netgate 6100 MAX Secure Router User Manual

This Quick Start Guide covers the first time connection procedures for the Netgate 6100 MAX Secure Router and also provides information needed to stay up and running.

GETTING STARTED

Use the following steps to configure the TNSR Secure Router.

To configure the Network Interfaces and gaining access to the Internet, follow the instructions provided in the Zero-to-Ping documentation.
Note: Not all steps in the Zero-to-Ping documentation will be necessary for every configuration scenario.
Once the Host OS is capable of reaching the Internet, check for updates (Updating TNSR) before proceeding. This ensures the security and integrity of the router before TNSR interfaces are exposed to the Internet.

Finally, configure the TNSR instance to meet the specific use case. The topics are listed on the left column of the TNSR Documentation site. There are also TNSR Configuration Example Recipes that might be of assistance when configuring TNSR.

INPUT AND OUTPUT PORTS

The numbered labels in this image refer to entries in Networking Ports and Other Ports.

Networking Ports
The WAN1 and WAN2 Combo-Ports are shared ports. Each has an RJ-45 port and an SFP port. Only the RJ-45 or the SFP connector can be used each port.

Note: Each port, WAN1 and WAN2, is discrete and individual. It is possible to use the RJ-45 connector on one port and the SFP connector on the other.

Table 1: Netgate 6100 Network Interface Layout

Port	Label	Linux Label	TNSR Label	Port Type	Port Speed
2	WAN1	enp2s0f1	GigabitEthernet2/0/1	RJ-45/SFP	1 Gbps
3	WAN2	enp2s0f0	GigabitEthernet2/0/0	RJ-45/SFP	1 Gbps
4	WAN3	enp3s0f0	TenGigabitEthernet3/0/0	SFP	1/10 Gbps
4	WAN4	enp3s0f1	TenGigabitEthernet3/0/1	SFP	1/10 Gbps
5	LAN1	enp4s0	TwoDotFiveGigabitEthernet4/0/0	RJ-45	2.5 Gbps
5	LAN2	enp5s0	TwoDotFiveGigabitEthernet5/0/0	RJ-45	2.5 Gbps
5	LAN3	enp6s0	TwoDotFiveGigabitEthernet6/0/0	RJ-45	2.5 Gbps
5	LAN4	enp7s0	TwoDotFiveGigabitEthernet7/0/0	RJ-45	2.5 Gbps

Note: The default Host OS Interface is enp2s0f0. The Host OS Interface is one network interface that is only available to the host OS and not available in TNSR. Though technically optional, the best practice is to have one for accessing and updating the host OS.

SFP+ Ethernet Ports
WAN3 and WAN4 are discrete ports, each with dedicated 10 Gbps back to the Intel SoC.

Warning: The built-in SFP interfaces on C3000 systems do not support modules utilizing copper Ethernet con-nectors (RJ45). As such, copper SFP/SFP+ modules are not supported on this platform.

Note: Intel notes the following additional limitations on these interfaces:
Devices based on the Intel(R) Ethernet Connection X552 and Intel(R) Ethernet Connection X553 do not support the following features:

Energy Efficient Ethernet (EEE)
Intel PROSet for Windows Device Manager

Intel ANS teams or VLANs (LBFO is supported)
Fibre Channel over Ethernet (FCoE)

Data Center Bridging (DCB)
IPSec Offloading

MACSec Offloading

In addition, SFP+ devices based on the Intel(R) Ethernet Connection X552 and Intel(R) Ethernet Connection X553 do not support the following features:

Speed and duplex auto-negotiation.
Wake on LAN

1000BASE-T SFP Modules

Other Ports

Port	Description
1	Serial Console
6	Power

Clients can access the Serial Console using either the built in serial interface with a Micro-USB B cable or an RJ45 “Cisco” style cable and separate serial adapter.

Note: Only one type of console connection will work at a time and the RJ45 console connection has priority. If both ports are connected only the RJ45 console port will function.

