• 4100MAX encryption selection

    3
    0 Votes
    3 Posts
    534 Views
    T
    @RobbieTT Thanks for your input. I'll leave it as is then (QAT Crypto enabled, others disabled). Ted
  • Netgate hardware

    15
    0 Votes
    15 Posts
    2k Views
    bmeeksB
    @chrysmon said in Netgate hardware:

    @bmeeks Yes, The last log entry in the STATUS > SYSTEM LOGS is: suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1. This is from the suricata.log:

    [107176 - Suricata-Main] 2023-11-25 12:48:26 Notice: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: cpu: CPUs/cores online: 12
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: suricata: Setting engine mode to IDS mode by default
    [107176 - Suricata-Main] 2023-11-25 12:48:26 Info: app-layer-htp-mem: HTTP memcap: 671088640
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: alert-pf output device (regular) initialized: block.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_5401_igb0/passlist.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_5401_igb0/passlist processed: Total entries parsed: 20, IP addresses/netblocks/aliases added to No Block list: 18, IP addresses/netblocks ignored because they were covered by existing entries: 2.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=src kill-state=yes block-drops-only=yes passlist-debugging=no
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: fast output device (regular) initialized: alerts.log
    [209444 - ] 2023-11-25 12:48:26 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: http-log output device (regular) initialized: http.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: stats output device (regular) initialized: stats.log
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: alert-syslog: Syslog output initialized
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: logopenfile: eve-log output device (regular) initialized: eve.json
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Warning: output-json-alert: HTTP body logging has been configured, however, metadata logging has not been enabled. HTTP body logging will be disabled.
    [100456 - Suricata-Main] 2023-11-25 12:48:26 Info: output-json-email-common: Going to log the md5 sum of email subject
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 2 rule files processed. 44008 rules successfully loaded, 0 rules failed
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: threshold-config: Threshold config parsed: 0 rule(s) found
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Info: detect: 44017 signatures processed. 1282 are IP-only rules, 6728 are inspecting packet payload, 35719 inspect application layer, 109 are decoder event only
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs
    [100456 - Suricata-Main] 2023-11-25 12:48:43 Warning: detect-flowbits: flowbit 'is_ssh_client_kex' is checked but not set. Checked in 2001977 and 1 other sigs
    [100456 - Suricata-Main] 2023-11-25 12:49:09 Info: runmodes: Using 1 live device(s).
    [209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
    [209486 - RX#01-igb0] 2023-11-25 12:49:09 Info: pcap: igb0: snaplen set to 14180
    [100456 - Suricata-Main] 2023-11-25 12:49:10 Notice: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
    [209486 - RX#01-igb0] 2023-11-25 12:49:14 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
    [209498 - W#12] 2023-11-25 20:21:08 Error: spm-hs: Hyperscan returned fatal error -1.

    I'm running Suricata only on the WAN interface, in IPS Mode (Legacy), the Pattern Matcher Algorithm set to Auto. Do you need any other information about configuration? Maybe the part from the backup file?

    No, this is obviously the HyperScan issue described in the thread I linked. It's right here in the log: suricata 17648 [209498] <Error> -- Hyperscan returned fatal error -1.

    But I was wanting information about this bug posted in the other thread I linked so that there aren't half a dozen other threads scattered around the forum about the same issue. It makes it hard for me to track who has what problem and what shared information they might have if there are lots of different threads all about the same basic issue. Much easier to keep track when all the comments and reports about a given issue are in the same thread.

    Please post anything else you have about this issue in the thread I linked earlier. Here is the direct link again: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem.
  • 6100 recommended setting "network interfaces" and tunables

    5
    1 Votes
    5 Posts
    1k Views
    stephenw10S
    LRO and TSO should work fine with the NICs in the 6100. But they are disabled by default so far less tested. If there is a bug there it may not have been discovered because the vast majority of users are not running that. So for stability I would leave them disabled. Also the performance benefits they bring to a router is pretty minimal. Steve
  • Netgate 8200

    2
    0 Votes
    2 Posts
    527 Views
    stephenw10S
    Yes, the ports can be assigned and used however you wish. They are just labelled WANx LANx on the enclosure. Steve
  • NetGate SG-1100 post firmware update issues

    2
    0 Votes
    2 Posts
    537 Views
    M
    It's likely that something went wrong during the upgrade (e.g. ran out of memory/storage space). Open a ticket with TAC and they'll help get it running again: https://www.netgate.com/tac-support-request
  • Anyone Else Having the SG1100's Drive Fail on Heavy Remote WireGuard Use

    6
    0 Votes
    6 Posts
    844 Views
    S
    UPDATE: Well, it looks like this issue is the ISP's (Optimum internet of California) fault. The signal sending from the modem wasn't strong enough to send more than a few KB back per minute. The issue is completely on their system's end, as we are using a brand new DOCSIS 3.1 Netgear modem.
  • presale question and a rant….

    3
    0 Votes
    3 Posts
    641 Views
    JonathanLeeJ
    @dch22023 I used to get denial of service attacks non-stop at home due to what I did for work. I couldn't even watch a streaming video. That on top of working 16s in Chicago would drive me bonkers. Fast forward to today: I have a SG2100 and I never have issues anymore; the firewall takes care of all of it. I run mine on a DSL line; it's fine for what I need.
  • Disabling internal storage on Netgate SG-2220

    Moved
    3
    0 Votes
    3 Posts
    604 Views
    G
    @admin please move thread to official hardware board.
  • XG-7100 - port problems

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10S
    Yup the switch support is only in Plus. Install 23.09 clean and you should be good to go. Steve
  • XG-1541 dead after 12 Months

    2
    0 Votes
    2 Posts
    296 Views
    M
    All Netgate appliances come with at least a basic level of support. Open a ticket with TAC and they'll be able to help get it running again: https://www.netgate.com/tac-support-request
  • 0 Votes
    6 Posts
    1k Views
    S
    @stephenw10 Got it, saving all this this time, so I stop asking and can keep them straight. :) We'll have several client 3100s to move to 2100s or 4100s.
  • eMMC Disk about to fail?

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S
    You can still reinstall to the eMMC if you needed to. When you run 'usbrecovery' it erases the eMMC to prevent the filesystem conflicting with the new install. It is possible to install to the eMMC if, for example, you use UFS there to prevent a conflict. But you would need to override the boot device in uboot to boot it. Steve
  • Netgate 6100 crash report

    15
    0 Votes
    15 Posts
    3k Views
    F
    @stephenw10 It didn't take long for sure. Thank you to everyone here who assisted. I GREATLY appreciate it. I downloaded the image, followed the instructions (there were some subtle differences), but ultimately it worked. The Netgate has been swapped back over as of yesterday morning and working flawlessly. I appreciate everyone's help.
  • A question.

    4
    0 Votes
    4 Posts
    693 Views
    stephenw10S
    What sort of m.2 slots? What do you need to use them for? What sort of throughput do you need? What is the available WAN bandwidth?
  • Netgate 8200 - Thermals

    38
    1
    0 Votes
    38 Posts
    6k Views
    keyserK
    @mer said in Netgate 8200 - Thermals:

    @tsmialek Interesting. Is that the same direction as stock? I wonder where all that exhausts. I would be inclined to "pull" air from the heat sink and make sure the intake side of equation has enough holes.

    Notice the first picture in this thread. The heatsink has a very clever airducting design, and the chassis is not really closed as such. Those airducts on the heatsink lead to exit vents in the chassis, so it's very cleverly designed to actually blow air onto - which is a LOT more effective in this case.
  • SG1100 Stopped Working

    2
    0 Votes
    2 Posts
    360 Views
    I
    Update: I thought I needed a paid subscription to get non-community support. Having learnt that this is not the case with Netgate hardware, I have raised a case with the support team.
  • Netgate Xg-7100-1U

    4
    0 Votes
    4 Posts
    865 Views
    stephenw10S
    Mmm, most likely scenario here is that the LAN subnet changed and you need to reconnect the client so it pulls a new lease in the new subnet.
  • SIMCom SIM7906 LTE modem disconnecting/detaching on SG-3100

    19
    0 Votes
    19 Posts
    2k Views
    F
    @stephenw10 said in SIMCom SIM7906 LTE modem disconnecting/detaching on SG-3100:

    Can you test the modem in something else?

    I'll do it, when I get back to the office after the weekend.
  • Netgate 2100 reporting 2G storage

    3
    0 Votes
    3 Posts
    719 Views
    J
    @SteveITS Thank you, that was it!
  • 23.09 not listed in ticket support for recovery image request.

    Moved
    6
    0 Votes
    6 Posts
    868 Views
    J
    @johnpoz Yes it got fixed, 23.09 shows up in drop down. Thanks
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.