2018-04-10

FB2900 and Let's Encrypt

Well, the FB2900 is out!

The retail prices are lower than the old FB2700, £500+VAT for base, and £550+VAT for fully loaded with £35+VAT for rack mount kit. We should have the DC powered models available soon.

We have gone for lower prices to encourage more take up in the SME market. It is a bit of a gamble, but this is a really good product - not just a gateway router handling multiple ISPs, but even a VoIP switch / PABX. Perfect for most small businesses and even some large businesses.

The delay, for a week or so, was down to wanting to ensure https was working - this meant a lot of loading Windows VMs and testing on all sorts of different browsers. It needs manual loading of key pair and cert but it works well. I am really impressed with the work of my colleague, Cliff, on this, as the end result is just as fast to use as http. Very impressed.

It is timely as safari, and I am sure others, are now getting quite pushy on sending any form to a site not using https.


But we have said we expect to release more new code soon. The FireBrick s/w has always been free, and we have ensured the older models FB2500, FB2700 and the FB6000 series, all have the update for https now. But the next code issue should make it a lot cooler.

First off, I am planning some simple self signed stuff so you can use https before setting anything up. This is a bit naff, but every other idea we have come up with has flaws, and it is what everyone else does. The key thing is that it stops passive snooping as a threat, but not not proper security.

You need a proper key pair, and certificate, to do https without warnings. The FB2900 have a key pair loaded individually as part of the production process which means we just need a certificate. The FB2500, FB2700 and FB6000 series will need a key pair loading. This is partly because we are not yet confident we can make a "good" key pair. We are very cautious when it comes to security, and this is an area that has gone wrong for others, so we want to be careful. When we are happy we can, we will, but whilst FB2900 has a hardware true random number generator, the older models do not, so it will not really help for non FB2900s.

But even with a key pair loaded, which is not hard, you need a certificate. This is where we plan to do way better than most embedded systems. We plan to use ACME with Let's Encrypt as standard!

So the idea is simple, tell the FireBrick its public hostname (and if not an FB2900 then load a key pair) and it will make a CSR, apply for a certificate from Let's Encrypt and install it and renew it as needed. Proper working https with no warnings and no faffing about renewing things. That's the plan.

The same certificates and keys can then be used for IPsec, obviously.

It is not that easy as it is aimed more at a traditional machine / server, and not an embedded device, but I believe we should be able to do that within a few weeks and have a new s/w release.

In the mean time, do enjoy the new s/w release for the whole range - which will be a formal release shortly after beta testers are done with it.

P.S. (18th April) All going well, and we expect to issue alpha code any day. Test bricks with just adding public host name working on https 4 seconds later. This is "fun" coding!

66 comments:

  1. A bit on the pricey side for me (domestic rather than SME) but I thought I'd take a look at the manuals...

    Both the PDF and HTML links on the Firebrick website are dead.

    http://www.firebrick.co.uk/fbsoftware/2901/V/FB2900/V-2901-FB2900-.pdf
    http://www.firebrick.co.uk/fbsoftware/2901/V/FB2900/V-2901-FB2900--html/toc.html

    Just thought you'd like to know :)

    ReplyDelete
  2. Did you / are you thinking of doing a Firebrick-Lite for use as a pro/serious rackmount ADSL and VDSL router? Perhaps around £250 ? Those Zyxels really aren't robust (either physically or in software terms).

    ReplyDelete
    Replies
    1. Really tricky given what they cost to make, not just one-off but the R&D that goes in behind the scenes. We'll see what we can do over time.

      Delete
    2. Of course - not suggesting you sell at below or too near to the cost price. You must make a profit or you have no business.

      Delete
    3. I bought an FB2700 for home use two years ago. After two failed attempts to wrap my brain around the complex configuration, it now sits on the shelf gathering dust taunting me. I guess I should have sold it over a year ago, its value will have dropped now the FB2900 is out at a lower price.

