Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

I have made the following changes to the firebrick config ready to go to more than threee modems.

<port name="Port-LAN"  ports="1" comment="To main LAN switch"/>
<port name="Port-WAN"  ports="2 3 4" comment="To small switch then to ADSL modems"/>

instead of having multiple separate entries defining Port-WAN1, Port-WAN2 Port-WAN2

For admin and stats access, I now have

<interface name="IF-Mdm1" port="Port-WAN" plan="101">
      <subnet ip="192.168.1.254/24"/>
</interface>
<interface name="IF-Mdm2" port="Port-WAN" vlan="102">
      <subnet ip="192.168.2.254/24"/>
</interface>
<interface name="IF-Mdm3" port="Port-WAN" vlan="103">
      <subnet ip="192.168.3.254/24"/>
</interface>
<interface name="IF-Mdm4" port="Port-WAN" vlan="104">
      <subnet ip="192.168.4.254/24"/>
</interface

<!-- and -->
<!-- == Modem admin interface helper NAT rules: ‘firewall’ rules which make return traffic work by NATing
   See also above ##_MDM-REVERSE-NAT
   The address .254 must match that earlier - see #_MDM_RETURN_NAT_254 and the interface names have to match
   Return traffic from the modem goes to the Brick at 192.168._xx_.254 and then gets NAT-rewritten to direct it onwards back to the original sender.
-->
<!-- -->
<rule-set name="Modem 1 admin NAT" target-interface="IF-Mdm1" no-match-action="continue">
      <rule set-source-ip="192.168.1.254"/>
</rule-set>
<rule-set name="Modem 2 admin NAT" target-interface="IF-Mdm2" no-match-action="continue">
      <rule set-source-ip="192.168.2.254"/>
</rule-set>
<rule-set name="Modem 3 admin NAT" target-interface="IF-Mdm3" no-match-action="continue">
      <rule set-source-ip="192.168.3.254"/>
</rule-set>
<rule-set name="Modem 4 admin NAT" target-interface="IF-Mdm4" no-match-action="continue">
      <rule set-source-ip="192.168.4.254"/>
</rule-set>

with the VLAN tag values 100-104 that are used in the AA standard switch config posted in the article on the AA website about accomoding more than three modems with a mux switch, and I have got rid of the distinct suffixed numbers on the physical port sockets Port-WAN1, Port-WAN2 etc. The second block is a load of firewall rules that perform NAT rewriting because the modem replies to admin requests, stats queries, telnet etc by talking back to 192.168.modem_n.254 on the Firebrick-to-modem link.

I am hoping that this is enough. I do not know if the last bit will work, as the incoming stuff is arriving VLAN-tagged and it has to have the tag recognised and removed as well as being NATed and passed on to the main LAN, directed to the remembered rewritten destination.

Notice the extra one-liner comments <!-- --> these are inserted as a workaround for bad bugs in the xml parser of the Firebrick, where it does not process comments properly sometimes, perhaps when there are newlines in the comment but not always. This is very poorly understood. It is known that some times it fails to recognise the end of a comment. A second close-comment marker always fixes such a bug. I have written a tool that tries to spot the known problem cases and warns appropriately, but it is not perfect. I have thus far failed to persuade RevK to simply fix the parser properly. I could just write my own tool to strip comments out though of course.

[burakkucat]

In your second displayed quotation from the configuration, line number 12 shows as --

</interface

That needs a little bit of attention, unless it is just a copy (from Firebrick) / paste (to forum post) mishap.

Now returning attention to the first displayed quotation from the configuration, what exactly is the second line specifying?

<port name="Port-WAN"  ports="2 3 4" comment="To small switch then to ADSL modems"/>

If I loose the comment (which is faultless, I just want to remove any distraction) the line becomes --

<port name="Port-WAN"  ports="2 3 4"/>

My reaction to that line is now 

Either I have completely misunderstood the proposed physical set-up or I do not follow that usage variation of XML . . .

Each of the four Openreach provided metallic pathway is terminated on a ZyXEL VMG1312-B10A modem. Each of those four modems are connected to a small switch, acting as a mux/demux. There is only one physical cable linking the small switch to the Firebrick. I am troubled by the --

  ports="2 3 4"

Is that usage another Adrian Kennard creation? 

[Weaver]

I am so glad your eyeballs are sharp. I checked the original, and it is correct, it was copy-paste-error. Thank you so much for your alertness.

As for the multiple ports. What I wanted to say was "any of the ethernet ports 2 / 3 / 4".

I looked into this and it seems to be of type set-of-integers or set-of-ports, so that allows multiple physical ports in a bridge group by so programming the ethernet interfaces to be like a switch, if I have understood. I think this because can see it listed as an available option in the Firebrick's UI. I had better check that with staff. I should go and look at the XML schema to check.

This has not been tried out yet. I keep asking Mrs Weaver to help me plug it in but she is unwilling to help.

As you probably know, before the application of XML schemas or equivalents of various types, which constrain what is 'well-formed' as opposed to merely 'valid', all attributes’ values are simply meaningless strings. There are not even any numbers in XML everything has to be converted from unicode text however necessary. In xhtml web pages this is syntactically like the specification of class eg class="greater spotted nuthatch gobbler" where there is a space-delimited set of substring values.

