SG-2100 port configuration, active connection, how to?
-
Hi, got a new SG-2100, pfSense 23.09.1. I am used to my SG-1100, which has separate ports WAN/LAN/OPT. With the 2100, I discovered it is WAN and then a four-port LAN switch -- I want four distinct ports on different networks. So I found chapter 10 in the "Security Gateway Manual, Netgate SG-2100" and followed that VLAN guide for ports 2-4; this works. But my https and ssh connection from my Mac goes into port 1 to get to 192.168.1.1, and I read someplace that you cannot reconfigure an active port. So how do I get port 1 configured with 802.1Q VLANs like the other ports, from port 2?
I plugged a second laptop into port 2, wrote a "pass all and log" firewall rule in LAN to allow ipv4 tcp+udp traffic in from LAN2 (subnet 192.168.2.1/24, aka port 2), then tried to ssh or https from 192.168.2.10 to 192.168.1.1 -- nada. No fw rule traffic logged, no access.
I'm stumped. I don't want to mess with LAN, 192.168.1.1/24 until I can get to 192.168.1.1 from a different port. I've already locked myself out once and had to do a factory reset, and I don't want to repeat this.
Right now my like so:
I want to create a LAN1 interface, VLAN 4091, network 192.168.1.1/24. How to do this?
-
@beerguzzle said in SG-2100 port configuration, active connection, how to?:
So I found chapter 10 in the "Security Gateway Manual, Netgate SG-2100" and followed that VLAN guide for ports 2-4, this works.
@beerguzzle said in SG-2100 port configuration, active connection, how to?:
I plugged a second laptop into port 2, wrote a "pass all and log" firewall rule in LAN to allow ipv4 tcp+udp traffic in from LAN2 (subnet 192.168.2.1/24, aka port 2), then tried to ssh or https from 192.168.2.10 to 192.168.1.1 -- nada. No fw rule traffic logged, no access.
If ports 2-4 work as expected after following the guide you should be able to connect from LAN2 to LAN if firewall rules exist.
Are you able to reach other external sites from LAN2?
You're correct that you should not try to reconfigure the LAN whilst connected to it. It's _very_ easy to lock yourself out in that situation. But it's absolutely possible to add port 1 as a VLAN like the other ports. Just do it whilst connected via a different port.
Steve
-
@beerguzzle is there a benefit though? Isn’t port 1 the only remaining port on LAN…?
-
I would choose to put all ports on a VLAN given a choice there. My preference is always to avoid having tagged and untagged traffic on the same link if possible. Here that's the internal link. The reason is that if, for some reason, traffic that should be tagged gets untagged it will end up on the LAN rather than just being dropped by pfSense. That's less of an issue here since there are only 4 ports and you're unlikely to be making frequent changes. But I have seen exactly that with more complex networks with multiple managed switches etc.
Steve
-
All things considered, I would like to have a "LAN1" tagged VLAN 4091, network 192.168.1.1/24 in place, like I did with LAN2-4, following chapter 10 of the guide.
Then I would have firewall rules to determine which ports can talk to each other. I probably f'ed up my LAN<->LAN2 rule to allow me to plug into LAN2 and get to 192.168.1.1. I will stare at it some more.
BTW, on my 1100 all three ports use VLANs, see below. I don't remember any major pain setting this up and my notes don't give any of the details about doing it. I didn't have to move wires around to configure the LAN interface as a VLAN. But that's different hardware.
-
@beerguzzle The 1100 has only one interface which is a 3 port switch, so the VLANs there are the default configuration.
You should be able to do it just fine, just connect using one of the other ports and then configure your last port.
@stephenw10 Ah. So in this case since all ports are untagged, doing so would prevent the case where someone unconfigures port 4 and drops it back to LAN? In essence then, LAN still exists but none of the ports are using it. One could just create block rules on LAN then...?
-
If you have the pfSense interface only accept tagged traffic then it doesn't matter if someone accidentally connects directly to the trunk or a downstream switch forgets it's config and starts passing all traffic untagged. pfSense will just drop it.
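The two posts above (the "avoid mixing tagged and untagged traffic on one link" advice and the "pfSense will just drop it" reply) describe a behaviour of the 802.1Q tag, not anything pfSense-specific, so here is an added example to make it concrete. This is illustration code written for this page, not code from the thread, from Netgate or from pfSense. It builds Ethernet II frames with and without an 802.1Q tag, parses them the way a receiving interface would, and then shows where the same traffic lands under two parent-interface policies: one with an untagged LAN plus tagged VLANs (the SG-2100 default the original poster started from) and one with tagged VLANs only (the all-ports-on-a-VLAN layout Steve recommends). VLAN 4091 is the ID used in the thread; 4092-4094, the MAC addresses and the payload are constructed for the example.

```python
"""Tagged vs untagged frame delivery on a router parent interface (illustrative, not pfSense code)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses/payload for the demo; not from the thread.
DST_MAC = bytes.fromhex("02000000aa01")
SRC_MAC = bytes.fromhex("02000000bb02")
PAYLOAD = b"constructed IPv4 payload"


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        header = dst + src + struct.pack("!H", ethertype)
    else:
        if not 1 <= vlan_id <= 4094:          # 0 = priority-tagged, 4095 = reserved
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | vlan_id  # PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
        header = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload). vlan_id is None for untagged or priority-tagged frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 0:                             # VID 0 carries only priority; treat as untagged
        return None, inner_type, frame[18:]
    return vid, inner_type, frame[18:]


def deliver(frame, vlan_interfaces, untagged_interface=None):
    """Name the logical interface that receives the frame, or 'DROP' if none claims it."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return untagged_interface if untagged_interface else "DROP"
    return vlan_interfaces.get(vid, "DROP")


def demo():
    """Same LAN2 traffic, once correctly tagged and once with the tag lost, under both policies."""
    vlan_ifs = {4091: "LAN1", 4092: "LAN2", 4093: "LAN3", 4094: "LAN4"}  # 4092-4094 assumed
    tagged = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=4092)
    leaked = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD)  # tag stripped upstream
    return {
        # Untagged LAN still present on the parent: stray traffic lands on LAN.
        "tagged_mixed": deliver(tagged, vlan_ifs, untagged_interface="LAN"),
        "leaked_mixed": deliver(leaked, vlan_ifs, untagged_interface="LAN"),
        # All four ports on VLANs, nothing untagged: stray traffic is dropped.
        "tagged_all_vlan": deliver(tagged, vlan_ifs),
        "leaked_all_vlan": deliver(leaked, vlan_ifs),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

The interesting row is the untagged frame: with LAN left untagged on the parent it is accepted onto LAN, exactly the leak Steve describes; with every port moved onto a tagged VLAN there is no interface to claim it and it is dropped. A priority-tagged frame (TPID present, VID 0) is treated as untagged, which is why the parser checks the VID rather than only the TPID.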
-
All, I had to give up and open a TAC-lite support case to get some clues as to how to do this. Short story: reconfigure your WAN interface to be a local interface, Static IP, 192.16.x.1/24. Then add a fw rule to allow this network to get to 192.168.1.1. Then plug into the WAN port and configure the LAN ports. Then undo your WAN configuration; change it back to DHCP/DHCP6 like it was. Attached are my detailed step-by-step notes on how I did it and what I ended up with.
note-to-netgate.txt