Configuration Wizard
This section describes the necessary operations to set up the UTM after the first boot. After the wizard has been successfully completed, the UTM will be registered to Endian Network and fully operational. After each step, click on the
button to proceed to the next step or on to go back to the previous step.
Welcome
Only one option is present here.
- Language
Choose from the drop-down menu the language used in the GUI among those supported: English, German, and Italian.
Service and Licence Agreement
In this screen, read the SLA carefully before proceeding to the next page. No option is present here, but by clicking on the
button in this screen, the SLA is implicitly accepted.
Configuration Mode
This page is the actual starting point for the configuration of the UTM's functionalities. Three options are present in this page. Select the preferred one by clicking on it, then click on the
button to start the setup.
- Plug & Connect
With this option, the Plug & Connect wizard starts. Use this procedure to set up a VPN connection to an existing Switchboard instance. Full documentation for this wizard can be found in section plug-and-connect.
Note
To access this procedure, the UTM must be able to access a Switchboard instance.
- Restore a backup
Selecting this option allows uploading an existing backup to the UTM and restoring a previous configuration.
The following option is available.
- Choose File
Click on this button to open a pop-up window from which to select the backup file from the local file system.
An additional option appears when clicking on Advanced settings.
- Import Registration to Endian Network
By ticking the checkbox, the registration information to Endian Network will be imported with the rest of the configuration, and the UTM will be automatically registered.
- Setup assistant
By choosing this option, a manual, guided configuration will be started, which is described in the remainder of this section.
Device access
In this page, a few basic settings can be configured.
Root & admin password
In this section, the password for the root and admin users can be set.
- Password, confirm password
Choose a strong password (which should be at least 8 characters long) to be used for both default users.
Hint
Passwords can be changed independently at a later time in sections SSH password for the root user and Users for the admin user.
Device name
In this section, the name of the computer can be set, by configuring the following options.
- Hostname
The hostname of the UTM.
- Domain name
The name of the local domain of which the UTM will be part.
Time Zone
This page is used to configure the timezone of the UTM. Two alternative methods are available:
- Timezone
Select from the drop-down menu the timezone.
- Map
Select with the mouse the country in which the UTM is located.
Network Mode
In this page, the network configuration starts, by selecting the operating mode of the Uplink (i.e., the Internet connection) used by the UTM, among three mutually exclusive choices:
- Routed
This choice corresponds to the classical uplinks available in UTM, which act as the default gateway of the network(s) that lie behind it. This mode requires that devices within the network have DHCP enabled or appropriate network settings (IP address, netmask, and gateway at least) to be able to communicate with other devices.
- Bridged
In bridged mode, the UTM acts transparently within an existing infrastructure. No change in the local device’s setup is required.
- No uplink
This choice corresponds to the mode previously known as Gateway mode and is similar to the bridged mode, but it allows remote devices to connect to the UTM and the local network.
Note
When operating in no uplink mode, it suffices to have one NIC, because only one zone is required; otherwise it is necessary to have two network cards.
Depending on the choice made, the subsequent steps of the wizard will change. The description of the routed mode follows, while the bridged and no uplink modes can be found further on.
Internet Connection
Choose how the UTM receives its IP Address for the uplink (RED zone).
- Ethernet DHCP
The RED interface receives its network configuration via (dynamic) DHCP from a local server, router, or modem, i.e., the RED interface is connected to a simple router but without the need to have a fixed address.
- Ethernet Static
The RED interface is in a LAN and has a fixed IP address and netmask, for example when connecting the RED interface to a simple router but with the convenience that the UTM is always reachable at the same IP address.
- Broadband (PPPoE)
The RED interface is directly connected to an ADSL modem. This option is only needed when the modem uses bridging mode and requires PPPoE to connect to the provider.
Hint
This option should not be confused with the Ethernet Static or Ethernet DHCP options, used to connect to ADSL routers that handle the PPPoE themselves.
- Wi-Fi
The RED interface is connected to a wireless network. No cable is needed, but a username, a password, or both might be required to access the network.
New in version 6.0.
IPv4 and CIDR notation.
An IPv4 address is a network address whose length is 32 bits, divided into four 8-bit octets. In decimal, each octet can assume any value between 0 and 255 (2^8 = 256).
When specifying a network range, the IP address of the first host on the network along with the subnet mask, or netmask for short, is given, which defines the number of hosts available in that network. The subnet is defined as the length of the network prefix, i.e., that part of the address shared by all the hosts in a network.
There are two possibilities to denote the network/netmask pair:
explicitly, i.e., both are given in dotted quad notation. For example:
network 192.168.0.0 netmask 255.255.255.0
This is a network starting at the address 192.168.0.0 with 256 hosts available, i.e., the network range from 192.168.0.0 to 192.168.0.255. The first three octets in the netmask are 255, showing that there are no free hosts (or that this part of the address is the network prefix), while the fourth is 0, meaning that all hosts (256 - 0 = 256) are available.
in CIDR notation, a more compact way to show the network range, in which the free bits instead of the free hosts are given. The same network range as above is expressed as:
192.168.0.0/24
This notation shows the length in bits of the shared part of the IP address. 24 means that the first three octets (each consisting of 8 bits) are shared, while the fourth octet is free, giving a number of free hosts that is equivalent to 32 - 24 = 8 bits, i.e., 256 hosts.
The same line of reasoning can apply to an IPv6 address, with the only difference that IPv6 addresses are 128 bits long.
Internet Connection: DHCP
Configure more settings for the DHCP connection. Click on one of the available ETH ports to assign it to the uplink, then click on the + symbol to open additional panels.
Manual DNS
This panel allows specifying custom DNS servers that override those sent by the upstream DHCP server.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Proxy support
This panel configures the connection to the Internet through an upstream proxy server.
If the uplink connection passes through a proxy server, configure it in this page.
- Address
The hostname or IP address of the upstream server.
- Port
The port on which the proxy is listening.
- Proxy server requires authentication
Tick the checkbox if it is necessary to authenticate to access the proxy server. The next two options appear.
- Username
Write the username to authenticate to the proxy.
- Password
Write the password to authenticate to the proxy.
Warning
The password will be visible, so make sure no one is peeping!
Advanced settings
The following settings are available in this panel.
- MAC Address
A custom MAC address, different from the uplink’s physical one.
- MTU
Choose a suitable value for the MTU size, if it is necessary to change it from its default value (1500).
Warning
An incorrect value of the MTU size can cause communication with the uplink to stop working, so be careful.
The MTU size.
While the vast majority of ISPs use a standard value of 1500 bytes, in some circumstances the standard MTU size turns out to be too high. If that happens, some strange network behaviours will be noticed, e.g., downloads that always stop after a while or connections that do not work at all.
If the ISP does not use a standard MTU size, it is easy to discover the correct one by sending special ICMP packets with a specific value, which can be lowered until no errors are encountered. At this point, the MTU size is correct and this value should be entered in the configuration options.
In order to send the ICMP packets, do the following:
Log in to the EFW and choose a host which can actually be reached (e.g., the ISP’s DNS, which should always be reachable) and ping that host with the following command:
ping -c1 -M do -s 1460 <host>
(Please refer to the ping(8) manpage for more info.)
If the MTU size 1460 is correct, ping replies like the following one are received:
PING 10.10.10.10 (10.10.10.10) 1460(1488) bytes of data.
1468 bytes from 10.10.10.10: icmp_seq=1 ttl=49 time=75.2 ms
If however the current MTU size is still too big for packets of the size 1460, an error message like this will appear:
PING 10.10.10.10 (62.116.64.82) 1461(1489) bytes of data.
ping: sendmsg: Message too long
Retry with different packet sizes (i.e., the value after the -s option), until the correct size has been found and no error is displayed. The value shown within brackets in the ping command’s output is the MTU size. In this example the output is 1460(1488), therefore 1488 is the value to select for the MTU size.
An MTU value lower than 1500 may also cause problems in the OpenVPN setup and require adjusting some settings there.
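The manual retry loop described above can be automated with a binary search over the payload size. The script below is an added example, not part of the original documentation or of Endian's software; the names `probe`, `find_mtu` and the `PROBE_CMD` hook are assumptions of this example, and the default probe is the same `ping -M do` command shown above (iputils ping).

```shell
#!/bin/sh
# Added example: search for the largest ICMP payload that passes with the
# "don't fragment" flag set, then report payload + 28 as the MTU.

# probe HOST SIZE -> exit status 0 if a SIZE-byte payload gets through.
# PROBE_CMD is a hook (assumption of this example) that lets the search be
# exercised without a network; by default the page's ping command is used.
probe() {
    if [ -n "${PROBE_CMD:-}" ]; then
        "$PROBE_CMD" "$1" "$2"
    else
        ping -c1 -W2 -M do -s "$2" "$1" >/dev/null 2>&1
    fi
}

# find_mtu HOST [LOW] [HIGH] -> prints the MTU, or returns 1 when even the
# smallest payload fails (host unreachable, ICMP filtered, ...).
find_mtu() {
    host=$1
    lo=${2:-548}     # payload of a 576-byte packet
    hi=${3:-1472}    # payload of a packet at the default MTU of 1500
    probe "$host" "$lo" || return 1
    # Invariant: a payload of $lo bytes passes, nothing above $hi does.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    # 20-byte IPv4 header + 8-byte ICMP header, the value ping shows in brackets.
    echo $(( lo + 28 ))
}

# Stand-alone use: ./find_mtu.sh <host>
if [ "$#" -gt 0 ]; then
    find_mtu "$@"
fi
```

A failure at the lowest size means the host cannot be used for probing at all, so pick a host that answers ICMP echo before trusting the result.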
The configuration wizard continues with the set up of a Backup Connection.
Internet Connection: Static
In this section it is possible to configure a static IP setup for the internet connection. Click on one of the available ETH ports to assign it to the uplink, then provide suitable values for the following available options.
- IP Address
Write the IP address that the UTM receives in the network.
- Subnet
Choose a suitable subnet for the zone.
- Remove
Click on this button to remove the IP Address/Subnet pair from the configuration.
Note
This button appears only if more than one IP Address has been configured on the same NIC.
- Add more
Click on this button to add another IP Address/Subnet to the network interface.
- Gateway
Write the IP address of the Gateway used by the UTM to access the Internet.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Proxy support
If the uplink connection passes through a proxy server, configure it in this page.
- Address
The hostname or IP address of the upstream server.
- Port
The port on which the proxy is listening.
- Proxy server requires authentication
Tick the checkbox if it is necessary to authenticate to access the proxy server. The next two options appear.
- Username
Write the username to authenticate to the proxy.
- Password
Write the password to authenticate to the proxy.
Warning
The password will be visible, so make sure no one is peeping!
Advanced settings
The following settings are available in this panel.
- MAC Address
A custom MAC address, different from the uplink’s physical one.
- MTU
Choose a suitable value for the MTU size, if it is necessary to change it from its default value (1500).
Warning
An incorrect value of the MTU size can cause communication with the uplink to stop working, so be careful.
The MTU size is explained in the previous section, along with a few suggestions for troubleshooting.
The configuration wizard continues with the set up of a Backup Connection.
Internet Connection: PPPoE
Configure the PPPoE connection. Click on one of the available ETH ports to assign it to the uplink, then fill in the other option, if necessary.
- Username
The username needed to authenticate.
- Password
The password that corresponds to the username.
- Authentication
Select from the drop-down menu whether PAP, CHAP, or both methods should be used to authenticate.
Hint
If unsure whether to select PAP or CHAP authentication, keep the default option.
Manual DNS
This panel allows specifying custom DNS servers that override those sent by the upstream DHCP server.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Advanced settings
These settings are usually not necessary and need to be filled in only if the ISP supplies them.
- Concentrator name
The concentrator name.
- Service name
The service name.
- MAC Address
A custom MAC address, different from the uplink’s physical one.
- MTU
The MTU size, if different from the default value of 1500 bytes.
The configuration wizard continues with the set up of a Backup Connection.
Internet Connection: Wi-Fi (client)
The uplink connects to a Wireless Network.
Right after the choice of the Wi-Fi uplink, a number of buttons will populate the page, each containing the name of a wireless connection that has been detected by the UTM and its security level (i.e., WPA2, OPEN, or whether it is a HIDDEN network). To select and configure a wireless network, click on it. The list of networks will be replaced by a couple of options to configure the selected network.
Note
When a Wi-Fi uplink is configured, it is not possible to use the UTM as a Wireless Access Point (see ): The two features are mutually exclusive.
- Back to network selection
Click on this link to go back to the list of networks.
- Password
Write in the textfield the password needed to access the network.
Stations
This informative box shows information about the access point to which the UTM is connected.
DNS configuration
This box allows manually configuring the DNS servers and overriding any DNS setting sent by the Wi-Fi device.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Static IP
Configure a static IP address if needed.
- IP Address
The static IP address assigned to the UTM.
- Subnet
The subnet of the assigned IP.
Click on this button to add another static IP address.
- Gateway
The gateway used by the UTM, needed to access external networks.
Below the list of networks, two other buttons appear:
If the desired network is hidden, it does not appear on the list. By clicking on this button it is possible to configure it, by providing the SSID name and the Security.
Click on this button to update the list of networks.
Backup Connection
Three options are available to set up a secondary connection to the Internet.
- No backup
No additional connection will be configured.
- Ethernet DHCP
Choose this option to set up an additional Internet connection with dynamically assigned IP address.
- Ethernet Static
Choose this option to set up an additional Internet connection with a static IP address.
Backup Internet Connection: DHCP
The options available here are the same as in section Internet Connection: DHCP.
Backup Internet Connection: Static
The options available here are the same as in section Internet Connection: Static.
The wizard continues with the Zones Setup.
Internet Connection: Bridged
In this page it is possible to manually configure the UTM's Internet connection, because it will not directly access the Internet. Click on one free network interface device to configure the UTM's network.
- IP Address
Write the IP address that the UTM receives in the network.
- Subnet
Choose a suitable subnet for the zone.
Click on this button to remove the IP Address/Subnet pair from the configuration.
Note
This button appears only if more than one IP Address has been configured on the same NIC.
Click on this button to add another IP Address/Subnet to the network interface.
- Gateway
Write the IP address of the Gateway used by the UTM to access the Internet.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Proxy support
If the uplink connection passes through a proxy server, configure it in this page.
- Address
The hostname or IP address of the upstream server.
- Port
The port on which the proxy is listening.
- Proxy server requires authentication
Tick the checkbox if it is necessary to authenticate to access the proxy server. The next two options appear.
- Username
Write the username to authenticate to the proxy.
- Password
Write the password to authenticate to the proxy.
Warning
The password will be visible, so make sure no one is peeping!
The wizard continues with the Zones Setup.
No uplink
In this page, configure the gateway and DNS used by the UTM to access the Internet.
- Gateway
Write the IP address of the Gateway used by the UTM to access the Internet.
- Primary DNS
Write in the textfield the IP address of the primary DNS server.
- Secondary DNS
Optionally write in the textfield the IP address of the secondary DNS server, used when the primary is not available.
Zones Setup
This page allows configuring additional zones besides the default RED and GREEN, if enough Ethernet devices are present on the system. This is always the case on Endian hardware devices, but might not be the case when setting up a software or virtual appliance.
Click on one free network interface device and a drop-down menu will appear.
- Zone
Select the zone to which the Ethernet device will be assigned, among the available choices: Not assigned (The interface will remain disabled), Device/LAN (the GREEN zone), DMZ (the ORANGE zone), and Wi-Fi (the BLUE zone, used by the Hotspot).
Note
Select multiple interfaces to assign all of them to one zone at once, and deselect those that are already assigned.
Once done, it will be possible to configure the zones one by one in the next page.
See also
The zones are detailed in section The zones.
Zones configuration
At the top of this page, one button appears for each active zone, including those selected in the previous step. By clicking on each of them, the following options can be configured.
- IP Address
Write the IP address that the UTM has in the local network.
- Subnet
Choose a suitable netmask for the zone.
- Add more
Click on this button to add another subnet to the zone.
DHCP server
This panel is used to configure the DHCP server within the zone.
- Enable DHCP Server
Tick the checkbox to show configuration options for the DHCP server.
- Range from
The starting IP address that the UTM will assign to the clients.
- Range to
The end of the interval from which the UTM will assign IP addresses to the clients.
Warning
The range assigned to the DHCP server must fall within the zone’s network.
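The warning above can be checked before the values are typed into the wizard. The script below is an added example, not part of the original documentation or of Endian's software: it converts the explicit netmask notation from the IPv4 and CIDR sidebar into a prefix length and tests whether a DHCP range lies inside a zone's network. The function names are assumptions of this example, and the sample addresses in the test are constructed.

```shell
#!/bin/sh
# Added example: netmask <-> CIDR conversion and a DHCP range check.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Returns 1 on malformed input; octets with leading zeros are rejected.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# mask_to_prefix 255.255.255.0 -> prints 24.
# Returns 1 if the mask is not a contiguous run of 1 bits.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    p=0
    while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do
        p=$(( p + 1 ))
    done
    # Every bit after the prefix must be zero.
    [ $(( m & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
    echo "$p"
}

# range_in_cidr NETWORK/PREFIX FROM TO -> exit status 0 if FROM..TO is an
# ordered range inside the network. This check is stricter than the warning:
# it also excludes the network and broadcast addresses, which cannot be
# handed out to clients.
range_in_cidr() {
    net=$(ip_to_int "${1%/*}") || return 1
    bits=${1#*/}
    case $bits in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$bits" -le 30 ] || return 1
    from=$(ip_to_int "$2") || return 1
    to=$(ip_to_int "$3") || return 1
    size=$(( 1 << (32 - bits) ))
    first=$(( net & ~(size - 1) & 0xFFFFFFFF ))
    last=$(( first + size - 1 ))
    [ "$from" -gt "$first" ] && [ "$to" -lt "$last" ] && [ "$from" -le "$to" ]
}
```

For example, `range_in_cidr 192.168.0.0/24 192.168.0.100 192.168.0.200` succeeds, while a "Range to" of 192.168.1.20 in the same zone fails.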
Outgoing Mail Server
In this section it is possible to define a default outgoing SMTP server that will be used to deliver all emails that originate from the UTM. These options can be modified or even configured at a later point from Outgoing mail server under .
- Email sender address
The address that will appear as the sender of the e-mail.
- Email recipient address for notifications
The address to which the e-mail will be sent.
- SMTP address
The IP address or domain name of the SMTP server.
- SMTP port
The port on which the SMTP server runs.
- Connection security
Choose from the drop-down menu which type of security is required by the connection, either STARTTLS or SSL/TLS.
- SMTP server required authentication
Tick the checkbox if authentication is required on the server side. The next three options appear.
- Username
The username needed to authenticate on the SMTP server.
- Password
The password needed to authenticate on the SMTP server.
- Authentication method
The authentication methods required by the SMTP server: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by ticking the checkboxes in the multiselect drop-down menu.
Setup Completed
Click on the
button to complete the setup. The configuration will be saved and applied to the UTM. Wait for a few seconds, then it will be possible to register the UTM to Endian Network.
Register to Endian Network
In this page it is possible to decide whether to register the UTM to Endian Network immediately or defer the registration. In the latter case, click on the
button. These options are available.
- Do you already have an Endian Network account?
Select Yes if you already have an account, No if you never registered an Endian device to Endian Network.
See also
The necessary steps required to register the UTM, including the creation of a new account, are described in this article https://help.endian.com/hc/en-us/articles/218144848 on Endian's help portal.