• Would like to have failover...not sure what options are

    0 Votes
    3 Posts
    291 Views
    stephenw10

    Don't do that, it's a terrible idea!

    The interfaces need to match so you would need to create a single interface LAGG in the SG-1100 and move all your VLANs to that.

    Those boxes are massively mismatched in just about every other respect. You could easily load the SG-7100 with rulesets that will kill performance on the SG-1100.

    The nodes in an HA pair should be as close to identical as possible.

    Steve

  • SG-3100 Less Throughput on tagged VLANs

    1 Votes
    1 Posts
    222 Views
    No one has replied
  • XG-7100 transparent firewall

    0 Votes
    2 Posts
    380 Views
    stephenw10

    In general pfSense works better when it's routing between subnets so before you do this be sure you need to configure it as a transparent firewall.

    A transparent firewall can be achieved simply by bridging two interfaces. You generally want to filter traffic between them, so the bridge sysctls can be left at the default values, filtering on the bridge member interfaces.
    The biggest issue with configuring it is that if you don't have access via another interface you will almost certainly lock yourself out of the firewall during the setup; it's very easy to do. So the first thing to do here is make sure you have access to the firewall via some other interface.
    What are you connecting between? Can you use the SFP interfaces?

    Once you have that access simply create a bridge and add the two ports to it.
    Be sure to only have an IP address on one of the interfaces (including the bridge if you assign it).
    Be aware that firewall rules including system aliases like LANnet may not be valid if the LAN no longer has an IP.

    Steve

  • SG-3100 hardware check

    0 Votes
    8 Posts
    1k Views
    Gertjan

    @noisybloke said in SG-3100 hardware check:

    Coming from domestic routers it was a shock when I learnt that it can't handle power interruptions well.

    These domestic routers do not have a file system like what you would find on a PC or NAS.
    pfSense could be run from ROM with minimal dynamic data storage, and some NVRAM for the config, but in that case upgrading would be far more complicated, no more packages, and no more dynamic data views. It would become just another SOHO router.

    Rip out the power cable of your PC: after a couple of times your PC will complain, if it still boots.

    @noisybloke said in SG-3100 hardware check:

    (1 noticeable power cut every few years

    You are wired up yourself? ;)
    A blackout that kills all the lights is just one example of a power outage. The ones that 'hurt' a system are far more common.

    Btw: still, power issues rarely actually kill a device physically. It's just wrong data getting written in the wrong place or something like that. Rebuilding (reformatting) the disk will take care of things. Just make sure your config is saved regularly. I've one of my PCs running a small program that logs in using SSH, executes the 'Diagnostics > Backup & Restore', retrieves the complete config, saves the file and logs out. A set it and forget it installation.
    Take note of the "Netgate Device ID" and the 'Device key', which are useful to retrieve a backup of what has been sent to Netgate's remote backup storage, see Services > Auto Configuration Backup > Restore

  • SG-3100 console stop "Bootup complete", no web gui

    0 Votes
    3 Posts
    281 Views
    J

    @Rico: I did as suggested and everything is working fine now.

  • Dashboard Performance Slow On A New XG-7100

    0 Votes
    5 Posts
    715 Views
    J

    Thank you, I will try that.

  • SG-1100E LAN on iperf3 only 368 Mb/s

    0 Votes
    4 Posts
    475 Views
    stephenw10

    Between the two test machines directly on the same subnet you should be seeing at or very close to 941Mbps but it looks like you're not. Is there some other restriction there?

    You might also try with 2 (or more) parallel streams (-P 2). The SG-1100 has a dual core CPU but is limited by using one NIC which can use only one queue.

    Steve

  • XG-7100 Slow WAN w/ Bell Five (LAN is okay)

    0 Votes
    11 Posts
    1k Views
    M

    Went down the road of modifying the bxe drivers, taping the SMBus pins on the Broadcom (otherwise would not boot). It worked, but speeds were not there. The challenge is faking this to sync at 2500Mbps properly to match the gpon (which provisions at 1500Mbps down 940 up).

    I have purchased an X710 DA2 which I don't really expect to work either, but I will be able to use it elsewhere. Some have reported success at 2500 with an older firmware, so I will explore that briefly.

    Lastly -- today I've purchased a Ubiquiti ES-16-XL which I believe is the current and only reliable way to make this work at 2.5Gbps. My gpon will plug into this and then another SFP+ out to the pfSense which SHOULD work... at about double my intended cost... but I'm this far in already and I'd rather keep the 7100 b/c it's a nice little unit and pfSense is amazing.

    I should have results in a couple weeks.

  • SG-1100 reinstall fails

    Moved
    0 Votes
    9 Posts
    1k Views
    Rico

    Glad you have it working now. 👍

    -Rico

  • Issues with Suricata and XG-1537

    0 Votes
    4 Posts
    464 Views
    bmeeks

    @Rekoj said in Issues with Suricata and XG-1537:

    suricata.log

    28/8/2020 -- 09:17:11 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
    28/8/2020 -- 09:17:11 - <Info> -- CPUs/cores online: 16
    28/8/2020 -- 09:17:11 - <Info> -- HTTP memcap: 67108864
    28/8/2020 -- 09:17:11 - <Notice> -- using flow hash instead of active packets
    28/8/2020 -- 09:17:11 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb113615.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb113615.pid. Aborting!

