Thank you, I will try that.

Between the two test machines directly on the same subnet you should be seeing at or very close to 941Mbps but it looks like you're not. Is there some other restriction there?

You might also try with 2 (or more) Parallel streams -P 2. The SG-1100 has a dual core CPU but is limited by using one NIC which can use only one queue.

Steve

Went down the road of modifying the bxe drivers, taping the SMBus pins on the Broadcom (otherwise would not boot). It worked, but speeds were not there. The challenge is faking this to sync at 2500Mbps properly to match the gpon (which provisions at 1500Mbps down 940 up).

I have purchased an X710 DA2 which I dont really expect to work either, but I will be able to use it elsewhere. Some have reported success at 2500 with an older firmware, so I will explore that briefly.

Lastly -- today I've purchased a Ubiquiti ES-16-XL which I believe is the current and only reliable way to make this work at 2.5Gbps. My gpon will plug into this and then another SFP+ out to the pfsene which SHOULD work... at about double my intended cost... but I'm this far in already and I'd rather keep the 7100 b/c its a nice little unit and pfsense is amazing.

I should have results in a couple weeks.

Glad you have it working now. 👍

-Rico

@Rekoj said in Issues with Suricata and XG-1537:

suricata.log

28/8/2020 -- 09:17:11 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 09:17:11 - <Info> -- CPUs/cores online: 16
28/8/2020 -- 09:17:11 - <Info> -- HTTP memcap: 67108864
28/8/2020 -- 09:17:11 - <Notice> -- using flow hash instead of active packets
28/8/2020 -- 09:17:11 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb113615.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb113615.pid. Aborting!

You have two problems. The immediate problem is that Suricata began to start and then crashed leaving a stale PID file in the location given. You will need to manually delete that file before it will start.

However, the other problem, and the likely root cause of the original crash that left the stale PID file, is the move to a 16-core CPU. That hardware needs a ton more TCP Stream Memory. You will need to go to the FLOW/STREAM tab and greatly increase the Stream Memcap value. Start with 256 MB and go up if necessary. You can Google that term or search for it here on the Netgate forums. Here is one example post from the forums: https://forum.netgate.com/topic/139580/suricata-failing-to-start-interface.

Errors like that are expected during an upgrade from a significantly older version. In this case because php was upgraded from 5.2 to 7 and during that time the old libraries are switched out.
That's one of the reasons a clean install is often better when coming from an old version.

If you're not seeing errors after the upgrade is complete though it's probably fine.

Steve

Open a ticket with us: https://go.netgate.com/

We can convert that config for you so you can import it directly in almost every case.

Steve

@stephenw10 thanks. I’ll instead purchase a new model. Now debating between sg-3100 vs 5100.

Thanks.

Whenever I had Snort installed on my SG 3100, it would always cause spontaneous reboots no matter what package version I used. Not sure if it was the way I had it configured, but even with basic rule sets, it would still crash. I have since removed it and have no further issues with reboots.

@DrPhil said in DNS resolver "fails" but forwarding "resolves":

pfSense would not resolve any one of them.

And right now mine is not resolving it either. but it has nothing to do with dnssec, it has to do with there is no entry for nic.in any more. Not from google, not from opendns, not from the SOA even..

; <<>> DiG 9.16.5 <<>> @8.8.8.8 nic.in ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 379 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;nic.in. IN A ;; AUTHORITY SECTION: nic.in. 529 IN SOA nicnet.nic.in. nsadmin.nic.in. 2020082302 1800 600 1209600 14400 ;; Query time: 22 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Aug 23 06:04:02 Central Daylight Time 2020 ;; MSG SIZE rcvd: 86

But there is for www.nic.in

$ dig www.nic.in ; <<>> DiG 9.16.5 <<>> www.nic.in ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20504 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.nic.in. IN A ;; ANSWER SECTION: www.nic.in. 3185 IN CNAME www.nic.in-v1.akamaized.net. www.nic.in-v1.akamaized.net. 21185 IN CNAME a1825.dscd.akamai.net. a1825.dscd.akamai.net. 3185 IN A 24.96.54.98 a1825.dscd.akamai.net. 3185 IN A 24.96.54.97

can you resolve that?

BTW - posts are not always for the OP.. They are for the next guy as well.. The information I posted is basic understanding of how dns works.. Most users won't get it - but users of pfsense are normally not "most" users.. .

@johnpoz I understand... in my case because of the cabling layout I only have 2 Ethernet cables to trunk to the main switch location, so there are two 'spare' ports that I can use for a local AP and backup device.

This lets me clean up my board and avoid yet another device and power supply.

TBH this is 50% a learning exercise - just constructing the bridge has been an education, so it's all good. The next task is to stand up my LTE failover, which will be fun, and then try to figure out how many firewall rules I need to make everything work.

Thanks @akuma1x, @johnpoz and @stephenw10 for the insights.

It's still a floating rule which is applied before all other rules. So even if it set to be added after pfSense floating rules it will still block before the rules on the WAN interface pass it.

You can set the pfBlocker rules not to be on the floating tab. Or you could add your manual rule on the floating tab above them.

Anyway, it's blocked by pfBlocker. Mystery solved at least.

Steve

Hi @trombone,

Sorry to hear your experiencing this. Unfortunately there is no field serviceable component for your SG-2440. As far as outside repair, it may be cheaper to look at a new device with an up to date warranty vs something older, I would defer to one of our sales engineers that could give you a recommendation based on your specific needs.

Ah, OK. The internal layout is described here:
https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html

As requested I will post screenshots, but I think this is still a WIP as some of these rules are set automatically internally, so I could cleanup, and I notice also that I have ALTQ queues defined when ALTQ is off now, but hopefully gives you an idea what I meant.

Managementports alias points to ports 80,443,22 to block ssh, and webui access to firewall.

guest_ntp_dns points to ports 53,123,853 to allow dns/ntp access on firewall.

The nolog rule near bottom is to disable logging for some extra packets that get blocked from the walled garden setup, and were been logged because I decided to log the blocked packets, so that was to disable logging for those packets.

Guest_ports is allowed ports on walled garden, its an expansive list as I include ports for some android and social media apps as well as email. Will attach pic for it also.

Also as has been pointed out, you need to have the ability to have an isolated WAP setup that uses the guest VLAN. Unless you ok with all wifi clients been on the main LAN.

alt text

alt text

Ok, the 3100 is probably ideally suited there then. It will do ~100Mbps OpenVPN and closer to 300Mbps IPSec if required.

Steve

A pair of XG-1537s work fine in an HA setup. CARP is only part of that along with pfSync and config sync. There should be no issues there if they are configured correctly.

I'm not sure what you mean with the port forwards question. A diagram may help here.

You can setup port forwards through an HA pair certainly.

Steve

If you disconnect the LAN port by default the SG-1100 will show the LAN interface, with the IP on it, as down. You can change that in the LAN interfaces setup. Set the Switch port to monitor for state changes to the default value (no port) and LAN will always be up.
However you can also just access the webgui on the OPT interface IP. Or indeed the WAN IP, the webgui listens on all available IPs.

Steve

We are not currently accepting paid development work. However we have an internal ticket open for this already, I'll add your voice there. It would be very nice to have that driver.

umb was ported to NetBSD more recently and the same developer was at one time working on a FreeBSD port but appeared to abandon the effort. He's probably in the best place to port this. I have no idea if he's open to offers.

Steve

There are still supply chain disruptions from COVID-19 happening. They are coming as soon as possible and backorders are filled as soon as new units arrive.