<< Back to man.ChinaUnix.net

Network Configuration

Endian Firewall provides a Network Setup Wizard for easy and fast configuration of your network interfaces and your uplink. The Wizard is divided into steps with intuitive dialogues. Some steps may have substeps. The first line of each dialogue window will display the actual step or substep, how many you need to go through and a short description about the actual page. You can go forth or back with the buttons next and back during network wizard as you wish. On the last dialogue window you will be asked if you really want to save the configuration you created using the wizard. If you proceed the configuration will be stored and Endian Firewall will reconfigure it's interfaces. This takes some time and over this period of time you will not be able to reach the web interface anymore.

Choose type of RED interface

Figure 2.5. Network wizard step 1: Choose type of RED interface

Network wizard step 1: Choose type of RED interface

The RED interface is supposed to be the interface which connects your Firewall to the "outside", the untrusted network, which normaly of course is the internet, or the uplink to your internet provider.

Endian Firewall does support the following types of RED interfaces. Some may be network interfaces, other may be PCI cards or USB devices:

NONE

Your firewall has no RED interface. This is unusual since a firewall normaly need to have two interfaces as minimum. But for some scenarios this possibility does make sense. For example if you want to use only a specific service of the firewall. If you choose this you will be able later to set a default gateway which does not lie within RED network.

ADSL

If you have a USB or PCI ADSL modem you are right with this option.

ISDN

Select this if you have an ISDN USB device or PCI card.

ETHERNET STATIC

Select this if your RED interface is a simple ethernet card and you need to setup network information like IP address, Netmask and so on manually. If your need to connect your RED interface to a simple router so this may be the right choice. Remember that in most cases you will need a crossover cable in order to connect it correctly.

ETHERNET DHCP

Select this if your RED interface is a simple ethernet card which needs to get network information through DHCP. Most Cable modems, ADSL/ISDN router provide this possibility.

PPPoE

If your RED interface is a simple ethernet card connected to a device which needs you to use PPPoE in order to connect to your provider, then select this. Pay attention to not confuse with the ETHERNET DHCP or ADSL option. This is only needed if your modem uses bridging mode and does not connect itself via PPPoE to the internet provider. Some ADSL router let you connect using DHCP or STATIC and establish the ADSL connections themselves using PPPoE. Also this is the wrong option if you have a USB or PCI ADSL modem and want the modem to connect using PPPoE.

On this page you will find also a box which displays the amount of network cards which could be found. Depending of this value and if you already have exhaused a network card selecting a RED type which needs a network card, the following step let's you configure more or less zones.

Choose network zones

Figure 2.6. Network wizard showing Step2: Choose network zones

Network wizard showing Step2: Choose network zones

With this step you can decide which zones you want to configure on your firewall. Endian Firewall assumed IPCops idea of different zones. The following zones does exist:

GREEN

is the trusted network. This is supposed to be your LAN from where you connect to the administration interface. This zone is the only which is mandatory and one network interface is reserved for it.

ORANGE

is the demilitarized zone (DMZ). If you host servers it is wise to have them on a different network than your local network. If one manages it to break in on one of your server, so the attacker does not automatically compromise the local network, but it is trapped within the DMZ and can't gain sensible information from your local network. Note that it makes no sense to use ORANGE if the servers behind ORANGE and the workstations behind GREEN share the same switch or hub!

BLUE

is the wireless zone. You can attach a hotspot or Wifi access point to an interface assigned to this zone. There is only a logical difference between this zone and ORANGE. Since wireless networks normally are not really secure you may prefer to put them into a separate zone since they have no access to the local network behind GREEN and cannot reach hosts behind ORANGE without configuration.

RED

As already described, the RED zone is stands for the uplink to the internet provider or to an untrusted network of which the firewall should protect the other zones. You automatically have this zone except you selected NONE on the dialogue before.

You need to have at least one network card per zone so some options may not be visible for you if you do not have enough network cards. Note that one network card is reserved for the GREEN zone and one may be already assigned to the RED zone if you have selected a RED type which needs a network card.

You can choose between the following options:

NONE

Choose this if you do not need additional zones. You live with GREEN and RED.

ORANGE

You want to have only the ORANGE zone in addition to GREEN and RED.

BLUE

You want to have only the BLUE zone in addition to GREEN and RED.

ORANGE & BLUE

You want to have both, ORANGE and BLUE and will continue with a full featured firewall.

Network preferences

This step asks you for configuration of all your ethernet zones you enabled in the page before (GREEN, ORANGE and/or BLUE). The configuration of each zone is always the same, therefore you will see only the configuration of the GREEN zone on the following screenshot. At the bottom of this page it is also possible to configure the hostname and domainname of your firewall.

