CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
Security Gateway Manual Netgate-8300 This Quick Start Guide covers the first time connection procedures for the Netgate® 8300 Security Gateway and will provide the information needed to keep the appliance up and running. Tip: Before getting started, a good practice is to download the...
Warning: The plastic overwrap must be removed from both the top and bottom of the unit before installing the device in a rack. 1.1.2 Rack Installation The Netgate 8300 is intended to be rack mounted. The best practice is to mount the unit in a rack before connecting it to the network or power. 1.1.3 Connect Network Cables...
1.1.4 Connect Power The Netgate 8300 ships with one or two power supplies depending on the specific model or purchased add-ons. Connect power to all installed power supplies before powering on the unit. Note: Though the device can function with only a single power supply connected, the best practice is to always connect power to both power supplies.
Connecting to the Console Port. Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also 192.168.1.1/24, disconnect the WAN interface until the LAN interface on the firewall has been renumbered to...
Allow 4 or 5 minutes to boot up completely. Warning: If the ISP Customer Premise Equipment (CPE) on WAN (e.g. Fiber or Cable Router) has a default IP Address of 192.168.1.1, disconnect the Ethernet cable from the P10 port on the Netgate 8300 Security Gateway before proceeding.
Fig. 3: Setup Wizard starting page 1. Click Next to start the Setup Wizard. 2. Click Next after reading the information on Netgate Global Support. 3. Use the following items as a guide to configure the options on the General Information page: Hostname Any desired hostname can be entered to identify the firewall.
Plus dashboard, click Finish. Note: This step of the wizard also contains several useful links to Netgate resources and methods of obtaining assistance with the product. Be sure to read through the items on this page before finishing the wizard.
Fig. 8: The pfSense® Plus Dashboard Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 Identifies what version of pfSense® Plus software is installed, and if an update is available.
Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
1.4 Input and Output Ports 1.4.1 Front Panel The front panel of the Netgate 8300 contains several items of interest for connecting to and managing the device. Fig. 12: Front view of the Netgate 8300 Security Gateway with key items numbered...
PSUs connected to line power. The Netgate 8300 BASE unit ships with one power supply; the Netgate 8300 MAX unit ships with dual power supplies. Additional power supplies are available. A second PSU can be added to the BASE model later by removing the blank panel cover.
Networking Ports The sections on the front of the device numbered 7, 8, and 9 in Front view of the Netgate 8300 Security Gateway with key items numbered contain the network interfaces. These ports are labeled P0 through P10 on the device and are grouped by speed.
WAN, LAN, and other ports being assigned to different physical interfaces. There are two add-on expansion card slots on the Netgate 8300 device and they can both be populated with network cards, for a total of either two or four additional network ports.
1.4.2 Status LEDs The Netgate 8300 has two groups of status LEDs: Three LEDs (including the power button) for the operating system status, and one LED for the baseboard management controller (BMC) status. The Operating System status LEDs are labeled with shapes which correspond to each LED: Green Circle, Blue Square, and Black Diamond.
The rear panel of the device has items which are not meant to be accessed as often as the front, as the device is intended to be mounted in a rack. Fig. 14: Rear view of the Netgate 8300 Security Gateway with key items numbered The items below are marked with numbers on figure...
(UPS) or a combination of those devices. Failure to take such precautions could result in premature failure, and/or damage to your Netgate appliance, which is not covered under the product warranty. Such an event may also present the risk of electric shock, fire, or explosion.
1.5.3 FCC Compliance Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1.
Deutsch [German] European Directive 2002/96/EC requires that technical equipment bearing this symbol directly on the device and/or on its packaging must not be disposed of together with unsorted municipal waste. The symbol indicates that the product should be disposed of separately from regular household waste. It is your responsibility to dispose of this device and other electrical and electronic equipment through the competent and...
1.5.8 Declaration of Conformity Česky [Czech] NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned NETGATE hereby declares that the following equipment, NETGATE device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
I, the undersigned NETGATE, declare that the NETGATE device complies with the relevant essential requirements and other provisions of Directive 1999/5/EC. Íslenska [Icelandic] NETGATE hereby declares that the NETGATE device is in compliance with the essential requirements and other requirements set out in Directive 1999/5/EC. Italiano [Italian] NETGATE hereby declares that this NETGATE device is...
