@stephenw10 said in Proper steps for ZFS pave & (re)install on 6100: The biggest advantage is that ZFS is a more robust file system. If you are installing somewhere that power cannot be guaranteed you are far less likely to have file system damage issues caused by outages. Steve Sounds good. I guess it'll be the first thing I'll do after receiving my unit.

The 3100 cannot run ZFS usefully, it's not available in any current installer. Is that unit somehow actually running ZFS? If so you should definitely re-install 21.05.2 clean. Or wait for 22.01. Steve

I have some generic LC BiDi modules I use for testing that work in the 6100. In the combo port the PHY is wired to be 1G only so they don't show as fibre: [22.01-RC][admin@6100-2.stevew.lan]/root: ifconfig -vvm ix2 ix2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN2 options=8138b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER> capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6> ether 90:ec:77:0f:74:44 inet6 fe80::92ec:77ff:fe0f:7444%ix2 prefixlen 64 scopeid 0x7 media: Ethernet autoselect (1000baseT <full-duplex,rxpause,txpause>) status: active supported media: media autoselect media 10baseT/UTP media 100baseTX media 1000baseT nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> In the 10G SPF port it shows as: [22.01-RC][admin@6100.stevew.lan]/root: ifconfig -vvm ix1 ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: IX1 options=8138b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER> capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6> ether 00:08:a2:12:17:7f inet6 fe80::208:a2ff:fe12:177f%ix1 prefixlen 64 scopeid 0x6 inet 192.168.79.2 netmask 0xffffff00 broadcast 192.168.79.255 media: Ethernet autoselect (Unknown <rxpause,txpause>) status: active supported media: media autoselect nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> plugged: SFP/SFP+/SFP28 1000BASE-LX (LC) vendor: OEM PN: SFP-GE-BX03-U SN: NV20200713016 DATE: 2020-07-14 module temperature: 29.84 C Voltage: 3.32 Volts RX: 0.17 mW (-7.60 dBm) TX: 0.08 mW (-10.57 dBm) Steve

@keyser said in Symmetrical gigabit and performance of the Netgate 6100: I upgraded to 1000/1000 and the SG-2100 topped out at about 640'ish Mbps (no inspection/monitoring). So I have just upgraded to a SG-6100 and it handles the 1000/1000 effortless with thousands of sessions, suricata (lot of rules) and ntopNG running. There is definitely room for a lot more throughput in it. My guess is it would handle 2.5Gbit under these circumstances as well. Superb. Exactly what I was looking for. Thank you!

@styxl As always you can simply import your config, follow the guide and reassign your logical interfaces (WAN. LAN, OP1, OPT2) to the desired physical interfaces in the SG-6100 (Igc0-3 and ix0-3)

Indeed there is no switch in the 6100 all it's interfaces are discrete NICs. The additional LAN interfaces should already be assigned so just enable them and assign a static IP/subnet. Then enable dhcp on the interface if you need it and add firewall rules to pass traffic as required. Steve

@gertjan That's quite a reply! Thanks about it! So far I thought IDS is simply alerting suspicious traffic, while IPS does on top of that - adding firewall rule to block it. I tough simply this is perform while doing checks against IPS databases such as snort and there is no need to open the packets. Because like you said if I would like to have TLS open I need to have my router CA installed on trust stores on all my end pcs. which is too much and eventually if my CA is corrupt all goes shit. So is not IPS still on the table those days?!

Yeah...I just saw this post...didn't see it in my search of the forum before: https://forum.netgate.com/topic/147330/how-to-tag-interface-sfp-ix0-on-an-xg-7100/8 hmmm, I see what you are saying they route between the interfaces. In our small network, we have those vlans listed above with end devices spread out on different switches. I have the Eth 2, and 4 used to ensure routing. Yeah I should have the switches connected but they are not top of the line, and with the costs and this being a nonprofit it is hard to spend that money and even to get the money. I was hoping to utilize the SFP+ ports like I did on the Ubiquity UDM Pro of which we replaced. I like this unit Netgate, so much better, though...I am now recommending this to everyone.

