ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

Users Manual Part 2

USG20(W)-VPN Series User’s Guide140CHAPTER 9Interfaces9.1 Interface OverviewUse the Interface screens to configure the USG’s interfaces. You can also create interfaces on top of other interfaces. •Ports are the physical ports to which you connect cables.•Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the USG. For example, You connect the LAN network to the LAN interface. •Zones are groups of interfaces used to ease security policy configuration. 9.1.1 What You Can Do in this Chapter•Use the Port Role screen (Section 9.2 on page 145) to create port groups and to assign physical ports and port groups to Ethernet interfaces.•Use the Ethernet screens (Section 9.3 on page 146) to configure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.•Use the PPP screens (Section 9.4 on page 166) for PPPoE or PPTP Internet connections.•Use the Cellular screens (Section 9.5 on page 173) to configure settings for interfaces for Internet connections through an installed mobile broadband card.•Use the Tunnel screens (Section 9.6 on page 182) to configure tunnel interfaces to be used in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.•Use the VLAN screens (Section 9.7 on page 188) to divide the physical network into multiple logical networks. VLAN interfaces receive and send tagged frames. The USG automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.•Use the Bridge screens (Section 9.8 on page 201) to combine two or more network segments into a single network. •Use the Auxiliary screens (Section 9.9 on page 213) to configure the USG’s auxiliary interface to use an external modem.•Use the Virtual Interface screen (Section 9.9.1 on page 213) to create virtual interfaces on top of Ethernet interfaces to tell the USG where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.•Use the Trunk screens (Section 9.11 on page 218) to configure load balancing.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1419.1.2 What You Need to Know Interface CharacteristicsInterfaces generally have the following characteristics (although not all characteristics apply to each type of interface).• An interface is a logical entity through which (layer-3) packets pass.• An interface is bound to a physical port or another interface.• Many interfaces can share the same physical port.• An interface belongs to at most one zone.• Many interfaces can belong to the same zone.• Layer-3 virtualization (IP alias, for example) is a kind of interface.Types of InterfacesYou can create several types of interfaces in the USG.• Setting interfaces to the same port role forms a port group. Port groups creates a hardware connection between physical ports at the layer-2 (data link, MAC address) level. Port groups are created when you uUse the Interface > Port Roles or Interface > Port Groups screen to set multiple physical ports to be part of the same interface.•Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.•Tunnel interfaces send IPv4 or IPv6 packets from one network to a specific network through the Internet or a public network.•VLAN interfaces receive and send tagged frames. The USG automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.•Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the USG. You can also assign an IP address and subnet mask to the bridge.•PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.•Cellular interfaces are for mobile broadband WAN connections via a connected mobile broadband device.•Virtual interfaces provide additional routing information in the USG. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.•Trunk interfaces manage load balancing between interfaces.Port groups and trunks have a lot of characteristics that are specific to each type of interface. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and virtual--have a lot of similar
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide142characteristics. These characteristics are listed in the following table and discussed in more detail below.Note: - * The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, lan1, lan2, dmz; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.Relationships Between InterfacesIn the USG, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table. Table 60 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface CharacteristicsCHARACTERISTICS ETHERNET ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUALName* wan1, wan2 lan1, lan2, dmzpppxcellularx vlanxbrx**Configurable Zone No No Yes Yes Yes Yes NoIP Address AssignmentStatic IP address Yes Yes Yes Yes Yes Yes YesDHCP client Yes No Yes Yes Yes Yes NoRouting metric Yes Yes Yes Yes Yes Yes YesInterface ParametersBandwidth restrictions Yes Yes Yes Yes Yes Yes YesPacket size (MTU) Yes Yes Yes Yes Yes Yes NoDHCPDHCP server No Yes No No Yes Yes NoDHCP relay No Yes No No Yes Yes NoConnectivity Check Yes No Yes Yes Yes Yes NoTable 61 Relationships Between Different Types of InterfacesINTERFACE REQUIRED PORT / INTERFACEEthernet interface physical portVLAN interface Ethernet interfacebridge interface Ethernet interface*VLAN interface*
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide143Note: * You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.IPv6 OverviewIPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP addresses. IPv6 AddressingAn 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways:• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. • Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.Prefix and Prefix LengthSimilar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address PPP interface Ethernet interface*VLAN interface*bridge interfaceWAN1, WAN2, OPT*virtual interface(virtual Ethernet interface)(virtual VLAN interface)(virtual bridge interface)Ethernet interface*VLAN interface*bridge interfacetrunk Ethernet interfaceCellular interfaceVLAN interfacebridge interfacePPP interfaceTable 61 Relationships Between Different Types of Interfaces (continued)INTERFACE REQUIRED PORT / INTERFACE
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide144compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32means that the first 32 bits (2001:db8) from the left is the network prefix.Link-local AddressA link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows.Subnet MaskingBoth an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F). Each block’s 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.Stateless AutoconfigurationWith stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don’t need to be maintained by a DHCP server. Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own Ethernet MAC address) to form a complete IPv6 address.When IPv6 is enabled on a device, its interface automatically generates a link-local address (beginning with fe80).When the USG’s WAN interface is connected to an ISP with a router and the USG is set to automatically obtain an IPv6 network prefix from the router for the interface, it generates another address which combines its interface ID and global and subnet information advertised from the router. (In IPv6, all network interfaces can be associated with several addresses.) This is a routable global IP address.Prefix DelegationPrefix delegation enables an IPv6 router (the USG) to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The USG uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the router passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.Table 62 Link-local Unicast Address Format1111 1110 10 0 Interface ID10 bits 54 bits 64 bits
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide145IPv6 Router AdvertisementAn IPv6 router sends router advertisement messages periodically to advertise its presence and other parameters to the hosts in the same network.DHCPv6The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP.Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC address, time, vendor assigned ID and/or the vendor's private enterprise number registered with the IANA. It should not change over time even after you reboot the device.9.1.3 What You Need to Do First For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the USG first.9.2 Port Role ScreenTo access this screen, click Configuration > Network > Interface > Port Role. Use the PortRole screen to set the USG’s flexible ports as part of the lan1, lan2, or dmz interfaces. This creates a hardware connection between the physical ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security.Note the following if you are configuring from a computer connected to a lan1, lan2, or dmz port and change the port's role:• A port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet as the USG's lan1, lan2, or dmz IP address.• Use the appropriate lan1, lan2, or dmz IP address to access the USG.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide146Figure 118 Configuration > Network > Interface > Port Role The physical Ethernet ports are shown at the top and the Ethernet interfaces and zones are shown at the bottom of the screen. Use the radio buttons to select for which interface (network) you want to use each physical port. For example, select a port’s LAN radio button to use the port as part of the LAN interface. The port will use the USG’s LAN IP address and MAC address.When you assign more than one physical port to a network, you create a port group. Port groups have the following characteristics:• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security.• It can increase the bandwidth between the port group and other interfaces.• The port group uses a single MAC address.Click Apply to save your changes and apply them to the USG.Click Reset to change the port groups to their current configuration (last-saved values).9.3 Ethernet Summary ScreenThis screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure Ethernet interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > Ethernet.Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it, the Ethernet interface is effectively removed from the USG, but you can still configure it.Physical PortsDefaultinterface (ZONE)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide147Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.Use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The USG supports two routing protocols, RIP and OSPF. See Chapter 10 on page 238 for background information about these routing protocols.Figure 119 Configuration > Network > Interface > Ethernet Each field is described in the following table. Table 63 Configuration > Network > Interface > EthernetLABEL DESCRIPTIONConfiguration / IPv6 ConfigurationUse the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network. Both sections have similar fields as described below.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a virtual interface, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an interface, select it and click Activate.Inactivate To turn off an interface, select it and click Inactivate.Create Virtual InterfaceTo open the screen where you can create a virtual Ethernet interface, select an Ethernet interface and click Create Virtual Interface.Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.# This field is a sequential value, and it is not associated with any interface.Status This icon is lit when the entry is active and dimmed when the entry is inactive.Name This field displays the name of the interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1489.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, connectivity check, and MAC address settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 9.3 on page 146.)The OPT interface’s Edit > Configuration screen is shown here as an example. The screens for other interfaces are similar and contain a subset to the OPT interface screen’s fields. Note: If you create IP address objects based on an interface’s IP address, subnet, or gateway, the USG automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change the LAN’s IP address, the USG automatically updates the corresponding interface-based, LAN subnet address object.With RIP, you can use Ethernet interfaces to do the following things.• Enable and disable RIP in the underlying physical port or port group.• Select which direction(s) routing information is exchanged - The USG can receive routing information, send routing information, or do both.• Select which version of RIP to support in each direction - The USG supports RIP-1, RIP-2, and both versions.• Select the broadcasting method used by RIP-2 packets - The USG can use subnet broadcasting or multicasting.With OSPF, you can use Ethernet interfaces to do the following things.• Enable and disable OSPF in the underlying physical port or port group.• Select the area to which the interface belongs.• Override the default link cost and authentication method for the selected area.• Select in which direction(s) routing information is exchanged - The USG can receive routing information, send routing information, or do both.IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet.In the IPv4 network, this screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.In the IPv6 network, this screen also shows whether the IP address is a static IP address (STATIC), link-local IP address (LINK LOCAL), dynamically assigned (DHCP), or an IPv6 StateLess Address AutoConfiguration IP address (SLAAC). See Section 9.1.2 on page 141 for more information about IPv6.Mask This field displays the interface’s subnet mask in dot decimal notation.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 63 Configuration > Network > Interface > Ethernet (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide149Set the priority used to identify the DR or BDR if one does not exist.IGMP ProxyInternet Group Management Protocol (IGMP) proxy is used for multicast routing. IGMP proxy enables the USG to issue IGMP host messages on behalf of hosts that the USG discovered on its IGMP-enabled interfaces. The USG acts as a proxy for its hosts. Refer to the following figure.• DS: Downstream traffic• US: Upstream traffic•R: Router• MS: Multicast Server• Enable IGMP Upstream (US) on the USG interface that connects to a router (R) running IGMP that is closer to the multicast server (MS).• Enable IGMP Downstream on the USG interface which connects to the multicast hosts.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide150• Configuration > Network > Interface > Ethernet > Edit (External Type)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide151Configuration > Network > Interface > Ethernet > Edit (External Type
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide152Figure 120 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide153Configuration > Network > Interface > Ethernet > Edit (Internal Type)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide154Figure 121 Configuration > Network > Interface > Ethernet > Edit (OPT)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide155Configuration > Network > Interface > Ethernet > Edit (OPT)
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide156This screen’s fields are described in the table below. Table 64 Configuration > Network > Interface > Ethernet > EditLABEL DESCRIPTIONIPv4/IPv6 View / IPv4 View / IPv6 ViewUse this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.Show Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.General SettingsEnable Interface Select this to enable this interface. Clear this to disable this interface.General IPv6 SettingEnable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.Interface PropertiesInterface Type This field is configurable for the OPT interface only. Select to which type of network you will connect this interface. When you select internal or external the rest of the screen’s options automatically adjust to correspond. The USG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic.internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The USG automatically adds default SNAT settings for traffic flowing from this interface to an external interface.external is for connecting to an external network (like the Internet). The USG automatically adds this interface to the default WAN trunk. For general, the rest of the screen’s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface. Interface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.Port This is the name of the Ethernet interface’s physical port.Zone Select the zone to which this interface is to belong. You use zones to apply security settings such as security policy, and remote management.MAC Address This field is read-only. This is the MAC address that the Ethernet interface uses.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.IP Address AssignmentThese IP address fields configure an IPv4 IP address on the interface itself. If you change this IP address on the interface, you may also need to change a related address object for the network connected to the interface. For example, if you use this screen to change the IP address of your LAN interface, you should also change the corresponding LAN subnet address object.Get Automatically This option appears when Interface Type is external or general. Select this to make the interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.Use Fixed IP Address This option appears when Interface Type is external or general. Select this if you want to specify the IP address, subnet mask, and gateway manually.IP Address Enter the IP address for this interface.Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide157Gateway This option appears when Interface Type is external or general. Enter the IP address of the gateway. The USG sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.Metric This option appears when Interface Type is external or general. Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Enable IGMP SupportSelect this to allow the USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface.IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.IGMP Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.IPv6 Address AssignmentThese IP address fields configure an IPv6 IP address on the interface itself.Enable Stateless Address Auto-configuration (SLAAC)Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the network.Link-Local address This displays the IPv6 link-local address and the network prefix that the USG generates itself for the interface.IPv6 Address/Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Address from DHCPv6 Prefix DelegationUse this table to have the USG obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 144 for more information.To use prefix delegation, you must:• Create at least one DHCPv6 request object before configuring this table.• The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.• Assign the prefix delegation to an internal interface and enable router advertisement on that interface. Add Click this to create an entry. Edit Select an entry and click this to change the settings. Remove Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use from the drop-down list.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide158 Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The USG will append it to the delegated prefix.For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field. Address This field displays the combined IPv6 IP address for this interface.Note: This field displays the combined address after you click OK and reopen this screen.DHCPv6 SettingDUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 145 for more information.DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.Customized DUID If you want to use a customized DUID, enter it here for the interface.Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.Information Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.DHCPv6 Request Options / DHCPv6 Lease OptionsIf this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. If the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what additional information to offer to the DHCPv6 clients. Add Click this to create an entry in this table. See Section 9.3.3 on page 164 for more information. Remove Select an entry and click this to delete it from this table. Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example. # This field is a sequential value, and it is not associated with any entry. Name This field displays the name of the DHCPv6 request or lease object. Type This field displays the type of the object. Value This field displays the IPv6 prefix that the USG obtained from an uplink router (Server is selected) or will advertise to its clients (Client is selected).Interface When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.IPv6 Router Advertisement SettingEnable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 145 for more information.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide159Advertised Hosts Get Network Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6. Clear this to have the USG indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.Advertised Hosts Get Other Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain DNS information through DHCPv6.Clear this to have the USG indicate to hosts that DNS information is not available in this network.Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the USG. This helps hosts to choose their default router especially when there are multiple IPv6 router in the network.Note: Make sure the hosts also support router preference to make this function work.MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG discards the packet and sends an error message to the sender to inform this.Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.Advertised Prefix Table Configure this table only if you want the USG to advertise a fixed prefix to the network. Add Click this to create an IPv6 prefix address. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. IPv6 Address/ Prefix LengthEnter the IPv6 network prefix address and the prefix length.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Advertised Prefix from DHCPv6 Prefix DelegationThis table is available when the Interface Type is internal. Use this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix. Add Click this to create an entry in this table. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use for generating the network prefix for the network. Suffix Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The USG will append it to the selected delegated prefix. The combined address is the network prefix for the network.For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide160 Address This is the final network prefix combined by the delegated prefix and the suffix.Note: This field displays the combined address after you click OK and reopen this screen.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.Connectivity Check These fields appear when Interface Properties is External or General. The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.DHCP Setting This section appears when Interface Type is internal or general. DHCP Select what type of DHCP service the USG provides to the network. Choices are:None - the USG does not provide any DHCP services. There is already a DHCP server on the network.DHCP Relay - the USG routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.DHCP Server - the USG assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The USG is the DHCP server for the network.These fields appear if the USG is a DHCP Relay.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide161Relay Server 1 Enter the IP address of a DHCP server for the network.Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.These fields appear if the USG is a DHCP Server.IP Pool Start Address Enter the IP address from which the USG begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table.If this field is blank, the Pool Size must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the USG can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.If this field is blank, the IP Pool Start Address must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.First DNS Server, Second DNS Server, Third DNS ServerSpecify the IP addresses up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.Custom Defined - enter a static IP address.From ISP - select the DNS server that another interface received from its DHCP server.USG - the DHCP clients use the IP address of this interface and the USG works as a DNS relay.First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’ default gateway.To use another IP address as the default router, select Custom Defined and enter the IP address.Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:infinite - select this if IP addresses never expire.days, hours, and minutes - select this to enter how long IP addresses are valid.Extended Options This table is available if you selected DHCP server.Configure this table if you want to send more information to DHCP clients through DHCP packets. Add Click this to create an entry in this table. See Section 9.3.4 on page 165. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Name This is the name of the DHCP option. Code This is the code number of the DHCP option. Type This is the type of the set value for the DHCP option.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide162 Value This is the value set for the DHCP option.Enable IP/MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use only the intended users get to use specific IP addresses.Enable Logs for IP/MAC Binding ViolationSelect this option to have the USG generate a log if a device connected to this interface attempts to use an IP address that is bound to another device’s MAC address. Static DHCP Table Configure a list of static IP addresses the USG assigns to computers connected to the interface. Otherwise, the USG assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry.IP Address Enter the IP address to assign to a device with this entry’s MAC address.MAC Enter the MAC address to which to assign this entry’s IP address.Description Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.RIP Setting See Section 10.6 on page 238 for more information about RIP.Enable RIP Select this to enable RIP in this interface.Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.BiDir - This interface sends and receives routing information.In-Only - This interface receives routing information.Out-Only - This interface sends routing information.Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the USG uses multicasting.OSPF Setting See Section 10.7 on page 240 for more information about OSPF.Area Select the area in which this interface belongs. Select None to disable OSPF in this interface.Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface can not be the DR or BDR.Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.Passive Interface Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1639.3.2 Object ReferencesWhen a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object.Authentication Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. Choices are:Same-as-Area - use the default authentication method in the areaNone - disable authenticationText - authenticate OSPF routing information using a plain-text passwordMD5 - authenticate OSPF routing information using MD5 encryptionText Authentication KeyThis field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MD5 Authentication IDThis field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.MD5 Authentication KeyThis field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MAC Address SettingThis section appears when Interface Properties is External or General. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer. Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address. By default, the USG uses the factory assigned MAC address to identify itself.Overwrite Default MAC AddressSelect this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the address will be copied to the configuration file. It will not change unless you change the setting or upload a different configuration file. Related SettingConfigure PPPoE/PPTP Click PPPoE/PPTP if this interface’s Internet connection uses PPPoE or PPTP.Configure VLAN Click VLAN if you want to configure a VLAN interface for this Ethernet interface.Configure WAN TRUNK Click WAN TRUNK to go to a screen where you can set this interface to be part of a WAN trunk for load balancing.Configure Policy Route Click Policy Route to go to the policy route summary screen where you can manually associate traffic with this interface.You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to general. You can also configure a policy route to override the default routing and SNAT behavior for an interface with an Interface Type of internal or external.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 64 Configuration > Network > Interface > Ethernet > Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide164Figure 122 Object ReferencesThe following table describes labels that can appear in this screen.9.3.3 Add/Edit DHCPv6 Request/Release OptionsWhen you configure an interface as a DHCPv6 server or client, you can additionally add DHCPv6 request or lease options which have the USG to add more information in the DHCPv6 packets. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCPv6 Server or DHCPv6 Client in the DHCPv6 Setting section, and then click Add in the DHCPv6 Request Options or DHCPv6 Lease Options table.Figure 123 Configuration > Network > Interface > Ethernet > Edit > Add DHCPv6 Request/Lease Options Table 65 Object ReferencesLABEL DESCRIPTIONObject Name This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.# This field is a sequential value, and it is not associated with any entry.Service This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.Priority If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.Name This field identifies the configuration item that references the object.Description If the referencing configuration item has a description configured, it displays here. Refresh Click this to update the information in this screen.Cancel Click Cancel to close the screen.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide165Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting.9.3.4 Add/Edit DHCP Extended OptionsWhen you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options which have the USG to add more information in the DHCP packets. The available fields vary depending on the DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click Add or Edit in the Extended Options table.Figure 124 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options The following table describes labels that can appear in this screen.Table 66 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended OptionsLABEL DESCRIPTIONOption Select which DHCP option that you want to add in the DHCP packets sent through the interface. See the next table for more information. Name This field displays the name of the selected DHCP option. If you selected User Defined in the Option field, enter a descriptive name to identify the DHCP option. You can enter up to 16 characters (“a-z”, “A-Z, “0-9”, “-”, and “_”) with no spaces allowed. The first character must be alphabetical (a-z, A-Z).Code This field displays the code number of the selected DHCP option. If you selected User Defined in the Option field, enter a number for the option. This field is mandatory.Type This is the type of the selected DHCP option. If you selected User Defined in the Option field, select an appropriate type for the value that you will enter in the next field. Only advanced users should configure User Defined. Misconfiguration could result in interface lockout.Value Enter the value for the selected DHCP option. For example, if you selected TFTP Server Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This field is mandatory.First IP Address, Second IP Address, Third IP AddressIf you selected Time Server (4), NTP Server (41), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields. The servers should be listed in order of your preference.First Enterprise ID, Second Enterprise IDIf you selected VIVC (124) or VIVS (125), you have to enter at least one vendor’s 32-bit enterprise number in these fields. An enterprise number is a unique number that identifies a company. First Class, Second ClassIf you selected VIVC (124), enter the details of the hardware configuration of the host on which the client is running, or of industry consortium compliance.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide166The following table lists the available DHCP extended options (defined in RFCs) on the USG. See RFCs for more information.9.4 PPP InterfacesUse PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network.First Information, Second InformationIf you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.OK Click this to close this screen and update the settings to the previous Edit screen.Cancel Click Cancel to close the screen.Table 67 DHCP Extended OptionsOPTION NAME CODE DESCRIPTIONTime Offset 2 This option specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC).Time Server 4 This option specifies a list of Time servers available to the client.NTP Server 42 This option specifies a list of the NTP servers available to the client by IP address.TFTP Server Name 66 This option is used to identify a TFTP server when the “sname” field in the DHCP header has been used for DHCP options. The minimum length of the value is 1. Bootfile 67 This option is used to identify a bootfile when the “file” field in the DHCP header has been used for DHCP options. The minimum length of the value is 1. SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server.VIVC 124 Vendor-Identifying Vendor Class optionA DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.VIVS 125 Vendor-Identifying Vendor-Specific optionDHCP clients and servers may use this option to exchange vendor-specific information.CAPWAP AC 138 CAPWAP Access Controller addresses optionThe Control And Provisioning of Wireless Access Points Protocol allows a Wireless Termination Point (WTP) to use DHCP to discover the Access Controllers to which it is to connect. This option carries a list of IPv4 addresses indicating one or more CAPWAP ACs available to the WTP. TFTP Server 150 The option contains one or more IPv4 addresses that the client may use. The current use of this option is for downloading configuration from a VoIP server via TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server.Table 66 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide167Figure 125 Example: PPPoE/PPTP InterfacesPPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.• You must also configure an ISP account object for the PPPoE/PPTP interface to use.Each ISP account specifies the protocol (PPPoE or PPTP), as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP interface. You should not have to change any network policies.• You do not set up the subnet mask or gateway.PPPoE/PPTP interfaces are interfaces between the USG and only one computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the USG always treats the ISP as a gateway.9.4.1 PPP Interface SummaryThis screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP.Figure 126 Configuration > Network > Interface > PPP
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide168Each field is described in the table below.9.4.2 PPP Interface Add or Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.This screen lets you configure a PPPoE or PPTP interface. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure PPP interfaces used for your IPv6 networks on this screen. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.Table 68 Configuration > Network > Interface > PPPLABEL DESCRIPTIONUser Configuration / System DefaultThe USG comes with the (non-removable) System Default PPP interfaces pre-configured. You can create (and delete) User Configuration PPP interfaces. System Default PPP interfaces vary by model.Add Click this to create a new user-configured PPP interface.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a user-configured PPP interface, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Connect To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface.Disconnect To disconnect an interface, select it and click Disconnect. You might use this in testing the interface.Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.#This field is a sequential value, and it is not associated with any interface.Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.The connect icon is lit when the interface is connected and dimmed when it is disconnected.Name This field displays the name of the interface.Base Interface This field displays the interface on the top of which the PPPoE/PPTP interface is.Account Profile This field displays the ISP account used by this PPPoE/PPTP interface.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide169Figure 127 Configuration > Network > Interface > PPP > Add