      Seriously though, a FireBrick to replace the Zyxels has a bigger mountain to climb than price. The config is several orders of magnitude more complicated and works in a completely different way.

      Delete
    4. We have added a "wizard" at the start now, to assist with basics like setting up an Internet connection, etc. We to take on feedback, honest.

      Delete
    5. If I ever get any free time I might try again to the configure the FB2700.

      Delete
    6. Ah, there is a catch 22. My FB2700 has 2 year old software, so I can't use the wizard to configure it to connect to the internet to upgrade it. If I just connect it to my existing home network will it DHCP and connect to the upgrade server?

      Delete
    7. Possibly if you connect port 4, and also, once done follow factory reset process with cables using port 1 and 2. However, I'd wait a few days for the current 1.47.010 release to be promoted from a beta as that is what has the wizard now.

      Delete
    8. If you “just” want Internet connectivity, isn’t there a reasonable chance that it’s simply plug-and-play? Port 4 to the modem, port 1 to your computer, and you’re probably up and running.

      Delete
    9. Not quite. I need at least one more port that is on the same network, and that doesn't seem to happen by default on the FireBrick. I also need an IPv4 NAT port mapping for my server, and some DHCP reservations since the SqueezeBox software gets upset if any of the IP addresses that system uses change. Then I need to change the DNS server in the DHCP response to my local Pi, because I have the DNS cache turned off on my WHS v1 server (because it is crap and doesn't expire things) and I don't want to be doing all DNS lookups direct to the outside world with no cache anywhere. And as far as I could tell the firewall in the FireBrick was off by default until I could work out how to set one up. But apart from that it's a standard internet connection :-)

      When I tried two years ago I was also trying to keep my VPN working, which meant more port mappings and not using 192.168... IP addresses. But Apple broke that in an iOS update so I can probably ditch that requirement.

      Part of my problem was the culture shock of the FireBrick config. I wasn't expecting a huge pile of XML, and the web UI appeared to be unable to set some things. I detest XML, it is an exercise in pointless complexity.

      Delete
    10. All sounds perfectly sensible and not hard to do. Well, it has 4 ports but any arrangement, and the FB2900 has 5. Firewall of LAN is on by default. Firebrick can do IKEv2 IPsec VPN directly now as well. The web UI can set *ALL* things that you can in the XML and that is the config, so you do not have to touch the XML. The web UI also presents all the fields including some help text so making it simpler than XML.

      Delete
    11. There were some things that I could not find in the web UI. Also whenever I asked on IRC or found examples of FireBrick config on the wiki, they always gave the XML. This implied to me editing the XML was the way to go. If wiki pages and IRC had said which web UI screen to use to set something then I might have been able to find it.

      I can see that saving web UI settings to put on a wiki page isn't easy. But saying that all config should be done using the web UI and then having most of the examples given as XML saved config is rather contradictory.

      Delete
    12. >Pepwave Surf SOHO

      Charges for VPN licenses, only does 120mbit, and I can't even find a retail price anywhere. Not to mention I don't see a single reference to IPv6 *anywhere* on their site.

      I don't see how this is a good product choice for a comparison!

      Delete
    13. Except the web UI follows the XML structure and uses all the same attribute names, being as it is just a “friendly” way to edit the XML

      Delete
    14. Oh, cool, that all looks readily do-able. I'm sure support can offer far better advice than some bloke on the Internet but, in case you're hoping to give it a go this weekend, this might help:

      > I need at least one more port that is on the same network, and that doesn't seem to happen by default on the FireBrick.

      Not something I've tried myself, but look at the "port grouping" setting under "interfaces". If you wanted ports 1 and 2 to be on the same network (as opposed to plugging a switch into port 1), I think you'd just set up a port group containing ports 1 and 2.

      Then, either select one of the existing interfaces or create a new one, and set the "port" setting to your new port group.

