Page 2
CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
Page 3
XG-1537 This Quick Start Guide covers the first-time connection procedures for the Netgate® 1537 1U Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, a good practice is to download the...
Page 4
Input and Output Ports Netgate appliance. Connect the other end to the network connection on the computer. To access the GUI, the PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet with a subnet mask of 255.255.255.0.
Page 5
Security Gateway Manual XG-1537 1.1.2 Logging Into the Web Interface Browse to https://192.168.1.1 to access the web interface. In some instances, the browser may respond with a message indicating a problem with website security. Below is a typical example in Google Chrome. If this message or similar message is encountered, it is safe to proceed.
Page 6
1.1.3 Wizard Upon successful login, the GUI displays the following 1.1.4 Configuring Hostname, Domain Name and DNS Servers 1.1.5 Hostname For Hostname, any desired name can be entered as it does not affect functionality of the firewall. Assigning a hostname to the firewall will allow clients to access the GUI by hostname as well as IP address.
Page 7
1.1.7 DNS Servers The DNS server fields can be left blank if the DNS Resolver will be left in the default non-forwarding mode. The settings may also be left blank if the WAN connection is using DHCP, PPTP or PPPoE types of Internet connections and the ISP automatically assigns DNS server IP addresses.
Page 8
This depicts the four possible WAN interface types: Static, DHCP, PPPoE and PPTP. One must be selected from the drop-down list. Further information from the ISP is required to proceed when selecting Static, PPPoE and PPTP, such as a login name and password or, as with static addresses, an IP address, subnet mask and gateway address.
Page 9
leaving this field blank allows the system to default to 1500-byte packets. PPPoE is slightly smaller at 1492 bytes. Leave this blank for a basic configuration. 1.1.14 Configuring DHCP Hostname Some ISPs specifically require a DHCP Hostname entry. Unless the ISP requires the setting, leave it blank.
Page 10
1.1.16 Block Private Networks and Bogons When enabled, the firewall will block all private network traffic from entering the WAN interface. Private addresses are reserved for use on internal LANs and blocked from outside traffic so these address ranges may be reused by all private networks.
Page 11
A static IP address of 192.168.1.1 and a subnet mask (CIDR) of 24 were chosen for this installation. If there are no plans to connect this network to any other network via VPN, the 192.168.1.x default is sufficient.
Page 12
1.1.20 Basic Firewall Configured To proceed to the GUI, make the selection as highlighted. The browser will then display the Dashboard. 1.1.21 Backing Up and Restoring At this point, basic LAN and WAN interface configuration is complete. Before proceeding, back up the firewall configuration.
Page 14
Ports Warning: If the ISP Customer Premise Equipment (CPE) on WAN (e.g. Fiber or Cable Router) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the WAN port on the Netgate 1537 1U Security Gateway before proceeding.
Page 16
1. Click Next to start the Setup Wizard. Fig. 3: Setup Wizard starting page 2. Click Next after reading the information on Netgate Global Support. 3. Use the following items as a guide to configure the options on the General Information page: Hostname Any desired hostname can be entered to identify the firewall.
Page 17
DNS Servers For purposes of this setup guide, use the Google public DNS servers (8.8.8.8 and 8.8.4.4). Note: The firewall defaults to acting as a resolver and clients will not utilize these forwarding DNS servers. However, these servers give the firewall itself a way to ensure it has working DNS if resolving the default way does not work properly.
Page 18
Plus dashboard, click Finish. Note: This step of the wizard also contains several useful links to Netgate resources and methods of obtaining assistance with the product. Be sure to read through the items on this page before finishing the wizard.
Page 19
Plus software is highly configurable, all of which can be done through the dashboard. This orientation will help to navigate and further configure the firewall. Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2...
Page 21
Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
Page 23
See also: Port. Cable is required. Connecting to the Console Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training course or browse the extensive Resource Library.
Page 24
OPT2 SFP+ 10 Gbps Note: Both the WAN and LAN ports of the Netgate® appliance support auto-MDIX and are capable of utilizing either straight-through or crossover Ethernet cables. Optional Quad Port Expansion Cards Default port configuration for 4-port expansion cards.
Page 25
Port Interface Name Port Name Port Type Port Speed SGP-i4 X710 SGP-i4 X710 SGP-i4 X710 SGP-i4 X710 OPT6 Unassigned igb0 ixl0 RJ-45 SFP+ 1 Gbps 10 Gbps OPT5 Unassigned igb1 ixl1 RJ-45 SFP+ 1 Gbps 10 Gbps...
