VLANs and Firewall Rules on a SG-2100

I love your videos and on your review of the Netgate SG-2100, I purchased one. I am trying to move from a Netgear Wifi Router running OpenWrt to this new SG-2100. So far, I am loving the SG-2100; however, I am stuck on taking over the internet switch ports and settings up firewall rules; and I am hoping someone here might provide some thoughts…

My configuration is this:

Under the SG-2100’s Interfaces / VLANs menu, I have:

Interface VLAN tag Description
mnneta1 (lan) 4082 LAN Port 2
mnneta1 (lan) 4083 LAN Port 3
mnneta1 (lan) 4084 LAN Port 4

Under the SG-2100’s Interfaces / Interface Assignments menu, I have:

Interface Network
WAN mvneta0
LAN mvneta1
Secure VLAN 4082 on mvneta1 - lan (LAN Port 2)
Insecure VLAN 4083 on mvneta1 - lan (LAN Port 3)
IOIT VLAN 4084 on mnneta1 - lan (LAN Port 4)

Since the SG-2100 has an internal switch built in, under the SG-2100’s Interfaces / Switch / VLANs menu, I have:

VLAN group VLAN tag Members Description
0 1 1,5 Default System VLAN
1 4082 2,5t Secure
2 4083 3,5t Insecure
3 4084 4,5t IOIT

I have under the SG-2100’s Interfaces / Switch / Ports menu, I have:

Port# Port name Port VID
1 LAN 1 1
2 LAN 2 4-82
3 LAN 3 4083
4 LAN 4 4084
5 LAN Uplink 1

And finally, under the SG-2100’s Sevices / DHCP Sever menu, I have DHCP setp for each VLAN (SECURE, INSECURE, and IOIT). DHCP for SECURE is through DHCP for INSECURE is through And DHCP for IOIT is through

In order to test the firewall, I have the following computer setup. I only have 3 computer so I was only able to utilize 3 of the SG-2100’s ports… However, the configuration is pretty similar.

Operating System SG-2100 Port IP Address
Windows 10 1
Ubuntu 2
Raspbian 3

Okay, finally my question. I am not able to get the firewall rules right…

I am able to ping to/from as described below:

To Windows To Ubuntu To Raspbian To Google
From Windows x x x
From Ubuntu x x x
From Raspbian x x x

No matter what I do, I am not able to block INSECURE (Raspbian) from pinging any of the other VLANs. For example, I added a rule to the INSECURE VLAN that blocks ALL traffic to the LAN net destination and it still can ping my Windows machine. I have also tried to add a rule to INSECURE VLAN that blocks ALL traffic to the SECURE net destination and I can still ping my Ubuntu machine.

Any thought are much appreciated!


If they can talk then the firewall rules are allowing it. I have a video on troubleshooting firewall rules.

Many thanks Tom. I will take a look a that video today.

Okay, by reboot all the machines, it magically started working… I hope. More testing is needed.