Configuring Interfaces
This section is divided into:
Configuring the Static Interfaces
For general information on interfaces, see Network > Interfaces.
Static means that you assign a fixed IP address to the interface.
Note: You cannot enter an IP address that is in the same subnet as another zone.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.
Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.
Configuring Advanced Settings for the Interface
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.
The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.
Configuring Interfaces in Transparent Mode
Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps:
See Network > Address Objects for more information.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.
Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.
Configuring Advanced Settings for the Interface
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.
Configuring Wireless Interfaces
A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points.
Note: The upper limit of the subnet mask is determined by the number of SonicPoints you select in the SonicPoint Limit field. If you are configuring several interfaces or subinterfaces as Wireless interfaces, you may want to use a smaller subnet (higher) to limit the number of potential DHCP leases available on the interface. Otherwise, if you use a class C subnet (subnet mask of 255.255.255.0) for each Wireless interface you may exceed the limit of DHCP leases available on the security appliance.
Note: The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C - 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
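The following planning check is an added example, not SonicWALL code. It reads the subnet rule for static interfaces as "subnets in different zones must not overlap" and totals the DHCP leases the Wireless subnets could hand out. The interface list, the WLAN zone name and the lease limit of 256 are constructed assumptions.

```python
import ipaddress

# Constructed sample plan; names, zones and addresses are illustrative only.
PLAN = [
    {"name": "X0", "zone": "LAN",  "ip": "192.168.168.168", "mask": "255.255.255.0"},
    {"name": "X2", "zone": "DMZ",  "ip": "192.168.168.200", "mask": "255.255.255.128"},
    {"name": "X3", "zone": "WLAN", "ip": "172.16.31.1",     "mask": "255.255.255.0"},
    {"name": "X4", "zone": "WLAN", "ip": "172.16.32.1",     "mask": "255.255.255.0"},
]

def network_of(iface):
    """Subnet that the interface address and mask place the interface in."""
    return ipaddress.ip_interface(f"{iface['ip']}/{iface['mask']}").network

def cross_zone_overlaps(plan):
    """Pairs of interfaces in different zones whose subnets overlap."""
    hits = []
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a["zone"] != b["zone"] and network_of(a).overlaps(network_of(b)):
                hits.append((a["name"], b["name"]))
    return hits

def wireless_lease_demand(plan, wireless_zones=("WLAN",)):
    """Upper bound on DHCP leases: usable hosts minus the interface's own IP."""
    total = 0
    for iface in plan:
        if iface["zone"] in wireless_zones:
            usable = network_of(iface).num_addresses - 2  # drop network + broadcast
            total += max(usable - 1, 0)
    return total

def audit(plan, lease_limit):
    """Findings to resolve before entering the plan on the appliance."""
    findings = [f"{a} and {b} are in different zones but share a subnet"
                for a, b in cross_zone_overlaps(plan)]
    demand = wireless_lease_demand(plan)
    if demand > lease_limit:
        findings.append(f"wireless subnets allow {demand} leases, limit is {lease_limit}")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN, lease_limit=256):  # 256 is an assumed limit
        print(line)
```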
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.
Configuring Advanced Settings for the Interface
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.
The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
Warning: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well.
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Check Enable Multicast Support to allow multicast reception on this interface.
On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.
Configuring the WLAN Interface (SonicWALL TZ series wireless appliances)
The WLAN interface is only available on the SonicWALL TZ series wireless. You can only configure the WLAN interface with a static IP address.
Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.
Configuring Advanced Settings for the Interface
Check Enable Multicast Support to allow multicast reception on this interface.
Configuring a WAN Interface
Configuring the WAN interface enables Internet connectivity. You can configure up to two WAN interfaces on the SonicWALL security appliance.
Note: For Windows clients, L2TP is supported by Windows 2000 and Windows XP. If you are running other versions of Windows, you must use PPTP as your tunneling protocol.
To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.
Configuring the Advanced Settings for the WAN Interface
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, setting up bandwidth management, and creating a default NAT policy automatically.
Ethernet Settings
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC address in the field.
Caution: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL as well.
Check Enable Multicast Support to allow multicast reception on this interface.
On SonicWALL NSA series appliances, check Enable 802.1p tagging to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.
You can also specify any of these additional Ethernet Settings:
Bandwidth Management
SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
Note: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.
Configuring the NSA Expansion Pack Module Interface (NSA 2400MX and 250M only)
The SonicWALL NSA 2400MX and NSA 250M security appliances support the following optional NSA Expansion Pack modules:
These interfaces are listed in the Interface Settings table as the Mx interfaces.
Caution: Before attempting to insert and configure the module, you must power off the appliance. Once the appliance has been powered down, remove the rear module plate cover and insert the expansion module. Tighten the screws to secure the module, then power on the appliance.
Log into the SonicWALL management interface. You can now begin configuring the desired expansion module. The following sections describe how to configure the
Configuring the ADSL Expansion Module
ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) to be provided on regular single copper wire-pair POTS connections (such as your home phone line). It allows voice calls and data to pass through simultaneously by using higher band frequencies for data transmission.
The SonicWALL ADSL module cards support only one subscriber ADSL line (one port). Two types of ADSL module cards are supported:
The following ADSL standards are supported
The ADSL module card uses 2 LEDs to indicate connectivity status. The upper green LED is the ADSL link. Its status is as follows:
The lower green LED shows the system and ADSL module activity.
The ADSL module card is detected on boot, and assigned an interface name of M0 or M1. The interface name is assigned to it based on the expansion slot hosting the module card. You will see the assigned entry when you log into the Network Interfaces page.
The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone, and the zone assignment cannot be modified by the administrator.
Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL Settings. The DSL Settings tab allows you to configure ISP-specific settings for the ADSL connection.
It displays the configurable DSL fields:
Virtual Path Identifier (VPI)
Virtual Channel Identifier (VCI)
Multiplexing Method (LLC or VC)
The values for these parameters should match the settings on the ISP DSLAM, and are provided by the ISP. These values vary from one ISP to another, and from country to country.
The SonicWALL default uses the most common values in the USA. The VPI and VCI settings are used to create the Permanent Virtual Circuit (PVC) from the NSA 2400MX to the ISP DSLAM.
When finished configuring these ISP settings, click OK.
The Ethernet-specific settings on the Advanced tab, even if set, do not apply to the ADSL module. The Link Speed field in the Advanced tab has a fixed "N/A" selection, since it does not apply to ADSL. The ADSL link speed can't be customized but is predetermined by the DSL Provider.
The standard WAN Ethernet settings are not affected by the presence of the ADSL module.
When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.
On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration.
When done, click OK, and the ADSL module will be added to the group.
Configuring the T1/E1 Module
The 1-port T1/E1 Module provides the connection of a T1 or E1 (digitally multiplexed telecommunications carrier system) circuit to a SonicWALL appliance using an RJ-45 jack.
The SonicWALL T1/E1 module fully supports Point-to-Point Protocol (PPP) and Cisco HDLC encapsulation, and can connect to Cisco routers and HP ProCurve devices.
Note: Only one T1/E1 module can be configured on each appliance.
To configure the T1/E1 Module, perform the following tasks:
The General tab allows you to set up the type of encapsulation: PPP or HDLC, as well as the management interface type and level of user security login. The Zone setting is disabled.
If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also set the level of security (HTTP or HTTPS) at this time.
You will see two radio buttons, one for T1 and one for E1. Only one button should be selected at a time. Different Line Coding, Framing and Encapsulation configuration choices are offered, depending on the button.
If desired, you can specify the Data DS0 range.
For T1, the range is 1 to 24 (default).
For E1, the range is 1 to 31.
Each number can be individually set. For example, “5 to 15”, “1 to 1”, and “1 to 20” are valid settings.
CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6; when E1 is selected, the check-box is labeled CRC4.
You can also choose to enable multicast.
The T1/E1 module interface will be added to the pool of available WAN interfaces.
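A pre-change review of planned T1/E1 settings, written as an added example and not taken from SonicWALL. It checks the Data DS0 range against the T1 and E1 bounds above, reports the matching CRC check-box label, and flags HTTP in the management protocol selection. The configuration dictionary and its field names are hypothetical, and the 64 kbit/s figure is the standard rate of one DS0 timeslot.

```python
import re

DS0_MAX = {"T1": 24, "E1": 31}            # Data DS0 upper bounds stated on this page
CRC_LABEL = {"T1": "CRC6", "E1": "CRC4"}  # check-box label per line type
DS0_KBPS = 64                             # one DS0 timeslot carries 64 kbit/s

# Constructed sample; field names are hypothetical, not an appliance export format.
SAMPLE = {"line_type": "T1", "encapsulation": "PPP", "ds0": "5 to 15",
          "management": ["HTTP", "HTTPS", "SSH"]}

def parse_ds0_range(text, line_type):
    """Parse 'N to M' and check it against the T1 or E1 bounds."""
    m = re.fullmatch(r"\s*(\d+)\s+to\s+(\d+)\s*", text)
    if not m:
        raise ValueError(f"not an 'N to M' range: {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1 <= lo <= hi <= DS0_MAX[line_type]:
        raise ValueError(f"{text!r} is outside 1 to {DS0_MAX[line_type]} for {line_type}")
    return lo, hi

def review_t1e1(cfg):
    """Summarise a planned T1/E1 configuration and list review findings."""
    findings = []
    if cfg["encapsulation"] not in ("PPP", "HDLC"):
        findings.append(f"unsupported encapsulation {cfg['encapsulation']}")
    lo, hi = parse_ds0_range(cfg["ds0"], cfg["line_type"])
    if "HTTP" in cfg["management"]:
        # The page notes that HTTP management traffic is less secure than HTTPS.
        findings.append("HTTP management enabled; prefer HTTPS")
    return {
        "kbps": (hi - lo + 1) * DS0_KBPS,
        "crc_option": CRC_LABEL[cfg["line_type"]],
        "findings": findings,
    }

if __name__ == "__main__":
    print(review_t1e1(SAMPLE))
```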
Configuring the LAN Bypass Module
This module allows you to perform a physical bypass of the firewall when the interface is bridged to another interface with LAN bypass capability. This allows network traffic to continue flowing if an unrecoverable firewall error occurs.
If the checkbox is not enabled, the ports will behave like normal Ethernet ports.
Click OK to configure the interface.
Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules
Select one of the following LAN Network Addressing Modes from the IP Assignment menu.
Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.
Configuring the Advanced Settings for the Module Interface
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging are tagged VLAN id=0 and carry 802.1p priority information. Devices connected to this interface need to support priority frames.
Configuring Additional Interfaces
For each interface, on the General tab of the Edit Interface window, select LAN from the Zone menu. Fill in the desired IP assignment. The subnet will be assigned for you. Add the desired management options and click OK. Then configure the Advanced settings.