FireBrick FB6502
User Manual
FB6000 Versatile Network Appliance
FireBrick FB6502 User Manual
This User Manual documents Software version V1.46.100
Copyright © 2012-2017 FireBrick Ltd.
Table of Contents
Preface .................................................................................................................................. xvi
1. Introduction .......................................................................................................................... 1
1.1. The FB6000 ............................................................................................................... 1
1.1.1. Where do I start? .............................................................................................. 1
1.1.2. What can it do? ................................................................................................ 1
1.1.2.1. FB6502 Gigabit core VoIP SIP switch for ISTP use ...................................... 2
1.1.3. Ethernet port capabilities .................................................................................... 2
1.1.4. Product variants in the FB6000 series ................................................................... 2
1.2. About this Manual ....................................................................................................... 2
1.2.1. Version ........................................................................................................... 2
1.2.2. Intended audience ............................................................................................. 3
1.2.3. Technical details ............................................................................................... 3
1.2.4. Document style ................................................................................................. 3
1.2.5. Document conventions ....................................................................................... 3
1.2.6. Comments and feedback .................................................................................... 4
1.3. Additional Resources ................................................................................................... 4
1.3.1. Technical Support ............................................................................................. 4
1.3.2. IRC Channel .................................................................................................... 4
1.3.3. Application Notes ............................................................................................. 4
1.3.4. White Papers .................................................................................................... 4
1.3.5. Training Courses ............................................................................................... 5
2. Getting Started ...................................................................................................................... 6
2.1. IP addressing .............................................................................................................. 6
2.2. Accessing the web-based user interface ........................................................................... 6
2.2.1. Add a new user ................................................................................................ 7
3. Configuration ........................................................................................................................ 9
3.1. The Object Hierarchy ................................................................................................... 9
3.2. The Object Model ....................................................................................................... 9
3.2.1. Formal definition of the object model ................................................................. 10
3.2.2. Common attributes .......................................................................................... 10
3.3. Configuration Methods ............................................................................................... 10
3.4. Web User Interface Overview ...................................................................................... 10
3.4.1. User Interface layout ........................................................................................ 11
3.4.1.1. Customising the layout .......................................................................... 11
3.4.2. Config pages and the object hierarchy ................................................................. 12
3.4.2.1. Configuration categories ......................................................................... 12
3.4.2.2. Object settings ...................................................................................... 13
3.4.3. Navigating around the User Interface .................................................................. 15
3.4.4. Backing up / restoring the configuration .............................................................. 16
3.5. Configuration using XML ........................................................................................... 16
3.5.1. Introduction to XML ........................................................................................ 16
3.5.2. The root element - <config> ............................................................................. 17
3.5.3. Viewing or editing XML .................................................................................. 17
3.5.4. Example XML configuration ............................................................................. 17
3.6. Downloading/Uploading the configuration ...................................................................... 19
3.6.1. Download ...................................................................................................... 19
3.6.2. Upload .......................................................................................................... 19
4. System Administration .......................................................................................................... 20
4.1. User Management ...................................................................................................... 20
4.1.1. Login level ..................................................................................................... 20
4.1.2. Configuration access level ................................................................................ 21
4.1.3. Login idle timeout ........................................................................................... 21
4.1.4. Restricting user logins ...................................................................................... 21
4.1.4.1. Restrict by IP address ............................................................................ 21
iv
FireBrick FB6502 User Manual
4.1.4.2. Logged in IP address ............................................................................. 22
4.1.4.3. Restrict by profile ................................................................................. 22
4.1.5. Password change ............................................................................................. 22
4.1.6. One Time Password (OTP) ............................................................................... 22
4.2. General System settings .............................................................................................. 23
4.2.1. System name (hostname) .................................................................................. 23
4.2.2. Administrative details ...................................................................................... 23
4.2.3. System-level event logging control ..................................................................... 23
4.2.4. Home page web links ...................................................................................... 23
4.3. Software Upgrades ..................................................................................................... 24
4.3.1. Software release types ...................................................................................... 24
4.3.1.1. Breakpoint releases ............................................................................... 24
4.3.2. Identifying current software version .................................................................... 25
4.3.3. Internet-based upgrade process .......................................................................... 25
4.3.3.1. Manually initiating upgrades ................................................................... 25
4.3.3.2. Controlling automatic software updates ..................................................... 26
4.3.4. Manual upgrade .............................................................................................. 26
4.4. Boot Process ............................................................................................................. 27
4.4.1. LED indications .............................................................................................. 27
4.4.1.1. Power LED status indications ................................................................. 27
4.4.1.2. Port LEDs ........................................................................................... 27
5. Event Logging ..................................................................................................................... 28
5.1. Overview .................................................................................................................. 28
5.1.1. Log targets ..................................................................................................... 28
5.1.1.1. Logging to Flash memory ...................................................................... 28
5.1.1.2. Logging to the Console .......................................................................... 29
5.2. Enabling logging ....................................................................................................... 29
5.3. Logging to external destinations ................................................................................... 29
5.3.1. Syslog ........................................................................................................... 29
5.3.2. Email ............................................................................................................ 30
5.3.2.1. E-mail process logging .......................................................................... 31
5.4. Factory reset configuration log targets ........................................................................... 31
5.5. Performance .............................................................................................................. 31
5.6. Viewing logs ............................................................................................................. 31
5.6.1. Viewing logs in the User Interface ..................................................................... 31
5.6.2. Viewing logs in the CLI environment ................................................................. 32
5.7. System-event logging ................................................................................................. 32
5.8. Using Profiles ........................................................................................................... 32
6. Interfaces and Subnets .......................................................................................................... 33
6.1. Relationship between Interfaces and Physical Ports .......................................................... 33
6.1.1. Port groups .................................................................................................... 33
6.1.2. Interfaces ....................................................................................................... 33
6.2. Defining an interface .................................................................................................. 33
6.2.1. Defining subnets ............................................................................................. 34
6.2.1.1. Source filtering ..................................................................................... 35
6.2.1.2. Using DHCP to configure a subnet .......................................................... 35
6.2.2. Setting up DHCP server parameters .................................................................... 35
6.2.2.1. Fixed/Static DHCP allocations ................................................................ 36
6.2.2.2. Restricted allocations ............................................................................. 36
6.2.2.3. Special DHCP options ........................................................................... 37
6.2.3. DHCP Relay Agent ......................................................................................... 38
6.3. Physical port settings .................................................................................................. 38
6.3.1. Setting duplex mode ........................................................................................ 38
6.3.2. Defining port LED functions ............................................................................. 39
7. Routing .............................................................................................................................. 40
7.1. Routing logic ............................................................................................................ 40
v
FireBrick FB6502 User Manual
7.2. Routing targets .......................................................................................................... 41
7.2.1. Subnet routes .................................................................................................. 41
7.2.2. Routing to an IP address (gateway route) ............................................................. 41
7.2.3. Special targets ................................................................................................ 42
7.3. Dynamic route creation / deletion ................................................................................. 42
7.4. Routing tables ........................................................................................................... 42
7.5. Bonding ................................................................................................................... 42
8. Profiles ............................................................................................................................... 44
8.1. Overview .................................................................................................................. 44
8.2. Creating/editing profiles .............................................................................................. 44
8.2.1. Timing control ................................................................................................ 44
8.2.2. Tests ............................................................................................................. 45
8.2.2.1. General tests ........................................................................................ 45
8.2.2.2. Time/date tests ..................................................................................... 45
8.2.2.3. Ping tests ............................................................................................. 45
8.2.3. Inverting overall test result ................................................................................ 45
8.2.4. Manual override .............................................................................................. 46
9. Traffic Shaping .................................................................................................................... 47
9.1. Graphs and Shapers ................................................................................................... 47
9.1.1. Graphs ........................................................................................................... 47
9.1.2. Shapers .......................................................................................................... 48
9.1.3. Ad hoc shapers ............................................................................................... 48
9.1.4. Long term shapers ........................................................................................... 48
9.2. Multiple shapers ........................................................................................................ 48
9.3. Basic principles ......................................................................................................... 49
10. System Services ................................................................................................................. 50
10.1. Protecting the FB6000 .............................................................................................. 50
10.2. Common settings ..................................................................................................... 50
10.3. HTTP Server configuration ........................................................................................ 51
10.3.1. Access control ............................................................................................... 51
10.3.1.1. Trusted addresses ................................................................................ 51
10.4. Telnet Server configuration ........................................................................................ 51
10.4.1. Access control ............................................................................................... 52
10.5. DNS configuration ................................................................................................... 52
10.5.1. Blocking DNS names ..................................................................................... 52
10.5.2. Local DNS responses ..................................................................................... 52
10.5.3. Auto DHCP DNS .......................................................................................... 52
10.6. NTP configuration .................................................................................................... 53
10.7. SNMP configuration ................................................................................................. 53
10.8. RADIUS configuration .............................................................................................. 53
10.8.1. RADIUS client .............................................................................................. 53
10.8.1.1. RADIUS client settings ........................................................................ 53
10.8.1.2. Server blacklisting ............................................................................... 54
11. Network Diagnostic Tools .................................................................................................... 55
11.1. Access check ........................................................................................................... 55
11.2. Packet Dumping ...................................................................................................... 56
11.2.1. Dump parameters ........................................................................................... 56
11.2.2. Security settings required ................................................................................ 57
11.2.3. IP address matching ....................................................................................... 57
11.2.4. Packet types .................................................................................................. 57
11.2.5. Snaplen specification ...................................................................................... 57
11.2.6. Using the web interface .................................................................................. 58
11.2.7. Using an HTTP client .................................................................................... 58
11.2.7.1. Example using curl and tcpdump ........................................................... 58
12. VRRP ............................................................................................................................... 59
12.1. Virtual Routers ........................................................................................................ 59
vi
FireBrick FB6502 User Manual
12.2. Configuring VRRP ................................................................................................... 60
12.2.1. Advertisement Interval .................................................................................... 60
12.2.2. Priority ........................................................................................................ 60
12.3. Using a virtual router ................................................................................................ 60
12.4. VRRP versions ........................................................................................................ 60
12.4.1. VRRP version 2 ............................................................................................ 60
12.4.2. VRRP version 3 ............................................................................................ 61
12.5. Compatibility ........................................................................................................... 61
13. VoIP ................................................................................................................................. 62
13.1. What is VoIP? ......................................................................................................... 62
13.2. Registration and Proxies ............................................................................................ 62
13.2.1. Registrar ...................................................................................................... 62
13.2.2. Proxy ........................................................................................................... 62
13.3. Core call routing switch ............................................................................................ 63
13.3.1. Call control .................................................................................................. 63
13.3.2. Bulk registration client ................................................................................... 63
13.4. Network Address Translation ..................................................................................... 63
13.5. Number plan ........................................................................................................... 64
13.6. Telephone handsets .................................................................................................. 64
13.7. VoIP call carriers ..................................................................................................... 65
13.8. Hunt groups ............................................................................................................ 66
13.9. Call pickup/steal ...................................................................................................... 66
13.10. Busy lamp field ..................................................................................................... 66
13.11. Using RADIUS ...................................................................................................... 66
13.11.1. RADIUS accounting ..................................................................................... 66
13.11.2. RADIUS authentication ................................................................................. 66
13.11.2.1. Call routing by RADIUS .................................................................... 67
13.12. Call recording ........................................................................................................ 68
13.13. Voicemail and IVR services ..................................................................................... 69
13.14. Call Data Records .................................................................................................. 69
13.15. Technical details .................................................................................................... 70
13.16. Custom tones ......................................................................................................... 70
14. BGP ................................................................................................................................. 72
14.1. What is BGP? ......................................................................................................... 72
14.2. BGP Setup .............................................................................................................. 72
14.2.1. Overview ..................................................................................................... 72
14.2.2. Standards ..................................................................................................... 72
14.2.3. Simple example setup ..................................................................................... 73
14.2.4. Peer type ...................................................................................................... 73
14.2.5. Route filtering ............................................................................................... 74
14.2.5.1. Matching attributes .............................................................................. 74
14.2.5.2. Action attributes .................................................................................. 74
14.2.6. Well known community tags ........................................................................... 75
14.2.7. Announcing black hole routes .......................................................................... 75
14.2.8. Announcing dead end routes ............................................................................ 76
14.2.9. Bad optional path attributes ............................................................................. 76
14.2.10. <network> element ....................................................................................... 76
14.2.11. <route>, <subnet> and other elements ............................................................. 76
14.2.12. Route feasibility testing ................................................................................. 76
14.2.13. Diagnostics ................................................................................................. 77
14.2.14. Router shutdown .......................................................................................... 77
14.2.15. TTL security ............................................................................................... 77
15. Command Line Interface ...................................................................................................... 78
A. CIDR and CIDR Notation ..................................................................................................... 79
B. MAC Addresses usage .......................................................................................................... 81
B.1. Multiple MAC addresses? ........................................................................................... 81
vii
FireBrick FB6502 User Manual
B.2. How the FireBrick allocates MAC addresses .................................................................. 82
B.2.1. Interface ........................................................................................................ 82
B.2.2. Subnet .......................................................................................................... 82
B.2.3. PPPoE .......................................................................................................... 82
B.2.4. Base MAC .................................................................................................... 82
B.2.5. Running out of MACs ..................................................................................... 83
B.3. MAC address on label ............................................................................................... 83
B.4. Using with a DHCP server ......................................................................................... 84
C. VLANs : A primer ............................................................................................................... 85
D. Supported RADIUS Attribute/Value Pairs for VoIP operation ...................................................... 86
D.1. Authentication request ............................................................................................... 86
D.2. Authentication response ............................................................................................. 87
D.2.1. Challenge authentication .................................................................................. 87
D.2.2. Accepted authentication (registration) ................................................................. 87
D.2.3. Accepted authentication (invite) ........................................................................ 87
D.2.4. Rejected authentication .................................................................................... 88
D.3. Accounting Start ....................................................................................................... 88
D.4. Accounting Interim .................................................................................................... 88
D.5. Accounting Stop ....................................................................................................... 89
D.6. Disconnect ............................................................................................................... 89
D.7. Change of Authorisation ............................................................................................. 90
E. FireBrick specific SNMP objects ............................................................................................ 91
E.1. Monitoring information .............................................................................................. 91
E.2. BGP information ....................................................................................................... 91
E.3. Monitoring information .............................................................................................. 92
F. Command line reference ........................................................................................................ 93
F.1. General commands .................................................................................................... 93
F.1.1. Trace off ....................................................................................................... 93
F.1.2. Trace on ........................................................................................................ 93
F.1.3. Uptime .......................................................................................................... 93
F.1.4. General status ................................................................................................. 93
F.1.5. Memory usage ................................................................................................ 93
F.1.6. Process/task usage ........................................................................................... 93
F.1.7. Login ............................................................................................................ 93
F.1.8. Logout .......................................................................................................... 94
F.1.9. See XML configuration .................................................................................... 94
F.1.10. Load XML configuration ................................................................................ 94
F.1.11. Show profile status ........................................................................................ 94
F.1.12. Enable profile control switch ........................................................................... 94
F.1.13. Disable profile control switch .......................................................................... 94
F.1.14. Show RADIUS servers ................................................................................... 94
F.1.15. Show DNS resolvers ...................................................................................... 94
F.2. Networking commands ............................................................................................... 95
F.2.1. Subnets ......................................................................................................... 95
F.2.2. Ping and trace ................................................................................................ 95
F.2.3. Show a route from the routing table ................................................................... 95
F.2.4. List routes ...................................................................................................... 95
F.2.5. List routing next hops ...................................................................................... 95
F.2.6. See DHCP allocations ...................................................................................... 96
F.2.7. Clear DHCP allocations ................................................................................... 96
F.2.8. Lock DHCP allocations .................................................................................... 96
F.2.9. Unlock DHCP allocations ................................................................................. 96
F.2.10. Name DHCP allocations ................................................................................. 96
F.2.11. Show ARP/ND status ..................................................................................... 96
F.2.12. Show VRRP status ........................................................................................ 96
F.2.13. Send Wake-on-LAN packet ............................................................................. 96
viii
FireBrick FB6502 User Manual
F.2.14. Check access to services ................................................................................. 97
F.3. BGP commands ........................................................................................................ 97
F.4. VoIP commands ........................................................................................................ 97
F.5. Advanced commands ................................................................................................. 97
F.5.1. Panic ............................................................................................................. 97
F.5.2. Reboot .......................................................................................................... 97
F.5.3. Screen width .................................................................................................. 97
F.5.4. Make outbound command session ...................................................................... 97
F.5.5. Show command sessions .................................................................................. 98
F.5.6. Kill command session ...................................................................................... 98
F.5.7. Flash memory list ........................................................................................... 98
F.5.8. Delete block from flash .................................................................................... 98
F.5.9. Boot log ........................................................................................................ 98
F.5.10. Flash log ...................................................................................................... 98
G. Constant Quality Monitoring - technical details ......................................................................... 99
G.1. Access to graphs and csvs .......................................................................................... 99
G.1.1. Trusted access ................................................................................................ 99
G.1.2. Dated information ........................................................................................... 99
G.1.3. Authenticated access ...................................................................................... 100
G.2. Graph display options .............................................................................................. 100
G.2.1. Data points .................................................................................................. 100
G.2.2. Additional text ............................................................................................. 100
G.2.3. Other colours and spacing .............................................................................. 101
G.3. Overnight archiving ................................................................................................. 101
G.3.1. Full URL format ........................................................................................... 102
G.3.2. load handling ............................................................................................... 102
G.4. Graph scores ........................................................................................................... 103
G.5. Creating graphs, and graph names .............................................................................. 103
H. Hashed passwords .............................................................................................................. 104
H.1. Password hashing .................................................................................................... 104
H.1.1. Salt ............................................................................................................. 104
H.2. One Time Password seed hashing .............................................................................. 105
I. Configuration Objects .......................................................................................................... 107
I.1. Top level ................................................................................................................. 107
I.1.1. config: Top level config .................................................................................. 107
I.2. Objects ................................................................................................................... 108
I.2.1. system: System settings ................................................................................... 108
I.2.2. link: Web links .............................................................................................. 109
I.2.3. user: Admin users .......................................................................................... 109
I.2.4. eap: User access controlled by EAP .................................................................. 109
I.2.5. log: Log target controls ................................................................................... 110
I.2.6. log-syslog: Syslog logger settings ..................................................................... 110
I.2.7. log-email: Email logger settings ........................................................................ 111
I.2.8. services: System services ................................................................................. 111
I.2.9. snmp-service: SNMP service settings ................................................................. 112
I.2.10. ntp-service: NTP service settings ..................................................................... 112
I.2.11. telnet-service: Telnet service settings ............................................................... 113
I.2.12. http-service: HTTP service settings .................................................................. 113
I.2.13. dns-service: DNS service settings .................................................................... 114
I.2.14. dns-host: Fixed local DNS host settings ............................................................ 115
I.2.15. dns-block: Fixed local DNS blocks .................................................................. 115
I.2.16. radius-service: RADIUS service definition ........................................................ 116
I.2.17. radius-service-match: Matching rules for RADIUS service ................................... 117
I.2.18. radius-server: RADIUS server settings ............................................................. 118
I.2.19. ethernet: Physical port controls ....................................................................... 119
I.2.20. sampling: Packet sampling configuration .......................................................... 119
ix
FireBrick FB6502 User Manual
I.2.21. portdef: Port grouping and naming .................................................................. 120
I.2.22. interface: Port-group/VLAN interface settings .................................................... 120
I.2.23. subnet: Subnet settings .................................................................................. 121
I.2.24. vrrp: VRRP settings ...................................................................................... 122
I.2.25. dhcps: DHCP server settings .......................................................................... 123
I.2.26. dhcp-attr-hex: DHCP server attributes (hex) ...................................................... 124
I.2.27. dhcp-attr-string: DHCP server attributes (string) ................................................. 124
I.2.28. dhcp-attr-number: DHCP server attributes (numeric) ........................................... 124
I.2.29. dhcp-attr-ip: DHCP server attributes (IP) .......................................................... 125
I.2.30. route: Static routes ........................................................................................ 125
I.2.31. network: Locally originated networks ............................................................... 125
I.2.32. blackhole: Dead end networks ........................................................................ 126
I.2.33. loopback: Locally originated networks ............................................................. 126
I.2.34. namedbgpmap: Mapping and filtering rules of BGP prefixes ................................. 127
I.2.35. bgprule: Individual mapping/filtering rule ......................................................... 127
I.2.36. bgp: Overall BGP settings .............................................................................. 128
I.2.37. bgppeer: BGP peer definitions ........................................................................ 128
I.2.38. bgpmap: Mapping and filtering rules of BGP prefixes ......................................... 130
I.2.39. cqm: Constant Quality Monitoring settings ........................................................ 130
I.2.40. profile: Control profile .................................................................................. 132
I.2.41. profile-date: Test passes if within any of the time ranges specified ......................... 133
I.2.42. profile-time: Test passes if within any of the date/time ranges specified .................. 134
I.2.43. profile-ping: Test passes if any addresses are pingable ......................................... 134
I.2.44. ip-group: IP Group ....................................................................................... 134
I.2.45. voip: Voice over IP config ............................................................................. 135
I.2.46. carrier: VoIP carrier details ............................................................................ 136
I.2.47. telephone: VoIP telephone authentication user details .......................................... 138
I.2.48. tone: Tone definitions .................................................................................... 139
I.2.49. ringgroup: Ring groups .................................................................................. 139
I.2.50. dhcp-relay: DHCP server settings for remote / relayed requests ............................. 140
I.3. Data types ............................................................................................................... 140
I.3.1. autoloadtype: Type of s/w auto load .................................................................. 140
I.3.2. config-access: Type of access user has to config .................................................. 140
I.3.3. user-level: User login level .............................................................................. 141
I.3.4. eap-subsystem: Subsystem with EAP access control ............................................. 141
I.3.5. eap-method: EAP access method ....................................................................... 141
I.3.6. syslog-severity: Syslog severity ........................................................................ 141
I.3.7. syslog-facility: Syslog facility ........................................................................... 142
I.3.8. month: Month name (3 letter) ........................................................................... 142
I.3.9. day: Day name (3 letter) .................................................................................. 143
I.3.10. radiuspriority: Options for controlling platform RADIUS response priority tagging ... 143
I.3.11. radiustype: Type of RADIUS server ................................................................ 143
I.3.12. port: Physical port ........................................................................................ 144
I.3.13. Crossover: Crossover configuration .................................................................. 144
I.3.14. LinkSpeed: Physical port speed ....................................................................... 144