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide170Each field is explained in the following table.Table 69 Configuration > Network > Interface > PPP > AddLABEL DESCRIPTIONIPv4/IPv6 View / IPv4 View / IPv6 ViewUse this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.Show Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create New Object Click this button to create an ISP Account or a DHCPv6 request object that you may use for the ISP or DHCPv6 settings in this screen.General SettingsEnable Interface Select this to enable this interface. Clear this to disable this interface.General IPv6 SettingEnable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.Interface PropertiesInterface Name Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.Base Interface Select the interface upon which this PPP interface is built.Note: Multiple PPP interfaces can use the same base interface.Zone Select the zone to which this PPP interface belongs. The zone determines the security settings the USG uses for the interface.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.ConnectivityNailed-Up Select this if the PPPoE/PPTP connection should always be up. Clear this to have the USG establish the PPPoE/PPTP connection only when there is traffic. You might use this option if a lot of traffic needs to go through the interface or it does not cost extra to keep the connection up all the time.Dial-on-Demand Select this to have the USG establish the PPPoE/PPTP connection only when there is traffic. You might use this option if there is little traffic through the interface or if it costs money to keep the connection available.ISP SettingAccount Profile Select the ISP account that this PPPoE/PPTP interface uses. The drop-down box lists ISP accounts by name. Use Create new Object if you need to configure a new ISP account (see Chapter 29 on page 528 for details).Protocol This field is read-only. It displays the protocol specified in the ISP account.User Name This field is read-only. It displays the user name for the ISP account.Service Name This field is read-only. It displays the PPPoE service name specified in the ISP account. This field is blank if the ISP account uses PPTP.IP Address AssignmentClick Show Advanced Settings to display more settings. Click Hide Advanced Settings to display fewer settings.Get Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces.Use Fixed IP Address Select this if you want to specify the IP address manually.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide171IP Address This field is enabled if you select Use Fixed IP Address.Enter the IP address for this interface.Metric Enter the priority of the gateway (the ISP) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.IPv6 Address AssignmentThese IP address fields configure an IPv6 IP address on the interface itself.Enable Stateless Address Auto-configuration (SLAAC)Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the network.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Address from DHCPv6 Prefix DelegationUse this table to have the USG obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 144 for more information.To use prefix delegation, you must:• Create at least one DHCPv6 request object before configuring this table.• The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.• Assign the prefix delegation to an internal interface and enable router advertisement on that interface. Add Click this to create an entry. Edit Select an entry and click this to change the settings. Remove Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The USG will append it to the delegated prefix.For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field. Address This field displays the combined IPv6 IP address for this interface.Note: This field displays the combined address after you click OK and reopen this screen.DHCPv6 SettingDHCPv6 Select Client to obtain an IP address and DNS information from the service provider for the interface. Otherwise, select N/A to diable the function.DUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 145 for more information.DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.Customized DUID If you want to use a customized DUID, enter it here for the interface.Table 69 Configuration > Network > Interface > PPP > Add (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide172Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.Request Address Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.DHCPv6 Request Options Use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. Add Click this to create an entry in this table. See Section 9.3.4 on page 165 for more information. Remove Select an entry and click this to delete it from this table. Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example. # This field is a sequential value, and it is not associated with any entry. Name This field displays the name of the DHCPv6 request object. Type This field displays the type of the object. Value This field displays the IPv6 prefix that the USG will advertise to its clients.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Table 69 Configuration > Network > Interface > PPP > Add (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1739.5 Cellular Configuration ScreenMobile broadband is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. Note: The actual data rate you obtain varies depending on the mobile broadband device you use, the signal strength to the service provider’s base station, and so on.You can configure how the USG’s mobile broadband device connects to a network (refer to Section 9.5.1 on page 176): • You can set the mobile broadband device to connect only to the home network, which is the network to which you are originally subscribed. • You can set the mobile broadband device to connect to other networks if the signal strength of the home network is too low or it is unavailable. 3G3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.4G4G is the fourth generation of the mobile telecommunications technology and a successor of 3G. Both the WiMAX and Long Term Evolution (LTE) standards are the 4G candidate systems. 4G only supports all-IP-based packet-switched telephony services and is required to offer gigabit speed access.Note: Note: The actual data rate you obtain varies depending on your mobile environment. The environmental factors may include the number of mobile devices which are currently connected to the mobile network, the signal strength to the mobile network, and so on.Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.Related SettingConfigure WAN TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 69 Configuration > Network > Interface > PPP > Add (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide174See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 4G wireless technologies.To change your mobile broadband WAN settings, click Configuration > Network > Interface > Cellular. Note: Install (or connect) a compatible mobile broadband USB device to use a cellular connection.Note: The WAN IP addresses of a USG with multiple WAN interfaces must be on different subnets. Table 70 2G, 2.5G, 2.75G, 3G, 3.5G and 4G Wireless TechnologiesNAME TYPE MOBILE PHONE AND DATA STANDARDS DATA SPEEDGSM-BASED CDMA-BASED2G Circuit-switchedGSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc.Interim Standard 95 (IS-95), the first CDMA-based digital cellular standard pioneered by Qualcomm. The brand name for IS-95 is cdmaOne. IS-95 is also known as TIA-EIA-95.Slow2.5G Packet-switchedGPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc.CDMA2000 is a hybrid 2.5G / 3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT, or IS-2000 and considered to be a 2.5G or 2.75G technology.2.75G Packet-switchedEnhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS (EGPRS), etc. 3G Packet-switchedUMTS (Universal Mobile Telecommunications System), a third-generation (3G) wireless standard defined in ITU specification, is sometimes marketed as 3GSM. The UMTS uses GSM infrastructures and W-CDMA (Wideband Code Division Multiple Access) as the air interface. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.CDMA2000 EV-DO (Evolution-Data Optimized, originally 1x Evolution-Data Only), also referred to as EV-DO, EVDO, or just EV, is an evolution of CDMA2000 1xRTT and enables high-speed wireless connectivity. It is also denoted as IS-856 or High Data Rate (HDR).3.5G Packet-switchedHSDPA (High-Speed Downlink Packet Access) is a mobile telephony protocol, used for UMTS-based 3G networks and allows for higher data transfer speeds. 4G/LTE Packet-switchedThe LTE (Long Term Evolution) standard is based on the GSM and UMTS network technologies. Fast
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide175Figure 128 Configuration > Network > Interface > Cellular The following table describes the labels in this screen.Table 71 Configuration > Network > Interface > CellularLABEL DESCRIPTIONAdd Click this to create a new cellular interface.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Connect To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection.Disconnect To disconnect an interface, select it and click Disconnect. You might use this in testing the interface.Object ReferencesSelect an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.# This field is a sequential value, and it is not associated with any interface.Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.The connect icon is lit when the interface is connected and dimmed when it is disconnected.Name This field displays the name of the interface.Extension Slot This field displays where the entry’s cellular card is located.Connected DeviceThis field displays the name of the cellular card.ISP Settings This field displays the profile of ISP settings that this cellular interface is set to use.Mobile Broadband Dongle SupportYou should have registered your USG at myzyxel.com. Myzyxel.com hosts a list of supported mobile broadband dongle devices. You should have an Internet connection to access this website.Latest Version This displays the latest supported mobile broadband dongle list version number.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1769.5.1 Cellular Choose Slot To change your mobile broadband settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that contains the mobile broadband device, then the Add Cellular configuration screen displays.9.5.2 Add / Edit Cellular ConfigurationThis screen displays after you select the slot that contains the mobile broadband device in the previous pop-up window.Current Version This displays the currently supported (by the USG) mobile broadband dongle list version number.Update Now If the latest version number is greater than the current version number, then click this button to download the latest list of supported mobile broadband dongle devices to the USG.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 71 Configuration > Network > Interface > Cellular (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide177Figure 129 Configuration > Network > Interface > Cellular > Add / Edit
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide178The following table describes the labels in this screen.Table 72 Configuration > Network > Interface > Cellular > Add / EditLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.General SettingsEnable Interface Select this option to turn on this interface.Interface PropertiesInterface Name Select a name for the interface. Zone Select the zone to which you want the cellular interface to belong. The zone determines the security settings the USG uses for the interface.Extension Slot This is the USB slot that you are configuring for use with a mobile broadband card.Connected Device This displays the manufacturer and model name of your mobile broadband card if you inserted one in the USG. Otherwise, it displays none.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.ConnectivityNailed-Up Select this if the connection should always be up. Clear this to have the USG to establish the connection only when there is traffic. You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available.Idle timeout This value specifies the time in seconds (0~360) that elapses before the USG automatically disconnects from the ISP’s server. Zero disables the idle timeout. ISP Settings Profile Selection Select Device to use one of the mobile broadband device’s profiles of device settings. Then select the profile (use Profile 1 unless your ISP instructed you to do otherwise).Select Custom to configure your device settings yourself.APN This field is read-only if you selected Device in the profile selection. Select Custom in the profile selection to be able to manually input the APN (Access Point Name) provided by your service provider. This field applies with a GSM or HSDPA mobile broadband card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method.You can enter up to 63 ASCII printable characters. Spaces are allowed.Dial String Enter the dial string if your ISP provides a string, which would include the APN, to initialize the mobile broadband card.You can enter up to 63 ASCII printable characters. Spaces are allowed.This field is available only when you insert a GSM mobile broadband card.Authentication Type The USG supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms.Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:None: No authentication for outgoing calls.CHAP - Your USG accepts CHAP requests only. PAP - Your USG accepts PAP requests only.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide179User Name This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this mobile broadband card exactly as the service provider gave it to you. You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must be alphanumeric or -_@$./. Spaces are not allowed.Password This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the mobile broadband card’s profile. If this field is configurable, enter the password for this SIM card exactly as the service provider gave it to you.You can use 0 ~ 63 alphanumeric and `~!@#$%^&*()_-+={}|;:'<,>./ characters. Spaces are not allowed.Retype to Confirm This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the mobile broadband card’s profile. If this field is configurable, re-enter the password for this SIM card exactly as the service provider gave it to you.SIM Card SettingPIN Code This field displays with a GSM or HSDPA mobile broadband card. A PIN (Personal Identification Number) code is a key to a mobile broadband card. Without the PIN code, you cannot use the mobile broadband card.Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the mobile broadband card may be blocked by your ISP and you cannot use the account to access the Internet.If your ISP disabled PIN code authentication, enter an arbitrary number.Retype to Confirm Type the PIN code again to confirm it.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Table 72 Configuration > Network > Interface > Cellular > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide180Check Period Enter the number of seconds between connection check attempts.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.Related SettingConfigure WAN TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.Configure Policy Route Click Policy Route to go to the policy route summary screen where you can configure a policy route to override the default routing and SNAT behavior for the interface.IP Address AssignmentGet Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address. IP Address Assignment Enter the cellular interface’s WAN IP address in this field if you selected Use Fixed IP Address. Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Device SettingsBand Selection This field appears if you selected a mobile broadband device that allows you to select the type of network to use. Select the type of mobile broadband service for your mobile broadband connection. If you are unsure what to select, check with your mobile broadband service provider to find the mobile broadband service available to you in your region.Select auto to have the card connect to an available network. Choose this option if you do not know what networks are available.You may want to manually specify the type of network to use if you are charged differently for different types of network or you only have one type of network available to you.Select GPRS / EDGE (GSM) only to have this interface only use a 2.5G or 2.75G network (respectively). If you only have a GSM network available to you, you may want to select this so the USG does not spend time looking for a WCDMA network.Select UMTS / HSDPA (WCDMA) only to have this interface only use a 3G or 3.5G network (respectively). You may want to do this if you want to make sure the interface does not use the GSM network.Select LTE only to have this interface only use a 4G LTE network. This option only appears when a USB dongle for 4G technology is inserted.Table 72 Configuration > Network > Interface > Cellular > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide181Network Selection Home network is the network to which you are originally subscribed. Select Home to have the mobile broadband device connect only to the home network. If the home network is down, the USG’s mobile broadband Internet connection is also unavailable.Select Auto (Default) to allow the mobile broadband device to connect to a network to which you are not subscribed when necessary, for example when the home network is down or another mobile broadband base station's signal is stronger. This is recommended if you need continuous Internet connectivity. If you select this, you may be charged using the rate of a different network. Budget SetupEnable Budget Control Select this to set a monthly limit for the user account of the installed mobile broadband card. You can set a limit on the total traffic and/or call time. The USG takes the actions you specified when a limit is exceeded during the month.Time Budget Select this and specify the amount of time (in hours) that the mobile broadband connection can be used within one month. If you change the value after you configure and enable budget control, the USG resets the statistics.Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes) can be transmitted via the mobile broadband connection within one month.Select Download to set a limit on the downstream traffic (from the ISP to the USG).Select Upload to set a limit on the upstream traffic (from the USG to the ISP).Select Download/Upload to set a limit on the total traffic in both directions.If you change the value after you configure and enable budget control, the USG resets the statistics.Reset time and data budget counters onSelect the date on which the USG resets the budget every month. If the date you selected is not available in a month, such as 30th or 31st, the USG resets the budget on the last day of the month.Reset time and data budget countersThis button is available only when you enable budget control in this screen.Click this button to reset the time and data budgets immediately. The count starts over with the mobile broadband connection’s full configured monthly time and data budgets. This does not affect the normal monthly budget restart; so if you configured the time and data budget counters to reset on the second day of the month and you use this button on the first, the time and data budget counters will still reset on the second.Actions when over budget Specify the actions the USG takes when the time or data limit is exceeded. Log Select None to not create a log, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the USG send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.New connection Select Allow to permit new mobile broadband connections or Disallow to drop/block new mobile broadband connections.Current connection Select Keep to maintain an existing mobile broadband connection or Drop to disconnect it. You cannot set New connection to Allow and Current connection to Drop at the same time. If you set New connection to Disallow and Current connection to Keep, the USG allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.Table 72 Configuration > Network > Interface > Cellular > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1829.6 Tunnel InterfacesThe USG uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels.GRE TunnelingGRE tunnels encapsulate a wide variety of network layer protocol packet types inside IP tunnels. A GRE tunnel serves as a virtual point-to-point link between the USG and another router over an IPv4 network. At the time of writing, the USG only supports GRE tunneling in IPv4 networks.Figure 130 GRE Tunnel ExampleIPv6 Over IPv4 TunnelsTo route traffic between two IPv6 networks over an IPv4 network, an IPv6 over IPv4 tunnel has to be used.Figure 131 IPv6 over IPv4 Network On the USG, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method:Actions when over % of time budget or % of data budget Specify the actions the USG takes when the specified percentage of time budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the USG resets the statistics.Log Select None to not create a log when the USG takes this action, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the USG send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 72 Configuration > Network > Interface > Cellular > Add / Edit (continued)LABEL DESCRIPTIONInternetIPv4 IPv4IPv6 IPv6
