FireBrick 2700 Configuration run-through: Difference between revisions

FireBrick 2700 Configuration run-through (view source)

Revision as of 23:59, 14 March 2017

726 bytes removed , 14 March 2017

m

clean up, typos fixed: However → However,

Reedy

editor

698

edits

Revision as of 21:17, 6 January 2015 (view source) Reedy (talk \| contribs) m (clean up, typos fixed: on it's → on its (3), recieve → receive, ie → i.e. (3), etc) → etc.), eg: → e.g.: (13), 100Mb/s → 100Mbit/s (2)) ← Older edit		Revision as of 23:59, 14 March 2017 (view source) Reedy (talk \| contribs) m (clean up, typos fixed: However → However,) Newer edit →
(17 intermediate revisions by 2 users not shown)
[[File:2700-small.png\|link=:Category:FireBrick]] =Also See:= Our main [[:Category:FireBrick\|FireBrick]] wiki page =2500 and 2700= Here we will build a config file for a FB2700, from scratch, it should help you to build a configuration for your line(s) and help you understand the XML syntax etc. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP. These examples are based on V0.00.608 (2011-01-05), and future firmware releases may have different configuration requirements. ~~Som~~Some people converting from a 105 may prefer to also use the 105 converter tool, and base that output on the configuration for your new 2700. more info at: http://www.firebrick.co.uk/~~fb105config~~fb105-2700.php We have an AAISP ADSL line with the following details: The default configuration (of a fully-loaded FireBrick) looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" Set yourself a user with full debug rights, e.g.: <syntaxhighlight>▼ <tabs> <tab name="XML"> ▲<syntaxhighlight lang=xml> <user name="john" timeout="PT20M" level="DEBUG" password="secret"/> </syntaxhighlight> </tab> <tab name="GUI"> coming soon </tab> </tabs> To explain the timeout a bit: Modify the ntp time server to use the AAISP time server: <syntaxhighlight lang=xml> <ntp timeserver="time.aaisp.net.uk"/> </syntaxhighlight> modify the telnet service to permit only access from your LAN: <syntaxhighlight lang=xml> <telnet allow="192.0.2.0/28"/> </syntaxhighlight> Set DNS servers and your domain name, under the services (here we're using the AAISP DNS servers: <syntaxhighlight lang=xml> <dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> </syntaxhighlight> So, first we'll add a new subnet, this can go under the current 10.0.0.1 subnet (which we'll delete later.) And we'll make this a DHCP server: <syntaxhighlight lang=xml> <subnet ip="192.0.2.1/28" comment="LAN"/> <dhcp ip="192.0.2.2-12"/> Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN1 interface now looks like this: <syntaxhighlight lang=xml> <interface name="LAN1" port="LAN1"> <subnet comment="dhcp client"/> Our complete config now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> if that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines: <syntaxhighlight lang=xml> <subnet comment="dhcp client"/> <subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> In our default config, you can see that we already have some PPPoE settings: <syntaxhighlight lang=xml> <ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/> </syntaxhighlight> This line can be changed for your ADSL settings, e.g.: <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/> </syntaxhighlight> We've changed the port to WAN1, so we also need to change the port config earlier in the file, so change <syntaxhighlight lang=xml> <port name="LAN4" ports="4"/> </syntaxhighlight> to: <syntaxhighlight lang=xml> <port name="WAN1" ports="4"/> </syntaxhighlight> Our complete config in full now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> ==1500 MTU?== The Default MTU is 1492 for PPPoE. However, if your modem supports jumboframes, then you should be able to use a full 1500MTU on the PPPoE. The BT supplied modem for FTTC does support this, other modems may or may not... Config wise, just add mtu="1500" to the ppp element. e.g.: <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" mtu="1500"/> </syntaxhighlight> VCI: 38 ADSL modulation type: Multimode ~~===( Obsolete )For a Be PPPoE Line===~~ Name: AAISP (But can be anything) Mode: Bridge Encapsulation: RFC 1483 Multiplexing: LLC VPI: 0 VCI: 101 ADSL modulation type: Multimode ~~===( Obsolete )For a Be PPPoA Line===~~ ~~Most A&A BE lines from around December 2010 are PPPoA - they use the same VPI/VCI as BT (0/38).~~ You will need to use a Draytek Vigour 120, or similar device, which can provide true PPPoA <-> PPPoE bridging. The ZyXEL P660R-D1 won't do this. Please read the link:  http://www.firebrick.co.uk/fb2700/pppoe.php ~~Also make a note of the LAN address, as you'll set a subnet on the FireBrick below so that you can still access the ZyXEL from your LAN.~~ ~~As the ZyXEL is not doing any PPP in bridge mode, the 'Internet' LED will not light up, the DSL light will still indicate sync though.