GIF (Generic tunnel InterFace)¶
A Generic Tunneling Interface (GIF) is similar to GRE; Both protocols are a means to tunnel traffic between two hosts without encryption. In addition to tunneling IPv4 or IPv6 directly, GIF may be used to tunnel IPv6 over IPv4 networks and vice versa. GIF tunnels are commonly used to obtain IPv6 connectivity to a tunnel broker such as Hurricane Electric in locations where IPv6 connectivity is unavailable.
See Connecting with a Tunnel Broker Service for information about connecting to a tunnelbroker service.
GIF interfaces carry more information across the tunnel than can be done with GRE, but GIF is not as widely supported. For example, a GIF tunnel is capable of bridging layer 2 between two locations while GRE cannot.
To create or manage a GIF interface:
- Navigate to Interfaces > (assign), GIF tab
- Click Add to create a new GIF instance, or click to edit an existing interface.
- Complete the settings as follows:
Parent interface: The interface upon which the GIF tunnel will terminate. Often this will be WAN or a WAN-type connection. GIF Remote Address: The address of the remote peer. This is the address where the GIF packets will be sent by this firewall; The routable external address at the other end of the tunnel. For example, in a IPv6-in-IPv4 tunnel to Hurricane Electric, this would be the IPv4 address of the tunnel server, such as
GIF tunnel local address: The internal address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Client IPv6 Address. GIF tunnel remote address: The address used by the firewall inside the tunnel to reach the other end. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Server IPv6 Address. GIF Tunnel Subnet: The subnet mask or prefix length for the interface address. In this example it would be
Route Caching: The Route caching option controls whether or not the route to the remote endpoint is cached. If the path to the remote peer is static, setting this can avoid one route lookup per packet. However if the path to the far side can change, this option could result in the GIF traffic failing to flow when the route changes. ECN Friendly Behavior: The ECN friendly behavior option controls whether or not the Explicit Congestion Notification (ECN)-friendly practice of copying the TOS bit into/out of the tunnel traffic is performed by the firewall. By default the firewall clears the TOS bit on the packets or sets it to
0, depending on the direction of the traffic. With this option set, the bit is copied as needed between the inner and outer packets to be more friendly with intermediate routers that can perform traffic shaping. This behavior breaks RFC 2893 so it must only be used when both peers agree to enable the option.
Description: A short description of this GIF tunnel for documentation purposes.
- Click Save
If the GIF interface is assigned under Interfaces > (assign), set the IPv4 Configuration Type and IPv6 Configuration Type to None. The firewall will automatically create a dynamic gateway in this situation.