Bridging is a packet forwarding technique primarily used in Ethernet networks. Unlike routing, bridging makes no assumptions about where in a network a particular address is located. Instead, it depends on broadcasting to locate unknown devices.
Through bridging, several Ethernet networks or segments can be connected to each other. The data packets are forwarded through bridging tables, which assign the MAC addresses to a bridge port. The resulting bridge will transparently pass traffic across the bridge interfaces.
Note – Such traffic must explicitly be allowed by means of appropriate firewall rules. Most virtual hosts do not permit MAC address changes or promiscuous mode by default on their virtual interfaces. For bridging to work on virtual hosts, make sure that on the virtual host MAC address validation is disabled and promiscuous mode is allowed.
Note – If you had an configured bridge in Sophos UTM on AWS version 9.2 under the Interfaces & Routing > Bridging > Status tab, this configuration will be displayed and marked with a note of the former version under the interface overview.
To configure a Ethernet Bridge, proceed as follows:
On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Ethernet Bridge from the drop-down list.
Note – If you edit an existing interface you can change the type and convert the interface into an Ethernet Bridge. After the conversion a note will be displayed under the changed interface in the interface overview. An converted Ethernet Bridge can also be converted back to an Ethernet interface.
Bridge selected NICs: You can select individual NICs that should form the bridge. This requires that there are unused network interface cards available. Select one or more of them to form the bridge. It is also possible to specify a Convert Interface that will be copied to the new bridge.
Dynamic IP Activate if you want to use a dynamic IP address.
IPv4 Address: Enter the IP address of the interface.
Note – IP address 0.0.0.0 is possible in Ethernet Bridge. In this case you have an bridge without address.
Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.
IPv4/IPv6 default GW (optional): Select this option if you want to use a statically defined default gateway.
Default GW IP (optional): Enter the IP address of the default gateway.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface).By default, an MTU of 1500 bytes is set for the Ethernet interface type.
Default route metric: Enter the default route metric for the interface. The metric value is used to distinguish and prioritize routes to the same destination and is valid for all interfaces.
Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off).This option is available on broadcast-type interfaces. When you switch it on, Sophos UTM on AWS will "attract" traffic on that interface for hosts "behind" it and pass it on. It will do that for all hosts that it has a direct interface route for. This allows you to build "transparent" network bridging while still doing firewalling. Another use for this feature is when your ISP's router just puts your "official" network on its Ethernet interface (does not use a host route).
Optionally, make the following advanced bridge settings:
Allow ARP broadcasts: Turn on to allow global ARP broadcasts to be forwarded by the bridge. If enabled, the bridge forwards broadcasts destined to the Target MAC address FF:FF:FF:FF:FF:FF of the ARP packet. This, however, could be used by an alleged attacker to gather various information about the network cards employed within the respective network segment or even the security product itself. Therefore, the default setting is not to let such broadcasts pass the bridge.
Caution – Be aware that the Spanning Tree Protocol is known to provide no security, therefore attackers may be able to alter the bridge topology.
Virtual MAC address: Here you can enter a static MAC address for the bridge. By default (and as long as the entry is 00:00:00:00:00:00), the bridge uses the lowest MAC address of all member interfaces.
Forwarded EtherTypes: By default, a bridge configured on Sophos UTM on AWS only forwards IP packets. If you want additional protocols to be forwarded, you have to add their EtherType to this box. The types have to be entered as four-digit hexadecimal numbers. Popular examples are AppleTalk (type 809B), Novell (type 8138), or PPPoE (types 8863 and 8864). A typical use case would be a bridge between your RED interfaces which should forward additional protocols between the connected networks.
The system will now check the settings for validity. After a successful check the new interface will appear in the interface list. The interface is not yet enabled (toggle switch is gray).
Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to have displayed from the drop-down list. To either edit or delete an interface, click the corresponding buttons.