FireBrick 2700 Configuration run-through: Difference between revisions

FireBrick 2700 Configuration run-through (view source)

Revision as of 09:44, 30 May 2020

680 bytes removed , 30 May 2020

m

no edit summary

AA-Andrew

autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators

12,270

edits

Revision as of 10:26, 31 October 2012 (view source) AA-Andrew (talk \| contribs) (→‎Other, other things) ← Older edit		Revision as of 09:44, 30 May 2020 (view source) AA-Andrew (talk \| contribs) mNo edit summary Newer edit →
(28 intermediate revisions by 3 users not shown)
[[File:2700-small.png\|link=:Category:FireBrick]] =Also See:=▼ Our main [[FireBrick]] wiki page▼ ▲=Also See:= ▲Our main [[:Category:FireBrick\|FireBrick]] wiki page =2500 and 2700= These instructions are mostly applicable to the 2500 too. The difference between the 2500 and the 2700 is that: 2700 has a USB port so supports 3G fallback, 2500 does not have the USB port 2700 has faster throughput (about ~~100Mb~~100Mbit/s on the 2500 compared to about ~~350Mb~~350Mbit/s on the 2700) =XML or Web UI config editor= Here we will build a config file for a FB2700, from scratch, it should help you to build a configuration for your line(s) and help you understand the XML syntax etc. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP. These examples are based on V0.00.608 (2011-01-05), and future firmware releases may have different configuration requirements. ~~Som people converting from a 105 may prefer to also use the 105 converter tool, and base that output on the configuration for your new 2700. more info at: http://www.firebrick.co.uk/fb105config.php~~ We have an AAISP ADSL line with the following details: Username= abc@a.1 Password=secret Routed IP block = 192.0.2.0/28 (Later in the page, we'll be adding an [[IPv6]] block, and [[bonding]] with a second line) (192.0.2.0/28 is used in this example as the 192.9.2 block is a special block reserved for documentation (RFC 5737). We will also use the v6 documentation prefixes 2001:DB8:: (RFC 3849)) The default configuration (of a fully-loaded FireBrick) looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" </syntaxhighlight> Which sets up the 4 [[Ethernet]] ports as separate LANs, and an IP of 10.0.0.1 (and 2001:DB8::1) with the FireBrick acting DHCP server on the first port. So, connecting a computer to Port 1 should get you a 10.0.0.x IP address, and you can access http://10.0.0.1 . Port 1 is also a DHCP client, so it will try to get an IP from your DHCP server, if you have one. -Check your DHCP server logs for what IP is allocated. Port 4 is set as an example of a PPPoE client, (iei.e. to be plugged in to a [[ADSL modem]]/FTTC/FTTP modem etc.) we'll set this up a little later. = Configuring Initial Basic Settings = Set yourself a user with full debug rights, ege.g.: <syntaxhighlight>▼ <tabs> <tab name="XML"> ▲<syntaxhighlight lang=xml> <user name="john" timeout="PT20M" level="DEBUG" password="secret"/> </syntaxhighlight> </tab> <tab name="GUI"> coming soon </tab> </tabs> To explain the timeout a bit: PT (Period Time) 20M is 20 minutes. You can just enter 3600, and it will convert it to PT1H (as in a number on ~~it's~~its own will mean seconds). Modify the ntp time server to use the AAISP time server: <syntaxhighlight lang=xml> <ntp timeserver="time.aaisp.net.uk"/> </syntaxhighlight> modify the telnet service to permit only access from your LAN: <syntaxhighlight lang=xml> <telnet allow="192.0.2.0/28"/> </syntaxhighlight> Set DNS servers and your domain name, under the services (here we're using the AAISP DNS servers: <syntaxhighlight lang=xml> <dns domain="yourdomain.tld" resolvers="217.169.20.20 217.169.20.21"/> </syntaxhighlight> = LAN Subnet = We want to use just [[Ethernet]] port 1 on the FireBrick for our LAN, we'll be connecting port 1 to a switch, and all our devices will be plugged in to that switch. So, first we'll add a new subnet, this can go under the current 10.0.0.1 subnet (which we'll delete later.) And we'll make this a DHCP server: <syntaxhighlight lang=xml> <subnet ip="192.0.2.1/28" comment="LAN"/> <dhcp ip="192.0.2.2-12"/> Remove the existing DHCP settings for the 10.0.0.1 interface. The LAN1 interface now looks like this: <syntaxhighlight lang=xml> <interface name="LAN1" port="LAN1"> <subnet comment="dhcp client"/> Our complete config now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> if that works, we can now safely remove the DHCP client subnet and the 10.0.0.1 subnet, so remove the lines: <syntaxhighlight lang=xml> <subnet comment="dhcp client"/> <subnet ip="2001:DB8::1/64 10.0.0.1/24" nat="true" comment="Temporary IPs for setup only, delete when finished configuring"/> More info on http://www.firebrick.co.uk/fb2700/pppoe.php The [[FireBrick 2700]] supports PPPoE - so you can use it to connect via an xDSL modem, ege.g. a: A BT supplied FTTC/FTTP Modem A standard issue AAISP ZyXEL P660-D1, in bridge mode (Go to: Wan - Wan setup, mode Bridge, Encapsulation RFC1483, Multiplex LLC) Another [[ADSL Router\|ADSL router]] set for bridge mode A modem such as a Draytek [[~~Vigor_120~~Vigor 120]] (firmware 3.2.4.3 and above) Note: You cannot just use any of these devices on any line type: There are combinations that will work, and combinations that will not. You MUST read the link above. In short, BT lines can auto-detect PPPoA or PPPoE, so will work with pretty much anything. BE lines on the other hand are hard-coded to either PPPoE OR PPPoA. For a BE PPPoE line, a simple bridge mode router like the ZyXEL is the correct choice. For a BE PPPoA line, you need a device that can do true PPPoA on the wire <-> PPPoE on the LAN to the FB. The Vigour 120 is one of the only devices that can do this. In our default config, you can see that we already have some PPPoE settings: <syntaxhighlight lang=xml> <ppp port="LAN4" username="startup_user@startup_domain" password="" comment="Example PPPoE config for DSL/FTTC/FTTP/etc"/> </syntaxhighlight> This is using [[Ethernet]] port 4, so plug your modem in to that port. This line can be changed for your ADSL settings, ege.g.: <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true"/> </syntaxhighlight> We've changed the port to WAN1, so we also need to change the port config earlier in the file, so change <syntaxhighlight lang=xml> <port name="LAN4" ports="4"/> </syntaxhighlight> to: <syntaxhighlight lang=xml> <port name="WAN1" ports="4"/> </syntaxhighlight> Our complete config in full now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> ==1500 MTU?== The Default MTU is 1492 for PPPoE. However, if your modem supports jumboframes, then you should be able to use a full 1500MTU on the PPPoE. The BT supplied modem for FTTC does support this, other modems may or may not... Config wise, just add mtu="1500" to the ppp element. e.g.: ~~eg:~~ <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" mtu="1500"/> </syntaxhighlight> ==ZyXEL P660R-D1 Notes== (These notes will be similar for any type of [[ADSL Router\|ADSL router]] in Bridge mode, or ADSL modems.) The P660R-D1 also supports a hybrid [http://www.zyxel.co.uk/web/support_faq_detail.php?faqID=136&pid=20040812093058 Half Bridge mode]; the PPP session is terminated on the modem but its internal NAT is disabled and the WAN IP is assigned to the firewall / router connected to its [[ethernet]] port via short DHCP lease. This configuration may suffice for some simpler setups, the advantage being the modem can be used with a PPPoA setup (e.g. Opal / Tiscali Business LLU). The modem remains accessible on its default LAN IP address. When setting up the ZyXEL to work with the FireBrick, set the WAN settings to be: ===For a BT or TT Line ( which will do PPPoA or PPPoE ):=== Name: AAISP (But can be anything) Mode: Bridge Encapsulation: RFC 1483 Multiplexing: LLC (VC may work on BT 20cn, but stick with LLC) VPI: 0 VCI: 38 ADSL modulation type: Multimode ~~===For a Be PPPoE Line:===~~ Name: AAISP (But can be anything) Mode: Bridge Encapsulation: RFC 1483 Multiplexing: LLC VPI: 0 VCI: 101 ADSL modulation type: Multimode ~~===For a Be PPPoA Line:===~~ ~~Most A&A BE lines from around December 2010 are PPPoA - they use the same VPI/VCI as BT (0/38).~~ You will need to use a Draytek Vigour 120, or similar device, which can provide true PPPoA <-> PPPoE bridging. The ZyXEL P660R-D1 won't do this. Please read the link:  http://www.firebrick.co.uk/fb2700/pppoe.php ~~Also make a note of the LAN address, as you'll set a subnet on the FireBrick below so that you can still access the ZyXEL from your LAN.~~ ~~As the ZyXEL is not doing any PPP in bridge mode, the 'Internet' LED will not light up, the DSL light will still indicate sync though.