Interface Configuration

To assign a new interface:

  • Navigate to Interfaces > Assignments

  • Pick the new interface from the Available network ports list

  • Click fa-plus Add

The newly assigned interface will be shown in the list. The new interface will have a default name allocated by the firewall such as OPT1 or OPT2, with the number increasing based on its assignment order. The first two interfaces default to the names WAN and LAN but they can be renamed. These OPTx names appear under the Interfaces menu, such as Interfaces > OPT1. Selecting the menu option for the interface will open the configuration page for that interface.

General Configuration

The following options are available for all interface types.


The name of the interface. Interface names may only contain letters, numbers and the only special character that is allowed is an underscore (_).

This changes the name of the interface on the Interfaces menu, on the tabs under Firewall > Rules, under Services > DHCP, and elsewhere throughout the GUI. Using a custom name makes it easier to remember the purpose of an interface and to identify an interface for adding firewall rules or choosing other per-interface functionality.

IPv4 Configuration Type

Configures the IPv4 settings for the interface. Details for this option are in the next section, IPv4 Configuration Types.

IPv6 Configuration Type

Configures the IPv6 settings for the interface. Details for this option are in IPv6 Configuration Types.

MAC address

The MAC address of an interface can be changed (“spoofed”) to mimic a previous piece of equipment, depending on the type of interface.


The best practice is to not force a specific MAC address. The old MAC address will generally be cleared out by resetting the equipment to which this firewall connects, or by clearing the ARP table, or waiting for the old ARP entries to expire. Changing the MAC address is a long-term solution to a temporary problem.

Spoofing the MAC address of the previous firewall can allow for a smooth transition from an old router to a new router, so that ARP caches on devices and upstream routers are not a concern. It can also be used to fool a piece of equipment into believing that it’s talking to the same device that it was talking to before, as in cases where a certain network router is using static ARP or otherwise filters based on MAC address. This is common on cable modems, where they may require the MAC address to be registered if it changes.


ARP cache problems tend to be very temporary, resolving automatically within minutes or by power cycling other equipment.

One downside to spoofing the MAC address is that unless the old piece of equipment is permanently retired, there is a risk of later having a MAC address conflict on the network, which can lead to connectivity problems.

If the old MAC address must be restored, this option must be emptied out and then the firewall must be rebooted. Alternately, enter the original MAC address of the network card and save/apply, then empty the value again.

MTU (Maximum Transmission Unit)

The Maximum Transmission Unit (MTU) size field can typically be left blank, but can be changed when required. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default assumed values for the WAN connection type will work properly. It can be increased for those using jumbo frames on their network.

On a typical Ethernet style network, the default value is 1500, but the actual value can vary depending on the interface configuration.

MSS (Maximum Segment Size)

Similar to the MTU field, the MSS field “clamps” the Maximum Segment Size (MSS) of TCP connections to the specified size in order to work around issues with Path MTU Discovery.

Speed and Duplex

The default value for link speed and duplex is to let the firewall decide what is best. That option typically defaults to Autoselect, which negotiates the best possible speed and duplex settings with the peer, typically a switch.

The speed and duplex setting on an interface must match the device to which it is connected. For example, when the firewall is set to Autoselect, the switch must also be configured for Autoselect. If the switch or other device has a specific speed and duplex forced, it must be matched by the firewall.

Switch Port

Netgate Appliances with an integrated switch have an option on this page which controls the link state for this interface by having it mirror the state of a switch port. In this way, a firewall interface configured as a VLAN which maps to a switch port can be set to follow the status of the physical switch port. Otherwise, since it is a VLAN attached to an internal uplink, the status would always show as up.

Consult the Netgate Product Manuals for more information on switch configuration.

Reserved Networks

Block Private Networks

When Block private networks is active, the firewall inserts a rule automatically which prevents any RFC 1918 networks (,, and loopback ( from communicating on that interface.

This option is typically only desirable on WAN type interfaces to prevent the possibility of privately numbered traffic coming in over a public interface.

Block bogon networks

When Block bogon networks is active, the firewall will block traffic from a list of unallocated and reserved networks. This list is periodically updated by the firewall automatically.


This option should only be used on external interfaces (WANs), it is not necessary on local interfaces and it can potentially block required local traffic.

See Block Bogon Networks for more details on how this feature works.