@bmeeks said in Prepurchase Question:

Suricata on SG-3100 appliances have apparently been solved

In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.

Those pics don't seem to have uploaded correctly.

I think the reset procedure from the APU was the same. It's been a while though!
In which case this applies: https://youtu.be/Cwz7vWu_KO0

Steve

It's a tradeoff for performance and features versus a fully fault-tolerant hardware/software setup that is immune to sudden power failures. The full disk subsystem used in the pfSense appliances allows for better logging and installation and use of third-party packages that need a read-write disk subsystem.

The professional way to deploy these and other pro-level firewall appliances is to power them with a UPS. Can be a relatively small and inexpensive one. Just make sure it offers a USB communications ability to send status info to a monitoring daemon. On pfSense, you then install either the apcupsd or nut package to monitor the UPS and gracefully shutdown the firewall when the UPS signals that power is lost and the battery is almost exhausted.

The ZFS filesystem option is more fault-tolerant, and if you want to perform a complete reinstall, you can enable that option. I think there is a move afoot to make ZFS the default setup in coming future version updates. ZFS is not immune to issues caused by sudden power loss, but it is more resilient to the same as compared to UFS.

Hmm, the only thing I'm aware of that may be related is the additional gpio device that is detected in 21.0X compared with 2.4.X. We had to make some changes to our driver for that I believe. The active device was incremented. That must be working for you though or it wouldn't work at all. Not something that would fail after some time.

Steve

@hebein said in Netgate 5100 - after reboot no config:

old logs from suricata that filled up the filesystem

A couple years ago, give or take, there was an issue where the Suricata GUI would show log rotation was enabled but it actually wasn't by default. That was fixed back then, and I would think if you are on 21.01 you'd have a newer package and this doesn't apply to you. But IIRC the workaround was just to save the Suricata log page settings so it did actually enable. Except for that we haven't had any such issues with its log rotation.

If it's a high traffic site you might consider unchecking "Enable HTTP Log" on the interface.

That level of throttling is almost always something low level like a speed/duplex mismatch or an IP address conflict.

Check Status > Interfaces for errors/collisions especially when using the expansion card.

Check the system logs for any errors shown.

Steve

The anonymous, privacy centric nature of Protonmail is always going to attract spammers unfortunately. And spam filters are far from perfect. That's just the trade-off you make.

Steve

Thanks for the follow up. 👍

I unblocked that email anyway in case you need to use it in future.

Steve

That is the plan when the timing is right. Won't be the next version of pfSense (Plus or CE), but soon.

Lose that how?

If CARP is functioning correctly you might lose, for example, a single ping during the failover. For pings with a 1s period that is.

Steve

You can only choose a switch port on one interface as you found. If you leave unset it will use the actual VLAN status which takes it's state from the parent interface. In this case though that's the in internal port which is always UP.

No, there's no private VLAN type function. That would need to be on a switch where hosts are connected directly.

Steve

Hmm. Re-running the Setup Wizard would re-apply the interface settings on WAN and LAN. Something there must have been lost somehow. Losing the default route when the gateway is set as auto is probably most common but I have sometimes seen other things remove the default route. Hard to say without data from the time.

Steve

@stephenw10

Alright, thank you Steve.

Yup we will always help you recover by re-installing if you need to, you don't need support for that. Just open a ticket if you haven't already:
https://go.netgate.com/

Steve

@stephenw10 said in SG-4860 risk of failure again?:

It would depend exactly when it was replaced. Do you have a ticket number I can check?

Steve

(Sent via PM)

@stephenw10 thanks for that. Now registered and will raise a ticket. Appreciate the support.

@aznricebox Update: issue resolved. Found that it was my anti-virus causing the issue. Once I put an exception for the IP of the SG-1100 I was able to get to the page and log in. Probably due to the cert that is automatically generated by pfsense that my anti-virus didn't like.

@f1d094 said in Swapfile on SG-1100 running 21.05?:

were so laden with adware and trackers that I said "tough cookies"

Ha, sounds fair.
I mean, yeah, it looks like it's definitely working for you.

Steve