Thank you I received a new message form netgate support since i created this topic. I will send the unit to Austin for replacement.

@stephenw10: What firewall rules do you have on OPT1? That's pretty much the only thing that might prevent it. Steve Yes that was the issue.  Can access GUI from OPT1 now.  Next step is figuring out how to assign a vlan to physical ports on the box.

Hi, i have the exatly same problem at the moment. I'm switching from a homebuilt (not by me) machine with 2 interfaces (WAN and LAN) to a brand new XG-7100. I tried to restore, but i can only choose between ix0, ix1, ix2, ix3 and ovpns1, none of these are my ETH ports. Is it enough to replace the data in the interfaces section, in the backup file, with the data from the interfaces section from the new firewall? Here are the sections from backup files: Old firewall: <interfaces>- <wan><enable><if>em0</if> <blockpriv><blockbogons>- <alias-address><alias-subnet>32</alias-subnet> <spoofmac><ipaddr>dhcp</ipaddr> <dhcphostname><dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values> <adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path><ipaddrv6>dhcp6</ipaddrv6> <dhcp6-duid><dhcp6-ia-pd-len>0</dhcp6-ia-pd-len></dhcp6-duid></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></dhcphostname></spoofmac></alias-address></blockbogons></blockpriv></enable></wan> <lan><enable><if>em1</if> <ipaddr>192.168.200.1</ipaddr> <subnet>24</subnet> <spoofmac></spoofmac></enable></lan></interfaces> New firewall: (XG-7100) <interfaces>- <wan><enable><if>lagg0.4090</if> <ipaddr>dhcp</ipaddr> <ipaddrv6>dhcp6</ipaddrv6> <gateway><blockpriv>on</blockpriv> <blockbogons>on</blockbogons> <media><mediaopt><dhcp6-duid><dhcp6-ia-pd-len>0</dhcp6-ia-pd-len></dhcp6-duid></mediaopt></media></gateway></enable></wan> <lan><enable><if>lagg0.4091</if> <ipaddr>192.168.200.1</ipaddr> <subnet>24</subnet> <ipaddrv6>track6</ipaddrv6> <subnetv6>64</subnetv6> <media><mediaopt><track6-interface>wan</track6-interface> <track6-prefix-id>0</track6-prefix-id></mediaopt></media></enable></lan> <opt1><if>ix0</if> -</opt1> <opt2><if>ix1</if> -</opt2></interfaces>

If it hangs at: iPXE (http://ipxe.org) 06:00.1 C200 PCI2.10 PnP PMM 7F67E150 7F5DE150 C200 Press ESC for boot menu. Booting from Hard Disk... harddrive_index=0 / Then you probably have a console speed set in the config you imported that isn't 115200bps. You can check the config file directly or try some likely suspects like 9600 or 38400. Steve

Using dynamic VLANs will require all of those VLANs to be tagged and configured to pfSense. But if that is the case it is likely just a matter of getting the correct RADIUS Reply Attributes from the RADIUS server to the AP and/or Controller software. (not sure what is actually talking to the RADIUS server on the UBNT gear)

On an SG-8860 you need the image with ADI in the name to get the correct console output if you restore it. No menu at the console can be a symptom of filesystem damage where the /etc/ttys file affected. You can try booting to single user mode and manually running fsck a number of times but unless you have good reason not to I recommend re-installing. If you bought that device from us please open a support ticket and we can help you with that: https://go.netgate.com Steve

Bingo! That what I did yesterday. I added the XML elements that did not exist on white box hardware, replaced the <interfaces>element, and added the <switches>element as it did not exist in my CE config. It was kind of a time-consuming pain, but I got it to work.</switches></interfaces>

It depends on whether it is in port or dot1q mode. You can make what amount to "independent" switches with VLAN groups in port mode. But you probably don't want to put more than one group on port 5 if you intend them to be different broadcast domains. You can also make a poor-man's port isolation in a single broadcast domain using something like the attached. In that config all four ports communicate with the "trunk" back to the layer 3 interface in the firewall but do not communicate with each other. In dot1q mode each "group" is the collection of ports that have that VLAN tagged or untagged. [image: 1530386325909-screen-shot-2018-04-03-at-10.08.33-pm-resized.png]

Thank you jahonix and Derelict! I'll purchase and use a cable tester as my next step. I'll reply with my results, likely next week. Ken

Answered my own question.  I was able to obtain closer to 10GBit speeds using jumbo frames: [2.4.3-RELEASE][root@pfSense.localdomain]/root: ifconfig ix1.7 ix1.7: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 9000         options=600703 <rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6>ether 00:08:a2:0d:65:f6         inet 10.1.7.8 netmask 0xffffff00 broadcast 10.1.7.255         inet6 fe80::208:a2ff:fe0d:65f6%ix1.7 prefixlen 64 scopeid 0x14         nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (10Gbase-Twinax <full-duplex,rxpause,txpause>)         status: active         vlan: 7 vlanpcp: 0 parent interface: ix1         groups: vlan</full-duplex,rxpause,txpause></performnud,auto_linklocal></rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6></up,broadcast,running,simplex,multicast> [2.4.3-RELEASE][root@pfSense.localdomain]/root: iperf -s -B 10.1.7.8 ------------------------------------------------------------ Server listening on TCP port 5001 Binding to local address 10.1.7.8 TCP window size: 4.00 MByte (default) ------------------------------------------------------------ [  4] local 10.1.7.8 port 5001 connected with 10.1.7.6 port 56306 [ ID] Interval      Transfer    Bandwidth [  4]  0.0-10.0 sec  9.47 GBytes  8.13 Gbits/sec

@jahonix Follow the link and you will see the Pelican case the customer wanted.. An yes I did Ask – @ivor I will be watching here and in the store..

Please contact our support so they can have a look. https://go.netgate.com/support/login

Just realized that the NAT forwarding rules may not make a difference as I have them set to OPT1 and I have ETH8 assigned to OPT3.

Nice to hear, thank you for your reply :)

The point is to delivered the required security level to our cistomers.

1. Turn on SG1000 2. Connect to computer, get DHCP address automatically 3. Open browser, browse to the Gateway/DHCP server address that you're given via DHCP 4. Defaults credentials are … pfsense/pfsense ... I think. Now you can log in and play. Connect the WAN port to the Internet (aka unsecured upstream network) in whatever way you need (you may need to configure the WAN port for this). Now you should be able to browse the Internet.

Thanks everyone for the replies. I ended up attempting to connect to the SG-1000 via PuTTY from a Windows VM on my Mac. Worked on the first try! :) After that I was able to do the reset/restore from the microSD card. Back in action! (Now I'm really regretting not keeping a backup of my pfSense settings ;) )