[burakkucat]

I am so glad your eyeballs are sharp. I checked the original, and it is correct, it was copy-paste-error. Thank you so much for your alertness.

Good. So there's nothing there that needs to be corrected.

As for the latter, I will feel more comfortable when you can say that it just works.

[Weaver]

I don't know if it will work, it's just based on the web ui which can shown something like "3 items..." literally. The attribute should be named port-group really then.

[Weaver]

An amazing thought came to me - I could consult the manual - which is on the web. (Usual brain fog at work - I can never go and just look things up.) Anyway what do you know:

6.1.1. Port groups
Up to four port groups can be defined, with each group comprising a set of one or more physical ports that doesn't overlap with any other group. The ports within the group work as a conventional Ethernet switch, directly transferring traffic at wire-speed that is destined for a MAC address that is present on one of the other ports in the group.
The port group has a trunk setting which defaults to being false. When only one port is in the group it makes no difference how this is set. With more than one port, when trunk is false, the ports work as a switch, passing traffic directly at gigabit speeds between the physical ports. With more than one port, when trunk is true, the ports work as a link aggregation trunk and not as a switch. There is no option for some ports in a group to be trunked and switched to other ports.
When using a trunked port group, the ports normally use and required LACP to a suitably configured switch. Only when the LACP confirms the correct config is the trunk set up. Until them the first active port is used on its own. If you do not wish to use LACP for the trunk (static config) you can edit the individual ethernet port settings to set lacp to false. If lacp mode is not set then it is assumed to be active for trunked ports, and passive for non trunked ports.

I am not sure if I can specify 'trunk' and put it into LACP mode as it might whine that the trunk is broken because some of the links are down. But that is really good to know. You can not put 3 lots of 1Gbps into the FB2900 though anyway (don't know about the FB60xx series). I can soon try it.

[Weaver]

And I also found

K.27
        …
portdef:       …

ports  Set of port string    Physical port(s)

so that makes me a bit more hopeful.

[burakkucat]

As I have hinted, in the past, I find the Firebrick documentation to be rather unhelpful.    Unhelpful, as in a lack of providing details how to configure the devices. To me, it seems as if the author(s) just delight in giving a lecture on some topic . . . 

[vic0239]

That should work ok, I have a similar notation in my configuration.

Code: [Select]

<port name="LAN"
       ports="1 2"/>
 <port name="WAN1"
       ports="3"/>
 <port name="WAN2"
       ports="4"/>

[Weaver]

I agree. Documentation is an art, and developers are usually useless because they are too close. Should have hired someone professional to write the docs, because that actually helps protect the developer from their own risk of assuming too much. Also a load of solutions and full explanations are needed. If I were fit enough, which I certainly am not, and also knew how the thing worked, I would volunteer, not that that would be likely to get very far.

[vic0239]

I also noticed a weird incantation in this snipppet.

<interface name="IF-Mdm1" port="Port-WAN" plan="101">
      <subnet ip="192.168.1.254/24"/>
</interface>

“plan”?

[burakkucat]

Well spotted! 

How a vlan became a plan, I'm unsure. Certain typos can be easily understood by the proximity of the keys. Perhaps Pangur Bŕn nosed the iPad?

[Weaver]

That is not in the original either. My textastic source editor has no stupid autocorrect, but things got accidentally corrupted after I pasted it into Safari. I am so grateful for the proofreading. The brick will pick that kind of error up and complain. But all are very much appreciated so keep ’em coming if you can be bothered. A pint or two to every contributor, have to come to collect it tho.

I should put the entire conic up if anyone is interested, to see if anyone else can find some more bugs, or suggest improvements, or for general interest.

[DaveC]

Hi,

The basic idea seems fine  - I'm assuming your modems are 192.168.1.1, 192.168.2.1, 192.168.3.1 and 192.168.4.1 ?  What about your switch?  How do you deal with access to that?

One thing I would perhaps do differently is use the vlan ID as part of each modem's subnet prefix.  So use subnets 192.168.201.0/24 etc.  But that's just personal preference.

Not 100% sure, but instead of set-source-ip="192.168.1.254", I think you can just do set-nat="true".  The Firebrick should then pick its own IP appropriately.  You could probably then combine the four rules into 1.  But I would probably test your version first, and then try that as an optimisation later.


I don't know the Zyxels, but on the HG612 in bridge mode, you can set LAN routing rules, and these avoid the need for NAT on the firebrick.  You can't set a default route, so I set a route for each subnet in my home network. 

e.g. I have various subnets under 10.0.0.0/8, so to enable me to access the modems from there, each HG612 has the route  "Address: 10.0.0.0, Netmask: 255.0.0.0, Gateway: 10.10.5.1" (where gateway is my firebrick's IP on the same subnet as the HG612).

But it's probably easier to add the NAT rules to the firebrick.

[DaveC]

To me, it seems as if the author(s) just delight in giving a lecture on some topic . . . 

Having just glanced at the section on NAT in the Firebrick manual, you couldn't be any more accurate... 

Although to be fair, in the past I have found some of the lectures in the manual useful.