Interfaces

Modifying a bridge

“Configuration of the interface” tab

IPv6 address range

In Stormshield Network version 1.0, IPv6 addresses assigned to the bridge must be static addresses.


IP address

IP address assigned to the bridge. (All interfaces contained in the bridge will have the same IP address).

Net Mask

Mask of the network to which the bridge belongs. The various interfaces belonging to the bridge have the same IP address: all networks connected to the firewall are therefore part of the same address range.

Comments

Allows adding comments regarding the bridge’s address.

Several IP addresses and associated masks can be defined for the same bridge (when aliases need to be created, for example). These aliases can allow you to use the Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with a different address range. To add or remove them, simply use the Add and Delete buttons located above the fields in the table.

Several IP addresses (aliases) can be added in the same address range on an interface. In this case, these addresses must all have the same mask.

“Router Advertisement (RA)” tab

On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the link-local address, or as a response to a router solicitation (RS) from a host on the network.

This advertisement allows an IPv6 node to obtain the following information:

  • The address of the default router, in this case, the address of the firewall,
  • The prefix(es) used on the link (in 64 bits),
  • Indication of the use of SLAAC or DHCPv6 (Managed)
  • Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
  • DNS parameters, if any (RFC4862).

Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.

For example, a host has a link-local address whose uniqueness has been confirmed via NDP DAD (Neighbor Discovery Protocol Duplicate Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.

By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. DNS servers are those configured for the firewall by default (System > Configuration module).

NOTE 

If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.


Router advertisement

Send RA if DHCPv6 enabled

If the DHCPv6 service has been enabled on the firewall (Network > DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they have to be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default).


If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces.


If the DHCPv6 service is inactive, the sending of RAs will be disabled.

Send RA

The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual.


This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC.

Disable

No router advertisements (RA) are sent.


This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link).

Router advertisement settings

Announce the prefix extracted from the interface address

The prefix advertised is the prefix configured in the interface’s IPv6 address range (Configuration tab).


The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits.

Configuration with DHCPv6 server

The DHCPv6 server assigns addresses (Managed)

The advertisement indicates that the IPv6 addresses solicited will be distributed by the DHCPv6 service enabled on the firewall (Network > DHCP).


This service is implemented by the firewall or a relay that is directly connected (local link).

The DHCPv6 server delivers additional options (Other config)

The advertisement indicates that other auto-configuration parameters, such as the addresses of DNS servers or other types of servers, will be delivered by the DHCPv6 server (firewall or relay) that is directly connected (local link).


Advanced properties

DNS settings

Domain name

Default domain name to contact a queried server that does not have a domain.

Primary DNS server

IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (System > Configuration).

Secondary DNS server

IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (System > Configuration).

Announced prefixes

Even though it is recommended that the announced prefix be the same as the interface’s prefix, in the event the interface specifies several, this field will indicate the prefix to use.

Prefixes

Prefix to announce to hosts

Autonomous

Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address).

On link

This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router.

NOTE 

In IPv4, such information was deduced from the network mask.

Comments

Allows adding comments for the announced prefix.
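The flags described in this tab (Managed, Other config, Autonomous, On link) and the DNS servers are carried in ICMPv6 Router Advertisement fields defined by RFC 4861 and RFC 8106. The following added example (not Stormshield code) encodes and decodes them, and derives the SLAAC address a host would form from a prefix and a MAC-based interface ID, rejecting a prefix that is not 64 bits long as the manual requires; the prefix, MAC address and DNS address used are constructed sample values.

```python
import ipaddress
import struct


def build_ra(prefix, managed=False, other_config=False, autonomous=True,
             on_link=True, dns=(), lifetime=1800):
    """Return the ICMPv6 body of an RA (checksum left at 0: the sending
    stack computes it over the IPv6 pseudo-header)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other_config else 0)
    # RFC 4861 4.2: type 134, code, checksum, cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    # Prefix Information option (type 3, 32 bytes): L = on-link, A = autonomous
    pio_flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, pio_flags,
                       2592000, 604800, 0) + net.network_address.packed
    if dns:  # RDNSS option (type 25, RFC 8106): 16 bytes per DNS server
        msg += struct.pack("!BBHI", 25, 1 + 2 * len(dns), 0, lifetime)
        msg += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return msg


def parse_ra_flags(msg):
    """Decode the M/O flags and each prefix option's (prefix, L, A) triple."""
    out = {"managed": bool(msg[5] & 0x80),
           "other_config": bool(msg[5] & 0x40), "prefixes": []}
    pos = 16  # options start after the fixed 16-byte header
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0:  # RFC 4861 requires receivers to discard such packets
            raise ValueError("zero-length RA option")
        if otype == 3:
            plen, f = msg[pos + 2], msg[pos + 3]
            addr = ipaddress.IPv6Address(msg[pos + 16:pos + 32])
            out["prefixes"].append((f"{addr}/{plen}", bool(f & 0x80), bool(f & 0x40)))
        pos += olen
    return out


def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 and a MAC-based EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:  # the manual requires a 64-bit prefix for SLAAC
        raise ValueError("SLAAC prefix must be /64")
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # flip the universal/local bit (constructed sample MAC below)
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
```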

Optional parameters

Certain specific parameters for router advertisements can be configured in CLI, such as the maximum size of a packet sent (MTU) over the link, the validity duration of the prefix(es) used over the link or the field Router Lifetime.

For more details and the possible values of these parameters, please refer to the guide “CLI serverd command reference – V1.0” available in your client area.

Creating a bridge

Address range

IPv4 address

When this option is selected, the bridge will have an IPv4 address. If this address is static, this has to be indicated in the field below the checkbox along with its network mask. By default, a dynamic address will be assigned to it via DHCP.

IPv6 address

When this option is selected, the bridge will have a static IPv6 address. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox.


Modifying an Ethernet interface (in bridge mode)

Address range

Hybrid resolution

When this option is selected, the interface must have at least an IPv4 address (dynamic or static) and an IPv6 address (static). In this case, you will need to indicate these IP addresses and their associated network mask in the tables “IPv4 address range” and “IPv6 address range”.

IPv6 address range

IP address

IP address assigned to the interface.

Net Mask

Mask of the sub-network to which the interface belongs. The network mask provides the firewall with information about the network to which it belongs.

Comments

Allows adding comments on the address range of the interface.

Several IP addresses (aliases) can be added in the same address range on an interface. In this case, these addresses must all have the same mask.

“Advanced properties” tab

Routing without analyzing

Authorize without analyzing

Allows IPv6 packets to move between the interfaces of the bridge. No higher-level inspection or filtering will then be applied to this protocol.

IMPORTANT

For each of the interfaces included in a bridge, you must unselect the option Authorize without analyzing for IPv6 in order for filtering to be applied on this traffic.

Modifying an Ethernet interface (advanced mode)

To configure an interface in a network that does not belong to a bridge, simply remove it from the tree structure of the bridge by dragging it with the mouse.

During this detachment, the address range window will appear.

IPv4 address

When this option is selected, the interface will have an IPv4 address. If this address is static, this has to be indicated (followed by its network mask) in the field below the checkbox. By default, a dynamic address will be assigned to it via DHCP.

IPv6 address

When this option is selected, the interface will have a static IPv6 address. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox.

Once the interface is outside the bridge, you will be able to access the parameters of the interface described in the section “Modifying an Ethernet interface (in bridge mode)”.

Creating a VLAN

VLAN attached to a single interface (VLAN endpoint)

Address range

IPv4 address

When this option is selected, the VLAN will have an IPv4 address. If this address is static, this has to be indicated in the field below the checkbox along with its network mask. By default, a dynamic address will be assigned to it via DHCP.

IPv6 address

When this option is selected, the VLAN will have a static IPv6 address. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox.

VLAN attached to 2 interfaces (crossing VLAN)

VLAN address range

Use an existing bridge

When this option is selected, you will need to select from the drop-down list the bridge to which the VLAN will be attached.

Create a new bridge

When this option is selected, a wizard will allow you to create a new bridge containing both of the interfaces to which the VLAN is attached.

IPv4 address

When this option is selected, the VLAN will have an IPv4 address. If this address is static, this has to be indicated in the field below the checkbox along with its network mask. By default, a dynamic address will be assigned to it via DHCP. This option is only available if you have chosen to create a new bridge.

IPv6 address

When this option is selected, the VLAN will have a static IPv6 address. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox. This option is only available if you have chosen to create a new bridge.

Modifying a VLAN

“Configuration of the interface” tab

Address range

Hybrid resolution

When this option is selected, the interface must have at least an IPv4 address (dynamic or static) and an IPv6 address (static). In this case, you will need to indicate these IP addresses and their associated network mask in the tables “IPv4 address range” and “IPv6 address range”.

“Router Advertisement (RA)” tab

For options regarding Router advertisements, please refer to the paragraph “Router advertisement (RA)” tab in the menu Modifying a Bridge.

“Advanced properties” tab

For advanced VLAN configuration options, please refer to the paragraph “Advanced properties” tab in the menu Modifying an Ethernet interface (in bridge mode).