FireBrick FB2500 User Manual
Contents
1. Value Description KERN Kernel messages USER User level messges MAIL Mail system DAEMON System Daemons AUTH Security auth SYSLOG Internal to syslogd LPR Printer NEWS News UUCP UUCP CRON Cron deamon AUTHPRIV private security auth FTP File transfer 12 Unused 13 Unused 14 Unused 15 Unused LOCALO Local 0 LOCAL1 Local 1 LOCAL2 Local 2 LOCAL3 Local 3 LOCAL4 Local 4 LOCALS Local 5 LOCAL6 Local 6 LOCAL7 Local 7 J 3 6 month Month name 3 letter Table J 102 month Month name 3 letter Value Description Jan January Feb February Mar March Apr April May May Jun June Jul July www voipon co uk 196 sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Aug August Sep September Oct October Nov November Dec December J 3 7 day Day name 3 letter Table J 103 day Day name 3 letter Value Description Sun Sunday Mon Monday Tue Tuesday Wed Wednesday Thu Thursday Fri Friday Sat Saturday J 3 8 radiuspriority Options for controlling platform RADIUS response priority tagging Table J 104 radiuspriority Options for controlling platform RADIUS response priority tagging Value Description equal All the same priority strict In order specified random Random2. hold off duration 1 00 00 Delay before sending since last email log NMTOKEN Not logging Log emailing process log debug NMTOKEN Not logging Log emailing debug log error NMTOKEN Not logging Log emailing errors port unsignedShort 25 Server port profile NMTOKEN Profile name retry duration 10 00 Delay before sending since failed send server IPNameAddr Smart host to use rather than MX source string Source of data used in automated config management subject string From first line being Subject logged table unsignedByte 0 99 0 Routing table number for sending email routetable to string Not optional Target email address J 2 7 services System services System services are various generic services that the system provides and allows access controls and settings for these to be specified The service is only active if the corresponding element is included in services otherwise it is disabled Table J 11 services Elements Element Type Instances Description dns dns service Optional DNS service settings http http service Optional HTTP server settings ntp ntp service Optional NTP client settings server not implemented yet radius radius service Optional RADIUS server proxy settings snmp snmp service Optional SNMP server settings telnet telnet service Optional Telnet server settings J 2 8 snmp service SNMP service settings The SNMP service has general service
3. Table 5 2 System Event Logging attributes system object attribute Event types log General system events log debug System debug messages log error System error messages log eth General Ethernet hardware messages log eth debug Ethernet hardware debug messages log eth error Ethernet hardware error messages log panic System Panic events log stats One second stats messages Specifying system event logging attributes is usually only necessary when diagnosing problems with the FB2500 and will typically be done under guidance from support staff For example log stats causes a log message to be generated every second containing some key system statistics and state information which are useful for debugging Note that there are some system events such as startup and shutdown which are always logged to all log targets and to the console and flash by default regardless of these logging attributes 5 8 Using Profiles The log target itself can have a profile which stops logging happening when the profile is disabled Also each of the external logging entries can have a profile Some types of logging will catch up when their profile comes back on e g email but most are immediate such as syslog and SMS and will drop any entries when disabled by an Inactive profile 33 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 6 Interfac
4. Having picked a RADIUS configuration entry the servers listed are considered based on their previous response time and reliability The requests are then sent to serves in order allowing enough time for a response based on previous performance There are settings to fine tune these timings Once a response is received then the L2TP connection can proceed The same process is followed for RADIUS accounting Each config can say if it is used for authentication or accounting or both 108 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 19 Command Line Interface The FB2500 provides a traditional command line interface CLI environment that can be used to check status information and control some aspects of the unit s operation The CLI is accessed via the telnet protocol the FB2500 implements a telnet server which you can connect to using any common telnet client program To learn how to enable the telnet server and to set up access restrictions please refer to Section 13 4 Note The CLI is not normally used to change the configuration of the unit that must be done via the web interface Whilst most commands can be carried out via the web interface there are a few that can only be performed via the CLI The CLI has the following features e full line editing capabilities that cursor keys backspace key and delete key function as expected allowing you to go back and ins
5. The label attached to the bottom of the FB2500 shows what MAC address range that unit uses using a compact notation as highlighted in Figure C 1 Figure C 1 Product label showing MAC address range FireBrick FB2x00 E E aC 3 mu Made in UK e Serial 2X00 XXXX XXXX Bee 110 240VAC 50 60Hz 0 2 0 TA In this example the range is specified as 000397 147C F this is interpreted as e All addresses in the range start with 00 03 97 14 7 e the next digit then ranges from C through to F e the first address in the range has zero for the remaining digits C 00 e the last address in the range has F for the remaining digits F FF Therefore this range spans 00 03 97 14 7C 00 to 00 03 97 14 7F FF inclusive 1024 addresses If you trying to identify an IP address allocation note that the exact address used within this range depends on a number of factors generally you should look for an IP address allocation against any of the addresses in the range Alternatively if the range specification doesn t include a hyphen it specifies that all addresses in the range start with this prefix the first address in the range will have zero for all the remaining digits and the last address in the range will have F for all the remaining digits For example 114 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 MAC Addresses usage 000397 147C is interpreted as e All addresse
6. Various network diagnostic tools are provided by the FB2500 accessible through either the web user interface or the CLI Packet dump low level diagnostics to for detailed examination of network traffic passing through the FB2500 Ping standard ICMP echo request reply ping mechanism Traceroute classical traceroute procedure ICMP echo request packets with increasing TTL values soliciting TTL expired responses from routers along the path Access check check whether a specific IP address is allowed to access the various network services described in Chapter 13 Firewall check check how the FB2500 would treat specific traffic when deciding whether to establish a new session as per the processing flow described in Section 7 3 2 Each tool produces a textual result and can be accessed via the CLI where the same result text will be shown Caution The diagnostic tools provided are not a substitute for external penetration testing they are intended to aid understanding of FB2500 configuration assist in development of your configuration and for diagnosing problems with the behaviour of the FB2500 itself 14 1 Firewalling check The FB2500 follows a defined processing flow when it comes to deciding whether to establish a new session see Section 7 2 for an overview of session tracking and its role in implementing firewalling The processing flow used to decide whether to allow a session i e to implement firewalling requi
7. AVP Chargeable User Identity No 89 Usage Identity to be used on accounting records Called Station Id 30 Overrides Dialled number of this call Calling Station Id 31 Overrides CLI to use on this call Anonymous will flag as withheld CLI User Name 1 Replaces the Name of the this call Filter Id 11 Adds a call recording email address to this call 132 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for VoIP operation SIP AOR 121 Creates a new outgoing call leg See Section 16 11 2 1 for details of call routing G 2 4 Rejected authentication Table G 5 Access Reject AVP No Usage Reply Message 18 Reply message sent in SIP response The reply message is included in a Warning heading G 3 Accounting Start Table G 6 Accounting Start AVP No Usage User Name 1 SIP URI for our end of the call leg Callback ID 20 SIP URI for other end of the call leg Called Station Id 30 Dialled number as received Calling Station Id 31 Calling number as received Acct Status Type 40 1 Start Acct Session Id 44 Unique ID for call leg Acct Multi Session 50 SIP Call ID for call leg Id Acct Event 55 Time call started trying Timestamp NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 Far end IPv4 address
8. 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Since the lt gt and characters have special meaning there are special escape character sequences starting with the ampersand character that are used to represent these characters They are Table 3 1 Special character sequences Sequence Character represented amp 1lt lt Egt gt amp quot li samp amp Note that since the ampersand character has special meaning it too has an escape character sequence Attributes are written in the form name value or name value Multiple attributes are separated by white space spaces and line breaks Generally the content of an element can be other child elements or text However the FB2500 doesn t use text content in elements all configuration data is specified via attributes Therefore you will see that elements only contain one or more child elements or no content at all Whilst there is generally not any text between the tags white space is normally used to make the layout clear 3 5 2 The root element lt config gt At the top level an XML file normally only has one element the root element which contains the entire element hierarchy In the FB2500 the root element is lt config gt and it contains top level configuration elements that cover major areas of the configuration such as overall system settings interface definitions firewall rule sets etc In
9. RADIUS session steering to reply with one of three active LNSs as the first choice perhaps ussing a hash and the 4th backup LNS as a second choice This keeps one LNS as a hot standby for failure and also allows maintenance on it such as s w updates You can then change which of the there LNSs are active and either wait for lines to move when the reconnect or clear lines on the new backup LNS This makes it easy to do rolling upgrades on s w or other maintenance Session steering also allows specific configurations to be based on username and circuit and so on so allowing different responses for different carriers and different end users to be customised if necessary It is also possible to send a copy of the session steering RADIUS to your own RADIUS server for logging 18 8 4 L2TP endpoints The FB2500 will accept L2TP connections on any of its IP addresses but again we recommend allocating a loopback address or using the address from the LAN rather than the interlink address as we know some carriers cannot handle that Unlike RADIUS where any request can go to any LNS the L2TP connections have a state and so you will want the address to stay with the particular LNS Do not have a loopback that floats between LNSs via BGP as this would mean existin connections trying to talk to another LNS It is better for the a failure to cause a clean timeout on the failed LNS and reconnect via RADIUS session steering than to have active sessions traf
10. allow subscribe List of string Only allow subscribe Busy Lamp Field from these extensions anon numeric boolean Mark anonymous calls just using withhold prefix and leave display name area code string Local area code without national prefix for use from this phone carrier NMTOKEN Carrier to use for outbound calls comment string Comment cui string Chargeable user identity for call accounting ddi string Full telephone number international format starting display name string Text name to use email string Email address sent to call recording server expires duration 1 00 00 Registration expiry time extn string Local extension number 192 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects local only boolean true Restrict access to registrations from Ethernet subnets only max calls unsignedInt Maximum simultaneous calls allowed name NMTOKEN Not optional User name local part of from password Secret Authentication password profile NMTOKEN Profile name realm string Realm record recordoption Automatically record calls source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable uk cli text uknumberformat Auto Send display name as UK formatted number username string Authenticat
11. and is accessible via a web browser on a known IP address for further configuration Besides allowing initial web access to the unit the factory reset configuration provides a starting point for you to develop a bespoke configuration that meets your requirements A printed copy of the QuickStart Guide is included with your FB2500 and covers the basic set up required to gain access to the web based user interface If you have already followed the steps in the QuickStart guide and are able to access the FB2500 via a web browser you can begin to work with the factory reset configuration by referring to Chapter 3 Initial set up is also covered in this manual so if you have not already followed the QuickStart Guide please start at Chapter 2 Tip The FB2500 s configuration can be restored to the state it was in when shipped from the factory The procedure requires physical access to the FB2500 and can be applied if you have made configuration changes that have resulted in loss of access to the web user interface or any other situation where 1t is appropriate to start from scratch for example commissioning an existing unit for a different role or where you ve forgotten an administrative user password Itis also possible to temporarily reset the FB2500 to allow you to recover and edit a broken configuration though you still need to know the password you had You can also go back one step in the config For details on the factory reset proce
12. blink when Tx or Rx activity Activity Link10 100 On when link up at 10M or 100M blink when Tx or Rx activity Activity Duplex On when full duplex blink when half duplex and collisions detected Collision Collision Blink when collisions detected Tx Blink when Tx activity Rx Blink when Rx activity Off Permanently off On Permanently on Link On when link up Link1000 On when link up at 1G Link100 On when link up at 100M Link10 On when link up at 10M Link100 1000 On when link up at 100M or 1G Link10 1000 On when link up at 10M or 1G Link10 100 On when link up at 10M or 100M Duplex On when full duplex 199 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 3 17 LinkPower PHY power saving options Table J 113 LinkPower PHY power saving options Value Description none No power saving link down Power save only when link is down link up Power save only when link is up full Full power saving J 3 18 LinkFault Link fault type to send Table J 114 LinkFault Link fault type to send Value Description false No fault true Send fault off line Send offline fault 1G ane Send ANE fault 1G J 3 19 ramode IPv6 route announce level IPv6 route announcement mode and level Table J 115 ramode IP v6 route announce level Value Description false Do not anno
13. in contrast to the drop action The short lived session that is created when either drop and reject are actioned will appear in the session table when it is viewed in the web user interface or via the CLI see Figure 7 1 for an example of ICMP sessions resulting from some pings the session lifetime is around one second Figure 7 1 Example sessions created by drop and reject actions Sessions Sessions T P Bytes Packets Source Port Target Port Gateway 01 1176 14 81 187 96 81 51999 9 8 7 5 51999 reject Check 01 1932 23 81 187 96 81 47903 9 8 7 6 47903 drop Check 43 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling Note that drop and reject both drop packets with the difference only being whether notification of this is sent back to the traffic source Tip For a short period after startup the actions of drop and reject are treated as ignore This is so that a reboot which would forget all sessions allows sessions that have outbound traffic which is not NAT stand a chance of re establishing by use of outbound traffic Without this delay incoming traffic would create a drop reject short lived session and could send an icmp error closing the connection This is configurable per rule set Note It is possible to mis understand the function of the no match act ion attribute given where it is specified i e an attribute of the rule set object This is parti
14. log error NMTOKEN Log as event Log errors log sip blf NMTOKEN Not logged SUBSCRIBE NOTIFY PUBLISH log sip call NMTOKEN Not logged INVITE ACK CANCEL BYE log sip other NMTOKEN Not logged OPTIONS INFO etc log sip register NMTOKEN Not logged REGISTER max ring duration 5 00 Max time limit on call setup national string 0 National dialling prefix pabx boolean true Operate as office PABX pickup string k Call pickup steal prefix radius call string Name for RADIUS server config to use call routing radius cdr string Name for RADIUS server config to use for CDRs radius challenge boolean Send RADIUS auth to get challenge response radius register string Name for RADIUS server config to use for registrations realm string FireBrick Default realm record beep boolean true Send beep at start of recording record mandatory boolean Drop call if recording fails record server string Call recording server hostname or address release string 1470 CLI release prefix 190 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects security replies boolean true Don t challenge or error reply to unrecognised non local IP request source string Source of data used in automated config management status group 403 unsignedInt 603 Hunt group response for group 403 status group 404 unsignedInt 604 Hunt group response for group 404 statu
15. not making a session J 3 36 voip format Number presentation format Table J 132 voip format Number presentation format Value Description international Full international number int no plus International without leading plus national With nat int prefix local Internal extension number local number block Do not use for calls J 3 37 uknumberformat Number formatting option Table J 133 uknumberformat Number formatting option Value Description false Don t format numbers for display true Format numbers for display with spacing replace zero Format numbers for display with spacing and replacing zeros may look clearer on some CLI devices J 3 38 recordoption Recording option Table J 134 recordoption Recording option Value Description false Don t automatically record calls in only Automatically record incoming calls out only Automatically record outgoing calls true Automatically record all calls J 3 39 ring group order Order of ring Table J 135 ring group order Order of ring Value Description strict Order in config random Random order cyclic Cycling from last call oldest Oldest used phone first www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 204 Configuration Objects J 3 40 ring group type Type of ring when one call in queue Table J 136 ring grou
16. number followed by the slash character followed by a decimal prefix length value between 0 and 32 inclusive IPv6 IPv6 address followed by the slash character followed by a decimal prefix length value between 0 and 128 inclusive Where formerly only three network sizes were available CIDR prefixes may be defined to describe any power of two sized block of between one and 2432 end system addresses that begins at an address that is a multiple of the block size This provides for far less wasteful allocation of IP address space The size of the range is given by 24M where M 32 prefix_length Routing destinations As well as being used to define a network subnet the CIDR notation is used to define the destination in a routing table entry which may encompass multiple networks with longer prefixes that are reachable by using the associated routing information This therefore provides the ability to create aggregated routing table entries For example a routing table entry with a destination of 10 1 2 0 23 specifies the address range 10 1 2 0 to 10 1 3 255 inclusive As an example it might be that in practice two 24 subnets are reachable via this 112 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 CIDR and CIDR Notation routing table entry 10 1 2 0 24 and 10 1 3 0 24 routing table entries for these subnets would appear in a downstream router Note that in eithe
17. or continues to check further rules The rules are considered in order The first rule to match all of the matching attributes is used If no rules match then the default actions from the import export object are used In addition the top level import export has a prefix list If present then this will limit the prefixes processed at a top level dropping any that do not match the list without even considering the rules 17 2 5 1 Matching attributes The actual attributes are listed in the XML XSD documentation for the software version The main ones are e A list of prefixes filters defining which prefixes to match e There will be community tag checking and AS path checking in future You can have arule with no matching attribute which will always be applied but this is generally pointless as no later rules will be considered If you want to define defaults then set them in the top level import export object 17 2 5 2 Action attributes The actual attributes are listed in the XML XSD documentation for the software version The main ones are e Adding specific community tags e Removing specific community tags including defaults added by the peer type e Dropping the route completely e Changing the MED e Changing the localpref 100 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 BGP You can have a rule with no action attributes If matched then this means none of the actions are take
18. rgb rrggbb rgba rrggbbaa colour Secret Secret passphrase duration Period HH MM SS username Login name NMTOKEN ipnamerangelist List of IPranges or ip groups PNameRange routetable Route table number 0 99 unsignedByte ipnamelist List of IP addresses or domain names JPNameAddr datenum Day number in month 1 31 unsignedByte stringlist List of strings string iplist List of IP addresses PAddr subnetlist List of subnets JPSubnet ra max Route announcement max interval seconds 4 1800 unsignedShort ra min Route announcement min interval seconds 3 1350 unsignedShort ip6list List of IPv6 addresses IP6Addr mtu Max transmission unit 576 2000 unsignedShort vlan VLAN ID O untagged 0 4095 unsignedShort ip4rangelist List of IP4ranges IP4Range macprefixlist List of strings macprefix macprefix MAC prefix hexBinary ip4list List of IPv4 addresses IP4Addr graphname Graph name token cug CUG ID 1 32767 unsignedShort prefixlist List of IP Prefixes IPPrefix nmtokenlist List of NMTOKEN NMTOKEN aslist List of AS numbers unsignedIntList unsignedIntList List of integers unsignedInt communitylist List of BGP communities Community filterlist List of IP Prefix filters IPFilter bgp prefix limit Maximum prefixes accepted on BGP session 1 10000 unsignedInt fb105 reorder Maximum time to queue out of order packet ms 10 5000 unsignedInt timeout fb105 reorder maxq Maximum size of out of order pa
19. was sensible The LAC accepted the call on the modem and established a Layer 2 Tunnelling Protocol L2TP connection to the LNS This allowed PPP to be passed from the end user computer to the LNS The LNS is responsible for the PPP negotiations and passing IP packets to and from the Internet 18 1 3 L2TP L2TP provides a simple means for PPP packets to be passed over an IP network It uses a small header and UDP to pass packets between the LAC and LNS Some times it because sensible for the LAC to decide to which LNS it should connect by some means A good example is where a carrier with LACs will route connections to wholesale customers LNSs This would allow ISPs to make use of providers that have modems This is actually the way it works on broadband access Networks For example BT 02 and TalkTalk have LACs in their network which pass L2TP to their ISP customers To achieve this the LAC does some of the initial PPP negotiations It handles the LCP and starts the authentication It then establishes the L2TP connection passing these proxy details on to the LNS The choice of LNS is done using the username which is why it has to start the authentication Typically a realm is included in the user name using an and a string at the end of the username to steer the connection to the right LNS 103 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Internet Service Providers 18 1 4 Broadband I
20. 1 J LED Andi Caton e ieee o Aa eee 27 4 4 1 1 Power LED status indications csore enesenn iinet enes ns Eies 27 4A A 2 Port EEDS arenor ipi iae dp 27 Os Event LOS SINE tire op Soames A AE S E NEER ET ONES 29 Dali OVERVICW sorron AA E scans eee E I ERE S 29 Jeksi Log targets O hens 29 5 1 1 1 Logging to Flash memory occooccnnconnconocnnccnnncnnncnncnnncnnccnnconnccnnccnnconacinncos 29 IA A A AN 30 9 22 Enabling los eine ii odios 30 5 3 Logging to external destinations iesene a a o naaa eTe 30 Diels SYSLOG E A E E E N A 30 O EMAIL oro er ON 31 9 3 2 1 E mail process Tog sing nirin e ld 32 5 4 Factory reset configuration log targets ocoooccnocnnccnnccnnncnnnnnnronoconccnnccnnconnccnnccnnccnncnnncnnnoos 32 DI AIKOI o aena Ve EESE he A A Bore A Suet em erect 32 RN VIEWING LOSS aeea RO E e EESE REE 32 5 6 1 Viewing logs in the User Interface sien rn i n n E E E R E E 32 5 6 2 Viewing logs in the CLI environment 0 ce cece ence eee eceeeeeeeeeeseeseaeeaaes 33 D7 eSYStem event OS SIN Ge ire vec Mine ges cti 33 5 89 Using Proms uair locas span ii taaan 33 6 Interfaces amd Subnets void is E ii ia 34 6 1 Relationship between Interfaces and Physical Ports ooooccocccnccnnconnccnnconnconoconaconaccnonnnrnnoss 34 Ol POLE Proups a dio dd 34 A mtertaces isisa a e s nen encd wentess shad ebops I E ONA E a AE 34 6 2 Defining port BrOUPS re nnr r a E E a ii 34 6 3 Defining an interface nesmen en
21. 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 10 Traffic Shaping The FB2500 includes traffic shaping functionality that allows you to control the speed of specific traffic flows through the FB2500 The FB2500 also provides graphing functionality allowing specific traffic flows to be plotted on a graph image PNG format that the FB2500 generates Within the FB2500 traffic shaping and graphing are closely associated and this is reflected in how you configure traffic shaping in order to be able to perform traffic shaping you must first graph the traffic flow 10 1 Graphs and Shapers 10 1 1 Graphs Several objects in the FB2500 s configuration allow you to specify the name of a graph by setting the value of the graph attribute This causes the traffic flow that is associated with that object a firewall rule an interface or whatever the attribute is attached to to be recorded on a graph with the specified name For connections that have a defined state such as a PPP link the graph will also show the link state history Other information such as packet loss and latency may also be displayed depending on whether it can be provided by the type of object you are graphing For example the XML snippet below shows the graph attribute being set on an interface As soon as you have set a graph attribute and saved the configuration a new graph with the specified name will be created lt interface name LAN port LAN graph L
22. 6105 Attributes nicsen A ai 176 39 ADLOS Elements rosita ria caros aber Sev a E Oued sagen eaten neue faze tee hen ttevtaecaseedy 177 3 60 Tb105 ronte A tin bites ii A A ie ee edt ee 178 Ml A O O 178 3 62 Ipsec ike Elements port E A eI RA AE 178 3 63 1k proposal Attributes sintriisido e dente een tuen eE edetad a a R beast dabean 179 J 64 1psec proposal Attributes sini e nae e a A nee 179 J 65 1ke connection Attributes pessi ses ea a e e e Ea E it E Ee N E EEEE NEE 179 J 66 1ke connection Elements si et cok easel aed tat du ooh mote a E TEAS 180 3 67 1pSEC TOUte Ati DULES sespersona data inn Ria deve gles dit sub dnensventbeadseniaenaes 180 J 68 ipsec manual Attributes 20 0 0 cece cece a cece eeae a E A a EA A EEA O NS 181 3 69 1psec mantal Elements a seoe seeaceeyons es eetugegceb ne sings ten desntend Sesh eseaepepbaee gines eee Agen eunasbebosemeceses 182 J70 pine Atri Dutes avi dr ashes ed NUR eee Se 182 SAI profile Attributes arinena e a tee citewe thee dun e a Aaa gabe e E a E tue e a cietes 182 3 72 profile Elements mit E N rE ERES POE E E ES 183 J73 profile date Attributes sny nae e n E pe E ston E A ARE E E AEAEE 183 3 74 protile lt time AT N ad 184 IR A fey aera eos a E E a E sagan ead sep E EE Aa 184 3 70 Shaper s Atributo Seed eaters Cec eee E da Stat ord eat 184 JT 7s Shaper IC NN 185 3 78 Shaper override Attributes ii o Plis 185 3 79 Ip Sroup AMPULES oinean dons aheconesta gen sdaeesew eB iad
23. CHAP Challenge 60 CHAP challenge only present if not the same as RADIUS authenticator Framed MTU 12 MTU requested by PPP if one was requested even if 1500 Connect Info 77 Text Tx speed Rx speed from L2TP connection if known Tunnel Client 66 Indicates the L2TP tunnel configured name attribute allowing connections via Endpoint different L2TP incoming configurations to be identified Note that the NAS IP Address is normally the local end of the L2TP connection for the incoming connection However there is a configuration option to pass the remote end of the L2TP as the NAS IP Address as this is often more useful If the remote Ip is used the NAS Port is set to the far end L2TP session ID rather than the local end session ID The NAS Identified remains the name of the FB6000 This option is separately available for accounting messages 122 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation Note that the Calling Station Id is included even if not present in L2TP connection if a cache platform RADIUS request matched the L2TP connection and had a Calling Station Id F 2 Authentication response F 2 1 Accepted authentication Table F 2 Access Accept AVP No Usage Reply Message 18 Reply message sent on PPP authentication response MS Primary DNS 311 28 Primary DNS address used in PPP IPCP Vendor 311 specif
24. E 6 Incoming Call Request Table E 6 ICRQ AVP No Incoming Outgoing Message Type ofVaue10 Valuel0 Assigned Session ID 14 Mandatory Mandatory our session ID Call Serial Number 15 Accepted and passed on if relaying Passed on incoming value Bearer Type 18 Ignored Not sent Called Number 21 Accepted used in RADIUS and passed Passed on incoming value on if relaying 118 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported L2TP Attribute Value Pairs Calling Number 22 Accepted used in RADIUS and passed Passed on incoming value on if relaying Sub Address 23 Ignored Not sent Physical Channel ID 25 Ignored Not sent Table E 7 ICRP AVP No Incoming Outgoing Message Type 0 Value 11 Value 11 Assigned Session ID 14 Mandatory Mandatory E 8 Incoming Call Connected Table E 8 ICCN AVP No Incoming Outgoing Message Type 0 Value 12 Value 12 Framing Type 19 Ignored 1 Tx Connect Speed 24 Accepted used in RADIUS and passed Passed on incoming value on if relaying Initial Received LCP 26 Ignored Not sent CONFREQ Last Sent LCP 27 Accepted used in RADIUS and passed Passed on incoming value CONFREQ on if relaying Last Received LCP 28 Accepted used in RADIUS and passed Passed on incoming value CONFREQ on if relaying Proxy Authen Type 29 Acce
25. FB2500 can run alpha releases 4 3 1 1 Breakpoint releases Occasionally a software release will introduce a change to the object model that means the way specific functionality is configured in XML also changes for example an attribute may have been deprecated and a replacement attribute should be used instead A release where such an change has been made and existing configurations will need modifying are termed Breakpoint software releases Breakpoint releases are special as they are able to automatically update an existing configuration used with the previous software release so that it is compatible with the new release and functionality is retained where ever possible When using the Internet based upgrade process the FB2500 will always upgrade to the next available breakpoint version first so that the configuration is updated appropriately If your current software version is several breakpoint releases behind the latest version the upgrade process will be repeated for each breakpoint release and then to the latest version if that is later than the latest breakpoint release On the FB2500 software downloads website breakpoint releases are labelled Breakpoint immediately under the version number Note If you have saved copies of configurations for back up purposes always re save a copy after upgrading to a breakpoint issue If you use automated methods to configure your FB2500 check documentation to see whether those
26. FF03 on all PPP frames hello interval unsignedByte 60 Interval between HELLO messages hostname string Hostname quoted on incoming tunnel icmp ppp boolean false Use PPP endpoint for ICMP ipv6ep IP4Addr Local end IPv4 for IPv6 tunnels Icp mru fix boolean false Restart LCP if RAS negotiated MRU is too high Icp rate unsignedByte 1 LCP interval seconds Icp timeout unsignedB yte 10 LCP timeout seconds log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors mtu unsignedShort Default MTU for sessions in this tunnel 576 2000 mtu name string Name open timeout unsignedB yte 60 Interval before OPEN considered failed payload table unsignedByte 0 99 0 Routing table number for payload traffic routetable pppdns1 IP4Addr PPP DNS1 IPv4 default pppdns2 IP4Addr PPP DNS2 IPv4 default pppip IP4Addr Local end PPP IPv4 profile NMTOKEN Profile name radius string Name for RADIUS server config to use relay nas ip boolean true Pass remote L2TP endpoint as NAS IP require platform boolean false All sessions require a platform RADIUS first require radius acct boolean Close session if cannot do RADIUS accounting retry timeout unsignedB yte 60 Interval to retry sending control messages before fail secret Secret Shared secret shutdown boolean false Refuse all new sessions or tunnels source string Source of data used in automated config management speed unsignedInt Default egres
27. For each network service implemented by the FB2500 see Chapter 13 this command shows whether a specific IP address will be able to access or utilise the service based on any access restrictions configured on the service For example the following shows some service configurations expressed in XML and the access check result when checking access for an external address 1 2 3 4 lt http local only false gt Web control page access via http This address is allowed access to web control pages subject to username password being allowed lt telnet allow admin ips local only false gt Telnet access This address is not allowed access due to the allow list on telnet service in this example admin ips is the name of an IP address group that does not include 1 2 3 4 lt dns local only true gt DNS resolver access This address is not on a local Ethernet subnet and so not allowed access 14 3 Packet Dumping The FireBrick includes the ability to capture packet dumps for diagnostic purposes This might typically be used where the behaviour of the FB2500 is not as expected and can help identify whether other devices are correctly implementing network protocols if they are then you should be able to determine whether the FB2500 is responding appropriately The packet dumping facility may also be of use to you to debug traffic and thus specific network proto
28. It is also possible in most cases to simply set a speed attribute on some object This creates an un named shaper so no graph which has the specified speed for egress tx This is unique to that object unlike named shapers which are shared between all objects using the same named shaper It is also possible to set graph and speed attributes to create a named shaper with the specified speed without having to create a separate shaper object If you set a graph attribute without a speed attribute or creating a shaper object then that simply creates a graph without traffic shaping Multiple objects can share the same graph Graphs can sometimes be created automatically and may have speeds applied For L2TP sessions the circuit ID which may be overridden by RADIUS auth responses is used to make a graph for the session 10 1 4 Long term shapers If defining a shaper using the shaper object there are a number of extra options which allow a long term shaper to be defined A long term shaper is one that changes the actual speed applied dynamlically to ensure a long term usage level that is within a defined setting The key parameters for the long term shaper are the target speed e g tx the minimum speed e g tx min and maximum speed e g tx max The target speed is what is normally used if nothing else is set but if a min and max are set then the shaper will actually use the max speed normally However if the usage exceeds the target sp
29. Misconfiguring BGP can have a serious impact on the Internet as a whole In most cases your transit providers will have necessary filtering in place to protect from mistakes but that is not always the case If you are an ISP and connect to peering points you can cause havoc locally or even internationally by misconfiguring your BGP Take care and get professional advice if you are unsure 17 2 2 Standards The key features supported are e Simple pre set configurations for typical ISP corporate setup e RFC4271 Standard BGP capable of handling multiple full internet routing tables e RFC4893 32 bit AS number handling e RFC2858 Multi protocol handling of IPv6 98 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 BGP RFC1997 Community tagging with in build support of well known communities RFC2385 TCP MDS protection RFC2796 Route reflector peers RFC3392 Capabilities negotiation RFC3065 Confederation peers RFC5082 TTL Security Multiple independent routing tables allowing independent BGP operations Multiple AS operation 17 2 3 Simple example setup A typical installation may have transit connections from which a complete internet routing table is received peers which provide their own routes only internal peers making an IBGP mesh customers to which transit is provided and customer routes may be accepted To make this set up simple the lt peer gt definition contains a type a
30. Sets erase ne daengn cued et dou eadess eves hme Eaa 70 12 2 3 Viewing tunnel Status iaa dl A oe ee E ES 71 12 24 Dynamic fouts y nas erin ee vende de Sad ous ER devel dees OE EIE 71 12 2 3 Tunnel bonding tii iS 71 12 226 Tunnels and NAT kaiean nnne A dp UR seyet fone Gy abou ah nani bed debas eet Sez acey 72 12 2 6 1 EB2300 dome NAT e Seni dirccit steeds ene ere aloes eth 72 12 2 6 2 Another device doing NAT rearea cceccec cece eee c nce eN EEEE EE E rE CNIR Sn 72 12 3 Ether tunnelling ii ip ida 73 13 System Services 2 55 NO 74 13 1 Protecting the FB 2500 7ni e Ti tia 74 1352 COMMON Stine S 20 Sagesse teense ns eetness sone lss ce Sune sty tea pee pe desk o e aio teens EN A Eepe 74 13 3 HTTP Server confi s uration 1 c shecr voce fase ibi 75 13 3 1 ACCESS Control isian e a E E R EE anon sgeeedeadeuesaesanvens 75 13 3 1 1 Trusted addresses nen Aa 75 13 4 Telnet Server CONTISUTAION sisese ae pone osa a E EAE E gheheeeae sede wee EE RA pyeen shes 76 13 42 ACCESS COMO ci A a nash Gaede 76 13 53 DNS configuration casees vio ee e a riera critico iii 76 13 5 1 Blocking DNS TAME dd pectin been taeda 76 135 5 2 Local DNS fESPODSES rnan it da sec tritio eines 76 13 5 3 Auto DHEER DN Sii cada eg Nab ade poh ata eh ie ett 77 13 6 NTP configuration ON 77 13 7 SNMP configuration o aoei e sek vie aE cede bese ert eased eee ec eeoe eh 77 13 8 RADIUS confi A e e naa aE EER EARE betwee AE gosh een dss
31. Techical detal ii A E EE ob E E ET eee 96 16 16 CUSTOM AOMES a esnea chews hee tade e ea er ea E aea e A EA ANE A NE 96 BOP A E NN 98 TFt What O A O IN 98 17 25 BGP Set p eontra A a 98 DT Del O NN 98 US A A AN 98 17 23 5 Simple example Setup reann vousecsydscgtops teases donando ER ESSE EO des 99 V7s2A PEER LY DE AER IA ash AI IIA ce dees TRI 99 17 23 Route Tern Ss oseaan der fi iii jad tear 100 17 2 5 1 Matching attributes is eeno ea rea e e E e a a E 100 EA AAA e eaa a E a A E n a 100 17 2 6 Well known community tags cece cee cece cee ceeeceeeeeeeea ceca eens eeae een eeneeeeeeeee es 101 17 2 7 Bad optional path attributes oooooccccnnncnnccnnccnnconnconnccnnccnncnnnconncnnncnnncnnncnaronoss 101 17 2 8 lt metwork gt element ostii rs oirein cece eee R EE K EEEE EEE E EE EENEN 101 17 2 9 lt route gt lt subnet gt and other elements ccc cece ccc cc ec ec cece eeeeeeeeeeeenenenenenenes 101 17 2 10 Route feasibility testing orn a ier a E r EE EE AEE E S E Ne 102 VIDA Ms Dia SnOstiess 2 3325 dos e ea eaa a E eh shea deen EEEE E EEA SS 102 17 212 Router hd WM e seins rE E elie red ee peed E TEASER EE 102 17 213 AA a e e a e E a ea E N E eS 102 18 Internet Service Providers ii A E E EE dag N cede E ENNES 103 182k BaCk Ground A ON 103 18 11 How it all Began a A LA A ec Sie 103 viii www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manu
32. a handset to register with the carrier and will then send calls to the registered device It is also possible for a VoIP carrier to send calls to the FB2500 using a fixed pre set configuration To set up a VoIP carrier where the FB2500 registers with the carrier you need to specify the registrar attribute This can be a host name or IP address You also need to specify the username and password For incoming calls you need to specify the extn that is logically dialled when a call comes in from this carrier this can be the extension number of a telephone or hunt group To set up a VoIP carrier for outgoing calls you need to specify the proxy This can be a host name or IP address You also need to specify the username and password You can define the carrer to use for outgoing calls on a per telephone basis and also for hunt groups where the group calls an external number You can also define a default carrier if none is otherwise specified A backup carrier can also be defined which is used if the call fails via the selected carrier For a carrier that sends calls to the FB2500 without registration you will need to set the to attribute to either the full address used in the To of the incoming connections or at least the domain part If calls can come in to multiple numbers you also need to set the incoming format so that calls can be routed In this case the username and password can be specified and are used to validate the credentials of th
33. absolutely necessary 5 6 Viewing logs 5 6 1 Viewing logs in the User Interface To view a log in the web User Interface select the Log item in the Status menu Then select which log target to view by clicking the appropriate link You can also view a pseudo log target All which shows log event messages sent to any log target The web page then continues showing log events on the web page in real time i e as they happen Note This is an open ended web page which has been known to upset some browsers but this is rare However it does not usually work with any sort of web proxy which expects the page to actually finish 32 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Event Logging All log targets can be viewed via the web User Interface regardless of whether they specify any external logging or logging to Flash memory 5 6 2 Viewing logs in the CLI environment The command line allows logs to be viewed and you can select which log target or all targets The logging continues on screen until you press a key such as RETURN In addition anything set to log to console shows anyway see Section 5 1 1 2 unless disabled with the troff command 5 7 System event logging Some aspects of the operation of the overall system have associated events and messages that can be logged Logging of such events is enabled via the system object attributes shown in Table 5 2 below
34. addition to this User Manual there is reference material is available that documents the XML elements refer to Section 3 2 1 3 5 3 Viewing or editing XML The XML representation of the configuration can be viewed and edited in text form via the web interface by clicking on XML View and XML Edit respectively under the main menu Config item Viewing the configuration is as you might expect read only and so is safe in as much as you can t accidentally change the configuration 3 5 4 Example XML configuration An example of a simple but complete XML configuration is shown below with annotations pointing out the main elements lt xml version 1 0 encoding UTF 8 gt lt config xmlns http firebrick 1td uk xml fb2700 xmlns xsi http www w3 org 2001 XMLSchema instance xsi schemaLocation http firebrick 1td uk xml fb2700 timestamp 2011 10 14T12 24 072 patch 8882 gt lt system name gateway O contact Peter Smith location The Basement log panio TFE suppore ts lt system gt 17 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration lt user name peter 0 full name Peter Smith password FB105 4D42454D2 6F 8BF5480F07DFALE41AE47410154F6 timeout PT3H20M configs full lev7el DEBUG gt lt log name default gt lt log name fb support gt lt email to crashlog firebrick 1ltd uk com
35. and session tracking refer to Chapter 7 When establishing a session it is possible to scan an ordered list of rules which can consider not only the target IP but also source IP protocol ports and interfaces being used The result is typically to set a routing target IP for the session and possibly a routing table to jump between tables Note The destination IP in the packet header is not modified rather an overriding routing target IP address is stored in the session table entry This is done for each direction on the session and remembered This new target IP is then used on a per packet basis in the same way as above instead of the destination IP address of the packet This is the same as set gateway in the normal session tracking logic However routing overrides are applied at the end of checking rule sets and applied both ways allowing in effect a set reverse gateway Tip Because the route override just sets a new target routing IP and does not allow you to set a specific tunnel or such you may want to have a dummy single IP address routed down a tunnel and then use route override rules to tell specific sessions to use that IP as the gateway Future software releases may provide a means to specify a tunnel as a routing gateway more directly Note Route override logic was originally devised to allow routing for use with tunneling protocols but they are usually better handled with much less configuration using rou
36. as intended e traffic graphs By default access to the web user interface is available to all users from any IP address If you don t require such open access you may wish to restrict access using the settings described in Section 13 3 3 4 1 User Interface layout The User Interface has the following general layout e a banner area at the top of the page containing the FireBrick logo model number and system name e amain menu with sub menus that access various parts of the user interface the main menu can be shown vertically or horizontally sub menu appearance depends on this display style if the main menu is vertical sub menus are shown by expanding the menu vertically if the main menu is horizontal sub menus are shown as pull down menus a footer area at the bottom of the page containing layout control icons and showing the current software version e the remaining page area contains the content for the selected part of the user interface Figure 3 1 shows the main menu when it is set to display horizontally Note that the main menu items themselves have a specific function when clicked clicking such items displays a general page related to that item for example clicking on Status shows some overall status information whereas sub menu items under Status display specific categories of status information Figure 3 1 Main menu 3 FireBrick FB2700 Home Status Diagnostics Graphs Config Logout The use
37. as shown in Figure 4 1 Figure 4 1 Setting up a new user Admin users user 1 of 1 Up New Erase Help User names passwords and abilities for admin users name E comment profile User name Comment Profile name password E full name E otp User password Full name OTP serial number E timeout E config E level Login idie timeout zero to stay logged in Config access level Login level 5 00 Full ADMIN M allow Restrict logins to esses The minimum attributes that must be specified are name which is the username that you type in when logging in and password passwords are mandatory on the FB2500 You can optionally provide a full name for the specified username and a general comment field value 4 1 1 Login level A user s login level is set with the level attribute and determines what CLI commands the user can run The default if the level attribute is not specified is ADMIN you may wish to downgrade the level for users who are not classed as system administrators 21 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration Table 4 1 User login levels Level Description NOBODY No access to any menu items GUEST Guest user access to some menu items USER Normal unprivileged user ADMIN System administrator DEBUG System debugging user 4 1 2 Configuration access level The configuratio
38. be sent back to this modified address assuming that the intention is that this traffic reach the original source IP address the FB2500 will change the destination IP address in return traffic to be the original source IP address It can do this because it has stored the original source IP address in the session table entry The set source ip set source port set target ip and set target port attributes request this kind of change to be made Note Any rule that changes part of the session will affect the matching criteria in subsequent rule sets and rules i e they test the changed version of the session A caveat to this is that set nat just sets a flag causing the source IP address and port number to be picked at the end of rule set processing so the new source IP address or port number used for NAT cannot be tested for in later rule sets Network Address Translation NAT works in exactly the same way except that rather than specifying which address to map the original source IP address too the FB2500 will use an appropriate source IP address given where the traffic needs to be routed to Furthermore NAT will also modify the protocol source port number applicable to UDP or TCP sessions to become an unused local to the FB2500 port number This gives the session a completely new source identity from the far end point of view NAT is requested by setting the set nat attribute to true As mentioned in Section 6 3 1 a subnet defini
39. belonging to a specific VLAN When a tagged packet arrives at another switch the tag specifies which VLAN it is in and switching to the appropriate physical port s occurs In addition to VLAN support in switches some end devices incorporate VLAN support allowing them to send and receive tagged packets from VLAN switch infrastructure and use the VLAN ID to map packets to multiple logical interfaces whilst only using a single physical interface Such VLAN support is typically present in devices that are able to be multi homed have more than one IP interface such as routers and firewalls and general purpose network capable operating systems such as Linux The FB2500 supports IEEE 802 1Q VLANs and will accept and send packets with 802 1Q VLAN tags It can therefore work with any Ethernet switch or other equipment that also supports 802 1Q VLANs and therefore allows multiple logical interfaces to be implemented on a single physical port VLAN tagged switching is now also used in Wide Area Layer 2 Ethernet networks where a Layer 2 circuit is provided by a carrier over shared physical infrastructure The conventional concept of a LAN occupying a small geographic area is thus no longer necessarily true 116 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix E Supported L2TP Attribute Value Pairs This appendix details the L2TP protocol messages supported and the attribute value pai
40. bytes of recent log to show H 8 10 Flash log show flash log lt unsignedInt gt The logging system can log to flash for a permanent record This is done automatically for some system events and when booting You can specify the number of bytes of recent log to show 142 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix I Constant Quality Monitoring technical details The FireBrick provides constant quality monitoring The main purpose of this is to provide a graphical representation of the performance of an interface or traffic shaper typically used for broadband lines on L2TP e 100 second interval statistics available graphically as png and in text as csv covering at least the last 25 hours one day e Loss latency stats where available e g LCP echos on L2TP broadband lines including minimum average and maximum latency for the 100 second sample and percentage packet loss e Throughput stats where available e g interfaces shapers L2TP broadband lines including average tx and rx rate for 100 second sample Graphs can be loss latency or throughput of both A ping only system would only have loss latency An L2TP broadband line has both An interface or shaper normally has only throughput data 1 1 Broadband back haul providers When using the FB2500 as an LNS the CQM graphs are invaluable for diagnosing line faults They are useful to the ISP but als
41. category as shown in Figure 3 3 Figure 3 3 Icons for configuration categories 3 FireBrick FB2700 Home Status Diagnostics Graphs Config Logout E E E 6 E EJ E E E Within each category there are one or more sections delimited by horizontal lines Each of these sections has a heading and corresponds to a particular type of top level object and relates to a major part of the configuration that comes under the selected category See Figure 3 4 for an example showing part of the Setup category which includes general system settings the system object and control of system services network services provided by the FB2500 such as the web interface web server telnet server etc controlled by the services object 12 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Figure 3 4 The Setup category System System settings name contact location intro comment Edit ruby Mike Chambers WF Ryde Office General system services Edit General system services Constant Quality Monitoring config Each section is displayed as a tabulated list showing any existing objects of the associated type Each row of the table corresponds with one object and a subset typically those of most interest at a glance of the object s attributes are shown in the columns the column heading shows the attribute name If no objects of that type exist there will be a single
42. class based organisation of the IP address space which had become wasteful of address space and did not permit aggregation of routing information In the original scheme only three sizes of network were possible e Class A 128 possible networks each with 16 777 216 addresses e Class B 16384 possible networks each with 65 536 addresses e Class C 2097152 possible networks each with 256 addresses Every network including any of the large number of possible Class C networks required an entry in global routing tables those used by core Internet routers since it was not possible to aggregate entries that had the same routing information The inability to aggregate routes meant global routing table size was growing fast which meant performance issues at core routers The position and size of the network ID and host ID bitfields were implied by the bit pattern of some of the most significant address bits which segmented the 32 bit IPv4 address space into three main blocks one for each class of network CIDR The prefix notation introduced by CIDR was in the simplest sense to make explicit which bits in a 32 bit IPv4 address are interpreted as the network number or prefix associated with a site and which are the used to number individual end systems within the site In this sense the prefix is the N most significant bits that comprise the network ID bitfield CIDR notation is written as IPv4 Traditional IPv4 dotted quad
43. configuration LCP echos are faked both ways from the FireBrick and LCP echos are generated by the FireBrick and responses checked This allows the CQM graphs to be created The graph is only created for the outgoing part of the connection If not configured to fake LCP echos then these are passed through as normal and no graph is created Each session gets a CQM graph which uses one second LCP requests and produces detailed loss latency graphs for the session The graph name is picked based on the first available of e Chargeable User Identity sent in the RADIUS authentication response e Calling Station Id from L2TP e User name in RADIUS athentication response e Proxy Auth Name from L2TP e Negotiated user name from PAP CHAP If a second session starts with the same graph name as an existing session then the existing session is cleared with cause 13 Preempted It is recommended that a unique circuit ID is passed as the Chargeable User Identity in the authentication response to allow simple location of graphs 129 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation F 9 3 IP over LCP IP over LCP is a non standard coding of PPP packets for IPv4 and IPv6 The coding uses the LCP code C021 instead of the IPv4 0021 or IPv6 0057 code The first byte which would normally be the LCP type is 0x4X IPv4 or 0x6X IPv6 The FireBrick a
44. fc0c secvees sas cteate ioeie E i EEEE E E E T EEEE 124 F5 A A a aE Eaa Seas ETEO EEE pa EPET O VTS EEES EE TAES EREE SPERT Eni 125 F 6 Accounting Stop eenia teo e E EE oe Mois EEES be EE SEE EEES 126 E275 DISCONNE Ch aier costes i e oa E ea Matty Seka E E E A E R a E a E ES 127 F 8 Change of Authorisation ieser asees n ori ETES o EEEE EEE ETER EE EEE NETES 127 BOs Filter D D ERE E E E iii 128 G T O ie NA 131 G2 Access Challen ge csper nt a a R e N AEE E EA EE 132 Gi3 s Access Accept tii cause aere O EE S IAE EE EE E o N EEE ET E TEOSES 132 Xv www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual GA ACCESS A CCOPE aer riores deanaeesgeous stan acia Meee bsh wena segues torres 132 E ACCESS O EC Moises Sas A E ER ean Cer anda OE ce Ges 133 CANCINO 133 G Accounting ME e a e E E E A E E E eee 133 RNA toss a A E e a ee E A EEE cep NE e AT EA mses 134 G9 DISCONNECE oi arar A EE E ONNE O A i n 134 G0 Cha nge of A thorisati N syss enine E T EA A dene das a ERE I ESE 135 i CE LE an DEA A B EE EE E A E Sie date A N SE 143 2 COlOUPS NN 144 TB Text ira RN 145 TAT OX ER o dl rat n das 145 1 5 URE TOMAS A A A A aa sii 146 JA Conti A O 148 3 23 confie Elements A OA ias 148 SS ON 149 3 4 sy stem Elements E AA is 149 TI Jinks ATI Att EDENE E 150 A A UrIDULES Snar oa cea E Gag cdg Pere ee Pas tag T NE Se ack dah ag ceed eed cae aes 150 G7 los AMIDULES cs 4c
45. for SIP if using IPv4 NAS IPv6 Address 95 Far end IPv6 address for SIP if using IPv6 NAS Port 5 Far end UDP port for SIP G 4 Accounting Interim Table G 7 Accounting Interim AVP No Usage User Name 1 SIP URI for our end of the call leg Callback ID 20 SIP URI for other end of the call leg Called Station Id 30 Dialled number as received Calling Station Id 31 Calling number as received Acct Status Type 40 3 Interim Acct Session Id 44 Unique ID for session Acct Multi Session 50 SIP Call ID for call leg and second instance is Session Id of linked call Id 133 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for VoIP operation Acct Event 55 Time call answered Timestamp NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 Far end IPv4 address for SIP if using IPv4 NAS IPv6 Address 95 Far end IPv6 address for SIP if using IPv6 NAS Port 5 Far end UDP port for SIP Note If the call is connected to another call leg then a second Acct Session Id is included with details of the linked call leg G 5 Accounting Stop As accounting interim update plus Table G 8 Accounting Stop AVP No Usage User Name 1 SIP URI for our end of the call leg Callback ID 20 SIP URI for ot
46. for the domain but you can optionally specify an outgoing mail server smart host to use instead by setting the server attribute SMTP port number the FB2500 defaults to using TCP port 25 to perform the SMTP mail transfer but if necessary you can set the port attribute to specify which port number to use retry delay if an attempt to send the e mail fails the FB2500 will wait before re trying the default wait period is 10 minutes but you can change this by setting the ret ry attribute An example of a simple log target with e mailing is available in a factory reset configuration the associated XML is shown below from which you can see that in many cases you only need to specify the to attribute the comment attribute is an optional general comment field lt log name fb support comment Log target for sending logs to FireBrick support team gt lt email to crashlog firebrick 1td uk comment Crash logs emailed to FireBrick Support team gt 31 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Event Logging lt log gt A profile can be used to stop emails at certain times and when the email logging is back on an active profile it tries to catch up any entries still in the RAM buffer if possible 5 3 2 1 E mail process logging Since the process of e mailing can itself encounter problems it is possible to request that the process itself be logged via the us
47. from client machines DNS typically means converting a name like www firebrick co uk to one or more IP addresses but it can also be used for reverse DNS finding the name of an IP address DNS service is normally provided by your ISP The DNS service on the FB2500 simply relays requests to external DNS servers and caches replies You can configure a list of external DNS servers using the resolvers attribute However DNS resolvers are also learned automatically via various systems such as DHCP and PPPoE In most cases you do not need to set the resolvers 13 5 1 Blocking DNS names You can configure names such that the FB2500 issues an NXDOMAIN response making it appear that the domain does not exist This can be done using a wildcard e g you could block xxx Tip You can also restrict responses to certain IP addresses on your LAN making it that some devices get different responses You can also control when responses are given using a profile e g time of day 13 5 2 Local DNS responses Instead of blocking names you can also make some names return pre defined responses This is usually only used for special cases and there is a default for my firebrick co uk which returns the FireBrick s own IP Faking DNS responses will not always work and new security measures such as DNSSEC will mean these faked responses will not be accepted 76 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Sy
