The network menu can be used to tweak the networking configuration by adding specific hosts and routes, or by configuring the uplink and adding VLANs. This menu should not be confused with the Network configuration wizard available at Menubar ‣ System ‣ Network Configuration, which allows configuring interfaces and zones and defining uplinks, although many settings and configuration options, especially in the Interfaces menu item, are the same found there.
The sub-menu on the left-hand side of the screen contains these items, each of which groups several configuration options:
Edit hosts - define hosts for local domain name resolution.
Routing - set up static routes and policy routing.
Interfaces - edit the uplinks or create VLANs.
Wireless - set up wireless network connections.
On top of the page appears the table of custom defined hosts, right above the table showing the Hosts for system services. The former table contains host entries defined by the administrators, while the latter shows hosts that are automatically added by the Endian UTM Appliance when some services, such as the HTTP or SMTP proxy, are enabled, since they are required for those services to operate correctly.
The two tables share the same structure and content: each entry contains an IP address, the associated hostname, and the domain name, if specified. The only difference is that the Hosts for system services table has no Actions column: because these entries are needed by the system, they can not be edited, so the three available actions are offered only in the first table.
A new entry in the file can be added by clicking on the Add new host link right above the table.
Hint
New entries will be added to the /etc/hosts file, so do not edit that file manually, because changes to that file will be overwritten.
A simple form will replace the table, in which to enter the following options:
The IP address of the remote host.
The hostname associated with the IP address.
An optional domain name. If not supplied, the default domain name of the Endian UTM Appliance will be used.
Hint
The domain name is displayed in the Hosts for system services table below and can be retrieved from the CLI by using the hostname -d command.
An optional description of the host.
Tick the checkbox to enable the host. If not enabled, it can not be used.
Note
Unlike in standard Linux systems, in the /etc/hosts file (see below), each IP address corresponds to one hostname and vice-versa. To associate more hostnames to the same IP address, repeat the procedure by inserting the same IP address but a different name.
The choice can be confirmed by clicking on the Add button, then a click on the Apply button in the green callout will reload the daemon with the new host.
Below the first table, a drop-down menu allows to execute the same action on a number of hosts defined in the table:
After one or more hosts are selected by clicking on the small checkbox in the table’s first column, clicking on this button allows selecting an action that will be carried out on all the selected hosts.
At the bottom of the page, a table also shows those hosts that are automatically created by system services; they must be defined for the service to work correctly and can not be modified manually.
Hosts management, dnsmasq and /etc/hosts
The dnsmasq application is used in small networks as DNS server for local hosts and as a DNS forwarder and caching server for worldwide DNS servers. The Endian UTM Appliance uses dnsmasq to be able to correctly resolve and answer DNS requests coming from the GREEN, ORANGE, and BLUE zones. It is sometimes desirable (e.g., for testing purposes on a remote website) to override some entries in dnsmasq, or to add some local server to dnsmasq’s cache, for local clients to be able to connect to it.
Both custom and system hosts listed in this page are written to the /etc/hosts file at every restart of the daemon. Hosts added to that file directly via the CLI will not persist after a reboot of the Endian UTM Appliance or a restart of dnsmasq.
The /etc/hosts file contains the so-called static lookup table, in the form:
IP1 hostname1 [hostname2]
IP2 hostname3 [hostname4] [hostname5]
Here, IP1 and IP2 are unique (numerical) IP addresses and hostname1, hostname2, hostname3, hostname4, and hostname5 are custom names given to those IPs. Names within square brackets are optional: in other words, each IP address can be associated with one or more names of known hosts. Custom host entries can be added to the file, and they will then be resolved for all the clients connecting through the Endian UTM Appliance. On a typical Endian UTM Appliance, the /etc/hosts file contains at least the following entries:
127.0.0.1 localhost.localhost localhost
172.20.0.21 myappliance.localdomain myappliance
172.20.0.21 spam.spam spam
172.20.0.21 ham.ham ham
172.20.0.21 wpad.localdomain wpad
Here, 127.0.0.1 is the IP address of the loopback device, called localhost, which is a mandatory entry for the correct working of any Linux system; while 172.20.0.21 is the IP address of the GREEN interface. The entries listed for that IP have the following meaning and purposes:
The hostname and domainname of the Endian UTM Appliance, as set up during the Network configuration.
These two entries combined are used for the training of the spamassassin e-mail filter.
A facility for some browsers to detect and apply proxy settings automatically, without the user’s interaction, when the proxy is not transparent.
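As an added example (Python written for this page, not part of the Endian documentation or the appliance’s own code), the following parses text in the /etc/hosts layout described above, groups the names carried by each address, flags a name that is mapped to two different addresses, and checks that the entries the page lists as always present are there. The sample file content and the intranet hostname are constructed.

```python
import ipaddress

# Constructed sample in the /etc/hosts layout the page describes (IP first,
# then one or more names); not copied from a live appliance.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localhost localhost
172.20.0.21 myappliance.localdomain myappliance
172.20.0.21 spam.spam spam
172.20.0.21 ham.ham ham
172.20.0.21 wpad.localdomain wpad
# custom entry added through Menubar > Network > Edit hosts
192.168.0.50 intranet.localdomain intranet
192.168.0.51 intranet.localdomain   # constructed conflicting duplicate
"""

# Names the page lists as present on a typical appliance.
REQUIRED_NAMES = ("localhost", "spam", "ham", "wpad")

def parse_hosts(text):
    """Parse hosts-file text into a list of (ip, [names]) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split fields
        if not fields:                            # blank or comment-only line
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError as exc:                 # do not silently drop bad lines
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}") from exc
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: no hostname for {ip}")
        entries.append((ip, fields[1:]))
    return entries

def names_by_ip(entries):
    """Group every name seen for an IP (one IP may carry several names)."""
    grouped = {}
    for ip, names in entries:
        bucket = grouped.setdefault(ip, [])
        for name in names:
            if name not in bucket:
                bucket.append(name)
    return grouped

def find_conflicts(entries):
    """Return {name: [ips]} for names mapped to more than one address;
    usually a stale hand-edit or a typo rather than an intended setup."""
    seen = {}
    for ip, names in entries:
        for name in names:
            if ip not in seen.setdefault(name, []):
                seen[name].append(ip)
    return {n: ips for n, ips in seen.items() if len(ips) > 1}

def missing_required(entries, required=REQUIRED_NAMES):
    """Names from the page's minimal entry set that are absent."""
    present = {n for _, names in entries for n in names}
    return [n for n in required if n not in present]
```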
Besides the default routing table, that can be seen in Menubar ‣ Status ‣ Network status, the routing on the Endian UTM Appliance can be improved with static and policy routing rules. This page displays a unique table that contains all the custom rules added. However, since static and policy routing rules have different options and settings, they are configured in two separate tabs: Static routing and Policy Routing.
The main difference between static and policy routing is that the former routes all the traffic from a source network or to a destination network through a (static) gateway, while the latter provides more choices to define the sources and destinations of the traffic and the type of gateway. Moreover, additional options allow selecting the service that creates the traffic and the TOS. For this reason, when defining policy routing rules, the order of the rules is important.
Whenever a change is carried out on the routing table, it is required that the changes be saved and the service be restarted.
If no rule has been defined, this page is empty, otherwise a table called Current routing entries is displayed, which carries the following information: the source and destination networks or zones, the gateway, a remark, and the list of available actions.
A static route allows associating specific source and destination networks with a given gateway or uplink. A click on the Add a new route link above the table allows creating new routes by defining the following fields in the form that will appear:
The source network, in CIDR notation.
The destination network, in CIDR notation.
Hint
To specify a single source or destination host, use the /32 suffix, like e.g., 192.168.100.1/32.
Four options are available to define how the traffic should be channeled: Static Gateway, Uplink, OpenVPN User, or L2TP User. If Static Gateway is selected, the IP address of the gateway must be provided in the text box on the right; otherwise, a drop-down will present the available choices among the uplinks, OpenVPN users, or L2TP users.
A ticked checkbox means that the rule is enabled, otherwise the rule is only created and can be enabled later.
A remark or comment to explain the purpose of this rule.
See also
A guide to set up basic static routes.
A policy routing rule allows associating specific network addresses, zones, or services (expressed as port and protocol) with a given uplink.
The policy routing table shows all the rules defined for both static and policy routing, since the former can be seen as a special case of policy routing, in which the whole traffic from a source network to a destination network is routed via a static host. For this reason, this table shows more properties of a rule than the corresponding table for static routing, namely: Source and destination networks, TOS, Gateway, Service, Remark, and the available actions.
As mentioned before, rules that appear higher in the table have higher priority and will be evaluated first. Traffic will then be routed according to the first matching rule found.
When clicking on the Create a policy routing rule link, a form will open, which looks very similar to the firewall rule editor. This editor gives more control over the definition of the rule, while the setup of the rule is guided by several drop-down menus that assist in the rule creation.
The following options are available:
The first drop-down menu allows to choose the source of the traffic. More entries, one per line, are accepted, but all must belong to the same type, either: A zone or interface, OpenVPN or L2TP users, IPs or networks, or MAC addresses. Depending on the choice, different values shall be supplied. To apply the rule to all sources, select <ANY>.
The second drop-down menu permits the choice of the destination of the traffic, in form of a list of IPs, networks, OpenVPN or L2TP users. Again, by selecting <ANY> the rule will match every destination.
The next two drop-down menus allow specifying the service, protocol, and a destination port for the rule when the TCP, UDP, or TCP + UDP protocols are selected. Some predefined service/protocol/port combinations exist, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports. User defined permits specifying a custom protocol and the ports to block, an option that proves useful when running services on ports different from the standard ones.
The type of traffic affected by the rule: TCP, UDP, TCP+UDP, ESP, GRE, and ICMP. TCP and UDP are the most used, GRE is used by tunnels, ESP by IPsec, and ICMP by the ping and traceroute commands.
How the traffic should be routed for this rule. Four options are available:
Static gateway: In this case an IP Address shall be provided
Uplink: The uplink that should be used for this rule. There is the option, when the uplink becomes unavailable, that the routing be carried over to the backup link corresponding to the selected uplink. This option is enabled when the checkbox next to the drop-down menu is ticked.
OpenVPN user: An OpenVPN user, chosen from those available in the drop-down menu.
L2TP user: An L2TP user, chosen from those available in the drop-down menu.
Note
At least one OpenVPN or L2TP user must already have been created to use one of the latter two options.
The type of service (TOS) can be chosen here. Four values can be chosen, depending on what is the most important characteristic of the traffic affected by that rule: default, lowdelay, reliability, or throughput.
A remark or comment to explain the purpose of this rule.
The position in which to insert the rule (relative position in the list of rules).
Tick this checkbox to enable the rule (default). If unchecked, the rule is created but not active: A rule can be enabled later.
This checkbox must be ticked to log all the packets affected by this rule.
Warning
The activation of this option may cause the size of the log files to grow dramatically.
A click on Create Rule saves the rule; to reload the routing rules with the new entry, click on the Apply button in the green callout.
See also
There is a tutorial to set up basic policy routes available here.
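The first-match evaluation described above, as an added example (Python written for this page, not the appliance’s own routing code): an ordered rule list is walked and the first enabled rule whose source, destination, protocol, port and TOS all match decides the gateway, so a broad rule placed above a narrower one shadows it. The Rule and Packet fields, the gateway labels and the exact-match TOS comparison are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "<ANY>"

@dataclass
class Rule:
    """One policy-routing rule with the fields the page's editor exposes."""
    source: str          # CIDR network or <ANY>
    destination: str     # CIDR network or <ANY>
    protocol: str        # TCP, UDP, TCP+UDP, ESP, GRE, ICMP or <ANY>
    ports: str           # "80", "0:65535" or <ANY>; only used for TCP/UDP
    tos: str             # default, lowdelay, reliability or throughput
    gateway: str         # constructed label, e.g. "uplink:main"
    enabled: bool = True
    remark: str = ""

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int = None    # None when the protocol has no ports (ICMP, ESP, GRE)
    tos: str = "default"

def _net_match(spec, addr):
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _proto_match(spec, proto):
    return spec == ANY or proto in spec.split("+")   # "TCP+UDP" covers both

def _port_match(spec, proto, dport):
    if spec == ANY or proto not in ("TCP", "UDP"):
        return True                                   # ports apply to TCP/UDP only
    lo, _, hi = spec.partition(":")                   # "80" or "0:65535"
    return dport is not None and int(lo) <= dport <= int(hi or lo)

def route(rules, pkt):
    """Return the gateway of the first enabled rule that matches, or None
    when no rule matches and the default routing table applies."""
    for rule in rules:
        if (rule.enabled
                and _net_match(rule.source, pkt.src)
                and _net_match(rule.destination, pkt.dst)
                and _proto_match(rule.protocol, pkt.protocol)
                and _port_match(rule.ports, pkt.protocol, pkt.dport)
                and rule.tos == pkt.tos):             # assumed: exact TOS match
            return rule.gateway
    return None

def demo_rules(http_first=True):
    """Constructed rule set: web traffic via the backup uplink, the rest via main."""
    http = Rule("192.168.0.0/24", ANY, "TCP", "80", "default", "uplink:backup", remark="web")
    rest = Rule("192.168.0.0/24", ANY, ANY, ANY, "default", "uplink:main", remark="catch-all")
    return [http, rest] if http_first else [rest, http]

if __name__ == "__main__":
    web = Packet("192.168.0.10", "203.0.113.5", "TCP", 80)
    print(route(demo_rules(True), web))    # uplink:backup
    print(route(demo_rules(False), web))   # uplink:main: the catch-all shadows the web rule
```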
The uplink manager allows to carry out a number of tasks that are related with the uplink and the interfaces, and in particular to define custom VLANs on the network interfaces.
By default, the uplink editor shows the available uplinks that have been created, with the following information for each: the unique ID, a Description, the Type, the Backup uplink (if defined), and the available Actions.
Note
The main uplink can not be deleted, so there is no icon for it.
Additional uplinks can be defined by clicking on the Create an uplink hyperlink above the list of uplinks. In the page that will open, the available settings differ depending on the type of uplink chosen.
Since most of the uplink’s configuration options here are the same as in the network configuration wizard and depend on the type of the uplink chosen, not all the available options are described here. Please refer to that section for the full explanation of each option.
In this section, one additional uplink type can be defined, PPTP. For this uplink, the following values are available.
This option sets whether the PPTP uplink should work in static or in DHCP mode.
If the static method has been chosen, write in these two textfields the necessary values.
Supplementary IP addresses/netmask or IP addresses/CIDR combinations can be added in the textarea below if this checkbox is ticked.
The next three options are not required but may be needed for some configurations to work, depending on the provider’s settings.
The phone number used to set up the PPTP connection.
The username for the PPTP authentication.
The password for the PPTP authentication.
Depending on the ISP, this value can be either PAP or CHAP: if unsure, keep the default value PAP or CHAP.
The IP address of the gateway used by the PPTP connection.
The remainder of the options, available for all types of uplink chosen are:
A description of the uplink.
The mode in which the uplink will operate, to be chosen between Routed, Bridged, and No uplink.
Choose the type of uplink among those available in the drop-down menu.
Note
When choosing Mobile Broadband or Analog Modem, the SIM card must be plugged in before the Endian UTM Appliance is turned on.
Tick this checkbox to enable the uplink.
This checkbox specifies whether an uplink should be enabled at boot time or not. This option proves useful for backup uplinks which are managed but do not need to be started during the boot procedure.
Tick this checkbox for the uplink to be managed. See the Uplink Information Plugin under Menubar ‣ System ‣ Dashboard for a discussion about managed and manual modes.
Tick this checkbox to disable the download of newer signatures whenever this uplink is enabled. This can prove useful for mobile or satellite connections with high data rates.
Note
Disabling signature download might result in security issues, since newer threats might not be recognised.
If enabled, an alternative connection can be chosen from a drop-down menu, which will be activated when this uplink fails.
Tick this option to enter a list of IPs or hostnames that will be pinged when the uplink fails, to check whether it has reconnected.
Hint
One of those hosts could be the provider’s DNS server or gateway.
In the advanced settings panel, three other options can be customised:
Tick the checkbox if the MAC address of the network interface associated to the uplink must be customised.
The time interval (in seconds) after which an uplink tries to reconnect if it fails. This value depends on the provider’s settings. If unsure, leave this field empty.
A custom value for the MTU size. See here for a discussion about the reasons to modify the default value.
See also
Menubar ‣ System ‣ Network Configuration
A tutorial that explains the setup of a failover uplink.
The idea behind offering VLAN support in the Endian UTM Appliance is to allow arbitrary associations of VLAN IDs to the zones and to provide an additional level of separation (and therefore another level of security) between the zones. The existing VLANs are shown in the table, if any have already been created.
A new VLAN can be defined by clicking on the Add new VLAN hyperlink above the VLAN list. In the form that will open, a few clicks suffice to create an association between an interface and a VLAN, by configuring the following options:
The physical interface to which the VLAN is connected. Only the available interfaces can be chosen from the drop-down menu. The menu also shows the link status of the interface.
The VLAN ID, which must be an integer number between 0 and 4095.
The zone with which the VLAN is associated. Only the zones that have been defined in the network configuration wizard can be selected. The option “NONE” can be chosen if that interface is used as a High Availability management port.
Warning
It is not possible to define a VLAN that serves one zone (e.g., a VLAN on BLUE) on an interface that already serves another zone (e.g., eth1 serving GREEN). When trying to do so, the form closes and a red callout appears, informing that the VLAN can not be created.
Whenever a virtual LAN is created, a new interface is created and named ethX.y, where X is the number of the interface and y is the VLAN ID. This interface is then assigned to the chosen zone and will show up as a regular interface in the various sections that report network information, like Menubar ‣ Status ‣ Network Configuration or in the Dashboard, where it can be selected to be drawn in the graph.
The wireless module presents some options to configure the Endian UTM Appliance as an access point. If not enabled, only the switch to activate wireless support is shown in the page. Upon activation, a box appears, divided in two parts by the Add new SSID link. In the upper part appears a panel carrying the overall configuration options, while in the lower part there is the list of the available SSIDs, right below a navigation and search bar and above a set of buttons to carry out an action on more SSIDs at once. The following options are available to configure the wireless module:
The Country in which the Endian UTM Appliance operates, chosen from a drop-down menu. It is used to tailor the availability of the channels.
The mode used by the wireless, in terms of 802.11 standards (b, g, or n).
The channel(s) on which the wireless should broadcast the Wireless signal. The channels available for wireless depend on the national regulations on the telecommunications.
News in the Wireless module after the 3.0.5 release.
With the 3.0.5 release (2015), the behaviour of the GUI has slightly changed. When the Country is changed, which is a choice that should happen only at the first set up, it is necessary to save the settings, before being able to choose the Wireless Mode and the Channel. If the laws and regulations change in the Country, or the Endian is brought to another Country, it may happen that the currently configured channels are not valid anymore. In this case, the Endian Appliance detects the incompatibility and falls back to the safest channel available, which is 6.
Moreover, when the hardware adapter is replaced or changed and the newer one does not support the channel configured on the older one, the Endian Appliance again falls back to channel 6.
The list of the SSIDs, which is initially empty, presents the following information: The SSID name, the zone which the wireless clients are part of, the encryption type, a remark, and the available actions, which are described below.
To add a new SSID, click on the Add new SSID to open the editor, in which to supply the following information.
The name of the SSID as it will be seen by local clients.
The SSID is broadcast by default (i.e., the checkbox is ticked) meaning that clients will see it when active. If the SSID is not broadcast, it is hidden from the client’s view and to access it, it will be necessary for the client to provide the SSID’s name.
The zone to which the clients will belong, chosen from the drop-down menu among the available ones.
The type of encryption to be used for the wireless connection. The options are: no encryption, WPA, Personal WPA2 or Enterprise WPA2.
Tick this checkbox to enable the SSID.
A custom comment on this connection.