VLANs and Firewall Rules on a SG-2100

Networking & Firewalls
1

Hello,
I love your videos and on your review of the Netgate SG-2100, I purchased one. I am trying to move from a Netgear Wifi Router running OpenWrt to this new SG-2100. So far, I am loving the SG-2100; however, I am stuck on taking over the internet switch ports and settings up firewall rules; and I am hoping someone here might provide some thoughts…

My configuration is this:

Under the SG-2100’s Interfaces / VLANs menu, I have:

Interface VLAN tag Description
mnneta1 (lan) 4082 LAN Port 2
mnneta1 (lan) 4083 LAN Port 3
mnneta1 (lan) 4084 LAN Port 4

Under the SG-2100’s Interfaces / Interface Assignments menu, I have:

Interface Network
WAN mvneta0
LAN mvneta1
Secure VLAN 4082 on mvneta1 - lan (LAN Port 2)
Insecure VLAN 4083 on mvneta1 - lan (LAN Port 3)
IOIT VLAN 4084 on mnneta1 - lan (LAN Port 4)

Since the SG-2100 has an internal switch built in, under the SG-2100’s Interfaces / Switch / VLANs menu, I have:

VLAN group VLAN tag Members Description
0 1 1,5 Default System VLAN
1 4082 2,5t Secure
2 4083 3,5t Insecure
3 4084 4,5t IOIT

I have under the SG-2100’s Interfaces / Switch / Ports menu, I have:

Port# Port name Port VID
1 LAN 1 1
2 LAN 2 4-82
3 LAN 3 4083
4 LAN 4 4084
5 LAN Uplink 1

And finally, under the SG-2100’s Sevices / DHCP Sever menu, I have DHCP setp for each VLAN (SECURE, INSECURE, and IOIT). DHCP for SECURE is 192.168.20.100 through 192.168.20.200. DHCP for INSECURE is 192.168.30.100 through 192.168.30.200. And DHCP for IOIT is 192.168.40.100 through 192.168.40.200.

In order to test the firewall, I have the following computer setup. I only have 3 computer so I was only able to utilize 3 of the SG-2100’s ports… However, the configuration is pretty similar.

Operating System SG-2100 Port IP Address
Windows 10 1 192.168.1.136
Ubuntu 2 192.168.20.100
Raspbian 3 192.168.30.100

Okay, finally my question. I am not able to get the firewall rules right…

I am able to ping to/from as described below:

To Windows To Ubuntu To Raspbian To Google
From Windows x x x
From Ubuntu x x x
From Raspbian x x x

No matter what I do, I am not able to block INSECURE (Raspbian) from pinging any of the other VLANs. For example, I added a rule to the INSECURE VLAN that blocks ALL traffic to the LAN net destination and it still can ping my Windows machine. I have also tried to add a rule to INSECURE VLAN that blocks ALL traffic to the SECURE net destination and I can still ping my Ubuntu machine.

Any thought are much appreciated!

Thanks,

2

If they can talk then the firewall rules are allowing it. I have a video on troubleshooting firewall rules.

3

Many thanks Tom. I will take a look a that video today.

4

Okay, by reboot all the machines, it magically started working… I hope. More testing is needed.

5

I realize this is an old post and was already resolved but I wanted to add my question as it looks like I encountered similar issues.

I just setup my SG-2100 and when looking to follow video tutorials like these great ones by Tom, it seems that the Netgate systems are unique in having the ports in “Port VLAN Mode” and to put these into what a standard home-build pfsense router would have, we should change it to 802.1q VLAN Mode, is this correct?

I see this here Netgate 2100 Security Gateway Manual — Switch Overview | Netgate Documentation

And then tried to setup just the 4th port to be a separate LAN as shown in their guide, I got it all working (DHCP and Firewall done) but could not even ping the gateway address of 192.168.100.1 from my laptop on that port. Not sure what I did wrong.
Here is the the guide from the Netgate documentation on that: Netgate 2100 Security Gateway Manual — Configuring the Switch Ports | Netgate Documentation

Noting that I was able to reverse my changes and I currently have everything back to the out-of-the-box “Port VLAN Mode” on all the ports of the box.