You can reinstall from the Marvell prompt:
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/reinstall-pfsense.html

Open a ticket with us to get the recovery image:
https://www.netgate.com/tac-support-request

@stephenw10 thanks

@stephenw10
Let me look into this weekend. I won't have access to the server site until Sunday. Thank you for your attention on this; hopefully can help someone with similar issue who needs more from the 6100 in openvpn.

@Uglybrian Thanks. Yeah that list just consolidates other lists without editing, but that's disappointing. There are a few Closed issues on the Github site for specific IPs but "all of Squarespace" is a pretty big target.

@stephenw10 said in SG-2100 Wish list : sim card slot:

It's hard for us to carry something like that as there are a lot of variants required for different markets and low demand

May be a variant to say this is SG-2100+ with eSim or Sim Card for US market with extra cost? I am sure people like me will be willing to pay the extra money for this functionality

@furom Mine is reporting Life Time Estimation status of 0x0b - the highest.

Could explain issues like DHCP stopping, unable to access web portal, etc. Also does not always boot, jut sits thee with 3 flashing lights,

So thanks for all this, ordering an M.2 drive and the firmware to attempt the reinstall onto an M.2

No it's a bug in flashrom in 23.09(.1).
https://redmine.pfsense.org/issues/11970#note-5

Until that is fixed you would need to temporarily install 23.05.1 to update Coreboot.

You probably don't need to update Coreboot though.

Steve

Either should work fine. It would really only depend on what's more convenient for physically connecting it.

Steve

@aszajlai - I have now been running this for two weeks with zero problems... Below are the stats, etc. Thank you everyone for this thread, now time for upgrading the other one that is no longer supported...

MTU:1500
Media: 10Gbase-SR <full-duplex,rxpause,txpause>
Plugged: SFP/SFP+/SFP28 10G Base-SR (LC)
Vendor:Ubiquiti Inc. PN: OM-MM-10G-D DATE: 2023-07-01
In/out packets: 22331704/27007819 (9.05 GiB/11.63 GiB)
In/out packets (pass): 22331704/27007819 (9.05 GiB/11.63 GiB)
In/out packets (block): 93141/0 (8.54 MiB/0 B)
In/out errors: 0/0
Collisions: 0
Interrupts: 44672451 (42/s)

@Gertjan Yes, the correct img has been supplied by support. My problem trying to assign interfaces from the console was that no matter which option I chose from the menu, it would cycle through the "fatal error" above and return to the menu. I'll try to use the USB boot and report back (I have already downloaded the img and checked the sha256).

Edit: Took me a couple of usb resets but issue has been resolved. Thanks.

The fastest way back from there is to reinstall 23.09 clean. Open a ticket to get the recovery image:
https://www.netgate.com/tac-support-request

Steve

I expect any of those would work but pfSense doesn't need anything like that size and smaller drives have seen more testing.

If you have a backup config I would just re-install to 23.09 clean and restore it. It's failing to find even the FreeBSD loader there which implies some catastrophic filesystem damage.

It could be a failed or failing eMMC in a 4860 that will be of some age at this point.

Steve

@FreeYourMind said in NetGate 4100 + No IPv6 on WAN :(:

@bmeeks

thanks you bmeeks, for giving a bit more background information about this.
But lets stick with your example for a moment and lets say the VPN is not running behind your pfsense, but instead running on the firewall itself, which is a common configuration, right?

So lets assume i wanna connect with my remote laptop to OpenVPN running on pfsense, how would i do that, if we stick with the example you were talking about? I might overlook something but i obviously can't connect to the CGNAT IPv4 from the outside and given the fact that WAN doesn't have its own IPv6 address, i can't do that either.

So instead of binding OpenVPN to my WAN address which is usually something you would do with NAT in IPv4, you would now just bind OpenVPN to one of your lan interfaces instead?

"Yes" is the short answer as @stephenw10 has already described. Your "destination address" for the outside client attempting to connect back in would be the LAN interface's IPv6 address on your firewall. But you would still need the correct rules on your WAN to allow that traffic to pass through, because it will be coming in from your default gateway's link-local IPv6 address to the link-local IPv6 address on your WAN interface. Your WAN link-local address is just a "transit network" between your delegated /56 prefix and the ISP's network core.

@dennypage Nice speeds. I'm hoping fiber will give me 1GB up and Down

@stephenw10 said in SG3100 keeps locking up after latest update:

never been anything logged for devices hitting this

That doesn't surprise me, we see it every 3-6 months or so across multiple clients. So even if one person noticed it might happen every 12-36 months and they just assume a power outage and move on. It didn't really dawn on me to connect them all until this thread. And that's assuming they're connected and not power related etc. Partners might notice but I'd think not all partners are MSPs and closely monitor sold devices.

This one does not have a RAM disk though and I see nothing about the hardware watchdog logged there.

Upon reflection, I am not sure any have occurred during the workday. Possibly just coincidence. Haven't been tracking them.

I think I have successfully hijacked the thread, sorry.

It will save the package config but not the packages themselves. When you restore the config into the new version it will try to reinstall and packages and apply the config to them.

@RobbieTT Thanks for your input. I'll leave it as is then (QAT Crypto enabled, others disabled).

Ted

@chrysmon said in Netgate hardware:

@bmeeks Yes, The last log entry in the STATUS > SYSTEM LOGS is:

suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1.

This is from the suricata.log:

[107176 - Suricata-Main] 2023-11-25 12:48:26 Notice: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
[107176 - Suricata-Main] 2023-11-25 12:48:26 Info: cpu: CPUs/cores online: 12
[107176 - Suricata-Main] 2023-11-25 12:48:26 Info: suricata: Setting engine mode to IDS mode by default
[107176 - Suricata-Main] 2023-11-25 12:48:26 Info: app-layer-htp-mem: HTTP memcap: 671088640
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_5401_igb0/passlist.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_5401_igb0/passlist processed: Total entries parsed: 20, IP addresses/netblocks/aliases added to No Block list: 18, IP addresses/netblocks ignored because they were covered by existing entries: 2.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=src kill-state=yes block-drops-only=yes passlist-debugging=no
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: fast output device (regular) initialized: alerts.log
[209444 - ] 2023-11-25 12:48:26 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: http-log output device (regular) initialized: http.log
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: stats output device (regular) initialized: stats.log
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-syslog: Syslog output initialized
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[100456 - Suricata-Main] 2023-11-25 12:48:26 Warning: output-json-alert: HTTP body logging has been configured, however, metadata logging has not been enabled. HTTP body logging will be disabled.
[100456 - Suricata-Main] 2023-11-25 12:48:26 Info: output-json-email-common: Going to log the md5 sum of email subject
[100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 2 rule files processed. 44008 rules successfully loaded, 0 rules failed
[100456 - Suricata-Main] 2023-11-25 12:48:43 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 44017 signatures processed. 1282 are IP-only rules, 6728 are inspecting packet payload, 35719 inspect application layer, 109 are decoder event only
[100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs
[100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'is_ssh_client_kex' is checked but not set. Checked in 2001977 and 1 other sigs
[100456 - Suricata-Main] 2023-11-25 12:49:09 Info: runmodes: Using 1 live device(s).
[209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: snaplen set to 14180
[100456 - Suricata-Main] 2023-11-25 12:49:10 Notice: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
[209486 - RX#01-igb0] 2023-11-25 12:49:14 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[209498 - W#12] 2023-11-25 20:21:08 Error: spm-hs: Hyperscan returned fatal error -1.

I'm running Suricata only on the WAN interface, in IPS Mode (Legacy), the Pattern Matcher Algorithm set to Auto. Do you need any other information about configuration? Maybe the part from the backup file?

No, this is obviously the HyperScan issue described in the thread I linked. It's right here in the log:

suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1.

But I was wanting information about this bug posted in the other thread I linked so that there aren't half a dozen other threads scattered around the forum about the same issue. It makes it hard for me to track who has what problem and what shared information they might have if there are lots of different threads all about the same basic issue. Much easier to keep track when all the comments and reports about a given issue are in the same thread.

Please post anything else you have about this issue in the thread I linked earlier. Here is the direct link again: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem.

LRO and TSO should work fine with the NICs in the 6100. But they are disabled by default so far less tested. If there is a bug there it may not have been discovered because the vast majority of users are not running that. So for stability I would leave them disabled. Also the performance benefits they bring to a router is pretty minimal.

Steve