Table of ContentsPreviousNextIndex

SonicWALL, Inc.

Network/Edit_Interface.htm

Configuring the F0, F1, X0 - X9, LAN and OPT Interfaces (Static)

For general information on interfaces, see Network > Interfaces.

Static means you assign a fixed IP address to the interface.

  1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.

    2. You can configure F0, F1, X0 through X9, LAN, or OPT.

    If you select OPT, select LAN, WAN, DMZ, WLAN, a custom zone, or Create new zone for Zone.

    If you want to create a new zone, select Create new zone. The Add Zone window is displayed. See Network > Zones for instructions on adding a zone.

  2. Select a Zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.
  3. Select Static from the IP Assignment menu.
  4. Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields.
    5. Note: You cannot enter an IP address that is in the same subnet as another zone.
  5. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  6. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.
  7. If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
  8. Click OK.
    9. Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance's address.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

Alert: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.

Configuring Interfaces in Transparent Mode

Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. You can configure the following interfaces in Transparent Mode

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

Alert: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.

Configuring Wireless Interfaces

A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points.

  1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.

    2. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface.

  2. In the Zone list, select WLAN or a custom Wireless zone.
  3. Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields.
    4. Note: The upper limit of the subnet mask is determined by the number of SonicPoints you select in the SonicPoint Limit field. If you are configuring several interfaces or sub-interfaces as Wireless interfaces, you may want to use a smaller subnet (higher) to limit the number of potential DHCP leases available on the interface. Otherwise, if you use a class C subnet (subnet mask of 255.255.255.0) for each Wireless interface you may exceed the limit of DHCP leases available on the security appliance.
  4. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface.

    5. This value determines the highest subnet mask you can enter in the Subnet Mask field. The following table shows the subnet mask limit for each SonicPoint Limit selection and the number of DHCP leases available on the interface if you enter the maximum allowed subnet mask.

    Available Client IPs assumes 1 IP for the SonicWALL gateway interface, in addition to the presence of the maximum number of SonicPoints allowed on this interface, each consuming an IP address.

    SonicPoints per Interface
    Maximum Subnet Mask
    Total Usable IPs
    Available Client IPs
    No SonicPoints
    30bits - 255.255.255.252
    2
    2
    2 SonicPoints
    29bits - 255.255.255.248
    6
    3
    4 SonicPoints
    29bits - 255.255.255.248
    6
    1
    8 SonicPoints
    28bits - 255.255.255.240
    14
    5
    16 SonicPoints
    (PRO 4060, PRO 4100, and PRO 5060 only)
    27bits - 255.255.255.224
    30
    13
    32 SonicPoints
    (PRO 5060 only)
    26bits - 255.255.255.192
    62
    29

    Note: The above table depicts the maximum subnet mask sizes allowed. You can still use class-full subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24bit class C - 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
  5. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  6. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, Ping, and/or SNMP.
  7. If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
  8. Click OK.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

Check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Bandwidth Management.

Configuring the WLAN Interface

The WLAN interface is only available on the TZ 170 Wireless and TZ 170 SP Wireless.

You can only configure the WLAN interface with a static IP address.

  1. Click on the Notepad icon in the Configure column for Unassigned Interface you want to configure. The Edit Interface window is displayed.
  2. Select the WLAN interface. If you want to create a new zone for the interface, select Create a new zone. The Add Zone window is displayed. See Chapter 11 for instructions on adding a zone.
  3. Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields.
  4. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  5. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, Ping, and/or SNMP.
  6. If you want to allow selected users with limited management rights, select HTTP and/or HTTPS in User Login.
  7. Click OK.
    8. Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance's address.

Configuring Advanced Settings for the Interface

Check Enable Multicast Support to allow multicast reception on this interface.

Configuring a WAN Interface

Configuring the WAN interface enables Internet connect connectivity. You can configure up to two WAN interfaces on the SonicWALL security appliance.

