OK, now it's better. With AES128-GCM I can hit the speed of 85MB/s and the processor is around 80%. [image: 1606304111127-c8441de3-b38e-41a8-8e0f-348348e7ce9c-image.png] We can imagine firewall will never hit 160MB/s but, it is closer to the performances announced by Netgate. And my internet bandwith is 1Gb/s, so it's really close to the maximum. Thank you for your help. Anthony

That is correct, LAN will be able to ping IOT. IOT will not be able to create connection to ping LAN though which is what you asked about. Steve

It does, and you can use them with a modified config, it requires additional switch config. The expansion card provides separate igb interfaces so if, for example, your existing config only had 4 interfaces from the 8860 assigned you would not require any config changes. To be clear you do not need the expansion card. Steve

Hmm, I would not expect to ever require a power cycle for the switched ports. The only time I have ever seen that is if a bad SFP module is used. It's possible the ix0/1 ports can require a power cycle to clear their state. Anyway glad you found it. Steve

@stephenw10 Sounds great to me, even more so hearing it from an administrator after 4 hours :D

@stephenw10 Of course, that's it. I totally forgot that was the case. I guess it's been too long since I've setup a VLAN. Thank you for the help and have a nice weekend.

JimP /Netgate did a great High Availability Hangout Video: https://www.youtube.com/watch?v=VnBnnh81G7w -Rico

I suspect the OP is using SFP to indicate either SFP or SFP+ here. I would certainly check the link speed though, 900Mbps seems suspiciously like 1G. Also check the flow control settings, they are likely enabled by default and can be a problem in some setups. https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#flow-control Steve

You can't import it directly because of the internal switch differences. If you can send it to us we can convert it for you so you can just import it. https://go.netgate.com/ Otherwise you would need to move the VLAN/LAGG/SWITch config across. Steve

Yup, if you're able to send is your old config just open a ticket with us and let us know which ports on the XG-7100 you would like to use for each defined interface. We can convert it so you can just import it directly. You don't need a support subscription for that. https://go.netgate.com/ Steve

Good day, I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

1: You do not need to contact support to update the firmware. That process is only needed if you need to reflash it from scratch (cleaning the built in flash). It comes with a firmware build onboard, and that will update itself just like you are use to on your server. 2: It does not need internet to be setup. BUT: The GUI is very very slow when no Internet/DNS is available, and if you restore a config to it, no packages are installed automatically from the config. So it’s a tradeoff: You can restore your config “offline” on a very slow GUI, and you’ll have to reinstall any packages (all settings are preserved) once it gets online and have internet access. OR: You can shut down your server, insert the SG-3100 and restore your config.

Mmm, it's hard to compare those directly but I'd guess you might be pushing an XG-7100 with that spike loading. Steve

@stephenw10 OK, will do, once the device arrives. Thanks.

You can recover the config from the pfSense install image as long as the partition is not completely destroyed, it gives you option before you install: https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#recover-config-xml-from-existing-installation Worst case you can cat the recovered config to the console from there and copy it out into a file. Steve

Ok, I figured it out. When configuring the vlan interfaces, at first I hadn't noticed, it was set with a mask of /32. The rules being generated automatically, the NAT was set for the interface, with the same mask but not for the network with the right mask. I fixed the VLAN interface mask a while ago but the NAT was still wrong. Working like a charm now!

There was another post with a different wording , and the name Sara i think. But my thought too. /Bingo

Bridging VLANs like that is generally not recommended. How many internal interfaces do you need configured like that? If it's just one you could try breaking the ix2-3 lagg and reconfiguring the switch to connect Eth8 to ix2 directly and bridge that. Removing the VLAN will probably prevent the loss there. Make sure you have some access to the firewall other than via the switched ports if you try that as it's very easy to get locked out! Do you need to filter traffic across the bridge? If not you would be better off using an external switch to set that up.

Open a ticket with the device details: https://go.netgate.com/ Steve

@snigy bump