Page 2
CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
Page 3
Security Gateway Manual SG-5100 This Quick Start Guide covers the first time connection procedures for the Netgate® 5100 Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, a good practice is to download the...
Page 4
OUT OF THE BOX 1.1 Getting Started The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance should be unplugged at this time. Connect one end of an Ethernet cable to the WAN port (shown in the...
Page 5
Connecting to the Console Port. Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also 192.168.1.1/24, disconnect the WAN interface until the LAN interface on the firewall has been renumbered...
Page 6
Plug the power cable into the power port and press the power button on the back near the power connector (shown in Input and Output Ports section) to turn on the Netgate® Firewall. Allow 4 or 5 minutes to boot up completely. Warning: If the CPE on WAN (e.g.
Page 7
1. Click Next to start the Setup Wizard. Fig. 3: Click Next 2. Click Next after reading the information on Netgate Global Support. 3. On the General Information page, use the following as a guide to configure the firewall. Hostname Any desired name can be entered. For the purposes of this guide, the default hostname pfsense is used.
Page 9
Tip: If the CPE on WAN (e.g. DSL or Cable Modem) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the IGB0 port on the Netgate 5100 Security Gateway before proceeding. Change the default LAN IP Address of the device during a later step in the configuration to avoid having conflicting subnets on the WAN and LAN.
Page 11
firewall. Fig. 8: The pfSense® Plus Dashboard Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 Identifies what version of pfSense® Plus software is installed, and if an update is available.
Page 12
Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
Page 14
See also: Connecting to the Console Port. Cable is required. Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training course or browse the extensive Resource Library.
Page 15
Blinking Amber Operating as a Gigabit connection (1000 Mbps) No link has been established Note: All Ethernet ports of the Netgate® appliance support auto-MDIX and are capable of utilizing either straight-through or crossover Ethernet cables. Other Ports and Indicators •...
Page 16
Center Pin Positive Note: The power button on the SG-5100 has been programmed to perform a graceful shutdown when depressed. The reset button is only used to reset the system back to factory defaults. It does not respond when pushed while the system is running.
Page 17
Warning: Do not use this product during an electrical storm to avoid electrical shock. 1.5.2 Electrical Safety Information 1. Compliance is required with respect to voltage, frequency, and current requirements indicated on the manufacturer’s label. Connection to a different power source than those specified may result in improper operation, damage to the equipment or pose a fire hazard if the limitations are not followed.
Page 18
1.5.5 CE Marking CE marking on this product indicates that the product is in compliance with all directives that are applicable to it. 1.5.6 RoHS/WEEE Compliance Statement English European Directive 2002/96/EC requires that the equipment bearing this symbol on the product and/or its packaging must not be disposed of with unsorted municipal waste.
Page 19
1.5.7 Declaration of Conformity Česky [Czech] NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned NETGATE hereby declares that the following equipment, NETGATE device, complies with the essential requirements and...
Page 20
I, the undersigned, NETGATE, declare that the NETGATE device complies with the relevant essential requirements and the other provisions of Directive 1999/5/EC. Íslenska [Icelandic] NETGATE hereby declares that the NETGATE device is in compliance with the essential requirements and other requirements set out in Directive 1999/5/EC. Italiano [Italian] NETGATE hereby declares that this NETGATE device is...
Page 21
NETGATE hereby declares that the equipment NETGATE device is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC. Slovensky [Slovak] NETGATE hereby declares that the NETGATE device meets the essential requirements and all relevant provisions of Directive 1999/5/EC. Svenska [Swedish] NETGATE hereby certifies that this NETGATE device is in compliance with the essential requirements...
Page 22
Rubicon Communications LLC Attn.: Legal Dept. 4616 West Howard Lane, Suite 900 Austin, Texas 78728 legal@netgate.com The arbitration will be conducted by the American Arbitration Association (AAA) under its rules. The AAA’s rules are available at www.adr.org. Payment of all filing, administration and arbitrator fees will be governed by the AAA’s rules.
Page 23
1.5.12 Limited Warranty DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) AND OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY US ON AN “AS IS” AND “AS AVAILABLE” BASIS, UNLESS OTHERWISE SPECIFIED IN WRITING.
Page 24
CHAPTER HOW-TO GUIDES 2.1 Connecting to the Console Port This guide shows how to access the serial console which can be used for troubleshooting and diagnostics tasks as well as some basic configuration. There are times when directly accessing the console is required. Perhaps GUI or SSH access has been locked out, or the password has been lost or forgotten.
Page 25
2.1.3 Apply Power to the Device On some devices when using a USB serial console port the serial port will not appear on the client operating system until the device is plugged into a power source.
