Hello,
I love your videos, and based on your review of the Netgate SG-2100, I purchased one. I am trying to move from a Netgear Wi-Fi router running OpenWrt to this new SG-2100. So far, I am loving the SG-2100; however, I am stuck on taking over the internal switch ports and setting up firewall rules, and I am hoping someone here might provide some thoughts…
My configuration is this:
Under the SG-2100’s Interfaces / VLANs menu, I have:
Interface | VLAN tag | Description |
---|---|---|
mvneta1 (lan) | 4082 | LAN Port 2 |
mvneta1 (lan) | 4083 | LAN Port 3 |
mvneta1 (lan) | 4084 | LAN Port 4 |
Under the SG-2100’s Interfaces / Interface Assignments menu, I have:
Interface | Network |
---|---|
WAN | mvneta0 |
LAN | mvneta1 |
Secure | VLAN 4082 on mvneta1 - lan (LAN Port 2) |
Insecure | VLAN 4083 on mvneta1 - lan (LAN Port 3) |
IOIT | VLAN 4084 on mvneta1 - lan (LAN Port 4) |
Since the SG-2100 has an internal switch built in, under the SG-2100’s Interfaces / Switch / VLANs menu, I have:
VLAN group | VLAN tag | Members | Description |
---|---|---|---|
0 | 1 | 1,5 | Default System VLAN |
1 | 4082 | 2,5t | Secure |
2 | 4083 | 3,5t | Insecure |
3 | 4084 | 4,5t | IOIT |
Under the SG-2100’s Interfaces / Switch / Ports menu, I have:
Port# | Port name | Port VID |
---|---|---|
1 | LAN 1 | 1 |
2 | LAN 2 | 4082 |
3 | LAN 3 | 4083 |
4 | LAN 4 | 4084 |
5 | LAN Uplink | 1 |
And finally, under the SG-2100’s Services / DHCP Server menu, I have DHCP set up for each VLAN (SECURE, INSECURE, and IOIT). DHCP for SECURE is 192.168.20.100 through 192.168.20.200. DHCP for INSECURE is 192.168.30.100 through 192.168.30.200. And DHCP for IOIT is 192.168.40.100 through 192.168.40.200.
In order to test the firewall, I have the following computer setup. I only have 3 computers, so I was only able to utilize 3 of the SG-2100’s ports… However, the configuration is pretty similar.
Operating System | SG-2100 Port | IP Address |
---|---|---|
Windows 10 | 1 | 192.168.1.136 |
Ubuntu | 2 | 192.168.20.100 |
Raspbian | 3 | 192.168.30.100 |
Okay, finally my question. I am not able to get the firewall rules right…
I am able to ping to/from as described below:
| | To Windows | To Ubuntu | To Raspbian | To Google |
|---|---|---|---|---|
| From Windows | x | x | x | |
| From Ubuntu | x | x | x | |
| From Raspbian | x | x | x | |
No matter what I do, I am not able to block INSECURE (Raspbian) from pinging any of the other VLANs. For example, I added a rule to the INSECURE VLAN that blocks ALL traffic to the LAN net destination and it still can ping my Windows machine. I have also tried to add a rule to INSECURE VLAN that blocks ALL traffic to the SECURE net destination and I can still ping my Ubuntu machine.
Any thoughts are much appreciated!
Thanks,
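Added example, not part of the post above: a small first-match simulator, using the subnets and hosts from the post, that shows how pfSense-style interface rules are evaluated (top-down, first match wins, applied to traffic entering the interface, default deny when nothing matches). It assumes the LAN is 192.168.1.0/24 and uses a documentation-range address as a stand-in for an Internet host; the "broken" ordering, with the default "allow INSECURE net to any" rule left above the block rules, is an illustration of a common cause, not a diagnosis of this specific configuration.

```python
import ipaddress

# Subnets from the post, named like the pfSense "<interface> net" aliases.
# The LAN prefix length is an assumption (the post only shows 192.168.1.136).
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "SECURE net": ipaddress.ip_network("192.168.20.0/24"),
    "INSECURE net": ipaddress.ip_network("192.168.30.0/24"),
    "IOIT net": ipaddress.ip_network("192.168.40.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Hosts from the post; the "Internet" address is a constructed placeholder.
WINDOWS, UBUNTU, RASPBIAN = "192.168.1.136", "192.168.20.100", "192.168.30.100"
INTERNET = "203.0.113.10"


def first_match(rules, src, dst):
    """Evaluate an interface rule list the way pfSense does: top-down,
    first matching rule decides. rules: [(action, src_alias, dst_alias)].
    Unmatched traffic hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_alias, dst_alias in rules:
        if s in NETS[src_alias] and d in NETS[dst_alias]:
            return action
    return "block"


def ping_matrix(rules, src=RASPBIAN):
    """What the INSECURE host can reach under a given rule ordering."""
    targets = {"Windows": WINDOWS, "Ubuntu": UBUNTU, "Internet": INTERNET}
    return {name: first_match(rules, src, ip) for name, ip in targets.items()}


# Ordering 1: block rules added *below* an "allow INSECURE net to any" rule.
# The pass rule matches everything first, so the block rules never fire.
BROKEN = [
    ("pass", "INSECURE net", "any"),
    ("block", "INSECURE net", "LAN net"),
    ("block", "INSECURE net", "SECURE net"),
]

# Ordering 2: block the other VLANs first, then allow everything else
# (Internet). Only the last rule can match non-local destinations.
FIXED = [
    ("block", "INSECURE net", "LAN net"),
    ("block", "INSECURE net", "SECURE net"),
    ("block", "INSECURE net", "IOIT net"),
    ("pass", "INSECURE net", "any"),
]

if __name__ == "__main__":
    print("broken order:", ping_matrix(BROKEN))
    print("fixed order: ", ping_matrix(FIXED))
```

pfSense rules are stateful, so a ping session that was already allowed keeps working until its state entry expires or is cleared under Diagnostics / States; re-test after clearing states when checking a new block rule.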