server, local-only by default:~~ <syntaxhighlight lang=xml> <voip source-ip4="217.169.11.113" source-ip6="2001:8b0:119c:acf2::1"> ~~<http/>~~ <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" registrar="voiceless.aa.net.uk" username="+441234567890" password="secret"/> <carrier name="URI" to="@domain.name" trust-cli="true" extn="1000"/> <telephone name="John" display-name="John" username="John" password="secret" extn="1000" ddi="+441234567890" carrier="AASIP+441234567890"/> <telephone name="AAISP-Sales" extn="400222" uri="sales@aa.net.uk"/> <telephone name="AAISP-Accounts" extn="400666" uri="accounts@aa.net.uk"/> <telephone name="AAISP-Support" extn="400999" uri="support@aa.net.uk"/> </voip> </syntaxhighlight> =Remote Login= ~~==Services - DNS Service:==~~ ~~Enable DNS service, local-only by default:~~ Here we allow limited IPv6 addresses access to Telnet and HTTP, this stops you locking yourself out, in the example below 2001:8b0:119c:acf2::2/64 is used but you will need to use your own IP address instead, it also allows AAISP staff to login: ~~<syntaxhighlight>~~ ~~<dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/>~~ <syntaxhighlight lang=xml> <telnet allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> <http allow="2001:8b0:119c:acf2::2/64 2001:8b0::/47" local-only="false"/> </syntaxhighlight> then add a user account for AAISP, don't forgot to change password to something else: ~~==Port Grouping and Naming:==~~ ~~Port grouping for a single PPPoE session:~~ <syntaxhighlight lang=xml> <~~port~~user name="~~LAN~~AAISP" ~~ports~~password="1secret" ~~2 3~~timeout="1:00:00"/> ~~<port name="WAN" ports="4"/>~~ </syntaxhighlight> ~~Port grouping for dual PPPoE sessions:~~ =Two Lines with 3G Dongle - Bonded= ~~<syntaxhighlight>~~ Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: <syntaxhighlight lang=xml> <port name="LAN" ports="1 2"/> <port name="WAN2" ports="3"/> <port name="WAN1" ports="4"/> </syntaxhighlight> ~~Port grouping for triple PPPoE sessions:~~ ~~<syntaxhighlight>~~ ~~<port name="LAN" ports="1"/>~~ ~~<port name="WAN3" ports="2"/>~~ ~~<port name="WAN2" ports="3"/>~~ ~~<port name="WAN1" ports="4"/>~~ ~~</syntaxhighlight>~~ Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: ~~==Ethernet Interface:==~~ ~~LAN Interface:~~ <syntaxhighlight lang=xml> <interface name="LAN" port="LAN" ra-client="false"> <subnet ip="2001:8b0:119c:acf2::1/64 217.2169.311.4113/2429" ra="true" ra-mtu="1412" ra-dns="2001:8b0::~~1/64~~2020 2001:8b0::2021" profile="DSL-Down"/> <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/> <dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> </interface> ~~</syntaxhighlight>~~ ~~LAN Interface for IPv6 tunnel over 3G dongle with MTU 1500:~~ ~~<syntaxhighlight>~~ ~~<interface name="LAN" port="LAN" ra-client="false">~~ ~~<subnet ip="1.2.3.4/24 2001:8b0::1/64" ra="true" ra-mtu="1480" ra-dns="2001:8b0::2020 2001:8b0::2021"/>~~ ~~</interface>~~ ~~</syntaxhighlight>~~ ~~LAN Interface for IPv6 tunnel over 3G dongle with MTU 1492:~~ ~~<syntaxhighlight>~~ ~~<interface name="LAN" port="LAN" ra-client="false">~~ ~~<subnet ip="1.2.3.4/24 2001:8b0::1/64" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021"/>~~ ~~</interface>~~ ~~</syntaxhighlight>~~ ~~WAN Interface for a single PPPoE session:~~ ~~<syntaxhighlight>~~ ~~<interface name="WAN" port="WAN" ra-client="false"/>~~ ~~</syntaxhighlight>~~ ~~WAN Interface for dual PPPoE sessions:~~ ~~<syntaxhighlight>~~ ~~<interface name="WAN1" port="WAN1" ra-client="false"/>~~ ~~<interface name="WAN2" port="WAN2" ra-client="false"/>~~ ~~</syntaxhighlight>~~ ~~WAN Interface for triple PPPoE sessions:~~ ~~<syntaxhighlight>~~ ~~<interface name="WAN1" port="WAN1" ra-client="false"/>~~ ~~<interface name="WAN2" port="WAN2" ra-client="false"/>~~ ~~<interface name="WAN3" port="WAN3" ra-client="false"/>~~ </syntaxhighlight> Interface - WAN interfaces, RA client is enabled: ~~==PPPoE:==~~ ~~Connect to AAISP over PPPoE session:~~ ~~<syntaxhighlight>~~ ~~<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default"/>~~ ~~</syntaxhighlight>~~ ~~Same as above with MTU 1500:~~ ~~<syntaxhighlight>~~ ~~<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" mtu="1500" graph="AAISP" log="default"/>~~ ~~</syntaxhighlight>~~ ~~Same as above with MTU 1500 and 3G dongle tweaks:~~ ~~<syntaxhighlight>~~ ~~<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP" log="default"/>~~ ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==USB and 3G dongle:==~~ <interface name="WAN1" port="WAN1" ra-client="true"/> ~~Connect to AAISP over 