~~ Because of a quirk in the way these lines are configured by Be, PPPoEoA (bridge mode on the ZyXEL) does in fact work. However, it is an unsupported configuration. It will almost certainly work for the lifetime of the service, but if it does ever break Be will not fix it. ===Bridge Mode on Billion 7800N=== Since that page is more of a referece than a tutorial, it contains no examples. So here's a code snippet from a working config which allows incoming SMTP to your mail server, and IAX2 to an asterisk box as a starting-point: <syntaxhighlight lang=xml> <rule-set target-interface="LAN1" drop="reject" comment="Default firewall rule - block incoming"> <rule source-interface="self" comment="Allow from the FireBrick though"/> If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: <syntaxhighlight lang=xml> <rule-set name="Incoming Firewall Rules"> <rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/> You may only want to allow access to the FireBrick webserver from your LAN, do this in the http service, e.g., change the current line to: <syntaxhighlight lang=xml> <http allow="192.0.2.1/28"/> </syntaxhighlight> So, our config will look like this: <syntaxhighlight lang=xml> <interface name="LAN1" port="LAN1"> <subnet ip="2001:8B0:123:1::1/64" ra="true" comment="[[IPv6]] LAN"/> Our complete config now looks like: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> In this example, I'm pointing it to a DNS server on 2001:8B0:B7:1::2. <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-dns="2001:8B0:123:1::2"/> </syntaxhighlight> Setting the 'O' flag in the RA, telling the client to do DHCPv6 after auto-configuration, and request 'Other' config data, i.e. DNS. <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="true"/> </syntaxhighlight> To enable the 'O' flag AND the mini-DHCPv6, set the ra-other option to 'dhcpv6', and also specify the DNS server address to be doled out in the rd-dns option: <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2"/> </syntaxhighlight> Set up port 3 to connect to the second modem you have, i.e.: <syntaxhighlight lang=xml> <ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/> </syntaxhighlight> and change the port from: <syntaxhighlight lang=xml> <port name="LAN3" ports="3"/> </syntaxhighlight> to <syntaxhighlight lang=xml> <port name="WAN2" ports="3"/> </syntaxhighlight> e.g.: <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/> <ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/> Our config now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> If you have an AA data SIM, the FireBrick can configured to use this as a backup connection, by using a 3G dongle plugged into the USB port. Any routed legacy IP blocks will continue to work across this link, but so far [[IPv6]] isn't supported. The FireBrick is known to support the ZTE MF112 Dongle and some Huawei dongles. Others may work too. The basic config is: <syntaxhighlight lang=xml> <usb> <dongle username="startup_user@startup_domain" password=""/> To make use of port 2, we can configure it to be another LAN1 port. Our current port config is: <syntaxhighlight lang=xml> <port name="LAN1" ports="1"/> <port name="LAN2" ports="2"/> </syntaxhighlight> We can change this to make port 2 a LAN1 port: <syntaxhighlight lang=xml> <port name="LAN1" ports="1 2"/> <port name="WAN2" ports="3"/> In order to talk to the Modem from the LAN side of the FireBrick, a Subnet on the FireBrick needs to be made. This subnet would be on the WAN Interface, e.g.: <syntaxhighlight lang=xml> <interface name="WAN" port="WAN1"> <subnet ip="192.168.1.1/24" comment="IP subnet on WAN for router config"/> The previous config will put the FB on 192.168.1.1, and allow the FB to route IP packets between your LAN subnet and the 192.168.1 subnet. However, at this stage, you may find you are still unable to ping the modem on the WAN port. This is because although packets from your 81.x.x.x address are correctly routed to the modem, the modem itself knows no route back to 81.x.x.x. It know nothing of the FB. So we need to tell it by setting a static route. === ZyXel P-660R: === You will have configured the IP and Netmask on the 'LAN' tab. But there's no 'Gateway', so we must go to 'Advanced' -> 'Static Routes' tab, and create one. Enter it as follows: IP, Mask = base address of your internal LAN; e.g.: 81.xx.xx.0, 255.255.255.192. The 'Gateway' address is pointing back at the FB, e.g. 192.168.1.1. Check the box to Activate the route, hit the 'Apply' button, and that's it done. === [[Vigor 120]]: === You need to telnet in to the CLI to set the route. The commands to set a route back to 81.x.x.0 via the FB at 192.168.1.1 are: == Other, other things == You may want to look at the [[:Category:FireBrick]] page as there are examples there from setting up OTP, syslog, auto-updates and so on. ~~[[Category:Bonding]]~~[[Category:FireBrick~~]][[Category:Configuring]][[Category:Router~~\|Configuration]]