
Author Topic: New SG-3100  (Read 1893 times)


Offline Phonebuff

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
New SG-3100
« on: September 14, 2017, 01:02:32 pm »

So I am looking to replace an old Soekris box that is just not handling the new 2.3.4.p1 code. 

https://store.netgate.com/SG-3100.aspx

But I am confused by the wording of the guide a little -  https://www.netgate.com/docs/sg-3100/io-ports.html

Today I have a WAN, LAN (172.16.20.0/24), and two other LAN Networks (DMZ) (172.20.100.0/24 & 172.20.200.0/24) configurations so four total ethernet ports --

Can I do this with the SG-3100, or are the four Switched Ethernet ports just a bridged LAN?

WAN -- Comcast
OPT1 -- DMZ-1 172.20.100.0/24
Switch (Lan 1 -4 )  -- 172.16.20.1/24
??????   DMZ-2 172.20.200.0/24 

I see I might be able to dump a small netgear switch, but how do I get the second DMZ ?

I also have two VPNs to other sites, but this box looks more than capable of handling this --

TIA on the insight for this new hardware. 

My alternative is the SG-2440 but this 3100 is much better priced and may fit the bill.


Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: New SG-3100
« Reply #1 on: September 14, 2017, 01:29:26 pm »
Great question..  I would hope you could vlan the ports off as their own interface(s) so all 4 in one network, or 4 different networks and then vlans on top of those as well just like you could with an actual NIC interface.

But this is a great question, since this is the first pfSense device that I am aware of that has a "switch" included.  I did see that the uplink from this switch is 2.5gb to the soc.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RELEASE on VM esxi 6.5 (home)

Offline jahonix

  • Hero Member
  • *****
  • Posts: 2403
  • Karma: +144/-14
  • volunteer since 2006
    • View Profile
Re: New SG-3100
« Reply #2 on: September 14, 2017, 01:37:38 pm »
This should be quite similar, even though it's about the smaller SG-1000
https://www.netgate.com/blog/ive-got-99-problems-but-a-switch-aint-one.html
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21300
  • Karma: +1418/-26
    • View Profile
Re: New SG-3100
« Reply #3 on: September 14, 2017, 03:21:41 pm »
It will be possible on there to have port-based VLANs where you segment those ports off into different networks (e.g. making a new VLAN and then setting it untagged on a specific port), just like you would do on a switch.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 545
  • Karma: +73/-4
    • View Profile
Re: New SG-3100
« Reply #4 on: September 14, 2017, 09:46:38 pm »
Just remember that the 4-port switch is linked at 2.5 Gbps to the pfSense LAN interface... so you won't be able to use more than two switch ports to full capacity if you're going to have inter-VLAN routing going on.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9047
  • Karma: +1032/-306
    • View Profile
Re: New SG-3100
« Reply #5 on: September 15, 2017, 01:20:11 am »
Yes, but ports on the same VLAN will be handled in the switch without having to be handed off to the SoC. Silly things like bridging interfaces onto one "LAN" should be a thing of the past on the SG-3100.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline virgiliomi

Re: New SG-3100
« Reply #6 on: September 15, 2017, 07:56:53 am »
> Yes, but ports on the same VLAN will be handled in the switch without having to be handed off to the SoC. Silly things like bridging interfaces onto one "LAN" should be a thing of the past on the SG-3100.

True, though my thought was more if you have one VLAN on one port, another VLAN on another port, then routing between them would be handed back to the SoC, etc. But yes, same VLANs stay within the switch.

Offline Phonebuff

Re: New SG-3100
« Reply #7 on: October 13, 2017, 06:26:55 am »

Good Morning,

  Received an email that my order has been delayed due to the need for additional testing of a driver fix.  I have no issue with this and as long as it ships in 2017 I am fine. 

  But for those in the know I am curious, since the note said driver issue, is this something in a FreeBSD module or a custom driver you all did for this device.  If it's a base FreeBSD driver, is there a link to the issue you are addressing available ?

  TIA....


Offline jimp

Re: New SG-3100
« Reply #8 on: October 13, 2017, 08:06:19 am »
> Received an email that my order has been delayed due to the need for additional testing of a driver fix.  I have no issue with this and as long as it ships in 2017 I am fine.
>
> But for those in the know I am curious, since the note said driver issue, is this something in a FreeBSD module or a custom driver you all did for this device.  If it's a base FreeBSD driver, is there a link to the issue you are addressing available ?

It's due to the length of the network interface driver name, it's causing problems with the way we currently name VLANs. Rather than rename the driver and maintain more technical debt, we are changing how the VLAN interfaces are named so they are not so long they overrun the FreeBSD name limit. That was a bigger change than we felt comfortable making for 2.4-RELEASE, so we're taking a week or so to implement and test that and a few other small fixes to roll into 2.4.1.

Offline Phonebuff

Re: New SG-3100
« Reply #9 on: October 13, 2017, 08:41:46 am »

 :)   Sounds great.   Thank you very much for the information. 

     I am replacing an older Soekris and small Switch. 

     So there is no rush from my side. 

     

Offline gsmornot

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: New SG-3100
« Reply #10 on: October 17, 2017, 12:14:46 pm »
> > Received an email that my order has been delayed due to the need for additional testing of a driver fix.  I have no issue with this and as long as it ships in 2017 I am fine.
> >
> > But for those in the know I am curious, since the note said driver issue, is this something in a FreeBSD module or a custom driver you all did for this device.  If it's a base FreeBSD driver, is there a link to the issue you are addressing available ?
>
> It's due to the length of the network interface driver name, it's causing problems with the way we currently name VLANs. Rather than rename the driver and maintain more technical debt, we are changing how the VLAN interfaces are named so they are not so long they overrun the FreeBSD name limit. That was a bigger change than we felt comfortable making for 2.4-RELEASE, so we're taking a week or so to implement and test that and a few other small fixes to roll into 2.4.1.

Do you think the SG-3100 will start shipping Friday as planned? I pre-ordered. My other question is, can I restore my current configuration to the SG-3100? I am currently running on an older small form factor desktop which has been great but looking to move to the new device. Since having this I have it just how I like it.

Offline jimp

Re: New SG-3100
« Reply #11 on: October 17, 2017, 12:18:09 pm »
> Do you think the SG-3100 will start shipping Friday as planned? I pre-ordered.

Unless something else comes up in the meantime, it should still be Friday, or potentially Monday/early next week depending on how large the backorder queue is.

> My other question is, can I restore my current configuration to the SG-3100? I am currently running on an older small form factor desktop which has been great but looking to move to the new device. Since having this I have it just how I like it.

Yes, you'll need to point it at the new interface names but otherwise the configuration will carry over fine.

Offline gsmornot

Re: New SG-3100
« Reply #12 on: October 17, 2017, 12:49:15 pm »
> > Do you think the SG-3100 will start shipping Friday as planned? I pre-ordered.
>
> Unless something else comes up in the meantime, it should still be Friday, or potentially Monday/early next week depending on how large the backorder queue is.
>
> > My other question is, can I restore my current configuration to the SG-3100? I am currently running on an older small form factor desktop which has been great but looking to move to the new device. Since having this I have it just how I like it.
>
> Yes, you'll need to point it at the new interface names but otherwise the configuration will carry over fine.

Thank you, understand, and looking forward to it.

Offline gsmornot

Re: New SG-3100
« Reply #13 on: October 17, 2017, 02:27:26 pm »
> > Do you think the SG-3100 will start shipping Friday as planned? I pre-ordered.
>
> Unless something else comes up in the meantime, it should still be Friday, or potentially Monday/early next week depending on how large the backorder queue is.
>
> > My other question is, can I restore my current configuration to the SG-3100? I am currently running on an older small form factor desktop which has been great but looking to move to the new device. Since having this I have it just how I like it.
>
> Yes, you'll need to point it at the new interface names but otherwise the configuration will carry over fine.

Maybe this is a dumb question but will I be able to access the web interface after the restore if the interface names are wrong in order to correct them? If not, would it be best to modify the xml to correct the interface names prior to the restore? Hope that makes sense.

Offline jimp

Re: New SG-3100
« Reply #14 on: October 17, 2017, 02:32:45 pm »
> Maybe this is a dumb question but will I be able to access the web interface after the restore if the interface names are wrong in order to correct them? If not, would it be best to modify the xml to correct the interface names prior to the restore? Hope that makes sense.

You can do it either way. After restore it will take you to a page to reassign the interfaces if you want to do it that way. You can edit into the config before restore if you like, too. I prefer to edit them in, but either way works.
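Added example, not part of the thread and not Netgate's code: one way to do the "edit the interface names into the config before restore" step discussed above, while also checking the FreeBSD interface name limit from Reply #8. It fails closed on any unmapped interface so a restored rule set cannot silently land on the wrong segment. Assumptions: the sample backup is constructed, the `em*` to `mvneta*` mapping is illustrative, the `_vlan` and dotted forms stand in for the old and new VLAN naming schemes (the thread does not spell them out), and only the `<interfaces>` and `<vlans>` sections are handled.

```python
import xml.etree.ElementTree as ET

IFNAMSIZ = 16  # FreeBSD limit, including the trailing NUL: 15 usable characters

# Constructed sample backup, not taken from the thread.
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <lan><if>em1</if></lan>
    <opt1><if>em1_vlan100</if></opt1>
    <opt2><if>em1_vlan4000</if></opt2>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>100</tag><vlanif>em1_vlan100</vlanif></vlan>
    <vlan><if>em1</if><tag>4000</tag><vlanif>em1_vlan4000</vlanif></vlan>
  </vlans>
</pfsense>"""

def vlan_name(parent, tag, dotted=True):
    """Build a VLAN interface name (assumed schemes); reject over-long names."""
    name = f"{parent}.{tag}" if dotted else f"{parent}_vlan{tag}"
    if len(name) >= IFNAMSIZ:
        raise ValueError(f"{name!r} is {len(name)} chars, limit is {IFNAMSIZ - 1}")
    return name

def remap(xml_text, nic_map, dotted=True):
    """Return (new_xml, assignments) with physical and VLAN names rewritten."""
    root = ET.fromstring(xml_text)
    names = dict(nic_map)  # old name -> new name, extended with VLAN names
    for vlan in root.findall("./vlans/vlan"):
        parent = vlan.find("if")
        if parent.text not in nic_map:
            raise KeyError(f"no mapping for VLAN parent {parent.text!r}")
        new = vlan_name(nic_map[parent.text], vlan.findtext("tag"), dotted)
        names[vlan.findtext("vlanif")] = new
        parent.text = nic_map[parent.text]
        vlan.find("vlanif").text = new
    assignments = {}
    for iface in root.find("interfaces"):
        node = iface.find("if")
        if node.text not in names:
            raise KeyError(f"{iface.tag} uses unmapped interface {node.text!r}")
        node.text = assignments[iface.tag] = names[node.text]
    return ET.tostring(root, encoding="unicode"), assignments
```

Review the returned assignments against the intended WAN/LAN/DMZ layout before restoring the rewritten file.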