Security Gateway Manual
XG-7100
© Copyright 2024 Rubicon Communications LLC
Jun 27, 2024


Summary of Contents for Netgate 7100

  • Page 2 CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
  • Page 3 XG-7100 This Quick Start Guide covers the first time connection procedures for the Netgate® 7100 Desktop Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, a good practice is to download the...
  • Page 4 OUT OF THE BOX 1.1 Getting Started The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance should be unplugged at this time. Connect one end of an Ethernet cable to the WAN port (shown in the...
  • Page 5 Connecting to the USB Console Port. Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also 192.168.1.1/24, disconnect the WAN interface until the LAN interface on the firewall has been renumbered to...
  • Page 6 Allow 4 or 5 minutes to boot up completely. Warning: If the ISP Customer Premise Equipment (CPE) on WAN (e.g. Fiber or Cable Router) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the ETH1 port on the Netgate 7100 Security Gateway before proceeding.
  • Page 7 Fig. 2: Example certificate warning message...
  • Page 8 Fig. 3: Setup Wizard starting page 1. Click Next to start the Setup Wizard. 2. Click Next after reading the information on Netgate Global Support. 3. Use the following items as a guide to configure the options on the General Information page: Hostname Any desired hostname name can be entered to identify the firewall.
  • Page 9 Fig. 4: General Information page in the Setup Wizard...
  • Page 10 Plus dashboard, click Finish. Note: This step of the wizard also contains several useful links to Netgate resources and methods of obtaining assistance with the product. Be sure to read through the items on this page before finishing the wizard.
  • Page 11 Read and click Accept to continue to the dashboard. If the Ethernet cable was unplugged at the beginning of this configuration, reconnect it to the ETH1 port now. This completes the basic configuration for the Netgate appliance...
  • Page 12 Fig. 7: Copyright and Trademark Notices...
  • Page 13 Fig. 8: The pfSense® Plus Dashboard Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 Identifies what version of pfSense® Plus software is installed, and if an update is available.
  • Page 14 Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
  • Page 15 Fig. 10: Backup & Restore Fig. 11: Click Download configuration as XML...
  • Page 16 See also: Connecting to the USB Console Port. Cable is required. Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training course or browse the extensive Resource Library.
  • Page 17 Switch LAGG section of the Netgate 7100 Switch Overview page. Warning: The LAN ports do not support the Spanning Tree Protocol (STP). Two or more ports connected to another Layer 2 switch, or connected to 2 or more different interconnected switches, could create a flooding loop between the switches.
  • Page 18 Compatible SFP/SFP+ Modules Below are some general guidelines for compatible SFP/SFP+ modules: • Intel-branded SFP+ SR/LR Dual Speed (1G/10G) optical modules. • Intel-branded SFP+ DA twin-ax cables that comply with SFF-8431 v4.1 and SFF-8472 v10.4 specifications.
  • Page 19 – Power Consumption 20W (idle) Note: When a graceful shutdown is performed, the Netgate 7100 Power (PWR) LED will turn red but will stay lit. The Ethernet activity LEDs will turn off. The power supply fan will continue to run. Turning off the rocker switch on the back of the power supply will eliminate all power to the system.
  • Page 20 (UPS) or a combination of those devices. Failure to take such precautions could result in premature failure, and/or damage to your Netgate appliance, which is not covered under the product warranty. Such an event may also present the risk of electric shock, fire, or explosion.
  • Page 21 1.5.4 Industry Canada This Class B digital apparatus complies with Canadian ICES-3(B). [The same statement in French:] This Class B digital apparatus complies with Canadian standard NMB-3(B). 1.5.5 Australia and New Zealand This is an AMC Compliance level 2 product. This product is suitable for domestic environments.
  • Page 22 1.5.8 Declaration of Conformity Česky [Czech]: NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish]: The undersigned NETGATE hereby declares that the following equipment, NETGATE device, complies with the essential requirements and...
  • Page 23 I, the undersigned, NETGATE, declare that the NETGATE device complies with the relevant essential requirements and other provisions of Directive 1999/5/EC. Íslenska [Icelandic]: NETGATE hereby declares that the NETGATE device is in compliance with the essential requirements and other requirements laid down in Directive 1999/5/EC. Italiano [Italian]: NETGATE hereby declares that this NETGATE device is...