    You have two problems. The immediate problem is that Suricata began to start and then crashed leaving a stale PID file in the location given. You will need to manually delete that file before it will start.

    However, the other problem, and the likely root cause of the original crash that left the stale PID file, is the move to a 16-core CPU. That hardware needs a ton more TCP Stream Memory. You will need to go to the FLOW/STREAM tab and greatly increase the Stream Memcap value. Start with 256 MB and go up if necessary. You can Google that term or search for it here on the Netgate forums. Here is one example post from the forums: https://forum.netgate.com/topic/139580/suricata-failing-to-start-interface.

  • 0 Votes
    7 Posts
    783 Views
    stephenw10

    Errors like that are expected during an upgrade from a significantly older version. In this case it's because PHP was upgraded from 5.2 to 7, and during that time the old libraries are switched out.
    That's one of the reasons a clean install is often better when coming from an old version.

    If you're not seeing errors after the upgrade is complete though it's probably fine.

    Steve

  • Migrating from custom hw to XG-7100

    Moved
    0 Votes
    2 Posts
    354 Views
    stephenw10

    Open a ticket with us: https://go.netgate.com/

    We can convert that config for you so you can import it directly in almost every case.

    Steve

  • SG-8860 vs newer appliances

    0 Votes
    6 Posts
    558 Views
    C

    @stephenw10 thanks. I’ll instead purchase a new model. Now debating between sg-3100 vs 5100.

    Thanks.

  • SG-3100 Reboots after FW Rule hits 1TB

    0 Votes
    17 Posts
    1k Views
    B

    Whenever I had Snort installed on my SG-3100, it would always cause spontaneous reboots no matter what package version I used. Not sure if it was the way I had it configured, but even with basic rule sets, it would still crash. I have since removed it and have no further issues with reboots.

  • DNS resolver "fails" but forwarding "resolves"

    0 Votes
    10 Posts
    761 Views
    johnpoz

    @DrPhil said in DNS resolver "fails" but forwarding "resolves":

    pfSense would not resolve any one of them.

    And right now mine is not resolving it either, but it has nothing to do with DNSSEC; it has to do with there being no entry for nic.in any more. Not from Google, not from OpenDNS, not from the SOA even.

    ; <<>> DiG 9.16.5 <<>> @8.8.8.8 nic.in
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 379
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;nic.in.                        IN      A

    ;; AUTHORITY SECTION:
    nic.in.                 529     IN      SOA     nicnet.nic.in. nsadmin.nic.in. 2020082302 1800 600 1209600 14400

    ;; Query time: 22 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sun Aug 23 06:04:02 Central Daylight Time 2020
    ;; MSG SIZE  rcvd: 86

    But there is for www.nic.in

    $ dig www.nic.in

    ; <<>> DiG 9.16.5 <<>> www.nic.in
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20504
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.nic.in.                    IN      A

    ;; ANSWER SECTION:
    www.nic.in.             3185    IN      CNAME   www.nic.in-v1.akamaized.net.
    www.nic.in-v1.akamaized.net. 21185 IN   CNAME   a1825.dscd.akamai.net.
    a1825.dscd.akamai.net.  3185    IN      A       24.96.54.98
    a1825.dscd.akamai.net.  3185    IN      A       24.96.54.97

    can you resolve that?

    BTW - posts are not always for the OP.. They are for the next guy as well.. The information I posted is basic understanding of how DNS works.. Most users won't get it - but users of pfSense are normally not "most" users..

  • Use SG-5100 OPT ports as LAN switch

    0 Votes
    10 Posts
    2k Views
    P

    @johnpoz I understand... in my case because of the cabling layout I only have 2 Ethernet cables to trunk to the main switch location, so there are two 'spare' ports that I can use for a local AP and backup device.

    This lets me clean up my board and avoid yet another device and power supply.

    TBH this is 50% a learning exercise - just constructing the bridge has been an education, so it's all good. The next task is to stand up my LTE failover, which will be fun, and then try to figure out how many firewall rules I need to make everything work.

    Thanks @akuma1x, @johnpoz and @stephenw10 for the insights.

  • Firewall rules require a reboot to apply

    0 Votes
    13 Posts
    2k Views
    stephenw10

    It's still a floating rule which is applied before all other rules. So even if it is set to be added after pfSense floating rules it will still block before the rules on the WAN interface pass it.

    You can set the pfBlocker rules not to be on the floating tab. Or you could add your manual rule on the floating tab above them.

    Anyway, it's blocked by pfBlocker. Mystery solved at least.

    Steve

  • Need photo of SG2440 motherboard that has been repaired for C2000 bug

    0 Votes
    2 Posts
    335 Views
    dennis_s

    Hi @trombone,

    Sorry to hear you're experiencing this. Unfortunately there is no field serviceable component for your SG-2440. As far as outside repair, it may be cheaper to look at a new device with an up to date warranty vs something older; I would defer to one of our sales engineers who could give you a recommendation based on your specific needs.

  • Installing OpenBSD on XG-7100

    0 Votes
    30 Posts
    3k Views
    stephenw10

    Ah, OK. The internal layout is described here:
    https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.