@luislobo
Last active April 19, 2025 03:36
NetGate + EERO

How-To Guide: Setting Up Your Netgate SG-5100 Router with Eero for Optimal Performance (Especially Gaming!)

How-To Guide: Level Up Your Home Network! Netgate SG-5100 + Eero Setup (Clean Install)

Hey! So you've got a powerful Netgate SG-5100 firewall/router and the Eero mesh system. This guide will walk you through setting up the Netgate as your main router (handling all the internet traffic management, security, and IP addresses) and putting your Eero system into "Bridge Mode" so it just provides excellent Wi-Fi coverage without interfering with the Netgate. We'll start by making sure the Netgate is factory fresh and fully updated for the best, most stable experience.

Why are we doing this?

  1. Performance: The Netgate SG-5100 is a beast designed for high-performance routing and security. Letting it manage the network directly is generally better than relying on simpler consumer routers.
  2. Control: pfSense (the software on the Netgate) gives you way more control over your network settings, security rules, and features compared to standard routers.
  3. Better NAT for Gaming: By having only one device (the Netgate) acting as the router connected to the internet, we eliminate a common problem called "Double NAT". Double NAT often leads to "Strict" or "Moderate" NAT types in games, causing issues with matchmaking, voice chat, and joining parties. This setup aims for an "Open" NAT type.
  4. Stable Wired Connections: Connecting your gaming PC directly to the Netgate's built-in switch ports gives you the lowest latency and most reliable connection possible.

Our Network Plan:

  • Prep: Factory Reset & Update Netgate SG-5100.
  • Internet Connection: Frontier -> Netgate SG-5100 (WAN Port - IGB0)
  • Main Router: Netgate SG-5100 running latest pfSense Plus
  • Local Network IP Range: 172.16.1.0/24 (This means your devices will get IPs like 172.16.1.xxx)
    • Why 172.16.1.x? It's a standard private range, less common than 192.168.1.x, making conflicts with other networks (like VPNs or maybe even the Frontier modem itself) less likely. Your Netgate's address (the gateway) will be 172.16.1.1.
  • Wi-Fi: Eero System (in Bridge Mode) connected to Netgate LAN port (IGB1).
  • Wired Devices: Gaming PC, etc., connected directly to Netgate LAN ports (IX0-IX3).

Let's get started! We'll reset and update the Netgate first, configure it completely, then integrate the Eero.


Phase 0: Clean Slate & Updates (Start Here!)

Before building the new network, let's ensure the Netgate SG-5100 is factory fresh and running the latest software. This prevents unexpected issues from old configurations or bugs.

A. Factory Reset the Netgate SG-5100

This wipes all previous settings and returns the Netgate to its out-of-the-box state (IP 192.168.1.1, user admin, pass pfsense).

  1. Find Reset Button: Locate the small, recessed reset button on the back of the SG-5100 (near the power connector). You'll need a paperclip or a similar tool.

  2. Power Off: Unplug the power adapter from the Netgate. Ensure it's completely off.

  3. Press & Hold Reset: Gently insert the paperclip into the reset hole to press and hold the button. Don't force it.

  4. Apply Power (While Holding): Keep holding the reset button down, and plug the power adapter back into the Netgate.

  5. Keep Holding (Wait!): Continue to hold the reset button firmly for approximately 30 seconds. Watch the status LEDs on the front; you might see them flash differently (like red/green) indicating the reset is starting. After ~30 seconds, release the button.

  6. Reboot & Wait: The Netgate will continue its boot process and should eventually reboot itself into its factory default state. This can take several minutes. Just let it sit until the front lights appear stable (e.g., power light solid, status lights potentially indicating boot complete - refer to manual page 18 for LED patterns if unsure, but usually waiting 5 mins is safe).

    • Why Factory Reset? This step is crucial to guarantee there are no leftover settings, firewall rules, IP address configurations, or user accounts from any previous use (or even initial factory testing) that could conflict with our new setup. It ensures we start from a known, clean baseline.

B. Update Netgate Firmware (pfSense Plus)

Running the latest software is vital for security, stability, and features. The Netgate needs an internet connection for this.

  1. Temporary Internet Setup:

    • Connect an Ethernet cable from your Frontier ONT/Modem's LAN port directly to the Netgate WAN port (IGB0).
    • Connect an Ethernet cable from your Computer's Ethernet port directly to a Netgate LAN port (IGB1 or any IX0-IX3 port).
    • Power ON the ONT (wait 1-2 min for it to fully connect to the internet), then Power ON the Netgate (wait 1-2 min for it to boot), then Power ON your Computer.
  2. Access Netgate (Default State):

    • On your computer, open a web browser and navigate to the Netgate's factory default address: http://192.168.1.1.
    • You'll see a security warning ("Your connection is not private"). Click Advanced, then Proceed to 192.168.1.1 (unsafe). This is normal for the default certificate.
    • Login with default credentials: Username admin, Password pfsense.
  3. Skip Initial Wizard (Temporarily): The Setup Wizard might launch automatically. For now, click the pfSense logo at the top left or navigate to the Dashboard via the top menu (Status > Dashboard). We want to update before running the wizard.

  4. Check for Updates:

    • Go to the top menu: System > Update.
    • On the "System Update" page, ensure the "Branch" dropdown shows the latest stable version (it usually defaults to the correct one).
    • The page will automatically contact Netgate servers to check for updates. It will display your "Current base system version" and the "Latest base system version".
  5. Perform Update (If Needed):

    • If the "Latest" version is newer than your "Current" version, a Confirm button (or similar, like Download and Install Updates) will appear below the version information. Click it.
    • IMPORTANT - BE PATIENT: The Netgate will now download the update package, verify it, install it, and then automatically reboot. This process can take 10-20 minutes or even longer depending on the update size and device speed.
    • DO NOT unplug power or interrupt the device during the update. The web interface will become unresponsive. You can monitor the device's LEDs; it will eventually reboot.
  6. Verify Update Completion: Once the Netgate has fully rebooted (give it a few minutes after the lights stabilize), try accessing http://192.168.1.1 again.

    • Log in with admin / pfsense. (The password typically resets to the default after an update from factory state, though it may be retained if only pfSense was updated and not the base OS. Try pfsense first.)
    • Go back to System > Update. Verify that the "Current base system version" now matches the "Latest base system version" and it says "Status: Up to date."
  7. Power Down: Shut down the Netgate and your computer. Disconnect the temporary cables.

    • Why Update First? This ensures you configure your network on the most secure and stable version of the pfSense Plus software, avoiding potential bugs from older versions and benefiting from the latest performance improvements and features right from the start.

Phase 1: Prep Work (Post-Reset/Update)

Alright, the Netgate is clean, updated, and ready for configuration!

  1. Internet Type: DHCP from Frontier.
  2. Wi-Fi Credentials: Eero SSID and password handy.
  3. IP Plan Reiteration: We're configuring Netgate LAN for 172.16.1.1/24.
  4. Setup Computer: Still need that computer with an Ethernet port.

Phase 2: Netgate Initial Setup (Configuring the Router)

Let's set up the Netgate as the core of your network.

  1. Connections (Setup Mode):

    • Connect Ethernet: [Frontier ONT] ---> [Netgate IGB0 (WAN)]
    • Connect Ethernet: [Computer] ---> [Netgate IGB1 (LAN)] (or IX0-3)
      [Frontier ONT] <--- Ethernet ---> [Netgate IGB0 (WAN)]
      
      [Computer]     <--- Ethernet ---> [Netgate IGB1 (LAN)]
      
  2. Power Up Sequence: Power ON ONT (wait 1-2 min) -> Power ON Netgate (wait 1-2 min) -> Power ON Computer.

  3. Access Netgate (Default IP Again): Browser to http://192.168.1.1. Accept warning.

  4. Login: admin / pfsense (Should be the default after reset/update).

  5. Setup Wizard (For Real This Time): Let's configure the basics.

    • Step 1 (Support): Click Next.
    • Step 2 (General Info):
      • Hostname/Domain: pfSense/home.arpa are fine, or customize if you like.
      • DNS Servers: Leave blank to use Frontier's, or enter public ones (e.g., 1.1.1.1, 8.8.8.8).
      • Override DNS: Ensure this is UNCHECKED. Why? We want the router itself to use reliable DNS, not necessarily force clients to use specific ones via DHCP if we don't set that up later.
      • Click Next.
    • Step 3 (Time): Select your correct Timezone. Why? Accurate time is crucial for logs, scheduled rules, and certificate validation. Click Next.
    • Step 4 (WAN Config):
      • SelectedType: Set to DHCP (most likely for Frontier Fiber).
      • Scroll Down: UNCHECK Block private networks... and UNCHECK Block bogon networks. Why uncheck now? While generally good security, these can sometimes interfere with initial setup or specific ISP configurations. They can be re-enabled later under Interfaces > WAN if desired and tested.
      • Click Next.
    • Step 5 (LAN Config): <<< This is the critical IP change! >>>
      • LAN IP Address: Change from 192.168.1.1 to 172.16.1.1.
      • Subnet Mask: Select 24 from the dropdown (255.255.255.0).
      • Click Next.
    • Step 6 (Admin Password): Enter a NEW, STRONG password. Confirm it. DO NOT USE pfsense! Why? The default password is publicly known; changing it is your first line of security. Click Next.
    • Step 7 (Reload): Click the Reload button. Wait about a minute. The Netgate applies changes and your connection to 192.168.1.1 will drop. This is expected.
  6. Reconnect (New IP):

    • Your computer needs a new IP address from the 172.16.1.x network. It should get one automatically via DHCP. (If not, wait a bit, or renew the lease: ipconfig /release then ipconfig /renew on Windows; Renew DHCP Lease on Mac).
    • Go to the browser and navigate to the new address: http://172.16.1.1.
    • Login with admin and your new strong password.
  7. Configure DHCP Server (Essential Step): Now that the Netgate has its LAN IP, we MUST configure the range of addresses it will give out before we connect the Eero or other devices.

    • Go to Services > DHCP Server.
    • Make sure the LAN tab is selected.
    • CHECK the box for Enable DHCP server on LAN interface.
    • Scroll down to the Range setting.
      • From: 172.16.1.100
      • To: 172.16.1.200
      • Why this range? Provides 101 addresses for devices, leaving lower numbers (.2 to .99) free if you ever want to assign permanent (static) IPs to servers, printers, or even your gaming PC. You can adjust this range later if needed.
    • Scroll to the bottom and click Save.
  8. Verify Isolated Setup:

    • Check the Dashboard (Status > Dashboard): Does the WAN interface show a public IP from Frontier? Does the LAN interface show 172.16.1.1?
    • Test internet access: Can the computer directly connected browse websites?
  9. Power Down: Shut down the Netgate and your computer. Disconnect the computer from the Netgate for now.

    • Why verify now? Confirms the Netgate is correctly configured as the router, has internet access, and is ready to serve IPs before we complicate things by adding the Eero system.

Phase 3: Configure Eero & Final Connections

Now, let's get the Eero system talking to the Netgate and set up the final wiring.

  1. Bridge the Eero (If Not Already Done):
    • If your Eero system is not yet in Bridge Mode (maybe you skipped Phase 0 or reset it), you need to do it now.
    • Temporarily connect the Main Eero back to the Frontier ONT and power up the Eero system so your phone can connect to its Wi-Fi.
    • Open the Eero App.
    • Navigate: Settings > Network settings > DHCP & NAT.
    • Select Bridge. Confirm and let the Eero network restart.
    • Once restarted, power down the Eero and disconnect it from the ONT.
  2. Power Down Everything: Make sure ONT, Netgate, Eeros, Computers are all powered OFF.
  3. Final Wiring Diagram:
    [Frontier ONT] <--- Ethernet ---> [Netgate IGB0 (WAN)]
    
    [Netgate IGB1 (LAN)] <--- Ethernet ---> [Main Eero Port]
    
    [Netgate IX0 (LAN)] <--- Ethernet ---> [Gaming PC]
    (Use IX1, IX2, IX3 for other wired devices)
    
  4. Final Power-On Sequence (Order matters for smooth startup):
    • Power ON Frontier ONT. Wait 1-2 minutes for internet light.
    • Power ON Netgate SG-5100. Wait 1-2 minutes for boot.
    • Power ON Eero Units. Wait a few minutes for them to boot and connect (they'll get IPs from the Netgate now).
    • Power ON Computer(s).

Phase 4: Final Verification

Let's confirm the whole system works together.

  1. Check IPs: Connect your gaming PC (wired) and a phone/laptop (via Eero Wi-Fi). Check their network settings. They should receive IP addresses in the 172.16.1.100 - 172.16.1.200 range. The Gateway/Router address should be 172.16.1.1.
  2. Test Internet: Verify internet browsing works correctly on both wired and Wi-Fi devices.
  3. Check Eero App: Open the Eero app. It should show the Eero devices online and correctly report being in Bridge Mode.
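
The checks from Phase 2 step 8 and Phase 4 step 1 can be scripted. The following is an added example, not part of the original guide: it flags a WAN address that is not publicly routable (a sign that double NAT remains) and clients whose lease or gateway does not come from the Netgate. The sample readings are constructed.

```python
import ipaddress

# Values from the guide's network plan.
LAN = ipaddress.ip_network("172.16.1.0/24")
GATEWAY = ipaddress.ip_address("172.16.1.1")
POOL = (ipaddress.ip_address("172.16.1.100"), ipaddress.ip_address("172.16.1.200"))

# Not publicly routable: RFC 1918 private space and the RFC 6598 shared
# (carrier-grade NAT) block. A WAN address in one of these means another
# NAT device still sits upstream of the Netgate.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_wan(wan_ip):
    """Findings for the WAN address shown on Status > Dashboard."""
    ip = ipaddress.ip_address(wan_ip)
    findings = [f"WAN {ip} is inside {net}: upstream NAT (double NAT) likely"
                for net in NON_PUBLIC if ip in net]
    if ip in LAN:
        findings.append(f"WAN {ip} overlaps the LAN range {LAN}")
    return findings


def check_client(name, ip, gateway, static=False):
    """Findings for one client's address and default gateway."""
    ip, gateway = ipaddress.ip_address(ip), ipaddress.ip_address(gateway)
    findings = []
    if ip not in LAN:
        findings.append(f"{name}: {ip} is outside {LAN}; lease came from another DHCP server")
    elif not static and not (POOL[0] <= ip <= POOL[1]):
        findings.append(f"{name}: {ip} is outside the DHCP pool {POOL[0]}-{POOL[1]}")
    if gateway != GATEWAY:
        findings.append(f"{name}: gateway is {gateway}, expected {GATEWAY}")
    return findings


if __name__ == "__main__":
    # Constructed sample readings, not taken from a real network.
    print(check_wan("203.0.113.7"))
    print(check_client("gaming-pc", "172.16.1.101", "172.16.1.1"))
    # A Wi-Fi client as it might look if the Eero were still routing.
    print(check_client("phone", "192.168.4.23", "192.168.4.1"))
```

A Wi-Fi client that reports an address outside 172.16.1.0/24 is the quickest sign that the Eero is not actually in Bridge Mode.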

Phase 5: Gaming Tuning (Optional - Test First!)

Your NAT type should be much better now. Test your games! If you still need adjustments (e.g., NAT still shows Moderate/Strict):

  1. UPnP (Easy Automatic Ports):

    • Enable: Go to Netgate (http://172.16.1.1) > Services > UPnP & NAT-PMP. Check Enable, Allow UPnP Port Mapping, Allow NAT-PMP Port Mapping.
    • Secure it (Highly Recommended): Check Enable Access Control Lists. Click + Add. Create ACL rules to only allow your trusted devices (gaming PC, consoles) to use UPnP. Use their specific 172.16.1.x IPs. Example for 172.16.1.50:
      allow 1024-65535 172.16.1.50/32 1024-65535
      
      (The /32 means only that single IP. Add separate lines for other devices.) Why ACLs? Prevents potentially less secure devices on your network (like IoT gadgets) from opening ports via UPnP.
    • Click Save. Test game again.
  2. Port Forwarding (Manual Specific Ports):

    • Use if: UPnP doesn't work for a specific game, or you prefer explicit control.
    • How: Find the exact ports (TCP/UDP) the game needs. Find your gaming PC's internal IP (e.g., 172.16.1.50 - consider setting a Static DHCP mapping for it in Services > DHCP Server so its IP doesn't change). Go to Netgate > Firewall > NAT > Port Forward tab. Click + Add.
    • Fill details: Interface=WAN, Protocol=TCP/UDP, Dest. Port(s), Redirect IP=Your PC's 172.16.1.x IP, Redirect Port=Same as Dest., Description=Game Port XYZ. Ensure "Filter rule association" is set to create the firewall rule.
    • Click Save, then Apply Changes. Repeat for all required ports.
  3. QoS / Traffic Shaping (Advanced Congestion Fix):

    • Use if: You have limited internet speed and experience lag only when others are heavily using the connection (streaming, downloading).
    • How: Explore Netgate > Firewall > Traffic Shaper > Wizards. This is complex; research pfSense QoS guides thoroughly before attempting. It's easy to misconfigure.
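
To see what the UPnP ACL line from step 1 does and does not restrict, here is an added example (not part of the original guide) that evaluates rules in that format against mapping requests. It assumes miniupnpd-style first-match evaluation; the outcome for a request that matches no rule is a parameter, set to allow here as an assumption, and the requesting devices and the trailing deny-all rule are constructed for illustration.

```python
import ipaddress

# The rule from the guide, and the same rule followed by an explicit deny-all.
GUIDE_ACL = "allow 1024-65535 172.16.1.50/32 1024-65535"
WITH_DENY_ALL = GUIDE_ACL + "\ndeny 0-65535 0.0.0.0/0 0-65535"

def _ports(spec):
    """Turn '1024-65535' or '3074' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return low, high

def parse_acl(text):
    """Parse lines of the form: (allow|deny) ext_ports ip/mask int_ports."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action, _ports(ext), ipaddress.ip_network(net, strict=False),
                      _ports(internal)))
    return rules

def decide(rules, client_ip, ext_port, int_port, default="allow"):
    """First matching rule wins; `default` (an assumption) applies otherwise."""
    ip = ipaddress.ip_address(client_ip)
    for action, (e_lo, e_hi), net, (i_lo, i_hi) in rules:
        if ip in net and e_lo <= ext_port <= e_hi and i_lo <= int_port <= i_hi:
            return action
    return default

def broad_allows(rules):
    """Allow rules that cover more than one address (wider than /32)."""
    return [str(net) for action, _, net, _ in rules
            if action == "allow" and net.num_addresses > 1]

if __name__ == "__main__":
    # Constructed requests: the gaming PC, then a hypothetical IoT device.
    for acl in (GUIDE_ACL, WITH_DENY_ALL):
        rules = parse_acl(acl)
        print(decide(rules, "172.16.1.50", 3074, 3074),
              decide(rules, "172.16.1.120", 8080, 8080))
```

If unmatched requests are allowed, the single allow line alone leaves other devices able to map ports; confirm how your pfSense version handles unmatched requests, or make the denial explicit.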

Phase 6: Victory Lap & Backup!

Success! You've set up a robust, high-performance network with the Netgate SG-5100 at the helm and Eero providing seamless Wi-Fi.

CRITICAL FINAL STEP - DON'T SKIP: Go to the Netgate interface (http://172.16.1.1) > Diagnostics > Backup & Restore. Click the Download configuration as XML button. Save this file somewhere very safe (like a USB drive AND cloud storage). If your Netgate ever has issues or needs resetting again, this file contains all your settings (IPs, passwords, firewall rules, DHCP, etc.) and can restore your configuration in minutes. Back up regularly, especially after making big changes!

Enjoy the awesome network!
