Use the DrawBridgeOS Terminal

Applicable only to DrawBridgeOS systems. See the Platform information on your local DrawBridge System Overview page.
(Note: the System Overview link will only work on the LAN of a DrawBridge-protected network.)

About the DrawBridgeOS Terminal

Location in the DrawBridgeOS web portal: System / Configuration / DrawBridge Terminal.

This terminal gives system administrators the ability to perform the common network configuration tasks listed below.

Note: This configuration terminal is considered an "interim solution" until a more graphical configuration interface is designed for these networking components.

About Mode & Endpoint

Mode options
  • Command Builder Mode: an easier "hold-your-hand" experience: to run a command, you must first select the Section and Node you wish to act on.
  • Advanced Command Mode: a free-text entry field designed for power-users who are familiar with the required command syntax.

Endpoint options

"Endpoints" define the context for a command. Here are the four endpoint options, with additional information or example scenarios:

  • configure - Used to set or delete particular configuration details
  • generate - Generally used for PKI and VPN functions
  • reset - Generally used for cache-clearing operations
  • show - Used to display current configuration and service information

See the next section, Network Configuration Tasks, below, for additional information.

Network Configuration Tasks

Show current configuration: show config

This is generally your first step, since it shows the actual current configuration of the DrawBridge:

  • Command Builder Mode:
    • not available
  • Advanced Command Mode:
    1. Endpoint: show
    2. Command: config
    3. Click the Run button
    4. Review the output (in the area below the command entry) as needed.

Ethernet interface addressing (IPv4)

You may wish to review the output of show config (above) first.

You'll need to know the interface name (e.g. eth3) that you wish to configure.

Set a new static IP address
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: set

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> address <address-w-netmask>

      • For example: eth3 address 10.22.6.1/24
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: set interfaces ethernet <interface> address <address-w-netmask>

      • For example: set interfaces ethernet eth3 address 10.22.6.1/24
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Configuring a WAN/internet interface? You'll need to configure a Static Route for "all networks" 0.0.0.0/0 -- see Configure Static Routing, below.

Configuring a LAN interface? Several things may need to be updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete an existing static IP address
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> address <address-w-netmask>

      • For example: eth3 address 10.22.6.1/24

    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete interfaces ethernet <interface> address <address-w-netmask>

      • For example: delete interfaces ethernet eth3 address 10.22.6.1/24
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Removing a static IP address on a WAN interface? You may need to remove your "all networks" 0.0.0.0/0 Static Route. See Configure Static Routing, below.

Set an Ethernet interface to use DHCP-assigned addressing (DHCP client)
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: set

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> address dhcp

      • For example: eth3 address dhcp
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: set interfaces ethernet <interface> address dhcp

      • For example: set interfaces ethernet eth3 address dhcp
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Delete an Ethernet interface DHCP-assigned addressing configuration (DHCP Client)
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> address dhcp

      • For example: eth3 address dhcp
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete interfaces ethernet <interface> address dhcp

      • For example: delete interfaces ethernet eth3 address dhcp
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

vLAN interfaces and addressing

You may wish to review the output of show config (above) first.

You'll need to know the physical interface name (e.g. eth6) on which you wish to put your vLAN interface.

Create a new vLAN interface and/or set an address (static or DHCP-client)
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: set

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> vif <vLAN ID> address <address-w-netmask--or-dhcp>

      • For example: eth6 vif 223 address 192.168.99.1/24
      • Or, for a DHCP client example: eth6 vif 223 address dhcp
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: set interfaces ethernet <interface> vif <vLAN ID> address <address-w-netmask--or-dhcp>

      • For example: set interfaces ethernet eth6 vif 223 address 192.168.99.1/24
      • Or, to configure the interface to be a dhcp client: set interfaces ethernet eth6 vif 223 address dhcp
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Configuring a WAN/internet interface? You'll need to configure a Static Route for "all networks" 0.0.0.0/0 -- see Configure Static Routing, below.

Configuring a LAN interface? Several things may need to be configured/updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete a vLAN interface address or dhcp-client configuration
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> vif <vLAN ID> address <address-w-netmask--or-dhcp>

      • For example: eth6 vif 223 address 192.168.99.1/24
      • Or, removing a dhcp-client configuration: eth6 vif 223 address dhcp
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete interfaces ethernet <interface> vif <vLAN ID> address <address-w-netmask--or-dhcp>

      • For example: delete interfaces ethernet eth6 vif 223 address 192.168.99.1/24
      • Or, for a dhcp-client example: delete interfaces ethernet eth6 vif 223 address dhcp
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Configuring a LAN interface? Several things may need to be configured/updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete an existing vLAN interface
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: interfaces

    4. Node: ethernet

    5. Command: <interface> vif <vLAN ID>

      • For example: eth6 vif 223

    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete interfaces ethernet <interface> vif <vLAN ID>

      • For example: delete interfaces ethernet eth6 vif 223
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Removing a vLAN interface altogether? Be sure to remove any zone-relationships. For example: delete firewall zone eastwoodtc interface eth6.223

Static Routing

Static Routes tell DrawBridgeOS where to go to find networks. This is most commonly used/needed when you've configured a static IP address on your WAN interface (vs using DHCP, which handles the routes automatically).

Note: when configuring a route to an upstream internet gateway (such as your modem), you'll use 0.0.0.0/0 to indicate "all networks". This is what the examples below are showing, with the "modem" address being 192.168.3.1.

For other scenarios, for example making a new remote subnet (eg. 10.44.44.0/24) accessible over a VPN link (perhaps via router 192.168.22.2) -- you'd specify that (10.44.44.0/24), rather than the "all networks" 0.. mentioned above, and the ...22.2 router as your next-hop.

You may wish to review the output of show config (above) first.

Set a new static route
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: set

    3. Section: protocols

    4. Node: static

    5. Command: <network-w-netmask> next-hop <ip-address>

      • For example: 0.0.0.0/0 next-hop 192.168.3.1
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: set protocols static route <network-w-netmask> next-hop <ip-address>

      • For example: set protocols static route 0.0.0.0/0 next-hop 192.168.3.1
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Delete an existing static route
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: protocols

    4. Node: static

    5. Command: <network-w-netmask> next-hop <ip-address>

      • For example: 0.0.0.0/0 next-hop 192.168.3.1
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete protocols static route <network-w-netmask> next-hop <ip-address>

      • For example: delete protocols static route 0.0.0.0/0 next-hop 192.168.3.1
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Network Address Translation

Network Address Translation (NAT) is best-known for its role enabling your entire LAN to use one (or more) public IPv4 address(es) assigned to you by your internet service provider. On the technical side, though, there are two types of NAT:

  • Source NAT -- modifies packet SOURCE headers (address and/or port)
  • Destination NAT -- modifies packet DESTINATION headers (address and/or port)

By default, the DrawBridge performs a Source-NAT Masquerade to the WAN interface address for egress IPv4 traffic. If you have multiple public IP addresses from your ISP, however, it's likely that you'll want to add one or more rules to ensure the services you're hosting are using the proper address for egress traffic.

Looking for the instructions on how to forward a port to a server on your network? You'll need a Destination NAT rule.

Create a new NAT rule

Unfortunately, the creation of new NAT rules is not supported with this Terminal interface. However, existing rules can be modified. Contact support@compassfoundation.io with the configuration needed for your situation.

Modify an existing rule

Get your current configuration with the show config command in Advanced Command Mode.

  1. Locate the existing rule that you wish to change. For example:
        rule 220 {
            description eastwoodtc-webserver
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.2.5
            }
        }
  2. Determine which components you need to change for your requirements. For this example, we'll change the destination ports from just 443 to 80,443.
    • Command Builder Mode:
      1. Endpoint: configure

      2. Operation: set

      3. Section: nat

      4. Node: destination

      5. Command: rule <rule-number> destination port <new-port(s)>

        • For example: rule 220 destination port 80,443
      6. Click the Commit and Test button. You should receive a Success! message in the output area below.

      7. When finished making changes, click the Save Config File button to write the changes to disk.

        (Changes will not survive a reboot if they aren't saved!)

  3. Run show config again. You should now see the updated value in the rule:
      rule 220 {
          description eastwoodtc-webserver
          destination {
              port 80,443
          }
          inbound-interface eth0
          protocol tcp
          translation {
              address 192.168.2.5
          }
      }

  4. You're all set! Note that the Advanced Command Mode can also be used to achieve the same outcome:
    • Advanced Command Mode:
      1. Endpoint: configure
      2. Command: set nat destination rule <rule-number> destination port <new-port(s)>
        • For example: set nat destination rule 220 destination port 80,443
      3. Click the Commit and Test button. You should receive a Success! message in the output area below.
      4. When finished making changes, click the Save Config File button to write the changes to disk.

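
One way to confirm what a NAT change actually exposed, as an added example (not DrawBridge code): this Python script parses destination NAT rule blocks in the form shown in the show config output above, compares a capture taken before the change with one taken after, and lists each forwarded port that was added, removed or retargeted. The sample captures are the rule 220 blocks from this page; the function names are illustrative, and the input is assumed to be only the destination NAT rule blocks copied out of the full output.

```python
"""Diff two captures of destination NAT rule blocks and list exposure changes."""

# Sample input: the "rule 220" block from this page, before and after the change.
BEFORE = """
rule 220 {
    description eastwoodtc-webserver
    destination {
        port 443
    }
    inbound-interface eth0
    protocol tcp
    translation {
        address 192.168.2.5
    }
}
"""
AFTER = BEFORE.replace("port 443", "port 80,443")


def parse_config(text):
    """Parse brace-delimited config text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):          # "name {" opens a nested section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":               # closes the innermost section
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:                           # "key value" leaf
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def forwards(cfg):
    """Map (rule number, protocol, port) -> (inbound interface, translated address)."""
    found = {}
    for name, body in cfg.items():
        if not (name.startswith("rule ") and isinstance(body, dict)):
            continue
        ports = body.get("destination", {}).get("port", "any")
        target = (body.get("inbound-interface", "any"),
                  body.get("translation", {}).get("address", "?"))
        for port in ports.split(","):   # comma-separated list, as in "80,443"
            key = (name.split()[1], body.get("protocol", "all"), port.strip())
            found[key] = target
    return found


def exposure_diff(before_text, after_text):
    """Return one line per forwarded port that was added, removed or retargeted."""
    old = forwards(parse_config(before_text))
    new = forwards(parse_config(after_text))
    lines = []
    for key in sorted(set(old) | set(new)):
        rule, proto, port = key
        if key not in old:
            iface, addr = new[key]
            lines.append(f"ADDED rule {rule}: {iface} {proto}/{port} -> {addr}")
        elif key not in new:
            iface, addr = old[key]
            lines.append(f"REMOVED rule {rule}: {iface} {proto}/{port} -> {addr}")
        elif old[key] != new[key]:
            lines.append(f"CHANGED rule {rule}: {proto}/{port} {old[key]} -> {new[key]}")
    return lines


if __name__ == "__main__":
    print("\n".join(exposure_diff(BEFORE, AFTER)))
```

Each ADDED line is a port newly reachable from the inbound interface, so it is the list to check against the firewall rules that allow that traffic.
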
Delete a NAT rule

You do have the option of completely removing a NAT rule by referencing just the rule number:

  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: nat

    4. Node: destination or source

    5. Command: rule <rule-number>

      • For example: rule 220
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete nat <destination/source> rule <rule-number>

      • For example: delete nat destination rule 220
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

Firewall

The DrawBridgeOS firewall is a zone-based firewall system. This simply means that a Zone "layer" abstracts away actual interfaces from the rules. In other words, rather than writing firewall rules that reference a specific interface, rules are written for zone-relationship pairs.

The primary benefit of a Zone-based approach is that multiple interfaces can belong to a zone, enabling much simpler firewall configuration on complex networks.

For example, all DrawBridges will have at least the following zones configured:
- internet - Member interface: eth0
- eastwoodtc - Member interface: eth4 -- the main LAN interface. Generally the business name is used; "Eastwood Trading Company" is our fictitious example company in this documentation.
- local - Member interface: local -- the actual DrawBridge system itself

Now, with this example in mind, suppose Eastwood Trading Co gets an additional internet connection for redundancy, and they connect this to eth1.

With a zone-based firewall, it's as simple as adding eth1 to the internet zone, and the firewall configuration is pretty much done -- the same rules that secure eth0 from unsolicited inbound traffic, for example, automatically apply now to eth1 as well, by virtue of adding eth1 to the internet firewall zone.

Firewall rules perform several functions on the DrawBridge:

  • Secure the DrawBridge (and the local network behind it) from unsolicited traffic
  • Selectively allow traffic for legitimate remote device filtering and remote access
  • Transparently redirect LAN-origin web requests for content filtering

Looking for port-forwarding assistance? Note that you'll need to perform the actual port-forward operation with NAT (Network Address Translation), and then allow the traffic with a firewall rule.

The DrawBridge firewall also supports "groups", which enables the reuse of port and address lists across multiple rules.

Before embarking on rule changes below, you may wish to review the output of show config (above) to get the current context of the system: firewall zone-relationships, existing rule numbers and actions, and so forth.

Set a new firewall rule

Creating a new firewall rule is a multi-step process.

1. Specify a rule number and default-action within an existing firewall namespace:

  • Command Builder Mode:
    1. Endpoint: configure
    2. Operation: set
    3. Section: firewall
    4. Node: name
    5. Command: <firewall-namespace> rule <rule-number> action <action>
      • For example: internet-eastwoodtc rule 107 action accept
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.
  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: set firewall name <firewall-namespace> rule <rule-number> action <action>
      • For example: set firewall name internet-eastwoodtc rule 107 action accept
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

2. Specify source or destination address details; you will need to use this command again if you wish to set both source and destination addresses:

  • Command Builder Mode:
    1. Endpoint: configure
    2. Operation: set
    3. Section: firewall
    4. Node: name
    5. Command: <firewall-namespace> rule <rule-number> <source/destination> address <ip-address>
      • For example: internet-eastwoodtc rule 107 destination address 192.168.10.3
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.
  • Advanced Command Mode:
    1. Endpoint: configure
    2. Command: set firewall name <firewall-namespace> rule <rule-number> <source/destination> address <address>
      • For example: set firewall name internet-eastwoodtc rule 107 destination address 192.168.10.3
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

3. Specify source or destination port details; you will need to use this command again if you wish to set both source and destination ports:

  • Command Builder Mode:
    1. Endpoint: configure
    2. Operation: set
    3. Section: firewall
    4. Node: name
    5. Command: <firewall-namespace> rule <rule-number> <source/destination> port <port(s)>
      • For example: internet-eastwoodtc rule 107 destination port 443
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.
  • Advanced Command Mode:
    1. Endpoint: configure
    2. Command: set firewall name <firewall-namespace> rule <rule-number> <source/destination> port <port(s)>
      • For example: set firewall name internet-eastwoodtc rule 107 destination port 443
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

4. Give the rule a name:

  • Command Builder Mode:

    1. Endpoint: configure
    2. Operation: set
    3. Section: firewall
    4. Node: name
    5. Command: <firewall-namespace> rule <rule-number> description <your-text-no-spaces>
      • For example: internet-eastwoodtc rule 107 description web-server
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.
    7. When finished making changes, click the Save Config File button to write the changes to disk.

    (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:

    1. Endpoint: configure
    2. Command: set firewall name <firewall-namespace> rule <rule-number> description <your-text-no-spaces>
      • For example: set firewall name internet-eastwoodtc rule 107 description web-server
    3. Click the Commit and Test button. You should receive a Success! message in the output area below.
    4. When finished making changes, click the Save Config File button to write the changes to disk.

    (Changes will not survive a reboot if they aren't saved!)

Delete an existing firewall rule
  • Command Builder Mode:
    1. Endpoint: configure

    2. Operation: delete

    3. Section: firewall

    4. Node: name

    5. Command: <firewall-namespace> rule <rule-number>

      • For example: internet-eastwoodtc rule 223
    6. Click the Commit and Test button. You should receive a Success! message in the output area below.

    7. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)

  • Advanced Command Mode:
    1. Endpoint: configure

    2. Command: delete firewall name <firewall-namespace> rule <rule-number>

      • For example: delete firewall name internet-eastwoodtc rule 223

    3. Click the Commit and Test button. You should receive a Success! message in the output area below.

    4. When finished making changes, click the Save Config File button to write the changes to disk.

      (Changes will not survive a reboot if they aren't saved!)