Is this something that just started? Was the PWR button working as expected previously? If this is in warranty you should open a ticket with us: https://www.netgate.com/tac-support-request Steve

@akuma1x I just installed the 512GB M.2 SATA and reinstalled pfSense using ZFS and it appears to work just fine and all of the storage is available. I don't know why I bought such a large drive. I guess price point stupidity. But this thing boots so much faster now I love it.

ix3 is the WAN1 port but I assume you meant that since it's showing the copper link? Try it in the WAN3 port (ix0). That should at least show you the module info if it can detect it. For example: [22.01-RC][admin@6100-2.stevew.lan]/root: ifconfig -vvvm ix0 ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN3 options=8138b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER> capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6> ether 90:ec:77:0f:74:45 inet6 fe80::92ec:77ff:fe0f:7445%ix0 prefixlen 64 scopeid 0x5 media: Ethernet autoselect status: no carrier supported media: media autoselect media 10Gbase-Twinax nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> plugged: SFP/SFP+/SFP28 1X Copper Active (Copper pigtail) vendor: BROCADE PN: 58-1000027-01 SN: CBMB11110040HR8 DATE: 2011-03-31 SFF8472 DUMP (0xA0 0..127 range): 03 04 21 02 00 00 04 41 88 80 D5 00 67 00 00 00 00 00 03 00 42 52 4F 43 41 44 45 20 20 20 20 20 20 20 20 20 00 00 05 1E 35 38 2D 31 30 30 30 30 32 37 2D 30 31 20 20 20 41 20 20 20 0C 00 00 78 00 12 00 00 43 42 4D 42 31 31 31 31 30 30 34 30 48 52 38 20 31 31 30 33 33 31 20 20 00 00 00 09 35 37 39 38 39 30 30 30 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 42 20 20 20 Steve

Thanks @mer and @akuma1x for lighting fast replies! Ok then I am good to go.

@chudak see https://forum.netgate.com/post/1019967

@keyser I have 1Gbps fiber at home too, and agree that there's a gap to be filled. Right now I'm using a 6100 and while I agree that it's a bit pricey for a home router, when you spread it out over the likely 5+ year lifespan of the device it really doesn't matter that much. A 4100 is coming "real soon now" and will likely be that goldilocks device you've been waiting for. I'm sure it would have been here by now if it weren't for the supply chain nonsense.

@stephenw10 The original pfsense device had multiple IP addresses on the WAN interface. When I migrated to the SG-3100, rather that using the primary public IP address, it was using one of the other IP addresses on the WAN interface. Once I realized this, I modified the WAN interface, then the clients were able to connect again. The SG-3100 in now in place and all is well. Thanks for your assistance.

I can confirm this issue, I restored my SG2100 and first up I did change to http and port 8081. I was not able to login using Brave. I was however able to login via ssh. I changed browser to Midori (doing this on a Manjaro Linux install) then I was able to login and I got a log entry on my ssh session stating that a successful login was made. Now I tried to switch back to Brave, I try to login, I do see the same message in the ssh session that a successful login was made but the browser blinks and empties the login fields and does not login. Starting a private window and trying to login succeeds. So this has to be some kind of caching issue. I can confirm that it is a caching issue, deleting the browser cache does do the trick. After that I am able to login in again.

@blackh0le

I would only expect to see that if there are no IPSec tunnels enabled. What have you tried so far? How is it failing? Can we see any screenshots? Logs? Steve

Log lines indicate the exact moment of the events : @leonroy said in Unbound was killed: out of swap space: Jan 11 13:01:33 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0. and while it's starting - 15 seconds later : @leonroy said in Unbound was killed: out of swap space: Jan 11 13:01:48 unbound 63374 [63374:0] info: service stopped (unbound 1.12.0). and a small instance (< 1 second) : Jan 11 13:01:48 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0. To make a long story, go to the Unbound / Resolver settings page and uncheck this : [image: 1641975254934-ffec4b58-bccf-4e36-8b6e-dc41c1cea202-image.png] Stick a post-it on the pfSense box that says : "Check the resolver logs again after 48 hours and see how many stops/restarts happened the last 48 hours". If you find "a couple" or even less : issue solved.

There isnt much practical use in combining them because of different speeds. Even with weights, still when one hits the 30Mbit will take notice, especially if downloading something. Of course If you are a caffee with casual users it wont matter. You can always configure the slower line as a backup, only. While doing this you can use the slower line for eg iot, or other "batch" uses like backup syncs etc.