Rubicon Netgate-8200 User manual
Security Gateway Manual
Netgate-8200
© Copyright 2023 Rubicon Communications LLC
Mar 14, 2023
Security Gateway Manual Netgate-8200
This Quick Start Guide covers the first time connection procedures for the Netgate® 8200 Security Gateway and will
provide the information needed to keep the appliance up and running.
Tip: Before getting started, a good practice is to download the PDF version of the Product Manual and the PDF
version of the pfSense Documentation in case Internet access is not available during setup.
© Copyright 2023 Rubicon Communications LLC 1
CHAPTER
ONE
OUT OF THE BOX
1.1 Hardware Overview
Fig. 1: Netgate 8200 Security Gateway Front Angled View
1.1.1 1U Rack Mount Design
The Netgate 8200 Security Gateway was designed with rack mounting in mind and comes pre-assembled in a 1U rack
mount configuration. The device can safely be mounted directly above another device in a rack, such as for an HA
configuration.
Note: Parts are included in the box to convert it into a desktop configuration, but this guide assumes the device
remains in its rack mount configuration.
2
Security Gateway Manual Netgate-8200
Fig. 2: Netgate 8200 Security Gateway HA Pair – Front View
1.1.2 Active Cooling
The Netgate 8200 Security Gateway has an actively controlled cooling fan integrated into the chassis baseplate. The
fan automatically adjusts its speed based on the temperature of the device, which allows the unit to remain uncharac-
teristically quiet for such a powerful 1U system
Fig. 3: Netgate 8200 Security Gateway – Bottom View
Warning: Do not block the portion of the fan intake under the network ports. The bottom of the unit can be
placed on top of another device so long as the fan intake under the network ports can pull in air unobstructed.
© Copyright 2023 Rubicon Communications LLC 3
Security Gateway Manual Netgate-8200
1.1.3 Available Storage
The Netgate 8200 Security Gateway is available only in a MAX style configuration with an NVMe SSD for storage.
This model does not have built-in eMMC storage.
1.2 Getting Started
The basic firewall configuration begins with connecting the Netgate® appliance to the Internet. The Netgate appliance
should be unplugged at this time.
Connect one end of an Ethernet cable to the WAN port (shown in the Input and Output Ports section) of the Netgate
appliance. The other end of the same cable should be inserted into a LAN port on the ISP CPE device, such as a cable
or fiber modem. If the CPE device provided by the ISP has multiple LAN ports, any LAN port should work in most
circumstances.
Next, connect one end of a second Ethernet cable to the LAN port (shown in the Input and Output Ports section) of
the Netgate appliance. Connect the other end to the computer.
1.2.1 What next?
To connect to the GUI and configure the firewall in a browser, continue on to Initial Configuration.
To connect to the console and make adjustments before connecting to the GUI, see Connecting to the USB Console
Port.
Warning: The default IP Address on the LAN subnet on the Netgate firewall is 192.168.1.1/24. The same
subnet cannot be used on both WAN and LAN, so if the default IP address on the ISP-supplied modem is also
192.168.1.1/24,disconnect the WAN interface until the LAN interface on the firewall has been renumbered
to a different subnet (like 192.168.2.1/24) to avoid an IP Address conflict.
© Copyright 2023 Rubicon Communications LLC 4
Security Gateway Manual Netgate-8200
To change an interface IP address, choose option 2 from the Console Menu and walk through the steps to change
it, or from the GUI, go through the Setup Wizard (opens at first boot, also found at System > Setup Wizard) and
change the IP address on Step 5. Complete the Wizard and save the changes.
1.3 Initial Configuration
Plug the power cable into the power port (shown in the Input and Output Ports section) to turn on the Netgate®
Firewall. Allow 4 or 5 minutes to boot up completely.
Warning: If the CPE on WAN (e.g. DSL or Cable Modem) has a default IP Address of 192.168.1.1,
disconnect the Ethernet cable from the WAN1 port on the Netgate 8200 Security Gateway before proceeding.
Change the default LAN IP Address of the device during a later step in the configuration to avoid having conflicting
subnets on the WAN and LAN.
1. From the computer, log into the web interface
Open a web browser (Google Chrome in this example) and enter 192.168.1.1 in the address bar. Press
Enter.
Fig. 4: Enter the Default LAN IP Address
2. A warning message may appear. If this message or similar message is encountered, it is safe to proceed. Click
the Advanced Button and then click Proceed to 192.168.1.1 (unsafe) to continue.
3. At the Sign In page, enter the default pfSense®Plus username and password and click Next.
• Default Username: admin
• Default Password: pfsense
1.3.1 The Setup Wizard
The following steps will step through the Setup Wizard for the initial configuration of the firewall.