  1. Click on the Notepad icon in the Configure column for the F1, WAN, X1 or Unassigned Interface you want to configure. The Edit Interface window is displayed.
  2. If you're configuring an Unassigned Interface, select WAN from the Zone menu. If you selected the Default WAN Interface, WAN is already selected in the Zone menu.
  3. Select one of the following WAN Network Addressing Mode from the IP Assignment menu. Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.

    4. Static - configures the SonicWALL for a network that uses static IP addresses.

    DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.

    PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password is required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.

    PPTP - uses PPTP (Point to Point Tunneling Protocol) to connect to a remote server. It supports older Microsoft Windows implementations requiring tunneling connectivity.

    L2TP - uses IPsec to connect a L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.

    Note: For Windows clients, L2TP is supported by Windows 2000 and Windows XP. If you are running other versions of Windows, you must use PPTP as your tunneling protocol.
  4. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTPS, Ping, and/or SNMP. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.
  5. If you want to allow selected users with limited management rights to log directly into the security appliance from this interface, select HTTP and/or HTTPS in User Login.
  6. Check Add rule to enable redirect from HTTP to HTTPS, if you want an HTTP connection automatically redirected to a secure HTTPS connection to the SonicWALL security appliance management interface.
  7. After completing the WAN configuration for your Network Addressing Mode, click OK

Configuring the Advanced Settings for the WAN Interface

The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC Address, setting up bandwidth management, and creating a default NAT policy automatically.

Ethernet Settings

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field.

Alert: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL as well.

Check Enable Multicast Support to allow multicast reception on this interface.

Check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Bandwidth Management.

You can also specify any of these additional Ethernet Settings:

Bandwidth Management

SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management is done using Class Based Queuing. Inbound Bandwidth Management is done by implementing ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits it on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.

Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds.

The Bandwidth Management section allows you to specify the available outbound bandwidth for this interface in Kbps.

NAT Policy Settings

Selecting Create default NAT Policy automatically translates the Source Address of packets from the Default LAN (Primary LAN) to your new WAN Interface.

Cross Reference:  For more information on NAT Policies, see Chapter 15 Configuring Network NAT Policies.

Configuring Modem Settings

The SonicWALL TZ 170 SP and TZ 170 SP Wireless security appliances include a built-in modem. You can use the modem as your primary WAN connection, or as an automatic backup for your WAN.

Note: Before configuring the Modem interface, you must create at least one Dial-up Profile. See Modem > Dialup Profiles for instructions on creating Dial-up Profiles.

Set up the Modem Interface

  1. Click on the edit icon in the Configure column for the Modem interface.
  2. In the Modem Settings page, configure the following settings:
    • Speaker Volume - Select whether you want the modem's speaker turned on or off. The default value is On.
    • Modem Initialization - Select Initialize Modem For Use In and select the country from the drop-down menu. United States is selected by default. If the modem uses AT commands to initialize, select Initialize Modem Using AT Commands. Enter any AT commands used for the modem in the AT Commands (for modem initialization) field. AT commands are instructions used to control a modem such as ATS7=30 (allows up to 30 seconds to wait for a dial tone), ATS8=2 (sets the amount of time the modem pauses when it encounters a comma (",") in the string).
  3. Specify the Dial on Data Categories you want the SonicWALL security appliance modem to detect for outbound data before the modem dials the ISP. Outbound data does not need to originate from computers on the LAN, but can also be packets generated by the SonicWALL security appliance security applications. You can select from the following data categories:
    • NTP packets
    • GMS Heartbeats
    • System log e-mails
    • AV Profile Updates
    • SNMP Traps
    • Licensed Updates
    • Firmware Update requests
    • Syslog traffic
  4. Select any of the supported management protocol(s) for management of the SonicWALL security appliance from the Modem interface: HTTPS, Ping, and/or SNMP. Select Add rule to enable redirect from HTTP to HTTPS to allow the SonicWALL to automatically convert HTTP requests to HTTPS requests for added security.
  5. Click the Profile tab.
  6. For Primary Profile, select a dialing profile. If you have an alternative profile, select the profile from the Alternate Profile 1 menu. If the Primary Profile cannot establish a connection, the SonicWALL security appliance uses the Alternate Profile 1 profile to access the modem and establish a connection. If you have an additional alternate profile, select it from the Alternate Profile 2 menu.
  7. Click the Advanced tab.
  8. The Remotely Triggered Dial-out feature allows you to remotely manage the SonicWALL appliance via the WAN interface when the modem is the only WAN connection. When this feature is enabled, you can dial in to the modem's phone number remotely, and that will trigger the modem to dial out. Check Enable Remotely Triggered Dial-out to enable the modem to respond to remote management requests.

    9. Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites:

    • The dial profile is configured for dial-on-data.
    • The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
    • Enter a value in the Enable Max Connection Time (minutes) field. If you do not enter a value in this field, dial-out calls will remain connected indefinitely, and you will have to manually terminate sessions by clicking the Disconnect button.
  9. If you want the remotely triggered dial-out to require a password, check Requires Authentication, enter the password into the Password field, and reenter the password in the Confirm Password field.
  10. Click OK.

Connecting the Modem

If you need to use the modem as your primary WAN interface, you can connect it now: In the Network > Interfaces page click Connect on the same line as the Modem interface.

Configuring SonicWALL PortShieldtm Interfaces (PRO 1260)

SonicWALL PortShieldTM is a feature of the SonicWALL PRO 1260 security appliance running SonicOS Enhanced 3.1 or newer.

PortShield architecture enables you to configure any or all of the 24 LAN switch ports on the PRO 1260 into separate security zones, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each security zone has its own wire-speed switch ports that enjoy the protection of a dedicated, deep packet inspection firewall.

Adding a PortShield Interface

To add a PortShield interface:

  1. In the Network > Interfaces page, click Add Interface.
  2. Configure the Wireless_Access interface:
    • Zone: The zone assigned to this interface
    • PortShield Interface Name: The name of the interface
    • IP Address: An appropriate IP address that does not conflict with another address range.
    • Subnet Mask: 255.255.255.0 is the default

  3. In the Switch Ports tab, assign ports 23 and 24 to the Wireless_Access PortShield interface

Configuring VLAN Sub-Interfaces (PRO 2040, PRO 3060, PRO 4060, PRO 4100, PRO 5060)

When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN sub-interface the same way you configure a physical interface for the same zone.

Adding a virtual interface

  1. In the left-navigation menu click on Network and then Interfaces to display the Network > Interfaces page.
  2. At the bottom of the Interface Settings table, click Add Interface. The Edit Interface window displays.

  3. Select a Zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned.

    4. Your configuration choices for the network settings of the sub-interface depend on the zone you select.

      • LAN, DMZ, or a custom zone of Trusted type: Static or Transparent
      • WAN or a custom zone of Untrusted type: static IP only (no IP Assignment list).
      • WLAN or a custom Wireless zone: static IP only (no IP Assignment list).
  4. Assign a VLAN tag (ID) to the sub-interface. Valid VLAN ID's are 1 to 4095, although some switches reserve VLAN 1 for native VLAN designation. You will need to create a VLAN sub-interface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
  5. Declare the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign - you may assign sub-interfaces up to the system limit (100 for the PRO 2040, 300 for the PRO 3060 and PRO 4060, 400 for the PRO 4100 and PRO 5060).
  6. Configure the sub-interface network settings based on the zone you selected. See the interface configuration instructions earlier in this chapter:
  7. Select the management and user-login methods for the sub-interface.
  8. Click OK.

Deploying VLANs

The following examples illustrate some typical deployments of a VLAN within a corporate network.

The above illustration depicts a sample VLAN implementation as might be employed by one location of a geographically redundant online retailer. The network has a PRO 5060 and a core switch located in the same server room. Also in the server room are dedicated management workstations and shared file servers connected to X0 (LAN Zone) of the PRO 5060. A small collection of publicly available FTP and mail servers are connected to X3 (DMZ) which is operating in transparent mode using a block of addresses from the WAN. Attached to X2 (WLAN) are a series of SonicPoints which have been located throughout the four floors of the building. On each of the four floors is a 48 port workgroup switch, connected back to the core switch with gigabit Ethernet links.

