manualshive.com logo in svg

Netgate SG-2100, Manual

The Netgate SG-2100 is a powerful network security appliance designed for small to medium-sized businesses. Ensure optimal performance by downloading the free user manual from our website. Find everything you need to know about setting up and maintaining your SG-2100 with the comprehensive manual available for download.

Share
Download
background image

Security Gateway Manual

SG-2100

12.6.2 Isolated

In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed
in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more
complicated rules.

This scenario is common for locked down networks such as for IOT devices, a DMZ with public services, untrusted
Guest/BYOD networks, and other similar scenarios.

Warning:

Do not rely on tricks such as using policy routing to isolate clients. A full set of reject rules as described

in this example are the best practice.

Create RFC1918 alias or alias containing at least the local/private networks on this firewall, such as VPNs. Using all
of the RFC1918 networks is a safer practice

• Navigate to

Firewall > Aliases

• Click

Add

• Configure it as follows:

Name

PrivateNets

Description

Private Networks

Type

Network(s)

• Add entries for:

192.168.0.0/16

172.16.0.0/12

10.0.0.0/8

• Click

Save

• Navigate to

Firewall > Rules

, on the

OPTx

tab (or the custom name)

Add rule to pass DNS to firewall (or other DNS servers)

• Click

to add a new rule at the bottom of the list.

• Configure the rule as follows:

Action

Pass

Interface

OPTx

(or the custom name)

Protocol

TCP/UDP

Source

OPTx Net

(or the custom name)

Destination

This Firewall (self)

If clients are to use DNS servers other than the firewall, use those as the destination instead.

Destination Port Range

DNS

, or choose

Other

and enter

53

To allow DNS over TLS as well, add another rule for DNS over TLS or port

853

.

Description

Text describing the rule, e.g.

Allow clients to resolve DNS through

the firewall

© Copyright 2022 Rubicon Communications LLC

61

Summary of Contents for SG-2100

Page 1: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC Jul 22 2022...

Page 2: ...24 7 Connecting to the Console Port 27 8 Reinstalling pfSense Plus Software 36 9 Optional M 2 SATA Installation 40 10 Configuring the Switch Ports 44 11 Configuring an OPT interface as an additional...

Page 3: ...Appliance It will provide the information needed to keep the appliance up and running Tip Before getting started a good practice is to download the PDF version of the Product Manual and the PDF versio...

Page 4: ...nd Output Ports section of the Netgate appliance The other end of the same cable should be inserted into a LAN port on the ISP CPE device such as a cable or fiber modem If the CPE device provided by t...

Page 5: ...WAN and LAN so if the default IP address on the ISP supplied modem is also 192 168 1 1 24 disconnect the WAN interface until the LAN interface on the firewall has been renumbered to a different subne...

Page 6: ...nterface Open a web browser Google Chrome in this example and enter 192 168 1 1 in the address bar Press Enter Fig 1 Enter the Default LAN IP Address 2 A warning message may appear If this message or...

Page 7: ...Security Gateway Manual SG 2100 Fig 2 Click Advanced and then Proceed to 192 168 1 1 unsafe Fig 3 Click Next Copyright 2022 Rubicon Communications LLC 5...

Page 8: ...ddress Timezone Select the time zone for the location of the firewall For this guide the Timezone will be set to America Chicago for US Central time 5 The WAN interface is the Public IP address the ne...

Page 9: ...Security Gateway Manual SG 2100 Fig 5 Change the Timezone and Click Next Fig 6 Default Settings Should be Acceptable Click Next Copyright 2022 Rubicon Communications LLC 7...

Page 10: ...seconds a message will indicate the Setup Wizard has completed To proceed to the pfSense Plus dashboard click Finish 10 A final notification screen will appear with the Copyright and Trademark Notice...

Page 11: ...e Dashboard pfSense Plus software is highly configurable all of which can be done through the dashboard This orientation will help to navigate and further configure the firewall Fig 1 The pfSense Plus...

Page 12: ...at the top of the page browse to Diagnostics Backup Restore Click Download configuration as XML and save a copy of the firewall configuration to the computer con nected to the Netgate firewall This ba...

Page 13: ...Security Gateway Manual SG 2100 Fig 3 Backup Restore Fig 4 Click Download configuration as XML Copyright 2022 Rubicon Communications LLC 11...

Page 14: ...e access has been locked out or the password has been lost or forgotten See also Connecting to the Console Port Cable is required Tip To learn more about getting the most out of a Netgate appliance si...

