@atteast If you're running WAN with IPv6 and/or have Bogons enabled to block on WAN, the next Bogon List Update (bogonsv6) will probably too large and crash those 200.000 entries. For a clean reload of rules etc. the table needs a size of double the count of entries and with bogonsv6 we are already near/around 100k entries. So that's why you can see the GIT commit to change the default from 200k to 400k in future releases :) But yeah, that's not device specific, all our devices/customers ran into that issue in early May.

edit: my bad, I read 200k, not 2M as you wrote. That of course is more then enough :)

I have a sg4860 and do not have a gig internet to test with... It doesn't even break a sweat in handling my 500/50 connection. I always see 500+ down..

Your bios is bit dated - I would update that.

mine
Vendor: coreboot
Version: ADI_RCCVE-01.00.00.17-nodebug
Release Date: Mon Sep 18 2017

You could try to disable PTI, I don't think it's hit would be that drastic.. But you could try turn it off.

How exactly are you testing your speed?
speedtest

My buddy has sg4860 as well, and he see's 900's on his ATT fiber connection without any issues.

Hi

Please raise a ticket at go.netgate.com so we can help troubleshoot this with you.

Thank you,

-James

Have gone through those steps to disable IPv6, no change in speeds.

And correct, this is just a direct connection to my ISP, no VPN connections.

Yup :)

Several posts with each restricted to a very specific issue is fine IMO. Often easier to diagnose issues like that. Long rambling posts encompassing numerous issues can be hard to follow but do sometimes allow a better overall picture of the issues.

If you're not using those 10GbE ports for anything else eight now I'd pick up a direct attach cable and use that to the switch. Assuming they are physically local. Better total throughput in almost any situation. Only drawback there is no failover if that one connection does fail but there are multiple other single points of failure so it's not really an increased risk.

Steve

Thank you I received a new message form netgate support since i created this topic. I will send the unit to Austin for replacement.

@stephenw10:

What firewall rules do you have on OPT1?

That's pretty much the only thing that might prevent it.

Steve

Yes that was the issue.  Can access GUI from OPT1 now.  Next step is figuring out how to assign a vlan to physical ports on the box.

Hi, i have the exatly same problem at the moment.

I'm switching from a homebuilt (not by me) machine with 2 interfaces (WAN and LAN) to a brand new XG-7100.
I tried to restore, but i can only choose between ix0, ix1, ix2, ix3 and ovpns1, none of these are my ETH ports.

Is it enough to replace the data in the interfaces section, in the backup file, with the data from the interfaces section from the new firewall?

Here are the sections from backup files:

Old firewall:

<interfaces>- <wan><enable><if>em0</if>
<blockpriv><blockbogons>-
<alias-address><alias-subnet>32</alias-subnet>
<spoofmac><ipaddr>dhcp</ipaddr>
<dhcphostname><dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
<adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path><ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-duid><dhcp6-ia-pd-len>0</dhcp6-ia-pd-len></dhcp6-duid></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></dhcphostname></spoofmac></alias-address></blockbogons></blockpriv></enable></wan> <lan><enable><if>em1</if>

<ipaddr>192.168.200.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac></enable></lan></interfaces>

New firewall: (XG-7100)

<interfaces>- <wan><enable><if>lagg0.4090</if>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<gateway><blockpriv>on</blockpriv>
<blockbogons>on</blockbogons>
<media><mediaopt><dhcp6-duid><dhcp6-ia-pd-len>0</dhcp6-ia-pd-len></dhcp6-duid></mediaopt></media></gateway></enable></wan> <lan><enable><if>lagg0.4091</if>
<ipaddr>192.168.200.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media><mediaopt><track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id></mediaopt></media></enable></lan> <opt1><if>ix0</if>
-</opt1> <opt2><if>ix1</if>
-</opt2></interfaces>

If it hangs at:

iPXE (http://ipxe.org) 06:00.1 C200 PCI2.10 PnP PMM 7F67E150 7F5DE150 C200 Press ESC for boot menu. Booting from Hard Disk... harddrive_index=0 /

Then you probably have a console speed set in the config you imported that isn't 115200bps. You can check the config file directly or try some likely suspects like 9600 or 38400.

Steve

Using dynamic VLANs will require all of those VLANs to be tagged and configured to pfSense.

But if that is the case it is likely just a matter of getting the correct RADIUS Reply Attributes from the RADIUS server to the AP and/or Controller software. (not sure what is actually talking to the RADIUS server on the UBNT gear)

On an SG-8860 you need the image with ADI in the name to get the correct console output if you restore it.

No menu at the console can be a symptom of filesystem damage where the /etc/ttys file affected. You can try booting to single user mode and manually running fsck a number of times but unless you have good reason not to I recommend re-installing.

If you bought that device from us please open a support ticket and we can help you with that: https://go.netgate.com

Steve

Bingo! That what I did yesterday. I added the XML elements that did not exist on white box hardware, replaced the <interfaces>element, and added the <switches>element as it did not exist in my CE config.

It was kind of a time-consuming pain, but I got it to work.</switches></interfaces>

It depends on whether it is in port or dot1q mode.

You can make what amount to "independent" switches with VLAN groups in port mode. But you probably don't want to put more than one group on port 5 if you intend them to be different broadcast domains.

You can also make a poor-man's port isolation in a single broadcast domain using something like the attached. In that config all four ports communicate with the "trunk" back to the layer 3 interface in the firewall but do not communicate with each other.

In dot1q mode each "group" is the collection of ports that have that VLAN tagged or untagged.

0_1530386330098_Screen Shot 2018-04-03 at 10.08.33 PM.png

Thank you jahonix and Derelict! I'll purchase and use a cable tester as my next step. I'll reply with my results, likely next week.

Ken

Answered my own question.  I was able to obtain closer to 10GBit speeds using jumbo frames:

[2.4.3-RELEASE][root@pfSense.localdomain]/root: ifconfig ix1.7 ix1.7: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 9000         options=600703 <rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6>ether 00:08:a2:0d:65:f6         inet 10.1.7.8 netmask 0xffffff00 broadcast 10.1.7.255         inet6 fe80::208:a2ff:fe0d:65f6%ix1.7 prefixlen 64 scopeid 0x14         nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (10Gbase-Twinax <full-duplex,rxpause,txpause>)         status: active         vlan: 7 vlanpcp: 0 parent interface: ix1         groups: vlan</full-duplex,rxpause,txpause></performnud,auto_linklocal></rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6></up,broadcast,running,simplex,multicast> [2.4.3-RELEASE][root@pfSense.localdomain]/root: iperf -s -B 10.1.7.8 ------------------------------------------------------------ Server listening on TCP port 5001 Binding to local address 10.1.7.8 TCP window size: 4.00 MByte (default) ------------------------------------------------------------ [  4] local 10.1.7.8 port 5001 connected with 10.1.7.6 port 56306 [ ID] Interval      Transfer    Bandwidth [  4]  0.0-10.0 sec  9.47 GBytes  8.13 Gbits/sec

@jahonix

Follow the link and you will see the Pelican case the customer wanted..

An yes I did Ask –

@ivor

I will be watching here and in the store..

Please contact our support so they can have a look. https://go.netgate.com/support/login