  • Page 24 NETGATE hereby declares that the equipment NETGATE device is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC. Slovensky [Slovak]: NETGATE hereby declares that the NETGATE device meets the essential requirements and all relevant provisions of Directive 1999/5/EC. Svenska [Swedish]: NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements...
  • Page 25 Română [Romanian]: NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. 1.5.9 Disputes ANY DISPUTE OR CLAIM RELATING IN ANY WAY TO YOUR USE OF ANY PRODUCTS/SERVICES, OR TO ANY PRODUCTS OR SERVICES SOLD OR DISTRIBUTED BY RCL OR ESF WILL BE RESOLVED BY BINDING ARBITRATION IN AUSTIN, TEXAS, RATHER THAN IN COURT.
  • Page 26 1.5.11 Site Policies, Modification, and Severability Please review our other policies, such as our pricing policy, posted on our websites. These policies also govern your use of Products/Services. We reserve the right to make changes to our site, policies, service terms, and these terms and conditions of use at any time.
  • Page 27 Chapter 2: How-To Guides 2.1 Configuring the Switch Ports See also: For an overview of how the switch ports operate and their capabilities, see Switch Ports Overview. 2.2 Switch Section In the pfSense® Plus software GUI, there is a menu option Switches under the Interfaces drop-down. This section contains switch specific configuration options.
  • Page 28 2.2.1 System Fig. 1: Information on the Marvell 6000 switch 2.2.2 LAGGs Fig. 2: Information on members of the switch LAG 2.2.3 Ports Information on switchport status and port names. If 802.1q is enabled, this section can also set the native VLAN ID for each port.
  • Page 29 Fig. 3: 802.1q enabled (default) Fig. 4: Port VLAN Mode...
  • Page 30 Fig. 5: 802.1q enabled (default) Fig. 6: Port VLAN Mode...
  • Page 31 2.3.1 Interface Assignments Under Interface Assignments, notice LAGG0 (UPLINK) is displayed as an available port but is not enabled in the list of interfaces. This is because the default configuration is only expecting VLAN tagged traffic, so the VLAN child interfaces 4090 and 4091 are enabled instead.
  • Page 32 This example performs the WAN interface reassignment using the console. The WAN assignment can be changed using the GUI. This is what the default interface assignments look like on a Netgate 7100 DT: In this example, ix0 is the WAN, so select option 1 to re-assign WAN from lagg0.4090 to ix0:...
  • Page 33 No additional VLANs are needed for this, so enter n to continue. Input ix0 as the new WAN interface name: Input the same default LAN interface of lagg0.4091 for the LAN interface name and press Enter to complete the...
  • Page 34 At this point SFP+ port ix0 is now configured as the WAN interface. The LAN interface is still configured the same as the default. Next, the switch will need to be updated so that ETH1 (previously WAN) acts the same as ETH2-8. This will be done from the GUI.
  • Page 35 This example removed VLAN 4090 from the switch with Now edit the VLAN 4091 entry to include Member 1 as shown below: Next, update the Port VID for ETH1 so that it uses VLAN 4091 rather than the previous VLAN 4090. To do this,...
  • Page 36 At this point, everything should be configured properly. ETH1-8 will act as a single LAN switch. One final step that should be performed is to remove the now unnecessary VLAN 4090 from pfSense® Plus software. So far VLAN 4090 was only removed from the switch.
  • Page 37 Add, enable, and configure the VLAN interface under Interfaces Assignments:...
  • Page 38 Also create any necessary firewall rules under Firewall > Rules. Now that pfSense® Plus software knows of this new VLAN network, configure the switch so that ETH1-4 all use the new network. To do this, go to Interfaces > Switches, VLANs tab and click the Add Tag button. Input the VLAN tag for the new network (same as the VLAN ID configured in the previous steps) and add ETH1-4 and PORT9-10 (uplinks) as members.
  • Page 39 Once this is done, delete the untagged members 1,2,3,4 from VLAN group 2 and click the Save button. The final result should look like this: Lastly, update the Port VID values to use the new 4081 VLAN rather than 4091 on ETH1-4 and click Save:...
  • Page 40 Now ETH1-4 act as a switch for the VLAN 4081 LAN and ETH5-8 act as a switch for the VLAN 4091 LAN. 2.4.3 Trunking VLAN tagged traffic Expanding on the previous example, assume there is a management VLAN of 4000 where devices are already tagged on this VLAN prior to reaching the device.