Page 26
The device associated with the system console is likely to show up as /dev/cuaU0. Look for messages about the device attaching in the system log files or by running dmesg. Note: If the serial device is not present, ensure the device has power and then check again.
Page 28
PuTTY in Linux • Open PuTTY from a terminal by typing sudo putty Note: The sudo command will prompt for the local workstation password of the current account. • Set the Connection type to Serial • Set Serial line to /dev/ttyUSB0 •...
Page 29
If portions of the text are unreadable but appear to be properly formatted, the most likely culprit is a character encoding mismatch in the terminal. Adding the -U parameter to the screen command line arguments forces it to use UTF-8 for character encoding: sudo screen -U <console-port>...
Page 30
Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output. Hardware Failure There could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assistance.
Page 31
firmware by selecting Firmware Access as the General Problem and then select Netgate 5100 Desktop for the platform. Make sure to include the serial number in the ticket to expedite access.
Page 32
7. The installer will automatically launch and several options will be presented. On Netgate appliances, choosing Enter for the default options will complete the installation process. Note: Options such as the type of disk partition can be modified through this installation if required.
Page 33
The standoff for the M.2 SATA drive is not populated with a screw. A screw is provided in the original packaging with the SG-5100. If the original packaging is not available, a Standard M3 x 0.5 4mm Long Pan Head Screw can be used to secure the M.2 SATA drive in place.
Page 37
7. Gently push down the M.2 SATA card and place the screw into the standoff. 8. Locate the Thermal Pads that came with the SG-5100. There will be two (2) in a plastic bag. This procedure uses the larger of the two pads.
Page 45
• VPN Considerations • Testing 2.4.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc). • The WAN configuration type and settings must be known before starting. For example, this might be an IP address, subnet mask, and gateway value for static addresses or credentials for PPPoE.
Page 46
Default Check if this new WAN should be the default gateway. Gateway Name Name it the same as the interface (e.g. WAN2), or a variation thereof. Gateway IPv4 The IPv4 address of the gateway inside the same subnet.
Page 47
Protocol Any Source Network, and fill in the LAN subnet, e.g. 192.168.1.0/24. If there is more than one LAN subnet, create rules for each or use other methods such as aliases or CIDR summarization to cover them all.
Page 48
• Click Save • Click Add to create another gateway group • Configure the group as follows: Group Name LoadBalance Gateway Priority Gateways for WAN and WAN2 both on Tier 1 Description Prefer WAN2, fail to WAN Note: This performs connection-based load balancing, not per-packet load balancing.
Page 49
This will tell the firewall to use the DNS servers entered on this page and to ignore servers provided by dynamic WANs such as DHCP or PPPoE. Occasionally these providers may push conflicting DNS server information, so the best practice is to assign the DNS servers manually.
Page 50
2.4.9 Dynamic DNS Dynamic DNS provides several benefits for multiple WANs, particularly with VPNs. If the firewall does not already have one or more Dynamic DNS hostnames configured, consider signing up with a provider and creating one or more.
Page 51
• DHCP Server • Outbound NAT • Firewall Rules – Open – Isolated • Other Services 2.5.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc). • Choose a new local subnet to use for the additional LAN type interface. This example uses 192.168.2.0/24.
Page 52
• Uncheck Block private networks This interface is a private network, so this option would prevent it from functioning. • Uncheck Block bogon networks The rules on this interface should only allow traffic from the subnet on the interface, making this option unnecessary.
Page 53
Interface Choose the WAN interface. If there is more than one WAN interface, add separate rules for each WAN interface. Address Family IPv4 Protocol Any Source Network, and fill in the new LAN subnet, e.g. 192.168.2.0/24.
Page 54
Isolated In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more complicated rules.
Page 55
• Click Save Add rule to pass ICMP to firewall • Click to add a new rule at the bottom of the list. • Configure the rule as follows: Action Pass Interface OPTx (or the custom name)
Page 56
Action Pass Interface OPTx (or the custom name) Protocol Any Source OPTx Net (or the custom name) Destination Any Description Default allow all from OPTx • Click Save With the rules all in place, now click Apply Changes to finish and activate the new rules.
Page 57
2.6 Factory Reset Procedure This procedure performs a factory reset using the hardware button on the Netgate 5100. See also: • Factory Reset Video • Factory Reset from GUI or Console 1. Remove power from the device.
Page 58
Netgate training has got you covered. https://www.netgate.com/training 3.1.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.1.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or...
Page 59
3.2 Warranty and Support • One year manufacturer’s warranty. • Please contact Netgate for warranty information or view the Product Lifecycle page. • All Specifications subject to change without notice For support information, view support plans offered by Netgate.