Page 2
CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
Page 3
Security Gateway Manual SG-3100 This Quick Start Guide covers the first time connection procedures for the Netgate® 3100 Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, a good practice is to download the...
Page 4
OUT OF THE BOX 1.1 Getting Started The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance should be unplugged at this time. Connect one end of an Ethernet cable to the WAN port (shown in the...
Page 5
Connecting to the Console Port. Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also 192.168.1.1/24, disconnect the WAN interface until the LAN interface on the firewall has been renumbered...
Page 6
If the CPE on WAN (e.g. DSL or Cable Modem) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the WAN port on the Netgate 3100 Security Gateway before proceeding. Change the default LAN IP Address of the device during a later step in the configuration to avoid having conflicting subnets on the WAN and LAN.
Page 7
1. Click Next to start the Setup Wizard. Fig. 3: Click Next 2. Click Next after reading the information on Netgate Global Support. 3. On the General Information page, use the following as a guide to configure the firewall. Hostname Any desired name can be entered. For the purposes of this guide, the default hostname pfsense is used.
Page 9
Tip: If the CPE on WAN (e.g. DSL or Cable Modem) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the WAN port on the Netgate 3100 Security Gateway before proceeding. Change the default LAN IP Address of the device during a later step in the configuration to avoid having conflicting subnets on the WAN and LAN.
Page 11
firewall. Fig. 8: The pfSense® Plus Dashboard Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 Identifies what version of pfSense® Plus software is installed, and if an update is available.
Page 12
Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
Page 14
See also: Connecting to the Console Port. Cable is required. Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training course or browse the extensive Resource Library.
Page 15
Left Flashes with 10 Mb traffic, solid with link. Note: Prior to pfSense® software version 2.4.3, the switched Ethernet ports on the SG-3100 did not support auto MDI-X and required a crossover cable unless the client-side connection supported auto MDI-X. This was resolved with 2.4.3 and later versions and a crossover cable is no longer required.
Page 16
For example, UPS/Battery Backups, Cellular modems, GPS units, and storage devices. Though the operating system also supports wired and wireless network devices, these are not ideal and should be avoided. 1.4.2 Front Side Fig. 13: Front view of the Netgate 3100 Firewall Appliance LED Patterns Description...
Page 18
Category Description ARM v7 Cortex-A9 @ 1.6 GHz with NEON SIMD and FPU CPU Cores Dual Core Networking Two 1 Gigabit Ethernet Ports, configured as dual WAN or one WAN one LAN plus four-port 1 Gbps Marvell 88E6141 switch, uplinked at 2.5 Gbps to the third port on the SoC...
Page 19
1.6 Safety and Legal 1.6.1 Safety Notices 1. Read, follow, and keep these instructions. 2. Heed all warnings. 3. Only use attachments/accessories specified by the manufacturer. Warning: Do not use this product in a location that can be submerged by water.
Page 20
Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment.
Page 21
1.6.8 Declaration of Conformity Česky [Czech] NETGATE tímto prohlašuje, že tento NETGATE device, je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/ES. Dansk [Danish] Undertegnede NETGATE erklærer herved, at følgende udstyr NETGATE device, overholder de væsentlige krav og...
Page 23
Con la presente NETGATE dichiara che questo NETGATE device, è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Latviski [Latvian] Ar šo NETGATE deklarē, ka NETGATE device, atbilst Direktīvas 1999/5/EK būtiskajām prasībām un citiem ar to saistītajiem noteikumiem. Lietuviškai [Lithuanian] NETGATE deklaruoja, kad šis NETGATE ı...
Page 24
Niniejszym, firma NETGATE oświadcza, że produkt serii NETGATE device, spełnia zasadnicze wymagania i inne istotne postanowienia Dyrektywy 1999/5/EC. Português [Portuguese] NETGATE declara que este NETGATE device, está conforme com os requisitos essenciais e outras disposições da Directiva 1999/5/CE. Română [Romanian] Prin prezenta, NETGATE declară...
Page 25
1.6.10 Applicable Law By using any Products/Services, you agree that the Federal Arbitration Act, applicable federal law, and the laws of the state of Texas, without regard to principles of conflict of laws, will govern these terms and conditions of use and any dispute of any sort that might arise between you and RCL and/or ESF.
Page 26
KIND ARISING FROM THE USE OF ANY PRODUCTS/SERVICES, OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH ANY PRODUCTS/SERVICES, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING.
Page 27
CHAPTER HOW-TO GUIDES 2.1 Connecting to the Console Port This guide shows how to access the serial console which can be used for troubleshooting and diagnostics tasks as well as some basic configuration. There are times when directly accessing the console is required. Perhaps GUI or SSH access has been locked out, or the password has been lost or forgotten.
Page 28
Tip: Be certain to gently push in the USB Mini-B (5-pin) connector on the device side completely. With most cables there will be a tangible “click”, “snap”, or similar indication when the cable is fully engaged.
Page 29
macOS The device associated with the system console is likely to show up as, or start with, /dev/cu.usbserial-<id>. Run ls -l /dev/cu.* from a Terminal prompt to see a list of available USB serial devices and locate the appropriate one for the hardware.
Page 30
2.1.5 Launch a Terminal Program Use a terminal program to connect to the system console port. Some choices of terminal programs: Windows For Windows the best practice is to run PuTTY in Windows or SecureCRT. An example of how to configure PuTTY is below.
Page 32
Fig. 2: An example of using PuTTY in Linux GNU screen In many cases screen may be invoked simply by using the proper command line, where <console-port> is the console port that was located above. sudo screen <console-port>...
Page 33
Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output. Hardware Failure There could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assistance.
Page 34
No Serial Output If there is no output at all, check the following items: USB Cable Not Plugged In For USB consoles, the USB cable may not be fully engaged on both ends. Gently, but firmly, ensure the cable has a good connection on both sides.
Page 35
firmware by selecting Firmware Access as the General Problem and then select Netgate 3100 for the platform. Make sure to include the serial number in the ticket to expedite access.
Page 37
Backup and Restore. 2.3 M.2 SATA Installation The SG-3100 has built-in onboard eMMC storage. Optionally, an M.2 SATA drive could be installed as an upgrade or to bypass the onboard eMMC flash memory. Warning: Before proceeding: 1. Back up the configuration file, if possible.
Page 38
Note: The SG-3100 does not support NVMe drives. The SG-3100 has two slots capable of installing M.2 SATA drives, J10 and J11. J10 The J10 connector is for a 2280 (22mm x 80mm) M.2 SATA only. The 80mm standoff cannot be moved.
Page 40
4. Gently push down the M.2 SATA card and replace the screw into the standoff. 5. Place the cover back on and turn the SG-3100 over. Replace the four (4) T10 Torx case screws. Be careful not to cross-thread the screws.
Page 43
Note: When connecting to the GUI, do NOT connect to any port being configured during this procedure or the device will lose connectivity to the GUI. 1. Open the pfSense® Plus software GUI and log in.
Page 44
Note: This guide uses 4084 as an example. The value for the tags must be unique for each VLAN and must be between 1 and 4094. Avoid using values that are already in use. Best practice is not to use 1.
Page 45
10. Check the Enable Interface check-box. 11. Change the IPv4 Configuration Type from None to Static IPv4. 12. Scroll down and make the IPv4 Address 192.168.100.1/24 (in this example). 13. Click Save. 14. Click Apply Changes.
Page 47
18. Type 4084 for the VLAN Tag and 4 for Member(s). This represents LAN4 (port 4) and tagged should be unchecked. 19. Click + Add Member to add the LAN Uplink, 5. This member should be tagged as shown.
Page 48
25. Click on Port VID 1 beside LAN4. Backspace through 1 and insert 4084, the new VLAN ID. 26. Click Save. This completes the configuration of a discrete port on the SG-3100. to allow the traffic. Go to Firewall > Rules and By default all traffic is blocked.
Page 49
2.5 Configuring an OPT interface as an additional WAN Note: The default configuration of the Netgate 3100 includes one assigned OPT port which is separate from the switch. The switch ports may also be configured as additional discrete OPT ports, see Switch Overview for details.
Page 50
The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on. Note: As this guide does not know what that number will be on a given configuration, it will refer to the interface...
Page 51
The firewall applies outbound NAT to traffic exiting WAN type interfaces but does not use WAN type interface networks as a source for outbound NAT on other interfaces. Firewall rules on WAN type interfaces get reply-to added to ensure traffic entering a WAN exits the same WAN, and traffic exiting the interface is nudged toward its gateway.
Page 52
2.5.5 Firewall Rules By default there are no rules on the new interface, so the firewall will block all traffic. This is ideal for a WAN, so is safe to leave as-is. Adding services on the new WAN, such as VPNs, may require rules but those should be handled on a case-by-case basis.
Page 53
Now set the default gateway to a failover group: • Navigate to System > Routing, Gateways tab • Set Default gateway IPv4 to PreferWAN • Click Save • Click Apply Changes Note: This is important for failover from the firewall itself so it always has outbound access. While this also enables basic failover for client traffic, it’s better to use policy routing rules to control client traffic behavior.
Page 54
2.5.8 Setup Policy Routing Policy routing involves setting a gateway on firewall rules which direct matching traffic out specific WANs or failover groups. In simple cases (one LAN, no VPNs) the only requirement to configure policy routing is to add a gateway to existing rules.
Page 55
2.6 Configuring an OPT interface as an additional LAN Note: The default configuration of the Netgate 3100 includes one assigned OPT port which is separate from the switch. The switch ports may also be configured as additional discrete OPT ports, see Switch Overview for details.
Page 56
2.6.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc). • Choose a new local subnet to use for the additional LAN type interface. This example uses 192.168.2.0/24. 2.6.2 Assign the Interface The first step is to assign an OPT interface.
Page 57
The lack of a selected gateway in the interface configuration causes the firewall to treat the interface as a LAN type interface. The firewall uses LAN type interfaces as sources of outbound NAT traffic but does not apply outbound NAT on traffic exiting a LAN.
Page 58
Description Text describing the rule, e.g. Guest LAN outbound on WAN • Click Save • Click Apply Changes Alternately, clone existing NAT rules and adjust as needed to match the new LAN. 2.6.6 Firewall Rules By default there are no rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as generally speaking, the LAN clients will need to contact hosts through the firewall.
Page 59
Create RFC1918 alias or alias containing at least the local/private networks on this firewall, such as VPNs. Using all of the RFC1918 networks is a safer practice • Navigate to Firewall > Aliases • Click • Configure it as follows:...
Page 60
Source OPTx Net (or the custom name) Destination This Firewall (self) Description Allow client ICMP to the firewall • Click Save Add rule to reject any other traffic to firewall • Click to add a new rule at the bottom of the list.
Page 61
• Consider using captive portal to control access to the interface 2.7 Factory Reset Procedure The Netgate 3100 firewall appliance does not have a hardware button to reset the configuration to factory defaults. On this device it is still possible to perform a Factory Reset from GUI or Console.
Page 63
3.1.1 Interface Links The four LAN ports on the Netgate 3100 are connected internally to a switch. In addition to the four physical ports there is also an internal switch port (Port 5) which acts as an uplink, and the mvneta1 interface which is the corresponding operating system interface for the switch uplink.
Page 64
Netgate training has got you covered. https://www.netgate.com/training 3.2.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.2.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or...
Page 65
Netgate forum. https://forum.netgate.com/ 3.3 Warranty and Support • One year manufacturer’s warranty. • Please contact Netgate for warranty information or view the Product Lifecycle page. • All Specifications subject to change without notice For support information, view support plans offered by Netgate.