Ethernet Interfaces

Creating and configuring an Ethernet interface

Last adaptation to the version: 14.0.0 (11.2024)

New:

New autonegotiation option: Default
Speed and duplex are adjustable, even if autonegotiation is switched on
Interfaces can be reset

notempty

This article refers to a Beta version

12.6.0 12.5.1 11.7

Network interfaces General

Only if → Show reset interface options On
Button	Description		Network configuration UTMuser@firewall.name.fqdnNetwork Network interfaces overview
Edit	Edit the respective interface
Resetnotempty New as of v14.0.0	Resetting the interface options, this includes everything that is found with the CLI command interface get in the options column (list here), as well as the hotwire configuration.
Delete	Deletes the respective interface

In the table settings (), the display and content of the table can be configured. notempty New as of v14.0.0
Show reset of interface options:	Off	When activated On, the button for resetting a network interface is displayed	Table settings
Style:	Default	Customizes the style of the table for this table (for more detailed information on the configuration options, see Tools)
Entries per page:	Default	Adjusts the entries per page of the table individually for this table (for more detailed information on the configuration options, see Tools)
Max height:	Default	Adjusts the maximum display height of the table for this table individually (for more detailed information on the configuration options, see Tools)

Creating an Ethernet interface

The creation of an Ethernet interface is done with a wizard in the menu Area Network interfaces button Ethernet.

Any number of interfaces can be created on UTMs with the naming scheme “eth”x.
On UTMs with the naming scheme “LAN”x or “A”x, only interfaces that actually exist can be created.

Caption	Value	Description	Add interface UTMuser@firewall.name.fqdnNetworkNetwork configuration
Name:	LAN4	Name of the interface. If ther is an existing unused interface by default the next free LANx name is used. The name can also be entered manually.
IP Address:	192.168.176.1/24	If the interface is to have a fixed IP, this is entered here.
DHCP-Client:	Off IPv4 IPv6 IPv4 & IPv6	Here the setting is made whether - and if so, for which IP protocol - the interface should obtain its IP addresses from a DHCP server.

Zones:		Previously created zones can be selected by clicking in the click box.
Add new zone:	No dmz1	If activated, a new zone with a freely selectable name (here: dmz1) is created.
Auto-generate rules:	No	If activated, autogenerated rules are created to enable network traffic to all existing networks. notempty These rules serve exclusively to facilitate the commissioning of the interface. They cannot be edited and must absolutely be replaced by individualized rules and subsequently deactivated or deleted!
Update associated network objects: notempty New as of v12.6.0	On	If an existing zone has been selected, all network objects that are already in this zone and have an interface as a target are moved to the new interface.

Finish the wizard with the Finish button.

Edit an Ethernet interface

The configuration of an Ethernet interface is done in the menu Network Network configuration Area Network interfaces button

General

Caption	Value	Description	Edit interface UTMuser@firewall.name.fqdnNetworkNetwork configuration
Name:	LAN1	The name of the interface cannot be changed afterwards.
DHCP-Client:	Off IPv4 IPv6 IPv4 & IPv6	Here the setting is made whether - and if so, for which IP protocol - the interface should obtain its IP addresses from a DHCP server.
Router Advertisement:	Off	If the UTM has received an IPv6 prefix (on an external interface), it can make the Default Gateway and the subnet known via router advertisement and at the same time distribute corresponding IPv6 addresses in the connected network. (See article IPv6 Prefix Delegation).
Assign IPv6 addresses:	On	If it is not desired that the UTM distributes IPv6 addresses, but only the default gateway, then this option must be deactivated.
IPv6 Prefix Delegation:	Off	Enables IPv6 prefex delegation to get IPv6 prefixes allocated on this interface. (For external interfaces only.)
Settings Settings
MTU:	1500	The Maximum Transmission Unit specifies the maximum packet size that can be transmitted without fragmentation. Depending on the type of network (cable, Ethernet, VPN use), other values can help with connection problems here.
Autonegotiation: notempty New option: Default	Off OnDefault	Allows (on) or prohibits (off) Ethernet network ports from independently negotiating and configuring the maximum possible transmission speed and duplex mode. Or does not perform an autonegotiation check (default) and therefore does not generate an error if the option cannot be changed.
Speed: notempty Even with autonegotiation activated	10 MBit/s 100 MBit/s 1000 MBit/s	Speed of network communication
Duplex: notempty Even with autonegotiation activated	full half	Duplex allows data packets to be sent and received simultaneously. HUBs usually only support Halfduplex. If autonegotiation mode is enabled at one end of the link and full-duplex operation is forced at the other end, the autonegotiating subscriber will recognize the link as half-duplex, resulting in a large number of transmission errors. →Wikipedia
Route Hint IPv4:	192.0.2.192/---	Via the field "Route Hint" it is possible to define the gateway of the interface. This has the advantage, for example, that only the interface (e.g. LAN3) has to be specified in routing and not directly the gateway IP.
Route Hint IPv6:	2001:DB8::123/---	Via the field "Route Hint" it is possible to define the gateway of the interface. This has the advantage, for example, that only the interface (e.g. LAN3) has to be specified in routing and not directly the gateway IP.
Flow control can also be configured via CLI. Enable autonegotiate: interface set name "LAN1" options [ pause_autoneg=1 ] activate RX (The interface can receive pause frames.) : interface set name "LAN1" options [ pause_rx=1 ] activate TX (The interface can send pause frames to other participants in the network.): interface set name "LAN1" options [ pause_tx=1 ] View configuration: interface get
IP Addresses IP Addresses
IP Addresses	»192.168.121.1/24»fc80:1234::1/64	Under the menu item IP addresses one or more addresses can be assigned to an interface.

