How to Configure an ISP with xDSL

Author: Lee Stokes
Barracuda NextGen Firewall F

xDSL (in its many variants such as ADSL, SDSL, etc.) has become popular as a low-cost, medium-performance alternative to leased lines. You can configure a maximum of four xDSL links. Standard Linux implementations rely on the use of a combination of PPP and PPTP or PPPoE.

To bring up the xDSL link, you must identify yourself to the xDSL provider with a username and password. Because the IP address assigned by your xDSL provider is dynamic and will change every time the link is brought up, an xDSL link to the Internet is not convenient for granting access to parts of your network. Alternatively, you can ask your provider for a fixed IP address.

Because telecommunication providers may periodically disconnect your xDSL modem from the network, the xDSL link management automatically introduces and deactivates routes, rules, and tables required by the xDSL link. It continuously monitors the link status and the reachability of certain configurable addresses. If required, the link will be brought down and re-established afterwards. This ensures the availability of the link.

Configure an xDSL

To enable and configure an xDSL:

1. Log into the Barracuda NG Firewall.
2. Open the Network page (Config > Full Config > Box > Network).
3. From the Configuration menu in the left navigation pane, click xDSL/DHCP/ISDN.
4. Click Lock.
5. From the xDSL Enabled list, select yes.
6. If your system comes with an integrated DSL modem, select the ADSL version of the integrated modem from the Integrated xDSL Modem list.
7. In the xDSL Links table, click + to add an entry for your link.
8. Enter a name for the xDSL link and click OK. Only digits and letters from the Latin character set, excluding special characters, are allowed in the link name.
9. In the xDSL Links window, configure the link properties, connection, authentication, routes, and connection monitoring. For more information on the xDSL settings, see the following xDSL Settings section.
10. Click OK.
11. Click Send Changes and then click Activate.

xDSL Settings

The following sections provide more information on the settings that you can configure in the xDSL Links window from the Network - xDSL/DHCP/ISDN page. Some of the settings are only available in advanced configuration mode. To access this mode, expand the Configuration Mode menu in the left navigation pane and then click Switch to Advanced.

Link Properties

Setting

Description

Link Active

If set to yes, the link is taken into account for link management. Otherwise, it is ignored.

Standby Mode

To activate and monitor the link after a network activation, select no. If you select yes, the activation and subsequent monitoring of the link must be triggered externally. Note that for a PPP multilink bundle, the primary link settings are adopted for all links. The Standby Mode setting also lets you combine HA setups for HA xDSL connections. When you select yes from the Standby Mode list, the following steps are implemented:

1. The involved routes are set to pending state, and it is not checked whether they are established.
2. The configuration is completely run through, but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:

⚬ connection start: /etc/phion/dynconf/network/openxdsl start
⚬ connection stop: /etc/phion/dynconf/network/openxdsl stop

When the server is up, the connection is established automatically. When the server is deactivated, the connection is stopped automatically. As a result, you can implement HA setups with broadband links.

To avoid routing conflicts in multiprovider environments, be aware that every provider usually assigns the same gateway to a dynamically assigned IP address. Do not configure multiple xDSL links managed by the same provider, unless you are sure that the assigned addresses stem from distinct IP pools and use clearly distinguishable gateways.

Enable PPP Multilink

(Advanced Configuration Mode) To configure the link as part of a PPP multilink bundle, select yes. If you are using PPP multilink, the ISP providing the links must support it.

Primary Link

(Advanced Configuration Mode) If you enabled PPP multilink, select the primary link of the PPP multilink bundle from this list.

Endpoint Descriptor

(Advanced Configuration Mode) Optional. A description of the local system that can be sent to the peer during multilink negotiation. By default, the MAC address of the first Ethernet interface is used if it is available. Otherwise, the IPv4 address corresponding to the hostname is used if it is not in the multicast or locally-assigned IP address ranges, or the localhost address. The endpoint discriminator can be the string null or of the form type: value, where type is a decimal number or one of the strings local, IP, MAC, magic, or phone. The value is an IP address in dotted-decimal notation for the IP type, or a string of bytes in hexadecimal, separated by periods or colons for the other types. For the MAC type, the value may also be the name of an Ethernet or similar network interface.

Synchronous PPP

To configure PPP and the transport protocol daemons to initiate a connection in synchronous mode, select yes. In special cases, enabling this feature may result in a higher PPP performance. Contact your ISP to verify if synchronous PPP is supported. Enabling this feature without support of the remote server may cause an unstable connection and massive performance loss.

Connection Type

Specifies the transport protocol for PPP. If you are using PPP multilink bundles, all of the links must use the same connection type.

Static Local IP

(Advanced Configuration Mode) Enter the static IP address if your ISP does not assign it automatically.

Static Gateway IP

(Advanced Configuration Mode) Enter the static gateway IP address if your ISP does not assign it automatically.

PPPoE Connection Details

Setting

Description

Ethernet Interface

The name of the Ethernet interface to which the xDSL modem or PPPoE server is attached. If using a PPPoE server, a crossover cable is required.

Max. Segment Size

(Advanced Configuration Mode) The maximum segment size for the encapsulated traffic. The default value is 1412 bytes.

PPTP Connection Details

Setting

Description

Modem IP

The address of the xDSL modem or PPTP server to which a PPTP connection is supposed to be established.

Local IP Selection

You can select:

• Static – The address configured as Local IP is used.
• DHCP – The local address is obtained via DHCP (the former get address from DHCP option).
• Dynamic – The device selects the address that is provided by routing to reach the PPTP server. This address is then reported to the firewall engine for GRE registration.

Required DHCP Link

You can only configure this setting if you set Local IP via DHCP to yes. In this field, enter the name of the DHCP section that this xDSL link relies upon for providing a routing path to the specified modem IP address.

Local IP

Only needed with PPTP selected. Determines the local IP address that is used to establish a connection with the specified modem IP address. You must use a local IP address that is already configured. The specified address is used for local GRE protocol registration with the local firewall. This option and the Local IP via DHCP option are mutually exclusive.

Gateway to Modem IP

(Optional) If the xDSL modem or PPTP server are not directly attached to the gateway, you can specify the IP address of the gateway. Note that this option and the Local IP via DHCP option are mutually exclusive. A gateway route will automatically be created for PPTP.

Max MTU/MRU Size

(Advanced Configuration Mode) Default setting is 1492. You can enter values from 60 to 1492.

Authentication

Setting

Description

Authentication Method

You can select PAP, CHAP, PAP_or_CHAP, or NONE.

User Access ID

The principal account name (PPP username) assigned to you by your provider.

User Access Sub-ID

PPPoE-only option. Some providers (for example, Deutsche Telekom) assign this sub-ID, which is separated from the user access ID by the number sign (#). Do not type the number sign. The complete user ID is formatted as follows: [user_id]#[access_sub_id]@[provider_name]. For example, the complete ID would be notated as follows: 000xxxxxxxxx520069204717#[email protected] When phion.a is used to configure the user details, the # and @ symbols are generated automatically. Do not enter the # and @ symbols; just enter the digits into the available fields.

Access Password

The PPP password assigned to you by your ISP.

Provider Name

(Advanced Configuration Mode) PPPoE-only option. Some providers assign user access IDs, which contain a provider name separated from the actual user access ID (and optional sub-ID) by the @ symbol. Do not enter the @ symbol; it is automatically generated (for example, username#subid@provider).

PPPoE Acceleration

PPPoE-only option. Use only if required.

Access Concentrator

(Advanced Configuration Mode) Use only if required. PPPoE-only option. You must use an access concentrator name (PPPoE server) that is specified by the provider.

Service Name

(Advanced Configuration Mode) Optional.

Use Provider DNS

To use the DNS servers assigned by your provider, select yes.

Use Dynamic DNS

(Advanced Configuration Mode) To activate and configure dynamic DNS, select yes. To use dynamic DNS, you must register with www.dyndns.org. Check with your provider if using dynamic DNS is advisable when using a static address or an address that rarely changes. If you use static or rarely changing addresses, dynamic DNS might not be appropriate because the address must change once a month.

Dynamic DNS Params

(Advanced Configuration Mode) Click Edit to configure dynamic DNS settings. In the Dynamic DNS Params window, you can configure the following settings:

• Service Type – The dynamic DNS service type. You can select DynamicDNS (default), StaticDNS, or CustomDNS. For more information about dynamic DNS service types, see
• DynDNS Name – The dynamic DNS name that you registered at dyndns.org.
• Secure Update – To use HTTPS for secure updates, select yes. Otherwise, HTTP is used.
• User Access ID – The user ID for accessing the server as defined during registration at dyndns.org.
• Access Password – The password for accessing the server as defined during registration at dyndns.org.
• Wildcard Support – To allow the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same), this setting is set to yes by default. To disable it, select no.
• MX Record – The mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one that the hostname points to.
• Backup MX – To use the specified MX record as a backup mail server, select yes. The registered dynamic DNS name is then used as the primary mail server. To only use the MX record, select no. It is not recommended to use the MX settings offered. If you still choose to use the MX settings, see for detailed information.
• Retry Time [mins] – After this length of time, the update is restarted if the previous attempt failed.
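The User Access ID, User Access Sub-ID and Provider Name fields are joined into one PPP username, with the # and @ separators generated for you, and the link name from step 8 is restricted to Latin letters and digits. The following Python, added here as an illustration and not part of the firewall or this article, composes and splits that username and checks a link name. The sample ID, sub-ID and provider name are constructed placeholders, not values from any provider.

```python
import re

# Only digits and unaccented Latin letters are permitted in an xDSL link name.
LINK_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed sample values; real IDs are assigned by the provider.
SAMPLE_USER_ID = "000123456789012345678901"
SAMPLE_SUB_ID = "0001"
SAMPLE_PROVIDER = "provider.example"


def valid_link_name(name: str) -> bool:
    """True if the name uses only digits and Latin letters (no special characters)."""
    return bool(LINK_NAME_RE.match(name))


def compose_ppp_username(user_id: str, sub_id: str = "", provider: str = "") -> str:
    """Join the three GUI fields into [user_id]#[access_sub_id]@[provider_name].

    The '#' and '@' separators are inserted here, mirroring the GUI behaviour,
    so they are rejected inside the individual fields: a stray '#' typed into
    the user ID would otherwise shift part of it into the sub-ID and the PPP
    login would fail.
    """
    if not user_id:
        raise ValueError("User Access ID is required")
    for label, value in (("User Access ID", user_id),
                         ("User Access Sub-ID", sub_id),
                         ("Provider Name", provider)):
        if "#" in value or "@" in value:
            raise ValueError(f"{label} must not contain '#' or '@' (added automatically)")
    username = user_id
    if sub_id:
        username += "#" + sub_id
    if provider:
        username += "@" + provider
    return username


def split_ppp_username(full: str) -> dict:
    """Inverse operation: split a complete ID as printed by the provider into
    the three field values to enter in the GUI."""
    local_part, _, provider = full.partition("@")
    user_id, _, sub_id = local_part.partition("#")
    return {"user_id": user_id, "sub_id": sub_id, "provider": provider}


if __name__ == "__main__":
    full = compose_ppp_username(SAMPLE_USER_ID, SAMPLE_SUB_ID, SAMPLE_PROVIDER)
    print(full)
    print(split_ppp_username(full))
```

Because the separators are added by the code rather than typed, a provider-supplied ID can be pasted into split_ppp_username and the three resulting parts entered field by field, which avoids the doubled # or @ that the article warns about.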

Routing

For PPP multilink bundles, the routing settings of the primary link are adopted for the bundled link. The routing settings of the other link members are ignored.

Setting

Description

Own Routing Table

(Advanced Configuration Mode) To only insert routes in the main and default tables, select no. To use policy routing, select yes. With policy routing activated, a new table named adslN (where N is the positional index of the section in the list of xDSL sections) is introduced to the main routing table. Routes are only inserted into this table, unless you set Clone Routes to yes. All routes involving the xDSL link will use this policy routing table. If this setting is set to yes, you will only be able to select LCP as the monitoring method.

Use Assigned IP

(Advanced Configuration Mode) To use the IP address dynamically assigned by your Internet provider as the source network for policy routing, select yes. Until the ISP has successfully assigned an address, the rule uses 0.0.0.0 as a source address. You can only enable this setting when Own Routing Table is set to yes.

Source Networks

(Advanced Configuration Mode) In this table, add source networks or single hosts that will point to the adslN policy routing table. Use IP/mask notation. For a single host, enter 32 as its netmask (see link).

Create Default Route

To automatically introduce the default route assigned by the provider, select yes. If the default route will be introduced in an environment where multiple dynamic links are available, you must specify a Route Metric (see below).

Target Networks

(Advanced Configuration Mode) In this table, add target networks that are supposed to be reachable through this link.

Advertise Route

(Advanced Configuration Mode) To advertise this route via dynamic routing protocols when the OSPF/RIP/BGP service is used, select yes.

Trust Level

(Advanced Configuration Mode) Specifies which IP address types are counted by the firewall for traffic on this interface. The interface can be classified as one of the following:

• Unclassified
• Trusted
• DMZ
• Untrusted
• Internal01
• Internal02

Route Metric

The preference number assigned to the routes to the specified target networks. To use your xDSL uplink as a backup connection (provider failover), enter a value larger than 0.

Clone Routes

(Advanced Configuration Mode) If you select yes, all routes will be cloned from the adslN table to the main or default tables (depending on the route target). This setting is useful for setups where application-based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).

GRE with Assigned IP

(Advanced Configuration Mode) To register the assigned IP address for IP protocol 47, select yes.
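To make the interplay of Own Routing Table, Use Assigned IP, Source Networks, Create Default Route, Target Networks, Route Metric and Clone Routes concrete, the following Python, added here as an illustration and not Barracuda's own link-management script, renders the iproute2 commands that these settings correspond to on a standard Linux host. It is a model of the behaviour the descriptions above state, not the product's implementation: it assumes the table name adslN is known to iproute2 (an entry in /etc/iproute2/rt_tables), it only returns the command strings rather than executing them, and the device name, networks and assigned address in the demo are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class RoutingSettings:
    """Subset of the Routing settings of one xDSL link (names follow the GUI)."""
    index: int                                  # N in the adslN table name
    own_routing_table: bool = False             # Own Routing Table
    use_assigned_ip: bool = False               # Use Assigned IP
    source_networks: List[str] = field(default_factory=list)   # Source Networks, IP/mask
    create_default_route: bool = False          # Create Default Route
    target_networks: List[str] = field(default_factory=list)   # Target Networks
    route_metric: int = 0                       # Route Metric
    clone_routes: bool = False                  # Clone Routes


def validate(s: RoutingSettings, other_dynamic_links: int = 0) -> None:
    """Reject the combinations the setting descriptions rule out."""
    if s.use_assigned_ip and not s.own_routing_table:
        raise ValueError("Use Assigned IP requires Own Routing Table = yes")
    if s.create_default_route and other_dynamic_links > 0 and s.route_metric == 0:
        raise ValueError("a Route Metric > 0 is required when several dynamic links "
                         "introduce a default route")
    for net in s.source_networks + s.target_networks:
        ip_network(net, strict=False)   # raises ValueError on malformed IP/mask input


def render_iproute2(s: RoutingSettings, dev: str, assigned_ip: Optional[str],
                    other_dynamic_links: int = 0) -> List[str]:
    """Return the iproute2 commands modelling these settings (strings only, not run)."""
    validate(s, other_dynamic_links)
    cmds: List[str] = []
    table = f"adsl{s.index}" if s.own_routing_table else None

    if table:
        # Policy routing: the listed source networks (and optionally the address
        # the ISP assigned) are steered into the link's own table.
        for net in s.source_networks:
            cmds.append(f"ip rule add from {net} lookup {table}")
        if s.use_assigned_ip:
            # Until the ISP has assigned an address, the rule carries 0.0.0.0.
            src = assigned_ip if assigned_ip else "0.0.0.0"
            cmds.append(f"ip rule add from {src}/32 lookup {table}")

    def route(target: str, tbl: str) -> str:
        return f"ip route add {target} dev {dev} metric {s.route_metric} table {tbl}"

    # Where a route lands: the adslN table when policy routing is on, otherwise
    # main (target networks) or default (the default route). Clone Routes adds
    # the main/default copy alongside the adslN entry.
    targets = [(t, "main") for t in s.target_networks]
    if s.create_default_route:
        targets.append(("default", "default"))
    for target, std_table in targets:
        if table:
            cmds.append(route(target, table))
            if s.clone_routes:
                cmds.append(route(target, std_table))
        else:
            cmds.append(route(target, std_table))
    return cmds


if __name__ == "__main__":
    # Constructed example: a backup uplink (metric 10) with its own table.
    demo = RoutingSettings(index=1, own_routing_table=True, use_assigned_ip=True,
                           source_networks=["10.0.1.0/24"], create_default_route=True,
                           target_networks=["192.0.2.0/24"], route_metric=10,
                           clone_routes=True)
    for cmd in render_iproute2(demo, "ppp0", None, other_dynamic_links=1):
        print(cmd)
```

Reading the rendered commands side by side shows why Clone Routes exists: without it, only traffic matched by an ip rule (the Source Networks, or a firewall rule with an explicit binding) ever reaches the adslN table, so the link cannot also act as a metric-based failover path in the main table.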

Connection Monitoring

Setting

Description

Log Level

If you need verbose log files to troubleshoot any issues, select debug.

Monitoring Method

The monitoring method. The method that you select does not affect monitoring of the gateway IP address. For example, if you select LCP, the gateway IP address is still pinged. You can select one of the following options:

• LCP – If the Internet provider does not allow pings, you must select LCP to probe the dialin daemon directly.
• ICMP – The reachable IP addresses specified in the Reachable IPs table (see below) are probed first. If there is no response, the gateways are probed. ICMP is not available if you set Own Routing Table to yes.
• StrictLCP – No ICMP probing occurs.


Reachable IPs

In this table, add target IP addresses that will be regularly pinged to monitor the availability of the connection. You must enter at least one IP address that is accessible only via the xDSL connection. Each IP address that you enter is pinged every 20 seconds (2 ICMP packets each). If none of the IP addresses respond, the link is deactivated. Then an attempt is made to re-establish the link.

LCP Check Interval

(Advanced Configuration Mode) The time between two successive LCP echo checks.

No. of LCP Checks

(Advanced Configuration Mode) The number of successive failed LCP echo checks before the PPP connection is terminated by the local PPPD.

No. of ICMP Probes

(Advanced Configuration Mode) The number of ICMP echo requests sent to each probing target IP address (maximum value: 9, default: 2).

Waiting Period [s/probe]

(Advanced Configuration Mode) The number of seconds per probe that a reply is waited for.

Check Interval [s]

(Advanced Configuration Mode) The time between link probes.

Failure Standoff [s]

(Advanced Configuration Mode) The delay period before subsequent attempts to establish the link; this delay reduces the number of failed attempts that are logged.
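The connection-monitoring settings above describe a decision procedure: LCP echo failures are counted, Reachable IPs are probed first in ICMP mode with the gateway as fallback, the gateway is pinged regardless of method unless StrictLCP is chosen, and a failed link is re-established only after the Failure Standoff. The following Python, added here as an illustration and not the firewall's own monitor, implements that procedure with the ICMP prober injected as a function, so the logic can be exercised offline against constructed reachability. The default values for No. of LCP Checks and Failure Standoff and all addresses are assumptions for the demo, not values from the product.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A prober sends one ICMP echo request and reports whether it was answered.
# The real firewall sends packets; here the caller injects a function.
Prober = Callable[[str], bool]


@dataclass
class MonitorSettings:
    method: str                        # Monitoring Method: "LCP", "ICMP" or "StrictLCP"
    reachable_ips: List[str]           # Reachable IPs (probed first in ICMP mode)
    gateway_ips: List[str]             # gateway addresses (pinged unless StrictLCP)
    own_routing_table: bool = False    # Own Routing Table (rules out ICMP)
    icmp_probes: int = 2               # No. of ICMP Probes, maximum 9
    lcp_checks: int = 3                # No. of LCP Checks (assumed demo value)
    failure_standoff_s: int = 30       # Failure Standoff [s] (assumed demo value)

    def validate(self) -> None:
        if self.method not in ("LCP", "ICMP", "StrictLCP"):
            raise ValueError(f"unknown monitoring method {self.method!r}")
        if self.method == "ICMP" and self.own_routing_table:
            raise ValueError("ICMP monitoring is not available with Own Routing Table = yes")
        if self.method == "ICMP" and not self.reachable_ips:
            raise ValueError("at least one Reachable IP is required")
        if not 1 <= self.icmp_probes <= 9:
            raise ValueError("No. of ICMP Probes must be between 1 and 9")


class LinkMonitor:
    def __init__(self, settings: MonitorSettings, prober: Prober) -> None:
        settings.validate()
        self.s = settings
        self.prober = prober
        self.lcp_failures = 0
        self.log: List[str] = []

    def _first_responder(self, ips: List[str]) -> Optional[str]:
        """Probe each address up to icmp_probes times; one reply is enough."""
        for ip in ips:
            for attempt in range(1, self.s.icmp_probes + 1):
                if self.prober(ip):
                    self.log.append(f"reply from {ip} on probe {attempt}")
                    return ip
            self.log.append(f"no reply from {ip} after {self.s.icmp_probes} probes")
        return None

    def _reconnect(self, reason: str) -> Dict[str, object]:
        self.log.append(f"link down: {reason}")
        return {"action": "reconnect", "reason": reason,
                "retry_after_s": self.s.failure_standoff_s}

    def check(self, lcp_echo_ok: bool) -> Dict[str, object]:
        """One monitoring cycle (one per Check Interval)."""
        s = self.s
        # LCP echo bookkeeping applies to every method: the local pppd drops the
        # connection after lcp_checks successive failed echoes.
        if lcp_echo_ok:
            self.lcp_failures = 0
        else:
            self.lcp_failures += 1
            if self.lcp_failures >= s.lcp_checks:
                self.lcp_failures = 0
                return self._reconnect(f"{s.lcp_checks} successive LCP echo failures")
        if s.method == "StrictLCP":           # no ICMP probing at all
            return {"action": "keep", "reason": "LCP echo answered"}
        if s.method == "ICMP":
            ip = self._first_responder(s.reachable_ips)
            if ip:
                return {"action": "keep", "reason": f"reachable IP {ip} answered"}
        # LCP mode skips the Reachable IPs but the gateway is pinged either way;
        # ICMP mode falls back to the gateways when no Reachable IP answered.
        ip = self._first_responder(s.gateway_ips)
        if ip:
            return {"action": "keep", "reason": f"gateway {ip} answered"}
        return self._reconnect("no ICMP reply from any probe target")


def make_prober(reachable: set) -> Prober:
    """Constructed reachability: addresses in the set answer every probe."""
    return lambda ip: ip in reachable


if __name__ == "__main__":
    # Constructed demo: the Reachable IP is silent, only the gateway answers.
    settings = MonitorSettings("ICMP", ["198.51.100.10"], ["203.0.113.1"])
    monitor = LinkMonitor(settings, make_prober({"203.0.113.1"}))
    print(monitor.check(lcp_echo_ok=True))
    print("\n".join(monitor.log))
```

The point worth checking in your own setup is the one the Reachable IPs description makes: a probe target that is also reachable through another link answers even when the xDSL link is dead, so the monitor keeps a broken link up. The constructed prober makes it easy to replay such a case before relying on the failover.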
