The SG-2220 does not have an RTC clock battery so if it's been off for some time it may revert to the initial time/date.
If you do not have at least one NTP server defined by IP and you have DNSSec enabled in Unbound and no other DNS servers set then you have a chicken/egg situation. The firewall cannot recolve any time servers because DNS doesn't work when the clock is wrong!

Setting either a fixed NTP server or an alternative DNS server will prevent that.

Steve

Yeah subnet conflict is most likely there. If the both have the same LAN subnet the 5100 would end up with the same subnet on WAN and LAN creating a conflict.

Steve

@jbgdev said in SG3100 - Frequent Internet Drops:

I finally worked with Netgate Sales, suppose would have been a good place to start.

Yup, I never doubted it 😉

I think the forum is always a good start and it's also Netgate anyway, but I'm glad you did it on your own.

BTW:
I never doubted it @jbgdev " Advanced Configuration"
but I'm glad you did it on your own....

DHCP fine-tune on WAN intf. f.e.: Protocol Timing:

As if someone had said it before....😉

391fcabd-2f96-4f27-b610-668494ccd5b3-image.png

Just for anyone reading if you do connect to the console during an upgrade, or initiate it from there, you will see a bunch of php errors if the update includes a php version change. And 2.4.5 to 21.05 does.
But it should complete anyway, if you reach a prompt that isn't the normal console menu something has not completed correctly.

Steve

That is still the expected date as far as I know. (but I have no particular insight there).

All the interfaces are discrete NICs and can be assigned and used however you want. The labels on the back are just there for identification.
The 2 NICs labeled WAN 2/3 are both combo ports with both SFP and RJ-45 ports but only one can be used at a time on each NIC.

Steve

@luketa said in SG3100 limitations:

@stephenw10
tried everything to work snort, it really won't.

I installed Suricata and it's running 100% on version 21.05

thank you all.

Glad Suricata is working well for you. The Snort problem is a tough one to solve. Understanding the root cause of the error requires being skilled in the art of assembly language level programming in the ARM CPUs. It has to do with the specific CPU opcodes the compiler chooses to employ when converting certain memory operations coded in C into the binary CPU opcode equivalents.

So, quick update. It turned out that the user menu was appearing. But it was among a lot of garbled characters. And it wasn't pausing for a response. So I tried frantically pressing '2' when I got to that part of the reboot and finally got the prompt I needed to get a shell and run fsck (several times). That sorted the problem.

However, in the meantime I'd opened a ticket with Netgate. I got a response within minutes and soon had a link to download the firmware, which I did as a backup. I mention this just to say that I'm very impressed with Netgate's support.

No problem. It made sense to continue the discussion there. I got the problem sorted in the end. I'll post what happened over there.

I really wish I could edit the old posts.

Just wanted to give an update. We have come up with our work around. Not sure it is the proper or most clean way to make this work. But we have gotten the desired outcome.

Rather than a direct link between the router and paired firewall we added a vlan to the existing ixl0 on the router for firewall communication and then plugged the firewall ix0 into an aggregate switch port on that vlan. Now if either router, firewall, or aggregate switch fail the backup(s) kick on depending the need.. Thank you to anyone who may have read this and was thinking of a solution yet had not posted. Did not want to leave anyone else hanging. I'll keep this up in case someone else shares our mistaken design ideas. :P!

Network Plan.png

@ashlm Following on...
top -aSH shows mvnet02 (WAN) hitting over 98% utilisation of CPU core, bufferbloat kicks in after around 30 seconds of load and packets start being dropped. 665Mb peak downloading a Steam game (interface dropped completely and failed over once during 5 minutes download).

You should be able to re-install clean if you can access uboot still.
Open a ticket with us to get the recovery image if you haven't already:
https://go.netgate.com/

Steve

@mackeyuk

I don't like following directions. Maybe this will help

bridge.PNG
interfaces.PNG
sg.PNG

There should be no problem importing the full config there beyond the expected complication of the switch config. Certs, users etc will all import.
If you're having any issue with that please open a ticket with us: https://go.netgate.com/
We can convert your existing config so it imports directly.

Steve

@stephenw10 no m.2/eMMC option when showing available boot devices. I opened a ticket.

Thanks

Ok, then you can configure them however you want. Whatever is more convenient for what you're trying to connect.

You can configure two of the switch ports as a load-balance type LAGG, yes.

Just edit the lagg number on the ports tab. For example:
Screenshot from 2021-07-19 11-42-45.png

It can only use LAGG type load-balance though, it doesn't support LACP.

Steve

The 6100 does not have any DIMM slots. the 8GB RAM is all on-board so it's not expandable.

Steve

If you have more than one gateway defined make sure the default gateway is set to the specific gateway in question. If it's still set to automatic in System > Routing > Gateways it's probably switching to the other gateway and not switching back.

Steve

@noexit said in Which Netgate to get?:

My current router is an old Dell Dimension E310 PC (Intel(R) Pentium(R) 4 CPU 2.80GHz) with 1GB of RAM and 1000baseT 3com NICs running pfSense 2.3.4.

Gah!
Yeah, that's an actual P4, 32bit only, so upgrade time for sure!

The SG-2100 would be fine for those speeds and, as mentioned, the 4GB RAM leaves plenty of headroom for Snort, ntopng etc.
It won't pass full Gigabit line rate though if that's likely to be something you need anytime soon.

Steve