Zones Zones
Zones	»internal»firewall-internal»internal_v6»fireall-internal_v6	Under the menu item Zones the zones of the interface are defined. Important: The zone internal should always be assigned to an interface. If the zone internal is not assigned to an interface and the administration via the web interface is not explicitly enabled, the web interface can not be accessed anymore!

DynDNS DynDNS
Enabled:	Yes	Enables or disables (default) the DynDNS function	DynDNS settings
Hostname:	hostname.spdns.de	Desired Hostname
User:	hostname.spdns.de	The corresponding user name must be entered here. If linked to a reseller account, the corresponding host name must be entered here
Password:		The password must be entered here. If linked to a reseller account, the update token must be entered here.
Server:	update.spdyn.de	The securepoint update server
MX:
Webresolver:	On	Must be activated if the NAT router is located before the DNS (i.e.: UTM → Fritzbox/Speedport → internet)
Protocol:		The DNS service can be activated for IPv4 or IPv6 addresses only, or both IPv4 and IPv6.


Fallback Fallback
Fallback interface:	wan3	Interface that stands in for the main interface in the case of a malfunction. The absence of malfunctions is verified by ping-checking an IP. Further notes on the configuration of a fallback can be found in a separate Wiki article.	Fallback settings
Ping-check IP:	»203.0.2.203 »192.0.2.192 Example IPs must be replaced	Host(s) to which the ping check is to be performed. This can also be a host in the internal network if necessary. This may also be a host in the internal network. If a ping check host does not respond, the subsequent IP address is tried immediately. If none of the ping check hosts responds, this is considered a failed attempt and checked again after the ping check interval.
Ping-check Intervall:	5 Seconds	Period between ping attempts
Ping-check Threshold:	4 Attempts	Number of failed ping attempts before switching to the fallback interface.

Create default route

A default route must be created for this connection: Network Network Configuration Area Routing button Add Default Route
Gateway Type Interface Gateway Type: Interface
Caption	Value	Description	Add Default-Route UTMuser@firewall.name.fqdnNetworkNetwork configuration Create default route
Gateway:	wan0	Select the desired interface.
Dialog Save and close

Default route for IPv4. If necessary, another default route for IPv6 must be created.			Network configuration UTMuser@firewall.name.fqdnNetwork Routing with PPPoE

Gateway Type IP Gateway Type: IP
Caption	Value	Description	Add Default-Route UTMuser@firewall.name.fqdnNetworkNetwork configuration Create default route
Gateway:	fe80:1234::1/---	IP address of the gateway. If a Link Local IPv6 is recognised, the "Interface" button is displayed and an interface must be selected.
Interface: Only for link local IPv6	LAN1	Interface via which the IP address can be accessed.
Dialog Save and close

Default route for IPv6. If necessary, another default route for IPv4 must be created.			Network configuration UTMuser@firewall.name.fqdnNetwork Routing with PPPoE

Network interfaces General

Creating an Ethernet interface

Edit an Ethernet interface

General

Settings

IP Addresses

Zones

DynDNS

Fallback

Create default route

Gateway Type Interface

Gateway Type IP