@luketa said in SG3100 limitations:

@stephenw10
tried everything to work snort, it really won't.

I installed Suricata and it's running 100% on version 21.05

thank you all.

Glad Suricata is working well for you. The Snort problem is a tough one to solve. Understanding the root cause of the error requires being skilled in the art of assembly language level programming in the ARM CPUs. It has to do with the specific CPU opcodes the compiler chooses to employ when converting certain memory operations coded in C into the binary CPU opcode equivalents.

@gabacho4 said in 21.05 update bricked my 5100:

I didn’t think you could update from 2.4.5 to 21.05

It's fine skipping, I've done it many times including 2.4.5 to 21.05. There is a doc page for that.

@nomadmd Did you find the troubleshooting docs including the /conf/upgrade_log.latest.txt file?

There's no support plan needed to open a ticket to get the 21.05 installer file.

@esogas said in gs348t static IP - no admin page:

o you know why this is and how I can work around it? Steps to reproduce:

Hi,

This is more of a Netgear issue, not pfSense the NGFW DHCP static mapping has nothing to do with it...

I have used thousands of switches with pfS and never experienced this...

BTW (f.e.: as here):
log into the Netgear web interface and enter a fixed MGMT IP - and see what happens this way...

87b68252-4e54-42b7-879c-eb9ef6b96309-image.png

@nick-loenders
I've never worked with a model with the switchport setup. There's a note in the manual about CARP limitations due to the switchport not going down. Do you have the expansion riser? I'd get a couple of quad port intel cards and use those ports.

So, quick update. It turned out that the user menu was appearing. But it was among a lot of garbled characters. And it wasn't pausing for a response. So I tried frantically pressing '2' when I got to that part of the reboot and finally got the prompt I needed to get a shell and run fsck (several times). That sorted the problem.

However, in the meantime I'd opened a ticket with Netgate. I got a response within minutes and soon had a link to download the firmware, which I did as a backup. I mention this just to say that I'm very impressed with Netgate's support.

No problem. It made sense to continue the discussion there. I got the problem sorted in the end. I'll post what happened over there.

Okay the system time/date was totally wrong. :|

I was able to spot it with openssl s_client -connect files01.netgate.com:443 which gave me verify error:num=9:certificate is not yet valid.

Indeed the system date/time was set in 2017.

Looks like it's caused by dns resolution not working hence ntpd failing to sync time since update :(

I really wish I could edit the old posts.

Just wanted to give an update. We have come up with our work around. Not sure it is the proper or most clean way to make this work. But we have gotten the desired outcome.

Rather than a direct link between the router and paired firewall we added a vlan to the existing ixl0 on the router for firewall communication and then plugged the firewall ix0 into an aggregate switch port on that vlan. Now if either router, firewall, or aggregate switch fail the backup(s) kick on depending the need.. Thank you to anyone who may have read this and was thinking of a solution yet had not posted. Did not want to leave anyone else hanging. I'll keep this up in case someone else shares our mistaken design ideas. :P!

Network Plan.png

Yes, try Suricata instead.

Although it may be affected by the same issue I've yet to see it if so. I have had Suricata running on an SG-3100 for some time without issue.

Steve

@ashlm Following on...
top -aSH shows mvnet02 (WAN) hitting over 98% utilisation of CPU core, bufferbloat kicks in after around 30 seconds of load and packets start being dropped. 665Mb peak downloading a Steam game (interface dropped completely and failed over once during 5 minutes download).

You should be able to re-install clean if you can access uboot still.
Open a ticket with us to get the recovery image if you haven't already:
https://go.netgate.com/

Steve

As @stephenw10 mentioned, we now have a native builder for armv7 packages and it was the first step.

Now in order to make Telegraf available we need to have some fixes committed to FreeBSD to make golang to work as expected on arm32 jails running on aarch64 hosts and after it happens we will be able to enable Telegraf building.

You can follow needed changes being reviewed at https://reviews.freebsd.org/D31175

@mackeyuk

I don't like following directions. Maybe this will help

bridge.PNG
interfaces.PNG
sg.PNG

There should be no problem importing the full config there beyond the expected complication of the switch config. Certs, users etc will all import.
If you're having any issue with that please open a ticket with us: https://go.netgate.com/
We can convert your existing config so it imports directly.

