• Errors reinstalling pfSense on an SG-1100

    0 Votes
    4 Posts
    930 Views
    stephenw10

    Thanks for spotting that. I have opened a ticket to get it corrected.
    https://redmine.pfsense.org/issues/12266

    Steve

  • Testing strategy for Plus versus CE

    0 Votes
    7 Posts
    888 Views
    stephenw10

    It shows that because you're on a version that is now several versions old. It needs to update the package that contains the available repos but can't get the latest version of that from the 2.4.4 branch.
    If you run the update though you will probably go straight to 2.5.2 or 21.05.1 since it will be able to update the repo package as soon as it starts to pull in new packages.

    Steve

  • 0 Votes
    9 Posts
    896 Views
    dennis_s

    I am going to lock this thread as you have received an answer to your questions through the support ticket you had open.

  • upgrade fails

    Moved
    0 Votes
    4 Posts
    771 Views
    S

    @rico said in upgrade fails:

    run usbrecovery

    Perfect, I resolved the problem. Thanks.

  • pfSense on Netgate hardware and power outages

    0 Votes
    11 Posts
    2k Views
    stephenw10

    Depending on what packages you have running you may be able to use ram disks.
    I've yet to see a filesystem problem on any device that has ram disks enabled.
    You can't really use it with Snort, Suricata or pfBlocker though unless you're very careful with tuning.

    Steve

  • Prepurchase Question

    0 Votes
    19 Posts
    1k Views
    S

    @bmeeks said in Prepurchase Question:

    Suricata on SG-3100 appliances have apparently been solved

    In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.

  • old netgate/pfsense router/firewall still usable?

    0 Votes
    11 Posts
    1k Views
    stephenw10

    Those pics don't seem to have uploaded correctly.

    I think the reset procedure from the APU was the same. It's been a while though!
    In which case this applies: https://youtu.be/Cwz7vWu_KO0

    Steve

  • 2100 reboot loop

    0 Votes
    4 Posts
    630 Views
    bmeeks

    It's a tradeoff for performance and features versus a fully fault-tolerant hardware/software setup that is immune to sudden power failures. The full disk subsystem used in the pfSense appliances allows for better logging and installation and use of third-party packages that need a read-write disk subsystem.

    The professional way to deploy these and other pro-level firewall appliances is to power them with a UPS. Can be a relatively small and inexpensive one. Just make sure it offers a USB communications ability to send status info to a monitoring daemon. On pfSense, you then install either the apcupsd or nut package to monitor the UPS and gracefully shut down the firewall when the UPS signals that power is lost and the battery is almost exhausted.

    The ZFS filesystem option is more fault-tolerant, and if you want to perform a complete reinstall, you can enable that option. I think there is a move afoot to make ZFS the default setup in coming future version updates. ZFS is not immune to issues caused by sudden power loss, but it is more resilient to the same as compared to UFS.

  • 2 Votes
    18 Posts
    2k Views
    B

    @johnpoz I offered to test an evaluation model ahead of time -- they wouldn't do that either. And somewhat tongue in cheek, if a company is charging a fee more than Cisco, that's a sure sign it's really exorbitant. 🙄 Bottom line -- it is not reasonable of a company to expect a consumer to take a $200+ risk that their performance metric claims are legitimate. It is reasonable to expect proof / substantiation that the equipment and not the environment is the problem, and I am willing to do whatever it takes to satisfy them in that regard.

    @flyzipper Your point is well taken, but in my case, I do consistently get the speeds I cited directly through the modem. But if push came to shove, I would certainly be willing to put another device on another port of the 6100 and do strictly local iperf3 tests through the 6100 to prove the point. Netgate wasn't interested in that either. I really think their position is untenable.

  • SG-3100 21.05.1 kern.ipc.maxpipekva exceeded; see tuning(7)

    Moved
    0 Votes
    10 Posts
    1k Views
    stephenw10

    Hmm, the only thing I'm aware of that may be related is the additional gpio device that is detected in 21.0X compared with 2.4.X. We had to make some changes to our driver for that I believe. The active device was incremented. That must be working for you though or it wouldn't work at all. Not something that would fail after some time.

    Steve

  • Netgate 5100 - after reboot no config

    0 Votes
    13 Posts
    2k Views
    S

    @hebein said in Netgate 5100 - after reboot no config:

    old logs from suricata that filled up the filesystem

    A couple years ago, give or take, there was an issue where the Suricata GUI would show log rotation was enabled but it actually wasn't by default. That was fixed back then, and I would think if you are on 21.01 you'd have a newer package and this doesn't apply to you. But IIRC the workaround was just to save the Suricata log page settings so it did actually enable. Except for that we haven't had any such issues with its log rotation.

    If it's a high traffic site you might consider unchecking "Enable HTTP Log" on the interface.

  • XG-7100 1U WAN throughput

    0 Votes
    3 Posts
    571 Views
    stephenw10

    That level of throttling is almost always something low level like a speed/duplex mismatch or an IP address conflict.

    Check Status > Interfaces for errors/collisions especially when using the expansion card.

    Check the system logs for any errors shown.

    Steve

  • Blocked from making anymore tickets

    Moved
    0 Votes
    9 Posts
    947 Views
    stephenw10

    The anonymous, privacy-centric nature of Protonmail is always going to attract spammers unfortunately. And spam filters are far from perfect. That's just the trade-off you make.

    Steve

  • Failure to re-start properly, possibly since 21.05

    Moved
    0 Votes
    8 Posts
    1k Views
    stephenw10

    Thanks for the follow up. 👍

  • Trying to submit firmware request ticket

    0 Votes
    4 Posts
    595 Views
    stephenw10

    I unblocked that email anyway in case you need to use it in future.

    Steve

  • FreeBSD 13 in pfSense+

    0 Votes
    2 Posts
    494 Views
    jimp

    That is the plan when the timing is right. Won't be the next version of pfSense (Plus or CE), but soon.

  • CARP/HA not working

    Moved
    0 Votes
    28 Posts
    3k Views
    stephenw10

    Lose that how?

    If CARP is functioning correctly you might lose, for example, a single ping during the failover. For pings with a 1s period that is.

    Steve

  • 0 Votes
    6 Posts
    1k Views
    stephenw10

    You can only choose a switch port on one interface as you found. If you leave it unset it will use the actual VLAN status which takes its state from the parent interface. In this case though that's the internal port which is always UP.

    No, there's no private VLAN type function. That would need to be on a switch where hosts are connected directly.

    Steve

  • SG-3100 no routing/NAT after reboot

    0 Votes
    7 Posts
    806 Views
    stephenw10

    Hmm. Re-running the Setup Wizard would re-apply the interface settings on WAN and LAN. Something there must have been lost somehow. Losing the default route when the gateway is set as auto is probably most common but I have sometimes seen other things remove the default route. Hard to say without data from the time.

    Steve

  • Looking for some help and suggestions

    0 Votes
    8 Posts
    1k Views
    P

    @stephenw10

    Alright, thank you Steve.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.