In simple use cases a device manages just two local networks: the intranet and the DMZ. In more complex environments, however, it is often desirable to operate more than one intranet and one DMZ on a single device, for example to provide Internet access to multiple IP networks by means of one central device. Depending on the model, current devices support up to 64 different IP networks.
Various scenarios are possible when realizing multiple IP networks:
- One network per interface.
- Multiple networks per interface.
- Multiple VLANs per interface; one or more networks per VLAN (which corresponds to a combination of the first two scenarios).
The realization of these scenarios is facilitated by advanced routing and forwarding (ARF), which provides very flexible options in the definition of IP networks and the assignment of these networks to the interfaces. The diagram below illustrates the network/interface assignment at various levels. The configuration options applied here are described in the following chapters.
The assignment of IP networks to interfaces proceeds as follows:
- The various models have different numbers of physical interfaces, i.e. Ethernet ports or WLAN modules. One or more logical interfaces are assigned to each physical interface:
  - For the Ethernet ports, assignment is handled by Ethernet port mapping. Note: For some but not all models, the number of logical LAN interfaces corresponds to the number of physically available Ethernet ports.
  - In the case of the WLAN modules, the establishment of point-to-point connections (P2P) and/or the use of Multi-SSID can mean that multiple WLAN interfaces are assigned to each physical WLAN module: up to 16 wireless networks and up to 16 P2P connections per module.
- These logical interfaces are further specified and grouped in the next stage:
  - For devices supporting VLAN, multiple VLANs can be defined for each logical interface simply by using VLAN IDs. Although the data traffic for the various VLANs flows via a common logical interface, the VLAN ID ensures that the different VLANs remain strictly separated. From the perspective of the device, the VLANs are completely separate interfaces, meaning that a single logical interface becomes multiple logical interfaces for the device, each of which can be addressed individually.
  - For devices with WLAN modules, the individual logical interfaces can be grouped together. This is handled by the LAN bridge, which regulates data transfer between the LAN and WLAN interfaces. The formation of bridge groups (BRG) allows multiple logical interfaces to be addressed at once, so that they appear to the device as a single interface, in effect the opposite of the VLAN method.
- In the final stage, ARF forms the connection between the logical interfaces (with VLAN tags) and the bridge groups on the one side, and the IP networks on the other. To this end, an IP network is configured with a reference to a logical interface (with VLAN ID, if applicable) or to a bridge group. Furthermore, an interface tag can be set for each IP network, with which the IP network can be separated from other networks without having to use firewall rules.
The definition of routing tags for IP networks as described above is one of the main advantages of Advanced Routing and Forwarding. This option allows "virtual routers" to be realized. By using the interface tag, a virtual router uses only a part of the routing table for an IP network, and in this way controls the routing specifically for that one IP network. This method allows, for example, several default routes to be defined in the routing table, each of which is given a routing tag. Virtual routers in the IP networks use the tags to select the default route which applies to the IP network with the appropriate interface tag. The separation of IP networks via virtual routers even permits multiple IP networks with one and the same address range to be operated in parallel on a single device.
An example: Within an office building, a number of companies have to be connected to the Internet via a central device, even though each of these companies has its own Internet provider. All of the companies want to use the popular IP network '10.0.0.0' with the netmask '255.255.255.0'. To implement these requirements, each company is given an IP network '10.0.0.0/255.255.255.0' with a unique name and a unique interface tag. In the routing table, a default route with the corresponding routing tag is created for each Internet provider. This allows the clients in the different company networks, all of which use the same IP addresses, to access the Internet via their own provider. Employing VLANs enables logical networks to be separated from one another even though they use the same physical medium (Ethernet).
The differences between routing tags and interface tags
Routing tags as assigned by the firewall and interface tags as defined by the IP networks have a great deal in common, but also some important differences:
- The router interprets both tags in the same way. Packets with the interface tag '2' are valid for routes with the routing tag set to '2' in the routing table (and all routes with the default route tag '0'). The same routes apply for packets which the firewall has assigned with the routing tag '2'. Thus the interface tag is used in the same way as a routing tag.
- Interface tags have the additional ability to delimit the visibility (or accessibility) between different networks:
  - In principle, only networks with the same interface tag are "visible" to one another and thus able to interconnect.
  - Networks with the interface tag '0' have a special significance; they are in effect supervisor networks. These networks can see all of the other networks and can connect to them. Networks with an interface tag not equal to '0', however, cannot make connections to supervisor networks.
  - Networks of the type 'DMZ' are visible to all other networks, independent of any interface tags. This is useful because the DMZ often hosts public servers such as web servers. The DMZ networks themselves can only see networks with the same interface tag (and any other DMZ networks, of course).
  - A special case involves networks of the type 'DMZ' with the interface tag '0': as "supervisor networks" they can see all other networks, and they are visible to all other networks.
Note: For cases in which IP addresses cannot be uniquely assigned by interface tag, Advanced Routing and Forwarding can be supplemented by firewall rules. In the above example, this would be the case if each of the networks were to host a public web or mail server, all using the same IP address.
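The following is an added example, not the device's own code: a small Python model of the two tag mechanisms described on this page. `lookup` selects a route for a packet using only routes whose routing tag equals the packet's interface tag or is '0' (the office-building example with three identical 10.0.0.0/24 networks and one default route per provider), and `can_reach` encodes the visibility rules between intranet, DMZ and supervisor networks. The network names, gateway addresses and the tie-break between an equally long tag-0 route and a tagged route are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class IPNet:
    name: str
    tag: int    # interface tag; 0 marks a supervisor network
    kind: str   # "intranet" or "dmz"

@dataclass(frozen=True)
class Route:
    prefix: str
    gateway: str
    tag: int    # routing tag; 0 = valid for packets of every tag

def can_reach(src: IPNet, dst: IPNet) -> bool:
    """Visibility rules from the text (constructed model, not device code)."""
    if src.tag == 0:           # supervisor network sees every other network
        return True
    if dst.kind == "dmz":      # DMZ networks are visible regardless of tags
        return True
    return src.tag == dst.tag  # also blocks tagged net -> tag-0 intranet

def lookup(routes, dst_ip: str, pkt_tag: int):
    """Longest-prefix match over routes tagged pkt_tag or 0. Assumption: on
    equal length a route with the packet's own tag beats a tag-0 route."""
    addr, best = ip_address(dst_ip), None
    for r in routes:
        net = ip_network(r.prefix)
        if r.tag not in (pkt_tag, 0) or addr not in net:
            continue
        if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
            best = r
        elif (net.prefixlen == ip_network(best.prefix).prefixlen
              and best.tag == 0 and r.tag == pkt_tag):
            best = r
    return best

# Constructed office-building setup: three companies on the same 10.0.0.0/24,
# kept apart by interface tags, each with a default route to its own provider.
COMPANIES = {t: IPNet(f"company{t}", t, "intranet") for t in (1, 2, 3)}
DMZ = IPNet("dmz", 0, "dmz")
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", 1),       # provider of company1
    Route("0.0.0.0/0", "198.51.100.1", 2),      # provider of company2
    Route("0.0.0.0/0", "192.0.2.1", 3),         # provider of company3
    Route("172.16.0.0/12", "192.168.1.1", 0),   # shared route, any tag
]
```

A packet from company2 to an Internet address leaves via 198.51.100.1, while a packet from a tag that has no default route of its own is dropped rather than falling through to another company's provider.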