
Netgate SG-1100 Manual

Security gateway



Security Gateway Manual
SG-1100
© Copyright 2024 Rubicon Communications LLC
Sep 09, 2024


Summary of Contents for Netgate SG-1100

  • Page 1 Security Gateway Manual SG-1100 © Copyright 2024 Rubicon Communications LLC Sep 09, 2024...
  • Page 2 CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
  • Page 3 This Quick Start Guide covers the first-time connection procedures for the Netgate® 1100 Firewall Appliance and will provide the information needed to keep the appliance up and running.
  • Page 4 OUT OF THE BOX 1.1 Getting Started The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance should be unplugged at this time. Connect one end of an Ethernet cable to the WAN port (shown in the...
  • Page 5 Connecting to the USB Console Port. Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also 192.168.1.1/24, disconnect the WAN interface until the LAN interface on the firewall has been renumbered to...
  • Page 6 Allow 4 or 5 minutes to boot up completely. Warning: If the ISP Customer Premise Equipment (CPE) on WAN (e.g. Fiber or Cable Router) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the WAN port on the Netgate 1100 Security Gateway before proceeding.
  • Page 7 Fig. 2: Example certificate warning message
  • Page 8 Fig. 3: Setup Wizard starting page 1. Click Next to start the Setup Wizard. 2. Click Next after reading the information on Netgate Global Support. 3. Use the following items as a guide to configure the options on the General Information page: Hostname Any desired hostname can be entered to identify the firewall.
  • Page 9 Fig. 4: General Information page in the Setup Wizard
  • Page 10 Plus dashboard, click Finish. Note: This step of the wizard also contains several useful links to Netgate resources and methods of obtaining assistance with the product. Be sure to read through the items on this page before finishing the wizard.
  • Page 11 Read and click Accept to continue to the dashboard. If the Ethernet cable was unplugged at the beginning of this configuration, reconnect it to the WAN port now. This completes the basic configuration for the Netgate appliance.
  • Page 12 Fig. 7: Copyright and Trademark Notices
  • Page 13 Fig. 8: The pfSense® Plus Dashboard. Section 1: Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2: Identifies what version of pfSense® Plus software is installed, and if an update is available.
  • Page 14 Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
  • Page 15 Fig. 10: Backup & Restore. Fig. 11: Click Download configuration as XML
  • Page 16 See also: Connecting to the USB Console Port. Cable is required. Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training course or browse the extensive Resource Library.
  • Page 17 For example, UPS/Battery Backups, Cellular modems, GPS units, and storage devices. Though the operating system also supports wired and wireless network devices, these are not ideal and should be avoided. 1.4.2 Rear Side Fig. 13: Rear view of the Netgate 1100 Firewall Appliance From left to right: 1. Power Connector •...
  • Page 18 3. Recessed Reset Button (performs a hard reset, immediately turning the system off) Warning: A hard reset of the system could cause data corruption and should be avoided. Halt or reboot the system through the console menu or the GUI to avoid data corruption.
  • Page 19 1.5.2 Electrical Safety Information 1. Compliance is required with respect to voltage, frequency, and current requirements indicated on the manufacturer’s label. Connection to a different power source than those specified may result in improper operation, damage to the equipment or pose a fire hazard if the limitations are not followed.
  • Page 20 1.5.5 CE Marking CE marking on this product represents that the product is in compliance with all directives that are applicable to it. 1.5.6 RoHS/WEEE Compliance Statement English European Directive 2002/96/EC requires that the equipment bearing this symbol on the product and/or its packaging must not be disposed of with unsorted municipal waste.
  • Page 21 1.5.7 Declaration of Conformity Česky [Czech] NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned, NETGATE, hereby declares that the following equipment, NETGATE device, complies with the essential requirements and...
  • Page 22 Magyar [Hungarian] The undersigned, NETGATE, declares that the NETGATE device complies with the applicable essential requirements and other provisions of Directive 1999/5/EC. Íslenska [Icelandic] NETGATE hereby declares that the NETGATE device is in conformity with the basic requirements and other requirements laid down in Directive 1999/5/EC. Italiano [Italian] NETGATE hereby declares that this NETGATE device is...
  • Page 23 Norsk [Norwegian] NETGATE hereby declares that the equipment NETGATE device is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC. Slovensky [Slovak] NETGATE hereby declares that the NETGATE device meets the essential requirements and all relevant provisions of Directive 1999/5/EC. Svenska [Swedish] NETGATE hereby declares that this NETGATE device is in conformity with the essential requirements...
