Netgate SG-4860 User manual

Security Gateway Manual
SG-4860
© Copyright 2002 - 2019 Rubicon Communications LLC
Dec 06, 2019

CHAPTER ONE
GETTING STARTED
The basic firewall configuration begins with connecting the pfSense® appliance to the Internet. Neither the modem
nor the pfSense appliance should be powered on at this time.
Establishing a connection to an Internet Service Provider (ISP) starts with connecting one end of an Ethernet cable to
the WAN port (shown in the Input and Output Ports section) of the pfSense appliance.
Warning: The default LAN subnet on the firewall is 192.168.1.0/24. The same subnet cannot be used on
both WAN and LAN, so if the subnet on the WAN side of the firewall is also 192.168.1.0/24, disconnect the
WAN interface until the LAN interface has been renumbered to a different subnet.
The opposite end of the same Ethernet cable should be inserted into the LAN port of the ISP-supplied modem. The
modem provided by the ISP might have multiple LAN ports. If so, they are usually numbered. For the purpose of this
installation, please select port 1.
The next step is to connect the LAN port (shown in the Input and Output Ports section) of the pfSense appliance to
the computer which will be used to access the firewall console.
Connect one end of the second Ethernet cable to the LAN port (shown in the Input and Output Ports section) of the
pfSense appliance. Connect the other end to the network connection on the computer. In order to access the web
configurator, the PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet
with a subnet mask of 255.255.255.0. Do not use 192.168.1.1, as this is the address of the firewall, and will
cause an IP conflict.
1.1 Initial Setup
The next step is to power up the modem and the firewall. Plug in the power supply to the power port (shown in the
Input and Output Ports section).
Once the modem and pfSense appliance are powered up, the next step is to power up the computer.
Once the pfSense appliance is booted, the attached computer should receive a 192.168.1.x IP address via DHCP
from the pfSense appliance.
1.2 Logging Into the Web Interface
Browse to https://192.168.1.1 to access the web interface. In some instances, the browser may respond with a message
indicating a problem with website security. Below is a typical example in Google Chrome. If this or a similar
message is encountered, it is safe to proceed.
At the login page enter the default pfSense password and username:
Username admin
Password pfsense
Click Login to continue.
1.3 Wizard
Upon successful login, the following is displayed.
1.4 Configuring Hostname, Domain Name and DNS Servers
1.5 Hostname
For Hostname, any desired name can be entered as it does not affect functionality of the firewall. Assigning a hostname
to the firewall will allow the GUI to be accessed by hostname as well as IP address.
For the purposes of this guide, use pfsense for the hostname. The default hostname, pfsense, may be left unchanged.
Once saved in the configuration, the GUI may be accessed by entering http://pfsense as well as http://192.168.1.1.
1.6 Domain
If an existing DNS domain is in use within the local network (such as a Microsoft Active Directory domain), use that
domain here. This is the domain suffix assigned to DHCP clients, which should match the internal network.
For networks without any internal DNS domains, enter any desired domain name. The default localdomain is used
for the purposes of this tutorial.
1.7 DNS Servers
The DNS server fields can be left blank if the DNS Resolver is used in non-forwarding mode, which is the default
behavior. The settings may also be left blank if the WAN connection is using DHCP, PPTP or PPPoE types of Internet
connections and the ISP automatically assigns DNS server IP addresses. When using a static IP on WAN, DNS server
IP addresses must be entered here for name resolution to function if the default DNS Resolver settings are not used.
DNS servers can be specified here even if they differ from the servers assigned by the ISP. Either enter the IP addresses
provided by the ISP, or consider using Google public DNS servers (8.8.8.8, 8.8.4.4). Google DNS servers are
used for the purpose of this tutorial. Click Next after filling in the fields as appropriate.
1.8 Time Server Configuration
1.9 Time Server Synchronization
Setting time server synchronization is quite simple. We recommend using the default pfSense time server address,
which will randomly select an NTP server from a pool.
1.10 Setting Time Zone
Select an appropriate time zone for the location of the firewall. For purposes of this manual, the Timezone setting will
be set to America/Chicago for US Central time.
1.11 Configuring Wide Area Network (WAN) Type
The WAN interface type is the next to be configured. The IP address assigned to this section becomes the Public IP
address that this network will use to communicate with the Internet.
The four possible WAN interface types are Static, DHCP, PPPoE and PPTP. One must be selected from the
drop-down list.
Further information from the ISP is required to proceed when selecting Static, PPPoE or PPTP, such as a login name
and password or, for static addresses, an IP address, subnet mask and gateway address.
DHCP is the most common type of interface for home cable modems. One dynamic IP address is issued from the
ISP DHCP server and will become the public IP address of the network behind this firewall. This address will change
periodically at the discretion of the ISP. Select DHCP as shown and proceed to the next section.
1.12 MAC Address
If replacing an existing firewall, the WAN MAC address of the old firewall may be entered here, if it can be determined.
This can help avoid issues involved in switching out firewalls, such as ARP caches, ISPs locking to single MAC
addresses, etc.
If the MAC address of the old firewall cannot be located, the impact is most likely insignificant. Power cycle the ISP
router and modem and the new MAC address will usually be able to get online. For some ISPs, it may be necessary to
call them when switching devices, or an activation process may be required.
1.13 Configuring MTU and MSS
MTU, or Maximum Transmission Unit, determines the largest protocol data unit that can be passed onwards. A 1500-byte
packet is the largest packet size allowed by Ethernet at the network layer and, for the most part, by the Internet, so
leaving this field blank allows the system to default to 1500-byte packets. PPPoE is slightly smaller at 1492 bytes.
Leave this blank for a basic configuration.
1.14 Configuring DHCP Hostname
Some ISPs specifically require a DHCP Hostname entry. Unless the ISP requires the setting, leave it blank.
1.15 Configuring PPPoE and PPTP Interfaces
Information added in these sections is assigned by the ISP. Configure these settings as directed by the ISP.
1.16 Block Private Networks and Bogons
When enabled, all private network traffic originating on the internet is blocked.
Private addresses are reserved for use on internal LANs and blocked from outside traffic so these address ranges may
be reused by all private networks.
The following inbound address ranges are blocked by this firewall rule:
•10.0.0.1 to 10.255.255.255
•172.16.0.1 to 172.31.255.254
•192.168.0.1 to 192.168.255.254
•127.0.0.0/8
•100.64.0.0/10
•fc00::/7
Bogons are public IP addresses that have not yet been allocated, so they may typically also be safely blocked as they
should not be in active use.
Check Block RFC1918 Private Networks and Block Bogon Networks.
Click Next to continue.
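The following added example (not part of the Netgate manual or of pfSense) checks source addresses seen on the WAN side against the ranges listed in this section, which is a quick way to review a capture or log for spoofed private sources. The packet records are constructed sample data, the three RFC 1918 ranges are written in their standard CIDR form, and the bogon list is not modelled because the manual does not enumerate it.

```python
import ipaddress

# Ranges listed in section 1.16, as CIDR blocks (labels are this example's own).
BLOCKED_ON_WAN = [
    ("private 10/8", ipaddress.ip_network("10.0.0.0/8")),
    ("private 172.16/12", ipaddress.ip_network("172.16.0.0/12")),
    ("private 192.168/16", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("carrier-grade NAT", ipaddress.ip_network("100.64.0.0/10")),
    ("IPv6 unique local", ipaddress.ip_network("fc00::/7")),
]


def blocked_reason(src):
    """Return the label of the listed range containing src, or None."""
    try:
        addr = ipaddress.ip_address(src.strip())
    except ValueError:
        return "unparseable"
    # This script's own choice: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    # private IPv4 source written in IPv6 form is not overlooked in review.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in BLOCKED_ON_WAN:
        if addr.version == net.version and addr in net:
            return label
    return None


# Constructed sample: (source address, destination port) seen inbound on WAN.
SAMPLE_WAN_PACKETS = [
    ("203.0.113.7", 443),
    ("10.4.5.6", 22),
    ("172.31.255.254", 80),
    ("172.32.0.1", 80),           # just outside 172.16.0.0/12
    ("100.64.9.9", 53),
    ("fd12:3456::1", 443),
    ("::ffff:192.168.1.50", 8080),
    ("2001:db8::5", 443),
]


def spoof_candidates(packets):
    """Return (src, dport, reason) for every packet whose source is in a listed range."""
    hits = []
    for src, dport in packets:
        reason = blocked_reason(src)
        if reason is not None:
            hits.append((src, dport, reason))
    return hits


if __name__ == "__main__":
    for src, dport, reason in spoof_candidates(SAMPLE_WAN_PACKETS):
        print(f"{src:>22} -> port {dport:<5} matches {reason}")
```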
1.17 Configuring LAN IP Address & Subnet Mask
A static IP address of 192.168.1.1 and a subnet mask (CIDR) of 24 were chosen for this installation. If there are
no plans to connect this network to any other network via VPN, the 192.168.1.x default is sufficient.
Click Next to continue.
Note: If a Virtual Private Network (VPN) is configured to remote locations, choose a private IP address range more
obscure than the very common 192.168.1.0/24. IP addresses within the 172.16.0.0/12 RFC1918 private
address block are the least frequently used. We recommend selecting a block of addresses between 172.16.x.x
and 172.31.x.x for the least likelihood of VPN connectivity difficulties. An example of a conflict: if
the local LAN is set to 192.168.1.x and a remote user is connected to a wireless hotspot using 192.168.1.x
(very common), the remote client won’t be able to communicate across the VPN to the local network.
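The overlap problem described in this note, and in the WAN/LAN warning at the start of the chapter, can be checked before renumbering. This is an added example, not code from the manual or from pfSense; the network names and addresses in SAMPLE_NETWORKS are constructed, and the function names are this example's own.

```python
import ipaddress

# Values taken from the manual: the default LAN, and the RFC 1918 block it
# recommends choosing from when VPNs are planned.
DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")
RECOMMENDED_POOL = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample: networks this firewall will have to coexist with.
SAMPLE_NETWORKS = {
    "WAN (ISP modem)": "192.168.1.0/24",
    "remote user on hotspot": "192.168.1.37/24",
    "branch office VPN": "172.16.0.0/24",
    "partner VPN": "10.20.0.0/16",
}


def find_conflicts(lan, other_networks):
    """Return the labels of networks whose address space overlaps the LAN."""
    lan = ipaddress.ip_network(lan)
    conflicts = []
    for label, cidr in other_networks.items():
        # strict=False accepts a host address with a mask, e.g. 192.168.1.37/24
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == lan.version and net.overlaps(lan):
            conflicts.append(label)
    return conflicts


def suggest_lan(other_networks, pool=RECOMMENDED_POOL, prefixlen=24):
    """Return the first subnet of pool that overlaps none of the known networks."""
    known = [ipaddress.ip_network(c, strict=False) for c in other_networks.values()]
    for candidate in pool.subnets(new_prefix=prefixlen):
        if not any(k.version == candidate.version and k.overlaps(candidate)
                   for k in known):
            return candidate
    return None  # pool exhausted


if __name__ == "__main__":
    print("Conflicts with default LAN:", find_conflicts(DEFAULT_LAN, SAMPLE_NETWORKS))
    print("Suggested LAN subnet:", suggest_lan(SAMPLE_NETWORKS))
```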
1.18 Change Administrator Password
Select a new Administrator Password and enter it twice, then click Next to continue.
1.19 Save Changes
Click Reload to save configuration.
1.20 Basic Firewall Configured
To proceed to the webConfigurator, make the selection as highlighted. The Dashboard display will follow.
1.21 Backing Up and Restoring
At this point, basic LAN and WAN interface configuration is complete. Before proceeding, back up the firewall
configuration. From the menu at the top of the page, browse to Diagnostics > Backup/Restore.
Click Download Configuration and save a copy of the firewall configuration.
This configuration can be restored from the same screen by choosing the backup file under Restore configuration.
1.22 Connecting to the Console
There are times when accessing the console is required. Perhaps GUI console access has been locked out, or the
password has been lost or forgotten.
See also:
Connecting to the Console Port: Connect to the console. Cable is required.
Tip: To learn more about getting the most out of your pfSense appliance, sign up for a pfSense Training course or
browse our extensive Resource Library.
CHAPTER TWO
INPUT AND OUTPUT PORTS
1) Mini-USB Serial Port
2) USB0 (USB 2.0)
3) USB1 (USB 2.0)
4) WAN (igb1)
5) LAN (igb0)
6) OPT1 (igb2)
7) OPT2 (igb3)
8) OPT3 (igb4)
9) OPT4 (igb5)
10) SATA Activity / Power Indicator
11) Power Input
12) Reset Button
Note: Both the WAN and LAN ports of the pfSense® appliance support auto-MDIX and are capable of utilizing
either straight-through or crossover ethernet cables.
Note: The rubber caps across the top are antenna ports for available wireless options.
The SG-4860 supports six 1000/100/10Base-T Ethernet ports. Two Ethernet ports are connected to the CPU through
an Intel i211 Gbps PCIe MAC/PHY integrated circuit. Four Ethernet ports are connected to the CPU’s on-chip Intel
i354 Gbps MACs through a Marvell 88E1543 quad SGMII/PHY. Each RJ-45 has built-in LEDs with the following
configuration.
Left LED: Green = Link, Blink = Activity
Right LED: Amber = 1 Gbps, Green = 100 Mbps, Off = 10 Mbps
CHAPTER THREE
SAFETY AND LEGAL
•Safety Notices
•Electrical Safety Information
•FCC Compliance
•Industry Canada
•Australia and New Zealand
•CE Marking
•RoHS/WEEE Compliance Statement
–English
–Deutsch
–Español
–Français
–Italiano
•Declaration of Conformity
–Česky [Czech]
–Dansk [Danish]
–Nederlands [Dutch]
–English
–Eesti [Estonian]
–Suomi [Finnish]
–Deutsch [German]
–Ελληνικά [Greek]
–Magyar [Hungarian]
–Íslenska [Icelandic]
–Italiano [Italian]
–Latviski [Latvian]
–Lietuviškai [Lithuanian]
–Malti [Maltese]
–Norsk [Norwegian]
–Slovensky [Slovak]
–Svenska [Swedish]
–Español [Spanish]
–Polski [Polish]
–Português [Portuguese]
–Română [Romanian]
•Disputes
•Applicable Law
•Site Policies, Modification, and Severability
•Miscellaneous
•Limited Warranty
3.1 Safety Notices
1. Read, follow, and keep these instructions.
2. Heed all warnings.
3. Only use attachments/accessories specified by the manufacturer.
Warning: Do not use this product in a location that can be submerged by water.
Warning: Do not use this product during an electrical storm to avoid electrical shock.
3.2 Electrical Safety Information
1. Compliance is required with respect to voltage, frequency, and current requirements indicated on the manufacturer’s
label. Connection to a different power source than those specified may result in improper operation,
damage to the equipment or pose a fire hazard if the limitations are not followed.
2. There are no operator serviceable parts inside this equipment. Service should be provided only by a qualified
service technician.
3. This equipment is provided with a detachable power cord which has an integral safety ground wire intended for
connection to a grounded safety outlet.
a) Do not substitute the power cord with one that is not the provided approved type. If a 3 prong plug is
provided, never use an adapter plug to connect to a 2-wire outlet as this will defeat the continuity of the
grounding wire.
b) The equipment requires the use of the ground wire as a part of the safety certification; modification or
misuse can provide a shock hazard that can result in serious injury or death.
c) Contact a qualified electrician or the manufacturer if there are questions about the installation prior to
connecting the equipment.
d) Protective grounding/earthing is provided by Listed AC adapter. Building installation shall provide appropriate
short-circuit backup protection.
e) Protective bonding must be installed in accordance with local national wiring rules and regulations.
3.3 FCC Compliance
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority
to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the
following two conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.
Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant
to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference
when the equipment is operated in a residential environment.
3.4 Industry Canada
This Class B digital apparatus complies with Canadian ICES-3(B). This Class B digital apparatus complies with
the Canadian standard NMB-3(B).
3.5 Australia and New Zealand
This is an AMC Compliance level 2 product. This product is suitable for domestic environments.
3.6 CE Marking
CE marking on this product indicates that the product is in compliance with all directives that are applicable to it.
3.7 RoHS/WEEE Compliance Statement
3.7.1 English
European Directive 2002/96/EC requires that the equipment bearing this symbol on the product and/or its packaging
must not be disposed of with unsorted municipal waste. The symbol indicates that this product should be disposed
of separately from regular household waste streams. It is your responsibility to dispose of this and other electric and
electronic equipment via designated collection facilities appointed by the government or local authorities. Correct
disposal and recycling will help prevent potential negative consequences to the environment and human health. For
more detailed information about the disposal of your old equipment, please contact your local authorities, waste
disposal service, or the shop where you purchased the product.
3.7.2 Deutsch
European Directive 2002/96/EC requires that equipment bearing this symbol directly on the device and/or on its
packaging must not be disposed of together with unsorted municipal waste. The symbol indicates that the product
should be disposed of separately from regular household waste. It is your responsibility to dispose of this device
and other electrical and electronic devices via the collection points designated for this purpose by the government
or local authorities. Proper disposal and recycling helps to avoid potential negative consequences for the
environment and human health. If you need further information on the disposal of your old equipment, please contact
your local authorities or municipal waste disposal services, or the retailer from whom you purchased the product.
3.7.3 Español
EU Directive 2002/96/EC requires that equipment bearing this symbol on the device itself and/or on its packaging
must not be disposed of together with other unsorted municipal waste. The symbol indicates that the product in
question must be separated from conventional household waste for disposal. It is your responsibility to dispose of
this and any other electrical and electronic equipment through the collection points made available by the
government and local authorities. By disposing of and recycling this equipment correctly, you will help to avoid
possible negative consequences for the environment and human health. For more detailed information on the safe
disposal of your used equipment, consult your local authorities or the waste collection and disposal service in your
area, or ask at the shop where you purchased the product.
3.7.4 Français
European Directive 2002/96/EC requires that equipment bearing this symbol on the product and/or its packaging must
not be thrown away with other household refuse. This symbol indicates that the product must be disposed of through
a channel separate from that for household waste. It is your responsibility to dispose of this equipment, and any
other electrical or electronic equipment, through the collection means indicated by the government and local public
authorities. Proper disposal and recycling are intended to combat the potential harmful impact of this type of
product on the environment and public health. For more information on how to dispose of your old equipment, please
contact your local public authorities, the waste treatment service, or the place where you purchased the product.
3.7.5 Italiano
European Directive 2002/96/EC requires that equipment marked with this symbol on the product and/or on the
packaging must not be disposed of together with unsorted municipal waste. The symbol indicates that this product
must not be disposed of together with normal household waste. It is the owner’s responsibility to dispose of both
these products and other electrical and electronic equipment through the specific collection facilities indicated by
the government or local public bodies. Correct disposal and recycling will help prevent potentially negative
consequences for the environment and for human health. For more detailed information about the disposal of old
equipment in your possession, please contact the competent public bodies, the waste disposal service, or the shop
where you purchased the product.
3.8 Declaration of Conformity
3.8.1 Česky [Czech]
NETGATE hereby declares that this NETGATE device is in compliance with the essential requirements and other relevant
provisions of Directive 1999/5/EC.
3.8.2 Dansk [Danish]
The undersigned, NETGATE, hereby declares that the following equipment, NETGATE device, complies with the essential
requirements and other relevant requirements of Directive 1999/5/EC.
3.8.3 Nederlands [Dutch]
NETGATE hereby declares that the NETGATE device is in conformity with the essential requirements and
the other relevant provisions of Directive 1999/5/EC. NETGATE hereby declares that this NETGATE device
complies with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
3.8.4 English
Hereby, NETGATE declares that this NETGATE device is in compliance with the essential requirements and other
relevant provisions of Directive 1999/5/EC.
3.8.5 Eesti [Estonian]
NETGATE hereby confirms that the NETGATE device complies with the essential requirements of Directive 1999/5/EC
and with the other relevant provisions arising from that Directive.
3.8.6 Suomi [Finnish]
NETGATE hereby declares that this NETGATE device type of equipment is in compliance with the essential requirements
of Directive 1999/5/EC and the other provisions of the Directive that apply to it.
Français [French]
NETGATE hereby declares that the Netgate device is in compliance with the essential requirements and other relevant
provisions of Directive 1999/5/EC.
3.8.7 Deutsch [German]
Netgate hereby declares that this NETGATE device is in compliance with the essential requirements
and the other relevant provisions of Directive 1999/5/EC. (BMWi)
3.8.8 Ελληνικά [Greek]
NETGATE hereby declares that NETGATE device complies with the essential requirements and the other relevant
provisions of Directive 1995/5/EC.