Figure 2.7. Network wizard showing Step 3: Network preferences

Network wizard showing Step 3: Network preferences

You need to configure the following fields for each zones:

IP address

Provide the IP address which you like to use for the interface of the respective zone. For example: 10.1.1.1. Pay attention to use an IP address which is not already used within your network, especially if you would like to change the IP address of your GREEN zone. Note that you need to use different subnet's for different zones. For example if you use 10.1.1.1 in GREEN, you may use 10.2.2.1 for ORANGE, but not an IP address of the same network, like 10.1.1.2! The network wizard will not allow you to go forth if networks will overlap or if you do not fill out all necessary fields. It is considered to follow the standards described in RFC1918 and use only IP addresses which are reserved for private networks. The following blocks of IP address space has been reserved for private networks by the Internet Assigning Numbers Authority (IANA):

  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)

  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

  • 192.168.0.0 - 192.168.255.255 ( 192.168.0.0/16)

It also may be wise to follow some conventions and always assign the first ip address to the firewall. For example 192.168.0.1.

Note that ip addresses ending with 0 (example: 192.168.0.0) and with 255 (example: 192.168.0.255) are reserved for network address and broadcast address. You shall not assign them to any device.

Pay attention if you reconfigure Endian Firewall and change some ip addresses, then you need to change the ip address also within configuration of some services like the HTTP proxy, which is descibed later in the section called “HTTP Proxy”.

Network mask

Provide the network mask which you like to use for the interface of the respective zone and the network behind it. For example: 255.255.255.0. Pay attention to use the same network mask on all of your computers behind the same zone or some may not be able to pass the firewall.

Interface

Each zone needs to have at least one interface assigned. The network wizards gives you a suggestion about interface assignement. You certainly may change this. One interface can be assigned only to one zone. The network wizard does not allow you to go forth if you choose the same interfaces on different zones. You can assign multiple interfaces per zone. Multiple interfaces can be added by pressing Ctrl and clicking on the desired interfaces. The interfaces will then internally bridged together, so they have the same functionality like a switch.

The interface list shows you all necessary information to identify your network card:

  • consecutive numbers: The interface list will be sorted on the basis of the PCI slot identification number. Therefore you are save to give your PCI mounted network cards an index counting from the first to the last. The first network card in your computer should be the card with number 1. The second with number 2, and so forth.

  • device description: We use lspci to read out this description. If your device is not included within our pci devices list because it is to new or to exotic, the description will be something like "Unknown device".

  • MAC address: The original MAC address of the device. This address should be worldwide unique (In reality it's not always). Most devices have printed their MAC address somewhere on the card or within manual.

Note: Interfaces which are not supported by ethtool will not be supported by the network wizard because the necessary information cannot be gathered.

Note that each of this zones will be internally handled as bridges, regardless of the amount of assigned interfaces. Remember this if you find any interface names. The interface name of a zone is always called brX and not ethX. ethX is just the name of the physical interface which is part of the respective zone.

Internet Access preferences

Within this step you can configure the preferences needed to connect to the internet or your untrusted network ahead of your firewall. You will find different questions on thie page, depending of which RED type you have choosen on the first wizard page. Some RED types need to ask you some more questions, therefore here you may find substeps. The following will descibe this step for each RED type.

RED type: NONE

If you have choosen NONE as RED type on the first wizard page, you probably want to read this.

Figure 2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE

Network wizard showing Step 4: Internet Access Preferences for RED type NONE

Since you have no RED, you do not need to configure it. Wow, how impressive.

In order to allow your Security Device (In this case I do not dare to speak of a firewall) to access other networks like the internet you need to configure a default gateway. Here you can set this up. In this only case you can use each ip address as default gateway, which belongs to a network of your other zones (GREEN, ORANGE or BLUE). Normally you want to use an IP address belonging to the GREEN network, which probably may be another firewall and gateway to the internet.

RED type: ADSL

If you chose ADSL as RED type then this will interest you.

Since ADSL modem need a bunch of information this step is subdivided into three substeps.

Selection of the modem

Figure 2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem

Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem

Within the first substep you need to select which modem you like to use. The box on this page shows you all the modems which will be actually supported by the Endian Firewall. If you can't find your modem then it obviously will not be supported and will not work. If your modem is already plugged in, Endian Firewall will recognize it automatically and preselects the first detected. The following string will be displayed on each modem which have been automatically detected:

--> detected <--

The following modems will actually be supported:

  • ADSL modems with Conexant chipset.

  • Fritz!Card DSL

  • Fritz!Card DSL v2

  • Fritz!Card DSL SL

  • Fritz!Card DSL SL USB

  • Fritz!Card DSL USB

  • Fritz!Card DSL USB Analog

Choose ADSL connection type

Figure 2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type

Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type

Endian Firewall supports four different possibilites to connect to an ADSL concentrator. You need to know which connection types will be supported by your internet provider and use the respective type. Often internet provider allows you to choose between PPPoA and PPPoE, then you can select whatever you want. Keep in mind that PPPoE causes a little more traffic overhead according to PPPoA, if this is of inportance. The four possibilities are:

PPPoA

PPP over ATM. You can find further information about this protocol on Wikipedia.

