12.6.2. Interfaces

enabled

Enable/disable a network interface:

• on.

• off.

description

Network interface description.

iface-type

Interface type:

• l3: interface works in Layer 3 mode (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

• mirror: interface works in Mirror mode (it can receive traffic from the network equipment SPAN port to analyze it).

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

lldp-profile

Profile to send data using Link Layer Discovery Protocol (LLDP). For more details on configuring Netflow profiles, see Configuring LLDP Profiles.

iface-mode

IP address assignment mode:

• dhcp: obtain a dynamic IP address via DHCP.

• manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

ip-addresses

Assign a static IP address to the interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

• enabled: enable/disable the relay:

  • on.

  • off.

• utm-address: IP address of the UserGate interface on which the relay function is added (possible values: <ip | none>).

• server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

enabled

Enable/disable a VLAN interface:

• on.

• off.

description

Interface description.

iface-type

Interface type:

• l3: Layer 3 (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

• mirror: interface works in Mirror mode (it can receive traffic from the network equipment SPAN port to analyze it).

tag

VLAN tag. Up to 4094 interfaces can be created.

node-name

Cluster node name where the VLAN is created.

interface

The physical interface on which the VLAN is being created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

iface-mode

IP address assignment mode:

• dhcp: obtain a dynamic IP address via DHCP.

• manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

ip-addresses

Assign a static IP address to the interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

• enabled: enable/disable the relay:

  • on.

  • off.

• utm-address: IP address of the UserGate interface on which the relay function is added.

• server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

enabled

Enable/disable the interface:

• on.

• off.

description

Interface description.

node-name

Cluster node where the bond interface is created.

zone

Zone to which the bond belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be bond1).

bonding

Additional bond interface parameters:

• aggr-mode: bond operation mode:

  • round-robin: Round robin mode (packets are sent sequentially starting with the first available interface and ending with the last one. This policy is used to provide load balancing and high availability.)

  • active-backup: Active backup mode (only one network interface out of the bond will be active. Another slave interface can become active only if the currently active interface fails. With this policy, the MAC address of the bond interface is only visible externally through one network port to avoid problems with the switch. This policy is used to provide high availability).

• xor: XOR mode (the transmission is allocated among the NICs using the following formula: [(<Source MAC address> XOR <Destination MAC address>) MOD <Interface count>]. This means that the same NIC sends packets to the same recipients. Optionally, the transmission allocation can also be based on the xmit_hash policy. The XOR policy is used for load balancing and high availability).

  • broadcast: Broadcast mode (broadcasts everything to all network interfaces. This policy is used for high availability).

  • 802.3ad: IEEE 802.3ad mode (the default mode supported by most network switches. Creates aggregated groups of NICs with identical speed and duplex settings. When combined like this, all links in the active aggregation participate in transmission as per IEEE 802.3ad. The choice of interface for packet transmission is determined by the policy. By default, the XOR policy is used, with the xmit_hash policy as a possible alternative).

  • transmit: Adaptive transmit load balancing mode (outgoing traffic is distributed depending on the loading of each NIC (determined by the load speed). No additional configuration on the switch is required. The incoming traffic is received by the current network card. If this card fails, another card assumes the MAC address of the failed one).

  • load: Adaptive load balancing mode. Includes the previous policy plus incoming traffic balancing. No additional configuration on the switch is required. The incoming traffic is balanced through ARP negotiation. The driver intercepts ARP responses sent from the local NICs to the outside and overwrites the source MAC address with one of the unique MAC addresses of the NIC in the bond. Thus, different peers use different server MAC addresses. The incoming traffic is balanced sequentially (round-robin) among the interfaces.

• mii-monitoring: MII monitoring period in milliseconds. Determines how often the link state will be checked for failures.

• down-delay: delay time (in milliseconds) before an interface is disabled if a connection failure occurs. This option is only valid for MII monitoring (miimon). The parameter value must be a multiple of miimon.

• up-delay: delay time in milliseconds before deploying the channel if it is detected to be restored. This parameter is only valid with MII monitoring (miimon). The parameter value must be a multiple of miimon.

• lacp-rate: interval with which the partner transmits LACPDU packets in 802.3ad mode. Enumerated options:

  • slow: request the partner to transmit LACPDU packets once every 30 seconds.

  • fast: request the partner to transmit LACPDU packets once per second.

• failover-mac: define the assignment type of MAC addresses to bond interfaces in Active backup mode when switching interfaces. Enumerated options:

  • disabled: the same MAC address is set on all interfaces during switching.

  • active: MAC address on the bond interface is always the same as on the currently active interface. The MAC addresses on the backup interfaces are not changed. The MAC address on the bond interface changes during the failover processing.

  • follow: MAC address on the bond interface is the same as the one on the first interface added to the bond. This MAC is not set on the second and subsequent interfaces while they are in backup mode. That MAC address gets assigned during a failover: when a backup slave interface becomes active, it assumes a new MAC (the one on the bond interface), and the formerly active slave is assigned the MAC that the currently active one used to have.

• xmit-hash: define a hash policy for sending packets over bond interfaces in XOR or IEEE 802.3ad mode. Enumerated options:

  • l2: use only MAC addresses to generate the hash. With this algorithm, the traffic for a particular network host is always sent over the same interface. This algorithm is compatible with IEEE 802.3ad.

  • l2-3: use both MAC and IP addresses to generate the hash. This algorithm is compatible with IEEE 802.3ad.