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide183IPv6-in-IPv4 TunnelingUse this mode on the WAN of the USG if • your USG has a public IPv4 IP address given from your ISP,and• you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network. With this mode, the USG encapsulates IPv6 packets within IPv4 packets across the Internet. You must know the WAN IP address of the remote gateway device. This mode is normally used for a site-to-site application such as two branch offices.Figure 132 IPv6-in-IPv4 Tunnel In the USG, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work.6to4 TunnelingThis mode also enables IPv6 packets to cross IPv4 networks. Unlike IPv6-in-IPv4 tunneling, you do not need to configure a policy route for a 6to4 tunnel. Through your properly pre-configuring the destination router’s IP address in the IP address assignments to hosts, the USG can automatically forward 6to4 packets to the destination they want to go. A 6to4 relay router is required to route 6to4 packets to a native IPv6 network if the packet’s destination do not match your specified criteria.In this mode, the USG should get a public IPv4 address for the WAN. The USG adds an IPv4 IP header to an IPv6 packet when transmitting the packet to the Internet. In reverse, the USG removes the IPv4 header from an IPv6 packet when receiving it from the Internet. An IPv6 address using the 6to4 mode consists of an IPv4 address, the format is as the following:2002:[a public IPv4 address in hexadecimal]::/48For example, a public IPv4 address is 202.156.30.41. The converted hexadecimal IP string is ca.9c.1Ee.29. The IPv6 address prefix becomes 2002:ca9c:1e29::/48.IPv6 IPv4 IPv6 Internet
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide184Figure 133 6to4 Tunnel9.6.1 Configuring a TunnelThis screen lists the USG’s configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel.Figure 134 Network > Interface > TunnelEach field is explained in the following table. InternetIPv6 IPv4 IPv6 IPv6 Table 73 Network > Interface > TunnelLABEL DESCRIPTIONAdd Click this to create a new GRE tunnel interface.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.#This field is a sequential value, and it is not associated with any interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1859.6.2 Tunnel Add or Edit ScreenThis screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.Name This field displays the name of the interface.IP Address This is the IP address of the interface. If the interface is active (and connected), the USG tunnels local traffic sent to this IP address to the Remote Gateway Address.Tunnel Mode This is the tunnel mode of the interface (GRE, IPv6-in-IPv4 or 6to4). This field also displays the interface’s IPv4 IP address and subnet mask if it is a GRE tunnel. Otherwise, it displays the interface’s IPv6 IP address and prefix length.My Address This is the interface or IP address uses to identify itself to the remote gateway. The USG uses this as the source for the packets it tunnels to the remote gateway.Remote Gateway AddressThis is the IP address or domain name of the remote gateway to which this interface tunnels traffic.Apply Click Apply to save your changes back to the USG.Reset Click Reset to begin configuring this screen afresh.Table 73 Network > Interface > Tunnel (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide186Figure 135 Network > Interface > Tunnel > Add/EditEach field is explained in the following table. Table 74 Network > Interface > Tunnel > Add/EditLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.General SettingsEnable Select this to enable this interface. Clear this to disable this interface.Interface PropertiesInterface Name This field is read-only if you are editing an existing tunnel interface. Enter the name of the tunnel interface. The format is tunnelx, where x is 0 - 3. For example, tunnel0.Zone Use this field to select the zone to which this interface belongs. This controls what security settings the USG applies to this interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide187Tunnel Mode Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 9.6 on page 182 for more information.IP Address AssignmentThis section is available if you are configuring a GRE tunnel.IP Address Enter the IP address for this interface.Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.IPv6 Address AssignmentThis section is available if you are configuring an IPv6-in-IPv4 or a 6to4 tunnel.IPv6 Address/Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.6to4 Tunnel ParameterThis section is available if you are configuring a 6to4 tunnel which encapsulates IPv6 to IPv4 packets.6to4 Prefix Enter the IPv6 prefix of a destination network. The USG forwards IPv6 packets to the hosts in the matched network.If you enter a prefix starting with 2002, the USG will forward the matched packets to the IPv4 IP address converted from the packets’ destination address. The IPv4 IP address can be converted from the next 32 bits after the prefix you specified in this field. See 6to4 Tunneling on page 183 for an example. The USG forwards the unmatched packets to the specified Relay Router.Relay Router Enter the IPv4 address of a 6to4 relay router which helps forward packets between 6to4 networks and native IPv6 networks.Remote Gateway Prefix Enter the IPv4 network address and network bits of a remote 6to4 gateway, for example, 14.15.0.0/16.This field works if you enter a 6to4 Prefix not starting with 2002 (2003 for example). The USG forwards the matched packets to a remote gateway with the network address you specify here, and the bits converted after the 6to4 Prefix in the packets.For example, you configure the 6to4 prefix to 2003:A0B::/32 and the remote gateway prefix to 14.15.0.0/16. If a packet’s destination is 2003:A0B:1011:5::8, the USG forwards the packet to 14.15.16.17, where the network address is 14.15.0.0 and the host address is the remain bits converted from 1011 after the packet’s 6to4 prefix (2003:A0B).Gateway SettingsMy Address Specify the interface or IP address to use as the source address for the packets this interface tunnels to the remote gateway. The remote gateway sends traffic to this interface or IP address. Remote Gateway AddressEnter the IP address or domain name of the remote gateway to which this interface tunnels traffic.Automatic displays in this field if you are configuring a 6to4 tunnel. It means the 6to4 tunnel will help forward packets to the corresponding remote gateway automatically by looking at the packet’s destination address.Table 74 Network > Interface > Tunnel > Add/Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1889.7 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.Connectivity Check This section is available if you are configuring a GRE tunnel.The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Check Port This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.Related SettingWAN TRUNK Click this link to go to a screen where you can configure WAN trunk load balancing.Policy Route Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 74 Network > Interface > Tunnel > Add/Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide189Figure 136 Example: Before VLANIn this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.Alternatively, you can divide the physical networks into three VLANs.Figure 137 Example: After VLANEach VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)• Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.• Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.This approach provides a few advantages.• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.ABCAB
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide190• Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN.• Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.In this example, the new switch handles the following types of traffic:•Inside VLAN 2.• Between the router and VLAN 1.• Between the router and VLAN 2.• Between the router and VLAN 3.VLAN Interfaces OverviewIn the USG, each VLAN is called a VLAN interface. As a router, the USG routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.Note: Each VLAN interface is created on top of only one Ethernet interface.Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.9.7.1 VLAN Summary ScreenThis screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > VLAN.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide191Figure 138 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 75 Configuration > Network > Interface > VLANLABEL DESCRIPTIONConfiguration / IPv6 ConfigurationUse the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network. Both sections have similar fields as described below.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Create Virtual InterfaceTo open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface.Object ReferencesSelect an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.#This field is a sequential value, and it is not associated with any interface.Status This icon is lit when the entry is active and dimmed when the entry is inactive.Name This field displays the name of the interface.Port/VID For VLAN interfaces, this field displays• the Ethernet interface on which the VLAN interface is created• the VLAN IDFor virtual interfaces, this field is blank.IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.Mask This field displays the interface’s subnet mask in dot decimal notation.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide1929.7.2 VLAN Add/Edit Select an existing entry in the previous scrren and click Edit or click Add to create a new entry. The following screen appears.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide193Figure 139 Configuration > Network > Interface > VLAN > Add /Edit
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide194Each field is explained in the following table. Table 76 Configuration > Network > Interface > VLAN > Add / EditLABEL DESCRIPTIONIPv4/IPv6 View / IPv4 View / IPv6 ViewUse this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.Show Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.General SettingsEnable Interface Select this to turn this interface on. Clear this to disable this interface.General IPv6 SettingEnable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.Interface PropertiesInterface Type Select one of the following option depending on the type of network to which the USG is connected or if you want to additionally manually configure some related settings.internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The USG automatically adds default SNAT settings for traffic flowing from this interface to an external interface.external is for connecting to an external network (like the Internet). The USG automatically adds this interface to the default WAN trunk. For general, the rest of the screen’s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.Interface Name This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. For example, use vlan0, vlan8, and so on. The total number of VLANs you can configure on the USG depends on the model.Zone Select the zone to which the VLAN interface belongs.Base Port Select the Ethernet interface on which the VLAN interface runs.VLAN ID Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.)Priority Code This is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table 158 on page 407. The setting configured in Configuration > BWM overwrites the priority setting here.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.IP Address AssignmentGet Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically.You should not select this if the interface is assigned to a VRRP group.Use Fixed IP Address Select this if you want to specify the IP address, subnet mask, and gateway manually.IP Address This field is enabled if you select Use Fixed IP Address.Enter the IP address for this interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide195Subnet Mask This field is enabled if you select Use Fixed IP Address.Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.Gateway This field is enabled if you select Use Fixed IP Address.Enter the IP address of the gateway. The USG sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Enable IGMP SupportSelect this to allow the USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface.IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.IGMP Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.IPv6 Address AssignmentThese IP address fields configure an IPv6 IP address on the interface itself.Enable Stateless Address Auto-configuration (SLAAC)Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the network.Link-Local address This displays the IPv6 link-local address and the network prefix that the USG generates itself for the interface.IPv6 Address/Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to configure a static IP address for this interface. This field is optional.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Address from DHCPv6 Prefix DelegationUse this table to have the USG obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 144 for more information.To use prefix delegation, you must:• Create at least one DHCPv6 request object before configuring this table.• The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.• Assign the prefix delegation to an internal interface and enable router advertisement on that interface. Add Click this to create an entry. Edit Select an entry and click this to change the settings. Remove Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide196 Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The USG will append it to the delegated prefix.For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field. Address This field displays the combined IPv6 IP address for this interface.Note: This field displays the combined address after you click OK and reopen this screen.DHCPv6 SettingDUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 145 for more information.DUID as MAC Select this to have the DUID generated from the interface’s default MAC address.Customized DUID If you want to use a customized DUID, enter it here for the interface.Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.Information Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.DHCPv6 Request Options / DHCPv6 Lease OptionsIf this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.If this interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what to offer to the DHCPv6 clients. Add Click this to create an entry in this table. See Section 9.3.3 on page 164 for more information. Remove Select an entry and click this to change the settings. Object Reference Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry. Name This field displays the name of the DHCPv6 request or lease object. Type This field displays the type of the object. Value This field displays the IPv6 prefix that the USG obtained from an uplink router (Server is selected) or will advertise to its clients (Client is selected).Interface When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.IPv6 Router Advertisement SettingTable 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide197Enable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 145 for more information.Advertised Hosts Get Network Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6. Clear this to have the USG indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.Advertised Hosts Get Other Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain DNS information through DHCPv6.Clear this to have the USG indicate to hosts that DNS information is not available in this network.Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the USG. This helps hosts to choose their default router especially when there are multiple IPv6 router in the network.Note: Make sure the hosts also support router preference to make this function work.MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments.Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.Advertised Prefix Table Configure this table only if you want the USG to advertise a fixed prefix to the network. Add Click this to create an IPv6 prefix address. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. IPv6 Address/ Prefix LengthEnter the IPv6 network prefix address and the prefix length.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Advertised Prefix from DHCPv6 Prefix DelegationUse this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix. Add Click this to create an entry in this table. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use for generating the network prefix for the network. Suffix Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The USG will append it to the selected delegated prefix. The combined address is the network prefix for the network.For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide198 Address This is the final network prefix combined by the delegated prefix and the suffix.Note: This field displays the combined address after you click OK and reopen this screen.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.Connectivity Check The USG can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces.DHCP Select what type of DHCP service the USG provides to the network. Choices are:None - the USG does not provide any DHCP services. There is already a DHCP server on the network.DHCP Relay - the USG routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.DHCP Server - the USG assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The USG is the DHCP server for the network.These fields appear if the USG is a DHCP Relay.Relay Server 1 Enter the IP address of a DHCP server for the network.Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide199These fields appear if the USG is a DHCP Server.IP Pool Start Address Enter the IP address from which the USG begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.If this field is blank, the Pool Size must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the USG can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.If this field is blank, the IP Pool Start Address must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.First DNS ServerSecond DNS ServerThird DNS ServerSpecify the IP addresses up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.Custom Defined - enter a static IP address.From ISP - select the DNS server that another interface received from its DHCP server.USG - the DHCP clients use the IP address of this interface and the USG works as a DNS relay.First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’ default gateway.To use another IP address as the default router, select Custom Defined and enter the IP address.Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:infinite - select this if IP addresses never expiredays, hours, and minutes - select this to enter how long IP addresses are valid.Extended Options This table is available if you selected DHCP server.Configure this table if you want to send more information to DHCP clients through DHCP packets. Add Click this to create an entry in this table. See Section 9.3.4 on page 165. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Name This is the option’s name. Code This is the option’s code number. Type This is the option’s type. Value This is the option’s value.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide200Enable IP/MAC Binding Select this option to have the USG enforce links between specific IP addresses and specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use only the intended users get to use specific IP addresses.Enable Logs for IP/MAC Binding ViolationSelect this option to have the USG generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device’s MAC address.Static DHCP Table Configure a list of static IP addresses the USG assigns to computers connected to the interface. Otherwise, the USG assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry.IP Address Enter the IP address to assign to a device with this entry’s MAC address.MAC Address Enter the MAC address to which to assign this entry’s IP address.Description Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.RIP Setting See Section 10.6 on page 238 for more information about RIP.Enable RIP Select this to enable RIP on this interface.Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.BiDir - This interface sends and receives routing information.In-Only - This interface receives routing information.Out-Only - This interface sends routing information.Send Version This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.Receive Version This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the USG uses multicasting.OSPF Setting See Section 10.7 on page 240 for more information about OSPF.Area Select the area in which this interface belongs. Select None to disable OSPF in this interface.Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface can not be the DR or BDR.Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface.Passive Interface Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2019.8 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.Bridge OverviewA bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.Authentication Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. Choices are:Same-as-Area - use the default authentication method in the areaNone - disable authenticationText - authenticate OSPF routing information using a plain-text passwordMD5 - authenticate OSPF routing information using MD5 encryptionText Authentication KeyThis field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MD5 Authentication IDThis field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.MD5 Authentication KeyThis field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.Related SettingConfigure WAN TRUNK Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN trunk for load balancing.Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 76 Configuration > Network > Interface > VLAN > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide202When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).In the example above, computer A sends a packet to computer B. Bridge X records the source address 0A:0A:0A:0A:0A:0A and port 2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.Bridge Interface OverviewA bridge interface creates a software bridge between the members of the bridge interface. It also becomes the USG’s interface for the resulting network.Unlike the device-wide bridge mode in ZyNOS-based USGs, this USG can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole USG as a transparent bridge, add all of the USG’s interfaces to a bridge interface. A bridge interface may consist of the following members:• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)When you create a bridge interface, the USG removes the members’ entries from the routing table and adds the bridge interface’s entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between lan1 and vlan1. Table 77 Example: Bridge Table After Computer A Sends a Packet to Computer BMAC ADDRESS PORT0A:0A:0A:0A:0A:0A 2Table 78 Example: Bridge Table After Computer B Responds to Computer AMAC ADDRESS PORT0A:0A:0A:0A:0A:0A 20B:0B:0B:0B:0B:0B 4Table 79 Example: Routing Table Before and After Bridge Interface br0 Is CreatedIP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION210.210.210.0/24 lan1 221.221.221.0/24 vlan0210.211.1.0/24 lan1:1 230.230.230.192/26 wan2221.221.221.0/24 vlan0 241.241.241.241/32 dmz222.222.222.0/24 vlan1 242.242.242.242/32 dmz230.230.230.192/26 wan2 250.250.250.0/23 br0
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide203In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed.9.8.1 Bridge SummaryThis screen lists every bridge interface and virtual interface created on top of bridge interfaces. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure bridge interfaces used for your IPv6 network on this screen. To access this screen, click Configuration > Network > Interface > Bridge.Figure 140 Configuration > Network > Interface > Bridge Each field is described in the following table. 241.241.241.241/32 dmz242.242.242.242/32 dmzTable 79 Example: Routing Table Before and After Bridge Interface br0 Is Created (continued)IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATIONTable 80 Configuration > Network > Interface > BridgeLABEL DESCRIPTIONConfiguration / IPv6 ConfigurationUse the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network. Both sections have similar fields as described below.Add Click this to create a new entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Create Virtual InterfaceTo open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2049.8.2 Bridge Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add orEdit icon in the Bridge Summary screen. The following screen appears.Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.#This field is a sequential value, and it is not associated with any interface.Status This icon is lit when the entry is active and dimmed when the entry is inactive.Name This field displays the name of the interface.IP Address This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet.This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces.Member This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 80 Configuration > Network > Interface > Bridge (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide205Figure 141 Configuration > Network > Interface > Bridge > Add / Edit
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide206Configuration > Network > Interface > Bridge > Add Each field is described in the table below.Table 81 Configuration > Network > Interface > Bridge > Add / EditLABEL DESCRIPTIONIPv4/IPv6 View / IPv4 View / IPv6 ViewUse this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.Show Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this screen.General SettingsEnable Interface Select this to enable this interface. Clear this to disable this interface.General IPv6 Setting
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide207Enable IPv6 Select this to enable IPv6 on this interface. Otherwise, clear this to disable it.Interface PropertiesInterface Type Select one of the following option depending on the type of network to which the USG is connected or if you want to additionally manually configure some related settings.internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The USG automatically adds default SNAT settings for traffic flowing from this interface to an external interface.external is for connecting to an external network (like the Internet). The USG automatically adds this interface to the default WAN trunk. For general, the rest of the screen’s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.Interface Name This field is read-only if you are editing the interface. Enter the name of the bridge interface. The format is brx, where x is 0 - 11. For example, br0, br3, and so on.Zone Select the zone to which the interface is to belong. You use zones to apply security settings such as security policy and remote management.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.Member ConfigurationAvailable This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface. An interface is not available in the following situations:• There is a virtual interface on top of it• It is already used in a different bridge interfaceSelect one, and click the >> arrow to add it to the bridge interface. Each bridge interface can only have one VLAN interface.Member This field displays the interfaces that are part of the bridge interface. Select one, and click the << arrow to remove it from the bridge interface.IP Address AssignmentGet Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically.Use Fixed IP Address Select this if you want to specify the IP address, subnet mask, and gateway manually.IP Address This field is enabled if you select Use Fixed IP Address.Enter the IP address for this interface.Subnet Mask This field is enabled if you select Use Fixed IP Address.Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.Gateway This field is enabled if you select Use Fixed IP Address.Enter the IP address of the gateway. The USG sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Enable IGMP SupportSelect this to allow the USG to act as an IGMP proxy for hosts connected on the IGMP downstream interface.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide208IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.IGMP Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts.IPv6 Address AssignmentThese IP address fields configure an IPv6 IP address on the interface itself.Enable Stateless Address Auto-configuration (SLAAC)Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 IP address itself from a prefix obtained from an IPv6 router in the network.Link-Local address This displays the IPv6 link-local address and the network prefix that the USG generates itself for the interface.IPv6 Address/Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Gateway Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Address from DHCPv6 Prefix DelegationUse this table to have the USG obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. You have to also enter a suffix address which is appended to the delegated prefix to form an address for this interface. See Prefix Delegation on page 144 for more information.To use prefix delegation, you must:• Create at least one DHCPv6 request object before configuring this table.• The external interface must be a DHCPv6 client. You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix-delegation.• Assign the prefix delegation to an internal interface and enable router advertisement on that interface. Add Click this to create an entry. Edit Select an entry and click this to change the settings. Remove Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use from the drop-down list. Suffix Address Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The USG will append it to the delegated prefix.For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 in this field. Address This field displays the combined IPv6 IP address for this interface.Note: This field displays the combined address after you click OK and reopen this screen.DHCPv6 SettingDUID This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 145 for more information.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide209DUID as MAC Select this if you want the DUID is generated from the interface’s default MAC address.Customized DUID If you want to use a customized DUID, enter it here for the interface.Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load.Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.Information Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.Request Address This field is available if you set this interface to DHCPv6 Client. Select this to get an IPv6 IP address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6.DHCPv6 Request Options / DHCPv6 Lease OptionsIf this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.If the interface is a DHCPv6 server, use this section to configure DHCPv6 lease settings that determine what to offer to the DHCPv6 clients. Add Click this to create an entry in this table. See Section 9.3.3 on page 164 for more information. Remove Select an entry and click this to change the settings. Object Reference Select an entry and click this to delete it from this table. # This field is a sequential value, and it is not associated with any entry. Name This field displays the name of the DHCPv6 request or lease object. Type This field displays the type of the object. Value This field displays the IPv6 prefix that the USG obtained from an uplink router (Server is selected) or will advertise to its clients (Client is selected).Interface When Relay is selected, select this check box and an interface from the drop-down list if you want to use it as the relay server.Relay Server When Relay is selected, select this check box and enter the IP address of a DHCPv6 server as the relay server.IPv6 Router Advertisement SettingEnable Router Advertisement Select this to enable this interface to send router advertisement messages periodically. See IPv6 Router Advertisement on page 145 for more information.Advertised Hosts Get Network Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6. Clear this to have the USG indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.Advertised Hosts Get Other Configuration From DHCPv6Select this to have the USG indicate to hosts to obtain DNS information through DHCPv6.Clear this to have the USG indicate to hosts that DNS information is not available in this network.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide210Router Preference Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the USG. This helps hosts to choose their default router especially when there are multiple IPv6 router in the network.Note: Make sure the hosts also support router preference to make this function work.MTU The Maximum Transmission Unit. Type the maximum size of each IPv6 data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments.Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination. When forwarding an IPv6 packet, IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0.Advertised Prefix Table Configure this table only if you want the USG to advertise a fixed prefix to the network. Add Click this to create an IPv6 prefix address. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. IPv6 Address/ Prefix LengthEnter the IPv6 network prefix address and the prefix length.The prefix length indicates what the left-most part of the IP address is the same for all computers in the network, that is, the network address.Advertised Prefix from DHCPv6 Prefix DelegationUse this table to configure the network prefix if you want to use a delegated prefix as the beginning part of the network prefix. Add Click this to create an entry in this table. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Delegated Prefix Select the DHCPv6 request object to use for generating the network prefix for the network. Suffix Address Enter the ending part of the IPv6 network address plus a slash (/) and the prefix length. The USG will append it to the selected delegated prefix. The combined address is the network prefix for the network.For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix. Address This is the final network prefix combined by the selected delegated prefix and the suffix.Note: This field displays the combined address after you click OK and reopen this screen.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide211Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.MTU Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the USG divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.DHCP SettingDHCP Select what type of DHCP service the USG provides to the network. Choices are:None - the USG does not provide any DHCP services. There is already a DHCP server on the network.DHCP Relay - the USG routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.DHCP Server - the USG assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The USG is the DHCP server for the network.These fields appear if the USG is a DHCP Relay.Relay Server 1 Enter the IP address of a DHCP server for the network.Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network.These fields appear if the USG is a DHCP Server.IP Pool Start Address Enter the IP address from which the USG begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.If this field is blank, the Pool Size must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the USG can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.If this field is blank, the IP Pool Start Address must also be blank. In this case, the USG can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.First DNS ServerSecond DNS ServerThird DNS ServerSpecify the IP addresses up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.Custom Defined - enter a static IP address.From ISP - select the DNS server that another interface received from its DHCP server.USG - the DHCP clients use the IP address of this interface and the USG works as a DNS relay.First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Default Router If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’ default gateway.To use another IP address as the default router, select Custom Defined and enter the IP address.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide212Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:infinite - select this if IP addresses never expiredays, hours, and minutes - select this to enter how long IP addresses are valid.Extended Options This table is available if you selected DHCP server.Configure this table if you want to send more information to DHCP clients through DHCP packets. Add Click this to create an entry in this table. See Section 9.3.4 on page 165. Edit Select an entry in this table and click this to modify it. Remove Select an entry in this table and click this to delete it. # This field is a sequential value, and it is not associated with any entry. Name This is the option’s name. Code This is the option’s code number. Type This is the option’s type. Value This is the option’s value.Enable IP/MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use only the intended users get to use specific IP addresses.Enable Logs for IP/MAC Binding ViolationSelect this option to have the USG generate a log if a device connected to this interface attempts to use an IP address that is bound to another device’s MAC address.Static DHCP Table Configure a list of static IP addresses the USG assigns to computers connected to the interface. Otherwise, the USG assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry.IP Address Enter the IP address to assign to a device with this entry’s MAC address.MAC Address Enter the MAC address to which to assign this entry’s IP address.Description Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.Connectivity Check The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the USG stops routing to the gateway. The USG resumes routing to the gateway the first time the gateway passes the connectivity check.Enable Connectivity CheckSelect this to turn on the connection check.Check Method Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period Enter the number of seconds between connection check attempts.