The switch on Floor 1 provides connectivity to the company's technical support and IT departments, and while most of their network communications occur within their broadcast domain, they require regular access to the rest of the network, particularly to the servers connected to X0. All 48 ports on the switch are assigned to VLAN 100.

Floors 2 and 4 contain mixed groups of users, primarily from the Sales and Engineering teams. Ports to which Engineering users are connected are assigned to VLAN 250, and ports to which Sales and other users are connected are assigned to VLAN 150. Each group has dedicated servers, with appropriate VLAN assignations, and both groups communicate regularly with the servers connected to X0.

Floor 3 houses the company's main public server farm, with dozens of load balanced web-servers. The load-balancers present three public facing IP addresses, and distribute the traffic among the real servers. The public facing interfaces of the load-balancers are connected to 6 ports on the switch, which have been assigned to VLAN 200. The remainder of the switch ports have been assigned to VLAN 210, and have connected to them the real servers and the internal interfaces of the load-balancers. The only network access to these servers is through the load-balancers.

The core switch is layer 3 capable, but rather than routing between the VLANs it trunks VLANs 100, 150, 200, and 250 to the PRO 5060 with a single gigabit connection to X4. Since most of the workgroups' traffic remains within the workgroup, the bandwidth capacity of this approach proves adequate, although if their utilization continues to grow, they can trunk VLAN 100 and 200 via one link to X4 and trunk VLAN 150 and 250 via a second link to X5, thus doubling their effective capacity.

DHCP Services can be enabled on all physical interfaces and all VLAN sub-interfaces, allowing clients to automatically obtain addressing:

VLAN Integration

When a packet with a VLAN tag arrives on a physical interface, the VLAN ID is evaluated to determine if it is supported. The VLAN tag is stripped, and packet processing continues as it would for any other traffic. A simplified view of the inbound and outbound packet path includes the following potentially reiterative steps (refer to the SonicOS Enhanced State Diagram for a more complete reference):

At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet egress path includes:

On egress, if the route policy lookup determines that the gateway interface is a VLAN sub-interface, the packet is tagged (encapsulated) with the appropriate VLAN ID header. The creation of VLAN sub-interfaces automatically updates the SonicWALL's routing policy table:

The auto-creation of NAT policies, Access Rules with regard to VLAN sub-interfaces behave exactly the same as with physical interfaces. Customization of the rules and policies that govern the traffic between VLANs can be performed with customary SonicOS ease and efficiency.

When creating a zone (either as part of general administration, or as a step in creating a sub-interface), a checkbox will be presented on the Zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have `Create GroupVPN for this Zone' enabled, although the option can be enabled for other Zone types by selecting the checkbox during creation.

Management of security services between VLAN sub-interfaces is accomplished at the Zone level. All security services are configurable and applicable to zones comprising physical interfaces, VLAN sub-interfaces, or combinations of physical and VLAN sub-interfaces.

Gateway Anti-Virus and Intrusion Prevention Services between the different workgroups can easily be employed with the use of VLAN segmentation, obviating the need for dedicated physical interfaces for each protected segment:

VLAN support enables organizations to offer meaningful internal security (as opposed to simple packet filtering) between various workgroups, and between workgroups and server farms without having to use dedicated physical interfaces on the SonicWALL. The robust VLAN support of SonicOS Enhanced allows for extremely flexible configurations, such as:

Here the ability to assign VLAN sub-interfaces to the WAN Zone, and to use the WAN client mode (only Static addressing is supported on VLAN sub-interfaces assigned to the WAN Zone) is illustrated, along with the ability to support WAN Load-balancing and failover. Also demonstrated is the distribution of SonicPoints throughout the network by means of connecting them to access mode VLAN ports on workgroup switches. These switches are then backhauled to the core switch, which then connects all the VLANs to the PRO 5060 via a trunk link.

www.SonicWALL.com
SonicWALL, Inc.
http://www.sonicwall.com
1160 Bordeaux Drive
Sunnyvale, CA 94089-1209
Table of ContentsPreviousNextIndex