===
LAN
===

The LAN interface provides your connection to the private network. To access the LAN, you will need a properly configured LAN interface and an Internet connection.

.. image:: ./wan/image1.png
   :scale: 100%

**Interface Configuration**

Once an interface has been assigned under Interfaces (assign), it is allocated a default name such as OPT1, OPT2, etc. The first two interfaces are named WAN and LAN for historical reasons, but you may now rename them at will. These OPTx names appear under the Interfaces menu, such as Interfaces OPT1. Selecting the menu option for the interface will take you to that interface’s configuration page.

If you have never used this interface before, you’ll be greeted by a page containing only a single option, Enable Interface. By checking Enable Interface, the remainder of the options will appear.

After you select a particular interface and click it, a new tab opens with its options.

.. image:: ./wan/image4.png
   :scale: 100%

**Enable**

**Click in the box** to enable the interface.

**Description**

The interface can be renamed by entering a new name into the Description box. This will change the name of the interface on the Interfaces menu, on the tabs under Firewall Rules, under Services DHCP, and elsewhere throughout the GUI. Interface names may only contain letters and numbers, and the only special character allowed is an underscore (“_”). A descriptive name makes it much easier to remember what an interface is for, and to identify an interface when adding firewall rules or choosing other per-interface functionality.

**IPv4 configuration type**

Many options are available; select the particular choice for your WAN configuration:

- None
- Static IPv4
- DHCP
- PPP
- PPPoE
- PPTP
- L2TP

**IPv6 configuration type**

Detailed information on each option is given below.

- None
- Static IPv6
- DHCP6
- SLAAC
- 6rd Tunnel
- 6to4 Tunnel
- Track Interface

.. image:: ./wan/image2.1.png
   :scale: 100%

**MAC address**

You may change the MAC address of an interface should you need to spoof the MAC address of a previous piece of equipment. Generally this should be avoided, as the old MAC would generally be cleared out by resetting the equipment to which this firewall connects, by clearing the ARP table, or by waiting for the old ARP entries to expire.

In some cases it can be desirable to “clone” or “spoof” the MAC address of a previous piece of equipment. This can allow for a smooth transition from an old router to a new router, so that ARP caches on devices and upstream routers are not a concern. It can also be used to fool a piece of equipment into believing that it’s talking to the same device that it was talking to before, as in cases where a certain network router is using static ARP or otherwise filters based on MAC address. This is common on cable modems, where you may need to register the MAC with the ISP if and when it changes.

One downside to spoofing the MAC is that, unless the old piece of equipment is permanently retired, you run the risk of later having a MAC address conflict on your network, which can lead to connectivity problems. Also, ARP cache problems tend to be very temporary, resolving automatically within minutes or by power cycling other equipment. Should the old MAC address need to be restored, this box must be cleared out and then the firewall must be rebooted.

**MTU (Maximum Transmission Unit)**

The Maximum Transmission Unit (MTU) size field can typically be left blank, but can be changed if desired. Some situations may call for a lower MTU to ensure packets are sized appropriately for your Internet connection. In most cases, the default assumed values for the WAN connection type will work properly. It can be increased for those using jumbo frames on their network.


**MSS (Maximum Segment Size)**

Similar to the MTU field, the MSS field will “clamp” the Maximum Segment Size (MSS) of TCP connections to the specified size in order to work around issues with Path MTU Discovery.

**Speed and Duplex**

The default value for link speed and duplex is to let the operating system decide what is best. That option typically defaults to Autoselect, which negotiates the best possible speed and duplex settings with the peer, typically a switch.

.. image:: ./wan/image5.png
   :scale: 100%

**Block Private Networks**

If you select Block private networks, DefenseBolt will automatically insert a rule that prevents any RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback (127.0.0.0/8) from communicating on that interface. This option is usually only desirable on WAN type interfaces, to prevent the possibility of privately numbered traffic coming in over a public interface.

**Block bogon networks**

If the Block bogon networks option is checked, DefenseBolt will periodically download and block traffic from a list of unallocated and reserved networks. Now that the IPv4 space has all been assigned, this list is quite small, containing mostly networks that have been reserved in some way by IANA. These networks should never be in active use on a network, especially one facing the Internet, so it’s a good thing to use on WAN type interfaces.

For IPv6, the list is still quite large, containing large chunks of the possible IPv6 space that has yet to be allocated. On systems with low amounts of RAM, this list may be too large, or the default value of Firewall Maximum Table Entries may be too small. That value may be adjusted under System Advanced on the Firewall/NAT tab.

**IPv4 LAN Types**

Once an interface has been assigned, in most cases you will want to configure an IP address. For IPv4 connections, you can choose from: Static, DHCP, PPP, PPPoE, PPTP, and L2TP. These options are selected using the IPv4 Configuration Type selector.


**None**

Setting the IPv4 Configuration Type to None will disable IPv4 on the interface. This is useful if the interface has no IPv4, or if the IP address on the interface is being managed in some other way, such as for an OpenVPN interface.

**Static IPv4**

Selecting Static IPv4 will allow you to manually set the IP address for the interface to use. Using this option enables three additional fields on the interface configuration screen: IPv4 address, a CIDR subnet mask selector, and a Gateway field.

Enter the IPv4 address for the interface into the IPv4 address box, and choose the subnet mask from the CIDR drop-down after the address box.

If this is a WAN type interface, you should select a Gateway or add one if one does not already exist. To pick one that already exists, click and select it from the drop-down list. If you click add a new one, a form will appear to add the gateway. If the form field does not appear, try a different web browser. Historically, Internet Explorer has had issues with some of our JavaScript and AJAX driven forms, this one especially, but it should work fine with current IE versions in 2.1 and newer.

To add a gateway, after clicking add a new one, fill in the details requested on the new form. If this is the only WAN or will be a new default WAN, check Default gateway. The Gateway Name is used to refer to the gateway internally, as well as in places like Gateway Groups, the Quality Graphs, and elsewhere. The Gateway IPv4 field is where you enter the actual gateway IP address. This address must be inside of the same subnet as the Static IPv4 address. The Description box allows you to enter a bit of text to indicate the purpose of the gateway. When finished, click **Save Gateway**.

.. Note::
   Selecting a Gateway from the drop-down list, or adding a new gateway and selecting it, will make DefenseBolt treat that interface as a WAN type interface for NAT and related functions. This is not desirable for internal-facing interfaces, such as LAN or a DMZ. You may still use gateways on those interfaces for the purpose of static routes without selecting a Gateway here on the interfaces screen.

The default IPv4 and IPv6 gateways work independently of one another. The two need not be on the same circuit. Changing the default IPv4 gateway has no effect on the IPv6 gateway, and vice versa.

**DHCP**

Choosing DHCP from the list will cause pfSense to attempt automatic IPv4 configuration of this interface via DHCP. This option also activates three additional fields on the page: Hostname, Alias IPv4 address, and a CIDR drop-down for Alias IPv4 address. Under most circumstances these additional fields may simply be left blank.

Some ISPs require the Hostname for client identification. The value in the Hostname field is sent as the DHCP client identifier and hostname when requesting a DHCP lease.

The value entered in the Alias IPv4 address field is used as a fixed alias IPv4 address by the DHCP client. This can be useful for accessing a piece of gear on a separate, statically numbered network outside of the DHCP scope. One example would be for reaching a cable modem’s management IP address. With a static IPv4 address you could simply add an IP alias type VIP, but since that is not available on DHCP, this option allows one to be configured.

The Reject Leases From box allows you to put in an IPv4 address for a DHCP server that should be ignored. For example, if you have a cable modem that hands out private IPs when the cable sync has been lost, you can enter the modem’s private IP here, e.g. 192.168.100.1, and your firewall will never pick up the private IP and attempt to use it.

**PPP Types**

The various PPP-based connection types such as PPP, PPPoE, PPTP, and L2TP were all covered in detail earlier in this chapter (PPPs). When you select them here on the interfaces screen you can set or change their basic options as described.
To access the advanced options, follow the link on this page or navigate to Interfaces (assign) on the PPPs tab, find the entry, and edit it there.

**IPv6 WAN Types**

Similar to IPv4, the IPv6 Configuration Type controls if and how an IPv6 address is assigned to an interface. There are several different ways to configure IPv6; the exact method you will need to use depends on the network to which you are connected and how the ISP has deployed IPv6 on that network. For more information on IPv6, including a basic introduction, see IPv6.

**None**

Setting the IPv6 Configuration Type to None will disable IPv6 on the interface. This is useful if the interface has no IPv4, or if the IP address on the interface is being managed in some other way, such as for an OpenVPN interface.

**Static IPv6**

Selecting Static IPv6 will allow you to manually set the IPv6 address for the interface to use. Using this option enables three additional fields on the interface configuration screen: IPv6 address, a Prefix Length selector, and a Gateway field.

Enter the IPv6 address for the interface into the IPv6 address box, and choose the prefix length from the drop-down list after the address box.

If this is a WAN type interface, you should select a Gateway or add one if one does not already exist. To pick one that already exists, click and select it from the drop-down list. If you click add a new one, a form will appear to add the gateway. If the form field does not appear, try a different web browser. Historically, Internet Explorer has had issues with some of our JavaScript and AJAX driven forms, this one especially, but it should work fine with current IE versions in 2.1 and newer.

To add a gateway, after clicking add a new one, fill in the details requested on the new form. If this is the only IPv6 WAN or will be a new default IPv6 WAN, check Default v6 gateway. The Gateway Name IPv6 is used to refer to the gateway internally, as well as in places like Gateway Groups, the Quality Graphs, and elsewhere. The Gateway IPv6 field is where you enter the actual gateway IP address. This address must be inside of the same subnet as the Static IPv6 address. The Description box allows you to enter a bit of text to indicate the purpose of the gateway. When finished, click Save Gateway.

.. Note::
   Selecting a Gateway from the drop-down list, or adding a new gateway and selecting it, will make DefenseBolt treat that interface as a WAN type interface. This is not desirable for internal-facing interfaces, such as LAN or a DMZ. You may still use gateways on those interfaces for the purpose of static routes without selecting a Gateway here on the interfaces screen.

The default IPv6 and IPv4 gateways work independently of one another. The two need not be on the same circuit. Changing the default IPv6 gateway has no effect on the IPv4 gateway, and vice versa.

**DHCP6**

Choosing DHCP6 from the list will cause DefenseBolt to attempt automatic IPv6 configuration of this interface via DHCPv6. DHCPv6 will configure the interface with an IP address, prefix length, DNS servers, etc., but not a gateway. The gateway is still obtained via router advertisements, so this interface will be set to accept router advertisements. This is a design choice as part of the IPv6 specification, not a limitation of DefenseBolt. For more information on router advertisements, see Router Advertisements.

When DHCPv6 is active, another field is also available: DHCPv6 Prefix Delegation size. If your ISP is providing you with a routed IPv6 network via prefix delegation, they will tell you the delegation size, which can be selected here. It is typically a value somewhere between 48 and 64. For more information on how DHCPv6 prefix delegation works, see DHCP6 Prefix Delegation.
To use this delegation, you should set another internal interface’s IPv6 Configuration Type to be Track Interface (Track Interface) so that it can use the addresses delegated by the upstream DHCPv6 server.

**SLAAC**

Choosing Stateless address autoconfiguration, or SLAAC, as the IPv6 type will make DefenseBolt attempt to configure the IPv6 address for the interface from router advertisements (RA) that advertise the prefix and related information. Note that DNS is not typically provided via RA, so DefenseBolt will still attempt to get the DNS servers via DHCPv6 when using SLAAC. In the future, the RDNSS extensions to the RA process may allow DNS servers to be obtained from RA. For more information on router advertisements, see Router Advertisements.

**6RD Tunnel**

6RD is an IPv6 tunneling technology employed by some ISPs to quickly enable IPv6 support for their networks, passing IPv6 traffic inside specially crafted IPv4 packets between the user’s router and the ISP’s relay. It is related to 6to4 but is intended to be used within the ISP’s network, using the ISP’s IPv6 addresses for client traffic. To use 6RD, your ISP should have supplied you with three pieces of information: the 6RD prefix, the 6RD Border Relay, and the 6RD IPv4 Prefix length.

In the 6RD prefix box, enter the 6RD IPv6 prefix assigned by your ISP, such as 2001:db8::/32.

The 6RD Border Relay is the IPv4 address of your ISP’s 6RD relay.

The 6RD IPv4 Prefix length controls how much of the end user’s IPv4 address is encoded inside of the 6RD prefix. This is normally supplied by the ISP. A value of 0 means the entire IPv4 address will be embedded inside the 6RD prefix. This value allows ISPs to effectively route more IPv6 addresses to customers by removing redundant IPv4 information if an ISP’s allocation is all within the same larger subnet.

**6to4 Tunnel**

Similar to 6RD, 6to4 is another method of tunneling IPv6 traffic inside IPv4. Unlike 6RD, however, 6to4 uses constant prefixes and relays. As such, there are no user-adjustable settings for using the 6to4 option. The 6to4 prefix is always 2002::/16. Any address inside of 2002::/16 is considered a 6to4 address rather than a native IPv6 address. Also unlike 6RD, a 6to4 tunnel can be terminated anywhere on the Internet, not just at the user’s ISP, so the quality of the connection between the user and the 6to4 relay can vary widely.

6to4 tunnels are always terminated at the IPv4 address of 192.88.99.1. This IPv4 address is anycasted, meaning that although the IPv4 address is the same everywhere, it can be routed regionally toward a node close to the user.

Another deficiency of 6to4 is that it relies upon other routers to relay traffic between the 6to4 network and the remainder of the IPv6 network. There is a possibility that some IPv6 peers may not have connectivity to the 6to4 network, and thus these would be unreachable by clients connecting to 6to4 relays, and this could also vary depending upon the 6to4 node to which the user is actually connected.

**Track Interface**

The Track Interface choice works in concert with another IPv6 interface using DHCPv6 Prefix Delegation. When a delegation is received from the ISP, this option designates which interface will be assigned the IPv6 addresses delegated by the ISP.

After selecting Track Interface, the IPv6 Interface option appears, which lists all interfaces on the system currently set for dynamic IPv6 WAN types offering prefix delegation (DHCPv6, PPPoE, 6rd, etc.). Select the interface from the list which will be receiving the delegated subnet information from the ISP.

If the ISP has delegated more than one prefix via DHCPv6, the IPv6 Prefix ID controls which of the delegated subnets will be used on this interface. This value is specified in hexadecimal. If you are unsure what to put here, leave it blank or contact your ISP. For more information on how prefix delegation works, see DHCP6 Prefix Delegation.

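
The address arithmetic behind the 6RD, 6to4 and Track Interface settings above, as an added example that is not DefenseBolt code. The function names are hypothetical, the 6RD bit layout follows RFC 5969, and treating the IPv6 Prefix ID as an index of /64 subnets inside the delegated prefix (blank meaning 0) is an assumption.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_prefix_len=0):
    """Derive the IPv6 prefix a 6RD client gets from its WAN IPv4 address.

    The (32 - ipv4_prefix_len) low-order bits of the IPv4 address are placed
    directly after the ISP's 6RD prefix; a length of 0 embeds the whole address.
    """
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("6RD IPv4 prefix length must be between 0 and 32")
    isp = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_prefix_len
    new_len = isp.prefixlen + embedded_bits
    if new_len > 64:
        raise ValueError("derived prefix would be longer than /64")
    v4_bits = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << embedded_bits) - 1)
    base = int(isp.network_address) | (v4_bits << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def tracked_subnet(delegated_prefix, prefix_id_hex=""):
    """Pick the /64 selected by a hexadecimal Prefix ID (assumed: blank is 0)."""
    delegated = ipaddress.IPv6Network(delegated_prefix)
    if delegated.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    prefix_id = int(prefix_id_hex, 16) if prefix_id_hex else 0
    if prefix_id >= 1 << (64 - delegated.prefixlen):
        raise ValueError("prefix ID does not fit inside the delegated prefix")
    base = int(delegated.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


if __name__ == "__main__":
    # Constructed inputs: documentation prefixes and sample addresses only.
    # 6RD with the whole IPv4 address embedded (prefix length 0).
    print(sixrd_delegated_prefix("2001:db8::/32", "192.0.2.1", 0))
    # 6RD where the ISP's customers all share 10.0.0.0/8, so 8 bits are dropped.
    delegated = sixrd_delegated_prefix("2001:db8::/32", "10.1.2.3", 8)
    print(delegated)
    # 6to4 uses the same layout with the fixed 2002::/16 prefix.
    print(sixrd_delegated_prefix("2002::/16", "192.0.2.1"))
    # Track Interface: Prefix ID "a" selects one /64 out of the /56 above.
    print(tracked_subnet(str(delegated), "a"))
```

Dropping redundant IPv4 bits shortens the derived prefix (here /56 instead of /64), which is what leaves room for several tracked /64 subnets behind the firewall.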

Many different types of network interfaces can be used with pfSense, either using physical interfaces directly or by layering other protocols on top such as PPP or VLANs. In DefenseBolt 1.2.3 this was primarily limited to using the interfaces themselves, VLANs, or PPPoE/PPTP. In DefenseBolt, many new interface types are supported. Most of these were supported in DefenseBolt, with the IPv6 types being the major addition for DefenseBolt. Interface assignments and the creation of new virtual interfaces are all handled under Interfaces (assign).
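
A settings review built from the Block Private Networks, Block bogon networks and Static IPv4 gateway passages above, as an added example that is not DefenseBolt's own code. The dictionary schema, its keys and the finding names are hypothetical, and the sample interfaces are constructed.

```python
import ipaddress

# Networks the page lists for "Block private networks": RFC 1918 plus loopback.
BLOCKED_PRIVATE = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def audit_interface(cfg):
    """Return findings for one interface; cfg uses a hypothetical dict schema."""
    findings = []
    iface = ipaddress.ip_interface(cfg["ipv4"])  # static address with CIDR mask
    gateway = cfg.get("gateway")                 # None: no gateway selected

    if gateway is not None:
        # The gateway address must be inside the interface's own subnet.
        if ipaddress.ip_address(gateway) not in iface.network:
            findings.append("gateway-outside-subnet")
        # Selecting a gateway makes the interface WAN type for NAT.
        if cfg["internal"]:
            findings.append("gateway-on-internal-interface")
        elif not cfg["block_bogons"]:
            # Advisory: the page recommends bogon blocking on WAN type interfaces.
            findings.append("wan-without-bogon-block")

    # The rule stops the listed networks from communicating on the interface,
    # so enabling it where the interface's own subnet is one of them cuts it off.
    if cfg["block_private"] and any(iface.network.overlaps(n) for n in BLOCKED_PRIVATE):
        findings.append("block-private-on-private-subnet")
    return findings


def audit_all(interfaces):
    """Audit every interface and return {name: [findings]}."""
    return {name: audit_interface(cfg) for name, cfg in interfaces.items()}


# Constructed sample settings (documentation and RFC 1918 addresses only).
SAMPLE = {
    "WAN": {"ipv4": "203.0.113.10/29", "gateway": "203.0.113.9",
            "internal": False, "block_private": True, "block_bogons": True},
    "WAN2": {"ipv4": "198.51.100.2/30", "gateway": "198.51.100.5",
             "internal": False, "block_private": True, "block_bogons": False},
    "LAN": {"ipv4": "192.168.1.1/24", "gateway": "192.168.1.254",
            "internal": True, "block_private": True, "block_bogons": False},
    "DMZ": {"ipv4": "172.31.0.1/24", "gateway": None,
            "internal": True, "block_private": False, "block_bogons": False},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```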