Ethernet-Bridge

Configuration of a bridge in connection with eth interfaces

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Beta version

11.8 11.7

Introduction

Eine Bridge (Netzwerkbrücke) verbindet zwei physikalische Netzwerke zu einem gemeinsamen Netz.
Die so zusammengeschlossenen Schnittstellen haben eine IP und die IP-Adressen der angeschlossenen Geräte liegen im selben Subnetz.

notempty

Die Firewall darf nicht über diejenige Schnittstelle administriert werden, die zu einer Bridge hinzugefügt werden soll!

Die Verbindung zum Admin-Interface fällt weg, sobald die IP-Adresse von der Schnittstelle entfernt wird, über die gerade auf die UTM zugegriffen wird.
Wenn alle verfügbaren internen Schnittstellen zu einer Bridge hinzugefügt werden (z. B. A1 und A2 bei einer Black Dwarf), muss der Zugriff auf die Firewall von außen über A0 erfolgen.

Eine Portweiterleitung aus einem internen Netzwerk über eine externe IP-Adresse ist über eine Bridge nicht möglich.
Lösung: Eine Forward-Zone im Nameserver der UTM einrichten. Dafür muss die UTM als Nameserver für die internen Clients konfiguriert sein. Dann verweist die externe URL, die von Intern aufgerufen wird, direkt auf den Internen Ziel-Server.
Eine Anleitung zum einrichten der Forward-Zone befindet sich unter Forward-Zone im Nameserver Wiki.

Die Bridge ist vollständig Layer 2 kompatibel. Broadcast-Pakete werden z.B. transparent an alle Schnittstellen innerhalb der Bridge weitergeleitet.

Prepare administration access

Identify an interface on the firewall that should not be bridged.
In the menu Network Network Configuration Area Network interfaces IP Addresses note down or assign existing IP address of this interface (e.g. 10.0.10.1/24 or 10.10.10.193/29).
Find a free IP address from the corresponding network.
Add this IP address or the entire associated network (e.g. 10.0.10.0/24 or 10.10.10.192/29) in the menu Network Server Settings Area Administration and authorize it for administration.
Establish access on the selected interface via this IP address or this network (e.g.: 10.0.10.1:11115 or 10.10.10.193:11115).

Prepare interfaces

Edit Ethernet interfaces UTMuser@firewall.name.fqdnNetworkNetwork configuration Removing IP address

First, remove all IP addresses from the interfaces to be used for the bridge.
Menu → in the corresponding interface → Tab IP Addresses.
Remove IP addresses. In the example »192.168.100.1/24 by clicking on ✕

Under no circumstances may the IP address be removed which is used for the current access!

Remove zones In the second step, all zones are removed from the interfaces to be used for the bridge.
Menu → in the corresponding interface → Tab Zones.
Remove the zones by clicking on ✕. In the example »dmz1 »firewall-dmz1.
Then Save.

Under no circumstances may the zone be removed which is used for the current access!

Fig.1

Initial position interfaces

Fig.2

Prepared interfaces

Create a Bridge

In the example, the interfaces A1 and A2 are to be combined to a DMZ.
Start the wizard in the menu Network Network Configuration Area Network interfaces button + Bridge.

Step 1 Step 1
Caption	Value	Description	Add interface UTMuser@firewall.name.fqdnNetworkNetwork configuration Assistant step 1
Name:	bridge0	Name of the bridge interface
IP address:	10.50.50.1/24	Example-IP address of the bridge interface
STP:	Off	In addition, the Spanning Tree Protocol can be activated. The Spanning Tree Protocol prevents parallel connections in networks with multiple switches and thus avoids unwanted circular packets .
STP Bridge Priority:	32768
Continue		Next step

Step 2 Step 2
Interfaces:	»A1 »A2	Interfaces that are to be combined. Available interfaces can be selected in the click box.	Assistant step 2
Continue		Next step

Step 3 Step 3
Zones:	»dmz1 »firewall-dmz1	Zones that are to be linked with the bridge interface. In our example dmz1 and firewall-dmz1.	Assistant step 3
Add new zone:	Off dmz2	If activated, a new zone can be added to the bridge alternatively or additionally.
Generate Rules:	Off	Packetfilter rules are automatically created for the new zone. These rules first allow any network traffic of the bridge to the internet (any rules) and must be replaced unconditionally by customized rules!
Update associated network objects:	On	If activated, all network objects whose zone is assigned to another interface and which have specified an interface as the target are now assigned the new bridge as the target.
Finish		Completes the bridge setup.

Configured bridge			Network configuration UTMuser@firewall.name.fqdnNetwork Configured bridge

Set up packetfilter rule

A packetfilter rule is required to allow network traffic between the interfaces belonging to the bridge.
A new network object is created for this purpose.

Caption	Value	Description	Add network object UTMuser@firewall.name.fqdnFirewallNetwork objects
Name:	all-dmz	Choose any name
Type:	Network (address)
Address:	0.0.0.0/0	Any network traffic should be possible. The restriction is made by specifying the zone.
Zone:	dmz1	Zone linked to the bridge.

Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter Packetfilter rule for the bridge

Finally, only the packetfilter rule with the network object just created has to be created.

At this point a any-rule may actually be used so that the interfaces can communicate completely with each other.

		#	Source	Destination	Service	NAT	Action	Active
		4	all-dmz	all-dmz	any		Accept	On

Network traffic to other networks (internal or external) should then be restricted by rules that work with the network objects that are mapped to the bridge zone.

Example rule to release only ftp services from the DMZ

		#	Source	Destination	Service	NAT	Action	Active
		4	dmz1-network	internet	ftp	HNE	Accept	On

The bridge setup is completed with .

Introduction

Prepare administration access

Prepare interfaces

Create a Bridge

Step 1

Step 2

Step 3

Set up packetfilter rule