The 2100 is no different to any other device when setting up Squid/Squidguard. Our own walk-through here would be fine. Steve

@rcoleman-netgate said in Disk space?: @creationguy eMMC storage vs NVMe. Lifespans of eMMC is greatly reduced with heavy log writing from some packages, notably caching and IDS/IPS packages. Agree, mainly lifespan. Equally punishing packages are pfBlockerNG and NtopNG. They can kill the eMMC in less than a year on a internet native family usage level (if not dialed down on logging/datacollecting activity).

Thank you for the help, I have submitted the ticket for support.

@stephenw10 Okay, I will monitor this again when we have higher loads in order to ensure that this is not causing issues. If not, I probably just have to ignore it. Thank you for your support!

@michael-christensen Yes, the SFP interfaces on the 6100 support VLANS. I have one 10Gb interface that runs as VLAN only (no untagged traffic).

@alcroth - just thinking you may want to check back on this post here There are some developments with that link state of "none" you were seeing.

@cloew You're welcome!

You should see the black diamond LED light as well as the green circle: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/io-ports.html#led-patterns Is it actually passing any traffic? Try connecting to the serial console to see if it's booting completely: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/connect-to-console.html Open a ticket with us if you have not already: https://www.netgate.com/tac-support-request Steve

It's very unlikely. There was a much older bug that presented like that: https://redmine.pfsense.org/issues/8047 It was fixed long ago though and showed a different error: Incorrect flash image file size. Failed to update OEM section, exiting ... Steve

Yes, you should upgrade. There's every chance the bug that allowed that invalid ruleset to be created has been fixed in the 4 years since 2.4.4. Along with numerous security fixes! Steve

Yes, it certainly looks like that but those ports don't necessarily indicate it's actually NATing. Having tested it myself numerous times I would be very surprised to see 800Mbps with NAT and filtering enabled. There are a lot of variables but 500Mbps is around what I expect to see in a local iperf3 test between WAN and LAN. Steve

When you use a 10/1G SFP+ module you will see 1G is an available setting: [22.09-DEVELOPMENT][admin@6100.stevew.lan]/root: ifconfig -vm ix1 ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: IX1 options=8138b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER> capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6> ether 00:08:a2:12:17:7f inet6 fe80::208:a2ff:fe12:177f%ix1 prefixlen 64 scopeid 0x6 inet 192.168.79.2 netmask 0xffffff00 broadcast 192.168.79.255 media: Ethernet autoselect status: no carrier supported media: media autoselect media 1000baseSX media 10Gbase-SR nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> plugged: SFP/SFP+/SFP28 10G Base-SR (LC) vendor: FINISAR CORP. PN: FTLX8571D3BCV-CK SN: ANL1C1V DATE: 2012-11-21 module temperature: 40.65 C Voltage: 3.33 Volts RX: 0.01 mW (-17.28 dBm) TX: 0.63 mW (-1.99 dBm) And the speed/duplex field in the gui will reflect that. Steve

@stephenw10 I think you're right. I've set the Firewalll Optimization to normal, which should've set the time out for "FIN WAIT" to 900 seconds, but it still doesn't kill the state. So I guess back to the roots to find out what the problem is. EDIT Well uhm, somehow it solved my problem automatically without restarting the VPN tunnel. I think the Firewall Optimization worked, need to do more testing though.

No, the 6100/4100 are UEFI only. Blinkboot will not boot a legacy image. Steve

Thanks. I apologise it looks like human error. The form was submitted as an SG-1000 but we should have caught that. I have sent you the correct firmware image for the 1100. Steve

@jts2045 There's a patch specifically for the 22.05 issues for DEVEL, no need to downgrade that I am aware of.

Yeah, I would not recommend using RAM disks with Snort/Suricata. It can be made to work but they do not expect to see RAM disks. 4GB is enough to run Snort/Suricata and pfBlocker. Though, as stated, it will reduce the maximum throughput. Steve

You can do it without a reboot: [22.09-DEVELOPMENT][root@2100-2.stevew.lan]/root: ifconfig mvneta0 mvneta0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 00:e0:ed:b6:13:59 inet6 fe80::2e0:edff:feb6:1359%mvneta0 prefixlen 64 scopeid 0x1 inet 172.21.16.220 netmask 0xffffff00 broadcast 172.21.16.255 media: Ethernet autoselect (1000baseSX <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> [22.09-DEVELOPMENT][root@2100-2.stevew.lan]/root: ifconfig mvneta0 mvneta0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 00:e0:ed:b6:13:59 inet6 fe80::2e0:edff:feb6:1359%mvneta0 prefixlen 64 scopeid 0x1 inet 172.21.16.220 netmask 0xffffff00 broadcast 172.21.16.255 media: Ethernet autoselect (none) status: no carrier nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> [22.09-DEVELOPMENT][root@2100-2.stevew.lan]/root: ifconfig mvneta0 mvneta0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 00:e0:ed:b6:13:59 inet6 fe80::2e0:edff:feb6:1359%mvneta0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> [22.09-DEVELOPMENT][root@2100-2.stevew.lan]/root: ifconfig mvneta0 mvneta0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 00:e0:ed:b6:13:59 inet6 fe80::2e0:edff:feb6:1359%mvneta0 prefixlen 64 scopeid 0x1 inet 172.21.16.220 netmask 0xffffff00 broadcast 172.21.16.255 media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> Steve

@senseinyc said in Netgate SG-3100 cannot retrieve packages: it says on latest version (I know it's not). When I try to install new packages Also, don't ever install "current" packages on an older pfSense version, so it doesn't try to, say, upgrade PHP or some other dependency.

@michmoor said in 4100 Max - cpu temps: @keyser Thanks! I appreciate the replies. So basically an inefficient chip as compared to an i3 but still the overall performance should still be solid and temps shouldnt be an issue? I feel more at ease now about it. Well No, not really inefficient. Sure compared to the latest 11th or 12th generation i3, they are less efficient due to Being manufactured on an older silicon die node, But thats evolution for you. Compared to “same age i3’s” i would rather use the Word different. I3’s and higher are made for high single core single performance - achieved by turboing the frequency. This can make cpu performance fairly unpredictable because sometimes its fast, sometimes its in a throttle back State due to heat. The atoms are made for all day predictable performance, and have some optimizations for network/server type workloads that they can do with hardware assist. So they are a fairly good cpu in a “lower power” envelope for this kind of work.