PANEL_editInterface

PANEL_editInterface

Configuring Interfaces

This section is divided into:

Configuring the Static Interfaces

For general information on interfaces, see Network > Interfaces.

Static means that you assign a fixed IP address to the interface.

  1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
  2. Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.
  3. Select Static from the IP Assignment menu.
  4. Enter the IP address and subnet mask of the zone in the IP Address and Subnet Mask fields.
  5. Note: You cannot enter an IP address that is in the same subnet as another zone.

  6. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  7. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH.
  8. To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

  9. If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
  10. Click OK.

Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.

Configuring Interfaces in Transparent Mode

Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps:

  1. Click on the Configure icon in the Configure column for Unassigned Interface you want to configure. The Edit Interface window is displayed.
  2. Select an interface.
  3. Select Transparent Mode from the IP Assignment menu.
  4. From the Transparent Range menu, select an address object that contains the range of IP addresses you want to have access through this interface. The address range must be within the WAN zone and must not include the WAN interface IP address. If you do not have an address object configured that meets your needs:
  1. In the Transparent Range menu, select Create New Address Object.
  2. In the Add Address Object window, enter a name for the address range.
  1. For Zone Assignment, select WAN.
  2. For Type, select:
  3. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network.
  4. Click OK to create the address object and return to the Edit Interface window.
  5. See Network > Address Objects for more information.

  6. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  7. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH.
  8. To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

  9. If you want to allow selected users with limited management rights to log directly into the security appliance through this interface, select HTTP and/or HTTPS in User Login.
  10. Click OK.

Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.

Configuring Wireless Interfaces

A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points.

  1. Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
  2. In the Zone list, select WLAN or a custom Wireless zone.
  3. Enter the IP address and subnet mask of the zone in the IP Address and Subnet Mask fields.
  4. Note: The upper limit of the subnet mask is determined by the number of SonicPoints you select in the SonicPoint Limit field. If you are configuring several interfaces or subinterfaces as Wireless interfaces, you may want to use a smaller subnet (higher) to limit the number of potential DHCP leases available on the interface. Otherwise, if you use a class C subnet (subnet mask of 255.255.255.0) for each Wireless interface you may exceed the limit of DHCP leases available on the security appliance.

  5. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface.
  6. SonicPoints per Interface

    Maximum Subnet Mask

    Total Usable IP addresses

    Available Client IPs

    No SonicPoints

    30 bits – 255.255.255.252

    2

    2

    2 SonicPoints

    29 bits – 255.255.255.248

    6

    3

    4 SonicPoints

    29 bits – 255.255.255.248

    6

    1

    8 SonicPoints

    28 bits – 255.255.255.240

    14

    5


    16 SonicPoints(NSA 240)

    27 bits – 255.255.255.224

    30

    13


    32 SonicPoints(NSA 2400)

    26 bits – 255.255.255.192

    62

    29


    48 SonicPoints(NSA 3400)

    25 bits - 255.255.255.128

    126

    61


    64 SonicPoints(NSA 4500, 5000)

    25 bits - 255.255.255.128

    126

    61


    96 SonicPoints(NSA E5500)

    24 bits - 255.255.255.0

    190

    93


    128 SonicPoints(NSA E6500, NSA E7500)

    23 bits - 255.255.254.0

    254

    125

    Note: The above table depicts the maximum subnet mask sizes allowed. You can still use class-full subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C - 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.

  7. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  8. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH.
  9. To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

  10. If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
  11. Click OK.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

Warning: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.

Check Enable Multicast Support to allow multicast reception on this interface.

On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.

Configuring the WLAN Interface (SonicWALL TZ series wireless appliances)

The WLAN interface is only available on the SonicWALL TZ series wireless. You can only configure the WLAN interface with a static IP address.

  1. Click on the Edit icon in the Configure column for Unassigned Interface you want to configure. The Edit Interface window is displayed.
  2. Select the WLAN interface. If you want to create a new zone for the interface, select Create a new zone. The Add Zone window is displayed. See Chapter 11 for instructions on adding a zone.
  3. Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields.
  4. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
  5. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, Ping, and/or SNMP.
  6. If you want to allow selected users with limited management rights, select HTTP and/or HTTPS in User Login.
  7. Click OK.

Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.

Configuring Advanced Settings for the Interface

Check Enable Multicast Support to allow multicast reception on this interface.

Configuring a WAN Interface

Configuring the WAN interface enables Internet connect connectivity. You can configure up to two WAN interfaces on the SonicWALL security appliance.

  1. Click on the Edit icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
  2. If you’re configuring an Unassigned Interface, select WAN from the Zone menu. If you selected the Default WAN Interface, WAN is already selected in the Zone menu.
  3. Select one of the following WAN Network Addressing Mode from the IP Assignment menu. Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.
  4. Note: For Windows clients, L2TP is supported by Windows 2000 and Windows XP. If you are running other versions of Windows, you must use PPTP as your tunneling protocol.

  5. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.
  6. To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

  7. If you want to allow selected users with limited management rights to log directly into the security appliance from this interface, select HTTP and/or HTTPS in User Login.
  8. Check Add rule to enable redirect from HTTP to HTTPS, if you want an HTTP connection automatically redirected to a secure HTTPS connection to the SonicWALL security appliance management interface.
  9. After completing the WAN configuration for your Network Addressing Mode, click OK.

Configuring the Advanced Settings for the WAN Interface

The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, setting up bandwidth management, and creating a default NAT policy automatically.

Ethernet Settings

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:

You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.

Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL as well.

Check Enable Multicast Support to allow multicast reception on this interface.

On SonicWALL NSA series appliances, check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.

You can also specify any of these additional Ethernet Settings:

Bandwidth Management

SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound Bandwidth Management is done by implementing ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits it on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.

Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.

Note: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.

Configuring the NSA Expansion Pack Module Interface (NSA 2400MX and 250M only)

The SonicWALL NSA 2400MX and NSA 250M security appliances support the following optional NSA Expansion Pack modules:

These interfaces are listed in the Interface Settings table as the Mx interfaces.

Caution: Before attempting to insert and configure the module, you must power off the appliance. Once the appliance has been powered down, remove the rear module plate cover and insert the expansion module.Tighten the screws to secure the module, then power on the appliance.

Log into the SonicWALL management interface. You can now begin configuring the desired expansion module. The following sections describe how to configure the

Configuring the ADSL Expansion Module

ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) to be provided on regular single copper wire-pair POTS connections (such as your home phone line). It allows voice calls and data to pass through simultaneously by using higher band frequencies for data transmission.

The SonicWALL ADSL module cards support only one subscriber ADSL line (one port). Two types of ADSL module cards are supported:

The following ADSL standards are supported

Standard Name

Common Name

T1.413

ADSL

G.992.1

ADSL G.DMT

G.992.2

ADSL Lite (G. Lite)

G.992.3

ADSL2

G.992.5

ADSL2+M with Annex M and Annex L

The ADSL module card uses 2 LEDs to indicate connectivity status. The upper green LED is the ADSL link. Its status is as follows:

The lower green LED shows the system and ADSL module activity.

The ADSL module card is detected on boot, and assigned an interface name of M0 or M1. The interface name is based to it based on the expansion slot hosting the module card. You will see the assigned entry when you log into the Network Interfaces page.

The ADSL interface never unassigned. When plugged in, it is always present in the WAN zone and zone assignment cannot be modified by the administrator

Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL Settings. The DSL Settings tab allows you to configure ISP-specific settings for the ADSL connection.

It displays the configurable DSL fields:

Virtual Path Identifier (VPI)

Virtual Channel Identifier (VCI)

Multiplexing Method (LLC or VC)

The values for these parameters should match the settings on the ISP DSLAM, and are provided by the ISP. These values vary from one ISP to another, and from country to country.

The SNWL default uses the most common values in the USA. The VPI and VCI settings are used to create the Permanent Virtual Circuit (PVC) from the NSA2400MX to the ISP DSLAM.

When finished configuring these ISP settings, click OK.

The Ethernet-specific settings on the Advanced tab, even if set, do not apply to the ADSL module. The Link Speed field in the Advanced tab has a fixed "N/A" selection, since it does not apply to ADSL. The ADSL link speed can't be customized but is predetermined by the DSL Provider.