PPPoE

PPP over Ethernet. You can find further information about this protocol on Wikipedia

RFC1483 static IP

Basically this is a protocol which allows you to handle your modem like an ethernet device to which you assign an IP address manually which you negotiated with your provider before. If you have a real static IP you may need to use this option. You can find further information about this protocol on RFC Editor. http://www.rfc-editor.org/rfc/rfc1483.txt

RFC1483 dhcp

Basically this is the same as RFC1483 except that the provider assigns your ip address using DHCP.

Supply connection information

This substep depends on your decision you made on the substep before. Depending of the selected ADSL connection type the substep asks you for different information. Most of the asked information will be provided by your internet service provider. The following fields are common for each ADSL type. They depend on the infrastructure of your ISP so you need to fill in the values you get from your provider:

  • VPI number

  • VCI number

  • Encapsulation

PPPoA/PPPoE

Figure 2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)

Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)

Configuration for PPPoA and PPPoE are quite the same, therefore only PPPoA will be described here. The following fields do exist additionally to the common one described above:

Username

Provide the username which you got from your ISP.

Password

Provide the password which you got from your ISP.

Authentication method

There do exist different protocols which can be used to authenticate against the providers system. The following authentication methods do exist:

  • PAP - Password Authentication Method

  • CHAP - Challenge Handshake Authentication Protocol

  • PAP or CHAP - both authentication methods are implemented.

Some provider may support only one authentication method. In that case you should got that information from your provider. Most provider implement both authentication methods, then it is safe to use whatever you want or to leave the decision to the system by selecting PAP or CHAP.

DNS

During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolver. If you select automatic those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolver do not work correctly.

RFC1483 static ip

Figure 2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)

Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)

If you got a real static IP from your provider, then normally this type will be used. This type does not know any authentication or protocols to establish the connection. Therefore the the providers system cannot automatically send you configuration parameters (like IP address, DNS, ...) during connection establishment. You need to ask your provider for this information and need to configure them manually. Once configured there is no system which changes them automatically like with the other ADSL types. The following fields do exist additionally to the common one descibed above:

Static IP

Fill in your public IP address which your provider assigned to you. Ask your provider if you do not have this information. If you use the wrong IP address you may not be able to use the connection.

Netmask

The network mask which you got from your provider. For example: 255.255.255.0

Gateway

The IP address of the gateway located on your providers side which should be used as your default gateway.

RFC1483 DHCP

Figure 2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)

Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)

This ADSL type is the same as RFC1483 static ip, except that you do not need to provide IP address, netmask and gateway because that information will be automatically got using DHCP. The following fields does exist additionally to the common one described above:

DNS

During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use. If you select automatic those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolver do not work correctly.

RED type: ISDN

If you chose ISDN as RED type sou will see the following dialogue page within the fourth step.

Figure 2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences

Network wizard showing step 4 with RED type ISDN: Internet Access Preferences

The following will describe each of the fields:

Please select the driver of your modem

Here you need to select which modem you like to use. The selection box shows you all the modems which will be actually supported by the Endian Firewall. If you can't find your modem then it obviously will not be supported and will not work. If your modem is already plugged in, Endian Firewall will recognize it automatically and preselects the first detected. The following string will be displayed on each modem which have been automatically detected:

--> detected <--

The following modems will actually be supported:

  • AVM GmbH, Fritz Card USB2 (Version 3.0)

  • AVM GmbH, Fritz Card USB2 (Version 2.0)

  • HFC-S PCI (Billion and compatible)

  • HFC-S USB TA (Billion, Trust or compatible)

  • AVM GmbH, Fritz Card PCI

  • AVM GmbH, Fritz Card USB

Phonenumber to dial

Fill in the telephone number of your Internet Service Provider, which you need to dial to connect to the Internet.

Your phone number to be used to dial out

Fill in the telephone number of your telephone which you want to be used when you dial out. This number may be also known as MSN.

Username

Provide the username which you got from your ISP.

Password

Provide the password which you got from your ISP.

Authentication method

There do exist different protocols which can be used to authenticate against the providers system. The following authentication methods do exist:

  • PAP - Password Authentication Method

  • CHAP - Challenge Handshake Authentication Protocol

  • PAP or CHAP - both authentication methods are implemented.

Some provider may support only one authentication method. In that case you should got that information from your provider. Most provider implement both authentication methods, then it is safe to use whatever you want or to leave the decision to the system by selecting PAP or CHAP.

Use both B-Channels

Enable this if you want to use both ISDN channels bundled in order to double your bandwith. Your provider must support this.

Hang up after minutes of inactivity

If you want the modem to close the connection to your internet service provider if no data will be sent through it you may enable this. If you select a value different to off, the modem will close the connection after the selected minutes of inactivity.

DNS

During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolver. If you select automatic those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolver do not work correctly.

RED type: ETHERNET STATIC

This dialogue page will be shown if you chose ETHERNET STATIC as your RED type.

Figure 2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences

Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences

Configuration is pretty the same as described before in the section called “Network preferences”. Actually you can have only one RED device, therefore you cannot select multiple interfaces. Additionally you need to configure a default gateway. That is the IP address of your remote host to which the firewall is connected to and which will be used as gateway to the internet. This IP address must be located within the RED network. The network wizard does not allow you to provide a default gateway which is not within the RED network. For example if you use 192.168.0.1 as IP address and 255.255.255.0 as network mask, the default gateway cannot be 192.168.1.1. A possible value would be 192.168.0.2.

RED type: ETHERNET DHCP

This dialogue page will be shown if you chose ETHERNET DHCP as RED type.

Figure 2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences

Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences

ETHERNET DHCP is pretty the same as ETHERNET STATIC, except that there is no need to configure the device, since all necessary information will be got from the DHCP server. You only need to select which interface you would like to use as RED. Since there is actually no possibility to have more than one RED interface, you can not select multiple interfaces. The following configuration options do exist:

Interface

Select the interface you want to use as RED interface as already described above.

DNS

The DHCP server sends you also the DNS servers you need to use as DNS resolver. If you select automatic the values of the DHCP server will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your DHCP server sends wrong information or if the supplied DNS resolver do not work correctly.

RED type: PPPoE

This dialogue page will be shown if you chose PPPoE as RED type.

Figure 2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences

Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences

As already mentioned above, you use this type if you have a ADSL modem which you can connect through an ethernet cable to a network card of your Endian Firewall. Note that this cable in most cases must be crossover!

The following configuration options does exist for this type:

Interface

Select the interface you want to use as RED interface and to which you connected the ADSL ethernet modem.

ADSL type

This option will disappear. It makes no difference what you select here.

Username

Fill in the username which you got from your internet service provider

Password

Fill in the password which you got from your internet serivce provider

Authentication method

There do exist different protocols which can be used to authenticate against the providers system. The following authentication methods do exist:

  • PAP - Password Authentication Method

  • CHAP - Challenge Handshake Authentication Protocol

  • PAP or CHAP - both authentication methods are implemented.

Some provider may support only one authentication method. In that case you should got that information from your provider. Most provider implement both authentication methods, then it is safe to use whatever you want or to leave the decision to the system by selecting PAP or CHAP.

DNS

During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolver. If you select automatic those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolver do not work correctly.

Service

Some ISP does provide different services, therefore you may insert the service name here in order to select which one you want to use if it is necessary. In most cases this option is needless.

Concentrator name

Specifies the desired access concentrator name. Inmost cases you should not specify this option. Use it only if you know that there are multiple access concentrators and your ISP wants you to specify a specific one.

Configure DNS resolver

This step is only needed if the RED connection type does not send automatically the DNS resolvers which should be used or if you have selected within the step before that you want to set the DNS resolvers manually. If DNS resolvers will be get automatically then no configuration fields will be shown here. You can safely go ahead. Otherwise you will see two fields labeled DNS 1 and DNS 2.

Figure 2.18. Network wizard showing step 5: configure DNS resolver

Network wizard showing step 5: configure DNS resolver

Fill the both fields with the DNS servers you want to use as resolvers. If you have only one then it is safe to fill in the same value in both fields but this is not recommended since you will not be able anymore to resolve names if that only nameserver will not answer temporarily. You need a working DNS resolver in order to resolve names. If resolving does not work you may not be able to access internet sites.

Apply configuration

This is the last step of the network wizard. It only asks you to confirm the modifications.

Figure 2.19. Network wizard showing step 6: Apply configuration

Network wizard showing step 6: Apply configuration

Click the button OK, apply configuration, to go ahead. Once you did this, the network wizard will write down the data, reconfigures all necessary devices and restarts all depending services. This may take up to 20 seconds. While the restarting process you may not be able to connect to the administration interface and for a short time no connections through the firewall will be possible. So no worries, that's normal. The administration interface will automatically reload after 20 seconds.

If you changed the ip address of the GREEN zone you will be redirected to the new ip address, after the 20 seconds of course. In this case and/or if you have changed the hostname a new SSL certificate will be generated. Note that there is an issue if you manage more Endian Firewalls, then the browser will not refuse the new certificate because it finds that the certificate is corrupt. You can solve this issue by removing all accepted certificates from the browser cache or to close all running browsers and then reopen.