Netgate SG-2100 Manual Download Page 54 | Manualshive

Page: 54 / 70

background image

Security Gateway Manual

SG-2100

Gateway IPv4

The IPv4 address of the gateway inside the same subnet.

Description

Optional text describing the purpose of the gateway.

–

Click

Add

–

Ensure the new gateway is selected as the

IPv4 Upstream Gateway

• Check

Block private networks

This will block private network traffic on the interface, though if the firewall rules for this WAN are not permis-
sive, this may be unnecessary.

• Check

Block bogon networks

This will traffic from bogus or unassigned networks on the interface, though if the firewall rules for this WAN
are not permissive, this may be unnecessary.

• Click

Save

• Click

Apply Changes

The presence of a selected gateway in the interface configuration causes the firewall to treat the interface as a WAN
type interface. This is manual for static configurations, as above, but is automatic for dynamic WANs (e.g. DHCP,
PPPoE).

The firewall applies outbound NAT to traffic exiting WAN type interfaces but does not use WAN type interface net-
works as a source for outbound NAT on other interfaces. Firewall rules on WAN type interfaces get

reply-to

added

to ensure traffic entering a WAN exits the same WAN, and traffic exiting the interface is nudged toward its gateway.
The DNS Resolver will not accept queries from clients on WAN type interfaces without manual ACL entries.

See also:

Interface Configuration

11.4 Outbound NAT

For clients on local interfaces to get to the Internet from private addresses to destinations through this WAN, the
firewall must apply Outbound NAT on traffic leaving this new WAN.

• Navigate to

Firewall > NAT

,

Outbound

tab

• Check the current outbound NAT mode

If the mode is set to

Automatic

or

Hybrid

, then this may not need further configuration. Ensure there are rules for the

new WAN listed as a

Interface

in the

Automatic Rules

at the bottom of the page. If so, skip ahead to the next section.

If the mode is set to

Manual

, create a new rule or set of rules to cover the new WAN.

If there are existing rules in the

Mappings

table, they can be copied and adjusted to use the new WAN. Otherwise,

create them manually:

• Click

to add a new rule at the top of the list.

• Configure the rule as follows:

Interface

Choose the new WAN interface (e.g.

WAN2

)

Address Family

IPv4

Protocol

Any

© Copyright 2022 Rubicon Communications LLC

52

«
...
52
53
54
55
56
...
»

Summary of Contents for SG-2100

Page 1: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC Jul 22 2022...

Page 2: ...24 7 Connecting to the Console Port 27 8 Reinstalling pfSense Plus Software 36 9 Optional M 2 SATA Installation 40 10 Configuring the Switch Ports 44 11 Configuring an OPT interface as an additional...

Page 3: ...Appliance It will provide the information needed to keep the appliance up and running Tip Before getting started a good practice is to download the PDF version of the Product Manual and the PDF versio...

Page 4: ...nd Output Ports section of the Netgate appliance The other end of the same cable should be inserted into a LAN port on the ISP CPE device such as a cable or fiber modem If the CPE device provided by t...

Page 5: ...WAN and LAN so if the default IP address on the ISP supplied modem is also 192 168 1 1 24 disconnect the WAN interface until the LAN interface on the firewall has been renumbered to a different subne...

Page 6: ...nterface Open a web browser Google Chrome in this example and enter 192 168 1 1 in the address bar Press Enter Fig 1 Enter the Default LAN IP Address 2 A warning message may appear If this message or...

Page 7: ...Security Gateway Manual SG 2100 Fig 2 Click Advanced and then Proceed to 192 168 1 1 unsafe Fig 3 Click Next Copyright 2022 Rubicon Communications LLC 5...

Page 8: ...ddress Timezone Select the time zone for the location of the firewall For this guide the Timezone will be set to America Chicago for US Central time 5 The WAN interface is the Public IP address the ne...

Page 9: ...Security Gateway Manual SG 2100 Fig 5 Change the Timezone and Click Next Fig 6 Default Settings Should be Acceptable Click Next Copyright 2022 Rubicon Communications LLC 7...

