The Network Menu¶
The network menu can be used to tweak the network configuration by adding specific hosts and routes, or configuring the uplink and adding VLANs. This menu should not be confused with the Network configuration wizard available at Menubar ‣ System ‣ Network Configuration, that allows to configure interfaces, zones, and to define uplinks. Many settings and configuration options, especially under Interfaces below are however the same found under the network wizard, to which to refer for a more detailed help.
The sub-menu on the left-hand side of the screen contains three items, each of which groups several configuration options:
- Edit hosts - define hosts for local domain name resolution
- Routing - set up static routes and policy routing
- Interfaces - edit the uplinks or create VLANs
- Wireless - set up wireless network connections
New in version 2.5: the wireless module
Edit hosts¶
The Endian UTM Appliance features a caching DNS server (dnsmasq) that reads the system’s /etc/hosts file for hostname lookups. That file contains the so-called static lookup table, in the form
Here, IP1 and IP2 are unique (numerical) IP addresses and hostname are custom names given to those IPs. In other words, each IP address can be associated with one or more names of known hosts. Custom host entries can be added to the file, that will then be resolved for all the clients connecting through the Endian UTM Appliance.
The initial screen is either empty or contains the list of hosts previously defined. Each line contains an IP address, the associated hostname, and the domain name, if specified. Two available actions are available for each entry: To edit it or to delete it.
A new entry in the file can be added by clicking on the Add a host link right above the table. A simple form will replace the table, in which to enter the IP address and hostname, which are mandatory, and the optional domain name. The choice can be confirmed by clicking on the Add Host button. To associate more hostnames to the same IP address, repeat the procedure by inserting the same IP address but a different name.
The actions available on each host are to edit or to remove it.
Warning
Deleting an host entry by clicking on the small 
icon does not require any confirmation and is not reversible. If
deleted by mistake, an entry must be re-added manually.
Routing¶
Besides the default routing table, that can be seen in Menubar ‣ Status ‣ Network status, the routing table can be improved with static and policy routing rules. This page displays a unique table that contains all the custom routings, although new rules are added from two different tabs, since they require slight different settings. The table contains a summary of the rule: the source and destination networks or zones, the gateway, a remark, and the list of available actions: Enable or disable, edit, and delete a rule.
Whenever a modification is carried out on the routing table, it is required that the changes be saved and the service be restarted.
Static routing¶
A static route allows to associate specific source and destination networks with a given gateway or uplink. A click on the Add a new route link above the table allows create new routes by defining the following fields in the form that will appear:
- Source Network
- The source network, in CIDR notation.
- Destination Network
- The destination network, in CIDR notation.
- Route Via
Four options are available to define through which means should the traffic be channeled: Static Gateway, Uplink, OpenVPN User, or L2TP User. In the case the Static Gateway is selected, the IP address of a gateway should be provided in the text box on the right. Otherwise, a drop-down will appear, proposing the choice among the available uplinks, OpenVPN iusers, or L2TP users.
New in version 2.5: Routing via OpenVPN and L2TP Users.
- Enabled
- A ticked checkbox means that the rule is enabled (default). If unchecked, then the rule is only created but not activated: It can always be enabled later.
- Remark
- A remark or comment to explain the purpose of this rule.
See also
A guide to set up basic static routes.
Policy routing¶
A policy route rule allows to associate specific network addresses, zones, or services (expressed as port and protocol) with a given uplinks. When clicking on the Create a policy routing rule link, a form will open, which seems rather more complicated then the one for static routes and very similar to the firewall rule’s editor. However, this policy rule editor is much like the previous one, but gives more control over the definition of the rule. Additionally, the setup of the rule is guided by several drop-down menus, to simplify entering the data in the following fields:
- Source
- The first drop-down menu allows to choose the source networks. More entries, one per line, are accepted, but all must belong to the same type, either: A zone or interface, OpenVPN or L2TP users, IPs or networks, or MAC addresses. Depending on the choice, different values shall be supplied. To apply the rule to all sources, select <ANY>.
- Destination
- The second drop-down menu permits the choice of the destination networks, in form of a list of IPs, networks, OpenVPN or L2TP users. Again, by selecting <ANY> the rule will match every destination.
- Service/Port
- The next two drop-down menus allow to specify the service, protocol, and a destination port for the rule when the TCP, UDP, or TCP + UDP protocols are selected. Some predefined combinations service/protocol/port exists, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports. User defined permits to specify a custom protocol and the ports to block, an option that proves useful when running services on ports different from the standard ones.
- Protocol
- The type of traffic that is interested by the rule: TCP, UDP, TCP+UDP, ESP, GRE, and ICMP. TCP and UDP are the most used, GRE is used by tunnels, ESP by IPsec, and ICMP by the ping and traceroute commands.
- Route Via
- The uplink that should be used for this rule. There is the option, when the uplink becomes unavailable, that the routing be carried over to the backup link corresponding to the selected uplink. This option is enabled when the checkbox next to the drop-down menu is ticked.
- Type Of Service
- The type of service (TOS) can be chosen here. See below for more about that.
- Remark
- A remark or comment to explain the purpose of this rule.
- Position
- The position in which to insert the rule (relative position in the list of rules).
- Enabled
- Tick this checkbox to enable the rule (default). If unchecked, the rule is created but not active: A rule can be enabled later.
- Log all accepted packets
- This checkbox must be ticked to log all the packets affected by this rule.
TOS (Type of service) and DSCP (Differentiated Services Code Point).
The TOS is an eight bit log field of the IP header of an IPv4 packet, initially intended to provide a means for the servers to manage that packet along its path to the destination. It was originally defined in RFC 791 and RFC 1349.
The binary number behind each type of service describes how this type works. The first three bits describe the precedence of the packet (000 default precedence, 111 highest precedence), the fourth bit describes the delay (0 means normal delay, 1 low delay), the fifth bit describes the throughput (1 increases throughput, 0 normal throughput), the sixth bit controls the reliability (1 increases reliability, 0 normal reliability). The last 2 bits are unused.
Due to its scarce use, the eight-bit field used for TOS was reused for DSCP, the evolution of TOS which represents a means to define Quality of Service on network traffic.
In the Endian UTM Appliance, the values for the TOS can be selected among the following, which are actually DSCP:
- Eight IP precedence values for Class Selectors (CS0-7), which denote backward compatibility with the TOS field. In other words, these are ‘true’ TOS values.
- Twelve values for Assured Forwarding (AF*xy*, x being a class from 1 to 4 and y being a ‘drop precedence’ from 1 to 3 -low, medium, high) that provide low packet loss with minimum guarantees about latency. AFs are defined in RFC 2597 and RFC 3260.
- One value for Expedited Forwarding (EF PHB), defined in RFC 3246 and used to give the highest priority to packets. It is useful for services requiring low delay, low latency, and low rate of losses, like e.g., VoIP or video streaming.
See also
A tutorial to set up basic policy routes is available here.
Interfaces¶
The uplinks manager allows to carry out a number of tasks that are related with the uplink and the interfaces, and in particular to define custom VLANs on the network interfaces.
Uplink editor¶
By default, the uplink editor shows the available uplinks that have been created. Additional uplinks are defined by clicking on the Create an uplink hyperlink above the list of uplinks. A rather long page, full of configurable options will open, that should be filled with appropriate values very similar to those in the network configuration wizard. Depending on the type of uplink chosen, the available settings will differ.
Note
Not all the available options are described here: They are the same that are present in the network configuration and depend on the type of the uplink chosen, so please refer to that section (see link below) for the full explanation of each option.
- Type
- The selection of the type of RED connection includes one additional protocol, compared to those available in the network configuration wizard: PPTP. PPTP can be configured to work in static or in DHCP mode, selectable from the respective value from the “PPTP method” drop-down. The IP address and netmask must be defined in the appropriate textfields if the static method has been chosen, in which case additional IP/netmask or IP/CIDR combinations can be added in the field below if the checkbox is ticked. Phone number, username, and password are not required but may be needed for some configurations to work, depending on the provider’s settings. The authentication method can be either PAP or CHAP: if unsure, keep the default value “PAP or CHAP”.
- Uplink is enabled
- Tick this checkbox to enable the uplink.
- Start uplink on boot
- This checkbox specifies whether an uplink should be enabled at boot time or not. This option proves useful for backup uplinks which are managed but do not need to be started during the boot procedure.
- Uplink is managed
- Tick this checkbox for the uplink to be managed. See the Uplink Information Plugin under Menubar ‣ System ‣ Dashboard for a discussion about managed and manual modes.
- if this uplink fails activate
- If enabled, an alternative connection can be chosen from a drop-down menu, which will be activated when this uplink fails.
- Check if these hosts are reachable
- Tick this option to enter a list of IP or hostnames that will be ping-ed when the uplink fails, to check whether it has reconnected.
In the advanced settings panel, two other options can be customised:
- Reconnection timeout
- The time interval (in seconds) after which an uplink tries to reconnect if it fails. This value depends on the provider’s settings. If unsure, leave this field empty.
- MTU
- A custom value for the MTU size. See here for a discussion about the reasons to modify the default value.
See also
- Network configuration, steps 1, 4, and 5.
- Menubar ‣ System ‣ Network Configuration
A tutorial that explains the setup of a failover uplink.
VLANs¶
The idea behind offering VLAN support in Endian UTM Appliance is to allow arbitrary associations of VLAN IDs to firewall zones and to provide an additional level of separation between zones. The existing VLANS are shown in the table, if any had already been created.
A new VLAN can be defined by clicking on the Add new VLAN hyperlink above the VLAN list. In the form that will open a few click suffice to create an association between an interface and a VLAN, by specifying a few values:
- Interface
- The physical interface to which the VLAN is connected to. Only the available interfaces can be chosen from the drop-down menu. The menu also shows the status of the link of the interface.
- VLAN ID
- The VLAN ID, which must be an integer number between 0 and 4095.
- Zone
- The zone to which the VLAN is associated with. Only the zones that have been defined in the network configuration wizard can be selected. The option “NONE” can be chosen, if that interface is used as a High Availability management port.
Warning
It is not possible to define a VLAN that serves one zone (e.g., a VLAN on BLUE) on an interface that already serves another zone (e.g., eth1 serving GREEN). When trying to do so, the form closes and a red callout appears, informing that the VLAN can not be created.
Whenever a virtual LAN is created, a new interface is created and named as ethX.y where X is the number of the interface and y is the VLAN ID. This interface is then assigned to the chosen zone and will show up as a regular interface in the various sections that report network information, like Menubar ‣ Status ‣ Network Configuration or in the Dashboard, where it can be selected to be drawn in the graph.
Wireless¶
New in version 2.5.
The wireless module presents some options to configure the Endian UTM Appliance as an access point. If not enabled, only the switch to activate wireless support is shown in the page. Upon activation, a box appears, divided in two parts by the Add new SSID link. In the upper part appears a panel carrying the overall configuration options, while in the lower part there is the list of the available SSIDs, right below a navigation and search bar and above a set of buttons to carry out an action on more SSIDs at once. The following options are available to configure the wireless module:
- Country
- The Country in which the Endian UTM Appliance operates, chosen from a drop-down menu. It is used to tailor the availability of the channels.
- Channel
- The channel(s) on which the wireless should broadcast the Wireless signal. The channels available for wireless depend on the national regulations on the telecommunications.
- Wireless Mode
- The mode used by the wireless, in terms of 802.11 standards (b, g, or n).
The list of the SSIDs, which is initially empty, presents the following information: The SSID name, the zone, the encryption, and a remark, which are described below.
To add a new SSID, click on the Add new SSID to open the editor, in which to supply the following information:
- SSID
- The name of the SSID as it will be seen by local clients.
- Broadcast SSID
- The SSID is broadcast by default (i.e., the checkbox is ticked) meaning that clients will see it when active. If the SSID is not broadcast, it is hidden from the client’s view and to access it, it will be necessary for the client to provide the SSID’s name.
- Zone
- The zone to which the clients will belong, chosen from the drop-down menu among the available ones.
- Encryption
- The type of encryption to be used for the wireless connection. The options are: no encryption, WPA, Personal WPA2 or Enterprise WPA2.
- Enabled
- Tick this checkbox to enable the SSID.
- Remark
- A custom comment on this connection.