Hello, looks like I had to reinstall the OS. Opened a ticket with negate support and they were able to guide me through the procedure. Thank you

@gertjan Thank you. Did the reinstall and now i can login via SSH.

@cyberminion The SG2100: the default configuration all the ports labelled LAN are on the switch. If you don't do anything all the ports are on the LAN segment. The WAN is a distinct device; default mode is like a good old WRT54G: WAN goes to the Internet, all the LAN ports in the back are switched together. If you want to create a LAN and OPT1 (your original picture) you have to do explicit configuration to create VLANs and Tagging for the different ports on the Switch itself. Unit with separate NICs. Hard to say, it may depend on how the separate NIC devices are connected. Easy to see them connected to an unmanaged switch, if there is no explicit configuration, I think again you wind up with the $5 unmanaged switch from the store. I'm currently behind a SG2440 that has distinct NICs for WAN, LAN/OPT1/OPT2 and I am not going to break my configuration to test the theory :) ( wife would get annoyed at me ) Sometimes the switch devices let you have pullup/pulldown resistors on pins to force a configuration after power on. I don't have the Netgate schematics or the datasheets so can't say if anything like this is being done, but most switch devices I've used default to unmanaged mode after a power cycle. If you have the serial console cable if it breaks you should be able to get to a shell and poke around. If I'm recalling correctly, basically look for a 0 byte config.xml and then look for a backup of config.xml that is non-zero length and simply copy that over to fix it.

Yes, rebooting is a good idea before an upgrade to be sure it will return from that. You should not need to power cycle it normally though. This was a bug in the driver that could put the hardware into a condition it could not recover from. That should have been fixed in 21.05 though. The only time I would expect to need a power cycle is after updating uboot/coreboot. Steve

Ah, good to hear.

@stephenw10 Thanks, this is exactly my case. I'll update that come next maintenance period. <interfaces> <wan> <enable></enable> <if>igb0</if> <blockpriv></blockpriv> <blockbogons></blockbogons> <switchif>switch0.port1</switchif> ...

@jchonig said in Netgate SG-3100 LEDs: @renegade Are you using lockf in your cron script? That's supposed to prevent it from consuming resources. I'm pretty sure the root problem is a kernel bug causing the sysctl and gpioctl commands to hang. I need to find the time to do some debugging. This worked for me for about 18 hours but now the system is completely locked up with the same error so lockf doesn’t appear to do the trick. Edit: Here is the command I was using (just for reference)- /usr/bin/lockf /var/run/gw_leds.lock /root/gw_leds -b WAN_DHCP -A 0,0,16 -C 0,0,16

Good news for Snort users on the SG-3100! The Netgate team has pulled the latest Snort fix for the Signal 10 problem into the pfSense+ 21.05.1 branch: https://redmine.pfsense.org/issues/12157#change-55832. So you should see an updated Snort package show up soon.

Suricata should run fine on the SG-2100. Just be sure to set log file size limits including a total size limit. Steve

Ok, if you're doing that I would put the bridge between WAN and OPT and use LAN for management. That removes the switch from the connection.

Thank you stephen. I guess we already talked over e-mail about this issue, i appreciate your answer here too though. I could also add one of the 4 port 1Gbps PCIe NICs that are supported by the 7100U and not being limitied to load balancing laggs only, right? In any case and this is a little bit off-topic but bear with me for a second. I am really interested about the future of pfsense+. Been a long timer user of the community edition and from a business perspective the move to pfsense+ was understandable and probably the right one. Of course i wish that the CE edition will still remain and receives regular updates but i guess that remains to be seen. I am also looking forward to pfsense+ on VMs or 3rd party hardware and i would be very happy to see this come to fruition in 2021. Thanks again. :)

@stephenw10 thanks! that path ultimately lead to a damaged port igd0! remaining ports in good shape, so did a quick right-shift from Interfaces, Assignments...

There's no provision for using multiple drives in pfSense so you would need to boot from m.2 SSD or add your own scripts to enable it. There's a pretty good chance you would fill the drive accidentally and cause problems for the firewall. Hard to recommend doing that. Either way though, the m.2 slot is not NVMe so no PCIe lines. Steve

Thanks for spotting that. I have opened a ticket to get it corrected. https://redmine.pfsense.org/issues/12266 Steve

It shows that because you're on a version that is now several versions old. It needs to update the package that contains the available repos but can't get the latest version of that from the 2.4.4 branch. If you run the update though you will probably go straight to 2.5.2 or 21.05.1 since it will be able to update the repo package as soon as it starts to pull in new packages. Steve

@rico said in upgrade fails: run usbrecovery perfect i resolve the problem. tks

Depending on what packages you have running you may be able to use ram disks. I've yet to see a filesystem problem on any device that has ram disks enabled. You can't really use it with Snort, Suricata or pfBlocker though unless you're very careful with tuning. Steve

@bmeeks said in Prepurchase Question: Suricata on SG-3100 appliances have apparently been solved In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.

Those pics don't seem to have uploaded correctly. I think the reset procedure from the APU was the same. It's been a while though! In which case this applies: https://youtu.be/Cwz7vWu_KO0 Steve