Note: Ignore the warning to reset the ‘admin’ account password. One of the steps in the Setup Wizard is to change
the default password.
1. Click Next to start the Setup Wizard.
2. Click Next after reading the information on Netgate Global Support.
3. On the General Information page, use the following as a guide to configure the firewall.
Hostname Any desired name can be entered. For the purposes of this guide, the default hostname
pfsense is used.
© Copyright 2023 Rubicon Communications LLC 5
Security Gateway Manual Netgate-8200
Fig. 5: Click Advanced and then Proceed to 192.168.1.1 (unsafe)
Fig. 6: Click Next
© Copyright 2023 Rubicon Communications LLC 6
Security Gateway Manual Netgate-8200
Domain The default home.arpa is used for the purposes of this tutorial.
DNS Servers For purposes of this setup guide, use the Google public DNS servers (8.8.8.8 and
8.8.4.4).
Fig. 7: Type in the DNS Server information and Click Next
4. Use the following information for the Time Server Information page.
Time Server Hostname Use the default time server address.
Timezone Select the time zone for the location of the firewall. For this guide, the Timezone will be
set to America/Chicago for US Central time.
5. The WAN interface is the Public IP address the network will use to communicate with the Internet. Use the
following information for the WAN configuration page.
DHCP is the default and is the most common type of interface for home cable modems.
Default settings for the other items on this page should be acceptable for normal home users.
6. Configuring LAN IP Address & Subnet Mask. The default LAN IP address of 192.168.1.1 and subnet mask
of 24 is usually sufficient.
Tip: If the CPE on WAN (e.g. DSL or Cable Modem) has a default IP Address of 192.168.1.1, disconnect
the Ethernet cable from the WAN1 port on the Netgate 8200 Security Gateway before proceeding.
Change the default LAN IP Address of the device during a later step in the configuration to avoid having
conflicting subnets on the WAN and LAN.
7. Change the Admin Password. Enter the same password in both fields.
© Copyright 2023 Rubicon Communications LLC 7
Security Gateway Manual Netgate-8200
Fig. 8: Change the Timezone and Click Next
Fig. 9: Default Settings Should be Acceptable. Click Next
© Copyright 2023 Rubicon Communications LLC 8
Security Gateway Manual Netgate-8200
8. Click Reload to save the configuration.
9. After a few seconds, a message will indicate the Setup Wizard has completed. To proceed to the pfSense®Plus
dashboard, click Finish.
10. A final notification screen will appear with the Copyright and Trademark Notices. Read and click Accept
to continue to the dashboard.
Fig. 10: Read and Click Accept
If the Ethernet cable was unplugged at the beginning of this configuration, reconnect it to the WAN1 port now.
This completes the basic configuration for the Netgate appliance.
© Copyright 2023 Rubicon Communications LLC 9
Security Gateway Manual Netgate-8200
1.4 pfSense Plus Software Overview
This page provides an overview of the pfSense®Plus dashboard and navigation. It also provides information on how to
perform frequent tasks such as backing up the pfSense®Plus software and connecting to the Netgate firewall console.
1.4.1 The Dashboard
pfSense®Plus software is highly configurable, all of which can be done through the dashboard. This orientation will
help to navigate and further configure the firewall.
Fig. 11: The pfSense®Plus Dashboard
Section 1 Important system information such as the model, Serial Number, and Netgate Device ID for this Netgate
firewall.
Section 2 Identifies what version of pfSense®Plus software is installed, and if an update is available.
Section 3 Describes Netgate Service and Support.
Section 4 Shows the various menu headings. Each menu heading has drop-down options for a wide range of config-
uration choices.
© Copyright 2023 Rubicon Communications LLC 10
Security Gateway Manual Netgate-8200
1.4.2 Re-running the Setup Wizard
To re-run the Setup Wizard, navigate to System > Setup Wizard.
Fig. 12: Re-run the Setup Wizard
1.4.3 Backup and Restore
It is important to backup the firewall configuration prior to updating or making any configuration changes. From the
menu at the top of the page, browse to Diagnostics > Backup/Restore.
Click Download configuration as XML and save a copy of the firewall configuration to the computer con-
nected to the Netgate firewall.
This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore
Configuration.
Note: Auto Config Backup is a built-in service located at Services > Auto Config Backup. This service will save
up to 100 encrypted backup files automatically, any time a change to the configuration has been made. Visit the Auto
Config Backup page for more information.
