Description:

In highly heterogeneous environments with network devices from different manufacturers, integrating a LANCOM R&S®Unified Firewall with UTM features can be a challenge. The simplest solution is to use the transparent bridge mode. This allows all of the features of existing network devices to remain in use (e.g. existing VPN connections).

This article describes how the UTM features of a LANCOM R&S®Unified Firewall are operated in heterogeneous network environments by means of the transparent bridge mode.

All UTM functions can be operated in this scenario.



Requirements:

  • LANCOM R&S®Unified Firewall with LCOS FX as of version 10.13 RU8
  • Basic or full license (full license required for UTM functions)
  • Installed and functional network scenario
  • The Unified Firewall must be in its ex-factory state
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

  • The router serves the IP network 192.168.100.0/24 and has the IP address 192.168.100.254.
  • The router acts as the default gateway and also runs the DHCP and DNS servers.
  • On the Unified Firewall, the interfaces eth1 and eth2 are combined into the bridge br0, which is assigned the IP address 192.168.100.253.

[Diagram: Unified Firewall in transparent bridge mode between the LAN and the router (bridge br0 192.168.100.253, router 192.168.100.254), with the router connected to the Internet.]



Procedure:

1) Configuring transparent bridge mode on the Unified Firewall:

1.1) Connect to the Unified Firewall using a web browser, switch to the menu Network → Connections → Network Connections, and use the “trash can” icons to delete two unused connections so that the two Ethernet ports are available for the bridge (in this example the interfaces eth1 and eth2).

[Screenshot: Network → Connections → Network Connections]

1.2) Navigate to the menu Network → Interfaces → Bridge Interfaces and click on the “+” icon to create a new interface.

[Screenshot: Network → Interfaces → Bridge Interfaces]

1.3) Select the ports freed in step 1.1 (in this example eth1 and eth2) and click Create.

[Screenshot: Bridge interface dialog with the Spanning Tree Protocol settings (Priority, Hello Interval in seconds)]

1.4) Change to the menu Network → Connections → Network Connections and click on the “+” icon to create a new network connection.

[Screenshot: Network Connections dialog]

1.5) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example Bridge-Interface).
  • Interface: Select the bridge interface created in step 1.3 (in this case br0).
  • IP Addresses: Enter a free IP address in CIDR format on the network where the Unified Firewall is to be integrated (in this example 192.168.100.253/24).

On the WAN tab, do not set a default gateway!

[Screenshot: Network connection “Bridge-Interface” with its settings]

1.6) Change to the menu Network → Routing → Routing Tables and click on the “edit” icon to modify the settings of routing table 254.

[Screenshot: Network → Routing → Routing Tables]

1.7) Click on the “+” icon to create an additional routing entry.

[Screenshot: Routing table 254 with its existing routes (destination, interface, gateway, type)]

1.8) Modify the following parameters and then click OK:

  • Interface: From the drop-down menu select the bridge interface created in step 1.3 (in this case br0).
  • Destination: Enter the address 0.0.0.0/0. This routes packets for any destination via this route (default route).
  • Gateway: Enter the IP address of the default gateway of the existing network (in this example the router, 192.168.100.254).

[Screenshot: Edit Route dialog with destination, gateway, attached subnets, preferred source and metric]

1.9) Click on Save.

[Screenshot: Routing table 254 with the added default route]

1.10) Click the icon for creating a new network to create a desktop object for the local network.


1.11) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example Production).
  • Interface: Select the bridge interface created in step 1.3 (in this case br0).
  • Network IP: Enter the network address of the existing network in CIDR format (in this example 192.168.100.0/24).

[Screenshot: Network object dialog (name, description, tags, network IP)]

1.12) Click the icon for creating a new network once again to create a desktop object for the Internet connection.


1.13) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example Internet).
  • Interface: Select the interface any.
  • Network IP: Enter the address 0.0.0.0/0. This stands for any destination.

[Screenshot: Network object “Internet” dialog]



2) Allow DHCP communication:

A firewall rule is required to enable DHCP communication between the end devices and the DHCP server on the router.

If a DHCP server is operated “behind” the Unified Firewall, the DHCP packets do not pass through it. In this case, the following configuration steps are not necessary.

2.1) Click the icon for creating a host to create a desktop object for the DHCP source.


2.2) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example DHCP_Source).
  • Interface: Select the interface any.
  • IP address: Enter the IP address 0.0.0.0. DHCP requests are sent with this source address, because a client without a lease does not yet have an IP address.

[Screenshot: Host object “DHCP_Source” dialog]

2.3) Click the icon for creating a host once again to create a desktop object for the DHCP target.


2.4) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example DHCP_Target).
  • Interface: Select the interface any.
  • IP address: Enter the IP address 255.255.255.255. DHCP requests are sent to this target address, which is the limited broadcast address.

[Screenshot: Host object “DHCP_Target” dialog]

2.5) Change to the menu Desktop → Services → User-defined Services and click on the “+” icon to create a user-defined service.

[Screenshot: Desktop → Services → User-defined Services]

2.6) Give it a descriptive name and click on the “+” icon to add the Ports and Protocols.

[Screenshot: User-defined service “DHCP” dialog, Ports and Protocols section]

2.7) Enter the ports 67 to 68 and select the UDP protocol. Then click on OK.

[Screenshot: Ports and Protocols entry dialog]

2.8) Click on Create.

[Screenshot: User-defined service “DHCP” with the UDP 67–68 entry]

2.9) On the desktop, click the DHCP source object (DHCP_Source) created in step 2.2, select the connection tool and click the DHCP target object (DHCP_Target) created in step 2.4.


2.10) Use the “+” icon to add the user-defined service created for DHCP in steps 2.6 to 2.8.

[Screenshot: Connection dialog DHCP_Source → DHCP_Target with the service selection list]

2.11) Click Create to create the firewall rule.

[Screenshot: Connection DHCP_Source → DHCP_Target with the DHCP rule and the URL Content Filter, Application Filter and Application-Based Routing tabs]

2.12) This concludes the configuration of the transparent bridge. Finally, apply the changes by clicking Activate.
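As an added sanity check for the values collected in steps 1.1 to 2.12 (example code written for this article, not part of LCOS FX or the LANCOM documentation; the BridgePlan structure and its field names are assumptions that mirror the GUI fields), the following Python script verifies the plan before you click Activate:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BridgePlan:  # fields mirror the GUI entries of steps 1.1 to 2.7 (assumed structure)
    bridge_ports: Tuple[str, ...]       # ports freed in step 1.1 and bridged in step 1.3
    bridge_ip: str                      # step 1.5, CIDR notation
    wan_default_gateway: Optional[str]  # step 1.5: must stay empty on the WAN tab
    route_destination: str              # step 1.8
    route_gateway: str                  # step 1.8: the existing default gateway
    local_network: str                  # step 1.11, CIDR notation
    dhcp_protocol: str = "UDP"          # step 2.7
    dhcp_ports: Tuple[int, int] = (67, 68)


# The values used throughout the article (taken from its scenario section).
ARTICLE_PLAN = BridgePlan(("eth1", "eth2"), "192.168.100.253/24", None,
                          "0.0.0.0/0", "192.168.100.254", "192.168.100.0/24")


def check_plan(p: BridgePlan) -> List[str]:
    """Return the list of inconsistencies; an empty list means the plan is sound."""
    problems = []
    if len(set(p.bridge_ports)) < 2:
        problems.append("the bridge needs two distinct Ethernet ports")
    iface = ipaddress.ip_interface(p.bridge_ip)
    net = ipaddress.ip_network(p.local_network, strict=True)
    gw = ipaddress.ip_address(p.route_gateway)
    if iface.network != net:
        problems.append("bridge IP is not inside the existing network")
    if iface.ip in (gw, net.network_address, net.broadcast_address):
        problems.append("bridge IP must be a free host address, not the router or a reserved address")
    if gw not in net:
        problems.append("default gateway is not inside the existing network")
    if p.wan_default_gateway:
        problems.append("no default gateway may be set on the WAN tab (step 1.5)")
    if ipaddress.ip_network(p.route_destination) != ipaddress.ip_network("0.0.0.0/0"):
        problems.append("the routing entry in table 254 must use destination 0.0.0.0/0")
    if p.dhcp_protocol != "UDP" or set(p.dhcp_ports) != {67, 68}:
        problems.append("the DHCP service must be UDP with ports 67 to 68")
    return problems


def dhcp_rule_matches(p: BridgePlan, src: str, dst: str, proto: str, dport: int) -> bool:
    """Does the DHCP_Source -> DHCP_Target rule from steps 2.2 to 2.11 cover this packet?"""
    return (src == "0.0.0.0" and dst == "255.255.255.255"
            and proto == p.dhcp_protocol and dport in p.dhcp_ports)
```

Running check_plan on a plan that reuses the router's address or leaves a gateway on the WAN tab returns the matching messages, which is exactly the kind of mistake that silently breaks the bridge.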




3) Configuring UTM features:

You can now set up the UTM features: