Rubicon netgate SG-5100 Manual

Security gateway

Security Gateway Manual
SG-5100
© Copyright 2024 Rubicon Communications LLC
Jul 17, 2024

Summary of Contents for Rubicon netgate SG-5100

  • Page 1 Security Gateway Manual SG-5100
  • Page 2 CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
  • Page 3 Tip: Before getting started, a good practice is to download the PDF version of the Product Manual and the PDF version of the pfSense Documentation in case Internet access is not available during setup.
  • Page 4: Getting Started

    CHAPTER OUT OF THE BOX 1.1 Getting Started The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance should be unplugged at this time. Connect one end of an Ethernet cable to the WAN port (shown in the Input and Output Ports section) of the Netgate appliance.
  • Page 5 GUI, go through the Setup Wizard (opens at first boot, also found at System > Setup Wizard) and change the IP address on Step 5. Complete the Wizard and save the changes.
  • Page 6: Initial Configuration

    Note: Ignore the warning at the top of each wizard page about resetting the admin account password. One of the steps in the Setup Wizard is to change the default password, but the new password is not applied until the end of the wizard.
  • Page 7 Security Gateway Manual SG-5100 Fig. 2: Example certificate warning message
  • Page 8 Time Server Hostname Use the default time server address. The default hostname is suitable for both IPv4 and IPv6 NTP clients. Timezone Select a geographically named time zone for the location of the firewall.
  • Page 9 Security Gateway Manual SG-5100 Fig. 4: General Information page in the Setup Wizard
  • Page 10 Note: This step of the wizard also contains several useful links to Netgate resources and methods of obtaining assistance with the product. Be sure to read through the items on this page before finishing the wizard.
  • Page 11 Read and click Accept to continue to the dashboard. If the Ethernet cable was unplugged at the beginning of this configuration, reconnect it to the IGB0 port now. This completes the basic configuration for the Netgate appliance.
  • Page 12 Security Gateway Manual SG-5100 Fig. 7: Copyright and Trademark Notices
  • Page 13 Plus software is installed, and if an update is available. Section 3 Describes Netgate Service and Support. Section 4 Shows the various menu headings. Each menu heading has drop-down options for a wide range of configuration choices.
  • Page 14: Backup And Restore

    Note: Auto Config Backup is a built-in service located at Services > Auto Config Backup. This service will save up to 100 encrypted backup files automatically, any time a change to the configuration has been made. Visit the Auto Config Backup page for more information.
  • Page 15 Security Gateway Manual SG-5100 Fig. 10: Backup & Restore Fig. 11: Click Download configuration as XML
  • Page 16: Connecting To The Console

    1.4 Input and Output Ports 1.4.1 Front Side Fig. 12: Front view of the Netgate 5100 Firewall Appliance The items in this image are described by entries in Ethernet Ports and Other Ports and Indicators.
  • Page 17: Ethernet Ports

    Note: All Ethernet ports of the Netgate® appliance support auto-MDIX and are capable of utilizing either straight-through or crossover Ethernet cables. Other Ports and Indicators • Mini-USB Serial Console • Status LEDs • 2x USB 3.0 Ports
  • Page 18: Rear Side

    1. Recessed Reset Button (performs a reset to factory default) 2. Power Button (powers system on, performs graceful shutdown) 3. Power • 12VDC with threaded locking connector • Power Consumption 7W (idle) Center Pin Positive
  • Page 19: Safety And Legal

    Protective grounding/earthing is provided by Listed AC adapter. Building installation shall provide appropriate short-circuit backup protection. e) Protective bonding must be installed in accordance with local national wiring rules and regulations.
  • Page 20: FCC Compliance

    Recycling helps to prevent potential negative consequences for the environment and human health. If you need further information about the disposal of your old equipment, please contact your local authorities or municipal waste disposal services, or the dealer from whom you purchased the product.
  • Page 21 NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned, NETGATE, hereby declares that the following equipment, NETGATE device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
  • Page 22 The undersigned, NETGATE, declares that the NETGATE device meets the relevant essential requirements and other provisions of Directive 1999/5/EC. Íslenska [Icelandic] NETGATE hereby declares that the NETGATE device is in compliance with the essential requirements and other requirements laid down in Directive 1999/5/EC.
  • Page 23 other relevant provisions set out in Directive 1999/5/EC. Español [Spanish] NETGATE hereby declares that the NETGATE device complies with the essential requirements and any other applicable or mandatory provisions of Directive 1999/5/EC.
  • Page 24: Polski [Polish]

