Netgate SG-3100 User Manual

Security Gateway Manual

SG-3100

Netgate

Feb 19, 2019

CONTENTS

1 I/O Ports 2

2 SG-3100 Switch Overview 5

3 Getting Started 11

4 Connecting to Console Port 22

5 Additional Resources 29

6 Warranty and Support Information 30

7 Safety and Legal 31

8 Reinstalling pfSense 39

9 Optional M.2 SATA Installation 42

i

Security Gateway ManualSG-3100

Thank you for your purchase of the pfSense® SG-3100 System. This hardware platform provides a powerful, reliable,
cost-effective solution.

Quick Start Guide

The Quick Start Guide covers the first time connection procedures and will provide you with the information you need
to get your appliance up and running.

CONTENTS 1

1.1 Rear Side

CHAPTER

ONE

I/O PORTS

Ports are assigned as pictured.

1.1.1 Routed Ethernet

LED Pattern Description

Left LED only green Flashes with 1Gb traffic, solid with link.
Both LEDs green Both flash with 100Mb traffic, solid with link.
Right LED only green Flashes with 10Mb traffic, solid with link.

Interface Name Port Name

WAN mvneta2
OPT1 mvneta0

2

Security Gateway ManualSG-3100

1.1.2 Switched Ethernet

Interface Name Port Name

LAN1 mvneta1
LAN2 mvneta1
LAN3 mvneta1
LAN4 mvneta1

LED Pattern Description

Both LEDs green Left Flashes with 1Gb traffic, solid with link.
Left LED only green Left flashes with 100Mb traffic, solid with link.
Right LED only green Left Flashes with 10Mb traffic, solid with link.

Note: Prior to pfSense software version 2.4.3, the switched Ethernet ports on the SG-3100 did not support auto
MDI-X and required crossover cable unless the client-side connection supported auto MDI-X. This was resolved with

2.4.3 and later versions and a crossover cable is no longer required.

Warning: The LAN ports do not support the Spanning Tree Protocol (STP). Two or more ports connected to
another Layer 2 switch, or connected to 2 or more different interconnected switches, could create a flooding loop
between the switches. This can cause the router to stop functioning until the loop is resolved.

1.1.3 Other Ports

• Power (12 VDC with threaded locking connector)

• Recessed Reset Button (performs a hard reset, immediately turning the system off)

• USB 3.0

• Micro SIM

• Console (Mini-USB)

Warning: A hard reset of the system could cause data corruption and should be avoided. Halt or reboot the
system through the console menu or the web configurator to avoid data corruption.

1.1. Rear Side 3

1.2 Front Side

LED Pattern Description

Boot Process The sequence, circle -> square -> diamond, quickly flashes blue.
Boot Completed The diamond slowly flashes blue.
Update is Available The square slowly flashes orange.

Security Gateway ManualSG-3100

1.2. Front Side 4

CHAPTER

TWO

SG-3100 SWITCH OVERVIEW

This optional guide shows the steps required to configure the 4 switched Ethernet ports as discrete ports.

Note: When connecting to the webConfigurator, be sure you are NOT connected to the port you are going to configure
or you will lose connectivity during this procedure.

The following attributes are used in this configuration guide but can be changed to suit your particular requirements:

SG-3100 Ethernet Port: LAN4

IP Address Assignment: 192.168.100.1/24

VLAN Tag: 4084 (VLAN tags should be 4081-4084 for LAN Ports 1-4)

2.1 Configuring the Switch

1. Open the pfSense WebGUI and log in.

2. From the menu, navigate to Interfaces > Assignments.

3. Go to the VLANs sub-menu.

5

Security Gateway ManualSG-3100

4. In the lower right-hand corner of the screen, click + Add.

5. Choose mvneta1 (MAC Address) - lan from the Parent Interface drop-down menu.

6. Set the VLAN Tag to 4084. Type Lan port 4 as the Description. Click Save.

Note: 4084 in is used as an example in this guide. The value for the tags must be unique for each VLAN and
must be between 1 and 4094. Avoid using values that are already in use. Best practice is not to use 1.

2.1. Configuring the Switch 6

Security Gateway ManualSG-3100

7. Go to the Interface Assignments sub-menu.

8. Ensure Available network ports: is correct. It is VLAN 4084 on mvneta1 - lan (Lan port 4) in this example.
Click on + Add.

9. Click on OPT2. This is the Interface that matches the new VLAN being created.

10. Check the Enable Interface check-box.

11. Change the IPv4 Configuration Type from None to Static IPv4.

2.1. Configuring the Switch 7

Security Gateway ManualSG-3100

12. Scroll down and make the IPv4 Address 192.168.100.1/24 (in this example).

13. Click Save.

14. Click Apply Changes.

15. Go to Interfaces -> Switches.

16. Go to the VLANs sub-menu. Click in the Enable 802.1q VLAN mode check-box and click Save.

17. You will notice that the table changes. Click + Add Tag.

2.1. Configuring the Switch 8

Security Gateway ManualSG-3100

18. Type 4084 for the VLAN Tag and 4 for Member(s). This represents LAN4 (port 4) and tagged should be
unchecked.

19. Click + Add Member to add the LAN Uplink, 5. This member should be tagged as shown.

20. Click Save.

21. Click on |fa-pencil| beside VLAN group 0.

2.1. Configuring the Switch 9

Security Gateway ManualSG-3100

22. Click Delete beside Member(s) 4. This will remove LAN4 from this VLAN group.

23. Click Save.

24. Go to the Ports sub-menu.

25. Click on Port VID 1 beside LAN4. Backspace through 1 and insert 4084, the new VLAN ID.

26. Click Save.

This completes the configuration of a discrete port on the SG-3100.

You will need to create the appropriate firewall rules because by default, all traffic is blocked. Go to Firewall > Rules
and then the OPT2 sub-menu (in this example) to configure the firewall rules.

You should also enable DHCP if necessary, by going to Services > DHCP Server > OPT2 (for the example above).

2.1. Configuring the Switch 10

CHAPTER

THREE

GETTING STARTED

The basic firewall configuration begins with connecting the pfSense appliance to the Internet. Neither the modem nor
the pfSense appliance should be powered on at this time.

Establishing a connection to an Internet Service Provider (ISP) starts with connecting one end of an Ethernet cable to
the WAN port (shown in the I/O Ports section) of the pfSense appliance.

Warning: The default LAN subnet on the firewall is 192.168.1.0/24. The same subnet cannot be used on
both WAN and LAN, so if the subnet on the WAN side of the firewall is also 192.168.1.0/24, disconnect the
WAN interface until the LAN interface has been renumbered to a different subnet.

The opposite end of the same Ethernet cable should be inserted in to the LAN port of the ISP-supplied modem. The
modem provided by the ISP might have multiple LAN ports. If so, they are usually numbered. For the purpose of this
installation, please select port 1.

The next step is to connect the LAN port (shown in the I/O Ports section) of the pfSense appliance to the computer
which will be used to access the firewall console.

Connect one end of the second Ethernet cable to the LAN port (shown in the I/O Ports section) of the pfSense appli­ance. Connect the other end to the network connection on the computer. In order to access the web configurator, the
PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet with a subnet
mask of 255.255.255.0. Do not use 192.168.1.1, as this is the address of the firewall, and will cause an IP
conflict.

3.1 Initial Setup

The next step is to power up the modem and the firewall. Plug in the power supply to the power port (shown in the I/O

Ports section).

Once the modem and pfSense appliance are powered up, the next step is to power up the computer.

Once the pfSense appliance is booted, the attached computer should receive a 192.168.1.x IP address via DHCP
from the pfSense appliance.

3.2 Logging Into the Web Interface

Browse to https://192.168.1.1 to access the web interface. In some instances, the browser may respond with a message
indicating a problem with website security. Below is a typical example in Google Chrome. If this message or similar
message is encountered, it is safe to proceed.

11

Security Gateway ManualSG-3100

At the login page enter the default pfSense password and username:

Username admin

Password pfsense

Click Login to continue

3.3 Wizard

Upon successful login, the following is displayed.

3.3. Wizard 12

Security Gateway ManualSG-3100

3.4 Configuring Hostname, Domain Name and DNS Servers

3.5 Hostname

For Hostname, anydesired name can be enteredas it does not affect functionality ofthe firewall. Assigning a hostname
to the firewall will allow the GUI to be accessed by hostname as well as IP address.

For the purposes of this guide, use pfsense for the hostname. The default hostname, pfsense may be left un­changed.

Once saved in the configuration, the GUI may be accessed by entering http://pfsense as well as http://192.168.1.1

3.6 Domain

If an existing DNS domain is in use within the local network (such as a Microsoft Active Directory domain), use that
domain here. This is the domain suffix assigned to DHCP clients, which should match the internal network.

For networks without any internal DNS domains, enter any desired domain name. The default localdomain is used
for the purposes of this tutorial.

3.7 DNS Servers

The DNS server fields can be left blank if the DNS Resolver is used in non- forwarding mode, which is the default
behavior. The settings may also be left blank if the WAN connection is using DHCP, PPTP or PPPoE types of Internet

3.4. Configuring Hostname, Domain Name and DNS Servers 13