My first weekend with a FireBrick FB2900

Work carried out

In the course of the weekend, I've configured it to do the following:

• PPPoE connection over VDSL with v4 and v6. 2x routed v4 blocks and routed v6, as well as NAT'd v4 connectivity
• Multiple internal VLANs with different stateful firewalling configuration - both between VLANs and to/from the internet
• Automatic fallback connection via 4G USB dongle when the PPPoE fails using profiles - this took me about an hour minutes to get working. Far easier than any other kit I've ever tried for this. I've since improved this further by setting up the 4G connection as a separate routing table and then using l2tp over that to provide full v4 and v6 connectivity on my normal IPs rather than just NAT'ing to one v4 address
• Three IPSec tunnels - two with Mikrotik hardware (both v4 and v6 carried) and one with StrongSwan (v4 only)
• A wide variety of ICMP and interface graphing to monitor connection quality and identify sources of disproportionate bandwidth usage
• Graph archiving to a web server so that historical data is easily viewed - this is all documented in the manual with examples!
• Multiple routing tables to allow the firebrick to also provide ICMP graphs for a second (mostly separate) connection
• Static routes to direct traffic more efficiently between mostly separate private networks between separate internet connectivity
  

Positive feedback:

• performance is exactly as advertised - I performed some iperf3 tests between VLANs routed by the FireBrick, and with minimal firewalling I was attaining ~720mbit/s.
• reboot times are crazy fast. From hitting the reboot button to a re-established PPP session and internet connectivity is as little as 5 seconds. This makes reboots for testing a lot less annoying.
• I have found the configuration editor quick and easy to pick up, but also exceptionally configurable - you can do seemingly everything both via the UI and via XML.
• The manual is clear, but perhaps a little terse.
• it is exceptionally nice to not have to specify separate rules for v4 vs v6 configuration - firewalling, routing and interface configuration has both addresses in the same place, with both v4 and v6 given equal weighting and functionality.
• it's also very nice that named IP groups can be used as drop-in replacements for IP addresses almost everywhere in the configuration. This makes configuration much easier to follow logically - I don't have to remember the significance of 1.2.3.4/27 and 2001:db8::/64 - I can instead name them and use this virtually everywhere.
• the flow-chart visualisation in the firewall editor makes longer firewall chains trivial to understand.
• FireBrick CQM graphs are easy to configure, easy to read, easy to scrape for archival, and it's great to be able to configure arbitrary ICMP graphs, as well as having these working for tunnel protocols like l2tp and ipsec.

Overall

I've found it very easy to make the jump from other networking kit - I've used in the past a variety - pfSense, Mikrotik, Ubiquiti, and Cisco - as well as plain Linux and BSD-based routers. Networking concepts are identical, and the FireBrick's configuration maps well onto my understanding of Ethernet, IP & various other protocols. The Web UI was easy to pick up and within half an hour of opening the box I had a basic PPP setup with simple firewalling, NAT, and working v4 and v6 routing.

Comparisons to other vendors:

• Compared to other vendors the web UI is far less restrictive and is *actually feature complete*. This can't be overstated as a benefit as it makes features much easier to discover.
• The ease of configuring failover can't be overstated - it is massively easier than any other router I have tried. The profiles functionality makes this absolutely a piece of cake, plus it means you can do things like block unnecessary high-traffic services when you fail over to avoid it costing you a fortune.