  • Page 41 Untagged traffic on ETH8 will be assigned a VLAN ID of 4091. ETH8 and the uplinks will also accept traffic that has already been tagged with a VLAN ID of 4000. 2.5 Connecting to the USB Console Port This guide shows how to access the serial console, which can be used for troubleshooting and diagnostics tasks as well as some basic configuration.
  • Page 42 2.5.2 Connect a USB Cable Next, locate an appropriate USB cable that has a USB Mini-B (5-pin) connector on one end and a regular USB Type A plug on the other end. These cables are commonly used with smaller USB peripherals such as GPS units, cameras, and so on.
  • Page 43 macOS The device associated with the system console is likely to show up as, or start with, /dev/cu.usbserial-<id>. Run ls -l /dev/cu.* from a Terminal prompt to see a list of available USB serial devices and locate the appropriate one for the hardware.
  • Page 44 2.5.5 Launch a Terminal Program Use a terminal program to connect to the system console port. Some choices of terminal programs: Windows For Windows the best practice is to run PuTTY or SecureCRT. An example of how to configure PuTTY is shown in PuTTY in Windows below.
  • Page 45 Fig. 7: An example of using PuTTY in Windows...
  • Page 46 Fig. 8: An example of using PuTTY in Linux GNU screen In many cases screen may be invoked simply by using the proper command line, where <console-port> is the console port that was located above: sudo screen <console-port>...
  • Page 47 Terminal Settings The settings to use within the terminal program are: Speed: 115200 baud, the speed of the BIOS; Data bits; Parity: None; Stop bits; Flow Control: Off or XON/XOFF. Warning: Hardware flow control (RTS/CTS) must be disabled.
  • Page 48 Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output. Hardware Failure There could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assistance. No Serial Output...
  • Page 49 Wrong Terminal Settings Ensure the terminal program is configured for the correct speed. The default BIOS speed is 115200, and many other modern operating systems use that speed as well. Some older operating systems or custom configurations may use slower speeds such as 9600 or 38400.
  • Page 50 TAC ticket to request access by selecting Firmware Access as the General Problem and then select Netgate 7100 Desktop for the platform. Make sure to include the serial number in the ticket to expedite access. Once the ticket is processed, the latest stable version of the firmware will be attached to the ticket, with a name such as: pfSense-plus-memstick-serial-24.03-RELEASE-amd64.img.gz...
  • Page 51 7. The installer will automatically launch and several options will be presented. On Netgate appliances, choosing Enter for the default options will complete the installation process. Note: Options such as the type of disk partition can be modified through this installation if required.
  • Page 52 umass1: detached uhub1: detached 10. Remove the USB drive from the USB port. Important: If the USB drive remains attached, the system will boot into the installer again because by default the system firmware is configured so that a device plugged into the USB port will be booted with a higher priority.
  • Page 53 • Dynamic DNS • VPN Considerations • Testing 2.7.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc). • The WAN configuration type and settings must be known before starting. For example, this might be an IP address, subnet mask, and gateway value for static addresses or credentials for PPPoE.
  • Page 54 Default Check if this new WAN should be the default gateway. Gateway Name Name it the same as the interface (e.g. WAN2), or a variation thereof. Gateway IPv4 The IPv4 address of the gateway inside the same subnet.
  • Page 55 • Configure the rule as follows: Interface Choose the new WAN interface (e.g. WAN2) Address Family IPv4 Protocol Source Network, and fill in the LAN subnet, e.g. 192.168.1.0/24. If there is more than one LAN subnet, create rules for each or use other methods such as aliases or CIDR summarization to cover them all.
  • Page 56 Description Prefer WAN, fail to WAN2 • Click Save • Click Add to create another gateway group • Configure the group as follows: Group Name PreferWAN2 Gateway Priority Gateway for WAN on Tier 2, and WAN2 on Tier 1...
  • Page 57 2.7.7 DNS DNS is critical for Internet access and it's important to ensure the firewall can always resolve hostnames using DNS even when running on a secondary WAN. The needs here depend upon the configuration of the DNS Resolver or Forwarder.
  • Page 58 • Click to add a new rule at the top of the list • Configure the rule as follows: Action Pass Interface Protocol Source LAN net Destination The other local subnet, VPN network, or an alias of such networks.
  • Page 59 2.7.11 Testing Methods for testing depend on the type of WANs and gateway groups in use. • For most WANs, a better test is to unplug the upstream connection from the ISP Customer Premise Equipment (CPE). This more accurately simulates a typical type of upstream connectivity failure. Do not power off the CPE or unplug the connection between the firewall and the CPE.