    We each agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated or representative action. We also both agree that you or we may bring suit in court to enjoin infringement or other misuse of intellectual property rights.
  • Page 25: Applicable Law

    LESS OTHERWISE SPECIFIED IN WRITING. YOU EXPRESSLY AGREE THAT YOUR USE OF THE PRODUCTS/SERVICES IS AT YOUR SOLE RISK. TO THE FULL EXTENT PERMISSIBLE BY APPLICABLE LAW, RUBICON COMMUNICATIONS, LLC (RCL) AND ELECTRIC SHEEP FENCING (ESF) DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  • Page 26 CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES OR THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE DISCLAIMERS, EXCLUSIONS, OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS.
  • Page 27: How-To Guides

    CHAPTER HOW-TO GUIDES 2.1 Connecting to the USB Console Port This guide shows how to access the serial console which can be used for troubleshooting and diagnostics tasks as well as some basic configuration. There are times when directly accessing the console is required. Perhaps GUI or SSH access has been locked out, or the password has been lost or forgotten.
  • Page 28: Connect a USB Cable

    “COMX” where X is a decimal digit (e.g. COM3), that value is what would be used as the port in the terminal program. macOS The device associated with the system console is likely to show up as, or start with, /dev/cu.usbserial-<id>.
  • Page 29 • Open PuTTY and select Session under Category on the left hand side. • Set the Connection type to Serial • Set Serial line to the console port determined previously • Set the Speed to 115200 bits per second.
  • Page 30 Note: The sudo command will prompt for the local workstation password of the current account. • Set the Connection type to Serial • Set Serial line to /dev/ttyUSB0 • Set the Speed to 115200 bits per second • Click the Open button PuTTY will then display the console.
  • Page 31 If portions of the text are unreadable but appear to be properly formatted, the most likely culprit is a character encoding mismatch in the terminal. Adding the -U parameter to the screen command line arguments forces it to use UTF-8 for character encoding: sudo screen -U <console-port> 115200
  • Page 32: Terminal Settings

    In PuTTY this is under Terminal > Keyboard and is labeled The Function Keys and Keypad. Font For the best experience, use a modern monospace Unicode font such as DejaVu Sans Mono, Liberation Mono, Monaco, Consolas, Fira Code, or similar.
  • Page 33: What's Next

    In some cases there may be multiple serial devices available. Ensure the one used by the serial client is the correct one. Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output.
  • Page 34 Ensure the terminal program is configured for the correct speed. (See No Serial Output) Character Encoding Ensure the terminal program is configured for the proper character encoding, such as UTF-8 or Latin-1, depending on the operating system. (See Screen)
  • Page 35 2.2.2 Prepare Installation Media Next, write the installation image to a USB memstick. See also: Locating the image and writing it to a USB memstick is covered in detail under Writing Flash Drives.
  • Page 36: Connect To The Console

    In some cases it is possible to adjust the BIOS boot order to prefer the new disk, but the best practice is to wipe the old disk to remove any chance of the previous installation causing boot issues or conflicts.
  • Page 37: SATA Installation

    6. Insert the M.2 SATA drive into the slot at about a 30° angle. Warning: The M.2 SATA card is keyed. Do not force it into the slot. 7. Gently push down the M.2 SATA card and place the screw into the standoff.
  • Page 38 Security Gateway Manual SG-5100 Fig. 3: M.2 SATA Location Fig. 4: Remove Three (3) Case Screws from Both Sides
  • Page 39 Security Gateway Manual SG-5100 Fig. 5: Remove the Bottom Screws Fig. 6: Remove the Heatsink Screws
  • Page 40 Security Gateway Manual SG-5100 Fig. 7: Note the Memory Thermal Transfer Pad Fig. 8: Note the Chassis Thermal Transfer Pad
  • Page 41 Security Gateway Manual SG-5100 Fig. 9: Insert the M.2 SATA Drive at about a 30° Angle
  • Page 42 Security Gateway Manual SG-5100 Fig. 10: Secure the M.2 SATA Drive
  • Page 43 14. Replace the system cover and screws. 15. Reinstall the pfSense® Plus software on the new M.2 SATA drive. See also: Reinstalling pfSense Plus Software 1. Restore the configuration backup if one is available.
  • Page 44 Security Gateway Manual SG-5100 Fig. 12: Both Sides of the Thermal Pads Fig. 13: Thermal Pads that come with the SG-5100
  • Page 45 Security Gateway Manual SG-5100 Fig. 14: Stick the Thermal Pad to the Heatsink
  • Page 46 Security Gateway Manual SG-5100 Fig. 15: Stick the Thermal Pad to the Heatsink
  • Page 47 Security Gateway Manual SG-5100 Fig. 16: Replace the Heatsink
  • Page 48 Interface Configuration • Outbound NAT – Automatic or Hybrid Outbound NAT – Manual Outbound NAT • Firewall Rules • Gateway Groups • Setup Policy Routing • Dynamic DNS • VPN Considerations • Testing
  • Page 49: Interface Configuration

