Network > Interfaces
The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. Physical interface objects include the LAN, WAN, OPT, and depending on which SonicWALL security appliance you have, Modem and WLAN ports in the SonicWALL security appliance.
Setup Wizard
The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through
step-by-step the configuration of the SonicWALL security appliance for Internet connectivity.
Cross Reference: For Setup Wizard instructions, see , "Internet Connectivity Using the Setup Wizard".
Physical Interfaces
Physical interfaces must be assigned to a Zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interface, traffic cannot access the zone or exit the zone.
Cross Reference: For more information on zones, see , "Network > Zones".
The first two interfaces, LAN and WAN are fixed interfaces, permanently bound to the Trusted and Untrusted Zone types. The TZ 170 series appliances can also have two special interfaces for Modem and WLAN. The remaining Interfaces can be configured and bound to any Zone type, depending on your SonicWALL security appliance:
Permanently Assigned Interfaces
- SonicWALL PRO series: X0 - The default LAN interface (on the PRO 5060 Fiber this can be changed to F0).
- SonicWALL TZ 170 series: LAN - The single LAN interface includes all five LAN ports on the back of the TZ 170 series appliances.
- SonicWALL PRO 1260: LAN - The single LAN interface includes all twenty four numbered ports and the uplink port on the front of the PRO 1260 security appliance. These can be assigned to separate PortShield groups.
- SonicWALL PRO series: X1 - The default WAN interface (on the PRO 5060 Fiber this can be changed to F1).
- SonicWALL PRO 1260 and : WAN
User-definable Interfaces
- SonicWALL PRO 4100 security appliances include eight user-definable interfaces, X2 through X9.
- SonicWALL PRO 3060/PRO 4060/PRO 5060 security appliances include four user-definable interfaces, X2 through X5.
- SonicWALL PRO 2040 security appliance includes two user-definable interfaces, X2 and X3.
- SonicWALL PRO 1260 security appliance includes one user-definable interface, OPT. The 24 LAN ports can be effectively redefined by assigning them to PortShield groups.
- SonicWALL TZ 170 family security appliances include one user-definable interface, OPT.
Virtual Interfaces (VLAN)
On the SonicWALL PRO 2040, PRO 3060, PRO 4060, PRO 4100, and SonicWALL PRO 5060 security appliances, virtual Interfaces are sub-interfaces assigned to a physical interface. Virtual interfaces allow you to have more than one interface on one physical connection.
Virtual interfaces provide many of the same features as physical interfaces, including Zone assignment, DHCP Server, and NAT and Access Rule controls.
Virtual Local Area Networks (VLANs) can be described as a 'tag-based LAN multiplexing technology' because, through the use of IP header tagging, VLANs can simulate multiple LANs within a single physical LAN. Just as two physically distinct, disconnected LANs are wholly separate from one another, so too are two different VLANs; however, the two VLANs can exist on the very same wire. VLANs require VLAN-aware networking devices to offer this kind of virtualization: switches, routers and firewalls that have the ability to recognize, process, remove and insert VLAN tags in accordance with the network's design and security policies.
VLANs are useful for a number of different reasons, most of which are predicated on the VLANs' ability to provide logical rather than physical broadcast domain, or LAN, boundaries. This works both to segment larger physical LANs into smaller virtual LANs, and to bring physically disparate LANs together into a logically contiguous virtual LAN. The benefits of this include:
- Increased performance - Creating smaller, logically partitioned broadcast domains decreases overall network utilization, sending broadcasts only where they need to be sent, thus leaving more available bandwidth for application traffic.
- Decreased costs - Historically, broadcast segmentation was performed with routers, requiring additional hardware and configuration. With VLANs, the functional role of the router is reversed - rather than being used for the purposes of inhibiting communications, it is used to facilitate communications between separate VLANs as needed.
- Virtual workgroups - Workgroups are logical units that commonly share information, such as a Marketing department or an Engineering department. For reasons of efficiency, broadcast domain boundaries should be created such that they align with these functional workgroups, but that is not always possible: Engineering and Marketing users might be commingled, sharing the same floor (and the same workgroup switch) in a building, or just the opposite - the Engineering team might be spread across an entire campus. Attempting to solve this with complex feats of wiring can be expensive and impossible to maintain with constant adds and moves. VLANs allow for switches to be quickly reconfigured so that logical network alignment can remain consistent with workgroup requirements.
- Security - Hosts on one VLAN cannot communicate with hosts on another VLAN unless some networking device facilitates communication between them.
Sub-Interfaces
VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.
Note: Dynamic VLAN Trunking protocols, such as VTP (VLAN Trunking Protocol) or GVRP (Generic VLAN Registration Protocol), should not be used on trunk links from other devices connected to the SonicWALL.
Trunk links from VLAN-capable switches are supported by declaring the relevant VLAN IDs as sub-interfaces on the SonicWALL, and configuring them in much the same way that a physical interface would be configured. In other words, only those VLANs which are defined as sub-interfaces are handled by the SonicWALL; the rest are discarded as uninteresting. This method also allows the parent physical interface on the SonicWALL to which a trunk link is connected to operate as a conventional interface, providing support for any native (untagged) VLAN traffic that might also exist on the same link. Alternatively, the parent interface may remain in an 'unassigned' state.
VLAN sub-interfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support. The PRO 2040 supports up to 100 sub-interfaces, the PRO 3060 and PRO 4060 support up to 200 sub-interfaces, and the PRO 4100 and PRO 5060 support up to 400 sub-interfaces.
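The following example, added here and not part of the SonicOS documentation or code, models the trunk-link behaviour described above: frames arriving on a parent interface are demultiplexed by the 802.1Q tag (which sits in the Ethernet header, right after the source MAC), only VLAN IDs declared as sub-interfaces are accepted, untagged native traffic is handled by the parent interface itself, and every other VLAN is discarded as uninteresting. The interface names, MAC addresses, payloads and the `TrunkParent` class are all constructed for the illustration. It also handles two edge cases a parser must get right: runt frames and the priority-only tag (VLAN ID 0), which 802.1Q treats as untagged.

```python
import struct
from collections import defaultdict

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tag in the Ethernet header
BROADCAST_MAC = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Constructed sample frame: Ethernet II header, optional 802.1Q tag, payload."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp & 0x7) << 13 | (vlan_id & 0x0FFF)  # PCP (3 bits), DEI (1), VID (12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


class TrunkParent:
    """Hypothetical model of a parent interface terminating a trunk link.

    Only VLAN IDs declared as sub-interfaces are accepted; untagged (native)
    frames belong to the parent itself; every other tag is discarded.
    This is an illustration written for this page, not SonicOS code.
    """

    def __init__(self, name, sub_interfaces):
        self.name = name
        self.sub_interfaces = dict(sub_interfaces)  # VLAN ID -> sub-interface name
        self.accepted = defaultdict(lambda: {"unicast": 0, "broadcast": 0, "bytes": 0})
        self.discarded = {}  # VLAN ID -> number of frames dropped as "uninteresting"

    def classify(self, frame):
        """Return the interface that owns this frame, or None if it must be discarded."""
        if len(frame) < 14:
            raise ValueError("runt frame: shorter than an Ethernet header")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_8021Q:
            return self.name  # untagged: native VLAN traffic handled by the parent
        if len(frame) < 18:
            raise ValueError("runt frame: 802.1Q tag is truncated")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        if vlan_id == 0:
            return self.name  # VID 0 is a priority-only tag; treated as untagged
        return self.sub_interfaces.get(vlan_id)  # None: VLAN not declared here

    def receive(self, frame):
        """Account the frame to its owner, or record it as discarded."""
        target = self.classify(frame)
        if target is None:
            vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            self.discarded[vlan_id] = self.discarded.get(vlan_id, 0) + 1
            return None
        stats = self.accepted[target]
        key = "broadcast" if frame[0:6] == BROADCAST_MAC else "unicast"
        stats[key] += 1
        stats["bytes"] += len(frame)
        return target


def demo():
    """Feed a constructed mix of frames into parent X2 with two declared sub-interfaces."""
    x2 = TrunkParent("X2", {10: "X2:V10", 20: "X2:V20"})
    src = bytes.fromhex("0200000000aa")  # constructed, locally administered MACs
    dst = bytes.fromhex("0200000000bb")
    frames = [
        build_frame(dst, src, 0x0800, b"payload-10", vlan_id=10),        # declared VLAN
        build_frame(BROADCAST_MAC, src, 0x0806, b"arp-20", vlan_id=20),  # declared, broadcast
        build_frame(dst, src, 0x0800, b"payload-30", vlan_id=30),        # undeclared VLAN
        build_frame(dst, src, 0x0800, b"native"),                        # untagged
        build_frame(dst, src, 0x0800, b"prio", vlan_id=0, pcp=5),        # priority tag only
    ]
    return [x2.receive(f) for f in frames], x2


if __name__ == "__main__":
    targets, parent = demo()
    print(targets)
    print(dict(parent.accepted), parent.discarded)
```

Running `demo()` routes the first two frames to the V10 and V20 sub-interfaces, drops the VLAN 30 frame (recorded in `discarded`), and accounts both the untagged and the priority-tagged frame to the parent X2. The per-target counters show why declaring a sub-interface for every VLAN you intend to carry matters: anything not declared never reaches a zone or an Access Rule.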
SonicOS Enhanced Secure Objects
The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. This structure is based on secure objects, which are utilized by rules and policies within SonicOS Enhanced. Physical interface objects include the LAN1 through LAN5, WAN, OPT, Modem and WLAN ports. Address objects comprise a host, a network, a range of addresses, or a MAC address.
Note: The LAN1 through LAN5 ports on a TZ 170 series security appliance are managed as a single interface, and share the same IP address and, if you enable the internal DHCP Server, they share the same DHCP address range. Essentially, the five LAN ports are a five-port switch for the LAN interface.
Secured objects include interface objects that are directly linked to physical interfaces and managed in the Network > Interfaces page. Address objects are defined in the Network > Address Objects page. Service and Scheduling objects are defined in the Firewall section of the SonicWALL security appliance Management Interface, and User objects are defined in the Users section of the SonicWALL security appliance Management Interface.
Zones are the hierarchical apex of SonicOS Enhanced's secure objects architecture. SonicOS Enhanced includes pre-defined zones and also allows you to define your own zones. Predefined zones include LAN, DMZ, WAN, WLAN, and Custom. Zones can include multiple interfaces; however, the WAN Zone is restricted to a total of two interfaces. Within the WAN zone, either one or both WAN interfaces can be actively passing traffic depending on the WAN Failover and Load-Balancing configuration on the Network > WAN Failover & LB page.
Cross Reference: For more information on WAN Failover and Load Balancing on the SonicWALL security appliance, see Chapter 10 Setting Up Network WAN Failover and Load Balancing.
At the zone configuration level, the Allow Interface Trust setting for zones automates the processes involved in creating a permissive intra-zone Access Rule. It creates a comprehensive Address Object for the entire zone and an inclusively permissive Access Rule from the zone address to the zone addresses.
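The relationships described in this section (interfaces bound to zones, the two-interface limit on the WAN zone, the zone-wide Address Object, and the intra-zone rule that Allow Interface Trust creates) are easy to get wrong when reasoning about which traffic an Access Rule set permits. The following model is an added illustration written for this page; it is not SonicOS code, the `ZoneModel` class and its rule representation are assumptions, and the interface names and subnets are constructed. It evaluates whether a flow between two addresses is permitted under a default-deny policy with explicit zone-to-zone rules.

```python
from ipaddress import ip_address, ip_network


class ZoneModel:
    """Hypothetical model of zones, interface binding and Allow Interface Trust.

    Written to illustrate the text on this page; not SonicOS code. Rules are a
    set of (from_zone, to_zone) pairs and anything not listed is denied.
    """

    WAN_INTERFACE_LIMIT = 2  # the WAN zone is restricted to two interfaces

    def __init__(self):
        self.zones = {}     # zone name -> {"trust": bool, "interfaces": {iface: network}}
        self.rules = set()  # explicit (from_zone, to_zone) allow rules

    def add_zone(self, name, allow_interface_trust=False):
        self.zones[name] = {"trust": allow_interface_trust, "interfaces": {}}
        if allow_interface_trust:
            # Allow Interface Trust: permissive rule from zone address to zone addresses
            self.rules.add((name, name))

    def bind_interface(self, iface, zone, network):
        """Bind a physical interface (and its subnet) to a zone."""
        members = self.zones[zone]["interfaces"]
        if zone == "WAN" and len(members) >= self.WAN_INTERFACE_LIMIT:
            raise ValueError("WAN zone already has %d interfaces" % self.WAN_INTERFACE_LIMIT)
        members[iface] = ip_network(network)

    def zone_address_object(self, zone):
        """The comprehensive Address Object for a zone: every bound interface's subnet."""
        return list(self.zones[zone]["interfaces"].values())

    def zone_of(self, ip):
        """Zone whose Address Object contains ip, or None if no interface reaches it."""
        addr = ip_address(ip)
        for name in self.zones:
            if any(addr in net for net in self.zone_address_object(name)):
                return name
        return None

    def add_rule(self, from_zone, to_zone):
        self.rules.add((from_zone, to_zone))

    def is_allowed(self, src_ip, dst_ip):
        """Default deny: only an explicit (or trust-generated) zone pair is permitted."""
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src_zone is None or dst_zone is None:
            return False  # no interface: traffic cannot enter or leave a zone
        return (src_zone, dst_zone) in self.rules


def build_example():
    """Constructed layout: trusted LAN on X0/X2, untrusted DMZ on X3/X4, WAN on X1/X5."""
    m = ZoneModel()
    m.add_zone("LAN", allow_interface_trust=True)
    m.add_zone("DMZ")
    m.add_zone("WAN")
    m.bind_interface("X0", "LAN", "10.0.0.0/24")
    m.bind_interface("X2", "LAN", "10.0.1.0/24")
    m.bind_interface("X3", "DMZ", "192.168.1.0/24")
    m.bind_interface("X4", "DMZ", "192.168.2.0/24")
    m.bind_interface("X1", "WAN", "203.0.113.0/24")
    m.bind_interface("X5", "WAN", "198.51.100.0/24")
    return m


if __name__ == "__main__":
    m = build_example()
    print("LAN X0 -> LAN X2:", m.is_allowed("10.0.0.5", "10.0.1.5"))      # True (trust)
    print("DMZ X3 -> DMZ X4:", m.is_allowed("192.168.1.5", "192.168.2.5"))  # False
    print("LAN -> DMZ      :", m.is_allowed("10.0.0.5", "192.168.1.5"))   # False until a rule
```

Two points the model makes concrete: Allow Interface Trust only permits traffic between interfaces of the same zone (the DMZ, created without it, keeps its two interfaces isolated from each other), and a LAN-to-DMZ rule does not imply the reverse direction.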
Transparent Mode
Transparent Mode in SonicOS Enhanced uses interfaces as the top level of the management hierarchy. Transparent Mode supports unique addressing and interface routing.
Interface Settings
The Interface Settings table lists the following information for each interface:
- Name - listed as F0, F1, X0 through X9, LAN, WAN, WLAN, Modem, or OPT depending on your SonicWALL security appliance model.
- Zone - LAN, DMZ/OPT, WAN, and WLAN are listed by default. As zones are configured, the names are listed in this column.
- IP Address - IP address assigned to the interface.
- Subnet Mask - the network mask assigned to the subnet.
- IP Assignment - you can select one of the following, depending on the interface:
  - F0, X0, or LAN: Static or Transparent
  - F1, X1, or WAN: DHCP, Static, PPPoE, PPTP, or L2TP
  - X2 - X9, X1 (on PRO 5060 Fiber only), or OPT: the available IP assignments depend on the zone assigned to the user-defined port.
  - Modem: static or dynamic, set through the Dial-up Profile. See Modem > Dialup Profiles for instructions on creating Dial-up Profiles.
  - WLAN: static IP only (no IP Assignment list)
- Status - the link status and speed.
- Comment - any user-defined comments.
- Configure - click the Configure icon to display the Edit Interface window, which allows you to configure the settings for the specified interface.
Alert: You cannot change the Zones in the Edit Interface window for the X0, LAN, WAN, Modem, and WLAN interfaces.
Interface Traffic Statistics
The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces.
The following information is displayed for all SonicWALL security appliance interfaces:
- Rx Unicast Packets - indicates the number of point-to-point communications received by the interface.
- Rx Broadcast Packets - indicates the number of multipoint communications received by the interface.
- RX Bytes - indicates the volume of data, in bytes, received by the interface.
- Tx Unicast Packets - indicates the number of point-to-point communications transmitted by the interface.
- Tx Broadcast Packets - indicates the number of multipoint communications transmitted by the interface.
- Tx Bytes - indicates the volume of data, in bytes, transmitted by the interface.
To clear the current statistics, click the Clear Statistics button at the top right of the Network > Interfaces page.
For information on configuring interfaces, see Configuring the F0, F1, X0 - X9, LAN and OPT Interfaces (Static).
SonicWALL, Inc. http://www.sonicwall.com 1160 Bordeaux Drive Sunnyvale, CA 94089-1209