EFW Network Configuration


8/7/2019 EFW Network Configuration


    Network Configuration

    Endian Firewall provides a Network Setup Wizard for easy and fast configuration of your network interfaces and your uplink. The Wizard is divided into steps with intuitive dialogues. Some steps may have substeps. The first line of each dialogue window displays the current step or substep, how many you need to go through and a short description of the current page. You can go forward or back with the buttons next (>>>) and back (


    ETHERNET STATIC

    Select this if your RED interface is a simple ethernet card and you need to set up network information like IP address, netmask and so on manually. If you need to connect your RED interface to a simple router, this is probably the right choice. Remember that in most cases you will need a crossover cable in order to connect it correctly, unless one of the two ports supports Auto-MDI/MDIX.

    ETHERNET DHCP

    Select this if your RED interface is a simple ethernet card which obtains its network information through DHCP. Most cable modems and ADSL/ISDN routers offer this.

    PPPoE

    If your RED interface is a simple ethernet card connected to a device which requires you to use PPPoE in order to connect to your provider, then select this. Pay attention not to confuse this option with the ETHERNET DHCP or ADSL options. This is only needed if your modem uses bridging mode and does not connect itself via PPPoE to the internet provider. Some ADSL routers let you connect using DHCP or STATIC and establish the ADSL connection themselves using PPPoE. This is also the wrong option if you have a USB or PCI ADSL modem and want the modem to connect using PPPoE.

    If you do not want your RED interface to connect to your uplink while booting, tick the Do not automatically connect on boot checkbox.

    On this page you will also find a box which displays the number of network cards that were detected. Depending on this value, and on whether you have already used up a network card by selecting a RED type which needs one, the following step lets you configure more or fewer zones.

    Choose network zones

    Figure 2.6. Network wizard showing Step2: Choose network zones

    With this step you decide which zones you want to configure on your firewall. Endian Firewall adopts IPCop's idea of different zones. The following zones are available:

    GREEN

    is the trusted network. This is supposed to be your LAN, from where you connect to the administration interface. This is the mandatory zone and one network interface is reserved for it.

    ORANGE

    is the demilitarized zone (DMZ). If you host servers it is wise to have them on a different network than your local network. If someone manages to break into one of your servers, the attacker does not automatically compromise the local network but is trapped within the DMZ and cannot gain sensitive information from your local network. Note that it makes no sense to use ORANGE if the servers behind ORANGE and the workstations behind GREEN share the same switch or hub: hosts on a shared switch can talk to each other directly, bypassing the firewall.

    BLUE

    is the wireless zone. You can attach a hotspot or WiFi access point to an interface assigned to this zone. There is only a logical difference between this zone and ORANGE. Since wireless networks normally are not really secure you may prefer to put them into a separate zone: hosts in BLUE have no access to the local network behind GREEN and cannot reach hosts behind ORANGE without explicit configuration.

    Source: http://docs.endian.com/archive/2.1/efw.system.network_configuration.html (printed 2/15/2011 10:21 AM)

    RED

    As already described, the RED zone stands for the uplink to the internet provider or to another untrusted network; basically, most of the time all the other zones have to be protected from intruders coming from this zone. You automatically have this zone unless you selected NONE in the dialogue before.

    You need at least one network card per zone, so some options may not be visible if you do not have enough network cards. Note that one network card is reserved for the GREEN zone and one may already be assigned to the RED zone if you selected a RED type which needs a network card.

    You can choose between the following options:

    NONE

    Choose this if you do not need additional zones. You live with GREEN and RED.

    ORANGE

    You want to have only the ORANGE zone in addition to GREEN and RED.

    BLUE

    You want to have only the BLUE zone in addition to GREEN and RED.

    ORANGE & BLUE

    You want to have both, ORANGE and BLUE and will continue with a full featured firewall.

    Network preferences

    This step asks you for the configuration of all the ethernet zones you enabled on the previous page (GREEN, ORANGE and/or BLUE). Each zone is configured in the same way; in the screenshot below you can see the configuration of the green and orange interfaces. At the bottom of this page it is also possible to configure the hostname and domain name of your firewall.

    Figure 2.7. Network wizard showing Step 3: Network preferences


    You need to configure the following fields for each zone:

    IP address

    Provide the IP address which you would like to use for the interface of the respective zone, for example 10.1.1.1. Make sure the address is not already in use within your network, especially if you would like to change the IP address of your GREEN zone. Note that you need to use different subnets for different zones. For example, if you use 10.1.1.1 in GREEN you may use 10.2.2.1 for ORANGE, but not an IP address of the same network, such as 10.1.1.2! The network wizard will not let you go forward if networks overlap or if you do not fill out all necessary fields. It is suggested to follow RFC 1918 and use only IP addresses which are reserved for private networks. The following blocks of IP address space have been reserved for private networks by the Internet Assigned Numbers Authority (IANA):

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)

    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

    Note

    It may also be wise to follow some conventions and always assign the first IP address to the firewall, for example 192.168.0.1.

    Note

    IP addresses ending in .0 (example: 192.168.0.0) and in .255 (example: 192.168.0.255) are reserved for the network address and the broadcast address of a /24 network. Do not assign them to any device.

    Note

    Pay attention if you reconfigure Endian Firewall and change some IP addresses: you then also need to change the IP address within the configuration of some services like the HTTP proxy, which is described later in efw.proxy.http.

    Network mask

    Provide the network mask which you want to use for the interface of the respective zone and the network behind it. For example: 255.255.255.0.

    Note

    Pay attention to use the same network mask on all of your computers behind the same zone, otherwise some of them may not be able to reach the firewall.

    Interface

    Each zone needs to have at least one interface assigned. The network wizard gives you a suggestion about the interface assignment; you may change it. One interface can be assigned to only one zone, and the network wizard does not let you go forward if you choose the same interface for different zones. You can assign multiple interfaces per zone: multiple interfaces can be added by pressing Ctrl and clicking on the desired interfaces. These interfaces are then internally bridged together, so they behave like a switch.

    The interface list shows you all necessary information to identify your network card:

    consecutive numbers: The interface list is sorted by PCI slot identification number. Therefore you can safely give your PCI mounted network cards an index counting from the first to the last: the first network card in your computer should be the card with number 1, the second with number 2, and so forth.

    device description: We use lspci to read out this description. If your device is not included in our PCI device list because it is too new or too exotic, the description will be something like "Unknown device".

    MAC address: The original MAC address of the device. This address should be worldwide unique (in reality it is not always). Most devices have their MAC address printed somewhere on the card or in the manual.


    Note

    Interfaces which are not supported by ethtool are not supported by the network wizard either, because the necessary information cannot be gathered.

    Note

    Each of these zones is internally handled as a bridge, regardless of the number of assigned interfaces. Remember this if you come across interface names: the interface name of a zone is always brX and not ethX. ethX is just the name of the physical interface which is part of the respective zone.

    Internet Access preferences

    During this step you configure the preferences needed to connect to the internet or to the untrusted network outside your firewall. You will find different configuration options on this page, depending on the type of RED interface you chose on the first page of this wizard. Some RED types need more configuration steps than others, therefore you may find substeps. The following sections describe every step for each RED interface type.

    RED type: NONE

    If you have choosen NONE as RED type on the first wizard page, you probably want to read this.

    Figure 2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE

    Since you have no RED, there is nothing to configure for it.

    In order to allow your security device (in this case one can hardly speak of a firewall) to access other networks like the internet you need to configure a default gateway. Here you can set this up. Only in this case you can use any IP address as default gateway that belongs to the network of one of your other zones (GREEN, ORANGE or BLUE). Normally you want to use an IP address belonging to the GREEN network, which probably is another firewall and gateway to the internet.

    RED type: ADSL

    If you have chosen ADSL as RED type then this will be of interest to you.

    Since ADSL modems need a bunch of information this step is divided into three substeps.

    Selection of the modem

    Figure 2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem


    Within the first substep you need to select which modem you want to use. The box on this page shows all the modems currently supported by Endian Firewall. If you cannot find your modem, it is not supported and will not work. If your modem is already plugged in, Endian Firewall tries to recognize it automatically and preselects the first detected modem. The following string is displayed next to each modem that has been detected automatically:

    --> detected


    RFC1483 static IP

    Basically this is a protocol which allows you to handle your modem like an ethernet device to which you manually assign an IP address that you agreed on with your provider beforehand. If you have a real static IP you may need to use this option. You can find further information about this protocol at the RFC Editor: http://www.rfc-editor.org/rfc/rfc1483.txt

    RFC1483 dhcp

    Basically this is the same as RFC1483 static IP, except that the provider assigns your IP address using DHCP.

    Supply connection information

    This substep depends on the decision you made during the previous substep: depending on the selected ADSL connection type it shows different configuration options. Most of the needed information will be provided by your internet service provider. The following fields are common to each ADSL type. They depend on the infrastructure of your ISP, so you need to fill in the values you get from your provider:

    VPI number

    VCI number

    Encapsulation

    PPPoA/PPPoE

    Figure 2.11. Network wizard showing step 4 with RED type ADSL: Substep 3:

    Supply connection information (PPPoE)

    Configuration for PPPoA and PPPoE is almost the same, therefore only PPPoE is described here. The following fields exist in addition to the common fields described above:

    Username

    Provide the username which you got from your ISP.

    Password

    Provide the password which you got from your ISP.


    Authentication method

    Different protocols can be used to authenticate against the providers system. The followingauthentication methods are supported:

    PAP - Password Authentication Protocol

    CHAP - Challenge Handshake Authentication Protocol

    PAP or CHAP - both authentication methods are implemented.

    Some providers support only one authentication method; in that case get that information from your provider. Most providers implement both, and then you can pick either or leave the decision to the system by selecting PAP or CHAP. From a security point of view the two are not equal: PAP sends the password in clear text over the PPP link, whereas CHAP answers a challenge with a hash and never transmits the secret itself, so prefer CHAP when the provider accepts it.

    DNS

    During establishment of a PPP connection, the provider normally sends information about which DNS servers you should use as resolvers. If you select automatic those values are used. If you wish to configure them manually, select manually. This may be useful, for example, if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

    RFC1483 static ip

    Figure 2.12. Network wizard showing step 4 with RED type ADSL: Substep 3:

    Supply connection information (RFC1483 static ip)

    If you got a real static IP from your provider, then normally this type is used. This type has no authentication and no protocol to establish the connection, therefore the provider's system cannot automatically send you configuration parameters (like IP address, DNS, ...) during connection establishment. You need to ask your provider for this information and configure everything manually here. Once configured, nothing changes these parameters automatically as happens with the other ADSL types. The following fields exist in addition to the common fields described above:

    Static IP

    Fill in the public IP address your provider assigned to you. If you do not have this information, ask your provider. If you use the wrong IP address you will not be able to use the connection.

    Netmask


    The network mask you got from your provider. For example: 255.255.255.0

    Gateway

    The IP address of the gateway located on your provider's side which should be used as yourdefault gateway.

    RFC1483 DHCP

    Figure 2.13. Network wizard showing step 4 with RED type ADSL: Substep 3:

    Supply connection information (RFC1483 DHCP)

    This ADSL type is the same as RFC1483 static IP, except that you do not need to provide IP address, netmask and gateway because that information is retrieved automatically using DHCP. The following fields exist in addition to the common fields described above:

    DNS

    Together with the DHCP lease, the provider normally sends information about which DNS servers you should use. If you select automatic those values are used. If you wish to configure them manually, select manually. This may be useful, for example, if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

    RED type: ISDN

    If you chose ISDN as RED type you will see the following dialogue page within the fourth step.

    Figure 2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences


    The following section will describe each of the fields:

    Please select the driver of your modem

    Here you need to select the type of modem you are using. The selection box shows all the modems currently supported by Endian Firewall. If you cannot find your modem, unfortunately it is not supported and will not work. If your modem is already plugged in, Endian Firewall tries to recognize it automatically and preselects the first detected modem. The following string is displayed next to each modem that has been detected automatically:

    --> detected

    Username

    Provide the username you got from your ISP.

    Password

    Provide the password you got from your ISP.

    Authentication method

    Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

    PAP - Password Authentication Protocol

    CHAP - Challenge Handshake Authentication Protocol

    PAP or CHAP - both authentication methods are implemented.

    Some providers support only one authentication method; in that case get that information from your provider. Most providers implement both, and then you can pick either or leave the decision to the system by selecting PAP or CHAP. Note that PAP transmits the password in clear text over the link while CHAP does not, so prefer CHAP where the provider accepts it.

    Use both B-Channels

    Enable this if you want to use both ISDN channels bundled in order to double your bandwidth. Your provider must support this.

    Hang up after minutes of inactivity

    If you want the modem to close the connection to your internet service provider when no data is being sent through it, enable this. If you select a value other than off, the modem closes the connection after the selected number of minutes of inactivity.

    DNS

    During establishment of a PPP connection, the provider normally sends information about which DNS servers you should use as resolvers. If you select automatic those values are used. If you wish to configure them manually, select manually. This may be useful, for example, if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

    RED type: ETHERNET STATIC

    This dialogue page will be shown if you chose ETHERNET STATIC as your RED type.

    Figure 2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences


    Configuration is much the same as described before in the section called Network preferences. You can have only one RED device, therefore you cannot select multiple interfaces. Additionally you need to configure a default gateway: the IP address of the remote host to which the firewall is connected and which will be used as gateway to the internet. This IP address must be located within the RED network; the network wizard does not allow you to enter a default gateway outside it. For example, if you use 192.168.0.1 as IP address and 255.255.255.0 as network mask, the default gateway cannot be 192.168.1.1. A possible value would be 192.168.0.2.
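The addressing rules the wizard enforces are spread over two places: the IP address field under Network preferences (zones must live in distinct subnets, the .0 and .255 addresses are not assignable, RFC 1918 space is recommended) and the default gateway rule above (the gateway must be a host inside the RED network). The following Python script is an added example that re-implements those checks on a plan of zones before you type it into the wizard; it is not code from the Endian documentation or product. The function names, the `(ip, netmask)` tuple layout and the severity labels are assumptions made for the example; the sample addresses are the ones used in the text.

```python
import ipaddress
from itertools import combinations

# The RFC 1918 private blocks listed in the text.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_zones(zones, red_gateway=None):
    """Apply the wizard's addressing rules to {zone: (ip, netmask)} (IPv4, dotted quad).

    Returns a list of (severity, message). 'error' entries are conditions the
    wizard refuses; 'warn' entries are the recommendations from the notes.
    An empty list means the addressing plan is clean.
    """
    findings = []
    parsed = {}
    for zone, (ip, mask) in zones.items():
        try:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
        except ValueError as exc:
            findings.append(("error", f"{zone}: {exc}"))
            continue
        parsed[zone] = iface
        net = iface.network
        # Network and broadcast addresses (the .0 and .255 of a /24) are not hosts.
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(("error", f"{zone}: {iface.ip} is the network or broadcast address of {net}"))
        # Internal zones should use private space; RED usually carries a public address.
        if zone != "RED" and not any(net.subnet_of(block) for block in RFC1918):
            findings.append(("warn", f"{zone}: {net} is not inside an RFC 1918 private range"))
        # Convention from the note: the firewall takes the first usable address.
        if iface.ip != net.network_address + 1:
            findings.append(("warn", f"{zone}: convention is to give the firewall {net.network_address + 1}"))

    # Every zone needs its own subnet: 10.1.1.1/24 and 10.1.1.2/24 are the same network.
    for (za, ia), (zb, ib) in combinations(parsed.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(("error", f"{za} {ia.network} overlaps {zb} {ib.network}"))

    # ETHERNET STATIC: the default gateway must be another host inside the RED network.
    if red_gateway is not None and "RED" in parsed:
        red = parsed["RED"]
        try:
            gw = ipaddress.ip_address(red_gateway)
        except ValueError as exc:
            findings.append(("error", f"gateway: {exc}"))
        else:
            usable = gw in red.network and gw not in (
                red.ip, red.network.network_address, red.network.broadcast_address)
            if not usable:
                findings.append(("error", f"default gateway {gw} is not a usable host in RED network {red.network}"))
    return findings


def errors(findings):
    """Only the findings that would block the wizard."""
    return [msg for severity, msg in findings if severity == "error"]


if __name__ == "__main__":
    # Constructed sample plan using the addresses from the text.
    plan = {
        "GREEN": ("10.1.1.1", "255.255.255.0"),
        "ORANGE": ("10.1.1.2", "255.255.255.0"),   # wrong: same network as GREEN
        "RED": ("192.168.0.1", "255.255.255.0"),
    }
    for severity, message in check_zones(plan, red_gateway="192.168.1.1"):
        print(f"{severity}: {message}")
```

Run it on the plan you intend to enter; the sample above reports the two mistakes the text warns about (ORANGE in the GREEN subnet, gateway outside the RED network). The RFC 1918 check is a warning rather than an error because the wizard accepts public addresses in internal zones; the text only recommends against them.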

    RED type: ETHERNET DHCP

    This dialogue page will be shown if you chose ETHERNET DHCP as RED type.

    Figure 2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences


    ETHERNET DHCP is much the same as ETHERNET STATIC, except that there is no need to configure the device, since all necessary information is retrieved from the DHCP server. You only need to select which interface you would like to use for your RED zone. Since there is no possibility to have more than one RED interface, you cannot select multiple interfaces. The following configuration options exist:

    Interface

    Select the interface you want to use as RED interface as already described above.

    DNS

    The DHCP server also sends you the IP addresses of your DNS servers. If you select automatic these addresses are used. If you wish to configure them manually, select manually. This may be useful, for example, if your DHCP server sends wrong information or if the supplied DNS resolvers do not work correctly.

    RED type: PPPoE

    This dialogue page will be shown if you chose PPPoE as RED type.

    Figure 2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences


    As already mentioned, you use this type if you have an ADSL modem with a simple ethernet connection to your Endian Firewall.

    Note

    In most cases this cable has to be a crossover cable, unless one of the two ports supports Auto-MDI/MDIX.

    The following configuration options are supported for this type:

    Interface

    Select the interface you want to use as RED interface, i.e. the one to which you connected the ADSL ethernet modem.

    ADSL type

    This option will disappear. It makes no difference what you select here.

    Username

    Fill in the username you got from your internet service provider.

    Password

    Fill in the password you got from your internet service provider.

    Authentication method


    Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

    PAP - Password Authentication Protocol

    CHAP - Challenge Handshake Authentication Protocol

    PAP or CHAP - both authentication methods are implemented.

    Some providers support only one authentication method; in that case get that information from your provider. Most providers implement both, and then you can pick either or leave the decision to the system by selecting PAP or CHAP. Note that PAP transmits the password in clear text over the link while CHAP does not, so prefer CHAP where the provider accepts it.
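The Authentication method field appears for the ADSL, ISDN and PPPoE RED types, and each time the text presents PAP and CHAP as interchangeable. On an untrusted link they are not: PAP (RFC 1334) places the password itself in the Authenticate-Request, while CHAP (RFC 1994) sends only an MD5 hash over the packet identifier, the secret and a fresh challenge. The following Python script is an added example, not code from the Endian documentation or the PPP implementation it uses; it builds both packet types and runs one CHAP round with the provider side verifying the response. The peer names, the secret and the fixed challenge in the test are constructed sample values.

```python
import hashlib
import hmac
import os

# Packet codes from RFC 1334 (PAP) and RFC 1994 (CHAP).
PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def _ppp_auth_packet(code, identifier, data):
    """Shared PPP authentication header: Code, Identifier, 16-bit Length, then data."""
    return bytes([code, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Peer-ID and Password travel as plain octets."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _ppp_auth_packet(PAP_AUTHENTICATE_REQUEST, identifier, data)


def chap_hash(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge_packet(identifier, challenge, name):
    """Provider -> client: Value-Size, Challenge Value, Name of the challenger."""
    return _ppp_auth_packet(CHAP_CHALLENGE, identifier, bytes([len(challenge)]) + challenge + name)


def chap_response_packet(identifier, secret, challenge, name):
    """Client -> provider: only the hash goes on the wire, the secret never does."""
    value = chap_hash(identifier, secret, challenge)
    return _ppp_auth_packet(CHAP_RESPONSE, identifier, bytes([len(value)]) + value + name)


def chap_verify(response_packet, secret, challenge):
    """Provider side: recompute the hash from its own copy of the secret, compare in constant time."""
    code, identifier = response_packet[0], response_packet[1]
    if code != CHAP_RESPONSE:
        return False
    value_size = response_packet[4]
    value = response_packet[5:5 + value_size]
    return hmac.compare_digest(value, chap_hash(identifier, secret, challenge))


def chap_exchange(client_secret, server_secret, challenge=None, identifier=1):
    """Run one CHAP round between the client and the provider.

    Returns (authenticated, bytes_on_wire). The challenge is random per round
    unless one is supplied for a reproducible run.
    """
    if challenge is None:
        challenge = os.urandom(16)
    # Hypothetical peer names, constructed for the example.
    chal = chap_challenge_packet(identifier, challenge, b"isp-access-server")
    resp = chap_response_packet(identifier, client_secret, challenge, b"user@example")
    ok = chap_verify(resp, server_secret, challenge)
    result = _ppp_auth_packet(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier, b"")
    return ok, chal + resp + result


if __name__ == "__main__":
    secret = b"s3cret"  # constructed sample credential
    pap = pap_authenticate_request(7, b"user@example", secret)
    print("PAP request carries the password:", secret in pap)
    ok, wire = chap_exchange(secret, secret)
    print("CHAP authenticated:", ok, "- password visible on wire:", secret in wire)
```

A captured CHAP exchange still contains the challenge and the response, so a weak secret can be recovered offline by guessing; CHAP prevents passive reading of the password, not dictionary attacks against it. Select CHAP where the provider supports it and use a long random password in either case.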

    DNS

    During establishment of a PPP connection, the provider normally sends information about which DNS servers you should use as resolvers. If you select automatic those values are used. If you wish to configure them manually, select manually. This may be useful, for example, if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

    Service

    Some ISPs provide different services, therefore you may enter the service name here in order to select which one you want to use, if necessary. In most cases this option is not needed.

    Concentrator name

    Specifies the desired access concentrator name. In most cases you should not specify this option.Use it only if you know that there are multiple access concentrators and your ISP wants you tospecify a particular one.

    Configure DNS resolver

    This step is only needed if the RED connection type does not automatically provide the addresses of the DNS resolvers to use, or if you selected in the previous step that you want to set the DNS resolvers manually. If DNS resolvers are retrieved automatically, no configuration fields are shown here and you can safely go ahead. Otherwise you will see two fields labeled DNS 1 and DNS 2.

    Figure 2.18. Network wizard showing step 5: configure DNS resolver

    Fill both fields with the DNS servers you want to use as resolvers. If you have only one, it is possible to enter the same value in both fields, but this is not recommended, since you will not be able to resolve names if that nameserver temporarily does not answer. You need a working DNS resolver in order to resolve names; if resolving does not work you may not be able to access internet sites.

    Apply configuration

    This is the last step of the network wizard. It only asks you to confirm the modifications.

    Figure 2.19. Network wizard showing step 6: Apply configuration


    Click the button OK, apply configuration to go ahead. Once you did this, the network wizard writes the data, reconfigures all necessary devices and restarts all dependent services. This may take up to 20 seconds. During the restart you may not be able to connect to the administration interface and for a short time no connections through the firewall are possible. That is normal. The administration interface reloads automatically after 20 seconds.

    If you changed the IP address of the GREEN zone you will be redirected to the new IP address, after the 20 seconds of course. In this case, and/or if you have changed the hostname, a new SSL certificate is generated.

    Note

    There is a known issue when managing more than one Endian Firewall from the same browser: the browser may refuse the new certificate, reporting it as corrupt. You can work around this by removing all previously accepted certificates from the browser cache, or by closing all browser windows and restarting the browser.