    Add a New Gateway – Configure the gateway as follows: Default Check if this new WAN should be the default gateway. Gateway Name Name it the same as the interface (e.g. WAN2), or a variation thereof.
  • Page 50 Ensure there are rules for the new WAN listed as an Interface in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.
  • Page 51: Firewall Rules

    Adding services on the new WAN, such as VPNs, may require rules but those should be handled on a case-by-case basis. Warning: Do not add any blanket “allow all” style rules on any WAN.
  • Page 52: Gateway Groups

    Rules using this group will also have failover style behavior as WANs which are down are removed from load balancing. • Click Save • Click Apply Changes Now set the default gateway to a failover group:
  • Page 53 This will tell the firewall to use the DNS servers entered on this page and to ignore servers provided by dynamic WANs such as DHCP or PPPoE. Occasionally these providers may push conflicting DNS server information so the best practice is to assign the DNS servers manually.
  • Page 54 The other local subnet, VPN network, or an alias of such networks. Description Pass to local and VPN networks Do not set a gateway on this rule. • Click Save • Click Apply Changes
  • Page 55: Dynamic DNS

    This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IoT isolation, wireless segment, lab network, and more. Configuring an additional LAN • Requirements • Assign the Interface • Interface Configuration
  • Page 56 Note: As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx. The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.
  • Page 57: DHCP Server

    • Configure the Address Pool Range, e.g. from 192.168.2.100 to 192.168.2.199 This sets the lower (From) and upper (To) bound of automatic addresses assigned to clients. • The rest of the settings can be left at defaults • Click Save
  • Page 58 WAN Address (or the customized name matching the WAN/egress interface) Description Text describing the rule, e.g. Guest LAN outbound on WAN • Click Save • Click Apply Changes Alternately, clone existing NAT rules and adjust as needed to match the new LAN.
  • Page 59 Guest/BYOD networks, and other similar scenarios. Warning: A full set of reject rules as described in this example is the best practice. Do not rely on shortcuts such as using policy routing to isolate clients.
  • Page 60 • Configure the rule as follows: Action Pass Interface OPTx (or the custom name) Protocol TCP/UDP Source OPTx subnets (or the custom name) Destination This Firewall (self)
  • Page 61 Echo Request only. This allows devices to use ICMP ping for diagnostic purposes, but no other types of ICMP traffic. Source OPTx subnets (or the custom name) Destination This Firewall (self) Description Allow client ICMP to the firewall • Click Save
  • Page 62 • Configure the rule as follows: Action Reject Interface OPTx (or the custom name) Protocol Source Destination Address or Alias, PrivateNets (the alias created earlier) Description Reject all other traffic to private networks • Click Save
  • Page 63: Apply Changes

    With the rules all in place, click Apply Changes to finish and activate the new rules. The rules should look similar to the following figure: Fig. 17: Example firewall rules for isolated LAN type segment Tip: Rule separators are useful for documenting a ruleset in place.
  • Page 64: Other Services

    When the device boots again, it will be at its factory default settings and accessible from the LAN at https://192.168.1.1. If this procedure fails, connect to the console and perform a factory reset there.
  • Page 65: Additional Resources

    CHAPTER THREE REFERENCES 3.1 Additional Resources 3.1.1 Netgate Training Netgate training offers training courses for increasing your knowledge of pfSense® Plus products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction;...
  • Page 66: Warranty And Support

    • All Specifications subject to change without notice For support information, view support plans offered by Netgate. See also: For more information on how to use pfSense® Plus software, see the pfSense Documentation Resource Library.