~~ Because of a quirk in the way these lines are configured by Be, PPPoEoA (bridge mode on the ZyXEL) does in fact work. However, it is an unsupported configuration. It will almost certainly work for the lifetime of the service, but if it does ever break Be will not fix it. ===Bridge Mode on Billion 7800N=== Since that page is more of a referece than a tutorial, it contains no examples. So here's a code snippet from a working config which allows incoming SMTP to your mail server, and IAX2 to an asterisk box as a starting-point: <syntaxhighlight lang=xml> <rule-set target-interface="LAN1" drop="reject" comment="Default firewall rule - block incoming"> <rule source-interface="self" comment="Allow from the FireBrick though"/> </syntaxhighlight> For debugging, you can add log="true" and/or graph="xyz" to the <rule .../> lines, which will then print an entry to the log when the rule is matched, and will also draw graphs for that traffic, ege.g.: == VoIP Rules == If you have VoIP phones on your LAN, then here are some example rules to allow SIP and RTP from the AAISP phone servers: <syntaxhighlight lang=xml> <rule-set name="Incoming Firewall Rules"> <rule name="SIP" source-ip="81.187.30.110-119" target-ip="192.0.2.0/28" target-port="5060-5069"/> == Restricting FireBrick Config access == You may only want to allow access to the FireBrick webserver from your LAN, do this in the http service, ege.g., change the current line to: <syntaxhighlight lang=xml> <http allow="192.0.2.1/28"/> </syntaxhighlight> = Native IPv6 = Assuming you have an [[IPv6]] block allocated to your line on Clueless and you're using the FB for PPPoE, then all the FB config needs is: An [[IPv6]] address on the LAN subnet ra="true" in the subnet Your computers should then get [[IPv6]] details. test on http://ip.help.me.uk. If you previously had your [[IPv6]] allocation routed over a Protocol 41 tunnel to a tunnel end-point machine on your LAN, you now need to remove that on clueless to allow native [[IPv6]] to the FB. Log in to clueless and simply clear the IPv4 endpoint address, and save the changes. You then need to drop the connection to AAISP, and re-connect, for the routing change to take effect. Also remember to shut down your LAN tunnel endpoint, so it's not still announcing routes it can't honour any more. If you still need to use Tunnelled [[IPv6]], rather than Native, see this page: [[FireBrick 2700 v6 Tunnel]] So, our config will look like this: <syntaxhighlight lang=xml> <interface name="LAN1" port="LAN1"> <subnet ip="2001:8B0:123:1::1/64" ra="true" comment="[[IPv6]] LAN"/> ... </interface> Our complete config now looks like: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> <port name="WAN1" ports="4"/> <interface name="LAN1" port="LAN1"> <subnet ip="2001:8B0:123:1::1/64" ra="true" comment="[[IPv6]] LAN"/> <subnet ip="192.0.2.1/28" comment="LAN"/> <dhcp ip="192.0.2.2-12"/> ( since release V0.02.039 ) Setting 'ra=true' will enable auto-configuration of [[IPv6]] addresses, and of the Default Route. You may also wish to configure [[IPv6]] DNS servers ( DNS servers that are to be queried over [[IPv6]] ). There are a couple of different mechanisms available to push out [[IPv6]] DNS servers, and the FB2700 supports both. Be sure your DNS server actually responds on ~~it's~~its [[IPv6]] address! The first method is to have the FB include the DNS server addresses as a new option( RDNSS ) in the Router Announcements. ( RFC6106 ). RFC6106 aware clients are, however, somewhat thin on the ground at the moment. To enable this, set the 'ra-dns' option to point to your [[IPv6]] Recursive DNS Server. In this example, I'm pointing it to a DNS server on 2001:8B0:B7:1::2. <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-dns="2001:8B0:123:1::2"/> </syntaxhighlight> If the client is smart enough, this is all it will take. Most clients are not currently able to ~~recieve~~receive this option. So we can also use the more traditional method: Setting the 'O' flag in the RA, telling the client to do DHCPv6 after auto-configuration, and request 'Other' config data, iei.e. DNS. <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="true"/> </syntaxhighlight> To enable the 'O' flag AND the mini-DHCPv6, set the ra-other option to 'dhcpv6', and also specify the DNS server address to be doled out in the rd-dns option: <syntaxhighlight lang=xml> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2"/> </syntaxhighlight> Note: It's not always clear on the win boxes whether this worked. On a Vista box, the command 'ipconfig /all' will show both IPv4 and [[IPv6]] DNS servers configured. Win7 seems lame, and only reports IPv4. To show the [[IPv6]] DNS servers, you need to use the command 'netsh interface [[IPv6\|ipv6]] show dns'. = Next Steps, Bonding a Second Line = == Set up second PPPoE == Set up port 3 to connect to the second modem you have, iei.e.: <syntaxhighlight lang=xml> <ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true"/> </syntaxhighlight> and change the port from: <syntaxhighlight