The Power connector is 12VDC with threaded locking connector. Power Consumption 20W (idle)

Front Side

LED Patterns

Description	LED Pattern
Standby	Circle solid orange
Power On	Circle solid blue

Left Side

The left side panel of the device (when facing the front) contains:

#	Description	Purpose
1	Reset Button (Recessed)	No function on TNSR at this time
2	Power Button (Protruding)	Short Press (Hold 3-5s) Graceful shutdown, Power on
2	Power Button (Protruding)	Long Press (Hold 7-12s) Hard power cut to CPU
3	2x USB 3.0 Ports	Connect USB Devices

CONNECTING TO THE USB CONSOLE

This guide shows how to access the serial console which can be used for troubleshooting and diagnostics tasks as well as some basic configuration.
There are times when directly accessing the console is required. Perhaps GUI or SSH access has been locked out, or the password has been lost or forgotten.

USB Serial Console Device
This device uses a Silicon Labs CP210x USB-to-UART Bridge which provides access to the console. This device is exposed via the USB Micro-B (5-pin) port on the appliance.

Install the Driver
If needed, install an appropriate Silicon Labs CP210x USB to UART Bridge driver on the workstation used to connect with the device.

Windows
There are drivers available for Windows available for download.
macOS
There are drivers available for macOS available for download.
For macOS, choose the CP210x VCP Mac download.
Linux
There are drivers available for Linux available for download.

FreeBSD
Recent versions of FreeBSD include this driver and will not require manual installation.

Connect a USB Cable
Next, connect to the console port using the cable that has a USB Micro-B (5-pin) connector on one end and a USB Type A plug on the other end.
Gently push the USB Micro-B (5-pin) plug end into the console port on the appliance and connect the USB Type A plug into an available USB port on the workstation.

Tip: Be certain to gently push in the USB Micro-B (5-pin) connector on the device side completely. With most cables there will be a tangible “click”, “snap”, or similar indication when the cable is fully engaged.

Apply Power to the Device
On some hardware, the USB serial console port may not be detected by the client operating system until the device is plugged into a power source.
If the client OS does not detect the USB serial console port, connect the power cord to the device to allow it to start booting.
If the USB serial console port appears without power applied to the device, then the best practice is to wait until the terminal is open and connected to the serial console before powering on the device. That way the client can view the entire boot output.

Locate the Console Port Device
The appropriate console port device that the workstation assigned as the serial port must be located before attempting to connect to the console.

Note: Even if the serial port was assigned in the BIOS, the workstation OS may remap it to a different COM Port.

Windows
To locate the device name on Windows, open Device Manager and expand the section for Ports (COM & LPT). Look for an entry with a title such as Silicon Labs CP210x USB to UART Bridge. If there is a label in the name that contains “COMX” where X is a decimal digit (e.g. COM3), that value is what would be used as the port in the terminal program.

macOS
The device associated with the system console is likely to show up as, or start with, /dev/cu.usbserial-<id>.
Run ls -l /dev/cu.* from a Terminal prompt to see a list of available USB serial devices and locate the appropriate one for the hardware. If there are multiple devices, the correct device is likely the one with the most recent timestamp or highest ID.

Linux
The device associated with the system console is likely to show up as /dev/ttyUSB0. Look for messages about the device attaching in the system log files or by running dmesg.

Note: If the device does not appear in /dev/, see the note above in the driver section about manually loading the Linux driver and then try again.

FreeBSD
The device associated with the system console is likely to show up as /dev/cuaU0. Look for messages about the device attaching in the system log files or by running dmesg.

Note: If the serial device is not present, ensure the device has power and then check again.

Launch a Terminal Program
Use a terminal program to connect to the system console port. Some choices of terminal programs:

Windows
For Windows the best practice is to run PuTTY in Windows or SecureCRT. An example of how to configure PuTTY is below.

Warning: Do not use Hyperterminal.

macOS
For macOS the best practice is to run GNU screen, or cu. An example of how to configure GNU screen is below. Linux
For Linux the best practices are to run GNU screen, PuTTY in Linux, minicom, or dterm. Examples of how to configure PuTTY and GNU screen are below.

