
Security Gateway Manual

SG-3100

The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.

Note: As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx.

The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.

2.5.3 Interface Configuration

The new interface must be enabled and configured.

• Navigate to Interfaces > OPTx
• Check Enable interface
• Set custom name in the Description, e.g. WAN2
• Set IP address and CIDR for static, or DHCP/PPPoE/etc.
  See also: IPv4 Configuration Types
• Create a Gateway if this is a static IP address WAN:
  Click Add a New Gateway
  Configure the gateway as follows:
    Default
      Check if this new WAN should be the default gateway.
    Gateway Name
      Name it the same as the interface (e.g. WAN2), or a variation thereof.
    Gateway IPv4
      The IPv4 address of the gateway inside the same subnet.
    Description
      Optional text describing the purpose of the gateway.
  Click Add
  Ensure the new gateway is selected as the IPv4 Upstream Gateway
• Check Block private networks
  This will block private network traffic on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.
• Check Block bogon networks
  This will block traffic from bogus or unassigned networks on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.
• Click Save
• Click Apply Changes

The presence of a selected gateway in the interface configuration causes the firewall to treat the interface as a WAN
type interface. This is manual for static configurations, as above, but is automatic for dynamic WANs (e.g. DHCP,
PPPoE).
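
An added example, not taken from the manual or from Netgate: a Python check over a configuration backup that applies the rule above (a selected gateway, or a dynamic address type, makes an interface WAN type) and reports enabled WAN-type interfaces that lack Block private networks or Block bogon networks. The sample XML is constructed, and the element names (enable, descr, ipaddr, gateway, blockpriv, blockbogons) are assumptions about the backup's layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a configuration backup (not a real config).
# Element names are assumptions about the backup's XML layout.
SAMPLE_CONFIG = """<pfsense><interfaces>
  <wan><enable/><descr>WAN</descr><ipaddr>dhcp</ipaddr>
       <blockpriv/><blockbogons/></wan>
  <lan><enable/><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  <opt1><enable/><descr>WAN2</descr><ipaddr>198.51.100.2</ipaddr><subnet>24</subnet>
        <gateway>WAN2GW</gateway><blockpriv/></opt1>
  <opt2><descr>WAN3</descr><ipaddr>pppoe</ipaddr></opt2>
</interfaces></pfsense>"""

# Dynamic WANs are treated as WAN type automatically, without a manual gateway.
DYNAMIC_TYPES = {"dhcp", "pppoe"}


def is_wan_type(iface):
    """WAN type: a gateway is selected (static) or the address type is dynamic."""
    gateway = (iface.findtext("gateway") or "").strip()
    ipaddr = (iface.findtext("ipaddr") or "").strip().lower()
    return bool(gateway) or ipaddr in DYNAMIC_TYPES


def audit_wan_interfaces(config_xml):
    """Return {description: [options not set]} for enabled WAN-type interfaces."""
    root = ET.fromstring(config_xml)
    findings = {}
    for iface in root.findall("./interfaces/*"):
        # Skip disabled interfaces and anything that is not WAN type (e.g. LAN).
        if iface.find("enable") is None or not is_wan_type(iface):
            continue
        missing = [t for t in ("blockpriv", "blockbogons") if iface.find(t) is None]
        if missing:
            findings[iface.findtext("descr") or iface.tag.upper()] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_wan_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: not set -> {', '.join(missing)}")
```

A finding is a prompt to review rather than an error, since these options may be unnecessary when the firewall rules for the WAN are not permissive.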

© Copyright 2022 Rubicon Communications LLC
