GIF (Generic tunnel InterFace)¶
A Generic Tunneling Interface (GIF) is similar to GRE: both protocols tunnel traffic between two hosts without encryption, so neither provides confidentiality or integrity on its own. In addition to tunneling IPv4 or IPv6 directly, GIF may carry IPv6 over IPv4 networks and vice versa. GIF tunnels are commonly used to obtain IPv6 connectivity from a tunnel broker such as Hurricane Electric in locations where native IPv6 connectivity is unavailable.
See Configuring IPv6 Through A Tunnel Broker Service for information about connecting to a tunnel broker service.
GIF interfaces can carry more across the tunnel than GRE can, but GIF is not as widely supported. For example, a GIF interface can be added to a bridge to carry layer 2 between two locations (FreeBSD gif encapsulates the Ethernet frames as EtherIP in that case), while GRE cannot.
A single GIF interface carries either IPv4 or IPv6 traffic inside the tunnel, not both at the same time.
Support for GIF varies by vendor and is less common than support for GRE.
GIF Interface Settings¶
- Parent interface
The interface upon which the GIF tunnel will terminate. Often this will be WAN or a WAN-type connection.
- GIF Remote Address
The address of the remote peer: the routable external address at the other end of the tunnel, to which this firewall sends the encapsulated GIF packets. For example, in an IPv6-in-IPv4 tunnel to Hurricane Electric this is the IPv4 address of the tunnel server, such as
- GIF tunnel local address
The internal address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Client IPv6 Address.
- GIF tunnel remote address
The address used by the firewall inside the tunnel to reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Server IPv6 Address.
- GIF Tunnel Subnet
The subnet mask or prefix length for the interface address. Typically 64. This option is ignored for IPv6 addresses, where the kernel enforces a 128 prefix length instead.
- ECN Friendly Behavior
Controls whether the firewall performs the Explicit Congestion Notification (ECN)-friendly practice of copying the ECN bits of the TOS field between the inner and outer packets. By default the firewall clears the TOS field of the packets or sets it to 0, depending on the direction of the traffic. With this option set, the bits are copied as needed between the inner and outer packets so that intermediate routers that use ECN to signal congestion can act on them. This behavior breaks RFC 2893, so it must only be enabled when both peers agree to use it.
- Outer Source Filtering
When unset (the default), the firewall automatically filters incoming tunnel packets on their outer source address, so only packets from the configured remote peer are accepted. This is normally desirable and is the more secure setting. When set, that check is skipped and martian and inbound filtering of the outer traffic is not performed, which allows asymmetric routing of the outer traffic. This is less secure, but some GIF peers source traffic in this manner.
- Description
A short description of this GIF tunnel for documentation purposes.
GIF Interface Configuration¶
To create or manage a GIF interface:
- Navigate to Interfaces > Assignments, GIF tab
  The items in this list are managed in the usual way. See Managing Lists in the GUI.
- Click Add to create a new GIF instance
- Complete the settings as described in GIF Interface Settings
- Navigate to Interfaces > Assignments
- Select the new GIF interface in the Available network ports list and click Add
- Note the name given to the new interface (e.g. OPT1)
- Navigate to Interfaces > <name>, where <name> corresponds to the name of the GIF interface (e.g. OPT1)
- Check Enable interface
- Enter a new name for the interface in Description (optional)
- Click Save, then Apply Changes
Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.
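The settings in GIF Interface Settings, as the procedure above applies them, correspond to a handful of FreeBSD ifconfig(8) and route(8) commands on the firewall. The following Python is an added example, not taken from the pfSense documentation or code base: it builds those commands from the field values and enforces the constraints this page states (one inner address family per tunnel, a /128 for IPv6, the ECN and outer-source-filtering flags only when the operator chose them). The addresses are constructed documentation addresses; the flag names link1 (ECN-friendly behavior) and ignore_source (disable outer source filtering) are taken from gif(4) and should be checked against the man page of the FreeBSD release underneath the firewall in use.

```python
# Added example (not pfSense documentation or code): translate the GIF
# settings from the GUI into the FreeBSD ifconfig(8)/route(8) commands that
# realise them, applying the constraints the page states.
# Assumptions: flag names link1 (ECN-friendly) and ignore_source (skip the
# outer-source check) as documented in gif(4); all addresses below are
# constructed RFC 5737 / RFC 3849 documentation addresses.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class GifSettings:
    ifname: str                         # gifN name the firewall assigns
    outer_local: str                    # address on the parent (WAN) interface
    remote_addr: str                    # "GIF Remote Address": outer peer address
    tunnel_local: str                   # "GIF tunnel local address"
    tunnel_remote: str                  # "GIF tunnel remote address"
    tunnel_subnet: int = 64             # "GIF Tunnel Subnet"; ignored for IPv6
    ecn_friendly: bool = False          # "ECN Friendly Behavior"
    disable_outer_filter: bool = False  # "Outer Source Filtering" checkbox


def gif_commands(s: GifSettings) -> List[str]:
    """Return the ifconfig commands for these settings, or raise ValueError."""
    outer_a = ipaddress.ip_address(s.outer_local)
    outer_b = ipaddress.ip_address(s.remote_addr)
    inner_a = ipaddress.ip_address(s.tunnel_local)
    inner_b = ipaddress.ip_address(s.tunnel_remote)

    # The outer (encapsulating) packets travel over one IP version between peers.
    if outer_a.version != outer_b.version:
        raise ValueError("outer endpoints must be the same IP version")
    # A GIF tunnel carries IPv4 or IPv6 inside, not both at once, so the two
    # inner addresses must belong to the same family.
    if inner_a.version != inner_b.version:
        raise ValueError("tunnel local/remote addresses must be the same IP version")
    if inner_a == inner_b:
        raise ValueError("tunnel local and remote addresses must differ")

    cmds = [
        f"ifconfig {s.ifname} create",
        f"ifconfig {s.ifname} tunnel {outer_a} {outer_b}",
    ]
    if inner_a.version == 6:
        # Point-to-point IPv6 on gif gets a /128 regardless of the GUI subnet field.
        cmds.append(f"ifconfig {s.ifname} inet6 {inner_a} {inner_b} prefixlen 128")
    else:
        if not 0 <= s.tunnel_subnet <= 32:
            raise ValueError("IPv4 tunnel subnet must be between 0 and 32")
        mask = ipaddress.IPv4Network(f"0.0.0.0/{s.tunnel_subnet}").netmask
        cmds.append(f"ifconfig {s.ifname} inet {inner_a} {inner_b} netmask {mask}")
    # Optional flags, emitted only when chosen; both are off by default.
    if s.ecn_friendly:
        cmds.append(f"ifconfig {s.ifname} link1")           # ECN-friendly mode, gif(4)
    if s.disable_outer_filter:
        cmds.append(f"ifconfig {s.ifname} ignore_source")   # skip outer-source check
    cmds.append(f"ifconfig {s.ifname} up")
    return cmds


def route_via_tunnel(s: GifSettings, destination: str) -> str:
    """Route a prefix through the far side; the tunnel remote address is the gateway."""
    net = ipaddress.ip_network(destination, strict=False)
    gw = ipaddress.ip_address(s.tunnel_remote)
    if net.version != gw.version:
        raise ValueError("destination and tunnel remote address must share an IP version")
    family = "-inet6" if net.version == 6 else "-inet"
    dest = "default" if net.prefixlen == 0 else str(net)
    return f"route add {family} {dest} {gw}"


# Constructed tunnel-broker style settings: IPv6 inside an IPv4 tunnel.
HE_STYLE = GifSettings(
    ifname="gif0",
    outer_local="192.0.2.10",        # this firewall's WAN address
    remote_addr="198.51.100.1",      # broker's tunnel server (IPv4)
    tunnel_local="2001:db8:1::2",    # what the broker calls the Client IPv6 Address
    tunnel_remote="2001:db8:1::1",   # what the broker calls the Server IPv6 Address
)

if __name__ == "__main__":
    for line in gif_commands(HE_STYLE) + [route_via_tunnel(HE_STYLE, "::/0")]:
        print(line)
```

Running the block prints the tunnel endpoint command, the inner /128 assignment, the interface bring-up, and a default IPv6 route whose gateway is the tunnel remote address, which is the routing role the GIF tunnel remote address field describes. Mixing address families, the failure mode the page warns about, is rejected before any command is produced.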