FreeBSD
For FreeBSD the best practice is to run GNU screen or cu. An example of how to configure GNU screen is below.

Client-Specific Examples
PuTTY in Windows

Open PuTTY and select Session under Category on the left hand side.
Set the Connection type to Serial

Set Serial line to the console port determined previously
Set the Speed to 115200 bits per second.
Click the Open button

PuTTY will then display the console.

PuTTY in Linux
Open PuTTY from a terminal by typing sudo putty

Note: The sudo command will prompt for the local workstation password of the current account.

Set the Connection type to Serial
Set Serial line to /dev/ttyUSB0
Set the Speed to 115200 bits per second

Click the Open button

PuTTY will then display the console.

GNU screen
In many cases screen may be invoked simply by using the proper command line, where <console-port> is the console port that was located above.
$ sudo screen <console-port> 115200

Note: The sudo command will prompt for the local workstation password of the current account.

If portions of the text are unreadable but appear to be properly formatted, the most likely culprit is a character encoding mismatch in the terminal. Adding the -U parameter to the screen command line arguments forces it to use UTF-8 for character encoding:
$ sudo screen -U <console-port> 115200

Terminal Settings
The settings to use within the terminal program are:

Speed
115200 baud, the speed of the BIOS
Data bits
8

Parity
None
Stop bits
1
Flow Control
Off or XON/OFF.

Warning: Hardware flow control (RTS/CTS) must be disabled

Terminal Optimization

Beyond the required settings there are additional options in terminal programs which will help input behavior and output rendering to ensure the best experience. These settings vary location and support by client, and may not be available in all clients or terminals.

These are

Terminal Type
xterm
This setting may be under Terminal, Terminal Emulation, or similar areas.
Color Support
ANSI colors / 256 Color / ANSI with 256 Colors
This setting may be under Terminal Emulation,Window Colors, Text, Advanced Terminfo, or similar areas.
Character Set / Character Encoding
UTF-8
This setting may be under Terminal Appearance, Window Translation, Advanced International, or similar areas. In GNU screen this is activated by passing the -U parameter.

Line Drawing
Look for and enable setting such as “Draw lines graphically”, “Use unicode graphics characters”, and/or “Use Unicode line drawing code points”.
These settings may be under Terminal Appearance, Window Translation, or similar areas.
Function Keys / Keypad
Xterm R6
In Putty this is under Terminal > Keyboard and is labeled The Function Keys and Keypad.
Font
For the best experience, use a modern monospace unicode font such as Deja Vu Sans Mono, Liberation Mono, Monaco, Consolas, Fira Code, or similar.

This setting may be under Terminal Appearance, Window Appearance, Text, or similar areas.

What’s Next?
After connecting a terminal client, it may not immediately see any output. This could be because the device has already finished booting or it may be that the device is waiting for some other input.
If the device does not yet have power applied, plug it in and monitor the terminal output.
If the device is already powered on, try pressing Space. If there is still no output, press Enter. If the device was booted, it should redisplay the login prompt or produce other output indicating its status.

Troubleshooting

Serial Device Missing
With a USB serial console there are a few reasons why the serial port may not be present in the client operating system, including:

No Power
Some models require power before the client can connect to the USB serial console.

USB Cable Not Plugged In
For USB consoles, the USB cable may not be fully engaged on both ends. Gently, but firmly, ensure the cable has a good connection on both sides.

Bad USB Cable
Some USB cables are not suitable for use as data cables. For example, some cables are only capable of delivering power for charging devices and not acting as data cables. Others may be of low quality or have poor or worn connectors.
The ideal cable to use is the one that came with the device. Failing that, ensure the cable is of the correct type and specifications, and try multiple cables.

Wrong Device
In some cases there may be multiple serial devices available. Ensure the one used by the serial client is the correct one. Some devices expose multiple ports, so using the incorrect port may lead to no output or unexpected output.

