Netgate Discussion Forum
    Can't get my 4100 to work!

    15 Posts 6 Posters 1.4k Views
    • rcoleman-netgate (Netgate) @BartH

      @barth said in Can't get my 4100 to work!:

      I asked, and was told I could just back up my current configuration and restore it to the 4100, just change the port assignments. That didn't work as after the restore, the only ports that showed were the igb ports from my old machine, and none of the igc or ix ports that are on the new one.

      Have you opened a ticket for support? https://www.netgate.com/tac-support-request It should be a direct conversion but we can give it a look-see to determine if there's something getting in your way.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

      • stephenw10 (Netgate Administrator)

        Yup, open a ticket and we can get you going.

        However what I expect to see when you import a config would be something like this:

        [Screenshot from 2022-11-15 19-33-45.png: interface assignment page after importing a config]

        The defined interfaces from the imported config are listed and the available interfaces from the 4100 are in the dropdown selections. They default to the first interface, igc0, there.

        But you can see that the config I imported as a test would not be easy to reassign because I have VLANs and PPPoE interfaces and those are still built on the igb NICs from the previous firewall. In that particular case I would convert the config manually before importing.

        Steve

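As an added example (not from the thread, Netgate or pfSense itself): a small script that performs the check Steve describes, walking a pfSense config.xml to find which physical NICs the interface assignments, VLANs and PPPoE links are built on, and flagging the ones that do not exist on the new device. The config sample and the target NIC names are constructed; the element layout follows the pfSense config.xml format as far as I know it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml taken from
# an old firewall with igb NICs (not a real configuration).
OLD_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>pppoe0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb1.20</if><descr>IOT</descr></opt1>
  </interfaces>
  <vlans><vlan><if>igb1</if><tag>20</tag><vlanif>igb1.20</vlanif></vlan></vlans>
  <ppps><ppp><ptpid>0</ptpid><type>pppoe</type><if>pppoe0</if><ports>igb0</ports></ppp></ppps>
</pfsense>"""

# NICs present on the target device (assumed names for a 4100-class box).
NEW_NICS = {"igc0", "igc1", "igc2", "igc3", "ix0", "ix1"}


def physical_refs(config_xml):
    """Map every assigned interface to the physical NIC it ultimately sits on.

    VLAN and PPPoE entries are resolved down to their parent NIC, because that
    is where a restored config keeps pointing at the previous firewall's hardware.
    """
    root = ET.fromstring(config_xml)
    vlan_parent = {v.findtext("vlanif"): v.findtext("if") for v in root.iter("vlan")}
    ppp_ports = {p.findtext("if"): p.findtext("ports") for p in root.iter("ppp")}
    refs = {}
    for iface in root.find("interfaces"):
        name = iface.findtext("if")
        if name in vlan_parent:
            refs[f"{iface.tag} (vlan {name})"] = vlan_parent[name]
        elif name in ppp_ports:
            refs[f"{iface.tag} (pppoe {name})"] = ppp_ports[name]
        else:
            refs[iface.tag] = name
    return refs


def stale_refs(config_xml, available):
    """Physical NICs the config relies on that the new device does not have."""
    return {k: v for k, v in physical_refs(config_xml).items() if v not in available}


if __name__ == "__main__":
    for assignment, nic in stale_refs(OLD_CONFIG, NEW_NICS).items():
        print(f"{assignment}: built on {nic}, which is not present on the new device")
```

Every reported entry has to be re-pointed (VLAN parent, PPPoE port or plain assignment) before the restored config will offer the new igc/ix ports for it.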
        • BartH @stephenw10

          @stephenw10
          That's exactly what I saw. The problem I had was that the new igc ports were just not offered in the pull-down lists.

          So, I did a reset and set it up from scratch.

          • BartH

            Well, I have the 4100 up and running and am using it right now. I do have some specific problems and, when I get my questions down to a manageable level and can ask with reasonable clarity, I'll post here.

            I'm impressed with the number of replies I received and want to thank all who did.

            Bart

            • BartH

              It has become glaringly obvious that I don't know as much as I think I know, and certainly not as much as I need to know! So, before I get this mess all set up and then learn I should have done it differently, I'd like to run my proposed setup by everyone.

              From the outside in, I have two ISPs. A cable connection which is fairly quick but not as reliable as it could be. A DSL line that is rock solid but barely fast enough. I'm thinking failover.

              As you know, a 4100 router.
              A TP-Link 28 port managed switch (SG3428X)

              Vlan1 with the router and switch
              Vlan10 (General) with my computers (5), printers (3), Synology NAS, and a file / print server. All systems are running openSUSE linux except one Windows laptop.
              Vlan20 (IOT) with 2 security panels, 1 NVR for surveillance and an Apple TV streaming device.
              Vlan30 (Phones) for wifi access for my phones. They do not need access to my network.

              I have two TP-Link access points that I want to create two separate SSIDs on, one for the phones which need only internet, the other for the laptops which will give access to my network including internet. I have a TP-Link OC200 controller for these APs, but I don't want it messing with the switch.

              One of my computers is pretty much dedicated to maintaining the system. Should that go on a maintenance Vlan?
              I have no security considerations from inside my system. No employees or kids here.

              I am a security freak and while I know the only really secure policy is to disconnect from the internet, I would like to make it hard enough that potential attacks will look for an easier target.

              Should be simple, right?

              Bart

              • rcoleman-netgate (Netgate) @BartH

                @barth

                @barth said in Can't get my 4100 to work!:

                I would like to make it hard enough that potential attacks will look for an easier target.

                If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                Ryan

                • BartH @rcoleman-netgate

                  @rcoleman-netgate said in Can't get my 4100 to work!:

                  @barth

                  @barth said in Can't get my 4100 to work!:

                  I would like to make it hard enough that potential attacks will look for an easier target.

                  If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                  Is that an absolute statement? My security system seems to use P2P. They won't discuss their system. I guess I can understand that.

                  • Gertjan @BartH

                    @barth said in Can't get my 4100 to work!:

                    Is that an absolute statement?

                    Every router (firewall) is based on that concept.
                    Take a sub-$10 TP-whatever device or a multi-million Cisco engine: they are basically doing the same thing out of the box.
                    Up until today, all goes well; as long as you have no rules on the WAN interfaces, you're fine.

                    There is still one big danger factor: the user that administrates the router.

                    @barth said in Can't get my 4100 to work!:

                    My security system seems to use P2P

                    The protocol a LAN device is using isn't important, although I would ask myself questions if it was FTP.
                    You do have to trust any device you hook up into your LANs, and if in doubt, isolate it on a LAN dedicated to that (those) device(s) and forbid access from this LAN to other LANs; forbid pfSense (SSH, GUI) access as well.
                    But, hey, who would buy or use a device that you wouldn't trust?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit: and where are the logs??

                    • stephenw10 (Netgate Administrator)

                      Exactly, that's why you put IoT devices on a separate VLAN and treat them as hostile.

                      You certainly could add an 'admin' VLAN that has access to everything. Then restrict access to the firewall itself to only that. Potentially you could limit access to other device config to that source too.

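As an added example (not from the thread or from pfSense): a policy model of the advice in Gertjan's and Steve's posts above, applied to Bart's VLAN plan plus an admin VLAN. It answers "is this flow supposed to pass?" so the intended rule set can be checked against concrete flows before or after it is built in the pfSense GUI. The subnets, the management and DNS ports and the VLAN names are assumptions; pfSense is taken to be the .1 gateway on each VLAN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the VLANs described in the thread (assumed subnets).
NETS = {
    "GENERAL": ipaddress.ip_network("192.168.10.0/24"),
    "IOT": ipaddress.ip_network("192.168.20.0/24"),
    "PHONES": ipaddress.ip_network("192.168.30.0/24"),
    "ADMIN": ipaddress.ip_network("192.168.40.0/24"),
}
FIREWALL_IPS = {str(net[1]) for net in NETS.values()}   # pfSense is .1 on every VLAN
MGMT_PORTS = {22, 443}      # pfSense SSH and web GUI (assumed defaults)
BASIC_PORTS = {53}          # DNS served by pfSense to every VLAN
ISOLATED = {"IOT", "PHONES"}   # "treat as hostile": Internet only, no access to other LANs
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def src_vlan(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETS.items() if addr in net), None)


def decide(flow):
    """First-match policy: True if the intended rule set should pass this flow."""
    vlan = src_vlan(flow.src)
    if vlan is None:
        return False                      # not sourced from one of our VLANs
    to_firewall = flow.dst in FIREWALL_IPS
    if to_firewall and flow.dport in MGMT_PORTS:
        return vlan == "ADMIN"            # GUI/SSH reachable from the admin VLAN only
    if to_firewall and flow.dport in BASIC_PORTS:
        return True                       # DNS to the local gateway is allowed everywhere
    if vlan in ISOLATED:
        return not is_private(flow.dst)   # outbound Internet only, nothing on other LANs
    return True                           # GENERAL and ADMIN are otherwise unrestricted
```

Port forwards from WAN are deliberately absent from the model: as the posts above say, nothing here requires inbound connections, so the WAN side stays at the pfSense default of no allowed ports.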
                      • SteveITS (Galactic Empire) @BartH

                        @barth said in Can't get my 4100 to work!:

                        @rcoleman-netgate said in Can't get my 4100 to work!:

                        If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                        Is that an absolute statement? My security system seems to use P2P. They won't discuss their system.

                        Allowing "the Internet" to connect to port 443 (or 80 or 22 or any other port) on your router WAN is not related to your security system. Hackers will happily try to log in to anything they find, all day long, if given the opportunity.

                        The default pfSense configuration is no allowed ports on WAN, so double check your WAN rules.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                        • stephenw10 (Netgate Administrator)

                          Indeed, that^.
                          I would not expect anything to require you to open ports to allow inbound connections. I would have some serious questions if they do! Usually IoT devices will all open outbound connections and expect not to be filtered that way. And that is fine; it doesn't open the firewall to direct attack by doing that. The risk here is that whatever they connect to is hacked in some way and those devices then pull in some bad code, a firmware update for example, or they are already open to connections from anything they are connected to. Now you have a rogue device that's already behind your firewall. And that is why you treat IoT devices as hostile.

                          Steve

                          • BartH

                            SOLVED!

                            After opening a support contract with Netgate, my problems were solved in short order. They had me send my config file to them and emailed a response within a few minutes.

                            Thanks to all who responded.

                            Bart

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.