Netgate SG-3100 Скачать руководство пользователя страница 59

Страница: 59 / 65

Security Gateway Manual

SG-3100

Create RFC1918 alias or alias containing at least the local/private networks on this firewall, such as VPNs. Using all
of the RFC1918 networks is a safer practice

• Navigate to

Firewall > Aliases

• Click

Add

• Configure it as follows:

Name

PrivateNets

Description

Private Networks

Type

Network(s)

• Add entries for:

–

192.168.0.0/16

–

172.16.0.0/12

–

10.0.0.0/8

• Click

Save

• Navigate to

Firewall > Rules

, on the

OPTx

tab (or the custom name)

Add rule to pass DNS to firewall (or other DNS servers)

• Click

to add a new rule at the bottom of the list.

• Configure the rule as follows:

Action

Pass

Interface

OPTx

(or the custom name)

Protocol

TCP/UDP

Source

OPTx Net

(or the custom name)

Destination

This Firewall (self)

If clients are to use DNS servers other than the firewall, use those as the destination instead.

Destination Port Range

DNS

, or choose

Other

and enter

To allow DNS over TLS as well, add another rule for DNS over TLS or port

853

Description

Text describing the rule, e.g.

Allow clients to resolve DNS through

the firewall

• Click

Save

Add rule to pass ICMP to firewall

• Click

to add a new rule at the bottom of the list.

• Configure the rule as follows:

Action

Pass

Interface

OPTx

(or the custom name)

Protocol

ICMP

ICMP Subtype

Any

is OK in this case, ICMP is useful but some people prefer to limit to to

Echo

Request

only to allow ping and nothing else.

Содержание SG-3100

Страница 2: ...CONTENTS 1 Out of the Box 2 2 How To Guides 25 3 References 61 i...

Страница 3: ...Appliance and will provide the information needed to keep the appliance up and running Tip Before getting started a good practice is to download the PDF version of the Product Manual and the PDF versi...

Страница 4: ...he Input and Output Ports section of the Netgate appliance The other end of the same cable should be inserted into a LAN port on the ISP CPE device such as a cable or fiber modem If the CPE device pro...

Страница 5: ...h WAN and LAN so if the default IP address on the ISP supplied modem is also 192 168 1 1 24 disconnect the WAN interface until the LAN interface on the firewall has been renumbered to a different subn...

Страница 6: ...step in the configuration to avoid having conflicting subnets on the WAN and LAN 1 From the computer log into the web interface Open a web browser Google Chrome in this example and enter 192 168 1 1...

Страница 7: ...is used Domain The default home arpa is used for the purposes of this tutorial DNS Servers For purposes of this setup guide use the Google public DNS servers 8 8 8 8 and 8 8 4 4 4 Use the following i...

Страница 9: ...p in the configuration to avoid having conflicting subnets on the WAN and LAN 7 Change the Admin Password Enter the same password in both fields 8 Click Reload to save the configuration 9 After a few...

Страница 11: ...n be done through the dashboard This orientation will help to navigate and further configure the firewall Fig 8 The pfSense Plus Dashboard Section 1 Important system information such as the model Seri...

Страница 12: ...lick Download configuration as XML and save a copy of the firewall configuration to the computer con nected to the Netgate firewall This backup or any backup can be restored from the same screen by ch...

Страница 14: ...xtensive Resource Library 1 4 Input and Output Ports 1 4 1 Rear Side Fig 12 Rear view of the Netgate 3100 Firewall Appliance The items in this image are described by entries in Routed Ethernet Switche...

Страница 15: ...net ports on the SG 3100 did not support auto MDI X and required crossover cable unless the client side connection supported auto MDI X This was resolved with 2 4 3 and later versions and a crossover...

Страница 16: ...PS Battery Backups Cellular modems GPS units and storage devices Though the operating system also supports wired and wireless network devices these are not ideal and should be avoided 1 4 2 Front Side...

Страница 18: ...GB eMMC Flash onboard upgradable to 32 GB M 2 SATA SSD Memory 2 GB DDR4L Expansion 2x M 2 B key sockets SSD LTE 1x M 2 E key socket 2230 form factor for WiFi Bluetooth 1x miniPCIe WiFi microSIM Conso...

Страница 19: ...t is not the provided approved type If a 3 prong plug is provided never use an adapter plug to connect to a 2 wire outlet as this will defeat the continuity of the grounding wire b The equipment requi...

Страница 20: ...onic equipment via designated collection facilities appointed by the government or local authorities Correct disposal and recycling will help prevent potential negative consequences to the environment...

Страница 21: ...on et le recyclage en bonne et due forme ont pour but de lutter contre l impact n faste potentiel de ce type de produits sur l environnement et la sant publique Pour plus d informations sur le mode d...

Страница 22: ...akuuttaa t ten ett NETGATE device tyyppinen laite on direktiivin 1999 5 EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen Fran ais French Par la pr sente NETGATE d clare...

Страница 23: ...nzjali u ma provvedimenti o rajn relevanti li hemm fid Dirrettiva 1999 5 EC Norsk Norwegian NETGATE erkl rer herved at utstyret NETGATE device er i samsvar med de grunnleggende krav og vrige relevante...

Страница 24: ...IEW OF AN ARBITRATION AWARD IS LIMITED HOWEVER AN ARBITRATOR CAN AWARD ON AN INDIVIDUAL BASIS THE SAME DAM AGES AND RELIEF AS A COURT INCLUDING INJUNCTIVE AND DECLARATORY RELIEF OR STATU TORY DAMAGES...

Страница 25: ...ine limit construe or describe the scope or extent of such section Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar br...

Страница 26: ...E AND CONSEQUENTIAL DAMAGES UNLESS OTHERWISE SPECIFIED IN WRITING IN NO EVENT WILL RCL S OR ESF S LIABILITY TO YOU EXCEED THE PURCHASE PRICE PAID FOR THE PRODUCT OR SERVICE THAT IS THE BASIS OF THE CL...

Страница 27: ...r on the workstation used to connect with the device Windows There are drivers available for Windows available for download macOS There are drivers available for macOS available for download For macOS...

Страница 28: ...tter to wait until the terminal is open before connecting power so the client can view the entire boot output 2 1 4 Locate the Console Port Device The appropriate console port device that the workstat...

Страница 29: ...ciated with the system console is likely to show up as dev ttyUSB0 Look for messages about the device attaching in the system log files or by running dmesg Note If the device does not appear in dev se...

Страница 30: ...FreeBSD For FreeBSD the best practice is to run GNU screen or cu An example of how to configure GNU screen is below Client Specific Examples PuTTY in Windows Open PuTTY and select Session under Catego...

Страница 32: ...le port 115200 Note The sudo command will prompt for the local workstation password of the current account If portions of the text are unreadable but appear to be properly formatted the most likely cu...

Страница 33: ...ing With a USB serial console there are a few reasons why the serial port may not be present in the client operating system including No Power Some models require power before the client can connect t...

Страница 34: ...the proper console e g ttyS1 in Linux Consult the various operating install guides on this site for further information PuTTY has issues with line drawing PuTTY generally handles most cases OK but ca...

Страница 35: ...ket with a name such as pfSense plus SG 3100 recover 22 05 RELEASE armv7 img gz Note pfSense Plus is preinstalled on Netgate appliances which is optimally tuned for Netgate hardware and contains featu...

Страница 37: ...nstalled as an upgrade or to bypass the onboard eMMC flash memory Warning Before proceeding 1 Backup the configuration file if possible 2 Unplug the system for at least 60 seconds to ensure all phanto...

Страница 38: ...e Plus software please visit the pfSense Documen tation page This installation example uses the J11 M 2 SATA slot with a 2242 M 2 SATA Drive The procedures to install a 2280 M 2 SATA Drive in the J10...

Страница 40: ...ew M 2 SATA drive 7 Restore the configuration backup if one is available See also For information on restoring from a previously saved configuration see Backup and Restore 2 4 Configuring the Switch P...

Страница 43: ...GUI 1 Open the pfSense Plus software GUI and log in 2 From the menu navigate to Interfaces Assignments 3 Go to the VLANs tab 4 In the lower right hand corner of the screen click Add 5 Choose mvneta1 M...

Страница 44: ...94 Avoid using values that are already in use Best practice is not to use 1 7 Go to the Interface Assignments tab 8 Ensure Available network ports is correct It is VLAN 4084 on mvneta1 lan Lan port 4...

Страница 45: ...e check box 11 Change the IPv4 Configuration Type from None to Static IPv4 12 Scroll down and make the IPv4 Address 192 168 100 1 24 in this example 13 Click Save 14 Click Apply Changes 15 Go to Inter...

Страница 46: ...eway Manual SG 3100 16 Go to the VLANs tab Click in the Enable 802 1q VLAN mode check box and click Save The table will change to reflect the new mode 17 Click Add Tag Copyright 2022 Rubicon Communica...

Страница 47: ...N Tag and 4 for Member s This represents LAN4 port 4 and tagged should be unchecked 19 Click Add Member to add the LAN Uplink 5 This member should be tagged as shown 20 Click Save 21 Click on beside V...

Страница 48: ...084 the new VLAN ID 26 Click Save This completes the configuration of a discrete port on the SG 3100 By default all traffic is blocked Create the appropriate firewall rules to allow the traffic Go to...

Страница 49: ...bound NAT Firewall Rules Gateway Groups DNS Setup Policy Routing Dynamic DNS VPN Considerations Testing 2 5 1 Requirements This guide assumes the underlying interface is already present e g physical p...

Страница 50: ...Configure the gateway as follows Default Check if this new WAN should be the default gateway Gateway Name Name it the same as the interface e g WAN2 or a variation thereof Gateway IPv4 The IPv4 addres...

Страница 51: ...matic or Hybrid then this may not need further configuration Ensure there are rules for the new WAN listed as a Interface in the Automatic Rules at the bottom of the page If so skip ahead to the next...

Страница 52: ...eferWAN PreferWAN2 and LoadBalance Navigate to System Routing Gateway Groups tab Click Add to create a new gateway group Configure the group as follows Group Name PreferWAN Gateway Priority Gateway fo...

Страница 53: ...g mode or the firewall is using the DNS Forwarder instead then maintaining functional DNS requires manually configuring gateways for forwarding DNS servers Navigate to System General Setup Add at leas...

Страница 54: ...gateway set Navigate to Firewall Rules LAN tab Click to add a new rule at the top of the list Configure the rule as follows Action Pass Interface LAN Protocol Any Source LAN net Destination The other...

Страница 55: ...a better test is to unplug the upstream connection from the CPE This more accurately simu lates a typical type of upstream connectivity failure Do not power off the CPE or unplug the connection betwe...

Страница 56: ...example if there are no current OPT interfaces the new interface will be OPT1 The next will be OPT2 and so on Note As this guide does not know what that number will be on a given configuration it wil...

Страница 57: ...o bound of automatic addresses assigned to clients The rest can be left at defaults Click Save See also DHCPv4 Configuration 2 6 5 Outbound NAT For clients on this interface to get to the Internet fro...

Страница 58: ...suffice Navigate to Firewall Rules on the OPTx tab or the custom name Click to add a new rule at the top of the list Configure the rule as follows Action Pass Interface OPTx or the custom name should...

Страница 59: ...face OPTx or the custom name Protocol TCP UDP Source OPTx Net or the custom name Destination This Firewall self If clients are to use DNS servers other than the firewall use those as the destination i...

Страница 60: ...from this network to private networks Click to add a new rule at the bottom of the list Configure the rule as follows Action Reject Interface OPTx or the custom name Protocol Any Source Any Destinatio...

Страница 61: ...tings which need accounted for when adding a new local interface If the DNS resolver has specific interface bindings add the new interface to the list If using ALTQ traffic shaping re run the shaper w...

Страница 63: ...s the corresponding operating system interface for the switch uplink The internal uplink port operates at 2 5 Gbps and connects the switch to the SoC From the perspective of the operating system the o...

Страница 64: ...s no default configuration See Configuring the Switch Ports for details on configuring this mode 3 2 Additional Resources 3 2 1 Netgate Training Netgate training offers training courses for increasing...

Страница 65: ...e com 3 3 Warranty and Support One year manufacturer s warranty Please contact Netgate for warranty information or view the Product Lifecycle page All Specifications subject to change without notice F...

Результаты поиска

Содержание SG-3100

Отзывы:

Похожие инструкции для SG-3100

Бренды по названию

Популярные бренды

Netgate SG-3100, Руководство пользователя

Результаты поиска

Содержание SG-3100

Отзывы:

Похожие инструкции для SG-3100

Бренды по названию

Популярные бренды