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2139.9 Virtual Interfaces Use virtual interfaces to tell the USG where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 21 on page 332).Virtual interfaces can be created on top of Ethernet interfaces, VLAN interfaces, or bridge interfaces. Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, security policies) that apply to the underlying interface automatically apply to the virtual interface as well.Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you can restrict bandwidth through virtual interfaces, but you cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.9.9.1 Virtual Interfaces Add/EditThis screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click the Create Virtual Interface icon in the Ethernet, VLAN, or bridge interface summary screen.Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.Check Fail Tolerance Enter the number of consecutive failures before the USG stops routing through the gateway.Check Default Gateway Select this to use the default gateway for the connectivity check.Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.Related SettingConfigure WAN TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing.Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this bridge interface.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 81 Configuration > Network > Interface > Bridge > Add / Edit (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide214Figure 142 Configuration > Network > Interface > Create Virtual InterfaceEach field is described in the table below. Table 82 Configuration > Network > Interface > Create Virtual InterfaceLABEL DESCRIPTIONInterface PropertiesInterface Name This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.Description Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.IP Address AssignmentIP Address Enter the IP address for this interface.Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.Gateway Enter the IP address of the gateway. The USG sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.Metric Enter the priority of the gateway (if any) on this interface. The USG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the USG uses the one that was configured first.Interface ParametersEgress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the USG can send through the interface to the network. Allowed values are 0 - 1048576.Ingress Bandwidth This is reserved for future use.Enter the maximum amount of traffic, in kilobits per second, the USG can receive from the network through the interface. Allowed values are 0 - 1048576.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2159.10 Interface Technical ReferenceHere is more detailed information about interfaces on the USG.IP Address AssignmentMost interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.Figure 143 Example: Entry in the Routing Table Derived from InterfacesFor example, if the USG gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1. If the USG gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1.In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually.In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.In the example above, if the USG gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the USG should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2. In this case, the USG creates the following entry in the routing table.Table 83 Example: Routing Table Entries for InterfacesIP ADDRESS(ES) DESTINATION100.100.1.1/16 lan1200.200.200.1/24 wan1Table 84 Example: Routing Table Entry for a GatewayIP ADDRESS(ES) DESTINATION0.0.0.0/0 200.200.200.100lan1 wan1
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide216The gateway is an optional setting for each interface. If there is more than one gateway, the USG uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the USG uses the one that was set up first (the first entry in the routing table). In PPPoE/PPTP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.Interface Parameters The USG restricts the amount of traffic into and out of the USG through each interface.• Egress bandwidth sets the amount of traffic the USG sends out through the interface to the network.• Ingress bandwidth sets the amount of traffic the USG allows in through the interface from the network.At the time of writing, the USG does not support ingress bandwidth management.If you set the bandwidth restrictions very high, you effectively remove the restrictions.The USG also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the USG divides it into smaller fragments. Each fragment is sent separately, and the original packet is re-assembled later. The smaller the MTU, the more fragments sent, and the more work required to re-assemble packets correctly. On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets.DHCP SettingsDynamic Host Configuration Protocol (DHCP, RFC 2131, RFC 2132) provides a way to automatically set up and maintain IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently.In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client.In the USG, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server.As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.As a DHCP server, the interface provides the following information to DHCP clients.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide217• IP address - If the DHCP client’s MAC address is in the USG’s static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.The USG cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface’s IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the USG cannot assign 50.50.50.0 or 50.50.50.255. If the subnet mask is 255.255.0.0, the USG cannot assign 50.50.0.0 or 50.50.255.255. Otherwise, it can assign every IP address in the range, except the interface’s IP address.If you do not specify the starting address or the pool size, the interface the maximum range of IP addresses allowed by the interface’s IP address and subnet mask. For example, if the interface’s IP address is 9.9.9.1 and subnet mask is 255.255.255.0, the starting IP address in the pool is 9.9.9.2, and the pool size is 253.• Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 215.• Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 215.• DNS servers - The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company’s own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.WINSWINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network’s computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name’s IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.PPPoE/PPTP OverviewPoint-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:• The access and authentication method works with existing systems, including RADIUS.• You can access one of several network services. This makes it easier for the service provider to offer the serviceTable 85 Example: Assigning IP Addresses from a PoolSTART IP ADDRESS POOL SIZE RANGE OF ASSIGNED IP ADDRESS50.50.50.33 5 50.50.50.33 - 50.50.50.3775.75.75.1 200 75.75.75.1 - 75.75.75.20099.99.1.1 1023 99.99.1.1 - 99.99.4.255120.120.120.100 100 120.120.120.100 - 120.120.120.199
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide218• PPPoE does not usually require any special configuration of the modem.PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP environments. It sets up two sessions.1The first one runs on TCP port 1723. It is used to start and manage the second one.2The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.9.11 Trunk Overview Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths. You could set up a trunk that uses spillover or weighted round robin load balancing so time-sensitive traffic (like video) usually goes through the higher-bandwidth interface. For other traffic, you might want to use least load first load balancing to even out the distribution of the traffic load.Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B. Or maybe one of the USG's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface (connected to another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface’s connection is up.•Use the Trunk summary screen (Section 9.12 on page 221) to view the list of configured trunks and which load balancing algorithm each trunk uses.•Use the Add Trunk screen (Section 9.12.1 on page 222) to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses.•Use the Add System Default screen (Section 9.12.2 on page 224) to configure the load balancing algorithm for the system default trunk.9.11.1 What You Need to Know• Add WAN interfaces to trunks to have multiple connections share the traffic load. • If one WAN interface’s connection goes down, the USG sends traffic through another member of the trunk. • For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The USG balances the WAN traffic load between the connections. If one interface's connection goes down, the USG can automatically send its traffic through another interface.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide219You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. • If that interface’s connection goes down, the USG can still send its traffic through another interface.• You can define multiple trunks for the same physical interfaces. 1LAN user A logs into server B on the Internet. The USG uses wan1 to send the request to server B. 2The USG is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through wan2.3The server finds that the request comes from wan2’s IP address instead of wan1’s IP address and rejects the request.If link sticking had been configured, the USG would have still used wan1 to send LAN user A’s request to the server and server would have given the user A access.Load Balancing Algorithms The following sections describe the load balancing algorithms the USG can use to decide which interface the traffic (from the LAN) should use for a session. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. The available bandwidth you configure on the USG refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using. Least Load First The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth. Here the USG has two WAN interfaces connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.Figure 144 Least Load First ExampleThe outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The USG calculates the load balancing index as shown in the table below.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide220Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the USG will send the subsequent new session traffic through WAN 2.Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the USG to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the USG to distribute the network traffic between the two interfaces by setting the weight of wan1 and wan2 to 2 and 1 respectively. The USG assigns the traffic of two sessions to wan1 and one session's traffic to wan2 in each round of 3 new sessions.Figure 145 Weighted Round Robin Algorithm ExampleSpilloverThe spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them.Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface.In this example figure, the upper threshold of the first interface is set to 800K. The USG sends network traffic of new sessions that exceed this limit to the secondary WAN interface.Table 86 Least Load First Example INTERFACE OUTBOUND LOAD BALANCING INDEX (M/A)AVAILABLE (A) MEASURED (M) WAN 1 512 K 412 K 0.8WAN 2 256 K 198 K 0.77
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide221Figure 146 Spillover Algorithm Example9.12 The Trunk Summary ScreenClick Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.Figure 147 Configuration > Network > Interface > Trunk The following table describes the items in this screen. Table 87 Configuration > Network > Interface > TrunkLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Configuration Configure what to do with existing passive mode interface connections when an interface set to active mode in the same trunk comes back up.Disconnect Connections Before Falling BackSelect this to terminate existing connections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2229.12.1 Configuring a User-Defined TrunkClick Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a WAN trunk entry.Figure 148 Configuration > Network > Interface > Trunk > Add (or Edit) Enable Default SNAT Select this to have the USG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The USG automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.Default Trunk SelectionSelect whether the USG is to use the default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces.User Configuration / System DefaultThe USG automatically adds all external interfaces into the pre-configured system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it. You can create your own User Configuration trunks and customize the algorithm, member interfaces and the active/passive mode.Add Click this to create a new user-configured trunk.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a user-configured trunk, select it and click Remove. The USG confirms you want to remove it before doing so.Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 9.3.2 on page 163 for an example.# This field is a sequential value, and it is not associated with any interface.Name This field displays the label that you specified to identify the trunk.Algorithm This field displays the load balancing method the trunk is set to use. Apply Click this button to save your changes to the USG. Reset Click this button to return the screen to its last-saved settings. Table 87 Configuration > Network > Interface > Trunk (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide223Each field is described in the table below. Table 88 Configuration > Network > Interface > Trunk > Add (or Edit)LABEL DESCRIPTIONName This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Load Balancing AlgorithmSelect a load balancing method to use from the drop-down list box. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces is 2:1, the USG chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic in each round of 3 new sessions.Select Least Load First to send new session traffic through the least utilized trunk member.Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used (and so on).Load Balancing Index(es)This field is available if you selected to use the Least Load First or Spillover method.Select Outbound, Inbound, or Outbound + Inbound to set the traffic to which the USG applies the load balancing method. Outbound means the traffic traveling from an internal interface (ex. LAN) to an external interface (ex. WAN). Inbound means the opposite.The table lists the trunk’s member interfaces. You can add, edit, remove, or move entries for user configured trunks.Add Click this to add a member interface to the trunk. Select an interface and click Add to add a new member interface after the selected member interface.Edit Select an entry and click Edit to modify the entry’s settings. Remove To remove a member interface, select it and click Remove. The USG confirms you want to remove it before doing so.Move To move an interface to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface.# This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.Member Click this table cell and select an interface to be a group member. If you select an interface that is part of another Ethernet interface, the USG does not send traffic through the interface as part of the trunk. For example, if you have physical port 5 in the ge2 representative interface, you must select interface ge2 in order to send traffic through port 5 as part of the trunk. If you select interface ge5 as a member here, the USG will not send traffic through port 5 as part of the trunk.Mode Click this table cell and select Active to have the USG always attempt to use this connection.Select Passive to have the USG only use this connection when all of the connections set to active are down. You can only set one of a group’s interfaces to passive mode.Weight This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio. This ratio determines how much traffic the USG assigns to each member interface. The higher an interface’s weight is (relative to the weights of the interfaces), the more sessions that interface should handle.
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide2249.12.2 Configuring the System Default Trunk In the Configuration > Network > Interface > Trunk screen and the System Default section, select the default trunk entry and click Edit to open the following screen. Use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface.Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk. Figure 149 Configuration > Network > Interface > Trunk > Edit (System Default) Ingress Bandwidth This is reserved for future use.This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the USG is to allow to come in through the interface per second. Note: You can configure the bandwidth of an interface in the corresponding interface edit screen.Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the USG is to send out through the interface per second.Note: You can configure the bandwidth of an interface in the corresponding interface edit screen.Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the USG sends new session traffic through the next interface. The traffic of existing sessions still goes through the interface on which they started.The USG uses the group member interfaces in the order that they are listed. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 88 Configuration > Network > Interface > Trunk > Add (or Edit) (continued)LABEL DESCRIPTION
Chapter 9 InterfacesUSG20(W)-VPN Series User’s Guide225Each field is described in the table below. Table 89 Configuration > Network > Interface > Trunk > Edit (System Default)LABEL DESCRIPTIONName This field displays the name of the selected system default trunk.Load Balancing AlgorithmSelect the load balancing method to use for the trunk.Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces is 2:1, the USG chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic in each round of 3 new sessions.Select Least Load First to send new session traffic through the least utilized trunk member.Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used (and so on).The table lists the trunk’s member interfaces. This table is read-only.# This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.Member This column displays the name of the member interfaces. Mode This field displays Active if the USG always attempt to use this connection.This field displays Passive if the USG only use this connection when all of the connections set to active are down. Only one of a group’s interfaces can be set to passive mode.Weight This field displays with the weighted round robin load balancing algorithm. Specify the weight (1~10) for the interface. The weights of the different member interfaces form a ratio. sIngress Bandwidth This is reserved for future use.This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the USG is to allow to come in through the interface per second. Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the USG is to send out through the interface per second.Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the USG sends new session traffic through the next interface. The traffic of existing sessions still goes through the interface on which they started.The USG uses the group member interfaces in the order that they are listed.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.
