Bridge interface
Adding a bridge
Adding a bridge without members
- Click on Add.
- Scroll over Bridge.
- Click on No members.
- Give the new bridge a name, then click on Apply.
The new bridge will be added to the interfaces and its control panel appears.
Adding a bridge that contains selected interfaces
- Select the interfaces to include in the new bridge beforehand.
- Click on Add.
- Scroll over Bridge.
- Click on With interface_1, interface_2 ....
- Give the new bridge a name, then click on Apply.
The new bridge will be added to the interfaces and its control panel appears.
Bridge control panel
Double-click on the bridge interface control panel to open it. There are several tabs in the control panel.

General settings
Name | Name of the interface. This name can be changed. |
Comments | Allows you to enter comments regarding the interface. |
Address range
NOTE
The same options must be configured in the IPv4 and IPv6 address fields. The IPv6 address field appears only if IPv6 is enabled in the firewall’s configuration.
Dynamic IP (obtained by DHCP) | When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters: |
Fixed IP (static) | When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range. If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow. |
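The alias rule above can be checked before the entries are typed into the grid. The following is an added example, not part of the product or its documentation: the function name and the sample addresses are constructed, and "same address range" is taken to mean overlapping IPv4 networks.

```python
import ipaddress

def check_aliases(entries):
    """entries: IPv4 'address/prefix' strings in the order they appear in the grid.
    Returns (errors, effective). effective lists the masks in force after a
    network reload and is only filled in when there are no errors."""
    groups = []                      # each group: aliases sharing one address range
    for pos, text in enumerate(entries):
        itf = ipaddress.IPv4Interface(text)
        for group in groups:
            if itf.network.overlaps(group[0][1].network):
                group.append((pos, itf))
                break
        else:
            groups.append([(pos, itf)])

    errors, effective = [], {}
    for group in groups:
        first = group[0][1]
        for rank, (pos, itf) in enumerate(group):
            if itf.network.prefixlen != first.network.prefixlen:
                errors.append(f"{itf} must use /{first.network.prefixlen} like {first}")
            # Per the page: the first address keeps the mask, later aliases get /32.
            plen = first.network.prefixlen if rank == 0 else 32
            effective[pos] = f"{itf.ip}/{plen}"
    ordered = [effective[i] for i in range(len(entries))]
    return errors, ([] if errors else ordered)

# Constructed sample input (documentation and private ranges only).
SAMPLE_OK = ["192.168.1.1/24", "192.168.1.2/24", "10.0.0.1/16"]
SAMPLE_BAD = SAMPLE_OK + ["192.168.1.130/25"]

print(check_aliases(SAMPLE_OK))
print(check_aliases(SAMPLE_BAD))
```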
Managing members
At least two interfaces must be selected to make up a bridge. To add or remove members from the bridge, move the interfaces from one section to another by using the arrows, dragging and dropping, or double-clicking on the interface.

NOTE
This tab appears only if IPv6 is enabled in the firewall’s configuration.
On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the local link address or as a response to a router solicitation (RS) from a host on the network.
This advertisement allows an IPv6 node to obtain the following information:
- The address of the default router, in this case, the address of the firewall,
- The prefix(es) used on the link (in 64 bits),
- Indication of the use of SLAAC or DHCPv6 (Managed),
- Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
- DNS parameters, if any (RFC4862).
Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.
For example, a host has a local link address whose uniqueness has been confirmed via NDP DAD (Neighbor Discovery Protocol – Duplicate Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.
By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. By default, DNS servers are those configured for the firewall in the Configuration module > System > Configuration, Network settings tab.
NOTE
If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.
Automatic configuration settings
Automatic detection | If the DHCPv6 service is enabled on the firewall (Configuration module > Network > DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they must be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default). If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces. If the DHCPv6 service is inactive, the sending of RAs will be disabled. |
Send RA | The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual. This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC. |
Disable | No router advertisements (RA) are sent out. This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link). |
Router advertisements (RA)
This zone can be accessed only if the Send RA option has been selected.
Announce the prefix extracted from the interface address | The prefix advertised is the prefix configured in the interface’s IPv6 address range in the General configuration tab. The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits. |
Configuration with DHCPv6 server
The DHCPv6 server assigns addresses (Managed) | The advertisement indicates that the IPv6 addresses requested will be distributed by the DHCPv6 service enabled on the firewall (Configuration module > Network > DHCP). This service is implemented by the firewall or a relay that is directly connected (local link). |
The DHCPv6 server delivers additional options (Other config) | The advertisement indicates that other auto-configuration parameters, such as the addresses of DNS servers or other types of servers, will be issued by the DHCPv6 server (firewall or relay) that is directly connected (local link). |
Advanced configuration
DNS settings
This section can be accessed if the option The DHCPv6 server delivers additional options (Other config) is not enabled.
Domain name | Default domain name to contact a queried server that does not have a domain. |
Primary DNS server | IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab). |
Secondary DNS server | IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab). |
Announced prefixes
This grid can be accessed if the option The DHCPv6 server assigns addresses (Managed) is not enabled.
Prefixes | Prefix to announce to hosts. We recommend using the interface’s prefix as the announced prefix. If the interface specifies several prefixes, this field will indicate the prefix to use. |
Autonomous | Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address). |
On link | This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router. In IPv4, such information was deduced from the network mask. |
Comments | Allows adding comments for the announced prefix. |
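To confirm on the wire what these settings produce, a captured router advertisement can be decoded and compared with the options above. The following is an added example, not code from the product: it parses the ICMPv6 RA layout of RFC 4861 (with the RDNSS option of RFC 8106), the function names and the sample packet are constructed, the checksum is not verified, and the checks in audit() mirror the constraints stated on this page (64-bit prefix for SLAAC, announced prefixes only without Managed, DNS settings only without Other config).

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement into the fields set in this tab."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a router advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "default_router": lifetime > 0, "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(icmp6):
        otype, olen = icmp6[pos], icmp6[pos + 1] * 8   # length is in 8-byte units
        if olen == 0 or pos + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[pos:pos + olen]
        if otype == 3 and olen == 32:                  # Prefix Information option
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{prefix}/{body[2]}",
                                   "on_link": bool(body[3] & 0x80),
                                   "autonomous": bool(body[3] & 0x40)})
        elif otype == 25:                              # Recursive DNS Server option
            for off in range(8, olen, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        pos += olen
    return ra

def audit(ra: dict) -> list:
    """Report RA contents that do not match the settings described on this page."""
    findings = []
    for p in ra["prefixes"]:
        if p["autonomous"] and not p["prefix"].endswith("/64"):
            findings.append(f"{p['prefix']}: SLAAC needs a 64-bit prefix")
        if p["autonomous"] and ra["managed"]:
            findings.append(f"{p['prefix']}: Autonomous and Managed both set")
    if ra["dns"] and ra["other_config"]:
        findings.append("DNS sent in the RA although Other config is set")
    return findings

# Constructed sample: M=0, O=0, lifetime 1800 s, one /64 prefix (L+A), one DNS server.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1::").packed
    + struct.pack("!BBHI", 25, 3, 0, 1800)
    + ipaddress.IPv6Address("2001:db8:1::53").packed
)
print(parse_ra(SAMPLE_RA), audit(parse_ra(SAMPLE_RA)))
```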

Other settings
MTU | Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent in one go without fragmentation. This option is not available for interfaces contained in a bridge. |
MAC address | Specifies a MAC address for the bridge. |
Physical MAC address | This field is not available for bridges. |
Loop detection (Spanning Tree)
This section makes it possible to enable a network loop detection protocol (Spanning Tree) on the bridge. This feature is available only on SN-S-Series-220, SN-S-Series-320, SN510, SN-M-Series-520, SN710, SN-M-Series-720, SN910, SN-M-Series-920, SN1100, SN2100, SN-L-Series-2200, SN3100, SN-L-Series-3200, SN-XL-Series-5200, SN6100, SN-XL-Series-6200, SNi10, SNi20, SNi40, SNxr1200, EVA1, EVA2, EVA3, EVA4 and EVAU models.
Disable Spanning Tree protocols | Disables the use of Spanning Tree protocols (RSTP and MSTP) in the bridge. This option is enabled by default. |
Enable Rapid Spanning Tree Protocol (RSTP) | Enables Rapid Spanning Tree Protocol (RSTP) on the bridge. |
Enable Multiple Spanning Tree Protocol (MSTP) | Enables Multiple Spanning Tree Protocol (MSTP) on the bridge. If this option is selected, the MSTP configuration zone appears. |
MSTP configuration
This zone appears only if Enable Multiple Spanning Tree Protocol (MSTP) is selected. On SNS firewalls, an MSTP configuration can only define one region.
Region name (MSTP region) | Enter the name of the MSTP region in which the firewall is located. It must be the same in the MSTP configuration on all network appliances belonging to this region. |
Format selector | This field specifies the information needed to define a region. Its default value is 0, indicating that a region’s properties are:
The format selector must be the same in the MSTP configuration on all network appliances belonging to this region. |
Revision number | Select a revision number for the region. The revision number must be the same in the MSTP configuration on all network appliances belonging to this region. NOTE |
Common and Internal Spanning Tree (CIST) | Priority assigned to the firewall for traffic involving VLANs that were not declared in any MSTP instances (see grid of MSTP instances). |
MSTP instances
List of VLAN IDs in the instance | Indicate the various VLAN identifiers (list of identifiers separated by commas) included in the selected instance. |
Priority | Set the priority of an MSTP instance in relation to the root bridge, which has the lowest priority. NOTE |