Netgate SG-3100 - Can it host multiple internal LANs (NOT vlans)



  • As the question asks. A little background.

    My company needs to provide networking hardware to support a phone system upgrade we are performing for a partner. The chief requirements are 1) that the replacement router we provide can provide two internal LANs (not vlans) and 2) that it support site to site VPN.

    I'm pretty certain the SG-3100 provides on #2. My big question is about #1. The need here is that one of the phone system devices we are installing will have two NICs. One of these NICs will be on the main internal LAN, and the other will be in a different network that will accept traffic from outside. The outwardly facing NIC can be in a DMZ with a publicly routable IP address, or it can be behind a NAT. Either of those work fine, however, what it CAN'T be is inside the same LAN as the internal NIC.

    In case it matters, the phone equipment we are deploying is going to be deployed mostly as virtual machines running on a VMWare host. Every component except the physical interface between the PBX and the T-1 handoff from the telco will be virtualized, including the device I listed above that requires a private and public facing NIC.

    I am not strictly against doing VLANs for this, but I prefer to avoid it if possible. We have not needed to use VLANs up to this point, and I don't want to introduce any unknown elements to a new deployment that needs to go well.

    Edit: from my previous reading about the SG-3100, my perception is that the device only has three actual NICs. One for the WAN port, one for the OPT port, and one attached to a switch that provides the four "LAN" ports. That makes me think this should be possible. That is one port for WAN, one of the four switchports for the regular internal LAN, and the OPT port for a separate LAN to serve the needs of our dual NIC'd PBX device (in case it matters to the question, I would not be doing a public IP assignment here; I will be NATing traffic associated with the aforementioned device into the secondary LAN). I just want to make sure this is actually correct before buying anything.


  • Netgate

    You can but you will still be using VLANs internally because you are putting the switch ports on separate broadcast domains. Nothing outside the SG-3100 would know VLANs were involved though. They would just see untagged traffic.

    I would put it like this:

    If you want a device with two router ports and a four-port switch, I would get the SG-3100.

    If you want a device with six discrete router ports I would get the SG-5100.

    If all you need is one WAN and two LANs, though, you can use the SG-3100 and put WAN on WAN, LAN on LAN, and LAN2 on OPT1 without messing much with how it comes out of the box. All you would have to do is configure the OPT1 interface.



  • @derelict

    Hi Derelict,

    I believe your response pretty much answered my question. Just to confirm, the SG-3100 in addition to a 4-port switch, offers two logical ports, which each could have its own interface within pfSense. But, the SG-5100 has 6 logical ports, which enables you to assign either a WAN or LAN interface to each one separately?

    Essentially, I have 4 WANs (different ISPs - for multiwan and failover), and two LANs (different subnets). Should I go with the SG-5100 or the SG-3100 does the job as well? Thanks.


  • Netgate

    Yes. SG-3100 has two router ports and a trunk port to a 4-port switch. You can make multiple "interfaces" there using VLANs just like you can on any managed switch.

    SG-5100 has 6 router ports.



  • @derelict Thank you. That could be a candidate for the fastest response time in the year 2018.