Official Netgate® Hardware

• 

  New Hardware Comparison Chart For Netgate Appliances
  • dennis_s  

  1
  6
  Votes
  1
  Posts
  1703
  Views

  No one has replied

• 

  Useful resources for new appliance owners
  • chrismacmahon  

  1
  0
  Votes
  1
  Posts
  1933
  Views

  No one has replied

• 

  PfSense virtual appliances for Cloud - AWS and Azure
  • ivor  

  1
  0
  Votes
  1
  Posts
  3425
  Views

  No one has replied

• 

  Official pfSense hardware customer photos / network pics porn!
  • ivor  

  38
  0
  Votes
  38
  Posts
  12990
  Views

  S

  SG-3100
• M

  SG-3100 Internet Throughput Issue
  • m_schmtt  

  5
  0
  Votes
  5
  Posts
  75
  Views

  M

  Hi, I've just run into a similar issue today. I've also been using an SG3100 for quite a few years with Virgin Media's 350Mbps/35Mbps service and it's worked very well. I also upgraded my service and have gone for 1Gbit/50Mbps and I'm finding that the SG3100 is bottling out at about 425Mbps down but OK up. It's hitting over 90% CPU utilisation testing downlink. I'm not doing anything very clever with mine - switching both pfblocker and DNSBL off hasn't helped. What does confuse me is that someone else within these forums has managed to get the SG3100 running at Gbit line speed but didn't share the configuration. I think the fault he reported was a wonky Gbit switch that wasn't performing under load. I guess you have iperfed the links.... Cheers, Richard
• V

  Telegraf for ARM systems? (e.g. Netgate SG-3100).
  • victorhooi  

  49
  1
  Votes
  49
  Posts
  1891
  Views

  T

  Is there any update on this please?
• S

  Suboptimal routing troughput, debugging options ?
  • SGMC  

  8
  0
  Votes
  8
  Posts
  41
  Views

  

  Hmm. Can you try adding the OPT port as an interface on a different subnet and testing from there? It should be identical to the LAN but....
• A

  Unable to change from 192.168.1.1 to 192.168.8.1 on LAN interface
  • alfaro  

  7
  0
  Votes
  7
  Posts
  45
  Views

  A

  @johnpoz Thank you. This was so obvious but because I was only looking for DHCP server V6 I did not see it listed with a slight difference as it had something else. Thanks, it worked and I am happily using my new subnet.
• U

  SG-1100 reinstall - blocked user on support ticket submission
  • user382927  

  4
  0
  Votes
  4
  Posts
  20
  Views

  

  No problem. Let us know if you have any problems restoring that. Steve
• V

  XG-7100 - no internet connectivity on latest 2.5.0 builds?
  • victorhooi  

  6
  0
  Votes
  6
  Posts
  44
  Views

  

  Maybe your rules aren't loading? https://redmine.pfsense.org/issues/10861
• C

  SG-3100 Console Issue
  • ckcoder  

  7
  0
  Votes
  7
  Posts
  1091
  Views

  S

  @ckcoder Thank you, two used cables gave me the same error which left me frustrated, and your reply drove me to open a package with a new cable which worked.
• B

  SG-3100 LAN1 port as trunk help
  • brfrankl  

  3
  0
  Votes
  3
  Posts
  24
  Views

  B

  So, I turned on DHCP and low and behold, that worked. So I went back and put a static in and now that works. Rebooted a couple times to make sure it stayed working and it did. Have no idea what was hung. But thanks for verifying I had everything above correct. Hopefully someone else can use it for configuring it themselves. The documentation out there is good, but not great for a more top to bottom of the type I needed... Anyway, thanks for the help....
• K

  SG-5100 CPU usage consistently at 70 to 80%
  • klubar  

  6
  0
  Votes
  6
  Posts
  44
  Views

  K

  On Netgate's advice I rebooted the device and the CPU usage dropped back to less than 10% The only thing I can think of is that I leave the bandwidth monitor up all the time and that somehow created rogue processes. I guess I will not do that now. I also updated the software to the latest version (2.4.5-RELEASE-p1) from 2.4.4p3 but I don't think that was the issue. Thanks for everyone's help.
• P

  New XG-7100 owner confused
  lag vlan4090 vlan4091 • • ParanoidDuck  

  9
  0
  Votes
  9
  Posts
  39
  Views

  P

  I think I figured it out. Using VLAN probably is the best way to do it. Only thing is that the firewall makes it confusing with the 4090 and 4091.
• P

  SG-3100: Upgrade stopped part way through due to network dropout
  • PaulRAU  

  4
  0
  Votes
  4
  Posts
  30
  Views

  

  You can certainly try that. Installing clean is a relatively quick and easy process if you have access to the serial console. I would probably go straight to that to be sure. https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/connect-to-console.html Steve
• R

  SG-3100 Configuring the Switch Ports via VPN
  • rpsmith  

  11
  0
  Votes
  11
  Posts
  66
  Views

  R

  @Rico - Thanks for all your help and the link Rico! Regards, Roy...
• B

  Would like to have failover...not sure what options are
  • bhjitsense  

  3
  0
  Votes
  3
  Posts
  28
  Views

  

  Don't do that, it's a terrible idea! The interfaces need to match so you would need to create a single interface LAGG in the SG-1100 and move all your VLANs to that. Those boxes are massively mismatched in just about every other respect. You could easily load the SG-7100 with rulesets that will kill performance on the SG-1100. The nodes in an HA pair should be as close to identical as possible. Steve
• K

  This topic is deleted!
  • kwessel  

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• L

  SG-3100 Less Throughput on tagged VLANs
  • lnguyen  

  1
  0
  Votes
  1
  Posts
  25
  Views

  No one has replied

• H

  XG-7100 transparent firewall
  • hamidjutt97  

  2
  0
  Votes
  2
  Posts
  9
  Views

  

  In general pfSense works better when it's routing between subnets so before you do this be sure you need to configure it as a transparent firewall. A transparent firewall can be achieved simply by bridging two interfaces. You generally want to filter traffic between them so the bridge sysctls can be left at the default values filtering on the bridge member interfaces. The biggest issue with configuring it is that if you don't have access via another interface you will almost certainly lock yourself out of the firewall during the setup, it's very easy to do. So the first thing to do here is make sure you have access to the firewall via some other interface. What are you connecting between? Can you use the SFP interfaces? Once you have that access simply create a bridge and add the two ports to it. Be sure to only have an IP address on one of the interfaces (including the bridge if you assign it). Be aware that firewall rules including system aliases like LANnet may not be valid if the LAN no longer has an IP. Steve
• N

  SG-3100 hardware check
  • noisybloke  

  8
  0
  Votes
  8
  Posts
  69
  Views

  

  @noisybloke said in SG-3100 hardware check: Coming from domestic routers it was a shock when I learnt that it can't handle power interuptions well. These domestic routers do not have a file system as what you would find on PC or NAS. pfSense could be run from ROM with minimal dynamic data storage, and some NVRAM for the config, but in that case upgrading would be far more complicated, no more packages, and no more dynamic data views. It would become just another SOHO router. Rip out the power cable of your PC : after a couple of times your PC will complain, if it still boots. @noisybloke said in SG-3100 hardware check: (1 noticeable power cut every few years You are wired up yourself ? ;) A blackout that kills all the lights is just one example of a power outage. The oned that 'hurt' a system a far more common. Btw : still, power issues rarely actually kill a device physically. It's just wrong data getting written on the wrong place or something like that. Rebuilding (reformatting) the disk will take care of things. Just make sure your config is saved regularly. I've one of my PC's running a small program that logs in using SSH, executing the 'Diagnostics > Backup & Restore', retrieve the complete config, save the file and log out. A set it and forget it installation. Take note of the "Netgate Device ID" and the 'Device key' which is useful to retrieve a backup of what has been send to Netgate's remote backup storage, see Services > Auto Configuration Backup > Restore
• J

  SG-3100 console stop "Bootup complete", no web gui
  • JRent  

  3
  0
  Votes
  3
  Posts
  19
  Views

  J

  @Rico : I did as suggested and everything is working fine now.
• R

  SG-1000 to SG-1100
  • rustydusty1717  

  4
  0
  Votes
  4
  Posts
  29
  Views

  

  You need to include the <vlans> section in the config to be imported otherwise the interface defined will not exist. You need to retain the <switch> config from the SG-1100 so those VLANs are connected to the correct ports. Steve
• J

  Dashboard Performance Slow On A New XG-7100
  • jefstrongman  

  5
  0
  Votes
  5
  Posts
  45
  Views

  J

  Thank you, I will try that.
• A

  SG-1100E LAN on iperf3 only 368 Mb/s
  • aselle  

  4
  0
  Votes
  4
  Posts
  46
  Views

  

