After the installer completes and the firewall reboots, the firewall software looks for network interfaces and attempts to assign interface mappings automatically.
The automatic interface assignment profiles used by the firewall are:
- RCC-VE 4860/8860
WAN: igb1, LAN: igb0
- RCC-VE 2220/2440
WAN: igb0, LAN: igb1
WAN: re1, LAN: re2
- Other Devices
For other devices the firewall looks for common interfaces and attempts to assign them appropriately, for example:
WAN: igb0, LAN: igb1
WAN: em0, LAN: em1
WAN: re1, LAN: re2
The factory firmware for devices from the Netgate Store includes additional default mappings appropriate to the hardware, which varies depending upon the hardware ordered with the device.
If the firewall cannot automatically determine the network interface layout, it will present a prompt for interface assignment as in Figure Interface Assignment Screen. This is where the network cards installed in the firewall are given their roles as WAN, LAN, and Optional interfaces (OPT1, OPT2 … OPTn).
The firewall displays a list of detected network interfaces and their MAC (Media
Access Control) addresses, along with an indication of their link state if that
is supported by the network card. The link state is denoted by
appearing after the MAC address if a link is detected on that interface.
The Media Access Control (MAC) address of a network card is a unique identifier assigned to each card, and no two network cards should have the same MAC address. If a duplicate MAC address is present on a network, either by chance or by intentional spoofing, all conflicting nodes will experience connectivity problems.
After printing the network interface list, the firewall prompts for VLAN
configuration. If VLANs are desired, answer
y, otherwise, type
For information about configuring VLANs, see Virtual LANs (VLANs).
The firewall prompts to set the WAN interface first. As the firewall typically contains more than one network card, a dilemma may present itself: How to tell which network card is which? If the identity of each card is already known, enter the proper device names for each interface. If the difference between network cards is unknown, the easiest way to figure it out is to use the auto-detection feature.
For automatic interface assignment, follow this procedure:
Unplug all network cables from the firewall
Plug a network cable into the WAN interface of the firewall
Wait a few moments for the firewall to detect the link up event
If all went well, the firewall can determine which interface to use for the WAN.
Repeat the same process for the LAN and optional interfaces, if any are necessary. If the firewall prints a message stating “No link-up detected”, see Manually Assigning Interfaces for more information on sorting out network card identities.
Once the list of interfaces for the firewall is correct, press
Enter at the
prompt for additional interfaces. The firewall will ask Do you want to
proceed (y|n)? If the network interface assignment list is correct, type
Enter. If the assignment is incorrect, type
n and press
Enter to repeat the assignment process.
In addition to the normal routing/firewall mode with multiple interfaces, a firewall may also run in Appliance Mode where it has only a single interface (WAN). The firewall places the GUI anti-lockout rule on the WAN interface so a client may access the firewall web interface from that network. The usual routing and NAT functions are not active in this mode since there is no internal interface or network. This type of configuration is useful for VPN appliances, DHCP servers, and other stand-alone roles.
Manually Assigning Interfaces¶
If the auto-detection feature did not work, there is still hope of telling the difference between network cards prior to installation. One way is by MAC address, which the firewall prints next to the interface names on the assignment screen:
vmx0 00:0c:29:50:a4:04 vmx1 00:0c:29:50:ec:2f
The MAC address is sometimes printed on a sticker somewhere physically on the network card. For virtualized systems, the virtual machine configuration usually contains the MAC address for each network card. MAC addresses are assigned by manufacturer, and there are several online databases which offer reverse lookup functionality for MAC addresses in order to find the company which made the card: http://www.8086.net/tools/mac/, http://www.coffer.com/mac_find/, and http://aruljohn.com/mac.pl, among many others.
Network cards of different makes, models, or sometimes chipsets may be detected
with different drivers. It may be possible to tell an Intel-based card using
igb driver apart from a Broadcom card using the
bge driver by
looking at the cards themselves and comparing the names printed upon the
The probe order of network cards can be unpredictable, depending on how the hardware is designed. In a few cases, devices with a large number of ports may use different chipsets that probe in different ways, resulting in an unexpected order. Add-on and Multi-port NICs are generally probed in bus order, but that can vary from board to board. If the hardware has onboard NICs that are the same brand as an add-in NIC, be aware that some systems will list the onboard NIC first, and others will not. In cases when the probe order makes multiple NICs of the same type ambiguous, it may take trial and error to determine the port placements and driver name/number combinations.
After the network cards have been identified, type the name of each card at the
interface assignment screen when prompted. In the above example,
be WAN and
vmx1 will be LAN. To assign them these roles, follow this
Enterwhen prompted for the WAN address
Enterwhen prompted for the LAN address
Enteragain to stop the assignment process, since this example does not contain any optional interfaces.
Enterto confirm the interface assignments