Chapter 3. Network

NG-UTM is not a traditional UTM or firewall; it is designed as a UTM built on top of a router.
Strictly speaking, it has no fixed LAN, DMZ and WAN roles like a conventional firewall. Instead, it uses ZONE-to-ZONE control.
One or more physical network interfaces, or even virtual network interfaces, are combined into a ZONE, and firewall filtering conditions are applied to every packet that enters or leaves a ZONE.
This chapter explains in detail how to combine one or more physical network interfaces, or virtual interfaces created by the IP Tunnel protocol, into ZONEs.
It also explains how to add WAN interface types such as PPPoE, and covers the router's routing configuration and the VLANs associated with it.

3-1. Zone Setting

By default, NG-UTM labels Eth0 as ZONE 0. The combination of ZONE 0 and Eth0 cannot be deleted by administrators, but other physical ports can be added to ZONE 0.
The default IPv4 address for Eth0 is 192.168.1.1.
When a ZONE contains more than one physical port, the ports within that ZONE are automatically bridged at Layer 2.
The ZONE then behaves like a switch: no configuration is required, and traffic between any ports within the ZONE passes freely. Note that such traffic is switched, not filtered; firewall conditions apply only when a packet enters or leaves a ZONE.

3-1-1. Zone Configuration

The zone status diagram lists which ZONE each physical port currently belongs to, distinguished by colour and number. Ports in the same ZONE share the same colour.
If a port is not assigned to any ZONE, administrators can press the add button (image497) to create a new ZONE or add the port to an existing ZONE.
To move a physical port X from ZONE 1 to ZONE 2, first remove port X from ZONE 1 so that it belongs to no ZONE, then add port X to ZONE 2.
Creating a new zone
If there are physical ports not yet assigned to any zone, administrators can press image497 to begin adding a new zone.
Adding a New Zone

Figure 3-1. Adding a New Zone

【Interface】: The base type of the ZONE: LAN, WAN, Bridge or HA.
【Interface Name】: Select the numeric code for the new ZONE. The system names the ZONE with the prefix "ZONE" followed by the number, for example ZONE 0, ZONE 1, and so on.
Since each physical port can form a separate ZONE, the highest available number equals the number of physical ports on the device. The number can be chosen freely; it does not have to follow any particular order.
【Name】: Add a memorable name for the ZONE, such as Accounting, Engineering, etc.
【Color】: Select the color for the ZONE.
【Port】: Select the physical port(s) for the ZONE. Any port not marked with a number can be selected, and multiple ports can be combined to form a ZONE.
After adding, it will return to the zone list, where NG-UTM will display each zone, its name, color, and the physical ports it possesses.
Click image59 to enter modification mode, or image60 to delete the ZONE directly (only ZONE 0 has no delete button).
Zone List

Figure 3-1. Zone List

Each ZONE listed will appear in the menu of “Network > 3-2. Interface “, allowing administrators to configure network settings for that specific ZONE.

3-1-2. Zone Setting

The port speed of each ZONE in NG-UTM can be specified, and there are two ways to set it:
1. From Network Settings > Zone Settings > Link Configuration, administrators can set the port speed from the menu.
2. From the "Port Information" section on the homepage: clicking the desired physical port lets administrators adjust its speed.
Zone Settings

Figure 3-1. Zone Settings

【Interface】: Indicate which ZONE this port belongs to.
【Port】: Specify the physical port’s position.
【Link Status】: Indicate the current connection status of this port. It will display “Disconnected” if no device is connected and “Connected” for a normal connection.
【MAC Address】: Display the MAC address of the physical port.
【Speed and Duplex Mode】: Shows the current speed and duplex of the port and keeps a record of past link states.
Administrators can set the speed manually, choosing 10Mbps, 100Mbps or 1000Mbps and full or half duplex.

note

When administrators create a WAN interface, there are two ways to attach WAN links:
1. Use one ZONE (physical port) per WAN link, which allows bandwidth to be configured and managed for each WAN link individually.
2. Use one ZONE (physical port) connected to a switch that carries multiple WAN links.
The difference lies in the granularity of bandwidth management.
The former allows bandwidth to be configured and managed per WAN link under the ZONE, whereas the latter only allows bandwidth management for the interface as a whole and cannot manage the bandwidth of individual WAN links under the ZONE.

3-2. Interface

After completing “Network Settings > Zone Settings,” all created interfaces will appear in the tab list here. Administrators can then proceed to configure network IP addresses, connection speeds, and other network information for each interface.
Tab Area List in Network Interfaces

Figure 3-2. Tab Area List in Network Interfaces

As mentioned above, NG-UTM reserves ZONE 0 as the default ZONE, so the first tab is the LAN, which belongs to ZONE 0.
Additional interfaces are arranged in the order of their physical ports. Clicking a tab opens the network settings for that interface.
NG-UTM supports SDN controllers. Apart from the default ZONE 0, any newly added ZONE can be handed to an SDN controller.
Once a ZONE is managed by an SDN controller, NG-UTM does not inspect packets that stay within the physical ports of that ZONE.
When packets from an SDN-managed ZONE need to reach other ZONEs, however, NG-UTM inspects them and applies its firewall functions.

3-2-1. Network Interface Settings

Network Interface Settings

Figure 3-3. Network Interface Settings

【Interface Name】: Indicate which zone this interface belongs to (as defined in “Network Settings > 3-1. Zone Setting “)
【MAC Address】: The unique MAC address of this interface. MAC addresses must not be duplicated within devices managed by the same NG-UTM.
【Activation】: The LAN interface is enabled by default and cannot be disabled. Other newly added interfaces can be disabled, set to STATIC or set to DHCP.
·STATIC: The interface's IP address is configured under 3-2-7. interface addresses, or PPPoE dial-up. If PPPoE dial-up is used, set the interface to STATIC first, then configure PPPoE dial-up.
·DHCP: The interface's IP address is assigned by a DHCP server.
【MTU】: Maximum Transmission Unit (MTU) in bytes. Default is 1500, with a configurable range of 1400 to 1500 bytes.

【Defined as external】: This option appears only on specific models (NU-8700C/F/T, NU-8800T). It defines this zone as an external network, which affects how the Source Interface is presented in Incoming and Outgoing policies.

3-2-2. Managing Packet Transmission Between Ports within Control Areas

The following fields appear when the multi-port mode is set to Bridge:
【IP Address Translation】: Whether hosts in this Bridge reach the Internet through another network interface.
【Source Interface】: Which physical interfaces within the Bridge reach the Internet through other interfaces.
【Source Network】: The network segments contained in packets arriving from the source interface.
【ARP Reply】: Whether to send ARP replies when the outbound line is detected as disconnected.
【Designated Gateway】: Lines configured under 3-3-2. Designated Gateway become selectable here.

3-2-3. SDN Control Setting

The following fields appear when the multi-port mode is set to Switch:
In Switch mode, NG-UTM lets certain physical ports be grouped into a ZONE and hands control of the packets within that ZONE to an SDN controller.
Every physical port except Eth0 of ZONE 0 can be handed over in this way; handing over all of them effectively turns NG-UTM into an SDN switch.
When enabling the SDN controller for a ZONE, do not bind any IP address to it under 3-2-7. interface addresses, or PPPoE dial-up; otherwise activation fails.
SDN Controller Configuration

Figure 3-4. SDN Controller Configuration

【Simple Mode/Advanced Mode】: There are two different operational modes to switch between. In Simple Mode, operation is straightforward after configuring the IP address and port number of the controller.
Advanced Mode allows further differentiation between Out-of-Band/In-band packet handling, assigning them to different SDN controllers. Additionally, multiple SDN controllers can be specified.
【Enable】: Activation cannot proceed if an IP address is bound to the interface. Clicking enable indicates that all physical ports under this ZONE will be managed by the specified SDN controller.
【SDN Controller Mode】: In Advanced Mode, specify which SDN controller handles Out-of-Band or In-band for the ZONE. Different SDN controllers can be assigned.
【SDN Controller】: Configuration instructions for both modes are as follows:
· Simple Mode: Set the IP address and port number of the SDN controller.
· Advanced Mode: Set the IP address and TCP port number of the SDN controller. Clicking on image65 allows adding a second entry for another SDN controller.

3-2-4. Network Bonding

The following applies when the multi-port mode is set to Switch:
NG-UTM can bond two or more NICs into a single network interface, which increases the bandwidth of that interface and provides fault tolerance. This technique is called Network Bonding, also known as Link Aggregation or Trunking.
Seven modes are currently supported. Some modes only work when the connected switch supports them and is configured with the same mode.

Mode 0, balance-rr: Round-robin policy. Packets are transmitted sequentially starting from the first NIC, so the connection survives the failure of any one NIC. Requires the switch to group the ports.
Mode 1, active-backup: Only one NIC is active at a time; the NICs are divided into primary and backup. When the primary loses link, the backup NIC takes over. No switch support required.
Mode 2, balance-xor: The transmitting NIC is chosen by an XOR of the source and destination addresses, which provides load balancing and fault tolerance. Like balance-rr, the switch ports normally need to be grouped.
Mode 3, broadcast: Every packet is transmitted on all NICs, so the link keeps working if any one of them fails. Like balance-rr, the switch ports normally need to be grouped.
Mode 4, 802.3ad (LACP): The IEEE standard aggregation protocol. The switch must support 802.3ad/LACP and be configured for it on the same ports.
Mode 5, balance-tlb: Adaptive transmit load balancing. Outgoing traffic is distributed across the NICs according to their current load; incoming traffic is received by the currently designated NIC. No switch support required.
Mode 6, balance-alb: Adaptive load balancing for both outgoing and incoming traffic, with fault tolerance. No switch support required.

3-2-5. Visit Control

Visit Control

Figure 3-3 Visit Control

【Enable Visit】: Specify which management services the IP addresses on this interface answer to.
·SNMP: Whether the interface accepts SNMP queries. When enabled, the interface responds to SNMP requests from remote SNMP managers.
·Ping: Whether the IP addresses configured on this interface respond to ICMP echo requests. When enabled, every address configured on the interface answers ICMP.
·HTTPS: Whether the interface accepts access to the management interface over HTTPS. When enabled, all IP addresses configured on the interface serve HTTPS management. As a precaution, leave HTTPS and SNMP disabled on WAN-facing ZONEs unless remote management is explicitly required.

3-2-6. Firewall Protection

Firewall Protection Setting

Figure 3-3. Firewall Protection Setting

【Firewall Protection Items】: Specify whether this interface is protected by the firewall. Protection against SYN attacks, ICMP attacks, UDP attacks and port scans is applied to the IP addresses configured on this interface.
Administrators can enable one, several or all of these protections. Clicking "Log" shows past attack and defence records.
The thresholds for SYN attack, ICMP attack and UDP attack protection are configured under "Object > 5-8. Firewall Protection".
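To make concrete what the four protection items look for, the following added Python example (not NG-UTM's own code) implements a sliding-window detector for SYN floods, ICMP/UDP floods and port scans that examines only packets addressed to the interface's own IP addresses, as the text above describes. The thresholds, the window length and the packet-record format are assumptions for the example; NG-UTM's real thresholds are set under Object > 5-8. The traffic fed to demo() is constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds (events per source within the window); NG-UTM's actual
# values are configured under "Object > 5-8. Firewall Protection".
DEFAULT_THRESHOLDS = {"syn": 100, "icmp": 200, "udp": 300, "ports": 20}
DEFAULT_WINDOW = 10.0  # seconds

LABELS = {"syn": "SYN attack", "icmp": "ICMP attack", "udp": "UDP attack"}


class InterfaceProtector:
    """Sliding-window detector for one interface's Firewall Protection items.

    Only packets whose destination is one of the interface's own addresses are
    examined. Packet records are (ts, proto, src, dst, dport, flags); that
    record format is an assumption of this example.
    """

    def __init__(self, protected_ips, thresholds=None, window=DEFAULT_WINDOW):
        self.protected = set(protected_ips)
        self.thresholds = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self.window = window
        self.rate = defaultdict(deque)   # (src, kind) -> timestamps in window
        self.ports = defaultdict(deque)  # src -> (timestamp, dport) in window
        self.log = []                    # what the "Log" button would list

    @staticmethod
    def _expire(dq, now, window, ts_of=lambda e: e):
        # Events arrive in time order per source, so pop from the left until
        # the oldest remaining event is inside the window.
        while dq and now - ts_of(dq[0]) > window:
            dq.popleft()

    def observe(self, ts, proto, src, dst, dport=None, flags=""):
        """Feed one packet; return the alerts it triggered (None = out of scope)."""
        if dst not in self.protected:
            return None  # not one of this interface's addresses
        alerts = []
        if proto == "tcp" and "S" in flags and "A" not in flags:
            kind = "syn"          # bare SYN: a new connection attempt
        elif proto in ("icmp", "udp"):
            kind = proto
        else:
            kind = None           # SYN/ACK, ACK, RST etc. are not floods
        if kind:
            dq = self.rate[(src, kind)]
            dq.append(ts)
            self._expire(dq, ts, self.window)
            if len(dq) >= self.thresholds[kind]:
                alerts.append((LABELS[kind], src))
        if proto in ("tcp", "udp") and dport is not None:
            dq = self.ports[src]
            dq.append((ts, dport))
            self._expire(dq, ts, self.window, ts_of=lambda e: e[0])
            # A port scan is many distinct destination ports from one source.
            if len({p for _, p in dq}) >= self.thresholds["ports"]:
                alerts.append(("Port scan", src))
        for alert in alerts:
            self.log.append((ts, *alert))
        return alerts


def demo():
    """Constructed traffic: one scanner sweeping 25 ports, one busy HTTPS client."""
    p = InterfaceProtector({"198.51.100.10"}, thresholds={"ports": 20, "syn": 50})
    for port in range(1, 26):   # scanner, one port every 0.1 s
        p.observe(1000.0 + port * 0.1, "tcp", "203.0.113.5", "198.51.100.10", port, "S")
    for i in range(30):         # legitimate client: 30 connections to port 443
        p.observe(1003.0 + i * 0.1, "tcp", "192.0.2.7", "198.51.100.10", 443, "S")
    return p.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The scanner is reported from its 20th distinct port onwards, while the client that repeatedly hits a single port never crosses either threshold; packets to addresses that are not configured on the interface are ignored entirely.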

3-2-7. interface addresses, or PPPoE dial-up

Define the IP address for each physical interface. Once the settings are added, they will be displayed in a list.
Click on image20 to enter the interface for adding a new IP address.
Network Interface IP Address Settings

Figure 3-5. Network Interface IP Address Settings

【Type】: Choose between STATIC or PPPoE. STATIC settings can be configured here, while PPPoE settings will redirect to the PPPoE setup screen. For more details, please refer to “Network Settings > 3-5. PPPoE Dial-up “.
【Name】: Assign a recognizable name to this interface such as Wan1:2.
【IP Address】: Add an IP address to the interface such as 192.168.1.1.
【Subnet Mask】: Specify the range covered by the IP address. For example, for a Class C subnet, enter 255.255.255.0.
【Default Gateway】: If the interface is of the WAN type, or other routers sit behind it, enter the gateway address here. It is not needed on an internal-type interface with no other routing devices behind it.
【Automatically Set as Exit Route】: When checked, the system will automatically create a route for the exit line. Any packets without defined routes will exit through the default route.
【Management IP】: Specifies whether the IP address on the interface allows administrators to log in for management.

3-3. Route

On the main menu, you can switch between image71 or image72 modes. NG-UTM will toggle the display or configuration mode for the entire device regarding IP settings.

3-3-1. Static Routing

After the administrator sets an IP address and subnet mask in "Network Interfaces > 3-2-7. interface addresses, or PPPoE dial-up", NG-UTM automatically creates a system default route for that network.
System default routes cannot be modified directly. To change one, change the IP address and subnet mask under the "Interface Address" setting.
NG-UTM lists all static routes:
Static Routing Table for IPv4

Figure 3-6. Static Routing Table for IPv4

In addition to the default routing table generated by network interfaces, NG-UTM allows the addition of static routing tables. Static routes can be specified to be effective on specific interfaces.
Pressing the image73 button will take you to add a new static route.
Adding Static Route for IPv4

Figure 3-7. Adding Static Route for IPv4

【Name】: A memorable name for easy identification, for example: “10 Network” or “Default Gateway”.
【Destination IP】: Any IP address within the destination network such as 10.10.10.1.
【Mask】: Specify the range covered by the destination network’s IP addresses. For example, for a Class C subnet, enter 255.255.255.0.
【Gateway】: Enter the gateway address for the destination network.
【Interface】: Specify which interface the added route belongs to. Upon selecting from the dropdown menu, the system will display all established interfaces for the administrator to choose from.
The options are color-coded to distinguish between different network interfaces, including physical network interfaces, IP tunnels, GRE tunnels, PPPoE dial-up interfaces, VLANs, PPTP, and SSL VPN.
If an interface is specified, the route will only be effective on the interface it belongs to.
If the interface is set to “NONE”, the route settings will be effective for all interfaces on the local machine. All statically created routing tables by administrators can be exported or imported.
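The routing semantics just described (a destination IP that may be any address inside the network and is normalised by the mask, routes bound to one interface versus "NONE" routes that apply everywhere, and longest-prefix selection) are modelled in the following added Python example. It is not NG-UTM code: the gateway addresses, the interface name WAN1 and the reading of 【Interface】 as the interface on which a route is consulted are assumptions, and the sample entries are constructed from the manual's own example values.

```python
import ipaddress


class StaticRouteTable:
    """Model of the static-route semantics described in this section.

    Assumptions: 【Destination IP】 may be any host in the destination network
    and is normalised with 【Mask】; lookup is longest-prefix match; a route
    bound to an 【Interface】 is consulted only for that interface, while
    "NONE" routes apply to every interface.
    """

    def __init__(self):
        self.routes = []

    def add(self, name, destination_ip, mask, gateway, interface="NONE"):
        # strict=False turns "10.10.10.1/255.255.255.0" into 10.10.10.0/24,
        # so entering any host of the network yields the same route.
        network = ipaddress.ip_network(f"{destination_ip}/{mask}", strict=False)
        self.routes.append({
            "name": name,
            "network": network,
            "gateway": ipaddress.ip_address(gateway),
            "interface": interface,
        })

    def lookup(self, dst_ip, interface="NONE"):
        """Best matching route for dst_ip on `interface`, or None when there is
        no route at all (the case in which the packet is discarded)."""
        dst = ipaddress.ip_address(dst_ip)
        candidates = [
            r for r in self.routes
            if dst in r["network"] and r["interface"] in ("NONE", interface)
        ]
        if not candidates:
            return None
        # Longest prefix wins: a /32 beats a /24, which beats 0.0.0.0/0.
        return max(candidates, key=lambda r: r["network"].prefixlen)


def build_sample_table():
    """Constructed table using the manual's example values plus assumed gateways."""
    t = StaticRouteTable()
    t.add("10 Network", "10.10.10.1", "255.255.255.0", "192.168.1.254")
    # Host route that is only effective on the (assumed) interface WAN1.
    t.add("10 host via WAN1", "10.10.10.200", "255.255.255.255", "203.0.113.1",
          interface="WAN1")
    t.add("Default Gateway", "0.0.0.0", "0.0.0.0", "192.168.1.254")
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst, ifc in (("10.10.10.77", "LAN"), ("10.10.10.200", "WAN1"),
                     ("10.10.10.200", "LAN"), ("8.8.8.8", "LAN")):
        r = table.lookup(dst, ifc)
        print(dst, ifc, "->", r["name"] if r else "no route (discarded)")
```

The interface-bound /32 entry is chosen only when the lookup is made on WAN1; on any other interface the same destination falls back to the /24 that applies everywhere, and a table with no default route returns None for unknown destinations.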

3-3-2. Designated Gateway

NG-UTM allows one or more interfaces to be connected to WAN lines. WAN lines, leased lines and MPLS internal VPN lines are added to NG-UTM here.
NG-UTM needs to know the next-hop gateway to use when forwarding packets outward.
After creating several Designated Gateways, administrators can bind Designated Gateways of the same type into a Designated Gateway Group.
For WAN Designated Gateways, each Designated Gateway represents one WAN line. Binding several into a Designated Gateway Group provides load balancing across the lines.
Each line that provides Internet connectivity is an exit route, and there are two ways to configure them:
1. Assign each external line to its own zone.
2. Connect all external lines to a switch attached to one external zone. In this case every IP address provided by the external lines must be configured under "Network > Network Interfaces > 3-2-7. interface addresses, or PPPoE dial-up".
Each method has advantages. The former is easier to manage, makes lines easy to identify and simplifies troubleshooting. The latter allows more external lines than NG-UTM has physical ports.
Pressing the image75 button will take you to configure exit routes.
Setting the Gateway for WAN

Figure 3-8. Setting the Gateway for WAN

【Name】: The name of the specified gateway, for example: “WAN-1”, “PPPoE-1”, etc.
【Destination Address】: Optional. Any IP address within the destination network. If left blank, it represents 0.0.0.0/0. For WAN type lines, this is usually not required.
【Gateway】: Mandatory. The gateway address of the exit route.
【Interface】: Specifies which interface the added exit route belongs to. Upon selecting from the dropdown menu, the system will display all established interfaces for the administrator to choose from.
The options are color-coded to distinguish between different network interfaces, including physical network interfaces, IP tunnels, GRE tunnels, PPPoE dial-up interfaces, VLANs, PPTP, and SSL VPN.
【Line Detection Method】: Probes whether the line is down. Three methods are available: ARP, ICMP or DNS. At each interval NG-UTM sends an ARP request, an ICMP echo request or a DNS query to the address set in 【Gateway】 (or in 【Detected IP Address】, if set) and judges the line state from the reply. The default is ICMP.
NONE can also be selected, in which case NG-UTM does not check the gateway at all and assumes the line is always up.
When the WAN line is PPPoE, the PPPoE detection mode can be selected; it uses the DNS method automatically to test the line between NG-UTM and the PPPoE server.
【Detect from】: The source IP address used for line detection. Normally the IP address assigned to this line is selected.
【Detected IP Address】: Optional. The destination address probed by line detection. If left blank, the gateway address of the exit route is used. Note that an ARP or ICMP probe of the local gateway only proves that the next hop is reachable, not that the line beyond it carries traffic; probing an address beyond the gateway (by ICMP or DNS) is a better indication that the line itself is usable.
【Detection Frequency】: How often (in seconds) check packets are sent.
【Enable Spare Gateway】: When this Designated Gateway is detected as down, packets are redirected to a spare Designated Gateway so that traffic continues to flow. Up to 2 spare gateways can be set.
【Spare Gateway 1 and 2】: The spare gateways used when this Designated Gateway is down. A spare gateway is another Designated Gateway that has already been set up (select the zone in which it is located).

note

The spare gateway function enabled by "Enable Spare Gateway" differs from the load balancing provided by Designated Gateway Groups. Spare gateways have no concept of weights and operate as a fixed 1-to-1 or 1-to-N failover.
For example, if the original line's external speed is 100Mbps and the configured spare gateway is only 10Mbps, then when the original line is disconnected all of the 100Mbps traffic is routed to the 10Mbps spare line. Even if a third line is available, the system will not redirect packets to it automatically.
With the load balancing mode provided by a Designated Gateway Group, however, the 100Mbps traffic is distributed across the valid Designated Gateways according to the configured weights or load balancing mode. Where three or more WAN-type lines exist, a Designated Gateway Group is therefore the better choice.
After adding, it will be displayed in list:
Designated Gateway List

Figure 3-8. Designated Gateway List

Every WAN type line or line with enabled “Line Detection Method” has records of disconnection and connection available for query.
Clicking on image77 allows you to view the past connection status of the line, including the disconnection and connection times of the line.

3-3-3. Designated Gateway Group

NG-UTM provides the functionality of a link load balancer, treating each outbound line as a WAN-type line.
According to the load balancing mode and weight settings, network packets are evenly distributed across each line.
Clicking on the image78 button initiates the addition of a specified gateway group. Administrators can configure multiple groups based on actual requirements, facilitating subsequent selection in the “Policy” section.
Designated Gateway Group List

Figure 3-8 Designated Gateway Group List

【Group Name】: The name of this outbound line group such as WAN-ALL, All External Networks, etc.
【Load Balancing Mode】: The method of distributing network packets, with four selectable modes:
·Session: Distributes based on session weight regardless of source or destination IP address.
For example, if Line A has a weight of 1 and Line B has a weight of 2, the first session goes to Line A, the second and third sessions to Line B, and so forth.
·Source IP: Distributes based on source IP address weight.
For example, if Line A has a weight of 1 and Line B has a weight of 2, the first session from the same source IP address goes to Line A, the second and third sessions to Line B, and so on. Distribution for different source IP addresses follows the same pattern.
·Destination IP: Distributes based on destination IP address weight.
For example, if Line A has a weight of 1 and Line B has a weight of 2, the first session to the same destination IP address goes to Line A, the second and third sessions to Line B, and so forth. Distribution for different destination IP addresses follows the same pattern.
·MINFIRST: Distributes new sessions according to the actual load on each line; the line with the lowest load receives the next session.
【Disconnect Detection】: Specifies how often the system checks if the line is functioning normally, serving as the basis for line switching.
【Outbound Line】: The outbound line(s) used by this group and their assigned weights. All gateways configured in the outbound lines will be displayed here for administrators to select and configure.
【Weight】: The relative load capacity of the outbound line. For example, if Line A has weight 1 and Line B has weight 10, NG-UTM assigns one new session to Line A for every ten assigned to Line B.
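The four load balancing modes and the weight rule above, together with the note in 3-3-2 that only valid (detected as up) Designated Gateways take part, are modelled in the following added Python example. It is not NG-UTM's code; the line names, the way MINFIRST breaks ties (fewest active sessions per unit of weight, first line on a tie) and the per-address cursors used for the Source IP and Destination IP modes are assumptions chosen to reproduce the behaviour the manual describes.

```python
class GatewayGroup:
    """Model of a Designated Gateway Group.

    `lines` maps a Designated Gateway name to its 【Weight】. Lines reported
    down by line detection are excluded until they recover. MINFIRST picks
    the line with the fewest active sessions per unit of weight (assumption).
    """

    MODES = ("Session", "Source IP", "Destination IP", "MINFIRST")

    def __init__(self, lines, mode="Session"):
        if mode not in self.MODES:
            raise ValueError(f"unknown load balancing mode: {mode}")
        if any(w < 1 for w in lines.values()):
            raise ValueError("weights must be >= 1")
        self.lines = dict(lines)
        self.mode = mode
        self.up = set(lines)                       # current line detection result
        self.active = {name: 0 for name in lines}  # sessions on each line
        self._cursor = {}                          # distribution key -> position

    def set_line_state(self, name, is_up):
        """Called by line detection when a line goes down or comes back."""
        (self.up.add if is_up else self.up.discard)(name)

    def _weighted_sequence(self):
        # Weight 1 for A and 2 for B yields [A, B, B]: one session to A, then
        # two to B, which is exactly the manual's example.
        return [name for name, w in self.lines.items() if name in self.up
                for _ in range(w)]

    def assign(self, src_ip, dst_ip):
        """Choose the line for a new session; None if every line is down."""
        seq = self._weighted_sequence()
        if not seq:
            return None
        if self.mode == "MINFIRST":
            choice = min((n for n in self.lines if n in self.up),
                         key=lambda n: self.active[n] / self.lines[n])
        else:
            # Session mode shares one cursor across all traffic; Source IP and
            # Destination IP keep an independent cursor per address, so each
            # address individually sees A, B, B, A, B, B, ...
            key = {"Session": None, "Source IP": src_ip,
                   "Destination IP": dst_ip}[self.mode]
            pos = self._cursor.get(key, 0)
            choice = seq[pos % len(seq)]
            self._cursor[key] = pos + 1
        self.active[choice] += 1
        return choice

    def release(self, name):
        """A session on `name` has ended."""
        self.active[name] -= 1


if __name__ == "__main__":
    group = GatewayGroup({"WAN-1": 1, "WAN-2": 2}, mode="Session")
    print([group.assign("192.168.1.10", "198.51.100.1") for _ in range(6)])
    group.set_line_state("WAN-2", False)   # line detection reports WAN-2 down
    print([group.assign("192.168.1.10", "198.51.100.1") for _ in range(3)])
```

With weights 1 and 2 the Session mode produces A, B, B, A, B, B; in Source IP mode two different clients each start from A because their cursors are independent; and once a line is marked down by line detection it silently drops out of the rotation until it recovers.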

3-3-4. Default Gateway

When no outbound lines are configured and no static route matches a destination IP address, packets to that destination cannot be forwarded and are discarded.
To prevent this, configure a default gateway for NG-UTM. All destination IP addresses without a defined route are sent to this gateway.
In a multi-WAN environment a backup gateway is also advisable in addition to the default gateway. If the default gateway goes offline, the system switches to the backup gateway automatically to maintain connectivity.
Default Gateway List

Figure 3-9. Default Gateway List

【Detection Frequency】: Specifies how often the system checks for the existence of the default gateway. The default value is 10 seconds, with a configurable range of 1-999 seconds.
After clicking on image78, you’ll enter the interface for adding a default gateway.
Add Default Gateway

Figure 3-9. Add Default Gateway

【Default Gateway IP】: The IP address of the default gateway. All destination IP addresses not defined in the routing table will be directed to this gateway.
【Interface】: Specifies the interface to which the default gateway belongs. The system lists all interfaces for the administrator to select.
【Assign Internet IP】: When an interface has multiple IP addresses, specifies which one to use for NAT address translation. You can use the IP address configured for the interface or define a customized one.

3-3-5. RIP

NG-UTM supports the RIP (RIPv2) dynamic routing protocol. After the interfaces and update interval are specified, the system learns the routes advertised by neighbouring RIP routers and installs them for its own use.
The learned routes are listed in the dynamic routing list.
Dynamic Routing RIPv2

Figure 3-9 Dynamic Routing RIPv2

【Enable】: Specify whether to enable the RIP routing protocol.
【Interface】: Select which physical interfaces to enable the RIP protocol on. Multiple selections are allowed.
【Routing Update Interval】: Specify the interval for updating the routing table. Default is 30 seconds, with a configurable range of 30-3600 seconds.
【Route Timeout Setting】: Sets the timeout duration. Default is 180 seconds, with a configurable range of 30-3600 seconds.

3-3-6. OSPF

NG-UTM supports OSPF (Open Shortest Path First).

【Service Status】: Displays whether OSPF is enabled, check the box to enable.

【Router ID】: A unique number that identifies the router in the OSPF environment, in the format x.x.x.x

【Advanced Settings】:

Passive Interface: Interfaces on which no OSPF packets are sent, which reduces traffic and system load.

Redistribute: Information from different routing protocols can be introduced into OSPF, and route costs can be set by adjusting the metric-type and metric values.

【OSPF Interface】: The settings for each interface when sending OSPF packets. Select an interface from the drop-down menu, and then click Settings to edit.

Hello Interval: The UTM sends Hello messages to neighbouring devices at this interval to maintain adjacencies.

Dead Interval: If no Hello is received from a neighbouring device within this time, that neighbour is considered offline.

Cost: Specifies the routing cost for this interface, the smaller the value the lower the cost.

Priority: Use this value to select the Designated Router. The larger value is prioritized.

Authentication: Whether routing exchanges on this interface must be authenticated, using either a plain-text key or MD5. A plain-text key is sent unencrypted and can be read by anyone on the segment; prefer MD5 so that a rogue device on the segment cannot inject routes.

【OSPF area】: Adding UTM segments to the OSPF area

Area ID: The unique number of this area in the OSPF network, in the format x.x.x.x

Type: Specify the type of this OSPF area; using the appropriate type can reduce the size of the routing table and the propagation of OSPF messages across the network.

OSPF Network: Add the network to the OSPF area

OSPF

3-3-7. BGP

BGP

3-3-8. Dynamic Routing List

Dynamic Routing List

3-4. VLAN(802.1Q)

VLAN 802.1Q is a basic switch feature that segments an internal network into several independent sub-networks. Each segment operates independently without interfering with the others.
Figure 3-10 illustrates how VLANs operate with a real example. Switch-A is connected to three segments: 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.
Three VLAN IDs are configured on Switch-A: 10, 20 and 30. Hosts in different VLANs cannot communicate with each other until routing is set up on Switch-A or on a higher-level network device; only hosts within the same VLAN can communicate directly.
When Switch-A forwards frames to NG-UTM, the frames carry 802.1Q VLAN tags. NG-UTM must read and strip the tag to determine the frame's next destination, and insert the correct tag on frames it sends back.
This section explains how to configure the VLAN IDs that NG-UTM handles.
VLAN

Figure 3-10 VLAN
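The tag handling described above is shown in the following added Python example, which is not NG-UTM's code: it parses an 802.1Q tag, strips it from an incoming frame, inserts one into an outgoing frame, and maps a tagged frame to a configured segment, returning None when the VLAN ID matches nothing (the mismatch failure discussed in the next paragraph). The sample frame is constructed, and the pairing of VLAN IDs 10, 20 and 30 with the three segments of Figure 3-10 is an assumption, since the page does not state which ID carries which segment.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed mapping of the VLAN IDs in Figure 3-10 to its three segments.
CONFIGURED_VLANS = {10: "192.168.1.0/24", 20: "192.168.2.0/24", 30: "192.168.3.0/24"}


def parse_8021q(frame):
    """Return (vlan_id, priority, ethertype, payload).

    vlan_id and priority are None for an untagged frame. The 16-bit TCI that
    follows the TPID holds PCP (3 bits), DEI (1 bit) and the 12-bit VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q frame truncated before the inner EtherType")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid in (0, 4095):
        # 0 is a priority-only tag and 4095 is reserved; neither is a VLAN.
        raise ValueError(f"reserved VLAN ID {vid}")
    return vid, tci >> 13, inner_type, frame[18:]


def strip_tag(frame):
    """Disassemble: remove the 802.1Q tag so the packet can be routed."""
    vid, _, inner_type, payload = parse_8021q(frame)
    if vid is None:
        return frame
    return frame[:12] + struct.pack("!H", inner_type) + payload


def add_tag(frame, vid, pcp=0):
    """Assemble: insert an 802.1Q tag into an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame, configured=CONFIGURED_VLANS):
    """Map an incoming frame to its configured segment.

    Returns "untagged" for frames without a tag and None when the tag does
    not match any configured VLAN ID, i.e. the frame cannot be handled.
    """
    vid, _, _, _ = parse_8021q(frame)
    if vid is None:
        return "untagged"
    return configured.get(vid)


# Constructed frame: broadcast destination, locally administered source,
# IPv4 EtherType and an 8-byte stub payload.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "021122334455" "0800" "4500001400000000")


if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, 10)
    print(tagged.hex())
    print(parse_8021q(tagged)[:3], classify(tagged))
    print(strip_tag(tagged) == SAMPLE_UNTAGGED, classify(add_tag(SAMPLE_UNTAGGED, 40)))
```

Tagging with ID 10 inserts the four bytes 81 00 00 0a after the source MAC; stripping restores the original frame byte for byte; and a frame tagged with an ID that was never configured (40 here) classifies to None, which is the switch/UTM mismatch that the next paragraph warns about.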

Click image81 to enter the interface for adding a VLAN.
Before adding, confirm that the connected switch is already configured with the same VLAN ID and the same network segment. The network segment may include both IPv4 and IPv6 addresses.
If either of these does not match the connected switch, tagged frames will not be handled correctly and the network will fail.
VLAN Configuration Example

Figure 3-11 VLAN Configuration Example

【Name】: The default name for the VLAN is VLAN, which cannot be changed. Only the ID can be used to differentiate between different VLANs.
【Enable】: Specify whether to enable this VLAN ID. Administrators can pre-configure VLAN IDs and then decide whether to activate them.
【Interface】: Specify the zone to which the newly created VLAN belongs. NG-UTM lists all zones for administrators to choose from.
【MTU】: Set the maximum byte size for each packet. Default is 1500, with a configurable range of 1400 to 1500.
【VLAN ID】: Assign a numerical code to this VLAN. VLAN IDs must be unique within the same NG-UTM device, with a numerical range of 1 to 4094.
【IP Address】: Specify the network IP address and segment included under the VLAN ID. Both IPv4 and IPv6 addresses can be configured.
【Comment】: Allow comments or notes for clarification.
【Enable Visit】: Specify whether the interface address for this VLAN ID accepts SNMP queries and ICMP responses. Both are disabled by default.
Once configured, NG-UTM interfaces accept tagged frames from the downstream switches, strip the VLAN tag, and forward the packets to the destination network according to the routing settings.
Packets returning from the destination network are tagged with the matching VLAN ID and sent back to the corresponding VLAN.

3-5. PPPoE Dial-up

In WAN connections, PPPoE is a common dial-up method, and NG-UTM supports standard PPPoE functionality.
Multiple PPPoE accounts can be configured, whether on the same zone or on different zones.
Clicking on image85 will begin adding a PPPoE account.
Before adding, ensure that the PPPoE account and password are ready, and confirm which zone and port the PPPoE connection is attached to. NG-UTM currently supports a maximum of 9 PPPoE account dial-up connections.
PPPoE Example

Figure 3-12. PPPoE Example

• PPPoE Dial-Up Settings

【Name】: Specify the name of this PPPoE dial-up connection.
【Enable】: Specify whether to enable this PPPoE account. It can be pre-configured and activated as needed.
【Interface】: Specify which zone this PPPoE account belongs to. NG-UTM lists all defined zones for administrators to choose from.
【Account】: Specify the PPPoE account username, e.g., 75139012@hinet.net.
【Password】: Specify the PPPoE account password. Case sensitivity should be noted.
【MTU】: The maximum packet size that can pass through the data link layer, typically 1492, because the 6-byte PPPoE header and the 2-byte PPP protocol field consume 8 bytes of the 1500-byte Ethernet payload.
【IPv6】: Indicate whether the PPPoE account provides IPv6 allocation. If it’s unchecked, it means PPPoE dial-up can only obtain IPv4 addresses.
【VLAN ID】: Specify the VLAN ID if the connection passes through a VLAN-tagged switch or if the modem sends packets with VLAN tags. This allows the firewall to correctly identify VLANs.
【Auto Set】: To simplify PPPoE setup, ticking "Designated Gateway" and "Default Gateway" creates those entries automatically, so they do not need to be configured separately.
• PPPoE Alive Detection
【Line Detection Method】: Probes whether the line is down. Three methods are available: ARP, ICMP or DNS. NG-UTM periodically sends an ARP request, an ICMP echo request or a DNS query to the address set in "Gateway" and judges from the reply whether the line is up or down.
Clicking image87 in the PPPoE account list lets the administrator check whether the line is connected after a successful PPPoE dial-up.
The default is NONE. In NONE mode NG-UTM does not check the gateway for disconnection and assumes the line is always connected.
【Detected IP Address】: The address probed by the selected line detection method. If the method is NONE, this is set automatically to 0.0.0.0.
• Visit Control
【Enable Access】: Specifies whether the interface address of this PPPoE connection accepts SNMP queries, ICMP responses, and management interface logins. All are disabled by default.
• Firewall Protection
【Firewall Protection Items】: Specify whether to enable firewall protection for this interface to prevent attacks.
All newly added PPPoE accounts will be presented in a list format.
PPPoE account list

Figure 3-13. PPPoE account list

In the “Activation” column, image88 indicates that the PPPoE connection is currently enabled, while image89 indicates that it is currently paused. Clicking on the icon allows for direct toggling between enabling and disabling.
In the “Connection Status” column, image90 represents a successful dial-up connection, while image91 indicates a failed connection.
Clicking on image92 in the “Line Detection” and “Records” sections respectively provides access to different record information.
“Line Detection” shows whether the PPPoE connection to the Internet is functioning properly after successful dial-up, while “Records” indicate whether the PPPoE account has passed authentication from the remote PPPoE server.

3-6. WWAN

WWAN stands for Wireless Wide Area Network. It is a wireless communication technology that allows the firewall to connect to the Internet using 3G or 4G LTE USB network adapters.

WWAN
• Setting WWAN
【Name】: Set the name of this WWAN connection.
【Enable】: Turn on to enable this WWAN service.
【Visit Control】: Whether the interface address of this WWAN accepts SNMP queries, ICMP responses, and management interface logins. The default is off.
【Firewall Protection Items】: Whether or not to enable firewall protection for this interface.
【USB】: Select the USB device to be used for this WWAN interface.
• 3G/4G USB (Supported Models)

· DLINK DWM-222 A1
· HUAWEI E3372h
· HUAWEI E161 (3G only)

3-7. IP Tunnel

IP Tunnel is a special feature of NG-UTM. Apart from establishing a VPN network between two NG-UTM devices, it can also establish an IP Tunnel with other gateways that support the IP Tunnel protocol.
Unlike other gateways, once the IP Tunnel is established, NG-UTM can control the packets within these tunnels.
For instance, NG-UTM allows Web, SMTP, and POP3 packets to enter the tunnel while rejecting other packets.

Tip

Video reference | 眾至 NU series UTM tutorial: IP Tunnel introduction and configuration

The scenario for IP Tunnel operation
In the network architecture shown in the diagram, NG-UTM is deployed at the central site and oversees the entire network’s external connections. Gateways or firewalls with IP Tunnel functionality are deployed at the branch sites.
The fundamental requirement is to enable secure access from the branch’s POS machines or computers to the server resources at the central site, such as accounting or ERP systems.
Using IP Tunnel allows this type of network architecture to be established and deployed rapidly. On NG-UTM, administrators can control which applications at each branch are able to access the Internet or the internal network.
Services other than these specified applications will be denied.
The benefit of centralized management is that administrators only need to control one NG-UTM device to oversee the entire network dynamically. This is because all network packets, including those from the central site and all branches, pass through it.
IP Tunnel Operation Diagram

Figure 3-14 IP Tunnel Operation Diagram

To establish a new IP Tunnel
The system automatically adds a virtual network interface for each IP Tunnel created. Just as physical port interfaces are named Eth0, Eth1, and so on, the default virtual network interface name follows the format tunl+number, such as tunl1 or tunl2.
The number increments automatically starting from 1.
Once created, a default static route is automatically generated. This new static route will appear in “Network > Route > 3-3-1. Static Routing” and will be labeled with the interface name tunl+number.
You can also specify a gateway in “Network > Route > 3-3-2. Designated Gateway”.
If NG-UTM acts as the client end of the IP Tunnel, i.e., it needs to use the remote IP Tunnel to access the internet, you need to establish an exit route and specify which services should go through this IP Tunnel in the rule set.
Click on image95 to start adding a new IP Tunnel. Before adding, prepare the WAN IP address of the peer and the tunnel subnet.
Creating an IP Tunnel

Figure 3-15. Creating an IP Tunnel

【Tunnel Name】: A name to easily identify this IP Tunnel.
【Enable】: Determines whether to enable this IP Tunnel. Administrators can pre-configure IP Tunnels and activate them as needed.
【Encryption Mode】: Specifies whether encryption should be enabled within the IP Tunnel. If enabled, each packet passing through the tunnel will undergo encryption.
【NONE】: Encryption is not enabled within the IP Tunnel.
【GRE】: GRE, with a specified key used for encryption and decryption.
【IPSEC】: IPSEC, with a specified key used for encryption and decryption. Administrators can choose between encryption strengths of 256 bit or 128 bit.
【Remote IP Address】: The IP address of the remote endpoint with which NG-UTM establishes the IP Tunnel, such as 5.5.5.5.
【Local IP Address】: The IP address used by NG-UTM to establish the IP Tunnel.
This address must be one of NG-UTM’s own local addresses, typically the IP address bound to a physical port in “Network > Interface.”
【Tunnel Interface Address】: The gateway address within the IP Tunnel for internal routing. When packets are sent to this address, they will be automatically forwarded through the IP Tunnel to the other end.
【Detected IP Address】: The IP address used to ensure the connectivity of the IP Tunnel, usually set to the gateway address at the other end of the tunnel.
【Detection Rate】: Interval at which line detection actions are performed, measured in seconds. It can be set within the range of 1-999 seconds.
【Encryption Format】: Only appears when IPSEC is selected as the encryption protocol. Two modes are available:
· High Security: Utilizes the AES 256 bit encryption mechanism.
· Low Security: Utilizes the AES 128 bit encryption mechanism.
【KEY】: The pre-shared encryption password set by both ends of the tunnel when GRE or IPSEC encryption is selected. It can be any combination of alphanumeric characters.
【MTU】: Maximum size of each packet in bytes; the default is 1480 bytes.
This default is lower than the default MTU in “Network Settings” (1500) because IP Tunnels add extra packet headers.
Setting it to 1500 bytes would make the encapsulated packet exceed the MTU of the underlying network configuration, causing packet transmission failures. The allowable MTU range is 1400 to 1500 bytes.
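The MTU figures this chapter gives for PPPoE (1492), for PPPoE behind a VLAN tag, and for an IP Tunnel (1480) all follow from subtracting encapsulation headers from the 1500-byte link MTU. The following is an added example, not part of the NG-UTM manual or its software, that computes those budgets and checks a configured tunnel MTU the way the text describes; the per-layer overhead values are standard header sizes assumed here, not values from the manual.

```python
# Added example (not NG-UTM code): MTU budget per encapsulation layer.
# Overhead values are standard header sizes, assumed for illustration.
OVERHEAD = {
    "vlan": 4,       # 802.1Q tag
    "pppoe": 8,      # PPPoE header (6) + PPP protocol field (2) -> 1492 on Ethernet
    "ipip": 20,      # outer IPv4 header of a plain IP-in-IP tunnel -> 1480
    "gre": 24,       # outer IPv4 header (20) + basic GRE header (4)
    "gre_key": 28,   # GRE with the optional Key field (+4)
}

LINK_MTU = 1500                 # Ethernet default, as in "Network Settings"
TUNNEL_MTU_RANGE = (1400, 1500)  # allowed range of the IP Tunnel MTU setting


def inner_mtu(layers, link_mtu=LINK_MTU):
    """Largest inner packet that still fits into link_mtu once every layer
    in `layers` has been added in front of it."""
    return link_mtu - sum(OVERHEAD[layer] for layer in layers)


def check_tunnel_mtu(mtu, layers, link_mtu=LINK_MTU):
    """Validate a configured tunnel MTU. Returns (ok, reason)."""
    lo, hi = TUNNEL_MTU_RANGE
    if not lo <= mtu <= hi:
        return False, f"{mtu} outside allowed range {lo}-{hi}"
    limit = inner_mtu(layers, link_mtu)
    overhead = link_mtu - limit
    if mtu > limit:
        # An inner packet of `mtu` bytes becomes mtu + overhead on the wire,
        # which no longer fits the link: the outer packet is dropped (or needs
        # fragmentation, which DF-marked traffic forbids).
        return False, f"{mtu} + {overhead} B overhead exceeds link MTU {link_mtu}"
    return True, f"fits: outer packet is {mtu + overhead} B"


if __name__ == "__main__":
    print("PPPoE:", inner_mtu(["pppoe"]))            # 1492
    print("PPPoE over VLAN:", inner_mtu(["vlan", "pppoe"]))
    print("IP Tunnel (IPIP):", inner_mtu(["ipip"]))  # 1480
    print(check_tunnel_mtu(1500, ["ipip"]))
    print(check_tunnel_mtu(1480, ["ipip"]))
```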

3-8. Interrupt

NG-UTM employs multi-core CPU architecture to support its diverse range of services, each with varying traffic demands across network interfaces.
By default, the system autonomously allocates CPU resources to each service.
However, in scenarios where certain network interfaces experience exceptionally high traffic, the automated CPU resource allocation may exacerbate the workload on busy CPUs while leaving idle CPUs underutilized.
To address this issue, NG-UTM offers administrators CPU interrupt services, enabling them to adjust system resources accordingly.

3-8-1. Hardware Interrupt

CPU resources are allocated according to the interrupt requests raised by physical interfaces. For instance, when a network interface’s TX/RX queue issues an interrupt request, a specific CPU is assigned to service it.
CPU Hardware Interrupt

Figure 3-16. CPU Hardware Interrupt

3-8-2. Software Interrupt

Here CPU resources are assigned per zone rather than per physical interface. This differs significantly from hardware interrupts, because a single zone may contain multiple physical ports.
CPU Software Interrupt

Figure 3-17. CPU Software Interrupt
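To make the two allocation views concrete, the following added example (not taken from the NG-UTM manual or its software) models them with the Linux mechanisms an appliance of this kind is assumed to use: hardware interrupts are steered per interface queue through /proc/irq/<irq>/smp_affinity, while software receive processing is steered per interface through /sys/class/net/<if>/queues/rx-<q>/rps_cpus, so every port of one zone can share one CPU set. Interface names, zone membership, CPU count and IRQ numbers are constructed sample data.

```python
# Added example (not NG-UTM code): hardware vs. software interrupt CPU plans.
# Assumes the Linux smp_affinity / rps_cpus hex-bitmask interfaces.

def cpu_mask(cpus):
    """Hex bitmask of the given CPU ids (the format both sysfs files take)."""
    bits = 0
    for cpu in cpus:
        bits |= 1 << cpu
    return format(bits, "x")


def hardware_plan(queue_irqs, ncpu):
    """Hardware interrupt view: spread each TX/RX queue interrupt over the
    CPUs round-robin. queue_irqs: {(iface, queue): irq}; returns {irq: mask}."""
    plan = {}
    for i, irq in enumerate(sorted(queue_irqs.values())):
        plan[irq] = cpu_mask([i % ncpu])
    return plan


def software_plan(zones, zone_cpus):
    """Software interrupt view: every port of a zone gets the same rps_cpus
    mask, so the zone's traffic is processed on one CPU set even though it
    enters through several ports. zones: {zone: [iface]}; zone_cpus: {zone: [cpu]}."""
    return {iface: cpu_mask(zone_cpus[zone])
            for zone, ifaces in zones.items() for iface in ifaces}


def render_commands(hw, sw, rx_queues=1):
    """Shell lines that would apply both plans (dry run, nothing is executed)."""
    lines = [f"echo {mask} > /proc/irq/{irq}/smp_affinity" for irq, mask in sorted(hw.items())]
    for iface, mask in sorted(sw.items()):
        for q in range(rx_queues):
            lines.append(f"echo {mask} > /sys/class/net/{iface}/queues/rx-{q}/rps_cpus")
    return lines


# Constructed sample: 4 CPUs, eth0 and eth1 bridged in zone 0, eth2 alone in zone 1.
SAMPLE_IRQS = {("eth0", "rx-0"): 40, ("eth0", "tx-0"): 41,
               ("eth1", "rx-0"): 42, ("eth1", "tx-0"): 43,
               ("eth2", "rx-0"): 44, ("eth2", "tx-0"): 45}
SAMPLE_ZONES = {0: ["eth0", "eth1"], 1: ["eth2"]}
SAMPLE_ZONE_CPUS = {0: [0, 1], 1: [2, 3]}

if __name__ == "__main__":
    hw = hardware_plan(SAMPLE_IRQS, ncpu=4)
    sw = software_plan(SAMPLE_ZONES, SAMPLE_ZONE_CPUS)
    print("\n".join(render_commands(hw, sw)))
```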

Note

Both software and hardware interrupts have an automatic configuration option (image506). Clicking it allocates the CPU interrupts in the default way.
After configuration, you can check the real-time load of each CPU by navigating to “Status > System Status > 15-1-6. CPU Info”.