Slovensky [Slovak] NETGATE hereby declares that the NETGATE device meets the essential requirements and all relevant provisions of Directive 1999/5/EC. Svenska [Swedish] NETGATE hereby certifies that this NETGATE device is in conformity with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Austin, Texas 78728 legal@netgate.com The arbitration will be conducted by the American Arbitration Association (AAA) under its rules. The AAA’s rules are available at www.adr.org. Payment of all filing, administration and arbitrator fees will be governed by the AAA’s rules.
1.5.13 Limited Warranty DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) AND OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY US ON AN “AS IS” AND “AS AVAILABLE” BASIS, UNLESS OTHERWISE SPECIFIED IN WRITING.
2.1.1 Connecting to IPMI Web Browser Serial Console The IPMI interface on the Netgate 8300 contains a web-based serial console accessible via browser. This client is HTML-based and does not require extra software, only a current web browser.
A separate adapter is required to make a connection between a computer and the firewall using the RJ45 serial port. The Netgate 8300 device ships with a USB A to RJ45 console cable suitable for this purpose. Fig. 1: Serial cable connected to RJ45 Console Port Any compatible cable may be used instead of the one shipped with the device.
macOS For macOS the best practice is to run GNU screen, or cu. An example of how to configure GNU screen is below. Linux For Linux the best practices are to run GNU screen, PuTTY in Linux, minicom, or dterm. Examples of how to configure PuTTY and GNU screen are below.
Fig. 3: An example of using PuTTY in Linux If portions of the text are unreadable but appear to be properly formatted, the most likely culprit is a character encoding mismatch in the terminal. Adding the -U parameter to the screen command line arguments forces it to use UTF-8 for character encoding: sudo screen -U <console-port>...
Warning: Hardware flow control (RTS/CTS) must be disabled. Terminal Optimization Beyond the required settings there are additional options in terminal programs which will help input behavior and output rendering to ensure the best experience. These settings vary in location and support by client, and may not be available in all clients or terminals.
Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output. Hardware Failure There could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assistance. No Serial Output...
PuTTY has issues with line drawing PuTTY generally handles most cases OK but can have issues with line drawing characters on certain platforms. These settings seem to work best (tested on Windows): Window Columns x Rows 80x24 Window >...
2.2 Intelligent Platform Management Interface (IPMI) The Netgate 8300 appliance includes a baseboard management controller (BMC) for out-of-band (OOB) access via Intelligent Platform Management Interface (IPMI). Administrators can use this interface to control the hardware itself, such as power on/off, access a serial over LAN (SOL) console, mount virtual media for installation, see hardware status events, and more.
2.2.2 Default IPMI Credentials The default IPMI username is root and the default password is root. In compliance with privacy legislation, the Username and Password to access the IPMI port on the Netgate 8300 must be changed on first access.
2.2.4 Changing the IPMI Password The IPMI password for Netgate 8300 appliances can be changed either through the browser-based IPMI console or by using the ipmitool utility directly in pfSense® software. Using IPMI Web Console To change the IPMI password in the web console: •...
Note: If the username is not known, see the next section for information on how to use ipmitool to view the current user list. • Navigate to Configuration > Users Fig. 6: Configuration > Users • Select the user to modify by clicking on its row in the list This is likely the root user or another user with Administrator privileges, typically the user in the second slot (User ID 2).
Fig. 7: Modify User User Name Change the username from the default root to a personalized name This is optional, but a best practice. Change Password Click to enable the slider Password Enter the new Password If the password is acceptable, the field will be outlined in green.
NO ACCESS Warning: Usernames are case-sensitive. • Reset the password for a user The default root user is User ID 2, and the example below sets the password for this user to NETGATE. ipmitool user set password 2 NETGATE Warning: This password is for example purposes only. Use a secure password.
• Unload the IPMI kernel module kldunload ipmi 2.2.6 Re-arm the Chassis Intrusion Switch The chassis on Netgate 8300 has an intrusion detection function which can be reset via IPMI. See Re-arm the Chassis Intrusion Switch for details...
2.3 Updating the Baseboard Management Controller Firmware Occasionally there are updates to the Baseboard Management Controller (BMC) firmware on the Netgate 8300 to address problems or improve features. This firmware can be updated using the web interface on the BMC which also contains Intelligent Platform Management Interface (IPMI) functionality.