48. greated if memory is not available 147 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix J Configuration Objects This appendix defines the object definitions used in the FireBrick FB2500 configuration Copyright 2008 13 FireBrick Ltd J 1 Top level J 1 1 config Top level config The top level config element contains all of the FireBrick configuration data Table J 1 config Attributes Attribute Type Default Description patch integer Internal use for s w updates that change config syntax timestamp dateTime Config store time set automatically when config is saved Table J 2 config Elements Element Type Instances Description bgp bgp Optional up to 100 BGP config blackhole blackhole Optional unlimited Black hole dropped packets networks cqm cqm Optional Constant Quality Monitoring config ethernet ethernet Optional unlimited Ethernet port settings etun etun Optional Ether tunnel RFC3378 fb105 fb105 Optional up to 255 FB105 tunnel settings interface interface Optional up to 8192 Ethernet interface port group vlan and subnets 1p group 1p group Optional unlimited Named IP groups ipsec ike ipsec ike Optional IPsec IKE tunnel configuration ipsec manual ipsec manual Optional up to 255 IPsec manually keyed connection settings 12tp 12tp Optional L2TP settings l
49. http www watchfront co uk To form a bonded tunnel set simply specify the set attribute of each tunnel in the set to be a value unique to that set Although not required you would typically use a set value of 1 for the first set you have defined You can defined multiple bonded sets by using different values of the set attribute in each set 12 2 6 Tunnels and NAT If you are using NAT in your network it may have implications for how to successfully use FB105 tunnelling The issues depend on where on what device in your network NAT is being performed 12 2 6 1 FB2500 doing NAT If you have a bonded tunnel set implementing a single logical WAN connection then the FB2500 will typically have multiple WAN side IP addresses one per physical WAN connection If you are using the FB2500 to NAT traffic to the WAN the real source IP address of the traffic will be translated by the NAT process to one of the IP addresses used by the FB2500 When this NAT d traffic is carried via a tunnel it will be the source address of the tunnel payload packet that is modified Whatever address is used reply traffic will come back to that address In order to ensure this reply traffic is distributed across the tunnel set by the far end tunnelling device the address used needs to be an address that is routed down the tunnel set rather than one associated with any particular WAN connection In order to handle this scenario the internal ip attribute can be
50. ices si RO 150 3 8 loss Elements aii e it 151 F9 Jog syslo g AttIBUtES esena vedas e a etev eters semeed up nodebosh suede eee EEE ERER vedev ssh wwacesty ees 151 3 10 log emall Atte utes iii A ek Nate NA ed Se eases 151 Is LT services Elements contando din tds 152 JA2 lt snmp service Attributes ni A A ido 152 A A NO 153 J 14 telnet service Attributes ecrire e a E Ven eo ae aa ise aa 154 J15 http setvicer lA estan scvesiee dy bestwotees Ses due sdenshonsnae e a Ne Genk ded seay aden aerothes debe seers 154 JAG2dns service Attributes monensin ne R unsaadsecescwepeeetesopevedaaes cdedangeveseanpevedeueyecede wes 155 J 17 dns S ryice Element oidor racer taa vee ny seme drets irte 155 J 18 dns host Attributes iii iaa 155 PIS dnsiblock AtTIDU TES 0er 156 J 20 radius service Attributes oocooccoccnocccononoconocoronororonororo nono ro EEE EEEE E EARE ERNES 156 UA IA AAA OO teeters 157 J 22 radius service match Attributes areren nn E rE E EEE E E a TEE S 157 J 23 radius server AUrIDULES zerresine n hee ie abi eines 158 J 24A etherjet Attributes orinni i E E E E N E i a A E e aS 159 J25 portdet Attn Dutess nn Ren S E N geod EE EE A E EE E 159 3 26 interface Atri DULES Gui EE E EEEE S a cies 160 J27 pterface Elements motricidad 160 J28 Subnet Attributes iee peed ade A A A EE a E Ea 161 S29 Vip ADUE NN 162 J30 dheps Atri butes is OS DON A Ree see eee ay 162 J2 tedheps Elements sesiet OE 163 3 32 dhep attr he
51. interface and tools like curl to load configtations This command is provided as a last resort for emergency use so use with care H 1 11 Show profile status show profiles Shows profiles and current status H 1 12 Enable profile control switch enable profile lt string gt Turns a named profile control switch on H 1 13 Disable profile control switch disable profile lt string gt Turns a named profile control switch off H 1 14 Show RADIUS servers show radius show radius lt IPAddr gt Shows details of RADIUS servers currently in use H 1 15 Show DNS resolvers show dns 137 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference Shows current DNS resolver list and status H 2 Networking commands H 2 1 Subnets show subnets show subnet lt integer gt You can list all current subnets or details of a specific subnet This shows the same information as the web status pages for subnets H 2 2 Ping and trace ping lt IPNameAddr gt table lt routetable gt source lt IPAddr gt gateway lt IPAddr gt flow lt unsignedShort gt count lt positivelnteger gt ttl lt unsignedByte gt size lt unsignedShort gt xml lt boolean gt traceroute lt IPNameAddr gt table lt routetable gt source lt IPAddr gt gateway lt IPAddr gt flow lt unsignedShort
52. is to go ahead and do the challenge itself For REGISTER an accept response can include a Called Station Id attribute can be used to define the registered connection as a tel number URI for call routing Without this the registration is not logged on the FB2500 and it is assumed the RADIUS server will record where to send calls based on the registration The SIP AOR AVP in the access request provides the Contact URI and can be used in the reply to cause a 302 redirect response to a specified contact e An access request is sent to approve any SIP request such as REGISTER SUBSCRIBE OPTIONS etc e An access request is sent to make call routing decision for INVITE and REFER e An access request is sent to make a call routing decision when a 3xx response is received from a connection being made to a telephone Acct Terminate Cause specified the redirect code e g 301 302 Access requests are made even when the request is coming from an locally configured telephone In such cases the telephone must also pass validation against a locally configured password if present To identify such requests the User Name is the configured name or extn or ddi of the telephone user and Chargeable User Identity attribute is set based on the configured CUI Access requests are made even when from a recognised carrier In such case the carrier is validated by the FireBrick directly and then the access request made to decide call routing To identify such re
53. keys The key lengths depend on the selected algorithm according to the following table Table 12 1 IPsec algorithm key lengths Algorithm Bytes Hex Example digits HMAC MD5 16 32 00112233445566778899 AABBCCDDEEFF HMAC SHAI 20 40 0102030405060708090A0BO0CODOE0F10111213 AES XCBC 16 32 OFOEOCOD0B0A09080706050403020100 HMAC SHA256 32 64 0102030405060708090A0B0CODO0OE0F101112131415161718191A1B1C1D1E1F 3DES CBC 24 48 00112233445566778899 AABBCCDDEEFF001 1223344556677 blowfish 16 32 00112233445566778899 AABBCCDDEEFF blowfish 192 24 48 0102030405060708090AOBOCODOEOF101 1121314151617 blowfish 256 32 64 0102030405060708090A0B0CODO0OE0F101112131415161718191A1B1C1D1E1F AES CBC 16 32 00112233445566778899 AABBCCDDEEFF AES CBC 192 24 48 0102030405060708090AOBOCODOEOF101 1121314151617 67 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels AES CBC 256 32 164 10102030405060708090 AOBOCODOE0F101112131415161718191A1BICIDIEIF Note that in the current implementation the same key is used for both incoming and outgoing traffic The same keys and algorithms must be configured at the remote end of the link The above keys are examples only To reduce the possibility that your link could be compromised by keys becoming known or guessed you should generate them using a source of random or pseudo random data On a Unix Linux system the command xxd can be used in conjunct
54. label time string Time Label for time label traffic string Traffic bit s Label for traffic level label tx string Tx Label for Tx traffic level latency level unsignedInt 100000000 Latency level not expected on low usage latency levell unsignedInt 100000000 Latency level 1 ns latency level2 unsignedInt 500000000 Latency level 2 ns latency score unsignedByte 200 Score for high latency and low usage latency scorel unsignedByte 10 Score for on above level 1 latency score2 unsignedByte 20 Score for on above level 2 latency usage unsignedInt 128000 Usage below which latency is not expected left unsignedByte 0 Pixels space left of main graph log NMTOKEN Not logging Log events max Colour green Colour for maximum latency min Colour 008 Colour for minimum latency ms max positiveInteger 500 ms max height off Colour c8f Colour for off line seconds outside Colour transparent Colour for outer border ping update duration 1 00 00 Interval for periodic updates ping url string URL for ping list rej Colour f8c Colour for off line seconds right unsignedByte 50 Pixels space right of main graph TX Colour 800 Colour for Rx traffic level secret Secret Secret for MD5 coded URLs sent Colour ff8 Colour for polled seconds share interface NMTOKEN Interface on which to broadcast data for shaper sharing share secret string Secret to validate shaper sharing subheading string Subheading of graph text Colour black Colour for text textl string Text line 1 te
55. logged Sent as appropriate for tunnel close Q 931 Cause Code 12 Ignored Not sent Assigned Session ID 14 Expected see note Sent if assigned Note that a CDN may have a zero session ID in the header If this is the case the tunnel ID and assigned session ID are used to identify the session If an unknown session ID on a known tunnel ID is received on any any incoming packet a CDN is generated with header session ID 0 and specified assigned session ID E 13 WAN Error Notify Table E 13 WEN AVP No Incoming Outgoing Message Type 0 Value 15 Value 15 Not supported ignored E 14 Set Link Info Table E 14 SLI AVP No Incoming Outgoing 120 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported L2TP Attribute Value Pairs Message Type 0 Value 16 Value 16 Not supported ignored E 15 Notes E 15 1 BT specific notes The L2TP and PPP specifications are clear that the HDLC framing bytes are not sent or received within the L2TP packet However BT send type bytes FFO3 on the start of all PPP frames This is silently discarded Also BT will not process packets if these type bytes are not included in outgoing packets Sending the HDLC framing can be controlled in the config and on a per session basis using a Filter Id in RADIUS authentication response BT sometimes negotiate incorrect MRUs on behalf of the LNS Where the
56. logging Log events log error NMTOKEN Log as event Log errors mtu unsignedShort 1500 MTU for wrapped packets name NMTOKEN Name ospf cost unsignedShort 1000 Link cost forces default OSPF on link if set even if OSPF not otherwise configured payload table unsignedByte 0 99 0 Routing table number for payload traffic routetable port unsignedShort 1 UDP port to use profile NMTOKEN Profile name remote id unsignedByte Not optional Unique remote end tunnel ID reorder boolean false Reorder incoming tunnel packets reorder maxq unsignedInt 1 100 32 Max queue length for out of order packets fb 105 reorder maxq reorder timeout unsignedInt 100 Max time to delay out of order packet ms 10 5000 fb105 reorder timeout routes List of 1PPrefix None Routes when link up satellite boolean Mark links that are high speed and latency for split latency bonding experimental secret Secret Unsigned Shared secret for tunnel set unsignedB yte Set ID for reorder ID tagging create a set of tunnels together sign all boolean false All packets must be signed not just keepalives source string Source of data used in automated config management speed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 0 Routing table number for tunnel wrappers routetable tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS Table J 59 fb105 Elements Element Type Instances Description 177 www voipon co uk sales voipon co uk Te
57. lost as new ones arrive Since the buffer is stored in volatile memory RAM buffer contents are lost on reboot or power failure This buffer can be viewed via the web interface or command line which can show the history in the buffer and then follow the log in real time even when viewing via a web browser with some exceptions see Section 5 6 1 In some cases it is essential to ensure logged events can be viewed even after a power failure You can flag a log target to log to the non volatile Flash memory within the FB2500 where it will remain stored even after a power failure You should read Section 5 5 before deciding to log events to Flash memory Each log target has various attributes and child objects defining what happens to log entries to this target However in the simplest case where you do not require non volatile storage or external logging see Section 5 3 the log object will only need a name attribute and will have no child objects In XML this will look something like hog name tmy logi 5 1 1 1 Logging to Flash memory The internal Flash memory logging system is separate from the external logging It applies if the log target object has flash true It causes each log entry to be written to the internal non volatile Flash log as it is created The flash log is intended for urgent permanent system information only and is visible using the show flash log CLI command see Appendix H for details on using th
58. may include as many parameter name and value pairs as you need to completely specify the dump parameters Packet capturing stops if the output stream HTTP transfer fails This is useful if you are unable to determine a suitable timeout period and would like to run an ongoing capture which you stop manually This is achieved by specifying a very long duration and then interrupting execution of the HTTP client using Ctrl C or similar Only one capture can operate at a time The HTTP access fails if no valid interfaces or sessions etc are specified or if a capturing is currently running 14 3 7 1 Example using curl and tcpdump An example of a simple real time dump and analysis run on a Linux box is shown below eur silent no buffer user name pass http 1 2 3 4 pcap interface LAN amp timeout 300 amp snaplen 1500 usr sbin tcpdump r n v Note Linebreaks are shown in the example for clarity only they must not be entered on the command line In this example we have used username name and password pass to log in to a FireBrick on address 1 2 3 4 obviously you would change the IP address or host name and credentials to something suitable for your FB2500 We have asked for a dump of the interface named LAN with a 5 minute timeout and capturing 1500 byte packets We have then fed the output in real time hence specifying no buf fer on the curl command to tcpdump and asked it to take capture data from the stan
59. methods need updating 4 3 2 Identifying current software version The current software version is displayed on the main Status page shown when you click the Status main menu item itself 1 e not a submenu item The main software application version is shown next to the word Software e g software HBA OO Hermia V1 07001 2011 11 15T10322 48 The software version is also displayed in the right hand side of the footer area of each web page and is shown immediately after you login to a command line session 4 3 3 Internet based upgrade process Note Out of the box the FB2500 is configured to automatically download and install new factory releases This is a safe option and we expect many users to be happy with this however if you would prefer this process can be disabled refer to Section 4 3 3 2 If automatic installs are allowed the FB2500 will check for new software on boot up and approximately every 24 hours thereafter your FB2500 should therefore pick up new software at most 24 hours after it is released You can choose to allow this process to install only new factory releases factory or beta releases or any release which then includes alpha releases if your FB2500 is enabled for alpha software see Section 4 3 1 refer to Section 4 3 3 2 for details on how to configure auto upgrades 25 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Adminis
60. nE ESS REE OS TEE deis 81 14 2 Packet types that can be captured 2 20 0 eee cece eee e ee ceeeeeeeeaeeeaeeea sean eeae eens eeneeeeneeeeeeees 82 16 1 Rin 8 Type eare n e tacts sos encase a bate aneenets ses E ah aamaae hse batsed epee ta sae E eee isa 91 16 2 NON 91 MA NR SN 94 164 Default tones tai its idas 96 FI Peer types O 99 17 2 COMMUNES esti AAA i 101 17 3 Network attributes csi ease cose eaan ns rE EESPERE EE AASA ON ade ss cesses OS EOE E sense dasedsatescuoneads 101 Cul DHCPclentnames Used ici aaee dades di OEE EEE ias 115 O RR e a atte has E E E E E E a E E ES 117 EZ SCORP otitis o RA A EV ETE E a oe 117 EBS SCGON E E E TT E sbse5 ses dasetes san eDnacsseestecgheas Seusses sts cas ease 118 E4 StopCEN acia ies 118 ES HELLO 04d doin pito depa 118 B62 TERO ui A A AA EAs 118 A vooined Sedasnvescunae sis sedacnds rents Piwcden nds ansesveseesensess 119 E8 ICON sss bets chet thegi obskg cons E A iocedests oe slabs dhs a eecdedl le Hodals wean shad eberea EE E EEEn 119 E9 OCRO tics sisi ppt osas 119 E410 OCR P iia is e AE AA Ti E E T TEE 120 BUD A acisacvoass sss tia ads sete ada des send E E saa esses sosvasdgssp sa EEE AATAS tessacdadea EEEE EPSE YR 120 E12 GDN ii cie tia 120 E 13 WEN tus rae eop eea E abria rrpp brisa 120 j K SEn P EEE EEE AD AA A A 120 EA Access TEQUES airis n A EE NAA AE AAAA A E AEA EE A OAE EEOAE 122 F2 Acces ACCE NN 123 F3 Access Ree Limita irte pt cet io pirata 124 F4 Accounting S tant 2
61. nbies 77 13 8 1 RADIUS server platform RADIUS ocooccoccnccnconccnconccnconocncononoconococonacoconanoconanos 77 133822 RADIUS Chente a a e a cate tenga E A a a e ERE 77 14 Network Diagnostic TOONS cita id ti Ths cela eed weeded 79 14 1 Erew llino CHECK wicecs locos rior elites 79 14 2 Access Check tarta AS 80 A IN O O 80 14 31 Dump parameters Ai eet eee Seed te ee ic 81 14 3 2 Security Settings required siysa uses terri ire niente ips dpi r antes 81 143 3 IP address matthint msnnen eee fies oe Reedy POE oak ences ee eos 82 14 34 Packet types at ae ai ais 82 14 3 5 Shaplen specificato mensis Ad 82 143 0 Using the web interface ps ese ee e tee prs an a RNE e tai as 82 14 327 Using an HTTP Centura oe Mediate bh eae E A EO NS 82 14 3 7 1 Example using curl and tcpdump oooconcccnccnnccnnccnnconoconccnnconnccnnccnncnnncnnncos 83 TSE VRRP Le eae Rate ON E rte ee A EDO 84 vil www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual 15 L Virtual ROWERS otitis ica 84 152 Configuring VRRP ia A Es 85 15 221 Advertisement Intervalo teria noes 85 1522 Proy NN 85 15 3 Using a Virtual Touter eonennet E A E N E E a EAE ESERSE S 85 15 4 VRRP Versions vii id E AE E a deh E S 85 15 41 VRRE Versi Ls ri 85 15 4 2 VRRP Version Si a A ados 86 15 5 Compati DIt sare esapi wae sess donsh eon desdbveed bash eas sey ede leven EEA NRR EE RE 86 16 VOIP Se
62. order calling Hashed on calling station id called Hashed on called station id username Hashed on full username user Hashed on username before realm Hashed on username after prefix Hashed on username initial letters and numbers only J 3 9 radiustype Type of RADIUS server Table J 105 radiustype Type of RADIUS server Value Description authentication Authentication server accounting Accounting server control Allowed to send control CoA DM 197 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 3 10 port Physical port Table J 106 port Physical port Value Description 0 Port 0 not valid deprecated 1 Port 1 2 Port 2 3 Port 3 4 Port 4 J 3 11 Crossover Crossover configuration Physical port crossover configuration Table J 107 Crossover Crossover configuration Value Description auto Crossover is determined automatically MDI Force no crossover J 3 12 LinkSpeed Physical port speed Table J 108 LinkSpeed Physical port speed Value Description 10M 10Mbit sec 100M 100Mbit sec 1G 1Gbit sec auto Speed determined by autonegotiation J 3 13 LinkDuplex Physical port duplex setting Table J 109 LinkDuplex Physical port duplex setting Value half Description Half duplex full Full duplex auto Dupl
63. out e g using 100 and 200 We suggest not setting priority 1 see profiles and test below 15 3 Using a virtual router A virtual router is used by another device simply by specifying the virtual router s virtual IP address as the gateway in a route rather than using a router s real IP address From an IP point of view the upstream device is completely unaware that the IP address is associated with a group of physical devices and will forward traffic to the virtual IP address as required exactly as it would with a single physical gateway 15 4 VRRP versions 15 4 1 VRRP version 2 VRRP version 2 works with IPv4 addresses only i e does not support IPv6 and whole second advertisement intervals only The normal interval is one second since the timeout is three times that this means the fastest a backup can take over is just over 3 seconds You should configure all devices in a VRRP group with the same settings apart from their priority 85 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VRRP 15 4 2 VRRP version 3 VRRP version 3 works in much the same way but allows the advertisement interval to be any multiple of 10ms 1 100th of a second The default interval is still 1 second but it can now be set much faster so although the timeout is still 3 times the interval this means the backup could take over in as little as 30ms VRRP3 also works with IPv6 Whilst IPv4 and IPv6 VRR
64. outgoing tunnel ID Note that most parameters are not included in interim and stop accounting records The acct session id should be used by accounting servers to correlate interim and stop records with the start record The graph name could be used but is only available where there is a graph If too many different graphs then that is not present Some exceptions apply as they can be changed by a change of authorisation RADIUS request such as Connect Info F 4 Accounting Interim Table F 5 Accounting Interim AVP No Usage 125 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation Acct Status Type 40 3 Interim Update Acct Delay Time 41 Seconds since accounting data collected Acct Event 55 Data collected time unix timestamp Timestamp Acct Session Id 44 Unique ID for session Chargeable User 89 Graph name that applies sanitised to comply with CQM graph name rules Identity Connect Info 77 Text Tx speed Rx speed in use NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 NAS IPv4 address if using IPv4 NAS IPv6 Address 95 NAS IPv6 address if using IPv6 NAS Port 5 L2TP session ID Acct Input Octets 42 Rx byte count Acct Input 52 Rx byte count high 4 bytes Gigawords Acct Output Octets 43 Tx byte count Acct Output 53 Tx byte co
65. own IP header With the current implementation the only use of this is when it is required to provide both AH and ESP protection to encapsulated packets AH authentication with ESP encryption can provide marginally better authentication but is rarely used To configure this set up an ESP tunnel with just encryption and set up a separate AH IPsec entry in transport mode Each must have their own separate SPIs and the ESP entry should have the outer spi field set to the local spi of the AH entry The AH entry should have no IPs routing graph or speed set 12 1 3 5 Tunnelling to a non FireBrick device using Manually Keyed IPsec The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying provided a common set of algorithms can be chosen As an example the configuration for a Linux system using the ipsec tools package will be described Consider a tunnel between a FireBrick and a Linux system with the following setup e FireBrick has IP address 192 168 1 1 Linux system has IP address 192 168 2 2 e ESP encapsulation using HMAC SHA 1 authentication and AES CBC encryption e Authentication key 0123456789012345678901234567890123456789 e Encryption key 00010203040506070809101112131415 e Incoming SPI 1000 Outgoing SPI 2000 68 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels e FireBrick is providing connectivity for a local user subnet 10 1
66. pages and the object hierarchy ooocococcnccnnccnnccnnocnncnnncnnccnnconnconnccnnccnnconncos 12 3 4 2 1 Configuration Categories sciis in T e E 12 34 2 2 Object settings sioari era EEE E EE EE E ads 13 3 4 3 Navigating around the User Interface ocoooconoconcconoconocnnncnncnnncnnnrnnncnnconnccnnccnnioos 15 3 4 4 Backing up restoring the configuration 2 2 0 0 0 ccc cece cece cece cece eee c scene een eeneeeeneeeees 16 3 3 Configuration usinge XML sesse ernie a e altres ETE T aa abc st pilas 16 3 3 1 Introduction to XML ero Teee oe tae ereo EE EEEE EN ina 16 3 5 2 The root element lt COMfE gt seess rns e areor E EEE ES E EERI KESTA EE ESAE STEEVE EEES 17 3 5 3 Viewing or editing XML oo eee eceec nec ee eece cece cena eens een eeeeeeeeeeeeeeseeeseaees 17 3 5 4 Example XML configuration siiis ote enpa E enebenges bebe o dep cerns 17 3 6 Downloading Uploading the configuration ocooccncccnccnnccnnccnnccnnconnconnconncnnncnnronronccnncinnicnno 19 3 0 1 DOWnload O dees TEGS 19 3 6 2 Upload init ida a dio 20 A System Administra oN veis topo isri a a E saaheoehuie dias sa bab sods E plano feto e 21 4 1 User Management cintia ea E Rida ET Ue 21 AVA Dos ler da alar diia 21 4 1 2 Configuration access level ooooooocccoccnnconnccnnconnconoconnconncnnncnnccnnronncnnccnnccnnccnnioos 22 4 1 3 Login idle timeout inio bata de easeg rails desig has atada Dad 22 4 1 4 Restricting user lOBINS nienn eee a E E E E E
67. peer settings causes all of the BGP control packets to have a TTL of 255 and expects all received packets to be TTL 255 as well You can configure multiple hops as well setting ttl security 2 for example still sends TTL 255 but accepts 254 or 255 This works up to 127 You can also configure a non standard forced TTL mode by setting a negative TTL security 1 to 128 which forces a specific TTL on sending packets but does not check received packets For example setting ttl security 1 causes a TTL of 1 on outgoing packets This simulates the behaviour of some other routers in IBGP mode Using 2 3 etc will simulate the behaviour of such routers in EBGP multi hop mode This is non standard as RFCs recommend a much higher TTL and BGP does not require TTLs to be set differently Without ttl security set or set to 0 the RFC recommended default TTL us used on all sent packets and not checked on received packets 102 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 18 Internet Service Providers The FireBrick can be used by Internet Service Providers ISPs to provide Internet connectivity by acting as a gateway between a carrier network e g Broadband or mobile carrier and the Internet This chapter covers the ISP use of a FireBrick including L2TP and PPPoE L2TP can also be used on a smaller scale to creat point to point tunnels 18 1 Background 18 1 1 How it all began
68. points available For graph it is the last 24 to 25 hours You can display data for a specific date This only makes sense for today and during the first couple of hours of the day you can get yesterday in full The syntax is that of a date first in the form YYYY MM DD e g http host port cqm Y Y Y Y MM DD circuit png 1 2 3 Authenticated access Authenticate access requires a prefix of a hex shal string e g http host port cqm longhexsha1 circuit png or http host port cqm longhexsha1 Y Y YY MM DD circuit png The SHA 1 is 40 character hex of the SHA 1 hash made from the graph name the date and the http secret The date is in the form YY Y Y MM DD and is today s date for undated access based on local time This means a graph URL can be composed that is valid for a specific graph name for a specific day Note that an MDS can also be used instead but the SHA 1 is the preferred method 1 3 Graph display options The graphs can have a number of options which define the colours text and layout These are defined as http form get attributes on the URL e g http host port cqm circuit png H a heading Note that they can also be included in the path before the graph name e g http host port cqm H a heading circuit png in which case they can be separated by rather than amp The attributes are processed in order 1 3 1 Data points The data point controls can be included as either fieldname or fieldname colour T
69. protocols such as HTTPS or SSH over the tunnel The protocol supports multiple simultaneous tunnels to from an end point device and Local Tunnel ID values are used on an end point device to identify each tunnel The scope of the Local ID is restricted to a single end point device as such the tunnel itself does not possess a single ID value and is instead identified by the Local IDs in use at both ends which may well differ 12 2 1 Tunnel wrapper packets The protocol works by wrapping a complete IP packet in a UDP packet with the destination port number of the UDP packet defaulting to 1 but which can be set to any other port number if required These UDP packets are referred to as the tunnel wrappers and include the digital signature As with any other UDP traffic originating at the FB2500 the tunnel wrappers are then encapsulated in an IP packet and sent to the IP address of the far end tunnel end point The IP packet that is contained in a tunnel wrapper packet is referred to as the tunnel payload and IP addresses in the payload packet are not involved in any routing decisions until the payload is unwrapped at the far end Payload packet traffic is sent down a tunnel if the FB2500 s routing logic determines that tunnel is the routing target for the traffic Refer to Chapter 8 for discussion of the routing processes used in the FB2500 Often a dynamic route is specified in the tunnel definition such that traffic to a certa
70. same situation but the start times and duration of the two parts are not the same This stacking of CDRs is important for call billing In these examples A only expects to pay for a call to B which may even be free if an internal call But B expects to pay for the call to C because they diverted or transferred the calls A CDR can be associated with an incoming call leg this is normally set by RADIUS or by giving a carrier a cui setting This is sticky and stays with the calling leg and is logged when the calling leg ends even if the call did not connect Otherwise the CDR is only logged if it connects Note RADIUS CDR are only available on a fully loaded model Log e g syslog CDRs are available on all models 16 15 Technical details The FireBrick operates according to well established technical standards within specific design constraints which allow it to operate efficiently handling thousands of calls SIP 2 0 UDP control messages using IPv4 or IPv6 are supported up to approximately 1900 bytes fragmented if necessary The FireBrick always acts as an audio media endpoint i e it is always in the media path This minimises call routing and firewalling issues The FireBrick uses the same IP for media and control messages on each call The FireBrick always acts as a SIP protocol endpoint and not as a relaying proxy This minimises incompatibility between end devices being a party to a call as they do not see each others protoc
71. select a specific LAC by name if you wanted to 11 2 2 3 Logging The PPP connection status and PPP negotiation can be logged by setting the 1og attribute to a valid log target The 10g debug will log the whole PPP negotiation which is particularly useful when debugging connection problems 11 2 2 4 Speed and graphs As discussed in Chapter 10 graphs allow you to visual connections in terms of their state traffic rates and patterns etc By setting the graph attribute you can cause the state of the line data transferred each way and current packet loss and latency to be recorded on a graph Once you are graphing the PPPoE connection you can set traffic shaping to control speed see Section 10 1 2 Alternatively a PPPoE connection is something you can set a speed limit on directly setting the speed attribute will control the speed of traffic sent to the Internet this is mainly used when bonding PPP links 62 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 12 Tunnels The FB2500 supports the following tunnelling protocols e IPsec IP security e FB105 lightweight tunnelling protocol e L2TP e ETUN Ether tunnelling IPsec is an implementation of the IPsec protocol and IKEv2 key management protocol as defined in various RFCs This provides the means to authenticate and encrypt traffic sent over a public communication channel such as the Internet L2TP client fun
72. set s entry criteria are not met processing immediately procedes with the next rule set if any If the rule set s entry criteria are met or no entry criteria were specified processing of the rules within that rule set begins e Rules are processed sequentially e Each session rule specifies criteria and an action to be taken when traffic meets that criteria the action values are their meanings are shown in Table 7 1 Once a rule matches no more rules in that rule set are considered e If all of the rules in a rule set have been considered and none of them matched against the traffic then the action specified by the no match act ion attribute of the rule set is taken The available actions are the same as for a session rule Table 7 1 Action attribute values action attribute Action taken drop immediately cease rule processing quietly drop the packet and create a short lived session to drop further packets matching the rule criteria reject immediately cease rule processing drop the packet send rejection notification back to the traffic source and create a short lived session to drop further packets matching the rule criteria accept immediately cease rule processing and establish a normal session continue jump out of the rule set processing resumes with the next rule set if any ignore immediately cease rule processing quietly drop the packet but do not create a short lived session
73. set via web API or other means Table J 70 ping Attributes Attribute Type Default Description comment string Comment graph token graphname Not optional Graph name ip IPNameAddr Not optional Far end IP name string Name size unsignedInt 0 Payload size 0 1472 ping size slow boolean Auto Slow polling source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number for sending pings routetable J 2 52 profile Control profile General on off control profile used in various places in the config Table J 71 profile Attributes Attribute Type Default Description and List of NMTOKEN Active if all specified profiles are active as well as all other tests passing including not comment string Comment control switch users List of NMTOKEN Any users Restrict users that have access to control switch 182 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects fb105 List of NMTOKEN FB105 tunnel state any of these active initial boolean true Defines state at system startup if not using set interval duration 1 Time between tests invert boolean Invert final result of testing log NMTOKEN Not logging Log target log debug NMTOKEN Not logging Log
74. specified this replaces the number already present and is then used on the accounting start and relay L2TP Calling Station Id 31 Calling number may be specified this replaces the number already present and is then used on the accounting start and relay L2TP Chargeable User 89 This is used as the preferred CQM graph name Identity Class 25 Secondary CQM graph name to group sessions allowing group logging or shaping Session Timeout 27 Absolute limit on session in seconds Filter Id 11 See filter ID section Framed MTU 12 Set MTU for session Connect Info 77 Text tx speed limit to apply to session Tunnel Type 64 If specified must be 3 L2TP L2TP is assumed 123 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation Tunnel Medium Type 65 If specified must be 1 IPv4 or 2 IPv6 syntax of endpoint is used if this is not specified Tunnel Server 67 Text IPv4 or IPv6 address of endpoint FQDN is not accepted Endpoint Tunnel Client Auth 90 Hostname to quote on outgoing tunnel if omitted then configured FireBrick ID hostname is used Tunnel Password 69 Shared secret to use on outgoing tunnel encrypted if omitted then assumed no secret Tunnel Assignment 81 Name of outgoing tunnel shaper graph Also groups sessions together in a ID tunnel as per RFC Only use valid text gr
75. support for a very wide range of protocols that are carried over UDP and this is generally not practical Instead all sessions including TCP ones have an associated time out value if no packets matching the session arrive for a period equal to the time out value the session is deleted automatically This is adequate for most cases but may require selection of a suitable time out value based on knowledge of how frequently the higher level protocol sends packets An unnecessarily high time out may cause the session table to become populated with a significant number of sessions that correspond to flows or connections that have actually ceased However the FB2500 has highly efficient handling of session tracking both in terms of memory usage and processor load so in practice it can easily handle very large session tables hundreds of thousands of entries Note that TCP sessions also have time outs this is necessary since the connection may not be cleanly closed for example one end may crash if there were no time out the session table would hold a stale entry until the FB2500 was rebooted 7 3 Session Rules 7 3 1 Overview As each packet arrives the FB2500 determines whether the packet is part of an existing active session by doing a look up in the session table If a matching session is found the session table entry details determine how the packet is handled If no matching session is found the list of session rules is then
76. switch Profile manual setting oooconoconocnnocnnocnnonnnonnncnnncnnconnccnnocnnccnnconncnnncnnnos 203 J 3 35 firewall action Firewall action ocoooccnnccnccnncnnccnnccnnconnccnnccnnconoconncnnncnnncnnnonass 203 J 3 36 voip format Number presentation format oocoocccnccnnccnnconnconnconncnnacnnncnnncnnroninnnos 204 J 3 37 uknumberformat Number formatting Option ccoooccnnoccnnoccnnniccnnccnnnnccnnnnccnnoccnnns 204 J 3 38 recordoption Recording Option ooocccoccnnconnccnnconnconnconncnnncnnncnnrnnnrnnnrnnccnncinnicnno 204 J 3 39 ring group order Order Of ring 0 cece eee eee cee cee ceeeca ceca cena cena eens eeueeeneeeenees 204 J 3 40 ring group type Type of ring when one call in queue 0 ee cece eee eee 205 JA Basic LY Pes sh E E E E fae aes pia aude ts 205 o O TON 208 xiii www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 List of Figures 2 1 Initial web page in factory reset State amoran i a E E E E E E E a aa 7 2 2 Amitial Users page cat id A AAA E N EEE E 7 2 3 Setin up A oe eoa s a ar a E ESEE E PEPON EEE SEPAN TESTE EEO AEOS NESA E EPRS 8 2 4 Configuration being stored 0 00 0 ee cee EEEE EEEE ceca EEE EEEE EAEEREN EE EEEE IKES 8 3 1 Main Menu wis irene r a a yas IU pa a E a batwah ATE aE 11 3 2 Icons Tor layout Controls visiaci orein eee E e E e E E E iSe 12 3 3 Icons for configuration Categories j 5 5 5 ss scenes vecch ninas ci
77. targets It is possible to define two special targets black hole packets routed to a black hole are silently dropped Silent refers to the lack of any ICMP response back to the sender nowhere also called Dead End packets routed to nowhere are also dropped but the FB2500 generates ICMP error responses back to the sender The blackhole and nowhere top level objects are used to specify prefixes which are routed to these special targets In the User Interface these objects can be found under the Routes category icon 8 3 Dynamic route creation deletion For data links that have an Up Down state such as L2TP or FB105 tunnels or PPP links the ability to actually send traffic to the route target will depend on the state of the link For such links you can specify route s to automatically create each time the link comes up when the link goes down these routes are removed automatically Refer to Chapter 12 for details on how to achieve this via the routes attribute on the tunnel definition objects This can be useful where a link such as PPPoE is defined with a given localpref value and a separate route is defined with a lower localpref value i e less preferred and therefore acts as a fallback route if the PPPoE link drops 8 4 Routing tables The conventional routing logic described above operates using one of possibly many routing tables that the FB2500 can support simultaneously Routing tables are numbered
78. text default if not set in config is graph name h Sub heading text 1 3 3 Other colours and spacing Colours can be in the form of RGB RRGGBB RGBA RRGGBBAA defining red green blue alpha or some simple colour names Table I 4 Text Key Meaning L Defines a number of pixels to be provided on the left of the graph Bandwidth and scale axis shown based on space provided left and right R Defines a number of pixels to be provided on the right of the graph Bandwidth and scale axis is shown based on space provided left and right T Defines a number of pixels to be provided on the top of the graph Time axes is show based on space at top and bottom B Defines a number of pixels to be provided on the bottom of the graph Time axes is show based on space at top and bottom Y Defines Y bandwidth scale starting point 0 is lowest 1 is next etc y Defines Y ms scale max level in ms I Defines colour for graticule i Defines colour for axis lines g Defines colour for background within axis G Defines colour for background outside axis W Defines colour for writing text 1 4 Overnight archiving The system is designed to make it easy to archive all graphs or png xml etc files over night The graphs hold 1000 data points which is 27 hours 46 minutes This means you can access a full day s data for the previous day in the first 3 hours 46 minutes of the new day 2 hours 46 or 4 hours 46 wh
79. the Interface category in the top level icons under the section headed Ethernet interface port group vlan and subnets you will see the list of existing interface top level objects if any and an Add link The primary attributes that define an interface are the name of the physical port group it uses an optional VLAN ID and an optional name If the VLAN ID is not specified it defaults to 0 which means only untagged packets will be received by the interface To create a new interface click on the Add link to take you to a new interface defintion Select one of the defined port groups If the interface is to exist in a VLAN tick the vlan checkbox and enter the VLAN ID in the text field Editing an existing interface works similarly click the Edit link next to the interface you want to modify An interface object can have the following child objects e One or more subnet definition objects e Zero or more DHCP server settings objects e Zero or more Virtual Router Redundancy Protocol VRRP settings objects refer to Chapter 15 35 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets 6 3 1 Defining subnets Each interface can have one or more subnets definitions associated with it The ability to specify multiple subnets on an interface can be used where it is necessary to communicate with devices on two different subnets and it is acceptable that the subnets ex
80. the call ends This is to allow notes to be made etc after the call 16 8 1 Ring Type You can specify a different type of ringing rather than just ringing all phones at once Table 16 1 Ring Type Type Operation all Ring all phones at once cascade Ring phones in a sequence but do not stop ringing existing phones when starting to ring the next one sequence Ring phones in a sequence ringing one phone at a time You can set the timing used for calls to progress through the list of phones 16 8 2 Ring order When not ringing all phones at once you can control the order they are rung Table 16 2 Ring Order Order Operation strict Use the order you have listed the phones starting from the first phone each time the hunt group is called random Use a random order cyclic Ring in order that you have listed but continue that pattern on the next call rather than starting again oldest Consider how recently a phone has been in use and ring the oldest first This only works with internal phones not external numbers which are rung last 16 8 3 Overflow You can specify an overflow set of phone numbers to be rung if the call has been ringing too long You can configure how long is too long When you get to overflow time all phones are run including the overflow list 16 8 4 Out of hours You can set a profile on the hunt group which is typically a time and day based profile W
81. the group 6 1 2 Interfaces In the FB2500 an interface is a logical equivalent of a physical Ethernet interface adapter Each interface normally exists in a distinct broadcast domain and is associated with at most one port group Each port group which could be a single port can operate simply as an interface with no VLANs or can have one or more tagged VLANs which are treated as separate logical interfaces Using VLAN tags and a VLAN capable switch you can effectively increase the number of physical ports If you are unfamiliar with VLANs or the concept of broadcast domains Appendix D contains a brief overview By combining the FB2500 with a VLAN capable switch using only a single physical connection between the switch and the FB2500 you can effectively expand the number of distinct physical interfaces with the upper limit on number being determined by switch capabilities or by inherent IEEE 802 1Q VLAN or FB2500 MAC address block size An example of such a configuration is a multi tenant serviced office environment where the FB2500 acts as an Internet access router for a number of tenants firewalling between tenant networks and maybe providing access to shared resources such as printers 6 2 Defining port groups 34 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets Port groups come under the Interface category in the top level icons Under the section headed P
82. the system Please edit the configuration and add a user and password You can also edit XML Click on the edit the configuration link red text which will take you to the main user interface page for managing the configuration 2 2 1 Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick s user interface Click on the Users icon then click on the Add link to add a user The Users page is shown below with the Add link highlighted Figure 2 2 Initial Users page E FireBrick FB2500 aseaseeae E me E E ES Ed E EJ El Save Cancel There are unsaved changes that have not yet been sent to the FireBrick The config has been changed during your edit if you save now those changes will be replaced by yours Admin users Enter a suitable username in the Name box and enter a password passwords are mandatory as shown below Leave all other checkboxes un ticked but see the Tip below regarding the timeout setting Note Take care to enter the password carefully as the FB2500 does not prompt you for confirmation of the password www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Getting Started Figure 2 3 Setting up a new user Admin users user 1 of 1 New Erase Help User names passwords and abilities for admin users name E comment profite User name Comment Profil
83. to handsets via the office LAN network This can be the same network as used for PCs or separate or segregated using VLANs Instead of analogue phones or special system phones for a PABX the FB2500 works with any standard SIP VoIP phones There are a wide range of phones available in a range of price brackets The FireBrick has been tested well with snom phones including features such as busy lamp field lights and buttons The FB2500 scales well to support hundreds of phones in an office without needing extra FireBrick hardware This makes the FireBrick a much more scaleable and economical PABX solution than traditional systems It is possible to configure remote handsets e g for home workers connecting over the Internet The FB2500 can work with trunk carriers where one login connection is used to carry many calls to different numbers or it can appear to the carrier s as multiple separate VoIP devices or any combination This allows the FB2500 to be used with almost any VoIP carrier 16 4 Network Address Translation Network Addres Translation NAT is common on many Internet connections in homes and offices It means that the office uses private IP addresses e g 192 168 1 1 and these are mapped translated to one external address NAT is known to cause a lot of problems with a wide variety of applications and protocols One of those that suffers a lot from the problems of NAT is VoIP There are sometimes ways of making this wo
84. trusted List of List of allowed IP ranges from which IPNameRange additional access to certain functions is available J 2 12 dns service DNS service settings DNS forwarding resolver service Table J 16 dns service Attributes Attribute Type Default Description allow List of Allow from List of IP ranges from which service can be IPNameRange anywhere accessed auto dhcp boolean Forward and reverse DNS for names in DHCP using this domain comment string Comment domain string Our domain local only boolean true Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors profile NMTOKEN Profile name resolvers List of IPAddr Recursive DNS resolvers to use source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable Table J 17 dns service Elements Element Type Instances Description block dns block Optional unlimited Fixed local DNS host blocks host dns host Optional unlimited Fixed local DNS host entries J 2 13 dns host Fixed local DNS host settings DNS forwarding resolver service Table J 18 dns host Attributes Attribute Type Default Description comment string Comment lip _ Listof IPAddr OurIP IPaddressest
85. uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Network Diagnostic Tools 14 3 3 IP address matching You may optionally specify upto two IP address to be checked for a match in packets on the interface s and or L2TP session s specified If you do not specify any IP addresses then all packets are returned If you specify one IP address then all packets containing that IP address as source or destination are returned If you specify two IP addresses then only those packets containing both addresses each address being either as source or destination are returned IP matching is only performed against ARP IPv4 or IPv6 headers and not in encapsulated packets or ICMP payloads If capturing too much some packets may be lost 14 3 4 Packet types The capture can collect different types of packets depending on where the capture is performed All of these are presented as Ethernet frames with faked Ethernet headers where the packet type is not Ethernet Table 14 2 Packet types that can be captured Type Notes Ethernet Interface based capture contains the full Ethernet frame with any VLAN tag removed IP IP only currently not possible to capture at this level An Ethernet header is faked PPP PPP from the protocol word HDLC header is ignored if present An Ethernet header is faked and also a PPPoE header The PPPoE header has the session PPPoE ID that is the local end L2TP session ID The faked
86. uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects source interface List of NMTOKEN set source ip IPAddr New source IP set source port unsignedShort New source port set table unsignedByte 0 99 Set new routing table routetable set target ip IPAddr New target IP set target port unsignedShort New target port source string Source of data used in automated config management Source interface s source ip List of Source IP address range s IPNameRange source mac List up to Source MAC check if from Ethernet 12 hexBinary macprefix source port target interface List of PortRange List of NMTOKEN Source port s Target interface s target ip List of Target IP address range s IPNameRange target port List of PortRange Target port s Table J 88 session rule Elements Element Type Instances Description share session share Optional unlimited Load shared actions J 2 64 session share Firewall load sharing Firewall actions for load sharing Table J 89 session share Attributes Attribute Type Default Description comment string Comment profile NMTOKEN Profile name set gateway IPAddr New gateway set graph string Graph name for shaping logging set nat boolean Changed source IP and port to local for NAT set reverse gra
87. used to define which IP address is used as the source IP address of the tunnel payload packets TBC do you therefore need at least a 32 public IP that is used by the brick and is not associated with any specific WAN connection So far I have seen NAT used only where there is also a block of public IPs routed down the tunnel set 12 2 6 2 Another device doing NAT If you are using another device that is performing NAT for example a NAT ing ADSL router and that device is on the route that tunnel wrapper packets will take you may have to set up what is generally called port forwarding on your NAT ing router If the FB2500 is behind a NAT router it will not have a public IP address of its own which you can reference as the far end IP address on the other end point device Instead you will need to specify the WAN address of the NAT router for this far end address Whether you need to setup a port forwarding rule on your NAT router depends on whether the FB2500 behind the router has a far end IP address specified in tunnel definition s as follows e If it does then it will be sending tunnel wrapper packets via the NAT router such that a session will have been created in the NAT router by the session tracking functionality that is used to implement NAT this assumes there is no outgoing firewall rule on the NAT router that would prevent the wrapper packets from being forwarded The established session will mean that UDP packets t
88. way of knowing that the return traffic is part of an allowed by firewalling rules session and it would likely be dropped due to firewalling The overall process of analysing packet payloads and maintaining the session table is referred to as session tracking Session tracking is necessary to be able to implement firewalling using the kind of rules you might expect to specify for example allow TCP connection to port 80 on IP address 10 1 2 3 from any IP address note source port number not specified Session tracking will therefore be present in a firewall but not required in a router 41 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling The contents of the session table can be viewed in the web user interface by clicking Sessions in the Status menu You will normally see two entries per session one with a green background and one with a yellow background These two entries are the forward and reverse details of the session 7 2 1 Session termination For connection orientated protocols such as TCP the session tracking is able to detect connection closure and delete the session from the session table For protocols such as UDP which will likely be carrying a higher level protocol that may well itself implement some form of connection orientated data transfers further inspection and analysis of communications is not done by the FB2500 To do so would require
89. web sites that do not handle MTU and ICMP correctly Typically your ISP will be doing this TCP fix for you as well 61 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 PPPoE Testing has been done which confirms setting mtu 1500 works correctly on BT FTTC and FTTP lines as well as BT 21CN and TalkTalk lines via a suitable bridging modem Dlink 320B Note Testing using a Zyxel P660R in bridge mode confirms that BT 21CN ADSL lines will negotiate 1500 byte MTU but it seems the Zyxel will not bridge more than 1496 bytes of PPP payload If you select more than 1492 MTU and have problems it could be that some device connecting you to the access concentrator cannot handle the larger packets such as a bridge or a switch For this reason the default MTU is 1492 11 2 2 2 Service and ac name The PPPoE protocol allows multiple services to be offered and the service setting can be used to select which is available This is rarely needed and should be ignored unless you know what you are doing If specified even as an empty string then only matching services will be selected The name specified via the ac name attribute is the name of the PPPoE endpoint access controller In some cases there may be a choice of endpoints and setting this causes one to be selected by name Again this is rarely needed and if specified will only match the name you specify On Be O2 PPPoE lines for example you could
90. wget fetch one linked file at a time which is ideal I 5 Graph scores Graphs are scored based on settings in the config Each 100 second sample has a score which is included in the csv and xml lists for any graph The score is also totalled for a graph as a whole and included in the csv 146 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Constant Quality Monitoring technical details and xml list of all graphs This total is done by multiplying the last score by 864 the previous by 863 and so on for the previous 24 hours I 6 Creating graphs and graph names Graph names are text and up to 20 characters Only letters numbers and are allowed All other characters are removed It is recommended that names complying with this are used Any graph name that you try and use that is too long will be replaced with one that uses part of the name and a hash to try and ensure a consistent unique graph name is applied Graphs can be defined in some configuration settings such as interface names Graphs can also be created dynamically in some cases e g L2TP based graphs are made based on the Chargeable User Id Calling Station Id or User Name for a connected line and so can be defined from the RADIUS authentication response It is recommended that the circuit ID is used where available e g from BT platform RADIUS Whilst the FB2500 can manage thousands of graphs new graphs will not be
91. with a form to upload a configuration file in XML to the FB2500 also on the page is a link Download save config that will download the current configuration in XML format 3 5 Configuration using XML 3 5 1 Introduction to XML An XML file is a text file i e contains human readable characters only with formally defined structure and content An XML file starts with the line lt xml version 1 0 encoding UTF 8 gt This defines the version of XML that the file complies with and the character encoding in use The UTF 8 character coding is used everywhere by the FireBrick The XML file contains one or more elements which may be nested into a hiearchy Note In XML the configuration objects are represented by elements so the terms object and element are used interchangeably in this manual Each element consists of some optional content bounded by two tags a start tag AND an end tag A start tag consists of the following sequence of characters e a lt character e the element name e optionally a number of attributes e a gt character An end tag consists of the following sequence of characters e a lt character e a character e the element name e a gt character If an element needs no content it can be represented with a more compact self closing tag A self closing tag is the same as a start tag but ends with gt and then has no content or end tag 16 www voipon co uk sales voipon co uk Tel
92. 0 0 8 which encompasses 10 0 1 32 27 then a destination IP address of 10 0 1 35 will match the longest prefix smallest address range 27 route The order in which routes are created does not normally matter as you do not usually have two routes that have the same prefix However there is an attribute of every route called the Localpref which decides between identical routes the higher localpref being the one which applies If you have identical routes with the same localpref then one will apply you cannot rely on which one but it can in some cases mean you are bonding multiple links 50 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Routing Tip You can show the route s that apply for a specific destination IP address or address range using the CLI command show route You can also see a list of all routes in a routing table using the CLI command show routes There is also a routing display on the Diagnostics control web pages 8 2 Routing targets A route can specify various targets for the packet Table 8 1 Example route targets Target Notes an Ethernet interface locally atached subnet requires ARP or ND to find the device on the LAN to which the traffic is to be sent a specific IP address a gateway the packet is forwarded to another router gateway routing is then determined based on the gateway s IP address instead tunnel interface such as L2T
93. 1 0 24 e Linux system is providing connectivity for a local user subnet 10 2 2 0 24 A suitable FireBrick xml config for this would be lt ipsec Tocal ip 192 168 111 remote Tp 192 1687227 local spi 1000 remote spi 2000 type ESP auth algorithm HMAC SHA1 auth key 0123456789012345678901234567890123456789 crypt algorichm AES CBO crypt key 00010203040506070809101112131415 routes 10 2 2 0 24 gt A corresponding ipsec tools config file would be flush spaf Lush ada 192 168 22 192 168 le esp 1000 m tunnel E rijndael cbc 0x00010203040506070809101112131415 A hmac shal 0x0123456789012345678901234567890123456789 add 192 168 1 1 192 1687272 esp 2000 m tunnel E rijndael cbc 0x00010203040506070809101112131415 A hmac shal 0x0123456789012345678901234567890123456789 spdadd 10ra 1 O 24 0k 222 0 24 any P in ipsec esp tunnel 192 168 1 1 192 168 2 2 require spdade 102 2 0 24 10 1 1 07 24 any P out ipsec esp tunnel 192 168 2 2 192 168 1 1 require Note that rijndael is the name used by ipsec tools for the AES algorithm 12 1 4 Remote connection IPsec and L2TP Another common configuration is remote computer connections such as a PC or mobile phone making a VPN Virtual Private Network connection to a FireBrick This is similar to a tunnel but one end is a single device not a whole network The connection is made using IPsec in the same way as a tunnel but then there is
94. 1245 808299 VoIP 16 11 1 RADIUS accounting RADIUS accounting logs each call leg so a typical call has an incoming and outgoing leg e A RADIUS START message is sent when the call leg is created e A RADIUS INTERIM update is sent if when the call connects i e status 200 e A RADIUS STOP message is sent when the call ends even if it did not connect An interim update includes a call duration which is the time spent ringing A final stop message contains a call duration which is the time from the connection of the call 16 11 2 RADIUS authentication RADIUS authentication is used for any challenged requests such as REGISTER INVITE REFER SUBSCRIBE OPTIONS etc The Digest Method is always included to indicate a VoIP request and identify the type of request You can have a RADIUS authentication before the FireBrick challenges the reqestor setting the radius challenge settings allowing a RADIUS challenge response to customise the challenge this also happens for anon local request where the user is not recognised as a local telephone user Otherwise the FB2500 will send a challenge automatically and only send a RADIUS authentication when the authenticated message is received Tip For an unauthenticated request you can respond with an Access Challenge including the paramaters to challenge but any attributes you omit will be completed automatically so you can simple response with an empty challenge to simply confirm the FB2500