Page 10: ...seconds a message will indicate the Setup Wizard has completed To proceed to the pfSense Plus dashboard click Finish 10 A final notification screen will appear with the Copyright and Trademark Notice...

Page 11: ...e Dashboard pfSense Plus software is highly configurable all of which can be done through the dashboard This orientation will help to navigate and further configure the firewall Fig 1 The pfSense Plus...

Page 12: ...at the top of the page browse to Diagnostics Backup Restore Click Download configuration as XML and save a copy of the firewall configuration to the computer con nected to the Netgate firewall This ba...

Page 13: ...Security Gateway Manual SG 2100 Fig 3 Backup Restore Fig 4 Click Download configuration as XML Copyright 2022 Rubicon Communications LLC 11...

Page 14: ...e access has been locked out or the password has been lost or forgotten See also Connecting to the Console Port Cable is required Tip To learn more about getting the most out of a Netgate appliance si...

Page 15: ...rnet and Other Ports 4 1 1 Routed Ethernet The WAN Combo Port is shared between an RJ 45 port and an SFP port Only one port can be used Interface Name Port Name WAN mvneta0 LED Pattern Description Lef...

Page 16: ...ly green Left Flashes with 10Mb traffic solid with link Warning The LAN ports do not support the Spanning Tree Protocol STP Two or more ports connected to another Layer 2 switch or connected to 2 or m...

Page 17: ...Cellular modems GPS units and storage devices Though the operating system also supports wired and wireless network devices these are not ideal and should be avoided 4 2 Front Side Fig 2 Front view of...

Page 18: ...alified service technician 3 This equipment is provided with a detachable power cord which has an integral safety ground wire intended for connection to a grounded safety outlet a Do not substitute th...

Page 19: ...B Canada 5 5 Australia and New Zealand This is a AMC Compliance level 2 product This product is suitable for domestic environments 5 6 CE Marking CE marking on this product represents the product is...

Page 20: ...ida y eliminaci n de residuos de su zona o pregunte en la tienda donde adquiri el producto 5 7 4 Fran ais La directive europ enne 2002 96 CE exige que l quipement sur lequel est appos ce symbole sur l...

Page 21: ...declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999 5 EC 5 8 5 Eesti Estonian K esolevaga kinnitab NETGATE seadme NETGATE...

Page 22: ...ni pertinenti stabilite dalla direttiva 1999 5 CE 5 8 12 Latviski Latvian Ar o NETGATE deklar ka NETGATE device atbilst Direkt vas 1999 5 EK b tiskaj m pras b m un citiem ar to saist tajiem noteikumie...

Page 23: ...s da Directiva 1999 5 CE 5 8 21 Rom na Romanian Prin prezenta NETGATE declara ca acest dispozitiv NETGATE este n conformitate cu cerint ele esent iale s i alte prevederi relevante ale Directivei 1999...

Page 24: ...tor may be enforced by the courts located in Austin Texas or any other court having jurisdiction over you 5 11 Site Policies Modification and Severability Please review our other policies such as our...

Page 25: ...ITNESS FOR A PAR TICULAR PURPOSE RCL AND ESF DO NOT WARRANT THAT THE PRODUCTS SERVICES INFORMA TION CONTENT MATERIALS PRODUCTS INCLUDING SOFTWARE OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILA...

Page 26: ...PTER SIX NETGATE 2100 WALL MOUNT The Netgate 2100 has built in wall mount keyholes on the bottom of the appliance This page provides an overview and a PDF template for attaching the system to the wall...

Page 27: ...the weight of the cables on the ports Click on the button below to download the Wall Mount Template Print the template out at 100 Scale for it to be accurate Note The 100 Scale setting varies by prin...

Page 28: ...Security Gateway Manual SG 2100 Follow the pictured instructions on the PDF to complete the wall mount installation Copyright 2022 Rubicon Communications LLC 26...

Page 29: ...workstation used to connect with the device Windows There are drivers available for Windows available for download macOS There are drivers available for macOS available for download For macOS choose...

Page 30: ...tter to wait until the terminal is open before connecting power so the client can view the entire boot output 7 4 Locate the Console Port Device The appropriate console port device that the workstatio...

Page 31: ...ciated with the system console is likely to show up as dev ttyUSB0 Look for messages about the device attaching in the system log files or by running dmesg Note If the device does not appear in dev se...

Page 32: ...BSD For FreeBSD the best practice is to run GNU screen or cu An example of how to configure GNU screen is below 7 5 1 Client Specific Examples PuTTY in Windows Open PuTTY and select Session under Cate...

Page 33: ...Security Gateway Manual SG 2100 Fig 1 An example of using PuTTY in Windows Copyright 2022 Rubicon Communications LLC 31...

Page 34: ...le port 115200 Note The sudo command will prompt for the local workstation password of the current account If portions of the text are unreadable but appear to be properly formatted the most likely cu...

Page 35: ...Missing With a USB serial console there are a few reasons why the serial port may not be present in the client operating system including No Power Some models require power before the client can conne...

Page 36: ...e proper console e g ttyS1 in Linux Consult the various operating install guides on this site for further information 7 7 3 PuTTY has issues with line drawing PuTTY generally handles most cases OK but...

Page 37: ...See No Serial Output Device OS Serial Console Settings Ensure the installed operating system is configured to activate the serial console and that it is configured for the proper console e g ttyS1 in...

Page 38: ...USB memstick is covered in detail under Writing Flash Drives 3 Connect to the console port of the Netgate device 4 Insert the memstick into the USB port and boot the system Tip The best practice is t...

Page 39: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC 37...

Page 40: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC 38...

Page 41: ...wer to complete the installation Remove the power cable from the Netgate SG 2100 and plug it back in See also For information on restoring from a previously saved configuration go to Backup and Restor...

Page 42: ...overed by the hardware warranty Note pfSense Plus software must be reinstalled on the M 2 SATA drive By default the M 2 SATA drive will then be the first drive recognized by pfSense Plus software Note...

Page 43: ...scratched Identify where the M 2 SATA drive slot is located and remove the screw from the standoff Note If the standoff turns while attempting to remove the screw hold the standoff with a fine pair o...

Page 44: ...ff 5 Place the cover back on and turn the Netgate 2100 over Replace the four 4 T10 Torx case screws Be careful not to crossthread the screws or overtighten them 6 Reinstall the pfSense Plus software o...

Page 45: ...Security Gateway Manual SG 2100 Fig 4 The M 2 SATA Drive Installed Copyright 2022 Rubicon Communications LLC 43...

Page 46: ...d to suit other requirements SG 2100 Ethernet Port LAN4 IP Address Assignment 192 168 100 1 24 VLAN Tag 4084 VLAN tags should be 4081 4084 for LAN Ports 1 4 Note When connecting to the GUI do NOT conn...

Page 47: ...the Description Click Save Note This guide uses 4084 as an example The value for the tags must be unique for each VLAN and must be between 1 and 4094 Avoid using values that are already in use Best p...

Page 48: ...Interface that matches the new VLAN being created 10 Check the Enable Interface check box 11 Change the IPv4 Configuration Type from None to Static IPv4 12 Scroll down and make the IPv4 Address 192 1...

Page 49: ...14 Click Apply Changes 15 Go to Interfaces Switches 16 Go to the VLANs tab Click in the Enable 802 1q VLAN mode check box and click Save The table will change to reflect the new mode 17 Click Add Tag...

Page 50: ...N Tag and 4 for Member s This represents LAN4 port 4 and tagged should be unchecked 19 Click Add Member to add the LAN Uplink 5 This member should be tagged as shown 20 Click Save 21 Click on beside V...

Page 51: ...the new VLAN ID 26 Click Save This completes the configuration of a discrete port on the Netgate SG 2100 By default all traffic is blocked Create the appropriate firewall rules to allow the traffic Go...

Page 52: ...rview This guide configures an OPT port as an additional WAN type interface These interfaces connect to upstream networks providing connectivity to the Internet or other remote destinations See also M...

Page 53: ...er corresponding to the internal interface designation For example if there are no current OPT interfaces the new interface will be OPT1 The next will be OPT2 and so on Note As this guide does not kno...

Page 54: ...ll rules on WAN type interfaces get reply to added to ensure traffic entering a WAN exits the same WAN and traffic exiting the interface is nudged toward its gateway The DNS Resolver will not accept q...

Page 55: ...a case by case basis Warning Do not add any blanket allow all style rules on any WAN 11 6 Gateway Groups Gateway Groups do not control traffic directly but can be used in other places such as firewal...

Page 56: ...ays resolve hostnames using DNS even when running on a secondary WAN The needs here depend upon the configuration of the DNS Resolver or Forwarder If the DNS Resolver is in its default resolver mode t...

Page 57: ...routing is to add a gateway to existing rules Navigate to Firewall Rules LAN tab Edit the default pass rule for the LAN Click Display Advanced Set the Gateway to one of the gateway groups based on th...

Page 58: ...itiating it will always use the current default gateway Static routes can nudge traffic for a specific peer out a specific WAN OpenVPN can use a gateway group as an interface for clients or servers Cl...

Page 59: ...nterface see Switch Overview This guide configures an OPT port as an additional LAN type interface These local interfaces can perform a variety of tasks such as being a guest network DMZ IOT isolation...

Page 60: ...nation For example if there are no current OPT interfaces the new interface will be OPT1 The next will be OPT2 and so on Note As this guide does not know what that number will be on a given configurat...

Page 61: ...This sets the lower From and upper To bound of automatic addresses assigned to clients The rest can be left at defaults Click Save See also DHCPv4 Configuration 12 5 Outbound NAT For clients on this...

Page 62: ...ios administrators typically choose for local interfaces Open and Isolated 12 6 1 Open On an open LAN hosts in that LAN are free to contact any other host through the firewall This might be a host on...

Page 63: ...ll of the RFC1918 networks is a safer practice Navigate to Firewall Aliases Click Add Configure it as follows Name PrivateNets Description Private Networks Type Network s Add entries for 192 168 0 0 1...

Page 64: ...ottom of the list Configure the rule as follows Action Reject Interface OPTx or the custom name Protocol Any Source Any Destination This Firewall self Description Reject all other traffic to the firew...

Page 65: ...e isolated network it s also possible to be much more strict with rules to only allow specific outbound ports When creating this type of configuration 12 7 Other Services In most cases the above confi...

Page 66: ...eping the button depressed apply power to the device 4 Keep the button depressed for about 30 seconds until the device boots far enough to check the button state All three LEDs will rapidly flash red...

Page 67: ...corresponding operating system interface for the switch uplink The internal uplink port operates at 2 5 Gbps and connects the switch to the SoC From the perspective of the operating system the only po...

Page 68: ...LAN B LAN1 4 configured as individual network interfaces LAN1 2 configured as a switch for LAN A LAN3 configured for WAN B and LAN4 configured for WAN C Each of the switch ports LAN1 4 and Port 5 are...

Page 69: ...pful resources make sure to browse the Netgate Resource Library https www netgate com resources 15 3 Professional Services Support does not cover more complex tasks such as CARP configuration for redu...

Page 70: ...for warranty information or view the Product Lifecycle page All Specifications subject to change without notice For support information view support plans offered by Netgate See also For more informat...

Reviews:

No comments

Related manuals for SG-2100

SmartZone EPA126

Brand: Panduit Pages: 13

Brand: Star-net Pages: 31

Brand: RTA Pages: 59

Brand: ZyXEL Communications Pages: 2

Brand: Aaeon Pages: 26

Brand: Wiznet Pages: 53

Brand: NEC Pages: 81

Brand: Realm Pages: 8

Brand: Intermatic Pages: 6

Brand: 2Wire Pages: 30

Brand: Planet Networking & Communication Pages: 235

Brand: Technicolor Pages: 98

Brand: Telstra Pages: 34

P-2302R-P1 Series

Brand: ZyXEL Communications Pages: 294

Brand: IBM Pages: 2

Brand: IBM Pages: 20

Brand: Viola Systems Pages: 53

Brand: Philio Pages: 16

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands