• SG-1100 will not start

    Moved
    2
    0 Votes
    2 Posts
    396 Views
    stephenw10S
    The fastest way back from there is to reinstall 23.09 clean. Open a ticket to get the recovery image: https://www.netgate.com/tac-support-request Steve
  • mSATA drive for SG-4860: a recommended upgrade?

    4
    0 Votes
    4 Posts
    473 Views
    stephenw10S
    I expect any of those would work but pfSense doesn't need anything like that size and smaller drives have seen more testing.
  • SG-4860 crashed... how do I recover from a ZFS snapshot?

    2
    0 Votes
    2 Posts
    365 Views
    stephenw10S
    If you have a backup config I would just re-install to 23.09 clean and restore it. It's failing to find even the FreeBSD loader there which implies some catastrophic filesystem damage. It could be a failed or failing eMMC in a 4860 that will be of some age at this point. Steve
  • NetGate 4100 + No IPv6 on WAN :(

    14
    0 Votes
    14 Posts
    1k Views
    bmeeksB
    @FreeYourMind said in NetGate 4100 + No IPv6 on WAN :(:

    @bmeeks thank you bmeeks, for giving a bit more background information about this. But let's stick with your example for a moment and let's say the VPN is not running behind your pfsense, but instead running on the firewall itself, which is a common configuration, right? So let's assume I wanna connect with my remote laptop to OpenVPN running on pfsense, how would I do that, if we stick with the example you were talking about? I might overlook something but I obviously can't connect to the CGNAT IPv4 from the outside and given the fact that WAN doesn't have its own IPv6 address, I can't do that either. So instead of binding OpenVPN to my WAN address which is usually something you would do with NAT in IPv4, you would now just bind OpenVPN to one of your lan interfaces instead?

    "Yes" is the short answer as @stephenw10 has already described. Your "destination address" for the outside client attempting to connect back in would be the LAN interface's IPv6 address on your firewall. But you would still need the correct rules on your WAN to allow that traffic to pass through, because it will be coming in from your default gateway's link-local IPv6 address to the link-local IPv6 address on your WAN interface. Your WAN link-local address is just a "transit network" between your delegated /56 prefix and the ISP's network core.
  • Need advice on hardware that will support 1GB fiber full duplex

    15
    0 Votes
    15 Posts
    1k Views
    F
    @dennypage Nice speeds. I'm hoping fiber will give me 1GB up and Down
  • SG3100 keeps locking up after latest update

    74
    0 Votes
    74 Posts
    16k Views
    S
    @stephenw10 said in SG3100 keeps locking up after latest update:

    never been anything logged for devices hitting this

    That doesn't surprise me, we see it every 3-6 months or so across multiple clients. So even if one person noticed it might happen every 12-36 months and they just assume a power outage and move on. It didn't really dawn on me to connect them all until this thread. And that's assuming they're connected and not power related etc. Partners might notice but I'd think not all partners are MSPs and closely monitor sold devices. This one does not have a RAM disk though and I see nothing about the hardware watchdog logged there. Upon reflection, I am not sure any have occurred during the workday. Possibly just coincidence. Haven't been tracking them. I think I have successfully hijacked the thread, sorry.
  • Upgrading older SG-2100 to current version

    5
    0 Votes
    5 Posts
    684 Views
    stephenw10S
    It will save the package config but not the packages themselves. When you restore the config into the new version it will try to reinstall any packages and apply the config to them.
  • 4100MAX encryption selection

    3
    0 Votes
    3 Posts
    451 Views
    T
    @RobbieTT Thanks for your input. I'll leave it as is then (QAT Crypto enabled, others disabled). Ted
  • Netgate hardware

    15
    0 Votes
    15 Posts
    2k Views
    bmeeksB
    @chrysmon said in Netgate hardware:

    @bmeeks Yes, The last log entry in the STATUS > SYSTEM LOGS is:

    suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1.

    This is from the suricata.log:

    [107176 - Suricata-Main] 2023-11-25 12:48:26 Notice: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: cpu: CPUs/cores online: 12
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: suricata: Setting engine mode to IDS mode by default
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: app-layer-htp-mem: HTTP memcap: 671088640
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: alert-pf output device (regular) initialized: block.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_5401_igb0/passlist.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_5401_igb0/passlist processed: Total entries parsed: 20, IP addresses/netblocks/aliases added to No Block list: 18, IP addresses/netblocks ignored because they were covered by existing entries: 2.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=src kill-state=yes block-drops-only=yes passlist-debugging=no
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: fast output device (regular) initialized: alerts.log
    [209444 - ] 2023-11-25 12:48:26 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: http-log output device (regular) initialized: http.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: stats output device (regular) initialized: stats.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-syslog: Syslog output initialized
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: eve-log output device (regular) initialized: eve.json
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Warning: output-json-alert: HTTP body logging has been configured, however, metadata logging has not been enabled. HTTP body logging will be disabled.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: output-json-email-common: Going to log the md5 sum of email subject
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 2 rule files processed. 44008 rules successfully loaded, 0 rules failed
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: threshold-config: Threshold config parsed: 0 rule(s) found
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 44017 signatures processed. 1282 are IP-only rules, 6728 are inspecting packet payload, 35719 inspect application layer, 109 are decoder event only
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'is_ssh_client_kex' is checked but not set. Checked in 2001977 and 1 other sigs
    [100456 - Suricata-Main] 2023-11-25 12:49:09 Info: runmodes: Using 1 live device(s).
    [209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
    [209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: snaplen set to 14180
    [100456 - Suricata-Main] 2023-11-25 12:49:10 Notice: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
    [209486 - RX#01-igb0] 2023-11-25 12:49:14 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
    [209498 - W#12] 2023-11-25 20:21:08 Error: spm-hs: Hyperscan returned fatal error -1.

    I'm running Suricata only on the WAN interface, in IPS Mode (Legacy), the Pattern Matcher Algorithm set to Auto. Do you need any other information about configuration? Maybe the part from the backup file?

    No, this is obviously the HyperScan issue described in the thread I linked. It's right here in the log:

    suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1.

    But I was wanting information about this bug posted in the other thread I linked so that there aren't half a dozen other threads scattered around the forum about the same issue. It makes it hard for me to track who has what problem and what shared information they might have if there are lots of different threads all about the same basic issue. Much easier to keep track when all the comments and reports about a given issue are in the same thread. Please post anything else you have about this issue in the thread I linked earlier. Here is the direct link again: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem.
  • 6100 recommended setting "network interfaces" and tunables

    5
    1 Votes
    5 Posts
    1k Views
    stephenw10S
    LRO and TSO should work fine with the NICs in the 6100. But they are disabled by default so far less tested. If there is a bug there it may not have been discovered because the vast majority of users are not running that. So for stability I would leave them disabled. Also the performance benefits they bring to a router are pretty minimal. Steve
  • Netgate 8200

    2
    0 Votes
    2 Posts
    462 Views
    stephenw10S
    Yes, the ports can be assigned and used however you wish. They are just labelled WANx LANx on the enclosure. Steve
  • NetGate SG-1100 post firmware update issues

    2
    0 Votes
    2 Posts
    502 Views
    M
    It's likely that something went wrong during the upgrade (e.g. ran out of memory/storage space). Open a ticket with TAC and they'll help get it running again: https://www.netgate.com/tac-support-request
  • Anyone Else Having the SG1100's Drive Fail on Heavy Remote WireGuard Use

    6
    0 Votes
    6 Posts
    698 Views
    S
    UPDATE: Well, it looks like this issue is the ISP's (Optimum internet of California) fault. The signal sending from the modem wasn't strong enough to send more than a few KB back per minute. The issue is completely on their system's end, as we are using a brand new DOCSIS 3.1 Netgear modem.
  • presale question and a rant….

    3
    0 Votes
    3 Posts
    584 Views
    JonathanLeeJ
    @dch22023 I used to get denial of service attacks non-stop at home due to what I did for work. I couldn't even watch a streaming video. That on top of working 16s in Chicago would drive me bonkers. Fast forward to today, I have a SG2100 and I never have issues anymore; the firewall takes care of all of it. I run mine on a DSL line; it's fine for what I need.
  • Disabling internal storage on Netgate SG-2220

    Moved
    3
    0 Votes
    3 Posts
    542 Views
    G
    @admin please move thread to official hardware board.
  • XG-7100 - port problems

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10S
    Yup the switch support is only in Plus. Install 23.09 clean and you should be good to go. Steve
  • XG-1541 dead after 12 Months

    2
    0 Votes
    2 Posts
    269 Views
    M
    All Netgate appliances come with at least a basic level of support. Open a ticket with TAC and they'll be able to help get it running again: https://www.netgate.com/tac-support-request
  • 0 Votes
    6 Posts
    902 Views
    S
    @stephenw10 Got it, saving all this this time, so I stop asking and can keep them straight. :) We'll have several client 3100s to move to 2100s or 4100s.
  • eMMC Disk about to fail?

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S
    You can still reinstall to the eMMC if you needed to. When you run 'usbrecovery' it erases the eMMC to prevent the filesystem conflicting with the new install. It is possible to install to the eMMC if, for example, you use UFS there to prevent a conflict. But you would need to override the boot device in uboot to boot it. Steve
  • Netgate 6100 crash report

    15
    0 Votes
    15 Posts
    2k Views
    F
    @stephenw10 It didn't take long for sure. Thank you to everyone here who assisted. I GREATLY appreciate it. I downloaded the image, followed the instructions (there were some subtle differences), but ultimately it worked. The Netgate has been swapped back over as of yesterday morning and working flawlessly. I appreciate everyone's help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.