I.3.15. LinkDuplex: Physical port duplex setting .......................................................... 144
I.3.16. LinkFlow: Physical port flow control setting ..................................................... 144
I.3.17. LinkClock: Physical port Gigabit clock master/slave setting ................................. 145
I.3.18. LinkLED-y: Yellow LED setting ..................................................................... 145
I.3.19. LinkLED-g: Green LED setting ...................................................................... 145
I.3.20. LinkPower: PHY power saving options ............................................................ 145
I.3.21. LinkFault: Link fault type to send ................................................................... 146
I.3.22. sampling-protocol: Sampling protocol .............................................................. 146
I.3.23. trunk-mode: Trunk port more ......................................................................... 146
I.3.24. ramode: IPv6 route announce level .................................................................. 146
I.3.25. dhcpv6control: Control for RA and DHCPv6 bits ............................................... 146
x
FireBrick FB6502 User Manual
I.3.26. bgpmode: BGP announcement mode ................................................................ 147
I.3.27. sampling-mode: Sampling mode ...................................................................... 147
I.3.28. sfoption: Source filter option .......................................................................... 147
I.3.29. peertype: BGP peer type ................................................................................ 147
I.3.30. switch: Profile manual setting ......................................................................... 148
I.3.31. voip-format: Number presentation format .......................................................... 148
I.3.32. uknumberformat: Number formatting option ...................................................... 148
I.3.33. recordoption: Recording option ....................................................................... 148
I.3.34. ring-group-order: Order of ring ....................................................................... 149
I.3.35. ring-group-type: Type of ring when one call in queue .......................................... 149
I.3.36. record-beep-option: Record beep option ............................................................ 149
I.4. Basic types .............................................................................................................. 149
Index .................................................................................................................................... 152
xi
List of Figures
2.1. Initial web page in factory reset state ...................................................................................... 7
2.2. Initial "Users" page .............................................................................................................. 7
2.3. Setting up a new user .......................................................................................................... 8
2.4. Configuration being stored .................................................................................................... 8
3.1. Main menu ....................................................................................................................... 11
3.2. Icons for layout controls ..................................................................................................... 12
3.3. Icons for configuration categories ......................................................................................... 12
3.4. The "Setup" category .......................................................................................................... 13
3.5. Editing an "Interface" object ................................................................................................ 14
3.6. Show hidden attributes ....................................................................................................... 14
3.7. Attribute definitions ........................................................................................................... 14
3.8. Navigation controls ............................................................................................................ 15
4.1. Setting up a new user ......................................................................................................... 20
4.2. Software upgrade available notification ................................................................................. 25
4.3. Manual Software upload ..................................................................................................... 26
B.1. Product label showing MAC address range ............................................................................ 83
xii
List of Tables
2.1. IP addresses for computer ..................................................................................................... 6
2.2. IP addresses to access the FireBrick ....................................................................................... 6
2.3. IP addresses to access the FireBrick ....................................................................................... 6
3.1. Special character sequences ................................................................................................. 17
4.1. User login levels ............................................................................................................... 21
4.2. Configuration access levels .................................................................................................. 21
4.3. General administrative details attributes ................................................................................. 23
4.4. Attributes controlling auto-upgrades ...................................................................................... 26
4.5. Power LED status indications .............................................................................................. 27
5.1. Logging attributes .............................................................................................................. 29
5.2. System-Event Logging attributes .......................................................................................... 32
7.1. Example route targets ......................................................................................................... 41
10.1. List of system services ...................................................................................................... 50
10.2. List of system services ...................................................................................................... 50
11.1. Packet dump parameters .................................................................................................... 56
11.2. Packet types that can be captured ........................................................................................ 57
13.1. Access-Accept ................................................................................................................. 68
13.2. Default tones ................................................................................................................... 70
14.1. Peer types ....................................................................................................................... 73
14.2. Communities ................................................................................................................... 75
14.3. Network attributes ............................................................................................................ 76
B.1. DHCP client names used .................................................................................................... 84
D.1. Access-request .................................................................................................................. 86
D.2. Access-Challenge .............................................................................................................. 87
D.3. Access-Accept .................................................................................................................. 87
D.4. Access-Accept .................................................................................................................. 87
D.5. Access-Reject ................................................................................................................... 88
D.6. Accounting-Start ............................................................................................................... 88
D.7. Accounting-Interim ............................................................................................................ 88
D.8. Accounting-Stop ............................................................................................................... 89
D.9. Disconnect ....................................................................................................................... 89
D.10. Change-of-Authorisation ................................................................................................... 90
E.1. iso.3.6.1.4.1.24693.1 .......................................................................................................... 91
E.2. iso.3.6.1.4.1.24693.179 ....................................................................................................... 91
E.3. iso.3.6.1.4.1.24693.5060 ..................................................................................................... 92
G.1. File types ......................................................................................................................... 99
G.2. Colours .......................................................................................................................... 100
G.3. Text .............................................................................................................................. 101
G.4. Text .............................................................................................................................. 101
G.5. URL formats .................................................................................................................. 102
I.1. config: Attributes .............................................................................................................. 107
I.2. config: Elements ............................................................................................................... 107
I.3. system: Attributes ............................................................................................................. 108
I.4. system: Elements .............................................................................................................. 108
I.5. link: Attributes ................................................................................................................. 109
I.6. user: Attributes ................................................................................................................. 109
I.7. eap: Attributes .................................................................................................................. 109
I.8. log: Attributes .................................................................................................................. 110
I.9. log: Elements ................................................................................................................... 110
I.10. log-syslog: Attributes ....................................................................................................... 110
I.11. log-email: Attributes ........................................................................................................ 111
I.12. services: Elements ........................................................................................................... 111
I.13. snmp-service: Attributes ................................................................................................... 112
I.14. ntp-service: Attributes ...................................................................................................... 112
xiii
FireBrick FB6502 User Manual
I.15. telnet-service: Attributes ................................................................................................... 113
I.16. http-service: Attributes ..................................................................................................... 114
I.17. dns-service: Attributes ..................................................................................................... 114
I.18. dns-service: Elements ...................................................................................................... 115
I.19. dns-host: Attributes ......................................................................................................... 115
I.20. dns-block: Attributes ....................................................................................................... 115
I.21. radius-service: Attributes .................................................................................................. 116
I.22. radius-service: Elements ................................................................................................... 117
I.23. radius-service-match: Attributes ......................................................................................... 117
I.24. radius-server: Attributes ................................................................................................... 118
I.25. ethernet: Attributes .......................................................................................................... 119
I.26. sampling: Attributes ........................................................................................................ 119
I.27. portdef: Attributes ........................................................................................................... 120
I.28. interface: Attributes ......................................................................................................... 120
I.29. interface: Elements .......................................................................................................... 121
I.30. subnet: Attributes ............................................................................................................ 121
I.31. vrrp: Attributes ............................................................................................................... 122
I.32. dhcps: Attributes ............................................................................................................. 123
I.33. dhcps: Elements .............................................................................................................. 123
I.34. dhcp-attr-hex: Attributes ................................................................................................... 124
I.35. dhcp-attr-string: Attributes ................................................................................................ 124
I.36. dhcp-attr-number: Attributes ............................................................................................. 124
I.37. dhcp-attr-ip: Attributes ..................................................................................................... 125
I.38. route: Attributes .............................................................................................................. 125
I.39. network: Attributes .......................................................................................................... 125
I.40. blackhole: Attributes ........................................................................................................ 126
I.41. loopback: Attributes ........................................................................................................ 126
I.42. namedbgpmap: Attributes ................................................................................................. 127
I.43. namedbgpmap: Elements .................................................................................................. 127
I.44. bgprule: Attributes .......................................................................................................... 127
I.45. bgp: Attributes ................................................................................................................ 128
I.46. bgp: Elements ................................................................................................................ 128
I.47. bgppeer: Attributes .......................................................................................................... 128
I.48. bgppeer: Elements ........................................................................................................... 130
I.49. bgpmap: Attributes .......................................................................................................... 130
I.50. bgpmap: Elements ........................................................................................................... 130
I.51. cqm: Attributes ............................................................................................................... 130
I.52. profile: Attributes ............................................................................................................ 132
I.53. profile: Elements ............................................................................................................. 133
I.54. profile-date: Attributes ..................................................................................................... 133
I.55. profile-time: Attributes ..................................................................................................... 134
I.56. profile-ping: Attributes ..................................................................................................... 134
I.57. ip-group: Attributes ......................................................................................................... 134
I.58. voip: Attributes ............................................................................................................... 135
I.59. voip: Elements ................................................................................................................ 136
I.60. carrier: Attributes ............................................................................................................ 136
I.61. telephone: Attributes ........................................................................................................ 138
I.62. tone: Attributes ............................................................................................................... 139
I.63. ringgroup: Attributes ....................................................................................................... 139
I.64. dhcp-relay: Attributes ...................................................................................................... 140
I.65. dhcp-relay: Elements ....................................................................................................... 140
I.66. autoloadtype: Type of s/w auto load ................................................................................... 140
I.67. config-access: Type of access user has to config ................................................................... 140
I.68. user-level: User login level ............................................................................................... 141
I.69. eap-subsystem: Subsystem with EAP access control .............................................................. 141
I.70. eap-method: EAP access method ....................................................................................... 141
xiv
FireBrick FB6502 User Manual
I.71. syslog-severity: Syslog severity ......................................................................................... 141
I.72. syslog-facility: Syslog facility ........................................................................................... 142
I.73. month: Month name (3 letter) ........................................................................................... 142
I.74. day: Day name (3 letter) .................................................................................................. 143
I.75. radiuspriority: Options for controlling platform RADIUS response priority tagging ..................... 143
I.76. radiustype: Type of RADIUS server ................................................................................... 143
I.77. port: Physical port ........................................................................................................... 144
I.78. Crossover: Crossover configuration .................................................................................... 144
I.79. LinkSpeed: Physical port speed ......................................................................................... 144
I.80. LinkDuplex: Physical port duplex setting ............................................................................ 144
I.81. LinkFlow: Physical port flow control setting ........................................................................ 144
I.82. LinkClock: Physical port Gigabit clock master/slave setting .................................................... 145
I.83. LinkLED-y: Yellow LED setting ....................................................................................... 145
I.84. LinkLED-g: Green LED setting ......................................................................................... 145
I.85. LinkPower: PHY power saving options ............................................................................... 145
I.86. LinkFault: Link fault type to send ...................................................................................... 146
I.87. sampling-protocol: Sampling protocol ................................................................................. 146
I.88. trunk-mode: Trunk port more ............................................................................................ 146
I.89. ramode: IPv6 route announce level .................................................................................... 146
I.90. dhcpv6control: Control for RA and DHCPv6 bits ................................................................. 146
I.91. bgpmode: BGP announcement mode .................................................................................. 147
I.92. sampling-mode: Sampling mode ........................................................................................ 147
I.93. sfoption: Source filter option ............................................................................................. 147
I.94. peertype: BGP peer type .................................................................................................. 147
I.95. switch: Profile manual setting ........................................................................................... 148
I.96. voip-format: Number presentation format ............................................................................ 148
I.97. uknumberformat: Number formatting option ........................................................................ 148
I.98. recordoption: Recording option ......................................................................................... 148
I.99. ring-group-order: Order of ring .......................................................................................... 149
I.100. ring-group-type: Type of ring when one call in queue .......................................................... 149
I.101. record-beep-option: Record beep option ............................................................................ 149
I.102. Basic data types ............................................................................................................ 149
xv
Preface
The FB6000 device is the result of several years of intensive effort to create products based on state of the
art processing platforms, featuring an entirely new operating system and IPv6-capable networking software,
written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts
the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain
exceptional levels of quality and reliability.
The result is a product that has the feature set, performance and reliability to handle mission-critical functions,
effortlessly handling huge volumes of traffic, supporting thousands of customer connections.
The software is constantly being improved and new features added, so please check that you are reading the
manual appropriate to the version of software you are using. This manual is for version V1.46.100.
xvi
Chapter 1. Introduction
1.1. The FB6000
1.1.1. Where do I start?
The FB6000 is shipped in a factory reset state. This means it has a default configuration that allows the unit
to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a
known IP address for further configuration.
Besides allowing initial web access to the unit, the factory reset configuration provides a starting point for you
to develop a bespoke configuration that meets your requirements.
A printed copy of the QuickStart Guide is included with your FB6000 and covers the basic set up required to
gain access to the web based user interface. If you have already followed the steps in the QuickStart guide, and
are able to access the FB6000 via a web browser, you can begin to work with the factory reset configuration
by referring to Chapter 3.
Initial set up is also covered in this manual, so if you have not already followed the QuickStart Guide, please
start at Chapter 2.
Tip
The FB6000's configuration can be restored to the state it was in when shipped from the factory. The
procedure requires physical access to the FB6000, and can be applied if you have made configuration
changes that have resulted in loss of access to the web user interface, or any other situation where it
is appropriate to start from scratch - for example, commissioning an existing unit for a different role,
or where you've forgotten an administrative user password. It is also possible to temporarily reset the
FB6000 to allow you to recover and edit a broken configuration (though you still need to know the
password you had). You can also go back one step in the config.
The remainder of this chapter provides an overview of the FB6000's capabilities, and covers your product
support options.
Tip
The latest version of the QuickStart guide for the FB6000 can be obtained from the FireBrick website
at : http://www.firebrick.co.uk/pdfs/quickstart-6000.pdf
1.1.2. What can it do?
The FB6000 series of products is a family of high speed ISP/telco grade routers and firewalls providing a range
of specific functions.
Key features of the FB6000 family:
• 1U 19" rack mount
• Very low power consumption (typical 20W) - all important with today's power charges in data centres
• Two small fans are the only moving parts for high reliability
• Dual 120/230V AC power feed
• IPv6 built in from the start
1
Introduction
• Gigabit performance
The FB600 series are provided in a number of variants. This manual is for the FB6502. This variant includes:
• Border Gateway Protocol, to allow routes to be announced and accepted from peering BGP routers.
• SIP VoIP caller server, providing core call routing and registration functions for a voice network operator.
1.1.2.1. FB6502 Gigabit core VoIP SIP switch for ISTP use
The FB6502 acts as a core voice network switch. It provides high capacity media forwarding and SIP/2.0 VoIP
protocol handling, including registration and call routing.
The design allows the FB6502 to perform the grunt of a large scale voice network leaving external devices
(e.g. linux boxes) to make decisions and log calls, interacting via RADIUS messages. The FB6502 can work
with pools of RADIUS servers for fallback and load management.
1.1.3. Ethernet port capabilities
The FB6000 has two Ethernet network ports that operate at 1Gb/s. The ports implement auto-negotiation by
default, but operation can be fine-tuned to suit specific circumstances. The function of these ports is very
flexible, and defined by the device's configuration. The ports implement one or more interfaces.
Multiple interfaces can be implemented on a single physical port via support for IEEE 802.1Q VLANs, ideal
for using the FB6000 with VLAN-capable network switches. In this case, a single physical connection can be
made between a VLAN-capable switch and the FB6000, and with the switch configured appropriately, this
physical connection will carry traffic to/from multiple VLANs, and the FB6000 can do Layer 3 processing
(routing/firewalling etc.) between nodes on two or more VLANs.
1.1.4. Product variants in the FB6000 series
• FB6102 High capacity ping monitoring box
• FB6202 Gigabit L2TP LNS with detailed monitoring of all lines
• FB6302 Gigabit BGP router
• FB6402 Gigabit stateful firewall
• FB6502 Gigabit core VoIP SIP switch for ISTP use
• FB6602 Mobile GTPv1 GGSN/L2TP gateway
• FB6702 Tunnel endpoint / gateway
1.2. About this Manual
1.2.1. Version
Every major FB6000 software release is accompanied by a release-specific version of this manual. This manual
documents software version V1.46.100 - please refer to Section 4.3 to find out more about software releases,
and to see how to identify which software version your FB6000 is currently running.
If your FB6000 is running a different version of system software, then please consult the version of this manual
that documents that specific version, as there may be significant differences between the software versions.
Also bear in mind that if you are not reading the latest version of the manual (and using the latest software
release), references in this manual to external resources, such as the FireBrick website, may be out of date.
2
Introduction
You can find the latest revision of a manual for a specific software version on the FB6000 software downloads
website [http://www.firebrick.co.uk/software.php?PRODUCT=6000]. This includes the revision history for all
software releases.
1.2.2. Intended audience
This manual is intended to guide FB6000 owners in configuring their units for their specific applications. We
try to make no significant assumption about the reader's knowledge of FireBrick products, but as might be
expected given the target market for the products, it is assumed the reader has a reasonable working knowledge
of common IP and Ethernet networking concepts. So, whether you've used FireBrick products for years, or
have purchased one for the very first time, and whether you're a novice or a network guru, this Manual sets out
to be an easy to read, definitive guide to FireBrick product configuration for all FireBrick customers.
1.2.3. Technical details
There are a number of useful technical details included in the apendices. These are intended to be a reference
guild for key features.
1.2.4. Document style
At FireBrick, we appreciate that different people learn in different ways - some like to dive in, hands-on,
working with examples and tweaking them until they work the way they want, referring to documentation
as required. Other people prefer to build their knowledge up from first principles, and gain a thorough
understanding of what they're working with. Most people we suspect fall somewhere between these two learning
styles.
This Manual aims to be highly usable regardless of your learning style - material is presented in an order that
starts with fundamental concepts, and builds to more complex operation of your FireBrick. At all stages we hope
to provide a well-written description of how to configure each aspect of the FireBrick, and - where necessary
- provide enough insight into the FireBrick's internal operation that you understand why the configuration
achieves what it does.
1.2.5. Document conventions
Various typefaces and presentation styles are used in this document as follows :-
• Text that would be typed as-is, for example a command, or an XML attribute name is shown in
monospaced_font
• Program (including XML) listings, or fragments of listings are shown thus :-
/* this is an example program listing*/
printf("Hello World!\n");
• Text as it would appear on-screen is shown thus :-
This is an example of some text that would
appear on screen.
Note that for documentation purposes additional
line-breaks may be present that would not be in the on-screen text
3
Introduction
• Notes of varying levels of significance are represented thus (colour schemes may differ depending on
signficance) :-
Note
This is an example note.
The significance is identified by the heading text and can be one of : Tip - general hints and tips, for example
to point out a useful feature related to the current discussion ; Note - a specific, but not critical, point relating
to the surrounding text ; Caution - a potentially critical point that you should pay attention to, failure to do
so may result in loss of data, security issues, loss of network connectivity etc.
1.2.6. Comments and feedback
If you'd like to make any comments on this Manual, point out errors, make suggestions for improvement or
provide any other feedback, we would be pleased to hear from you via e-mail at : docs@firebrick.co.uk.
1.3. Additional Resources
1.3.1. Technical Support
Technical support is available, in the first instance, via the reseller from which you purchased your FireBrick.
FireBrick provide extensive training and support to resellers and you will find them experts in FireBrick
products.
However, before contacting them, please ensure you have :-
• upgraded your FB6000 to the latest version of software (see Section 4.3) and
• are using the latest revision of the manual applicable to that software version and
• have attempted to answer your query using the material in this manual
Many FireBrick resellers also offer general IT support, including installation, configuration, maintenance, and
training. You may be able to get your reseller to develop FB6000 configurations for you - although this will
typically be chargeable, you may well find this cost-effective, especially if you are new to FireBrick products.
If you are not satisfied with the support you are getting from your reseller, please contact us [http://
www.firebrick.co.uk/contact.php].
1.3.2. IRC Channel
A public IRC channel is available for FireBrick discussion - the IRC server is irc.z.je, and the channel
is #firebrick.
1.3.3. Application Notes
FireBrick are building a library of Application Note documents that you can refer to - each Application Note
describes how to use and configure a FireBrick in specific scenarios, such as using the device in a multi-tenant
Serviced Office environment, or using the FireBrick to bond multiple WAN connections together.
1.3.4. White Papers
FireBrick White Papers cover topics that deserve specific discussion - they are not related to specific
Applications, rather they aim to educate interested readers regarding networking protocols, common/best
practice, and real-world issues encountered.
4
Introduction
1.3.5. Training Courses
FireBrick provide training courses for the FB2x00 series products, and also training course on general IP
networking that are useful if you are new to networking with IP.
To obtain information about upcoming courses, please contact us via e-mail at :
training@firebrick.co.uk.
5
Chapter 2. Getting Started
2.1. IP addressing
You can configure your FireBrick using a web browser - to do this, you need IP connectivity between your
computer and the FireBrick. For a new FB6000 or one that has been factory reset, there are three methods
to set this up, as described below - select the method that you prefer, or that best suits your current network
architecture.
• Method 1 - use the FireBrick's DHCP server to configure a computer.
If your computer is already configured (as many are) to get an IP address automatically, you can connect
your computer to port 1 on the FireBrick, and the FireBrick's inbuilt DHCP server should give it an IPv4
and IPv6 address.
• Method 2 - configure a computer with a fixed IP address.
Alternatively, you can connect a computer to port 1 on the FireBrick, and manually configure your computer
to have the fixed IP address(es) shown below :-
Table 2.1. IP addresses for computer
IPv6 IPv4
2001:DB8::2/64 10.0.0.2 ; subnet mask : 255.255.255.0
• Method 3 - use an existing DHCP server to configure the FireBrick.
If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it
will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not
interfere with your existing network. You would need to check your DHCP server to find what address has
been assigend to the FB6000.
2.2. Accessing the web-based user interface
If you used Method 1, you should browse to the FireBrick's web interface as follows, or you can use the IP
addresses detailed:-
Table 2.2. IP addresses to access the FireBrick
URL
http://my.firebrick.co.uk/
If you used Method 2, you should browse to the FireBrick's IP address as listed below:-
Table 2.3. IP addresses to access the FireBrick
IPv6 IPv4
http://[2001:DB8::1] http://10.0.0.1
If you used Method 3, you will need to be able to access a list of allocations made by the DHCP server in
order to identify which IP address has been allocated to the FB6000, and then browse this address from your
computer. If your DHCP server shows the client name that was supplied in the DHCP request, then you will
see FB6000 in the client name field (assuming a factory reset configuration) - if you only have one FB6000 in
factory reset state on your network, then it will be immediately obvious via this client name. Otherwise, you
will need to locate the allocation by cross-referring with the MAC address range used by the FB6000 you are
6
Getting Started
interested in - if necessary, refer to Appendix B to see how to determine which MAC address you are looking
for in the list of allocations.
Once you are connected to the FB6000, you should see a page with "Configuration needed" prominently
displayed, as shown below :-
Figure 2.1. Initial web page in factory reset state
Click on the "edit the configuration" link (red text), which will take you to the main user interface page for
managing the configuration.
2.2.1. Add a new user
You now need to add a new user with a password in order to gain full access to the FireBrick's user interface.
Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with
the "Add" link highlighted:-
Figure 2.2. Initial "Users" page
Enter a suitable username in the "Name" box, and enter a password (passwords are mandatory), as shown below.
Leave all other checkboxes un-ticked, but see the Tip below regarding the timeout setting.
Note
Take care to enter the password carefully, as the FB6000 does not prompt you for confirmation of
the password.
7
Figure 2.3. Setting up a new user
Getting Started
Tip
You may also want to increase the login-session idle time-out from the default of 5 minutes, especially
if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and
enter an appropriate value as minutes, colon, and seconds, e.g. 15:00 for 15 minutes.
Click on the Save button near the top of the screen which will save a new configuration that includes your
new user definition.
You should now see a page showing the progress of storing the new configuration in Flash memory :-
Figure 2.4. Configuration being stored
On this page there is a "Login" link (in red text)- click on this link and then log in using the username and
password you chose.
We recommend you read Chapter 3 to understand the design of the FB6000's user interface, and then start
working with your FB6000's factory reset configuration. Once you are familiar with how the user interface is
structured, you can find more detail on setting up users in Section 4.1.
8
Chapter 3. Configuration
3.1. The Object Hierarchy
The FB6000 has, at its core, a configuration based on a hierarchy of objects, with each object having one or
more attributes. An object has a type, which determines its role in the operation of the FB6000. The values
of the attributes determine how that object affects operation. Attributes also have a type (or datatype), which
defines the type of data that attribute specifies. This in turn defines what the valid syntax is for a value of that
datatype - for example some are numeric, some are free-form strings, others are strings with a specific format,
such as a dotted-quad IP address. Some examples of attribute values are :-
• IP addresses, and subnet definitions in CIDR format e.g. 192.168.10.0/24
• free-form descriptive text strings, e.g. a name for a firewall rule
• Layer 4 protocol port numbers e.g. TCP ports
• data rates used to control traffic shaping
• enumerated values used to control a feature e.g. defining Ethernet port LED functions
The object hierarchy can be likened to a family-tree, with relationships between objects referred to using terms
such as Parent, Child, Sibling, Ancestor and Descendant. This tree-like structure is used to :-
• group a set of related objects, such as a set of firewall rules - the parent object acts as a container for a group
of (child) objects, and may also contribute to defining the detailed behaviour of the group
• define a context for an object - for example, an object used to define a locally-attached subnet is a child of
an object that defines an interface, and as such defines that the subnet is accessible on that specific interface.
Since multiple interfaces can exist, other interface objects establish different contexts for subnet objects.
Additional inter-object associations are established via attribute values that reference other objects, typically
by name, e.g. a firewall rule can specify one of several destinations for log information to be sent when the
rule is processed.
3.2. The Object Model
The term 'object model' is used here to collectively refer to :-
• the constraints that define a valid object hiearchy - i.e. which object(s) are valid child objects for a given
parent object, how many siblings of the same type can exist etc.
• for each object type, the allowable set of attributes, whether the attributes are mandatory or optional, their
datatypes, and permissible values of those attributes
The bulk of this User Manual therefore serves to document the object model and how it controls operation of
the FB6000.
Tip
This version of the User Manual may not yet be complete in its coverage of the full object model.
Some more obscure attributes may not be covered at all - some of these may be attributes that are
not used under any normal circumstances, and used only under guidance by support personnel. If you
encounter attribute(s) that are not documented in this manual, please refer in the first instance to the
documentation described in Section 3.2.1 below. If that information doesn't help you, and you think
the attribute(s) may be relevant to implementing your requirements, please consult the usual support
channel(s) for advice.
9
Configuration
3.2.1. Formal definition of the object model
The object model has a formal definition in the form of an XML Schema Document (XSD) file, which is
itself an XML file, normally intended for machine-processing. A more readable version of this information is
available in Appendix I.
Note, however, that this is reference material, containing only brief descriptions, and intended for users who
are familiar with the product, and in particular, for users configuring their units primarily via XML.
The XSD file is also available on the software downloads website by following the "XSD" link that is present
against each software release.
3.2.2. Common attributes
Most objects have a comment attribute which is free-form text that can be used for any purpose. Similarly,
most objects have a source attribute that is intended for use by automated configuration management tools.
Neither of these attributes have a direct effect on the operation of the FB6000.
Many objects have a name attribute which is non optional and often needs to be unique within the list of object.
This allows the named object to be referenced from other attributes. The data type for these is typically an
NMTOKEN which is a variant of a string type that does not allow spaces. If you include spaces then they are
removed automatically. This helps avoid any problems referencing names in other places especially where the
reference may be a space separated list.
Many objects have a graph attribute. This allows a graph name to be specified. However, the actual graph
name will be normalised to avoide spaces and limit the number of characters. Try to keep graph names as basic
characters (letters, numbers) to avoid confusion.
3.3. Configuration Methods
The configuration objects are created and manipulated by the user via one of two configuration methods :
• web-based graphical User Interface accessed using a supported web-browser
• an XML (eXtensible Markup Language) file representing the entire object hierarchy, editable via the web
interface or can be uploaded to the FB6000
The two methods operate on the same underlying object model, and so it is possible to readily move between
the two methods - changes made via the User Interface will be visible as changes to the XML, and vice-versa.
Users may choose to start out using the User Interface, and - as experience with the object model and the XML
language develops - increasingly make changes in the XML environment. For information on using XML to
configure the FB6000, please refer to Section 3.5.
3.4. Web User Interface Overview
This section provides an overview of how to use the web-based User Interface. We recommend that you
read this section if you are unfamiliar with the FB6000, so that you feel comfortable with the design of the
User Interface. Later chapters cover specific functionality topics, describing which objects are relevant, any
underlying operational principles that are useful to understand, and what effect the attributes (and their values)
have.