95. 2 62 rule set Firewall mapping rule set Firewalling rule set with entry criteria and default actions Table J 85 rule set Attributes Attribute Type Default Description comment string Comment cug List of PortRange Closed user group ID s interface List of NMTOKEN Source or target interface s ip List of Source or target IP address range s IPNameRange log NMTOKEN Not logging Log session start log end NMTOKEN Not logging Log session end log no match NMTOKEN log start Log if no match name string Name no match action firewall action Not optional Default if no rule matches profile NMTOKEN Profile name protocol List of unsignedByte Protocol s 1 ICMP 6 TCP 17 UDP source string Source of data used in automated config management source interface List of NMTOKEN Source interface s source ip List of Source IP address range s IPNameRange 187 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects source port List of PortRange Source port s startup delay duration 10 Startup interval to use ignore instead of reject drop table unsignedByte 0 99 0 Applicable routing table routetable target interface List of NMTOKEN Target interface s target ip List of Target IP address range s IPNameRange target port List of PortRange Target port s
96. 4 2 defines a single user with the highest level of access DEBUG see Section 4 1 defines a log target see Chapter 5 configures key system services see Chapter 13 defines physical port group see Section 6 1 defines an interface with one subnet and a DHCP allocation pool see Chapter 6 defines a set of firewalling rules see Chapter 7 00000009 3 6 Downloading Uploading the configuration The XML file may be retrieved from the FireBrick or uploaded to the FireBrick using HTTP transfers done via tools such as curl Using these methods configuration of the FB2500 can be integrated with existing administrative systems Note Linebreaks are shown in the examples below for clarity only they must not be entered on the command line 3 6 1 Download To download the configuration from the FB2500 you need to perform an HTTP GET of the following URL http lt FB2500 IP address or DNS name gt config config An example of doing this using cur 1 run on a Linux box is shown below curl http lt FB2500 IP address or DNS name gt config config user username password output filename Replace username and password with appropriate credentials The XML configuration file will be stored in the file specified by filename you can choose any file extension you wish or none at all but we suggest that you use xm1 for consistency with the file extension used when saving a configuration via the Us
97. 5 808299 System Services Table 13 2 List of system services Attribute Function table If specified then the service only accepts requests connections on the specified routing table If not specified then the service works on any routing table Where the service is also a client then this specifies the routing table to use default 0 allow If specified then this is a list of ranges of IP addresses and ip group names from which connections are allowed If specified as an empty list then no access is allowed If omitted then access is allowed from everywhere Note that if Local only is specified the allow list allows access from addresses that are not local if they are in the al low list local only This normally defaults to true but not in all cases If true then access is only allowed from machines on IPs on the local subnet and any addresses in the allow list if specified log The standard log log error and log debug settings can be used to specified levels of logging for the service A locally attached subnet is one which can be directly reached via one of the defined interfaces i e is not accessed via a gateway Tip Address ranges in allow can be entered using either lt first address gt lt last_address gt syntax or using CIDR notation lt start address gt lt prefix length gt If a range entered using the first syntax can be expressed using CIDR notation it will be automatically con
98. 86 J 2 60 session route rule Routing override rule 0 eee cee cence eee ceeeee seca seen sean eeaes 186 J 2 61 session route share Route override load sharing oooccocccnccnnccnnconnconnconiconicnnoos 187 J 2 62 rule set Firewall mapping rule set ooooocnnncnnccnnccnnccnncnnccnnconoconnccnnconnconnccnncnnnss 187 J 2 63 session rule Firewall rules sssr orne eean E E TEE AREE E EEEE pE 188 J 2 64 session share Firewall load sharing oooccnoccnccnnccnnncnnocnncnnnrnnoconccnnccnnccnniccnnions 189 52 65 voip Voice over AA cede co e Ea A Ee A E Se 190 J 2 66 carrier VoIP carrier details nins esine r a r EE EEE TESO p e ENa 191 J 2 67 telephone VoIP telephone authentication user details 1 0 0 0 eee ee ee eeee eee rere 192 2 68 tone Tone de MIOS vii ii 193 3 2 69TINSgrOUp Ran SSrOUPS oss 3 sg seen pride redew ade a e ee eld oe daueadet oa yendavadvedewertens 193 J270 e i Ether tonel tee Das 194 O O NO 194 3 3 1 autoloadtype Type of s w auto load oocooocnnccnnccnnccnocnnccnnccnnconnconnccnnconaconecinncos 194 3 3 2 config access Type of access user has to config ocoooccccccnccnnccnncnnoconccnnccnnccnnccnnioos 195 3 3 3 user level User Joplin el 195 3 3 4 syslog severity Syslog S Verity ooocoooccoccnoccnccnnccnnconnccnncnnncnnnconncnnncnnncnnrcnnroninnnss 195 J 3 5 syslog facility Syslog facility oooocoocconccncccnconnconnccnnccnnconnconoconcnnncnnncnnrcnnronoss 196 J 3 6 mo
99. 9 Attribute Type Default Description boot IP4Addr Next boot server boot file string Boot filename class string Class match client name string Client name match comment string Comment dns List of IP4Addr Our IP DNS resolvers domain string From system settings DNS domain force boolean Send all options even if not requested gateway List of IP4Addr Our IP Gateway ip List of TP4Range 0 0 0 0 0 Address pool lease duration 2 00 00 Lease length 162 Configuration Objects log NMTOKEN Not logging Log events allocations mac List up to Partial or full MAC addresses 12 hexBinary macprefix name string Name ntp List of 1P4Addr From system settings NTP server profile NMTOKEN Profile name source string Source of data used in automated config management syslog List of IP4Addr Syslog server time List of IP4Addr Our IP Time server Table J 31 dhcps Elements Element Type Instances Description send dhcp attr hex Optional unlimited Additional attributes to send hex send ip dhcp attr ip Optional unlimited Additional attributes to send IP send number dhcp attr number Optional unlimited Additional attributes to send numeric send string dhcp attr string Optional unlimited Additional attributes to send string J 2 24 dhcp attr hex DHCP server attributes hex Additional DHCP server attributes hex Table J 32 dhcp attr
100. ADDR fred somewhere com 65 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels e KEYID string any unstructured string eg KEYID This is my IKE ID It is common to use a peer s real IP address as its IKE ID and to avoid repetition specifying the ID in the form IP ie omitting the IP address will use the actual IP address Note that there is no requirement for the IP address specified to actually be the real IP address it is used solely for identification Similarly if the DOMAIN or MAILADDR forms of ID are used there is no requirement for the domain or mail address to actiually be associated with the peer During the connection setup phase these IDs are used to authenticate the two ends to each other Each peer passes its ID to the other end of the connection in an encrypted and signed format On receiving an ID it is checked a to confirm that it is the expected ID and b to confirm that the signature is valid The signing process can be performed using X 509 certificates public keys eg RSA digital signatures or pre shared keys Note that currently the FireBrick implementation only supports pre shared secret authentication A pre shared secret must be entered in the configuration at each end Note that the authentication of each peer to the other is performed independently and need not use the same method eg when implemented one may authenticate using a certificate and the ot
101. AN gt The graph is viewable directly as a PNG image from the FB2500 via the web User Interface to view a graph click the PNG item in the Graphs menu This will display all the graphs that are currently configured it is not currently possible to show a single graph within the web User Interface environment It is possible to access the graph data in many ways using the URL to control what information is shown labels and colours and also allowing graphs to be archived See Appendix I for more details Note You may find images shown for graph names that are no longer specified anywhere in the configuration Over time these graphs will disappear automatically Alternatively the underlying graph data is available in XML format again via the FB2500 s built in HTTP server The XML version of the data can be viewed in the web User Interface by clicking the XML item in the Graphs menu and then clicking on the name of the graph you re interested in Both directions of traffic flow are recorded and are colour coded on the PNG image generated by the FB2500 The directions are labelled tx and rx but the exact meaning of these will depend on what type of object the graph was referenced from for example on a graph for an interface tx will be traffic leaving the FB2500 and rx will be traffic arriving at the FB2500 Each data point on a graph corresponds to a 100 second interval where a data point is showing a tr
102. Caution a potentially critical point that you should pay attention to failure to do so may result in loss of data security issues loss of network connectivity etc 1 2 6 Comments and feedback If you d like to make any comments on this Manual point out errors make suggestions for improvement or provide any other feedback we would be pleased to hear from you via e mail at docs firebrick co uk 1 3 Additional Resources 1 3 1 Technical Support Technical support is available in the first instance via the reseller from which you purchased your FireBrick FireBrick provide extensive training and support to resellers and you will find them experts in FireBrick products However before contacting them please ensure you have e upgraded your FB2500 to the latest version of software see Section 4 3 and e are using the latest revision of the manual applicable to that software version and e have attempted to answer your query using the material in this manual Many FireBrick resellers also offer general IT support including installation configuration maintenance and training You may be able to get your reseller to develop FB2500 configurations for you although this will typically be chargeable you may well find this cost effective especially if you are new to FireBrick products www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Introduction If you are not satisfied with the support
103. Class field to send comment string Comment context name string Juniper Context Name SIN502 control port unsignedShort 3799 Control UDP port CoA DM dummy ip boolean true Send dummy framed IP response log NMTOKEN Not logging Log events log debug NMTOKEN Log debug log error NMTOKEN Log as event Log errors nsn conditional boolean Only send NSN settings if username is not same as calling station id nsn tunnel override unsignedByte Additional response for GGSN usage username nsn tunnel user unsignedInt Additional response for GGSN usage auth method order radiuspriority Priority tagging of endpoints sent 156 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects profile NMTOKEN Profile name relay ip List of IPAddr Address to copy RADIUS request relay port unsignedShort 1812 Authentication UDP port for copy RADIUS request relay table unsignedByte 0 99 Routing table number for copy of RADIUS routetable request secret Secret Shared secret for RADIUS requests needed for replies source string Source of data used in automated config management tagged boolean Tag all attributes that can be target hostname string Hostname for L2TP connection target ip List of IPNameAddr Target IP s or hostname for primary L2TP connection target secret test Secret List of IPAddr Shared secret
104. Comment name string Link name profile NMTOKEN Profile name source string Source of data used in automated config management text string Link text url string Link address J 2 3 user Admin users User names passwords and abilities for admin users Table J 6 user Attributes Attribute Type Default Description allow List of Restrict logins to be from specific IP IPNameRange addresses comment string Comment config config access full Config access level full name string Full name level user level ADMIN Login level name NMTOKEN Not optional User name username otp string OTP serial number password Password Not optional User password profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Restrict login to specific routing table routetable timeout duration 5 00 Login idle timeout zero to stay logged in J 2 4 log Log target controls Named logging target Table J 7 log Attributes Attribute colour Type Colour Default Description Colour used in web display www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 150 Configuration Objects comment string Comment console boolean Log immediately to console flash boolean Log immediately to slow flash memory use with care jt
105. E 22 iv www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual 41 4 1 Restrict BY IP address wsscecs e e EEE N vere EAEEREN ESN 22 414 2 Logged in IP addressen esac cpsven sees a E bebce EE ues nene 22 4 VA 53 A NS 23 4 2 General System Stn gS tico da tal fc 23 4 21 System name ChOSthaMe retroceso e E A be Mente pre 23 4 22 Administrative details vivia o oi ed Mende 23 4 2 3 System level event logging control 2 0 0 0 cece cece eee cece ceca cen eeneeeneeeeeeeeeeeeeaees 23 4 2 4 Home page web Jinks ooccoccoccnccoconcnnconcnnconcnnconccnconocncononncononncononnconanoronanocos 24 43s Software Upgrades issos E E E E R A tendon danee EERS ERIR geese emndse 24 4 3 1 Soltware release Ly pes erion ne A Sone E SEAS 24 473 01 Breakpoint releases iensen ne a EE EEA AEE A AAE nS 25 4 3 2 Identifying current software version ooocoocccocnnccnnccnnccnnccnnccnnconnconncnnnrnnncnnronnrcnnnnnos 25 4 3 3 Internet based upgrade Process ooccoccnoccnnccnnconncnnnconnconncnnncnnnnnnronoronnrnnccnnccnnccnninns 25 4 3 3 1 Manually initiating upgrades ooccooccnccnnccnnconncinnccnnccnnconnconaconncnnncnnncnnronass 26 4 3 3 2 Controlling automatic software updates ooocoocccnccnnccnnconcconccnnccnnccnnccnnccninono 26 4 345 Manual UPorade A A ape ee he ade 26 4 4 Boot PLOCESS wc ascnssaeeey sun age a E ss deaes peter ERNS E e tee desert da 27 4 4
106. F enabled In your handset you set up BLF by specifying an extension number of a handset to be monitored The busy light will typically be on solidly when in a call or flashing when there is an incoming call ringing You can also subscribe to a hunt group using its extension number this shows flashing when the hunt group has a ringing call Tip Pressing a button next to the busy light will usually call that extensions You can configure the monitored extension prefixed with the call pick up code default to make the button a pickup steal button This is ideal to pick up a ringing call for a telephone or hunt group when the light is flashing Note You can restrict who is allowed to subscribe to a phone or hunt group in the configuration 16 11 Using RADIUS RADIUS can be used to allow new handsets to be registered dynamically without individual configuration by using RADIUS authentication to an external RADIUS server RADIUS is also used to make call routing decisions RADIUS accounting can be used to log calls as they start and end to an external RADIUS server Note RADIUS for VoIP is only available on a fully loaded model Tip You have to configure each of the radius functions in the VoIP config leaving the radius setting unset will disable use of RADIUS for that feature There are separate configuration settings for register call and cdr 92 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0
107. FireBrick FB2500 User Manual 3 FB2500 Versatile Network Appliance www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual This User Manual documents Software version V1 27 001 Copyright 2012 2013 FireBrick Ltd www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Table of Contents Preface sciadeicottessstertessaninsee es aa rip rr pinte E R aioe se xix T Introduction osr o sno A A as eg TS Be Eee eee ee es 1 LV Fhe FB2500 unid Sstagedes oie ag a taandas eri 1 1 1 1 Where dop Start iii e E ig eedes EERE ESSEE EEG 1 1 1 2 What cant do tartas tiroidea rata yt E irte parte ase 1 1 1 3 Ethernet port capabilities oocccoccnnccnnconnconconccnnocnnncnnncnnrnnncnnccnnconnccnnccnncnnnccnnios 2 1 1 4 Differences between the devices in the FB2x00 series ooooccnnconcconoconoconocononnnccnnccnons 2 11 3 Software features orion seins ita ia 2 1 1 6 Migration from previous FireBrick models ocoooccoccnnccnnccnnccnnconnconoconconacnncnnnrnnnss 2 1 2 About this Manual veces ri add 3 A O dese 3 1 2 2 Intended audience sisia cc csecie eect cheese eects cu enon Sagceseais peed eaubacecesty ducews KE EEEE EEE 3 1 2 3 Technical detalla lr ote llenarte tl 3 1 24 Document style enisi res in reteniendo daa dsd 3 1 2 3 Doc ment Conventio
108. IKE implementations at both ends of the connection There is a global IKE option force NAT which can be used to specify IP ranges which should be assumed to have intervening NAT which can be used when the remote peer does not support NAT Traversal 12 1 3 Setting up Manual Keying To set up a new manually keyed IPsec tunnel select Add New IPsec manually keyed connection settings on the tunnel setup page 12 1 3 1 IP endpoints The local ip and remote ip must both be configured The local ip is the source IP used by the FireBrick when sending tunnelled traffic and the remote ip is the IP of the device at the far end of the tunnel You can also optionally specify an internal ipv4 and or an internal ipv6 address When specified these addresses are used for the source address of the tunnelled packet when the FireBrick sends traffic it originates itself down the tunnel unless the source address has already been specified by some other means If these are not specified the FireBrick will use the tunnel s local ip setting when appropriate Note that although obviously the tunnel endpoint addresses must be the same type of address both IPv4 or both IPv6 the traffic sent through the tunnel may be IPv4 IPv6 or a mixture of the two 12 1 3 2 Algorithms and keys Select the required encapsulation type either AH providing just authentication or ESP providing authentication and or encryption Select the required algorithms and choose appropriate
109. IP and port from which it is received rather than the endpoint defined in the SDP Registrations that seem to be from NAT connections will receive a null UDP packet at approximately 60 second intervals to keep the control session open on the NAT router This is not foolproof but works in most cases with simple NAT gateways including where a FireBrick is doing the NAT It obviously also works where a NAT device is doing full ALG and changing the control messages and RTP accordingly 16 5 Number plan When setting up an office phone system you need to consider extension numbers These are short numbers typically 2 3 or 4 digits used to call other telephones on the same system You can use these numbers to call other extensions and importantly use them in configuration of hunt groups and so on making the config easier to understand In addition to an extension numbers you would normally set a ddi Direct Dial In full phone number for each telephone This is not a requirement and you can just use internal numbers for phones if you prefer It is a good idea to make a clear plan for how you will allocate the internal numbers especially if you have a corresponding block of real phone numbers Consider which are nice numbers you may want to publish for some reason and which could be obvious mis dials Maybe group extensions by department etc Always assume you will need more numbers later so make a plan that allows for expansion Tip It is a g
110. L2TP proxy details indicate and incorrect MRU has been negotiated then LCP negotiation is restarted and the correct MRU negotiates This helps avoid various issues with fragmentation on some services on the internet when the broadband fully supports 1500 byte MTU This is also relevant where the FB6000 is deliberately configured to use a smaller MRU for example when the L2TP connection is remote via a 1500 MTU link There are options using Filter Id from RADIUS to force LCP restart However this does confuse some ppp implementations as it is after authentication is complete This can be useful where BT have provided an incorrect MRU for the end user another bug There is also an option to forward 1500 byte packets rather than fragmenting them When enabled ICMP is still generated for DF and IPv6 E 15 2 IP over LCP IP over LCP is a non standard coding of PPP packets for IPv4 and IPv6 The coding uses the LCP code C021 instead of the IPv4 0021 or IPv6 0057 code The first byte which would normally be the LCP type is 0x4X IPv4 or 0x6X IPv6 The FireBrick assumes any such LCP codes are IPv4 IPv6 when received and using a RADIUS response can send IP packets using LCP This is specifically to bypass any carrier IP specific shaping or DPI 121 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix F Supported RADIUS Attribute Value Pairs for L2TP operation RADIUS is used for authentication
111. Link10 Activity On when link up at 10Mbit s blink off when Tx or Rx activity Link100 1000 Activity On when link up at 100Mbit s or 1 Gbit s blink off when Tx or Rx activity Link10 1000 Activity On when link up at 10Mbit s or 1Gbit s blink off when Tx or Rx activity Link10 100 Activity On when link up at 10Mbit s or 100Mbit s blink off when Tx or Rx activity Duplex Collision On when full duplex blink when half duplex and collisions detected Collision Blink on when collisions detected Tx Blink on when Transmit activity Default for Yellow LED Rx Blink on when Receive activity Off Permanently off On Permanently on Link On when link up Link1000 On when link up at 1Gbit s Link100 On when link up at 100Mbit s Link10 On when link up at 10Mbit s Link100 1000 On when link up at 100Mbit s or 1Gbit s Link10 1000 On when link up at 10Mbit s or 1Gbit s Link10 100 On when link up at 10Mbit s or 100Mbit s Duplex On when full duplex For example to configure the port LEDs to show the port link speed via the pattern of the green and yellow LEDs you could set the green attribute to Link10 1000 Activity and the yellow attribute to Link100 1000 so that the indication is Table 6 2 Example modified Port LED functions Green Yellow Indication Off Off Link down On Blinking Off Link up at 10Mbit s Tx or Rx Activity Off On Blinking Link up at 100Mbit s Tx or Rx Activity On Blinking On B
112. MTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors mode ike mode Wait ike connection setup mode mtu unsignedShort 1500 MTU for wrapped packets name NMTOKEN Name payload table unsignedByte 0 99 0 Routing table number for payload traffic peer ID string Peer IKE ID peer auth method ike authmethod Use auth method method for authenticating peer peer ips List of Accept from peer s IP or range IPNameRange anywhere peer secret Secret use secret shared secret used to authenticate peer profile NMTOKEN Profile name routes List of IPPrefix Routes when link up secret Secret shared secret used to authenticate self to peer source string Source of data used in automated config management speed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 0 Routing table number for IKE traffic and routetable tunnel wrappers tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS type ipsec type ESP Encapsulation type Table J 66 ike connection Elements Element Type Instances Description route ipsec route Optional unlimited Routes to apply to tunnel when up J 2 49 ipsec route IPsec tunnel routes Routes for prefixes that are sent to the IPsec tunnel Table J 67 ipsec route Attributes Attribute Type Default Description bgp bgpmode BGP announce
113. N Not optional Carrier name outgoing format voip format national Dialled number format for outgoing calls password Secret Carrier password for outbound registration or inbound authenticated calls 191 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects profile NMTOKEN Profile name proxy string Carrier proxy hostname or address for registration and calls registrar string Carrier hostname for registration send hold boolean true Pass hold state to carrier source string Source of data used in automated config management source ip IPAddr Source IP to use table unsignedByte 0 99 0 Routing table number routetable to List of string To SIP request address for inbound invites may be domain for any at a domain trust cli boolean true Trust inbound calling line identity username string Carrier username for outbound registration or inbound authenticated calls withhold string Mark withheld outbound calls using this dial prefix and send CLI in remote party id J 2 67 telephone VoIP telephone authentication user details VoIP telephone details Table J 93 telephone Attributes Attribute Type Default Description allow List of Allow from List of IP ranges from which registration IPNameRange anywhere accepted allow pickup List of string Allow all if PABX Only allow pickup from these extensions mode
114. Once upon a time end users would use a computer and a modem to dial a provider The provider would have a modem connected to a server and this would allow simple text access to a computer system This was then used to provide bulletin boards This moved on and providers started to allow direct Internet Protocol IP access to end users The modem would connect and the computer would authenticate and pass IP packets using protocols such as SLIP and PPP This allowed the computer to authenticate and be allocated an IP address 18 1 2 Point to Point Protocol Point to Point Protocol PPP worked well and is still in use today in broaband access networks The modem at the provider would connect to the providers network and the Internet Typically there would be one device an Access Concentrator which connected IP on one side and modems on the other The IPs would be fixed for each modem so dynamic for the end user as depends which port they hit and routing could be static to each Access Concentrator PPP is quite a simple protocol that allows packets to be marked with their type but it also provides negotiation protcols for Link Control LCP authentication CHAP and PAP and IP level negotiations IPCP and IPV6CP Once negotiation is complete then IP packets can be passed using PPP As networks became more complex a separation of the Access Concentrator in to a L2TP Access Concentrator LAC which has the modems and the L2TP Network Server LNS
115. P PPPoE or FB105 such routes are created as part of the config for the tunnels interface and relate to the specific tunnel special targets e g the FB2500 itself or to a black hole causes all traffic to be dropped These are covered in more detail in the following sections 8 2 1 Subnet routes Whenever you define a subnet or one is created dynamically e g by DHCP an associated route is automatically created for the associated prefix Packets being routed to a subnet are sent to the Ethernet interface that the subnet is associated with Traffic routed to the subnet will use ARP or ND to find the final MAC address to send the packet to In addition a subnet definition creates a very specific single IP a 32 for IPv4 or a 128 for IPv6 route for the IP address of the FB2500 itself on that subnet This is a separate loop back route which effectively internally routes traffic back into the FB2500 itself i e it never appears externally A subnet can also have a gateway specified either in the config or by DHCP or RA This gateway is just like creating a route to 0 0 0 0 0 or 0 as a specific route configuration It is mainly associated with the subnet for convenience If defined by DHCP or RA then like the rest of the routes created by DHCP or RA it is removed when the DHCP or RA times out Example lt subnet ip 192 168 0 1 24 gt creates a route for destination 192 168 0 0 24 to the interface associated w
116. P are completely independent you can configure both at once in a single vrrp object by listing one or more IPv4 addresses and one or more IPv6 addresses VRRP3 is used by default for any IPv6 addresses or where an interval of below one second is selected It can also be specifically set in the config by setting the attribute version3 to the value true Caution If you have devices that are meant to work together as VRRP but one is version 2 and one is version 3 then they will typically not see each other and both become master The FB2500 s VRRP Status page shows if VRRP2 or VRRP3 is in use and whether the FireBrick is master or not 15 5 Compatibility VRRP2 and VRRP3 are standard protocols and so the FB2500 can work alongside other devices that support VRRP2 or VRRP3 Note that the FB2500 has non standard support for some specific packets sent to the VRRP virtual addresses This includes answering pings configurable and handling DNS traffic Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick 86 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 16 VoIP 16 1 What is VoIP Voice over IP VoIP is simply a means of carrying voice telephone calls over Internet Protocol the Internet Instead of using pairs of wires to carry the signal electrically the sound is sampled and converted to a sequence of bytes Thi
117. Pairs riie e n E E E E S ERE 117 E 1 Start Control Connection Request e cece cece ceeecncece cece cea ceeeceeeeeeeeeeeeeeeaeeeaeeea eens eeaes 117 E 2 Start Control Connection Reply oooccoccnnccnnccnnconnconoconncnnncnnncnnnnnnrnnnrnnconnconnccnnconnconncinnios 117 E 3 Start Control Connection Connected oocooocnnccnncnnncnnccnnconnconnconnconnconnconncnnncnnncnnncnnroninnnn 118 E 4 Stop Control Connection Notification oooconccconcnccnnnrnnocnnccnnconnccnnccnnconnconncnnnrnnnrnnnnnnnonoss 118 En Hell A A OA 118 E 6 Incoming Call REquest 05 055 Jssececsehswaasen e ess tano e sete sn EE R EEEE E EES EEEN 118 E 7Incoming Call Reply iii Meee AWA a DA Nee Ate AEG 119 EB Incoming Call Connected c ss3 cose isadensaewadeuaheca ete stone rias crean eae orante deed dee Weed deatavuenenty 119 E 9 Onteome Gall REQUEST A di 119 E 10 Outgomg CallEReply 5 ssvevey sueassganeedtes eeeegepnted despise des pused hehe E conv ted geoy RE E EE EEE 120 El Outgomp Call Connect ds vinci ss iia 120 E 12 CalleDisconnect Notily ieis aa a a e EE san A E gavegass ued dundee e TAa 120 E13 WAN Error Notify cortas A Sete o to LD RIN ove 120 E14 Set Link nfo pinra a e E E E R E NE E EE 120 EAS Notes Ai di A E dei aed darles 121 ETSI BT specifie Motes sasien e a E E E ANERE S REESE 121 A IP oyver LCP A N fete een N E N TO E T 121 F Supported RADIUS Attribute Value Pairs for L2TP operation oocooocnnccnnccnncnnnccnccnnccnnccnnccnnccnnioos 122 F 1 Aut
118. S IPNameRange request name string Name nsn conditional boolean Only send NSN settings if username is not same as calling station id nsn tunnel override unsignedByte username Additional response for GGSN usage nsn tunnel user unsignedInt Additional response for GGSN usage auth method order radiuspriority Priority tagging of endpoints sent profile NMTOKEN Profile name relay ip List of IPAddr Address to copy RADIUS request relay port unsignedShort 1812 Authentication UDP port for copy RADIUS request relay table unsignedByte 0 99 Routing table number for copy of RADIUS routetable request secret Secret Shared secret for RADIUS requests needed for replies source string Source of data used in automated config management tagged boolean Tag all attributes that can be target hostname string Hostname for L2TP connection target ip List of IPNameAddr Target IP s or hostname for primary L2TP connection target secret Secret Shared secret for L2TP connection test List of IPAddr List of IPs that must have routing for this target to be valid deprecated tunnel assignment string Tunnel Assignment ID to send id tunnel client return boolean Return tunnel client as radius IP username List of string One or more patterns to match username J 2 17 radius server RADIUS server settings Server settings for outgoing RADIUS Table J 23 r
119. S path as if network received unsignedInt bgp bgpmode BGP announce mode for routes comment string Comment ip List of IPAddr Not optional One or more local network addresses localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable 167 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects tag List of Community List of community tags J 2 34 bgp Overall BGP settings The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers Table J 43 bgp Attributes Attribute Type Default Description as unsignedInt Our AS cluster id IP4Addr Our cluster ID comment string Comment 1d IP4Addr Our router ID log NMTOKEN Not logging Log events name string Name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable Table J 44 bgp Elements Element Type Instances Description peer bgppeer Optional up to 50 List of peers neighbours J 2 35 bgppeer BGP peer definitions The peer definition specifies the attributes of an individual peer Multiple IP addresses can be specified t
120. SN authset Set of ipsec auth Accept any Integrity check algorithm for IPsec traffic algorithm supported algorithm cryptset Set of ipsec crypt Accept any Encryption algorithm for IPsec traffic algorithm supported algorithm name NMTOKEN Not optional Name J 2 48 ike connection peer configuration IPsec peer connection configuration Table J 65 ike connection Attributes Attribute Type Default Description auth method ike authmethod Not optional method for authenticating self to peer bgp bgpmode BGP announce mode for routes blackhole boolean false Blackhole routed traffic when tunnel is not up comment string Comment graph token graphname Graph name ike proposals List of NMTOKEN use built in default proposals IKE proposal list www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 internal ipv4 IP4Addr local ip Internal IPv4 for traffic originated on the FireBrick and sent down tunnel internal ipv6 IP6Addr local ip Internal IPv6 for traffic originated on the FireBrick and sent down tunnel 179 Configuration Objects ipsec proposals List of NMTOKEN use built in default proposals IPsec proposal list routetable local ID string Local IKE ID local ip IPAddr Local IP localpref unsignedInt 4294967295 Localpref for route highest wins log NMTOKEN Not logging Log events log debug N
121. Short 60 Max lifetime on ARP and ND bgp bgpmode BGP announce mode for routes broadcast boolean false If broadcast address allowed comment string Comment gateway List of IPAddr One or more gateways to install ip List of IPSubnet Automatic by DHCP One or more IP len localpref unsignedInt 4294967295 Localpref for subnet highest wins mtu unsignedShort As interface MTU for subnet 576 2000 mtu name string Name nat boolean false Short cut to set nat default mode on all IPv4 traffic from subnet can be overridden by firewall rules profile NMTOKEN Profile name proxy arp boolean false Answer ARP ND by proxy if we have routing ra ramode false If to announce IPv6 RA for this subnet ra dns List of IP6Addr List of recursive DNS servers in route announcements ra managed dhcpv6control RA M managed flag ra max unsignedShort 600 Max RA send interval 4 1800 ra max ra min unsignedShort Min RA send interval 3 1350 ra min ra mtu unsignedShort As subnet MTU to use on RA ra other dhcpv6control RA O other flag ra profile NMTOKEN Profile if inactive then forces low priority RA source string Source of data used in automated config management test IPAddr Test link state using ARP ND for this IP ttl unsignedB yte 64 TTL for originating traffic via subnet J 2 22 vrrp VRRP settings VRRP settings provide virtual router redundancy for the FireBrick Profile inactive does not disable vrrp but forces vrrp low priority Us
122. Stop interactive logging to this CLI session lasts until logout or tron H 1 2 Trace on tron Restart interactive logging to this CLI session Some types of logging can be set to log to console which shows on the CLI H 1 3 Uptime uptime show uptime Shows how long since the FB2500 restarted H 1 4 General status show status Shows general status information including uptime who owns the FireBrick etc This is the same as the Status on the web control pages H 1 5 Memory usage show memory Shows memory usage summary H 1 6 Process task usage show tasks Shows internal task list This is mainly for diagnostics purposes H 1 7 Login Login Normally when you connect you are prompted for a username and password If this is incorrect you can use the login to try again 136 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference H 1 8 Logout logout Guat exit You can also use Ctrl D to exit or close the connection if using telnet H 1 9 See XML configuration show run show configuration Dumps the full XML configuration to the screen H 1 10 Load XML configuration import configuration You then send the XML configuration ending with a blank line You would not normally import a configuration using this command as you can use the web
123. TP is available one or more sessions using the full hex accounting ID can be specified e g 12tp 002132D94AE297DFF51E01 or you can use l2tp followed by a calling line ID this sets up logging for a session based on calling line id when it next connects snaplen Snaplen The maximum capture length for a packet can be specified in bytes Default O auto See notes below timeout Timeout The maximum capture time can be specified in seconds Default 10 ip IP address 2 off Up to two IPs can be specified to filter packets self Include my IP By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded This option allows such traffic Use with care else you dump your own dump traffic 14 3 2 Security settings required The following criteria must be met in order to use the packet dump facility e You must be accessing from an IP listed as trusted in the HTTP service configuration see Section 13 3 e You must use a user and password for a DEBUG level user the user level is set with the level attribute on the user object Note These security requirements are the most likely thing to cause your attempts to packet dump to fail If you are getting a simple 404 error response and think you have specified the correct URL if using an HTTP client please check security settings are as described here 81 www voipon co uk sales voipon co
124. Table J 86 rule set Elements Element Type Instances Description ip group ip group Optional unlimited Named IP groups rule session rule Optional unlimited Individual rules first match applies J 2 63 session rule Firewall rules Firewall rule The individual firewall rules are checked in order within the rule set and the first match applied The default action for a rule is continue so once matched the next rule set is considered Table J 87 session rule Attributes Attribute Type Default Description action firewall action continue Action taken on match comment string Comment cug List of PortRange Closed user group ID s interface List of NMTOKEN Source or target interface s ip List of Source or target IP address range s IPNameRange log NMTOKEN As rule set Log session start log end NMTOKEN As rule set Log session end name string Name profile NMTOKEN Profile name protocol List of unsignedByte Protocol s 1 ICMP 6 TCP 17 UDP set gateway IPAddr New gateway set graph string Graph name for shaping logging set graph source boolean Graph name based on source MAC mac set initial timeout duration Initial time out set nat boolean Changed source IP and port to local for NAT set ongoing timeout duration Ongoing time out set reverse graph string Graph name for shaping logging far side of session 188 www voipon co
125. US Attribute Value Pairs for L2TP operation F 6 Disconnect A disconnect message is accepted as per RFC5176 if the session can be disconnected and ACK is sent else a NAK Table F 7 Disconnect AVP No Usage Acct Session Id 44 Unique ID for session Chargeable User 89 This is used as CQM graph name Identity Acct Terminate 49 Cause code as appropriate to be used in accounting stop message Cause The session is identified by Acct Session Id if present else by Chargeable User Identity No other identification parameters are supported If sent then they are ignored F 7 Change of Authorisation A change of authorisation message is accepted as per RFC5176 Table F 8 Change of Authorisation AVP No Usage Acct Session Id 44 Unique ID for session Chargeable User 89 This is used as CQM graph name Identity Framed Route 22 May appear more than once Text format is Pv4 Address Bits 0 0 0 0 metric The target IP is ignored but must be valid IPv4 syntax The metric is used as localpref in routing Delegated IPv6 123 IPv6 prefix to be routed to line Maximum localpref used Prefix Framed IPv6 Prefix 97 IPv6 prefix to be routed to line Maximum locapref used Framed IPv6 Route 99 May appear more than once Text format is Pv6 Address Bits metric The target IP is ignored but must be valid IPv6 syntax The metric is used as localpref in routing Alternati
126. VoIP progress 1000ms 1000ms 400Hz 3dB 450Hz 3dB 1000ms ring 1000ms 400ms 400Hz 3dB 450Hz 3dB 200ms 400ms 400Hz 3dB 450Hz 3dB 1000ms queue 700ms 400ms 400Hz 3dB 450Hz 3dB 200ms 400ms 400Hz 3dB 450Hz 3dB 200ms 400ms 400Hz 3dB 450Hz 3dB 700ms busy 375ms 400Hz 375ms hold 100ms 400Hz 3dB 450Hz 3dB 200ms 100ms 400Hz 3dB 450Hz 3dB 2600ms wait 2600ms 100ms 400Hz 3dB 450Hz 3dB 200ms 100ms 400Hz 3dB 450Hz 3dB close encounter 1000ms 300ms 588Hz 300ms 654Hz 400ms 524Hz 600ms 262Hz 1000ms392Hz 1000ms bbc 50ms 345ms 122Hz 35ms 300ms 525Hz 2000ms 1000Hz 1000Hz Tip Accessing a url on the FireBrick of voip ring wav serves a WAV format of the tone You can test tones using a URL like voip tone wav 100ms 1000Hz 200ms 2000Hz but ensure you URL escape the query string 97 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 17 BGP 17 1 What is BGP BGP Border Gateway Protocol is the protocol used between ISPs to advise peers of routes that are available Each ISP tells its peers the routes it can see being the routes it knows itself and those that it has been advised by other peers In an ideal world everyone would tell everyone else the routes they can see there would be almost no configuration needed all packets would find the best route accross the Internet automatically To some extent this is what happens between major transit provid
127. a further step using L2TP to further authenticate the device This uses PPP to set up IP addresses so normally means routing a single IP to the device and a default route from the device Note The configuration for this is not yet complete in the FireBrick It will involve an IPsec configuration set up for a dynamic far end and for connection to L2TP You then configure L2TP with local authentication or using RADIUS to set up the L2TP level connection 12 1 5 Choice of IPsec algorithms Both authentication and encryption allow a choice of algorithms 69 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels Tip The fastest encryption algorithm is Blowfish The fastest authentication is null esp auth but you may prefer to pick one of the authentication protocols to avoid garbage packets being decrypted and processed 12 2 FB105 tunnels The FB105 tunnelling protocol is a FireBrick proprietary protocol that was first implemented in the FireBrick FB105 device and is popular with FB105 users for setting up VPNs etc It is lightweight in as much as it is relatively simple with low overhead and easy setup but it does not currently offer encryption Although encryption is not available the protocol does digitally sign packets so that tunnel end points can be confident that the traffic originated from another trusted end point Where it matters encryption can be utilised via secure
128. additional information name NMTOKEN Not optional Profile name not NMTOKEN Active if specified profile is inactive as well as all other tests passing including and or List of NMTOKEN Active if any of these other profiles active regardless of other tests including not or and ppp List of NMTOKEN PPP link state any of these are up recover duration 1 Time before recover i e how long test has been passing route List of IPAddr Test passes if all specified addresses are routeable set switch Manual override ignore ALL other settings source string Source of data used in automated config management table unsignedByte 0 99 Routing table for ping route routetable timeout duration 10 Time before timeout i e how long test has been failing virp List of NMTOKEN VRRP state any of these is master Table J 72 profile Elements Element Type Instances Description date profile date Optional unlimited Test passes if within any date range specified ping profile ping Optional Test passes if address is answering pings time profile time Optional unlimited Test passes if within any time range specified J 2 53 profile date Test passes if within any of the time ranges specified Time range test in profiles Table J 73 profile date Attributes Attribute Type Default Description comment string Comment start dateTime Start Y YY Y MM DDTHH MM SS stop dateTime E
129. adius server Attributes Attribute Type Default Description comment string Comment host List of IPNameAddr Not optional One or more hostname IPs of RADIUS servers max timeout duration 20 Maximum final timeout min timeout duration 5 Minimum final timeout 158 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects name string Name port unsignedShort From services radius UDP port settings profile NMTOKEN Profile name queue unsignedInt Concurrent requests over all of these servers per type scale timeout unsignedByte 2 Timeout scaling factor secret Secret Not optional Shared secret for RADIUS requests source string Source of data used in automated config management table unsignedByte 0 99 Routing table number routetable type Set of radiustype All Server type J 2 18 ethernet Physical port controls Physical port attributes Table J 24 ethernet Attributes Attribute Type Default Description autoneg boolean auto negotiate unless Perform link auto negotiation manual 10 100 speed and duplex are set clocking LinkClock prefer slave Gigabit clock setting crossover Crossover auto Port crossover configuration duplex LinkDuplex auto Duplex setting for this port flow LinkFlow none Flow control setting green LinkLED Link Activity Green LED setting optimis
130. affic rate the rate is an average over that interval For each named graph the FB2500 stores data for the last 24 hours Note Specifying a graph does not itself cause any traffic shaping to occur but is a pre requisite to specifying how the associated traffic flow should be shaped 57 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Traffic Shaping 10 1 2 Shapers Once you have graphed a possibly bi directional traffic flow you can then also define speed restrictions on those flows These can be simple Tx and Rx speed limits or more complex settings allowing maximum average speeds over time You define the speed controls associated with the graphed traffic flow s by creating a shaper top level object To create or edita shaper object in the web User Interface first click on the Shape category icon To create a new object click the Add link To edit an existing object click the appropriate Edit link instead The shaper object specifies the parameters primarily traffic rates to use in the traffic shaping process and the shaper is associated with the appropriate existing graph by specifying the name attribute of the shaper object to be the same as the name of the graph 10 1 3 Ad hoc shapers You can define a shaper object and set the speed controls for that shaper and then define the graph attribute on something e g an interface to apply that shaper to the interface
131. ag boolean Log immediately jtag development use only name NMTOKEN Not optional Log target name profile NMTOKEN Profile name source string Source of data used in automated config management Table J 8 log Elements Element Type Instances Description email log email Optional unlimited Email settings syslog log syslog Optional unlimited Syslog settings J 2 5 log syslog Syslog logger settings Logging to a syslog server Table J 9 log syslog Attributes Attribute Type Default Description comment string Comment facility syslog facility LOCALO Facility setting port unsignedShort 514 Server port profile NMTOKEN Profile name server IPNameAddr Not optional Syslog server severity syslog severity NOTICE Severity setting source string Source of data used in automated config management source ip IPAddr Use specific source IP table unsignedByte 0 99 0 Routing table number for sending syslogs routetable J 2 6 log email Email logger settings Logging to email Table J 10 log email Attributes Attribute Type Default Description comment string Comment delay duration 1 00 Delay before sending since first event to send from string One made up using Source email address serial number 151 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects
132. al 18 1 2 Pomnt to Point Protocol 0 lt scscseyoss o5s enweacags none torno deso E R E ny OTe EEN EAEn ate 103 AS 1S A OO 103 18 1 4 Broadband pct sssdeues aes sohtiac te ceci codubonacestenthae ha onnesetebacsdeuaners I des costas 104 ISES DA SA A EN 104 A O deee asst Staal by Sen ERR own tees 104 18 2 Incoming E2TP CONMECHONS cuisine 104 18 3 The mportanc of COM raph c c3ssegeeesees eect taancubdacwpy ced lasgetedd ons deed Sede Pevenctee mB sesnnw eens 105 18 4 Authentication A A A eet Se 105 18 5 Accounting ooe e a cadapheue sas ahuen thes vwenesed ye cotorra tatoo actes 106 18 6 RADIUS Control messages 0 0 0 0 cece cece cece cece ce eeca cece cece cena cena RER SOE EE TES 106 18273 PPPOE iii esnwbet wed Nes ntue testo las dase e a deen tone 106 18 8 Typical CONSUMO eri A ey S E E e E Er SEA RRAS 106 1828 1 lt InterlnkeSubnet cities f ltd 106 18 8 2 BGP wath Cartier ii A os eisai EEAS 106 18 8 3 RADIUS SESSION StCCLIN Gs 55 05s saccnyocu hess ssudaes etek Saad ee R EA NEE RS EE aS 107 18 84 21 Pend points a A A wed ebay 107 18 8 9 ISP RADIUS vies wade O NO 108 19 Commiand Line Interface tin da Be ee AEI 109 A Factory Reset Procedure misterio tatiana id 110 B CIDR and CIDR Notation m aaa rca O ee cabal eeu aaa gehen erences 112 CMAC A seve dny cbs e yp Sas E EA EEEE E NE e OEE pp ete oben wed E RENE ES 114 DAVLANS SA primer sieners ea A ese whee E A edad aoe ee 116 E Supported L2TP Attribute Value
133. al PPPoE client connects to access controller bras 12tp PPPoE server mode linked to L2TP operation J 3 24 peertype BGP peer type Peer type controls many of the defaults for a peer setting It allows typical settings to be defined with one attribute that reflects the type of peer Table J 120 peertype BGP peer type Value Description normal Normal BGP operation transit EBGP Mark received as no export peer EBGP Mark received as no export only accept peer AS customer EBGP Allow export as if confederate only accept peer AS internal IBGP allowing own AS reflector IBGP allowing own AS and working in route reflector mode confederate EBGP confederate ixp Internet exchange point peer on route server J 3 25 ipsec auth algorithm IPsec authentication algorithm Table J 121 ipsec auth algorithm IPsec authentication algorithm Value Description null No authentication 201 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects HMAC MD5 HMAC MD5 96 RFC 2403 HMAC SHA1 HMAC SHA1 96 RFC 2404 AES XCBC AES XCBC MAC 96 RFC 3566 HMAC SHA256 HMAC SHA 256 128 RFC 4868 J 3 26 ipsec crypt algorithm IPsec encryption algorithm Table J 122 ipsec crypt algorithm IPsec encryption algorithm Value Description null No encryption RFC 2410 3DES CBC 3DES CBC RFC 2451 blowfish Blow
134. al port status with various status indications possible controllable via the configuration see Section 6 4 28 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 5 Event Logging 5 1 Overview Many events in the operation of the FireBrick create a log entry These are a one line string of text saying what happened This could be normal events such as someone logging in to the web interface or unusual events such as a wrong password used or DHCP not being able to find any free addresses to allocate 5 1 1 Log targets A log target is anamed destination initially internal to the FB2500 for log entries you can have multiple log targets set up which you can use to separate out log event messages according to some criteria for example you could log all firewalling related log events to a log target specifically for that purpose This makes it easier to locate events you are looking for and helps you keep each log target uncluttered with un related log events this is particularly important when when you are logging a lot of things very quickly A log target is defined using a 1og top level object when using the web User Interface these objects are in the Setup category under the heading Log target controls Every log entry is put in a buffer in RAM which only holds a certain number of log entries typically around 1MB of text once the buffer is full the oldest entries are
135. all leg has a CLI calling number a Dialled number a display Name a number of CDR records each of which have CDR and Dialled as well and finally a number of email addresses for call recording The response attributes are processed in order Initially the last call leg is the originating call When a new outgoing leg is added that becomes the current call leg Table 16 3 Access Accept AVP No Usage Calling Station Id 31 Replaces CLI of current call leg Called Station Id 30 Replaces Dialled number of current call leg User Name 1 Replaces the Name of the current call leg Filter Id 11 Adds a call recording email address to the current call leg Chargeable User 89 Adds a CDR record with this CUI and current CLI and Dialled attributes to Identity the current call leg SIP AOR 121 Creates a new outgoing call leg See below for formats An outgoing call leg is created for each SIP AOR entry and it can be in one of the following formats Each of this can also include a number of digits and a symbol at the start which specifies a delay before attempting to connect that outgoing leg e number carrier which causes a call via a known carrier The part after the is the name of carrier in the config The Dialled number is set to the number specified and the CLI is set from the originating call e tel number which causes a call via a registered telephone The Dialled number is set to the number spec
136. alling Station Id 31 Calling number as received on L2TP Service Type 6 Framed Framed Protocol 7 PPP Framed MTU 12 Final MTU being used for session Filter Id 11 Filters in use Session Timeout 27 Absolute limit on session in seconds if specified in authentication reply Framed Interface ID 96 Peer IPv6 Interface ID from PPP IPV6CP Framed IP Address 8 Peer IPv4 address negotiated in PPP normally from authentication response Connect Info 77 Text Tx speed Rx speed in use Acct Delay Time 41 Seconds since session started Acct Event 55 Session start time unix timestamp Timestamp Acct Session Id 44 Unique ID for session NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 NAS IPv4 address if using IPv4 NAS IPv6 Address 95 NAS IPv6 address if using IPv6 NAS Port 5 L2TP session ID Tunnel Type 64 Present for relayed L2TP sessions L2TP Tunnel Medium Type 65 Present for relayed L2TP 1 IPv4 or 2 IPv6 Tunnel Client 66 Present for relayed L2TP text IPv4 or IPv6 address of our address on the Endpoint outbound tunnel Tunnel Server 67 Present for relayed L2TP text IPv4 or IPv6 address of the far end address of Endpoint the outbound tunnel Tunnel Assignment 82 Present for relayed L2TP text local L2TP tunnel ID ID Tunnel Client Auth 90 Present for relayed L2TP local end hostname quoted by outgoing tunnel ID Tunnel Server Auth 91 Present for relayed L2TP far end hostname quoted by
137. alling check 79 Packet dumping 80 DNS configuring resolver s to use 76 E Ether tunnel overview 73 Ethernet Ports configuring LED indication modes 38 configuring speed and or duplex modes 38 defining port groups 34 relationship with interfaces 34 sequenced flashing of LEDs 27 Event logging external logging 30 overview 29 viewing logs 32 F H Hostname setting 23 HTTP service configuration 75 Interfaces defining 35 Ethernet 34 relationship with physical ports 34 Internet Service Providers overview 103 L LEDs Power LED status indications 27 Log targets 29 Logging see Event logging N NAT requesting via session rule 48 Navigation buttons in user interface 15 NTP Network Time Protocol configuring time servers to use 77 O Object Hierarchy overview 9 Object Model definition of 9 formal definition 10 P Packet dumping 80 Example using curl and tcpdump 83 PPPoE configuring 61 overview 60 Profiles defining 54 overview 54 viewing current state 54 R Firewall RADIUS definition of 41 configuring service 77 Firewalling Route recommended method 47 definition of 50 Router G definition of 41 Graphs 57 Routing 208 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Index route targets 51 Vv Denan 46 Virtual Router Redundancy Protocol VRRP 84 enning virtual router definition of 84 VRRP v
138. allow export defaults to true The community no export is added to exported routes unless explicitly de tagged internal For IBGP links Peers only with same AS allow own as defaults to true 99 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 BGP reflector For IBGP links that are a route reflector Route reflector rules apply Peers only with same AS allow own as defaults to true confederate For EBGP that is part of a confederation Confederation rules apply Peers only with different AS ixp Must be EBGP and sets default of no fib and not add own as Routes from this peer are marked as IXP routes which affects filtering on route announcements 17 2 5 Route filtering Each peer has a set of import and export rules which are applied to routes that are imported or exported from the peer In future there will be named peer groups route maps and prefix lists The objects import and export work in exactly the same way checking the routes imported or exported against a set of rules and then possibly making changes to the attributes of the routes or even choosing to discard the route Each of these objects contain e Cosmetic attributes such as name comment and source e Route matching attributes allowing specific routes to be selected e Action attributes defining changes to the route e A continuation attribute stop defining if the matching stops at this rule default
139. allow someone to have access from outside e g the FireBrick support team H 8 5 Show command sessions show command sessions The FB2500 can have multiple telnet connections at the same time This lists all of the current connections H 8 6 Kill command session kin command session lt IPAddr gt You can kill a command session by IP address This is useful if you know you have left a telnet connected from somewhere else Telnet sessions usually have a timeout but this can be overridden in the configuration for each user H 8 7 Flash memory list show flash contents Lists the content of flash memory this includes various files such as software releases configuration and so on Multiple copies are usually stored allowing you to delete a later version if needed and roll back to an older version H 8 8 Delete block from flash delete config lt unsignedInt gt confirm lt string gt 141 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference delete data lt unsignedInt gt confirm lt string gt delete image lt unsignedInt gt confirm lt string gt Delete a block from flash memory This cannot be undone You have to specify the correct type of block and specify confirm yes for the command to work H 8 9 Boot log show boot log lt unsignedInt gt Show log of recent boots You can specify the number of
140. alpha Load test releases J 3 2 config access Type of access user has to config Table J 98 config access Type of access user has to config Value Description none No access unless explicitly listed view View only access no passwords read Read only access with passwords full Full view and edit access J 3 3 user level User login level User login level commands available are restricted according to assigned level Table J 99 user level User login level Value Description NOBODY Unknown or not logged in user GUEST Guest user USER Normal unprivileged user ADMIN System administrator DEBUG System debugger J 3 4 syslog severity Syslog severity Log severity different loggable events log at different levels Table J 100 syslog severity Syslog severity Value Description EMERG System is unstable ALERT Action must be taken immediately CRIT Critical conditions ERR Error conditions WARNING Warning conditions NOTICE Normal but significant events INFO Informational DEBUG Debug level messages NO LOGGING No logging 195 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 3 5 syslog facility Syslog facility Syslog facility usually used to control which log file the syslog is written to Table J 101 syslog facility Syslog facility
141. ames too Be O2 PPPoA lines only support PPPoA in theory In practice they also support PPPoE This means you can use a PPPoE A modem or a bridging modem TalkTalk lines support both PPPoA and PPPoE and so can work with a bridging modem They support baby jumbo frames too BT FTTC lines come with a VDSL modem which supports PPPoE directly so no extra equipment is needed to connect to the FireBrick BT FTTP lines terminate on an active NTE which supports PPPoE directly so no extra equipment is needed to connect to the FireBrick For other types of lines in the UK or those in other countries you need to know what they can do on the wire PPPoA or PPPoE and have a suitable modem router to talk that protocol and convert to PPPoE on the LAN link to the FB2500 It seems most DSL routers will bridge PPPoE on the wire to PPPoE on the LAN but few will act as a PPPoE access concentrator The Vigor V 120 is one of the few that handle PPPoA on the wire and PPPoE link to the FB2500 60 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 PPPoE A significant benefit of the Vigor V 120 is that it works with no configuration on BT 20CN and 21CN lines as well as Be O2 PPPoA lines and TalkTalk lines you just plug it in to the line and the FB2500 and it just works There are also modems that work in bridged mode and support baby jumbo frames allowing PPPoE through to the carrier BRAS with full size MTU For