lang=xml> <port name="LAN3" ports="3"/> </syntaxhighlight> to <syntaxhighlight lang=xml> <port name="WAN2" ports="3"/> </syntaxhighlight> Port 4 = ADSL Line 1 == Bond the PPPoE: == ''[[Bonding]] on a 2700 requires the [[Bonding]] capability - found on the Fully-Loaded and [[Bonding]] variants.'' Simply setting speed=x in the ppp config will bond the PPPoE for uplink. The speed value is in ''bits per sec''. You can use G/M/K when specifying the value, as well as B for bytes, or i, power of 2. ege.g., 1000000 is the same as 1M) ege.g.: <syntaxhighlight lang=xml> <ppp port="WAN1" username="abc@a.1" password="secret" comment="BT ADSL" graph="BT ADSL" log="true" speed="1000000"/> <ppp port="WAN2" username="abc@a.2" password="secret" comment="BT ADSL" graph="BT ADSL 2" log="true" speed="1000000"/> </syntaxhighlight> Since each PPP connection will give the FireBrick a default route, the FireBrick will use both, and upload traffic on each ppp connection up to the speed given. The speed is in bits, so this example is where the upload is 1M. If the upload is different on the lines, then that's fine - ege.g., you may have a line using Annex-A and one Annex-M. Setting the speed correctly will mean the correct amount of traffic will be sent up each line. Our config now looks like this: <syntaxhighlight lang=xml> <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ http://firebrick.ltd.uk/xml/fb2700/0.00.605.xsd" timestamp="1970-01-01T00:00:07Z"> <port name="WAN1" ports="4"/> <interface name="LAN1" port="LAN1"> <subnet ip="2001:8B0:123:1::1/64" ra="true" ra-other="dhcpv6" ra-dns="2001:8B0:123:1::2" comment="[[IPv6]] LAN"/> <subnet ip="192.0.2.1/28" comment="LAN"/> <dhcp ip="192.0.2.2-12"/> = Setting up 3G Fallback = If you have an AA data SIM, the FireBrick can configured to use this as a backup connection, by using a 3G dongle plugged into the USB port. Any routed legacy IP blocks will continue to work across this link, but so far [[IPv6]] isn't supported. The FireBrick is known to support the ZTE MF112 Dongle and some Huawei dongles. Others may work too. The basic config is: <syntaxhighlight lang=xml> <usb> <dongle username="startup_user@startup_domain" password=""/> To make use of port 2, we can configure it to be another LAN1 port. Our current port config is: <syntaxhighlight lang=xml> <port name="LAN1" ports="1"/> <port name="LAN2" ports="2"/> </syntaxhighlight> We can change this to make port 2 a LAN1 port: <syntaxhighlight lang=xml> <port name="LAN1" ports="1 2"/> <port name="WAN2" ports="3"/> == Accessing the Modem == The modem, or [[ADSL Router\|ADSL router]] in bridge mode, will also have a LAN IP that you can use to get to ~~it's~~its config pages etc. ege.g., the ZyXEL P660-R will still have a LAN setting, with an IP set. For the purpose of this example, let's assume the modem is on 192.168.1.2 mask 255.255.255.0. In order to talk to the Modem from the LAN side of the FireBrick, a Subnet on the FireBrick needs to be made. This subnet would be on the WAN Interface, ege.g.: <syntaxhighlight lang=xml> <interface name="WAN" port="WAN1"> <subnet ip="192.168.1.1/24" comment="IP subnet on WAN for router config"/> </syntaxhighlight> == Static Routes: == The previous config will put the FB on 192.168.1.1, and allow the FB to route IP packets between your LAN subnet and the 192.168.1 subnet. However, at this stage, you may find you are still unable to ping the modem on the WAN port. This is because although packets from your 81.x.x.x address are correctly routed to the modem, the modem itself knows no route back to 81.x.x.x. It know nothing of the FB. So we need to tell it by setting a static route. === ZyXel P-660R: === You will have configured the IP and Netmask on the 'LAN' tab. But there's no 'Gateway', so we must go to 'Advanced' -> 'Static Routes' tab, and create one. Enter it as follows: IP, Mask = base address of your internal LAN; ege.g.: 81.xx.xx.0, 255.255.255.192. The 'Gateway' address is pointing back at the FB, ege.g. 192.168.1.1. Check the box to Activate the route, hit the 'Apply' button, and that's it done. === [[Vigor 120:]] === You need to telnet in to the CLI to set the route. The commands to set a route back to 81.x.x.0 via the FB at 192.168.1.1 are: == Other, other things == You may want to look at the [[:Category:FireBrick]] page as there are examples there from setting up OTP, syslog, auto-updates and so on. [[Category:FireBrick\|Configuration]] ~~[[Category:FTTC]] [[Category:Bonding]][[Category:FireBrick]][[Category:BT]][[Category:BE]][[Category:ADSL]][[Category:Configuring]]~~