2.3.4 Update the Firmware • Navigate to Configuration > Firmware Update in the web interface. Fig. 10: Firmware Update menu location • Check Reboot immediately after update. Warning: This reboots the BMC and the operating system.
• Change any other settings and make any other customizations as needed. 2.4 Re-arm the Chassis Intrusion Switch The chassis on Netgate 8300 has an intrusion detection function. If the chassis has been opened the intrusion switch will be tripped even if the power was off.
Plus software on a Netgate 8300 device. Note: pfSense® Plus is preinstalled on Netgate appliances. It is optimally tuned for Netgate hardware and contains features that cannot be found elsewhere, such as ZFS Boot Environments, OpenVPN DCO, Built-in IPFIX Export, and AWS VPC Wizard.
The most common use case for multiple drives in this device is a ZFS mirror, with both drives selected as targets. 2.5.6 Install pfSense Plus Software The installer will automatically launch and present several options. On Netgate appliances, choosing Enter for the default options will complete the installation process in most cases.
• Firewall Rules • Gateway Groups • • Setup Policy Routing • Dynamic DNS • VPN Considerations • Testing 2.6.1 Requirements • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).
See also: IPv4 Configuration Types • Create a Gateway if this is a static IP address WAN: – Click Add a New Gateway – Configure the gateway as follows: Default Check if this new WAN should be the default gateway.
2.6.4 Outbound NAT For clients on local interfaces to reach the Internet from private addresses to destinations through this WAN, the firewall must apply Outbound NAT on traffic leaving this new WAN. • Navigate to Firewall > NAT, Outbound tab •...
2.6.5 Firewall Rules By default there are no rules on the new interface, so the firewall will block all traffic. This is ideal for a WAN, so is safe to leave as-is. Adding services on the new WAN, such as VPNs, may require rules but those should be handled on a case-by-case basis.
Note: Rules using this group enable connection-based load balancing, not per-packet load balancing. Rules using this group will also have failover style behavior as WANs which are down are removed from load balancing. • Click Save •...
Note: If the gateway drop-down does not appear next to each DNS server, then the firewall does not have more than one gateway configured for any address family. Double check the gateway settings for all WAN interfaces.
Destination The other local subnet, VPN network, or an alias of such networks. Description Pass to local and VPN networks Do not set a gateway on this rule. • Click Save • Click Apply Changes 2.6.9 Dynamic DNS Dynamic DNS provides several benefits for multiple WANs, particularly with VPNs.
2.7 Configuring an OPT interface as an additional LAN This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IOT isolation, wireless segment, lab network, and more.
The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI. 2.7.3 Interface Configuration The new interface must be enabled and configured. • Navigate to Interfaces > OPTx • Check Enable interface •...
2.7.5 Outbound NAT For clients on this interface to reach the Internet from private addresses, the firewall must apply Outbound NAT for the new subnet. • Navigate to Firewall > NAT, Outbound tab • Check the current outbound NAT mode and follow the section below which matches the mode.
2.7.6 Firewall Rules By default there are no firewall rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as generally speaking, the clients on this LAN will need to contact hosts through the firewall.
Create a Private Networks Alias Create an alias using all RFC 1918 networks (listed in the example below) or at least an alias containing the local/private networks on this firewall, such as VPNs. Using all RFC 1918 networks is a safer practice.
If clients are configured to query DNS servers other than this firewall, create rules using those as the destination instead. Destination Port Range Select the DNS (53) entry or choose Other and manually enter 53 To allow DNS over TLS, create a separate rule using the DNS over TLS entry or manually enter port 853.
Reject Other Firewall-bound Traffic Add a rule to reject any other traffic to the firewall to ensure users on this interface cannot connect to management services such as the GUI, SSH, and so on. • Click to add a new rule at the bottom of the list.
Allow Other Traffic Add a rule to allow traffic from this interface network to any other destination, which enables clients on this interface to reach the Internet and/or other remote public networks. • Click to add a new rule at the bottom of the list.
2.8 Factory Reset Procedure This procedure performs a factory reset using the hardware reset button on the Netgate 8300. This button is located on the rear side of the unit toward the left end, between the power and console connectors and under the power button.
2.9 M.2 NVMe SSD Installation The Netgate® 8300 ships with one PCIe-based M.2 NVMe SSD. Optionally, a second PCIe-based M.2 NVMe drive can be installed as an upgrade. Note: This guide assumes a second disk is being added for redundancy via ZFS mirroring.