  • Page 24 Rubicon Communications LLC Attn.: Legal Dept. 4616 West Howard Lane, Suite 900 Austin, Texas 78728 legal@netgate.com The arbitration will be conducted by the American Arbitration Association (AAA) under its rules. The AAA’s rules are available at www.adr.org. Payment of all filing, administration and arbitrator fees will be governed by the AAA’s rules.
  • Page 25 1.5.12 Limited Warranty DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) AND OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY US ON AN “AS IS” AND “AS AVAILABLE” BASIS, UNLESS OTHERWISE SPECIFIED IN WRITING.
  • Page 26 Netgate 1100 Wall Mount Kit. Tip: Save the Netgate 1100 MAC Address, Serial Number, and NDI, located on the bottom of the system, before attaching the Netgate 1100 to the wall. Fig. 1: Loop one side of the Silicone Band under the wall mount of the Netgate 1100...
  • Page 27 Fig. 2: Stretch the Silicone Band to the opposite side of the wall mount
  • Page 29 Fig. 3: Loop the silicone band under the opposite side of the wall mount
  • Page 30 Fig. 4: The silicone band should look like this
  • Page 31 Fig. 5: Tuck both sides of the silicone band under the wall mount
  • Page 32 Note: Remove the rubber standoff feet from the Netgate 1100 prior to attaching to the wall mount. Do not remove the screws that are under the rubber standoff feet. Fig. 6: Place the Netgate 1100 over the silver aluminum standoffs on the wall mount and pull one side of the silicone band over the Netgate 1100, then the other Tip: Remember to save the Netgate 1100 MAC Address, Serial Number, and NDI, located on the bottom of the system, before attaching the Netgate 1100 to the wall.
  • Page 33 Fig. 7: When mounted properly, the Netgate 1100 should look like this
  • Page 34 Fig. 8: Note the silicone band under the Netgate 1100 when installed correctly
  • Page 35 Fig. 9: A Netgate 1100 wall mount kit correctly installed
  • Page 36 2.2 Connecting to the USB Console Port This guide shows how to access the serial console, which can be used for troubleshooting and diagnostic tasks as well as some basic configuration. There are times when directly accessing the console is required. Perhaps GUI or SSH access has been locked out, or the password has been lost or forgotten.
  • Page 37 2.2.3 Apply Power to the Device On some devices when using a USB serial console port, the serial port will not appear on the client operating system until the device is plugged into a power source.
  • Page 38 The device associated with the system console is likely to show up as /dev/cuaU0. Look for messages about the device attaching in the system log files or by running dmesg. Note: If the serial device is not present, ensure the device has power and then check again.
  • Page 39 Fig. 10: An example of using PuTTY in Windows
  • Page 40 PuTTY in Linux • Open PuTTY from a terminal by typing sudo putty Note: The sudo command will prompt for the local workstation password of the current account. • Set the Connection type to Serial • Set Serial line to /dev/ttyUSB0 •...
  • Page 41 If portions of the text are unreadable but appear to be properly formatted, the most likely culprit is a character encoding mismatch in the terminal. Adding the -U parameter to the screen command line arguments forces it to use UTF-8 for character encoding: sudo screen -U <console-port>...
  • Page 42 Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output. Hardware Failure There could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assistance.
  • Page 43 No Serial Output If there is no output at all, check the following items: USB Cable Not Plugged In For USB consoles, the USB cable may not be fully engaged on both ends. Gently, but firmly, ensure the cable has a good connection on both sides.
  • Page 44 Plus software on a Netgate-1100 device. Note: pfSense® Plus is preinstalled on Netgate appliances. It is optimally tuned for Netgate hardware and contains features that cannot be found elsewhere, such as ZFS Boot Environments, OpenVPN DCO, Built-in IPFIX Export, and AWS VPC Wizard.
  • Page 45 2.3.1 Download Installation Media Netgate Installer can be downloaded from the Netgate Store using a Netgate Store Account. See also: For a more detailed walkthrough of the download process, see Download Installation Media in the pfSense Software Documentation.
  • Page 48 During the installation process the installer will prompt to select a target drive. The installer will then write pfSense Plus to the chosen drive. The Netgate-1100 device only supports its internal storage for this purpose, which is mmcsd0. 2.3.6 Install pfSense Plus Software The installer will automatically launch and present several options.
  • Page 50 Warning: VLAN group 0 must remain in place and VLAN groups 1-3 must include 0t as a member, to function properly. 7. Click Delete for Member 1, then click Save. 8. Click on the button on VLAN group 2.
