Hi. Just as an FYI, I have multiple XTM 5 units and love them but there appears to be some kind of an issue on 2.5.1 specific to these models that IPSEC suddenly stops responding. If anyone else out there has some experience on this and can provide feedback. 2.4.5p1 works fine on that hardware.

@bubbadestroy I already tried 2 different msata drives where did you connected yours? bottom or the small in the top?

Regards,

Diogo

That device is now supported in FreeBSD head:
https://github.com/freebsd/freebsd-src/blob/main/sys/dev/e1000/e1000_hw.h#L167

Part of this commit which doesn't look to be anything too complex. Though it may significantly far from 12-stable.

Steve

No. The M470, and the M370/M570/M670, use a different board.

Steve

Ha, that'll do it. 😉

Was it still running the default config? Pretty much has to be hardware if so.

Mmm, disabling MSIX globally for all PCI devices should really be a last resort option anyway.

@EveningStarNM

After my upgrade to 2.5.1 I also was faceing some "strange" issues with my broadcom nics, too (I can remember, i several problems some years ago...)

However:
Given a special situation my broadcom nics started to change states from up to down and vice-versa. Was well documented in my logs.
I started searching and stumbled about several threads and blogposts pointing me to the drivers for broadcom nics.

https://www.it-react.com/index.php/2021/03/08/pfsense-re0-watchdog-timeout-error/

https://forums.serverbuilds.net/t/guide-resolve-realtek-nic-stability-issues-on-freebsd-pfsense-2-4-4-2-4-5-2-5-0-opnsense-use-2-5gb-realtek/3555

The blog-post gives a brief introduktion to the problem and solution. I went with the now already availeable package through pkg.

Solved my problem and as it seems the day to day performance seems to be better as well. Might be worth to take a look into.

@stephenw10 Thanks. Seeing the traces were so identical, I checked twice: no confusion, those were two true distinct crashes/reboots.
I had fully removed the good-old trafic shaper right after my last post.
Seeing no new issues for more than 12 hours, I started rebuilding a new shaper configuration. Looks stable for now
Thanks.

@mloiterman I would be interested in the compile instructions as well as I have the same issue you have although I did manage a work around with the old firmware 8.10. I updated the firmware to 8.30 :-( . I could reverse the firmware update but I figured I would move forward through this problem :-) . Something is seriously wrong with this card and PFsense at the moment and I hope netgate finds the time to fix it. Thanks

Just be aware that you must unassign the interface again before you stop tethering. If you leave it assigned the firewall will fail to boot the next time it is rebooted.

Steve

@stephenw10 ok, a bit more complicated than I thought then...

If anyone have any idea what might help I`m open earl! Or else there seams to be more work to getting this to function than it is worth it..

They are still driven with an AC signal, you can change the tone of the beep. I'd be amased it didn't work when connected the other way. But anyway I don't believe that is the issue here, more that the device is not presented to the OS in a way that FreeBSD/pfSense can use as /dev/speaker.

Steve

I assume you want to run the card as an access point? Most of the Intel driver do not support hostap mode so cannot be an access point.
No, there is nothing significantly newer than the Atheros AR9380 that is supported. Yet.

Steve

@stephenw10 I receive 2 news servers on Monday, I will do test with FreeBSD.

Hmm, interesting.
We don't build that module though it is in our ports tree.

You might be able to load the package from FreeBSD 12.2 stable directly.

Steve

That indicates the system does not have an interface with a subnet covering that IP for the kernel add it to.
Usually it means the WAN has gone down and that IP is the WAN gateway.

Steve

No new information there I'm afraid.

Mmm, I can see no reason why it would not be unless you using some unusual connection method. Like maybe fiber directly. Or something similar to pfatt.

Steve

You will be seeing two issues here.

The firewall still boots because lagg is a subinterface excluded from the check. So even though it boors without issue the defined lagg will still be re NICs and hence invalid.

When you add a 4 port Intel NIC it it's using the igb driver the WAN and LAN ports will probably have moved onto the card. The ports are numbered in the order they are detected and the expansion card is usually parsed first.
See: https://docs.netgate.com/pfsense/en/latest/solutions/xg-1537/io-ports.html#optional-intel-1-gbps-expansion-card-ports

Steve

If you just change the NIC type in Hyper-V I would expect pfSense to fail to boot because the assigned ix NICs would no longer be present. It would stop in the console and you would have to re-assign the interfaces there to the new ixv NICs.

Steve

@stephenw10,

Thank you for the quick reply. Sorry it has taken me so long to get back to you. I finally had some time yesterday to take another look. Turns out I had a bad vLAN setting on my lab switch. I now have access to PFSense from the web interface and SSH. I still need to figure out how access the other network interfaces but for now I have the primary and aux interfaces working.

B/R.
Mike

@stephenw10 Thank you. I'll keep an eye on future updates.