Installing the SSD requires removing the top of the case to expose the internal components. For safety, before opening the case, the Netgate 8300 must be completely disconnected from everything. This includes power, network cables, USB cables, serial console cables, and any other external cables or devices connected to the Netgate 8300. Danger: Reminder: •...
5. Move the Netgate 8300 to a safe work location such as an anti-static mat Removing the Lid The next portion of the procedure involves opening the device and removing the lid. Danger: Reminder: • Anti-static protection must be used throughout this procedure.
1. Remove the screw retaining the side of the fan duct nearest to the PSU cages using the Phillips head screwdriver. Fig. 27: Screw holding the fan duct in place, indicated with an arrow 2. Gently lift the side of the fan duct up and out of the way...
Remove the M.2 NVMe Riser Card The M.2 NVMe drives are located on a riser card near the PSU cages. This card must be removed to safely access the SSDs. Danger: Reminder: • Anti-static protection must be used throughout this procedure.
Note: As mentioned earlier in this document, the Netgate 8300 currently supports M.2 B+M-Key or M-Key PCIe NVMe SSDs in 2280 or 2242 sizes. 2. Move the retainer clip to match the SSD size being installed.
Reconnect The device is now ready to be put back into its former location. 1. Mount the Netgate 8300 in the rack 2. Plug in all network cables, USB cables and devices, serial console connections, etc. 3. Insert the USB memstick containing the installation media 4.
Re-arm the Chassis Intrusion Switch sensor. 2.10 Add-On Expansion Card Installation The Netgate® 8300 has two expansion card slots available for additional devices such as 25 Gbit/s or 100 Gbit/s network interface cards. The two expansion card slots have the following capabilities: •...
Installing an add-on expansion card requires removing the top of the case to expose the internal components. For safety, before opening the case, the Netgate 8300 must be completely disconnected from everything. This includes power, network cables, USB cables, serial console cables, and any other external cables or devices connected to the Netgate 8300.
2. Remove the screw from the rear side of the unit at the top left corner using the Phillips head screwdriver. Fig. 46: Screw on the rear side of the unit at the left top corner, indicated with an arrow.
Note: These screws are captive and will not fully remove from the riser assembly. It is sufficient to loosen the screws until they no longer attach the riser assembly to the motherboard. This may be felt as a soft “click” when the screw is freely rotating and the threads are not engaged.
Fig. 51: Location of the riser assembly retaining screw on the front of the unit indicated with a red circle Fig. 52: Lift the riser assembly from the rear to remove it from the riser slot on the motherboard...
Install the Add-on Expansion Card With the riser assembly removed, it is time to install the add-on expansion card. Danger: Reminder: • Anti-static protection must be used throughout this procedure. • Any hardware damage incurred during this procedure is not covered by the hardware warranty.
Fig. 58: Remove the expansion slot cover once it is free from the expansion slot The rear of the socket has a retention clip to hold the card in place which should be engaged once the card is fully...
Fig. 64: Re-seat the riser assembly in the riser slot from the rear of the motherboard in the opposite of the direction indicated by the red arrow Fig. 65: Location of the riser assembly retaining screw on the front of the unit indicated with a red circle...
Replacing and Fastening the Lid With the internal components all in place, the next step is to replace the lid and all its fasteners. Danger: Reminder: • Anti-static protection must be used throughout this procedure. • Any hardware damage incurred during this procedure is not covered by the hardware warranty.
Reconnect The device is now ready to be put back into its former location. 1. Mount the Netgate 8300 in the rack 2. Plug in all network cables, USB cables and devices, serial console connections, etc. 3. Insert the USB memstick containing the installation media 4.
See also: Networking Ports for details. If the device has an existing configuration which must be adjusted to match the new interface layout, then the ports must be reassigned manually. Since GUI access is likely broken by the interfaces being moved, this may need to be performed at the console.
Netgate training has got you covered. https://www.netgate.com/training 3.1.2 Resource Library To learn more about how to use Netgate appliances and for other helpful resources, make sure to browse the Netgate Resource Library. https://www.netgate.com/resources 3.1.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits, ®...
3.2 Warranty and Support • One year manufacturer’s warranty. • Please contact Netgate for warranty information or view the Product Lifecycle page. • All Specifications subject to change without notice For support information, view support plans offered by Netgate.