The standard WAN ethernet settings are not affected by the presence of the ADSL module.

When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.

On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration.

When done, click OK, and the ADSL module will be added to the group.

Configuring the T1/E1 Module

The 1-port T1/E1 Module provides the connection of a T1 or E1 (digitally multiplexed telecommunications carrier system) circuit to a SonicWALL appliance using an RJ-45 jack.

The SonicWALL T1/E1 module fully supports Point-to-Point Protocol (PPP) and Cisco HDLC encapsulation, and can connect to Cisco routers and HP ProCurve devices.

Note: Only one T1/E1 module can be configured on each appliance.

To configure the T1/E1 Module, perform the following tasks:

  1. Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
  2. The General tab allows you to set up the type of encapsulation: PPP or HDLC, as well as the management interface type and level of user security login. The Zone setting is disabled.

  3. Select the desired type of encapsulation: PPP, HDLC, or Cisco HDLC. If you select a type of encapsulation other than PPP, you will need to assign the IP address and netmask.
  4. If HDLC or Cisco HDLC is selected, assign the IP address and subnet mask for the network mask assigned to the subnet.These are auto-filled for you, but you can change them if desired.
  5. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also set the level of security (HTTP or HTTPS) at this time.

  6. Click on the Advanced Tab.
  7. You will see two radio buttons, one for T1 and one for E1. Only one button should be selected at a time. Different Line Coding, Framing and Encapsulation configuration choices are offered, depending on the button.

  8. Select the Clock Source: Internal or External. This selection is the same for both T1 and E1.
  9. Select the Line Coding option:
  10. Select the Framing configuration:
  11. Select the DSO speed: 56 KB or 64KB (default).
  12. If desired, you can specify the Data DSO range.

    For T1, the range is 1 to 24 (default)

    For E1, the range is 1 to 31

    Each number can be individually set. For example, “5 to 15”, “1 to 1”, 1 to 20” are valid settings.

  13. Line Build Out is available with T1. The options are: 0.0 dB, -7.5 dB, -15 dB, -22.5 dB.
  14. CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6, when E1 is selected the check-box is labeled CRC4.

    You can also choose to enable multicast.

  15. When finished with configuration, click OK.

The T1/E1 module interface will be added to the pool of available WAN interfaces

Configuring the LAN Bypass Module

This module allows you to perform a physical bypass of the firewall when the interface is bridged to another interface with LAN bypass capability. This allows network traffic to continue flowing if an unrecoverable firewall error occurs.

  1. Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed. The Bypass option is only displayed if an interface capable of performing the bridge is present.
  2. The window shows the LAN interface, and has a checkbox “Engage Physical ByPass on Malfunction” to enable the physical bypass feature. This is only displayed when the interface is bridged to another interface capable of performing the LAN bypass. Enabling this checkbox means that the packets between the bridged pairs will not fail, even if the firmware or NSA appliance fails.

If the checkbox is not enabled, the ports will behave like normal Ethernet ports.

Click OK to configure the interface.

Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules

  1. Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
  2. If you’re configuring an Unassigned Interface, you can select any zone from the Zone menu. LAN is already selected in the Zone menu.
  3. Select one of the following LAN Network Addressing Modes from the IP Assignment menu.

    Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.

  4. Assign the IP address and subnet mask for the network mask assigned to the subnet.These are auto-filled for you, but you can change them if desired.
  5. If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also use a checkbox to add a rule to redirect from HTTP to HTTPS to enforce security on the interface.
  6. Click OK to configure the interface.
  7. Configuring the Advanced Settings for the Module Interface

    The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging are tagged VLAN id=0 and carry 802,1p priority information. Devices connected to this interface need to support priority frames.

    Configuring Additional Interfaces

  8. Each expansion module interface must be individually configured. These initially appear as unassigned interfaces.
  9. Click on the Edit icon in the Configure column for the Interface you want to configure.

For each interface, on the General tab of the Edit Interface window, select LAN from the Zone menu. Fill in the desired IP assignment. The subnet will be assigned for you. Add the desired management options and click Okay. Then configure the Advanced settings.