Ethernet-Bridge

A bridge (network bridge) connects two physical networks to a common one.
The interfaces connected in this way have an IP and the IP addresses of the connected devices are in the same subnet.

The firewall must not be administered via the interface that is to be added to a bridge!

The connection to the admin interface is lost as soon as the IP address is removed from the interface currently used to access the UTM.
If all available internal interfaces are to be added to a bridge (e.g. eth1 and eth2 for a Black Dwarf), external access to the firewall must be via eth0.
Port forwarding from an internal network via an external IP address is not possible via a bridge.
This could be remedied by setting up a forward zone in the UTM name server, provided that the UTM is set up as the name server for the internal clients. In this case, the external URL called by Internal refers directly to the internal target server.
Instructions for setting up the forward zone can be found under Forward-Zone in the Nameserver Wiki.

• Identify an interface on the firewall that should not be bridged.
• In the menu → Network →Network Configuration IP Addresses note down or assign existing IP address of this interface (e.g. 10.0.10.1/24 or 10.10.10.193/29).
• Find a free IP address from the corresponding network.
• Add this IP address or the entire associated network (e.g. 10.0.10.0/24 or 10.10.10.192/29) in the menu → Network →Server Settings tab Administration Add IP / Network and authorize it for administration
• Establish access on the selected interface via this IP address or this network (e.g.: 10.0.10.1:11115 or 10.10.10.193:11115)

Removing IP address

First, remove all IP addresses from the interfaces to be used for the bridge.
→ Network →Network Configuration → in the corresponding interface → Tab IP Addresses.
Remove IP addresses. In the example » ✕192.168.100.1/24 by clicking on ✕

Under no circumstances may the IP address be removed which is used for the current access!

Datei:UTM v11.8.7 Netwerk Konfiguration Schnittstellen Zonen-en.png

Removing zones

In the second step, all zones are removed from the interfaces to be used for the bridge.
→ Network →Network Configuration → in the corresponding interface → Tab Zones.
Remove the zones by clicking on ✕. In the example » ✕dmz1 » ✕firewall-dmz1 » ✕dmz1_v6 » ✕interface-dmz1_v6}
Then Save

Under no circumstances may the zone be removed which is used for the current access!

Then save

In the example, the interfaces eth2 and eth3 are to be combined to a DMZ.
Start the wizard in the menu → Network →Network ConfigurationTab Network interfaces Button + Bridge

After setting up the interface, the network objects whose zones have been assigned to the bridge must be adapted. The bridge must be entered there as the interface.
Under → Firewall →Port FilterTab Network objects → Button for each network object belonging to the bridge.
Change Interface to bridge0
This step can be skipped for automatically created zones:

• Two new network objects are created for each of these zones:
• The network objects are each linked to a zone:
  • zone-interface with the zone firewall-zone and
  • zone-network with the zone zone

Orphaned network objects whose zones are no longer assigned to an independent interface should be removed.

A port filter rule is required to allow network traffic between the interfaces belonging to the bridge.
A new network object is created for this purpose.

Port filter rule for the bridge

Finally, only the port filter rule with the network object just created has to be created.

At this point a any-rule may actually be used so that the interfaces can communicate completely with each other.

		#	Source	Destination	Service	NAT	Action
		4	all-dmz	all-dmz	any		Accept	On

Network traffic to other networks (internal or external) should then be restricted by rules that work with the network objects that are mapped to the bridge zone.

		#	Source	Destination	Service	NAT	Action
		4	dmz1-network	internet	ftp	HNE	Accept	On

The bridge setup is completed with Add and close Update rules.