  Between the two test machines directly on the same subnet you should be seeing at or very close to 941Mbps but it looks like you're not. Is there some other restriction there? You might also try with 2 (or more) Parallel streams -P 2. The SG-1100 has a dual core CPU but is limited by using one NIC which can use only one queue. Steve
• M

  XG-7100 Slow WAN w/ Bell Five (LAN is okay)
  • moofone  

  11
  0
  Votes
  11
  Posts
  43
  Views

  M

  Went down the road of modifying the bxe drivers, taping the SMBus pins on the Broadcom (otherwise would not boot). It worked, but speeds were not there. The challenge is faking this to sync at 2500Mbps properly to match the gpon (which provisions at 1500Mbps down 940 up). I have purchased an X710 DA2 which I dont really expect to work either, but I will be able to use it elsewhere. Some have reported success at 2500 with an older firmware, so I will explore that briefly. Lastly -- today I've purchased a Ubiquiti ES-16-XL which I believe is the current and only reliable way to make this work at 2.5Gbps. My gpon will plug into this and then another SFP+ out to the pfsene which SHOULD work... at about double my intended cost... but I'm this far in already and I'd rather keep the 7100 b/c its a nice little unit and pfsense is amazing. I should have results in a couple weeks.
• F

  SG-1100 reinstall fails
  • Fred H  

  9
  0
  Votes
  9
  Posts
  65
  Views

  

  Glad you have it working now. -Rico
• R

  Issues with Suricata and XG-1537
  • Rekoj  

  4
  0
  Votes
  4
  Posts
  19
  Views

  

  @Rekoj said in Issues with Suricata and XG-1537: suricata.log 28/8/2020 -- 09:17:11 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode 28/8/2020 -- 09:17:11 - <Info> -- CPUs/cores online: 16 28/8/2020 -- 09:17:11 - <Info> -- HTTP memcap: 67108864 28/8/2020 -- 09:17:11 - <Notice> -- using flow hash instead of active packets 28/8/2020 -- 09:17:11 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb113615.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb113615.pid. Aborting! You have two problems. The immediate problem is that Suricata began to start and then crashed leaving a stale PID file in the location given. You will need to manually delete that file before it will start. However, the other problem, and the likely root cause of the original crash that left the stale PID file, is the move to a 16-core CPU. That hardware needs a ton more TCP Stream Memory. You will need to go to the FLOW/STREAM tab and greatly increase the Stream Memcap value. Start with 256 MB and go up if necessary. You can Google that term or search for it here on the Netgate forums. Here is one example post from the forums: https://forum.netgate.com/topic/139580/suricata-failing-to-start-interface.
• D

  User blocked! No more tickets allowed for this user - SG-1000 firmware request
  • darkside  

  7
  0
  Votes
  7
  Posts
  98
  Views

  

  Errors like that are expected during an upgrade from a significantly older version. In this case because php was upgraded from 5.2 to 7 and during that time the old libraries are switched out. That's one of the reasons a clean install is often better when coming from an old version. If you're not seeing errors after the upgrade is complete though it's probably fine. Steve
• A

  Migrating from custom hw to XG-7100
  • axonsoft  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  Open a ticket with us: https://go.netgate.com/ We can convert that config for you so you can import it directly in almost every case. Steve
• C

  SG-8860 vs newer appliances
  • clugo633  

  6
  0
  Votes
  6
  Posts
  56
  Views

  C

  @stephenw10 thanks. I’ll instead purchase a new model. Now debating between sg-3100 vs 5100. Thanks.
• S

  SG-3100 Reboots after FW Rule hits 1TB
  • styxl  

  17
  0
  Votes
  17
  Posts
  104
  Views

  B

  Whenever I had Snort installed on my SG 3100, it would always cause spontaneous reboots no matter what package version I used. Not sure if it was the way I had it configured, but even with basic rule sets, it would still crash. I have since removed it and have no further issues with reboots.
• L

  SG-1100 LTE USB-Modem
  • Legolars99  

  7
  0
  Votes
  7
  Posts
  44
  Views

  L

  yes, under 12 it still creates the ue0 interface
• D

  DNS resolver "fails" but forwarding "resolves"
  • DrPhil  

  10
  0
  Votes
  10
  Posts
  54
  Views

  

