pfSense SG-4860 User manual

SG-4860 pfSense® SECURITY GATEWAY APPLIANCE
Quick Start Guide

Table of Contents
Introduction
pfSense system
Hardware Features
Flexibility built in
Software Features
Warranty and Support Information
I/O Ports
Initial Configuration
Logging into the web interface
Dashboard
Configuring Hostname, Domain Name and DNS Servers
Hostname
Domain
DNS Servers
Time Server Configuration
Time Server Synchronization
Configuring Wide Area Network (WAN) Type
MAC address
Configuring MTU and MSS
Configuring DHCP Hostname
Configuring PPPoE and PPTP Interfaces
Configuring LAN IP Address & Subnet Mask
Change Administrator Password
Basic Firewall Configuration Complete
Backing up and restoring
Console Access by Serial Interface
Mini USB Serial Interface
Serial Terminal Emulation Client
Accessing the Console
Configuring Serial Terminal Emulator
Additional Support
pfSense University
Other Support Options
Safety Notices
Electrical Safety Information
Limited Warranty
FCC Compliance
Industry Canada
Australia and New Zealand
CE Marking
RoHS/WEEE Compliance Statement
English
Deutsch
Español
Français
Italiano
Declaration of Conformity

Introduction
Thank you for your purchase of the pfSense® SG-4860 Security Gateway Appliance with pfSense® 2.2.x.
The hardware platform in combination with the popular open source pfSense software provides a powerful,
reliable, cost-effective solution for your network security needs.
This Quick Start Guide will assist with the basic configuration of the pfSense SG-4860 system.
The system comes pre-assembled and ready to be configured.
pfSense system
The pfSense SG-4860 Security Gateway Appliance is a pfSense system, featuring the flexibility of pfSense
software as a firewall, LAN or WAN router, VPN router, DHCP Server, DNS Server, or other special purpose
Appliance.
This purchase goes directly to support pfSense development. By choosing a pfSense ® system you financially
support open source software and gain peace of mind that your system has been vetted and tested by the
pfSense core team at Netgate.
One common barrier to choosing and implementing open source software is the availability of prompt,
professional support from knowledgeable individuals. We eliminate that barrier for pfSense users by
providing paid support, consulting and development services to the open source community. Free support is
also available on the forums hosted at https://forum.pfsense.org
Hardware Features
pfSense SG-4860 mini-ITX NFV / Communications Board
with 4 core Intel® Atom™ C2558 CPU, 8GB memory, 4GB flash, and 6 GbE Intel Ethernet Ports
Overview
Designed to serve as your modern low-cost, low-power production platform of choice for cost-sensitive
edge and communication appliances. The SG-4860 works as the core for your intelligent CPE, VoIP PBX,
Internet Gateway, firewall, VPN router or layered security appliance. This fanless Intel Atom (Rangeley)
based advanced communication platform is designed with low power requirements for long life and solid
reliability.
The quad core Intel® C2558 processor sports six 10/100/1000 Mb Intel Ethernet ports, 8 GB of DDR3L
memory, and 4 GB of onboard eMMC flash memory for program storage. You can expand this system with
additional program and data storage through the mSATA or SATA II port. Additional communications
options are possible with miniPCIe slots for WiFi or 3G/4G/LTE cellular cards.
The rear panel offers easy access to all interfaces and provides 5 SMA/RP-SMA sized antenna cutouts.

Flexibility built in
The base price includes the pfSense SG-4860 system board preloaded with pfSense software version 2.2.1.
Enhance your system to suit your specific needs with:
mSATA SSD
Wireless cards, pigtails and antennas
Cellular modem
Other miniPCIe and USB cards

Software Features:
pfSense is an open source, full-featured firewall and router platform based on FreeBSD 10.1.
Arrives pre-loaded with pfSense software
IPv6 – support for IPv6 connectivity
Captive portal – presents a splash page to all users upon connecting to your network, optionally
with authentication. This is commonly used with wireless hot spots, or as an additional layer of
protection for wireless networks with authentication against a local user database, or external
RADIUS server such as Microsoft Active Directory.
VPN – Three types of VPNs are supported: IPsec, OpenVPN and PPTP. You can use these options to
connect roaming users for remote access, or for site-to-site connectivity to connect multiple locations.
Multi-WAN – multiple Internet connections with failover and load balancing are supported. In
combination with a VLAN-capable switch, you can connect numerous Internet connections over a
single physical interface on the firewall.
Dynamic DNS – if your public IP is dynamic, you may want to sign up with a dynamic DNS provider
and use the Dynamic DNS client to keep your hostname updated. This is especially helpful if you
want to access services like VPN remotely.
In-place upgrades. No need to disassemble system to upgrade, patch or add packages.
pfSense provides a software packaging system which allows for the extension of functionality
beyond its extensive core feature set.
Core features include:
Stateful firewall based on FreeBSD packet filter
RADIUS support
NAT support
Load balancing
VPN: IPsec, OpenVPN, PPTP
Dynamic DNS client
DHCP Server and Relay functions
PPPoE Server
Reporting and monitoring features with real time information
Warranty and Support Information
Need current Support Statement
One year manufacturer’s hardware warranty.
Free support for all pfSense questions is available through the free pfSense forum or mailing list.
Standard 30 day return policy

All Specifications subject to change without notice.
I/O Ports
Figure 1
Initial Configuration
Connect an Ethernet cable to port 5 as shown in Figure 1 above. Do not use any other port for initial web
configuration. Connect the other end of the Ethernet cable to the computer you will be performing the
initial configuration from. Make certain the network interface card on the PC is configured for DHCP in
order to access the web configurator upon initial setup.
Connect the WAN interface from ISP/Modem to port 4 shown in Figure 1. Static IP configurations such as
PPPoE or PPTP are configured later.
Connect the power cable to port 11 shown in Figure 1 of the unit, insert the power adapter connector into a
power source and power the unit up. The pfSense SG-4860 will boot and be ready for the initial
configuration after approximately two minutes.
Once the system is booted, the attached computer should receive a 192.168.1.x IP address from the DHCP
server that is active on the pfSense appliance.
Logging into the web interface
Browse to https://192.168.1.1 to access the web interface. In some instances, the browser will respond with
a message indicating a problem with an untrusted certificate. This is normal as the pfSense system issues a
self-signed certificate. Figure 2 is a typical example from Google Chrome. If this message or similar
messages are encountered, it is safe to proceed.
Figure 2
I/O port legend (Figure 1):
1 Mini-USB Serial Port
2 USB0 (USB 2.0)
3 USB1 (USB 2.0)
4 WAN - IGB0
5 LAN - IGB1
6 Opt1 - IGB2
7 Opt2 - IGB3
8 Opt3 - IGB4
9 OPT4 - IGB5
10 SATA Activity / Power Indicator
11 Power Input
12 Reset Button

Login Procedure
The login appears as depicted in Figure 3
Figure 3
Enter the following default username and password
Username: admin
Password: pfsense
Select LOGIN to continue
Dashboard
Upon successful login, the following is displayed as shown in Figure 4
Figure 4

Configuring Hostname, Domain Name and DNS Servers
Figure 5
Hostname
For hostname, you may enter anything as it does not affect functionality of the firewall. Assigning a
hostname to the firewall will allow you to access the GUI console by hostname as well as IP address.
For the purposes of this guide, we will use pfsense for the Hostname as shown in Figure 5.
The default hostname, pfsense, may be left unchanged.
Once saved in the configuration, console access can be reached by entering http://pfsense as well as
http://192.168.1.1
Domain
If you have an existing DNS domain in use within your network (such as a Microsoft Active Directory
domain), use that domain here. This is the domain suffix assigned to DHCP clients, which you will want to
match your internal network.
For networks without any internal DNS domains, you can enter anything you want.
We have chosen demodomain for the purposes of this Quick Start Guide.
DNS Servers
The DNS server fields may be left blank if you have a WAN connection using DHCP, PPTP or PPPoE types of
Internet connections and the ISP assigns DNS server IP addresses. When using a static IP on WAN, you must
enter DNS server IP addresses here for name resolution to function. You can specify DNS servers here even if
your ISP assigns different ones. Either enter the IP addresses provided by your ISP, or consider using a
service like OpenDNS (www.opendns.com), which allows for options such as custom filtering
and phishing protection. Using Google’s public DNS servers (8.8.8.8, 8.8.4.4) is another popular choice. We
have chosen Google DNS servers for the purpose of this Quick Start Guide. Click “Next” after filling in the
fields as appropriate.
Time Server Configuration
Figure 6
Time Server Synchronization
Setting time server synchronization is quite simple. We recommend using the default pfSense time server as
displayed in Figure 6.
Setting Time Zone
Select the appropriate time zone for your location. For purposes of this manual, the Timezone setting will be
set to US/Central as displayed in Figure 7.
Configuring Wide Area Network (WAN) Type
The WAN interface type is the next to be configured. The IP address assigned to this section becomes the
Public IP address that your network uses to communicate with the Internet.
Figure 7
Figure 7 depicts the 4 possible WAN interface types: Static, DHCP, PPPoE and PPTP. You must select one
from the drop-down list to proceed.
When selecting Static, PPPoE or PPTP, you will need further information from your ISP to proceed, such as
login name and password or, for static addresses, subnet mask and gateway address.
DHCP is the most common type of interface for home cable modems. One dynamic IP address is issued
from the ISP’s DHCP server and will become the public IP address of your network. This address will change
periodically at the discretion of the ISP. Choose DHCP as shown in Figure 8 and proceed to the next section,
MAC Address, MTU and MSS:
Figure 8
MAC address
Figure 9
If replacing an existing firewall, you may want to enter the old firewall’s WAN MAC address here, if you can
easily determine it. This avoids common issues involved in switching out firewalls, such as ARP caches, ISPs
locking to single MAC addresses, etc.
If you are not able to enter the MAC address of your current firewall here, the impact is most likely
insignificant. Power cycle your router and modem and your new MAC address will usually be able to get
online. For some ISPs, you have to call when switching devices, or go through an activation process.
Configuring MTU and MSS
Figure 10
MTU or Maximum Transmission Unit determines the largest protocol data unit that can be passed onwards.
A 1500-byte packet is the largest packet size allowed by Ethernet at the network layer. Leaving this field
blank allows the system to default to 1500-byte packets. PPPoE packets are slightly smaller at 1492 bytes.
We recommend leaving this blank for a basic configuration. MSS and MTU must be set to the same packet
size if you configure them.

Configuring DHCP Hostname
Figure 11
Some ISPs specifically require a DHCP Hostname entry. Otherwise, you may leave this blank.
Configuring PPPoE and PPTP Interfaces
Figure 12
The information entered in these sections is assigned by your ISP. Please populate these fields
according to the information provided by your ISP.
Block Private Networks and Bogons
Figure 13
All private network traffic originating on the Internet is blocked by this rule.
Private addresses are reserved for use on internal LANs and blocked from outside traffic so these address
ranges may be reused by all private networks.
The following inbound address ranges are blocked by this firewall rule:
10.0.0.1 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.1 to 192.168.255.255
127.0.0.0/8
fc00::/7
Bogons are IP addresses that are reserved and should not be seen on the Internet. Check Block RFC1918
Private Networks and Block Bogon Networks. Select NEXT to continue.
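The check this rule performs can be reproduced offline to review which WAN-side source addresses would be dropped. The following is an added example, not code from pfSense or Netgate: it writes the blocked ranges as CIDR blocks (the RFC1918 blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, plus 127.0.0.0/8 and fc00::/7) and runs them over constructed records in a simplified "interface source destination" format that is an assumption of this example, not the pfSense filter log format.

```python
import ipaddress

# Ranges covered by "Block private networks", written as CIDR blocks.
BLOCKED_PRIVATE = {
    "RFC1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "IPv6 ULA": ipaddress.ip_network("fc00::/7"),
}


def classify_source(src):
    """Return the label of the blocked range containing src, None if the
    address is outside all of them, or "invalid" if it does not parse."""
    try:
        addr = ipaddress.ip_address(src.strip())
    except ValueError:
        return "invalid"
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 address;
    # test the embedded address so it cannot sidestep the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in BLOCKED_PRIVATE.items():
        if addr.version == net.version and addr in net:
            return label
    return None


def audit_wan_sources(records):
    """Scan "iface src dst" records (hypothetical format) and return
    (line_number, source, label) for every WAN packet whose source is
    private, loopback, ULA or unparseable. Other interfaces are skipped,
    because private sources are expected on the LAN side."""
    findings = []
    for number, line in enumerate(records.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 3 or fields[0].lower() != "wan":
            continue
        label = classify_source(fields[1])
        if label is not None:
            findings.append((number, fields[1], label))
    return findings


# Constructed sample records; public addresses are documentation ranges.
SAMPLE_RECORDS = """\
wan 198.51.100.7 203.0.113.10
wan 10.20.30.40 203.0.113.10
lan 192.168.1.50 8.8.8.8
wan 172.31.255.254 203.0.113.10
wan 172.32.0.1 203.0.113.10
wan ::ffff:192.168.0.9 203.0.113.10
wan fd12:3456::1 2001:db8::1
wan not-an-ip 203.0.113.10
"""

if __name__ == "__main__":
    for number, src, label in audit_wan_sources(SAMPLE_RECORDS):
        print(f"line {number}: {src} -> {label}")
```

Note that 172.32.0.1 is not flagged: the 172.16.0.0/12 block ends at 172.31.255.255, exactly as the list above states.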
Configuring LAN IP Address & Subnet Mask
Figure 14
A static IP address 192.168.1.1 and a subnet mask of /24 (255.255.255.0) was chosen for this installation. If
you don’t plan to connect your network to any other network via VPN, the 192.168.1.1 default is sufficient.
Select NEXT to continue.
Note: If you set up a Virtual Private Network (VPN) from remote locations, you should choose a private IP address
range more obscure than the very common 192.168.1.0/24. IP addresses within the 172.16.0.0/12 RFC1918 private
address block are least frequently used. We recommend selecting a block of addresses between 172.16.x and
172.31.x for least likelihood of having VPN connectivity difficulties. An example of a conflict: if your LAN
is set to 192.168.1.1 and you connect to a wireless hotspot using 192.168.1.1 (very common), you won’t be able to
communicate across the VPN to your local network.
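The conflict described in the note can be checked before a LAN range is committed. The following is an added example, not part of the original guide or of pfSense: it tests a planned LAN against networks that remote VPN users are likely to sit on, and proposes the first free /24 inside 172.16.0.0/12. The function names and the list of remote networks are assumptions made for illustration.

```python
import ipaddress

# The RFC1918 block the note recommends choosing a LAN range from.
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")


def to_network(text):
    """Accept a host address with prefix ("192.168.1.1/24", as entered in
    the LAN wizard) or a network ("192.168.1.0/24") and return the network."""
    return ipaddress.ip_interface(text).network


def vpn_conflicts(lan, client_networks):
    """Return the client-side networks that overlap the firewall LAN.
    A VPN client sitting on an overlapping network routes that range to
    its local segment instead of into the tunnel."""
    lan_net = to_network(lan)
    return [
        str(to_network(net))
        for net in client_networks
        if to_network(net).overlaps(lan_net)
    ]


def suggest_lan(avoid, prefix=24, pool=RFC1918_172):
    """Return the first subnet of the given prefix length inside pool that
    overlaps none of the networks in avoid, or None if the pool is used up."""
    avoid_nets = [to_network(net) for net in avoid]
    for candidate in pool.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(taken) for taken in avoid_nets):
            return str(candidate)
    return None


# Constructed list of networks a roaming user might connect from.
SAMPLE_CLIENT_NETWORKS = [
    "192.168.1.0/24",   # typical hotspot or home router default
    "10.0.0.0/8",       # large corporate guest network
    "192.168.0.0/16",   # supernet that also contains 192.168.1.0/24
    "172.16.0.0/24",    # already used at another site
]

if __name__ == "__main__":
    default_lan = "192.168.1.1/24"
    print("conflicts with", default_lan, "->",
          vpn_conflicts(default_lan, SAMPLE_CLIENT_NETWORKS))
    print("suggested LAN ->", suggest_lan(SAMPLE_CLIENT_NETWORKS))
```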

Change Administrator Password
Figure 15
Select a new Administrator Password and enter it twice as shown in Figure 15, then select NEXT to continue.
Save Changes
Figure 16
Click RELOAD to save the configuration.
Basic Firewall Configuration Complete
Figure 17

To proceed to the webConfigurator, make the selection as highlighted in Figure 17.
The Dashboard display will follow.
Dashboard
Figure 18
Backing up and restoring
At this point, basic LAN and WAN interface configuration is complete. Before proceeding, you should back up
your configuration. From the Dashboard, browse to Diagnostics and select Backup/Restore.
Figure 19

Figure 20
Select Download Configuration and save a copy of your configuration.
Figure 21
You can restore this configuration from the same screen by choosing your backup file under Restore
configuration.
Note: pfSense SG-4860 can be configured from iOS devices; however, the webConfigurator may not perform
as described on an iPhone, iPad, or iPod Touch. When browsing from one of these devices, switching to a
different theme will resolve this issue. The default theme functions correctly on an Android browser;
however, switching to a simpler theme will allow for easier navigation.
Console Access by Serial Interface
There are times you may want to access the console through the pfSense SG-4860 serial interface. Perhaps
you have accidentally locked yourself out of the GUI console or you may want to assign a new password. To
do so, serial console access must be gained. A serial terminal emulation program and a Mini-USB cable are
required.

Mini USB Serial Interface
The pfSense SG-4860 has an integrated Silicon Labs EFM32™ USB microcontroller that makes it simple to
access the serial console without the requirement of a null modem cable.
Serial Terminal Emulation Client
A serial terminal emulation program is required to access the pfSense SG-4860 console through the mini USB
serial interface. Microsoft Windows no longer includes HyperTerminal in Versions 7 and higher. PuTTY is
free and can be downloaded from:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Accessing the Console
Connect a Mini USB cable to port #1 as shown in Figure 1 on the pfSense SG-4860 and the other to a USB
2.0 port on the computer with a terminal emulation program installed.
Configuring Serial Terminal Emulator
PuTTY must be configured to communicate with the pfSense SG-4860. In order to do so, you must first
know which COM port your computer has assigned to your serial port. Even if you assigned your serial port to
COM1 in the BIOS, Windows may remap it to a different COM port. To determine this, you must open
Windows Device Manager and view the COM port assignment.
Figure 22

Open PuTTY and locate the Session display as shown in Figure 23. Set the COM port to that which is
displayed in Windows Device Manager and the Speed to 115200.
Figure 23
Match the COM port with what was reported in Windows Device Manager. We will use COM3 for this
example. The SG-4860 serial port speed is 115200 bits per second. The speed of the BIOS and the speed of
the console must match, so change the speed in PuTTY to 115200 bps.
Select Open and press the Enter key several times, and the following will be displayed.

Figure 24
Additional Support
Newly purchased eligible firewall products come with one year of per-incident support by Netgate, the
company behind the pfSense project. If eligible for support, you will receive a postcard-sized document
with your device with instructions on activating support. The support provided by Netgate covers questions
or problems you may experience with pfSense or the hardware appliance purchased from pfSense.
Configuration Review and Configuration Assistance
Support does not cover complex tasks such as CARP configuration for redundancy on multiple firewalls
or circuits, network design, and conversion from other firewalls to pfSense. These items are offered as
professional services and can be purchased and scheduled accordingly. Please
see https://www.pfsense.org/our-services/professional-services.html for more details.
pfSense University
pfSense University offers courses for increasing your knowledge of pfSense products and services. Whether
you need to maintain or improve the security skills of your staff or offer highly specialized support and
improve your customer satisfaction, pfSense University has got you covered.
https://www.pfsense.org/university/

Other Support Options
https://www.pfsense.org/get-support/#community-support
Additional Documentation
This guide illustrates the basics for getting up and running with your SG-4860.
There is much more that can be accomplished with pfSense software. The best source of information is
the book pfSense 2.2.x: The Definitive Guide available to Gold pfSense subscribers at
https://portal.pfsense.org. Community documentation is freely available from the pfSense site at
https://doc.pfsense.org
Safety Notices
1. Read, follow, and keep these instructions.
2. Heed all warnings.
3. Only use attachments/accessories specified by the manufacturer.
WARNING: Do not use this product in a location that can be submerged by water.
WARNING: Do not use this product during an electrical storm to avoid electrical shock.
Electrical Safety Information
1. Compliance is required with respect to voltage, frequency, and current requirements indicated
on the manufacturer’s label. Connection to a different power source than those specified may
result in improper operation, damage to the equipment or pose a fire hazard if the limitations are
not followed.
2. There are no operator serviceable parts inside this equipment. Service should be provided only
by a qualified service technician.
3. This equipment is provided with a detachable power cord which has an integral safety ground
wire intended for connection to a grounded safety outlet.
a. Do not substitute the power cord with one that is not the provided approved type. Never use an
adapter plug to connect to a 2-wire outlet as this will defeat the continuity of the grounding wire.
b. The equipment requires the use of the ground wire as a part of the safety certification,
modification or misuse can provide a shock hazard that can result in serious injury or death.
c. Contact a qualified electrician or the manufacturer if there are questions about the installation
prior to connecting the equipment.
d. Protective grounding/earthing is provided by Listed AC adapter. Building installation shall
provide appropriate short-circuit backup protection.
e. Protective bonding must be installed in accordance with local national wiring rules and
regulations.
Limited Warranty
DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY
THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) AND OTHER
SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY
US ON AN “AS IS” AND “AS AVAILABLE” BASIS, UNLESS OTHERWISE SPECIFIED IN WRITING. WE MAKE NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE OPERATION OF THE
PRODUCTS/SERVICES, OR THE INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER
SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES, UNLESS
OTHERWISE SPECIFIED IN WRITING. YOU EXPRESSLY AGREE THAT YOUR USE OF THE PRODUCTS/SERVICES IS AT YOUR SOLE
RISK.
TO THE FULL EXTENT PERMISSIBLE BY APPLICABLE LAW, RUBICON COMMUNICATIONS, LLC (RCL) AND ELECTRIC SHEEP
FENCING (ESF) DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. RCL AND ESF DO NOT WARRANT THAT THE
PRODUCTS/SERVICES, INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES
INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES, RCL’S OR ESF’S SERVERS OR
ELECTRONIC COMMUNICATIONS SENT FROM RCL OR ESF ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. RCL
AND ESF WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF ANY PRODUCTS/SERVICES, OR
FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES INCLUDED ON
OR OTHERWISE MADE AVAILABLE TO YOU THROUGH ANY PRODUCTS/SERVICES, INCLUDING, BUT NOT LIMITED TO DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING.
IN NO EVENT WILL RCL’S OR ESF’S LIABILITY TO YOU EXCEED THE PURCHASE PRICE PAID FOR THE PRODUCT OR SERVICE
THAT IS THE BASIS OF THE CLAIM.
CERTAIN STATE LAWS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES OR THE EXCLUSION OR LIMITATION OF
CERTAIN DAMAGES. IF THESE LAWS APPLY TO YOU, SOME OR ALL OF THE ABOVE DISCLAIMERS, EXCLUSIONS, OR
LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MIGHT HAVE ADDITIONAL RIGHTS.
DISPUTES
ANY DISPUTE OR CLAIM RELATING IN ANY WAY TO YOUR USE OF ANY PRODUCTS/SERVICES, OR TO ANY
PRODUCTS OR SERVICES SOLD OR DISTRIBUTED BY RCL OR ESF WILL BE RESOLVED BY BINDING ARBITRATION
IN AUSTIN, TEXAS, RATHER THAN IN COURT. The Federal Arbitration Act and federal arbitration law apply to
this agreement.