The web-based User Interface provides a method to create the objects that control operation of the FB6000.
Internally, the User Interface uses a formal definition of the object model to determine where (in the hierarchy)
objects may be created, and what attributes may exist on each object, so you can expect the User Interface to
always generate valid XML.
1
If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this
may be a bug - please check this via the appropriate support channel(s).
1
10
Configuration
Additionally, the web User Interface provides access to the following items :-
• status information, such as DHCP server allocations, FB105 tunnel information and system logs
• network diagnostic tools, such as Ping and Traceroute ; there are also tools to test how the FB6000 will
process particular traffic, allowing you to verify your firewalling is as intended
• traffic graphs
By default, access to the web user interface is available to all users, from any IP address. If you don't require
such open access, you may wish to restrict access using the settings described in Section 10.3.
3.4.1. User Interface layout
The User Interface has the following general layout :-
• a 'banner' area at the top of the page, containing the FireBrick logo, model number and system name
• a main-menu, with sub-menus that access various parts of the user interface ; the main-menu can be shown
vertically or horizontally - sub-menu appearance depends on this display style : if the main-menu is vertical,
sub-menus are shown by 'expanding' the menu vertically ; if the main-menu is horizontal, sub-menus are
shown as pull-down menus
• a 'footer' area at the bottom of the page, containing layout-control icons and showing the current software
version
• the remaining page area contains the content for the selected part of the user-interface
Figure 3.1 shows the main menu when it is set to display horizontally. Note that the main-menu items themselves
have a specific function when clicked - clicking such items displays a general page related to that item - for
example, clicking on Status shows some overall status information, whereas sub-menu items under Status
display specific categories of status information.
Figure 3.1. Main menu
The user interface pages used to change the device configuration are referred to as the 'config pages' in this
manual - these pages are accessed by clicking on the "Edit" item in the sub-menu under the "Config" mainmenu item.
Note
The config pages utilise JavaScript for their main functionality ; you must therefore have JavaScript
enabled in your web browser in order to configure your FB6000 using the web interface.
3.4.1.1. Customising the layout
The following aspects of the user interface layout can be customised :-
• The banner area can be reduced in height, or removed all together
• The main menu strip can be positioned vertically at the left or right-hand sides, or horizontally at the top
(under the banner, if present)
Additionally, you can choose to use the default fonts that are defined in your browser setup, or use the fonts
specified by the user interface.
11
Configuration
These customisations are controlled using three icons on the left-hand side of the page footer, as shown in
Figure 3.2 below :-
Figure 3.2. Icons for layout controls
The first icon, an up/down arrow, controls the banner size/visibility and cycles through three settings : full size
banner, reduced height banner, no banner. The next icon, a left/right arrow, controls the menu strip position
and cycles through three settings : menu on the left, menu on the right, menu at the top. The last icon, the letter
'A', toggles between using browser-specified or user-interface-specified fonts.
Layout settings are stored in a cookie - since cookies are stored on your computer, and are associated with
the DNS name or IP address used to browse to the FB6000, this means that settings that apply to a particular
FB6000 will automatically be recalled next time you use the same computer/browser to connect to that FB6000.
It is also possible to configure an external CSS to use with the FireBrick web control pages which allows a great
deal of control over the overall layout and appearance. This can be usful for dealers or IT support companies
to set up FireBricks in a style and branding of their choice.
3.4.2. Config pages and the object hierarchy
The structure of the config pages mirrors the object hierachy, and therefore they are themselves naturally
hierachical. Your postition in the hierachy is illustrated in the 'breadcrumbs' trail at the top of the page, for
example :-
Firewall/mapping rules :: rule-set 1 of 3 (filters) :: rule 7 of 19 (ICMP)
This shows that the current page is showing a rule, which exists within a rule-set, which in turn is in the
"Firewall/mapping rules" category (see below).
3.4.2.1. Configuration categories
Configuration objects are grouped into a number of categories. At the top of the config pages is a set of icons,
one for each category, as shown in Figure 3.3 :-
Figure 3.3. Icons for configuration categories
Within each category, there are one or more sections delimited by horizontal lines. Each of these sections has a
heading, and corresponds to a particular type of top-level object, and relates to a major part of the configuration
that comes under the selected category. See Figure 3.4 for an example showing part of the "Setup" category,
which includes general system settings (the system object) and control of system services (network services
provided by the FB6000, such as the web-interface web server, telnet server etc., controlled by the services
object).
12
Configuration
Figure 3.4. The "Setup" category
Each section is displayed as a tabulated list showing any existing objects of the associated type. Each row of
the table corresponds with one object, and a subset (typically those of most interest at a glance) of the object's
attributes are shown in the columns - the column heading shows the attribute name. If no objects of that type
exist, there will be a single row with an "Add" link. Where the order of the objects matter, there will be an 'Add'
link against each object - clicking an 'Add' link for a particular object will insert a new object before it. To add
a new object after the last existing one, click on the 'Add' link on the bottom (or only) row of the table.
Tip
If there is no 'Add' link present, then this means there can only exist a limited number of objects of
that type (possibly only one), and this many already exist. The existing object(s) may have originated
from the factory reset configuration.
You can 'push-down' into the hierarchy by clicking the 'Edit' link in a table row. This takes you to a page
to edit that specific object. The page also shows any child objects of the object being edited, using the same
horizontal-line delimited section style used in the top-level categories. You can navigate back up the hierarchy
using various methods - see Section 3.4.3.
Caution
Clicking the "Add" link will create a new sub-object which will have blank/default settings. This can
be useful to see what attributes an object can take, but if you do not want this blank object to be part
of the configuration you later save you will need to click Erase. Simply going back "Up" or moving to
another part of the config will leave this newly created empty object and that could have undesirable
effects on the operation of your FireBrick if saved.
3.4.2.2. Object settings
The details of an object are displayed as a matrix of boxes (giving the appearance of a wall of bricks), one
for each attribute associated with that object type. Figure 3.5 shows an example for an interface object
(covered in Chapter 6) :-
13
Configuration
Figure 3.5. Editing an "Interface" object
By default, more advanced or less frequently used attributes are hidden - if this applies to the object being
edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the
link "Show all".
Figure 3.6. Show hidden attributes
Each brick in the wall contains the following :-
• a checkbox - if the checkbox is checked, an appropriate value entry widget is displayed, otherwise, a default
value is shown and applied for that setting. If the attribute is not optional then no checkbox is show.
• the attribute name - this is a compact string that exactly matches the underlying XML attribute name
• a short description of the attribute
Tip
If there is no default shown for an attribute then its value, if needed, is zero, blank, null, empty string,
false (internally it is zero bits!). In some cases the presence of an attribute will have meaning even
if that attribute is an empty string or zero value. In some cases the default for an attribute will not
be a fixed value but will depend on other factors, e.g. it may be "auto", or "set if using xyz...". The
description of the default value should make this clear. Where an optional attribute is not ticked the
attribute does not appear in the XML at all.
These can be seen in Figure 3.7 :-
Figure 3.7. Attribute definitions
14
Configuration
If the attribute value is shown in a 'strike-through' font (with a horizontal line through it mid-way vertically),
this illustrates that the attribute can't be set - this will happen where the attribute value would reference an
instance of particular type of object, but there are not currently any instances of objects of that type defined.
Tip
Since the attribute name is a compact, concise and un-ambiguous way of referring to an attribute, please
quote attribute names when requesting technical support, and expect technical support staff to discuss
your configuration primarily in terms of attribute (and object/element) names, rather than descriptive
text, or physical location on your screen (both of which can vary between software releases).
3.4.3. Navigating around the User Interface
You navigate around the hierarchy using one or more of the following :-
• configuration category icons
• the breadcrumbs - each part of the breadcrumbs (delimited by the :: symbol) is a clickable link
• the in-page navigation buttons, shown in Figure 3.8 : "Up" - move one level up in the object hierachy, "Prev"
- Previous object in a list, and "Next" - Next object in a list.
Figure 3.8. Navigation controls
Caution
The configuration pages are generated on-the-fly using JavaScript within your web browser
environment (i.e. client-side scripting). As such, the browser is essentially unaware of changes to
page content, and cannot track these changes - this means the browser's navigation buttons (Back,
Forward), will not correctly navigate through a series of configuration pages.
Please take care not to use the browser's Back button whilst working through configuration pages navigation between such pages must be done via the buttons provided on the page - "Prev", "Next"
and "Up".
Navigating away from an object using the supported navigation controls doesn't cause any modifications to
that object to be lost, even if the configuration has not yet been saved back to the FB6000. All changes are
initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you
press the Save button.
The navigation button area, shown in Figure 3.8, also includes three other buttons :-
• New : creates a new instance of the object type being edited - the new object is inserted after the current one ;
this is equivalent to using the "Add" link one level up in the hierarchy
• Erase : deletes the object being edited - note that the object will not actually be erased until the configuration
is saved
• Help : browses to the online reference material (as desribed in Section 3.2.1) for the object type being edited
15
Configuration
Caution
If you Add a new object, but don't fill in any parameter values, the object will remain in existence
should you navigate away. You should be careful that you don't inadvertently add incompletely setup
objects this way, as they may affect operation of the FireBrick, possibly with a detrimental effect.
If you have added an object, perhaps for the purposes of looking at what attributes can be set on it,
remember to delete the object before you navigate away -- the "Erase" button (see Figure 3.8) is used
to delete the object you are viewing.
3.4.4. Backing up / restoring the configuration
To back up / save or restore the configuration, start by clicking on the "Config" main-menu item. This will
show a page with a form to upload a configuration file (in XML) to the FB6000 - also on the page is a link
"Download/save config" that will download the current configuration in XML format.
3.5. Configuration using XML
3.5.1. Introduction to XML
An XML file is a text file (i.e. contains human-readable characters only) with formally defined structure and
content. An XML file starts with the line :-
<?xml version="1.0" encoding="UTF-8"?>
This defines the version of XML that the file complies with and the character encoding in use. The UTF-8
character coding is used everywhere by the FireBrick.
The XML file contains one or more elements, which may be nested into a hiearchy.
Note
In XML, the configuration objects are represented by elements, so the terms object and element are
used interchangeably in this manual.
Each element consists of some optional content, bounded by two tags - a start tag AND an end tag.
A start tag consists of the following sequence of characters:-
• a < character
• the element name
• optionally, a number of attributes
• a > character
An end tag consists of the following sequence of characters:-
• a < character
• a / character
• the element name
• a > character
16
Configuration
If an element needs no content, it can be represented with a more compact self closing tag. A self closing tag
is the same as a start tag but ends with /> and then has no content or end tag.
Since the <, > and " characters have special meaning, there are special ('escape') character sequences starting
with the ampersand character that are used to represent these characters. They are :-
Table 3.1. Special character sequences
Sequence Character represented
< <
> >
" "
& &
Note that since the ampersand character has special meaning, it too has an escape character sequence.
Attributes are written in the form : name="value" or name='value'. Multiple attributes are separated
by white-space (spaces and line breaks).
Generally, the content of an element can be other child elements or text. However, the FB6000 doesn't use text
content in elements - all configuration data is specified via attributes. Therefore you will see that elements only
contain one or more child elements, or no content at all. Whilst there is generally not any text between the tags,
white space is normally used to make the layout clear.
3.5.2. The root element - <config>
At the top level, an XML file normally only has one element (the root element), which contains the entire
element hierarchy. In the FB6000 the root element is <config>, and it contains 'top-level' configuration
elements that cover major areas of the configuration, such as overall system settings, interface definitions,
firewall rule sets etc.
In addition to this User Manual, there is reference material is available that documents the XML elements refer to Section 3.2.1.
3.5.3. Viewing or editing XML
The XML representation of the configuration can be viewed and edited (in text form) via the web interface
by clicking on "XML View" and "XML Edit" respectively under the main-menu "Config" item. Viewing the
configuration is, as you might expect, 'read-only', and so is 'safe' in as much as you can't accidentally change
the configuration.
3.5.4. Example XML configuration
An example of a simple, but complete XML configuration is shown below, with annotations pointing out the
main elements
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ ...
timestamp="2011-10-14T12:24:07Z"
patch="8882">
17
Configuration
<system name="gateway"
contact="Peter Smith"
location="The Basement"
log-panic="fb-support">
</system>
<user name="peter"
full-name="Peter Smith"
password="FB105#4D42454D26F8BF5480F07DFA1E41AE47410154F6"
timeout="PT3H20M"
config="full"
level="DEBUG"/>
<log name="default"/>
<log name="fb-support">
<email to="crashlog@firebrick.ltd.uk"
comment="Crash logs emailed to FireBrick Support"/>
</log>
<services>
<ntp timeserver="pool.ntp.org"/>
<telnet log="default"/>
<http />
<dns domain="watchfront.co.uk"
resolvers="81.187.42.42 81.187.96.96"/>
</services>
<port name="WAN"
ports="1"/>
<port name="LAN"
ports="2"/>
<interface name="WAN"
port="WAN">
<subnet name="ADSL"
ip="81.187.106.73/30"/>
</interface>
<interface name="LAN"
port="LAN">
<subnet name="LAN"
ip="81.187.96.94/28"/>
<dhcp name="LAN"
ip="81.187.96.88-92"
log="default"/>
</interface>
</config>
sets some general system parameters (see Section 4.2)
defines a single user with the highest level of access (DEBUG) (see Section 4.1)
defines a log target (see Chapter 5)
configures key system services (see Chapter 10)
defines physical-port group (see Section 6.1)
18
Configuration
defines an interface, with one subnet and a DHCP allocation pool (see Chapter 6)
3.6. Downloading/Uploading the configuration
The XML file may be retrieved from the FireBrick, or uploaded to the FireBrick using HTTP transfers done
via tools such as curl. Using these methods, configuration of the FB6000 can be integrated with existing
administrative systems.
Note
Linebreaks are shown in the examples below for clarity only - they must not be entered on the
command-line
3.6.1. Download
To download the configuration from the FB6000 you need to perform an HTTP GET of the following URL :-
http://<FB6000 IP address or DNS name>/config/config
An example of doing this using curl, run on a Linux box is shown below :-
curl http://<FB6000 IP address or DNS name>/config/config
--user "username:password" --output "filename"
Replace username and password with appropriate credentials.
The XML configuration file will be stored in the file specified by filename - you can choose any file extension
you wish (or none at all), but we suggest that you use .xml for consistency with the file extension used when
saving a configuration via the User Interface (see Section 3.4.4).
3.6.2. Upload
To upload the configuration to the FB6000 you need to send the configuration XML file as if posted by a web
form, using encoding MIME type multi-part/form-data.
An example of doing this using curl, run on a Linux box is shown below :-
curl http://<FB6000 IP address or DNS name>/config/config
--user "username:password" --form config="@filename"
Note
You can also include --form override=true to force the config to be loaded even if it has
minor (recoverable) errors, e.g. if it is config for older version of FireBrick.
19
Chapter 4. System Administration
4.1. User Management
You will have created your first user as part of the initial setup of your FB6000, as detailed in either the
QuickStart Guide or in Chapter 2 in this manual.
To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under
the "Config" main-menu item, then click on the "Users" category icon. Click on the "Edit" link adjacent to the
user you wish to edit, or click on the "Add" link to add a user.
To delete a user, click the appropriate "Edit" link, then click the "Erase" button in the navigation controls - see
Figure 3.8. As with any such object erase operation, the object will not actually be erased until the configuration
is saved.
Once you have added a new user, or are editing an existing user, the object editing page will appear, as shown
in Figure 4.1 :-
Figure 4.1. Setting up a new user
The minimum attributes that must be specified are name, which is the username that you type in when logging
in, and password - passwords are mandatory on the FB6000.
You can optionally provide a full name for the specified username, and a general comment field value.
4.1.1. Login level
A user's login level is set with the level attribute, and determines what CLI commands the user can run. The
default, if the level attribute is not specified, is ADMIN - you may wish to downgrade the level for users who
are not classed as 'system administrators'.
20
System Administration
Table 4.1. User login levels
Level Description
NOBODY No access to any menu items, but can access control
switches for which the user has access.
GUEST Guest user, access to some menu items
USER Normal unprivileged user
ADMIN System administrator
DEBUG System debugging user
Tip
In general you only want to use NOBODY, ADMIN or DEBUG levels.
4.1.2. Configuration access level
The configuration access level determines whether a user has read-only or read-write access to the
configuration, as shown in Table 4.2 below. This mechanism can also be used to deny all access to the
configuration using the none level, but still allowing access to other menus and diagnostics.
This setting is distinct from, and not connected with, the login level described above. You can use the access
level to define, for example, whether a USER login-level user can modify the configuration. Typically an
ADMIN (or DEBUG) login-level user would always be granted full access, so for ADMIN or DEBUG level
user's, the default of full is suitable.
Table 4.2. Configuration access levels
Level Description
none No access unless explicitly listed
view View only access (no passwords or hashes)
read Read only access (with passwords and hashes)
full Full view and edit access - DEFAULT
4.1.3. Login idle timeout
To improve security, login sessions to either the web user interface, or to the command-line interface (via telnet,
see Chapter 15), will time-out after a period of inactivity. This idle time-out defaults to 5 minutes, and can be
changed by setting the timeout attribute value.
The time-out value is specified using the syntax for the XML fb:duration data type. The syntax is hours, minutes
and seconds, or minutes and seconds or just seconds. E.g. 5:00.
To set a user's time-out in the user interface, tick the checkbox next to timeout, and enter a value in the
format described above.
Setting a timeout to 0 means unlimited and shoudl obviously be used with care.
4.1.4. Restricting user logins
4.1.4.1. Restrict by IP address
You can restrict logins by a given user to be allowed only from specific IP addresses, using the allow attribute.
This restriction is per-user, and is distinct from, and applies in addition to, any restrictions specified on either the
web or telnet (for command line interface access) services (see Section 10.3 and Section 10.4), or any firewall
rules that affect web or telnet access to the FB6000 itself.
21
System Administration
4.1.4.2. Logged in IP address
The FireBrick allows a general definition of IP groups which allow a name to be used in place of a range of
IP addresses. This is a very general mechanism that can be used for single IP addresses or groups of ranges
IPs, e.g. admin-machines may be a list or range of the IP addresses from which you want to allow some access.
The feature can also be useful even where only one IP is in the group just to give the IP a meaningful name
in an access list.
These named IP groups can be used in the allow list for a user login, along with specific IP addresses or ranges
if needed.
However, IP groups can also list one or more user names and implicitely include the current IP address from
which those users are logged in to the web interface. This can be useful for firewall rules where you may have
to log in to the FireBrick, even as a NOBODY level user, just to get your IP address in an access list to allow
further access to a network from that IP.
4.1.4.3. Restrict by profile
By specifying a profile name using the profile attribute, you can allow logins by the user only when the
profile is in the Active state (see Chapter 8). You can use this to, for example, restrict logins to be allowed
only during certain times of the day, or you can effectively suspend a user account by specifying an alwaysInactive profile.
4.1.5. Password change
Normally, all config data is updated via the config edit process, and this allows a new password to be set for
any user.
However, there is also a menu to allow a logged in user to change their own password. This does not require
the user to have any config access permission. Simply enter the old password, and the new password twice
and the password is updated.
If you have OTP set up on a user, then you cannot change the password simply using the configuration editor
(unless also setting a new OTP from scratch or removing the OTP). In such cases the password should be set
using the password change web page. This is also good practice is it avoids the administrator knowing people's
passwords.
4.1.6. One Time Password (OTP)
A login to the FireBrick normally requires only a username and password. However you can configue an
additional security measure using a One Time Password (OTP) device. These are available as key fobs that
show a code, but are more commonly done by use of a mobile phone application.
In order for the device to work you need a key which is known to the FireBrick and the device. However, this
is very simple to set up. A user can access the Password / OTP menu where a random key is allocated and
displayed within a QR 2D bar code. Most authenticator applications simply scan the QR code and start showing
the 6 digit number on the display (which changes every 30 seconds). You then enter your password and a code
from your device and you are set up.
It is possible for anyone with configuration access to edit your user settings and remove the OTP settings if you
wish. This can be useful if you lose or break the phone, for example. You may want to keep a local configuration
user as a backup as well, as OTP cannot be used if the clock is not set for any reason.
When you login, after you submit your username and password you are asked for a code from the authenticator
to complete the login process.
It is also possible to enter the password as the authenticator code followed by the configured password. This is
useful if using http authentication to access a web page where there is no separate option for the authentictor
input to be provided.
22
System Administration
If OTP is configured you can leave the pasword blank (which is not normally allowed) and hence use the
authenticator code as the entire password, though this is not recommended for secuiry reasons as it also means
the TOTP seed is recoverable from the config..
Note
Technical details to allow you to create configs with password and OTP seed hashes are described
in Appendix H.
4.2. General System settings
The system top-level object can specify attributes that control general, global system settings. The available
attributes are described in the following sections, and can be configured in the User Interface by choosing the
"Setup" category, then clicking the "Edit" link under the heading "System settings".
The software auto upgrade process is controlled by system objects attributes - these are described in
Section 4.3.3.2.
4.2.1. System name (hostname)
The system name, also called the hostname, is used in various aspects of the FB6000's functions, and so we
recommend you set the hostname to something appropriate for your network.
The hostname is set using the name attribute.
4.2.2. Administrative details
The attributes shown in Table 4.3 allow you to specify general administrative details about the unit :-
Table 4.3. General administrative details attributes
Attribute Purpose
comment General comment field
contact Contact name
intro Text that appears on the 'home' page - the home page
is the first page you see after logging in to the FB6000.
This text is also displayed immediately after you login
to a command-line session.
location Physical location description
4.2.3. System-level event logging control
The log and log-... attributes control logging of events related to the operation of the system itself. For
details on event logging, please refer to Chapter 5, and for details on the logging control attributes on system
object, please refer to Section 5.7.
4.2.4. Home page web links
The home page is the first page you see after logging in to the FB6000, or when you click the Home mainmenu item. The home page displays the system name, and, if defined, the text specified by the intro attribute
on the system object.
Additionally, you can define one or more web links to appear on the home page. These are defined using link
objects, which are child objects of the system object.
23
System Administration
To make a usable link, you must specify the following two attributes on the link object :-
• text : the text displayed as a hyperlink
• url : link destination URL
Additionally, you can name a link, specify a comment, and make the presence of the link on the home page
conditional on a profile.
4.3. Software Upgrades
FB6000 users benefit from FireBrick's pro-active software development process, which delivers fast fixes of
important bugs, and implementation of many customer enhancement requests and suggestions for improvement.
As a matter of policy, FireBrick software upgrades are always free to download for all FireBrick customers.
To complement the responsive UK-based development process, the FB6000 is capable of downloading and
installing new software directly from Firebrick's servers, providing the unit has Internet access.
This Internet-based upgrade process can be initiated manually (refer to Section 4.3.3.1), or the FB6000 can
download and install new software automatically, without user intervention.
If the unit you want to upgrade does not have Internet access, then new software can be uploaded to the unit
via a web browser instead - see Section 4.3.4.
Caution
Software upgrades are best done using the Internet-based upgrade process if possible - this ensures
the changes introduced by Breakpoint releases are automatically accounted for (see Section 4.3.1.1)
Software upgrades will trigger an automatic reboot of your FB6000 - this will cause an outage in routing,
and can cause connections that are using NAT to drop. However, the FB6000 reboots very quickly, and in
many cases, users will be generally unaware of the event. You can also use a profile to restrict when software
upgrades may occur - for example, you could ensure they are always done over night. The reboot will close all
BGP sessions first. For this reason, on the FB6000 factory reset config does not have automatic s/w upgrades
enabled. The reboot will wait for all VoIP calls to complete before rebooting.
4.3.1. Software release types
There are three types of software release : factory, beta and alpha. For full details on the differences
between these software releases, refer to the FB6000 software downloads website [http://www.firebrick.co.uk/
software.php?PRODUCT=6000] - please follow the 'read the instructions' link that you will find just above
the list of software versions.
Note
In order to be able to run alpha releases, your FB6000 must be enabled to run alpha software - this
is done by changing the entry in the FireBrick capabilities database (hosted on FireBrick company
servers) for your specific FB6000, as identified by the unit's Serial Number. Normally your FB6000
will be running factory or possibly beta software, with alpha software only used under advice and
guidance of support personnel while investigating/fixing possible bugs or performance issues. You
can see whether your FB6000 is able to run alpha releases by viewing the main Status page (click the
Status main menu-item), and look for the row labelled "Allowed" - if the text shows "Alpha builds
(for testing)" then your FB6000 can run alpha releases.
4.3.1.1. Breakpoint releases
Occasionally, a software release will introduce a change to the object model that means the way specific
functionality is configured in XML also changes - for example an attribute may have been deprecated, and
24
System Administration
a replacement attribute should be used instead. A release where such an change has been made, and existing
configurations will need modifying, are termed Breakpoint software releases.
Breakpoint releases are special as they are able to automatically update an existing configuration - used with
the previous software release - so that it is compatible with the new release, and functionality is retained whereever possible.
When using the Internet-based upgrade process, the FB6000 will always upgrade to the next available
breakpoint version first, so that the configuration is updated appropriately. If your current software version is
several breakpoint releases behind the latest version, the upgrade process will be repeated for each breakpoint
release, and then to the latest version if that is later than the latest breakpoint release.
On the FB6000 software downloads website, breakpoint releases are labelled [Breakpoint] immediately
under the version number.
Note
If you have saved copies of configurations for back-up purposes, always re-save a copy after upgrading
to a breakpoint issue. If you use automated methods to configure your FB6000, check documentation
to see whether those methods need updating.
4.3.2. Identifying current software version
The current software version is displayed on the main Status page, shown when you click the Status main
menu-item itself (i.e. not a submenu item). The main software application version is shown next to the word
"Software", e.g. :-
Software FB2901 TEST Ximenes+ (V1.45.069 2017-09-27T08:14:40))
The software version is also displayed in the right hand side of the 'footer' area of each web page, and is shown
immediately after you login to a command-line session.
4.3.3. Internet-based upgrade process
If automatic installs are allowed, the FB6000 will check for new software on boot up and approximately every
24 hours thereafter - your FB6000 should therefore pick up new software at most ~ 24 hours after it is released.
You can choose to allow this process to install only new factory-releases, factory or beta releases, or any release,
which then includes alpha releases (if your FB6000 is enabled for alpha software - see Section 4.3.1) - refer to
Section 4.3.3.2 for details on how to configure auto upgrades.
Caution
Alpha releases may be unstable, and so we do not generally recommend setting your FB6000 to
automatically install alpha releases.
4.3.3.1. Manually initiating upgrades
Whenever you browse to the main Status page, the FB6000 checks whether there is newer software available,
given the current software version in use, and whether alpha releases are allowed. If new software is available,
you will be informed of this as shown in Figure 4.2 :-
Figure 4.2. Software upgrade available notification
25
System Administration
To see what new software is available, click on the "Upgrade available" link. This will take you to a page that
will show Release notes that are applicable given your current software version, and the latest version available.
On that page there is an "Upgrade" button which will begin the software upgrade process.
4.3.3.2. Controlling automatic software updates
There are two attributes on the system object (see Section 4.2) that affect the automatic software upgrade
process :-
Table 4.4. Attributes controlling auto-upgrades
Attribute Description
sw-update Controls what types of software releases the auto-
upgrade process will download/install. This attribute
can also be used to disable the auto-upgrade process use the value of false to achieve this.
• false : Disables auto upgrades
• factory : Only download/install factory releases
- this is the default if the attribute is not specified
• beta : Download/install factory or beta releases
• alpha : Download/install factory, beta or alpha
releases
sw-update-profile Specifies the name of a profile to use to control when
software upgrades are attempted (see Chapter 8 for
details on profiles).
The current setting of sw-update (in descriptive form) can be seen on the main Status page, adjacent to the
word "Upgrade", as shown in Figure 4.2 (in that example, sw-update is set to, or is defaulting to, factory).
4.3.4. Manual upgrade
This method is entirely manual, in the sense that the brick itself does not download new software from the
FireBrick servers, and responsibilty for loading breakpoint releases as required lies with the user.
In order to do this, you will first need to download the required software image file (which has the file
extension .img) from the FB6000 software downloads website [http://www.firebrick.co.uk/software.php?
PRODUCT=6000] onto your PC.
The next step is the same as you would perform when manually-initiating an Internet-based upgrade i.e. you
should browse to the main Status page, where, if there is new software is available, you will be informed of
this as shown in Figure 4.2.
This step is necessary since the manual upgrade feature currently shares the page used for Internet-based manual
upgrades, which is reached by clicking "Upgrade available" link. After clicking this link, you will find the
manual upgrade method at the bottom of the page, as shown in Figure 4.3 :-
Figure 4.3. Manual Software upload
26
System Administration
4.4. Boot Process
The FB6000 contains internal Flash memory storage that holds two types of software :-
• main application software (generally referred to as the app)
• a bootloader - runs immediately on power-up, initialises system, and then loads the app
It is possible for only one of these types of software, or neither of them, to be present in the Flash, but when
shipped from the factory the unit will contain a bootloader and the latest factory-release application software.
The FB6000 can store multiple app software images in the Flash, and this is used with an automatic fall-back
mechanism - if a new software image proves unreliable, it is 'demoted', and the unit falls back to running older
software. The show flash contents CLI command can be used to see what is stored in the Flash - see
Appendix F.
4.4.1. LED indications
4.4.1.1. Power LED status indications
The green power LED has three defined states, as shown in Table 4.5 below :-
Table 4.5. Power LED status indications
Indication Status
Off No AC power applied to unit (or possibly hardware
fault)
Flashing green with approximately 1 second period Bootloader running / waiting for network connection
On Main application software running
After power-up, the normal power LED indication sequence is therefore to go through the ~1 second period
flashing phase, and then - if at least one Ethernet port is connected to an active device, or after a few seconds
waiting for a factory reset cable - change to solid once the app is running.
Note
The power LED can be configured to be a different colour when the main application software is
running, including black (i.e. off). The LED can also be set to different colours and cycle through
colours based on active profiles (see Chapter 8).
From power-up, a FB6000 will normally boot and be operational in under five seconds.
4.4.1.2. Port LEDs
Whilst the bootloader is waiting for an active Ethernet connection, the green and yellow LEDs built into the
physical port connectors flash in a continual left-to-right then right-to-left sequence. The port LEDs on the
panel on the opposite side to the physical ports also flash, in a clock-wise sequence.
Note
The same port LED flashing sequences are observed if the app is running and none of the Ethernet
ports are connected to an active link-partner. Note that the app continues to run, and the power LED
will still be on solid.
When connected to an active link-partner, these flashing sequences will stop and the port LEDs will start
indicating physical port status, with various status indications possible, controllable via the configuration (see
Section 6.3).
27
Chapter 5. Event Logging
5.1. Overview
Many events in the operation of the FireBrick create a log entry. These are a one-line string of text saying what
happened. This could be normal events such as someone logging in to the web interface, or unusual events such
as a wrong password used, or DHCP not being able to find any free addresses to allocate.
5.1.1. Log targets
A log target is a named destination (initially internal to the FB6000) for log entries - you can have multiple log
targets set up which you can use to separate out log event messages according to some criteria - for example,
you could log all firewalling related log events to a log target specifically for that purpose. This makes it easier
to locate events you are looking for, and helps you keep each log target uncluttered with un-related log events
- this is particularly important when when you are logging a lot of things very quickly.
A log target is defined using a log top-level object - when using the web User Interface, these objects are in
the "Setup" category, under the heading "Log target controls".
Every log entry is put in a buffer in RAM, which only holds a certain number of log entries (typically around
1MB of text) - once the buffer is full, the oldest entries are lost as new ones arrive. Since the buffer is stored
in volatile memory (RAM), buffer contents are lost on reboot or power failure.
This buffer can be viewed via the web interface or command line which can show the history in the buffer and
then follow the log in real time (even when viewing via a web browser, with some exceptions - see Section 5.6.1).
In some cases it is essential to ensure logged events can be viewed even after a power failure. You can flag a
log target to log to the non-volatile Flash memory within the FB6000, where it will remain stored even after a
power failure. You should read Section 5.5 before deciding to log events to Flash memory.
Each log target has various attributes and child objects defining what happens to log entries to this target.
However, in the simplest case, where you do not require non-volatile storage, or external logging (see
Section 5.3), the log object will only need a name attribute, and will have no child objects. In XML this will
look something like :-
<log name="my_log"/>
5.1.1.1. Logging to Flash memory
The internal Flash memory logging system is separate from the external logging. It applies if the log target
object has flash="true". It causes each log entry to be written to the internal non-volatile Flash log as
it is created.
The flash log is intended for urgent permanent system information only, and is visible using the show flash
log CLI command (see Appendix F for details on using this command). Chapter 15 covers the CLI in general.
Caution
Flash logging slows down the system considerably - only enable Flash logging where absolutely
necessary.
The flash log does have a limit on how much it can hold, but it is many thousands of entries so this is rarely an
issue. Oldest entries are automatically discarded when there is no space.
28
Event Logging
5.1.1.2. Logging to the Console
The console is the command line environment described in Chapter 15. You can cause log entries to be displayed
as soon as possible on the console (assuming an active console session) by setting console="true" on
the log target.
You can stop the console logging with troff command or restart it with tron command.
The FB6000 also has a serial console to which console log entries are sent if logged in.
5.2. Enabling logging
Event logging is enabled by setting one of the attributes shown in Table 5.1 on the appropriate object(s) in the
configuration, which depends on what event(s) you are interested in. The attribute value specifies the name
of the log target to send the event message to. The events that cause a log entry will naturally depend on the
object on which you enable logging. Some objects have additional attributes such as log-error for unusual
events, and log-debug for extra detail.
Table 5.1. Logging attributes
Attribute Event types
log This is normal events. Note that if log-error is not
set then this includes errors.
log-error This is when things happen that should not. It could be
something as simple as bad login on telnet. Note that
if log-error is not set but log is set then errors are
logged to the log target by default.
log-debug This is extra detail and is normally only used when
diagnosing a problem. Debug logging can be a lot of
information, for example, in some cases whole packets
are logged (e.g. PPP). It is generally best only to use
debug logging when needed.
5.3. Logging to external destinations
Entries in the buffer can also be sent on to external destinations, such as via email or syslog. Support for
triggering SNMP traps may be provided in a future software release.
You can set these differently for each log target. There is inevitably a slight lag between the event happening
and the log message being sent on, and in some cases, such as email, you can deliberately delay the sending
of logs to avoid getting an excessive number of emails.
If an external logging system cannot keep up with the rate logs are generated then log entries can be lost. The
fastest type of external logging is using syslog which should manage to keep up in pretty much all cases.
5.3.1. Syslog
The FB6000 supports sending of log entries across a network to a syslog server. Syslog is described in RFC5424
[http://tools.ietf.org/html/rfc5424], and the FB6000 includes microsecond resolution time stamps, the hostname
(from system settings) and a module name in entries sent via syslog. Syslog logging is very quick as there
is no reply, and syslog servers can be easily setup on most operating systems, particularly Unix-like systems
such as Linux.
Note
Older syslog servers will typically show time and hostname twice, and will need upgrading.
29
Event Logging
The module name refers to which part of the system caused the log entry, and is also shown in all other types
of logging such as web and console.
To enable log messages to be sent to a syslog server, you need to create a syslog object that is a child of the
log target (log) object. You must then specify the DNS name or IP address of your syslog server by setting
the server attribute on the syslog object. You can also set the facility and/or severity values using these
attributes :-
• facility : the 'facility' to be used in the syslog messages - when syslog entries are generated by subsystems
or processes in a general-purpose operating system, the facility typically identifies the message source ;
where the commonly used facility identifiers are not suitable, the "local0" thru "local7" identifiers can be
used. If the facility attribute is not set, it defaults to LOCAL0
• severity : the severity value to be used in the syslog messages - if not set, the severity defaults to NOTICE
The FB6000 normally uses the 'standard' syslog port number of 514, but if necessary, you can change this by
setting the port attribute value.
5.3.2. Email
You can cause logs to be sent by e-mail by creating an email object that is a child of the log target (log) object.
An important aspect of emailed logs is that they have a delay and a hold-off. The delay means that the email
is not sent immediately because often a cluster of events happen over a short period and it is sensible to wait
for several log lines for an event before e-mailing.
The hold-off period is the time that the FB6000 waits after sending an e-mail, before sending another. Having
a hold-off period means you don't get an excessive number of e-mails ; since the logging system is initially
storing event messages in RAM, the e-mail that is sent after the hold-off period will contain any messages that
were generated during the hold-off period.
The following aspects of the e-mail process can be configured :-
• subject : you can either specify the subject, by setting the subject attribute value, or you can allow the
FB6000 to create a subject based on the first line of the log message
• e-mail addresses : as to be expected, you must specify a target e-mail address, using the to attribute. You
can optionally specify a From: address, by setting the from atttribute, or you can allow the FB6000 to create
an address based on the unit's serial number
• outgoing mail server : the FB6000 normally sends e-mail directly to the Mail eXchanger (MX) host for the
domain, but you can optionally specify an outgoing mail server ('smart host') to use instead, by setting the
server attribute
• SMTP port number : the FB6000 defaults to using TCP port 25 to perform the SMTP mail transfer, but if
necessary you can set the port attribute to specify which port number to use
• retry delay : if an attempt to send the e-mail fails, the FB6000 will wait before re-trying ; the default wait
period is 10 minutes, but you can change this by setting the retry attribute
An example of a simple log target with e-mailing is available in a factory reset configuration - the associated
XML is shown below, from which you can see that in many cases, you only need to specify the to attribute
(the comment attribute is an optional, general comment field) :-
<log name="fb-support"
comment="Log target for sending logs to FireBrick support team">
<email to="crashlog@firebrick.ltd.uk"
comment="Crash logs emailed to FireBrick Support team"/>
30
Event Logging
</log>
A profile can be used to stop emails at certain times, and when the email logging is back on an active profile
it tries to catch up any entries still in the RAM buffer if possible.
5.3.2.1. E-mail process logging
Since the process of e-mailing can itself encounter problems, it is possible to request that the process itself be
logged via the usual log target mechanism. This is done by specifying one or more of the log, log-debug
and log-error attributes.
Note
We recommend that you avoid setting these attributes such that specify the log-target containing the
email object, otherwise you are likely to continually receive e-mails as each previous e-mail process
log will trigger another e-mail - the hold-off will limit the rate of these mails though.
5.4. Factory reset configuration log targets
A factory reset configuration has a log target named default, which only logs to RAM. Provided this log
target has not been deleted, you can therefore simply set log="default" on any appropriate object to
immediately enable logging to this 'default' log target, which can then be viewed from the web User Interface
or via the CLI.
A factory reset configuration also has a log target named fb-support which is referenced by the log-
panic attribute of the system object (see Section 5.7). This allows the FireBrick to automatically email the
support team if there is a panic (crash) - you can, of course, change or delete this if you prefer.
Caution
Please do not use the fb-support log target for any other logging. This is normally only used for crash/
error reporting back to FireBrick.
5.5. Performance
The FireBrick can log a lot of information, and adding logs can causes things to slow down a little. The controls
in the config allow you to say what you log in some detail. However, logging to flash will always slow things
down a lot and should only be used where absolutely necessary.
5.6. Viewing logs
5.6.1. Viewing logs in the User Interface
To view a log in the web User Interface, select the "Log" item in the "Status" menu. Then select which log
target to view by clicking the appropriate link. You can also view a 'pseudo' log target "All" which shows log
event messages sent to any log target.
The web page then continues showing log events on the web page in real time i.e. as they happen.
Note
This is an "open ended" web page which has been known to upset some browsers, but this is rare.
However it does not usually work with any sort of web proxy which expects the page to actually finish.
31
Event Logging
All log targets can be viewed via the web User Interface, regardless of whether they specify any external logging
(or logging to Flash memory).
5.6.2. Viewing logs in the CLI environment
The command line allows logs to be viewed, and you can select which log target, or all targets. The logging
continues on screen until you press a key such as RETURN.
In addition, anything set to log to console shows anyway (see Section 5.1.1.2), unless disabled with the troff
command.
5.7. System-event logging
Some aspects of the operation of the overall system have associated events and messages that can be logged.
Logging of such events is enabled via the system object attributes shown in Table 5.2 below :-
Table 5.2. System-Event Logging attributes
system object attribute Event types
log General system events.
log-debug System debug messages.
log-error System error messages.
log-eth General Ethernet hardware messages.
log-eth-debug Ethernet hardware debug messages.
log-eth-error Ethernet hardware error messages.
log-panic System Panic events.
log-stats "One second stats" messages
Specifying system event logging attributes is usually only necessary when diagnosing problems with the
FB6000, and will typically be done under guidance from support staff. For example, log-stats causes a
log message to be generated every second containing some key system statistics and state information, which
are useful for debugging.
Note that there are some system events, such as startup and shutdown, which are always logged to all log targets,
and to the console and flash by default, regardless of these logging attributes.
5.8. Using Profiles
The log target itself can have a profile which stops logging happening when the profile is disabled. Also, each
of the external logging entries can have a profile. Some types of logging will catch up when their profile comes
back on (e.g. email) but most are immediate (such as syslog and SMS) and will drop any entries when disabled
by an Inactive profile.
32
Chapter 6. Interfaces and Subnets
This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those
interfaces.
6.1. Relationship between Interfaces and Physical Ports
The FB6000 features two Gigabit Ethernet (1Gb/s) ports. These ports only work at gigabit speeds.
Each port features a green and amber LED, the functions of which can be chosen from a range of options
indicating link speed and/or traffic activity.
The exact function of the ports is flexible, and controlled by the configuration of the FB6000.
6.1.1. Port groups
The FB6000 has two physical ports and no internal switch. This means that the port group configuration can
either be the default where each port is in one group, or where both ports are in a trunked group
The port group has a trunk setting which defaults to being true. When there are two ports in the port group this is
the only option. When only one port, it makes no difference. It is included for compatability with other models.
When using a trunked port group, the ports normally use and required LACP to a suitably configured switch.
Only when the LACP confirms the correct config is the trunk set up. Until them the first active port is used
on its own. If you do not wish to use LACP for the trunk (static config) you can edit the individual ethernet
port settings to set lacp to false. If lacp mode is not set then it is assumed to be active for trunked ports, and
passive for non trunked ports.
6.1.2. Interfaces
In the FB6000, an interface is a logical equivalent of a physical Ethernet interface adapter. Each interface
normally exists in a distinct broadcast domain, and is associated with at most one port group.
Each port can operate simply as an interface with no VLANs, or can have one or more tagged VLANs which
are treated as separate logical interfaces. Using VLAN tags and a VLAN capable switch you can effectively
increase the number of physical ports.
If you are unfamiliar with VLANs or the concept of broadcast domains, Appendix C contains a brief overview.
By combining the FB6000 with a VLAN capable switch, using only a single physical connection between the
switch and the FB6000, you can effectively expand the number of distinct physical interfaces, with the upper
limit on number being determined by switch capabilities, or by inherent IEEE 802.1Q VLAN or FB6000 MAC
address block size. An example of such a configuration is a multi-tenant serviced-office environment, where
the FB6000 acts as an Internet access router for a number of tenants, firewalling between tenant networks, and
maybe providing access to shared resources such as printers.
6.2. Defining an interface
To create or edit interfaces, select the Interface category in the top-level icons - under the section headed
"Ethernet interface (port-group/vlan) and subnets", you will see the list of existing interface top-level
objects (if any), and an "Add" link.
33
Interfaces and Subnets
The primary attributes that define an interface are the name of the physical port group it uses, an optional
VLAN ID, and an optional name. If the VLAN ID is not specified, it defaults to "0" which means only untagged
packets will be received by the interface.
To create a new interface, click on the Add link to take you to a new interface defintion. Select one of the
defined port groups. If the interface is to exist in a VLAN, tick the vlan checkbox and enter the VLAN ID
in the text field.
Editing an existing interface works similarly - click the Edit link next to the interface you want to modify.
An interface object can have the following child objects :-
• One or more subnet definition objects
• Zero or more DHCP server settings objects
• Zero or more Virtual Router Redundancy Protocol (VRRP) settings objects (refer to Chapter 12)
6.2.1. Defining subnets
Each interface can have one or more subnets definitions associated with it. The ability to specify multiple
subnets on an interface can be used where it is necessary to communicate with devices on two different subnets
and it is acceptable that the subnets exist in the same broadcast domain. For example, it may not be possible to
reassign machine addresses to form a single subnet, but the machines do not require firewalling from each other.
Note
As discussed in Section 6.1, an interface is associated with a broadcast domain ; therefore multiple
subnets existing in a single broadcast domain are not 'isolated' (at layer 2) from each other. Effective
firewalling (at layer 3) cannot be established between such subnets ; to achieve that, subnets need to
exist in different broadcast domains, and thus be on different interfaces. An example of this is seen in
the factory default configuration, which has two interfaces, "WAN" and "LAN", allowing firewalling
of the LAN from the Internet.
You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv6 networking.
The primary attributes that define a subnet are the IP address range of the subnet, the IP address of the FB6000
itself on that subnet, and an optional name.
The IP address and address-range are expressed together using CIDR notation - if you are not familiar with this
notation, please refer to Appendix A for an overview.
To create or edit subnets, select the Interface category in the top-level icons, then click Edit next to the
appropriate interface - under the section headed "IP subnet on the interface", you will see the list of existing
subnet child objects (if any), and an "Add" link.
Note
In a factory reset configuration, there are two temporary subnets defined on the "LAN" interface :
2001:DB8::1/64 and 10.0.0.1/24. These subnet definitions provide a default IP address that
the FB6000 can initially be accessed on, regardless of whether the FB6000 has been able to obtain an
address from an existing DHCP server on the network. Once you have added new subnets to suit your
requirements, and tested that they work as expected, these temporary definitions should be removed.
To create a new subnet, click on the Add link to take you to a new subnet object defintion. Tick the ip
checkbox, and enter the appropriate CIDR notation.
Editing an existing subnet works similarly - click the Edit link next to the subnet you want to modify.
34
Interfaces and Subnets
6.2.1.1. Source filtering
The interface has an option to source-filter traffic received from the interface. This means checking the
source IP of all traffic that arrives.
Setting source filtering to true will only allow IPs that would be routed back down that interface. That is the
most restrictive setting, and can be useful for restricting customer connections to only originate traffic from
their assigned IP addresses.
Setting source filtering to blackhole is less restrictive. It allows IPs to which there is a valid route even
if to a different interface. If the IP is routed to a black hole or a dead end or not in the routing table then it
is not accepted.
Tip
The routing look up to check the source IP is normally done in the routing table of the interface.
However, it is possible to set a source-filter-table which allows the check to be done in
a different routing table. This usually only makes sense when used with the blackhole option. It
allows a separate routing table to be used to define source filtering explicitly if needed.
Note
Link local IPv6 addresses starting FE80 are always allowed, as is the 0.0.0.0 null IP for DHCP usage.
IPv6 addresses within 2002::/16 are treated as the embedded IPv4 address for filtering checks.
6.2.1.2. Using DHCP to configure a subnet
You can create a subnet that is configured via DHCP by clearing the ip checkbox - the absence of an IP address/
prefix specification causes the FB6000 to attempt to obtain an address from a DHCP server (which must be
in the same broadcast domain). It may help to use the Comment field to note that the subnet is configured via
DHCP.
In its simplest form, a DHCP configured subnet is created by the following XML :- <subnet />
Tip
It is possible to specify multiple DHCP client subnets like this, and the FB6000 will reserve a separate
MAC address for each. This allows the FB6000 to aquire multiple independant IP addresses by DHCP
on the same interface if required.
6.2.2. Setting up DHCP server parameters
The FB6000 can act as a DHCP server to dynamically allocate IP addresses to clients. Optionally, the allocation
can be accompanied by information such as a list of DNS resolvers that the client should use.
Since the DHCP behaviour needs to be defined for each interface (specifically, each broadcast domain), the
behaviour is controlled by one or more dhcp objects, which are children of an interface object.
Address allocations are made from a pool of addresses - the pool is either explicitly defined using the ip
attribute, or if ip is not specified, it consists of all addresses on the interface, i.e. from all subnets but excluding
network or broadcast addresses, or any addresses that the FB6000 has seen ARP responses for (eg addresses
already in use, perhaps through a device configured with a fixed static address).
The XML below shows an example of an explicitly-specified DHCP pool :
<interface ...>
...
<dhcp name="LAN"
ip="172.30.16.50-80"
log="default"/>
35
Interfaces and Subnets
...
</interface>
Tip
When specifying an explicit range of IP addresses, if you start at the network then the FB6000 will
allocate that address. Not all devices cope with this so it is recommended that an explicit range is used,
e.g. 192.168.1.100-199. You do not, however, have to be careful of either the FireBrick's own
addresses or subnet broadcast addresses as they are automatically excluded. When using the default
(0.0.0.0/0) range network addresses are also omitted, as are any other addresses not within a subnet
on the same interface.
Every allocation made by the DHCP server built-in to the FB6000 is stored in non-volatile memory, and will
survive power-cycling and/or rebooting. The allocations can be seen using the "DHCP" item in the "Status"
menu, or using the show dhcp CLI command.
If a client does not request renewal of the lease before it expires, the allocation entry will show "expired".
Expired entries remain stored, and are used to lease the same IP address again if the same client (as identified
by its MAC address) requests an IP address. However, if a new MAC address requests an allocation, and there
are no available IPs (excluding expired allocations) in the allocation pool, then the oldest expired allocation
IP address is reused for the new client.
6.2.2.1. Fixed/Static DHCP allocations
'Fixed' (or 'static') allocations can be achieved by creating a separate dhcp object for each such allocation, and
specifying the client MAC address via the mac attribute, or the client name using the client-name attribute.
The XML below shows an example of a fixed allocation. Note the MAC address is written without any colons,
and is therefore a string of twelve hexadecimal digits (48 bits). This allocation also supplies DNS resolver
information to the client.
<interface ...>
...
<dhcp name="laptop"
ip="81.187.96.81"
mac="0090F59E4F12"
dns="81.187.42.42 81.187.96.96"
log="default"/>
...
</interface>
Tip
If you are setting up a static allocation, but your client has already obtained an address (from your
FB6000) from a pool, you will need to clear the existing allocation and then force the client to issue
a new DHCP request (e.g. unplug the ethernet cable, do a software 'repair connection' procedure or
similar). See the show dhcp and clear dhcp CLI commands in Appendix F for details on how
to clear the allocation. Chapter 15 covers the CLI in general.
You can also lock an existing dynamic allocation to prevent it being re-used for a different MAC address even
if it has expired.
6.2.2.2. Restricted allocations
You can restrict a pool to apply only to devices with specific MAC addresses, client names or vendor class
names using the mac, client-name and class attributes on the dhcp object. The client and class names
can be specified using wildcard strings, where the characters '*' and '?' stand for any run of characters, and any
36
Interfaces and Subnets
single character, respectively. The value specified for the mac attribute can be a list of partial MAC addresses,
where each item can be less than a full 6-byte address. Any device whose MAC's leading bytes match one of
the items in the mac list is acceptable. [The fixed-allocation example above is actually a special case of this
general method for restricting allocation pools, where a single MAC address was specified in full.]
For example, as discussed in Appendix B, the first three octets (bytes) of a MAC address identify the
organization (often the end product manufacturer) which is registered to allocate that MAC address to an
Ethernet device. By specifying only these first three bytes (six hexadecimal characters, no colon delimiters), in
the mac attribute, you can ensure that all devices from the associated manufacturer are allocated addresses from
a particular address pool. This is helpful if you have some common firewalling requirements for such a group
of devices - for example, if all of your VoIP phones are from one manufacturer, as you can have appropriate
firewall rule(s) that apply to addresses in that pool.
The following example illustrates this technique. It will match any devices which have MAC addresses
beginning 00:04:13 or 00:0E:08, and which also have a vendor class name containing the string phone:
<interface ...>
...
<dhcp name="VoIP"
ip="10.20.30.40-50"
mac="000413 000E08"
class="*phone*"
dns="8.8.8.8"
log="DHCP-Phones"
comment="VoIP phones"/>
...
</interface>
The algorithm used to determine which pools apply to a particular device is as follows:
• If no restricted pools (ie those with one or more of the mac, client-name or class attributes present)
match the device's properties, then all non-restricted pools apply.
• If any restricted pools match the device's properties, then only restriced pools which match the device apply.
Furthermore, a scoring system is used to select which of those pools to use based on how well the device's
properties match. An exact match scores higher than any partial or wildcarded match and a MAC match
scores higher than a client-name match, with a class-name match scoring the least. The score for a partial or
wildcarded match is based on the number of bytes or characters which were explicitly matched.
• Only the pool or pools with the highest score are considered.
Note
While this may seem rather complex, it achieves the intuitively-expected result in most cases - for
example it allows a pool to be set up for a general class of device or a range of MAC addresses, and
for more specific pool entries to be included which will take precedence for individual devices, eg
with a full MAC address or a specific client-name.
6.2.2.3. Special DHCP options
For each pool, in addition to the common DHCP options to be supplied to the client device which you can
configure using recognized attributes (eg gateway, dns, domain), you can also supply other DHCP options,
specified as a string, IPv4 address or number, or even as raw data in hexadecimal. You can force sending of
an option even if not requested.
For vendor-specific options (ID 43) you can either specify in hex as ID 43, or you can specify the code to use
and set the vendor flag; this adds an option type 43 with the code and length for the option which can be string,
IPv4 address, number, or hexadecimal.
37
Interfaces and Subnets
6.2.3. DHCP Relay Agent
You can configure the FireBrick to operate as a DHCP/BOOTP Relay agent simply by setting the dhcp-relay
in the interface object to the IPv4 address of the remote DHCP server.
If you also configure a DHCP allocation on the same interface, this is checked first, and if there are no suitable
allocation pools or IP addresses available then the request is relayed. Normally you would configure either a
relay or a pool and not both.
The top level dhcp-relay configuration allows you to configure the FireBrick to be the remote server for a
DHCP/BOOTP Relay Agent. The relay attribute allows specific pools to be set up for specific relays. The table
and allow allow you to limit the use of the DHCP Remote server to requests from specific sources - note that
renewal requests come from the allocated IP, or NAT IP if behind NAT and not necessarily from the relay IP.
The allocation-table attribute allows for this pool of IPs to be placed in a separate table, thus allowing it to
be independant from other DHCP allocations on the FireBrick and to allow different overlapping pools for
different relay endpoints, which is not uncommon if the endpoints are behind separate NAT routers.
6.3. Physical port settings
The detailed operation of each physical port can be controlled by creating ethernet top-level objects, one
for each port that you wish to define different behaviour for vs. default behaviour.
To create a new ethernet object, or edit an existing object, select the Interface category from the top-level
icons. Under the section headed "Ethernet port settings", you will see the list of existing ethernet objects
(if any), and an "Add" link.
In a factory reset configuration, there are no ethernet objects, and all ports assume the following defaults :-
• Link auto-negotiation is enabled - both speed and duplex mode are determined via auto-negotiation, which
should configure the link for highest performance possible for the given link-partner (which will need to be
capable of, and participating in, auto-negotiation for this to happen)
• Auto-crossover mode is enabled - the port will swap Receive and Transmit pairs if required to adapt to cable /
link-partner configuration
• The green port LED is configured to show combined Link Status and Activity indication - the LED will be
off if no link is established with a link-partner. When a link is established (at any speed), the LED will be
on steady when there is no activity, and will blink when there is activity.
• The yellow port LED is configured to show Transmit activity.
When you first create an ethernet object you will see that none of the attribute checkboxes are ticked, and
the defaults described above apply. Ensure that you set the port attribute value correctly to modify the port
you intended to.
The FB6000 configuration contains a number of port settings which are not possible and will not save, e.g.
10M and 100M modes. These are included for compatibility with FB2500 and FB2700 products. The FB6000
only operates at gigabit port speeds.
6.3.1. Setting duplex mode
If auto-negotiation is enabled, the FB6000 port will normally advertise that it is capable of either half- or fullduplex operation modes - if you have reason to restrict the operation to either of these modes, you can set the
duplex attribute to either half or full. This will cause the port to only advertise the specified mode - if
the (auto-negotiate capable) link-partner does not support that mode, the link will fail to establish.
If auto-negotiation is disabled, the duplex attribute simply sets the port's duplex mode.
38
Interfaces and Subnets
Note
If you do not set the autoneg attribute (checkbox is unticked), and you set both port speed and
duplex mode to values other than auto, auto-negotiation will be disabled ; this behaviour is to reduce
the potential for duplex mis-match problems that can occur when connecting the FB6000 to some
vendors' (notably Cisco) equipment that has auto-negotation disabled by default.
6.3.2. Defining port LED functions
Each port has options to control the way the yellow and green LEDs are displayed based on the state of the
port. The default is yellow for Tx and green for link/activity.
39
Chapter 7. Routing
7.1. Routing logic
The routing logic in the FB6000 operates primarily using a conventional routing system of most specific prefix,
which is commonly found in many IP stacks in general purpose computers and routers.
Conventional routing determines where to send a packet based only on the packet's destination IP address, and
is applied on a 'per packet' basis - i.e. each packet that arrives is processed independently from previous packets.
Note that with this routing system, it does not matter where the packet came from, either in terms of source IP
address or which interface/tunnel etc. the packet arrived on.
A route consists of :-
• a 'target' specifying where to send the packet to - this may be a specialised action, such as silently dropping
the packet (a 'black-hole')
• an IP address range that this routing information applies to - the routing destination
A routing table consists of one or more routes. Unlike typical IP stacks, the FB6000 supports multiple
independent routing tables.
Routing destinations are expressed using CIDR notation - if you are not familiar with this notation, please refer
to Appendix A for an overview. Note that ip-groups cannot be used when defining subnets or routes. IP-groups
allow arbitrary ranges and not just prefixes, but routes can only use prefixes.
There are two cases that deserve special attention :-
• A routing destination may be a single IP address, in which case it is a "/32" in CIDR notation (for IPv4).
The /32 part (for IPv4) or /128 (for IPv6) is not shown when displaying such prefixes.
• A routing destination may encompass the entire IPv4 (or IPv6) address space, written as 0.0.0.0/0 (for
IPv4) or ::/0 (for IPv6) in CIDR notation. Since the prefix is zero-length, all destination IP addresses will
match this route - however, it is always the shortest-prefix route present, and so will only match if there are
no more specific routes. Such routes therefore acts as a default route.
The decision of where to send the packet is based on matching the packet's destination IP address to one or
more routing table entries. If more than one entry matches, then the longest (most specific) prefix entry is used.
The longest prefix is assumed to be associated with the optimal route to the destination IP address, since it is
the 'most specific', i.e. it covers a smaller IP address range than any shorter matching prefix.
For example, if you have two routes, one for 10.0.1.32/27 , and another for 10.0.0.0/8 (which encompasses
10.0.1.32/27), then a destination IP address of 10.0.1.35 will match the longest-prefix (smallest address range)
"/27" route.
The order in which routes are created does not normally matter as you do not usually have two routes that have
the same prefix. However, there is an attribute of every route called the localpref which decides between
identical routes - the higher localpref being the one which applies. If you have identical routes with the
same localpref then one will apply (you cannot rely on which one) but it can, in some cases, mean you
are bonding multiple links.
Tip
You can show the route(s) that apply for a specific destination IP address or address range using the
CLI command show route. You can also see a list of all routes in a routing table using the CLI
command show routes. There is also a routing display on the Diagnostics control web pages.
40
Routing
7.2. Routing targets
A route can specify various targets for the packet :-
Table 7.1. Example route targets
Target Notes
an Ethernet interface (locally-atached subnet) requires ARP or ND to find the device on the LAN to
which the traffic is to be sent.
a specific IP address (a "gateway") the packet is forwarded to another router (gateway) ;
routing is then determined based on the gateway's IP
address instead
tunnel interface such as L2TP, PPPoE or FB105
tunnels.
special targets e.g. the FB6000 itself, or to a black hole (causes all
These are covered in more detail in the following sections.
such routes are created as part of the config for the
interface and relate to the specific tunnel.
traffic to be dropped)
7.2.1. Subnet routes
Whenever you define a subnet or one is created dynamically (e.g. by DHCP), an associated route is
automatically created for the associated prefix. Packets being routed to a subnet are sent to the Ethernet
interface that the subnet is associated with. Traffic routed to the subnet will use ARP or ND to find the
final MAC address to send the packet to.
In addition, a subnet definition creates a very specific single IP (a "/32" for IPv4, or a "/128" for IPv6) route
for the IP address of the FB6000 itself on that subnet. This is a separate loop-back route which effectively
internally routes traffic back into the FB6000 itself - i.e. it never appears externally.
A subnet can also have a gateway specified, either in the config or by DHCP or RA. This gateway is just like
creating a route to 0.0.0.0/0 or ::/0 as a specific route configuration. It is mainly associated with the subnet for
convenience. If defined by DHCP or RA then, like the rest of the routes created by DHCP or RA, it is removed
when the DHCP or RA times out.
Example: <subnet ip="192.168.0.1/24"/> creates a route for destination 192.168.0.0/24 to
the interface associated with that subnet. A loop-back route to 192.168.0.1 (the FB6000's own IP
address on that subnet) is also created.
7.2.2. Routing to an IP address (gateway route)
Routes can be defined to forward traffic to another IP address, which will typically be another router (often
also called a gateway) For such a routing target, the gateway's IP address is then used to determine how to
route the traffic, and another routing decision is made. This subsequent routing decision usually identifies an
interface or other data link to send the packet via - in more unusual cases, the subsequent routing decision
identifies another gateway, so it is possible for the process to be 'recursive' until a 'real' destination is found.
Example: <route ip="0.0.0.0/0" gateway="192.168.0.100"/> creates a default IPv4 route
that forwards traffic to 192.168.0.100. The routing for 192.168.0.100 then has to be looked up to find
the final target, e.g. it may be to an Ethernet interface, in which case an ARP is done for 192.168.0.100
to find the MAC to send the traffic.
There is logic to ensure that the next-hop is valid - the gateway specified must be routable somewhere and if
that is via an Ethernet interface then the endpoint must be answering ARP or ND packets. If not, then the route
using the gateway is supressed and other less specific routes may apply.
41
Routing
7.2.3. Special targets
It is possible to define two special targets :-
• 'black-hole' : packets routed to a black-hole are silently dropped. 'Silent' refers to the lack of any ICMP
response back to the sender.
• 'nowhere' (also called Dead End) : packets routed to 'nowhere' are also dropped but the FB6000 generates
ICMP error responses back to the sender.
The blackhole and nowhere top-level objects are used to specify prefixes which are routed to these special
targets. In the User Interface, these objects can be found under the Routes category icon.
When using BGP you can also define a network which is announced by default, along with any dead-end-
community, and treated otherwise the same as nowhere.
7.3. Dynamic route creation / deletion
For data links that have an Up/Down state, such as L2TP or FB105 tunnels, or PPP links, the ability to actually
send traffic to the route target will depend on the state of the link. For such links, you can specify route(s)
to automatically create each time the link comes up - when the link goes down these routes are removed
automatically.
This can be useful where a link such as PPPoE is defined with a given localpref value, and a separate
route is defined with a lower localpref value (i.e. less preferred), and therefore acts as a fallback route if
the PPPoE link drops.
7.4. Routing tables
The conventional routing logic described above operates using one of possibly many routing tables that the
FB6000 can support simultaneously. Routing tables are numbered, with the default being routing table 0 (zero).
The various ways to add routes allow the routing table to be specified, and so allow completely independent
routing for different routing tables. The default table (table zero) is used when optional routing-table
specification attributes or CLI command parameters are omitted.
Each interface is logically in a routing table and traffic arriving on it is processed based on the routes in
that routing table. Tunnels like FB105 and L2TP allow the wrapped tunnel packets to work on one routing table
and the tunnel payload packets to be on another.
Routing tables can be very useful when working with tunnels of any sort - placing the wrappers in one routing
table, allowing DHCP clients and so on, without taking over the default route for all traffic. The payload can
then be in the normal routing table 0.
7.5. Bonding
A key feature of the FB6000 is the ability to bond multiple links at a per packet level.
Bonding works with routing and shapers together. (See Chapter 9 for details of shapers.)
The basic principle is that you have two or more routes that are identical (same target IP prefix) and have the
same localpref, so that there is nothing to decide between them. As described above this normally means one
of the routes is picked.
However, where the two (or more) routes are the same type of interface, and there are shapers applied to those
routes, then a decisions is made on a per packet basis as to which interface to used. The shapers are used to
decide which link is least far ahead. This means that traffic is sent down each link at the speed of that link.
42
Routing
To make this work to the best effect, set the tx speed of the shapers on the links to match the actual link speed.
E.g. for broadband lines, set the speed to match the uplink from the FB6000.
43
Chapter 8. Profiles
Profiles allow you to enable/disable various aspects of the FB6000's configuration (and thus functionality)
based on things such as time-of-day or presence/absence of Ping responses from a specified device.
8.1. Overview
A profile is a two-state control entity - it is either Active or Inactive ("On" or "Off", like a switch). Once a
profile is defined, it can be referenced in various configuration objects where the profile state will control the
behaviour of that object.
A profile's state is determined by one or more defined tests, which are performed periodically. If multiple tests
are specified, then the overall test result will be pass only if all the individual test results are pass. Assuming
the profile's state is Active, then when the overall test result has been 'fail' for a specified duration, the profile
transitions to Inactive. Similary, once the overall test result has been 'pass' for a specified duration, the profile
transitions to Active. These two durations are controlled by attributes and provide a means to 'filter' out short
duration 'blips' that are of little interest.
An example of a test that can be performed is a Ping test - ICMP echo request packets are sent, and replies are
expected. If replies are not being received, the test fails.
Profiles can be logically combined using familiar boolean terminology i.e. AND, OR and NOT, allowing for
some complex profile logic to be defined that determines a final profile state from several conditions. When
considering the state of another profile, it is the previous second's state that is considered - i.e. profile states
are all updated in one go after considering all profiles.
By combining profiles with the FB6000's event logging facilities, they can also be used for automated
monitoring and reporting purposes, where profile state changes can be e-mailed direct from the FB6000. For
example, a profile using a Ping test can be used to alert you via e-mail when a destination is unreachable. The
profile logic tests are also done based on the defined interval.
The current state of all the profiles configured on your FB6000 can be seen by choosing the "Profiles" item
in the "Status" menu.
Tip
You can also define dummy profiles that are permanantly Active or Inactive, which can be useful
if you wish to temporarily disable some functionality without deleting configuration object(s). For
example, you can force an FB105 tunnel to be Down, preventing traffic from being routed through
it. Refer to Section 8.2.4 for details.
8.2. Creating/editing profiles
In the web user interface, profiles are created and edited by clicking on the "Profiles" category icon. A profile
is defined by a profile top-level object.
8.2.1. Timing control
The following timing control parameters apply :-
• interval : the interval between tests being performed
• timeout : the duration that the overall test must have been failing for before the profile state changes to
Inactive
44
Profiles
• recover : the duration that the overall test must have been passing for before the profile state changes
to Active
The timeout and recover parameters do not apply to manually set profiles (see Section 8.2.4) and those
based on time-of-day (see Section 8.2.2.2).
8.2.2. Tests
8.2.2.1. General tests
'General' tests are provided for the following :-
• Routable addresses : the route attributes lists one or more IP addresses (full addresses, not CIDR prefix
ranges) - only if all the addresses are 'routable' - i.e. there is an entry in the routing table that will match
that address - will this test pass. Refer to Chapter 7 for discussion of routing tables and the routing logic
used by the FB6000
• VRRP state : the vrrp attribute lists one or more Virtual Router group membership definitions (see
Chapter 12) by name - if the FB6000 is not the master device in any of these Virtual Routers, this test will fail
• Port state : the ports attribute lists one of more physial Ethernet ports. if any of thes ports is up then the
test passes.
Tip
You can also control port state with a profile, so you could have a port come up if another port is
down to create a fallback arrangement.
If more than one of these general tests is selected (corresponding attribute specified), then they must all pass
(along with all other tests defined) for the overall result to be pass.
8.2.2.2. Time/date tests
Time and/or date tests are specified by date and/or time objects, which are child objects of the profile
object.
You can define multiple date ranges via multiple date objects - the date test will pass if the current date is
within any of the defined ranges. Similarly, you can define multiple time ranges via multiple time objects the time test will pass if the current time is within any of the defined ranges.
Tip
Unlike other tests the chanhe of state because of a date/time test takes effect immediately rather than
waiting for several seconds to confirm it is still Saturday or some such.
8.2.2.3. Ping tests
Like time/date tests, a Ping test is specified by a ping object, as a child of the profile object. At most
one Ping test can be defined per profile - logical combinations of profiles can be used to combine Ping tests
if necessary.
8.2.3. Inverting overall test result
The tests described in the previous section are used to form an overall test result. Normally this overall result is
used to determine the profile state using the mapping Pass > Active and Fail > Inactive. By setting the invert
attribute to true, the overall result is inverted (Pass changed to Fail and vice-versa) first before applying the
mapping.
45
Profiles
8.2.4. Manual override
You can manually override all tests, and force the profile state using the set attribute - a value of true forces
the state to Active, and false forces it to Inactive.
You can also configure the set attribute with a value of control-switch. This causes the profile to be
set manually based on a control switch which is not stored in the configuration itself. The switch appears on
the home web page allowing it to be turned on or off with one click. It can also be changed from the command
line. You can restrict each switch to one or more specific users to define who has control of the switch. This
control applies even if the user has no access to make configuration changes as the switch is not part of the
config. The switch state is automatically stored in the dynamic peristent data (along with DHCP settings, etc),
so survives a power cycle / restart. The control switch uses initial as the initial state when first added to
the config, but at start up it picks up the state of the stored state.
Note
The control switches ignore other tests, just like other manual settings, but can be combined with and,
or and not settings - these have the affect of forcing the control switch one way. E.g. if an and
profile is off then the control switch is forced off. If it is on then the control switch can be manually
set on or off as needed.
Note that the value of the invert attribute is ignored when manual override is requested.
These fixed-state profiles can be used as simple on/off controls for configuration objects. The following shows
an example of two such profiles, expressed in XML :-
<profile name="Off" set="false"/>
<profile name="On" set="true"/>
<profile name="IT-Support"
comment="Allow IT support company access to server"
set="control-switch"/>
46
Chapter 9. Traffic Shaping
The FB6000 includes traffic shaping functionality that allows you to control the speed of specific traffic flows
through the FB6000. The FB6000 also provides graphing functionality, allowing specific traffic flows to be
plotted on a graph image (PNG format) that the FB6000 generates. Within the FB6000, traffic shaping and
graphing are closely associated, and this is reflected in how you configure traffic shaping - in order to be able
to perform traffic shaping, you must first graph the traffic flow.
9.1. Graphs and Shapers
9.1.1. Graphs
Several objects in the FB6000's configuration allow you to specify the name of a graph, by setting the value of
the graph attribute. This causes the traffic flow that is associated with that object (a firewall rule, an interface,
or whatever the attribute is attached to) to be recorded on a graph with the specified name. For connections
that have a defined state, such as a PPP link, the graph will also show the link state history. Other information,
such as packet loss and latency may also be displayed, depending on whether it can be provided by the type
of object you are graphing.
For example, the XML snippet below shows the graph attribute being set on an interface. As soon as you
have set a graph attribute (and saved the configuration), a new graph with the specified name will be created.
<interface name="LAN"
port="LAN"
graph="LAN">
The graph is viewable directly (as a PNG image) from the FB6000 via the web User Interface - to view a graph,
click the "PNG" item in the "Graphs" menu. This will display all the graphs that are currently configured - it is
not currently possible to show a single graph within the web User Interface environment.
It is possible to access the graph data in many ways, using the URL to control what information is shown,
labels, and colours, and also allowing graphs to be archived. See Appendix G for more details.
Note
You may find images shown for graph names that are no longer specified anywhere in the
configuration. Over time, these graphs will disappear automatically.
Alternatively, the underlying graph data is available in XML format, again via the FB6000's built-in HTTP
server. The XML version of the data can be viewed in the web User Interface by clicking the "XML" item in
the "Graphs" menu, and then clicking on the name of the graph you're interested in.
Both directions of traffic flow are recorded, and are colour-coded on the PNG image generated by the FB6000.
The directions are labelled "tx" and "rx", but the exact meaning of these will depend on what type of object
the graph was referenced from - for example, on a graph for an interface, "tx" will be traffic leaving the
FB6000, and "rx" will be traffic arriving at the FB6000.
Each data point on a graph corresponds to a 100 second interval ; where a data point is showing a traffic rate,
the rate is an average over that interval. For each named graph, the FB6000 stores data for the last 24 hours.
Note
Specifying a graph does not itself cause any traffic shaping to occur, but is a pre-requisite to specifying
how the associated traffic flow should be shaped.
47
Traffic Shaping
9.1.2. Shapers
Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on
those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum
average speeds over time.
You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
To create or edit a shaper object in the web User Interface, first click on the "Shape" category icon. To create
a new object, click the "Add" link. To edit an existing object, click the appropriate "Edit" link instead.
The shaper object specifies the parameters (primarily traffic rates) to use in the traffic shaping process, and
the shaper is associated with the appropriate existing graph by specifying the name attribute of the shaper
object to be the same as the name of the graph.
9.1.3. Ad hoc shapers
You can define a shaper object and set the speed controls for that shaper, and then define the graph attribute
on something, e.g. an interface, to apply that shaper to the interface.
It is also possible, in most cases, to simply set a speed attribute on some object. This creates an un-named
shaper (so no graph) which has the specified speed for egress (tx). This is unique to that object unlike named
shapers which are shared between all objects using the same named shaper.
It is also possible to set graph and speed attributes to create a named shaper with the specified speed, without
having to create a separate shaper object.
If you set a graph attribute without a speed attribute or creating a shaper object then that simply creates
a graph without traffic shaping. Multiple objects can share the same graph.
9.1.4. Long term shapers
If defining a shaper using the shaper object there are a number of extra options which allow a long term
shaper to be defined. A long term shaper is one that changes the actual speed applied dynamlically to ensure
a long term usage level that is within a defined setting.
The key parameters for the long term shaper are the target speed (e.g. tx), the minimum speed (e.g. tx-min)
and maximum speed (e.g. tx-max). The target speed is what is normally used if nothing else is set, but if a
min and max are set then the shaper will actually use the max speed normally.
However, if the usage exceeds the target speed then this is considered to be bursting and this continues until
the average speed since the bursting started drops below the target speed.
When bursting, a time is intially allowed with no change of speed (e.g. tx-min-burst) and after that the
speed drops. This can be automatic, or using a rate of drop per hour (e.g. tx-step). The rate will drop down
to the defined minimum speed.
Once the average, since bursting started, drops below the target and the restrictions are lifted, returning to the
maximum speed. If the minimum speed is below the target speed then this will happen eventually even if the
link is used solidly at the maximum it is allowed. If the minimum is at the target or higher then the usage will
have to drop below the target for a time before the average speed drops low enough to restore full speed.
The overall effect of this means that you can burst up to a specified maximum, but ultimately you cannot transfer
more than if the target speed had been applied the whole time.
9.2. Multiple shapers
A packet that passes through the FB6000 can pass through multiple shapers, for example
48
Traffic Shaping
• The ingress interface can have a defined shaper
• It is possible to create a bonded gateway route where multiple routes exist for the same target (typically a
default gateway) and each route as a speed set, which is itself a shaper. This is used to control how much
traffic goes via each of the bonded routes. (You simply create more than one route object with a speed
or graph setting).
