GRETAP interface
Tunnels that use GRETAP interfaces encapsulate Layer 2 (Ethernet) traffic. They can then be used to link sites sharing the same IP address range through a bridge, or to transport non-IP protocols over a bridge.
Adding a GRETAP interface
- Click on Add.
- Click on GRETAP interface.
The GRETAP interface is added to the interfaces and its control panel appears.
GRETAP interface control panel
Double-click on the GRETAP interface control panel to open it. There are several tabs in the control panel.

Status
ON / OFF | Set the switch to ON/OFF to enable or disable the interface. |
General settings
Name | Name of the interface. This name can be changed. |
Comments | Allows you to enter comments regarding the interface. |
This interface is | An interface can be:
|
GRETAP tunnel address
Tunnel source | Select the network object that corresponds to the bridge that supports the GRETAP interface. |
Tunnel destination | Select (or create) the network object that corresponds to the public address of the appliance that hosts the remote GRETAP interface. |
Address range
Address range inherited from the bridge | When this option is selected, the interface becomes part of a bridge. Several parameters, such as the address range, will then be inherited from the bridge. This will unlock the Bridge field. Select the parent bridge of the interface in this field. |
Dynamic / Static | Selecting this option indicates that the IP address of the interface is dynamic (obtained via DHCP) or static. This will unlock the IPv4 address field. |
Dynamic IP (obtained by DHCP) | When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters:
|
Fixed IP (static) | When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with different address ranges. If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow. |
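The alias rule described under Fixed IP (static) can be checked before the grid is filled in. The following is an added example, not part of the product documentation: it takes an ordered list of address/mask entries, rejects aliases whose mask differs from the one already used in the same address range, and returns the masks that would be in effect after the network configuration is reloaded. The function name is hypothetical, and treating "same address range" as "overlapping networks" is an assumption.

```python
import ipaddress

# Constructed sample: three addresses in 192.168.10.0/24 (one with a
# mismatched mask) and one address in a separate range.
SAMPLE = ["192.168.10.1/24", "192.168.10.2/24", "10.20.0.1/16", "192.168.10.3/25"]


def effective_aliases(entries):
    """Return (effective, errors) for an ordered list of 'address/mask' strings.

    effective: entries as they apply after a reload (first address of a range
               keeps its mask, later addresses of that range get /32).
    errors:    entries rejected because their mask differs from the mask
               already used in the same address range.
    """
    seen = []  # networks claimed by an earlier address, in order
    effective, errors = [], []
    for text in entries:
        iface = ipaddress.ip_interface(text)
        # Assumption: two entries share an address range if their networks overlap.
        clash = next((n for n in seen if n.overlaps(iface.network)), None)
        if clash is None:
            # First address in this range: keeps the mask that was entered.
            seen.append(iface.network)
            effective.append(str(iface))
        elif clash.prefixlen != iface.network.prefixlen:
            errors.append(
                f"{text}: mask differs from /{clash.prefixlen} "
                "used in the same address range"
            )
        else:
            # Later alias in the same range: /32 after reload.
            effective.append(f"{iface.ip}/32")
    return effective, errors


if __name__ == "__main__":
    applied, rejected = effective_aliases(SAMPLE)
    for line in applied:
        print("applied :", line)
    for line in rejected:
        print("rejected:", line)
```
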

Other settings
MTU | Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent in one go without fragmentation. This option is not available for interfaces contained in a bridge. |
Physical (MAC) address | Makes it possible to specify a MAC address for an interface instead of using the address assigned by the firewall. If the interface is contained in a bridge, it will have the same MAC address as the bridge. |
Routing without analysis
This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.
Authorize without analyzing | Allows IPX (Novell network), NetBIOS (over NetBEUI), AppleTalk (for Macintosh), PPPoE or IPv6 packets to pass between the bridge's interfaces. No high-level analysis or filtering is applied to these protocols (the firewall only blocks or passes them). |
Routing by interface
This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.
Keep initial routing | This option asks the firewall not to modify the destination in the Ethernet layer when a packet goes through it. The packet is resent to the same MAC address from which it was received. The purpose of this option is to make it easier to integrate firewalls transparently into an existing network, as it avoids the need to modify the default route of machines on the internal network.
Known limitations
Features on a firewall that inserts or modifies packets in sessions may fail to function correctly. The affected features are:
|
Keep VLAN IDs | This option enables the transmission of tagged frames without the firewall having to be the VLAN endpoint. The VLAN tag on these frames is kept so that the firewall can be placed in the path of a VLAN without interrupting it. The firewall operates transparently for this VLAN. To use this option, the previous option "Keep initial routing" must be enabled. |