Hardware FailureThere could be a hardware failure preventing the serial console from working. Contact Netgate TAC for assis-tance.

No Serial Output
If there is no output at all, check the following items:

USB Cable Not Plugged In
For USB consoles, the USB cable may not be fully engaged on both ends. Gently, but firmly, ensure the cable has a good connection on both sides.

Wrong Terminal Settings
Ensure the terminal program is configured for the correct speed. The default BIOS speed is 115200, and many other modern operating systems use that speed as well.
Some older operating systems or custom configurations may use slower speeds such as 9600 or 38400.

Device OS Serial Console Settings
Ensure the operating system is configured for the proper console (e.g. ttyS1 in Linux). Consult the various operating install guides on this site for further information.

PuTTY has issues with line drawing
PuTTY generally handles most cases OK but can have issues with line drawing characters on certain platforms. These settings seem to work best (tested on Windows):

Window
Columns x Rows
80×24
Window > Appearance
Font
Courier New 10pt or Consolas 10pt
Window > Translation
Remote Character Set

Use font encoding or UTF-8
Handling of line drawing characters
Use font in both ANSI and OEM modes or Use Unicode line drawing code points
Window > Colours
Indicate bolded text by changing
The colour

Garbled Serial Output
If the serial output appears to be garbled, missing characters, binary, or random characters check the following items:

Flow Control
In some cases flow control can interfere with serial communication, causing dropped characters or other issues. Disabling flow control in the client can potentially correct this problem.
On PuTTY and other GUI clients there is typically a per-session option to disable flow control. In PuTTY, the Flow Control option is in the settings tree under Connection, then Serial.
To disable flow control in GNU Screen, add the -ixon and/or -ixoff parameters after the serial speed as in the following example:
$ sudo screen <console port> 115200,-ixon

Terminal Speed
Ensure the terminal program is configured for the correct speed. (See No Serial Output)

Character Encoding
Ensure the terminal program is configured for the proper character encoding, such as UTF-8 or Latin-1, depend-ing on the operating system. (See GNU Screen)

Serial Output Stops After the BIOS
If serial output is shown for the BIOS but stops afterward, check the following items:

Terminal Speed
Ensure the terminal program is configured for the correct speed for the installed operating system. (See No Serial Output)

Device OS Serial Console Settings
Ensure the installed operating system is configured to activate the serial console and that it is configured for the proper console (e.g. ttyS1 in Linux). Consult the various operating install guides on this site for further information.

Bootable Media
If booting from a USB flash drive, ensure that the drive was written correctly and contains a bootable operating system image.

ADDITIONAL RESOURCES

Professional Services
Support does not cover more complex tasks such as network design and conversion from other firewalls. These items are offered as professional services and can be purchased and scheduled accordingly.
https://www.netgate.com/our-services/professional-services.html
Netgate Training
Netgate training offers training courses for increasing your knowledge of Netgate products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction; Netgate training has got you covered.
https://www.netgate.com/training/

Resource Library
To learn more about how to use your Netgate appliance and for other helpful resources, make sure to browse our Resource Library.
https://www.netgate.com/resources/

WARRANTY AND SUPPORT

One year manufacturer’s warranty.
Please contact Netgate for warranty information or view the Product Lifecycle page.

All Specifications subject to change without notice.

Enterprise Support is included with an active software subscription, for more information view the Netgate Global Support page.

See also:
For more information on how to use TNSR® software, see the TNSR Documentation and Resource Library.

FAQ

Q: Can I use copper SFP/SFP+ modules on the Netgate 6100 MAX?
A: No, the built-in SFP interfaces do not support copper Ethernet connectors (RJ45).
Q: How do I perform a graceful shutdown on the router?
A: Short press the power button for 3-5 seconds.

Documents / Resources

netgate 6100 MAX Secure Router [pdf] User Manual
6100 MAX Secure Router, 6100 MAX, Secure Router, Router

References

User Manual

netgate 6100 MAX Secure Router