© Copyright 2023 Rubicon Communications LLC 11
Security Gateway Manual Netgate-8200
Fig. 13: Backup & Restore
Fig. 14: Click Download configuration as XML
© Copyright 2023 Rubicon Communications LLC 12
Security Gateway Manual Netgate-8200
1.4.4 Connecting to the Console
There are times when accessing the console is required. Perhaps GUI console access has been locked out, or the
password has been lost or forgotten.
See also:
Connecting to the USB Console Port. Cable is required.
Tip: To learn more about getting the most out of a Netgate appliance, sign up for a pfSense Plus Software Training
course or browse the extensive Resource Library.
1.4.5 Updates
When a new version of pfSense Plus software is available, the device will indicate the availability of the new version
on the System Information dashboard widget. Users can peform a manual check as well by visiting System > Update.
Users can initiate an upgrade from the System > Update page as needed.
For more information, see the Upgrade Guide.
1.5 Input and Output Ports
Fig. 15: Front view of the Netgate 8200 Security Gateway ports
The numbered labels in this image refer to entries in Networking Ports and Non-Networking Ports.
1.5.1 Non-Networking Ports
Port Description
1 Serial Console (USB or RJ45)
6 Power
7 Fan intake (Do not block)
• Clients can access the serial console using the USB Micro-B (5-pin) serial adapter port and a compatible USB
cable or via the RJ45 “Cisco” style port with a separate cable and USB serial adapter or client hardware port.
Note: Only one type of console connection will work at a time and the RJ45 console connection has priority.
If both ports are connected only the RJ45 console port will function.
• The Power connector is 12VDC with threaded locking connector. Power Consumption 20W (idle)
© Copyright 2023 Rubicon Communications LLC 13
Security Gateway Manual Netgate-8200
• The Netgate 8200 Security Gateway is actively cooled by a fan located on the bottom of the device as mentioned
in Active Cooling. The portion of the fan intake under the networking ports is where it draws in air when mounted
against another device. Do not block this part of the air intake.
1.5.2 Networking Ports
The WAN1 and WAN2 Combo-Ports are shared ports. Each has an RJ-45 port and an SFP port. Only the RJ-45 or the
SFP connector can be used each port.
Note: Each port, WAN1 and WAN2, is discrete and individual. It is possible to use the RJ-45 connector on one port
and the SFP connector on the other.
Port Interface Name Port Name Port Type Port Speed
2 WAN1 ix3 RJ-45/SFP 1 Gbps
3 WAN2 ix2 RJ-45/SFP 1 Gbps
4 WAN3 and WAN4 ix0 and ix1 SFP+ 10 Gbps
5 LAN1 - LAN4 igc0 - 3 RJ-45 2.5 Gbps
Note: The default configuration has all ports assigned as WANs and LANs to match the labels on the back of the
device. These are only pre-defined labels; any port can be renamed and configured for any purpose.
Note: The igc(4) and ix(4) network interfaces on this device do not support fixed speed operation. These
interfaces emulate a speed/duplex choice by limiting the values offered during autonegotiation to the speed/duplex
value selected in the GUI.
The other devices connected to these interfaces must be set to autonegotiate, not to a specific speed or duplex value.
SFP+ Ethernet Ports
WAN3 and WAN4 are discrete ports, each with dedicated 10 Gbps back to the Intel SoC.
Warning: The built-in SFP interfaces on C3000 systems do not support modules utilizing copper Ethernet con-
nectors (RJ45). As such, copper SFP/SFP+ modules are not supported on this platform.
Note: Intel notes the following additional limitations on these interfaces:
Devices based on the Intel(R) Ethernet Connection X552 and Intel(R) Ethernet Connection X553 do not support the
following features:
• Energy Efficient Ethernet (EEE)
• Intel PROSet for Windows Device Manager
• Intel ANS teams or VLANs (LBFO is supported)
• Fibre Channel over Ethernet (FCoE)
• Data Center Bridging (DCB)
© Copyright 2023 Rubicon Communications LLC 14
Security Gateway Manual Netgate-8200
• IPSec Offloading
• MACSec Offloading
In addition, SFP+ devices based on the Intel(R) Ethernet Connection X552 and Intel(R) Ethernet Connection X553 do
not support the following features:
• Speed and duplex auto-negotiation.
• Wake on LAN
• 1000BASE-T SFP Modules
Compatible SFP/SFP+ Modules
Below are some general guidelines for compatible SFP/SFP+ modules:
• Intel-branded SFP+ SR/LR Dual Speed (1G/10G) optical modules.
• Intel-branded SFP+ DA twin-ax cables that comply with SFF-8431 v4.1 and SFF-8472 v10.4 specifications.
