Netgate Discussion Forum
    Can't get my 4100 to work!

    General pfSense Questions
    15 Posts 6 Posters 1.4k Views
    • BartH

      I've been fighting this thing for a few weeks.

      I had a home built computer running pfSense CE and all was well except for some problems with a high load. I think it was the 4 port card.

      As I liked pfSense, I decided I should support the company, so I bought this 4100.

      I asked, and was told I could just back up my current configuration and restore it to the 4100, just change the port assignments. That didn't work as after the restore, the only ports that showed were the igb ports from my old machine, and none of the igc or ix ports that are on the new one.

      So, I set up an 8 port managed switch mirroring the setup on my usual 24 port switch except, of course, fewer ports. I took one of my WAN connections and left the other on my home network. I reset the 4100 to factory and, looking at the pages of my CE system, copied them, one by one, page by page, box by box from the CE to the Pro. Using the new port numbers of course.

      When this was done, I just changed the cables, expecting the system would work. Well, it doesn't and I just cannot figure why. From vlan 10 I can ping some of the devices on vlan 20 but not others. I think that has something to do with the DHCP server not giving addresses to devices. Cause, it doesn't. Vlan 10 has internet access, but not vlan 20 or vlan 30 or even vlan 1. Only 10.

      I have spent hours and hours and hours watching YouTube videos that don't help as they were mostly recorded when this version wasn't available. I have spent hours poring through online documentation without success.

      I'm sorry this post is so long without a specific question but I have so many and I'm hoping someone who's willing to work with me will reply with questions for me that will help to get this up.

      • bingo600 @BartH

        @barth
        Netgate provides config migration support, if you have a Netgate device.

        Try to contact their tech support

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • Gertjan @BartH

          @barth
          Your upgrade path is the same one as mine.
          I've been using 2.6.0 CE up until last June on a vanilla PC + Intel Quad NIC, when I got my 4100.

          My old system and the new 4100 are, from my point of view, the same. A device with a quad NIC (+2 NICs extra on the 4100): can't be that hard.
          There is no "this is a 4100 so you need to know special stuff". The 4 (6) ports (NICs) are all individual interfaces. No VLAN stuff is needed.

          I didn't insist on re-using my existing config.xml by importing it, I used it as a guideline.

          VLANs or not, once the physical interfaces are defined (they can differ), everything is the same.
          Btw: I'm not using VLANs myself (6 interfaces cover all my needs), and use just dumb switches.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • rcoleman-netgate (Netgate) @BartH

            @barth said in Can't get my 4100 to work!:

            I asked, and was told I could just back up my current configuration and restore it to the 4100, just change the port assignments. That didn't work as after the restore, the only ports that showed were the igb ports from my old machine, and none of the igc or ix ports that are on the new one.

            Have you opened a ticket for support? https://www.netgate.com/tac-support-request It should be a direct conversion but we can give it a look-see to determine if there's something getting in your way.

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            • stephenw10 (Netgate Administrator)

              Yup, open a ticket and we can get you going.

              However what I expect to see when you import a config would be something like this:

              [Screenshot from 2022-11-15 19-33-45.png]

              The defined interfaces from the imported config are listed and the available interfaces from the 4100 are in the dropdown selections. They default to the first interface, igc0, there.

              But you can see that the config I imported as a test would not be easy to reassign because I have VLANs and PPPoE interfaces and those are still built on the igb NICs from the previous firewall. In that particular case I would convert the config manually before importing.

              Steve

              • BartH @stephenw10

                @stephenw10
                That's exactly what I saw. The problem I had was that the new igc ports were just not offered in the pull-down lists.

                So, I did a reset and set it up from scratch.

                • BartH

                  Well, I have the 4100 up and running and am using it right now. I do have some specific problems and, when I get my questions down to a manageable level and can ask with reasonable clarity, I'll post here.

                  I'm impressed with the number of replies I received and want to thank all who did.

                  Bart

                • BartH

                    It has become glaringly obvious that I don't know as much as I think I know, and certainly not as much as I need to know! So, before I get this mess all set up and then learn I should have done it differently, I'd like to run my proposed setup by everyone.

                    From the outside in, I have two ISPs. A cable which is fairly quick but not as reliable as it could be. A DSL line that is rock solid but barely fast enough. I'm thinking failover.

                    As you know, a 4100 router.
                    A TP-Link 28 port managed switch (SG3428X)

                    Vlan1 with the router and switch
                    Vlan10 (General) with my computers (5), printers (3), Synology NAS, and a file / print server. All systems are running openSUSE linux except one Windows laptop.
                    Vlan20 (IOT) with 2 security panels, 1 NVR for surveillance and an Apple TV streaming device.
                    Vlan 30 (Phones) for wifi access for my phones. They do not need access to my network.

                    I have two TP-Link access points that I want to create two separate SSIDs on, one for the phones which need only internet, the other for the laptops which will give access to my network including internet. I have a TP-Link OC200 controller for these APs only I don't want it messing with the switch.

                    One of my computers is pretty much dedicated to maintaining the system. Should that go on a maintenance Vlan?
                    I have no security considerations from inside my system. No employees or kids here.

                    I am a security freak and while I know the only really secure policy is to disconnect from the internet, I would like to make it hard enough that potential attacks will look for an easier target.

                    Should be simple, right?

                    Bart

                    • rcoleman-netgate (Netgate) @BartH

                      @barth

                      @barth said in Can't get my 4100 to work!:

                      I would like to make it hard enough that potential attacks will look for an easier target.

                      If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                      Ryan
                      • BartH @rcoleman-netgate

                        @rcoleman-netgate said in Can't get my 4100 to work!:

                        @barth

                        @barth said in Can't get my 4100 to work!:

                        I would like to make it hard enough that potential attacks will look for an easier target.

                        If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                        Is that an absolute statement? My security system seems to use P2P. They won't discuss their system. I guess I can understand that.

                        • Gertjan @BartH

                          @barth said in Can't get my 4100 to work!:

                          Is that an absolute statement?

                          Every router (firewall) is based on that concept.
                          Take a sub 10$ Tpwhatever device, or a multi million Cisco engine : they are basically doing the same out of the box.
                          Up until today, all goes well; as long as you have no rules on the WAN interfaces, you're fine.

                          There is still one big danger factor: the user that administrates the router.

                          @barth said in Can't get my 4100 to work!:

                          My security system seems to use P2P

                          The protocol a LAN device is using isn't important although I would ask myself questions if it was FTP.
                          You do have to trust any device you hook up into your LANs, and if in doubt, isolate it on a LAN dedicated for that (these) device(s) and forbid access from this LAN to other LANs; forbid also pfSense (SSH, GUI) access.
                          But, hey, who would buy or use a device that you wouldn't trust ?

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Exactly, that's why you put IoT devices on a separate VLAN and treat them as hostile.

                            You certainly could add an 'admin' VLAN that has access to everything. Then restrict access to the firewall itself to only that. Potentially you could limit access to other device config to that source too.

                              • SteveITS @BartH
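The isolation Gertjan and Steve describe above (IoT on its own VLAN with no path to the other LANs or to the firewall's SSH/GUI, an admin VLAN that alone may reach the firewall, nothing passed in on WAN), written out as a pf ruleset. This is an added, constructed illustration, not configuration from the thread or from Netgate; the interface names, the VLAN-to-port mapping and the use of RFC 1918 space are assumptions, and since pfSense generates its own pf rules from the GUI this shows the intended policy rather than a file to load.

```pf
# Constructed pf ruleset illustrating the segmentation discussed in the thread.
# Interface names and VLAN numbering are assumptions, not from the original post.
wan   = "igc0"
mgmt  = "igc1"        # untagged VLAN 1: router and switch management only
gen   = "igc1.10"     # VLAN 10: computers, printers, NAS
iot   = "igc1.20"     # VLAN 20: security panels, NVR, Apple TV (treated as hostile)
phone = "igc1.30"     # VLAN 30: phone Wi-Fi, internet only
admin_ports = "{ 22, 443 }"   # pfSense SSH and web GUI

# All private ranges; used to stop a VLAN reaching any other internal network
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set block-policy drop
block log all          # default deny on every interface, including inbound on WAN
pass out quick all     # the firewall's own outbound traffic and its replies

# Deliberately no "pass in on $wan" rule: nothing on the Internet can reach the
# firewall or the LANs unless a port is explicitly opened here (SteveITS' point).

# Management VLAN: the only network allowed to reach the firewall's admin ports
pass in quick on $mgmt from $mgmt:network to any

# General VLAN: everything except the firewall's SSH/GUI
block in quick on $gen proto tcp from any to ($gen) port $admin_ports
pass  in quick on $gen from $gen:network to any

# IoT VLAN: may use the firewall for DHCP and DNS and may reach the Internet,
# but not any other internal network and not the firewall's admin ports
pass  in quick on $iot proto udp from any port 68 to any port 67     # DHCP
pass  in quick on $iot proto { tcp, udp } from any to ($iot) port 53 # DNS
block in quick on $iot from any to <rfc1918>
pass  in quick on $iot from $iot:network to any

# Phone VLAN: same shape as IoT, internet only
pass  in quick on $phone proto udp from any port 68 to any port 67
pass  in quick on $phone proto { tcp, udp } from any to ($phone) port 53
block in quick on $phone from any to <rfc1918>
pass  in quick on $phone from $phone:network to any
```

Rules are evaluated top to bottom with `quick`, so the DHCP/DNS passes must stay above the `<rfc1918>` block on each VLAN; the block then covers the firewall's own address on that VLAN as well, which is what keeps SSH and the GUI out of reach.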

                              @barth said in Can't get my 4100 to work!:

                              @rcoleman-netgate said in Can't get my 4100 to work!:

                              If you don't open ports on WAN you won't have anyone coming in without going through something else (like a computer that was compromised).

                              Is that an absolute statement? My security system seems to use P2P. They won't discuss their system.

                              Allowing "the Internet" to connect to port 443 (or 80 or 22 or any other port) on your router WAN is not related to your security system. Hackers will happily try to log in to anything they find, all day long, if given the opportunity.

                              The default pfSense configuration is no allowed ports on WAN, so double check your WAN rules.

                              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                              Upvote 👍 helpful posts!

                              • stephenw10 (Netgate Administrator)

                                Indeed, that^.
                                I would not expect anything to require you open ports to allow inbound connections. I would have some serious questions if they do! Usually IoT devices will all open outbound connections and expect to not be filtered that way. And that is fine, it doesn't open the firewall to direct attack by doing that. The risk here is that whatever they connect to is hacked in some way and those devices then pull in some bad code, a firmware update for example, or they are already open to connections from anything they are connected to. Now you have a rogue device that's already behind your firewall. And that is why you treat IoT devices as hostile.

                                Steve

                                • BartH

                                  SOLVED!

                                  After opening a support contract with Netgate, my problems were solved in short order. They had me send my config file to them and emailed a response within a few minutes.

                                  Thanks to all who responded.

                                  Bart

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.