Ethernet-Bridge

Configuration of a bridge in connection with eth interfaces

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Beta version

11.8 11.7

Introduction

A bridge connects two physical networks into a single network.
The interfaces connected in this way share an IP, and the IP addresses of the connected devices are in the same subnet.

notempty

The firewall must not be administered via the interface that is to be added to a bridge!

Access to the admin interface will be lost as soon as the IP address is removed from the interface currently used to access the UTM.
If all available internal interfaces are added to a bridge (e.g., A1 and A2 on a Black Dwarf), access to the firewall must be established externally via A0.

Port forwarding from an internal network via an external IP address is not possible over a bridge.
Solution: Set up a forward zone in the UTM's name server. For this, the UTM must be configured as the name server for internal clients. The external URL called internally then points directly to the internal target server.
Instructions for setting up the forward zone can be found in the Nameserver Wiki under Forward-Zone.

The bridge is fully Layer 2 compatible. Broadcast packets, for example, are transparently forwarded to all interfaces within the bridge.

Prepare administration access

Identify an interface on the firewall that should not be bridged.
In the menu Network Network Configuration Area Network interfaces IP Addresses note down or assign existing IP address of this interface (e.g. 10.0.10.1/24 or 10.10.10.193/29).
Find a free IP address from the corresponding network.
Add this IP address or the entire associated network (e.g. 10.0.10.0/24 or 10.10.10.192/29) in the menu Network Server Settings Area Administration and authorize it for administration.
Establish access on the selected interface via this IP address or this network (e.g.: 10.0.10.1:11115 or 10.10.10.193:11115).

Prepare interfaces

Edit Ethernet interfaces UTMuser@firewall.name.fqdnNetworkNetwork configuration Removing IP address

First, remove all IP addresses from the interfaces to be used for the bridge.
Menu → in the corresponding interface → Tab IP Addresses.
Remove IP addresses. In the example »192.168.100.1/24 by clicking on ✕

Under no circumstances may the IP address be removed which is used for the current access!

Remove zones In the second step, all zones are removed from the interfaces to be used for the bridge.
Menu → in the corresponding interface → Tab Zones.
Remove the zones by clicking on ✕. In the example »dmz1 »firewall-dmz1.
Then Save.

Under no circumstances may the zone be removed which is used for the current access!

Fig.1

Initial position interfaces

Fig.2

Prepared interfaces

Create a Bridge

In the example, the interfaces A1 and A2 are to be combined to a DMZ.
Start the wizard in the menu Network Network Configuration Area Network interfaces button + Bridge.

Step 1 Step 1
Caption	Value	Description	Add interface UTMuser@firewall.name.fqdnNetworkNetwork configuration Assistant step 1
Name:	bridge0	Name of the bridge interface
IP address:	10.50.50.1/24	Example-IP address of the bridge interface
STP:	Off	In addition, the Spanning Tree Protocol can be activated. The Spanning Tree Protocol prevents parallel connections in networks with multiple switches and thus avoids unwanted circular packets .
STP Bridge Priority:	32768
Continue		Next step

Step 2 Step 2
Interfaces:	»A1 »A2	Interfaces that are to be combined. Available interfaces can be selected in the click box.	Assistant step 2
Continue		Next step

Step 3 Step 3
Zones:	»dmz1 »firewall-dmz1	Zones that are to be linked with the bridge interface. In our example dmz1 and firewall-dmz1.	Assistant step 3
Add new zone:	Off dmz2	If activated, a new zone can be added to the bridge alternatively or additionally.
Generate Rules:	Off	Packetfilter rules are automatically created for the new zone. These rules first allow any network traffic of the bridge to the internet (any rules) and must be replaced unconditionally by customized rules!
Update associated network objects:	On	If activated, all network objects whose zone is assigned to another interface and which have specified an interface as the target are now assigned the new bridge as the target.
Finish		Completes the bridge setup.

Configured bridge			Network configuration UTMuser@firewall.name.fqdnNetwork Configured bridge

Set up packetfilter rule

A packetfilter rule is required to allow network traffic between the interfaces belonging to the bridge.
A new network object is created for this purpose.

Caption	Value	Description	Add network object UTMuser@firewall.name.fqdnFirewallNetwork objects
Name:	all-dmz	Choose any name
Type:	Network (address)
Address:	0.0.0.0/0	Any network traffic should be possible. The restriction is made by specifying the zone.
Zone:	dmz1	Zone linked to the bridge.

Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter Packetfilter rule for the bridge

Finally, only the packetfilter rule with the network object just created has to be created.

At this point a any-rule may actually be used so that the interfaces can communicate completely with each other.

		#	Source	Destination	Service	NAT	Action	Active
		4	all-dmz	all-dmz	any		Accept	On

Network traffic to other networks (internal or external) should then be restricted by rules that work with the network objects that are mapped to the bridge zone.

Example rule to release only ftp services from the DMZ

		#	Source	Destination	Service	NAT	Action	Active
		4	dmz1-network	internet	ftp	HNE	Accept	On

The bridge setup is completed with .

Introduction

Prepare administration access

Prepare interfaces

Create a Bridge

Step 1

Step 2

Step 3

Set up packetfilter rule