  • Page 56 The LAN port could be used as a management port. In normal operation, the switch would only need to be connected to OPT, with WAN and LAN disconnected. 1. Connect to the LAN port on the SG-1100...
  • Page 58 6. Click on the button for VLAN group 2. 7. Click on the Add member button, Enter Member 1, check tagged and then click Save. 8. Click on the button for VLAN group 1. 9. Click on the Add member button, Enter Member 1, check tagged and then click Save.
  • Page 64 2.6 Configuring an OPT interface as an additional WAN Note: The default configuration of the Netgate 1100 has the OPT port already assigned. This guide configures an OPT port as an additional WAN type interface. These interfaces connect to upstream networks providing connectivity to the Internet or other remote destinations.
  • Page 65 • Click The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on. Note: As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx and the customized name WAN2.
  • Page 66 • Click Apply Changes The presence of a selected gateway in the interface configuration causes the firewall to treat the interface as a WAN type interface. This is manual for static configurations, as above, but is automatic for dynamic WANs (e.g. DHCP, PPPoE).
  • Page 67 Translation Address WAN2 Address (or the custom name of the new WAN interface) Description Text describing the rule, e.g. LAN outbound on WAN2 • Click Save • Click Apply Changes Repeat as needed for additional local networks.
  • Page 68 • Click Add to create another gateway group • Configure the group as follows: Group Name LoadBalance Gateway Priority Gateways for WAN and WAN2 both on Tier 1 Description Load Balance Connections on WAN and WAN2 Note: Rules using this group enable connection-based load balancing, not per-packet load balancing.
  • Page 69 Each server address must be unique; the same server cannot be listed more than once. DNS Hostname Leave this field blank unless the server will be contacted using DNS over TLS through the DNS Resolver. In this case, enter the FQDN of the DNS server so its name can be validated against its TLS certificate.
  • Page 70 • Configure the rule as follows: Action Pass Interface Protocol Source LAN subnets Destination The other local subnet, VPN network, or an alias of such networks. Description Pass to local and VPN networks Do not set a gateway on this rule.
  • Page 71 2.7 Configuring an OPT interface as an additional LAN Note: The default configuration of the Netgate 1100 has the OPT port already assigned. This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IoT isolation, wireless segment, lab network, and more.
  • Page 72 2.7.2 Assign the Interface The first step is to assign an OPT interface. • Navigate to Interfaces > Assignments Look at the list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.
  • Page 73 See also: Interface Configuration 2.7.4 DHCP Server Next, configure DHCP service for this local interface. This is a convenient and easy way to assign addresses for clients on the interface, but is optional if clients will be statically addressed instead.
  • Page 74 Protocol Source Either choose OPTx Subnets, which will automatically reference the new interface, or choose Network or Alias and manually fill in the new subnet, e.g. 192.168.2.0/24. Destination Translation Address WAN Address (or the customized name matching the WAN/egress interface) Description Text describing the rule, e.g.
  • Page 75 • Click Save • Click Apply Changes Isolated In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted with additional rules.
  • Page 76 Allow DNS Add a rule to allow DNS requests from local clients to the firewall itself or other DNS servers. • Click to add a new rule at the bottom of the list. • Configure the rule as follows:...
  • Page 77 Tip: While ICMP is useful, some network administrators prefer to limit the allowed ICMP types to Echo Request only. This allows devices to use ICMP ping for diagnostic purposes, but no other types of ICMP traffic.
  • Page 78 Interface OPTx (or the custom name) Protocol Source Destination Address or Alias, PrivateNets (the alias created earlier) Description Reject all other traffic to private networks • Click Save Allow Other Traffic Add a rule to allow traffic from this interface network to any other destination, which enables clients on this interface to reach the Internet and/or other remote public networks.
  • Page 79 • Consider using captive portal to control access to the interface 2.8 Factory Reset Procedure The Netgate 1100 firewall appliance does not have a hardware button to reset the configuration to factory defaults. On this device it is still possible to perform a Factory Reset from GUI or Console.
  • Page 80 3.1.1 Interface Links All three ports on the Netgate 1100 (WAN, LAN, OPT) are connected internally to a switch. In addition to the three physical ports there is also an internal port connected to the switch: Port 0 on the switch for an uplink and the mvneta0 interface which is the corresponding operating system interface for the switch uplink.
  • Page 81 These scenarios are possible by utilizing VLANs. Each of the switch ports (LAN, WAN, OPT, and Port 0) is a VLAN-aware interface. They are capable of functioning as a standard access or trunk port: Access Port:...
  • Page 82 Netgate training has got you covered. https://www.netgate.com/training 3.2.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.2.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits...