Bridges and interfaces
Bridges
“General configuration” tab
Address range
IPv6 address
| Fixed IP (static) | When this option is selected, the bridge will have a static IPv6 address. |
| Address/ Mask | IP address assigned to the bridge (all interfaces contained in a bridge have the same IP address). Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox. |
| Comments | Allows adding comments regarding the bridge’s address. |
Several IP addresses and associated masks can be defined for the same bridge (when aliases need to be created, for example). These aliases can allow you to use the Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with a different address range. To add or remove them, simply use the Add and Delete buttons located above the fields in the table.
Several IP addresses (aliases) can be added in the same address range on an interface. In this case, these addresses must all have the same mask.
“Routing configuration” tab
On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the local link address or as a response to a router solicitation (RS) from a host on the network.
This advertisement allows an IPv6 node to obtain the following information:
- The address of the default router, in this case, the address of the firewall,
- The prefix(es) used on the link (in 64 bits),
- Indication of the use of SLAAC or DHCPv6 (Managed)
- Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
- DNS parameters, if any (RFC4862).
Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.
For example, a host has a local link address whose uniqueness has been confirmed via NPD DAD (Neighbor Discovery Protocol – Duplicated Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.
By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. DNS servers are those configured for the firewall by default (System> Configuration module).
NOTE
If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.
Automatic configuration settings
| Automatic detection | If the DHCPv6 service has been enabled on the firewall (Network> DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they have to be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default). If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces. If the DHCPv6 service is inactive, the sending of RAs will be disabled. |
| Send RA | The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual. This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC. |
| Disable | No router advertisement (RA) has been sent out. This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link). |
Router advertisements (RA)
| Announce the prefix extracted from the interface address | The prefix advertised is the prefix configured in the interface’s IPv6 address range (Configuration tab). The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits. |
Configuration with DHCPv6 server
| The DHCPv6 server assigns addresses (Managed) | The advertisement indicates that the IPv6 addresses solicited will be distributed by the DHCPv6 service enabled on the firewall (Network > DHCP). This service is implemented by the firewall or a relay that is directly connected (local link). |
| The DHCPv6 server delivers additional options (Other config) | The advertisement indicates that other auto-configuration parameters such as the addresses of DNS servers or other types of servers, will be delivered by the DHCPv6 server (firewall or relay) that is directly connected (local link). |
Advanced properties
DNS settings
| Domain name | Default domain name to contact a queried server that does not have a domain. |
| Primary DNS server | IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (System > Configuration) |
| Secondary DNS server | IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (System > Configuration) |
Announced prefixes
Even though it is recommended that the announced prefix be the same as the interface’s prefix, in the event the interface specifies several, this field will indicate the prefix to use.
| Prefixes | Prefix to announce to hosts |
| Autonomous | Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address. |
| On link | This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router. NOTE |
| Comments | Allows adding comments for the announced prefix. |
Optional parameters
Certain specific parameters for router advertisements can be configured in CLI, such as the maximum size of a packet sent (MTU) over the link, the validity duration of the prefix(es) used over the link or the field Router Lifetime.
For more details and the possible values of these parameters, please refer to the guide “CLI serverd command reference – V1.0” available in your client area.
Ethernet interface in bridge mode
“Advanced properties” tab
Routing without analysis
| Authorize without analyzing | Allows IPv6 packets to move between the interfaces of the bridge. No higher analysis or filter will then be applied on this protocol. |
IMPORTANT
For each of the interfaces included in a bridge, you must unselect the option Authorize without analyzing for IPv6 in order for filtering to be applied on this traffic.
Ethernet interface in advanced mode
“General configuration” tab
To configure an interface in a network that does not belong to a bridge, simply remove it from the tree structure of the bridge by dragging it with the mouse.
During this detachment, the address range window will appear.
| IPv4 address range | When this option is selected, the bridge will have an IPv4 address. If this address is static, this has to be indicated (followed by it network mask) in the field below the checkbox. By default, a dynamic address will be assigned to it via DHCP. |
| IPv6 address range | When this option is selected, the bridge will have a static IPv6 address. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox. |
Once the interface is outside the bridge, you will be able to access the parameters of the interface described in the section Ethernet interface in bridge mode.
VLAN
“General configuration” tab
Address range
IPv6 address
| Fixed IP (static) | When this option is selected, the VLAN will have a static IPv6 address. |
| Address/ Mask | IP address assigned to the VLAN. Enter this address and its associated network mask in CIDR notation (example: 2001:db8::70/32), in the field below the checkbox. |
| Comments | Enables comments regarding the VLAN's address. |
“Routing configuration” tab
For options regarding Automatic configuration settings and Router advertisements, refer to the section “Router advertisement (RA)” tab in the Bridge menu.