      > I also need an IPv4 NAT port mapping for my server

      Okay — this caused me a bit of a headache at first. How I've done it is this:

      I created a new firewall rule, at the bottom of the list. Because it's at the bottom, I've set the no-match-action to "drop".

      The rule-set name is "Mappings" (just for ease of reference), and I've set the target-ip to my chosen WAN IP.

      In that rule-set, create your mapping rules. For example, if you want port 80 TCP traffic to go to 192.168.1.3, set your "target-port" to 80, "protocol" to 6, and — here's the mapping bit — set "set-target-ip" to 192.168.1.3.

      Rinse and repeat for each new rule you want.

      So, in essence, the rule set applies where the destination of the traffic is your WAN IP (or, if you've got more than one, whichever one you want), and then a specific rule within that rule set which says that, where traffic is destined for port 80 ("target-port"), the rule should change the destination of that traffic ("set-target-ip") to the RFC1918 address.

      Under "Diagnostics", there's a firewall rule checker, which also includes your mapping rules. So, when you've set it up, use this as the first step to validating it — put in an external (source) IP (e.g. 8.8.8.8), give it your intended port, traffic type and destination IP, and see what it tells you about the routing.

      Delete
    15. > and some DHCP reservations

      There are a couple of ways of doing this.

      You can either use Status / DHCP / select your interface, and then "lock" particular MAC addresses to particular IPs. This is easy, but they don't (AFAIK) form part of the config, and so don't get backed up.

      Alternatively, you can set them yourself in the config. In the GUI, it's Interfaces / edit your interface / DHCP server settings, then add whatever you want.


      > I need to change the DNS server in the DHCP response to my local Pi

      I haven't tried this, as I'm using the FireBrick for primary caching, which then points to our DNS server.

      If you'd be happy having the clients first querying the FireBrick, and then the FireBrick going upstream to your Pi, in the GUI, you'd want
      System / General system services / DNS service settings, and pop your PI's IP address(s) into "resolvers".

      If you actually want DHCP to push it, so you don't use the brick's resolver at all, have a look under Interfaces / edit your interface / DHCP server settings. I suspect — not tried it — that it's the "domain" field.


      > as far as I could tell the firewall in the FireBrick was off by default until I could work out how to set one up


      AFAIK, it's got a default deny or drop rule to LAN, so you're not exposed immediately.


      > I was also trying to keep my VPN working, which meant more port mappings and not using 192.168... IP addresses. But Apple broke that in an iOS update so I can probably ditch that requirement.


      I use the FB as an IPSec server, and have my iPhone connected to it via an "on-demand" profile. Whenever I'm not connected to a trusted network, it auto-dials the brick and routes the traffic through there.

      It's not the most trivial thing to set up, and EAP authentication is much easier (but then can't be used "on-demand" on iOS), so it depends on your needs. But the instructions on the wiki are pretty good, and support has more detailed instructions on the "on-demand" side of things if you need them.

      Delete
    16. If the FireBrick runs a decent caching DNS server I'm happy to ditch the Pi. All it runs is dnsmasq as a DNS cache since the one in the Zyxels caches only a tiny number of entries and anyway I don't entirely trust the Zyxels.

      I note for some of these items you say they weren't easy to figure out how to do. I will give the Zyxels this: it was trivial to set all of my requirements up. They really know how to tailor the config to a home user. It's a shame they need power cycling about once a month to keep working as a router. I expect networking uptimes about like I get from my Apple Airport Extreme which runs my wifi, it only gets power cycled on power cuts.

      Delete
    17. I'm more than happy with the FireBrick's DNS. I use it for ad blocking at network level, and it works very well. (Either use the block function, or else resolve to 127.0.0.1/::1)

      I resolve upstream using my own bind server, for privacy reasons, but no particular need for that.

      For NAT, once I understood the syntax, it was easy — I'd send you an XML snippet, which you can easily modify, but I doubt you want that :)

      VPN was straightforward with EAP authentication (username and password), but I wanted certificate authentication, and that required me to learn more an openssl.

