That is the plan when the timing is right. Won't be the next version of pfSense (Plus or CE), but soon.

Lose that how? If CARP is functioning correctly you might lose, for example, a single ping during the failover. For pings with a 1s period that is. Steve

You can only choose a switch port on one interface as you found. If you leave unset it will use the actual VLAN status which takes it's state from the parent interface. In this case though that's the in internal port which is always UP. No, there's no private VLAN type function. That would need to be on a switch where hosts are connected directly. Steve

Hmm. Re-running the Setup Wizard would re-apply the interface settings on WAN and LAN. Something there must have been lost somehow. Losing the default route when the gateway is set as auto is probably most common but I have sometimes seen other things remove the default route. Hard to say without data from the time. Steve

@stephenw10 Alright, thank you Steve.

Yup we will always help you recover by re-installing if you need to, you don't need support for that. Just open a ticket if you haven't already: https://go.netgate.com/ Steve

@stephenw10 said in SG-4860 risk of failure again?: It would depend exactly when it was replaced. Do you have a ticket number I can check? Steve (Sent via PM)

@stephenw10 thanks for that. Now registered and will raise a ticket. Appreciate the support.

@aznricebox Update: issue resolved. Found that it was my anti-virus causing the issue. Once I put an exception for the IP of the SG-1100 I was able to get to the page and log in. Probably due to the cert that is automatically generated by pfsense that my anti-virus didn't like.

@f1d094 said in Swapfile on SG-1100 running 21.05?: were so laden with adware and trackers that I said "tough cookies" Ha, sounds fair. I mean, yeah, it looks like it's definitely working for you. Steve

The SG-2220 does not have an RTC clock battery so if it's been off for some time it may revert to the initial time/date. If you do not have at least one NTP server defined by IP and you have DNSSec enabled in Unbound and no other DNS servers set then you have a chicken/egg situation. The firewall cannot recolve any time servers because DNS doesn't work when the clock is wrong! Setting either a fixed NTP server or an alternative DNS server will prevent that. Steve

Yeah subnet conflict is most likely there. If the both have the same LAN subnet the 5100 would end up with the same subnet on WAN and LAN creating a conflict. Steve

@jbgdev said in SG3100 - Frequent Internet Drops: I finally worked with Netgate Sales, suppose would have been a good place to start. Yup, I never doubted it I think the forum is always a good start and it's also Netgate anyway, but I'm glad you did it on your own. BTW: I never doubted it @jbgdev " Advanced Configuration" but I'm glad you did it on your own.... DHCP fine-tune on WAN intf. f.e.: Protocol Timing: As if someone had said it before.... [image: 1627574327505-391fcabd-2f96-4f27-b610-668494ccd5b3-image.png]

Just for anyone reading if you do connect to the console during an upgrade, or initiate it from there, you will see a bunch of php errors if the update includes a php version change. And 2.4.5 to 21.05 does. But it should complete anyway, if you reach a prompt that isn't the normal console menu something has not completed correctly. Steve

That is still the expected date as far as I know. (but I have no particular insight there). All the interfaces are discrete NICs and can be assigned and used however you want. The labels on the back are just there for identification. The 2 NICs labeled WAN 2/3 are both combo ports with both SFP and RJ-45 ports but only one can be used at a time on each NIC. Steve

@luketa said in SG3100 limitations: @stephenw10 tried everything to work snort, it really won't. I installed Suricata and it's running 100% on version 21.05 thank you all. Glad Suricata is working well for you. The Snort problem is a tough one to solve. Understanding the root cause of the error requires being skilled in the art of assembly language level programming in the ARM CPUs. It has to do with the specific CPU opcodes the compiler chooses to employ when converting certain memory operations coded in C into the binary CPU opcode equivalents.

So, quick update. It turned out that the user menu was appearing. But it was among a lot of garbled characters. And it wasn't pausing for a response. So I tried frantically pressing '2' when I got to that part of the reboot and finally got the prompt I needed to get a shell and run fsck (several times). That sorted the problem. However, in the meantime I'd opened a ticket with Netgate. I got a response within minutes and soon had a link to download the firmware, which I did as a backup. I mention this just to say that I'm very impressed with Netgate's support.

No problem. It made sense to continue the discussion there. I got the problem sorted in the end. I'll post what happened over there.

I really wish I could edit the old posts. Just wanted to give an update. We have come up with our work around. Not sure it is the proper or most clean way to make this work. But we have gotten the desired outcome. Rather than a direct link between the router and paired firewall we added a vlan to the existing ixl0 on the router for firewall communication and then plugged the firewall ix0 into an aggregate switch port on that vlan. Now if either router, firewall, or aggregate switch fail the backup(s) kick on depending the need.. Thank you to anyone who may have read this and was thinking of a solution yet had not posted. Did not want to leave anyone else hanging. I'll keep this up in case someone else shares our mistaken design ideas. :P! Network Plan.png

@ashlm Following on... top -aSH shows mvnet02 (WAN) hitting over 98% utilisation of CPU core, bufferbloat kicks in after around 30 seconds of load and packets start being dropped. 665Mb peak downloading a Steam game (interface dropped completely and failed over once during 5 minutes download).