Legacy product: The WF1740 described here is an old product and no longer supplied. Please see details of current FireBrick products.
FireBrick 105

Subnets

The FireBrick can operate like any conventional network device with an IP address and netmask. However, the FireBrick can have multiple addresses and be on multiple networks at the same time, even on the same physical network. Each subnet entry defines one such network address together with its DHCP and other settings.

Name
This allows the subnet to be given a name; by default it uses the name of the interface. The choice of name is important when used with the DHCP restrict feature (see the Technical Reference below).
Security
This sets the security level and controls who can view or edit this subnet
Profile
The subnet can be subject to a profile, so that the subnet is only active for part of the time.
Interface
This defines on what interface the subnet operates
IP address
This specifies the IP address of the FireBrick on this subnet. As such it cannot be the network address or the broadcast address of the subnet.
Subnet Mask
This defines the subnet mask applicable.
DHCP Client
If selected then this subnet is a DHCP client, and most settings will be overridden when the FireBrick obtains an address by DHCP. To make a subnet a DHCP client you do not need to fill in the IP address, netmask or any other details.
Stealth
Set this if there is a subnet on the other side of the FireBrick with the same IP range and traffic is to pass through transparently (stealth mode).
NAT
Set this if this is a subnet using a private address range and network address translation is to be used.
VLAN ID
For advanced use
Allocation IP range
To make the subnet act as a DHCP server, an address or range of addresses can be specified. This sets the range of addresses that can be allocated.
DNS servers
As a DHCP server, you can specify the DNS servers to issue to clients. Leave blank for the FireBrick to issue its own address and act as a DNS relay. As a DHCP client, this shows the DNS servers the FireBrick received.
Gateway
This is the gateway applicable for any traffic routed to this subnet.
As a DHCP client, this is filled in automatically.
As a DHCP server, this is given out as the gateway, or if blank then the FireBrick's own IP address is given out instead.
BOOTP server IP
For advanced use
BOOTP filename
For advanced use
Exclude gateway
Setting this means the FireBrick does not issue a gateway address as a DHCP server, and does not accept one as a client.
Exclude Time server
Setting this means the FireBrick does not issue a time server address as a DHCP server, and does not accept one as a client.
Exclude Syslog server
Setting this means the FireBrick does not issue a syslog server address as a DHCP server, and does not accept one as a client.
Exclude DNS server
Setting this means the FireBrick does not issue a DNS server address as a DHCP server, and does not accept one as a client.
Exclude Domain
Setting this means the FireBrick does not issue a Domain name as a DHCP server, and does not accept one as a client.
Backup DHCP
Setting this means the FireBrick will not answer the first request from any DHCP client, allowing another server to answer normally and making the FireBrick a fallback server that only responds when the primary server does not.
Don't check
For advanced use
DHCP restrict
For advanced use
DHCP Mirror
For advanced use

Technical Reference

DHCP restrict

The DHCP restrict mode allows the DHCP server to give different ranges of addresses to different machines on the network based on the name or MAC address of those machines. The addresses could be on different subnets completely, or you could have multiple subnet entries with the same IP address and netmask, each with a specific range to allocate on that subnet.

If a machine wanting an address quotes a name or MAC address which starts with the restrict prefix of any subnet, then it can only have addresses from such subnets. If its name or MAC address does not start with the restrict prefix of any subnet, then it cannot use any subnet that has a restrict prefix set, but can use any others that are unrestricted (restrict prefix is blank).

This is all within the restriction of subnets that are DHCP servers on the same interface (and same VLAN if using VLAN subnets). If you have VLAN subnets then that would normally be a better way to manage allocations than using DHCP restrict.

The matching with the restrict prefix requires that the name quoted when requesting an address, or the full hex MAC address (no spaces or colons), starts with the prefix specified.

Note that both the quoted name and the MAC address are supplied by the client and are trivially changed, so DHCP restrict is an address-management convenience, not an access control. Where the separation of traffic matters, enforce it with filtering rules or VLAN subnets rather than relying on which address range a machine was allocated.
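The eligibility rules above, as an added worked example (this is not FireBrick code, and the field names are assumptions modelled on this page). It assumes each subnet entry carries a `restrict_prefix` string that is empty when unrestricted, and that prefix matching is case-insensitive; the sample subnets are constructed for the example. It goes slightly beyond the text by also allocating a concrete address from the chosen subnet, skipping the network, broadcast and FireBrick addresses as the IP address field requires.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Subnet:
    """One subnet entry, limited to the fields DHCP restrict cares about (assumed names)."""
    name: str
    interface: str
    ip: str            # the FireBrick's own address on this subnet
    mask: str
    alloc_start: str   # Allocation IP range, first address
    alloc_end: str     # Allocation IP range, last address
    vlan: int = 0      # VLAN ID, 0 = untagged
    dhcp_server: bool = True
    restrict_prefix: str = ""   # "" = unrestricted (assumed: the subnet name when DHCP restrict is set)


def normalise_mac(mac: str) -> str:
    """Full hex MAC with no spaces, colons or dashes, lower case, as the manual describes."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def prefix_matches(subnet: Subnet, hostname: str, mac: str) -> bool:
    """True if the client's quoted name or its hex MAC starts with the subnet's restrict prefix."""
    p = subnet.restrict_prefix.lower()
    if not p:
        return False
    return hostname.lower().startswith(p) or normalise_mac(mac).startswith(p)


def eligible_subnets(subnets, interface, vlan, hostname, mac):
    """Subnets this client may be allocated from, following the DHCP restrict rules."""
    # Only DHCP-server subnets on the same interface and VLAN are ever candidates.
    pool = [s for s in subnets if s.dhcp_server and s.interface == interface and s.vlan == vlan]
    matched = [s for s in pool if prefix_matches(s, hostname, mac)]
    if matched:
        # The client matches a restricted subnet: it may only use restricted subnets it matches.
        return matched
    # No match: the client may only use subnets with no restrict prefix.
    return [s for s in pool if not s.restrict_prefix]


def allocate(subnets, interface, vlan, hostname, mac, in_use):
    """Hand out the first free address from the first eligible subnet; None if all are exhausted."""
    for s in eligible_subnets(subnets, interface, vlan, hostname, mac):
        net = ipaddress.ip_network(f"{s.ip}/{s.mask}", strict=False)
        own = ipaddress.ip_address(s.ip)
        lo, hi = ipaddress.ip_address(s.alloc_start), ipaddress.ip_address(s.alloc_end)
        for n in range(int(lo), int(hi) + 1):
            a = ipaddress.ip_address(n)
            # Never hand out the network, broadcast or the FireBrick's own address.
            if a not in net or a in (net.network_address, net.broadcast_address, own):
                continue
            if str(a) not in in_use:
                return s.name, str(a)
    return None


def names(subnets):
    return [s.name for s in subnets]


# Constructed sample configuration: three entries share 192.168.1.0/24 on interface "lan",
# each with its own allocation range; "guest" is a separate VLAN subnet on the same interface.
SUBNETS = [
    Subnet("lan",      "lan", "192.168.1.1",  "255.255.255.0", "192.168.1.100", "192.168.1.199"),
    Subnet("printers", "lan", "192.168.1.1",  "255.255.255.0", "192.168.1.20",  "192.168.1.29",  restrict_prefix="prn"),
    Subnet("byod",     "lan", "192.168.1.1",  "255.255.255.0", "192.168.1.200", "192.168.1.209", restrict_prefix="001a2b"),
    Subnet("guest",    "lan", "192.168.10.1", "255.255.255.0", "192.168.10.50", "192.168.10.99", vlan=10),
]

if __name__ == "__main__":
    print(allocate(SUBNETS, "lan", 0, "prn-lobby", "00:11:22:33:44:55", {"192.168.1.20"}))
    print(allocate(SUBNETS, "lan", 0, "laptop", "00:11:22:33:44:55", set()))
    print(allocate(SUBNETS, "lan", 0, "anything", "00:1A:2B:aa:bb:cc", set()))
    print(names(eligible_subnets(SUBNETS, "lan", 10, "prn-lobby", "00:11:22:33:44:55")))
```

A client calling itself "prn-lobby" is confined to the "printers" range even though "lan" covers the same /24, while a client whose MAC starts with 00:1a:2b lands in "byod" regardless of its name; a client matching nothing is confined to "lan". The VLAN 10 client only ever sees "guest", which is why VLAN subnets are the better separation tool: the confinement there comes from the switch port, not from a client-chosen name.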

DHCP mirror

The DHCP mirror feature is specifically designed for cable modem situations where a single IP is available on the WAN using DHCP, but multiple machines may be required on the LAN using private addresses and NAT. In such cases it is often useful to have at least one machine on the LAN have the external IP address and not use NAT. This is simple enough except for the fact that the external address may change.

Typical use means that you set a WAN subnet as a DHCP client, have a LAN subnet using private addresses as a DHCP server, and also have a second LAN subnet set with DHCP mirror of the WAN subnet. This second LAN subnet is typically set to use DHCP restrict so that it only applies to one machine matching the subnet name (the machine that is to use the external address).

When the WAN gets an IP address by DHCP, the mirroring LAN subnet is changed so that the FireBrick takes the external gateway address on the LAN side, and it allocates only one DHCP address, which is the one received on the WAN. An address mapping entry can then be used to map traffic for the FireBrick on its WAN to the LAN, hence passing the external traffic through (still subject to filtering).

When the WAN address changes, the mirroring LAN subnet changes with it. The lease expiry on the mirroring LAN subnet is set to be 10 seconds after the WAN lease expiry, so that the LAN machine renews just after the FireBrick has and the change of IP address on the LAN side is smooth.

VLAN subnets

VLAN subnets allow the FireBrick to operate with an external VLAN-tagging network switch. Any traffic sent to a subnet with a VLAN ID will be tagged with that VLAN ID, and this can be used on the switch to direct the traffic to specific ports. This allows groups of physical switch ports to be assigned to different subnets.

This is particularly useful with DHCP as it allows different ports to get different address ranges. Routing can also be used to direct traffic to specific VLAN subnets.

Using VLANs on a network switch also means that groups of ports can be isolated from each other, forcing any traffic between them through the FireBrick and hence subjecting it to the filtering rules.

Note that filtering rules apply based on the actual interface, not the VLAN, so two VLAN subnets on the same interface are not told apart by interface alone; the rules can, however, specify IP ranges or groups to control traffic between specific groups of ports.

If the VLAN subnets feature is not available, all VLAN tags are dropped and ignored by the FireBrick, even in stealth mode.