Steve

@stephenw10 no m.2/eMMC option when showing available boot devices. I opened a ticket.

Thanks

Ok, then you can configure them however you want. Whatever is more convenient for what you're trying to connect.

You can configure two of the switch ports as a load-balance type LAGG, yes.

Just edit the lagg number on the ports tab. For example:
Screenshot from 2021-07-19 11-42-45.png

It can only use LAGG type load-balance though, it doesn't support LACP.

Steve

The 6100 does not have any DIMM slots. the 8GB RAM is all on-board so it's not expandable.

Steve

If you have more than one gateway defined make sure the default gateway is set to the specific gateway in question. If it's still set to automatic in System > Routing > Gateways it's probably switching to the other gateway and not switching back.

Steve

@noexit said in Which Netgate to get?:

My current router is an old Dell Dimension E310 PC (Intel(R) Pentium(R) 4 CPU 2.80GHz) with 1GB of RAM and 1000baseT 3com NICs running pfSense 2.3.4.

Gah!
Yeah, that's an actual P4, 32bit only, so upgrade time for sure!

The SG-2100 would be fine for those speeds and, as mentioned, the 4GB RAM leaves plenty of headroom for Snort, ntopng etc.
It won't pass full Gigabit line rate though if that's likely to be something you need anytime soon.

Steve

So you just see no available configs to export? No users listed?

Did you create user certs against the new CA?

Steve

Beyond the switch config detailed here you only need to create the VLAN interfaces on mvneta1 and apply firewall rules as required.
Are you seeing any particular problem?

Steve

@bkseitz 2.5.2 is the numbering used for Community Edition (CE). Since you have a Netgate appliance, you are being migrated to pfSense Plus which is currently at 21.05. Plus is the same as CE with a few minor additions.

Announcing pfSense Plus

I swapped cables, swapped the firewall for a white box pfSense, swapped the firewall with a UniFi USG, placed a switch in between the firewall and the ISP, and the interface was still flapping. The ISP is a WISP. They supposedly swapped out the radio on top of the roof, but it was still flapping. I wanted them to replace the cable and the PoE injector, but they didn't. We ended up hard setting the speed/duplex to 100 FDX and the connection is better, but still not perfect. The customer is going to be changing ISPs.

EDIT: Managed to solve this via Support. Needed to reinstall PFSense via the 'run recovery' command. Hit a snag with one of my USB drives, but the 'reset usb' command (x3) , as well as a different drive fixed the issue.

Great, and super timely support from Netgate!

We have now had our 4th one fail. Worst power supply on planet earth.

@truckin

You can only assign interfaces to a LAGG that are not already assigned somewhere else.

Add them to the LAGG and then assign the LAGG as an interface itself.

In fact you should be able to assign the LAGG with only the one interface assigned to it to free up the other if needed.

Go here and create a ticket: https://go.netgate.com/. You can use the Sign-Up link under "Your Tickets" to create an account if you don't already have one. There is no charge for providing a Netgate appliance image. You will need to have, and provide, the Netgate ID and Serial Number of your appliance, though.

@jimp It's a netgate (Super Micro C2758), probably 4-5 years old? We are ordering a new (7100?) pair to replace these, but I was hoping to check which hardware fault it might be.

I can't reproduce any problem like that here, where I could easily reproduce the error before.

If you haven't yet, after you have updated miniupnpd manually as described above, reboot the router to ensure the correct copy is the only one being used.

It's also possible there is a lot of local traffic hitting UPnP/NAT-PMP and it's just busy at the time you noticed it.

Hmm, OK. Well glad you were able to connect.

The putty interface can be confusing at times. It's all too easy to think you're opening a serial connection when in fact it's just showing you the serial settings and the session is still set as SSH.

Steve

It probably is fixed by https://redmine.pfsense.org/issues/11748 which means it would be OK on the latest version of pfSense Plus on the 3100. Is it running 21.05 or something older?

@gertjan I have not tried this as the eMMC is not even supposed to be in-use. I'll have to schedule time for a reboot + check. Even though the log is being spammed with errors, the SG-5100 is working and many people need the VPN gateway to work remotely