• The egress interface can have a defined shaper
9.3. Basic principles
Each shaper tracks how far ahead the link has got with traffic that has been recently sent. This depends on
the length of packets sent and the speed of the shaper. This is, essentially, tracking how much is likely to be
queued at a bottleneck further on. The FB6000 does not delay sending packets and assumes something with a
lower speed is probably queuing them up later.
This record of how far ahead the traffic is gets used in two ways:
• If the shaper is too far ahead, then packets are dropped, causing the link to be rate limited to the selected
speed. Exactly how much is too far depends on the packet size, with small packets (less than 1000 bytes)
allowed more margin than large packets. This has the effect of prioritising DNS, interactive traffic, VoIP, etc.
• Where there are two or more links with shapers a link is picked based on which is the least far ahead. This
has the effect of balancing the traffic levels between multiple links based on the speed of each link exactly.
49
Chapter 10. System Services
A system service provides general functionality, and runs as a separate concurrent process alongside normal
traffic handling.
Table 10.1 lists the services that the FB6000 can provide :-
Table 10.1. List of system services
Service Function
SNMP server provides clients with access to management information using the Simple Network
Management Protocol
NTP client automatically synchronises the FB6000's clock with an NTP time server (usually
using an Internet public NTP server)
Telnet server provides an administration command-line interface accessed over a network
connection
HTTP server serves the web user-interface files to a user's browser on a client machine
DNS relays DNS requests from either the FB6000 itself, or client machines to one or
more DNS resolvers
RADIUS Configuration of RADIUS client accessing external RADIUS servers.
Services are configured under the "Setup" category, under the heading "General system services", where there
is a single services object (XML element : <services>). The services object doesn't have any attributes
itself, all configuration is done via child objects, one per service. If a service object is not present, the service is
disabled. Clicking on the Edit link next to the services object will take you to the lists of child objects. Where
a service object is not present, the table in that section will contain an "Add" link. A maximum of one instance
of each service object type can be present.
10.1. Protecting the FB6000
The FB6000 does not have a firewall as such. However, the design of the FB6000 is that it should be able to
protect itself sensibly without the need for a separate firewall.
Each service has specific access control settings, and these default to not allowing external access (i.e. traffic
not from locally Ethernet connected devices. You can also lock down access to a specific routing table, and
restrict the source IP addresses from which connections are accepted.
In the case of the web interface, you can also define trusted IP addresses which are given priority access to
the login page even.
10.2. Common settings
Most system service have common access control attributes as follows.
Tip
You can verify whether the access control performs as intended using the diagnostic facility described
in Section 11.1
Table 10.2. List of system services
Attribute Function
50
System Services
table If specified, then the service only accepts requests/connections on the specified
routing table. If not specified then the service works on any routing table. Where
the service is also a client then this specifies the routing table to use (default 0).
allow If specified then this is a list of ranges of IP addresses and ip group names from
which connections are allowed. If specified as an empty list then no access is
allowed. If omitted then access is allowed from everywhere. Note that if local-
only is specified, the allow list allows access from addresses that are not local,
if they are in the allow list.
local-only This normally defaults to true, but not in all cases. If true then access is only
allowed from machines on IPs on the local subneta (and any addresses in the
allow list, if specified).
log The standard log, log-error, and log-debug settings can be used to
specified levels of logging for the service.
a
A locally-attached subnet is one which can be directly reached via one of the defined interfaces, i.e. is not accessed via a gateway.
Tip
Address ranges in allow can be entered using either <first address>-<last_address> syntax, or
using CIDR notation : <start address>/<prefix length>. If a range entered using the first syntax
can be expressed using CIDR notation, it will be automatically converted to that format when the
configuration is saved. You can also use name(s) of defined IP address group(s), which are pre-defined
ranges of IPs.
10.3. HTTP Server configuration
The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based userinterface for the FB6000. It is not a general-purpose web server that can be used to serve user documents, and
so there is little to configure.
10.3.1. Access control
By default, the FB6000 will allow access to the user interface from any machine, although obviously access to
the user interface normally requires the correct login credentials to be provided. However, if you have no need
for your FB6000 to be accessed from arbitrary machines, then you may wish to 'lock-down' access to the user
interface to one or more client machines, thus removing an 'attack vector'.
Access can be restricted using allow and local-only controls as with any service. If this allows access,
then a user can try and login. However, access can also be restricted on a per user basis to IP addresses and
using profiles, which block the login even if the passord is correct.
Additionally, access to the HTTP server can be completely restricted (to all clients) under the control of a
profile. This can be used, for example, to allow access only during certain time periods.
10.3.1.1. Trusted addresses
Trusted addresses are those from which additional access to certain functions is available. They are specified
by setting the trusted attribute using address ranges or IP address group names. This trusted access allows
visibility of graphs without the need for a password, and is mandatory for packet dump access.
10.4. Telnet Server configuration
The Telnet server allows standard telnet-protocol clients (available for most client platforms) to connect to
the FB6000 and access a command-line interface (CLI). The CLI is documented in Chapter 15 and in the
Appendix F.
51
System Services
10.4.1. Access control
Access control can be restricted in the same way as the HTTP (web) service, including per user access
restrictions.
Note
By default, the FB6000 will only allow telnet access from machines that are on one of the locallyattached Ethernet subnetsa. This default is used since the CLI offers a degree of system control that
is not available via the web interface - for example, software images stored in the on-board Flash
memory can be deleted via the CLI.
The example XML below shows the telnet service configured this way :-
<telnet allow="10.0.0.0/24 10.1.0.3-98 10.100.100.88 10.99.99.0/24"
comment="telnet service access restricted by IP address"
local-only="false"/>
10.5. DNS configuration
The DNS service provides name resolution service to other tasks within the app software, and can act
as a relay for requests received from client machines. DNS typically means converting a name, like
www.firebrick.co.uk to one or more IP addresses, but it can also be used for reverse DNS finding the
name of an IP address. DNS service is normally provided by your ISP.
The DNS service on the FB6000 simply relays requests to external DNS servers and caches replies. You can
configure a list of external DNS servers using the resolvers attribute. However, DNS resolvers are also
learned automatically via various systems such as DHCP In most cases you do not need to set the resolvers.
10.5.1. Blocking DNS names
You can configure names such that the FB6000 issues an NXDOMAIN response making it appear that the
domain does not exist. This can be done using a wildcard, e.g. you could block *.xxx.
Tip
You can also restrict responses to certain IP addresses on your LAN, making it that some devices get
different responses. You can also control when responses are given using a profile, e.g. time of day.
10.5.2. Local DNS responses
Instead of blocking names, you can also make some names return pre-defined responses. This is usually only
used for special cases, and there is a default for my.firebrick.co.uk which returns the FireBrick's own
IP. Faking DNS responses will not always work, and new security measures such as DNSSEC will mean these
faked responses will not be accepted.
10.5.3. Auto DHCP DNS
The FB6000 can also look for specific matching names and IP addresses for forward and reverse DNS that
match machines on your LAN. This is done by telling the FireBrick the domain for your local network. Any
name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made
will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address
back to a name. You can enable this using the auto-dhcp attribute.
52
System Services
10.6. NTP configuration
The NTP service automatically sets the FB6000's real-time-clock using time information provided by a Network
Time Protocol (NTP) server. There are public NTP servers available for use on the Internet, and a factory reset
configuration does not specify an NTP server which means a default of ntp.firebrick.ltd.uk. You
can set your preferred NTP server instead.
The NTP service is currently only an NTP client. A future software version is likely to add NTP server
functionality, allowing other NTP clients (typically those in your network) to use the FB6000 as an NTP server.
Configuration of the NTP (client) service typically only requires setting the timeserver attribute to specify
one or more NTP servers, using either DNS name or IP address.
10.7. SNMP configuration
The SNMP service allows other devices to query the FB6000 for management related information, using the
Simple Network Management Protocol (SNMP).
As with the HTTP server, access can be restricted to :-
• specific client IP addresses, and/or
• clients connecting from locally-attached Ethernet subnets only.
See Section 10.3.1 for details. The SNMP service defaults to allowing access from anywhere.
The remaining SNMP service configuration attributes are :-
• community : specifies the SNMP community name, with a default of public
• port : specifies the port number that the SNMP service listens on - this typically does not need setting, as
the default is the standard SNMP port (161).
10.8. RADIUS configuration
10.8.1. RADIUS client
RADIUS is used for authentication, call routing and accounting for VoIP servcies. Chapter 13 provides details
of how RADIUS is used for VoIP. Appendix D provides details of the specific AVPs used with RADIUS for
VoIP.
10.8.1.1. RADIUS client settings
The system settings for a RADIUS client allow multiple different client settings to be created by name. For
VoIP to use RADIUS you have to set a named RADIUS client setting to be used. Once set, the named client
setting is found and used for accounting and/or authentication.
The corresponding RADIUS servers are queried for the authentication or account messages. Each client setting
can list multiple servers. Normally the first matching setting is used, and all of the listed servers considered.
However, if all of the servers listed are currently blacklisted then the next matching named entry (i.e. with same
name) is considered, and its listed servers considered. You can see the status of each RADIUS server in the
Status/RADIUS menu. This includes the average response time, and the last 64 responses (good/bad).
The set of servers being considered are put in order based on their previous responses. The least recently
failed to respond are listed first and then the fastest responding servers listed first. Only the last 64 responses
53
System Services
being considered. The first 5 servers are then considered for answering the RADIUS query. If fewer than 5 are
available, then the list is repeated. This give 5 requests in a row to try, even if that is one server 5 times.
Each server is then given a timeout. The timeout is normally based on the scale-timeout multiplied by the
average response time of that server. If this is more than one fifth of the max-timeout then that is used instead.
The final (5th) server is given a timeout to extent to at least the min-timeout as total since the first request is
sent. This creates a sequence of requests to be sent to one or more RADIUS servers.
If, within the overall timeout, any of the servers respond then this is accepted. If none respond then all record
a timeout.
To allow servers to recognise duplicate requests, each request in the sequence that is to the same server has the
same content and ID. This allows the server to simply resend the previous reply if it was dropped.
In addition to these timeouts, it is also possible to set a maximum queue for the set of servers. This limits how
many concurrent requests can be waiting.
Tip
If your RADIUS servers are struggling, then set the queue lower, e.g. 8. If the response times have a lot
of jitter then consider setting the scale-timeout higher (the default is only 2, so try 3, 4, etc). For VoIP,
you will want a very fast server to respond to authentication used for call routing. For accounting you
may want to allow a longer scale and max timeout to ensure accounting requests are not lost.
10.8.1.2. Server blacklisting
For each request to a server, a log is made of whether there was a response or a timeout, and this is recored and
shown on the server status page. This logs the last 64 requests.
If all of the last 64 requests have failed then the server is blacklisted. This stops it being considered when there
are other servers to consider. If all are blacklisted then the blacklisted servers are used anyway.
However, it is quite possible for a server to go away when there are no current RADIUS requests, or even come
back when not being used for current requests. To allow for this the FireBrick sends status-server requests to
the server periodically, and records the responses in the 64 bit response queue. This means a blacklisted server
will be recorded as usable again once it starts answering such requests. It also means a server can become
blacklisted is a server stops responding to such requests without actually losing any real RADIUS requests.
If a server has never answered a status-server request, it is assumed not to be enabled. We strongly recommend
enabling this feature on your RADIUS servers. If not enabled then servers are provided with a dummy good
response periodically to take them out of blacklisted status and allow then to be tried occasionally in case they
are now working again.
54
Chapter 11. Network Diagnostic Tools
Various network diagnostic tools are provided by the FB6000, accessible through either the web user interface
or the CLI :-
• Packet dump : low level diagnostics to for detailed examination of network traffic passing through the
FB6000
• Ping : standard ICMP echo request/reply ping mechanism
• Traceroute : classical traceroute procedure - ICMP echo request packets with increasing TTL values,
soliciting "TTL expired" responses from routers along the path
• Access check : check whether a specific IP address is allowed to access the various network services
described in Chapter 10
Each tool produces a textual result, and can be accessed via the CLI, where the same result text will be shown.
Caution
The diagnostic tools provided are not a substitute for external penetration testing - they are intended
to aid understanding of FB6000 configuration, assist in development of your configuration, and for
diagnosing problems with the behaviour of the FB6000 itself.
11.1. Access check
For each network service implemented by the FB6000 (see Chapter 10), this command shows whether a specific
IP address will be able to access or utilise the service, based on any access restrictions configured on the service.
For example, the following shows some service configurations (expressed in XML), and the access check result
when checking access for an external address, 1.2.3.4 :-
<http local-only="false"/>
Web control page access via http:This address is allowed access to web control pages subject to
username/password being allowed.
<telnet allow="admin-ips"
local-only="false"/>
Telnet access:This address is not allowed access due to the allow list on telnet
service.
(in this example, admin-ips is the name of an IP address group that does not include 1.2.3.4)
<dns local-only="true"/>
55
Network Diagnostic Tools
DNS resolver access:This address is not on a local Ethernet subnet and so not allowed access.
11.2. Packet Dumping
The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used
where the behaviour of the FB6000 is not as expected, and can help identify whether other devices are correctly
implementing network protocols - if they are, then you should be able to determine whether the FB6000 is
responding appropriately. The packet dumping facility may also be of use to you to debug traffic (and thus
specific network protocols) between two hosts that the brick is routing traffic between.
This feature is provided via the FB6000's HTTP server and provides a download of a pcap format file (old
format) suitable for use with tcpdump or Wireshark.
A packet dump can be performed by either of these methods :-
• via the user interface, using a web-page form to setup the dump - once the capture data has been downloaded
it can be analysed using tcpdump or Wireshark
• using an HTTP client on another machine (typically a command-line client utility such as curl)
The output is streamed so that, when used with curl and tcpdump, you can monitor traffic in real time.
Limited filtering is provided by the FB6000, so you will normally apply any additional filtering you need via
tcpdump.
11.2.1. Dump parameters
Table 11.1 lists the parameters you can specify to control what gets dumped. The "Parameter name" column
shows the exact parameter name to specify when constructing a URL to use with an HTTP client. The "Webform field" column shows the label of the equivalent field on the user interface form.
Table 11.1. Packet dump parameters
Parameter name Web-form field Function
interface Interface One or more interfaces, as
the name of the interface. e.g.
interface=WAN, also applies for
name of PPPoE on an interface
snaplen Snaplen The maximum capture length for a
packet can be specified, in bytes.
Default 0 (auto). See notes below.
timeout Timeout The maximum capture time can be
specified in seconds. Default 10.
ip IP address (2-off) Up to two IPs can be specified to
filter packets
self Include my IP By default any traffic to or from the
IP which is connecting to the web
interface to access pcap is excluded.
This option allows such traffic. Use
with care else you dump your own
dump traffic.
56
Network Diagnostic Tools
11.2.2. Security settings required
The following criteria must be met in order to use the packet dump facility :-
• You must be accessing from an IP listed as trusted in the HTTP service configuration (see Section 10.3).
• You must use a user and password for a "DEBUG level" user - the user level is set with the level attribute
on the user object.
Note
These security requirements are the most likely thing to cause your attempts to packet dump to fail. If
you are getting a simple "404" error response, and think you have specified the correct URL (if using
an HTTP client), please check security settings are as described here.
11.2.3. IP address matching
You may optionally specify upto two IP address to be checked for a match in packets on the interface(s) and/or
L2TP session(s) specified. If you do not specify any IP addresses, then all packets are returned. If you specify
one IP address then all packets containing that IP address (as source or destination) are returned. If you specify
two IP addresses then only those packets containing both addresses (each address being either as source or
destination) are returned.
IP matching is only performed against ARP, IPv4 or IPv6 headers and not in encapsulated packets or ICMP
payloads.
If capturing too much, some packets may be lost.
11.2.4. Packet types
The capture can collect different types of packets depending on where the capture is performed. All of these
are presented as Ethernet frames, with faked Ethernet headers where the packet type is not Ethernet.
Table 11.2. Packet types that can be captured
Type Notes
Ethernet Interface based capture contains the full Ethernet
frame with any VLAN tag removed.
IP IP only, currently not possible to capture at this level.
An Ethernet header is faked.
PPP PPP from the protocol word (HDLC header is ignored
if present). An Ethernet header is faked and also a
PPPoE header. The PPPoE header has the session
PPPoE ID that is the local end L2TP session ID.
The faked protocol header has target MAC of 00:00:00:00:00:00 and source MAC of 00:00:00:00:00:01 for
received packets, and these reversed for sent packets.
11.2.5. Snaplen specification
The snaplen argument specifies the maximum length captured, but this applies at the protocol level. As such
PPP packets will have up to the snaplen from the PPP protocol bytes and then have fake PPPoE and Ethernet
headers added.
A snaplen value of 0 has special meaning - it causes logging of just IP, TCP, UDP and ICMP headers as
well as headers in ICMP error payloads. This is primarily to avoid logging data carried by these protocols.
57
Network Diagnostic Tools
11.2.6. Using the web interface
The web form is accessed by selecting the "Packet dump" item under the "Diagnostics" main-menu item. Setup
the dump parameters with reference to Table 11.1 and click the "Dump" button. Your browser will ask you to
save a file, which will take time to save as per the timeout requested.
11.2.7. Using an HTTP client
To perform a packet dump using an HTTP client, you first construct an appropriate URL that contains standard
HTTP URL form-style parameters from the list shown in Table 11.1. Then you retreive the dump from the
FB6000 using a tool such as curl.
The URL is http://<FB6000 IP address or DNS name>/pcap?
parameter_name=value[¶meter_name=value ...]
The URL may include as many parameter name and value pairs as you need to completely specify the dump
parameters.
Packet capturing stops if the output stream (HTTP transfer) fails. This is useful if you are unable to determine
a suitable timeout period, and would like to run an ongoing capture which you stop manually. This is achieved
by specifying a very long duration, and then interrupting execution of the HTTP client using Ctrl+C or similar.
Only one capture can operate at a time. The HTTP access fails if no valid interfaces or sessions etc. are specified
or if a capturing is currently running.
11.2.7.1. Example using curl and tcpdump
An example of a simple real-time dump and analysis run on a Linux box is shown below :-
curl --silent --no-buffer --user name:pass
'http://1.2.3.4/pcap?interface=LAN&timeout=300&snaplen=1500'
| /usr/sbin/tcpdump -r - -n -v
Note
Linebreaks are shown in the example for clarity only - they must not be entered on the command-line
In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4
- obviously you would change the IP address (or host name) and credentials to something suitable for your
FB6000.
We have asked for a dump of the interface named LAN, with a 5 minute timeout and capturing 1500 byte
packets. We have then fed the output in real time (hence specifying --no-buffer on the curl command)
to tcpdump, and asked it to take capture data from the standard input stream (via the -r - options). We have
additionally asked for no DNS resolution (-n) and verbose output (-v).
Consult the documentation provided with the client (e.g. Linux box) system for details on the extensive range
of tcpdump options - these can be used to filter the dump to better locate the packets you are interested in.
58
Chapter 12. VRRP
The FB6000 supports VRRP (Virtual Router Redundancy Protocol), which is a system that provides routing
redundancy, by enabling more than one hardware device on a network to act as a gateway for routing traffic.
Hardware redundancy means VRRP can provide resilience in the event of device failure, by allowing a backup
device to automatically assume the role of actively routing traffic.
12.1. Virtual Routers
VRRP abstracts a group of routers using the concept of a virtual router, which has a virtual IP address. The IP
address is virtual in the sense that it is associated with more than one hardware device, and can 'move' between
devices automatically.
The virtual IP address normally differs from the real IP address of any of the group members, but it can be the
real address of the master router if you prefer (e.g. if short of IP addresses).
You can have multiple virtual routers on the same LAN at the same time, so there is a Virtual Router Identifier
(VRID) that is used to distinguish them. The default VRID used by the FB6000 is 42. You must set all devices
that are part of the same group (virtual router) to the same VRID, and this VRID must differ from that used
by any other virtual routers on the same LAN. Typically you would only have one virtual router on any given
LAN, so the default of 42 does not normally need changing.
Note
You can use the same VRID on different VLANs without a clash in any way in the FB6000, however
you may find some switches and some operatings systems do not work well and get confused about the
same MAC appearing on different interfaces and VLANs. As such it is generally a good idea to avoid
doing this unless you are sure your network will cope. i.e. use different VRIDs on different VLANs.
At any one time, one physical device is the master and is handling all the traffic sent to the virtual IP address.
If the master fails, a backup takes over, and this process is transparent to other devices, which do not need to
be aware of the change.
The members of the group communicate with each other using multicast IP packets.
The transparency to device failure is implemented by having group members all capable of receiving traffic
addressed to the same single MAC address. A special MAC address is used, 00-00-5E-00-01-XX, where
XX is the VRID or VRRPv2, and 00-00-5E-00-02-XX for VRRPv3.
The master device will reply with this MAC address when an ARP request is sent for the virtual router's IP
address.
Since the MAC address associated with the virtual IP address does not change, ARP cache entries in other
devices remain valid throughout the master / backup switch-over, and other devices are not even aware that the
switch has happened, apart from a short 'black-hole' period until the backup starts routing.
When there is a switch-over, the VRRP packets that are multicast are sent from this special MAC, so
network switches will automatically modify internal MAC forwarding tables, and start switching traffic to the
appropriate physical ports for the physical router that is taking up the active routing role.
Note
You can disable the use of the special MAC if you wish, and use a normal FireBrick MAC. However,
this can lead to problems in some cases.
59
VRRP
12.2. Configuring VRRP
VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB6000 comes under the
scope of an interface definition. As such, to set-up your FB6000 to participate in a Virtual Router group,
you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where
the VRRP operates.
12.2.1. Advertisement Interval
A master indicates that it still 'alive' by periodically sending an advertisement multicast packet to the group
members. A failure to receive a multicast packet from the master router for a period longer than three times the
advertisement interval timer causes the backup routers to assume that the master router is down.
The interval is specified in multiples of 10ms, so a value of 100 represents one second. The default value, if not
specified, is one second. If you set lower than one second then VRRP3 is used by default (see below). VRRP2
only does whole seconds, and must have the same interval for all devices. VRRP3 can have different intervals
on different devices, but typically you would set them all the same.
The shorter the advertisement interval, the shorter the 'black hole' period, but there will be more (multicast)
traffic in the network.
Note
For IPv6 VRRP3 is used by default, whereas for IPv4 VRRP2 is used by default. Devices have to
be using the same version. IPv4 and IPv6 can co-exist with one using VRRP2 and the other VRRP3.
Setting the same config (apart from priority) on all devices ensures they have the same version.
12.2.2. Priority
Each device is assigned a priority, which determines which device becomes the master, and which devices
remain as backups. The (working) device with the highest priority becomes the master.
If using the real IP of the master, then the master should have priority 255. Otherwise pick priorities from 1
to 254. It is usually sensible to space these out, e.g. using 100 and 200. We suggest not setting priority 1 (see
profiles and test, below).
12.3. Using a virtual router
A virtual router is used by another device simply by specifying the virtual-router's virtual IP address as the
gateway in a route, rather than using a router's real IP address. From an IP point-of-view, the upstream device is
completely unaware that the IP address is associated with a group of physical devices, and will forward traffic
to the virtual IP address as required, exactly as it would with a single physical gateway.
12.4. VRRP versions
12.4.1. VRRP version 2
VRRP version 2 works with IPv4 addresses only (i.e. does not support IPv6) and whole second advertisement
intervals only. The normal interval is one second - since the timeout is three times that, this means the fastest a
backup can take over is just over 3 seconds. You should configure all devices in a VRRP group with the same
settings (apart from their priority).
60
VRRP
12.4.2. VRRP version 3
VRRP version 3 works in much the same way, but allows the advertisement interval to be any multiple of 10ms
(1/100th of a second). The default interval is still 1 second, but it can now be set much faster - so although the
timeout is still 3 times the interval, this means the backup could take over in as little as 30ms.
VRRP3 also works with IPv6. Whilst IPv4 and IPv6 VRRP are completely independent, you can configure
both at once in a single vrrp object by listing one or more IPv4 addresses and one or more IPv6 addresses.
VRRP3 is used by default for any IPv6 addresses or where an interval of below one second is selected. It can
also be specifically set in the config by setting the attribute version3 to the value "true".
Caution
If you have devices that are meant to work together as VRRP but one is version 2 and one is version 3
then they will typically not see each other and both become master. The FB6000's VRRP Status page
shows if VRRP2 or VRRP3 is in use, and whether the FireBrick is master or not.
12.5. Compatibility
VRRP2 and VRRP3 are standard protocols and so the FB6000 can work alongside other devices that support
VRRP2 or VRRP3.
Note that the FB6000 has non-standard support for some specific packets sent to the VRRP virtual addresses.
This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate
in the same way and so may not work in the same way if they take over from the FireBrick.
61
Chapter 13. VoIP
13.1. What is VoIP?
Voice over IP (VoIP) is simply a means of carrying voice (telephone calls) over Internet Protocol (the Internet).
Instead of using pairs of wires to carry the signal electrically, the sound is sampled and converted to a sequence
of bytes. This is normally what is done in the telephone exchange before the data is sent over the telephone
network. The key difference with VoIP is that the bytes are placed in packets, typically 20ms long, and these
are sent via Internet Protocol. Unlike the telephone network, IP can cause packets to be delayed, lost or even
copied. It is the job of the receiving end to cope with this and produce the audio again for the recipient to hear.
The end result is that telephone calls can be made over the Internet. This can cause confusion as this is often
seen simply as free calls. Apart from costs for Internet traffic, this is indeed true where calls do not involve the
traditional telephone network and you control both ends, but typically you will need to subscribe to a carrier
who can route calls to and from the traditional telephone network.
The FB6000's role in this it to handle the IP packets used for VoIP. It does not get involved in converting
sound to, or from, packets of data, but in passing those packets of data between VoIP devices and carriers. The
protocol involves complex sequences of messages for control and authentication which the FB6000 handles.
13.2. Registration and Proxies
One of the common confusions with SIP/VoIP is the way registrations work.
13.2.1. Registrar
A SIP device can register with a service, e.g. with the FB6000, or with a SIP carrier. This is like logging in
and means that incoming calls are then sent to the device. The device will renew the registration periodically
to stay logged in, and if it fails to do this then incoming calls will fail.
This process uses a username and password for security. Obviously you also have to say where to register, the
proxy specifies IP address or host name of the SIP service with which you are registering, and the registrar
defines the hostname to use in the registration.
This process works well if the service does not have a fixed idea of where you are, which is normally the case
for SIP handsets. Even on a local network the IP of the handset will normally be dynamically allocated with
DHCP, and for a SIP carrier the IP could be anywhere in the world.
Note
It is possible to have a VoIP carrier that does have a pre-set idea of where calls are to be sent, and
sends the calls without registration. In this case there is no registration process but the handset/device
has to be able to accept calls from the carrier. Again, a username and password are used for security,
but this time it is the device checking the credentials of the carrier.
13.2.2. Proxy
To make an outgoing call via a SIP carrier you have to send the call details to a proxy. In the case of the FB6000
acting as the carrier, the same address is used for registrar and proxy.
The process uses a username and password in much the same way as registration, and they are usually the
same details. This checks that the device is allowed to make the calls, and allows the right person to be billed
for the call.
62
VoIP
Tip
You can have a case of incoming calls working and not outgoing, which means registration has worked
but somehow you have incorrect proxy details. The other way around, where outgoing calls work and
incoming do not would mean the registration is not working, but the proxy details are correct. The
logging options can be very useful to help diagnose problems.
13.3. Core call routing switch
The design allows the FB6502 to perform the grunt of a large scale voice network leaving external devices
(e.g. linux boxes) to make decisions and log calls, interacting via RADIUS messages. The FB6502 can work
with pools of RADIUS servers for fallback and load management.
13.3.1. Call control
The basic concept is that the FireBrick handles the SIP messages and audio RTP, but uses RADIUS to decide
what to do. Appendix D defines the RADIUS messages used and the responses necessary to use the FireBrick
as a core VoIP switch.
13.3.2. Bulk registration client
The FireBrick can be used to perform registrations as a SIP client, sending REGISTER messages and
maintaining the registration with remote servers.
To do this you define a carrier-url in the VoIP settings. The FireBrick does a simple http GET on this
periodically (set carrier-update to control frequency). The response is expected to be plain text containing
space or comma separated values:-
• Carrier name (this is the key to identify each carrier)
• VoIP server hostname or IP address
• Authentication username (blank if not used)
• Authentication password (blank if not used)
• Optional source IP to use for outgoing messages to this carrier
The username can be of the form of user@domain and this will be used in full in the From/To fields with the
REGISTER sent to the host specified. If an @ is needed in the username for some reason then user@host@host
can be used to allow this as only final @ in the username is checked.
If username is prefixed ! then this is stripped and send-pre-auth unset for this registration. If an ! is needed in the
username then !!name can be used, as only first ! is stripped. This will force no pre-auth but would otherwise
work as expected.
13.4. Network Address Translation
Network Addres Translation (NAT) is common on many Internet connections in homes and offices. It means
that the office uses private IP addresses (e.g. 192.168.1.1) and these are mapped (translated) to one external
address.
NAT is known to cause a lot of problems with a wide variety of applications and protocols. One of those that
suffers a lot from the problems of NAT is VoIP. There are, sometimes, ways of making this work, but it usually
a compromise of some sort and prone to problems.
The FB6000 provides some key ways to tackle the issues of NAT.
63
VoIP
• An FB2500/FB2700 can be used as a gateway device in a home or office - using PPPoE to connect to the
Internet. This means the FireBrick has a real external IP address without NAT. The FireBrick can then
connect to SIP handsets on the LAN using private IP addresses. The FireBrick provides a gateway for VoIP
with no NAT implications.
Note
Some ISPs may use Carrier Grade NAT (CGNAT), and so a real IP address may involve additional
cost.
• The FireBrick can make use of the current Internet Protcol (IPv6). At present there are few carriers and
handsets that work with IPv6, but this is improving all of the time. IPv6 avoids the need for NAT. The
FireBrick acts as a media gateway which makes firewalling rules simple even when using IPv6, and allows
IPv4 and IPv6 devices to interwork with no problems.
• The FireBrick, when acting as a call server outside of any NAT connected telephones, can handle cases where
devices are behind a simple port mapping NAT which has a timeout of at least 60 seconds. It recognises
REGISTER and INVITE requests that appear to be behind NAT and will treat the requester IP/port as the
contact rather than the stated contact in the message. At RTP level it will send all audio to the same IP and
port from which it is received rather than the endpoint defined in the SDP. Registrations that seem to be from
NAT connections will receive a null UDP packet at approximately 60 second intervals to keep the control
session open on the NAT router. This is not foolproof but works in most cases with simple NAT gateways
(including where a FireBrick is doing the NAT). It obviously also works where a NAT device is doing full
ALG and changing the control messages and RTP accordingly.
13.5. Number plan
The FB6000 is designed primarily as a core VoIP switch, which means it uses real public telephone numbers.
A registered telephone will be assigend a DDI (Direct Dial In) number which can be used in call routing.
It also is possible to use the FB6000 in a PABX mode, and allocate internal extension numbers if you wish.
Note
DDI (Direct Dial In) telephone numbers must be entered in the full international format. This is
a plus (+) then the country code, and area code, and number. e.g. +441234567890 which is
country code 44 for UK, area code 1234 and local number 567890. In the UK you would dial
this as 01234567890. Note that UK numbers have no 0 in front of the area code when quoted in
international format.
13.6. Telephone handsets
Any VoIP handset which supports SIP will normally work with the FB6000. Most makes of handset actually
allow multiple identities on the handset so it can appear as multiple handsets to one or more phone systems,
but a typical installation will not normally need more than on identity per handset.
On the handset you will need to set a registrar and/or proxy which is usually either a host name or an IP address.
This will need to refer to the FB6000's address.
The handset will also have some form of login or username and a password. Typically you would use the
extension number or DDI as the username, but in an office PABX you may want people's names as the user
name.
VoIP users are normally authenticated using RADIUS to your authentication server. Appendix D provides
details of the RADIUS parameters. It is possible to configure local telephone users as well.
The VoIP status page shows the active registrations from handsets.
64
VoIP
Tip
The log-register and log-register-debug settings can provide a lot of information about
registrations and help diagnose any problems.
13.7. VoIP call carriers
A VoIP carrier is a service provider that can accept outgoing calls, and route incoming calls. Typically a VoIP
carrier is expecting a handset to register with the carrier, and will then send calls to the registered device. It is
also possible for a VoIP carrier to send calls to the FB6000 using a fixed pre-set configuration.
To set up a VoIP carrier where the FB6000 registers with the carrier you need to specify the registrar
attribute. This can be a host name or IP address. You also need to specify the username and password. For
incoming calls you need to specify the extn that is logically dialled when a call comes in from this carrier this can be the extension number of a telephone or hunt group.
To set up a VoIP carrier for outgoing calls you need to specify the proxy. This can be a host name or IP
address. You also need to specify the username and password.
You can define the carrer to use for outgoing calls on a per telephone basis, and also for hunt groups (where the
group calls an external number). You can also define a default carrier if none is otherwise specified. A backup
carrier can also be defined which is used if the call fails via the selected carrier.
For a carrier that sends calls to the FB6000 without registration, you will need to know how the FireBrick
recognises the call is from a carrier.
For a start, all carriers considered have the allow attribute, if present, checked agasint the source IP, and if
not allowed the carrier is excluded from any consideration.
Also, if there is an Authorization header with a username, only carriers with a matching user name or no
username set will match.
Then the following tests are done to find a carrier match, finding the first.
• The request is unauthorized, and has a SIP target or To header of a registered contact from an outgoing
registration from the carrier (can be from any allowed IP).
• The SIP target matches exactly one of the to entries in a carrier, or if a blank to attribute and the
Authorization username matches the username.
• The SIP target, or if that has no host part, the To header host part, prefixed with @, matches one of the to
entries in a carrier.
Once a carrier is picked, if it has a password (and was not to a registered contact), the password must match,
after sending a challenge if necessary.
Note
The carrier may send a pre-challenge Authorization header to indicate the username it is using
- in such case the carrier selection will only match entries that have that username set and can match
entries with no to attribute defined. When a FireBrick attempts an authenticated call it can send such
a pre-challenge Authorization header.
An incoming carrier will usually relate to a specific extn which is what is called when a call comes in. You
can leave this unset and route based on called ddi or you can set the extn including X characters in place
of the digits sent with the call as the dialled number. These are taken from the right hand end of the dialled
number, so if 0134567890 is what was called, 1XX would be extn 190. This makes it easy to define a trunk
carrier for incoming calls.
You do not have to configure VoIP carriers for outgoing call routing as this can be specified in RADIUS call
routing replies from your RADIUS authentication server. Configuring specific carriers allows more fine tuned
65
VoIP
controls, such as limiting concurrent calls, etc, and you can reference a configured carrier in the RADIUS call
routing reply.
13.8. Hunt groups
Hunt groups are normally provided by sending details of multiple endpoints on the RADIUS call routing
response.
It is also possible to configure local hunt groups on the FB6000 as a standard PABX function.
13.9. Call pickup/steal
Call pickup/steal is not normally used with a voice carrier service as it is more of a PABX feature. It is disabled
by default, but can be enabled on hunt groups and telephone configuration if required. It allows a ringing call
to a phone or hunt group to be picked up, or an active call to be stolen by dialling prefix (default *) and the
extension number.
Pickup and steal can be provided via RADIUS controls on a large scale voice service.
13.10. Busy lamp field
Busy lamp fields are not normally used with a voice carrier service as it is more of a PABX feature. It is disabled
by default, but can be configured for individual telephones and hunt groups.
13.11. Using RADIUS
RADIUS can be used to allow new handsets to be registered dynamically without individual configuration
by using RADIUS authentication to an external RADIUS server. RADIUS is also used to make call routing
decisions.
RADIUS accounting can be used to log calls as they start and end to an external RADIUS server.
Tip
You have to configure each of the radius functions in the VoIP config - leaving the radius setting unset
will disable use of RADIUS for that feature. There are separate configuration settings for register,
call and cdr.
13.11.1. RADIUS accounting
RADIUS accounting logs each call leg, so a typical call has an incoming and outgoing leg.
• A RADIUS START message is sent when the call leg is created.
• A RADIUS INTERIM update is sent if/when the call connects (i.e. status 200).
• A RADIUS STOP message is sent when the call ends, even if it did not connect.
An interim update includes a call duration which is the time spent ringing. A final (stop) message contains a
call duration which is the time from the connection of the call.
13.11.2. RADIUS authentication
RADIUS authentication is used for any requests with Authorization header, such as REGISTER, INVITE,
REFER, SUBSCRIBE, OPTIONS etc. The Digest-Method is always included to indicate a VoIP request and
identify the type of request.
66
VoIP
You can have a RADIUS authentication before the FireBrick challenges the requestor setting the radius-
challenge settings, allowing a RADIUS challenge response to customise the challenge. This also happens
for a non local request where the user is not recognised as a local telephone user. Otherwise the FB6000 will
send a challenge automatically and only send a RADIUS authentication when the authenticated message is
received. This also happens if an Authorization header is presented without a response value.
Tip
For an unauthenticated request you can respond with an Access Challenge including the paramaters
to challenge, but any attributes you omit will be completed automatically, so you can simply respond
with an empty challenge to confirm the FB6000 is to go ahead and do the challenge itself.
For REGISTER an accept response can include a Called-Station-Id attribute to define the registered connection
as a tel:number URI for call routing. Without this, the registration is not logged on the FB6000 and it is
assumed the RADIUS server will record where to send calls based on the registration. The SIP-AOR AVP in
the access request provides the Contact URI, and can be used in the reply to cause a 302 redirect response to
a specified contact.
• An access request is sent to approve any SIP request such as REGISTER, SUBSCRIBE, OPTIONS, etc.
• An access request is sent to make call routing decision for INVITE and REFER.
• An access request is sent to make a call routing decision when a 3xx response is received from a connection
being made to a telephone. Acct-Terminate-Cause specifies the redirect code, e.g. 301, 302.
Access requests are made even when the request is coming from an locally configured telephone. In such cases
the telephone must also pass validation against a locally configured password (if present). To identify such
requests, the User-Name is the configured name (or extn or ddi) of the telephone user, and the Chargeable-
User-Identity attribute is set based on the configured CUI.
Access requests are made even when from a recognised carrier. In such case the carrier is validated by the
FireBrick directly, and then the access request is made to decide call routing. To identify such requests, the
User-Name is the configured name of the carrier prefixed with an @ character.
Note
In the case of a telephone user, any @ charaters at the start of the name are removed so that it cannot
be confused with a carrier.
Note
A call can come from anywhere. An unknown request from a non local IP will send a RADIUS request
before challenging the requestor so that the RADIUS server can decide if it is to be challenged or not.
An Access reject with no message attribute will not send any error to a non local IP requestor - add
a message to force this.
13.11.2.1. Call routing by RADIUS
To understand how call routing works you need to understand how call legs work. A call leg is a connection to or
from the FB6000 to another SIP device. It could be a SIP carrier or a telephone. Typically there is an incoming
call leg from a carrier or a phone, which needs to be authenticated, and then a call routing decision is made.
An Access Accept response can then contain the call routing attributes. This causes one or more outgoing call
legs to be created. These would typically be ringing telephones. Once one of these legs answers the others are
cancelled and the two legs are connected together to form a call. The purpose of the routing attributes is to
create these outgoing call legs, and to set up attributes such as CDRs and call recording.
Each call leg has a CLI (calling number), a Dialled number, a display Name, a number of CDR records (each
of which have CDR and Dialled as well), and finally a number of email addresses for call recording.
67
VoIP
The response attributes are processed in order. Initially the last call leg is the originating call. When a new
outgoing leg is added, that becomes the current call leg.
Table 13.1. Access-Accept
AVP No. Usage
Calling-Station-Id 31 Replaces CLI of current call leg.
Called-Station-Id 30 Replaces Dialled number of current call leg.
User-Name 1 Replaces the Name of the current call leg.
Filter-Id 11 Adds a call recording email address to the current call leg.
Chargeable-User-
Identity
SIP-AOR 121 Creates a new outgoing call leg. See below for formats
An outgoing call leg is created for each SIP-AOR entry, and it can be in one of the following formats. Each of
these can also include a number of digits and a + symbol at the start which specifies a delay before attempting
to connect the outgoing leg.
• number@carrier which causes a call via a known carrier. The part after the @ is the name of the carrier in
the config. The Dialled number is set to the number specified, and the CLI is set from the originating call.
89 Adds a CDR record with this CUI, and current CLI and Dialled attributes to
the current call leg.
• tel:number which causes a call via a registered telephone. The Dialled number is set to the number specified,
and the CLI is set from the originating call.
• sip:uri which causes a call via a an arbitrary SIP URI. The Dialled number and CLI are set from the originating
call. This format allows sip:number@host and sip:user:pass@host and also sip:user:pass@host/number.
This final version makes a call using the sip:number@host target but authenticates using user and pass.
• NNN a custom response code, such as 404, 500, etc, can be provided to indicate that the call is actually to
be rejected.
• 3NN:URL A 3NN response code can be used, where 3NN is then replaced by sip: in the contact in the
response. This feature is somewhat experimental.
Tip
If the originating call leg is incoming and not get been connected, a single SIP-AOR response can be
provided in the format of a 3 digit response code, or 3xx:uri where 3xx is the response code (e.g. 302)
and is replaced by sip: and used as a Contact header in a 3xx response. Redirect only works on some
carriers/phones and serves to redirect the incoming call away from the FB6000.
13.12. Call recording
The FB6000 supports call recording by teeing off the two way audio from a call leg and sending to a SIP
endpoint. The SIP endpoint will then record the call and handle it in any way you wish.
The recording is controlled by setting an email address on a call leg. This can be configured for telephone users
and set to automatically record incoming one, outgoing only, or all calls. You can also set this on a hunt group
to record all incoming calls to the hunt group (attaching the recording to the calling leg).
The recording server can be any SIP endpoint, such as an asterisk box. A linux based call recording app is
available to FireBrick customers for this purpose, and some VOIP carriers may offer this as a service.
Tip
If the SIP endpoint supports stereo A-law then the recording is made in stereo with each side of the
conversation on a channel. The supplied call recording app makes stereo A-law WAV files, and can
be configured to send these by email as each call ends.
68
VoIP
13.13. Voicemail and IVR services
Voicemail is still in development. The FB6000 will simply pass the call to a voicemail server via SIP. This
could be a local device on the network, or a service provided by a carrier. We will include a software package
to run on a linux box that will save the recording.
Tip
Most VoIP carriers provide voicemail
13.14. Call Data Records
A Call Data Record (CDR) is a record that is used for charging for a call. It consists of the following which
are shown in a comma separated list.
• Start time when call connected (UTC with milliseconds), or if not connected then when call created
• Duration of ringing (seconds and milliseconds)
• Duration of call (seconds and milliseconds), or minus and call status if call not connected
• Call Record Data
Where the CDR is created based on the presence of a cui setting in the configuration, the Call Record Data
consists of the following fields. Where RADIUS is used the Call Record Data is simply the data provided by
RADIUS.
• Chargeable User Identiy (the content of the cui setting)
• Dialled number
• Calling Line Identity
The CUI is just a string of characters. It can be set on a telephone user, but defaults to ddi, exten or name, if
not set. It is typically the telephone number that should pay for the call being made.
In a simple example of a telephone calling an external number, the call comes in (inbound leg) and an outgoing
call is made to the carrier (outbound leg). A CDR record is attached to the outbound leg with the telephone's
CUI, and the corresponding CLI and dialled number used. When the call connects the start time is set on the
CDR. At the end of the call the CDR record is written out. CDR records can be logged (e.g. syslog) and send
by RADIUS accounting. RADIUS accounting also carries details of each call leg (start, interim and stop), and
the CDR records are contained in the final RADIUS STOP message for the call, so only in one record.
There are more complex examples, such as A calls B, and B diverts to C. When a call is diverted or transferred,
the CDR for that outbound leg is moved to the new outbound leg along with any CDR for that outbound leg.
This means that, in this example, you get two final CDRs, one for A to B, and one for B to C, each starting
when the call connected and having the same duration.
For a transfer, e.g. A calls B, B places on hold and calls C, then B transfers call, you have the same situation,
but the start times and duration of the two parts are not the same.
This stacking of CDRs is important for call billing. In these examples A only expects to pay for a call to B
(which may even be free if an internal call). But B expects to pay for the call to C because they diverted or
transferred the calls.
A CDR can be associated with an incoming call leg, this is normally set by RADIUS, or by giving a carrier a
cui setting. This is sticky and stays with the calling leg, and is logged when the calling leg ends even if the call
did not connect. Otherwise the CDR is only logged if it connects.
69
VoIP
13.15. Technical details
The FireBrick operates according to well established technical standards within specific design constraints
which allow it to operate efficiently handling thousands of calls.
• SIP/2.0 UDP control messages using IPv4 or IPv6 are supported up to approximately 1900 bytes (fragmented
if necessary).
• The FireBrick always acts as an audio media endpoint, i.e. it is always in the media path. This minimises call
routing and firewalling issues. The FireBrick uses the same IP for media and control messages on each call.
• The FireBrick always acts as a SIP protocol endpoint and not as a relaying proxy. This minimises
incompatibility between end devices being a party to a call as they do not see each others protocol messages.
• Only RTP audio using A-law 20ms is supported. This is generally compatible with all carriers and devices
and provides high quality audio.
• Out of band DTMF is accepted using SIP INFO or RFC2833. DMTF can be sent using RFC2833 or generated
-law in-band audio.
• Error responses to REGISTER/INVITE from non local devices are not normally sent - this is against the SIP
protocols but avoids issues with port scanning systems looking for VoIP platforms. This can make diagnosis
of incorrect settings harder.
The design is intended to work with all common VoIP handsets and carriers. If you experience any difficulty
with a carrier or a VoIP device, please contact the FireBrick support team, ideally with a full debug log.
Tip
It is possible to set different source IP addresses to be used per carrier - obviously, to work, these
have to be IP addresses that the FireBrick has, but it can be useful to force registration via specific
addresses. It is also possible to define a default IPv4 and IPv6 source address to be used for messages
that can be authenticated, thus allowing different source addresses to be used for messages to which a
challenge must be sent and those that do not expect a challenge. This can be useful when dealing with
remote boxes that have to decide on a challenge based on source address.
13.16. Custom tones
The configuration also allows customised tones to be generated. You can replace these with your own versions.
The format for a tone is either a single tone or a series of duration@tone sections. In a sequence you can
use duration for a period of silence. A duration is a number and then ms and a tone is a frequency or
frequency+frequency for mixing two tones. Each frequency is a number of Hz and can have a volume suffix
which is - and a number if dB. The tone can be followed by ^ if you want it to be shaped (rise at start and
fall at end).
Whilst internally only the basic tones for silence, progress, ring, queue, hold, wait, you can configure the use
of tones for various cases when no audio is present and calling a specific carrier.
Table 13.2. Default tones
Tone Plan
silence 100ms
progress 1000ms 1000ms@400Hz-3dB+450Hz-3dB 1000ms
ring 1000ms 400ms@400Hz-3dB+450Hz-3dB 200ms 400ms@400Hz-3dB+450Hz-3dB
1000ms
70
VoIP
queue 700ms 400ms@400Hz-3dB+450Hz-3dB 200ms 400ms@400Hz-3dB+450Hz-3dB 200ms
400ms@400Hz-3dB+450Hz-3dB 700ms
busy 375ms@400Hz 375ms
hold 100ms@400Hz-3dB+450Hz-3dB 200ms 100ms@400Hz-3dB+450Hz-3dB 2600ms
wait 2600ms 100ms@400Hz-3dB+450Hz-3dB 200ms 100ms@400Hz-3dB+450Hz-3dB
close-encounter 1000ms 300ms@588Hz^ 300ms@654Hz^ 400ms@524Hz^ 600ms@262Hz^
1000ms@392Hz^ 1000ms
bbc 50ms 345ms@122Hz 35ms 300ms@525Hz 2000ms
1000Hz 1000Hz
beep 200ms 200ms@800Hz 200ms
pi 350Hz-3dB+440Hz-3dB
spi 750ms@350Hz-3dB+440Hz-3dB 750ms@440Hz-3dB
pet 400ms@400Hz-6dB 350ms 225ms@400Hz 525ms
sct 200ms@400Hz 300ms@1004Hz
cnai 100ms@400Hz
sit 330ms@950Hz 5ms 330ms@1400Hz 5ms 330ms@1800Hz
cwi 100ms@400Hz 5000ms
scwi 30ms@400Hz 10ms 30ms@400Hz 6000ms
pt 125ms@400Hz 125ms
ct 20000ms@1400Hz
st 200ms@400Hz 400ms 2000ms@400Hz 400ms
Tip
Accessing a url on the FireBrick of /voip/ring.wav serves a WAV format of the tone. You can
test tones using a URL like /voip/tone.wav?100ms@1000Hz+200ms@2000Hz but ensure
you URL escape the query string.
71
Chapter 14. BGP
14.1. What is BGP?
BGP (Border Gateway Protocol) is the protocol used between ISPs to advise peers of routes that are available.
Each ISP tells its peers the routes it can see, being the routes it knows itself and those that it has been advised
by other peers.
In an ideal world everyone would tell everyone else the routes they can see; there would be almost no
configuration needed; all packets would find the best route accross the Internet automatically. To some extent
this is what happens between major transit providers in the Internet backbone.
In practice things are not that simple and you will have some specific relationships with peers when using BGP.
For most people there will be transit providers with which you peer. You can receive a full table from each
transit provider, containing routes to everywhere in the Internet via that provider. The FB6000 can then decide
which provider has the best route to any destination. You can advise the transit provider of your own routes
for your own network so that they can route to you, and they tell their peers that they can route to you via that
provider. This only works if you have IP address space of your own that you can announce to the world - unless
you are an ISP then this is not commonly the case.
Even though IPv4 address space has already run out, it is possible to obtain IPv6 PI address space and an AS
number to announce your own IPv6 addresses to multiple providers for extra resilience.
You can use BGP purely as an internal routing protocol to ensure parts of your network know how to route to
other parts of your network, and can dynamically reroute via other links when necessary.
In most cases, unless you are an ISP of somesort, you are not likely to need BGP.
14.2. BGP Setup
14.2.1. Overview
The FB6000 series router provides BGP routing capabilities. The aim of the design is to make configurationm
simple for a small ISP or corporate BGP user - defining key types of BGP peer with pre-set rules to minimise
mistakes.