USG20(W)-VPN Series User’s Guide226CHAPTER 10Routing10.1 Policy and Static Routes OverviewUse policy routes and static routes to override the USG’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the USG’s LAN interface. The USG routes most traffic from Ato the Internet through the USG’s default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN.Figure 150 Example of Policy Routing TopologyNote: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers. 10.1.1 What You Can Do in this Chapter•Use the Policy Route screens (see Section 10.2 on page 228) to list and configure policy routes. •Use the Static Route screens (see Section 10.3 on page 235) to list and configure static routes.WANR1R2AR3LAN
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide22710.1.2 What You Need to Know Policy RoutingTraditionally, routing is based on the destination address only and the USG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.How You Can Use Policy Routing• Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.• Bandwidth Shaping – You can allocate bandwidth to traffic that matches routing policies and prioritize traffic. You can also use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.• Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.• Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.• NAT - The USG performs NAT by default for traffic going to or from the WAN interfaces. A routing policy’s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.Note: The USG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces. For example LAN to WAN traffic.Static RoutesThe USG usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the USG send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 10 on page 238 for more on RIP and OSPF.Policy Routes Versus Static Routes• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.• Policy routes are only used within the USG itself. Static routes can be propagated to other routers using RIP or OSPF. • Policy routes take priority over static routes. If you need to use a routing policy on the USG and propagate it to other routers, you could configure a policy route and an equivalent static route.DiffServQoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide228DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.DSCP Marking and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field. DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network device will not conflict with the DSCP mapping.The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.10.2 Policy Route ScreenClick Configuration > Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.The actions that can be taken include:• Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.• Limiting the amount of bandwidth available and setting a priority for traffic.IPPR follows the existing packet filtering facility of RAS in style and in implementation.If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen.Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information.DSCP (6 bits) Unused (2 bits)
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide229Figure 151 Configuration > Network > Routing > Policy Route The following table describes the labels in this screen. Table 90 Configuration > Network > Routing > Policy RouteLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Enable BWM This is a global setting for enabling or disabling bandwidth management on the USG. You must enable this setting to have individual policy routes apply bandwidth management. IPv4 Configuration / IPv6 ConfigurationUse the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network. Both sections have similar fields as described below.Use IPv4/IPv6 Policy Route to Override Direct RouteSelect this to have the USG forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Move To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.The ordering of your rules is important as they are applied in order of their numbering.#This is the number of an individual policy route.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide23010.2.1 Policy Route Edit ScreenClick Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon in the IPv4 Configuration or IPv6 Configuration section. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. Both IPv4 and IPv6 policy route have similar settings except the Address Translation (SNAT) settings.Status This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive.User This is the name of the user (group) object from which the packets are sent. any means all users.Schedule This is the name of the schedule object. none means the route is active at all times if enabled.Incoming This is the interface on which the packets are received.Source This is the name of the source IP address (group) object. any means all IP addresses.Destination This is the name of the destination IP address (group) object. any means all IP addresses.DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 237 for more details.Service This is the name of the service object. any means all services.Source Port This is the name of a service object. The USG applies the policy route to the packets sent from the corresponding service port. any means all service ports.Next-Hop This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or trunk.DSCP Marking This is how the USG handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the USG applies that DSCP value to the route’s outgoing packets.preserve means the USG does not modify the DSCP value of the route’s outgoing packets. default means the USG sets the DSCP value of the route’s outgoing packets to 0.The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 237 for more details.SNAT This is the source IP address that the route uses.It displays none if the USG does not perform NAT for this route.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 90 Configuration > Network > Routing > Policy Route (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide231Figure 152 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide232Figure 153 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration)The following table describes the labels in this screen. Table 91 Configuration > Network > Routing > Policy Route > Add/EditLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create new Object Use this to configure any new settings objects that you need to use in this screen.ConfigurationEnable Select this to activate the policy.Description Enter a descriptive name of up to 31 printable ASCII characters for the policy.CriteriaUser Select a user name or user group from which the packets are sent. Incoming Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the USG itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.Source Address Select a source IP address object from which the packets are sent.Destination Address Select a destination IP address object to which the traffic is being sent. If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the USG uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide233DSCP Code Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.any means all DSCP value or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 237 for more details.User-Defined DSCP Code Use this field to specify a custom DSCP code point when you select User Define in the previous field.Schedule Select a schedule to control when the policy route is active. none means the route is active at all times if enabled.Service Select a service or service group to identify the type of traffic to which this policy route applies.Source Port Select a service or service group to identify the source port of packets to which the policy route applies.Next-HopType Select Auto to have the USG use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first.Select VPN Tunnel to route the matched packets via the specified VPN tunnel. Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm.Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface). Gateway This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your USG that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your USG's interface(s).VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the USG directly.Auto Destination Address This field displays when you select VPN Tunnel in the Type field. Select this to have the USG use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy. Leave this cleared if you want to manually specify the destination address.Trunk This field displays when you select Trunk in the Type field. Select a trunk group to have the USG send the packets via the interfaces in the group.Interface This field displays when you select Interface in the Type field. Select an interface to have the USG send traffic that matches the policy route through the specified interface.Table 91 Configuration > Network > Routing > Policy Route > Add/Edit (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide234DSCP Marking Set how the USG handles the DSCP value of the outgoing packets that match this route.Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 237 for more details.Select preserve to have the USG keep the packets’ original DSCP value. Select default to have the USG set the DSCP value of the packets to 0.User-Defined DSCP Code Use this field to specify a custom DSCP value.Address Translation Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop.Source Network Address TranslationSelect none to not use NAT for the route.Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that matches this route. To use SNAT for a virtual interface that is in the same WAN trunk as the physical interface to which the virtual interface is bound, the virtual interface and physical interface must be in different subnets.Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route.Use Create new Object if you need to configure a new address (group) to use as the source IP address(es) of the packets that match this route.Healthy Check Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down.Disable policy route automatically while Interface link downSelect this to disable the policy if the interface is down or disabled. This is available for Interface and Trunk in the Type field above.Enable Connectivity CheckSelect this to turn on the connection check. This is available for Interface and Gateway in the Type field above.Check Method: Select the method that the gateway allows. Select icmp to have the USG regularly ping the gateway you specify to make sure it is still available. Select tcp to have the USG regularly perform a TCP handshake with the gateway you specify to make sure it is still available.Check Period: Enter the number of seconds between connection check attempts (5-600 seconds).Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure (1-10 seconds).Check Fail Tolerance:Enter the number of consecutive failures before the USG stops routing using this policy (1-10).Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check (1-65535).Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 91 Configuration > Network > Routing > Policy Route > Add/Edit (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide23510.3 IP Static Route ScreenClick Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure static routes used for your IPv6 networks on this screen.Figure 154 Configuration > Network > Routing > Static RouteThe following table describes the labels in this screen. 10.3.1 Static Route Add/Edit ScreenSelect a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route.Table 92 Configuration > Network > Routing > Static RouteLABEL DESCRIPTIONIPv4 Configuration / IPv6 ConfigurationUse the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your USG to an IPv6 network. Both sections have similar fields as described below.Add Click this to create a new static route.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.#This is the number of an individual static route.Destination This is the destination IP address. Subnet Mask This is the IP subnet mask.Prefix This is the IPv6 prefix for the destination IP address.Next-Hop This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your USG's interface(s). The gateway helps forward packets to their destinations.Metric This is the route’s priority among the USG’s routes. The smaller the number, the higher priority the route has.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide236Figure 155 Configuration > Network > Routing > Static Route > Add (IPv4 Configuration) Figure 156 Configuration > Network > Routing > Static Route > Add (IPv6 Configuration) The following table describes the labels in this screen. Table 93 Configuration > Network > Routing > Static Route > AddLABEL DESCRIPTIONDestination IP This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, enter the specific IP address here and use a subnet mask of 255.255.255.255 (for IPv4) in the Subnet Mask field or a prefix of 128 (for IPv6) in the Prefix Length field to force the network number to be identical to the host ID.For IPv6, if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field, enter :: in this field and 0 in the Prefix Length field.Subnet Mask Enter the IP subnet mask here.Prefix Length Enter the number of left-most digits in the destination IP address, which indicates the network prefix. Enter :: in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field.Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your USG's interface(s). The gateway helps forward packets to their destinations.Interface Select the radio button and a predefined interface through which the traffic is sent.Metric Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide23710.4 Policy Routing Technical ReferenceHere is more detailed information about some of the features you can configure in policy routing.NAT and SNATNAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.Assured Forwarding (AF) PHB for DiffServAssured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.Maximize Bandwidth UsageThe maximize bandwidth usage option allows the USG to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth. When you enable maximize bandwidth usage, the USG first makes sure that each policy route gets up to its bandwidth allotment. Next, the USG divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the USG gives the extra bandwidth to that policy route. When multiple policy routes require more bandwidth, the USG gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The USG distributes the available bandwidth equally among policy routes with the same priority level. Table 94 Assured Forwarding (AF) Behavior GroupCLASS 1 CLASS 2 CLASS 3 CLASS 4Low Drop Precedence AF11 (10) AF21 (18) AF31 (26) AF41 (34)Medium Drop Precedence AF12 (12) AF22 (20) AF32 (28) AF42 (36)High Drop Precedence AF13 (14) AF23 (22) AF33 (30) AF43 (38)
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide23810.5 Routing Protocols Overview Routing protocols give the USG routing information about the network from other routers. The USG stores this routing information in the routing table it uses to make routing decisions. In turn, the USG can also use routing protocols to propagate routing information to other routers.Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.•Use the RIP screen (see Section 10.6 on page 238) to configure the USG to use RIP to receive and/or send routing information. •Use the OSPF screen (see Section 10.7 on page 240) to configure general OSPF settings and manage OSPF areas. •Use the OSPF Area Add/Edit screen (see Section 10.7.2 on page 244) to create or edit an OSPF area. 10.5.1 What You Need to KnowThe USG supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed further in the rest of the chapter.Finding Out MoreSee Section 10.8 on page 247 for background information on routing protocols.10.6 The RIP ScreenRIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).• In the USG, you can configure two sets of RIP settings before you can use it in an interface.•First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent. This is discussed in more detail in Authentication Types on page 247.• Second, the USG can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms.• RIP uses UDP port 520.Table 95 RIP vs. OSPFRIP OSPFNetwork Size Small (with up to 15 routers) LargeMetric Hop count Bandwidth, hop count, throughput, round trip time and reliability. Convergence Slow Fast
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide239Use the RIP screen to specify the authentication method and maintain the policies for redistribution.Click Configuration > Network > Routing > RIP to open the following screen.Figure 157 Configuration > Network > Routing > RIPThe following table describes the labels in this screen. Table 96 Configuration > Network > Routing Protocol > RIPLABEL DESCRIPTIONAuthenticationAuthentication Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication.Text uses a plain text password that is sent over the network (not very secure).MD5 uses an MD5 password and authentication ID (most secure).Text Authentication Key This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MD5 Authentication ID This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.MD5 Authentication Key This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.RedistributeActive OSPF Select this to use RIP to advertise routes that were learned through OSPF.Metric Type the cost for routes provided by OSPF. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used.Active Static Route Select this to use RIP to advertise routes that were learned through the static route configuration.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide24010.7 The OSPF ScreenOSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP.• OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.• OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.• OSPF responds to changes in the network, such as the loss of a router, more quickly.• OSPF considers several factors, including bandwidth, hop count, throughput, round trip time, and reliability, when it calculates the shortest path.• OSPF converges more quickly than RIP.Naturally, OSPF is also more complicated than RIP, so OSPF is usually more suitable for large networks.OSPF uses IP protocol 89.OSPF AreasAn OSPF Autonomous System (AS) is divided into one or more areas. Each area represents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address.There are several types of areas.• The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.• A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.• A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected. It relies on a default route to send information outside the OSPF AS.• A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS.Metric Type the cost for routes provided by the static route configuration. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used.Apply Click this button to save your changes to the USG. Reset Click this button to return the screen to its last-saved settings. Table 96 Configuration > Network > Routing Protocol > RIP (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide241Each type of area is illustrated in the following figure.Figure 158 OSPF: Types of AreasThis OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y. Area 3 is a NSSA. It has routing information about the OSPF AS and network Y but not about network X.OSPF RoutersEvery router in the same area has the same routing information. They do this by exchanging Hello messages to confirm which neighbor (layer-3) devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations.Like areas, each router has a unique 32-bit ID in the OSPF AS, and there are several types of routers. Each type is really just a different role, and it is possible for one router to play multiple roles at one time.• An internal router (IR) only exchanges routing information with other routers in the same area.• An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.• An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.• A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.Table 97 OSPF: Redistribution from Other Sources to Each Type of AreaSOURCE \ TYPE OF AREA NORMAL NSSA STUBStatic routes Yes Yes NoRIP Yes Yes Yes