Page 15: ...rnet and Other Ports 4 1 1 Routed Ethernet The WAN Combo Port is shared between an RJ 45 port and an SFP port Only one port can be used Interface Name Port Name WAN mvneta0 LED Pattern Description Lef...

Page 16: ...ly green Left Flashes with 10Mb traffic solid with link Warning The LAN ports do not support the Spanning Tree Protocol STP Two or more ports connected to another Layer 2 switch or connected to 2 or m...

Page 17: ...Cellular modems GPS units and storage devices Though the operating system also supports wired and wireless network devices these are not ideal and should be avoided 4 2 Front Side Fig 2 Front view of...

Page 18: ...alified service technician 3 This equipment is provided with a detachable power cord which has an integral safety ground wire intended for connection to a grounded safety outlet a Do not substitute th...

Page 19: ...B Canada 5 5 Australia and New Zealand This is a AMC Compliance level 2 product This product is suitable for domestic environments 5 6 CE Marking CE marking on this product represents the product is...

Page 20: ...ida y eliminaci n de residuos de su zona o pregunte en la tienda donde adquiri el producto 5 7 4 Fran ais La directive europ enne 2002 96 CE exige que l quipement sur lequel est appos ce symbole sur l...

Page 21: ...declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999 5 EC 5 8 5 Eesti Estonian K esolevaga kinnitab NETGATE seadme NETGATE...

Page 22: ...ni pertinenti stabilite dalla direttiva 1999 5 CE 5 8 12 Latviski Latvian Ar o NETGATE deklar ka NETGATE device atbilst Direkt vas 1999 5 EK b tiskaj m pras b m un citiem ar to saist tajiem noteikumie...

Page 23: ...s da Directiva 1999 5 CE 5 8 21 Rom na Romanian Prin prezenta NETGATE declara ca acest dispozitiv NETGATE este n conformitate cu cerint ele esent iale s i alte prevederi relevante ale Directivei 1999...

Page 24: ...tor may be enforced by the courts located in Austin Texas or any other court having jurisdiction over you 5 11 Site Policies Modification and Severability Please review our other policies such as our...

Page 25: ...ITNESS FOR A PAR TICULAR PURPOSE RCL AND ESF DO NOT WARRANT THAT THE PRODUCTS SERVICES INFORMA TION CONTENT MATERIALS PRODUCTS INCLUDING SOFTWARE OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILA...

Page 26: ...PTER SIX NETGATE 2100 WALL MOUNT The Netgate 2100 has built in wall mount keyholes on the bottom of the appliance This page provides an overview and a PDF template for attaching the system to the wall...

Page 27: ...the weight of the cables on the ports Click on the button below to download the Wall Mount Template Print the template out at 100 Scale for it to be accurate Note The 100 Scale setting varies by prin...

Page 28: ...Security Gateway Manual SG 2100 Follow the pictured instructions on the PDF to complete the wall mount installation Copyright 2022 Rubicon Communications LLC 26...

Page 29: ...workstation used to connect with the device Windows There are drivers available for Windows available for download macOS There are drivers available for macOS available for download For macOS choose...

Page 30: ...tter to wait until the terminal is open before connecting power so the client can view the entire boot output 7 4 Locate the Console Port Device The appropriate console port device that the workstatio...

Page 31: ...ciated with the system console is likely to show up as dev ttyUSB0 Look for messages about the device attaching in the system log files or by running dmesg Note If the device does not appear in dev se...

Page 32: ...BSD For FreeBSD the best practice is to run GNU screen or cu An example of how to configure GNU screen is below 7 5 1 Client Specific Examples PuTTY in Windows Open PuTTY and select Session under Cate...

Page 33: ...Security Gateway Manual SG 2100 Fig 1 An example of using PuTTY in Windows Copyright 2022 Rubicon Communications LLC 31...

Page 34: ...le port 115200 Note The sudo command will prompt for the local workstation password of the current account If portions of the text are unreadable but appear to be properly formatted the most likely cu...

Page 35: ...Missing With a USB serial console there are a few reasons why the serial port may not be present in the client operating system including No Power Some models require power before the client can conne...

Page 36: ...e proper console e g ttyS1 in Linux Consult the various operating install guides on this site for further information 7 7 3 PuTTY has issues with line drawing PuTTY generally handles most cases OK but...