  • Page 60 2.8.2 Assign the Interface The first step is to assign an OPT interface. • Navigate to Interfaces > Assignments Look at the list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.
  • Page 61 See also: Interface Configuration 2.8.4 DHCP Server Next, configure DHCP service for this local interface. This is a convenient and easy way to assign addresses for clients on the interface, but is optional if clients will be statically addressed instead.
  • Page 62 Description Text describing the rule, e.g. Guest LAN outbound on WAN • Click Save • Click Apply Changes Alternately, clone existing NAT rules and adjust as needed to match the new LAN. 2.8.6 Firewall Rules By default there are no rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as, generally speaking, the LAN clients will need to contact hosts through the firewall.
  • Page 63 Isolated In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more complicated rules.
  • Page 64 Destination This Firewall (self) If clients are to use DNS servers other than the firewall, use those as the destination instead. Destination Port Range DNS, or choose Other and enter 53 To allow DNS over TLS as well, add another rule for DNS over TLS or port 853.
  • Page 65 Destination This Firewall (self) Description Reject all other traffic to the firewall • Click Save Add rule to reject traffic from this network to private networks • Click to add a new rule at the bottom of the list.
  • Page 66 • Consider using captive portal to control access the interface 2.9 M.2 SATA Installation The XG-7100 Desktop has 32 GB of onboard eMMC storage. Optionally, a M.2 SATA drive can be installed as an upgrade or to bypass the onboard eMMC flash memory.
  • Page 67 M.2 SATA drive. Note: The XG-7100 does not support NVMe drives. The M.2 SATA slot is located underneath the XG-7100 system board, so the entire board must be removed. The standoff is for the 2280 (22mm x 80mm) M.2 SATA drive.
  • Page 68 Fig. 11: Slide the Base of the System Away From the Lid...
  • Page 69 Fig. 12: Power Supply Connector and Fan Connector Location...
  • Page 70 board is free. Fig. 13: Board Screw Locations 5. Turn the board over and locate the M.2 SATA slot. 6. Insert the gold leads of the M.2 SATA drive into the slot at the angle shown.
  • Page 71 Fig. 14: M.2 SATA Slot Location...
  • Page 72 Fig. 15: M.2 SATA Drive Properly Inserted into the Slot...
  • Page 73 Fig. 16: Secure the M.2 SATA Drive...
  • Page 74 Fig. 17: M.2 SATA Drive Installed...
  • Page 75 Note: This package was formerly known as “Netgate Coreboot Upgrade” 2.11.1 Install the Netgate Firmware Upgrade Package This package is present on relevant Netgate hardware installations by default, but can be added manually. If the package is already present, skip to the next section.
  • Page 76 2.12 Factory Reset Procedure The Netgate 7100 DT firewall appliance does not have a hardware button to reset the configuration to factory defaults. On this device it is still possible to perform a Factory Reset from the GUI or Console.
  • Page 77 3.1.1 Interface Links In addition to two SFP+ interfaces, there is also an Ethernet switch on the XG-7100. There are eight Ethernet ports on this switch that are physically accessible – these interfaces are referred to as ETH1-ETH8. In addition to those 8 ports, there are also three additional ports that operate behind the scenes - PORT 0, PORT 9 (ix2), and PORT 10 (ix3).
  • Page 78 From the operating system's perspective, there are four physical interfaces present: ix0 (10 Gbps SFP+); ix1 (10 Gbps SFP+); ix2 (2.5 Gbps, 2500-Base-KX, switch link to SoC/CPU); ix3 (2.5 Gbps, 2500-Base-KX, switch link to SoC/CPU). 3.1.2 Switch LAGG...
  • Page 79 When data is received on ETH1-8, the switch is capable of utilizing LAGG to determine whether that data should be sent out of PORT 9 or PORT 10. That data then passes over one of two 2.5 Gbps switch links (PORT 9/10) to the SoC.
  • Page 80 • When data comes into interfaces ETH2-8, a VLAN tag of 4091 is added to the Ethernet frame. PORT9-10 are configured to act as Trunk ports. • By default, only Ethernet frames containing a VLAN tag of 4090 or 4091 are allowed over the trunk.
  • Page 81 3.2.1 Netgate Training Netgate training offers training courses for increasing your knowledge of pfSense® Plus products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction;...
  • Page 82 3.2.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.2.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits,...