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide242Each type of router is illustrated in the following example.Figure 159 OSPF: Types of RoutersIn order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used.The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to several groups, it might be a DR in one group, a BDR in another group, and neither in a third group all at the same time.Virtual LinksIn some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.Figure 160 OSPF: Virtual LinkIn this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual link becomes the connection between area 100 and the backbone.You cannot create a virtual link to a router in a different area.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide243OSPF ConfigurationFollow these steps when you configure OSPF on the USG.1Enable OSPF.2Set up the OSPF areas.3Configure the appropriate interfaces. See Section 9.3.1 on page 148.4Set up virtual links, as needed.10.7.1 Configuring the OSPF ScreenUse the first OSPF screen to specify the OSPF router the USG uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them.Click Configuration > Network > Routing > OSPF to open the following screen.Figure 161 Configuration > Network > Routing > OSPFThe following table describes the labels in this screen. See Section 10.7.2 on page 244 for more information as well. Table 98 Configuration > Network > Routing Protocol > OSPFLABEL DESCRIPTIONOSPF Router ID Select the 32-bit ID the USG uses in the OSPF AS.Default - the first available interface IP address is the USG’s ID.User Defined - enter the ID (in IP address format) in the field that appears when you select User Define.RedistributeActive RIP Select this to advertise routes that were learned from RIP. The USG advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide24410.7.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 10.7 on page 240), and click either the Add icon or an Edit icon.Type Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2.Type 1 - cost = OSPF AS cost + external cost (Metric)Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored.Metric Type the external cost for routes provided by RIP. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.Active Static Route Select this to advertise routes that were learned from static routes. The USG advertises routes learned from static routes to all types of areas.Type Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2.Type 1 - cost = OSPF AS cost + external cost (Metric)Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored.Metric Type the external cost for routes provided by static routes. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.Area This section displays information about OSPF areas in the USG.Add Click this to create a new OSPF area.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.# This field is a sequential value, and it is not associated with a specific area.Area This field displays the 32-bit ID for each area in IP address format.Type This field displays the type of area. This type is different from the Type field above.Authentication This field displays the default authentication method in the area.Apply Click this button to save your changes to the USG. Reset Click this button to return the screen to its last-saved settings. Table 98 Configuration > Network > Routing Protocol > OSPF (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide245Figure 162 Configuration > Network > Routing > OSPF > AddThe following table describes the labels in this screen. Table 99 Configuration > Network > Routing > OSPF > AddLABEL DESCRIPTIONArea ID Type the unique, 32-bit identifier for the area in IP address format.Type Select the type of OSPF area.Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS.Stub - This area is an stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS.NSSA - This area is a Not So Stubby Area (NSSA), per RFC 1587. It has routing information about the OSPF AS and networks that are outside the OSPF AS and are directly connected to the NSSA. It does not have information about other networks outside the OSPF AS.Authentication Select the default authentication method used in the area. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication.Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Text Authentication KeyThis field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MD5 Authentication IDThis field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.MD5 Authentication KeyThis field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.Virtual Link This section is displayed if the Type is Normal. Create a virtual link if you want to connect a different area (that does not have a direct connection to the backbone) to the backbone. You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone.Add Click this to create a new virtual link.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide24610.7.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 10.7.2 on page 244) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.Figure 163 Configuration > Network > Routing > OSPF > Add > AddEdit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.# This field is a sequential value, and it is not associated with a specific area.Peer Router ID This is the 32-bit ID (in IP address format) of the other ABR in the virtual link.Authentication This is the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication.Text uses a plain text password that is sent over the network (not very secure). Hover your cursor over this label to display the password.MD5 uses an MD5 password and authentication ID (most secure). Hover your cursor over this label to display the authentication ID and key.Same as Area has the virtual link also use the Authentication settings above.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 99 Configuration > Network > Routing > OSPF > Add (continued)LABEL DESCRIPTION
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide247The following table describes the labels in this screen. 10.8 Routing Protocol Technical ReferenceHere is more detailed information about RIP and OSPF.Authentication TypesAuthentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message. The receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it. If the received message is verified, then the receiving router accepts the updated routing information. The transmitting and receiving routers must have the same key. The USG supports three types of authentication for RIP and OSPF routing protocols:•None - no authentication is used.•Text – authentication using a plain text password, and the (unencrypted) password is sent over the network. This method is usually used temporarily to prevent network problems.•MD5 – authentication using an MD5 password and authentication ID.MD5 is an authentication method that produces a 128-bit checksum, called a message-digest, for each packet. It also includes an authentication ID, which can be set to any value between 1 and 255. The USG only accepts packets if these conditions are satisfied.• The packet’s authentication ID is the same as the authentication ID of the interface that received it.Table 100 Configuration > Network > Routing > OSPF > Add > AddLABEL DESCRIPTIONPeer Router ID Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.Authentication Select the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication.Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Same as Area has the virtual link also use the Authentication settings above.Text Authentication KeyThis field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.MD5 Authentication IDThis field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.MD5 Authentication KeyThis field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.
Chapter 10 RoutingUSG20(W)-VPN Series User’s Guide248• The packet’s message-digest is the same as the one the USG calculates using the MD5 password.For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the USG supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
USG20(W)-VPN Series User’s Guide249CHAPTER 11 DDNS11.1 DDNS OverviewDynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.11.1.1 What You Can Do in this Chapter•Use the DDNS screen (see Section 11.2 on page 250) to view a list of the configured DDNS domain names and their details.•Use the DDNS Add/Edit screen (see Section 11.2.1 on page 251) to add a domain name to the USG or to edit the configuration of an existing domain name.11.1.2 What You Need to KnowDNS maps a domain name to a corresponding IP address and vice versa. Similarly, Dynamic DNS (DDNS) maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current (dynamic) IP address.Note: You must have a public WAN IP address to use Dynamic DNS.You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the USG. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the USG supports the following DNS service providers. See the listed websites for details about the DNS services offered by each. Note: Record your DDNS account’s user name, password, and domain name to use to configure the USG.After you configure the USG, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.Table 101 DDNS Service ProvidersPROVIDER SERVICE TYPES SUPPORTED WEBSITEDynDNS Dynamic DNS, Static DNS, and Custom DNS www.dyndns.comDynu Basic, Premium www.dynu.comNo-IP No-IP www.no-ip.comPeanut Hull Peanut Hull www.oray.cn 3322 3322 Dynamic DNS, 3322 Static DNS www.3322.orgSelfhost Selfhost selfhost.de
Chapter 11 DDNSUSG20(W)-VPN Series User’s Guide25011.2 The DDNS ScreenThe DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.Figure 164 Configuration > Network > DDNS The following table describes the labels in this screen. Table 102 Configuration > Network > DDNSLABEL DESCRIPTIONAdd Click this to create a new entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.#This is the number of an individual DDNS profile.Status This icon is lit when the entry is active and dimmed when the entry is inactive.Profile Name This field displays the descriptive profile name for this entry.DDNS Type This field displays which DDNS service you are using.Domain Name This field displays each domain name the USG can route.Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the USG determines the IP address for the domain name.from interface - The IP address comes from the specified interface.auto detected -The DDNS server checks the source IP address of the packets from the USG for the IP address to use for the domain name.custom - The IP address is static.Backup Interface/IP This field displays the alternate interface to use for updating the IP address mapped to the domain name followed by how the USG determines the IP address for the domain name. The USG uses the backup interface and IP address when the primary interface is disabled, its link is down or its connectivity check fails.from interface - The IP address comes from the specified interface.auto detected -The DDNS server checks the source IP address of the packets from the USG for the IP address to use for the domain name.custom - The IP address is static.
Chapter 11 DDNSUSG20(W)-VPN Series User’s Guide25111.2.1 The Dynamic DNS Add/Edit ScreenThe DDNS Add/Edit screen allows you to add a domain name to the USG or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.Figure 165 Configuration > Network > DDNS > Add Apply Click this button to save your changes to the USG. Reset Click this button to return the screen to its last-saved settings. Table 102 Configuration > Network > DDNS (continued)LABEL DESCRIPTION
Chapter 11 DDNSUSG20(W)-VPN Series User’s Guide252Figure 166 Configuration > Network > DDNS > Add - Custom The following table describes the labels in this screen. Table 103 Configuration > Network > DDNS > AddLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Enable DDNS Profile Select this check box to use this DDNS entry.Profile Name When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the USG. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.This field is read-only when you are editing an entry.DDNS Type Select the type of DDNS service you are using. Select User custom to create your own DDNS service and configure the DYNDNS Server, URL, and Additional DDNS Options fields below.HTTPS Select this to encrypt traffic using SSL (port 443), including traffic with username and password, to the DDNS server. Not all DDNS providers support this option.Username Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed.For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.Password Type the password provided by the DDNS provider. You can use up to 64 alphanumeric characters and the underscore. Spaces are not allowed.Retype to Confirm Type the password again to confirm it.
Chapter 11 DDNSUSG20(W)-VPN Series User’s Guide253DDNS SettingsDomain name Type the domain name you registered. You can use up to 255 characters.Primary Binding Address Use these fields to set how the USG determines the IP address that is mapped to your domain name in the DDNS server. The USG uses the Backup Binding Address if the interface specified by these settings is not available. Interface Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface.IP Address The options available in this field vary by DDNS provider.Interface -The USG uses the IP address of the specified interface. This option appears when you select a specific interface in the Primary Binding Address Interface field.Auto - If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the USG for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the USG and the DDNS server.Note: The USG may not determine the proper IP address if there is an HTTP proxy server between the USG and the DDNS server.Custom - If you have a static IP address, you can select this to use it for the domain name. The USG still sends the static IP address to the DDNS server.Custom IP This field is only available when the IP Address is Custom. Type the IP address to use for the domain name.Backup Binding Address Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available.Interface Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.IP Address The options available in this field vary by DDNS provider.Interface -The USG uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.Auto -The DDNS server checks the source IP address of the packets from the USG for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the USG and the DDNS server.Note: The USG may not determine the proper IP address if there is an HTTP proxy server between the USG and the DDNS server.Custom - If you have a static IP address, you can select this to use it for the domain name. The USG still sends the static IP address to the DDNS server.Custom IP This field is only available when the IP Address is Custom. Type the IP address to use for the domain name.Enable Wildcard This option is only available with a DynDNS account.Enable the wildcard feature to alias subdomains to be aliased to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.Table 103 Configuration > Network > DDNS > Add (continued)LABEL DESCRIPTION
Chapter 11 DDNSUSG20(W)-VPN Series User’s Guide254Mail Exchanger This option is only available with a DynDNS account.DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes e-mail for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger.If you are using this service, type the host record of your mail server here. Otherwise leave the field blank.See www.dyndns.org for more information about mail exchangers.Backup Mail ExchangerThis option is only available with a DynDNS account.Select this check box if you are using DynDNS’s backup service for e-mail. With this service, DynDNS holds onto your e-mail if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.DYNDNS Server This field displays when you select User custom from the DDNS Type field above. Type the IP address of the server that will host the DDSN service.URL This field displays when you select User custom from the DDNS Type field above. Type the URL that can be used to access the server that will host the DDSN service.Additional DDNS OptionsThis field displays when you select User custom from the DDNS Type field above. These are the options supported at the time of writing:• dyndns_system to specify the DYNDNS Server type - for example, dyndns@dyndns.org• ip_server_name which should be the URL to get the server’s public IP address - for example, http://myip.easylife.tw/OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving.Table 103 Configuration > Network > DDNS > Add (continued)LABEL DESCRIPTION

Navigation menu