  @DrPhil said in DNS resolver "fails" but forwarding "resolves": pfSense would not resolve any one of them. And right now mine is not resolving it either. but it has nothing to do with dnssec, it has to do with there is no entry for nic.in any more. Not from google, not from opendns, not from the SOA even.. ; <<>> DiG 9.16.5 <<>> @8.8.8.8 nic.in ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 379 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;nic.in. IN A ;; AUTHORITY SECTION: nic.in. 529 IN SOA nicnet.nic.in. nsadmin.nic.in. 2020082302 1800 600 1209600 14400 ;; Query time: 22 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Aug 23 06:04:02 Central Daylight Time 2020 ;; MSG SIZE rcvd: 86 But there is for www.nic.in $ dig www.nic.in ; <<>> DiG 9.16.5 <<>> www.nic.in ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20504 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.nic.in. IN A ;; ANSWER SECTION: www.nic.in. 3185 IN CNAME www.nic.in-v1.akamaized.net. www.nic.in-v1.akamaized.net. 21185 IN CNAME a1825.dscd.akamai.net. a1825.dscd.akamai.net. 3185 IN A 24.96.54.98 a1825.dscd.akamai.net. 3185 IN A 24.96.54.97 can you resolve that? BTW - posts are not always for the OP.. They are for the next guy as well.. The information I posted is basic understanding of how dns works.. Most users won't get it - but users of pfsense are normally not "most" users.. .
• B

  XG-7100 1U with WAN failover
  • bhjitsense  

  4
  0
  Votes
  4
  Posts
  53
  Views

  B

  @GeorgeCZ58 I did get this set up and have been happy with the results. It took some Googling, but also using the setup guide for the 7100 was helpful. For the 8 port switch in front, I use port 1 for WAN1 and port 2 for WAN2. This required creating VLANs on the switch itself on the 7100. Then I created the Gateway and Gateway Group under System > Routing. Once WAN 1 experiences significant packet loss, WAN 2 becomes the default gateway. It sounds like in your case you don't want failover, but an "always up" gateway for alerting. In this case, what ever is doing the alerting, you can set a Firewall Rule that would always use WAN2 as the gateway. I used the Pepwave BR1 Mini over the Netgate router due to it being up in my attic for much better cellular signal. These can handle the extreme temps up there. Hope this helps!
• P

  Use SG-5100 OPT ports as LAN switch
  • pf_novice  

  10
  0
  Votes
  10
  Posts
  66
  Views

  P

  @johnpoz I understand... in my case because of the cabling layout I only have 2 Ethernet cables to trunk to the main switch location, so there are two 'spare' ports that I can use for a local AP and backup device. This lets me clean up my board and avoid yet another device and power supply. TBH this is 50% a learning exercise - just constructing the bridge has been an education, so it's all good. The next task is to stand up my LTE failover, which will be fun, and then try to figure out how many firewall rules I need to make everything work. Thanks @akuma1x, @johnpoz and @stephenw10 for the insights.
• A

  Firewall rules require a reboot to apply
  • aasimenator  

  13
  0
  Votes
  13
  Posts
  69
  Views

  

  It's still a floating rule which is applied before all other rules. So even if it set to be added after pfSense floating rules it will still block before the rules on the WAN interface pass it. You can set the pfBlocker rules not to be on the floating tab. Or you could add your manual rule on the floating tab above them. Anyway, it's blocked by pfBlocker. Mystery solved at least. Steve
• T

  Need photo of SG2440 motherboard that has been repaired for C2000 bug
  • trombone  

  2
  0
  Votes
  2
  Posts
  35
  Views

  

  Hi @trombone, Sorry to hear your experiencing this. Unfortunately there is no field serviceable component for your SG-2440. As far as outside repair, it may be cheaper to look at a new device with an up to date warranty vs something older, I would defer to one of our sales engineers that could give you a recommendation based on your specific needs.
• M

  Installing OpenBSD on XG-7100
  • madapter  

  30
  0
  Votes
  30
  Posts
  370
  Views

  

  Ah, OK. The internal layout is described here: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html
• R

  Dual WAN Setup on XG-7100
  • ragnarXYZ  

  35
  0
  Votes
  35
  Posts
  1543
  Views

  

  That's a problem. The VLAN interface inherits it's MAC address from the parent interface and all those VLANs are on the same parent, lagg0. It's possible to separate the lagg interface and usr the two ix NICs are parent to give two MAC addresses. It's a horrible hack but you may be able to create a single interface bridge where you can spoof the MAC to give 3 total. Really though you should have the expansion card to use 4 discrete NICs for that. Steve