Page 37: ...See No Serial Output Device OS Serial Console Settings Ensure the installed operating system is configured to activate the serial console and that it is configured for the proper console e g ttyS1 in...

Page 38: ...USB memstick is covered in detail under Writing Flash Drives 3 Connect to the console port of the Netgate device 4 Insert the memstick into the USB port and boot the system Tip The best practice is t...

Page 39: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC 37...

Page 40: ...Security Gateway Manual SG 2100 Copyright 2022 Rubicon Communications LLC 38...

Page 41: ...wer to complete the installation Remove the power cable from the Netgate SG 2100 and plug it back in See also For information on restoring from a previously saved configuration go to Backup and Restor...

Page 42: ...overed by the hardware warranty Note pfSense Plus software must be reinstalled on the M 2 SATA drive By default the M 2 SATA drive will then be the first drive recognized by pfSense Plus software Note...

Page 43: ...scratched Identify where the M 2 SATA drive slot is located and remove the screw from the standoff Note If the standoff turns while attempting to remove the screw hold the standoff with a fine pair o...

Page 44: ...ff 5 Place the cover back on and turn the Netgate 2100 over Replace the four 4 T10 Torx case screws Be careful not to crossthread the screws or overtighten them 6 Reinstall the pfSense Plus software o...

Page 45: ...Security Gateway Manual SG 2100 Fig 4 The M 2 SATA Drive Installed Copyright 2022 Rubicon Communications LLC 43...

Page 46: ...d to suit other requirements SG 2100 Ethernet Port LAN4 IP Address Assignment 192 168 100 1 24 VLAN Tag 4084 VLAN tags should be 4081 4084 for LAN Ports 1 4 Note When connecting to the GUI do NOT conn...

Page 47: ...the Description Click Save Note This guide uses 4084 as an example The value for the tags must be unique for each VLAN and must be between 1 and 4094 Avoid using values that are already in use Best p...

Page 48: ...Interface that matches the new VLAN being created 10 Check the Enable Interface check box 11 Change the IPv4 Configuration Type from None to Static IPv4 12 Scroll down and make the IPv4 Address 192 1...

Page 49: ...14 Click Apply Changes 15 Go to Interfaces Switches 16 Go to the VLANs tab Click in the Enable 802 1q VLAN mode check box and click Save The table will change to reflect the new mode 17 Click Add Tag...

Page 50: ...N Tag and 4 for Member s This represents LAN4 port 4 and tagged should be unchecked 19 Click Add Member to add the LAN Uplink 5 This member should be tagged as shown 20 Click Save 21 Click on beside V...

Page 51: ...the new VLAN ID 26 Click Save This completes the configuration of a discrete port on the Netgate SG 2100 By default all traffic is blocked Create the appropriate firewall rules to allow the traffic Go...

Page 52: ...rview This guide configures an OPT port as an additional WAN type interface These interfaces connect to upstream networks providing connectivity to the Internet or other remote destinations See also M...

Page 53: ...er corresponding to the internal interface designation For example if there are no current OPT interfaces the new interface will be OPT1 The next will be OPT2 and so on Note As this guide does not kno...

Page 54: ...ll rules on WAN type interfaces get reply to added to ensure traffic entering a WAN exits the same WAN and traffic exiting the interface is nudged toward its gateway The DNS Resolver will not accept q...

Page 55: ...a case by case basis Warning Do not add any blanket allow all style rules on any WAN 11 6 Gateway Groups Gateway Groups do not control traffic directly but can be used in other places such as firewal...

Page 56: ...ays resolve hostnames using DNS even when running on a secondary WAN The needs here depend upon the configuration of the DNS Resolver or Forwarder If the DNS Resolver is in its default resolver mode t...

Page 57: ...routing is to add a gateway to existing rules Navigate to Firewall Rules LAN tab Edit the default pass rule for the LAN Click Display Advanced Set the Gateway to one of the gateway groups based on th...

Page 58: ...itiating it will always use the current default gateway Static routes can nudge traffic for a specific peer out a specific WAN OpenVPN can use a gateway group as an interface for clients or servers Cl...

Page 59: ...nterface see Switch Overview This guide configures an OPT port as an additional LAN type interface These local interfaces can perform a variety of tasks such as being a guest network DMZ IOT isolation...

Page 60: ...nation For example if there are no current OPT interfaces the new interface will be OPT1 The next will be OPT2 and so on Note As this guide does not know what that number will be on a given configurat...

