Interfaces

From Wiki of WFilter NG Firewall
(Difference between revisions)
(LAN)
(DHCP Options)
 
(5 intermediate revisions by one user not shown)
Line 3: Line 3:
 
= Introduction  =
 
= Introduction  =
  
WFilter NGF can act as a gateway or network bridge.
+
WFilter NGF supports three types of deployment: gateway, network bridge and passby deployment, please check: [[Features_per_deployment|Features comparison of different deployment]]:
* A network bridge can be deployed transparently with no changes to your existing network. Most features are available in bridge mode.
+
 
* In gateway deployment, all features are available, including VLAN, port forwarding, VPN... which are not available in bridge mode.
 
* In gateway deployment, all features are available, including VLAN, port forwarding, VPN... which are not available in bridge mode.
 +
* A network bridge can be deployed transparently with no changes to your existing network. Most features are available in bridge mode.
 +
* In passby deployment, the NGF system listens internet traffic on a mirroring port in your switch.
  
 
= Gateway Deployment =
 
= Gateway Deployment =
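Review bot: the rewritten opening sentence in the Introduction ("...gateway, network bridge and passby deployment, please check: [[Features_per_deployment|Features comparison of different deployment]]:") is a comma splice that ends in a second colon, so the bullet list after it reads as if it were the feature comparison itself. Suggest ending the sentence after "passby deployment.", giving the link its own sentence, and changing "listens internet traffic" to "listens to internet traffic" in the new passby bullet.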
Line 27: Line 28:
 
[[File:interface_gateway05.png|900px]]
 
[[File:interface_gateway05.png|900px]]
  
[[File:interface_gateway03.png|600px]]
+
[[File:interface_gateway03.png|800px]]
  
 
[[File:interface_gateway04.png|800px]]
 
[[File:interface_gateway04.png|800px]]
Line 36: Line 37:
 
=== DHCP Options ===
 
=== DHCP Options ===
 
* In default, DHCP gateway and dns server are all configured as WFilter's lan ip address.
 
* In default, DHCP gateway and dns server are all configured as WFilter's lan ip address.
* In case you need to modify the default DHCP options, the syntax is "DHCP code,Value". For examples:
+
* In case you need to modify the default DHCP options, the syntax is "DHCP code,Value"(one option per line). For examples:
 
** 3,192.168.1.1(default gateway)
 
** 3,192.168.1.1(default gateway)
 
** 6,8.8.8.8(default dns server)
 
** 6,8.8.8.8(default dns server)
 +
** 6,8.8.8.8,8.8.4.4(multiple dns servers)
  
 
= Bridge Deployment =
 
= Bridge Deployment =
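Review bot: the new example "6,8.8.8.8,8.8.4.4(multiple dns servers)" uses the comma both to separate the DHCP code from the value and to separate the addresses, but the syntax sentence still only says "DHCP code,Value". Suggest stating that the first comma separates the code from the value and any further commas separate list items, and adding a space before "(one option per line)" and before each parenthesised description so the description is not read as part of the value.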
Line 65: Line 67:
  
 
You can build new bridges from "undefined interfaces". For new bridges, you only need to configure LAN & WAN interfaces.
 
You can build new bridges from "undefined interfaces". For new bridges, you only need to configure LAN & WAN interfaces.
 +
 +
= Passby Deployment =
 +
 +
Passby Deployment: the NGF system listens internet traffic on a mirroring port in your switch. You need to setup a mirroring port(SPAN port) in your switch.
 +
 +
[[File:ros_guide_passby.png|600px]]
 +
 +
* Observ Port
 +
The observ port shall be connected to a mirroring port in your core switch to listen internet traffic.
 +
* Mangement Port
 +
The management port is for NGF system to access network. It's also used for sending RST packets to block clients TCP connections. The management port VLAN shall be able to reach other clients VLANs.
 +
 +
[[Category:Network]]
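Review bot: the two new bullets in the Passby Deployment section are misspelled ("Observ Port", "Mangement Port"), and their descriptions are plain paragraphs placed after each "*" line, so they do not render as part of the list items. Suggest "Management Port" (and "Observe Port" unless "Observ" is the literal UI label), putting each description on the bullet line or in a "**" sub-item, and rewording "listen internet traffic" to "listen to internet traffic" and "block clients TCP connections" to "block clients' TCP connections".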

Latest revision as of 15:17, 1 November 2023



1 Introduction

WFilter NGF supports three types of deployment: gateway, network bridge and passby. For a full list, see "Features comparison of different deployment". In summary:

  • In gateway deployment, all features are available, including VLAN, port forwarding, VPN and others that are not available in bridge mode.
  • A network bridge can be deployed transparently with no changes to your existing network. Most features are available in bridge mode.
  • In passby deployment, the NGF system listens to internet traffic on a mirroring port of your switch.

2 Gateway Deployment

Gateway deployment: WFilter NG Firewall acts as the gateway for the local network. Usually, your current gateway shall be replaced with WFilter NG Firewall. Network diagram:

Ros guide gateway.png

2.1 WAN

Interface gateway01.png

Interface gateway02.png

  • Protocol: PPPoE, DHCP, static IP.
  • Peer DNS: Use the dynamically assigned DNS server when the protocol is PPPoE or DHCP. If disabled, the DNS servers configured in "DNS" are used instead.
  • MAC Clone: Modify the MAC address of this WAN interface.
  • VLAN ID: Enable 802.1q VLAN in this WAN interface.

2.2 LAN

Interface gateway05.png

Interface gateway03.png

Interface gateway04.png

  • Each LAN interface can have its own subnet, or all LAN interfaces can share the same subnet.
  • Each LAN interface can have a DHCP service.
  • When IP-MAC Binding is enabled, clients will always be assigned the bound IP by the DHCP service.

2.2.1 DHCP Options

  • By default, the DHCP gateway and DNS server are both set to WFilter's LAN IP address.
  • To modify the default DHCP options, use the syntax "DHCP code,Value" (one option per line). For example:
    • 3,192.168.1.1 (default gateway)
    • 6,8.8.8.8 (default DNS server)
    • 6,8.8.8.8,8.8.4.4 (multiple DNS servers)
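
The following is an added example, not part of the WFilter documentation or product: a Python check that parses DHCP option lines in the "code,Value" syntax above and lists overrides that point clients at a gateway or DNS server other than the firewall's LAN address. The function names, the duplicate-option rule and the firewall address 192.168.1.1 are assumptions made for the example.

```python
import ipaddress

# Options whose value is a list of IPv4 addresses (RFC 2132):
# 3 = router (default gateway), 6 = DNS servers.
IP_LIST_OPTIONS = {3: "gateway", 6: "dns"}

def parse_dhcp_options(text):
    """Parse 'code,value' lines (one option per line) into {code: value}."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Only the first comma separates code from value, so
        # '6,8.8.8.8,8.8.4.4' is option 6 carrying two addresses.
        code_str, sep, value = line.partition(",")
        code_str, value = code_str.strip(), value.strip()
        if not sep or not code_str.isdecimal() or not value:
            raise ValueError(f"line {lineno}: expected 'code,value': {line!r}")
        code = int(code_str)
        if not 1 <= code <= 254:  # 0 (pad) and 255 (end) carry no value
            raise ValueError(f"line {lineno}: option code out of range: {code}")
        if code in options:  # assumption: a repeated code is a mistake
            raise ValueError(f"line {lineno}: option {code} given twice")
        if code in IP_LIST_OPTIONS:
            # IPv4Address raises ValueError for anything that is not IPv4
            value = [ipaddress.IPv4Address(v.strip()) for v in value.split(",")]
        options[code] = value
    return options

def audit_overrides(text, firewall_lan_ip):
    """List gateway/DNS overrides that are not the firewall's LAN address."""
    fw = ipaddress.IPv4Address(firewall_lan_ip)
    findings = []
    for code, value in parse_dhcp_options(text).items():
        if code in IP_LIST_OPTIONS:
            others = [str(ip) for ip in value if ip != fw]
            if others:
                findings.append((IP_LIST_OPTIONS[code], others))
    return findings

# Constructed sample: the page's example lines, firewall assumed at 192.168.1.1
SAMPLE = "3,192.168.1.1\n6,8.8.8.8,8.8.4.4\n"

if __name__ == "__main__":
    print(audit_overrides(SAMPLE, "192.168.1.1"))
```
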

3 Bridge Deployment

Bridge Deployment: Build network bridge(s) on certain interfaces. With bridge deployment, you can transparently deploy WFilter, without changing current network topology. Network diagram:

Ros guide bridge.png

3.1 Settings

Interface bridge01.png

  • Each bridge has one LAN interface and one WAN interface.
  • You can build multiple bridges if needed.
  • You can setup a management interface to access web UI.

Interface bridge02.png

  • Management Interface:
    • The management interface is for web UI access, web authentication UI access...
    • IP, Mask: IP, Mask of the management interface.
    • Gateway: Gateway of the management interface. WFilter needs a gateway in order to get updates.
    • Subnet(s): local subnets to be managed. Syntax: 192.168.1.0/24, one subnet per line. "-" starts a subnet exception, for example: "-192.168.1.20/32".
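
The following is an added example, not part of the WFilter documentation or product: a Python check that parses a Subnet(s) list in the syntax above, tells whether a given client address is managed, and lists exceptions that fall outside every managed subnet. It assumes an exception takes precedence over a managed subnet regardless of line order; the function names and sample addresses are constructed for the example.

```python
import ipaddress

def parse_subnets(text):
    """Split the Subnet(s) field into (managed, exceptions) network lists."""
    managed, exceptions = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # A leading "-" marks a subnet exception
        is_exception = line.startswith("-")
        cidr = line[1:].strip() if is_exception else line
        try:
            # Strict parsing rejects host bits, e.g. 192.168.1.20/24
            net = ipaddress.IPv4Network(cidr)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        (exceptions if is_exception else managed).append(net)
    return managed, exceptions

def is_managed(ip, managed, exceptions):
    """True if the address is in a managed subnet and not excepted."""
    addr = ipaddress.IPv4Address(ip)
    # Assumption: an exception wins over any managed subnet
    if any(addr in net for net in exceptions):
        return False
    return any(addr in net for net in managed)

def dead_exceptions(managed, exceptions):
    """Exceptions outside every managed subnet: no effect, likely a typo."""
    return [str(e) for e in exceptions
            if not any(e.subnet_of(m) for m in managed)]

# Constructed sample input (one subnet per line)
SAMPLE = """192.168.1.0/24
192.168.2.0/24
-192.168.1.20/32
-192.168.3.5/32
"""

if __name__ == "__main__":
    managed, exceptions = parse_subnets(SAMPLE)
    for host in ("192.168.1.20", "192.168.1.21", "10.0.0.1"):
        print(host, is_managed(host, managed, exceptions))
    print("dead exceptions:", dead_exceptions(managed, exceptions))
```

Hosts listed as exceptions are outside the managed set, so the exception list is worth reviewing whenever the field changes.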

Interface bridge03.png

You can build new bridges from "undefined interfaces". For new bridges, you only need to configure LAN & WAN interfaces.

4 Passby Deployment

Passby Deployment: the NGF system listens to internet traffic on a mirroring port of your switch. You need to set up a mirroring port (SPAN port) on your switch.

Ros guide passby.png

  • Observ Port

The observ port shall be connected to a mirroring port on your core switch to listen to internet traffic.

  • Management Port

The management port is used by the NGF system to access the network. It is also used for sending RST packets to block clients' TCP connections. The management port VLAN shall be able to reach the other clients' VLANs.
