About Network Modes and Interfaces

A primary component of your Firebox setup is the configuration of network interface IP addresses. When you run the Web Setup Wizard or Quick Setup Wizard, you set up the external and trusted interfaces so traffic can flow from protected devices to an outside network. You can change the interface configuration to add other components of your network to the configuration. For example, you can set up an optional interface for public servers such as a web server.

Your Firebox physically separates the networks on your Local Area Network (LAN) from those on a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks it protects to networks outside your organization. To route packets through your device to the correct destinations, your device must know which networks are connected on each interface.

We recommend that you record basic information about your network and VPN configuration in the event that you need to contact technical support. This information can help your technician resolve your problem quickly. For guidelines about what information to have ready before you call WatchGuard for support, go to Working with WatchGuard Customer Support.

To resolve network connectivity issues, go to Troubleshoot Network Connectivity.

Network Modes

Your Firebox supports several network modes:

Mixed routing mode

In mixed routing mode, you can configure your Firebox to send network traffic between a wide variety of physical and virtual network interfaces. This is the default network mode, and this mode offers the greatest amount of flexibility for different network configurations. However, you must configure each interface separately, and you might have to change network settings for each computer or client protected by your Firebox. The Firebox uses Network Address Translation (NAT) to send information between network interfaces.

For more information, go to About Network Address Translation (NAT).

The requirements for mixed routing mode are: 

  • All interfaces of the Firebox must be configured on different subnets unless the interface type is VLAN or Bridged.
  • All computers connected to the trusted and optional interfaces must have an IP address from that network.

The default Firebox configuration includes external (WAN) and trusted (LAN) interfaces. You also can configure one or more optional interfaces. For example, you might configure an optional interface for a DMZ.

In most cases, Firebox configurations have an external interface and trusted interfaces. However, an external interface is not required if the Firebox is not an edge firewall. For example, you do not have to configure an external interface on a Firebox used on your LAN to isolate networks if another device protects the edge between the LAN and WAN. To configure a Firebox without any external interfaces, go to Configure the Firebox Without External Interfaces.

For more information about mixed routing mode, go to Mixed Routing Mode.

Drop-in mode

In a drop-in configuration, your Firebox is configured with the same IP address on all interfaces. You can put your Firebox between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in because your Firebox is dropped in to an existing network. Some network features, such as bridges and VLANs (Virtual Local Area Networks), are not available in this mode.

For drop-in configuration, you must: 

  • Assign a static external IP address to the Firebox.
  • Use one logical network for all interfaces.
  • Not configure multi-WAN in Round-robin or Failover mode.

For more information, go to Drop-In Mode.

Bridge mode

Bridge mode is a feature that enables you to place your Firebox between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your Firebox processes and forwards all incoming network traffic to the gateway IP address you specify. When the traffic arrives at the gateway, it appears to have been sent from the original device. In this configuration, your Firebox cannot perform several functions that require a public and unique IP address. For example, you cannot configure a Firebox in bridge mode to act as an endpoint for a VPN (Virtual Private Network).

For more information, go to Bridge Mode.

Interface Types

When you enable a Firebox interface, you must configure the interface as one of these four interface types:

External Interfaces

An external interface is used to connect your Firebox to a network outside your organization. Often, an external interface is the method by which you connect your Firebox to the Internet.

When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IP address for your Firebox. If you do not know the method, get this information from your ISP or network administrator.

External interfaces are members of the Any-External alias. External interfaces always have a default route, which is also known as a zero route (

If you disable all external interfaces, or if you change all external interfaces to internal interfaces, the Firebox prompts you to specify a default gateway IP address for the Firebox. You cannot add a default route for the Firebox in the Network > Routes configuration.

Trusted Interfaces

Trusted interfaces connect to the private LAN (local area network) or internal network of your organization. A trusted interface usually provides connections for employees and secure internal resources. Trusted interfaces are members of the Any-Trusted alias.

Optional Interfaces

Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted network. Examples of computers often found on an optional interface are public web servers, FTP servers, and mail servers. The settings for an optional interface are the same as for a trusted interface. The only difference is that optional interfaces are members of the Any-Optional alias.

Custom Interfaces

Custom interfaces are connected to the internal network of your organization. You can use a custom interface when you want to configure a security zone that is separate from the trusted or optional security zones. For more information about custom interfaces, go to Configure a Custom Interface.

Trusted, optional, and custom interfaces are all internal interfaces, and all have the same configurable settings. The IP address for an internal interface must be static. Usually, internal interfaces use private or reserved IP addresses that conform to RFC 1918 and RFC 8190. We recommend that you do not use public IP addresses that you do not own on your internal network.

When you configure the interfaces on your Firebox, you must use slash notation to denote the subnet mask. For example, you would enter the IPv4 network range subnet mask as A trusted interface with the IPv4 address of has a subnet mask of

In mixed routing mode, you can also configure Bridge, VLAN, and Link Aggregation interfaces. Each of these interface types must be in the External, Trusted, Optional, or Custom security zone. For more information about settings that apply to all interface types, go to Common Interface Settings.

In mixed routing mode, multiple interfaces of the same type are separate from each other. For example, if you configure multiple Trusted interfaces, hosts on one Trusted network cannot connect to hosts on a separate Trusted network, unless you configure a Firebox policy that allows the connection.

For more information on slash notation, go to About Slash Notation.
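The mixed routing mode subnet requirements and the internal-interface addressing guidance above can be checked against an interface plan before it is applied to a device. This Python check is an added example, not WatchGuard code; the plan layout, the sample addresses, and the check_plan function are assumptions made for illustration, and Python's is_private test is used as an approximation of the private and reserved ranges.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: (interface, security zone, type, address in slash notation).
PLAN = [
    ("eth0", "External", "Physical", "203.0.113.2/24"),
    ("eth1", "Trusted",  "Physical", "10.0.1.1/24"),
    ("eth2", "Optional", "Physical", "10.0.1.129/25"),  # falls inside eth1's subnet
    ("eth3", "Custom",   "Physical", "11.0.0.1/24"),    # public space on an internal zone
    ("eth4", "Trusted",  "VLAN",     None),             # exempt type, not checked here
]
# Constructed sample hosts: (host address, interface the host connects to).
HOSTS = [("10.0.1.20", "eth1"), ("192.168.5.9", "eth1")]

INTERNAL = {"Trusted", "Optional", "Custom"}
EXEMPT_TYPES = {"VLAN", "Bridged"}  # the exception stated in the requirements

def check_plan(plan, hosts):
    """Return a list of findings for a mixed routing mode interface plan."""
    findings, nets = [], {}
    for name, zone, itype, addr in plan:
        if itype in EXEMPT_TYPES:
            continue
        # ip_interface() raises ValueError if the slash notation is malformed.
        iface = ipaddress.ip_interface(addr)
        nets[name] = iface.network
        if zone in INTERNAL and not iface.ip.is_private:
            findings.append(f"{name}: {iface.ip} is public address space on an internal zone")
    # Every pair of non-exempt interfaces must be on different subnets.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} {na} overlaps {b} {nb}")
    # Each host must have an address from the network of its interface.
    for host, name in hosts:
        if name in nets and ipaddress.ip_address(host) not in nets[name]:
            findings.append(f"host {host} is not in {name} network {nets[name]}")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN, HOSTS):
        print(line)
```
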

Modem Interfaces

Some Firebox models support installation of modems. In Fireware v12.1 and higher, modems are configured as external interfaces with modem failover enabled. Modem interfaces can participate in multi-WAN on Firebox and XTM devices that support multi-WAN. For more information, go to About Modem Interfaces.

Modular Interfaces

Some Firebox models support installation of interface modules. You must install an interface module before you can configure the additional interfaces. The numbering of modular interfaces appears similar to other physical interfaces. For Firebox models that support modular interfaces, the interface list also contains a Module column that indicates the port numbers as they are labeled on the front of each interface module.

For more information about modular interfaces, go to About Modular Interfaces.

Wireless Interfaces

After you enable at least one wireless access point on a Firebox wireless device, these interfaces correspond to the wireless access points.

Single Radio Firebox

Access Point      Interface Name
Access Point 1    ath1 (2.4 or 5 GHz)
Access Point 2    ath2 (2.4 or 5 GHz)
Access Point 3    ath3 (2.4 or 5 GHz)

Dual Radio Firebox

Access Point      Interface Name
Access Point 1    ath1 - 2.4 GHz
                  ath5 - 5 GHz
Access Point 2    ath2 - 2.4 GHz
                  ath6 - 5 GHz
Access Point 3    ath3 - 2.4 GHz
                  ath7 - 5 GHz

You configure these wireless network interfaces in the Network > Wireless settings.

For information about wireless interface configuration settings, go to Enable Wireless Connections.

DNS Settings

In the network configuration, you can configure:

  • DNS and WINS servers
  • DNS forwarding
  • Conditional DNS forwarding rules

In Fireware v12.6.4 or higher, you can also disable the DNS cache.

For information about DNS servers and services on your Firebox, and for information about the DNS cache, go to About DNS on the Firebox.

For information about DNS forwarding, go to About DNS Forwarding.

Gratuitous ARP (GARP)

In Fireware v12.8 or higher, from Fireware CLI, you can run a command to disable gratuitous ARP (GARP) on Ethernet-like interfaces in Mixed Routing Mode:

  • Physical interfaces
  • Link aggregation interfaces
  • Bridge interfaces
  • VLAN interfaces
  • Wireless interfaces

By default, GARP is enabled for these interface types. If you disable GARP, the Firebox no longer sends GARP broadcasts. The GARP setting is added to the Firebox XML configuration and remains after a reboot.

You cannot disable GARP for 1-to-1 NAT or for FireCluster failover. Even if you disable GARP for interfaces included in 1-to-1 NAT or FireCluster failover configurations, GARP broadcasts required for these features are not suppressed.

To disable GARP, from Fireware CLI:

  1. In the Configuration Command Mode, enter the Interface Command Mode and specify an interface.
  2. To disable GARP for the interface, run this command: no garp enable
  3. To enable GARP for the interface, run this command: garp enable


WG(config/if-fe01)#garp enable

WG(config/if-fe01)#no garp enable

This setting is not available in Fireware Web UI or Policy Manager.

Related Topics

Routes and Routing

About Multi-WAN

Troubleshoot Network Connectivity