VLAN interface

Adding a VLAN

Adding a VLAN without members

  1. Click on Add.
  2. Scroll over VLAN.
  3. Click on No members.
    The new VLAN will be added to the interfaces and its control panel appears.

Adding a VLAN that contains selected interfaces

  1. Select the interfaces to include in the new VLAN beforehand.
  2. Click on Add.
  3. Scroll over VLAN.
  4. Click on With interface_1, interface_2 ....
    The new VLAN will be added to the interfaces and its control panel appears.

VLAN interface control panel

Double-click on the VLAN interface control panel to open it. There are several tabs in the control panel.

Status

ON / OFF

Set the switch to ON/OFF to enable or disable the interface.
Disabled interfaces cannot be used. An interface that has been disabled because it is not in use, or will be deployed later, is an additional security measure against intrusions.

General settings

Name Name of the interface. The name assigned by default can be changed.
Comments Allows you to enter comments regarding the interface.
Parent interface Physical name of the interface to which the VLAN is attached.
ID Identifier for the VLAN, which must be any value between 1 and 4094 inclusive, and must be unique (unless it is a VLAN associated with another bridge in a crossing VLAN).
Priority (CoS) This CoS (Class of Service field) priority will then be imposed for all packets sent by the VLAN.
This interface is

An interface can be:

  • Internal (protected): when this option is selected, this means that the interface is protected (a shield appears). a protected interface only accepts packets coming from a known address range, such as a directly connected network or a network defined by a static route. This protection includes remembering machines that have logged on to this interface, conventional traffic security mechanisms (TCP) and implicit rules for services offered by the firewall such as DHCP.

  • External (public): choosing this option indicates that the interface does not benefit from the protection of a protected interface and can therefore receive packets coming from any address range (which are not assigned to internal interfaces). This type of interface is used mainly to connect the firewall to the Internet.

Address range

Address range inherited from the bridge When this option is selected, the interface becomes part of a bridge. Several parameters, such as the address range, will then be inherited from the bridge. This will unlock the Bridge field. Select the parent bridge of the interface in this field.
Dynamic / Static

Selecting this option indicates that the IP address of the interface is dynamic (obtained via DHCP) or static. This will unlock the IPv4 address field and IPv6 address field if IPv6 was enabled in the firewall’s configuration. The same options must be configured in both fields.
Dynamic IP (obtained by DHCP)

When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters:

  • DNS name (optional): a fully qualified DHCP host name (FQDN) can be indicated for the DHCP request.

    If a value is entered in this field and the external DHCP server has the option of automatically updating the DNS server, the DHCP server automatically updates the DNS server with the name of the firewall, its assigned IP address and allocated lease time (field below).

  • Requested lease time (seconds): in addition to the DNS name, enter the duration for which the IP address is kept before renegotiation.

  • Request domain name servers from the DHCP server and create host objects: select this parameter so that the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address. When this option is selected, two objects will be created: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.
Fixed IP (static)

When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range.

If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow.

NOTE
This tab appears only if IPv6 is enabled in the firewall’s configuration.

On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the local link address or as a response to a router solicitation (RS) from a host on the network.

This advertisement allows an IPv6 node to obtain the following information:

  • The address of the default router, in this case, the address of the firewall,
  • The prefix(es) used on the link (in 64 bits),
  • Indication of the use of SLAAC or DHCPv6 (Managed)
  • Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
  • DNS parameters, if any (RFC4862).

Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.

For example, a host has a local link address whose uniqueness has been confirmed via NPD DAD (Neighbor Discovery ProtocolDuplicated Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.

By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. By default, DNS servers are those configured for the firewall in the Configuration module > System > Configuration, Network settings tab.

NOTE
If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.

Automatic configuration settings

Automatic detection If the DHCPv6 service is enabled on the firewall (Configuration module > Network> DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they must be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default).
If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces.
If the DHCPv6 service is inactive, the sending of RAs will be disabled.
Send RA

The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual. This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC.
Disable No router advertisement (RA) has been sent out. This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link).

Router advertisements (RA)

This zone can be accessed only if the Send RA option has been selected.

Announce the prefix extracted from the interface address The prefix advertised is the prefix configured in the interface’s IPv6 address range in the General configuration tab. The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits.

Configuration with DHCPv6 server

The DHCPv6 server assigns addresses (Managed)

The advertisement indicates that the IPv6 addresses contacted will be distributed by the DHCPv6 service enabled on the firewall (Configuration module > Network > DHCP). This service is implemented by the firewall or a relay that is directly connected (local link).
The DHCPv6 server delivers additional options (Other config)

The advertisement indicates that other auto-configuration parameters, such as the addresses of DNS servers or other types of servers, will be issued by the DHCPv6 server (firewall or relay) that is directly connected (local link).

Advanced properties

DNS Parameters

This section can be accessed if the option The DHCPv6 server delivers additional options (Other config) is not enabled.

Domain name Default domain name to contact a queried server that does not have a domain.
Primary DNS server IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab).
Secondary DNS server IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab).

Announced prefixes

This grid can be accessed if the option The DHCPv6 assigns addresses (Managed) is not enabled.

Prefixes

Prefix to announce to hosts. We recommend using the interface’s prefix as the announced prefix. If the interface specifies several prefixes, this field will indicate the prefix to use.
Autonomous

Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address.
On link This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router. In IPv4, such information was deduced from the network mask.
Comments Allows adding comments for the announced prefix.

Other settings

MTU Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent at one go without fragmentation.
Physical MAC address MAC address of the network interface the VLAN belongs to.

Routing without analysis

This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.

Authorize without analyzing Allows letting IPX (Novell network), Netbios (on NETBEUI), AppleTalk (for Macintosh), PPPoE or Ipv6 packets pass between the bridge’s interfaces. No high-level analysis or filtering will be applied to these protocols (the firewall will block or pass).

Routing by interface

This zone appears only if the option Address range inherited from the bridge is selected in the Address range field in the General configuration tab.

Keep initial routing This option will ask the firewall to not modify the destination in the Ethernet layer when a packet goes through it. The packet will be resent to the same MAC address from which it was received. The purpose of this option is to facilitate the integration of firewalls transparently into an existing network, as this makes it possible to avoid the need for modifying the default route of machines on the internal network.
This option must be enabled to ensure that a DHCP server located on the interface in question, and which sends unicast responses to requests, runs properly
Known limitations
Features on a firewall that inserts or modifies packets in sessions may fail to function correctly. The affected features are:
  • Connection reinitialization caused by an alarm,
  • SYN proxy (enabled in filtering),
  • Requests to resend packets that were dropped in order to speed up analysis,
  • Rewriting of packets by application analyses (SMTP, HTTP and web 2.0, FTP and NAT, SIP and NAT).
Keep VLAN IDs This option enables the transmission of tagged frames without the firewall having to be the VLAN endpoint. The VLAN tag on these frames is kept so that the Firewall can be placed in the path of a VLAN without the firewall interrupting this VLAN. The Firewall runs seamlessly for this VLAN.
To use this option, the previous option "Keep initial routing” must be enabled.

Deleting a VLAN

To delete a VLAN:

  1. Select the VLAN in the interface directory.
  2. Click on Delete in the toolbar.
    The message “Delete this interface?” will appear.
  3. Confirm or cancel the deletion.
    If you confirm the deletion, a check will be performed to see if the interface is in use.