Upgrading SG-1100 to SG-2100
-
Hello,
I bought an SG-1100 a while ago and have had it running well since. I decided that I needed a bit more capability, so I bought an SG-2100 (don't have it yet) and was wondering if there are any gotchas or preferred methods of replacing the 1100 with the 2100. Can I just back up the 1100 and restore that backup on the 2100?
Also, I have been thinking of changing my physical configuration a bit. When I bought the 1100, it was to replace a FortiNet box I had, so I have a simple installation:
(Internet) <---> (SG-1100) <---> (Internal Network)
Initially, the 2100 will simply replace the 1100 and the physical configuration will remain the same. But I would like to change things a bit to be:
(Internet) <---> (SG-2100) <---> (DMZ) <---> (FortiNet) <---> (Internal Network)
How will that change the config of the 2100? Is it possible to direct all unsolicited traffic to DMZ boxes and the rest to the FortiNet?
Thanks
Bert
-
@bert-0 Since the 1100 uses VLANs, you might just open a ticket with Netgate, who will convert the file for you to restore.
re: DMZ, if you have multiple public IPs you can use 1:1 NAT to forward all traffic for one to the DMZ IP, and NAT rules for other ports to the Fortinet IP. If not, maybe just a "port 1-65535" rule at the bottom to catch anything higher rules don't catch.
-
Yes, usually you could just import the config and reassign the VLAN interfaces to real interfaces. However, both the 1100 and 2100 have mvneta interfaces, so if you imported it the 2100 would try to use the 1100 config directly without re-assigning, which won't work. Some conversion of the config will be required, but we can do that for you if you open a ticket:
https://www.netgate.com/tac-support-request
Steve
-
@steveits @stephenw10 Sorry for the delay. Sick kids at home :-(
I think I might put the Fortinet idea on the back burner for the time being. I found a document (Security Gateway Manual) that walked me through creating a VLAN port on the 2100 and I think I will go with that until I can figure out exactly what I want to do.
On the 1:1 NAT, how does the NetGate handle that traffic? Does it behave as a router for that traffic and not inspect any of it or does it do every inspection of that traffic that it does to the traffic not part of the 1:1 NAT?
On another note, I have a question that I think I know the answer to but, being new(er) to NetGate, it seemed prudent to throw it out here: Is it possible to have the WAN port configured as a DHCP client and have a static IP address at the same time? I have never seen that to be possible on any other device, but I wanted to be sure.
-
@bert-0 1:1 NAT essentially forwards all ports. You can control that with firewall rules on WAN (allow port 443, block all).
Not sure how it could be possible to use DHCP to have multiple addresses at the same time. Typically, multiple IPs come from one of the following:
- Virtual IPs; for instance, we have a static IP block in our office with a WAN IP and multiple virtual IPs
- multiple WAN interfaces (which you can do on a 2100)
- the ISP/data center routes a subnet to your WAN IP and that subnet is used on an internal interface
I am not sure if one can use DHCP and virtual IPs to have multiple addresses at the same time. The IPs would need to talk to their gateway so the gateway would presumably also need multiple IPs.
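As an added illustration of the two replies above about 1:1 NAT (this is not from any of the thread's participants and is not pfSense-generated output): pfSense implements a 1:1 NAT entry as a pf `binat` rule, which maps every port of the public address to the internal host in both directions, and the inspection is done separately by the WAN firewall rules. The practitioner caveat is that pf translates before it filters, so WAN rules that restrict a 1:1-mapped host must match on the internal (post-translation) address rather than the public one. The interface name, addresses and port below are constructed for the example.

```pf
# Constructed example: one DMZ host behind a 1:1 NAT, with WAN filter rules
# that allow only HTTPS to it. Syntax can be checked with: pfctl -nf <thisfile>
wan_if   = "mvneta0"          # assumed WAN interface name on an SG-2100
dmz_host = "192.168.10.10"    # constructed DMZ server address
pub_ip   = "203.0.113.10"     # constructed extra public IP (added as a WAN Virtual IP in pfSense)

# 1:1 NAT: every port, both directions. Inbound packets to $pub_ip are rewritten
# to $dmz_host; outbound packets from $dmz_host leave as $pub_ip. Nothing here
# restricts ports; that is the job of the filter rules below.
binat on $wan_if from $dmz_host to any -> $pub_ip

# Filtering happens after translation, so inbound WAN rules match the internal
# address. A rule written against $pub_ip would never match the translated packets.
pass in quick on $wan_if inet proto tcp from any to $dmz_host port 443 \
    flags S/SA keep state
block in log quick on $wan_if inet from any to $dmz_host

# Outbound traffic from the DMZ host is governed by the rules on the DMZ-facing
# interface, not by binat; the translation opens nothing by itself.
```

The same ordering applies to pfSense's own generated rules: WAN rules for a 1:1 NAT target or port forward are written with the internal IP as the destination, which is why the GUI's port-forward dialog offers to create the matching firewall rule with that destination already filled in.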
-
You can have the WAN as DHCP and add additional static IPs as VIPs.
You can't have multiple DHCP clients on the same interface/subnet.
Steve
-