VLAN interface
Adding a VLAN
Adding a VLAN without members
- Click on Add.
- Scroll over VLAN.
- Click on No members.
The new VLAN will be added to the interfaces and its control panel appears.
Adding a VLAN that contains selected interfaces
- Select the interfaces to include in the new VLAN beforehand.
- Click on Add.
- Scroll over VLAN.
- Click on With interface_1, interface_2 ....
The new VLAN will be added to the interfaces and its control panel appears.
VLAN interface control panel
Double-click on the VLAN interface control panel to open it. There are several tabs in the control panel.

Status
ON / OFF | Set the switch to ON/OFF to enable or disable the interface. |
General settings
Name | Name of the interface. The name assigned by default can be changed. |
Comments | Allows you to enter comments regarding the interface. |
Parent interface | Physical name of the interface to which the VLAN is attached. |
ID | Identifier for the VLAN, which must be any value between 1 and 4094 inclusive, and must be unique (unless it is a VLAN associated with another bridge in a crossing VLAN). |
Priority (CoS) | This CoS (Class of Service field) priority will then be imposed for all packets sent by the VLAN. |
This interface is | An interface can be: |
Address range
Address range inherited from the bridge | When this option is selected, the interface becomes part of a bridge. Several parameters, such as the address range, will then be inherited from the bridge. This will unlock the Bridge field. Select the parent bridge of the interface in this field. |
Dynamic / Static | Selecting this option indicates that the IP address of the interface is dynamic (obtained via DHCP) or static. This will unlock the IPv4 address field and IPv6 address field if IPv6 was enabled in the firewall’s configuration. The same options must be configured in both fields. |
Dynamic IP (obtained by DHCP) | When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters: |
Fixed IP (static) | When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range. If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow. |

NOTE
This tab appears only if IPv6 is enabled in the firewall’s configuration.
On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the local link address or as a response to a router solicitation (RS) from a host on the network.
This advertisement allows an IPv6 node to obtain the following information:
- The address of the default router, in this case, the address of the firewall,
- The prefix(es) used on the link (in 64 bits),
- Indication of the use of SLAAC or DHCPv6 (Managed),
- Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
- DNS parameters, if any (RFC4862).
Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.
For example, a host has a local link address whose uniqueness has been confirmed via NDP DAD (Neighbor Discovery Protocol – Duplicate Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.
By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. By default, DNS servers are those configured for the firewall in the Configuration module > System > Configuration, Network settings tab.
NOTE
If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.
Automatic configuration settings
Automatic detection | If the DHCPv6 service is enabled on the firewall (Configuration module > Network > DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they must be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default). If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces. If the DHCPv6 service is inactive, the sending of RAs will be disabled. |
Send RA | The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual. This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC. |
Disable | No router advertisement (RA) is sent out. This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link). |
Router advertisements (RA)
This zone can be accessed only if the Send RA option has been selected.
Announce the prefix extracted from the interface address | The prefix advertised is the prefix configured in the interface’s IPv6 address range in the General configuration tab. The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits. |
Configuration with DHCPv6 server
The DHCPv6 server assigns addresses (Managed) | The advertisement indicates that the IPv6 addresses contacted will be distributed by the DHCPv6 service enabled on the firewall (Configuration module > Network > DHCP). This service is implemented by the firewall or a relay that is directly connected (local link). |
The DHCPv6 server delivers additional options (Other config) | The advertisement indicates that other auto-configuration parameters, such as the addresses of DNS servers or other types of servers, will be issued by the DHCPv6 server (firewall or relay) that is directly connected (local link). |
Advanced properties
DNS Parameters
This section can be accessed if the option The DHCPv6 server delivers additional options (Other config) is not enabled.
Domain name | Default domain name to contact a queried server that does not have a domain. |
Primary DNS server | IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab). |
Secondary DNS server | IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab). |
Announced prefixes
This grid can be accessed if the option The DHCPv6 server assigns addresses (Managed) is not enabled.
Prefixes | Prefix to announce to hosts. We recommend using the interface’s prefix as the announced prefix. If the interface specifies several prefixes, this field will indicate the prefix to use. |
Autonomous | Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address). |
On link | This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router. In IPv4, such information was deduced from the network mask. |
Comments | Allows adding comments for the announced prefix. |
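Added example (not part of the original documentation): a Python parser for the router advertisement described in this section. It reads the Managed and Other config flags, the Prefix Information option (On link, Autonomous, prefix length) and the DNS server option from raw ICMPv6 bytes, so that an RA captured on a segment can be compared with the configured settings. The names parse_ra, audit and sample_ra are hypothetical, the sample packet is constructed, and the audit rules assume that a setting the control panel locks is absent from the RA the firewall sends.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861), starting at the type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp, 5)
    ra = {"managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(body[16:32])
            net = ipaddress.IPv6Network((addr, body[2]), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(body[3] & 0x80),
                                   "autonomous": bool(body[3] & 0x40)})
        elif opt_type == 25 and opt_len >= 24:  # Recursive DNS Server option
            for i in range(8, opt_len, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len
    return ra

def audit(ra: dict) -> list:
    """Return findings for combinations that do not match the settings described above."""
    findings = []
    for p in ra["prefixes"]:
        if p["autonomous"] and not p["prefix"].endswith("/64"):
            findings.append("autonomous prefix is not /64: " + p["prefix"])
        if p["autonomous"] and ra["managed"]:
            findings.append("Managed flag set together with autonomous prefix: " + p["prefix"])
    if ra["other_config"] and ra["dns"]:
        findings.append("Other config flag set together with DNS servers in the RA")
    return findings

def sample_ra(flags: int = 0x00, plen: int = 64, pflags: int = 0xC0) -> bytes:
    """Constructed sample RA with documentation addresses; checksum left at 0."""
    pfx = ipaddress.IPv6Address("2001:db8:0:10::").packed
    dns = ipaddress.IPv6Address("2001:db8:0:10::1").packed
    return (struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
            + struct.pack("!BBBBIII", 3, 4, plen, pflags, 2592000, 604800, 0) + pfx
            + struct.pack("!BBHI", 25, 3, 0, 1800) + dns)

if __name__ == "__main__":
    print(audit(parse_ra(sample_ra(flags=0xC0, plen=48))))
```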

Other settings
MTU | Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent in one go without fragmentation. |
Physical MAC address | MAC address of the network interface the VLAN belongs to. |
Routing without analysis
This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.
Authorize without analyzing | Allows IPX (Novell network), Netbios (on NETBEUI), AppleTalk (for Macintosh), PPPoE or IPv6 packets to pass between the bridge’s interfaces. No high-level analysis or filtering will be applied to these protocols (the firewall will block or pass). |
Routing by interface
This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.
Keep initial routing | This option will ask the firewall to not modify the destination in the Ethernet layer when a packet goes through it. The packet will be resent to the same MAC address from which it was received. The purpose of this option is to facilitate the integration of firewalls transparently into an existing network, as this makes it possible to avoid the need for modifying the default route of machines on the internal network. This option must be enabled to ensure that a DHCP server located on the interface in question, and which sends unicast responses to requests, runs properly. Known limitations: firewall features that insert or modify packets in sessions may fail to function correctly. The affected features are: |
Keep VLAN IDs | This option enables the transmission of tagged frames without the firewall having to be the VLAN endpoint. The VLAN tag on these frames is kept so that the firewall can be placed in the path of a VLAN without the firewall interrupting this VLAN. The firewall runs seamlessly for this VLAN. To use this option, the previous option “Keep initial routing” must be enabled. |
Deleting a VLAN
To delete a VLAN:
- Select the VLAN in the interface directory.
- Click on Delete in the toolbar.
The message “Delete this interface?” will appear.
- Confirm or cancel the deletion.
If you confirm the deletion, a check will be performed to see if the interface is in use.