Page 26
RJ-45 Ports
Table 1: RJ-45 LEDs Configuration
Activity LED (Left): Off = No Connection; Yellow Flashing = Activity
Link Speed LED (Right): Amber = 1 Gbps; Green = 100 Mbps; Off = No Connection or 10 Mbps
Note: Reverse the above table for the bottom port as it is inverted.
Page 27
State: Description
Continuously on and red: An overheat condition has occurred. (This may be caused by cable congestion.)
Blinking red (1Hz): Fan failure, check for an inoperative fan.
Blinking red (0.25Hz): Power failure, check for a non-operational power supply.
Page 28
Other Ports Port I/O Type IPMI 2x USB 3.0 Ports VGA Console Reset & Power buttons Status LEDs USB Ports USB ports on the device can be used for a variety of purposes. The primary use for the USB ports is to install or reinstall the operating system on the device. Beyond that, there are numerous USB devices which can expand the base functionality of the hardware, including some supported by add-on packages.
Page 29
(UPS) or a combination of those devices. Failure to take such precautions could result in premature failure, and/or damage to your Netgate appliance, which is not covered under the product warranty. Such an event may also present the risk of electric shock, fire, or explosion.
Page 30
1.5.4 Industry Canada This Class B digital apparatus complies with Canadian ICES-3(B). This Class B digital apparatus complies with the Canadian standard NMB-3(B). 1.5.5 Australia and New Zealand This is an AMC Compliance level 2 product. This product is suitable for domestic environments.
Page 31
1.5.8 Declaration of Conformity Česky [Czech] NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned, NETGATE, hereby declares that the following equipment, NETGATE device, complies with the essential requirements and...
Page 32
I, the undersigned NETGATE, declare that the NETGATE device complies with the applicable essential requirements and the other provisions of Directive 1999/5/EC. Íslenska [Icelandic] NETGATE hereby declares that the NETGATE device is in compliance with the essential requirements and other requirements set out in Directive 1999/5/EC. Italiano [Italian] NETGATE hereby declares that this NETGATE device is...
Page 33
NETGATE hereby declares that the equipment NETGATE device is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC. Slovensky [Slovak] NETGATE hereby declares that the NETGATE device meets the essential requirements and all relevant provisions of Directive 1999/5/EC. Svenska [Swedish] NETGATE hereby certifies that this NETGATE device is in compliance with the essential requirements...
Page 34
Română [Romanian] NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. 1.5.9 Disputes ANY DISPUTE OR CLAIM RELATING IN ANY WAY TO YOUR USE OF ANY PRODUCTS/SERVICES, OR TO ANY PRODUCTS OR SERVICES SOLD OR DISTRIBUTED BY RCL OR ESF WILL BE RESOLVED BY BINDING ARBITRATION IN AUSTIN, TEXAS, RATHER THAN IN COURT.
Page 35
1.5.11 Site Policies, Modification, and Severability Please review our other policies, such as our pricing policy, posted on our websites. These policies also govern your use of Products/Services. We reserve the right to make changes to our site, policies, service terms, and these terms and conditions of use at any time.
Page 36
Connecting to the VGA console is identical to connecting any computer to a monitor. Connect the VGA cable (DB-15) between the Netgate® system and the monitor. Use a USB or PS/2 keyboard and mouse as applicable to the hardware. Note: If the device has both USB 2.0 (black) and USB 3.0 (blue) ports, use the USB 2.0 ports for better compatibility.
Page 38
2.3 Changing the IPMI Password The IPMI password for Netgate appliances can be changed either through the browser-based IPMI console or by using the ipmitool utility directly in pfSense® software. 2.3.1 Using IPMI Web Console To change the IPMI password in the web console: •...
Page 41
Warning: Usernames are case-sensitive. • Reset the password for a user The default ADMIN user is User ID 2, and the example below sets the password for this user to NETGATE. ipmitool user set password 2 NETGATE Warning: This password is for example purposes only. Use a secure password.
Page 42
Plus software on a Netgate XG-1537 1U device. Note: pfSense Plus is preinstalled on Netgate appliances. It is optimally tuned for Netgate hardware and contains features that cannot be found elsewhere, such as ZFS Boot Environments, OpenVPN DCO, Built-in IPFIX Export, and AWS VPC Wizard.