@steveits had a quick look but its late and just finished a 12hr work day... but the main difference i spotted between the 2 units isn't black magic but an accelerator card CPIC-8955 that seems to offload the encryption from CPU and " accelerate cryptographic workloads ".

For a " home lab " I cannot justify spending $2650USD or $3150USD and the recurring $500USD yearly subscription when the Asus RS100 listed above set me back $550CAD + 98CAD for CPU + $110 for a 500GB WD SN750 + $140 for 16GB DDR4 2666 ECC RAM which is a hair under $900CAD which at the current exchange rate is roughly 732USD.

Not sure about the forward compatibility of the NETGATE units with other "firewall" software and would suck to get hardware locked after spending such a large amount of money, but for me... leaving the door open to other avenues to be discovered and allows future flexibility in mind is a good thing as now more than ever that is something to keep in mind.

@m4nf47
same here, pkg remove and then install
tho i had to add the following to /boot/loader.conf
if_re_load="YES"
if_re_name="/boot/modules/if_re.ko"

@stephenw10

Many thanks for sharing these simple instructions! I agree this was much easier than messing about with compiling drivers and manually editing boot files. Much appreciated 🙂

pkg install realtek-re-kmod
then
echo 'if_re_load="YES"' >> /boot/loader.conf.local
then
reboot
then check the boot logs for output from the new driver loading using
grep version: /var/log/dmesg.boot
(output to look for is re0: version:1.96.04)
but also the if_re.ko driver is listed for me when I use
kldstat | grep if_re
which shows output ending in 11e230 if_re.ko (when driver loaded)

Source:
https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release/168#

Routing I'm getting about 1712 Mbps avg (Highs in 280s MB/s) but I'm not sure if that is the upper limit or just the limitation of my 2.5Gbps USB NICS. I don't have any 10Gbps Gear other than this firewall and Brocade switches. My Windows 2019 Server is 10Gb as well but I'm thinking that this little box is a winner. I haven't tried NAT performance but I would expect similar results even though NATing I feel like is more resource intensive but this box never gets to 50% utilization. I think the bottle neck is the 2.5Gbps USB NICs or my SK hynix Gold S31 SATA Gen3 2.5 inch SSD or My Samsung 860 Evo SSD, 10 Gb USB NICs are too expensive right now in the neighborhood of $300.

What chipsets do those NICs use? They are probably Realtek or Aquantia. Both have drivers available in 2.5.

Steve

It should be supported by bxe(4). There is no other driver as far as I know.

Steve

@flok No, so far not.

Glad to know this solution confirmed working and is a great hurricane or other disaster back.

@aidanic

I do have this system now: https://www.supermicro.com/products/system/1u/5018/SYS-5018D-FN8T.cfm

Yeah and the fans are noise at full speed. I use Optimal settings on mine.
I was planing to order the Noctua NF-A4x20, but you need to do some "tweak/hack" on the fan speed control using ipmitool.

Using this guide: https://forums.servethehome.com/index.php?resources/supermicro-x9-x10-x11-fan-speed-control.20/

But i decide not to do it yeah. :)

@stephenw10 Thanks for your reply, but I am not sure if this was the case, as I can see in the log that igb0 - igb3 is still same (original) mac address.

I also switched the two Quad NICs in the PCI-E ports. After switching the WebGui and WAN were available again and I was also able to enable to new interfaces. Everything now works.

Still do not understand why just adding new NIC in empty PCI-E didn't work immediately. Adding a new NIC shouldn't require any adjustments or analysis (imo).

@sparky17

No, I have not had any issues with the system. I do not run any third party apps. It works great.

I use a Silverstone Milo 10 Case with a Nocuta Fan on the top blowing cold air. I have it mounted to my wall.

https://www.silverstonetek.com/product.php?pid=923&area=en

I also use a Mini-Box P4-DC jack to enable power with a 60 watt power supply

https://www.mini-box.com/P4-DC-Jack-Cable

https://www.mini-box.com/60w-12v-5A-AC-DC-Power-Adapter

The system runs about 32 to 36 degrees C daily.

Without any outbound NAT only the device with the public IP directly is able to connect out and get replies.
Anything in a private subnet behind that needs to have it's outbound connections translated to the public in order to get replies. That is outbound NAT.

So you need to have some outbound NAT. A lack of it entirely might have fitted your initial symptoms.

It doesn't really matter what you set the NAT on the new device. The best solution would be to pass the public IPO to pfSense and let it handle the NAT but if it's working well as it is I wouldn't worry about it.

Steve

@tenou said in Nexcom LCM with LCDproc:

@stephenw10 it's been a long time, but you were totally right! The display works flawlessly using the "Watchguard Firebox with SDEC" driver with default settings.

NSA5130-OS1.png

How to spot a fake card:

https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/