Note: Limited to 10G link speed (no 1G support).
• Third party SFP+ DA twin-ax cables that comply with SFF-8431 v4.1 and SFF-8472 v10.4 specifications. Note:
Limited to 10G link speed (no 1G support).
• SFP+ AoCs (Active optical Cables). Note: Limited to 10G link speed (no 1G support).
• Third party SFP+ SR/LR dual speed 1G/10G) optical modules
• SFP+ active copper cables
• 1000BASE-SX / 1000BASE-LX optical modules
Specific known-working modules include:
© Copyright 2023 Rubicon Communications LLC 15
Security Gateway Manual Netgate-8200
Model / Part Number Description
Finisar FTLF1318P3BTL
1000BASE-LX and 1G Fibre Channel (1GFC) 10km
Industrial Temperature Gen 3 SFP Optical Transceiver
Finisar FTLX1471D3BCL
10Gb/s 10km Single Mode Datacom SFP+ Transceiver
Intel FTLX8571D3BCV-IT
1G/10G Dual Rate SFP Fiber Optical Transceiver
Module
Finisar FTLX8574D3BCL
10GBASE-SR/SW 400m Multimode Datacom SFP+
Optical
Transceiver
Finisar FTLF8519P3BNL
1000BASE-SX and 2G Fibre Channel (2GFC) 500m
Extended Temperature SFP Optical Transceiver
Note: Links at 1G, 2G is not supported
1.5.3 Rear Side
Fig. 16: Rear view of the Netgate 8200 Security Gateway
© Copyright 2023 Rubicon Communications LLC 16
Security Gateway Manual Netgate-8200
LED Patterns
Description LED Pattern
Standby Circle solid orange
Power On Circle solid blue
Boot in Process All rapidly flash blue
Boot Completed/Ready Diamond slowly flashes blue
Upgrade Available Square slowly flashes orange
Upgrade in Progress All rapidly flash green
Waiting to Reset All solid red
Reset Confirmed All rapidly flash red
1.5.4 Right Side
Fig. 17: Right side view of the Netgate 8200 Security Gateway
The right side panel of the device (when facing the front of the 1U rack mount) contains:
# Description Purpose
1 Reset Button (Recessed) Used when performing a Factory Reset Procedure.
2 Power Button (Protruding) Graceful shutdown (Hold 5s), hard power off (15s), power on (5s)
3 2x USB 3.0 Ports Connect USB devices – Extended to USB ports on the rack mount
USB Ports
Fig. 18: Netgate 8200 Security Gateway Front View – USB Ports on the Right
USB ports on the device can be used for a variety of purposes.
The primary use for the USB ports is to install or reinstall the operating system on the device. Beyond that, there
are numerous USB devices which can expand the base functionality of the hardware, including some supported by
© Copyright 2023 Rubicon Communications LLC 17
Security Gateway Manual Netgate-8200
add-on packages. For example, UPS/Battery Backups, Cellular modems, GPS units, and storage devices. Though the
operating system also supports wired and wireless network devices, these are not ideal and should be avoided.
1.6 Safety and Legal
1.6.1 Safety Notices
1. Read, follow, and keep these instructions.
2. Heed all warnings.
3. Only use attachments/accessories specified by the manufacturer.
Warning: Do not use this product in location that can be submerged by water.
Warning: Do not use this product during an electrical storm to avoid electrical shock.
1.6.2 Electrical Safety Information
1. Compliance is required with respect to voltage, frequency, and current requirements indicated on the manu-
facturer’s label. Connection to a different power source than those specified may result in improper operation,
damage to the equipment or pose a fire hazard if the limitations are not followed.
2. There are no operator serviceable parts inside this equipment. Service should be provided only by a qualified
service technician.
3. This equipment is provided with a detachable power cord which has an integral safety ground wire intended for
connection to a grounded safety outlet.
a) Do not substitute the power cord with one that is not the provided approved type. If a 3 prong plug is
provided, never use an adapter plug to connect to a 2-wire outlet as this will defeat the continuity of the
grounding wire.
b) The equipment requires the use of the ground wire as a part of the safety certification, modification or
misuse can provide a shock hazard that can result in serious injury or death.
c) Contact a qualified electrician or the manufacturer if there are questions about the installation prior to
connecting the equipment.
d) Protective grounding/earthing is provided by Listed AC adapter. Building installation shall provide appro-
priate short-circuit backup protection.
e) Protective bonding must be installed in accordance with local national wiring rules and regulations.
© Copyright 2023 Rubicon Communications LLC 18
Other Rubicon Gateway manuals
