Product Manual XG-7100-1U

Thank you for your purchase of the pfSense® XG-7100 1U System. This Netgate appliance provides a powerful, reliable, cost-effective solution.

Quick Start Guide

The Quick Start Guide covers the first-time connection procedures and provides the information you need to get your appliance up and running.
CHAPTER: QUICK START GUIDE

This Quick Start Guide covers first-time connection procedures for a new appliance.

1.1 I/O Ports

Ports are assigned as pictured.

1.1.1 Ethernet Ports

Port Name    Port Type   Port Speed
ETH1         RJ-45       1 Gbps
ETH2-ETH8    RJ-45       1 Gbps
OPT1         SFP+        10 Gbps
OPT2         SFP+        10 Gbps

Note: ETH1-8 are switched ports sharing 5 Gbps (2x 2.5 Gbps) to the Intel SoC. These ports can be isolated as independent interfaces by configuring VLAN tagging as shown in XG-7100 Switch Overview.
1.1.3 Other Ports, Buttons, and Indicators

• Semi-recessed Power (PWR) button (performs a graceful shutdown of pfSense software)
• Recessed Reset button (performs a hard reset, immediately turning the system off)
• 1x USB 3.0
• Status LED
• Power (PWR) LED (green when powered on, red after a graceful shutdown)

From the operating system's perspective, there are four physical interfaces present:

• 10 Gbps SFP+
• 10 Gbps SFP+
• 2.5 Gbps (2500Base-KX, switch link to SoC/CPU)
• 2.5 Gbps (2500Base-KX, switch link to SoC/CPU)

1.2.2 Switch LAGG

ix2 and ix3 (switch uplink ports 9 and 10) are configured as a load-balanced LAGG. This provides an aggregate uplink capable of 5 Gbps for Ethernet switch ports ETH1-8.
When data is received on ETH1-8, the switch uses the LAGG to determine whether that data should be sent out of PORT 9 or PORT 10. That data then passes over one of the two 2.5 Gbps switch links (PORT 9/10) to the SoC. Data coming from PORT 9 has a direct line to ix2, and data from PORT 10 has a direct line to ix3.

• When data comes into the ETH1 interface, a VLAN tag of 4090 is added to the Ethernet frame.
• When data comes into interfaces ETH2-8, a VLAN tag of 4091 is added to the Ethernet frame.
• PORT9-10 are configured to act as trunk ports.
[Figure: two logical switches. SWITCH-A: ports ETH1, ETH2, ETH3, ETH4 and two UPLINK ports. SWITCH-B: ports ETH5, ETH6, ETH7, ETH8.]

SWITCH-A: ETH1-4 can talk to each other and to the LAGG uplink. PORT9-10 are members of this switch; this is required for the switch to have an uplink to pfSense.

Selecting Switches from the drop-down brings up the Switch page with four sections:

System: Information on the Marvell 6000 switch.
LAGGs: Information on members of the switch LAG.
Ports: Information on switch port status and port names. If 802.1q is enabled, this section can also be used to specify the native VLAN ID for each port.

Fig. 1: Information on the Marvell 6000 switch
Fig. 2: Information on members of the switch LAG
Fig. 3: 802.1q enabled (default)
Fig. 4: Port VLAN Mode

Interfaces Section

There are also relevant settings under Interfaces -> Assignments.

Interface Assignments

Under Interface Assignments, notice that LAGG0 (UPLINK) is displayed as an available port but is not enabled in the list of interfaces. This is because the default configuration only expects VLAN-tagged traffic, so the VLAN child interfaces 4090 and 4091 are enabled instead.
1.2.5 Switch Configuration Examples

Dedicated LAN switch

In this scenario, SFP+ port ix0 will be configured as the WAN interface and ETH1-8 will be configured as a LAN switch. For this specific example, I'll perform the WAN interface reassignment over the console; re-assigning the WAN can be done from the webGUI as well.

No additional VLANs are needed for this, so enter n to continue. Input ix0 as the new WAN interface name. Input the same default LAN interface of lagg0.4091 for the LAN interface name and press Enter to complete the interface reassignment.
The interface assignments should now look like this. At this point SFP+ port ix0 is configured as the WAN interface; the LAN interface is still configured the same as the default. Next, the switch needs to be updated so that ETH1 (previously WAN) acts the same as ETH2-8. This is done from the webGUI.

VLAN 4090 is no longer needed since WAN is dedicated to ix0 now. Either select the row containing 4090 to delete the entry, or remove port 1 as a member of it. For this example, I simply removed VLAN 4090 from the switch.

Next, update the PVID for ETH1 so that it uses VLAN 4091 rather than the old VLAN 4090. To do this, click on the Ports tab and click on the 4090 Port VID to modify it, then click Save.

At this point, everything should be configured properly and ETH1-8 will act as a single LAN switch. One final step that should be performed is to remove the old VLAN 4090 from pfSense; so far VLAN 4090 has only been removed from the switch.
Add, enable, and configure the VLAN interface under Interfaces -> Assignments.

Also create any necessary firewall rules under Firewall -> Rules. Now that pfSense knows of this new VLAN network, configure the switch so that ETH1-4 use the new network. To do this, go to Interfaces -> Switches -> VLANs and click the Add Tag button. Input the VLAN tag for the new network (the same as the VLAN ID configured in the previous steps) and add ETH1-4 and PORT9-10 (uplinks) as members.

Once this is done, click the Save button. The final result should look like this. Lastly, update the Port VIDs on ETH1-4 to use the new 4081 VLAN rather than 4091 and click Save.

Now ETH1-4 act as a switch for the VLAN 4081 LAN and ETH5-8 act as a switch for the VLAN 4091 LAN.

Trunking VLAN-tagged traffic

Expanding on the previous example, let's assume there is a management VLAN of 4000 where devices are already tagged on this VLAN prior to reaching pfSense.
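To make the port-isolation rules above concrete, here is an added example (not Netgate's code or the switch firmware) that models the 802.1Q forwarding the manual describes: the factory 4090/4091 layout, the dedicated LAN switch, and the split 4081/4091 LAN. The management-VLAN case assumes VLAN 4000 arrives tagged on ETH1-4, which the manual does not state.

```python
"""802.1Q forwarding model of the XG-7100 switch as the manual describes it:
an untagged frame entering ETH1-8 receives that port's PVID, PORT9/PORT10
are tagged trunks towards ix2/ix3, and port groups are isolated purely by
VLAN membership.  Added example (not Netgate's code); the configurations
below are constructed from the manual's scenarios."""

TRUNKS = {"PORT9", "PORT10"}   # LAGG uplinks; in hardware the LAGG picks one
ETH = [f"ETH{i}" for i in range(1, 9)]


class Switch:
    def __init__(self, pvid, vlans):
        self.pvid = pvid      # port -> PVID applied to frames arriving untagged
        self.vlans = vlans    # VLAN ID -> {member port: True if tagged there}

    def egress(self, ingress, tag=None):
        """Ports a frame is flooded to, mapped to the VLAN tag it carries on
        exit (None = untagged).  An untagged frame is classified by the
        ingress PVID; a tagged frame is accepted only where the ingress port
        is a tagged member of that VLAN.  Everything else is dropped."""
        vid = self.pvid[ingress] if tag is None else tag
        members = self.vlans.get(vid, {})
        if ingress not in members or (tag is not None and not members[ingress]):
            return {}
        # A frame from one LAGG member is never sent back out the other member.
        return {p: (vid if tagged else None) for p, tagged in members.items()
                if p != ingress and not (ingress in TRUNKS and p in TRUNKS)}

    def can_talk(self, a, b):
        """True if an untagged frame from port a is delivered to port b."""
        return b in self.egress(a)


def members(untagged, tagged=TRUNKS):
    """Membership map: listed ETH ports untagged, trunks tagged (the default)."""
    return {**{p: False for p in untagged}, **{p: True for p in tagged}}


def default_config():
    """Factory layout: ETH1 is WAN on VLAN 4090, ETH2-8 are LAN on VLAN 4091."""
    pvid = {"ETH1": 4090, **{p: 4091 for p in ETH[1:]}}
    return Switch(pvid, {4090: members(["ETH1"]), 4091: members(ETH[1:])})


def dedicated_lan_config():
    """First example: WAN moved to ix0, VLAN 4090 deleted, ETH1 PVID 4091."""
    return Switch({p: 4091 for p in ETH}, {4091: members(ETH)})


def split_lan_config():
    """Second example: ETH1-4 on VLAN 4081, ETH5-8 stay on VLAN 4091."""
    pvid = {**{p: 4081 for p in ETH[:4]}, **{p: 4091 for p in ETH[4:]}}
    return Switch(pvid, {4081: members(ETH[:4]), 4091: members(ETH[4:])})


def management_trunk_config():
    """Third scenario (assumption: VLAN 4000 arrives tagged on ETH1-4): add
    those ports and the trunks as tagged members of 4000 on the split layout."""
    sw = split_lan_config()
    sw.vlans[4000] = members([], tagged=[*ETH[:4], *TRUNKS])
    return sw
```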
Tip: Before configuring the pfSense appliance it is best to activate it by following the instructions at https://www.netgate.com/register/.

The basic firewall configuration begins with connecting the pfSense appliance to the Internet. Neither the modem nor the pfSense appliance should be powered up at this time.

1.3.1 Initial Setup

The next step is to power up the modem and the firewall. Plug the power supply into the power port (shown in the Ports section). Once the modem and pfSense appliance are powered up, power up the computer. Once the pfSense appliance has booted, the attached computer should receive a 192.168.1.x IP address via DHCP from the pfSense appliance.

Password: pfsense

Click Login to continue.

1.3.3 Wizard

Upon successful login, the following is displayed.

1.3.4 Configuring Hostname, Domain Name and DNS Servers

1.3.5 Hostname

For Hostname, any desired name can be entered as it does not affect the functionality of the firewall. Assigning a hostname to the firewall allows the GUI to be accessed by hostname as well as by IP address.

1.3.7 DNS Servers

The DNS server fields can be left blank if the DNS Resolver is used in non-forwarding mode, which is the default behavior. The settings may also be left blank if the WAN connection uses a DHCP, PPTP or PPPoE type of Internet connection and the ISP automatically assigns DNS server IP addresses.
This depicts the four possible WAN interface types: Static, DHCP, PPPoE and PPTP. One must be selected from the drop-down list. Further information from the ISP is required to proceed when selecting Static, PPPoE or PPTP, such as a login name and password or, for static addresses, an IP address, subnet mask and gateway address.

1.3.14 Configuring DHCP Hostname

Some ISPs specifically require a DHCP Hostname entry. Unless the ISP requires the setting, leave it blank.

1.3.15 Configuring PPPoE and PPTP Interfaces

Information added in these sections is assigned by the ISP. Configure these settings as directed by the ISP.

1.3.16 Block Private Networks and Bogons

When enabled, all traffic from private network addresses originating on the Internet is blocked. Private addresses are reserved for use on internal LANs and are blocked from outside traffic so that these address ranges may be reused by all private networks. The following inbound address ranges are blocked by this firewall rule:

A static IP address of 192.168.1.1 and a subnet mask (CIDR) of 24 were chosen for this installation. If there are no plans to connect this network to any other network via VPN, the 192.168.1.x default is sufficient. Click Next to continue.

1.3.20 Basic Firewall Configured

To proceed to the webConfigurator, make the selection as highlighted. The Dashboard display will follow.

1.3.21 Backing Up and Restoring

At this point, basic LAN and WAN interface configuration is complete. Before proceeding, back up the firewall configuration. Click Download Configuration and save a copy of the firewall configuration. This configuration can be restored from the same screen by choosing the backup file under Restore configuration.
1.3.22 Connecting to the Console

There are times when accessing the console is required. Perhaps GUI access has been locked out, or the password has been lost or forgotten. See also: Connecting to Console Port. Connect to the console; a cable is required.

1.4 Connecting to Console Port

1.4.1 Simple Configuration

Below are the simple instructions for connecting to the console port with Microsoft Windows. Open PuTTY and locate the Session display as shown below. For the Connection type, select Serial. Set Serial line to the COM port that is displayed in Windows Device Manager (COM4 for this example), and set Speed to 115200 bits per second, the speed of the BIOS in this case. Select Open and the console screen will be displayed.

1.4.2 Advanced Configuration

A Silicon Labs CP210x USB-to-UART bridge is used to provide access to the serial port that acts as a system console. This is exposed via a USB Mini-B (5-pin) port on the front of the case. There are several steps required to access the system console via this port.

Loading the Linux Driver

If the device does not appear automatically, the CP210x driver module may need to be loaded manually, especially if the version of Linux being run is not recent. If the driver was provided with the Linux distribution, run modprobe cp210x as root or using sudo.

FreeBSD

The device associated with the system console is likely to show up as /dev/cuaU1. Look for messages about the device attaching in the system log files or by running dmesg.

Launch a Terminal Program

Use a terminal program to connect to the system console port. PuTTY is a popular terminal program that is available on various operating systems. PuTTY generally handles most cases well but can have issues with line-drawing characters on certain platforms. These settings seem to work best (tested on Windows):

Window: Columns x Rows = 80x24
Window > Appearance: Font = Courier New 10pt or Consolas 10pt
Window > ...
1.5.2 Netgate Training

Netgate offers training courses for increasing your knowledge of pfSense products and services, whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction...

1.7 Safety and Legal

Contents:
• Safety and Legal
  – Safety Notices
  – Electrical Safety Information
  – FCC Compliance
  – Industry Canada
  – Australia and New Zealand
  – CE Marking
  – RoHS/WEEE Compliance Statement
  – Declaration of Conformity
  – ...
(a) Do not substitute the power cord with one that is not of the provided approved type. If a 3-prong plug is provided, never use an adapter plug to connect to a 2-wire outlet, as this will defeat the continuity of the grounding wire.

For more detailed information about the disposal of your old equipment, please contact your local authorities, waste disposal service, or the shop where you purchased the product.

Deutsch [German]: European Directive 2002/96/EC requires that technical equipment marked with this symbol directly on the device and/or on the packaging must not be disposed of together with unsorted municipal waste.

1.7.8 Declaration of Conformity

Česky [Czech]: NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.

Dansk [Danish]: The undersigned, NETGATE, hereby declares that the following equipment, NETGATE device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.

Magyar [Hungarian]: The undersigned, NETGATE, declares that the NETGATE device complies with the relevant essential requirements and other provisions of Directive 1999/5/EC.

Íslenska [Icelandic]: NETGATE hereby declares that the NETGATE device is in conformity with the basic requirements and other requirements laid down in Directive 1999/5/EC.

Italiano [Italian]: NETGATE hereby declares that this NETGATE device is...

Español [Spanish]: NETGATE hereby declares that the NETGATE device complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/CE.

Polski [Polish]: NETGATE hereby declares that the NETGATE device series product complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
1.7.10 Applicable Law

By using any Products/Services, you agree that the Federal Arbitration Act, applicable federal law, and the laws of the state of Texas, without regard to principles of conflict of laws, will govern these terms and conditions of use and any dispute of any sort that might arise between you and RCL and/or ESF.

...KIND ARISING FROM THE USE OF ANY PRODUCTS/SERVICES, OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH ANY PRODUCTS/SERVICES, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING.
CHAPTER: HIGH AVAILABILITY

This document covers configuration of a High Availability cluster using the following features:

• CARP for IP address redundancy
• XMLRPC for configuration synchronization
• pfsync for state table synchronization

With this configuration, two units act as an "active/passive" cluster, with the primary node working as the master unit and the secondary node in a backup role, taking over as needed if the primary node fails.

2.1.3 Interface Assignments

Interfaces must be assigned in exactly the same order on all nodes. If the interfaces are not aligned, configuration synchronization and other tasks will not behave correctly. The default configuration has all interfaces assigned, as seen in the I/O Ports section of the unit's product manual, which makes a good starting point for this guide.

If any CARP or VRRP traffic is shown, note the VHID/VRID and avoid using that identifier when configuring the CARP VIP VHIDs later. This guide assumes there is no other potentially conflicting traffic present.

2.1.6 Setup Requirements

Using the Setup Wizard, or manually afterward, configure each firewall with a unique hostname and non-conflicting static IP addresses. For example, the WAN ports of each node must connect to the same WAN switch, which then connects to the WAN CPE/modem/upstream link. The LAN ports would all connect to the same LAN switch, and so on. The Sync interface may be connected directly between the two nodes without a switch.
3. Set Action to Pass
4. Set Source to SYNC Net
5. Set Destination to SYNC Address
6. Set Destination port range to 443 or choose HTTPS (443) from the drop-down selector
7. Set Description to Allow configuration synchronization
8. ...

1. Navigate to Firewall > Rules on the SYNC tab
2. Click the add icon at the top of the list to create a new rule
3. Set Action to Pass
4. Set Protocol to any
5. Set Source to SYNC Net
6. ...

5. Check the boxes for each area to synchronize to the secondary node. For this guide, as with most configurations, all boxes are checked.
6. Click Save

As a quick confirmation that the synchronization worked, on the secondary node navigate to Firewall > Rules on the SYNC tab.

Repeat the above process for the LAN CARP VIP:
1. Navigate to Firewall > Virtual IPs
2. Click the add icon at the top of the list to create a new VIP
3. Set Type to CARP
4. Set Interface to LAN
5. ...

Fig. 4: CARP VIP Status on Secondary

2.2.5 Setup Manual Outbound NAT

Now it is time to put the new CARP VIPs to use. The NAT settings will synchronize, so these changes need only be made on the primary node.
1. ...

2.2.7 Setup DHCP

The DHCP server daemons on the cluster nodes need adjustments so that they can work together. The changes will synchronize from the primary to the secondary, so as with the VIPs and Outbound NAT, these changes need only be made on the primary node.
6. Configure the DHCP server for the new subnet, utilizing the CARP VIP for the DNS and Gateway roles (optional, primary node only)

2.3 Components of a High Availability Cluster

Though often erroneously called a "CARP Cluster", two or more redundant pfSense firewalls are more aptly titled a "High Availability Cluster", since CARP is only one of several technologies used to achieve High Availability with pfSense.

A CARP-type Virtual IP address (VIP) is shared between nodes of a cluster. One node is master and receives traffic for the IP address; the other nodes maintain backup status and monitor for heartbeats to determine whether they need to assume the master role if the previous master fails.

2.4.1 Verify General Functionality

Set up a client on the LAN and ensure that it receives a DHCP IP address and that it shows the LAN CARP VIP as its gateway and DNS server. Verify that the client can reach the Internet and otherwise function as expected.

2.4.2 Verify XMLRPC Sync is Working

XMLRPC Configuration Synchronization can be tested several ways.

2.5 Troubleshooting High Availability

In the event that any of the testing fails (see Testing High Availability), there are a few common things to check.

2.5.1 Review the Configuration

Before digging too deep into the technical details below, first review the configuration and ensure all steps were followed accurately.

Switch/Layer 2 Issues

Typically a switch or layer 2 issue manifests itself as both units showing "MASTER" status for one or more CARP VIPs. If this happens, check the following items:
1. Ensure that the interfaces on both boxes (the WANs, LANs, etc.) are connected to the proper switch/VLAN/layer 2.

Fig. 11: XMLRPC Sync Failure Firewall Log Entry

Check the Admin User

Visit System > User Manager and ensure that the admin user is enabled on both systems and that the admin password is the same on both systems. Visit System > High Avail Sync and double check that the admin username has been entered and that the correct password is present.
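As an added example that is not part of the manual, the following script checks two config.xml backups against the prerequisites this chapter states (identical interface order, CARP VHIDs not reused on an interface, an enabled admin user on both nodes). The XML fragments are constructed, and the element names and the empty <disabled/> marker for a disabled user follow pfSense's config.xml layout as an assumption.

```python
"""Pre-flight check of two pfSense config.xml backups for the HA requirements
in this chapter: interfaces assigned in the same order on both nodes, no CARP
VHID reused on the same interface, and the admin account enabled on both.
Added example, not pfSense code.  Both XML documents are constructed and
trimmed; element names follow pfSense's config.xml layout as an assumption."""

import xml.etree.ElementTree as ET

PRIMARY = """<pfsense>
 <interfaces><wan><if>ix0</if></wan><lan><if>lagg0.4091</if></lan>
  <opt1><if>ix1</if></opt1></interfaces>
 <virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid></vip>
 </virtualip>
 <system><user><name>admin</name></user></system>
</pfsense>"""

# Constructed to be wrong in three ways: opt1 and lan swapped, VHID 2 reused
# on LAN, and the admin user disabled.
SECONDARY = """<pfsense>
 <interfaces><wan><if>ix0</if></wan><opt1><if>ix1</if></opt1>
  <lan><if>lagg0.4091</if></lan></interfaces>
 <virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid></vip>
 </virtualip>
 <system><user><name>admin</name><disabled></disabled></user></system>
</pfsense>"""


def interface_order(root):
    """[(logical name, physical device)] in the order the config lists them."""
    return [(i.tag, i.findtext("if")) for i in root.find("interfaces")]


def carp_vhids(root):
    """[(interface, vhid)] for every CARP-type VIP."""
    return [(v.findtext("interface"), int(v.findtext("vhid")))
            for v in root.iter("vip") if v.findtext("mode") == "carp"]


def admin_enabled(root):
    for user in root.iter("user"):
        if user.findtext("name") == "admin":
            return user.find("disabled") is None   # assumption, see docstring
    return False


def check_pair(primary_xml, secondary_xml):
    """Return a list of problems; an empty list means the pair is consistent."""
    nodes = {"primary": ET.fromstring(primary_xml),
             "secondary": ET.fromstring(secondary_xml)}
    problems = []
    if interface_order(nodes["primary"]) != interface_order(nodes["secondary"]):
        problems.append("interface assignments differ in order or device")
    for name, root in nodes.items():
        vhids = carp_vhids(root)
        dupes = {v for v in vhids if vhids.count(v) > 1}
        if dupes:
            problems.append(f"{name}: CARP VHID reused on an interface: {sorted(dupes)}")
        if not admin_enabled(root):
            problems.append(f"{name}: admin user is disabled or missing")
    return problems
```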
If at any point in this procedure a failure condition is encountered, seek assistance from support.

2.6.1 Review the Changelog and Upgrade Guide

Before starting any part of an upgrade, first look at the Netgate Blog release changelogs for any notable changes or items to be aware of between the version currently in use and the one that will be in use after upgrading.

2.6.2 Backup

Before starting, take a fresh backup from Diagnostics > Backup/Restore on both nodes.

Warning: Do not skip this step! A backup is quick and easy to do, and invaluable to have if the upgrade does not go as expected!

Download installation media for the release currently in use in case a reinstall is necessary.

Note: The pfSense factory version is the version that is preinstalled on units purchased from Netgate. The factory image is optimally tuned for our hardware and contains some features that cannot be found elsewhere, such as the AWS VPN Wizard.

4. When the installation is complete, a message will appear saying: pfSense-pkg-Netgate_Coreboot_Upgrade installation successfully completed
5. Now that the package is installed, navigate to System -> Netgate Coreboot Upgrade.
6. This page shows the latest version of Coreboot available and the current version that is running on the system.