Netgate Discussion Forum

    Can'y get my 4100 to work!

    • BartH @stephenw10

      @stephenw10
      That's exactly what I saw. The problem I had was that the new, igc ports were just not offered in the pull down lists.

      So, I did a reset and set it up from scratch.

    • BartH

        Well, I have the 4100 up and running and am using it right now. I do have some specific problems and, when I get my questions down to a manageable level and can ask with reasonable clarity, I'll post here.

        I'm impressed with the number of replies I received and want to thank all who did.

        Bart

    • BartH

          It has become glaringly obvious that I don't know as much as I think I know, and certainly not as much as I need to know! So, before I get this mess all set up and then learn I should have done it differently, I'd like to run my proposed setup by everyone.

          From the outside in, I have two ISPs. A cable line which is fairly quick but not as reliable as it could be. A DSL line that is rock solid but barely fast enough. I'm thinking failover.

          As you know, a 4100 router.
          A TP-Link 28 port managed switch (SG3428X)

          Vlan1 with the router and switch
          Vlan10 (General) with my computers (5), printers (3), Synology NAS, and a file / print server. All systems are running openSUSE linux except one Windows laptop.
          Vlan20 (IOT) with 2 security panels, 1 NVR for surveillance and an Apple TV streaming device.
          Vlan 30 (Phones) for wifi access for my phones. They do not need access to my network.

          I have two TP-Link access points that I want to create two separate SSIDs on, one for the phones which need only internet, the other for the laptops which will give access to my network including internet. I have a TP-Link OC200 controller for these APs only I don't want it messing with the switch.

          One of my computers is pretty much dedicated to maintaining the system. Should that go on a maintenance Vlan?
          I have no security considerations from inside my system. No employees or kids here.

          I am a security freak and while I know the only really secure policy is to disconnect from the internet, I would like to make it hard enough that potential attacks will look for an easier target.

          Should be simple, right?

          Bart

    • rcoleman-netgate (Netgate) @BartH

            @barth

            @barth said in Can'y get my 4100 to work!:

            I would like to make it hard enough that potential attacks will look for an easier target.

            If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

    • BartH @rcoleman-netgate

              @rcoleman-netgate said in Can'y get my 4100 to work!:

              @barth

              @barth said in Can'y get my 4100 to work!:

              I would like to make it hard enough that potential attacks will look for an easier target.

              If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

              Is that an absolute statement? My security system seems to use P2P. They won't discuss their system. I guess I can understand that.

    • Gertjan @BartH

                @barth said in Can'y get my 4100 to work!:

                Is that an absolute statement?

                Every router (firewall) is based on that concept.
                Take a sub 10$ Tpwhatever device, or a multi million Cisco engine : they are basically doing the same out of the box.
                Up until today, all goes well; as long as you have no rules on the WAN interfaces, you're fine.

                There is still one big danger factor: the user who administers the router.

                @barth said in Can'y get my 4100 to work!:

                My security system seems to use P2P

                The protocol a LAN device is using isn't important although I would ask myself questions if it was FTP.
                You do have to trust any device you hook up into your LANs, and if in doubt, isolate it on a LAN dedicated for that (these) device(s) and forbid access from this LAN to other LANs; forbid also pfSense (SSH, GUI) access.
                But, hey, who would buy or use a device that you wouldn't trust ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

    • stephenw10 (Netgate Administrator)

                  Exactly, that's why you put IoT devices on a separate VLAN and treat them as hostile.

                  You certainly could add an 'admin' VLAN that has access to everything. Then restrict access to the firewall itself to only that. Potentially you could limit access to other device config to that source too.

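To make Gertjan's "isolate it on its own LAN and forbid access to the other LANs and to pfSense" and Steve's "admin VLAN that alone may manage the firewall" concrete, here is an added example (my own code, not pfSense's and not anything the thread's participants posted): a small first-match rule evaluator in the style of pfSense interface rules, with the four VLANs from Bart's plan. Every address, port and rule in it is a constructed assumption chosen to mirror the plan; the `192.168.x.0/24` ranges, the `203.0.113.2` WAN address and the `198.51.100.10` internet host are made up.

```python
"""Added example (not pfSense code): a first-match model of the VLAN policy
discussed in this thread. Every address, port and rule below is a constructed
assumption chosen to mirror the thread's plan, not a config from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the thread's VLAN plan (assumption).
VLANS = {
    "ADMIN": ip_network("192.168.1.0/24"),     # router, switch, maintenance box
    "GENERAL": ip_network("192.168.10.0/24"),  # computers, printers, NAS
    "IOT": ip_network("192.168.20.0/24"),      # panels, NVR, Apple TV
    "PHONES": ip_network("192.168.30.0/24"),   # phones: internet only
}
# pfSense's own address on each VLAN (.1) plus a constructed WAN address;
# together they play the role of pfSense's "This Firewall (self)" alias.
FIREWALL_ADDRS = {next(n.hosts()) for n in VLANS.values()} | {ip_address("203.0.113.2")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = frozenset({22, 443})  # SSH and the web GUI


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    dst: object                        # "any", "this_firewall", or a list of networks
    ports: Optional[frozenset] = None  # None means any destination port


def matches(rule: Rule, dst_ip, dst_port: int) -> bool:
    """Does this rule apply to a packet headed for dst_ip:dst_port?"""
    if rule.ports is not None and dst_port not in rule.ports:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "this_firewall":
        return dst_ip in FIREWALL_ADDRS
    return any(dst_ip in net for net in rule.dst)


def evaluate(policy: dict, src_iface: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule on the ingress interface wins; no match means block,
    which mirrors pfSense's implicit default deny on every interface."""
    addr = ip_address(dst_ip)
    for rule in policy.get(src_iface, []):
        if matches(rule, addr, dst_port):
            return rule.action
    return "block"


# Rules for a VLAN that should only ever reach the internet (IoT, phones).
# Order matters: the specific blocks must come before the catch-all pass.
INTERNET_ONLY = [
    Rule("pass", "this_firewall", frozenset({53})),  # DNS from the pfSense resolver
    Rule("block", "this_firewall"),                  # no SSH, GUI or anything else on pfSense
    Rule("block", RFC1918),                          # no other VLANs
    Rule("pass", "any"),                             # everything left is the internet
]

POLICY = {
    "ADMIN": [Rule("pass", "any")],                  # the one VLAN allowed to manage pfSense
    "GENERAL": [Rule("block", "this_firewall", MGMT_PORTS), Rule("pass", "any")],
    "IOT": INTERNET_ONLY,
    "PHONES": INTERNET_ONLY,
    "WAN": [],  # pfSense default: no WAN rules, so inbound traffic hits the implicit deny
}

# The classic mistake: putting "pass any" first turns the later blocks into dead rules.
MISORDERED = {"IOT": [Rule("pass", "any")] + INTERNET_ONLY[:-1]}

# Constructed flows to audit the policy against the thread's stated intent.
FLOWS = [
    ("IOT NVR -> NAS (SMB)",         ("IOT", "192.168.10.20", 445)),
    ("IOT NVR -> internet (HTTPS)",  ("IOT", "198.51.100.10", 443)),
    ("IOT -> pfSense GUI",           ("IOT", "192.168.20.1", 443)),
    ("IOT -> pfSense DNS",           ("IOT", "192.168.20.1", 53)),
    ("Phone -> printer",             ("PHONES", "192.168.10.30", 9100)),
    ("Admin box -> pfSense GUI",     ("ADMIN", "192.168.1.1", 443)),
    ("General PC -> pfSense GUI",    ("GENERAL", "192.168.10.1", 443)),
    ("Internet -> pfSense WAN GUI",  ("WAN", "203.0.113.2", 443)),
]


def audit(policy: dict = POLICY) -> dict:
    """Map each named flow to the decision the policy gives it."""
    return {name: evaluate(policy, *flow) for name, flow in FLOWS}


if __name__ == "__main__":
    for name, decision in audit().items():
        print(f"{decision:5}  {name}")
    print("misordered IoT NAS flow:", evaluate(MISORDERED, "IOT", "192.168.10.20", 445))
```

Running it shows the IoT and phone VLANs reaching the internet and the firewall's DNS only, the general VLAN reaching everything except the pfSense GUI and SSH, the admin VLAN reaching the firewall, and an empty WAN rule set blocking inbound connections outright (Ryan's and Steve's point). The `MISORDERED` variant shows why rule order matters: with "pass any" first, the NVR gets to the NAS. The model leaves out the automatic rules pfSense adds on its own (for its DHCP server, for example), so use it for reasoning about a plan, not as a substitute for checking the actual rules in the GUI.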
    • SteveITS @BartH

                    @barth said in Can'y get my 4100 to work!:

                    @rcoleman-netgate said in Can'y get my 4100 to work!:

                    If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                    Is that an absolute statement? My security system seems to use P2P. They won't discuss their system.

                    Allowing "the Internet" to connect to port 443 (or 80 or 22 or any other port) on your router WAN is not related to your security system. Hackers will happily try to log in to anything they find, all day long, if given the opportunity.

                    The default pfSense configuration is no allowed ports on WAN, so double check your WAN rules.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

    • stephenw10 (Netgate Administrator)

                      Indeed, that^.
                      I would not expect anything to require you open ports to allow inbound connections. I would have some serious questions if they do! Usually IoT devices will all open outbound connections and expect to not be filtered that way. And that is fine, it doesn't open the firewall to direct attack by doing that. The risk here is that whatever they connect to is hacked in some way and those devices then pull in some bad code, a firmware update for example, or they are already open to connections from anything they are connected to. Now you have a rogue device that's already behind your firewall. And that is why you treat IoT devices as hostile.

                      Steve

    • BartH

                        SOLVED!

                        After opening a support contract with Netgate, my problems were solved in short order. They had me send my config file to them and emailed a response within a few minutes.

                        Thanks to all who responded.

                        Bart

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.