New SG-3100. Cannot access Setup Wizard/Web UI


  • Hello,

    I'm a noob to the Netgate/pfSense universe. I connected the 3100 per the gateway manual.

    Arris modem LAN port --> 3100 WAN port
    3100 LAN port --> my MBP laptop
    Powered up 3100
    Boot up complete indicated (slow blue flash)
    Update available indicated (slow orange flash)
    Arris assigned IP 192.168.1.103 to 3100

    When I attempt to access the Setup Wizard at 192.168.1.1 it keeps timing out. I'm using Chrome on my MBP. MBP is directly connected to the 3100. I tried pinging it from the MBP but it just times out as well.

    Is it updating itself and I need to wait for it to finish? The orange LED is still flashing and the unit has gotten quite warm.

    Thanks in advance for helping me get this unit going.


  • I would reflash it. I don't think it will do an update on its own.

    https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html

    Roy...

  • Rebel Alliance Developer Netgate

    You don't need to reinstall. The problem is your Arris modem is handing out 192.168.1.x on the WAN side of the SG-3100 and the SG-3100 defaults to 192.168.1.x on the LAN side. You can't have it both places.

    So you have three choices:

    1. Bridge the Arris modem so it stops handing out private addresses (ideal)
    2. Change the LAN subnet on the Arris modem to something else
    3. Change the LAN subnet on the SG-3100 console to something else (e.g. 192.168.2.x)
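
    The overlap described in the reply above, as an added example that is not part of the original thread: a short Python check that detects a WAN/LAN subnet collision and proposes a free LAN subnet. The /24 masks, the 192.168.1.1 LAN address and the function name `diagnose` are assumptions; the thread only gives the 192.168.1.x ranges.

```python
import ipaddress

# RFC 1918 private ranges; a WAN address inside one of these means the
# upstream modem is doing NAT rather than bridging.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"))


def diagnose(wan_addr, lan_addr):
    """Compare WAN and LAN interface addresses given in CIDR form.

    Returns a dict with:
      conflict      - True if both interfaces sit in overlapping subnets
      wan_rfc1918   - True if the WAN address is a private (NATed) address
      suggested_lan - replacement LAN address in CIDR form, or None
    """
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_interface(lan_addr)

    result = {
        "conflict": wan.network.overlaps(lan.network),
        "wan_rfc1918": any(wan.ip in net for net in RFC1918),
        "suggested_lan": None,
    }

    if result["conflict"]:
        # Walk the /24s of 192.168.0.0/16 above the current LAN subnet and
        # take the first one that collides with neither interface.
        for candidate in RFC1918[0].subnets(new_prefix=24):
            if candidate <= lan.network:
                continue
            if candidate.overlaps(wan.network) or candidate.overlaps(lan.network):
                continue
            first_host = candidate.network_address + 1
            result["suggested_lan"] = f"{first_host}/{candidate.prefixlen}"
            break
    return result


if __name__ == "__main__":
    # Values from the thread: the modem leased 192.168.1.103 to the WAN port,
    # and the LAN is on 192.168.1.x (masks assumed to be /24).
    print(diagnose("192.168.1.103/24", "192.168.1.1/24"))
```

    A `wan_rfc1918` value of True also corresponds to the bridge-mode point raised later in the thread: the WAN port holds a private address handed out by the modem.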

  • Thank you, @jimp! I took the 3rd option and voilà, I was able to access the web UI and perform the initial setup. The dashboard is a beautiful sight.

    Do you know if it's still possible to obtain 2.4.4p3? I feel I should have that handy before attempting upgrade to 2.4.5.

    -Alan

  • Rebel Alliance Developer Netgate

    You can ask via https://go.netgate.com and the support team can see if they can get you the image. Since you are starting fresh that isn't likely to be a concern, though.


  • Got it. Thank you.


  • You really need to get your cable company to put your modem in Bridge Mode. That is the only way to get a public IP on your WAN. Without that you won't be able to forward any ports from the Internet to any of your LAN devices.

    Roy...


  • Good call Jim! I didn't pick up on that.

    Roy...


  • @rpsmith said in New SG-3100. Cannot access Setup Wizard/Web UI:

    You really need to get your cable company to put your modem in Bridge Mode. That is the only way to get a public IP on your WAN. Without that you won't be able to forward any ports from the Internet to any of your LAN devices.

    Roy...

    Thanks for that tip. Gathering info on how to configure my gateway for IP Passthrough. That's the Arris/AT&T equivalent of bridge mode.

    Currently, my SG is connected to the gateway, but not to my home network while I get the firewall rules squared away.

    -Alan


  • @ajtradtech said in New SG-3100. Cannot access Setup Wizard/Web UI:

    but not to my home network while I get the firewall rules squared away.

    If your home network, your LAN, only has devices you trust, you have nothing to do. The default WAN rules, that is no rules at all, and one default pass all rule on LAN, work well.

    If you have devices that you don't trust, never forget the most logical action: remove the device from all known networks. Like this, the unknown issue bug will never bite you. This solution is foolproof for life and beyond.
    If you have to accept this non-trusted device on your network, put it on a dedicated, second (third) network that can only communicate to the Internet, and you decide with rules, for this (these) device(s) where to, with who, etc. When you make an error, you won't risk much. Never have these devices access your LAN based (trusted) devices.
    Using internal networks like this is the way firewalls routers should be used. Always keep it simple (for yourself) and try to make firewall rules that you understand and are able to test. For that matter, don't even trust your own firewall: test what you want to achieve.


  • @ajtradtech
    If you are using u-verse, good luck with getting IP Passthrough to work. Seems like every time I figure out how to enable it, they change the firmware and redo all the menus.

    Roy...


  • @Gertjan said in New SG-3100. Cannot access Setup Wizard/Web UI:

    @ajtradtech said in New SG-3100. Cannot access Setup Wizard/Web UI:

    but not to my home network while I get the firewall rules squared away.

    If your home network, your LAN, only has devices you trust, you have nothing to do. The default WAN rules, that is no rules at all, and one default pass all rule on LAN, work well.

    If you have devices that you don't trust, never forget the most logical action: remove the device from all known networks. Like this, the unknown issue bug will never bite you. This solution is foolproof for life and beyond.
    If you have to accept this non-trusted device on your network, put it on a dedicated, second (third) network that can only communicate to the Internet, and you decide with rules, for this (these) device(s) where to, with who, etc. When you make an error, you won't risk much. Never have these devices access your LAN based (trusted) devices.
    Using internal networks like this is the way firewalls routers should be used. Always keep it simple (for yourself) and try to make firewall rules that you understand and are able to test. For that matter, don't even trust your own firewall: test what you want to achieve.

    Thanks for your advice. It mirrors what I'll be attempting- segregating some IoT devices. I'll start a separate thread for that, though. Looking forward to the community's input there. I've unlocked some interesting opportunities with this pfSense box!