@kiokoman thank you! Learned a few things through this process... 1. i have to enable logs to view allows on the firewall rule and 2. the new cloudkey controller update changed some of the ports used for remote gui access on the unifi platform. Thanks for the guidance!

@johnpoz Exactly what I'm thinking. :)

@jknott said in Do software updates require a support package:

What would you recommend.

Like Steve,....minimum 3100 because you love to experiment and this requires a flexible HW.

@brimansd44 said in usage with spectrum biz with both rfc1918 and public IP block:

How far up the Netgate product line do I have to go to get a setup where I can use both networks on one device and not use their router?

There is no difference in the available features here. If you can do this on an XG-1541 you will still be able to do it on an SG-1100. Though I would want to go to at least the SG-2100 for a 400Mbps connection.

Steve

Thank you guys @gabacho4 and @Derelict for the quick support, when I started I had two problems:

I couldn't open a Ticket because I couldn't login into the Support Desktop portal. My SG-1100 wasn't functional and all I saw in the console was "Marvel>>"

At the end of the day both problems got solved:

I had to use a different email account to register in the Support desktop portal, originally I was using my "@protonmail.com" account, I got the registration email but couldn't login. After registering using a "@gmail.com" account I was able to sign in, log in and create a ticket. To fix the SG-1100, once I created the ticket, the Netgate team was very quick to provide me with the SG-1100 image I needed to reinstall pfSense and the instructions to do so. I was successful and now I have a functional device.

The question still remains on why I couldn't loggin using the protonmail account, I was able to place an order with it and register into this forum, but I couldn't sign in for the Support Desktop Portal, privacy was the price to pay this time LOL.

Thanks again for your willingness to help.

@stephenw10 Thanks. I ended up just going with 192.X.X.2 - 192.X.X.199 addresses in the pool, using the RBR50 as an Access Point and assigning some static IPs above the range of the pool.

If you have a "1G" connection you are going to want to step-up to the SG-3100.

With an SG-2100 configured for outbound NAT and firewall like that you will not see 800Mbps when testing to, for example, speedtest .net from a client behind it.

Steve

No, I certainly wouldn't expect to see anything like that.

Do you mean when opening the export page or when downloading the file?
Neither should have any effect on the IPSec tunnel though.

Do the IPSec logs show any reason the tunnel went down?

Are you downloading the file across the IPSec tunnel?

Steve

@nocling Thank you very much really appreciated you made my day have a nice day...

@mwc-0
Resolved. It turns out that there was a stbility issue with the packet stream from the modum. ROKU and Amazon Echos were not sensative enough for the issue to count. No SG 3100 problems once it was getting a decent packet stream.

Or just get a cheap vlan switch to use if you have no more ports..

@stephenw10 said in Multiple IPsec tunnels; first tunnel up fails when the second tunnel connects:

mething is conflicting if that's the case

The all devices are WAN edge devices. I essentially did a stare and compare from a known working config from another set up I had in service. The difference was the hub site was a virtualized pfSense firewall.

In the process I did remove all rules and tunnels and rebuilt them from scratch with bringing up each tunnel individually with success, but came to the same result of the tunnels not being able to pass traffic to the hub with both of them connected. I may play with it again here soon, but I had to get them up since they were in production.
Ended up using one OpenVPN tunnel and one IPSec tunnel successfully on the first attempt.

I looked at this multiple times, even had a second set of eyes go over the tunnels and rules. with breaks in the attempts to reset my thought process to make sure I was not misconfiguring the IPSect tunnels.

Does the WAN show a link to the upstream device? Link LEDs correctly lit? Status > Interfaces showing correct speed and duplex?

What sort of WAN connection is it? DHCP? PPPoE? Is it cable modem, DSL, wireless?

If it's DHCP does it pull an IP of you connect it to some local dhcp server, like another router?

Is it possible there is an IP conflict between the WAN and LAN, or another local subnet?

Steve

@cabledude

Like i said, each person has their own requirements, for me, running it as a VM makes more sense as i have other VMs and containers running anyway, so another VM adds little to nothing to the existing power draw.

While for me personally, looking for the next model up at a higher cost may not yield me much with 200/200, if you upgrade your ISPs package, you may need a higher throughput - you have to ask yourself, is that likely and if so, is it soon, if not, grab one suitable enough for today and the next few years, the prices of the others will come down and you can re-evaluate.

The one you rented should have given you an insight in to if that's enough for your needs or not.

I should have also added, my CPUs are Intel Xeon E5-2650V3 @ 2.3Ghz and my ISP provides me 380/36.

If your not proud and don't mind used or ex-corporate kit, why not see if eBay or other such sites have a higher spec, used device but at a fraction of the cost?

Or ask the rental place if they sell any ex-demo units?

Show run int and sh run po is helpfull.

Show port-channel summery as well.

We use some Installations at work with different Switches and ASAs, there is no problem if you setup the pos correctly.

@stephenw10 Excellent, thanks. I did have a snoop around but was only grepping for the ix* in /etc, knowing /cf is helpful for future.

Board won't soft-reboot without hanging at the code 42 boot code now.

Sending in A1SRI-2558F board for RMA to Supermicro with "C2000 RMA" as the problem description. Seems like it relates to the C2000 clock issues coming back from 2017 to bite upon reboot/hang :(

Luckily I had just rebuilt a pfsense replacement and also had a very recent config backup for testing it, so I was ready to go and swapped it out.

Yes, you can configure one of the LAN ports as a separate interface using VLANs and use that as a second WAN.
It's possible to manually choose the default gateway to select between WANs. Hardly anyone would do that though. Policy routing or auto failover/load-balancing are common deployments.

Steve

@dbinnyc Did you install any packages? If it had a not-the-latest version of pfSense and packages for the latest version were installed (i.e. go to Packages and install anything), that can mess up dependencies. (https://redmine.pfsense.org/issues/10464)

@stephenw10 ok great, I'll have a play as I have a unifi switch here to play with too, I've just got the wan link sorted so now onto playing with the LANs.