3G dongle with NAT:~~ <interface name="WAN2" port="WAN2" ra-client="true"/> ~~<syntaxhighlight>~~ ~~<dongle name="AAISP-3G" username="me@a.2" password="secret" graph="AAISP-3G" log="default"/>~~ ~~</syntaxhighlight>~~ ~~Connect to AAISP over 3G dongle without NAT:~~ ~~<syntaxhighlight>~~ ~~<dongle name="AAISP-3G" username="me@a.2" password="secret" nat="false" graph="AAISP-3G" log="default"/>~~ ~~</syntaxhighlight>~~ ~~Connect to AAISP over 3G dongle with APN and NAT:~~ ~~<syntaxhighlight>~~ ~~<dongle name="AAISP-3G" apn="m2m.aql.net" username="me@a.2" password="secret" graph="AAISP-3G" log="default"/>~~ ~~</syntaxhighlight>~~ ~~Connect to AAISP over 3G dongle with APN and without NAT:~~ ~~<syntaxhighlight>~~ ~~<dongle name="AAISP-3G" apn="m2m.aql.net" username="me@a.2" password="secret" nat="false" graph="AAISP-3G" log="default"/>~~ </syntaxhighlight> PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds: ~~==Static Routes:==~~ ~~3G dongle IPv6 default route using IPv4 tunnel:~~ ~~<syntaxhighlight>~~ ~~<route ip="::/0" gateway="81.187.81.6" comment="IPv6 default route using IPv4 tunnel"/>~~ ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==Firewall - Rule Set:==~~ <ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP1" log="default" nat="false"/> ~~Default firewall rule for traffic to LAN:~~ <ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP2" log="default" nat="false"/> ~~<syntaxhighlight>~~ ~~<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">~~ ~~</rule-set>~~ </syntaxhighlight> Dongle - Connect over 3G: ~~==Firewall - Rule(s):==~~ ~~Allow all from the FireBrick to LAN, this is all you need if you register your VoIP Phone to FireBrick:~~ ~~<syntaxhighlight>~~ ~~<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>~~ ~~</syntaxhighlight>~~ ~~Allow inbound calls to your VoIP Phone, if you have registered it directly to voiceless:~~ ~~<syntaxhighlight>~~ ~~<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="5060" action="accept"/>~~ <rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="1024-65535" protocol="17" action="accept"/> ~~</syntaxhighlight>~~ ~~Allow inbound calls to your Snom Phone, if you have registered it directly to voiceless:~~ ~~<syntaxhighlight>~~ ~~<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="5060" action="accept"/>~~ <rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="49152-65534" protocol="17" action="accept"/> ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==VoIP:==~~ <usb> ~~VoIP with IPv4 and IPv6 source IPs defined:~~ <dongle name="AAISP3" username="me@a.3" password="secret" nat="false" graph="AAISP3" log="default"/> ~~<syntaxhighlight>~~ </usb> ~~<voip source-ip4="1.2.3.4" source-ip6="2001:8b0::1">~~ ~~</voip>~~ </syntaxhighlight> Static Route - Brings up IPv6 default route using IPv4 tunnel when both lines are down or unplugged: ~~==VoIP Carriers:==~~ ~~VoIP carrier that registers with Voiceless and binds inbound/outbound calls to extension 1000 as below:~~ ~~<syntaxhighlight>~~ <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/> ~~</syntaxhighlight>~~ <syntaxhighlight lang=xml> ~~==VoIP Users:==~~ <route ip="::/0" gateway="81.187.81.6" profile="DSL-Down" comment="IPv6 default route using IPv4 tunnel"/> ~~VoIP user that accepts registrations from your VoIP phone:~~ ~~<syntaxhighlight>~~ ~~<telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/>~~ </syntaxhighlight> Profiles - Checks if both lines are up or down: <syntaxhighlight lang=xml> ~~=Complete Config Example=~~ <profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> ~~<syntaxhighlight>~~ <profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> ~~<?xml version="1.0" encoding="UTF-8"?>~~ </syntaxhighlight> =Two Lines with 3G Dongle - Fallover= ~~<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"~~ ~~xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"~~ ~~xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"~~ ~~patch="20687">~~ Ports - LAN is on ports 1 and 2, WAN1 is on port 4, WAN2 is on port 3: ~~<system contact="John Doe" log-panic="fb-support"/>~~ <syntaxhighlight lang=xml> ~~<user name="Admin" password="SHA1#D57E4F7EE70491BBD274B5F71185A2A577B0DAFBF558BD" timeout="0"/>~~ <port name="LAN" ports="1 2"/> <port name="WAN2" ports="3"/> <port name="WAN1" ports="4"/> </syntaxhighlight> Interface - LAN interface, with DHCP for IPv4 addresses and RA for IPv6 addresses, assumes PPP session is 1500 MTU, if PPP session is 1492 MTU then change 1472 to 1464 in second ra-mtu= element: ~~<log name="default" comment="General logging for web viewing"/>~~ <syntaxhighlight lang=xml> ~~<log name="fb-support" comment="Log target for sending logs to FireBrick support team">~~ <interface name="LAN" port="LAN" ra-client="false"> ~~<email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>~~ <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1412" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Down"/> ~~</log>~~ <subnet ip="2001:8b0:119c:acf2::1/64 217.169.11.113/29" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021" profile="DSL-Up"/> <dhcp name="DHCP" ip="217.169.11.114-118" lease="1:00:00"/> </interface> </syntaxhighlight> Interface - WAN interfaces, RA client is enabled: ~~<services>~~ ~~<ntp ntpserver="time.aa.net.uk"/>~~ ~~<telnet/>~~ ~~<http/>~~ ~~<dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/>~~ ~~</services>~~ <syntaxhighlight lang=xml> ~~<port name="LAN" ports="1 2 3"/>~~ <~~port~~interface name="~~WAN~~WAN1" port="WAN1" ~~ports~~ra-client="4true"/> <interface name="WAN2" port="WAN2" ra-client="true"/> </syntaxhighlight> PPP - Connect to both lines, MTU is 1500, timeout is 5 seconds, localpref= gives priority to the highest value: ~~<interface name="LAN" port="LAN" ra-client="false">~~ ~~<subnet ip="1.2.3.4/24 2001:8b0::1/64"/>~~ ~~</interface>~~ <syntaxhighlight lang=xml> ~~<interface name="WAN" port="WAN" ra-client="false"/>~~ <ppp name="AAISP1" port="WAN1" username="me@a.1" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="1000" graph="AAISP1" log="default" nat="false"/> <ppp name="AAISP2" port="WAN2" username="me@a.2" password="secret" mtu="1500" lcp-rate="1" lcp-timeout="5" localpref="100" graph="AAISP2" log="default" nat="false"/> </syntaxhighlight> Dongle - Connect over 3G, localpref= gives this connection the lowest priority: ~~<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default"/>~~ <syntaxhighlight lang=xml> <usb> <dongle name="~~AAISP-3G~~AAISP3" username="me@a.23" password="secret" nat="false" localpref="10" graph="~~AAISP-3G~~AAISP3" log="default"/> </usb> </syntaxhighlight> ~~<route~~Static ~~ip="::/0"~~Route ~~gateway="81.187.81.6"~~- Brings up ~~comment="~~IPv6 default route using IPv4 tunnel~~"/>~~ when both lines are down or unplugged: <syntaxhighlight lang=xml> ~~<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">~~ <~~rule~~route ~~name~~ip="~~Allow~~::/0" ~~Firebrick~~gateway="81.187.81.6" ~~source-interface~~profile="~~self~~DSL-Down" comment="~~Allow all~~IPv6 ~~from~~default ~~the~~route ~~FireBrick~~using toIPv4 ~~LAN~~tunnel"/> </syntaxhighlight> ~~</rule-set>~~ Profiles - Checks if both lines are up or down: ~~<voip source-ip4="1.2.3.4" source-ip6="2001:8b0::1">~~ <carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/> ~~<telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/>~~ ~~</voip>~~ <syntaxhighlight lang=xml> <profile name="DSL-Down" interval="1" timeout="5" recover="1" ppp="AAISP1 AAISP2" invert="true" comment="DSL is Down"/> <profile name="DSL-Up" not="DSL-Down" comment="DSL is Up"/> </syntaxhighlight> =L2TP Tunnel= L2TP tunnel with port 4 connected to another router: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config serial="0000-0000-0000" version="FB2700 Flint (V1.53.000)"> <system contact="John Doe" log-panic="fb-support"/> <user name="admin" password="secret" timeout="1:00:00"/> <log name="default" comment="General logging for web viewing"/> <log name="fb-support" comment="Log target for sending logs to FireBrick support team"> <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/> </log> <services> <http/> <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"/> <telnet/> <time/> </services> <port name="LAN" ports="1 2 3"/> <port name="WAN" ports="4"/> <interface name="LAN" port="LAN" ra-client="false"> <subnet ip="2001:db8::1/64 10.0.0.1/24"/> <dhcp name="DHCP" ip="10.0.0.2-254" lease="1:00:00"/> </interface> <interface name="WAN" port="WAN" ra-client="true" table="1"> <subnet name="DHCP"/> </interface> <l2tp> <outgoing name="AAISP" hostname="AAISP" server="90.155.53.19" graph="AAISP" table="1" payload-table="0" username="me@a.1" password="secret" min-retry="1" tcp-mss-fix="true"/> </l2tp> <rule-set name="Fallback: NAT" target-interface="nowhere" no-match-action="continue"> <rule name="NAT" set-nat="true" set-table="1" action="accept"/> </rule-set> <rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN"> <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/> </rule-set> </config> </syntaxhighlight> [[Category:~~Configuring~~FireBrick\|Configuration]] [[Category:~~FireBrick~~AA Routers]] ~~[[Category:Router]]~~