Page 2
CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
Page 3
Security Gateway Manual XG-7100-1U This Quick Start Guide covers the first time connection procedures for the Netgate® XG-7100 1U Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, we recommend downloading the...
Page 4
Netgate appliance. Connect the other end to the network connection on the computer. In order to access the webConfigurator, the PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet with a subnet mask of 255.255.255.0.
Page 5
Security Gateway Manual XG-7100-1U 1.1.2 Logging Into the Web Interface Browse to https://192.168.1.1 to access the web interface. In some instances, the browser may respond with a message indicating a problem with website security. Below is a typical example in Google Chrome. If this message or similar message is encountered, it is safe to proceed.
Page 6
Security Gateway Manual XG-7100-1U 1.1.3 Wizard Upon successful login, the following is displayed. 1.1.4 Configuring Hostname, Domain Name and DNS Servers 1.1.5 Hostname For Hostname, any desired name can be entered as it does not affect functionality of the firewall. Assigning a hostname to the firewall will allow the GUI to be accessed by hostname as well as IP address.
Page 7
Security Gateway Manual XG-7100-1U 1.1.7 DNS Servers The DNS server fields can be left blank if the DNS Resolver is used in non- forwarding mode, which is the default behavior. The settings may also be left blank if the WAN connection is using DHCP, PPTP or PPPoE types of Internet connections and the ISP automatically assigns DNS server IP addresses.
Page 8
Security Gateway Manual XG-7100-1U This depicts the four possible WAN interface types. Static, DHCP, PPPoE and PPTP. One must be selected from the drop-down list. Further information from the ISP is required to proceed when selecting Static, PPPoE and PPTP such as login name and password or as with static addresses, an IP address, subnet mask and gateway address.
Page 9
Security Gateway Manual XG-7100-1U 1.1.14 Configuring DHCP Hostname Some ISPs specifically require a DHCP Hostname entry. Unless the ISP requires the setting, leave it blank. 1.1.15 Configuring PPPoE and PPTP Interfaces Information added in these sections is assigned by the ISP. Configure these settings as directed by the ISP...
Page 10
Security Gateway Manual XG-7100-1U 1.1.16 Block Private Networks and Bogons When enabled, all private network traffic originating on the internet is blocked. Private addresses are reserved for use on internal LANs and blocked from outside traffic so these address ranges may be reused by all private networks.
Page 11
Security Gateway Manual XG-7100-1U A static IP address of 192.168.1.1 and a subnet mask (CIDR) of 24 was chosen for this installation. If there are no plans to connect this network to any other network via VPN, the 192.168.1.x default is sufficient.
Page 12
Security Gateway Manual XG-7100-1U 1.1.20 Basic Firewall Configured To proceed to the webConfigurator, make the selection as highlighted. The Dashboard display will follow. 1.1.21 Backing Up and Restoring At this point, basic LAN and WAN interface configuration is complete. Before proceeding, backup the firewall con- figuration.
Page 14
Warning: If your DSL or Cable Modem has a default IP Address of 192.168.1.1, please disconnect the Ethernet cable from the ETH1 port on your XG-7100 1U Netgate Security Gateway before proceeding. You will need to change the default IP Address of the device during a later step in the configuration.
Page 15
1. Click Next to start the Setup Wizard. 2. Click Next after you have read the information on Netgate Global Support. 3. On the General Information page, use the following as a guide to configure the firewall.
Page 18
Tip: If your DSL or Cable Modem has a default IP Address of 192.168.1.1, change the IP Address of your XG-7100 1U Netgate Security Gateway to a different subnet, such as 192.168.2.1 with a subnet mask of 24 to avoid an IP Address conflict.
Page 19
firewall. Fig. 8: The pfSense Dashboard Section 1 shows important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 identifies what version of pfSense software is installed, and if an update is available.
Page 20
Click Download configuration as XML and save a copy of the firewall configuration to the computer con- nected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
Page 21
See also: Connecting to the Console Port Connect to the console. Cable is required. Tip: To learn more about getting the most out of your Netgate appliance, sign up for a pfSense Training course or browse our extensive Resource Library.
Page 22
Security Gateway Manual XG-7100-1U 1.4 Input and Output Ports 1.4.1 Front Side Networking Ports Interface Name Port Name Port Type Port Speed ETH1 RJ-45 1 Gbps ETH2-ETH8 RJ-45 1 Gbps OPT1 SFP+ 10 Gbps OPT2 SFP+ 10 Gbps RJ-45 Ethernet Ports ETH1-8 are switched ports sharing 5 Gbps (2x 2.5 Gbps) to the Intel SoC.
Page 23
Security Gateway Manual XG-7100-1U Warning: There is an Intel-supplied driver issue for the C3000, preventing 1Gbps and 10Gbps copper modules from being recognized on the SFP+ ports. Copper modules are not supported. Compatible SFP/SFP+ Modules Below are some general guidelines for compatible SFP/SFP+ modules: •...
Page 24
Security Gateway Manual XG-7100-1U Optional 4-Port Intel 1 Gbps Expansion Card Interface Name Port Name Port Type Port Speed OPT3 igb0 RJ-45 1 Gbps OPT4 igb1 RJ-45 1 Gbps OPT5 igb2 RJ-45 1 Gbps OPT6 igb3 RJ-45 1 Gbps Optional 2-Port Intel 1 Gbps Expansion Card...
Page 25
Security Gateway Manual XG-7100-1U Warning: A hard reset of the system could cause data corruption and should be avoided. Halt or reboot the system through the console menu or the webConfigurator to avoid data corruption. 1.4.2 Rear Side Other Ports, Buttons, and Indicators •...
Page 26
Security Gateway Manual XG-7100-1U e) Protective bonding must be installed in accordance with local national wiring rules and regulations. 1.5.3 FCC Compliance Changes or modifications not expressly approved by the party responsible for compliance could void the user’s au- thority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1.
Page 27
Security Gateway Manual XG-7100-1U Deutsch Die Europäische Richtlinie 2002/96/EC verlangt, dass technische Ausrüstung, die direkt am Gerät und/oder an der Verpackung mit diesem Symbol versehen ist, nicht zusammen mit unsortiertem Gemeindeabfall entsorgt werden darf. Das Symbol weist darauf hin, dass das Produkt von regulärem Haushaltmüll getrennt entsorgt werden sollte. Es liegt in Ihrer Verantwortung, dieses Gerät und andere elektrische und elektronische Geräte über die dafür zuständigen und von...
Page 28
XG-7100-1U 1.5.8 Declaration of Conformity ˇ Cesky[Czech] NETGATE tímto prohla uje, e tento NETGATE device, je ve shod se základními po adavky a dal ími p íslu n mi ustanoveními sm rnice 1999/5/ES. Dansk [Danish] Undertegnede NETGATE erklærer herved, at følgende udstyr NETGATE device, overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.
Page 29
Alulírott, NETGATE nyilatkozom, hogy a NETGATE device, megfelel a vonatkozó alapvetõ követelményeknek és az 1999/5/EC irányelv egyéb elõírásainak. Íslenska [Icelandic] Hér me l sir NETGATE yfir ví a NETGATE device, er í samræmi vi grunnkröfur og a rar kröfur, sem ger ar eru í tilskipun 1999/5/EC. Italiano [Italian] Con la presente NETGATE dichiara che questo NETGATE device, è...
Page 30
Security Gateway Manual XG-7100-1U Slovensky [Slovak] NETGATE t mto vyhlasuje, e NETGATE device, sp a základné po iadavky a v etky príslu né ustanovenia Smernice 1999/5/ES. Svenska [Swedish] Härmed intygar NETGATE att denna NETGATE device, står I överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG.
Page 31
Security Gateway Manual XG-7100-1U Austin, Texas 78728 legal@netgate.com The arbitration will be conducted by the American Arbitration Association (AAA) under its rules. The AAA’s rules are available at www.adr.org. Payment of all filing, administration and arbitrator fees will be governed by the AAA’s rules.
Page 32
Security Gateway Manual XG-7100-1U 1.5.13 Limited Warranty DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUD- ING SOFTWARE) AND OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY US ON AN “AS IS” AND “AS AVAILABLE” BA- SIS, UNLESS OTHERWISE SPECIFIED IN WRITING.
Page 33
CHAPTER HOW-TO GUIDES 2.1 Configuring the Switch Ports See also: For an overview of how the switch ports are set up, see Switch Ports Overview. 2.1.1 Switch Section From the pfSense® webGUI, there is a menu option called Switches under the Interfaces drop-down. This section contains switch specific configuration options.
Page 34
Security Gateway Manual XG-7100-1U System Fig. 1: Information on the Marvell 6000 switch LAGGs Fig. 2: Information on members of the switch LAG Ports Information on switchport status and port names. If 802.1q is enabled, this section can also be used to specify the native VLAN ID for each port.
Page 37
Security Gateway Manual XG-7100-1U Interface Assignments Under Interface Assignments, notice LAGG0 (UPLINK) is displayed as an available port but is not enabled in the list of interfaces. This is because the default configuration is only expecting VLAN tagged traffic so the VLAN child interface 4090 and 4091 are enabled instead.
Page 38
Security Gateway Manual XG-7100-1U 2.1.3 Switch Configuration Examples Dedicated LAN switch In this scenario, SFP+ port ix0 will be configured as the WAN interface. ETH1-8 will be configured as a LAN switch. For this specific example, I’ll perform the WAN interface reassignment over console. Re-assigning the WAN can be done from the webGUI as well.
Page 40
Security Gateway Manual XG-7100-1U At this point SFP+ port ix0 is now configured as the WAN interface. The LAN interface is still configured the same as the default. Next, the switch will need to be updated so that ETH1 (previously WAN) acts the same as ETH2-8. This will be done from the webGUI.
Page 42
Security Gateway Manual XG-7100-1U Then click on Save: At this point, everything should be configured properly. ETH1-8 will act as a single LAN switch. One final step that should be performed is to remove the old VLAN 4090 from pfSense. So far VLAN 4090 was only removed from the switch.
Page 43
Security Gateway Manual XG-7100-1U Two LAN switches In this scenario, the LAN switch from the previous example will be split into two LAN switches. A new LAN network should be created in pfSense first. Similar to the existing LAN interface, another VLAN interface should be used so the switch can segment traffic appropriately.
Page 44
Security Gateway Manual XG-7100-1U Also create any necessary firewall rules under Firewall -> Rules. Now that pfSense knows of this new VLAN network, configure the switch so that ETH1-4 use the new network. To do this, go to Interfaces -> Switches -> VLANs and click the Add Tag button. Input the VLAN tag for the new network (same as the VLAN ID configured in the previous steps) and add ETH1-4 and PORT9-10 (uplinks) as members.
Page 45
Security Gateway Manual XG-7100-1U Once this is done, delete the untagged members 1,2,3,4 from VLAN group 2 and click the Save button. The final result should look like this: Lastly, update the Port VIDs to use the new 4081 VLAN rather than 4091 on ETH1-4 and click Save:...
Page 46
Security Gateway Manual XG-7100-1U Now ETH1-4 act as a switch for the VLAN 4081 LAN and ETH5-8 act as a switch for the VLAN 4091 LAN. Trunking VLAN tagged traffic For expanding on the previous example, let’s assume there is a management VLAN of 4000 where devices are already tagged on this VLAN prior to hitting pfSense.
Page 47
Security Gateway Manual XG-7100-1U Untagged traffic on ETH8 will be assigned a VLAN ID of 4091. ETH8 and the uplinks will also accept traffic that has already been tagged with a VLAN ID of 4000 as well. 2.2 Connecting to the Console Port There are times when directly accessing the console is required.
Page 48
Security Gateway Manual XG-7100-1U 2.2.2 Connect a USB Cable Next, locate an appropriate USB cable that has a USB Mini-b (5-pin) connector on one end and a regular USB Type A plug on the other end. These cables are commonly used with smaller USB peripherals such as GPS units, cameras, and so on.
Page 49
Security Gateway Manual XG-7100-1U Mac OSX The device associated with the system console is likely to show up as /dev/cu.SLAB_USBtoUART. Linux The device associated with the system console is likely to show up as /dev/ttyUSB0. Look for messages about the device attaching in the system log files or by running dmesg.
Page 50
Security Gateway Manual XG-7100-1U 2.2.4 Launch a Terminal Program Use a terminal program to connect to the system console port. Some choices of terminal programs: Windows For Windows it is recommended to run PuTTY or SecureCRT. An example of how to configure Putty is below.
Page 52
Security Gateway Manual XG-7100-1U Terminal Settings The settings to use within the terminal program are: Speed 115200 baud, the speed of the BIOS Data bits 8 Parity none Stop bits 1 Flow Control Off or XON/OFF. Hardware flow control (RTS/CTS) must be disabled.
Page 53
firmware by selecting Firmware Access as the General Problem and then select Netgate XG-7100 1U for the platform. Make sure to include the serial number in the ticket to expedite access.
Page 54
Security Gateway Manual XG-7100-1U Note: Options such as the type of disk partition can be modified through this installation if required. 8. The installer will then prompt to choose the type of system being installed, which pre-configures device-specific defaults. Choose the option that exactly matches the unit being reinstalled. If the model is unknown, check the sticker on the bottom of the unit.
Page 55
4. Any hardware damage incurred during this procedure is not covered by the hardware warranty. Note: By default, the M.2 SATA drive will be the first drive recognized by the Netgate® device. pfSense® must be reinstalled on the M.2 SATA drive.
Page 56
Security Gateway Manual XG-7100-1U 2. Unplug the Power Supply Connector from the system board, being careful not to flex the board. Fig. 9: Power Supply Connector Location Warning: Be sure to pull from the connector, not the wires. 3. Unplug the fans from the system board, being careful not to flex the board.
Page 61
Security Gateway Manual XG-7100-1U 7. Push the M.2 SATA drive down until it is parallel with the system board and use the screw to secure the M.2 SATA drive in place. Fig. 14: Secure the M.2 SATA Drive 8. Turn the board over and place it into the chassis. Secure the system board with four (4) board screws.
Page 64
3. Anti-static protection must be used throughout this procedure. 4. Any hardware damage incurred during this procedure is not covered by the hardware warranty. The XG-7100 PCIe Installation Kit from Netgate includes the components pictured below. Fig. 17: Bracket, Screws, Riser, and Extender When installing an optional expansion card, first install the riser and extender using the riser mounting bracket.
Page 68
2.6 BIOS Flash Procedure 2.6.1 Update via the GUI Warning: This only works with Netgate systems running pfSense® version 2.3 or greater. 1. To install the package, navigate to System > Package Manager > Available Packages. 2. Click the Install button for the package named Netgate_Coreboot_Upgrade.
Page 77
4. When the installation is complete a message will appear saying: pfSense-pkg-Netgate_Coreboot_Upgrade installation successfully completed 5. Now that the package is installed, navigate to System > Netgate Coreboot Upgrade. 6. This page will show you the latest version of Coreboot available and the current version that is running on the system.
Page 78
CHAPTER THREE REFERENCES 3.1 Switch Ports Overview 3.1.1 Interface Links In addition to two SFP+ interfaces, there is also an ethernet switch on the XG-7100. There are eight ethernet ports on this switch that are physically accessible - these interfaces are referred to as ETH1-ETH8. In addition to those 8 ports, there are also three additional ports that operate behind the scenes - PORT 0, PORT 9 (ix2), and PORT 10 (ix3).
Page 79
Security Gateway Manual XG-7100-1U From the operating systems perspective, there are four physical interfaces present: ix0 - 10Gbps SFP+ ix1 - 10Gbps SFP+ ix2 - 2.5 Gbps (2500-Base-KX, switch link to SoC/CPU) ix3 - 2.5 Gbps (2500-Base-KX, switch link to SoC/CPU) 3.1.2 High Availability...
Page 80
Security Gateway Manual XG-7100-1U 3.1.3 Switch LAGG ix2 and ix3 (switch uplink ports 9 and 10), are configured as a load-balanced LAGG. This provides an aggregate uplink capable of 5Gbps for ethernet switchports ETH1-8. This is further demonstrated in the diagram below: When data is received on ETH1-8, the switch is capable of utilizing LAGG to determine whether that data should be sent out of PORT 9 or PORT 10.
Page 81
Security Gateway Manual XG-7100-1U VLAN 4090 VLAN 4091 ETH1-8 are configured to act as Access ports. • When data comes into the ETH1 interface, a VLAN tag of 4090 is added to the ethernet frame. • When data comes into interfaces ETH2-8, a VLAN tag of 4091 is added to the ethernet frame.
Page 82
3.2 Additional Resources 3.2.1 Netgate Training Netgate training offers training courses for increasing your knowledge of pfSense® products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction;...
Page 83
Security Gateway Manual XG-7100-1U 3.2.2 Resource Library To learn more about how to use your Netgate appliance and for other helpful resources, make sure to browse our Resource Library. https://www.netgate.com/resources 3.2.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or cir- cuits, network design, and conversion from other firewalls to pfSense software.
Need help?
Do you have a question about the XG-7100-1U and is the answer not in the manual?
Questions and answers