Page 43
2.5.6 Install pfSense Plus Software The installer will automatically launch and present several options. On Netgate appliances, choosing Enter for the default options will complete the installation process in most cases. Tip: There are options on the Welcome screen of the installer which can recover configuration data from a previous installation or from a USB drive.
Page 44
See also: For a complete walkthrough of the installation process, see Installation Walkthrough. When the installation is complete, remove the USB drive from the USB port. Important: If the USB drive remains attached, the device may boot into the installer again.
Page 45
• Setup Policy Routing • Dynamic DNS • VPN Considerations • Testing 2.6.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc). • The WAN configuration type and settings must be known before starting. For example, this might be an IP address, subnet mask, and gateway value for static addresses or credentials for PPPoE.
Page 46
– Configure the gateway as follows: Default Check if this new WAN should be the default gateway. Gateway Name Name it the same as the interface (e.g. WAN2), or a variation thereof. Gateway IPv4 The IPv4 address of the gateway inside the same subnet.
Page 47
Automatic or Hybrid Outbound NAT If the mode is set to Automatic or Hybrid, then this may not need further configuration. Ensure there are rules for the new WAN listed as an Interface in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.
Page 48
2.6.5 Firewall Rules By default there are no rules on the new interface, so the firewall will block all traffic. This is ideal for a WAN, so it is safe to leave as-is. Adding services on the new WAN, such as VPNs, may require rules, but those should be handled on a case-by-case basis.
Page 49
Note: Rules using this group enable connection-based load balancing, not per-packet load balancing. Rules using this group will also have failover style behavior as WANs which are down are removed from load balancing. • Click Save •...
Page 50
Note: If the gateway drop-down does not appear next to each DNS server, then the firewall does not have more than one gateway configured for any address family. Double check the gateway settings for all WAN interfaces.
Page 51
Destination The other local subnet, VPN network, or an alias of such networks. Description Pass to local and VPN networks Do not set a gateway on this rule. • Click Save • Click Apply Changes 2.6.9 Dynamic DNS Dynamic DNS provides several benefits for multiple WANs, particularly with VPNs.
Page 52
2.7 Configuring an OPT interface as an additional LAN Note: The default configuration has interfaces assigned as OPT ports, but the exact assignments vary based on the presence of expansion cards. See for specific default assignment layouts.
Page 53
Note: As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx. The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.
Page 54
• Configure the Address Pool Range, e.g. from 192.168.2.100 to 192.168.2.199 This sets the lower (From) and upper (To) bound of automatic addresses assigned to clients. • The rest of the settings can be left at defaults •...
Page 55
2.7.6 Firewall Rules By default there are no firewall rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as generally speaking, the clients on this LAN will need to contact hosts through the firewall.
Page 56
Create a Private Networks Alias Create an alias using all RFC 1918 networks (listed in the example below) or at least an alias containing the local/private networks on this firewall, such as VPNs. Using all RFC 1918 networks is a safer practice.
Page 57
If clients are configured to query DNS servers other than this firewall, create rules using those as the destination instead. Destination Port Range Select the DNS (53) entry or choose Other and manually enter 53. To allow DNS over TLS, create a separate rule using the DNS over TLS entry or manually enter port 853.
Page 58
Reject Other Firewall-bound Traffic Add a rule to reject any other traffic to the firewall to ensure users on this interface cannot connect to management services such as the GUI, SSH, and so on. • Click to add a new rule at the bottom of the list.
Page 59
Allow Other Traffic Add a rule to allow traffic from this interface network to any other destination, which enables clients on this interface to reach the Internet and/or other remote public networks. • Click to add a new rule at the bottom of the list.
Page 60
• Consider using captive portal to control access to the interface 2.8 Factory Reset Procedure The Netgate 1537 firewall appliance does not have a hardware button to reset the configuration to factory defaults. On this device it is still possible to perform a Factory Reset from the GUI or Console.
Page 61
Netgate training has got you covered. https://www.netgate.com/training 3.1.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.1.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits,...
Page 62
3.2 Warranty and Support • One year manufacturer’s warranty. • Please contact Netgate for warranty information or view the Product Lifecycle page. • All Specifications subject to change without notice For support information, view support plans offered by Netgate.