Page 61: ...This sets the lower From and upper To bound of automatic addresses assigned to clients The rest can be left at defaults Click Save See also DHCPv4 Configuration 12 5 Outbound NAT For clients on this...

Page 62: ...ios administrators typically choose for local interfaces Open and Isolated 12 6 1 Open On an open LAN hosts in that LAN are free to contact any other host through the firewall This might be a host on...

Page 63: ...ll of the RFC1918 networks is a safer practice Navigate to Firewall Aliases Click Add Configure it as follows Name PrivateNets Description Private Networks Type Network s Add entries for 192 168 0 0 1...

Page 64: ...ottom of the list Configure the rule as follows Action Reject Interface OPTx or the custom name Protocol Any Source Any Destination This Firewall self Description Reject all other traffic to the firew...

Page 65: ...e isolated network it s also possible to be much more strict with rules to only allow specific outbound ports When creating this type of configuration 12 7 Other Services In most cases the above confi...

Page 66: ...eping the button depressed apply power to the device 4 Keep the button depressed for about 30 seconds until the device boots far enough to check the button state All three LEDs will rapidly flash red...

Page 67: ...corresponding operating system interface for the switch uplink The internal uplink port operates at 2 5 Gbps and connects the switch to the SoC From the perspective of the operating system the only po...

Page 68: ...LAN B LAN1 4 configured as individual network interfaces LAN1 2 configured as a switch for LAN A LAN3 configured for WAN B and LAN4 configured for WAN C Each of the switch ports LAN1 4 and Port 5 are...

Page 69: ...pful resources make sure to browse the Netgate Resource Library https www netgate com resources 15 3 Professional Services Support does not cover more complex tasks such as CARP configuration for redu...

Page 70: ...for warranty information or view the Product Lifecycle page All Specifications subject to change without notice For support information view support plans offered by Netgate See also For more informat...

Reviews:

No comments

Related manuals for SG-2100

ABB AWIN GW120 Quick Setup Manual preview
AWIN GW120
Brand: ABB Pages: 2
HMS Networks Intesis IN701-KNX Series User Manual preview
Intesis IN701-KNX Series
Brand: HMS Networks Pages: 48
DEUTSCHMANN AUTOMATION UNIGATE IC - Powerlink Instruction Manual preview
UNIGATE IC - Powerlink
Brand: DEUTSCHMANN AUTOMATION Pages: 50
Zennio KLIC-MITT v2 Manual preview
KLIC-MITT v2
Brand: Zennio Pages: 38
Eurotech ReliaGATE 10-10-00 User Manual preview
ReliaGATE 10-10-00
Brand: Eurotech Pages: 30
ZyXEL Communications P-661HNU-FX Quick Start Manual preview
P-661HNU-FX
Brand: ZyXEL Communications Pages: 18
Ubiquiti UniFi USG Quick Start Manual preview
UniFi USG
Brand: Ubiquiti Pages: 22
Sangoma Netborder SS7 Quick Start Manual preview
Netborder SS7
Brand: Sangoma Pages: 4
Pace 4112N Installation Manual preview
4112N
Brand: Pace Pages: 17
SMC Networks EZ Connect SMC8014WG-SI Specification Sheet preview
EZ Connect SMC8014WG-SI
Brand: SMC Networks Pages: 2
SMC Networks EX500-GPN2 Series Instruction Manual preview
EX500-GPN2 Series
Brand: SMC Networks Pages: 2
SMC Networks DOCSIS 3.0 Commercial Cable Modem Gateway SMCD3G-BIZ Specifications preview
DOCSIS 3.0 Commercial Cable Modem Gateway SMCD3G-BIZ
Brand: SMC Networks Pages: 2
SMC Networks EZ Networking SMC8013WG Install Manual preview
EZ Networking SMC8013WG
Brand: SMC Networks Pages: 42
SMC Networks LEC-GPR1 Series Operation Manual preview
LEC-GPR1 Series
Brand: SMC Networks Pages: 59
ERT VIPER User Manual preview
VIPER
Brand: ERT Pages: 45
Abus SHGW10000 Instruction Manual preview
SHGW10000
Brand: Abus Pages: 30
VOPtel VG2020 User Manual preview
VG2020
Brand: VOPtel Pages: 38
Kaon CG2200 Quick Installation Manual preview
CG2200
Brand: Kaon Pages: 12

Brands by name

Popular brands

Load more brands