142. analysed to determine whether a new session should be established or whether the traffic should be dropped or rejected Each session rule contains a list of criteria that traffic must match against and contains an action specification that is used in the logic to decide whether the session will be allowed or not The session rule can also e make the session subject to traffic shaping e specify that Network Address Translation should occur e specify that address and or port mapping should occur Session rules are grouped into rule sets and together they are involved in a well defined processing flow sequence described in the next section that determines the final outcome for a candidate session Tip The FB2500 provides a method to illustrate how specific traffic will be processed according to the flow described This can be used to debug your rules and rule sets or simply to improve verify your understanding of the processing flow used to determine whether sessions are established Refer to Section 14 1 for details 42 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling 7 3 2 Processing flow The following processing flow applies to rules and rule sets e Rule sets are processed sequentially e Each rule set can optionally specify entry criteria if present these criteria must be matched against for the rules within the rule set to be considered e If the rule
143. and accounting of L2TP connections If no authentication servers are configured then authentication is not performed If no accounting servers are configured then no accounting is generated Multiple servers can be configured and they are processed in order Each can have multiple IP addresses The IP addresses are tried based on the previous performance response time etc If a server does not respond a number of times as configured then it is blacklisted for a configurable period It is possible to configure local configurations which are checked before any RADIUS authentication It is possible to configure L2TP so that RADIUS accounting must respond and if not then the sessions are disconnected F 1 Authentication request Table F 1 Access request AVP No Usage Message 80 Message signature as per RFC2869 Authenticator User Name 1 Username from authentication PAP CHAP or proxy authentication received on L2TP Called Station Id 30 Called number as received on L2TP Calling Station Id 31 Calling number as received on L2TP Acct Session Id 44 Unique ID for session as used on all following accounting records NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 NAS IPv4 address if using IPv4 NAS IPv6 Address 95 NAS IPv6 address if using IPv6 NAS Port 5 L2TP session ID Service Type 6 Framed Framed Protocol 7 PPP CHAP Password 3 CHAP ID and response
144. and replies are expected If replies are not being received the test fails Profiles can be logically combined using familiar boolean terminology i e AND OR and NOT allowing for some complex profile logic to be defined that determines a final profile state from several conditions By combining profiles with the FB2500 s event logging facilities they can also be used for automated monitoring and reporting purposes where profile state changes can be e mailed direct from the FB2500 For example a profile using a Ping test can be used to alert you via e mail when a destination is unreachable The current state of all the profiles configured on your FB2500 can be seen by choosing the Profiles item in the Status menu Tip You can also define dummy profiles that are permanantly Active or Inactive which can be useful if you wish to temporarily disable some functionality without deleting configuration object s For example you can force an FB105 tunnel to be Down preventing traffic from being routed through it Refer to Section 9 2 4 for details 9 2 Creating editing profiles In the web user interface profiles are created and edited by clicking on the Profiles category icon A profile is defined by a profile top level object 9 2 1 Timing control The following timing control parameters apply e interval the interval between tests being performed e timeout the duration that the overall test must have been failing for be
145. and routing apart from the PPP endpoint and DNS The update can also include change of routing table This can be useful to move an active connection in to a walled garden and back without ever dropping the PPP connection itself This can be useful for credit control systems 18 7 PPPoE In addition to working as a conventional LNS the FireBrick can also be configured to operate as a PPPoE endpoint as a BRAS The PPPoE connections appear as if they has arrived via L2TP so can have local IP termination or relay via L2TP to another LNS The FireBrick supports baby jumbo frame negotiation to allow full 1500 byte MTU operation 18 8 Typical configuration The FB2500 is very felxible but a typical configuration for L2TP as an ISP connected to a carrier generally follows a standard set up Some carriers need specific extra settings and the FireBrick support team can provide examples if you require 18 8 1 Interlink subnet A carrier will normally have an interlink this could be a dedicated port on the FB2500 or a VLAN perhaps via a suitable switch In any case this is an interface in the configuration Some carriers use a 30 IPv4 interlink per LNS and some use a larger subnet covering several LNSs 18 8 2 BGP with carrier This interlink is usually ised soley for the purpose of a BGP link to the carrier and all other IPs used by the ISP or carrier are announced via that BGP connection You may want to configure filters on the BGP c
146. aph names Tunnel Preference 83 Specifies preference order when multiple tagged endpoints sent Note that whilst a RADIUS response is normally relatively small in can get larger when multiple tunnel endpoints are included Fragmented responses are handled but there is an internal limit to the size of response that can be processed as such we recommend keeping the response to a single un fragmented packet of up to 1500 bytes You can use tag 0 for common settings such as Tunnel Client Auth ID or Tunnel Password when using multiple endpoints in order to reduce the size of the response F 2 1 1 Prefix Delegation The RADIUS authentication response can include Delegated IPv6 Prefix Framed IPv6 Prefix and Framed IPv6 Route in order to route native IPv6 prefixes to the line If there are any native IPv6 routes or the Framed IPv6 Interface attribute was specified then IPV6CP negotiation is started Framed IPv6 Route can also be used to added IPv4 tunneled routes to the line The FE80 10 link local address negotiated with IPV6CP is not added to the routing for the line The client can send a Router solicitation to which the FireBrick will reply advising to use DHCPv6 for addressing Once a router solicitation is sent periodic Router Advertisements will then be sent on the connection by the Firebrick The client can use DHCPv6 to request an IA_NA 128 link address IA_TA 128 temp link address IA_PD Prefic delegation and DNS s
147. as been factory reset there are three methods to set this up as described below select the method that you prefer or that best suits your current network architecture e Method 1 use the FireBrick s DHCP server to configure a computer If your computer is already configured as many are to get an IP address automatically you can connect your computer to port 1 on the FireBrick and the FireBrick s inbuilt DHCP server should give it an IPv4 and IPv6 address Method 2 configure a computer with a fixed IP address Alternatively you can connect a computer to port on the FireBrick and manually configure your computer to have the fixed IP address es shown below Table 2 1 IP addresses for computer IPv6 IPv4 2001 DB8 2 64 10 0 0 2 subnet mask 255 255 255 0 e Method 3 use an existing DHCP server to configure the FireBrick If your LAN already has a DHCP server you can connect port 4 of your FireBrick to your LAN and it will get an address Port 4 is configured by default not to give out any addresses and as such it should not interfere with your existing network You would need to check your DHCP server to find what address has been assigend to the FB2500 2 2 Accessing the web based user interface If you used Method 1 you should browse to the FireBrick s web interface as follows or you can use the IP addresses detailed Table 2 2 IP addresses to access the FireBrick URL http my fi
148. at confirms not only routability of each next hop but also that it is answering ARP ND requests Whenever a next hop is infeasible then all routes using that next hop are removed When it becomes feasible the routes are re applied This goes beyond the normal BGP specification and minimises any risk of announcing a black hole route 17 2 11 Diagnostics The web control pages have diagnostics allowing routing to be show either for a specific target IP finding the most specific route which applies or for a specified prefix This lists the routes that exist in order and indicates if they are supressed e g route feasibility has removed the route There are command line operation to show routing as well It is also possible using the command line to confirm what routes are imported from or exported to any peer The diagnostics also allow ping and traceroute which can be useful to confirm correct routing 17 2 12 Router shutdown One router shutdown e g for software load all established BGP sessions have all announced routes cleanly withdrawn and the session closes cleanly However all received routes are retained in the routing table until the final shutdown and restart This minimises the impact of the shutdown when operating a pair of routers as it allows all outbound traffic to continue while stopping inbound traffic 17 2 13 TTL security The FireBrick supports RFC5082 standard TTL security Simply setting ttl security 1 on the
149. ate products based on state of the art processing platforms featuring an entirely new operating system and IPv6 capable networking software written from scratch in house by the FireBrick team Custom designed hardware manufactured in the UK hosts the new software and ensures FireBrick are able to maximise performance from the hardware and maintain exceptional levels of quality and reliability The result is a product that has the feature set and performance to handle the tasks encountered in today s office networking environments where new access technologies such as Fibre To The Cabinet FTTC deliver faster connections than ever before The new software is closely related to that which runs on FireBrick s big box product the FB6000 a carrier grade product that has been proven in the field for a number of years effortlessly handling huge volumes of traffic and thousands of customer connections The software is constantly being improved and new features added so please check that you are reading the manual appropriate to the version of software you are using This manual is for version V1 27 001 XiX www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 1 Introduction 1 1 The FB2500 1 1 1 Where do start The FB2500 is shipped in a factory reset state This means it has a default configuration that allows the unit to be attached directly to a computer or into an existing network
150. ayed as a matrix of boxes giving the appearance of a wall of bricks one for each attribute associated with that object type Figure 3 5 shows an example for an interface object covered in Chapter 6 13 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Figure 3 5 Editing an Interface object MW comment 8 profile Comment Profile name m port 8 vian 8 mtu Port group name VLAN ID O untagged l arr MTU for this interface WAN y 0 8 ra client 8 ping Accept IPv6 RA and create auto config subnets and routes true 8 log error 8 log debug Log errors Log debug Log as event Not logging By default more advanced or less frequently used attributes are hidden if this applies to the object being edited you will see the text shown in Figure 3 6 The hidden attributes can be displayed by clicking on the link Show all Figure 3 6 Show hidden attributes There are additional attributes which have not been shown Show all Each brick in the wall contains the following e a checkbox if the checkbox is checked an appropriate value entry widget is displayed otherwise a default value is shown and applied for that setting If the attribute is not optional then no checkbox is show e the attribute name this is a compact string that exactly matches the underlying XML attribute name e a short description of the attribute Tip Tf there is no default shown for an at
151. ber of 514 but if necessary you can change this by setting the port attribute value 5 3 2 Email You can cause logs to be sent by e mail by creating an email object that is a child of the log target 10g object An important aspect of emailed logs is that they have a delay and a hold off The delay means that the email is not sent immediately because often a cluster of events happen over a short period and it is sensible to wait for several log lines for an event before e mailing The hold off period is the time that the FB2500 waits after sending an e mail before sending another Having a hold off period means you don t get an excessive number of e mails since the logging system is initially storing event messages in RAM the e mail that is sent after the hold off period will contain any messages that were generated during the hold off period The following aspects of the e mail process can be configured e subject you can either specify the subject by setting the subject attribute value or you can allow the FB2500 to create a subject based on the first line of the log message e mail addresses as to be expected you must specify a target e mail address using the to attribute You can optionally specify a From address by setting the from atttribute or you can allow the FB2500 to create an address based on the unit s serial number outgoing mail server the FB2500 normally sends e mail directly to the Mail eXchanger MX host
152. cation method 20 0 0 eee ee eee ceee ce ee ca eeca cece eeaeeeae een eeneeeneeeees 203 J 127 ike mode connection setup MOE 1 2 0 0 eee eee cece cece eeee en a an snie 203 J 128 ipsec type IPsec encapsulation type oocoooccnnconoconccnnocnnccnnnnnnconnrnnnrnnncnnconnccnnccnnconncnnncnnncnnnss 203 J 129 ipsec mode Manually keyed IPsec encapsulation mode oooccoccnnccnnccnnccnnconnconnconncnnncnncnnnccnose 203 J 130 switch Profile manual setting coooocccooccnnnoccnnccnnnnccnnnocnnnocnnnnconnnccnnncononnconnornnnnccnnnncnonioos 203 J131 fir wall action Firewall Acton 90 08 555 nne an daveedod eect bean avesdonesoa hardened do tenddheanceesaeneds 203 J 132 voip format Number presentation format 0 ccc cece cece ence cece eeceneeeeeeeeeeeeeeeeeeaeseaeeenes 204 J 133 uknumberformat Number formatting Option oocccoocconoccnnnocnnnccnnnnconnnrcnnnccnnnnconnccnnnnccnnnncnnnss 204 J 134 recordoption Recording Option rsss isser rai E E een E EE EEE E AEREE ERE 204 J 133 rinmg ero p order Order OF TINS soseri dese aes fees N E EE A a e 204 J 136 ring group type Type of ring when one call in queue oocoooccnnconcconcconocnnocnncnnncnnaccnccnncinnicnno 205 J137 Basiesdata types sione e a waves tose E E RSE e Seated ds TE ASSAS 205 xviii www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Preface The FB2500 device is the result of several years of intensive effort to cre
153. ce of a filter has no effect To set normal routing table 0 zero send TO To set not a member of a CUG send AO F 9 Notes F 9 1 L2TP relay L2TP relay means that an incoming call ICRQ is relayed to another L2TP endpoint The decision of which calls to relay to what endpoint can be made in one of two ways e Configured pattern match based on calling number called number or login e RADIUS response to initial authentication request advising new endpoint for connection A test is made against the config on the initial connection based on known data This is calling number if present called number if present and login proxy_auth_name if present If a match is found the call is relayed with no additional PPP packets exchanged If there is no proxy LCP provided or the provided negotiation conflicts with the configuration then LCP negotiation is completed If there is no proxy authentication PPP authentication is start until a response login is received from the peer assuming authentication is required in the config At this point a further check is made for a configured relay which can now be based on a login if one was not present before RADIUS authentication is completed and if the response indicates a relay then the call is relayed The relayed call includes the incoming call parameters and any LCP and authentication parameters that may have been negotiated at that point F 9 2 LCP echo and CQM graphs Depending on
154. cket queue 1 100 unsignedInt ipsec local spi Manually keyed Security Parameters Index assigned locally 256 65535 unsignedInt ipsec spi Manually keyed Security Parameters Index assigned by peer 256 4294967295 unsignedInt ping size Data payload size to be sent in ping packet 0 1472 unsignedInt iprangelist List of IPranges PRange portlist List of protocol port ranges PortRange protolist List of IP protocols unsignedByte userlist List of user names username 206 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects prefix4list List of IPv4 Prefixes 1P4Prefix routetableset Set of routetables routetable vlan nz VLAN ID 1 4095 unsignedShort dates Set of dates datenum tun id Local tunnel ID 1 20 unsignedShort ses id Local session ID 1 250 unsignedShort 207 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Index B BGP overview 98 Boot process 27 Breadcrumbs 12 C Configuration backing up and restoring 16 categories user interface 12 methods 10 overview 9 overview of using XML 16 transferring using HTTP client 19 using web user interface 10 Configuration Basic data types 205 Configuration Data types 194 Configuration Field definitions 148 D DHCP configuring server 37 configuring subnet with DHCP client 36 Diagnostics Access check 80 Firew
155. ckets e g PPPoE m Sets the connection to fragment IPv4 packets with DF not set that are too big for the advised MRU This is teh default i L This is not a filter and not confirmed back on accounting start and not valid on Change of Authorisation It forces a restart of LCP negotiation This is useful when BRASs lie about negotiated LCP such as BTs 21CN BRASs This is not a filter and not confirmed back on accounting start and not valid on Change of Authorisation It stops an LCP negotiation restart that may be planned e g due toan MRU mismatch X Pad packets to 74 bytes if length fields appears to be less needed to work around bug in BT 20CN BRAS for IPv6 in IP over LCP mode C Send all IPv4 and IPv6 using the LCP type code only works if FireBrick doing PPP at far end O Mark session as low priority see shaper and damping P Mark session as premium see shaper and damping Sn Set LCP echo rate to n seconds default 1 sn Set LCP timeout rate to n seconds default 10 bn Disable anti spoofing source filtering 128 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation q n Specify or add to quota for tx bytes Use either q or Q Action depends on Terminate Action Q n Specify or add to quota for total tx rx bytes For change of authorisation the absen
156. cols between two hosts that the brick is routing traffic between This feature is provided via the FB2500 s HTTP server and provides a download of a pcap format file old format suitable for use with t cpdump or Wireshark A packet dump can be performed by either of these methods e via the user interface using a web page form to setup the dump once the capture data has been downloaded it can be analysed using t codump or Wireshark e using an HTTP client on another machine typically a command line client utility such as cur1 80 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Network Diagnostic Tools The output is streamed so that when used with curl and tcpdump you can monitor traffic in real time Limited filtering is provided by the FB2500 so you will normally apply any additional filtering you need via tcpdump 14 3 1 Dump parameters Table 14 1 lists the parameters you can specify to control what gets dumped The Parameter name column shows the exact parameter name to specify when constructing a URL to use with an HTTP client The Web form field column shows the label of the equivalent field on the user interface form Table 14 1 Packet dump parameters Parameter name Web form field Function interface Interface One or more interfaces as the name of the interface e g interface WAN also applies for name of PPPoE on an interface 12tp L2TP session Where L2
157. ction setup mode Table J 127 ike mode connection setup mode Value Description Wait Wait for peer to initiate the connection On demand Bring up when needed for traffic Immediate Always attempt to bring up connection J 3 32 ipsec type IPsec encapsulation type Table J 128 ipsec type IPsec encapsulation type Value Description AH Authentication Header ESP Encapsulating Security Payload J 3 33 ipsec mode Manually keyed IPsec encapsulation mode Table J 129 ipsec mode Manually keyed IPsec encapsulation mode Value Description tunnel IPsec tunnel transport IPsec transport J 3 34 switch Profile manual setting Manual setting control for profile Table J 130 switch Profile manual setting Value Description false Profile set to OFF true Profile set to ON control switch Profile set based on control switch on home page J 3 35 firewall action Firewall action Table J 131 firewall action Firewall action Value Description 203 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects continue Continue rule set checking accept Allow but no more rule set checking reject End all rule checking now and set to send ICMP reject drop End all rule checking now and set to drop ignore End all rule checking and ignore drop just this packet
158. ctionality enables tunnelled connections to be made to an L2TP server Ether tunnelling provides a mechanism to tunnel layer 2 ethernet traffic between two devices using the protocol defined in RFC3378 Support for FB105 tunnels means the FB2500 can inter work with existing FB105 hardware FB105 tunnels can also be set up between any two FireBricks from the FB2x00 and FB6000 ranges which support FB105 tunnelling 12 1 IPsec IP Security 12 1 1 Introduction One of the uses of IPsec is to create a private tunnel between two places This could be two FireBricks or between a FireBrick and some otehr device such as a router VPN box Linux box etc The tunnel allows traffic to IP addresses at the far end to be routed over the Internet in secret encrypted at the sending end and decrypted at the receiving end IPsec can also be used to set up a VPN between a roaming client and a server providing security for working at home or on the road scenarios This usage is known as Road Warrior The FireBrick IPsec implementation will support this usage scenario but the implementation is not yet complete There are three main aspects to IP Security integrity checking encryption and authentication 12 1 1 1 Integrity checking The purpose of integrity checking is to ensure that the packets of data when received are identical to when transmitted i e their contents have not been tampered with en route There are a number of algorithms that ca
159. cularly true when using XML If you are unfamiliar with the FB2500 s session rule specifications you may interpret the no match action as specifying what happens if the rule set s entry criteria are not met i e at the beginning of processing a rule set no match action specifies what happens after the entry criteria were met and all the rules were considered but none of them matched no match i e at the very end of processing a rule set Caution If all rule sets have been considered and no action has specified that the session should be dropped or rejected it will be ALLOWED The factory default rule sets have a firewall rule with no match action set to drop to avoid this happening by mistake We recommend you use the firewall diagnostic tests to verify that you have constructed rule sets and rules that provide the firewalling you intended We also highly recommend external intrusion testing to verify behaviour We also recommend that firewalling is done using the method described in Section 7 3 3 1 This processing flow is illustrated as a flow chart in Figure 7 2 44 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling Figure 7 2 Processing flow chart for rule sets and session rules Packet arrives no matching session exists Processing continues with next rule set Session Allowed Allrule sets processed Examine next tule
160. d higher getting a longer timeout as per RFC recommendations 49 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 8 Routing 8 1 Routing logic The routing logic in the FB2500 operates primarily using a conventional routing system of most specific prefix which is commonly found in many IP stacks in general purpose computers and routers Conventional routing determines where to send a packet based only on the packet s destination IP address and is applied on a per packet basis i e each packet that arrives is processed independently from previous packets Note that with this routing system it does not matter where the packet came from either in terms of source IP address or which interface tunnel etc the packet arrived on The FB2500 also implements more specialised routing logic that can route traffic based on other characteristics such as source address that can be used when routing based on destination IP address alone is insufficient This is linked in to the session tracking logic see Chapter 7 A route consists of e a target specifying where to send the packet to this may be a specialised action such as silently dropping the packet a black hole e an IP address range that this routing information applies to the routing destination A routing table consists of one or more routes Unlike typical IP stacks the FB2500 supports multiple independent routing table
161. dInt Rx rate reduction per hour share boolean If shaper is shared with other devices source string Source of data used in automated config management tx unsignedInt Tx rate limit target b s 184 Configuration Objects tx max unsignedInt Tx rate limit max tx min unsignedInt Tx rate limit min tx min burst duration Tx minimum allowed burst time tx step unsignedInt Tx rate reduction per hour Table J 77 shaper Elements Element Type Instances Description override shaper override Optional unlimited Profile specific variations on main settings J 2 57 shaper override Traffic shaper override based on profile Settings for a named traffic shaper Table J 78 shaper override Attributes Attribute Type Default Description comment string Comment profile NMTOKEN Not optional Profile name rx unsignedInt Rx rate limit target b s rx max unsignedInt Rx rate limit max rx min unsignedInt Rx rate limit min rx min burst duration Rx minimum allowed burst time rx step unsignedInt Rx rate reduction per hour source string Source of data used in automated config management tx unsignedInt Tx rate limit target b s tx max unsignedInt Tx rate limit max tx min unsignedInt Tx rate limit min tx min burst duration Tx minimum allowed burst time tx step unsignedInt Tx rate reduction per hou
162. dard input stream via the r options We have additionally asked for no DNS resolution n and verbose output v Consult the documentation provided with the client e g Linux box system for details on the extensive range of tcpdump options these can be used to filter the dump to better locate the packets you are interested in 83 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 15 VRRP The FB2500 supports VRRP Virtual Router Redundancy Protocol which is a system that provides routing redundancy by enabling more than one hardware device on a network to act as a gateway for routing traffic Hardware redundancy means VRRP can provide resilience in the event of device failure by allowing a backup device to automatically assume the role of actively routing traffic 15 1 Virtual Routers VRRP abstracts a group of routers using the concept of a virtual router which has a virtual IP address The IP address is virtual in the sense that it is associated with more than one hardware device and can move between devices automatically The virtual IP address normally differs from the real IP address of any of the group members but it can be the real address of the master router if you prefer e g if short of IP addresses You can have multiple virtual routers on the same LAN at the same time so there is a Virtual Router Identifier VRID that is used to distinguish them The
163. default VRID used by the FB2500 is 42 You must set all devices that are part of the same group virtual router to the same VRID and this VRID must differ from that used by any other virtual routers on the same LAN Typically you would only have one virtual router on any given LAN so the default of 42 does not normally need changing Note You can use the same VRID on different port groups without a clash in any way in the FB2500 However you cannot use the same VRID on different VLANs on the same port group as the internal switch in the FB2500 will only track the MAC address to one port at a time You may also find some switches and some operatings systems do not work well and get confused about the same MAC appearing on different interfaces and VLANs As such it is generally a good idea to avoid doing this unless you are sure your network will cope i e use different VRIDs on different VLANs At any one time one physical device is the master and is handling all the traffic sent to the virtual IP address If the master fails a backup takes over and this process is transparent to other devices which do not need to be aware of the change The members of the group communicate with each other using multicast IP packets The transparency to device failure is implemented by having group members all capable of receiving traffic addressed to the same single MAC address A special MAC address is used 00 00 5E 00 01 XX where XX is the VRID or VRRP
164. directory The options list can include separators rather amp separators to make apparent subdirectories ext The file extension can be included on the end of the options this is used only for making the index of all graphs for that type see below graphname Graph name For XML this can be just to produce one XML file with all graphs ext Extension for file type required options Options can alternatively be included as a html form get field list Where no graph name or ext are provided i e the index page of a directory then an html page is served An ext can be included after any options to make a list of files of that type Otherwise the index is an html page explaining the options A blank graph is available by accessing simply png i e no graph name An xml list of all graphs is available as xml A csv list of graph name and score is available as csv and similarly for txt and tsv A special case exists for extracting the xml files for all graphs in one request using the name xml 1 4 2 load handling The graphs and csv files are generated on the fly and only one is generated at a time Connection requests are queued As part of the normal web management system the trusted IPs queue is always processed first so constant access from untrusted sources will not stop access from trusted sources If the queue is full the connection is not accepted The most load applies when archiving but tools like
165. dministrative details attributes Attribute Purpose comment General comment field contact Contact name intro Text that appears on the home page the home page is the first page you see after logging in to the FB2500 This text is also displayed immediately after you login to a command line session location Physical location description 4 2 3 System level event logging control The log and log attributes control logging of events related to the operation of the system itself For details on event logging please refer to Chapter 5 and for details on the logging control attributes on system object please refer to Section 5 7 23 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration 4 2 4 Home page web links The home page is the first page you see after logging in to the FB2500 or when you click the Home main menu item The home page displays the system name and if defined the text specified by the int ro attribute on the system object Additionally you can define one or more web links to appear on the home page These are defined using Link objects which are child objects of the system object To make a usable link you must specify the following two attributes on the 1ink object e text the text displayed as a hyperlink e url link destination URL Additionally you can name a link specify a comment and make the presence of
166. dropped thus enforcing a default drop policy Note The FB2500 itself does not generally need firewalling rules to protect against unwanted or malicious access as the access controls on services can provide this protection directly see Chapter 13 for discussion of access controls You may want to perform some outbound traffic filtering as well This would normally want to work the other way around to inbound filtering With inbound you want block all but those listed hence using a no match action of drop However for outbound you will typically want a allow all but those listed To this end you could create a rule set for traffic from inside interfaces such as LAN and a no match action of continue Then include specific rules for those things you wish to block with an action of reject 7 3 3 2 Changes to session traffic Normally a session table entry holds enough information to allow return traffic to reach its destination without potentially being firewalled However a session rule can specify certain changes to be made to the outbound traffic in a session and the session table entry will hold additional information that allows the FB2500 to account for these changes when processing the return traffic For example a session rule can specify that the source IP address of the outbound packets be changed such that they appear to be coming from a different address typically one owned by the FB2500 itself Return traffic will then
167. dure please refer to Appendix A or consult the QuickStart Guide The remainder of this chapter provides an overview of the FB2500 s capabilities and covers your product support options Tip The latest version of the QuickStart guide for the FB2500 can be obtained from the FireBrick website at http www firebrick co uk pdfs quickstart 2500 pdf 1 1 2 What can it do The FB2500 is an extremely versatile network appliance which you can think of as something akin to a Swiss army knife for networking It can act as a firewall to protect your network from direct attack over the Internet allocate network addresses to machines on your network e g DHCP manage multiple networks at once modify traffic passing though to do address and protocol port mapping control the speed of different types of traffic traffic shaping www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Introduction e handle IPv6 ready for the day that all five regional Internet registries RIRs exhaust their allocations and much more 1 1 3 Ethernet port capabilities The FB2500 has four Ethernet network ports that can operate at 10Mb s 100Mb s or 1Gb s The ports implement auto negotiation by default but operation can be fine tuned to suit specific circumstances The function of these ports is very flexible and defined by the device s configuration The ports implement one or more interfaces and each i
168. e This can be useful for firewall rules where you may have to log in to the FireBrick even as a NOBODY level user just to get your IP address in an access list to allow further access to a network from that IP 4 1 4 3 Restrict by profile By specifying a profile name using the profile attribute you can allow logins by the user only when the profile is in the Active state see Chapter 9 You can use this to for example restrict logins to be allowed only during certain times of the day or you can effectively suspend a user account by specifying an always Inactive profile 4 2 General System settings The system top level object can specify attributes that control general global system settings The available attributes are described in the following sections and can be configured in the User Interface by choosing the Setup category then clicking the Edit link under the heading System settings The software auto upgrade process is controlled by system objects attributes these are described in Section 4 3 3 2 4 2 1 System name hostname The system name also called the hostname is used in various aspects of the FB2500 s functions and so we recommend you set the hostname to something appropriate for your network The hostname is set using the name attribute 4 2 2 Administrative details The attributes shown in Table 4 3 allow you to specify general administrative details about the unit Table 4 3 General a
169. e an object used to define a locally attached subnet is a child of an object that defines an interface and as such defines that the subnet is accessible on that specific interface Since multiple interfaces can exist other interface objects establish different contexts for subnet objects Additional inter object associations are established via attribute values that reference other objects typically by name e g a firewall rule can specify one of several destinations for log information to be sent when the tule is processed 3 2 The Object Model The term object model is used here to collectively refer to e the constraints that define a valid object hiearchy i e which object s are valid child objects for a given parent object how many siblings of the same type can exist etc e for each object type the allowable set of attributes whether the attributes are mandatory or optional their datatypes and permissible values of those attributes The bulk of this User Manual therefore serves to document the object model and how it controls operation of the FB2500 Tip This version of the User Manual may not yet be complete in its coverage of the full object model Some more obscure attributes may not be covered at all some of these may be attributes that are not used under any normal circumstances and used only under guidance by support personnel If you encounter attribute s that are not documented in this manual please refer i
170. e The yellow port LED is configured to show Transmit activity When you first create an ethernet object you will see that none of the attribute checkboxes are ticked and the defaults described above apply Ensure that you set the port attribute value correctly to modify the port you intended to 6 4 1 Disabling auto negotiation If you are connecting a port to a link partner that does not support auto negotiation or has it disabled it is advisable to disable auto negotiation on the FB2500 port To do this tick the checkbox for the autoneg attribute and select false from the drop down box You will then need to set port speed and duplex mode manually see below to match the link partner settings 6 4 2 Setting port speed If auto negotiation is enabled the FB2500 port will normally advertise that it is capable of link speeds of 10Mb s 100Mb s or 1Gb s if you have reason to restrict the possible link speed to one of these values you can set the speed attribute to 10M 100M or 1G This will cause the port to only advertise the specified speed if the auto negotiate capable link partner does not support that speed the link will fail to establish If auto negotiation is disabled the speed attribute simply sets the port s speed 6 4 3 Setting duplex mode If auto negotiation is enabled the FB2500 port will normally advertise that it is capable of either half or full duplex operation modes if you have reason to restrict the opera
171. e boolean true enable PHY optimisations port port Not optional Physical port power saving LinkPower full enable PHY power saving send fault LinkFault Send fault status shutdown boolean false Power down this port speed LinkSpeed auto Speed setting for this port yellow LinkLED Tx Yellow LED setting J 2 19 portdef Port grouping and naming Port grouping and naming Table J 25 portdef Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description comment string Comment name NMTOKEN Not optional Name ports Set of port Not optional Physical port s 159 Configuration Objects profile NMTOKEN Profile name source string Source of data used in automated config management J 2 20 interface Port group VLAN interface settings The interface definition relates to a specific physical port group and VLAN It includes subnets and VRRP that apply to that interface Table J 26 interface Attributes Attribute Type Default Description comment string Comment cug unsignedShort Closed user group ID 1 32767 cug cug restrict boolean Closed user group restricted traffic only to from same CUG ID graph token graphname Graph name link NMTOKEN Interface to which this is linked at layer 2 log NMTOKEN Not logging Log events including DHCP and related events lo
172. e different VRID on different VLANs 161 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Table J 29 vrrp Attributes Attribute Type Default Description answer ping boolean true Whether to answer PING to VRRP IPs when master comment string Comment delay unsignedInt 60 Delay after routing established before priority returns to normal interval unsignedShort 100 Transit interval centiseconds ip List of IPAddr Not optional One or more IP addresses to announce log NMTOKEN Not logging Log events log error NMTOKEN log as event Log errors low priority unsignedByte 1 Lower priority applicable until routing established name NMTOKEN Name preempt boolean true Whether pre empt allowed priority unsignedByte 100 Normal priority profile NMTOKEN Profile name source string Source of data used in automated config management test List of IPAddr List of IPs to which routing must exist else low priority deprecated use vmac boolean true Whether to use the special VMAC or use normal MAC version3 boolean v2 for IPv4 v3 for Use only version 3 IPv6 vrid unsignedB yte 42 VRID J 2 23 dhcps DHCP server settings Settings for DHCP server Table J 30 dhcps Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 80829
173. e incoming call An incoming carrier will usually relate to a specific extn which is what is called when a call comes in You can leave this unset and route based on called ddi or you can set the extn including X characters in place of the digits sent with the call as the dialled number These are taken from the right have end of the dialled number so if 0134567890 is what was called 1XX would be extn 190 This makes it easy to define a trunk carrier for incoming calls 16 8 Hunt groups The basic idea of a hunt group is simple It has a number which when called causes a number of extensions to be rung perhaps in order to hunt for someone to take the calls In practice there are a number of options as to how the hunt group works 90 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP Creating a hunt group involves picking an extension number In the same way as a telephone user is set up you can also set a display name and DDI number The main set of numbers that the hunt group will call is specified in the ring attribute By default this causes all of the numbers listed to be rung at once Tip You can list internal extension numbers for ring and overflow lists or you can include full DDIs or even external phone numbers to be included Tip It is possible to set a wrap up time on a phone a per telephone setting which stops group calls ringing the phone for a period of time after
174. e name password E full name E otp User password Full name OTP serial number M timeout E config E level Login idle timeout zero to stay logged in Config access level Login level 5 00 Full ADMIN E allow Tip You may also want to increase the login session idle time out from the default of 5 minutes especially if you are unfamiliar with the user interface To do that tick the checkbox next to timeout and enter an appropriate value as minutes colon and seconds e g 15 00 for 15 minutes Click on the Save button near the top of the screen which will save a new configuration that includes your new user definition You should now see a page showing the progress of storing the new configuration in Flash memory Figure 2 4 Configuration being stored Loading config No errors found Erasing flash page Programming flash page Flashed 1789 bytes Config loaded Please login to make any further changes Login On this page there is a Login link in red text click on this link and then log in using the username and password you chose We recommend you read Chapter 3 to understand the design of the FB2500 s user interface and then start working with your FB2500 s factory reset configuration Once you are familiar with how the user interface is structured you can find more detail on setting up users in Section 4 1 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chap
175. e object type can be present 13 1 Protecting the FB2500 Whilst the FB2500 does have a comprehensive firewall the design of the FB2500 is that it should be able to protect itself sensibly without the need for a separate firewall You can of course configure the fireall settings to control access to system services as well if you want Each service has specific access control settings and these default to not allowing external access i e traffic not from locally Ethernet connected devices You can also lock down access to a specific routing table and restrict the source IP addresses from which connections are accepted In the case of the web interface you can also define trusted IP addresses which are given priority access to the login page even When using the FB2500 as an LNS you may be allowing access to CQM graphs linked from control systems as an ISP and so have to have the web interface open to the world You should make use of the trusted IP settings to ensure you still have access even if there is a denial of service attack against the web interface You should also set up access restrictions for users see Section 4 1 4 for details 13 2 Common settings Most system service have common access control attributes as follows Tip You can verify whether the access control performs as intended using the diagnostic facility described in Section 14 2 74 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 124
176. e of this approach is that you will need to specify target interfaces in every rule in order to replicate the functionality of the method described previously In any case you can verify that your rule sets function the way you intended using the diagnostic facility described in Section 14 1 The XML fragment below shows a small firewalling rule set for an interface with a default drop policy lt rule set name firewall_to_LAN target interface LAN no match action drop gt 1 lt rule name web target port 80 protocol 6 comment WAN access to company web server gt 2 lt rule set gt Rule set is named firewall_to_LAN The rule set only applies to sessions targetting the LAN interface from any other interface The action to perform when no rule within the rule set applies is to drop O Rule is named web the criteria for matching the rule only specifies that the traffic must be targetting TCP protocol 6 port 80 The action attribute is not present so the action defaults to continue 47 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling processing continues with next rule set Unless any subsequent rule in a later rule set drops the session the session will therefore be allowed If no rule matched the traffic then the no match action of the rule set is applied here in this case the session is
177. e prefix length determines the size of the range 113 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix C MAC Addresses usage Ethernet networks use 48 bit MAC addresses These are globally unique and allocated by the equipment manufacturer from a pool of addresses that is defined by the first three octets bytes which identify the organization and are known as the Organizationally Unique Identifier OUT OUIs are issued by the IEEE more information and a searchable database of existing OUIs are available at http standards ieee org develop regauth oui MAC addresses are commonly written as six groups of two hexadecimal digits separated by colons or hyphens FB2500s currently ship with an OUI value of 00 03 97 In principle the FireBrick could have a single MAC address for all operations However practical experience has led to the use of multiple MAC addresses on the FireBrick A unique block of addresses is assigned to each FireBrick with the size of the block dependent on the model Most of the time FB2500 users do not need to know what MAC addresses the product uses However there are occasions where this information is useful such as when trying to identify what IP address a DHCP server has allocated to a specific FB2500 For information on how MAC addresses are used by the FB2500 please refer to this article on the FireBrick website http www firebrick co uk fb2700 mac php
178. e remote IP is not known for example when it may change if the remote device moves to a different network or is behind a NAT device The IKE connection type is AH or ESP ESP is by far the most commonly used as it provides both integrity checking and encryption of traffic AH provides integrity cheecking only so data is transmitted in plaintext AH does provide a very slight extra level of security as the IP addresses of the tunnel encapsulation packets are also integrity checked However this is a incompatible with usage over NAT and b rather illusory as with IKE the whole connection is authenticated at setup so the remote peer is already known to be valid 12 1 2 3 2 IKE proposal lists Algorithms and proposals are discussed in more detail below Normally these can be left blank causing the default proposals to be used If required the IKE proposal list and or the IPsec proposal list can configured Each consists of a list of names of proposals which have been configured under the top IKE configuration section 12 1 2 3 3 Authentication and IKE identities IKE authenticates each end of a connection using the connection s IKE identity The identity is chosen when configuring each end and can be specified in different ways using the following syntax e IP ip address an IPv4 or IPv6 address eg IP 123 45 67 8 e DOMAIN domain a dot separated domain eg DOMAIN firebrick co uk e MAILADDR email address an email address eg MAIL
179. e the link in for example a profile see Section 9 2 2 1 There are a number of additional options see below but for most configurations this is all you need It causes the FB2500 to connect and set a default route for internet access via the PPP link 11 2 1 IPv6 If your ISP negotiates IPv6 on the link then a default route is set for IPv6 traffic down the line If the ISP handles ICMPv6 prefix delegation then an IPv6 block will automatically be assigned to you LAN If not then you could manually configure the IPv6 prefix the ISP is providing There are options to control which interfaces get automatic prefix delegations in this way 11 2 2 Additional options 11 2 2 1 MTU and TCP fix Normally PPPoE operates with a maximum packet size of 1492 bytes this is due to the 8 byte PPPoE header that is used and the normal 1500 byte payload limit of an Ethernet packet The FB2500 includes an option to set the PPPoE MTU so that when used with equipment capable of jumbo frames such as BT FITC and FTTP services and with appropriate ADSL bridging modems this allows use of slightly larger frames to provide a 1500 byte MTU To achieve this simply set the mtu attribute to a value of 1500 By default the tcp mss fix attribute is also set which means when working with a smaller MTU such as 1492 any connections that try and establish 1500 byte links are adjusted on the fly to be the lower MTU This avoids problems with a lot of corporate and bank
180. e used for SIP requests where the request is to be challenged e g REGISTER INVITE REFER SUBSCRIBE OPTIONS etc The format mostly follows RFC5090 There is an option radius challenge to send the RADIUS authentication request before receiving authentication data from the requestor which allows progress without authentication credentials but more likely to be used to send a ACCESS_CHALLENGE response to customise the challenge sent to the requestor Table G 1 Access request AVP No Usage User Name 1 Name of locally configured telephone user or E and locally configured carrier name Chargeable User 89 If request relates to locally configured telephone user or carrier Identity Message 80 Message signature as per RFC2869 Authenticator Called Station Id 30 Local part of To header Calling Station Id 31 Local part of From header NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 Requestor IPv4 address if using IPv4 NAS IPv6 Address 95 Requestor IPv6 address if using IPv6 NAS Port 5 Requestor UDP port NAS Port Type 61 Send with value 5 virtual if NAT detected Class 25 User Agent string Acct Multi Session 50 Call ID from request Id Digest Response 103 Digest Response Digest Realm 104 Digest Realm Digest Nonce 105 Digest Nonce Digest Method 108 Digest Method Digest URI 109 Digest URL or URI from request if no Authorization di
181. ed ead ete oe ee i Aen dea 166 xi www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual J 2 31 network Locally originated networks 2 00 0 0 ee eee cece eee ce ee ceeeceeeeeeeeaeeea sean eeaes 166 J 2 32 blackhole Dead end networks 2 0 0 0 asier ee cence cence ra E EEE seen eeu eeae ones 167 J 2 33 loopback Locally originated networks ooocoocccnccnoccnccnnncnnccnnconnccnnccnncnnnconaconncos 167 J 2 34 bgp Overall BGP settings 2 0 0 0 eee c eee cn eece een cena eens E e E N ER 168 32 35 beppeer BGP peer defi thongs tias 168 J 2 36 bgpmap Mapping and filtering rules of BGP prefixes 2 0 0 0 eee eee eee eee 170 J 2 37 bgprule Individual mapping filtering rule oocooccnnccnnconnccnnconnconoconicnnacnnncnaronoso 170 J 2 38 cqm Constant Quality Monitoring settings 1 00 0 ee ceee eee cneece seca een eene eens 171 239 2tp L2 TP Sem ps say ces O 172 J 2 40 12tp outgoing L2TP settings for outgoing L2TP connections eee 173 J 2 41 12tp incoming L2TP settings for incoming L2TP connections ooocooccnccnnccnnccnnccnns 174 J 2 42 12tp relay Relay and local authentication rules for L2TP eee eee 176 J 2 43 fb105 FB105 tunnel definition ooocccnoccnnnnccnnccnnnoccnnncnnnnconnnaconononnnnccnnnncnnnccnns 176 52 44 16105 route FB TOS routes ita citar ected ese aceon se Me ia 178 J 2 45 ipsec ike IPsec configurati
182. ed from the session table Two time out values are configurable Initial time out this time out period begins when the first reply packet of the session arrives at the FB2500 it is specified by the set ongoing timeout attribute Ongoing time out this time out period begins when each subsequent packet of the session arrives at the FB2500 it is specified by the set initial timeout attribute Note The actual timeout used is taken from a list of timeouts and set to the next highest available value The status sessions list shows the timeout in force as well as useful flags for session started and closed and so on The session timeout is actually maintained separately for each direction and only when the timeout happens in both directions does the session get dropped This allows one sided keep alive packets as often used by protocols such as VoIP The ongoing timeout is set for both directions at once only when both directions are considered to have started The initial forward packet does not count as starting but a further packet does An ICMP error packet does not count to start a session either and neither does a TCP packet that does not carry the ACK bit These subtlties are designed to better handle unresponsive TCP endpoints and spoofed TCP packets even 1f allowed through the firewall There are default timeouts for UDP TCP ICMP and other protocols For UDP the timeout also depends on the target port with ports 1024 an
183. eed then this is considered to be bursting and this continues until the average speed since the bursting started drops below the target speed When bursting initiall a time is allowed with no change of speed e g tx min burst and after that the speed drops This can be automatic or using a rate of drop per hour e g tx step The rate will drop down to the defined minimum speed Once the average since bursting started drops below the target and the restrictions are lifted returning to the maximum speed If the minimum speed is below the target speed then this will happen eventually even if the link is used solidly at the maximum it is allowed If the minimum is at the target or higher then the usage will have to drop below the target for a time before the average speed drops low enough to restore full speed The overall effect of this means that you can burst up to a specified maximum but ultimately you cannot transfer more than if the target speed had been applied the whole time 58 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Traffic Shaping 10 2 Multiple shapers A packet that passes through the FB2500 can pass through multiple shapers for example e The ingress interface can have a defined shaper When the packet passes through session tracking the two sides of the session tracking forward and reverse can each have shapers that apply If the packet is carrier via an L2TP tun
184. ement Type Instances Description IKE proposal ike proposal Optional unlimited Proposal for IKE security association IPsec proposal ipsec proposal Optional unlimited Proposal for IPsec AH ESP security association connection ike connection Optional unlimited IKE connections J 2 46 ike proposal IKE security proposal Proposal for establishing the IKE security association 178 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Table J 63 ike proposal Attributes Attribute Type Default Description DHset Set of ike DH Accept any Diffie Hellman group for IKE negotiation supported group PRFset Set of ike PRF Accept any Pseudo Random function for key supported function generation authset Set of ipsec auth Accept any Integrity check algorithm for IKE messages algorithm supported algorithm cryptset Set of ipsec crypt Accept any Encryption algorithm for IKE messages algorithm supported algorithm name NMTOKEN Not optional Name J 2 47 ipsec proposal IPsec AH ESP proposal Proposal for establishing the IPsec AH ESP keying information Table J 64 ipsec proposal Attributes Attribute Type Default Description DHset Set of ike DH Accept any Diffie Hellman group for IPsec key supported group negotiation ESN Set of ike ESN Accept ESN or short Support for extended sequence numbers
185. en a a a N A A AEE 35 63 1 Defining subnets cn e e a E deta sis 36 6 3 1 1 Using DHCP to configure a subnet ooccocccnccnnconnccnncnnnconnconnconaronocnnccnnnnnns 36 6 3 2 Setting up DHCP server parameters ooocooccnnccnnccnnconnconeconnconcnnnnnnnnnnronnronccnnccnnicono 37 6 3 2 1 Fixed Static DHCP allocations ooocooccnccnnccnnconnconnccnnconnconconaronccnnccnninnn 37 6 3 2 1 1 Special DHCP attributes oooconoccnocnnncnnccnncnnncnnncnnccnnconnconnccnnccnncos 38 6 3 2 2 Partial MAC address based allocations ocoooccnccnnccnnccnncnnocnnccnnccnnccnnccnnions 38 64 Physical port SCtUN SS tl a ias 38 6 4 1 Disabling auto negotiation 0 cece cece cece rece inae sesen a i Eee SEa RE 39 6 4 2 SOLE port speed ei li ria ened sta ies tea eee 39 6 4 3 Setting duplex AA O 39 6 4 4 Defining port LED functions roren aree r E T NEE e EEIN 39 Ty Session A O N 41 Tel Routing vs Firewalling 0 A a a de dede 41 v www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual SSI AAA ey cove ds beswaecsy E EEA EEE AEA EO EEEE 41 TZ LES OS SON terminato Ri bed Nance See Shed eae 42 7 3 SESSION RULES Serradilla dei 42 TO LAO A A iii 42 ER A See bee bs votes Novel E e aE ty Seaaeon A E a e aa ee 43 7 3 3 Defining Rule Sets and Rules ssns orin e TE ENN 46 7 3 3 1 Recommended method of implementing firewalling eee 47 7 3 3 2 Changes to sess
186. en carrier and an ISP The carrier will send a RADIUS request to the ISP asking the ISP for details of the LNS to which the connection is to be sent This allows the ISP to steer sessions as they need Once the LNS gets the L2TP connection RADIUS is used to obtain the IP address details to be assigned to the specific connection RADIUS is also used for accounting to provide details of connections in progress and volumes of data transferred Appendix F provides details of the specific AVPs used with RADIUS for L2TP 18 1 6 BGP Once a connection is made to an LNS the end user is assigned IP addresses Obviously there is a need to ensure that the IP addresses are routed within the ISPs network to the correct LNS OSPF and BGP are the main routing protocols used for this though back in dialup days RIP and RIP2 were often used and a bits slow OSPF is not ideal for this as it means the whole OSPF network tracking every connection of every user The FireBrick supports use of BGP to announce connected IP addresses in to an ISPs internal network as connections are made via L2TP 18 2 Incoming L2TP connections To allow a connection to the FireBrick you have to decide on a hostname This is not a DNS hostname and can be anything you like You can pre agree with your carrier the hostname they will use and the IP address of your LNS When the connection arrives the protocol includes the hostname and a password The hostname allows the FireBrick
187. en clocks change in previous day As such it is recommended that over night archiving is done of the previous day just after midnight 145 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Constant Quality Monitoring technical details The recommended command to run just after midnight is wget m http host port cqm date F z as this will create a directory for the server cqm date and z and then the files The use of z clears text off the graphs to make them clean 1 4 1 Full URL format The full URL format allows several variations These are mainly to allow sensible directory structures in overnight archiving Table I 5 URL formats URL Meaning cqm All CQM URLs start with this 32 hex Optional authentication string needed for untrusted access Can be used with trusted access characters to test the authentication is right YYYY MM Optional date to restrict output Can also be in the form YY YY MM DD YY Y Y MM DD DD YYYY MM DD if preferred Can also have HH or HH on the end to get data for just one hour and HH HH or HH HH on the end for a specific range of hours Can end HH MM SS or MM MM SS for data for one hour from a specific time options Optional graph colour control options Useful when extracting a list of images as the all must have the same options as the list is just graphname png as a relative link thereby ensuring all graphs appear in this
188. end ingress rate b s secret Secret Shared secret source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number for L2TP session routetable tcp mss fix boolean false Adjust MSS option in TCP SYN to fix session MSS tx speed unsignedInt Egress rate limit b s username string User name for login Table J 54 12tp outgoing Elements Element Type Instances Description route ppp route Optional unlimited Routes to apply when link is up J 2 41 I2tp incoming L2TP settings for incoming L2TP connections L2TP tunnel settings for incoming L2TP connections Table J 55 12tp incoming Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description allow List of List of IP ranges from which connects can IPNameRange be made bgp bgpmode BGP announce mode for routes comment string Comment damping boolean false Apply damping to sessions if limiting on shaper dhcpv6dns List of IP6Addr List of IPv6 DNS servers dos limit unsignedInt 10000 Per second per session tx packet drop limit for DOS protection fail lockout unsignedByte 60 Interval kept in failed state graph string Graph name 174 Configuration Objects hdlc boolean true Send HDLC header
189. er Interface see Section 3 4 4 19 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration 3 6 2 Upload To upload the configuration to the FB2500 you need to send the configuration XML file as if posted by a web form using encoding MIME type multi part form data An example of doing this using cur1 run on a Linux box is shown below curl http lt FB2500 IP address or DNS name gt config config user username password form config filename 20 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 4 System Administration 4 1 User Management You will have created your first user as part of the initial setup of your FB2500 as detailed in either the QuickStart Guide or in Chapter 2 in this manual To create edit or delete users browse to the config pages by clicking the Edit item in the sub menu under the Config main menu item then click on the Users category icon Click on the Edit link adjacent to the user you wish to edit or click on the Add link to add a user To delete a user click the appropriate Edit link then click the Erase button in the navigation controls see Figure 3 8 As with any such object erase operation the object will not actually be erased until the configuration is saved Once you have added a new user or are editing an existing user the object editing page will appear
190. er LED has three defined states as shown in Table 4 5 below Table 4 5 Power LED status indications Indication Status Off No AC power applied to unit or possibly hardware fault Flashing with approximately 1 second period Bootloader running waiting for network connection On Main application software running After power up the normal power LED indication sequence is therefore to go through the 1 second period flashing phase and then if at least one Ethernet port is connected to an active device change to solid once the app is running From power up a FB2500 will normally boot and be operational in under five seconds 4 4 1 2 Port LEDs 27 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration Whilst the bootloader is waiting for an active Ethernet connection the green and yellow LEDs built into the physical port connectors flash in a continual left to right then right to left sequence The port LEDs on the panel on the opposite side to the physical ports also flash in a clock wise sequence Note The same port LED flashing sequences are observed if the app is running and none of the Ethernet ports are connected to an active link partner Note that the app continues to run and the power LED will still be on solid When connected to an active link partner these flashing sequences will stop and the port LEDs will start indicating physic
191. eriodically sending an advertisement multicast packet to the group members A failure to receive a multicast packet from the master router for a period longer than three times the advertisement interval timer causes the backup routers to assume that the master router is down The interval is specified in multiples of 10ms so a value of 100 represents one second The default value if not specified is one second If you set lower than one second then VRRP3 is used by default see below VRRP2 only does whole seconds and must have the same interval for all devices VRRP3 can have different intervals on different devices but typically you would set them all the same The shorter the advertisement interval the shorter the black hole period but there will be more multicast traffic in the network Note For IPv6 VRRP3 is used by default whereas for IPv4 VRRP2 is used by default Devices have to be using the same version IPv4 and IPv6 can co exist with one using VRRP2 and the other VRRP3 Setting the same config apart from priority on all devices ensures they have the same version 15 2 2 Priority Each device is assigned a priority which determines which device becomes the master and which devices remain as backups The working device with the highest priority becomes the master If using the real IP of the master then the master should have priority 255 Otherwise pick priorities from 1 to 254 It is usually sensible to space these
192. ers in the Internet backbone In practice things are not that simple and you will have some specific relationships with peers when using BGP For most people there will be transit providers with which you peer The FB2500 cannot take a full table map of the whole Internet from a transit provider so you would typically have a default route to them You can advise the transit provider of your own routes for your own network so that they can route to you and they tell their peers that they can route to you via that provider This only works if you have IP address space of your own that you can announce to the world unless you are an ISP then this is not commonly the case Even though IPv4 address space has already run out it is possible to obtain IPv6 PI address space and an AS number to announce your own IPv6 addresses to multiple providers for extra resilience You can use BGP purely as an internal routing protocol to ensure parts of your network know how to route to other parts of your network and can dynamically reroute via other links when necessary In most cases unless you are an ISP of somesort you are not likely to need BGP 17 2 BGP Setup 17 2 1 Overview The FB2500 series router provides BGP routing capabilities The FB2500 cannot handle a full table The aim of the design is to make configurationm simple for a small ISP or corporate BGP user defining key types of BGP peer with pre set rules to minimise mistakes Caution
193. ersions 85 S VLANs Session Rules introduction to 116 defining 46 VoIP overview 42 basics 87 processing flow 43 CDR 95 processing flow chart 44 NAT 88 Session Table 41 overview 87 Session Tracking registration 87 changes to session traffic 48 technical 96 configuring time outs 49 overview 41 X time outs 42 XML Shapers 58 introduction to 16 SNMP XML Schema Document XSD file 10 configuring service 77 Software identifying current version 25 Software upgrades breakpoint releases 25 controlling auto upgrade behaviour 26 overview 24 software release types 24 System name see Hostname System services checking access to 80 configuring 74 definition of 74 list of 74 T Telnet service configuration 75 Time out login sessions 22 Traffic shaping overview 57 Tunnels bonding FB105 71 FB105 70 viewing status FB105 71 U User Interface customising layout 11 general layout 11 navigation 15 overview 10 Users creating configuring 21 login level 21 restricting logins by IP address 22 209 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299
194. ert delete characters You can press Enter at any point in the command line text and the full command text will be processed command history memory the CLI remembers a number of previously typed commands and these can be recalled using the Up and Down cursor keys Once you ve located the required command you can edit it if needed and then press Enter supports entering abbreviated commands you only need to type sufficient characters to make the command un ambiguous for example show dhcp and show dns can be abbreviated to sh dh and sh dn respectively show is the only command word that begins sh and two characters of the second command word are sufficient to make it un ambiguous built in command help you can list all the available commands and the CLI will also show the synopsis for each command Typing the character at the command prompt immediately displays this list you do not have to press Enter Alternatively you can list all the possible completions of a part typed command in this case typing the character after typing part of a command will list only commands that begin with the already typed characters for example typing tr causes the CLI to respond as shown below marty Er traceroute lt IPNameAddr gt table lt routetable gt source lt IPAddr gt ECOC E CEON marty Er After listing the possible commands the CLI re displays the command line typed so far which you can t
195. ervers Prefixes are delegated based on the order in the DHCPv6 request and the order of Delegated IPv6 Prefix Framed IPv6 Prefix and then Framed IPv6 Route with multiple such entries in the order that they appeared in the RADIUS response Such prefixes are not split up if a smaller prefix is requested but the first part of a prefix is delegated F 2 2 Rejected authentication Table F 3 Access Reject AVP No Usage Reply Message 18 Reply message sent on PPP authentication response Note that an authentication reject will normally cause the reply message to be sent as an authentication reject message The reply Try another causes the L2TP session to be closed with result error 2 7 Try another without sending an authentication reply on PPP F 3 Accounting Start Table F 4 Accounting Start AVP No Usage Acct Status Type 40 1 Start 124 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation User Name 1 Username from authentication PAP CHAP or proxy authentication received on L2TP or received in authentication response Class 25 From authentication response if present Chargeable User 89 Graph name that applies sanitised to comply with CQM graph name rules Identity Called Station Id 30 Called number as received on L2TP C
196. es rather than descriptive text or physical location on your screen both of which can vary between software releases 3 4 3 Navigating around the User Interface You navigate around the hierarchy using one or more of the following e configuration category icons e the breadcrumbs each part of the breadcrumbs delimited by the symbol is a clickable link e the in page navigation buttons shown in Figure 3 8 Up move one level up in the object hierachy Prev Previous object in a list and Next Next object in a list Figure 3 8 Navigation controls Interface interface 2 of 3 LAN Up Prev Next New Erase Help Caution The configuration pages are generated on the fly using JavaScript within your web browser environment i e client side scripting As such the browser is essentially unaware of changes to page content and cannot track these changes this means the browser s navigation buttons Back Forward will not correctly navigate through a series of configuration pages Please take care not to use the browser s Back button whilst working through configuration pages navigation between such pages must be done via the buttons provided on the page Prev Next and Up Navigating away from an object using the supported navigation controls doesn t cause any modifications to that object to be lost even if the configuration has not yet been saved back to the FB2500 All changes are initially held i
197. es and Subnets This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those interfaces For information about other types of interfaces refer to the following chapters e Point to Point Protocol over Ethernet PPPoE Chapter 11 e Tunnels including FB 105 tunnels Chapter 12 6 1 Relationship between Interfaces and Physical Ports The FB2500 features four Gigabit Ethernet 1Gb s ports that can also operate at 10Mb s and 100Mb s speeds Auto negotiation of link speed is enabled by default so when connected to auto negotation capable equipment the ports operate at the highest speed that both ends of the link can run at In some situations auto negotiation is not supported by connected equipment and so the FB2500 provides control of port behaviour to allow the port to work with such equipment Each port features a green and amber LED the functions of which can be chosen from a range of options indicating link speed and or traffic activity The exact function of the ports is flexible and controlled by the configuration of the FB2500 6 1 1 Port groups Up to four port groups can be defined with each group comprising a set of one or more physical ports that doesn t overlap with any other group The ports within the group work as a conventional Ethernet switch directly transferring traffic at wire speed that is destined for a MAC address that is present on one of the other ports in
198. et of parameters that makes it unique two of these parameters are the network addresses of the two end points For protocols that support multiplexing of multiple flows or connections to from a single network address UDP and TCP both support this the remaining parameters are the identifiers used to do the multiplexing For both UDP and TCP this identifier is a port number whose scope is local to the end point and is therefore usually different at each end point for a given flow connection Normally only one of the two port numbers involved will be known a priori this will be the documented port number used for a specific service at the server end for example port 80 for an HTTP service the other is dynamically chosen from the available pool of unused port numbers at the client end Therefore the filter criteria can only specify that known port number the other port number can only be determined by inspection of the IP packet payloads discovering which protocol is being carried and using knowledge of the protocol to extract the port number This information must then be stored and held for a duration not less than the duration that communications occur over the flow or connection This information defines a session and is stored in the session table The key point of the session table entry is that it will then cause return traffic to be allowed and sent to the correct place Without the session table entry the FB2500 would have no
199. ex determined by autonegotiation J 3 14 LinkFlow Physical port flow control setting Table J 110 LinkFlow Physical port flow control setting Value Description none No flow control symmetric Can support two way flow control send pauses Can send pauses but does not support pause reception www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 198 Configuration Objects any Can receive pauses and may send pauses if required J 3 15 LinkClock Physical port Gigabit clock master slave setting Table J 111 LinkClock Physical port Gigabit clock master slave setting Value Description prefer master Master status negotiated preference for master prefer slave Master status negotiated preference for slave force master Master status forced force slave Slave status forced J 3 16 LinkLED LED settings Table J 112 LinkLED LED settings Value Description Link Activity On when link up blink when Tx or Rx activity Link1000 On when link up at 1G blink when Tx or Rx activity Activity Link100 On when link up at 100M blink when Tx or Rx activity Activity Link10 Activity On when link up at 10M blink when Tx or Rx activity Link100 1000 On when link up at 100M or 1G blink when Tx or Rx activity Activity Link10 1000 On when link up at 10M or 1G
200. ext hop addresses currently in use and their status 138 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference H 2 6 See DHCP allocations show dhcp lt IP4Addr gt table lt routetable gt Shows DHCP allocations with option to show details for specific allocation H 2 7 Clear DHCP allocations clear dhcp ip lt IP4Range gt table lt routetable gt Allows you to remove one or more DHCP allocations H 2 8 Lock DHCP allocations lock dhcp ip lt IP4Addr gt table lt routetable gt Locks a DHCP allocation This stops the allocation being used for any other MAC address even if long expired H 2 9 Unlock DHCP allocations unlock dhcp ip lt IP4Addr gt table lt routetable gt Unlocks a DHCP allocation allowing the address to be re used if the expired H 2 10 Name DHCP allocations name dhcp ip lt IP4Addr gt name lt string gt table lt routetable gt Allows you to set a name for a DHCP allocation overridding the clientname that was sent H 2 11 Show ARP ND status show arp show arp lt IPAddr gt Shows details of ARP and Neighbour discovery cache H 2 12 Show VRRP status show VELO Lists all VRRP in use and current status H 2 13 Send Wake on LAN packet wol interface lt string gt mac lt hexBinary gt Send a wake on LAN packet to a spec
201. f for route highest wins log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors mode ipsec mode tunnel Encapsulation mode mtu unsignedShort 1500 MTU for wrapped packets name NMTOKEN Name ospf cost unsignedShort 1000 Link cost forces default OSPF on link if set even if OSPF not otherwise configured outer spi unsignedInt Security Parameters Index for outer header 256 4294967295 ipsec spi payload table unsignedByte 0 99 0 Routing table number for payload traffic routetable profile NMTOKEN Profile name remote ip IPAddr Far end IP for tunnel 181 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects remote spi unsignedInt Not optional Remote Security Parameters Index 256 4294967295 ipsec spi routes List of IPPrefix Routes when link up source string Source of data used in automated config management speed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 0 Routing table number for tunnel wrappers routetable tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS type ipsec type ESP Encapsulation type Table J 69 ipsec manual Elements Element Type Instances Description route ipsec route Optional unlimited Routes to apply to tunnel when up J 2 51 ping Ping graph definition Base ping config additional ping targets
202. fibre to the cabinet FTTC and fibre to the premises FTTP service you connect the FB2500 directly to the service BT supplied modem with no extra equipment 11 2 Definining PPPoE links A PPPoE link is defined by a ppp top level object To create or edit PPPoE links in the web user interface select the Interface category icon under the section headed PPPoE settings you will see the list of existing ppp objects if any and an Add link For most situations configuring a PPPoE link only requires that you specify the physical port number or alternatively a port group name see Section 6 2 that the router modem is connected to and the login credentials i e username and password The port number or port group name is specified via the port attribute on the ppp object and credentials are specified via the username and password attributes If you are connecting multiple routers modems via a VLAN capable switch to a single FB2500 port you will also need to specify the VLAN used for the FB2500 to router modem layer 2 connection this is done by setting the value of the vlan attribute too As an example if you were to connect a single modem router directly to port 4 on your FB2500 i e not using VLANs then the configuration needed shown as an XML fragment would be lt ppp port 4 username password gt You may also want to give the PPPoE link a name by setting the name attribute you can then referenc
203. fic go to a different LNS where the session IDs could match and existing session unlikely but possible The L2TP connection is matched to an incoming L2TP configuration The RADIUS session steering can be used to specify the hostname and password that is sent so that the correct incoming configuration can be matched 107 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Internet Service Providers This can the select specific RADIUS servers to use at the ISP for authorising the connection though typically a single set of RADIUS servers is used for all connections It can also specify defaults for DNS PPP endpoint addresses and so on 18 8 5 ISP RADIUS Once the L2TP connection arrives you can use RADIUS in your own network to control the connection accepting it or rejecting it and defining IP addressing DNS traffic speeds routing table and much more Appendix F provides details of the specific AVPs used with RADIUS for L2TP You would normally have more than one RADIUS server You can set these in a priority order a set of main servers and a set of backup The FB2500 will find a config line for RADIUS based on the named RADIUS server in the L2TP incoming configuration or pick any if this is not set It checks these in order Each RADIUS configuration can have multiple servers Only if all of the services in a configuration entry are blacklisted will later configuration entries be considered
204. fish CBC RFC 2451 with 16 byte key blowfish 192 Blowfish CBC RFC 2451 with 24 byte key blowfish 256 Blowfish CBC RFC 2451 with 32 byte key AES CBC AES CBC Rijndael RFC 3602 with 16 byte key AES 192 CBC AES CBC Rijndael RFC 3602 with 24 byte key AES 256 CBC AES CBC Rijndael RFC 3602 with 32 byte key J 3 27 ike PRF IKE Pseudo Random Function Table J 123 ike PRF IKE Pseudo Random Function Value Description HMAC MD5 HMAC MD5 HMAC SHAI HMAC SHAI AES XCBC 128 HMAC SHA256 AES XCBC with 128 bit key PRF HMAC SHA 256 rfc4868 J 3 28 ike DH IKE Diffie Hellman group Table J 124 ike DH IKE Diffie Hellman group Value Description none No D H negotiation only used with AH ESP MODP 1024 1024 bit Sophie Germain Prime MODP Group MODP 2048 2048 bit Sophie Germain Prime MODP Group J 3 29 ike ESN IKE Sequence Number support Table J 125 ike ESN IKE Sequence Number support Value Description ALLOW ESN _ Allow Extended Sequence Numbers 64 bits ALLOW Allow short sequence numbers 32 bits SHORT SN 202 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 3 30 ike authmethod authentication method Table J 126 ike authmethod authentication method Value Description Secret Shared Secret J 3 31 ike mode conne
205. for L2TP connection List of IPs that must have routing for this target to be valid deprecated tunnel assignment string Tunnel Assignment ID to send id tunnel client return boolean Return tunnel client as radius IP Table J 21 radius service Elements Element Type Instances Description match radius service Optional unlimited Matching rules for specific responses match server radius server Optional unlimited RADIUS server settings J 2 16 radius service match Matching rules for RADIUS service Rules for matching incoming RADIUS requests Table J 22 radius service match Attributes Attribute Type Default Description allow List of Match source IP address of RADIUS IPNameRange request authenticator boolean Require message authenticator backup ip List of IPNameAddr Target IP s or hostname for backup L2TP connection called station id List of string One or more patterns to match called station id calling station id List of string One or more patterns to match calling station id class string Class field to send comment string Comment 157 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects context name string Juniper Context Name SIN502 dummy ip boolean true Send dummy framed IP response ip List of Match target IP address of RADIU
206. fore the profile state changes to Inactive e recover the duration that the overall test must have been passing for before the profile state changes to Active 54 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Profiles The timeout and recover parameters do not apply to manually set profiles see Section 9 2 4 and those based on time of day see Section 9 2 2 2 9 2 2 Tests 9 2 2 1 General tests General tests are provided for the following e FB105 tunnel state the 105 attribute lists one or more FB105 tunnel names see Section 12 2 if any of the specified tunnels are in the Active state this tunnel state test will pass e PPPoE connection state the ppp attribute lists one or more PPPoE connection names see Chapter 11 if any of the specified connections are up this pppoe state test will pass Routable addresses the route attributes lists one or more IP addresses full addresses not CIDR prefix ranges only if all the addresses are routable i e there is an entry in the routing table that will match that address will this test pass Refer to Chapter 8 for discussion of routing tables and the routing logic used by the FB2500 e VRRP state the vrrp attribute lists one or more Virtual Router group membership definitions see Chapter 15 by name if the FB2500 is not the master device in any of these Virtual Routers this test will fail If more than one of
207. g debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors mtu unsignedShort 1500 MTU for this interface 576 2000 mtu name NMTOKEN Name ping IPAddr Ping address to add loss latency to graph for interface port NMTOKEN Not optional Port group name profile NMTOKEN Profile name ra client boolean true Accept IPv6 RA and create auto config subnets and routes restrict mac boolean Use only one MAC on this interface source string Source of data used in automated config management source filter sfoption Source filter traffic received via this interface table unsignedByte 0 99 0 Routing table applicable routetable vlan unsignedShort 0 VLAN ID O untagged 0 4095 vlan Table J 27 interface Elements Element Type Instances Description dhcp dhcps Optional unlimited DHCP server settings subnet subnet Optional unlimited IP subnet on the interface 160 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects be virp Optional unlimited VRRP settings J 2 21 subnet Subnet settings Subnet settings define the IP address es of the FireBrick and also allow default routes to be set Table J 28 subnet Attributes Attribute Type Default Description accept dns boolean true Accept DNS servers specified by DHCP arp timeout unsigned
208. gest present Digest QOP 110 Digest QOP Digest Algorithm 111 Digest Algorithm 131 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for VoIP operation Digest CNonce 113 Digest CNonce Digest Nonce Count 114 Digest Nonce Count NC Digest Username 115 Digest Username Digest Opaque 116 Digest Opaque SIP AOR 121 Contact URI Session Timeout Acct Terminate Cause 27 Time from Expires header 49 Only sent for a redirect call routing the redirect code e g 301 302 G 2 Authentication response G 2 1 Challenge authentication Table G 2 Access Challenge AVP No Usage Digest Realm 104 Digest Realm Digest Nonce 105 Digest Nonce Digest QOP 110 Digest QOP Digest Algorithm 111 Digest Algorithm Digest Opaque 116 Digest Opaque Digest Stale 120 Digest Stale G 2 2 Accepted authentication registration Table G 3 Access Accept AVP No Usage Calling Station Id 31 Calling number to be set up for tel number routing to this registration if omitted then the registration is not recorded Session Timeout 27 Time to send in reply Expires header SIP AOR 121 SIP URI Contact for 302 redirect response G 2 3 Accepted authentication invite Note that this section is not yet complete Table G 4 Access Accept
209. gn cs oso E cdtesyseeb age ta E RE 185 3 80 route override Attributes irren Asda tt erecta aed be Mok aa ead da Pend ees 186 3 31 route override Elements oses e neee e a tr bese venues tio denetensel Sexesey 186 J 82osessionroute rule Attributes Sisi a ii Geka ates Sob asus 186 J 83 session route rule Elements secorre A Seek dasnawedareng Ee N a RE TEn 187 J 84 session route share Attributes s sssessseesseresrrrrreresrerrsrrerrsrrerrrresreresrrerrsrrerrrresrreesrreerrt 187 J85 r l set Attributes sss ennn E A EE E E N EEEREN N 187 3 86 Tule Set Elements cs ido n a E He ae A E O 188 3 37 Session r le Atti DUutes eeen eee A a a a e OA E a a ios a TEADES 188 3 88 session rule Elements sii ot sa 189 3 89 Session share sA tr DUtes sirope eae a alain praia i 189 J90 VoIp At DUES se tdi AI ee SIE T EE E E 190 ARA AE e set a E a dee E E EE E ENER 191 J92 camer ANDU E S eE e ive leat ee E ee todas At See es 191 3 93 telephones Attribute Sioe e a E E dees EE E EE Vae ERASERS 192 J94 tone Atri DUtes odia o o E O E S 193 J9 TINE SOUP AUF DULES esn Sec cess ea coats E ea E E E E uel E a des e tees seeks ieee a 193 J96 etun Attributes mt A a oe ents 194 J 97 autoloadtype Type of s w auto load 2 2 eee cece cence cece ace neeeeeeeaeeeeceeeeaeseaesea esau sean eeaes 194 J 98 config access Type of access user has to config coocccccnnccnnconnccnnccnncnnnconnconncnnncnnncnnronaronncnnn 195 3 99 serclevel User logi
210. grade process use the value of false to achieve this false Disables auto upgrades factory Only download install factory releases this is the default if the attribute is not specified beta Download install factory or beta releases alpha Download install factory beta or alpha releases sw update profile Specifies the name of a profile to use to control when software upgrades are attempted see Chapter 9 for details on profiles The current setting of sw update in descriptive form can be seen on the main Status page adjacent to the word Upgrade as shown in Figure 4 2 in that example sw update is set to or is defaulting to factory 4 3 4 Manual upgrade This method is entirely manual in the sense that the brick itself does not download new software from the FireBrick servers and responsibilty for loading breakpoint releases as required lies with the user 26 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration In order to do this you will first need to download the required software image file which has the file extension img from the FB2500 software downloads website http www firebrick co uk software php PRODUCT 2500 onto your PC The next step is the same as you would perform when manually initiating an Internet based upgrade i e you should browse to the main Status page where if there is new software is available you
211. grades may occur for example you could ensure they are always done over night The reboot will close all L2TP connections first The reboot will close all BGP sessions first The reboot will wait for all VoIP calls to complete before rebooting 4 3 1 Software release types There are three types of software release factory beta and alpha For full details on the differences between these software releases refer to the FB2500 software downloads website http www firebrick co uk software php PRODUCT 2500 please follow the read the instructions link that you will find just above the list of software versions Note In order to be able to run alpha releases your FB2500 must be enabled to run alpha software this 1s done by changing the entry in the FireBrick capabilities database hosted on FireBrick company 24 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration servers for your specific FB2500 as identified by the unit s Serial Number Normally your FB2500 will be running factory or possibly beta software with alpha software only used under advice and guidance of support personnel while investigating fixing possible bugs or performance issues You can see whether your FB2500 is able to run alpha releases by viewing the main Status page click the Status main menu item and look for the row labelled Allowed if the text shows Alpha builds for testing then your
212. gt count lt positivelnteger gt ttl lt unsignedByte gt size lt unsignedShort gt xml lt boolean gt This sends a series of ICMP echo requests ping to a specified destination and confirms a response is received and the round trip time For the traceroute variant the TTL Hopcount is increased by one each time to show a series of response hops There are a number of controls allowing you to fine tune what is sent Obviously you should only send from a source address that will return to the FB2500 correctly You can also ask for the results to be presented in an XML format Where possible the reverse DNS name is shown next to replies but there is deliberately no delay waiting for DNS responses so you may find it useful to run a trace a second time as results from the first attempt will be cached H 2 3 Show a route from the routing table show route lt IPPrefix gt table lt routetable gt Shows details of a route in the routing table Where an individual IP is used the route that would be used is shown but if a specifiy prefix is used then that specific route is shown even if there may be more specific routes in use H 2 4 List routes show routes lt IPFilter gt table lt routetable gt Lists routes in the routing table limited to those that match the filter if specified H 2 5 List routing next hops show route nexthop lt IPAddr gt List the n
213. guration there are two temporary subnets defined on the LAN interface 2001 DB8 1 64 and10 0 0 1 24 These subnet definitions provide a default IP address that the FB2500 can initially be accessed on regardless of whether the FB2500 has been able to obtain an address from an existing DHCP server on the network Once you have added new subnets to suit your requirements and tested that they work as expected these temporary definitions should be removed To create a new subnet click on the Add link to take you to a new subnet object defintion Tick the ip checkbox and enter the appropriate CIDR notation Editing an existing subnet works similarly click the Edit link next to the subnet you want to modify The FB2500 can perform conventional Network Address Translation NAT for network connections flows originating from all machines on a subnet for example one using RFC1918 private IP address space by setting the nat attribute on the subnet object Tip Behind the scenes activation of NAT is on a per session basis and the nat attribute on a subnet is really a shortcut for a session rule using the set nat attribute If you wish to learn more about sessions and session tracking please refer to Chapter 7 If you have any need for firewalling you ll need to refer to that chapter in due course anyway 6 3 1 1 Using DHCP to configure a subnet You can create a subnet that is configured via DHCP by clearing the ip checkbox the ab
214. hat arrive from the WAN side will be passed to the UDP port number that was the source port used in the outgoing wrapper packets 72 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels e If it does not then you will have to manually setup a port forwarding rule since there will have been no outbound packets to initiate a session The forwarding rule should specify the UDP port number that is being used by the tunnel wrapper packets the port attribute value in the tunnel definintion or the default of 1 if the port is not specified 12 3 Ether tunnelling Ether tunnelling provides a mechanism to tunnel layer 2 ethernet traffic between two devices using the protocol defined in RFC3378 An ETUN tunnel provides a link layer 2 connection between two specific physical ports on different FireBricks Consider two FireBricks A and B which are able to communicate with each other using IP eg over the internet An otherwise unused port on each FireBrick can be configured as an ETUN port Every ethernet packet arriving at FireBrick A s ETUN port is encapsulated and transmitted to FireBrick B over IP FireBrick B decapsulates the packet and transmits it on its configured ETUN port Ethernet packets received on FireBrick B s ETUN port are likewise transported to FireBrick A and transmitted from its ETUN port This mechanism can be used to extend a LAN over a large physical distance A typical application w
215. hem As described above this normally means one of the routes is picked However where the two or more routes are the same type of interface and there are shapers applied to those routes then a decisions is made on a per packet basis as to which interface to used The shapers are used to decide which link is least far ahead This means that traffic is sent down each link at the speed of that link To make this work to the best effect set the tx speed of the shapers on the links to match the actual link speed E g for broadband lines set the speed to match the uplink from the FB2500 For L2TP use as an LNS the graph created for each L2TP session has an agress speed automatically set based on the speed details sent on the L2TP connection These can also be overridden by a RADIUS response The effect of this is that multiple lines that are connected to the same LNS and have the same IPs routed to the lines will automatically per packet bond traffic down those lines 8 6 Route overrides The conventional routing logic described so far operates very much like any conventional router with the addition of some handling for bonding and duplicate subnets However the FB2500 also allows the possibility of route overrides which control routing in more more detail This feature is part of session tracking functionality and so applies on a per session basis contrasting with the per packet basis for the conventional routing For details on sessions
216. hen complete Please refer to Appendix H for command details 109 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix A Factory Reset Procedure The FireBrick has a simple factory reset process to erase the configuration allowing you to reconnect using the default IP addresses described in Chapter 2 This process can be very useful if you ever make an error in the configuration that stops you having access to the FireBrick for any reason or any other situation where it is appropriate to start from scratch e Disconnect all network and power leads OEA E e Connect lead between far left and far right ports ports 1 and 4 C OCI E e Connect power and wait a few seconds for all port LEDs to be on steadily Power LED blinks Note There is a timeout of 20 seconds in this process if the loop is present for longer than 20 seconds the power LED will stop flashing and the factory reset will be aborted 110 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Factory Reset Procedure e Connect network to left hand port Power LED comes on solidly HOOO Ss This process will start the FireBrick in a factory reset mode temporarily the configuration stored in flash memory has not yet been altered or deleted at this stage If you disconnect the power then the config will revert to the previous state and no longer be reset s
217. hen the profile is off the hunt group does not work or you can set a number to be rung instead as the out of hours number www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 91 VoIP Tip The ring list and overflow list cannot use the numbers of other hunt groups but the out of hours number can be anotehr hunt group number 16 9 Call pickup steal By default it is possible to pick up a ringing call to a telephone or hunt group by dialling a prefix default and the extension number of the telephone or hunt group This stops the call ringing the phone or hunt group and connects it to the phone that dialled the pick up code Tip You can restrict which phones are allowed to pick up or steal a call in the telephone and hunt group configuration Using the same code you can also steal an active call from a telephone This hangs up the telephone and moves the call to the phone that dialled the code Tip Call stealing is useful as a sort of reverse call transfer which works well in an open office Someone can say I have a call for you on 406 and you can dial 406 to steal the call from them This is quicker saves them asking your extension number and avoids putting the caller on hold It is much like key and lamp systems where someone might say There is a call for you on line 3 16 10 Busy lamp field Busy lamp fields are normally a light and button on a phone The snom phones can have BL
218. hentication regestis oiia E R EE a EE EEEN E R 122 F 2 Authentication response vestesi Ra ges a a E AE a EAE E EERENS 123 F 2 1 Accepted authentication arson r e e bed EE E E R EE EE 123 F2 tl Prei Dele sation ar E E GEEET E ANE 124 F 2 2 Rejected authentication oocoocooccocnoconcnnconcnnroncnnroncnnroncnnroncnnroncnnroncnnronenaronenarones 124 BS ACCOUNUNG Start iisen seen yet cadeeh aden aenaedetesebanewan Weeds NE e das age e saweny sed twaadeas ten nuns 124 E 4 Accounting Interim lt 0 sores Sisecersi es ees heehee Rs era eee eee Rema eat des 125 NS ghsh een ogsdeeelenehs wun ass sy EN EE E E E AE R 126 F6 Disconnect muaa is Ge nt eae II Bah a Ge aoe eae REE 127 E 7 Change of Authorisation 20m inerte ciao indie AEA Deets era eao a a idas 127 ES LEMA rt A adios 128 F9 NOUS sien A RO 129 BO A A O 129 E 9 2 LCP echo and CQM graphs esrar piee e S E titeres 129 F932 IP OVer E S E E E S ee iat Ltn Ue EE Saath oe eae 130 ix www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual E 9 4 Closed User Group secos tordo rca file stopp tues 130 E 9 3 Route table in AS a Daa acaba ase ea Ne ay 130 G Supported RADIUS Attribute Value Pairs for VoIP operation occoooccccnccnnnccnnnnccnnnccnnnccnnnnccnnacnnns 131 Gil Authentication request A A ec cee cL ee ee 131 G2 AUthentiCatlOn resposes ssia sever tess euneis irte eee 132 62 1 Challenge authentication mii
219. her end of the call leg Called Station Id 30 Dialled number as received Calling Station Id 31 Calling number as received Acct Status Type 40 2 Stop Acct Session Id 44 Unique ID for session Acct Multi Session 50 SIP Call ID for call leg Id Acct Terminate 49 Cause code as appropriate Cause Acct Event 55 Time call ended Timestamp Chargeable User 89 CUI for this call Identity NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 Far end IPv4 address for SIP if using IPv4 NAS IPv6 Address 95 Far end IPv6 address for SIP if using IPv6 NAS Port 5 Far end UDP port for SIP G 6 Disconnect A disconnect message is accepted as per RFC5176 if the session can be disconnected and ACK is sent else a NAK Table G 9 Disconnect AVP No Usage Acct Session Id 44 Unique ID for session Acct Terminate 49 SIP response code Cause 134 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for VoIP operation G 7 Change of Authorisation A change of authorisation message is accepted as per RFC5176 Table G 10 Change of Authorisation AVP No Usage Acct Session Id 44 Unique ID for session 135 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix H Command line reference H 1 General commands H 1 1 Trace off EOL
220. her using a pre shared secret Even when both are using a pre shared secret they may use different secrets to authenticate each other and this is provided for in the configuration 12 1 2 3 4 IP addresses The peer ips item is normally set to the IP of the peer when this is known It must be a single IP when the connection mode is Immediate or On Demand but for a mode Wait connection this may be left blank or specified as a permissible range Note that in this case the identity the peer provides when it attempts to set up the connection will be used to select the matching configuration connection details The local ip is optional if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely and the FireBrick chooses a suitable source IP when it initiates a connection You can also optionally specify an internal ipv4 and or an internal ipv6 address When specified these addresses are used for the source address of the tunnelled packet when the FireBrick sends traffic it originates itself down the tunnel unless the source address has already been specified by some other means If these are not specified the FireBrick will use the tunnel s local ip setting when appropriate Note that although obviously the tunnel endpoint addresses must be the same type of address both IPv4 or both IPv6 the traffic sent through the tunnel may be IPv4 IPv6 or a mixture of the two 12 1 2 3 5 Routing You must configure r
221. hex Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested id unsignedByte Not optional Attribute type code name string Name value hexBinary Not optional Value vendor boolean Add as vendor specific option under option 43 J 2 25 dhcp attr string DHCP server attributes string Additional DHCP server attributes string Table J 33 dhcp attr string Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested id unsignedByte Not optional Attribute type code name string Name value string Not optional Value 163 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects vendor boolean Add as vendor specific option under option 43 J 2 26 dhcp attr number DHCP server attributes numeric Additional DHCP server attributes numeric Table J 34 dhcp attr number Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested id unsignedByte Not optional Attribute type code name string Name value unsignedInt Not optional Value vendor boolean Add as vendor specific option under option 43 J 2 27 dhcp attr ip DHCP server attributes IP Additional DHCP server attribu
222. hod of implementing firewalling Although there are likely numerous ways in which you can construct workable rule sets that implement firewalling in addition to any traffic shaping or NAT etc we recommend that you implement firewalling as follows e create one or more rule sets that are specifically for firewalling e use one rule set per interface with the interface specified as the target interface in the entry criteria such that the rule set relates to sessions to that interface e implement a default drop policy on each firewalling rule set such that you have to list exceptions to this policy to allow sessions to the specified target interface to implement this policy you set the no match act ion attribute to either drop or reject e ensure these firewalling rule sets appear before any other non firewalling rule sets e create subsequent rule sets if necessary to perform any modifications to the session such as NAT ing or to subject sessions to traffic shaping Caution If you have a large number of interfaces for example more than just WAN and LAN you must take care that you have covered all the interfaces that need to be firewalled Alternatively you could have a single firewalling rule set without any entry criteria and with no match action attribute set to either drop or reject that way all traffic regardless of its origin or its characteristics will be subject to the default drop policy A disadvantag
223. hrough three settings menu on the left menu on the right menu at the top The last icon the letter A toggles between using browser specified or user interface specified fonts Layout settings are stored in a cookie since cookies are stored on your computer and are associated with the DNS name or IP address used to browse to the FB2500 this means that settings that apply to a particular FB2500 will automatically be recalled next time you use the same computer browser to connect to that FB2500 It is also possible to configure an external CSS to use with the FireBrick web control pages which allows a great deal of control over the overall layout and appearance This can be usful for dealers or IT support companies to set up FireBricks in a style and branding of their choice 3 4 2 Config pages and the object hierarchy The structure of the config pages mirrors the object hierachy and therefore they are themselves naturally hierachical Your postition in the hierachy is illustrated in the breadcrumbs trail at the top of the page for example Firewall mapping rules rule set 1 of 3 filters rule 7 of 19 ICMP This shows that the current page is showing a rule which exists within a rule set which in turn is in the Firewall mapping rules category see below 3 4 2 1 Configuration categories Configuration objects are grouped into a number of categories At the top of the config pages is a set of icons one for each
224. i es ii 132 G 2 2 Accepted authentication registration ooocooccnccnnccnnccnnconnconnconnconnconiconaconannnronoso 132 G 2 3 Accepted authentication invite occooccoccnccocnncnncnnconcnnconcnnroncnnconcnnroncnnroncnarononns 132 G 2 4 Rejected authentication os o5 censcsuyesnstsh eoawsssverseboneauedesep ooaeecd ptueessenes EEEE E Ep 133 G 3 ACCOUNTS Start sesi oe peice gate sa a Reade ia 133 GA ACCOUNTING A IN 133 ANS a rre teen E A E T eg eth Beech seen al eben cates A N eee ete eas 134 G 6 Disconnect mr sr de 134 G7 Change of Authorisation viandas iia 135 H Command lan reference tii rd Ae 136 HT General command 25 6 ccct ets A E ERAR E eee ble onde precedes peeing tela 136 Hd Trace Off ta ae 136 Hd 2 TTA CE Mii iia des iii fas aoe ey 136 H13 Uptime canoa aa A silvia ica 136 ELLA General AUS das 136 HS Memory USA RES sss 5s oss duos nE es EEE n Smale eee decease E EEEIEE EERS E 136 H 1 6 Process task Usage tia atic st 136 A O AS 136 HS OSO Dis 137 H19 See XML configuration yeee e e E E teenager a NEE EEN EEEN EEES 137 H 1 10 Load XML configuration sopa e aE EE EN E ETO EEO EROS 137 PET Show protile Status serene en o Ea E abel E E NAA NEERA 137 H 1 12 Enable profile control switch ooooocconcnnccnnccnnccnnccnnccnnconoconncnnncnnncnnccnnraninnnos 137 H 1 13 Disable profile control switch oooccconoccnnccnonoccnnnocnnnccnnnnccnnnncnonccnnnnccnnnicnnnss 137 H 1 14 Show RADIUS Servers ocoococc
225. ial DHCP attributes For each pool you can list specific DHCP attributes specified as a string IPv4 address or number or even as raw data in hexadecimal You can force sending of an attribute even if not requested For vendor specific attributes ID 43 you can either specify in hex as ID 43 or you can specify the code to use and set the vendor flag this adds an attribute type 43 with the code and length for the attribute which can be string IPv4 address number or hexadecimal 6 3 2 2 Partial MAC address based allocations In addition to specifying a full 48 bit 12 hexadecimal character MAC address in a dhcp object it 1s also possible to specify part of a MAC address specifically some number of leading bytes The dhcp object will then apply for any client whose MAC address has the same leading bytes For example as discussed in Appendix C the first three octets bytes of a MAC address identify the organization often the end product manufacturer that can allocate that MAC address to an Ethernet device By specifying only these first three bytes six hexadecimal characters no colon delimiters in the mac attribute you could ensure that all devices from the associated manufacturer are allocated addresses from a particular address pool This is helpful if you have some common firewalling requirements for such a group of devices for example if all your VoIP phones are from one manufacturer as you can have appropriate firewall rule
226. ic Server MS Secondary DNS 311 29 Secondary DNS address used in PPP IPCP Vendor 311 specific Server Framed Interface ID 96 Peer IPv6 Interface ID expected in PPP IPV6CP Framed IP Address oo Peer IPv4 address expected in PPP IPCP does not support 255 255 255 255 or 255 255 255 254 yet Maximum localpref used NAS IP Address 4 Our end IPv4 address to in IPCP negotiation Does not add loopback route This is non standard Framed Route 22 May appear more than once Text format is Pv4 Address Bits 0 0 0 0 metric The target IP is ignored but must be valid IPv4 syntax The metric is used as localpref in routing Delegated IPv6 123 IPv6 prefix to be routed to line Maximum localpref used Prefix Framed IPv6 Prefix 97 IPv6 prefix to be routed to line Maximum localpref used Framed IPv6 Route 99 May appear more than once Text format is Pv6 Address Bits metric The target IP is ignored but must be valid IPv6 syntax The metric is used as localpref in routing Alternative format Pv6 Bits IPv4 Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link Rh User Name Username may be specified this replaces the username already present and is then used on accounting start and relay L2TP CHAP Password 3 CHAP Password may be specified this replaces the CHAP ID and response that is then sent on to a tunnel Called Station Id 30 Called number may be
227. ic to be graphed and therefore possibly be subject to traffic shaping they perform the same function as the graph attribute that can be specified on many different objects as described in Chapter 10 Each direction of the final established session can have a graph set The normal set graph attribute sets the forward direction graph and set reverse graph sets the reverse session graph remember sessions have two sides Because of this with set graph the graph Tx direction will be the direction in which the session was established and the Rx direction is therefore the opposite direction With set reverse graph the Tx Rx directions are swapped compared to using set graph There is also an option for set graph source mac which causes the session to set a forward graph that is based on the MAC address of the source packet if from an Ethernet interface The graph is created if it does not exist If set graph is also defined then each new session created also causes the speed settings and long term shaper parameters to be copied from the named graph in set graph to the MAC named graph being used This is aimed at management of open WiFi and the like allowing a named shaper to be defined and a copy of its settings created for each client based on MAC address 7 3 3 4 Configuring session time outs As discussed in Section 7 2 1 each session table entry has a timer associated with it this ensures that inactive sessions are remov
228. ific interface 139 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference H 3 Firewalling commands H 3 1 Check access to services check access lt IPAddr gt table lt routetable gt Reports access control checks for a source address to various internal services This is separate from any firewalling H 3 2 Check firewall logic check firewall source ip lt IPAddr gt target ip lt IPAddr gt protocol lt unsignedByte gt source port lt unsignedShort gt target port lt unsignedShort gt source route ip lt IPAddr gt table lt routetable gt evil lt boolean gt cug lt unsignedShort gt Allows a detailed check of rule sets and rules This reports the rule sets and rules that matched and the actions taken H 4 L2TP commands Note This command summary is not yet complete please see www firebrick co uk for details H 5 BGP commands Note This command summary is not yet complete please see www firebrick co uk for details H 6 PPPoE commands Note This command summary is not yet complete please see www firebrick co uk for details H 7 VoIP commands Note This command summary is not yet complete please see www firebrick co uk for details H 8 Advanced commands Some commands are only available when logged in as a user set with DEBUG level access H 8 1 Panic panic lt string gt confirm lt
229. ified and the CLI is set from the originating call e sip uri which causes a call via a an arbitrary SIP URI The Dialled number and CLI are set from the originating call This format allows sip number host and sip user passO host and also sip user passQ host number This final version makes a call using the sip numberO host target but authenticates using user and pass Tip If the originating call leg is incoming and not get been connected a single SIP AOR response can be provided of the format of a 3 digit response code or 3xx uri where 3xx is the response code e g 302 and is replaced by sip and used as a Contact header in a 3xx response Redirect only works on some carriers phones and serves to redirect the incoming call away from the FB2500 16 12 Call recording The FB2500 supports call recording by teeing off the two way audio from a call leg and sending to a SIP endpoint The SIP endpoint will then record the call and handle it in any way you wish 94 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP The recording is controlled by setting an email address on a call leg This can be configured for telephone users and set to automatically record incoming one outgoing only or all calls You can also set this on a hunt group to record all incoming calls to the hunt group attaching the recording to the calling leg The recording server can be any SIP endpoint such as an asterisk bo
230. in range of IP addresses or possibly all IP addresses for a default route is routed down the tunnel when it is in the Up state see Section 12 2 4 for details Tip Payload IP addressing is not restricted to RFC1918 private IP address space and so FB105 tunnels can be used to transport public IP address traffic too This is ideal where you want to provide public IP addresses to a network but it is either impossible to route the addresses directly to the network e g itis behind a NAT ing router or is connected via networks e g a 3rd party ISP that you have no control over or you wish to benefit from having portable public IP addresses e g you can physically relocate a tunnel end point FB2500 such that it is using different WAN connectivity yet still have the same public IP address block routed to an attached network 12 2 2 Setting up a tunnel You define a tunnel by creating an 6105 top level object In the web User Interface these objects are created and managed under the Tunnels category in the section headed FB105 tunnel settings The basic parameters for a tunnel are e name name of the tunnel OPTIONAL e local id the Local ID to use for the tunnel REQUIRED 70 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels e remote id the ID used at the far end for this tunnel this will be the Local ID used on the far end for this tunnel REQUIRED e secre
231. ing and tunnelling features You can use the base model for routing packets and filtering firewalling The fully loaded model is useful for bonding multiple lines tunnelling and more obscure features such as announcing addresses to an upstream provider by BGP It is possible to upgrade from base to fully loaded at a later date if you wish Contact your dealer for details 1 1 6 Migration from previous FireBrick models Many FB2500 users may well be migrating from earlier FireBrick products such as the FireBrick 105 to take advantage of the significantly higher performance of the FB2500 and perhaps to use features that simply didn t exist on the FB105 As you will see from reading Chapter 3 the new range of FireBrick products introduce a modern well structured configuration based on an underlying XML file The User Interface is intentionally closely coupled with the XML structures and this will likely be the most apparent visual difference for users experienced with the FB105 To aid the transition a translator is provided which will generate an FB2500 XML configuration file from an FB105 configuration file mapping features and functionality across as closely as is possible the converted configuration should be treated as a starting point for using your FB2500 in place of your FB105 as the result from the converter may be incomplete or there may be aspects that cannot be carried over The translator can be accessed at http
232. ion provides an overview of how to use the web based User Interface We recommend that you read this section if you are unfamiliar with the FB2500 so that you feel comfortable with the design of the User Interface Later chapters cover specific functionality topics describing which objects are relevant any underlying operational principles that are useful to understand and what effect the attributes and their values have The web based User Interface provides a method to create the objects that control operation of the FB2500 Internally the User Interface uses a formal definition of the object model to determine where in the hierarchy objects may be created and what attributes may exist on each object so you can expect the User Interface to always generate valid XML i If the User Interface does not generate valid XML i e when saving changes to the configuration the FireBrick reports XML errors then this may be a bug please check this via the appropriate support channel s 10 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Additionally the web User Interface provides access to the following items e status information such as DHCP server allocations FB105 tunnel information and system logs e network diagnostic tools such as Ping and Traceroute there are also tools to test how the FB2500 will process particular traffic allowing you to verify your firewalling is
233. ion traffic oooooccooccccnoccnnocnnonccnnnncnnnccnnnncononrcnnnccnnnncnnnioos 48 7 3 3 3 Graphing and traffic shaping ocoooccnocnnccnncnnocnnccnnconnconnccnnccnncnnnconncnnnnnnnos 49 7 3 3 4 Configuring session time outs cece cece cence cece ee ceneeeueceeeceeeeaeeeaeeenes 49 Sy ROUNE astas deci Ans Gabe anes naweda gee ue lero 50 8 1 Routine LOLI ina id A pei tees se 50 8 25 Routing targets A NS 51 8 2 1 Subnet Toute Ssst iin e A A id 51 8 2 2 Routing to an IP address gateway route ssesssseersseesresesrrerrsrrerrsrrerrrresrerrerreees 51 e AEE AE E RA S ES A A E de ne ods E E 52 8 3 Dynamic route creation deletion 2 0 0 0 eee eiie ee aps NE O pE S opa NEE S 52 8 4 Route tables cuota A il it ERSS 52 8 Bondin speien e e e a e ioe eaaa le e ane 52 8 6 Route override Sis een o aii 53 A E AE N E E N EAE e E sa EET ANE EAEE AE EESE 54 OV OVENIEW sr A aU tee AA EE A ee deen ees 54 9 2 Creating diting profiles 2s ss gees iasnseves hada des howe seed sa geeyag ce geves keds deb aww needed cages aden adoued oa gtub eee 54 9 2 1 Time control de 54 OID 2 Tests ieee en terete e doueaesyete cabsphneasseb Ea edute dobar snus dgsebeesdt eo EEA AIDE 55 9 2 2d General tests noi tesa ek deste Rete Oe eR ne RS 55 9 2 2 2 Time datestests fot chs decos rines toc ees Gae les Me we e o tec airada decia 55 O 2 2 32 PING ACSUS As od fuses o a a tetas estab ves 55 92 3 Inverting Overall test TESUIt o coovosi cdo Sew
234. ion username wrap up duration Wrap up time before new call J 2 68 tone Tone definitions Definition of tones used Table J 94 tone Attributes J 2 69 ringgroup Ring groups Ring groups Table J 95 ringgroup Attributes Attribute Type Default Description name NMTOKEN Not optional Tone name plan string Not optional Plan for frequency and duration e g 400ms 400Hz 3dB 450Hz 3dB www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description allow pickup List of string Only allow pickup from these extensions allow subscribe List of string Only allow subscribe Busy Lamp Field from these extensions answer time duration 30 Answer caller if ringing this long carrier NMTOKEN Carrier to use for external calls comment string Comment cui string Chargeable user identity for call accounting ddi List of string Full telephone number international format starting display name string Text name to use email string Email address sent to call recording server 193 Configuration Objects extn List of string Local extension number initial time duration Don t progress to second number until this time limit unsignedByte Number allowed to queue name NMTOKEN Not optional Group name order ring group order strict Order of ring o
235. ion with the dev random file For example to generate a 20 byte key the command would be xxd len 20 p dev random You also need to configure an SPI Security Parameter Index for both the incoming and outgoing traffic The SPI value is an integer from 256 to 2 1 These are configured as local spi for incoming traffic and remote spi for outgoing traffic The local spi uniquely identifies this IPsec connection so must be distinct for all IPsec connections on this FireBrick The current FireBrick implementation requires that the local SPI for manual connections to be in the range 256 to 65535 The incoming SPI must match the outgoing SPI of the far end of the link and vice versa 12 1 3 3 Routing You must configure routing to specify which traffic the FireBrick should send out through the tunnel The routing configuration uses the same style as used elsewhere in FireBrick configuration A simple set of IPs and or IP ranges can be specified in the routes attribute or for more complex routing a number of separate route elements can be added to the tunnel config Metrics and the routing tables to be used may also be specified 12 1 3 4 Other parameters A graph may be specified to monitor data through the tunnel A speed may be set to rate limit the traffic the mode should be set to the default tunnel for normal applications Transport mode IPsec is used in certain situations when the traffic to be encapsulated does not have its
236. is also used to indicate tunnel state with green for Up and red for Down Note that there is a third state that a tunnel can be in that is Up Down TBC confirm this indicates that tunnel wrapper packets are being received but that they are informing this end point that the far end is not receiving tunnel wrapper packets This means the tunnel is essentially only established unidirectionally typically because of a firewalling routing NAT or similar issue that is prevent the correct bidirectional flow of tunnels wrapper packets between the tunnel end points Tunnel status can also be seen using the show f b105 CLI command see Appendix H 12 2 4 Dynamic routes Since a tunnel can only carry traffic properly when in the Up state any traffic routed down a tunnel that is not Up will be discarded The ability to dynamically create a route when the tunnel enters the Up state and automatically delete the route when the tunnel leaves the Up state allows the route to be present only when traffic can actually be routed down the tunnel In combination with the use of route preference values you can use this to implement fall back to a less preferred route if the tunnel goes down Alternatively you may want to intentionally use a different tunnel to carry traffic and use profiles to enable disable tunnel s the dynamic route creation means that you do not need to manually change routing information to suit A dynamic route is defined by set
237. is command Chapter 19 covers the CLI in general Caution Flash logging slows down the system considerably only enable Flash logging where absolutely necessary The flash log does have a limit on how much it can hold but it is many thousands of entries so this is rarely an issue Oldest entries are automatically discarded when there is no space 29 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Event Logging 5 1 1 2 Logging to the Console The console is the command line environment described in Chapter 19 You can cause log entries to be displayed as soon as possible on the console assuming an active console session by setting console true on the log target You can stop the console logging with trof f command or restart it with tron command 5 2 Enabling logging Event logging is enabled by setting one of the attributes shown in Table 5 1 on the appropriate object s in the configuration which depends on what event s you are interested in The attribute value specifies the name of the log target to send the event message to The events that cause a log entry will naturally depend on the object on which you enable logging Some objects have additional attributes such as Log error for unusual events and 1og debug for extra detail Table 5 1 Logging attributes Attribute Event types log This is normal events Note that if 1og error is not set then this includes erro
238. isesesesses ddaedea css ecousngsesdossevosessseeoanegs sects sssveneens 6 3 1 Special character Sequences ioiii cepeccsia usses voce ces rea edad IRA desta ei ad cobs 17 AV User login levels iii Ena o toi 22 4 2 Configuration access levels cc cceseeusccesegccnsetvays e EE E E cuevtieetodsteeuessvseevensebeeees 22 4 3 General administrative details attributes 2 0 0 0 eee ee cece cee cee ee eeea ceca tena eens cena eeaeeeeneeeeeeees 23 4 4 Attributes controlling auto upgrades 20 0 0 cece cece ence cece cece ne ceneceneeeaeeeeeeeeeeaeseaeseueeaaeeaaeeges 26 4 5 Power LED status dications 422s 2 csc25 serranos ote va Dino pArA Iron A IAE AE a a 27 5 1 Logeime attributes cnica AD dd 30 3 2 System Event Logging attributes ce ccc ssseccc ess scccs is ecsnn ngs cones ioeescenssseceas POPES PTEE i Enies EEPE SNS 33 6 1 Port LED functions 33385 dietetica tes tdi dais 39 6 2 Example modified Port LED functions sssri yee cinco es oats tesoro e E a E Tes 40 T A Action attribute Valles ssrin e EE cose EEE eye E E E ENEE EEA RS 43 8 1 Example TOUte targets oiire irei os rea orrea Ep PE ains ales piso E EIES A TiSo EEE PEGE SESS 51 12 1 IPsec algorithm key lengths cuido bob desde E EER ures 67 13 1 Dist OL system SErViCeS emreis na ae a e E i E E A E A meas as E S 74 13 2 List of system SCLVICES 5 35 aoier ees eee Seen oot ecto A EET SES 75 14 1 Packet dump parameters os ccsccscsesscosaesseceeeds csees ca E EEES EEEE R OPE TETERE
239. ist in the same broadcast domain For example it may not be possible to reassign machine addresses to form a single subnet but the machines do not require firewalling from each other Note As discussed in Section 6 1 an interface is associated with a broadcast domain therefore multiple subnets existing in a single broadcast domain are not isolated at layer 2 from each other Effective firewalling at layer 3 cannot be established between such subnets to achieve that subnets need to exist in different broadcast domains and thus be on different interfaces An example of this is seen in the factory default configuration which has two interfaces WAN and LAN allowing firewalling of the LAN from the Internet You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv6 networking The primary attributes that define a subnet are the IP address range of the subnet the IP address of the FB2500 itself on that subnet and an optional name The IP address and address range are expressed together using CIDR notation if you are not familiar with this notation please refer to Appendix B for an overview To create or edit subnets select the Interface category in the top level icons then click Edit next to the appropriate interface under the section headed IP subnet on the interface you will see the list of existing subnet child objects if any and an Add link Note In a factory reset confi
240. ith that subnet A loop back route to 192 168 0 1 the FB2500 s own IP address on that subnet is also created 8 2 2 Routing to an IP address gateway route Routes can be defined to forward traffic to another IP address which will typically be another router often also called a gateway For such a routing target the gateway s IP address is then used to determine how to route the traffic and another routing decision is made This subsequent routing decision usually identifies an interface or other data link to send the packet via in more unusual cases the subsequent routing decision identifies another gateway so it is possible for the process to be recursive until a real destination is found Example lt route ip 0 0 0 0 0 gateway 192 168 0 100 gt creates a default IPv4 route that forwards traffic to 192 168 0 100 The routing for 192 168 0 100 then has to be looked up to find 51 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Routing the final target e g it may be to an Ethernet interface in which case an ARP is done for 192 168 0 100 to find the MAC to send the traffic There is logic to ensure that the next hop is valid the gateway specified must be routable somewhere and if that is via an Ethernet interface then the endpoint must be answering ARP or ND packets If not then the route using the gateway is supressed and other less specific routes may apply 8 2 3 Special
241. l 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects route 105 route Optional unlimited Routes to apply to tunnel when up J 2 44 fb105 route FB105 routes Routes for prefixes that are sent to the FB105 tunnel when up Table J 60 fb105 route Attributes Attribute Type Default Description bgp bgpmode BGP announce mode for routes comment A Comme O S ip List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name lprofile NMTOKEN b __ Profilename source string Source of data used in automated config management J 2 45 ipsec ike IPsec configuration IKEv2 IPsec IKEv2 configuration Table J 61 ipsec ike Attributes Attribute Type Default Description allow List of Allow from List of IP ranges from which IKE IPNameRange anywhere connections are allowed force NAT List of List of IP ranges of peers requiring forced IPNameRange NAT T log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors trusted List of List of IP ranges given higher priority when IPNameRange establshing new connections comment string Comment source string Source of data used in automated config management Table J 62 ipsec ike Elements El
242. l renew the registration periodically to stay logged in and if it fails to do this then incoming calls will fail This process uses a username and password for security Obviously you also have to say where to register the proxy specifies IP address or host name of the SIP service with which you are registering and the registrar defines the hostname to use in the registration This process works well if the service does not have a fixed idea of where you are which is normally the case for SIP handsets Even on a local network the IP of the handset will normally be dynamically allocated with DHCP and for a SIP carrier the IP could be anywhere in the world Note It is possible to have a VoIP carrier that does have a pre set idea of where calls are to be sent and sends the calls without registration In this case there is no registration process but the handset device has to be able to accept calls from the carrier Again a username and password are used for security but this time it is the device checking the credentials of the carrier 16 2 2 Proxy To make an outgoing call via a SIP carrier you have to send the call details to a proxy In the case of the FB2500 acting as the carrier the same address is used for registrar and proxy The process uses a username and password in much the same way as registration and they are usually the same details This checks that the device is allowed to make the calls and allows right person to be bi
243. lds to more complex operation of your FireBrick At all stages we hope to provide a well written description of how to configure each aspect of the FireBrick and where necessary provide enough insight into the FireBrick s internal operation that you understand why the configuration achieves what it does 1 2 5 Document conventions Various typefaces and presentation styles are used in this document as follows www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Introduction e Text that would be typed as is for example a command or an XML attribute name is shown in monospaced_font Program including XML listings or fragments of listings are shown thus this is an example program listing printf Hello World n Text as it would appear on screen is shown thus This is an example of some text that would appear on screen Note that for documentation purposes additional line breaks may be present that would not be in the on screen text e Notes of varying levels of significance are represented thus colour schemes may differ depending on signficance Note This is an example note The significance is identified by the heading text and can be one of Tip general hints and tips for example to point out a useful feature related to the current discussion Note a specific but not critical point relating to the surrounding text
244. les Only matches where from an Ethernet interface Allows the source MAC if the initial packet to be checked for the initial bytes e criteria regarding where the target of the session is e target interface one or more interfaces e target ip target IP address or address range s e target port target protocol port number for protocols that use the port number concept e g TCP and UDP e general criteria e protocol the IP protocol number There are also checks for just ip being either source or target IP interface being either source or target interface A rule set can also be named by setting the name attribute value and enabled disabled under control of a profile The comment attribute is a general purpose comment field that you can use to briefly describe the purpose of the rule set Under the heading Individual rules first match applies you will see the list of session rules within the rule set A session rule is defined by a rule object which is a child object of a rule set object 46 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling Below the list of session rules you will see the no match action attribute which is mandatory and has one of the values shown in Table 7 1 Recall that this attribute specifies the action to take if all of the rules in a rule set have been considered and none of them matched against the traffic 7 3 3 1 Recommended met
245. lication of configuring additional devices It is possible to connect more than one PPP device to a single FB2500 port using an Ethernet switch If you do this then you ideally need a switch that handles VLANs see Appendix D if you are not familiar with VLANs so that each router can be logically connected to a different interface on the FireBrick It is also a good idea to have a switch that supports jumbo frames where the endpoint supports them FTTC FTTP and via suitable modems BT 21CN and TalkTalk Note This section contains information relating to access network services such as DSL and Fibre To The Cabinet available in the United Kingdom Although this information will not be directly applicable to services available in other countries the concepts are the same with appropriate knowledge of your ISP service and suitable equipment the FB2500 should work equally well with services that are available in other countries 11 1 Types of DSL line and router in the United Kingdom In the UK there are various types of DSL line and router than can be used Any device that supports PPPoE can work with the FireBrick but some options are only available with some devices as listed below e BT 20CN or 21CN lines can support PPPoE and PPPoA on the wire This means you can use them with a PPPoE A modem such as a Vigor V 120 out of the box or with a bridging router such as the Zyxel P660 configured in bridge mode BT support baby jumbo fr
246. linking Link up at 1Gbit s Tx or Rx Activity www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 40 Chapter 7 Session Handling This chapter describes sessions session tracking and how the rules for session creation can be used to implement Firewalling subject specific traffic flows to traffic shaping and perform address mapping techniques including conventional Network Address Translation NAT Session tracking is also involved in the route override functionality of the FB2500 this is covered in Section 8 6 7 1 Routing vs Firewalling A network router is a device whose role is to forward packets entering the device out onto an appropriate physical interface based primarily or solely on the destination IP address of the packets Typically the source address of each packet is not considered in the forwarding decision A firewall on the other hand is a device whose primary role is to filter traffic based on specified criteria Since most network communication between two end points is bi directional any such filtering must correctly handle the packets flowing in both directions that constitute a specific end to end flow for connection less protocols such as UDP or connection for connection orientated protocols such as TCP In practice a firewall appliance will have to make routing decisions too 7 2 Session Tracking Each flow or connection is identifiable by the s
247. lled for the call Tip You can have a case of incoming calls working and not outgoing which means registration has worked but somehow you have incorrect proxy details The other way around where outgoing calls work and 87 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP incoming do not would mean the registration is not working but the proxy details are correct The logging options can be very useful to help diagnose problems 16 3 Home office phone system The FB2500 can be used as an office phone system PABX which allows you to connect a number of handsets telephones in your office and make and receive calls from the telephone number using a subscription to a carrier over the Internet Traditionally a PABX would connect to one or more telephone lines whether analogue or ISDN and to a number of telephone handsets The PABX would allow internal calls handset to handset and external calls to and from the external phone lines It would have features like busy lamp fields and hunt groups The FB2500 does the same job as a traditional PABX but using IP Instead of phone lines or ISDN the external calls are handled via an Internet Provider ISP and a VoIP carrier This can allow many calls and phone numbers to be used and is generally a lot more scalable and flexible than traditional phone lines Instead of internal phone wiring to connect telephone handsets the FB2500 connects
248. llocation pool then the oldest expired allocation IP address is re used for the new client 6 3 2 1 Fixed Static DHCP allocations Fixed or static allocations can be achieved by creating a separate dhcp object for each such allocation and specifying the client MAC address via the mac attribute on the dhcp object The XML below shows an example of a fixed allocation note the MAC address is written without any colons and is therefore a string of twelve hexadecimal digits 48 bits This allocation also supplies DNS resolver information to the client 37 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets lt intertace esa lt dhcp name laptop ip 9 L18796 n81 mac 0090F59E4F12 dns 81 187 4242 81 197 96 967 log default gt mMennace gt Tip If you are setting up a static allocation but your client has already obtained an address from your FB2500 from a pool you will need to clear the allocation and then force the client to issue another DHCP request e g unplug ethernet cable do a software repair connection procedure or similar etc See the show dhcp and clear dhcp CLI commands in the Appendix H for details on how to clear the allocation Chapter 19 covers the CLI in general You can also Jock an existing dynamic allocation to prevent it being re used for a different MAC address even if it has expired 6 3 2 1 1 Spec
249. lly for a whole carrier This tracks the overall throughput for all of the lines This is useful simply for reporting and tracking but the aggregate graph can also have a speed setting This allows rate limiting to meet commit levels with carriers which can be very important where for example there is 100th percentile billing This also allows a damping setting to used Where the aggregate is hitting the limit all lines within that aggregate are reduced in their shaper settings by a percentage to damp the overall throughput The continued hitting of the aggregate increaes the percentage level Individual lines can be tagged high or low priority by RADIUS which affects the level of damping applied and so allows three grades of service when an aggregate link is full At each stage aggregate and per line the shaping still drops larger packets first making for a very effective way to manage overall traffic levels It is also possible to set a third level of aggregation where each connection can be placed in a group which is itself another CQM graph This can be useful for tracking and shaping at a per wholesale customer or customer grouping in some way 18 4 Authentication Normally an incoming connection uses RADIUS to obtain details of the IP addresses to use It is also possible for RADIUS to provide relay tunnel endpoint details to pass the connection on to another LNS In addition to RADIUS based authentication it is also possible to pre
250. ment Crash logs emailed to FireBrick Support gt lt log gt lt services gt O lt ntp timeserver pool ntp org gt lt telnet log default gt lt a gt lt dns domain watchfront co uk resolvers 81 187 42 42 81 187 96 96 gt lt services gt lt port name WAN portem IM gt lt port name LAN ports 21 gt lt interface name WAN port WAN gt lt subnet name ADSL pelos 06 130 lt interface gt lt interface name LAN QO port LAN gt lt subnet name LAN ES A SS lt dhcp name LAN IS SIS oa log default gt lt interface gt lt rule set name filters O no match action drop gt lt rule name Our Traffic source interface self comment FB originated traffic allowed gt lt rule name FireBrick UI target port 80 target interface self protocol 6 gt lt rule name ICMP protocol 1 log default gt lt rule name A11 outgoing 18 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration source interface LAN gt lt rule name FB access source interface LAN target port 80 target interface self HE comment FB web config access gt lt rule name final no match log default action drop comment Catch all sets default logging for no match gt lt rule set gt lt Come ig sets some general system parameters see Section
251. mmunity Community that must be present to match detag List of Community List of community tags to remove drop boolean Do not import export this prefix localpref unsignedInt Set localpref highest wins med unsignedInt Set MED name string Name no community Community Community that must not be present to match pad unsignedByte Pad prefix stuff our AS on export by this many can be zero to not send our AS prefix List of 1PFilter Prefixes that this rule applies to 170 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects source string Source of data used in automated config management tag List of Community List of community tags to add J 2 38 cqm Constant Quality Monitoring settings Constant quality monitoring graphs and data have a number of settings Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases Table J 50 cqm Attributes Attribute Type Default Description ave Colour 08f Colour for average latency axis Colour black Axis colour background Colour white Background colour bottom unsignedByte J11 Pixelsspaceatbottomof graph dateformat string Y Jom Zod Date format dayformat string ha Day format fail Colour red Colour for failed dropped seconds fail level u
252. mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes 180 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data used in automated config management J 2 50 ipsec manual IPsec manually keyed connection IPsec manually keyed connection configuration Table J 68 ipsec manual Attributes Attribute Type Default Description auth algorithm ipsec auth algorithm null Manual setting for authentication algorithm auth key hexBinary Manual key for authentication bgp bgpmode BGP announce mode for routes comment string Comment crypt algorithm ipsec crypt null Manual setting for encryption algorithm algorithm crypt key hexBinary Manual key for encryption graph token graphname Graph name internal ipv4 IP4Addr local ip Internal IPv4 for traffic originated on the FireBrick and sent down tunnel internal ipv6 IP6Addr local ip Internal IPv6 for traffic originated on the FireBrick and sent down tunnel local ip IPAddr Local end IP for tunnel local spi unsignedInt Not optional Local Security Parameters Index 256 65535 ipsec local spi localpref unsignedInt 4294967295 Localpre
253. ms and keys for integrity checking and encryption are selected The initiating end of the connection provides proposals of various combinations of algorithms it is willing to use and the responding end picks a suitable set The IKE implementation has built in default proposal lists which are suitable for normal use but for tighter control further proposals can be configured An IPsec IKE connection consists of two separate communication paths the IKE control security association and the IPsec data connection and these have separate proposals which are configured using the Proposal for IKE security association and Proposal for IPsec AH ESP security association sections See the later discussion on algorithms for further details 12 1 2 3 IKE connections To set up a new IKE connection select Add New IKE connections in the IKE configuration page There are a large number of options available for configuring a connection but the majority can usually be left at their default settings 12 1 2 3 1 IKE connection mode and type Three connection modes are currently supported Wait provides a dormant connection which will only be set up when the remote peer initiates the connection Immediate provides a connection wiich the local FireBrick attempts to initiate immediately On demand provides a connection which is only set up when the local FireBrick detects that it has traffic to send over the tunnel A Wait mode connection is useful when th
254. n a typical broadband network we don t have dialup modems in the same The modems are jumpered to the phone line at the exchanged and are part of an Access Node usually called a DSLAM or MSAN This then passes PPP packets on to a Remote Access Server usually called a BRAS The link from DSLAM to BRAS is typically PPPoE The BRAS acts as the LAC and connects to an ISPs LNSs PPPoE is PPP over Ethernet Some access networks use DSL to carry PPP packets directly PPPoA and some use the ADSL as an Ethernet Bridge PPPoE There are access networks which provide Ethernet by some means to the end user equipment which then commincations via PPPoE to the BRAS All of these work in much the same way at the BRAS as it sees PPPoE connections Typically the BRAS provides the initial proxy negotiation and then establishes an L2TP connection after which it is no longer involved in any negotiation but just passes on PPP packets each way 18 1 5 RADIUS Remote Access Dlual Up Server is a system that allows the authentication decisions and allocation of IP addresses to be passed on to separate servers rather than being configured in to the various equipment RADIUS uses UDP to send a request to a server and send a reply back RADIUS is used within carrier networks so that the BRAS can check to where it is to send an L2TP connection The RADIUS response can contain the tunnel details it needs including the authentication within L2TP RADIUS is also used betwe
255. n access level determines whether a user has read only or read write access to the configuration as shown in Table 4 2 below This mechanism can also be used to deny all access to the configuration using the none level but still allowing access to other menus and diagnostics This setting is distinct from and not connected with the login level described above You can use the access level to define for example whether a USER login level user can modify the configuration Typically an ADMIN or DEBUG login level user would always be granted full access so for ADMIN or DEBUG level user s the default of fu11 is suitable Table 4 2 Configuration access levels Level Description none No access unless explicitly listed view View only access no passwords read Read only access with passwords full Full view and edit access DEFAULT 4 1 3 Login idle timeout To improve security login sessions to either the web user interface or to the command line interface via telnet see Chapter 19 will time out after a period of inactivity This idle time out defaults to 5 minutes and can be changed by setting the timeout attribute value The time out value is specified using the syntax for the XML fb duration data type The syntax is hours minutes and seconds or minutes and seconds or just seconds E g 5 00 To set a user s time out in the user interface tick the checkbox next to timeout and enter a value in
256. n and communities localpref med etc are all unchanged 17 2 6 Well known community tags Specific well known communities are supported natively Some of these are set automatically based on peer type and can be explicitly removed using the detag action These rules are automatically checked for exporting routes unless overridden on the peer attributes Table 17 2 Communities Community Name Meaning FFFFFFO1 no export The route is not announced on any EBGP session other than confederation or where allow export is set FFFFFF02 no advertise The route is not considered part of BGP Whilst it is applied and used for routing internally it is not announced at all or considered to have been received for the purposes of BGP FFFFFF03 local as The route is only advertised on IBGP same AS sessions FFFFFF04 no peer This tag is passed on to peers but does not have any special meaning internally 17 2 7 Bad optional path attributes The BGP specification is clear that receipt of a path attribute that we understand but is in some way wrong should cause the BGP session to be shut down This has a problem if the attribute is one that is not known to intermediate routers in the internet which means a bad content is propagated to multiple routers on the internet and they will drop their session This can cause a major problem in the internet To work around this have by default ignore bad optional partial
257. n be used They all use a key which is known only to the two ends of the communication The key is typically a sequence of random looking bytes usually expressed in hex notation Integrity checking on its own does not stop someone snooping on the contents of the packets it just makes sure that they are not tampered with on the way as only someone with knowledge of the key could change the data without invalidating it 12 1 1 2 Encryption The purpose of encryption is to change the data when it is sent such that nobody snooping on the packet can make sense of it There are different algorithms offering different levels of security Encryption similarly involves a key which is known only to the two ends of the communication 63 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels IPsec provides two ways to encapsulate data AH Authentication Header which integrity checks the packet data and also some of the header fields IP addresses and ESP which both encrypts and integrity checks the payloads 12 1 1 3 Authentication Authenticaion is a mechanism for ensuring that the two end users of a communication channel trust that they are who they think they are Neither encryption nor integrity checking alone can do this To ensure that you are talking to the correct person and not someone else masquerading as them and to be sure nobody else can read your communications you need to be sure
258. n level vocoder cosy a n ag ceaeuesdereguegdavesesawen ries 195 J 100 syslog severity Syslog severity dne n e EE EEEE e ESAO ES EEEE Sara EEEE 195 xvii www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual J 101 syslog facility Syslog facility sesona ae E R E E E EEKE SE AS 196 J 102 month Month name 3 letter oocoocococnccnononncnoncnncnoncnncnonnnncncrncnnnnrncnnrnnrnnncnnnncnnnnnncnninnnns 196 J103 day Day name 3 Tetter A e A G Ee e E TEATA EER 197 J 104 radiuspriority Options for controlling platform RADIUS response priority tagging 197 J 105 radiustype Type of RADIUS server ccc cece E N EE E a ESTEE RS E SE 197 3 106 port Physical POC idas 198 J 107 Crossover Crossover COnfiguration ocoooccoccnncnnncnnocnnccnnconnconnccnnccnnconnconncrnncnnncnnnrnnrenaraninnnss 198 J 108 LinkSpeed Physical port speed ooocococnnccnnccnncnnocnnccnnccnnconnccnnconnconnconncnnnrnnnrnnrnnnrnnccnncinniinn 198 J 109 LinkDuplex Physical port duplex setting coooconoccnccnnccnnocnncnnnrnnocnnncnnccnnccnnccnnconnconncnnncnnnes 198 J 110 LinkFlow Physical port flow control setting ooooccccccnccnnccnnccnnccnnccnnconoconncnnncnnncnnrnnnronicnno 198 J 111 LinkClock Physical port Gigabit clock master slave setting oooocoooccnnconoconcconocnnocnnccnnccnacnnns 199 J112 LinkLEDs LED settings ai Di ad iD 199 J 113 LinkPower PHY p
259. n memory in the web browser itself and are committed back to the FireBrick only when you press the Save button The navigation button area shown in Figure 3 8 also includes three other buttons e New creates a new instance of the object type being edited the new object is inserted after the current one this is equivalent to using the Add link one level up in the hierarchy e Erase deletes the object being edited note that the object will not actually be erased until the configuration is saved e Help browses to the online reference material as desribed in Section 3 2 1 for the object type being edited 15 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Caution If you Add a new object but don t fill in any parameter values the object will remain in existence should you navigate away You should be careful that you don t inadvertently add incompletely setup objects this way as they may affect operation of the FireBrick possibly with a detrimental effect If you have added an object perhaps for the purposes of looking at what attributes can be set on it remember to delete the object before you navigate away the Erase button see Figure 3 8 is used to delete the object you are viewing 3 4 4 Backing up restoring the configuration To back up save or restore the configuration start by clicking on the Config main menu item This will show a page
260. n teuoessumeceepteande pp ENE aorta sgh Sumas sen tees 55 9 2 4 Manual oyerride eri a adh beh ated oak A ad 55 IS NS 37 10 1 Graphs and Shapers ssh cgus recites Ad eed 57 LOS RE E iieo i E EAE EE E EEE EAEE EEE 57 10 12 Shapers ei e E e A A E RN 58 10 13 Ad HOC Shapers rioan ea a a E E E a e 58 101 4 Long termi shapers ecne ni rE a T ah E O EE E TEO E RN ESS 58 10 2 M l ple shapers sssr e iao aE e See tien AAEE AANE EI R Ee E 59 10 37 Basic principles iS O TEE E A As 59 11 PPPOE Atiye li wot ae a EEA Sea e aS aE ANE rom NE E 60 11 1 Types of DSL line and router in the United Kingdom oooccoccnccnnccnnccnnconnccnnccnnconnconacinicos 60 11 2 Definining dd A a o oe EERIE awed dest ORA EEEE 61 UDEV PEP VG ciety assess E E A Feb este watedeh a eNOS NG ee Ge GaSe RN eet eee pone 61 11 2 2 Additional Options ee enese dou ngdendache dad an besdoes Gouless tebe saeeteveodas aw S S 61 112 21 MPU and PCP TX ts a ai a eects 61 1 1 2 2 2 Service and ac Name teria toria pesada tees 62 E TR O ta ese Sueded 62 11 2 2 4 Speed and graphs istmo drena E ag veian dee dees ce E 62 TD O soar beset A A O ie tele O E 63 121 IPsec AP Security osn a r EEE t E 63 A Introduction s eene A AO 63 FZI I Integrity checking ic is 655 chaser a ee a E Sas E O AEE aS 63 121 2 BNCry PO ct E E O N 63 IZ ElI A thentc ti on arrn e E E E Ea E ESET NEE 64 12 1 2 Setting up IKE managed IPsec connections ooocccoccnnccnnccnncnnncnnnconnconaconocnnccnar
261. n the first instance to the documentation described in Section 3 2 1 below If that information doesn t help you and you think the attribute s may be relevant to implementing your requirements please consult the usual support channel s for advice www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration 3 2 1 Formal definition of the object model The object model has a formal definition in the form of an XML Schema Document XSD file which is itself an XML file normally intended for machine processing A more readable version of this information is available in Appendix J Note however that this is reference material containing only brief descriptions and intended for users who are familiar with the product and in particular for users configuring their units primarily via XML The XSD file is also available on the software downloads website by following the XSD link that is present against each software release 3 2 2 Common attributes Most objects have a comment attribute which is free form text that can be used for any purpose Similarly most objects have a source attribute that is intended for use by automated configuration management tools Neither of these attributes have a direct effect on the operation of the FB2500 Many objects have a name attribute which is non optional and often needs to be unique within the list of object This allows the named object to be refere
262. name protocol List of unsignedByte Protocol s 1 ICMP 6 TCP 17 UDP set gateway IPAddr New gateway set graph string Graph name for shaping logging if not set by rule set set nat boolean Changed source IP and port to local for NAT source string Source of data used in automated config management source interface List of NMTOKEN Source interface s source ip List of Source IP address range s IPNameRange source port List of PortRange Source port s target interface List of NMTOKEN Target interface s target ip List of Target IP address range s IPNameRange target port List of PortRange Target port s 186 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Table J 83 session route rule Elements Element Type Instances Description share session route share Optional unlimited Load shared actions J 2 61 session route share Route override load sharing Route override setting for load sharing Table J 84 session route share Attributes Attribute Type Default Description comment string Comment profile NMTOKEN Profile name set gateway IPAddr New gateway set graph string Graph name for shaping logging if not set by rule set set nat boolean Changed source IP and port to local for NAT weight positiveInteger 1 Weighting of load share J
263. nced from other attributes The data type for these is typically an NMTOKEN which is a variant of a string type that does not allow spaces If you include spaces then they are removed automatically This helps avoid any problems referencing names in other places especially where the reference may be a space separated list Many objects have a graph attribute This allows a graph name to be specified However the actual graph name will be normalised to avoide spaces and limit the number of characters Try to keep graph names as basic characters letters numbers to avoid confusion 3 3 Configuration Methods The configuration objects are created and manipulated by the user via one of two configuration methods e web based graphical User Interface accessed using a supported web browser e an XML eXtensible Markup Language file representing the entire object hierarchy editable via the web interface or can be uploaded to the FB2500 The two methods operate on the same underlying object model and so it is possible to readily move between the two methods changes made via the User Interface will be visible as changes to the XML and vice versa Users may choose to start out using the User Interface and as experience with the object model and the XML language develops increasingly make changes in the XML environment For information on using XML to configure the FB2500 please refer to Section 3 5 3 4 Web User Interface Overview This sect
264. nd Y YY Y MM DDTHH MM SS 183 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 2 54 profile time Test passes if within any of the date time ranges specified Time range test in profiles Table J 74 profile time Attributes Attribute Type Default Description comment string Comment days Set of day Which days of week apply default all start time Start HH MM SS stop time End HH MM SS J 2 55 profile ping Test passes if any addresses are pingable Ping targets Table J 75 profile ping Attributes Attribute Type Default Description flow unsignedShort Flow label IPv6 gateway IPAddr Ping via specific gateway bypasses session tracking if set ip IPAddr Not optional Target IP source ip IPAddr Source IP ttl unsignedB yte Time to live Hop limit J 2 56 shaper Traffic shaper Settings for a named traffic shaper Table J 76 shaper Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description comment string Comment name token graphname Not optional Graph name rx unsignedInt Rx rate limit target b s rx max unsignedInt Rx rate limit max rx min unsignedInt Rx rate limit min rx min burst duration Rx minimum allowed burst time rx step unsigne
265. need to be fragmented tcp mss fixcan be set to attempt to avoid fragmentation in TCP sessions by adjusting the TCP SYN header so that the negotiated TCP MSS will fit in the tunnelled MTU 66 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels log log error and log debug can be used to steer IKE logging information which is specific to this connection to a selected logging target 12 1 2 3 7 NAT Traversal Devices performing NAT Network Address Translation on the path between the connection peers can cause difficulties with IPsec operation Since NAT changes source IP addresses and these are checked if a type AH connection is used AH is incompatible with NAT A NAT device usually requires regular traffic to ensure dynamic address and port mappings are maintained Additionally some NAT devices incorrectly attempt to modify IPsec traffic en route IKE attempts to work around these problems by detecting whether there are any NAT devices in the transmission path and modifying its behaviour accordingly IKE ESP traffic is encapsulated in UDP packets using port numbers which faulty NAT devices will not treat specially and keepalive packets are sent Additionally IKE will notice if a peer behind a NAT suddenly changes its IP address as would happen eg if a NAT device was rebooted and lost its NAT mappings This mechanism known as NAT Traversal is normally automatic if it is supported by the
266. nel of any sort there can be an aggregate shaper for the tunnel e g the broadband carrier There can also be a class applied to the session which is an aggregate shaper for an arbitrary group of sessions often used when reselling broadband e When passing through an L2TP tunnel the session typically has a graph and shaper based on the circuit ID which is specifc to that session This is important for bonding multiple sessions as it controls the levels of traffic sent via each session Obviously traffic could come in via one L2TP tunnel and go back out via another incurring yet another set of shapers as above e PPPoE links can also have a defined shaper which is important when bonding multiple links as it is used to decide how much traffic goes via each link e It is possible to create a bonded gateway route where multiple routes exist for the same target typically a default gateway and each route as a speed set which is itself a shaper This is used to control how much traffic goes via each of the bonded routes You simply create more than one route object with a speed or graph setting The egress interface can have a defined shaper 10 3 Basic principles Each shaper tracks how far ahead the link has got with traffic that has been recently sent This depends on the length of packets sent and the speed of the shaper This is essentially tracking how much is likely to be queued at a bottleneck further on The FB2500 does not dela
267. ng graphs and graph names 0 ieee cence eee ce ence ENE E E EE T EE 147 J Configuration Objects centers dey dacn es out dengan eddie inn detailed 148 JAS POp level cle cetiteincte Gores Id 148 J11 contig Top level COM recontra ont ven init EE EAEE 148 FROM eLo IE dde 149 3 2115 y Stem SY Stemi Settings coccion lia testi did 149 32 20 mk Web anks la iia 150 UI A O 150 J24 108 OB target COn to Sii iota dy pi a a nc ve dass te E eos EE INN 150 J 2 5 log syslog Syslog logger settings oooocoocccnccnnconnconoconconoconoconocnnronacnnccnnccnninnno 151 J 2 6 log email Email logger settings cooocococonoconccnnocnnonnncnnocnnccnnconnccnnconnconaconicinoss 151 VIENES AA A Assay eee Shen A ESEE SA Ere 152 J 2 8 snmp service SNMP service settings oocooccccccnccnnccnnccnnccnnccnnconnconnconncnnncnnncnnronoss 152 J 2 9 ntp service NTP service Settings sesocan aee eae aaia Enay 153 J 2 10 telnet service Telnet service settings oooccooconoconccnnocnnncnncnnncnnncnnncnnconnconnccnncons 154 J 2 11 http service HTTP service settings 0 0 0 0 cece cece cee ceeeceeecaeeea seca a ecu eegs 154 J 2 12 dns service DNS service settingS 2 0 0 0 cece cece cece eee E E cece cece eene E E s 155 J 2 13 dns host Fixed local DNS host settings 1 0 0 0 cece cee cee ce eece seen eecaeeea sean eeaes 155 J 2 14 dns block Fixed local DNS blocks ooocoooccccccnccnnconoconccnnconnconnccnnccnnconnconaconncos 156 J 2 15
268. noccconococonocononorononororo nano ro nro ronroro nro E E 137 H 1 15 Show DNS TeSO VETS saniser ri A Oro cti riera 137 H 2 Networking Commands osier an seeds decency talado adas e dada e 138 A A O 138 2 22 Pino and Hacen A A A OA 138 H 2 3 Show a route from the routing table oooccnoccncconoconcconccononononnncnnacnnccnncinncnnno 138 2 ARIAS TOUS A A Unive ewen ge TE E T cde laos veeaemprenctes 138 H23 List routing next A O 138 H 2 6 See DHCP allocations pvc iaa cis ee 139 H 2 7 Clear DHEP allocations sisane n ae E coe ban ceue stew es wel hea noah baas seco EA AIEE N 139 H 2 8 Lock DHCP allocations enan noera e AEE EE EEEE Ene TA EEA 139 H 2 9 Unlock DHCP allocations asr a ena E EEE JEDE EERTE ES 139 H 2 10 Name DHCP allocations iaon iria ende uy te E ER nea dales 139 H2 11 Show ARP ND Status aren a a dida 139 H 2 12 Show VRRP Stalin 139 H 2 13 Send Wake on LAN packet vosen ae e e ae o e aS S 139 H3 Fire walling COMMON SER 140 A E ACCESS torseryiCe S oiya a NE a E EE R A E 140 H 3 2 Check firewall logicei i a io add 140 H4 A ae ster E REEE E EEEE R TEE ENEA NEE 140 H5 BGP commands Mii A as 140 H6 gt PEPOE commands en nae e tas Gane e A E aa aee NT a a Ma a Ee a A 140 H 4 VolP commands menee e i E EEE E E rE E EE A E RRE 140 HS Advanced commands rretra a a da a Eeee aa a R yia 140 HS Te PANIC A ub late deh A ARA 140 H 8 2 RN 141 H 8 3 Screen width aisinar eit nal ARE EAT beeen tice dead A EAT tot e
269. ns 5 cs ses sac esssessesdeteaseosseupseyacesshseSaseds dectesd ONTE EESE ENTIRE Snai ERES 3 1 2 6 Comments and feedback 20 0 0 eee cence cece cece E EEEE E a E TAERE Eire 4 1 3 Additional Resources inisi 055 sit8y Pa a E ia POETA Saag ass Pastas anatase 4 1 3 1 Technical Support inoseni aeo E cota ceded ieee ES EEE EEEE OES 4 1 3 2 IRC Channel ceci E S ERRE EESE EEE PRSES di 5 1 3 3 Application Notes s2 053 soci ere eene as Sed och KEETE EE EE E E ESEE EEEE ES 5 1 3 4 White Papers sia eiae isa tii E E E E TE SIES 5 1 3 5 Training Courses inris e e EEE EE E EE E EE E EES 5 PS O 6 2 1 IP A NN 6 2 2 Accessing the web based user interfaces issart n nena T E 6 2 2 l Add a TE WAUSEL io tn Teo E A EEEE EET EI a TEN 7 Es Sashes stboetg oes EErEE NECESE E Orisa E PECET seuss sysen ves eeteadseereudseeosessesyoes 9 3 1 The Object Hierarchy soi isise ote eae E EEE S ETETE E EEEE E e EEA 9 3 2 The Object Model iiis it va E E E E ae 9 3 2 1 Formal definition of the object model 2 0 0 0 ec ee cence eece teen eeca seen sean eeneees 10 3 2 2 AAA seeds r reii esd ce uses s ces ES EE saebeeeseesdeadessorseese Sieedessbeaes 10 3 3 Configuration Methods cess r s r E EE E E RE anal sen decesus evencsbinyeces tans 10 3 4 Web User Interface Overview temita ls is pando E 10 34 1 User Interface layout spisi ea eed EEES ie 11 3 4 1 1 Customising the layout s sss csi ds sctes ose sepseng esros E EErEE NECE SE incre EEE NS 11 3 4 2 Config
270. nses for i e addresses already in use perhaps through a static address configuration on a machine The XML below shows an example of an explicitly specified DHCP pool lt interface gt lt dhcp name LAN A 72 30 16 50 80 log default gt lt interface gt Tip When specifying an explicit range of IP addresses if you start at the network then the FB2500 will allocate that address Not all devices cope with this so it is recommended that an explicit range is used e g 192 168 1 100 199 You do not however have to be careful of either the FireBrick s own addresses or subnet broadcast addresses as they are automatically excluded When using the default 0 0 0 0 0 range network addresses are also omitted as are any other addresses not within a subnet on the same interface Every allocation made by the DHCP server built in to the FB2500 is stored in non volatile memory and as such will survive power cycling and or rebooting The allocations can be seen using the DHCP item in the Status menu or using the show dhcp CLI command If a client does not request renewal of the lease before it expires the allocation entry will show expired Expired entries remain stored and are used to lease the same IP address again if the same client as identified by its MAC address requests an IP address However if a new MAC address requests an allocation and there are no available IPs excluding expired allocations in the a
271. nsignedInt J1 Fail level not expected on low usage fail level1 unsignedByte 3 Loss level 1 fail level2 unsignedByte 50 Loss level 2 fail score unsignedByte 200 Score for fail and low usage Ifail scorel unsignedByte 100 Scoreforon abovelevell fail score2 unsignedByte 200 Score for on above level 2 fail usage unsignedInt 128000 Usage below which fail is not expected fblogo Colour bd 1220 Colour for logo Jeraticule Colour grey Graticulecolour 0 heading string Heading of graph hourformat string H Hour format key unsignedByte 90 Pixels space for key llabel ave string JAw Labelforaveragelatency label damp string Damp Label for shaper damping label fail string Fail Label for seconds failed label latency string Latency Label for latency label max stings Max Label for maximum latency label min string Min Label for minimum latency label off string Off Label for off line seconds label period string Period Label for period llabel poll sting Pols Label for polls ti i s SCSC d label rej string Reject Label for rejected seconds label rx string Rx Label for Rx traffic level label score string Score Label for score llabel sent string Sent Labelforseconds polled 171 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects label shaper string Shaper Label for shaper
272. nterface can span either a single port or a user defined group of ports When a port group is defined the ports in the group work as a conventional Layer 2 network switch directly transferring traffic at wire speed that is destined for a Layer 2 address that is present on one of the other ports in the group Conversely multiple interfaces can be implemented on a single physical port via support for IEEE 802 1Q VLANs ideal for using the FB2500 with VLAN capable network switches In this case a single physical connection can be made between a VLAN capable switch and the FB2500 and with the switch configured appropriately this physical connection will carry traffic to from multiple VLANs and the FB2500 can do Layer 3 processing routing firewalling etc between nodes on two or more VLANs 1 1 4 Differences between the devices in the FB2x00 series The main difference between the two devices in the series is that the FB2500 can route traffic at up to only 100Mb s whilst the FB2700 is faster typically up to 350Mb s The other advantage the FB2700 offers is that you can directly attach an ordinary 3G dongle via the USB port on the front and use a mobile data connection this is typically used as a back up for a DSL line 1 1 5 Software features The FB2500 has a simple two level software feature set Devices are graded as base models or fully loaded models The base model lacks a few of the features such as BGP L2TP and various bond
273. nth Month name 3 letter pesses cece ccec cece cece cence cece eens Er E ES 196 J3 7 day Day namex 3 letter is ei nec As a et es eek 197 J 3 8 radiuspriority Options for controlling platform RADIUS response priority tagging 197 J 3 9 radiustype Type of RADIUS server oocoocccoccnnccnnconnconnconncnnncnnncnnncnnccnncnnccnncinniinno 197 J 3 10 port Physical port iii p o rante diia aser iron 198 J 3 11 Crossover Crossover Configuration coooccconoccnncononoconnnccnnnccnnnnconnncnnnnccnnnncnoncnns 198 J 3 12 LinkSpeed Physical port speed sss sesse enonse ene eieae ess eerie Sn S 198 J 3 13 LinkDuplex Physical port duplex setting ooocoooccnccnncnnncnnccnnccnnconnconnconnconnconnoos 198 J 3 14 LinkFlow Physical port flow control setting oooccocccoccnnconnccnncnnnconoconiconiconnss 198 J 3 15 LinkClock Physical port Gigabit clock master slave setting cceeceeeeeee eee 199 xii www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual J3 16 oink LED ED Setings oeo e sede sey E EE E ERN EES O EA PEES 199 J 3 17 LinkPower PHY power saving Options coooccocccoccncccnocnnccnnconnconncconccnncnnaconaconase 200 J 3 18 LinkFault Link fault type to send ocoocccoccnnccnnconnconnconnconoconncnnonnnronnconccnncinninnno 200 J 3 19 ramode IPv6 route announce level 0 eee cece ee ce eeceeeceeeea essa esau sean eeaes 200 J 3 20 dhcp
274. o it is important to connect your laptop etc to the FB2500 after removing the looped cable and not power cycle in between If you do not save a new configuration at this stage then the FB2500 will revert to the existing saved configuration when next powered up or restarted It is also possible to recover the configuration stored in flash memory if you know an administrative username and password for it this gives you an opportunity to correct a configuration such as where you had made a change that prevented you from accessing the FB2500 A 1 Other types of reset To factory reset permanently follow the same process but with ports 1 and 2 looped this will overwrite the configuration stored in flash memory so use this reset method with caution To temporarily revert the configuration to the last but one saved config follow the same process with ports 1 and 3 Again if the FB2500 if reset before saving a new config it will revert to the last saved config again 111 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix B CIDR and CIDR Notation Classless Inter Domain Routing CIDR is a strategy for IP address assignment originally specified in 1993 that had the aims of conserving the address space and limiting the growth rate of global routing state The current specification for CIDR is in RFC4632 http tools ietf org html rfc4632 The pre CIDR era CIDR replaced the original
275. o make a valid URL either escape the prefix or omit it If any of these are included then only those that are included are shown If just fieldname is specified then the default colour is applied The text on the right shows what fields are included and their colour key Table I 2 Colours Key Colour Defines colour for minimum latency Defines colour for average latency Defines colour for max latency Defines colour for upload rate Defines colour for download rate Defines colour for sent echos Defines colour for rejected echos Defines colour for failed no response echos Oo zm oo 4 x gt z Defines colour for off line 144 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Constant Quality Monitoring technical details 1 3 2 Additional text Additional text is shown on the graph based on the values in the configuration if not specified There are 4 lines on the top left in small text and two heading lines top right in large text Table 1 3 Text Key Text Z Clean output clears all additional text fields Clean and clear as z but also sets inside background and off line colours to transparent so graphs are easy to merge with those other LNSs C Line 1 top left text default if not set in config is system name c Line 2 top left text N Line 3 top left text n Line 4 top left text H Main heading
276. o serve or our IP if omitted name List of string Not optional Host names can use as a part of a domain profile NMTOKEN Profile name restrict List of List of IP ranges to which this is served IPNameRange reverse boolean Map reverse DNS as well 155 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects source string Source of data used in automated config management ttl unsignedInt 60 Time to live J 2 14 dns block Fixed local DNS blocks DNS forwarding resolver service Table J 19 dns block Attributes Attribute Type Default Description comment string Comment name List of string Not optional Host names can use as a part of a domain profile NMTOKEN Profile name restrict List of List of IP ranges to which this is served IPNameRange source string Source of data used in automated config management ttl unsignedInt 60 Time to live J 2 15 radius service RADIUS service definition RADIUS server and proxy definitions Table J 20 radius service Attributes Attribute Type Default Description acct port unsignedShort 1813 Accounting UDP port auth port unsignedShort 1812 Authentication UDP port authenticator boolean Require message authenticator backup ip List of IPNameAddr Target IP s or hostname for backup L2TP connection class string
277. o useful to the back haul provider which is often a separate company e g BT or Be We recommend that you consider providing access to graphs for live circuits and archived data to your back haul provider when discussing faults with them FireBrick are working with several ISPs to ensure back haul providers are aware of the CQM graphs and how to use them to assist in diagnosis 1 2 Access to graphs and csvs Graphs can be accessed by http using the normal web management interface This can be used as a direct link from a web browser or using common tools such as curl and weet The web management interface services http define the port and allowed user list and also a trusted IP access list The CQM config defines a secret which is used to authorise untrusted access using an SHA1 hash in the URL All CQM URLs are in the cqm path 1 2 1 Trusted access To access a graph you simply need to request the URL that is the graph name followed by the file extension E g http host port cqm circuit png Table I 1 File types Extn Format png PNG image CSV COMMA separated values list tsv TAB separated values list txt SPACE separated values list xml XML data 143 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Constant Quality Monitoring technical details 1 2 2 Dated information Without any date the data returned is the latest For csv it is all data
278. odule name in entries sent via syslog Syslog logging is very quick as there is no reply and syslog servers can be easily setup on most operating systems particularly Unix like systems such as Linux Note Older syslog servers will typically show time and hostname twice and will need upgrading 30 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Event Logging The module name refers to which part of the system caused the log entry and is also shown in all other types of logging such as web and console To enable log messages to be sent to a syslog server you need to create a syslog object that is a child of the log target Log object You must then specify the DNS name or IP address of your syslog server by setting the server attribute on the syslog object You can also set the facility and or severity values using these attributes facility the facility to be used in the syslog messages when syslog entries are generated by subsystems or processes in a general purpose operating system the facility typically identifies the message source where the commonly used facility identifiers are not suitable the local0 thru local7 identifiers can be used If the facility attribute is not set it defaults to LOCALO e severity the severity value to be used in the syslog messages if not set the severity defaults to NOTICE The FB2500 normally uses the standard syslog port num
279. og log Optional up to 50 Log target controls loopback loopback Optional unlimited Extra local addresses network network Optional unlimited Locally originated networks nowhere blackhole Optional unlimited Dead end icmp error networks ping ping Optional up to 100 Base ping graph settings port portdef Optional up to 4 Port grouping and naming ppp pppoe Optional up to 10 PPPoE settings profile profile Optional unlimited Control profiles route route Optional unlimited Static routes route override rule set route override rule set Optional unlimited Optional unlimited Routing override rules Firewall mapping rules www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 148 Configuration Objects services services Optional General system services shaper shaper Optional unlimited Named traffic shapers system system Optional System settings user user Optional unlimited Admin users voip voip Optional VoIP config J 2 Objects J 2 1 system System settings The system settings are the top level attributes of the system which apply globally Table J 3 system Attributes Attribute Type Default Description comment string Comment contact string Contact name dos delay unsignedInt 2 Interrupt DoS restoration counter leave a
280. oints to which they can send requests One for master and one for backup Whilst the FB2500 will answer RADIUS on any of its IP addresses we know some carriers have issues using the interlink IP addresses We recommend you create two additional loopback addresses for session steering RADIUS These addresses are configured as a BGP announced loopback address You can use MEDs to steer which IP is on which LNSs If you have more than two LNSs you can ensure that the same IPs are announced from more than one LNS and let BGP decide which LNS gets the RADIUS requests RADIUS is a simple question and answer protocol so it does not matter which LNS gets the request The session steering configuration Platform RADIUS is very flexible We suggest you use the same configuration on each LNS so that the replies are consistent regardless of where the request goes The reply says where to connect the session as well as hostname and password to use The reply can be a single LNS or can be more than one reply with a priority tagging if the carrier supports this The FB2500 can pick an LNS randomly from a set or pick one based on a hash of the username part of the username or circuit ID This can be useful when multiple lines are in a bonded arrangement where using the same prefix on a username ensures all of the connections are steered to the same LNS for bonding If you have a lot of LNSs we recommend an N 1 arrangement E g if you have 4 LNSs you may set your
281. ol messages Only RTP audio using a law 20ms is supported This is generally compatible with all carriers and devices and provides high quality audio Out of band DTMF is accepted using SIP INFO or RFC2833 DMTF can be sent using RFC2833 or generated a law in band audio Error responses to REGISTER INVITE from non local devices are not normally sent this is against the SIP protocols but avoids issues with port scanning systems looking for VoIP platforms This can make diagnosis of incorrect settings harder The design is intended to work with all common VoIP handsets and carriers If you experience any difficulty with a carrier or a VoIP device please contact the FireBrick support team ideally with a full debug log 16 16 Custom tones The configuration also allows customised tones to be generated You can replace these with your own versions The format for a tone is either a single tone or a series of duration tone sections In a sequence you can use duration for a period of silence A duration is a number and then ms and a fone is a frequency or frequency frequency for mixing two tones Each frequency is a number of Hz and can have a volume suffix which is and a number if dB The tone can be followed by if you want it to be shaped rise at start and fall at end Table 16 4 Default tones Tone Plan silence 100ms 96 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299
282. on IKEV2 oooooccnnccncnoccnnnccnnnccnnnconnccnnnncinnncccnnccnns 178 J 2 46 ike proposal IKE security proposal ooocoocccccnnccnnccnnconnconncnnnconnconncnnncnnncnaronoso 178 J 2 47 ipsec proposal IPsec AH ESP proposal ooocccoccnnccnnccnnconnconoconncnnncnnnonnncnaronicnnos 179 J 2 48 ike connection peer configuration 2 0 0 0 eee ee cece eee ce ence eeceeeceeeea essa eeea eens eeaes 179 J 2 49 ipsec route IPsec tunnel routes 2 0 0 0 cece e cece eee eeeeea cece eeae eens eens eeneeeeeeeees 180 J 2 50 ipsec manual IPsec manually keyed connection e cee ceee cece ceeeee seca eee eene eens 181 J 2 51 ping Ping graph defimition sspe eee cece cee EE RNE p seca REES SEERE 182 J 2 52 profile Control profiles asii nodes voce deh as ee bee wee des ad es geet 182 J 2 53 profile date Test passes if within any of the time ranges specified 00 0000 183 J 2 54 profile time Test passes if within any of the date time ranges specified 184 J 2 55 profile ping Test passes if any addresses are pingable cocoonccnnccconoccnnncccnnccnnnns 184 3 2 56 shaper Trafic Shape E E E a Gy 184 J 2 57 shaper override Traffic shaper override based on profile oooonccocccnccnnccnnccnncono 185 3 28 1P 2100p TP Group vist stiches ses E ieee dt utah des ETE E E O E chan EEEN 185 J 2 59 route override Routing override rules cece eee eee ceee ca eece cece cena eeueeeneeen eens 1