Caution
Misconfiguring BGP can have a serious impact on the Internet as a whole. In most cases your transit
providers will have necessary filtering in place to protect from mistakes, but that is not always the case.
If you are an ISP and connect to peering points you can cause havoc locally, or even internationally,
by misconfiguring your BGP. Take care and get professional advice if you are unsure.
14.2.2. Standards
The key features supported are:-
• Simple pre-set configurations for typical ISP/corporate setup
• RFC4271 Standard BGP capable of handling multiple full internet routing tables
• RFC4893 32 bit AS number handling
• RFC2858 Multi protocol handling of IPv6
• RFC1997 Community tagging, with in-build support of well-known communities
72
BGP
• RFC2385 TCP MD5 protection
• RFC2796 Route reflector peers
• RFC3392 Capabilities negotiation
• RFC3065 Confederation peers
• RFC5082 TTL Security
• Multiple independent routing tables allowing independent BGP operations
• Multiple AS operation
14.2.3. Simple example setup
A typical installation may have transit connections from which a complete internet routing table is received,
peers which provide their own routes only, internal peers making an IBGP mesh, customers to which transit
is provided and customer routes may be accepted. To make this set up simple the <peer> definition contains a
type attribute. This allows simple BGP configuration such as:-
<bgp as="12345">
<peer as="666" name="transit1" type="transit" ip="1.2.3.4"/>
<peer as="777" name="transit2" type="transit" ip="2.3.4.5 2.3.4.6"/\>
<peer type="internal" ip="5.6.7.8"/\>
</bgp>
This example has two transit providers, the second of which is actually two peer IP addresses, and one internal
connection. Note that the peer AS is optional and unnecessary on internal type as it has to match ours.
The exact elements that apply are defined in the XML/XSD documentation for your software release.
14.2.4. Peer type
The type attribute controls some of the behaviour of the session and some of the default settings as follows.
Table 14.1. Peer types
Type Meaning
normal Normal mode, no special treatment. Follows normal BGP rules.
transit Used when talking to a transit provider, or a peer that provides more than just their own
routes. Peers only with different AS. The community no-export is added to imported routes
unless explicitly de-tagged
peer Used when talking to a peer providing only their own routes. Peers only with different AS.
The community no-export is added to imported routes unless explicitly de-tagged allow-
only-their-as defaults to true
customer Used when talking to customers routers, expecting transit feed and providing their own
routes Peers only with different AS allow-only-their-as defaults to true allow-export
defaults to true The community no-export is added to exported routes unless explicitly de-
tagged
internal For IBGP links. Peers only with same AS allow-own-as defaults to true
reflector For IBGP links that are a route-reflector. Route reflector rules apply Peers only with same
AS allow-own-as defaults to true
73
BGP
confederate For EBGP that is part of a confederation. Confederation rules apply Peers only with different
AS
ixp Must be EBGP, and sets default of no-fib and not add-own-as. Routes from this peer are
marked as IXP routes which affects filtering on route announcements. Only announced on
EBGP not IBGP.
14.2.5. Route filtering
Each peer has a set of import and export rules which are applied to routes that are imported or exported from
the peer. There are also named bgp-filter which can be used as import-filters or export-filters.
The objects import and export work in exactly the same way, checking the routes imported or exported against a
set of rules and then possibly making changes to the attributes of the routes or even choosing to discard the route.
Each of these objects contain:-
• Cosmetic attributes such as name, comment, and source.
• Route matching attributes allowing specific routes to be selected
• Action attributes defining changes to the route
• A continuation attribute stop defining if the matching stops at this rule (default) or continues to check further
rules
The rules are considered in order. The first rule to match all of the matching attributes is used. If no rules match
then the default actions from the import/export object are used.
In addition, the top level import/export has a prefix list. If present then this will limit the prefixes processed at
a top level, dropping any that do not match the list without even considering the rules.
14.2.5.1. Matching attributes
The actual attributes are listed in the XML/XSD documentation for the software version. The main ones are:-
• A list of prefixes filters defining which prefixes to match
• There will be community tag checking and AS path checking in future
You can have a rule with no matching attribute which will always be applied, but this is generally pointless as no
later rules will be considered. If you want to define defaults then set them in the top level import/export object.
14.2.5.2. Action attributes
The actual attributes are listed in the XML/XSD documentation for the software version. The main ones are:-
• Adding specific community tags
• Removing specific community tags, including defaults added by the peer type.
• Dropping the route completely
• Changing the MED
• Changing the localpref
The logic works by creating a set of actions that are applied, and these are based on top level settings in the
peer (such as set-med) followed by the list of import or export named filters from which one matching action
is picked, and then followed by the peers indivdiual import and export rules from which one mathcing action
74
BGP
is picked. The matching action causes each of the settings that are present to replace what is currently picked.
E.g. if a MED is set in the top level and a named rule set the named rules set replaces the top level setting.
Important note - adding or removing community tags does not compound. For each setting (e.g. tag, untag,
med and localpref and any added in future) the latest that was found after checking top level peer settings, the
ordered list of filters, and then the local filters, is what applies. Multiple tag do not cause all the tags to be
added, just the latest listed tags in the action. There are plans to improve this in the future to work step by step
and even allow MED and localpref adjustments to compund.
You can have a rule with no action attributes. If matched then this means none of the actions are taken and
communities, localpref, med, etc., are all unchanged.
14.2.6. Well known community tags
Specific well known communities are supported natively. Some of these are set automatically based on peer
type and can be explicitly removed using the detag action. These rules are automatically checked for exporting
routes unless overridden on the peer attributes.
Table 14.2. Communities
Community Name Meaning
FFFFFF01 no-export The route is not announced on any EBGP session (other than confederation or
where allow-export is set).
FFFFFF02 no-advertise The route is not considered part of BGP. Whilst it is applied and used for
routing internally it is not announced at all or considered to have been received
for the purposes of BGP.
FFFFFF03 local-as The route is only advertised on IBGP (same AS) sessions.
FFFFFF04 no-peer This tag is passed on to peers but does not have any special meaning internally
14.2.7. Announcing black hole routes
The FireBrick allows black hole routes to be defined using the the blackhole object. Routing for such addresses
is simply dropped with no ICMP error. Such routes can be marked for BGP announcement just like any other
routes.
In order to ensure that your internal BGP network sees such routes as a black hole, and not simply as a route
to the router than has the black hole defined (where the packets will be dropped), you can ensure all black hole
routes are announced using a suitable community tag. In many cases an EBGP peer will even allow you to
announce black hole routes to them with a suitable community tag.
The top level bgp object includes a blackhole-community attribute which can be set to a tag that is used to
mark routes as a black hole within your network. Any route received on a BGP peer within that config object
which includes the specified community is treated as a black hole route. It is installed in the BGP routes and
propagated as normal but it is internally set as forwarding to nowhere and packets dropped as a black hole.
Each peer object also has a blackhole-community tag. If set then this is added to any black hole routes
announced. If not set, then black hole routes are not sent on EBGP links. On IBGP links, if not set, the blackhole-
community from the parent bgp is added if present. Black hole routes are always announced on IBGP (subject
to normal rules for announcement).
To use this, define a suitable blackhole-community for your network, such as YourAS:666 and set in all bgp
objects. For all EBGP peers, set the peer object blackhole-community attribute with the tag they expect for
black hole routes.
It is unlikely you would want to announce a black hole route to an EBGP peer without an agreed tag as you
will be drawing traffic from them only to be discarded. If you want to do this, you have to specify a blackhole-
community to add, but this could simply be your own community tag for black holes.
75
BGP
14.2.8. Announcing dead end routes
The top level bgp object includes a dead-end-community attribute which can be set to a tag that is used to mark
routes as a dead end within your network. Any route received on a BGP peer within that config object which
includes the specified community is treated as a dead end route. It is installed in the BGP routes and propagated
as normal but it is internally set as forwarding to nowhere and icmp errors generated (rate limited as usual).
Any route installed as network are announced with this community. Note, this is not set automatically on a
nowhere route, allowing a route to be announced to get to this FireBrick to be propagated via IBGP.
The effect of this is that your network can include one (or more) source of top level network routes which,
within your network, are installed as dead ends at each point. Without this these would be announced to your
internal network so traffic is sent to the originating router and it has to handle all dead end traffic. Using this
system you can ensure dead end traffic is handled at your borders instead.
14.2.9. Bad optional path attributes
The BGP specification is clear that receipt of a path attribute that we understand but is in some way wrong
should cause the BGP session to be shut down. This has a problem if the attribute is one that is not known to
intermediate routers in the internet which means a bad content is propagated to multiple routers on the internet
and they will drop their session. This can cause a major problem in the internet.
To work around this have, by default, ignore-bad-optional-partial set to true. The effect is that if a path attribute
we understand is wrong, and it is optional, and trhe router that sent it to us did not understand or check it (partial
bit is set), we ignore the specific route rather than dropping the whole BGP session.
14.2.10. <network> element
The network element defines a prefix that is to be announced by BGP by default, and tagged with any deadend-community, but otherwise treated the same as a nowhere route.
Table 14.3. Network attributes
Attribute Meaning
ip One or more prefixes to be announced
as-path Optional AS path to be used as if we had received this prefix from another AS with this path
localpref Applicable localpref to announce
bgp The bgp mode, one of the well known community tags or true (the default) which is
announced by BGP with no extra tags
14.2.11. <route>, <subnet> and other elements
Subnet and route elements used for normal set-up of internal routing can be announced by BGP using the bgp
attribute with the same values as the well known community tags, please true meaning simply announce with
no tags, and false meaning the same as no-advertise.
Many other objects in the configuration which can cause routes to be inserted have a bgp attribute which can
be set to control whether the routes are announced, or not.
14.2.12. Route feasibility testing
The FB6000 has an aggressive route feasibility test that confirms not only routability of each next-hop but also
that it is answering ARP/ND requests. Whenever a next-hop is infeasible then all routes using that next-hop are
removed. When it becomes feasible the routes are re-applied. This goes beyond the normal BGP specification
and minimises any risk of announcing a black hole route.
76
BGP
Note
There is an option relating to imported routes reduce-recursion which, when set, changes any
received next hop to the peer address unless the next hop relates to a locally connected Ethernet subnet.
This helps reduce the recursion involved, and is important in some cases for route reflectors if they
pass recursive routes on to routers that do not handle BGP recursive routes properly (such as BIRD).
14.2.13. Diagnostics
The web control pages have diagnostics allowing routing to be show, either for a specific target IP (finding
the most specific route which applies), or for a specified prefix. This lists the routes that exist in order, and
indicates if they are supressed (e.g. route feasibility has removed the route). There are command line operation
to show routing as well.
It is also possible, using the command line, to confirm what routes are imported from or exported to any peer.
The diagnostics also allow ping and traceroute which can be useful to confirm correct routing.
14.2.14. Router shutdown
On router shutdown/reboot (e.g. for software load) all established BGP sessions are closed cleanly. Before the
sessions are closed all outgoing routes are announced with a lower priority (high MED, low localpref, prefix
stuffed) and then a delay allows these to propagate. This is a configurable option per peer and the maximum
delay of all active peers is used as the delay. Setting to zero will not do the low priority announcement. A
special case of setting this delay to a negative value on a peer causes routes to be specifically withdrawn before
the delay rather than announced low priority.
14.2.15. TTL security
The FireBrick supports RFC5082 standard TTL security. Simply setting ttl-security="1" on the peer settings
causes all of the BGP control packets to have a TTL of 255 and expects all received packets to be TTL 255
as well.
You can configure multiple hops as well, setting ttl-security="2" for example still sends TTL 255 but accepts
254 or 255. This works up to 127.
You can also configure a non standard forced TTL mode by setting a negative TTL security (-1 to -128)
which forces a specific TTL on sending packets but does not check received packets. For example, setting ttlsecurity="-1" causes a TTL of 1 on outgoing packets. This simulates the behaviour of some other routers in
IBGP mode. Using -2, -3, etc, will simulate the behaviour of such routers in EBGP multi-hop mode. This is
non standard as RFCs recommend a much higher TTL and BGP does not require TTLs to be set differently.
Without ttl-security set (or set to 0) the RFC recommended default TTL us used on all sent packets and not
checked on received packets.
77
Chapter 15. Command Line Interface
The FB6000 provides a traditional command-line interface (CLI) environment that can be used to check status
information, and control some aspects of the unit's operation.
The CLI is accessed via the 'telnet' protocol - the FB6000 implements a telnet server, which you can connect
to using any common telnet client program. To learn how to enable the telnet server, and to set-up access
restrictions, please refer to Section 10.4.
The CLI is also available via the serial interface on the rear of the unit. This is normally set to 9k600 1N8. A
USB serial lead is supplied.
Note
The CLI is not normally used to change the configuration of the unit - that must be done via the web
interface. Whilst most commands can be carried out via the web interface, there are a few that can
only be performed via the CLI.
The CLI has the following features :-
• full line-editing capabilities - that cursor-keys, backspace key and delete key function as expected allowing
you to go back and insert/delete characters. You can press Enter at any point in the command-line text, and
the full command text will be processed.
• command history memory - the CLI remembers a number of previously typed commands, and these can be
recalled using the Up and Down cursor keys. Once you've located the required command, you can edit it if
needed, and then press Enter.
• supports entering abbreviated commands - you only need to type sufficient characters to make the command
un-ambiguous ; for example, 'show dhcp' and 'show dns' can be abbreviated to 'sh dh' and 'sh dn' respectively
- 'show' is the only command word that begins "sh", and two characters of the second command word are
sufficient to make it un-ambiguous.
• built-in command help - you can list all the available commands, and the CLI will also show the synopsis
for each command. Typing the ? character at the command-prompt immediately displays this list (you do
not have to press Enter). Alternatively, you can list all the possible completions of a part-typed command in this case, typing the ? character after typing part of a command will list only commands that begin with
the already-typed characters, for example, typing tr ? causes the CLI to respond as shown below :-
marty> tr
traceroute <IPNameAddr> [table=<routetable>] [source=<IPAddr>] ...
troff
tron
marty> tr
After listing the possible commands, the CLI re-displays the command line typed so far, which you can then
complete.
Please refer to Appendix F for command details.
78
Appendix A. CIDR and CIDR Notation
Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993
that had the aims of "conserving the address space and limiting the growth rate of global routing state". The
current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
The pre-CIDR era
CIDR replaced the original class-based organisation of the IP address space, which had become wasteful of
address space, and did not permit aggregation of routing information.
In the original scheme, only three sizes of network were possible :
• Class A : 128 possible networks each with 16,777,216 addresses
• Class B : 16384 possible networks each with 65,536 addresses
• Class C : 2097152 possible networks each with 256 addresses
Every network, including any of the large number of possible Class C networks, required an entry in global
routing tables - those used by core Internet routers - since it was not possible to aggregate entries that had the
same routing information. The inability to aggregate routes meant global routing table size was growing fast,
which meant performance issues at core routers.
The position and size of the network ID and host ID bitfields were implied by the bit pattern of some of the
most significant address bits, which segmented the 32-bit IPv4 address space into three main blocks, one for
each class of network.
CIDR
The prefix notation introduced by CIDR was, in the simplest sense, "to make explicit which bits in a 32-bit
IPv4 address are interpreted as the network number (or prefix) associated with a site and which are the used
to number individual end systems within the site". In this sense, the 'prefix' is the N most significant bits that
comprise the network ID bitfield.
CIDR notation is written as :IPv4 : Traditional IPv4 'dotted-quad' number, followed by the "/" (slash) character, followed by a decimal
prefix-length value between 0 and 32 (inclusive)
IPv6 : IPv6 address, followed by the "/" (slash) character, followed by a decimal prefix-length value between
0 and 128 (inclusive)
Where formerly only three network sizes were available, CIDR prefixes may be defined to describe any power
of two-sized block of between one and 2^32 end system addresses, that begins at an address that is a multiple
of the block size. This provides for far less wasteful allocation of IP address space. The size of the range is
given by 2^M, where M = 32 - prefix_length
Routing destinations
As well as being used to define a network (subnet), the CIDR notation is used to define the destination in
a routing table entry, which may encompass multiple networks (with longer prefixes) that are reachable by
using the associated routing information. This, therefore, provides the ability to create aggregated routing table
entries.
For example, a routing table entry with a destination of 10.1.2.0/23 specifies the address range 10.1.2.0
to 10.1.3.255 inclusive. As an example, it might be that in practice two /24 subnets are reachable via this
79
CIDR and CIDR Notation
routing table entry - 10.1.2.0/24 and 10.1.3.0/24 - routing table entries for these subnets would appear in a
downstream router.
Note that in either a network/subnet or routing destination specification, the address will be the starting address
of the IP address range being expressed, such that there will be M least significant bits of the address set to
zero, where M = 32 - prefix_length
Combined interface IP address and subnet definitions
Another common use of the CIDR notation is to combine the definition of a network with the specification of
the IP address of an end system on that network - this form is used in subnet definitions on the FB6000, and
in many popular operating systems.
For example, the default IPv4 subnet on the LAN interface after factory reset is 10.0.0.1/24 - the address
of the FB6000 on this subnet is therefore 10.0.0.1, and the prefix length is 24 bits, leaving 8 bits for host
addresses on the subnet. The subnet address range is therefore 10.0.0.0 to 10.0.0.255
A prefix-length of 32 is possible, and specifies a block size of just one address, equivalent to a plain IP address
specification with no prefix notation. This is not the same as a combined subnet and interface-IP-address
definition, as it only specifies a single IP address.
General IP address range specifications
CIDR notation can also be used in the FB6000 to express general IP address ranges, such as in session-rules,
trusted IP lists, access control lists etc. In these cases, the notation is the same as for routing destinations or
subnets, i.e. the address specified is the starting address of the range, and the prefix-length determines the size
of the range.
80
Appendix B. MAC Addresses usage
Ethernet networks use 48 bit MAC addresses. These are globally unique and allocated by the equipment
manufacturer from a pool of addresses that is defined by the first three octets (bytes), which identify the
organization, and are known as the Organizationally Unique Identifier (OUI). OUIs are issued by the IEEE more information, and a searchable database of existing OUIs are available at http://standards.ieee.org/develop/
regauth/oui/
MAC addresses are commonly written as six groups of two hexadecimal digits, separated by colons or hyphens.
FB6000s currently ship with an OUI value of 00:03:97.
In principle the FireBrick could have a single MAC address for all operations. However, practical experience
has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each
FireBrick, with the size of the block dependent on the model.
Most of the time, FB6000 users do not need to know what MAC addresses the product uses. However, there
are occasions where this information is useful, such as when trying to identify what IP address a DHCP server
has allocated to a specific FB6000. The subnet status page shows the MAC addresses currently in use on the
Ethernet interfaces.
B.1. Multiple MAC addresses?
A MAC address does have to be unique on an Ethernet LAN segment, but typically a device will have one
MAC address, or one for each physical interface, preset by the network card in use. However, the FireBrick
makes use of multiple MAC addresses. There are two key reasons for this.
• The FireBrick can operate as a DHCP client device multiple times on the same LAN segment, obtaining
several separate IP addresses. This is useful on some cable modem type installations where multiple IPs
are only available if the FireBrick appears to be multiple devices at once. Whilst DHCP theoretically does
not need separate MAC addresses, experience suggests this is by far the most practical approach. If you
have more than one DHCP client subnets in your configuration they will automatically get separate MAC
addresses.
• In theory the scope of a MAC address is a single LAN segment. The fact that they are globally unique
is simply to avoid any clashes on a LAN segment. However, once again, practical experience shows that
some network devices and some network switches do not handle the concept of the same MAC address
appearing on different ports or VLANs within the network. This can lead to broken networks or traffic leaks
between VLANs, neither of which is good. For this reason the FireBrick uses distinct MAC addresses on
each interface.
B.1. Using the same MAC address
There are cases where it is sensible or requires to use the same MAC address for more than one thing. For a
start, the FireBrick does not have unlimited MAC addresses, but there are other reasons, for example:-
• Distinct subnets on the same LAN segment do not cause any switch/MAC issues as the FireBrick appears
to simply be one device on the LAN segment with multiple IPs. This is quite a normal configuration for
network devices. In these cases the FireBrick can use the same MAC address for multiple IPs on the same
LAN segment.
• There can be MAC restrictions on some devices - this is mainly at the ISP level where peering points and
network connections may be set up with limited MAC addresses. In such cases any packet with a different
MAC address seen on a port can cause the port to shut down, or the additional MAC addresses to be blocked.
For this reason there are cases where multiple subnets need to be restricted to exactly one MAC address.
81
MAC Addresses usage
Tip
The interface settings in the configuration have a restrict-mac setting which, when set to
true causes the same MAC to be used for all subnets and operations on that specific interface
(port group / VLAN combination).
B.2. Changing MAC address
There is no reason for any network device to maintain the same MAC address for ever. It is normal for the
MAC address to change if the network card is changed on a PC, for example.
However, it is inconvenient if MAC addresses change simply because a device is power cycled or a new
configuration is loaded. This can cause delays accessing the device if other devices have the MAC cached. It
is also a serious problem for ISP links as above where ports are locked to only accept one MAC.
The way the FireBrick manages MAC addresses is designed to be a bit sticky so that a config change will not
usually cause a MAC address assigned to a subnet or interface to change.
B.2. How the FireBrick allocates MAC addresses
To meet these requirements the FireBrick allocates MAC addresses so specific aspects of the configuration
when it is loaded, and stores this separately in persistent data. If the config is then changed, such as changing
the order of interface definitions, then the allocated MAC stays with the config object based on some key aspect
(such as port group and VLAN tag for interfaces, or IP for subnets).
B.2.1. Interface
Each interface object is allocated a MAC, keyed by the port group and VLAN tag of the interface. This is used
for dynamic IPv6 allocation on the interface using router announcements (RA) and any other interface specific
uses that are not relates to a subnet.
B.2.2. Subnet
Each subnet object is allocated a MAC, which is used for all of the IPs listed in that subnet object. This allows
many IPs to have the same MAC by listing them in the same subnet object. The MAC allocation is keyed on
the port group and VLAN tag and the first listed IP address in the subnet. If a later subnet has the same first IP
listed then this is allocated a separate MAC (i.e. the key for the MAC is also based on which instance of this
specific first IP it is, 1st, 2nd, 3rd, within the interface).
DCHP client subnets work in much the same way - they are based on the port group and VLAN tag and which
instance of DHCP client they are (1st, 2nd, 3rd, etc) within the interface. The special case for DHCP clients is
that the first of these within an interface is given the same MAC as the interface itself.
B.2.3. PPPoE
Each PPPoE object is given a MAC. This is keyed on the port group and VLAN and works in the same way
as if it was a DHCP client subnet in a corresponding interface. i.e. where there is an interface with same port
group and VLAN the PPPoE object gets the interface MAC.
B.2.4. Base MAC
The factory default config has interfaces listed left to right, and a DHCP client in the first interface. This means
the base MAC address of the FireBrick is allocated to the left hand interface and DHCP client on that interface.
This is the same MAC address used by the boot loader which transmits on the left most port on power up.
82
MAC Addresses usage
B.2.5. Running out of MACs
The allocations are recorded in persistent data, so if an object is removed from the config and later put back
it should get the same MAC address. If however there are not enough MAC addresses when loading a config,
then previous assignments are re-used. If there are too many interface, subnet and ppp objects within the config
to allocate MAC addresses (even reusing old allocations) then an error is given and the config cannot be loaded.
Tip
Using restrict-mac on an interfaces restricts that interface (port group/VLAN) to only use one
MAC and not one per subnet.
B.3. MAC address on label
The label attached to the bottom of the FB6000 shows what MAC address range that unit uses, using a compact
notation, as highlighted in Figure B.1 :-
Figure B.1. Product label showing MAC address range
In this example, the range is specified as :-
000397:147C-F
this is interpreted as :-
• All addresses in the range start with 00:03:97:14:7
• the next digit then ranges from "C" through to "F"
• the first address in the range has zero for the remaining digits (C:00)
• the last address in the range has F for the remaining digits (F:FF)
Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7F:FF inclusive (1024 addresses).
If you trying to identify an IP address allocation, note that the exact address used within this range depends
on a number of factors ; generally you should look for an IP address allocation against any of the addresses
in the range.
Alternatively, if the range specification doesn't include a hyphen, it specifies that all addresses in the range start
with this 'prefix' - the first address in the range will have zero for all the remaining digits, and the last address
in the range will have F for all the remaining digits. For example :-
000397:147C
is interpreted as :
• All addresses in the range start with 00:03:97:14:7C
83
MAC Addresses usage
• the first address in the range has zero for the remaining digits (00)
• the last address in the range has F for the remaining digits (FF)
Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7C:FF inclusive (256 addresses).
B.4. Using with a DHCP server
If your DHCP server shows the name of the client (FB6000) that issued the DHCP request, then you will
see a value that depends on whether the system name is set on the FB6000, as shown in Table B.1. Refer to
Section 4.2.1 for details on setting the system name.
Table B.1. DHCP client names used
System name Client name used
not set (e.g. factory reset configuration) FB6000
set Main application software running
If the FB6000's system name is set, and your DHCP server shows client names, then this is likely to be the
preferred way to locate the relevant DHCP allocation in a list, rather than trying to locate it by MAC address.
If the FB6000 is in a factory-reset state, then the system name will not be set, and you will have to locate it
by MAC address.
84
Loading...