Netgate Discussion Forum

    SG-3100 Configuring the Switch Ports via VPN

    Official Netgate® Hardware
    • R
      rpsmith

      Well what terrific support from the company who decided to put a VLAN switch in a small office firewall and then not set the default configuration to discrete ports or answer any questions concerning the aforementioned "Official Netgate Hardware".

      • RicoR
        Rico LAYER 8 Rebel Alliance

        Huh.....Roy, this is a forum. Yes you posted into "Official Netgate Hardware"...but this does not imply there is Netgate staff around 24/7 answering questions.
        As with any other company I know, if you need support FAST open a ticket with them: https://go.netgate.com

        @rpsmith said in SG-3100 Configuring the Switch Ports via VPN:

        who decided to put a VLAN switch in a small office firewall and then not set the default configuration to discrete ports

        The device is sold with "2x 1 GbE Ports and a 4-Port Marvell Switch" (https://store.netgate.com/SG-3100.aspx) - why should the default config have all switch ports discrete ??? I think most customers are using the switch as a switch if they bought.....a switch.

        That said, I'm using 6 SG-3100s myself with all discrete ports.
        Assuming your OpenVPN instance is bound to the WAN interface, I could not think of any problem with changing the switch config. There should really be no difference between configuring the switch via the WAN interface or via OpenVPN bound to WAN.
        I did not try this myself, but it should work! As always, take a backup first. I would probably not try it with a very business-critical site a hundred miles away!

        As an alternative... maybe you could have someone on-site connect something like a jump-box to the OPT port?
        You could do the config via OPT then with WAN/OpenVPN as parachute.

        -Rico

        • R
          rpsmith @Rico

          @Rico - Thanks for the reply, Rico! I guess you can tell I'm not a big fan of the built-in VLAN switch and how convoluted it is to configure, but it's mostly my fault for not doing my homework before buying the 3100. I ended up deploying it hundreds of miles away, and when I needed to add more OPT ports I realized the problem. I'm sure some folks like having a built-in VLAN switch and like the way it's configured by default, but it's a pain for me. All the businesses I support already have external smart switches, so I have no need for that functionality in my firewall, and even if I did, re-configuring it remotely is a pain in the you know what! Thanks again! Roy...

          • RicoR
            Rico LAYER 8 Rebel Alliance

            Sounds like SG-5100 would be the PERFECT device for you. 😊

            -Rico

            • R
              rpsmith @Rico

              @Rico - Yes the 5100 really looks good except for the $799.00 Price tag! I've had really good luck with Protectli hardware and their support (online & phone) has been excellent and the price is much more affordable so that's what I'm currently installing. Roy...

              • RicoR
                Rico LAYER 8 Rebel Alliance

                ATM it's $699
                I do the math like this: assuming I use the device ~5 years it's rounded up $12 per month. That is NOTHING for business use.
                Other Firewall vendors want me to pay like $12 per month per VPN tunnel for example. 😂 😂

                -Rico

                • stephenw10S
                  stephenw10 Netgate Administrator

                  Yeah, if you're connected via a VPN on WAN then configuring the LAN side switch will not break that.
                  Configuring the ports for discrete use is in the docs here:
                  https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html

                  Repeat for other ports as you need them.

                  Steve

                  • R
                    rpsmith @stephenw10

                    @stephenw10 - Thanks Steve! You just made my day! :o)

                    Regards, Roy...

                    • RicoR
                      Rico LAYER 8 Rebel Alliance

                      Here is also good official Netgate documentation: https://www.youtube.com/watch?v=NgRy14rYhV8

                      -Rico

                      • R
                        rpsmith @Rico

                        @Rico - Thanks for all your help and the link Rico!

                        Regards, Roy...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.