283. on ise So nege sE aTi ESEE EE PEIRES S NEOS EEES aE e 12 3 4 The Setup Category ieska r E EE EE E EEO E EAE EK EEES OES 13 33 Editins an Interface OBJECT deerant e ea o e atte sos E E E E T a EE ESES 14 3 6 Show hidden attributeS oscri he E EEEE EE EEE EE ES E E 14 3 72 Attribute definitions eos ita ii E EENES ETUE EESTE SEEE SPEEN TEES KEUSES iii 14 3 8 Navigati n controls Leo SEEVE EE EE eE E EEA REEE EOE EE KEE EESE hh 15 4 1 Settna up NEW USER asesoris ninne EE E E e e a E E EE E S 21 4 2 Software upgrade available notification 2 1 0 0 eee cece cence ence ence ence eeeeeceeeseeeeaeeea seen eeu eeae esas 26 4 3 Manual Software upload isr isses oirne priar pE A E Eaa E I ERE Ia EPES EEE ARSE oee PESAS 27 7 1 Example sessions created by drop and reject actions 20 0 0 cece cece scence nce neeeeeeeeeeeeeeeeseaeeeaes 43 7 2 Processing flow chart for rule sets and session rules ooocoooconccnnncnnccnncnnncnnocnnccnnconnccnnccnnconncnnncos 45 C 1 Product label showing MAC address range oocoooccnnccnnconoconecnnncnnnnnncnnnronnrnnconnconnccnnccnnccnncinncos 114 xiv www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 List of Tables 2 1 Praddresses for cOMpuUter 4 j2isssis secs dario sora vinieran Ear E E ES 6 2 2 IP addresses to access the FireBrick sissies ee cence eee eeea ceca ceca eens eeu EEE EEE EEE 6 2 3 IP addresses to access the FireBrick 202 5005 ccovis ssics
284. only boolean true Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors ntpserver List of IPNameAddr ntp firebrick ltd uk List of time servers IP or hostname from which time may be set by ntp poll duration 1 00 00 NTP poll rate profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable tz1 name string GMT Timezone name tz1 offset duration 0 Timezone 1 offset from UTC tz12 date unsignedByte 1 31 25 Timezone 1 to 2 earliest date in month datenum tz12 day day Sun Timezone 1 to 2 day of week of change tz12 month month Mar Timezone 1 to 2 month tz12 time time 01 00 00 Timezone 1 to 2 local time of change tz2 name string BST Timezone 2 name tz2 offset duration 1 00 00 Timezone 2 offset from UTC tz21 date unsignedByte 1 31 25 Timezone 2 to earliest date in month datenum tz2 1 day day Sun Timezone 2 to day of week of change tz21 month month Oct Timezone 2 to 1 month 153 Configuration Objects tz21 time time 02 00 00 Timezone 2 to 1 local time of change J 2 10 telnet service Telnet service settings Telnet control interface Table J 14 telnet service Attributes routetable Attribute Type Default Description allow List of Allow from List of IP ranges from
285. onnection to limit the prefixes accepted from the carrier or announced to the carrier An alternative approach is to configure the interlink interface on a separate routing table The FB2500 can have separate routing tables which act as completely separate internets Using a separate table means you do not have to worry about what prefixes are announced on the BGP link as they will only apply to that routing table 106 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Internet Service Providers Whilst we would recommend using a BGP connection like this if the carrier does not handle BGP then you will need static routes Using a separate routing table can make this much simpler as you can set a default route to the carrier gateway on the interlink subnet If using a separate routing table you have to take care to correctly configure the routing table on the interface BGP RADIUS L2TP and loopback configuration elements 18 8 3 RADIUS session steering We recommend using RADIUS session steering with the carrier if they support it Session steering means that the carerier sends a RADIUS request to the ISP before connecting each session by L2TP The reply steers the connection to a specific LNS Session steering gives a lot of control to the ISP and is ideal if you operate bonding connections where multiple links need to use the same LNS The carrier will typically expect you to have two RADIUS endp
286. onoso 64 12 1 2 1 Global IKE parameters nni nn R R A E R 64 12 0220 IKE proposal it E N E tle Seth te hari 65 vi www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual 12 123 IKE CONNECTIONS 34 345 docto oe tute obs ween E EEE ANSE ESER SE EN 65 12 1 2 3 1 IKE connection mode and type cece cece eee ceeecneeee een eene eens 65 121232 IKE proposal sts sacoasces8 siden cinto door tte 65 12 1 2 3 3 Authentication and IKE identities 2 0 0 0 eee eee cence eeee eee 65 12112234 IP addresses eso sta dh vedeesns andes te Seats iii 66 12512235 ROUNDS 5 ssh DS cee 66 121 2306 Other PArametelS srera eee dacwae uedengeud der S E ips 66 VDD 223 E IN Va A MA Traversalic 2 rei iO eae eae RE de 67 12 1 3 Setting up Manual Keying csacsseesssepsaceeses poster tun des phous tbe REINE een dse nies 67 12 1531 A O A A taeace SENTAS 67 I2132 Algorithms and Keysi 44 awe inodoro ladera errada 67 PALA ROUUNS 2 20 0 NN 68 12 134 Other parameters escort iris 68 12 1 3 5 Tunnelling to a non FireBrick device using Manually Keyed IPsec 68 12 1 4 Remote connection IPsec and L2TP o ooocococnnccnnccnnccnncnnccnnccnnconnccnnccnnconnconnconncos 69 121S Choice 0f IPsec algorithms it ia 69 122 FB1OS tunnels 3 esc NS 70 12 2 1 Tunnel wrapper packets viii io eae a NS 70 12227 Setting up a tunnel sce hose ies die hewn es ensaes done
287. ood idea to get a block of telephone numbers from your carrier and use extension numbers that are the last 2 or 3 digits from that block That means everyone knows the full phone number for any extension Most carriers can provide a block of numbers You can then configure these as the DDI Direct Dial In numbers for each telephone Note Extension numbers can be any length you like They should be kept short so they are not confused with local telephone numbers and are easy to dial There is no need to dial 9 for an outside line as VoIP phones send the whole number when you dial The only special cases are emergency numbers 112 and 999 by default which cannot be used as extension numbers Note DDI Direct Dial In telephone numbers must be entered in the full international format This is a plus then the country code and area code and number e g 441234567890 which is country code 44 for UK area code 1234 and local number 567890 In the UK you would dial this as 01234567890 Note that there is no O in from the of the area code when quoted in international format and definitely no 0 in such numbers 16 6 Telephone handsets A VoIP handset which supports SIP will normally work with the FB2500 Most makes of handset actually allow multiple identities on the handset so it can appear as multiple handsets to one or more phone systems but a typical installation will not normally need more than on identity per handset On the handset
288. ore network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data used in automated config management J 2 30 route Static routes Static routes define prefixes which are permanently in the routing table and whether these should be announced by routing protocols or not Table J 39 route Attributes Attribute Type Default Description bgp bgpmode BGP announce mode for routes comment string Comment gateway List of IPAddr Not optional One or more target gateway IPs graph token graphname Graph name ip List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data used in automated config management speed unsignedInt Egress rate limit b s table unsignedByte 0 99 0 Routing table number routetable J 2 31 network Locally originated networks Network blocks that are announced but not actually added to internal routes note that blackhole and nowhere objects can also announce but add routing Table J 40 network Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description as path List up
289. ort grouping and naming you will see the list of existing port groups port group objects port are top level objects If there are less than four groups already defined an Add link will be present Each group is given a user defined name which is used to refer to the group in any interface definitions To create a new group click on the Add link to take you to a simple page where you specify the name of the group and select one or more physical ports to belong to the group To select more than one physical port hold down the Ctrl key whilst clicking on a port number to toggle it between selected and unselected An optional comment can also be specified for the group which may be useful to act as a memory jogger for the purpose of the port group Editing an existing group works similarly click the Edit link next to the group you want to modify The example XML below shows three port groups SCONE ese lt port name WAN ports 1 gt lt port name ADMIN ports 2 gt lt port name LAN ports 3 4 gt eonig In this example WAN and ADMIN groups consists of a single port each physical ports 1 and 2 respectively The LAN group consists of two physical ports numbers 3 and 4 Ports 3 and 4 are members of a single layer 2 broadcast domain and are equivalent in function in terms of communication between the FB2500 and another device 6 3 Defining an interface To create or edit interfaces select
290. oth ends of the link while at the same time ensuring the keys remain accessible only to the two ends If you use any form of communication to do this and that communication channel is not itself secure you have potentially lost your link security For this reason there is a protocol known as KE Internet Key Exchange which automatically negotiates and selects algorithms keys and other parameters and installs them at each end of the link using a secure channel between the two systems Public Key Cryptographic mechanisms are used to do this using eg the Diffie Hellman key exchange mechanism This can be made secure by having the two ends of the link authenticate each other using for example X509 certificates pre shared secrets or other methods such as those supported by EAP Extensible Authentication Protocol It is still necessary to install these certificates secrets or methods obviously but the configuration is simpler and more secure To set up a tunnel it is necessary to configure the IP addresses of the endpoints the algorithms to be used and also the keys if using manual keying and the required routing The configuration for IKE connections and manual keying is handled differently and will be discussed separately 12 1 2 Setting up IKE managed IPsec connections First an IKE configuration section needs to be added to the configuration if not already present or edited if present Select Add New IPsec manually keyed connection set
291. otocol SNMP As with the HTTP server access can be restricted to e specific client IP addresses and or e clients connecting from locally attached Ethernet subnets only See Section 13 3 1 for details The SNMP service defaults to allowing access from anywhere The remaining SNMP service configuration attributes are community specifies the SNMP community name with a default of public e port specifies the port number that the SNMP service listens on this typically does not need setting as the default is the standard SNMP port 161 13 8 RADIUS configuration 13 8 1 RADIUS server platform RADIUS Chapter 18 provides details of how the platform RADIUS service can be used to steer incoming sessions from a carrier for L2TP 13 8 2 RADIUS client RADIUS is used for authentication and accounting for incoming L2TP connections Chapter 18 provides details of how RADIUS is used for L2TP Appendix F provides details of the specific AVPs used with RADIUS for L2TP 77 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Services RADIUS is used for authentication call routing and accounting for VoIP servcies Chapter 16 provides details of how RADIUS is used for VoIP Appendix G provides details of the specific AVPs used with RADIUS for VoIP 78 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 14 Network Diagnostic Tools
292. ould be to enable a single LAN to bridge two data centres which do not have a direct layer 2 link connection or to provide alternative backup in the case that a layer 2 link becomes unavailable The two ETUN ed ports will behave as if they were two ports on a single link layer 2 hub or switch apart from the extra latency introduced by the carrier network traversal It is important to note that all ethernet packets are transported This includes ethernet broadcast packets ARP packets and also any non IP traffic eg IPX old NetBIOS NetBEUI etc so care should be taken to ensure that such traffic does not overload the carrier network In addition the extra latency may cause problems with devices expecting LAN speed responses for example switches running LACP Configuring an ETUN connection is very simple Select Add New Ether tunnel RFC3378 on the tunnel configuration page and enter the IP of the remote Firebrick and the local port to be used for ETUN The local IP can be optionally set and the usual log profile and table options are also available The local ETUN port is specified by selecting a port group The selected group must have only one physical port and must not be used for any other purpose so must not be used in any other configuration entries 73 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 13 System Services A system service provides general functionality and run
293. outing to specify which traffic the FireBrick should send out through the tunnel The routing configuration uses the same style as used elsewhere in FireBrick configuration A simple set of IPs and or IP ranges can be specified in the routes attribute or for more complex routing a number of separate route elements can be added to the tunnel config Metrics and the routing tables to be used may also be specified The blackhole option can be set to ensure that traffic to be routed down the tunnel is discarded if the tunnel is not up By default the normal FireBrick routing rules could select an alternate inappropriate transmission path thus compromising security 12 1 2 3 6 Other parameters A graph may be specified to monitor data through the tunnel A speed may be set to rate limit the traffic mtu can be used to specify a maximum MTU value for tunnelled packets Packets longer than this size will be fragmented or rejected using the normal IP fragmentation mechanism before being encapsulated Note that after encapsulation of a packet the resulting packet may become too large to transmit using the MTU of the path used to transmit the tunnel traffic in which case the encapsulated packet will be fragmented as usual In some situations for example where there are intervening NAT devices such fragments may be dropped In this case the mtu setting can be useful to reduce the maximum size of the inner packets so the encapsulated packets do not themselves
294. ower saving Options ocoooconcconocnnccnncnnnnnnnconoronocnnccnnconnccnnconnconnconncnnarinnss 200 J 114 LinkFault Link fault type to send 2 0 ere eere cee ce ee ca e EE E SE E 200 J 115 ramode IPv6 route announce level 2 20 0 eee cee eee e eee c eee ce cece cena E RAE NEEN REER EY 200 J 116 dhcpv6control Control for RA and DHCPV6 bits cooccoccnnccnnccnnccnnconnconnconnconncnnncnnccnnrcnncnnns 200 J 117 bgpmode BGP announcement mode 1 00 0 0 eee cece cence ee ceeeeeeecaeeeaeenaeeeaeeaeeeueeneeeneees 200 JLS sfoption Source filter optom viii ee eI os eee Seeds ia dee ae oder eee 201 J 119 pppoe mode Type of PPPoE connection cccoooccnnnccnnnccnnnocnnnccnnnnconnnonnnnccnnnncnonccnnnnccnnaronnness 201 120 peertype BGP peer ty pestis accom bee he e pee sie ees shane dota eed peek 201 J 121 ipsec auth algorithm IPsec authentication algorithm 0 cece eee cc cece neces ce eeceeeeeeeeaeeeaes 201 J 122 ipsec crypt algorithm IPsec encryption algorithm 20 0 0 cece cee cece nee eeece cece cena eeneeeneeennees 202 J 123 ike PRF IKE Pseudo Random Function 2 0 0 0 cece cece cece cece ce cece een eeneceeeeeeeceeeeeeeeeeseaeeeaes 202 J 124 ike DH IKE Diffie Hellman group oocccoooccnnnccnnnccnnnnccnnnrnnnnccnnnnconnccnnnnccnnnncnoncrnonncinnarcnnnoss 202 J 125 ike ESN IKE Sequence Number support 0 ce ceeceeeceeeceeece ceca seca cece eeaeeeae een ceneeeeeeeees 202 J 126 ike authmethod authenti
295. p type Type of ring when one call in queue Value Description all All phones cascade Increasing number of phones sequence One phone at a time J 4 Basic types Table J 137 Basic data types Type Description string text string token text string hexBinary hex coded binary data integer integer 2147483648 2147483647 positiveInteger positive integer 1 4294967295 unsignedInt unsigned integer 0 4294967295 unsignedShort unsigned short integer 0 65535 byte byte integer 128 127 unsignedByte unsigned byte integer 0 255 boolean Boolean dateTime YYYY MM DDTHH MM SS date time time HH MM SS time NMTOKEN String with no spaces void Internal use IPAddr IP address IPNameA ddr IP address or name IP4Addr IPv4 address IP6Addr IPv6 address IPPrefix IP address bitlen IPRange IP address bitlen or range IPNameRange IP address bitlen or range or name IP4Range IPv4 address bitlen or range IP4Prefix IPv4 address bitlen IP6Prefix IPv6 address bitlen IPSubnet IP address bitlen IPFilter Route filter Password Password Community XXX XXX community 205 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects PortRange XXX XXX port range Colour
296. ph string Graph name for shaping logging far side of session set source ip IPAddr New source IP set source port unsignedShort New source port set table unsignedByte 0 99 Set new routing table routetable set target ip IPAddr New target IP set target port unsignedShort New target port weight positiveInteger 1 Weighting of load share 189 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 2 65 voip Voice over IP config Voice over IP config Table J 90 voip Attributes Attribute Type Default Description area code string Local area code without national prefix backup carrier NMTOKEN Backup carrier to use for external calls comment string Comment country string 44 Local country code default carrier NMTOKEN Default carrier to use for external calls domain string Domain to use for us on outgoing SIP connections emergency List of string 112 999 Emergency numbers emergency uri string Use outbound carrier SIP URI for emergency calls international string 00 International dialling prefix local digits string 23456789 Local numbers start with these digits local min len unsignedByte 5 Local numbers min length log NMTOKEN Not logging Log calls log cdr NMTOKEN Not logged Log CDR records log debug NMTOKEN Not logging Log debug and SIP messages
297. protocol header has target MAC of 00 00 00 00 00 00 and source MAC of 00 00 00 00 00 01 for received packets and these reversed for sent packets 14 3 5 Snaplen specification The snaplen argument specifies the maximum length captured but this applies at the protocol level As such PPP packets will have up to the snaplen from the PPP protocol bytes and then have fake PPPoE and Ethernet headers added A snaplen value of 0 has special meaning it causes logging of just IP TCP UDP and ICMP headers as well as headers in ICMP error payloads This is primarily to avoid logging data carried by these protocols 14 3 6 Using the web interface The web form is accessed by selecting the Packet dump item under the Diagnostics main menu item Setup the dump parameters with reference to Table 14 1 and click the Dump button Your browser will ask you to save a file which will take time to save as per the timeout requested 14 3 7 Using an HTTP client To perform a packet dump using an HTTP client you first construct an appropriate URL that contains standard HTTP URL form style parameters from the list shown in Table 14 1 Then you retreive the dump from the FB2500 using a tool such as curl 82 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Network Diagnostic Tools The URL is http lt FB2500 IP address or DNS name gt pcap parameter_name value amp parameter_name value The URL
298. pted used in RADIUS and passed Passed on incoming value on if relaying Proxy Authen Name 30 Accepted used in RADIUS and passed on if relaying Passed on incoming value Proxy Authen 31 Accepted used in RADIUS and passed Passed on incoming value Challenge on if relaying Proxy Authen ID 32 Accepted used in RADIUS and passed Passed on incoming value on if relaying Proxy Authen Response 33 Accepted used in RADIUS and passed Passed on incoming value on if relaying Private Group ID 37 Ignored Not sent Rx Connect Speed 38 Accepted used in RADIUS and passed Passed on incoming value on if relaying Sequencing Required 39 Accepted on honoured Not sent Table E 9 OCRQ AVP No Incoming Outgoing 119 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported L2TP Attribute Value Pairs Message Type 0 Value 7 Value 7 Not supported ignored E 10 Outgoing Call Reply Table E 10 OCRP AVP No Incoming Outgoing Message Type 0 Value 8 Value 8 Not supported ignored E 11 Outgoing Call Connected Table E 11 OCCN AVP No Incoming Outgoing Message Type 0 Value 9 Value 9 Not supported ignored E 12 Call Disconnect Notify Table E 12 CDN AVP No Incoming Outgoing Message Type 0 Value 14 Value 14 Result Code 1 Ignored
299. quests the User Name is the configured name of the carrier prefixed with an character Note In the case of a telephone user any charaters at the start of the name are removed so that it cannot be confused with a carrier Note A call can come from anywhere An unknown request from a non local IP will send a RADIUS request before challenging the requestor so that the RADIUS server can decide if it is to challenge it or not 93 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP An Access reject with no message attribute will not sent any error to a non local IP requestor add a message to force this 16 11 2 1 Call routing by RADIUS To understand how call routing works you need to understand how call legs work A call leg is a connection to or from the FB2500 to another SIP device It could be a SIP carrier or a telephone Typically there is an incoming call leg from a carrier or a phone which needs to be authenticated and then a call routing decision is made An Access Accept response can then contain the call routing attributes This causes one or more outgoing call legs to be created These would typically be ringing telephones Once one of these legs answers the others are cancelled and the two legs are connected together to form a call The purpose of the routing attributes is to create these outgoing call legs and to set up attributes such as CDRs and call recording Each c
300. r J 2 58 ip group IP Group Named IP group Table J 79 ip group Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description comment string Comment ip List of IPRange One or more IP ranges or IP len name string Not optional Name source string Source of data used in automated config management users List of NMTOKEN Include IP of time limited logged in web users 185 Configuration Objects J 2 59 route override Routing override rules Routing override rules Table J 80 route override Attributes Attribute Type Default Description comment string Comment name string Name profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Applicable routing table routetable Table J 81 route override Elements Element Type Instances Description rule session route rule Optional unlimited Individual rules first match applies J 2 60 session route rule Routing override rule Routing override rule Table J 82 session route rule Attributes Attribute Type Default Description comment string Comment cug List of PortRange Closed user group ID s name string Name profile NMTOKEN Profile
301. r a network subnet or routing destination specification the address will be the starting address of the IP address range being expressed such that there will be M least significant bits of the address set to zero where M 32 prefix_length Combined interface IP address and subnet definitions Another common use of the CIDR notation is to combine the definition of a network with the specification of the IP address of an end system on that network this form is used in subnet definitions on the FB2500 and in many popular operating systems For example the default IPv4 subnet on the LAN interface after factory reset is 10 0 0 1 24 the address of the FB2500 on this subnet is therefore 10 0 0 1 and the prefix length is 24 bits leaving 8 bits for host addresses on the subnet The subnet address range is therefore 10 0 0 0to10 0 0 255 A prefix length of 32 is possible and specifies a block size of just one address equivalent to a plain IP address specification with no prefix notation This is not the same as a combined subnet and interface IP address definition as it only specifies a single IP address General IP address range specifications CIDR notation can also be used in the FB2500 to express general IP address ranges such as in session rules trusted IP lists access control lists etc In these cases the notation is the same as for routing destinations or subnets i e the address specified is the starting address of the range and th
302. r interface pages used to change the device configuration are referred to as the config pages in this manual these pages are accessed by clicking on the Edit item in the sub menu under the Config main menu item Note The config pages utilise JavaScript for their main functionality you must therefore have JavaScript enabled in your web browser in order to configure your FB2500 using the web interface 3 4 1 1 Customising the layout The following aspects of the user interface layout can be customised The banner area can be reduced in height or removed all together e The main menu strip can be positioned vertically at the left or right hand sides or horizontally at the top under the banner if present Additionally you can choose to use the default fonts that are defined in your browser setup or use the fonts specified by the user interface 11 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration These customisations are controlled using three icons on the left hand side of the page footer as shown in Figure 3 2 below Figure 3 2 Icons for layout controls t A0 FireBrick is a registered trademark of FireBrick Ltd The first icon an up down arrow controls the banner size visibility and cycles through three settings full size banner reduced height banner no banner The next icon a left right arrow controls the menu strip position and cycles t
303. radius service RADIUS service definition ooocoocccccnnccnnccnnconnconnconnccnnconnconacinnoos 156 J 2 16 radius service match Matching rules for RADIUS service oocooccccccncccnccnnconnccnncono 157 J 2 17 radius server RADIUS server settings ooooooccnnconnconoconoconocnnaconcnnnronaconccnnccnninono 158 J 2 18 ethernet Physical port controls ooococooccnnconcconccnnccnnccnncnnncnnccnnronnccnnccnnconaconncos 159 J 2 19 portdef Port grouping and naming occccooccnnnccnnnccnnniconnccnnnnccnnnncnnnccnnnnconnninnnnios 159 J 2 20 interface Port group VLAN interface settings ooocoocccccnnccnnccnnccnnccnnccnnconaconicinose 160 J 221 subnet Subnet settings 533 oss soccer iaa tte penicilina Whe 161 3 2 22 Vrrp VRRP Settings iS ee hbo doe as ees 161 3 2 23 dhcps DHCP Servet settings ons rone ee p EE eet acepeeeaebes esop asisto 162 J 2 24 dhcp attr hex DHCP server attributes hex ooococcoococonocccononoconococononoconanoconanonos 163 J 2 25 dhcp attr string DHCP server attributes string oooccocccnccnccnnncnnccnnccnnconnccnnccnncons 163 J 2 26 dhcp attr number DHCP server attributes numeric ce eee eeee ee ceeeeeeeeeeern tener 164 J 2 27 dhcp attr 1p DHCP server attributes IP 0 0 0 0 cece cece cece ce eece een eeneeeneeeneees 164 32 28 pppoe PPPOE Settings rinier eaa T E endear tidied RES 164 J 2 29 ppp toute PPP routes osre gives a R E R EEE eee 165 3 2 30 route Static routes ents E
304. raffic shaping In such cases an earlier rule will use the continue action to jump out of the earlier rule set 7 3 3 Defining Rule Sets and Rules A rule set is defined by a rule set top level object To create or edit rule sets in the web user interface select the Firewall category icon here you will see the list of existing rule set objects if any and a Add link next to each To create a new rule set click on an Add link to insert a new rule set before the one associated with the link This will take you to a new rule set defintion Editing an existing rule set works similarly click the Edit link next to the rule set you want to modify As described in Section 7 3 2 a rule set can optionally specify entry criteria in the web user interface these come under the heading Matching criteria for whole set when editing a rule set definition The entry criteria are detemined by the following attributes all of which are optional but if they are specified then the criteria must be met for processing of the rules within the rule set to occur These are also critera than can be specified on individual rules within a rule set e criteria regarding where the session is originating from e source interface one or more interfaces e source ip source IP address or address range s e source port source protocol port number for protocols that use the port number concept e g TCP and UDP e source mac on individual ru
305. rebrick co uk If you used Method 2 you should browse to the FireBrick s IP address as listed below Table 2 3 IP addresses to access the FireBrick IPv6 IPv4 http 2001 DB8 1 http 10 0 0 1 If you used Method 3 you will need to be able to access a list of allocations made by the DHCP server in order to identify which IP address has been allocated to the FB2500 and then browse this address from your computer If your DHCP server shows the client name that was supplied in the DHCP request then you will see FB2500 in the client name field assuming a factory reset configuration if you only have one FB2500 in factory reset state on your network then it will be immediately obvious via this client name Otherwise you will need to locate the allocation by cross referring with the MAC address range used by the FB2500 you are www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Getting Started interested in if necessary refer to Appendix C to see how to determine which MAC address you are looking for in the list of allocations Once you are connected to the FB2500 you should see a page with Configuration needed prominently displayed as shown below Figure 2 1 Initial web page in factory reset state E FireBrick FB2500 Z Test Brick Configuration needed This is a factory reset configuration No usernames and passwords have been configured to access
306. rements is covered in Section 7 3 2 The firewalling check diagnostic facility allows you to submit the following traffic parameters and the FB2500 will show how the processing flow procedes given those parameters at the end of this is a statement of whether the session will be allowed or not e Source IP address e Target IP address e Protocol number 1 ICMP 6 TCP 17 UDP 58 ICMPv6 e Target port number only for protocols using port numbers e g TCP UDP e Source port number OPTIONAL In the web user interface this facility is accessed by clicking on Firewall check in the Diagnostics menu Once you have filled in the required parameters and clicked the Check button the FB2500 will produce a textual report of how the processing flow proceded it may be helpful to also refer to the flow chart shown in Figure 7 2 For example if we submit parameters that describe inbound i e from a WAN connection traffic that would result from trying to access a service on a host behind the FB2500 we have implemented a default drop policy firewalling method and we have not explicitly allowed such sessions we would see Checking rule set 1 filters No matched rules in rule set 79 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Network Diagnostic Tools no match action is DROP NO further rule sets considered Final action is to DROP the session 14 2 Access check
307. rk but it usually a compromise of some sort and prone to problems The FB2500 provides some key ways to tackle the issues of NAT e An FB2500 FB2700 can be used as a gateway device in a home or office using PPPoE to connect to the Internet This means the FireBrick has a real external IP address without NAT The FireBrick can then connect to SIP handsets on the LAN using private IP addresses The FireBrick provides a gateway for VoIP with no NAT implications Note Some ISPs may start using Carrier Grade NAT CGNAT and so a real 1P address may involve additional cost e The FireBrick can make use of the current Internet Protcol IPv6 At present there are few carriers and handsets that work with IPv6 but this is improving all of the time IPv6 avoids the need for NAT The 88 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP FireBrick acts as a media gateway which makes firewalling rules simple even when using IPv6 and allows IPv4 and IPv6 devices to interwork with no problems The FireBrick when acting as a call server outside of any NAT connected telephones can handle cases where devices are behind a simple port mapping NAT which has a timeout of at least 60 seconds It recognises REGISTER and INVITE requests that appear to be behind NAT and will treat the requester IP port as the contact rather than the stated contact in the message At RTP level it will send all audio to the same
308. row with an Add link Where the order of the objects matter there will be an Add link against each object clicking an Add link for a particular object will insert a new object before it To add a new object after the last existing one click on the Add link on the bottom or only row of the table Tip If there is no Add link present then this means there can only exist a limited number of objects of that type possibly only one and this many already exist The existing object s may have originated from the factory reset configuration You can push down into the hierarchy by clicking the Edit link in a table row This takes you to a page to edit that specific object The page also shows any child objects of the object being edited using the same horizontal line delimited section style used in the top level categories You can navigate back up the hierarchy using various methods see Section 3 4 3 Caution Clicking the Add link will create a new sub object which will have blank default settings This can be useful to see what attributes an object can take but if you do not want this blank object to be part of the configuration you later save you will need to click Erase Simply going back Up or moving to another part of the config will leave this newly created empty object and that could have undesirable effects on the operation of your FireBrick if saved 3 4 2 2 Object settings The details of an object are displ
309. rs log error This is when things happen that should not It could be something as simple as bad login on telnet Note that if 1og error is not set but 1og is set then errors are logged to the log target by default log debug This is extra detail and is normally only used when diagnosing a problem Debug logging can be a lot of information for example in some cases whole packets are logged e g PPP It is generally best only to use debug logging when needed 5 3 Logging to external destinations Entries in the buffer can also be sent on to external destinations such as via email or syslog Support for triggering SNMP traps may be provided in a future software release You can set these differently for each log target There is inevitably a slight lag between the event happening and the log message being sent on and in some cases such as email you can deliberately delay the sending of logs to avoid getting an excessive number of emails If an external logging system cannot keep up with the rate logs are generated then log entries can be lost The fastest type of external logging is using syslog which should manage to keep up in pretty much all cases 5 3 1 Syslog The FB2500 supports sending of log entries across a network to a syslog server Syslog is described in RFC5424 http tools ietf org html rfc5424 and the FB2500 includes microsecond resolution time stamps the hostname from system settings and a m
310. rs AVPs which are sent and expected for each message E 1 Start Control Connection Request Table E 1 SCCRQ AVP No Incoming Outgoing Message Type 0 Value 1 Value 1 Protocol Version 2 Mandatory value 1 expected Value 1 Framing Capabilities 3 Ignored Value 3 Bearer Capabilities 4 Ignored Not sent Tie Breaker 5 Ignored as FireBrick only accepts Not sent connections for inbound calls Firmware Revision 6 Ignored FireBrick s w version string Host Name 7 Used to select which incoming L2TP As per config RADIUS request configuration applies Vendor Name 8 Ignored FireBrick Ltd Assigned Tunnel ID 9 Mandatory Mandatory our tunnel ID Receive Window Size 10 Accepted assumed 4 if not present or Value 4 less than 4 is specified Challenge 11 Accepted if a configured secret is Not sent at present defined a response is sent in the SCCRP E 2 Start Control Connection Reply Table E 2 SCCRP AVP No Incoming Outgoing Message Type 0 Value 2 Value 2 Protocol Version 2 Value 1 expected Value 1 Framing Capabilities 3 Ignored Value 3 Bearer Capabilities 4 Ignored Not sent Firmware Revision 6 Ignored FireBrick s w ID number Host Name 7 Logged as hostname for tunnel Configured hostname if defined Vendor Name 8 Ignored FireBrick Ltd Assigned Tunnel ID 9 Expected as far end ID Mandatory our tunnel ID Receive Window Size 10 Accepted as
311. s Routing destinations are expressed using CIDR notation if you are not familiar with this notation please refer to Appendix B for an overview Note that ip groups cannot be used when defining subnets or routes IP groups allow arbitrary ranges and not just prefixes but routes can only use prefixes There are two cases that deserve special attention e A routing destination may be a single IP address in which case it is a 32 in CIDR notation for IPv4 The 32 part for IPv4 or 128 for IPv6 is not shown when displaying such prefixes e A routing destination may encompass the entire IPv4 or IPv6 address space written as 0 0 0 0 0 for IPv4 or 0 for IPv6 in CIDR notation Since the prefix is zero length all destination IP addresses will match this route however it is always the shortest prefix route present and so will only match if there are no more specific routes Such routes therefore acts as a default route The decision of where to send the packet is based on matching the packet s destination IP address to one or more routing table entries If more than one entry matches then the longest most specific prefix entry is used The longest prefix is assumed to be associated with the optimal route to the destination IP address since it is the most specific i e it covers a smaller IP address range than any shorter matching prefix For example if you have two routes one for 10 0 1 32 27 and another for 10 0
312. s that apply to addresses in that pool 6 4 Physical port settings The detailed operation of each physical port can be controlled by creating ethernet top level objects one for each port that you wish to define different behaviour for vs default behaviour To create a new ethernet object or edit an existing object select the Interface category from the top level icons Under the section headed Ethernet port settings you will see the list of existing ethernet objects if any and an Add link In a factory reset configuration there are no ethernet objects and all ports assume the following defaults 38 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets e Link auto negotiation is enabled both speed and duplex mode are determined via auto negotiation which should configure the link for highest performance possible for the given link partner which will need to be capable of and participating in auto negotiation for this to happen e Auto crossover mode is enabled the port will swap Receive and Transmit pairs if required to adapt to cable link partner configuration e The green port LED is configured to show combined Link Status and Activity indication the LED will be off if no link is established with a link partner When a link is established at any speed the LED will be on steady when there is no activity and will blink when there is activity
313. s as a separate concurrent process alongside normal traffic handling Table 13 1 lists the services that the FB2500 can provide Table 13 1 List of system services Service Function SNMP server provides clients with access to management information using the Simple Network Management Protocol NTP client automatically synchronises the FB2500 s clock with an NTP time server usually using an Internet public NTP server Telnet server provides an administration command line interface accessed over a network connection HTTP server serves the web user interface files to a user s browser on a client machine DNS relays DNS requests from either the FB2500 itself or client machines to one or more DNS resolvers RADIUS Configuration of RADIUS service for platform RADIUS for L2TP Configuration of RADIUS client accessing external RADIUS servers Services are configured under the Setup category under the heading General system services where there is a single services object XML element lt services gt The services object doesn t have any attributes itself all configuration is done via child objects one per service If a service object is not present the service is disabled Clicking on the Edit link next to the services object will take you to the lists of child objects Where a service object is not present the table in that section will contain an Add link A maximum of one instance of each servic
314. s group 406 unsignedInt 606 Hunt group response for group 406 status group 486 unsignedInt 600 Hunt group response for group 486 user agent string Version specific User Agent to send withhold string 141 CLI withhold prefix Table J 91 voip Elements Element Type Instances Description carrier carrier Optional up to 200 VoIP carriers group ringgroup Optional up to 20 Ring groups telephone telephone Optional up to 200 VoIP users tone tone Optional up to 25 Defined tones J 2 66 carrier VoIP carrier details VoIP carrier details Table J 92 carrier Attributes Attribute Type Default Description allow List of Allow from List of IP ranges from which invite IPNameRange anywhere accepted cli format voip format national CLI number format for outgoing calls comment string Comment cui string Chargeable user identity for call accounting of incoming calls display name string Text name to use expires duration 1 00 00 Registration expiry time extn string Local number assumed for incoming call use X for digits from end of called numbers force dtmf boolean Always send DTMF in band from string From SIP address for outbound registration and invites hold tone boolean true Send hold tones to carrier incoming format voip format national Dialled number format for incoming calls max calls unsignedInt Maximum simultaneous calls allowed name NMTOKE
315. s in the range start with 00 03 97 14 7C e the first address in the range has zero for the remaining digits 00 e the last address in the range has F for the remaining digits FF Therefore this range spans 00 03 97 14 7C 00 to 00 03 97 14 7C FF inclusive 256 addresses If your DHCP server shows the name of the client FB2500 that issued the DHCP request then you will see a value that depends on whether the system name is set on the FB2500 as shown in Table C 1 Refer to Section 4 2 1 for details on setting the system name Table C 1 DHCP client names used System name Client name used not set e g factory reset configuration FB2500 set Main application software running If the FB2500 s system name is set and your DHCP server shows client names then this is likely to be the preferred way to locate the relevant DHCP allocation in a list rather than trying to locate it by MAC address If the FB2500 is in a factory reset state then the system name will not be set and you will have to locate it by MAC address 115 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix D VLANs A primer An Ethernet Layer 2 broadcast domain consists of a group of Ethernet devices that are interconnected typically via switches such that an Ethernet broadcast packet which specifies a reserved broadcast address as the destination Ethernet address of the packet sent by one of the device
316. s is always received by all the other devices in the group A broadcast domain defines the boundaries of a single Local Area Network When Virtual LANs VLANs are not in use a broadcast domain consist of devices such as PCs and routers physical cables switches or hubs and possibly bridges In this case creating a distinct Layer 2 broadcast domain requires a distinct set of switch hub bridge hardware not physically interconnected with switch hub bridge hardware in any other domain A network using Virtual LANs is capable of implementing multiple distinct Layer 2 broadcast domains with shared physical switch hardware The switch es used must support VLANs and this is now common in cost effective commodity Ethernet switches Inter working of VLAN switch hardware requires that all hardware support the same VLAN standard the dominant standard being IEEE 802 1Q Such switches can seggregate physical switch ports into user defined groups with one VLAN associated with each group Switching of traffic only occurs between the physical ports in a group thus isolating each group from the others Where more than one switch is used with an uplink connection between switches VLAN tagging is used to multiplex packets from different VLANs across these single physical connections A TEEE 802 1Q VLAN tag is a small header prefixed to the normal Ethernet packet payload includes a 12 bit number range 1 4095 that identifies the tagged packet as
317. s is normally what is done in the telephone exchange before the data is sent over the telephone network The key difference with VoIP is that the bytes are placed in packets typically 20ms long and these are sent via Internet Protocol Unlike the telephone network IP can cause packets to be delayed lost or even copied It is the job of the receiving end to cope with this and produce the audio again for the recipient to hear The end result is that telephone calls can be made over the Internet This can cause confusion as this is often seen simply as free calls Apart from costs for Internet traffic this is indeed true where calls do not involve the traditional telephone network and you control both ends but typically you will need to subscribe to a carrier who can route calls to and from the traditional telephone network The FB2500 s role in this it to handle the IP packets used for VoIP It does not get involved in converting sound to or from packets of data but in passing those packets of data between VoIP devices and carriers The protocol involves complex sequences of messages for control and authentications which the FB2500 handles 16 2 Registration and Proxies One of the common confusions with SIP VoIP is the way registrations work 16 2 1 Registrar A SIP device can register with a service e g with the FB2500 or with a SIP carrier This is like logging in and means that incoming calls are then sent to the device The device wil
318. s rate limit b s table unsignedByte 0 99 0 Routing table number for L2TP session routetable tcp mss fix boolean false Adjust MSS option in TCP SYN to fix session MSS test List of IPAddr List of IPs to which routing must exist else tunnel dropped deprecated 175 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Table J 56 12tp incoming Elements Element Type Instances Description match 12tp relay Optional unlimited Rules for relaying connections and local authentication J 2 42 2tp relay Relay and local authentication rules for L2TP Rules for relaying L2TP or local authentication Table J 57 12tp relay Attributes Attribute Type Default Description called station id List of string One or more patterns to match called station id calling station id List of string One or more patterns to match calling station id comment string Comment graph token graphname Graph name ip over lcp boolean Send IP over LCP local auth localpref unsignedInt 4294967295 Localpref for remote ip routes highest wins name string Name password Secret Password check profile NMTOKEN Profile name relay hostname string Hostname for L2TP connection relay ip List of IPAddr Target IP s for L2TP connection relay pick boolean If set try one of
319. sence of an IP address prefix specification causes the FB2500 to attempt to obtain an address from a DHCP server which must be in the same broadcast domain It may help to use the Comment field to note that the subnet is configured via DHCP 36 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets In its simplest form a DHCP configured subnet is created by the following XML lt subnet gt Tip It is possible to specify multiple DHCP client subnets like this and the FB2500 will reserve a separate MAC address for each This allows the FB2500 to aquire multiple independant IP addresses by DHCP on the same interface if required 6 3 2 Setting up DHCP server parameters The FB2500 can act as a DHCP server to dynamically allocate IP addresses to clients Optionally the allocation can be accompanied by information such as a list of DNS resolvers that the client should use Since the DHCP behaviour needs to be defined for each interface specifically each broadcast domain the behaviour is controlled by one or more dhcp objects which are children of an interface object Address allocations are made from a pool of addresses the pool is either explicitly defined using the ip attribute or if ip is not specified it consists of all addresses on the interface i e from all subnets but excluding network or broadcast addresses or any addresses that the FB2500 has seen ARP respo
320. set local authentication details based on circuit ID and or username and password This bypasses RADIUS and can be used to handle individual lines or patterns of login e g use of a realm to steer to another LNS for a wholesale customer 105 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Internet Service Providers In an ISP scenario this is typically used for special cases test lines etc The main use of this feature is for a corporate LNS handling direct point to point tunnels e g from other offices or roaming users 18 5 Accounting RADIUS can also be used for accounting This involves a RADIUS message at start and end of each connection and also interim accounting updates Interim accounting is done on a snapshot basis Normally this is hourly On the hour within a second the details are recorded and then sent by RADIUS The RADIUS updates may take many minutes to be sent and confirmed by a RADIUS server but the timestamp on the messages is the hourly snapshot This is useful where an ISP is charging differently at different times of day Interim updates can also be sent based on reaching a pre set time or data usage level defines in the authentication RADIUS response 18 6 RADIUS Control messages The FireBrick also supports RADIUS control messages These can be used to disconnect a connection or to update the details of the connection including line speed time or data limits
321. set object Start processing rules within the rule set No rules within the tule set matched Yes Allrules in the rule set processed Examine next tule object no match Session Allowed action is accept No no match action is drop reject ignore action is drop reject ignore Packet Dropped Packet Dropped Session Allowed Ss FS VY SH 4242 Rule Set Processing Rule Processing for drop and reject a short lived drop session is created 45 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling It is helpful to understand that a session rule contributes to the final set of information recorded in the session table entry a rule does not necessarily completely define what the session table will contain unless it is the only rule that matches the traffic under consideration It is for this reason that the rules contain attributes with names such as set nat the set refers to the action of setting a flag or a parameter in the session table entry that is being constructed It is possible and quite common for more than one rule in different rule sets to match given traffic In such cases the rules generally serve different purposes earlier ones might be for firewalling whilst later ones might be used to subsequently assign some of the allowed traffic to t
322. set to true The effect is that if a path attribute we understand is wrong and it is optional and trhe router that sent it to us did not understand or check it partial bit is set we ignore the specific route rather than dropping the whole BGP session 17 2 8 lt network gt element The network element defines a prefix that is to be announced by BGP but has no internal on routing Table 17 3 Network attributes Attribute Meaning ip One or more prefixes to be announced as path Optional AS path to be used as if we had received this prefix from another AS with this path localpref Applicable localpref to announce bgp The bgp mode one of the well known community tags or true the default which is announced by BGP with no extra tags 17 2 9 lt route gt lt subnet gt and other elements Subnet and route elements used for normal set up of internal routing can be announced by BGP using the bgp attribute with the same values as the well known community tags please true meaning simply announce with no tags and false meaning the same as no advertise Many other objects in the configuration which can cause routes to be inserted have a bgp attribute which can be set to control whether the routes are announced or not 101 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 BGP 17 2 10 Route feasibility testing The FB2500 has an aggressive route feasibility test th
323. settings and also specific attributes for SNMP such as community Table J 12 snmp service Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description allow List of Allow from List of IP ranges from which service can be IPNameRange anywhere accessed comment string Comment community string public Community string local only boolean false Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events 152 Configuration Objects log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 161 Service port profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable J 2 9 ntp service NTP service settings The NTP settings define how the system clock is set from what servers and controls for daylight saving summer time The defaults are those that apply to the EU Table J 13 ntp service Attributes www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Attribute Type Default Description allow List of Allow from List of IP ranges from which service can be IPNameRange anywhere accessed comment string Comment local
324. simed 4 if not present or Not sent assume 4 less than 4 117 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported L2TP Attribute Value Pairs Challenge 11 Accepted if a configured secret is Not sent at present defined a response is sent in the SCCCN Challenge Response 13 Not expected at present Sent if SCCRQ contained a challenge and we have a secret defined E 3 Start Control Connection Connected Table E 3 SCCCN AVP No Incoming Outgoing Message Type 0 Value 3 Value 3 Challenge Response 13 Not expected Sent if was challenged E 4 Stop Control Connection Notification Table E 4 StopCCN AVP No Incoming Outgoing Message Type 0 Value 4 Value 4 Result Code 1 Ignored logged Sent as appropriate for tunnel close Assigned Tunnel ID 9 Expected see note Sent if a tunnel has been allocated Note that a StopCCN may not have a zero tunnel ID in the header If this is the case the source IP port and assigned tunnel are used to identify the tunnel If an unknown tunnel ID is received on any any incoming packet a StopCCN is generated once per 10 seconds with header tunnel ID 0 and specified assigned tunnel ID E 5 Hello Table E 5 HELLO AVP No Incoming Outgoing Message Type 0 Value 6 Value 6 Always responded to Sent periodically if no other messages sent
325. sion siete casein eee aos ye eee A aaa go Le sae Saar ee corneal 87 16 13 Wohat 15 VOIP A 87 16 2 Registration and Proxies enis eee cece aes Ea ce eece cena E EO R EEE N E EE EES 87 16 2 ly NON 87 16 2 2 PrOXY sisri arri e R iia 87 16 3 Home Office phone system iiias ennn ee a a ad 88 16 4 Network Address Translation ooccoccoccoconcnnconcnnconconcnnconcnnconcnnconcnnroncnnroncnnroncnnroncnarones 88 16 53 Number plan ksn a e re T R E E E Ee E EERE EROE EATE E OES 89 16 6 Telephone handsetsa i iii A ees EEE I E EE ede 89 16 75 VOIP Call Carriers rra adie eaa Sod un aea a thaw a eaa Uke a eae ees 90 16 3 Hunt PrOUPS e aere Seca O S E E EEE E E TE 90 16 81 Rano Type oa O E 91 16 8 2 RNS Order seriusna o a TE Monk ede gan Mv E E E T aS 91 16 83 OVETTIOW ina e ies head enna e a E ANE A ER wel aa E NE EE 91 10 8 4 Out of NOUTS A A ide 91 16 9 Call pickUp steal evoca iran tte criado optica andes danas doe E ESE anette 92 16 10 B sy lamp fielde id eae ashe aes 92 16 11 Using RADIUS eree ea a a tage deen a E a E a E aae a Eaa 92 16 114 RADIUS dccountin ti EEE TES 93 16 112 RADIUS Authentication sssr resnais ni a E E E a E a raes 93 16 11 2 1 Call routing by RADIUS 0 0 00 ee ra E E E Ea 94 16 12 Call TECOTAMO ensen Seek Sas Pee e a a a a E EA A E a eaa 94 16 13 Voicemail and IVR Services oocooccoccocnncnoconcnoroncnoroncnoroncnnroncnnroncnnroncnnroncnnroncnnronenarones 95 16 14 Call Data Record o a E E A NE T EA 95 16 15
326. sit type Table J 46 bgppeer Elements Element Type Instances Description 169 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects export bgpmap Optional Mapping and filtering rules of announcing prefixes to peer import bgpmap Optional Mapping and filtering rules of accepting prefixes from peer J 2 36 bgpmap Mapping and filtering rules of BGP prefixes This defines the rules for mapping and filtering of prefixes to from a BGP peer Table J 47 bgpmap Attributes Attribute Type Default Description comment string Comment detag List of Community List of community tags to remove drop boolean Do not import export this prefix localpref unsignedInt Set localpref highest wins med unsignedInt Set MED prefix List of 1PFilter Drop all that are not in this prefix list source string Source of data used in automated config management tag List of Community List of community tags to add Table J 48 bgpmap Elements Element Type Instances Description match bgprule Optional unlimited List rules in order of checking J 2 37 bgprule Individual mapping filtering rule An individual rule for BGP mapping filtering Table J 49 bgprule Attributes Attribute Type Default Description comment string Comment community Co
327. ssumes any such LCP codes are IPv4 IPv6 when received and using a RADIUS response can send IP packets using LCP This is specifically to bypass any carrier IP specific shaping or DPI F 9 4 Closed User Group Each session can have a CUG defined 1 32768 which may be allow or restrict Interfaces port VLAN may also be defined in the same way A packet from an interface session with a CUG is tagged with that packet If the source is restricted that packet can only leave via an interface session with the same CUG Similarly if the target interface session is restricted than only a packet tagged with the same CUG can be sent to it F 9 5 Routing table The FireBrick operates independent routing cores allowing a totally independent routing table to be used for L2TP wrapper traffic and payload traffic It is also possible to set the payload table in use on a per session basis from RADIUS thus allowing a walled garden to be set up or a private network or simple an unusable session 130 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Appendix G Supported RADIUS Attribute Value Pairs for VoIP operation RADIUS is used to authenticate REGISTRATION requests allowing registration of telephones It is also used to authenticate INVITE requests and provide call routing information RADIUS Accounting is used to provide details of calls in progress G 1 Authentication request Authentication requests ar
328. stem Services 13 5 3 Auto DHCP DNS The FB2500 can also look for specific matching names and IP addresses for forward and reverse DNS that match machines on your LAN This is done by telling the FireBrick the domain for your local network Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP This is applied in reverse for reverse DNS mapping an IP address back to a name You can enable this using the aut o dhcp attribute 13 6 NTP configuration The NTP service automatically sets the FB2500 s real time clock using time information provided by a Network Time Protocol NTP server There are public NTP servers available for use on the Internet and a factory reset configuration does not specify an NTP server which means a default of ntp firebrick ltd uk You can set your preferred NTP server instead The NTP service is currently only an NTP client A future software version is likely to add NTP server functionality allowing other NTP clients typically those in your network to use the FB2500 as an NTP server Configuration of the NTP client service typically only requires setting the t imeserver attribute to specify one or more NTP servers using either DNS name or IP address 13 7 SNMP configuration The SNMP service allows other devices to query the FB2500 for management related information using the Simple Network Management Pr
329. string gt This causes the FB2500 to crash causing a panic event with a specified message You need to specify confirm yes for the command to work This can be useful to test fallback scenarios by simulating a fatal error 140 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Command line reference Note that panic crash logs are emailed to the FireBrick support by default so please use a meaningful string e g panic testing fallback confirm yes H 8 2 Reboot reboot lt unsignedInt gt hard confirm lt string gt A reboot is a more controlled shutdown and restart unlike the panic command The first argument is a block number see show flash contents and forces reboot to run a specific software stored in flash Normally the reboot will run the latest valid code The hard option forces the reboot to clear the Ethernet ports and other hardware so takes a couple of seconds You must specify confirm yes for this to work H 8 3 Screen width set command screen width lt unsignedInt gt This allows you to set the screen width H 8 4 Make outbound command session start command session lt IPAddr gt port lt unsignedShort gt table lt routetable gt This allows a reverse telnet connection to be made A TCP connection is made to the IP address and port where a user can login This can be useful where a firewall policy prevents incoming access to
330. t this is a pre shared secret string that must be set to the same value in the tunnel definitions on both end point devices e ip the IP address of the far end end point device OPTIONAL The far end IP address is optional and if omitted tunnel wrapper packets will be sent to the IP address from which wrapper packets are being received if any As such at least one of the two end points involved must have a far end IP address specified but it is not necessary for both ends to specify the other This allows you to setup a tunnel on an end point without knowing or caring what the far end IP address is this means you can handle cases such as one of end points being behind a NAT router that has a dynamic WAN IP address or can be used to simplify administration of end points that are used to terminate a large number of tunnels by omitting the far end IP address in tunnel definitions on such shared end points The latter case is typical where an ISP deploys a FireBrick device to provide a head end device for tunnel bonding If you wish to use a different UDP port number than the default of 1 specify the port number using the port attribute 12 2 3 Viewing tunnel status The status of all configured FB105 tunnels can be seen in the web User Interface by selecting FB105 from the Status menu The tunnels are listed in ascending Local ID order showing the far end IP in use the tunnel name and the state The table row background colour
331. t default dos limit unsignedInt 1000 Interrupt DoS packet limit leave at default intro string Home page text location string Location description log NMTOKEN Web console Log system events log debug NMTOKEN Not logging Log system debug messages log error NMTOKEN Web Flash console Log system errors log eth NMTOKEN Web console Log Ethernet messages log eth debug NMTOKEN Not logging Log Ethernet debug log eth error NMTOKEN Web Flash console Log Ethernet errors log panic NMTOKEN Web logs Log system panic messages log stats NMTOKEN Not logging Log one second stats name string System hostname nat64 IP6Prefix IPv6 NAT6 4 mapping prefix nat64 source IP4Addr IPv6 NAT6 4 return IPv4 soft watchdog boolean false Debug use only if advised do not use on an unattended FireBrick source string Source of data used in automated config management sw update autoloadtype factory Load new software automatically sw update profile NMTOKEN Profile name for when to load new s w Table J 4 system Elements Element Type Instances Description link link Optional unlimited Home page links 149 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects J 2 2 link Web links Links to other web pages Table J 5 link Attributes Attribute Type Default Description comment string
332. t of community tags to add in addition to any import filters in soft boolean Mark received routes as soft ip List of IPAddr One or more IPs of neighbours omit to allow incoming log debug NMTOKEN Not logging Log debug max prefix unsignedInt 10000 Limit prefixes IPv4 IPv6 1 10000 bgp prefix limit md5 Secret MDS signing secret name string Name next hop self boolean false Force us as next hop outbound no fib boolean Don t include received routes in packet forwarding pad unsignedByte Pad prefix stuff our AS on export by this many profile NMTOKEN Profile name same ip type boolean true Only accept send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers send default boolean false Send a default route to this peer send no routes boolean false Don t send any normal routes shutdown boolean Shutdown this neighbour deprecated use profile source string Source of data used in automated config management timer idle unsignedInt 60 Idle time after error timer openwait unsignedInt 10 Time to wait for OPEN on connection timer retry unsignedInt 10 Time to retry the neighbour ttl security byte Enable RFC5082 TTL security if ve 1 to 127 i e 1 for adjacent router If ve 1 to 128 set forced sending TTL i e 1 for TTL of 1 sending and not checking type peertype normal Type of neighbour affects some defaults use vrrp as self boolean true if customer Use VRRP address as self if possible tran
333. te EA a 141 x www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual H 8 4 Make outbound command session oocococcnnccnnconnconcnnocnnonnnocnnconronccnnccnnccnnccnnioos 141 H 8 5 Show command Sessions rossa e n EE a aE ence E a E cece eens TETEE SEEN 141 H 8 6 Kill Command Sessions iaei ee a a weston A E derrota 141 28 72 Flash Memory Mt A tia eesti 141 H 8 8 Delete block from flashs a a e a a pN o EEEo Eae 141 F829 BOOT lO Aer R E E E E E EN IN 142 H810 Flash O NN 142 I Constant Quality Monitoring technical details oooonooccnnccnnccnnconoconeconncnnncnnncnnrcnoccnccnnccnninnno 143 1 1 Broadband back haul providers oooccocccoccnnccnnconnconnconoconnconncnnnnnnnnnnronrnnccnnccnnccnnccnnioos 143 1 27 Access to graphs and OS vito dilo dida 143 12 1 Trusted ACCESS civil tirate ist i 143 12 2 Dated information iio Ad ii 144 1 23 Authenticated ACCESS torio donostia ito coat ice Es 144 L3 Graphe display Options ni A tido 144 LIL Data POmts lt sec5 eves sor couscous seeahasdau sates areal rap pido 144 TS ZeAdeditiomal iO ee ONS Oe a tee dss 145 1 3 3 Other colours and Spacine sorrie a ses voce geen eonncs E E NEE Epa 145 1 4 Overnight archi vine au castes das Sos oo eee is ds 145 LAI Boll URE Tomate os Abe ese ii tati deb cinc 146 14 2 10ad handling it AD NR 146 LS rap COTOS nyep severe ae guns Cea eshsuane noite aid 146 1 6 Creati
334. ter 3 Configuration 3 1 The Object Hierarchy The FB2500 has at its core a configuration based on a hierarchy of objects with each object having one or more attributes An object has a type which determines its role in the operation of the FB2500 The values of the attributes determine how that object affects operation Attributes also have a type or datatype which defines the type of data that attribute specifies This in turn defines what the valid syntax is for a value of that datatype for example some are numeric some are free form strings others are strings with a specific format such as a dotted quad IP address Some examples of attribute values are e IP addresses and subnet definitions in CIDR format e g 192 168 10 0 24 e free form descriptive text strings e g a name for a firewall rule e Layer 4 protocol port numbers e g TCP ports e data rates used to control traffic shaping e enumerated values used to control a feature e g defining Ethernet port LED functions The object hierarchy can be likened to a family tree with relationships between objects referred to using terms such as Parent Child Sibling Ancestor and Descendant This tree like structure is used to e group a set of related objects such as a set of firewall rules the parent object acts as a container for a group of child objects and may also contribute to defining the detailed behaviour of the group e define a context for an object for exampl
335. ter is of the form of a letter possibly followed by number digits The accounting start lists relevant filters that have been set each in a separate filter id AVP Unknown filters are ignored Table F 9 Filter ID Filter meaning Tn Set routing table for payload traffic This can be used for private routing and for walled garden credit control An Specify this connection is a member of a closed user group n 1 32767 but has normal IP access as well This connection is not filtered by traffic can go to from connections that are filtered in the same CUG Rn Specify this connection is a member of a closed user group n 1 32767 and is restricted to sending traffic to from connections in the same CUG H Sets the connection to send HDLC framing headers on all PPP packets This adds 2 extra byte to the packet This is the default setting h Sets the connection not to send HDLC framing headers on all PPP packets This is in accordance with the L2TP PPP RFCs This does not work on BT 21CN BRASs Sets TCP MTU fix flag which causes the MTU option in TCP SYN to be adjusted if necessary to fit MTU f Sets no TCP MTU fix M Sets the connection to ignore the MRU Actually the MRU is used to generate ICMP errors for IPv6 and IPv4 with DF set but otherwise full size packets are sent on the connection even if a lower MRU was advised This is in accordance with the PPP RFC but breaks some routers that do not accept 1500 byte pa
336. tes IP Table J 35 dhcp attr ip Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested id unsignedByte Not optional Attribute type code name string Name value IP4Addr Not optional Value vendor boolean Add as vendor specific option under option 43 J 2 28 pppoe PPPoE settings PPPoE endpoint settings Table J 36 pppoe Attributes Attribute Type Default Description ac name string Any a c name Access concentrator name accept dns boolean true Accept DNS servers specified by far end bgp bgpmode BGP announce mode for routes comment string Comment cug unsignedShort Closed user group ID 1 32767 cug cug restrict boolean Closed user group restricted traffic only to from same CUG ID www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 164 Configuration Objects fast retry boolean Aggressive re connect graph token graphname Graph name ip over lcp boolean auto Sends all IP packets as LCP Icp rate unsignedByte 10 LCP interval seconds Icp timeout unsignedByte 61 LCP timeout seconds local IP4Addr Local IPv4 address localpref unsignedInt 4294967295 Localpref for route highest wins log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log deb
337. that keys used for integrity checking and encryption are only known to the two real endpoints Authentication can prevent a Man in the Middle attack where someone who knows the keys can set himself up between the two endpoints and without their knowledge can masquerade as the other endpoint to each end Note that a Man in the Middle can both read the data and modify it without either of the endpoints being aware that this has happened It is worth noting that there is scope for confusion in the use of the term Authentication It is sometimes also used to mean integrity checking and indeed the Authentication Header AH should really be known as the Integrity Check Header IPsec can be used in what is known as manual keying mode When used this way both endpoints need to trust each other and choose and agree on the integrity and encryption keys to be used using some private mechanism which they know to be secure before the IPsec connection is configured For example the system administrators may already know each other and may arrange to meet in private and exchange keying information which they trust they will not divulge to anyone else and then configure their FireBricks to use the agreed keys Choosing and configuring the algorithms and keys as well as any other required connection parameters for a link is a complex business and also has its own security implications as you must install the same parameters including the keys at b
338. the format described above Setting a timeout to 0 means unlimited and shoudl obviously be used with care 4 1 4 Restricting user logins 4 1 4 1 Restrict by IP address You can restrict logins by a given user to be allowed only from specific IP addresses using the a11ow attribute This restriction is per user and is distinct from and applies in addition to any restrictions specified on either the web or telnet for command line interface access services see Section 13 3 and Section 13 4 or any firewall rules that affect web or telnet access to the FB2500 itself 4 1 4 2 Logged in IP address The FireBrick allows a general definition of JP groups which allow a name to be used in place of a range of IP addresses This is a very general mechanism that can be used for single IP addresses or groups of ranges 22 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Administration IPs e g admin machines may be a list or range of the IP addresses from which you want to allow some access The feature can also be useful even where only one IP is in the group just to give the IP a meaningful name in an access list These named IP groups can be used in the allow list for a user login along with specific IP addresses or ranges if needed However IP groups can also list one or more user names and implicitely include the current IP address from which those users are logged in to the web interfac
339. the correct LNS and hostname 18 3 The importance of CQM graphs The FireBrick has Constant Quality Monitoring When used with the FireBrick acting as an LNS the CQM graphs play an important role Per connection monitoring Each connection is assigned a CQM graph name This is normally set based on the circuit ID passed by the carrier or if not present the username used A long graph name over 20 characters is reduced to a hash The name can also be set by RADIUS response Chargeable User Identity attribute Each graph shows the send and receive throughput for each 100 seconds The graph also shows the loss and latency with minimum average and maximum per 100 seconds This is based on an LCP echo sent every second on every connection The interval can be configured to be lower if you wish either in the config or by RADIUS The per connection graphs also have a downlink speed setting This is set based on the connection speed from L2TP connection This can also be set in the RADIUS response This limits the speed of traffic to the line This is usually done so that the LNS is in control of the speed of the line as the FireBrick will drop larger packets before smaller packets which helps VoIP and many other protocols work well even on a full link The speed control can also be used to provide slower services In addition to the per connection graphs there is also an aggregate graph based on the incoming L2TP connection settings e g typica
340. the link on the home page conditional on a profile 4 3 Software Upgrades FB2500 users benefit from FireBrick s pro active software development process which delivers fast fixes of important bugs and implementation of many customer enhancement requests and suggestions for improvement As a matter of policy FireBrick software upgrades are always free to download for all FireBrick customers To complement the responsive UK based development process the FB2500 is capable of downloading and installing new software directly from Firebrick s servers providing the unit has Internet access This Internet based upgrade process can be initiated manually refer to Section 4 3 3 1 or the FB2500 can download and install new software automatically without user intervention If the unit you want to upgrade does not have Internet access then new software can be uploaded to the unit via a web browser instead see Section 4 3 4 Caution Software upgrades are best done using the Internet based upgrade process if possible this ensures the changes introduced by Breakpoint releases are automatically accounted for see Section 4 3 1 1 Software upgrades will trigger an automatic reboot of your FB2500 this will cause an outage in routing and can cause connections that are using NAT to drop However the FB2500 reboots very quickly and in many cases users will be generally unaware of the event You can also use a profile to restrict when software up
341. the relay IPs at random first relay secret Secret Shared secret for L2TP connection remote ip IP4Addr Remote end PPP IPv4 local auth remote netmask IP4Addr Remote end PPP Netmask local auth routes List of IPPrefix Additional routes when link up local auth source string Source of data used in automated config management test List of IPAddr List of IPs that must have routing for this target to be valid deprecated username List of string One or more patterns to match username J 2 43 fb105 FB105 tunnel definition FB105 tunnel definition Table J 58 fb105 Attributes Attribute Type Default Description bgp bgpmode BGP announce mode for routes comment string Comment 176 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects fast udp boolean true Send UDP packets marked not to be reordered graph token graphname Graph name internal ip IP4Addr local ip Internal IP for traffic originated and sent down tunnel ip IP4Addr dynamic tunnel Far end IP keep alive boolean true if 1p set Constantly send keep alive packets local id unsignedB yte Not optional Unique local end tunnel ID local ip IP4Addr Force specific local end IP localpref unsignedInt 4294967295 Localpref for route highest wins log NMTOKEN Not
342. these general tests is selected corresponding attribute specified then they must all pass along with all other tests defined for the overall result to be pass 9 2 2 2 Time date tests Time and or date tests are specified by date and or t ime objects which are child objects of the profile object You can define multiple date ranges via multiple date objects the date test will pass if the current date is within any of the defined ranges Similarly you can define multiple time ranges via multiple t ime objects the time test will pass if the current time is within any of the defined ranges Tip Unlike other tests the chanhe of state because of a date time test takes effect immediately rather than waiting for several seconds to confirm it is still Saturday or some such 9 2 2 3 Ping tests Like time date tests a Ping test is specified by a ping object as a child of the profile object At most one Ping test can be defined per profile logical combinations of profiles can be used to combine Ping tests if necessary 9 2 3 Inverting overall test result The tests described in the previous section are used to form an overall test result Normally this overall result is used to determine the profile state using the mapping Pass gt Active and Fail gt Inactive By setting the invert attribute to t rue the overall result is inverted Pass changed to Fail and vice versa first before applying the mapping 9 2 4 Manual override Yo
343. ting tables As such this feature is rarely useful and probably not the configuration setting you are looking for waves hand in front of your face 53 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 9 Profiles Profiles allow you to enable disable various aspects of the FB2500 s configuration and thus functionality based on things such as time of day or presence absence of Ping responses from a specified device 9 1 Overview A profile is a two state control entity it is either Active or Inactive On or Off like a switch Once a profile is defined it can be referenced in various configuration objects where the profile state will control the behaviour of that object A profile s state is determined by one or more defined tests which are performed periodically If multiple tests are specified then the overall test result will be pass only if all the individual test results are pass Assuming the profile s state is Active then when the overall test result has been fail for a specified duration the profile transitions to Inactive Similary once the overall test result has been pass for a specified duration the profile transitions to Active These two durations are controlled by attributes and provide a means to filter out short duration blips that are of little interest An example of a test that can be performed is a Ping test ICMP echo request packets are sent
344. ting the routes attribute on the tunnel definition specifying one or more routing destinations in CIDR format as discussed in Section 8 1 12 2 5 Tunnel bonding Multiple FB105 tunnels can be bonded together to form a set such that traffic routed down the bonded tunnel set is distributed across all the tunnels in the set This distribution is done on a round robin per packet basis i e the first packet to be sent is routed down the first tunnel in the set each subsequent packet is routed down the subsequent tunnel in the set and the N 1 th packet where N is the number of tunnels in the set is again routed down the first tunnel This provides the ability to obtain aggregated bandwidths when each tunnel is carried over a different physical link for example such as using multiple ADSL or VDSL FTTC connections 71 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels Note Using tunnel bonding to aggregate access network connections such as ADSL or VDSL to provide a single fat pipe to the Internet requires there to be another FB105 tunnel end point device to terminate the tunnels Ideally this head end device is owned and operated by your ISP but it is also possible to use a head end device hosted by a third party or in a datacentre in which you already have equipment ISPs that can offer tunnel bonding for Internet access include Andrews amp Arnold http aa net uk and Watchfront
345. tings or edit the exiting entry on the tunnel setup page 12 1 2 1 Global IKE parameters There are some global parameters affecting all connections which can be set on the main IKE entry The logging options log log error and log debug can be used to steer IKE logging information which is not specific to a particular connection to a selected logging target The allow and trusted entries can be used to restrict IKE connections to particular IPs and or IP ranges An IKE connection setup request can potentially be received from any device and setting up a connection involves some CPU intensive calculations The IKE implementation attempts to guard against the possibility of Denial of Service attacks from rogue devices requesting bogus connections by limiting the initial connection rate but 64 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Tunnels for added security the allow and trusted settings are provided If either is set only connections from the ranges listed are accepted and connection requests from the trusted list are given higher priority There is also a Force NAT option which will force the FireBrick to assume that remote devices on the list are behind NAT boxes IKE has built in NAT detetion so this option is rarely needed See the separate section on NAT Traversal for more details 12 1 2 2 IKE proposals When IKE connections are negotiated a selection of compatible algorith
346. tion has a nat attribute which can be set to t rue to enable NAT for all sessions originating from that subnet this is a shortcut that can be used instead of creating a session tule to achieve this and is useful for RFC1918 private IP subnets The subnet nat attribute sets the NAT status at the start of checking any rule sets so it can be set to false by specific rules if necessary overriding the subnet setting Finally after checking rule sets if NAT was not set specifically either true or false and the destination is a PPPoE link with the nat attribute set to t rue then NAT is requested This is a shortcut for such devices that can be used if they only have one routed IP address 48 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Session Handling Quite separately to firewalling and session tracking the FB2500 has to route traffic and this is done using normal routing logic see Chapter 8 The routing is done based on the destination IP address as normal However it can be useful for session tracking rules to override the normal routing The set gat eway allows a different IP address to be used for the routing decision instead of the actual destination IP in the packets Setting this causes all subsequent packets matching the session to use that gateway IP for routing decisions 7 3 3 3 Graphing and traffic shaping The set graph and set reverse graph attributes cause the session traff
347. tion to either of these modes you can set the duplex attribute to either half or full This will cause the port to only advertise the specified mode if the auto negotiate capable link partner does not support that mode the link will fail to establish If auto negotiation is disabled the duplex attribute simply sets the port s duplex mode Note If you do not set the autoneg attribute checkbox is unticked and you set both port speed and duplex mode to values other than auto auto negotiation will be disabled this behaviour is to reduce the potential for duplex mis match problems that can occur when connecting the FB2500 to some vendors notably Cisco equipment that has auto negotation disabled by default 6 4 4 Defining port LED functions For each port the green and yellow port LEDs can be set to indicate any of the conditions shown in Table 6 1 by setting the values of the green and or yellow attributes Table 6 1 Port LED functions Value Indication 39 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Interfaces and Subnets Link Activity On when link up any speed blink off when Tx or Rx activity Default for Green LED Link1000 Activity On when link up at 1 Gbit s blink off when Tx or Rx activity Link100 Activity On when link up at 100Mbit s blink off when Tx or Rx activity
348. to 10 Custom AS path as if network received unsignedInt bgp bgpmode true BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name 166 Configuration Objects profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable tag List of Community List of community tags J 2 32 blackhole Dead end networks Networks that go nowhere Table J 41 blackhole Attributes Attribute Type Default Description as path List up to 10 Custom AS path as if network received unsignedInt bgp bgpmode false BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable tag List of Community List of community tags J 2 33 loopback Locally originated networks Loopback addresses define local IP addresses Table J 42 loopback Attributes Attribute Type Default Description as path List up to 10 Custom A
349. to check which connection details apply and the password confirms that the connection is authentic The FireBrick can be configured with many hostnames which would typically be used for different carriers to connect You can also use the hostname to separate different types of connection for example in the UK BT have 20CN IPStream and 21CN WBC connections which typically need separate monitoring and traffic 104 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Internet Service Providers shaping You could even use the hostname to separate different grades of service or if the ISP is providing wholesale connections for different ISP customers The incoming connection configuration includes the password and the RADIUS servers to use to validate the users and various defaults that apply to the PPP connections Most of these defaults can be set by the RADIUS server as well but it can be useful to make the RADIUS configuration simple to hav defaults in the FireBrick config Taking one step back the choice of LNS and hostname that the carrier uses when sending the connection to the ISP can eitehr be pre configured or more usefully it can be based on a RADIUS request sometimes called platform RADIUS This allows the ISP to decide on a per connection basis the tunnel endpoint details and steer sessions The FireBrick can act as a platform RADIUS server answering all queries to steer sessions to
350. tration Caution Alpha releases may be unstable and so we do not generally recommend setting your FB2500 to automatically install alpha releases 4 3 3 1 Manually initiating upgrades Whenever you browse to the main Status page the FB2500 checks whether there is newer software available given the current software version in use and whether alpha releases are allowed If new software is available you will be informed of this as shown in Figure 4 2 Figure 4 2 Software upgrade available notification Upgrade This FireBrick automatically upgrades to new factory releases Software upgrade Upgrade available A FireBrick is a registered trademark of FireBrick Ltd Copyright 2009 11 FireBrick Ltd All Rights Reserved To see what new software is available click on the Upgrade available link This will take you to a page that will show Release notes that are applicable given your current software version and the latest version available On that page there is an Upgrade button which will begin the software upgrade process 4 3 3 2 Controlling automatic software updates There are two attributes on the system object see Section 4 2 that affect the automatic software upgrade process Table 4 4 Attributes controlling auto upgrades Attribute Description sw update Controls what types of software releases the auto upgrade process will download install This attribute can also be used to disable the auto up
351. tribute then its value if needed is zero blank null empty string false internally it is zero bits In some cases the presence of an attribute will have meaning even 1f that attribute is an empty string or zero value In some cases the default for an attribute will not be a fixed value but will depend on other factors e g it may be auto or set if using xyz The description of the default value should make this clear Where an optional attribute is not ticked the attribute does not appear in the XML at all These can be seen in Figure 3 7 Figure 3 7 Attribute definitions Attribute name m name Name Attribute WAN fo descriptions port Port group name Attribute values 14 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration If the attribute value is shown in a strike through font with a horizontal line through it mid way vertically this illustrates that the attribute can t be set this will happen where the attribute value would reference an instance of particular type of object but there are not currently any instances of objects of that type defined Tip Since the attribute name is a compact concise and un ambiguous way of referring to an attribute please quote attribute names when requesting technical support and expect technical support staff to discuss your configuration primarily in terms of attribute and object element nam
352. tricted traffic only to from same CUG ID fail lockout unsignedByte 1 Interval kept in failed state graph string Graph name hdlc boolean true Send HDLC header FF03 on all PPP frames hello interval unsignedByte 10 Interval between HELLO messages hostname string Hostname quoted on incoming tunnel ip IPAddr Not optional IP of far end Icp rate unsignedByte 10 LCP interval seconds Icp timeout unsignedB yte 61 LCP timeout seconds local IP4Addr Local IPv4 address localpref unsignedInt 4294967295 Localpref for remote ip routes highest wins log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors min retry duration 10 Minimum session time before retrying connection 173 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects mtu unsignedShort Default MTU for sessions in this tunnel 576 2000 mtu name string Name open timeout unsignedByte 10 Interval before OPEN considered failed password Secret Password for login payload table unsignedByte 0 99 0 Routing table number for payload traffic routetable profile NMTOKEN Profile name remote IP4Addr Remote IPv4 address retry timeout unsignedByte 10 Interval to retry sending control messages before fail routes List of 1PPrefix Default gateway Routes when link up rx speed unsignedInt S
353. tting e Dialled number e Calling Line Identity The CUI is just a string of characters It can be set on a telephone user but defaults to ddi exten or name if not set It is typically the telephone number that should pay for the call being made In a simple example of a telephone calling an external number the call comes in inbound leg and an outgoing call is made to the carrier outbound leg A CDR record is attached to the outbound leg with the telephones CUI and the corresponding CLI and dialled number used When the call connects the start time is set on the CDR At the end of the call the CDR record is written out CDR records can be logged e g syslog and send by RADIUS accounting RADIUS accounting also carries details of each call leg start interim and stop and the CDR records are contained in the final RADIUS STOP message for the call so only in one record There are more complex examples such as A calls B and B diverts to C When a call is diverted or transferred the CDR for that outbound leg is moved to the new outbound leg along with any CDR for that outbound leg This means that in this example you get two final CDRs one for A to B and one for B to C each starting when the call connected and having the same duration 95 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP For a transfer e g A calls B B places on hold and calls C then B transfers call you have the
354. ttribute This allows simple BGP configuration such as lt bgp as 12345 gt lt peer as 666 name transitl type transit ip 1 2 3 4 gt lt peer as 777 Name transii2 tyoe transit ip 2 3 4 0 2 3 4 6 gt lt peer type internal ip 5 6 7 8 gt lt bgp gt This example has two transit providers the second of which is actually two peer IP addresses and one internal connection Note that the peer AS is optional and unnecessary on internal type as it has to match ours The exact elements that apply are defined in the XML XSD documentation for your software release 17 2 4 Peer type The type attribute controls some of the behaviour of the session and some of the default settings as follows Table 17 1 Peer types Type Meaning normal Normal mode no special treatment Follows normal BGP rules transit Used when talking to a transit provider or a peer that provides more than just their own routes Peers only with different AS The community no export is added to imported routes unless explicitly de tagged peer Used when talking to a peer providing only their own routes Peers only with different AS The community no export is added to imported routes unless explicitly de tagged allow only their as defaults to true customer Used when talking to customers routers expecting transit feed and providing their own routes Peers only with different AS allow only their as defaults to true
355. u can manually override all tests and force the profile state using the set attribute a value of t rue forces the state to Active and false forces it to Inactive 55 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Profiles You can also configure the set attribute with a value of control switch This causes the profile to be set manually based on a control switch which is not stored in the configuration itself The switch appears on the home web page allowing it to be turned on or off with one click It can also be changed from the command line You can restrict each switch to one or more specific users to define who has control of the switch This control applies even if the user has no access to make configuration changes as the switch is not part of the config The switch state is automatically stored in the dynamic peristent data along with DHCP settings etc so survives a power cycle restart Note that the value of the invert attribute is ignored when manual override is requested These fixed state profiles can be used as simple on off controls for configuration objects The following shows an example of two such profiles expressed in XML lt profile name 0ff set false gt lt profile name 0n set true gt lt profile name IT Support comment Allow IT support company access to server set control switch gt 56 www voipon co uk sales voipon co uk Tel
356. ual log target mechanism This is done by specifying one or more of the log 1og debug and log error attributes Note We recommend that you avoid setting these attributes such that specify the log target containing the email object otherwise you are likely to continually receive e mails as each previous e mail process log will trigger another e mail the hold off will limit the rate of these mails though 5 4 Factory reset configuration log targets A factory reset configuration has a log target named default which only logs to RAM Provided this log target has not been deleted you can therefore simply set 1og default on any appropriate object to immediately enable logging to this default log target which can then be viewed from the web User Interface or via the CLI A factory reset configuration also has a log target named fb support which is referenced by the 1og panic attribute of the system object see Section 5 7 This allows the FireBrick to automatically email the support team if there is a panic crash you can of course change or delete this if you prefer Caution Please only set things to log to fb support if requested by support staff 5 5 Performance The FireBrick can log a lot of information and adding logs can causes things to slow down a little The controls in the config allow you to say what you log in some detail However logging to flash will always slow things down a lot and should only be used where
357. ug log error NMTOKEN Not logging Log as events mode pppoe mode client PPPoE server client mode mtu unsignedShort 1492 MTU for link 576 2000 mtu name NMTOKEN Name nat boolean false NAT traffic to this link unless otherwise set password Secret User password pd interface List of NMTOKEN Auto Interfaces for IPv6 prefix delegation port NMTOKEN Physical port number or port group name profile NMTOKEN Profile name remote IP4Addr Remote IPv4 address routes List of IPPrefix Default gateway Routes when link up service string Any service Service name source string Source of data used in automated config management speed unsignedInt Default egress rate limit b s table unsignedByte 0 99 Routing table number for payload routetable tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS username string User name vlan unsignedShort 0 VLAN ID O untagged 0 4095 vlan Table J 37 pppoe Elements Element Type Instances Description route ppp route Optional unlimited Routes to apply when ppp link is up J 2 29 ppp route PPP routes Routes that apply when link is up Table J 38 ppp route Attributes Attribute Type Default Description 165 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects bgp bgpmode BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or m
358. unce low Announce as low priority medium Announce as medium priority high Announce as high priority true Announce as default medium priority J 3 20 dhcpv6control Control for RA and DHCPv6 bits Table J 116 dhcpv6control Control for RA and DHCPv6 bits Value Description false Don t set bit or answer on DHCPv6 true Set bit but do not answer on DHCPv6 dhcpv6 Set bit and do answer on DHCPv6 J 3 21 bgpmode BGP announcement mode BGP mode defines the default advertisement mode for prefixes based on well known community tags Table J 117 bgpmode BGP announcement mode Value Description 200 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects false Not included in BGP at all no advertise Not included in BGP not advertised at all no export Not normally exported from local AS confederation local as Not exported from local AS no peer Exported with no peer community tag true Exported as normal with no special tags added J 3 22 sfoption Source filter option Table J 118 sfoption Source filter option Value Description false No source filter checks blackhole Check replies have any valid route true Check replies down same port vlan J 3 23 pppoe mode Type of PPPoE connection Table J 119 pppoe mode Type of PPPoE connection Value Description client Norm
359. unt high 4 bytes Gigawords Acct Input Packets 47 Rx packet count Acct Output Packets 48 Tx packet count Tunnel Type 64 Present for relayed L2TP sessions L2TP Tunnel Medium Type 65 Present for relayed L2TP 1 IPv4 or 2 IPv6 Tunnel Client 66 Present for relayed L2TP text IPv4 or IPv6 address of our address on the Endpoint outbound tunnel Tunnel Server 67 Present for relayed L2TP text IPv4 or IPv6 address of the far end address of Endpoint the outbound tunnel Tunnel Assignment 82 Present for relayed L2TP text local L2TP tunnel ID ID Tunnel Client Auth 90 Present for relayed L2TP local end hostname quoted by outgoing tunnel ID Tunnel Server Auth 91 Present for relayed L2TP far end hostname quoted by outgoing tunnel ID F 5 Accounting Stop As accounting interim update plus Table F 6 Accounting Stop AVP No Usage Acct Terminate 49 Cause code as appropriate Cause Cause codes of note are 2 Lost Carrier which is sent if LCP echos do not reply for several seconds and 14 Port Suspended which is sent if the dos limit is exceeded on a session For DOS handling is is recommended that subsequent authentication requests are rejected for several minutes or a fake accept is and session timeout is used as DOS attacks usually continue until the customer is off line 126 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADI
360. ut of hours List of string Numbers to ring if out of profile overflow List of string Numbers to ring when more than one call in queue overflow time duration 30 Include overflow after this time at head of queue profile NMTOKEN Profile name progress time duration 6 Time between each target called redirect boolean Allow calls to be diverted before ringing ring List of string Numbers to ring ringall time duration Switch to ring all after this time at head of queue source string Source of data used in automated config management type ring group type all Type of ring when one call in queue J 2 70 etun Ether tunnel Ether tunnel Table J 96 etun Attributes Attribute Type Default Description eth port NMTOKEN Not optional Port group name ip IPAddr Not optional Far end IP address log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors profile NMTOKEN Profile name source ip IPAddr Our IP address table unsignedByte 0 99 0 Routing table number routetable J 3 Data types J 3 1 autoloadtype Type of s w auto load Table J 97 autoloadtype Type of s w auto load Value Description www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 194 Configuration Objects false Do no auto load factory Load factory releases beta Load beta test releases
361. v2 and 00 00 5E 00 02 XX for VRRPv3 The master device will reply with this MAC address when an ARP request is sent for the virtual router s IP address Since the MAC address associated with the virtual IP address does not change ARP cache entries in other devices remain valid throughout the master backup switch over and other devices are not even aware that the switch has happened apart from a short black hole period until the backup starts routing When there is a switch over the VRRP packets that are multicast are sent from this special MAC so network switches will automatically modify internal MAC forwarding tables and start switching traffic to the appropriate physical ports for the physical router that is taking up the active routing role Note You can disable the use of the special MAC if you wish and use a normal FireBrick MAC However this can lead to problems in some cases 84 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VRRP 15 2 Configuring VRRP VRRP operates within a layer 2 broadcast domain so VRRP configuration on the FB2500 comes under the scope of an interface definition As such to set up your FB2500 to participate in a Virtual Router group you need to create a vrrp object as a child object of the interface that is in the layer 2 domain where the VRRP operates 15 2 1 Advertisement Interval A master indicates that it still alive by p
362. v6control Control for RA and DHCPV6 bits 2 0 00 cece ec ee ee ee eeeeeen eens 200 J 3 21 bgpmode BGP announcement mode oooccoccnnccnnconnconeconicononnncnnncnnnrnnccnncinnccnnioos 200 J 3 22 sfoption Source filter Option ooooooroncconronnronnononcnnocononononnornnn rro even scen sens rensees 201 J 3 23 pppoe mode Type of PPPoE connection ocoooccocccncnnncnnncnnccnnconnconnccnnconnconacinicos 201 J324 peertype BGP peer Type ss ceee senate peter eter E EEEE EA 201 J 3 25 ipsec auth algorithm IPsec authentication algorithm 0 eee ee ence ee eeeeeeee 201 J 3 26 ipsec crypt algorithm IPsec encryption algorithm 0 0 0 0 eee eee cence ee eeeeee eee 202 J 3 27 ike PRF IKE Pseudo Random Function cee ee cece ceeeceece seen secu seca een een eens 202 J 3 28 ike DH IKE Diffie Hellman group ooocooccnccnnccnnconnconncnnnconnconoconncnnncnnrcnnronicnnos 202 J 3 29 ike ESN IKE Sequence Number support oooccocccnccnncnnccnnccnnconnconnccnnccnnconnconaconoss 202 J 3 30 ike authmethod authentication method ooocoooccnnconoconoconccnnocnnonnncnnacnnccnnccnnccnnions 203 J 3 31 ike mode connection setup mode 2 0 0 0 cee eee ceee eee c ee ce ceca cece cena eeu ceueeeeeeeenees 203 J 3 32 ipsec type IPsec encapsulation type ocoooconccnnccnnocnncnnncnnncnnnonnconnccnnccnnconnconacnnnes 203 J 3 33 ipsec mode Manually keyed IPsec encapsulation mode ooooccoccnnccnncnnccnnccnnconncnnno 203 J 3 34
363. ve format Pv6 Bits IPv4 Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link Session Timeout 27 Absolute limit on session in seconds Terminate Action 29 If not specified or O then terminate on Session Timeout or Quota reached else send RADIUS Interim accounting update not an Access Request Connect Info 77 Text tx speed limit to apply to session Filter Id 11 See filter ID section The session is identified by Acct Session Id if present else by Chargeable User Identity No other identification parameters are supported If sent then they are ignored Parameters are left unchanged if not specified e If any route entries IPv4 or IPv6 are present then the existing routing apart from the PPP endpoint address are all removed and replaced with what has been sent To clear all routes send a framed route with a blank string The Framed IP Addreess cannot be changed 127 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Supported RADIUS Attribute Value Pairs for L2TP operation e To clear the session timeout send a value of 0 e To clear outbound shaping send connect speed of 0 No other parameters are supported and if sent then they are ignored F 8 Filter ID The Filter ID can be set in authentication response and change of authorisation There can be many records Each can have many filters Each fil
364. verted to that format when the configuration is saved You can also use name s of defined IP address group s which are pre defined ranges of IPs 13 3 HTTP Server configuration The HTTP server s purpose is to serve the HTML and supporting files that implement the web based user interface for the FB2500 It is not a general purpose web server that can be used to serve user documents and so there is little to configure 13 3 1 Access control By default the FB2500 will allow access to the user interface from any machine although obviously access to the user interface normally requires the correct login credentials to be provided However if you have no need for your FB2500 to be accessed from arbitrary machines then you may wish to lock down access to the user interface to one or more client machines thus removing an attack vector Access can be restricted using allow and 1ocal only controls as with any service If this allows access then a user can try and login However access can also be restricted on a per user basis to IP addresses and using profiles which block the login even if the passord is correct Additionally access to the HTTP server can be completely restricted to all clients under the control of a profile This can be used for example to allow access only during certain time periods 13 3 1 1 Trusted addresses Trusted addresses are those from which additional access to certain functions is available The
365. which service can be IPNameRange anywhere accessed comment string Comment local only boolean true Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 23 Service port profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number J 2 11 http service HTTP service settings Web management pages Table J 15 http service Attributes Attribute Type Default Description access control string Additional header for cross site javascript allow origin allow List of Allow from List of IP ranges from which service can be IPNameRange anywhere accessed comment string Comment css url string Additional CSS for web control pages local only boolean true Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 80 Service port profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 0 Routing table number routetable 154 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects
366. will be informed of this as shown in Figure 4 2 This step is necessary since the manual upgrade feature currently shares the page used for Internet based manual upgrades which is reached by clicking Upgrade available link After clicking this link you will find the manual upgrade method at the bottom of the page as shown in Figure 4 3 Figure 4 3 Manual Software upload Manual software upload WRAS asenon CODES Use this to upgrade software for the boot loader or main application as required Tick the box to force a reboot once new software is loaded 4 4 Boot Process The FB2500 contains internal Flash memory storage that holds two types of software e main application software generally referred to as the app e a bootloader runs immediately on power up initialises system and then loads the app It is possible for only one of these types of software or neither of them to be present in the Flash but when shipped from the factory the unit will contain a bootloader and the latest factory release application software The FB2500 can store multiple app software images in the Flash and this is used with an automatic fall back mechanism if a new software image proves unreliable it is demoted and the unit falls back to running older software The show flash contents CLI command can be used to see what is stored in the Flash see Appendix H 4 4 1 LED indications 4 4 1 1 Power LED status indications The green pow
367. with the default being routing table 0 zero The various ways to add routes allow the routing table to be specified and so allow completely independent routing for different routing tables The default table table zero is used when optional routing table specification attributes or CLI command parameters are omitted Each interface is logically in a routing table and traffic arriving on it is processed based on the routes in that routing table Tunnels like FB105 and L2TP allow the wrapped tunnel packets to work on one routing table and the tunnel payload packets to be on another It is possible to jump between routing tables using a tule in a rule set Routing tables can be very useful when working with tunnels of any sort placing the wrappers in one routing table allowing DHCP clients and so on without taking over the default route for all traffic The payload can then be in the normal routing table 0 8 5 Bonding A key feature of the FB2500 is the ability to bond multiple links at a per packet level This feature is only enabled on a fully loaded model of your FB2500 Bonding works with routing and shapers together See Chapter 10 for details of shapers 52 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Routing The basic principle is that you have two or more routes that are identical same target IP prefix and have the same localpref so that there is nothing to decide between t
368. www firebrick co uk fb 105 2700 php www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Introduction If you have one or more FB105 devices in your network you ll be pleased to know that the fully loaded FB2500 supports the FB105 tunnel protocol and will interwork seemlessly allowing you to upgrade devices as time and budgets allow Your dealer can also give you advice on converting configurations from older FB105 based networks 1 2 About this Manual 1 2 1 Version Every major FB2500 software release is accompanied by a release specific version of this manual This manual documents software version V1 27 001 please refer to Section 4 3 to find out more about software releases and to see how to identify which software version your FB2500 is currently running If your FB2500 is running a different version of system software then please consult the version of this manual that documents that specific version as there may be significant differences between the software versions Also bear in mind that if you are not reading the latest version of the manual and using the latest software release references in this manual to external resources such as the FireBrick website may be out of date You can find the latest revision of a manual for a specific software version on the FB2500 software downloads website http www firebrick co uk software php PRODUCT 2300 This includes the revision histor
369. x A linux based call recording app is available to FireBrick customers for this purpose and some VOIP carriers may offer this as a service Tip If the SIP endpoint supports stereo a law then the recording is made in stereo with each side of the conversation on a channel The supplied call recording app makes stereo a law WAV files and can be configured to send these by email as each call ends 16 13 Voicemail and IVR services Voicemail is still in development The FB2500 will simply pass the call to a voicemail server via SIP This could be a local device on the network or a service provided by a carrier We will include a software package to run on a linux box that will save the recording Tip Most VoIP carriers provide voicemail 16 14 Call Data Records A Call Data Record CDR is a record that is used for charging for a call It consists of the following which are shown in a comma separated list e Start time when call connected UTC with milliseconds or if not connected then when call created e Duration of ringing seconds and milliseconds e Duration of call seconds and milliseconds or minus and call status if call not connected e Call Record Data Where the CDR is created based on the presence of a cui setting in the configuration the Call Record Data consists of the following fields Where RADIUS is used the Call Record Data is simply the data provided by RADIUS e Chargeable User Identiy the content of the cui se
370. x Atribute Siei E EEE TE E E S EE TEE 163 AA O 163 3 34 dhcpzattr number Att Dutes muito A id ee 164 5 35 dhep attr 1p2 A vega naniwe EE E NENE EE AE SEEE NRE E EEES 164 3 36 pppoe Attributes ise e E is E ec sh betes en da ated EA EE EEEE S 164 J 37 s pppoe Elements oenn a n E E NE E a EE EE RE EE EES 165 3 38 Ppp route Attributes e fos ec e E a R E ee ET E N 165 J39 TOUTE Attribute Ssa a e toe hen a E E AN N 166 TAO network Attributes A oe 166 J 41 blackhole Attributes ete iia 167 JA2 Joopbacks Aftrib te Sais ane rE ieeiete E E ate ate ng ce de E A aT 167 J43 Dep AMMDULES viiia n e a od E a E E E ET 168 a EA A NS 168 xvi www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 FireBrick FB2500 User Manual lA 168 3 46 beppeer Elements ts o SA A ES 169 3 47 bepmap gt AttrlDUtes e 224 sacceny saews ica da celica eatow eal ae Mus stench Se taccuuestewslonthae dea ciao 170 JAS bepmap Elements e525 aves seed E ieee A eae eaten cede 170 J49 Bepriile Attributes moneo n r wohese down a up dndee opp RO E R E E op Neda e sh weaesspuesn tee h bes 170 50 CDS Atri DULeS aeni A A A 171 IN O SN 173 5210 tp Elements a Syke tags esate aie el See eh ed ahd a Rate th tm ciate te ode 173 J53 12tp outeoing SA RO 173 J 54 12tp outgomg Elements sis ee vhs eee Gib eek eee deel be SR AS 174 J55 2tp mnConwn AAA A 174 3 56 2tp incomung Elements iii oi A ia ae api 176 E NAAA O TN 176 TOS
371. xt2 string Text line 2 text3 string Text line 3 text4 string Text line 4 timeformat string Y Yom d H Time format M S top unsignedByte 4 Pixels space at top of graph tx Colour 080 Colour for Tx traffic level J 2 39 I2tp L2TP settings L2TP settings for incoming and outgoing L2TP connections 172 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects Table J 51 tp Attributes Attribute Type Default accounting interval duration 1 00 00 Description Periodic interim accounting interval send acct delay boolean Send Acct Delay as well as Event Timestamp on accounting Table J 52 12tp Elements Element Type Instances Description incoming 12tp incoming Optional unlimited Incoming L2TP connections outgoing 12tp outgoing Optional unlimited Outgoing L2TP connections J 2 40 I2tp outgoing L2TP settings for outgoing L2TP connections L2TP tunnel settings for outgoing L2TP connections Table J 53 12tp outgoing Attributes Attribute Type Default Description bgp bgpmode BGP announce mode for routes called string called station idi to send calling string calling station id to send comment string Comment cug unsignedShort Closed user group ID 1 32767 cug cug restrict boolean Closed user group res
372. y are specified by setting the t rusted attribute using address ranges or IP address group names This trusted access allows visibility of graphs without the need for a password and is mandatory for packet dump access 75 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 System Services 13 4 Telnet Server configuration The Telnet server allows standard telnet protocol clients available for most client platforms to connect to the FB2500 and access a command line interface CLI The CLI is documented in Chapter 19 and in the Appendix H 13 4 1 Access control Access control can be restricted in the same way as the HTTP web service including per user access restrictions Note By default the FB2500 will only allow telnet access from machines that are on one of the locally attached Ethernet subnets This default is used since the CLI offers a degree of system control that is not available via the web interface for example software images stored in the on board Flash memory can be deleted via the CLI The example XML below shows the telnet service configured this way lt telnet allow 10007072A L051 03 938 10 100 1008s 10 99 9907 24 comment telnet service access restricted by IP address local only falet 13 5 DNS configuration The DNS service provides name resolution service to other tasks within the app software and can act as a relay for requests received
373. y for all software releases 1 2 2 Intended audience This manual is intended to guide FB2500 owners in configuring their units for their specific applications We try to make no significant assumption about the reader s knowledge of FireBrick products but as might be expected given the target market for the products it is assumed the reader has a reasonable working knowledge of common IP and Ethernet networking concepts So whether you ve used FireBrick products for years or have purchased one for the very first time and whether you re a novice or a network guru this Manual sets out to be an easy to read definitive guide to FireBrick product configuration for all FireBrick customers 1 2 3 Technical details There are a number of useful technical details included in the apendices These are intended to be a reference guild for key features 1 2 4 Document style At FireBrick we appreciate that different people learn in different ways some like to dive in hands on working with examples and tweaking them until they work the way they want referring to documentation as required Other people prefer to build their knowledge up from first principles and gain a thorough understanding of what they re working with Most people we suspect fall somewhere between these two learning styles This Manual aims to be highly usable regardless of your learning style material is presented in an order that starts with fundamental concepts and bui
374. y sending packets and assumes something with a lower speed is probably queuing them up later This record of how far ahead the traffic is gets used in two ways e If the shaper is too far ahead then packets are dropped causing the link to be rate limited to the selected speed Exactly how much is too far depends on the packet size with small packets less than 1000 bytes allowed more margin than large packets This has the effect of prioritising DNS interactive traffic VoIP etc e Where there are two or more links with shapers a link is picked based on which is the least far ahead This has the effect of balancing the traffic levels between multiple links based on the speed of each link exactly 59 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 11 PPPoE The FB2500 can operate as a PPPoE client This is typically used to connect to an Internet service provider either via a suitable PPPoE modem bridging router or direct connection The typical usage is to use one or more ports on the FB2500 each connected directly to a suitable PPPoE device such as a bridging router The PPPoE device is usually very dumb and may not need any configuration at all The FireBrick is responsible for the login to the ISP using the PPPoE link and the configuration for this is part of the FB2500 s configuration and not the router This makes it very easy to make use of spare routers etc without the comp
375. you are getting from your reseller please contact us http www firebrick co uk contact php 1 3 2 IRC Channel A public IRC channel is available for FireBrick discussion the IRC server is irc z je and the channel is firebrick 1 3 3 Application Notes FireBrick are building a library of Application Note documents that you can refer to each Application Note describes how to use and configure a FireBrick in specific scenarios such as using the device in a multi tenant Serviced Office environment or using the FireBrick to bond multiple WAN connections together 1 3 4 White Papers FireBrick White Papers cover topics that deserve specific discussion they are not related to specific Applications rather they aim to educate interested readers regarding networking protocols common best practice and real world issues encountered 1 3 5 Training Courses FireBrick provide training courses for the FB2x00 series products and also training course on general IP networking that are useful if you are new to networking with IP To obtain information about upcoming courses please contact us via e mail at training firebrick co uk www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Chapter 2 Getting Started 2 1 IP addressing You can configure your FireBrick using a web browser to do this you need IP connectivity between your computer and the FireBrick For a new FB2500 or one that h
376. you will need to set a registrar and or proxy which is usually either a host name or an IP address This will need to refer to the FB2500 s address 89 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 VoIP The handset will also have some form of login or username and a password Typically you would use the extension number or DDI as the username but in an office PABX you may want people s names as the user name On the FB2500 you add a telephone configuration object VoIP users for each telephone specifying a username and password If the handset will need to connect from somewhere that is not on the local network LAN then you also need to set local only to false You also need to set the extn and ddi for the phone Also in order to make external calls you need to select a carrier to use Tip There are a number of other settings which can be useful The display name will show the caller name on internal calls You can also limit the number of concurrent calls Some other features are described in corresponding sections below The VoIP status page shows the active registrations from handsets Tip The log register and log register debug settings can provide a lot of information about registrations and help diagnose any problems 16 7 VoIP call carriers A VoIP carrier is a service provider that can accept outgoing calls and route incoming calls Typically a VoIP carrier is expecting
377. ypically for IPv4 and IPv6 addresses for the same peer but this can be used for a group of similar peers Table J 45 bgppeer Attributes Attribute Type Default Description add own as boolean Add our AS on exported routes allow export boolean Ignore no export community and export anyway allow only their as boolean Only accept routes that are solely the peers AS allow own as boolean Allow our AS inbound as unsignedInt Peer AS capability as4 boolean true If supporting AS4 capability graceful boolean true If supporting Graceful Restart restart capability mpe ipv4 boolean true If supporting MPE for IPv4 capability mpe ipv6 boolean true If supporting MPE for IPv6 capability route boolean true If supporting Route Refresh refresh comment string Comment 168 www voipon co uk sales voipon co uk Tel 44 0 1245 808195 Fax 44 0 1245 808299 Configuration Objects drop default boolean false Ignore default route received export med unsignedInt Set MED on exported routes unless export filter sets it holdtime unsignedInt 30 Hold time ignore bad optional boolean true Ignore routes with a recognised badly partial formed optional that is flagged partial import localpref unsignedInt Set localpref on imported routes unless import filter sets it import tag List of Community Lis
Download Pdf Manuals
Related Search