      I'm just another user, like yourself, but, if you want to drop me a line if/when you try to set it up rather than go to support, that's absolutely fine!

      Delete
  3. Well done on the release - it's always nerve-racking when releasing a new product like this.

    Just as a word of advice, be aware that the FB2900 is priced very similarly to the pfSense SG-4860, a full x86 PC with 4-core Atom C2550, 8GB, and 6x Intel GbE NICs made by ADI Engineering

    http://www.adiengineering.com/products/ https://shop.amicatech.co.uk/hardware/pfsense.html

    ReplyDelete
  4. LetsEncrypt is far too fragile for my liking. Last thing I want is their dodgy update system locking me out of (or letting anyone in to) my hardware

    ReplyDelete
    Replies
    1. Well it is optional, you can just load your own key and cert, and also the use of ACME will default to Let’s Encrypt but could use any CA via ACME. That said I was not aware Let’s Encrypt was an issue.

      Delete
    2. It isn't.. And 'locked out' seems like a sight exaggeration.

      Delete
    3. Unless you've foolishly put you FB on a HSTs preloaded domain, you can get locked out even if the cert is bad, you'll always get the warning to override it.
      That said, I understand having concerns about systems, even though I've had no issues with LE myself

      Delete
    4. We've had problems with contractors using LetsEncrypt without telling us & configuring it badly.. 3 months later, the site goes down.

      As a result we're not allowed to use LetsEncrypt even for testing any more.

      Delete
    5. Hardly sounds like a Let's Encrypt issue to be honest.

      Delete
    6. We've been using LetsEncrypt for customer appliances since the whole StartSSL fiasco. Never had a problem.

      Delete
    7. Does the FB send any warning if it fails to renew the cert? I'd assume you're using the reasonably standard practice of renewing after 60 days - if it warns on day 60 that's a decent 30 day window to fix it :)

      Delete
    8. We’re still coding the ACME stuff, but yes, that is the plan.

      Delete
  5. Congratulations, a nice piece of hardware.

    Do you have any plans to support any form of flow export (i.e. Netflow/sflow/IPFIX?) and/or port mirroring?

    ReplyDelete
  6. Can you point to a specific VDSL2 SFP that’s confirmed to work well? Any plans to resell them?

    Very tempted to replace my Fritz!Box 7490. I like the Fritz, but want a little more flexibility.

    ReplyDelete
    Replies
    1. Any chance that A&A/Firebrick could re-sell the SFP modules? Can't see a way of purchasing as a private individual

      Delete
    2. At some point, maybe, but I am not sure we have a sensible supply sorted yet, sorry.

      Delete
  7. Replies
    1. It sure is, Rob, it sure is. What feature do you like the most?

      Delete
  8. These little gizmos look very impressive. As a former user of a BT Business Hub, I now certainly appreciate the difference that a quality router makes!

    ReplyDelete
  9. I've ordered one yesterday evening with rackmount kit. I can't wait to use it (first time on a Firebrick), assuming there's plenty of stock that is and no backorder :).

    ReplyDelete
    Replies
    1. Dear Ixel, maybe you could do an "unboxing" review so that we can share the excitement with you. It would be lovely to hear a little review from you and details of how you get on with it, what your favourite features are, how it has helped you do your job and so on.

      Delete
    2. Wonderful!

      Sure, I'll do a written review with some photos as soon as I've some time to try it out and such. It will be replacing my EdgeRouter, the primary reason is for proper bonding functionality on the upstream.

      Delete
    3. Anonymous, here's a short review of the FB2900 and some pictures: http://forum.kitz.co.uk/index.php/topic,21359.0.html

      Delete
    4. Thank you very much! I really enjoyed reading that. You are a great writer!

      Delete
  10. I have upstream working with this:
    https://mikrotik.com/product/RB750r2
    £40

    ReplyDelete
    Replies
    1. Please confirm what you mean by upstream.

      I'm always on the lookup for something like this that I can put a stock Fedora or Debian on to replace the sheevaplug and beaglebone black I've been using.

      Delete
    2. I think he means he can upload??

      Delete
    3. Not quite in the same league, but I replaced my Sheevaplug with an MSI Cubi N a while ago - very nice device, pretty powerful, low power requirements and fanless.

      Delete
  11. Not sure if I'm reading the manual right (or even the right manual) but does this really top out at 750Mbps?

    Nice there's no fans & I'd almost buy it for that alone but its very expensive for a max of 750Mbps.

    Swings & roundabouts I guess.

    ReplyDelete
    Replies
    1. We have seen faster, which is odd, and the tests we did suggested 750. So not 100% sure to be honest. The hardware can do 1Gb/s so it is possible that s/w changes in future may help matters, it is something we are looking in to anyway, but it is pretty efficient as it is now.

      Delete
    2. The only reason I ask is its 500-600 quid on a (typical) 3 year depreciation cycle - so £200 a year give or take.

      I appreciate that its likely to last longer and also that proper fibre connections are rare as rocking horse shit but its still a hard sell if I/you have to tell the business it only does three quarters of a future "fibre connection". Management thinks in chunks so I mean 1Gbps symmetric, we all know that's not "fibre" but 1Gbps is what's getting punted to them by various suppliers on industrial estates.

      Don't get me wrong, its a big step up from the previous model and anything I know of that does 750Gbps sustained* uses fans - which I hate for SME stuff.

      *by this I mean has some firewall rules/vlans/etc, not something set to plain NAT to skew the figures :)

      Delete
    3. 750Mbps of course. 750Gbps - if only :D

      Delete
    4. One day I am sure :-) We are working on the FB9000 which we hope to have a few 10G ports on.

      Delete
    5. So it's about twice as fast as the FB2700 then, since that can do about 350mbps on its gigabit ports.

      Delete
    6. Like I said I like it but there really has to be a scenario/setup that can demonstrate to management that it will do 1Gbps.

      I know & you know its largely meaningless but its management we're dealing with & if they're paying for a GigE link someone climbing the greasy pole will point out the router can't do 1Gbps.

      Bit of presentation for the pointy-haired bosses really but I'd recommend a preset profile that does 1Gbps just for marketing/management (same thing in IT terms).

      Can't be that hard - have a play around at home instead of trying to get iStuff to work ;)

      Delete
    7. Would it be possible just to put a slightly faster processor in it? Sort of like an i5 instead of an i3 type approach? Also, anyone paying for a 1Gbps line can surely afford a little extra for the one-off spend on their Router?

      Delete
  12. Do you enable HSTS on your firebricks? We do on our appliances, but I've started to debate whether that's going to come back and bite us in the backside at some point...

    ReplyDelete
    Replies
    1. It is a header we could add as an option for customers to select. I think we'll leave that for a bit as we expect a new release soon with more https work (we can get an "A" in ssllabs tests now). Maybe once the ACME code is all in place.

      Delete
  13. Does it have a unilateral phase detractor?

    Also I wonder if it would benefit from a panometric fan?

    Hehe

    https://youtu.be/RXJKdh1KZ0w

    ReplyDelete
  14. I was considering purchasing a FireBrick but spotted that it is apparently developed, marketed and supported by a dormant UK company #04932284 (https://beta.companieshouse.gov.uk/company/04932284/filing-history).

    Is this a mistake?

    Jim

    ReplyDelete
    Replies
    1. It does explain on the site that the FireBrick product is made by Andrews & Arnold Ltd and Watchfront Ltd. FireBrick Ltd just holds the rights.

      Delete
    2. Thank you for explaining.

      Jim

      Delete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Fencing

Bit of fun... We usually put up some Christmas lights on the house - some fairy lights on the metal fencing at the front, but a pain as mean...