    SG-2100 port configuration, active connection, how to?

    General pfSense Questions
    8 Posts 3 Posters 706 Views
    • beerguzzle

      Hi, got a new SG-2100, pfSense 23.09.1. I am used to my SG-1100, which has separate ports WAN/LAN/OPT. With the 2100, I discovered it is WAN and then a four-port LAN switch -- I want four distinct ports on different networks. So I found chapter 10 in the "Security Gateway Manual, Netgate SG-2100" and followed that VLAN guide for ports 2-4, this works. But my https and ssh connection from my Mac goes into port 1 to get to 192.168.1.1 and I read someplace that you cannot reconfigure an active port. So how to get port 1 configured with 802.1Q VLANs like the other ports, from port 2?

      I plugged a second laptop into port 2, wrote a "pass all and log" firewall rule in LAN to allow ipv4 tcp+udp traffic in from LAN2 (subnet 192.168.2.1/24, aka port 2), then tried to ssh or https from 192.168.2.10 to 192.168.1.1 -- nada. No fw rule traffic logged, no access.

      I'm stumped. I don't want to mess with LAN, 192.168.1.1/24 until I can get to 192.168.1.1 from a different port. I've already locked myself out once and had to do a factory reset, and I don't want to repeat this.

      Right now my setup looks like so:
      [attachment: 2100-Interface-Assignments.png]

      I want to create a LAN1 interface, VLAN 4091, network 192.168.1.1/24. How to do this?

      Netgate 1100 and Netgate 2100, latest pfSense+ version

      • stephenw10 (Netgate Administrator) @beerguzzle

        @beerguzzle said in SG-2100 port configuration, active connection, how to?:

        So I found chapter 10 in the "Security Gateway Manual, Netgate SG-2100" and followed that VLAN guide for ports 2-4, this works.

        @beerguzzle said in SG-2100 port configuration, active connection, how to?:

        I plugged a second laptop into port 2, wrote a "pass all and log" firewall rule in LAN to allow ipv4 tcp+udp traffic in from LAN2 (subnet 192.168.2.1/24, aka port 2), then tried to ssh or https from 192.168.2.10 to 192.168.1.1 -- nada. No fw rule traffic logged, no access.

        If ports 2-4 work as expected after following the guide you should be able to connect from LAN2 to LAN if firewall rules exist.

        Are you able to reach other external sites from LAN2?

        You're correct that you should not try to reconfigure the LAN whilst connected to it. It's very easy to lock yourself out in that situation. But it's absolutely possible to add port 1 as a VLAN like the other ports. Just do it whilst connected via a different port.

        Steve

        • SteveITS (Galactic Empire) @beerguzzle

          @beerguzzle is there a benefit though? Isn’t port 1 the only remaining port on LAN…?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • stephenw10 (Netgate Administrator)

            I would choose to put all ports on a VLAN given a choice there. My preference is always to avoid having tagged and untagged traffic on the same link if possible. Here that's the internal link. The reason is that if, for some reason, traffic that should be tagged gets untagged it will end up on the LAN rather than just being dropped by pfSense. That's less of an issue here since there are only 4 ports and you're unlikely to be making frequent changes. But I have seen exactly that with more complex networks with multiple managed switches etc.

            Steve

            • beerguzzle

              All things considered, I would like to have a "LAN1" tagged VLAN 4091, network 192.168.1.1/24 in place, like I did with LAN2-4, following chapter 10 of the guide.
              Then I would have firewall rules to determine which ports can talk to each other.

              I probably f'ed up my LAN<->LAN2 rule to allow me to plug into LAN2 and get to 192.168.1.1. I will stare at it some more.

              BTW, on my 1100 all three ports use VLANs, see below. I don't remember any major pain setting this up and my notes don't give any of the details about doing it. I didn't have to move wires around to configure the LAN interface as a VLAN. But that's different hardware.
              [attachment: Screenshot 2024-04-23 at 10.11.06 AM.png]

              • SteveITS (Galactic Empire) @beerguzzle

                @beerguzzle The 1100 has only one interface which is a 3 port switch, so the VLANs there are the default configuration.

                You should be able to do it just fine, just connect using one of the other ports and then configure your last port.

                @stephenw10 Ah. So in this case since all ports are untagged, doing so would prevent the case where someone unconfigures port 4 and drops it back to LAN? In essence then, LAN still exists but none of the ports are using it. One could just create block rules on LAN then...?

                • stephenw10 (Netgate Administrator)

                  If you have the pfSense interface only accept tagged traffic then it doesn't matter if someone accidentally connects directly to the trunk or a downstream switch forgets its config and starts passing all traffic untagged. pfSense will just drop it.

                  • beerguzzle
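The tagged-only behaviour Steve describes, as an added illustration that is not part of this thread: a small Python parser pulls the 802.1Q VID out of a raw Ethernet frame and shows where the same frame lands under the mixed (parent LAN plus VLANs) setup versus a tagged-only trunk. Only VLAN 4091 for LAN1 comes from the thread; the VIDs for LAN2-4 and the frames themselves are constructed.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]   # low 12 bits of TCI = VID


def classify(frame: bytes, vlan_ifaces: dict, untagged_iface=None) -> str:
    """Name the pfSense interface a frame arriving on the internal trunk lands on.

    vlan_ifaces maps VID -> interface name. untagged_iface owns untagged
    traffic (the parent 'LAN' in the mixed setup); None models a trunk that
    accepts tagged frames only, so an untagged frame is dropped.
    """
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return untagged_iface if untagged_iface else "DROP"
    return vlan_ifaces.get(vid, "DROP")


def build_frame(vid=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: broadcast dst, locally administered src."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                     # PCP=0, DEI=0, then the VID
    return header + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


# VID 4091 -> LAN1 is from the thread; 4092-4094 are constructed placeholders.
VLAN_IFACES = {4091: "LAN1", 4092: "LAN2", 4093: "LAN3", 4094: "LAN4"}


def compare_policies(vid=None) -> dict:
    """Where the same frame ends up under the mixed and tagged-only setups."""
    frame = build_frame(vid)
    return {"mixed": classify(frame, VLAN_IFACES, untagged_iface="LAN"),
            "tagged_only": classify(frame, VLAN_IFACES)}


if __name__ == "__main__":
    for vid in (4091, None, 99):
        print(vid, compare_policies(vid))
```

The untagged case is the one that matters: with a parent LAN on the trunk it silently becomes LAN traffic, with tagged-only it is dropped.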

                    All, I had to give up and open a TAC-lite support case to get some clues as to how to do this. Short story: reconfigure your WAN interface to be a local interface, Static IP, 192.16.x.1/24. Then add a fw rule to allow this network to get to 192.168.1.1. Then plug into the WAN port and configure the LAN ports. Then undo your WAN configuration; change it back to DHCP/DHCP6 like it was. Attached are my detailed step-by-step notes on how I did it and what I ended up with.
                    [attachment: note-to-netgate.txt]

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.