FireBrick 2700 Configuration: Difference between revisions

From AAISP Support Site
mNo edit summary
m (clean up, typos fixed: 350Mb/s → 350Mbit/s (2))
Line 5: Line 5:
These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that:
These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that:
*The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port.
*The 2700 has a USB port so supports 3G fallback, the 2500 does not have a USB port.
*The 2700 has faster throughput - 350Mb/s on the 2700 compared to 100Mb/s on the 2500.
*The 2700 has faster throughput - 350Mbit/s on the 2700 compared to 100Mbit/s on the 2500.




Line 73: Line 73:
</syntaxhighlight>
</syntaxhighlight>


==System:==
==System==
FireBrick with basic system config. Automatic updates to new factory release firmware are enabled by default:
FireBrick with basic system config. Automatic updates to new factory release firmware are enabled by default:
<syntaxhighlight>
<syntaxhighlight>
Line 83: Line 83:
</syntaxhighlight>
</syntaxhighlight>


==User:==
==User==
Full administrator account:
Full administrator account:
<syntaxhighlight>
<syntaxhighlight>
Line 101: Line 101:
</syntaxhighlight>
</syntaxhighlight>


==Logging:==
==Logging==
General logging:
General logging:
<syntaxhighlight>
<syntaxhighlight>
Line 113: Line 113:
</syntaxhighlight>
</syntaxhighlight>


==Services - NTP Client:==
==Services - NTP Client==
Set time from FireBrick time server:
Set time from FireBrick time server:
<syntaxhighlight>
<syntaxhighlight>
Line 123: Line 123:
</syntaxhighlight>
</syntaxhighlight>


==Services - Telnet Server:==
==Services - Telnet Server==
Enable telnet server, local-only by default:
Enable telnet server, local-only by default:
<syntaxhighlight>
<syntaxhighlight>
Line 153: Line 153:
</syntaxhighlight>
</syntaxhighlight>


==Services - HTTP Server:==
==Services - HTTP Server==
Enable HTTP server, local-only by default:
Enable HTTP server, local-only by default:
<syntaxhighlight>
<syntaxhighlight>
Line 183: Line 183:
</syntaxhighlight>
</syntaxhighlight>


==Services - DNS Service:==
==Services - DNS Service==
Enable DNS service, local-only by default:
Enable DNS service, local-only by default:
<syntaxhighlight>
<syntaxhighlight>
Line 189: Line 189:
</syntaxhighlight>
</syntaxhighlight>


==Port Grouping and Naming:==
==Port Grouping and Naming==
Port grouping for a single PPPoE session:
Port grouping for a single PPPoE session:
<syntaxhighlight>
<syntaxhighlight>
Line 209: Line 209:
</syntaxhighlight>
</syntaxhighlight>


==Ethernet Interface:==
==Ethernet Interface==
LAN Interface:
LAN Interface:
<syntaxhighlight>
<syntaxhighlight>
Line 244: Line 244:
</syntaxhighlight>
</syntaxhighlight>


==PPPoE:==
==PPPoE==
Connect to AAISP over PPPoE session (with NAT):
Connect to AAISP over PPPoE session (with NAT):
<syntaxhighlight>
<syntaxhighlight>
Line 270: Line 270:
</syntaxhighlight>
</syntaxhighlight>


==USB and 3G dongle:==
==USB and 3G dongle==
Connect to AAISP over 3G dongle (with NAT):
Connect to AAISP over 3G dongle (with NAT):
<syntaxhighlight>
<syntaxhighlight>
Line 288: Line 288:
</syntaxhighlight>
</syntaxhighlight>


==Static Routes:==
==Static Routes==
3G dongle IPv6 default route using IPv4 tunnel:
3G dongle IPv6 default route using IPv4 tunnel:
<syntaxhighlight>
<syntaxhighlight>
Line 294: Line 294:
</syntaxhighlight>
</syntaxhighlight>


==Firewall - Rule Set:==
==Firewall - Rule Set==
Default firewall rule for traffic to LAN:
Default firewall rule for traffic to LAN:
<syntaxhighlight>
<syntaxhighlight>
Line 301: Line 301:
</syntaxhighlight>
</syntaxhighlight>


==Firewall - Rule(s):==
==Firewall - Rule(s)==
Allow all from the FireBrick to LAN - This rule is important:
Allow all from the FireBrick to LAN - This rule is important:
<syntaxhighlight>
<syntaxhighlight>
Line 317: Line 317:
</syntaxhighlight>
</syntaxhighlight>


==VoIP:==
==VoIP==
VoIP with IPv6 source IP defined:
VoIP with IPv6 source IP defined:
<syntaxhighlight>
<syntaxhighlight>
Line 329: Line 329:
</syntaxhighlight>
</syntaxhighlight>


==VoIP Carriers:==
==VoIP Carriers==
VoIP carrier that registers with Voiceless and binds inbound/outbound calls to extension 1000 as below:
VoIP carrier that registers with Voiceless and binds inbound/outbound calls to extension 1000 as below:
<syntaxhighlight>
<syntaxhighlight>
Line 335: Line 335:
</syntaxhighlight>
</syntaxhighlight>


==VoIP Users:==
==VoIP Users==
VoIP user that accepts registrations from your VoIP phone:
VoIP user that accepts registrations from your VoIP phone:
<syntaxhighlight>
<syntaxhighlight>
Line 344: Line 344:
=With NAT vs Without NAT=
=With NAT vs Without NAT=
You have 8 IPv4 for example "1.1.1.1-1.1.1.8" or "1.1.1.1/29", you can use them with NAT or without NAT. By using NAT you would only be using "1.1.1.1" and the other IPs would be unused.
You have 8 IPv4 for example "1.1.1.1-1.1.1.8" or "1.1.1.1/29", you can use them with NAT or without NAT. By using NAT you would only be using "1.1.1.1" and the other IPs would be unused.
==With NAT:==
==With NAT==
LAN Interface (with NAT):
LAN Interface (with NAT):
<syntaxhighlight>
<syntaxhighlight>
Line 356: Line 356:
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" graph="AAISP" log="default"/>
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" graph="AAISP" log="default"/>
</syntaxhighlight>
</syntaxhighlight>
==Without NAT:==
==Without NAT==
LAN Interface (without NAT):
LAN Interface (without NAT):
<syntaxhighlight>
<syntaxhighlight>
Line 372: Line 372:
=NAT on a Single Port=
=NAT on a Single Port=
It is possible to have NAT on a single port, for example port 3, while ports 1 and 2 are without NAT.
It is possible to have NAT on a single port, for example port 3, while ports 1 and 2 are without NAT.
==Port Grouping and Naming with NAT on Port 3:==
==Port Grouping and Naming with NAT on Port 3==
<syntaxhighlight>
<syntaxhighlight>
<port name="LAN" ports="1 2"/>
<port name="LAN" ports="1 2"/>
Line 378: Line 378:
<port name="WAN" ports="4"/>
<port name="WAN" ports="4"/>
</syntaxhighlight>
</syntaxhighlight>
==Ethernet Interface:==
==Ethernet Interface==
<syntaxhighlight>
<syntaxhighlight>
<interface name="LAN" port="LAN" ra-client="false">
<interface name="LAN" port="LAN" ra-client="false">
Line 392: Line 392:
<interface name="WAN" port="WAN" ra-client="false"/>
<interface name="WAN" port="WAN" ra-client="false"/>
</syntaxhighlight>
</syntaxhighlight>
==PPPoE:==
==PPPoE==
<syntaxhighlight>
<syntaxhighlight>
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" graph="AAISP" log="default"/>
<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" graph="AAISP" log="default"/>
</syntaxhighlight>
</syntaxhighlight>
==Firewall:==
==Firewall==
<syntaxhighlight>
<syntaxhighlight>
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">

Revision as of 21:18, 6 January 2015


This page describes editing the XML directly. The FireBrick also has a Web User Interface. Either can be used to edit the config, as both edit the same underlying XML.

These instructions are mostly applicable to the 2500 too. The difference between the 2700 and the 2500 is that:

  • The 2700 has a USB port and so supports 3G fallback; the 2500 does not have a USB port.
  • The 2700 has faster throughput - 350Mbit/s on the 2700 compared to 100Mbit/s on the 2500.


Factory Default Config

The factory default config of a FireBrick looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"
        patch="20687">
   <system contact="John Doe" log-panic="fb-support"/>
   <log name="default" comment="General logging for web viewing"/>
   <log name="fb-support" comment="Log target for sending logs to FireBrick support team">
      <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
   </log>
   <services>
      <ntp/>
      <telnet/>
      <http local-only="true"/>
      <dns>
         <host name="my.firebrick.co.uk my.firebrick.uk"/>
      </dns>
   </services>
   <port name="LAN1" ports="1"/>
   <port name="LAN2" ports="2"/>
   <port name="LAN3" ports="3"/>
   <port name="WAN" ports="4"/>
   <interface name="LAN1" port="LAN1" ra-client="false" comment="Default LAN interface">
      <subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
      <dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
   </interface>
   <interface name="LAN2" port="LAN2" ra-client="false" comment="Default LAN interface">
      <subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
      <dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
   </interface>
   <interface name="LAN3" port="LAN3" ra-client="false" comment="Default LAN interface">
      <subnet name="Default IPs" ip="2001:db8::1/64 10.0.0.1/24" ra="false" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/>
      <dhcp name="Auto allocated IPs" comment="Allocates IP addresses automatically"/>
   </interface>
   <interface name="WAN" port="WAN" ra-client="true" comment="Default WAN interface">
      <subnet name="DHCP client" comment="Delete if not required, not needed if using PPP"/>
   </interface>
   <ppp name="LAN-PPPoE" port="LAN1" username="me@firebrick" password="password" nat="true"/>
   <ppp name="WAN-PPPoE" port="WAN" username="me@firebrick" password="password" nat="true"/>
   <usb>
      <dongle name="Example-3G" comment="Default 3G config, does not usually require any more settings"/>
   </usb>
   <rule-set name="Firewall: LAN" target-interface="LAN1 LAN2 LAN3" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
      <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
   </rule-set>
</config>


Config Run Through

The FireBrick uses XML version 1.0 and UTF-8 encoding:

<?xml version="1.0" encoding="UTF-8"?>

FireBrick is running factory release firmware 1.31.000 (Janus):

<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"
        patch="20687">

System

FireBrick with basic system config. Automatic updates to new factory release firmware are enabled by default:

<system contact="John Doe" log-panic="fb-support"/>

Same as above but automatic firmware updates are disabled:

<system contact="John Doe" log-panic="fb-support" sw-update="false"/>

User

Full administrator account:

<user name="admin" password="secret"/>

Full administrator account with login idle timeout disabled:

<user name="admin" password="secret" timeout="0"/>

Debug account with a few extra things unhidden:

<user name="admin" password="secret" timeout="0" level="DEBUG"/>

Guest account with many things hidden:

<user name="guest" password="secret" timeout="0" level="GUEST"/>

Logging

General logging:

<log name="default" comment="General logging for web viewing"/>

Crash logs emailed to FireBrick support team:

<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
   <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
</log>

Services - NTP Client

Set time from FireBrick time server:

<ntp/>

Set time from AAISP time server:

<ntp ntpserver="time.aa.net.uk"/>

Services - Telnet Server

Enable telnet server, local-only by default:

<telnet/>

Enable telnet server, allow inbound to telnet server from a single IPv4 address:

<telnet allow="1.2.3.4" local-only="false"/>

Enable telnet server, allow inbound to telnet server from a block of IPv4s:

<telnet allow="1.2.3.4-100" local-only="false"/>

Enable telnet server, allow inbound to telnet server from a /29 block of IPv4s:

<telnet allow="1.2.3.4/29" local-only="false"/>

Enable telnet server, allow inbound to telnet server from a single IPv6 address:

<telnet allow="2001:8b0:119c:acf2::1" local-only="false"/>

Enable telnet server, allow inbound to telnet server from a /48 block of IPv6s:

<telnet allow="2001:8b0:119c::/48" local-only="false"/>

Enable telnet server, allow inbound to telnet server from a /64 block of IPv6s:

<telnet allow="2001:8b0:119c:acf2::/64" local-only="false"/>

Services - HTTP Server

Enable HTTP server, local-only by default:

<http/>

Enable HTTP server, allow inbound to HTTP server from a single IPv4 address:

<http allow="1.2.3.4" local-only="false"/>

Enable HTTP server, allow inbound to HTTP server from a block of IPv4s:

<http allow="1.2.3.4-100" local-only="false"/>

Enable HTTP server, allow inbound to HTTP server from a /29 block of IPv4s:

<http allow="1.2.3.4/29" local-only="false"/>

Enable HTTP server, allow inbound to HTTP server from a single IPv6 address:

<http allow="2001:8b0:119c:acf2::1" local-only="false"/>

Enable HTTP server, allow inbound to HTTP server from a /48 block of IPv6s:

<http allow="2001:8b0:119c::/48" local-only="false"/>

Enable HTTP server, allow inbound to HTTP server from a /64 block of IPv6s:

<http allow="2001:8b0:119c:acf2::/64" local-only="false"/>

Services - DNS Service

Enable DNS service, local-only by default:

<dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/>

Port Grouping and Naming

Port grouping for a single PPPoE session:

<port name="LAN" ports="1 2 3"/>
<port name="WAN" ports="4"/>

Port grouping for dual PPPoE sessions:

<port name="LAN" ports="1 2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>

Port grouping for triple PPPoE sessions:

<port name="LAN" ports="1"/>
<port name="WAN3" ports="2"/>
<port name="WAN2" ports="3"/>
<port name="WAN1" ports="4"/>

Ethernet Interface

LAN Interface:

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="10.0.0.1/24 2001:8b0::1/64"/>
</interface>

LAN Interface for IPv6 tunnel over 3G dongle (with MTU 1500):

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="10.0.0.1/24 2001:8b0::1/64" ra="true" ra-mtu="1480" ra-dns="2001:8b0::2020 2001:8b0::2021"/>
</interface>

LAN Interface for IPv6 tunnel over 3G dongle (with MTU 1492):

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="10.0.0.1/24 2001:8b0::1/64" ra="true" ra-mtu="1472" ra-dns="2001:8b0::2020 2001:8b0::2021"/>
</interface>

WAN Interface for a single PPPoE session:

<interface name="WAN" port="WAN" ra-client="false"/>

WAN Interface for dual PPPoE sessions:

<interface name="WAN1" port="WAN1" ra-client="false"/>
<interface name="WAN2" port="WAN2" ra-client="false"/>

WAN Interface for triple PPPoE sessions:

<interface name="WAN1" port="WAN1" ra-client="false"/>
<interface name="WAN2" port="WAN2" ra-client="false"/>
<interface name="WAN3" port="WAN3" ra-client="false"/>

PPPoE

Connect to AAISP over PPPoE session (with NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" graph="AAISP" log="default"/>

Connect to AAISP over PPPoE session (without NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" graph="AAISP" log="default"/>

Connect to AAISP over PPPoE session (with MTU 1500 and NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" mtu="1500" graph="AAISP" log="default"/>

Connect to AAISP over PPPoE session (with MTU 1500 but without NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" mtu="1500" graph="AAISP" log="default"/>

Connect to AAISP over PPPoE session (with MTU 1500, 3G dongle tweaks and NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP" log="default"/>

Connect to AAISP over PPPoE session (with MTU 1500, 3G dongle tweaks but without NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" mtu="1500" lcp-rate="1" lcp-timeout="5" graph="AAISP" log="default"/>

USB and 3G dongle

Connect to AAISP over 3G dongle (with NAT):

<dongle name="AAISP-3G" username="me@a.2" password="secret" nat="true" graph="AAISP-3G" log="default"/>

Connect to AAISP over 3G dongle (without NAT):

<dongle name="AAISP-3G" username="me@a.2" password="secret" nat="false" graph="AAISP-3G" log="default"/>

Connect to AAISP over 3G dongle (with APN and NAT):

<dongle name="AAISP-3G" apn="m2m.aql.net" username="me@a.2" password="secret" nat="true" graph="AAISP-3G" log="default"/>

Connect to AAISP over 3G dongle (with APN but without NAT):

<dongle name="AAISP-3G" apn="m2m.aql.net" username="me@a.2" password="secret" nat="false" graph="AAISP-3G" log="default"/>

Static Routes

3G dongle IPv6 default route using IPv4 tunnel:

<route ip="::/0" gateway="81.187.81.6" comment="IPv6 default route using IPv4 tunnel"/>

Firewall - Rule Set

Default firewall rule for traffic to LAN:

<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
</rule-set>

Firewall - Rule(s)

Allow all from the FireBrick to LAN - This rule is important:

<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>

Allow inbound calls to your VoIP Phone, if you register it with Voiceless:

<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="10.0.0.3" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="10.0.0.3" target-port="1024-65535" protocol="17" action="accept"/>

Allow inbound calls to your Snom Phone, if you register it with Voiceless:

<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="10.0.0.3" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="10.0.0.3" target-port="49152-65534" protocol="17" action="accept"/>

VoIP

VoIP with IPv6 source IP defined:

<voip source-ip6="2001:8b0::1">
</voip>

VoIP with IPv4 and IPv6 source IPs defined:

<voip source-ip4="1.2.3.4" source-ip6="2001:8b0::1">
</voip>

VoIP Carriers

VoIP carrier that registers with Voiceless and binds inbound/outbound calls to extension 1000 as below:

<carrier name="AASIP+441234567890" allow="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" registrar="voiceless.aa.net.uk" username="+441234567890" password="secret" extn="1000"/>

VoIP Users

VoIP user that accepts registrations from your VoIP phone:

<telephone name="John" display-name="John" username="John" password="secret" extn="1000" carrier="AASIP+441234567890"/>


With NAT vs Without NAT

Suppose you have 8 IPv4 addresses, for example "1.1.1.1-1.1.1.8" or "1.1.1.1/29". You can use them with NAT or without NAT. With NAT you would only be using "1.1.1.1" and the other IPs would be unused.

With NAT

LAN Interface (with NAT):

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="10.0.0.1/24"/>
   <dhcp name="DHCP" ip="10.0.0.1/24" lease="1:00:00"/>
</interface>

Connect to AAISP over PPPoE session (with NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="true" graph="AAISP" log="default"/>

Without NAT

LAN Interface (without NAT):

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="1.1.1.1/29"/>
   <dhcp name="DHCP" ip="1.1.1.1/29" lease="1:00:00"/>
</interface>

Connect to AAISP over PPPoE session (without NAT):

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" graph="AAISP" log="default"/>


NAT on a Single Port

It is possible to have NAT on a single port, for example port 3, while ports 1 and 2 are without NAT.

Port Grouping and Naming with NAT on Port 3

<port name="LAN" ports="1 2"/>
<port name="LAN-NAT" ports="3"/>
<port name="WAN" ports="4"/>

Ethernet Interface

<interface name="LAN" port="LAN" ra-client="false">
   <subnet ip="1.1.1.1/29 2001:8b0::1/64"/>
   <dhcp name="DHCP" ip="1.1.1.1/29" lease="1:00:00"/>
</interface>

<interface name="LAN-NAT" port="LAN-NAT" ra-client="false">
   <subnet ip="10.0.0.1/24" nat="true"/>
   <dhcp name="DHCP" ip="10.0.0.1/24" lease="1:00:00"/>
</interface>

<interface name="WAN" port="WAN" ra-client="false"/>

PPPoE

<ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false" graph="AAISP" log="default"/>

Firewall

<rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
   <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</rule-set>


Config Example

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/download/FB2701/xml/fb2700/1.31.000.xsd"
        patch="20687">
   <system contact="John Doe" log-panic="fb-support"/>
   <user name="admin" password="secret" timeout="0"/>
   <log name="default" comment="General logging for web viewing"/>
   <log name="fb-support" comment="Log target for sending logs to FireBrick support team">
      <email to="crashlog@firebrick.ltd.uk" delay="10" comment="Crash logs emailed to FireBrick support team"/>
   </log>
   <services>
      <ntp/>
      <telnet/>
      <http/>
      <dns resolvers="217.169.20.20 217.169.20.21 2001:8b0::2020 2001:8b0::2021"/>
   </services>
   <port name="LAN" ports="1 2 3"/>
   <port name="WAN" ports="4"/>
   <interface name="LAN" port="LAN" ra-client="false">
      <subnet ip="10.0.0.1/24 2001:8b0::1/64"/>
      <dhcp name="DHCP" ip="10.0.0.1/24" lease="1:00:00"/>
   </interface>
   <interface name="WAN" port="WAN" ra-client="false"/>
   <ppp name="AAISP" port="WAN" username="me@a.1" password="secret" graph="AAISP" log="default" nat="true"/>
   <rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
      <rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
   </rule-set>
</config>
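
Config Audit (added example)

This is an added example, not part of the original page or of FireBrick's own tooling: a Python audit that reads a config in the format above and lists settings worth reviewing before deployment, namely example passwords left in place, timeout="0", sw-update="false", telnet/HTTP opened with local-only="false", and interfaces with an addressed subnet that no rule-set names in target-interface. The function names, finding labels and the sample config (assembled from this page's snippets) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: assembled from snippets shown on this page, not a real device config.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/">
   <system contact="John Doe" log-panic="fb-support" sw-update="false"/>
   <user name="admin" password="secret" timeout="0"/>
   <services>
      <telnet allow="1.2.3.4/29" local-only="false"/>
      <http local-only="false"/>
   </services>
   <interface name="LAN" port="LAN" ra-client="false">
      <subnet ip="1.1.1.1/29 2001:8b0::1/64"/>
   </interface>
   <interface name="LAN-NAT" port="LAN-NAT" ra-client="false">
      <subnet ip="10.0.0.1/24" nat="true"/>
   </interface>
   <interface name="WAN" port="WAN" ra-client="false"/>
   <ppp name="AAISP" port="WAN" username="me@a.1" password="secret" nat="false"/>
   <rule-set name="Firewall: LAN" target-interface="LAN" no-match-action="reject">
      <rule name="Allow Firebrick" source-interface="self"/>
   </rule-set>
</config>"""

PLACEHOLDERS = {"secret", "password"}  # example passwords used on this page


def local(tag):
    """Strip the XML namespace so elements can be matched by their plain name."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return a list of (check, detail) findings for a FireBrick XML config."""
    root = ET.fromstring(xml_text)
    els = [(local(e.tag), e) for e in root.iter()]
    findings = []
    for tag, e in els:
        label = f"{tag} {e.get('name', '')}".strip()
        if e.get("password") in PLACEHOLDERS:
            findings.append(("placeholder-password", label))
        if tag == "user" and e.get("timeout") == "0":
            findings.append(("idle-timeout-disabled", label))
        if tag == "system" and e.get("sw-update") == "false":
            findings.append(("auto-update-disabled", label))
        if tag in ("telnet", "http") and e.get("local-only") == "false":
            # The page always pairs local-only="false" with an allow list;
            # a missing list is treated here as unrestricted (assumption).
            allow = e.get("allow")
            kind = "remote-mgmt-allowlisted" if allow else "remote-mgmt-no-allowlist"
            findings.append((kind, f"{tag} allow={allow or 'none'}"))
    # Interfaces named in any rule-set's target-interface (space-separated list).
    covered = {n for t, e in els if t == "rule-set"
               for n in e.get("target-interface", "").split()}
    for tag, e in els:
        if tag != "interface" or e.get("name") in covered:
            continue
        # Only interfaces that carry an addressed subnet are worth reporting.
        if any(local(c.tag) == "subnet" and c.get("ip") for c in e):
            findings.append(("no-rule-set", f"interface {e.get('name')}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:26} {detail}")
```

Telnet sends the login unencrypted, so a remote-mgmt finding for telnet calls for the narrowest allow list that still works.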