  • l3-4: uses IP addresses and transport layer protocols (TCP or UDP) to generate the hash. This algorithm is not universally compatible with IEEE 802.3ad, as both fragmented and non-fragmented packets can be transmitted within a single TCP or UDP interaction. Fragmented packets lack the source and destination ports. As a result, packets from the same session can reach the recipient in an order other than the intended one because they are sent via different slaves.

• interface: interfaces to be bonded.

iface-mode

IP address assignment mode:

• dhcp: obtain a dynamic IP address via DHCP.

• manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

ip-addresses

Assign a static IP address to the interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

• enabled: enable/disable the relay:

  • on.

  • off.

• utm-address: IP address of the UserGate interface on which the relay function is added.

• server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

bonding interface

Bonded interfaces.

enabled

Enable/disable a bridge:

• on.

• off.

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be bridge1).

description

Bridge interface description.

node-name

Node name of the cluster where the bridge is created.

zone

Zone to which the bridge belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

bridging

Additional bridge parameters:

• iface-type: interface mode:

  • l2: Layer 2 (you do not need to assign an IP address or specify routes and gateways for the bridge to work correctly. In this mode, the bridge works at the MAC address level by forwarding packets from one network segment to another. Mail security rules cannot be used in this case; content filtering is available in this mode).

  • l3: Layer 3 (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

• interface: interfaces to use to create the bridge.

• stp: enable/disable STP (Spanning Tree Protocol) for protection against network loops:

  • on.

  • off.

• forward-delay: delay before the bridge switches to the active mode (Forwarding) if the STP is enabled (in seconds).

• max-age: time after which the STP connection is considered lost (in seconds).

• bypass-pair: interface pair to use to build the bypass bridge. UserGate HSC support is required.

iface-mode

IP address assignment mode:

• dhcp: obtain a dynamic IP address via DHCP.

• manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

ip-addresses

Assign a static IP address to the interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

• enabled: enable/disable the relay:

  • on.

  • off.

• utm-address: IP address of the UserGate interface on which the relay function is added.

• server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

enabled

Enable/disable a PPPoE interface:

• on.

• off.

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be ppp1).

description

PPPoE interface description.

node-name

Cluster node name where the interface is created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

pppoe-config

Additional PPPoE interface parameters:

• interface: interface where the PPPoE interface is created.

• login: login name for PPPoE connection.

• password: password for PPPoE connection.

• persist-connection: automatic reconnection in case of connection failure:

  • on.

  • off.

• auth-type: authentication type:

  • CHAP.

  • PAP.

• holdoff: time period (in seconds) to restart the connection after it was broken.

• default-route: use the PPPoE interface as the default route:

  • on.

  • off.

• lcp-echo-interval: interval to check the connection.

• lcp-echo-failure: number of LCP echo failures after which UserGate assumes there is no connection and drops it.

• providers-dns: use DNS servers provided by the ISP:

  • on.

  • off.

• connection-attempts: number of unsuccessful connection attempts, after which auto-connection attempts will stop.

• service-name: specify the service name if provided by the ISP.

mtu

Specify the MTU size. Set by default to a value of 1492 bytes compatible with the standard Ethernet frame size.

enabled

Enable/disable a VPN interface:

• on.

• off.

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be tunnel1).

description

VPN interface description.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

iface-mode

IP address assignment mode:

• dhcp: obtain a dynamic IP address via DHCP.

• manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

If the interface is to be used for accepting VPN connections (Site-2-Site VPN or Remote access VPN), a static IP address must be used. To use an interface as a client, select the dynamic mode.

ip-addresses

Assign a static IP address to the interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.

mtu

Specify the MTU size for the selected interface.

enabled

Enable/disable the tunnel:

• on.

• off.

interface-name

Enter a number to include in the tunnel name (for example, if you enter 1 the interface name will be gre1).

description

Tunnel description.

node-name

Cluster node where the tunnel is created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

• bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

• proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. As for proxy_arp UserGate will respond to ARP requests from addresses outside the interface network; for proxy_arp_vlan UserGate will respond to ARP requests from addresses inside the interface network.

To specify them, use the following format:

Admin@UGOS# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name. The name can consist of lowercase Latin letters (a-z) and an underscore (_).

value is the parameter value. Parameter values can only be integers.

For example, to enable the Proxy ARP mechanism, use the following key/value: proxy_arp/1; to disable: proxy_arp/0.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

mtu

The MTU size for the selected interface.

tunnel-config

Additional interface parameters:

• local-ip: Point-to-Point interface local address.

• remote ip: Point-to-Point interface remote address.

• iface-mode: tunnel mode:

  • gre: GRE (a network packet tunneling protocol developed by Cisco Systems. Its main purpose is to encapsulate network layer packets into IP packets. The IP protocol number is 47).

  • ipip: IPIP (an IP tunneling protocol that encapsulates one IP packet in another IP packet. Encapsulating one IP packet in another IP packet adds an external header with Source IP which is the entry point into the tunnel, and Destination which is the exit point out of the tunnel).

  • vxlan: VXLAN (tunneling protocol from Layer 2 Ethernet frames to UDP packets, port 4789).

• vni: VXLAN ID. Relevant only for a VXLAN tunnel.

ip-addresses

The IP address assigned to the tunnel interface.

IP address should be specified in the following formats: [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ] if you want to assign several addresses (they should be listed using space); use decimal format to specify network mask.

Important! Square brackets should be separated by spaces on both sides.