@johnpoz I understand... in my case because of the cabling layout I only have 2 Ethernet cables to trunk to the main switch location, so there are two 'spare' ports that I can use for a local AP and backup device. This lets me clean up my board and avoid yet another device and power supply. TBH this is 50% a learning exercise - just constructing the bridge has been an education, so it's all good. The next task is to stand up my LTE failover, which will be fun, and then try to figure out how many firewall rules I need to make everything work. Thanks @akuma1x, @johnpoz and @stephenw10 for the insights.

It's still a floating rule which is applied before all other rules. So even if it set to be added after pfSense floating rules it will still block before the rules on the WAN interface pass it. You can set the pfBlocker rules not to be on the floating tab. Or you could add your manual rule on the floating tab above them. Anyway, it's blocked by pfBlocker. Mystery solved at least. Steve

Hi @trombone, Sorry to hear your experiencing this. Unfortunately there is no field serviceable component for your SG-2440. As far as outside repair, it may be cheaper to look at a new device with an up to date warranty vs something older, I would defer to one of our sales engineers that could give you a recommendation based on your specific needs.

Ah, OK. The internal layout is described here: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html

As requested I will post screenshots, but I think this is still a WIP as some of these rules are set automatically internally, so I could cleanup, and I notice also that I have ALTQ queues defined when ALTQ is off now, but hopefully gives you an idea what I meant. Managementports alias points to ports 80,443,22 to block ssh, and webui access to firewall. guest_ntp_dns points to ports 53,123,853 to allow dns/ntp access on firewall. The nolog rule near bottom is to disable logging for some extra packets that get blocked from the walled garden setup, and were been logged because I decided to log the blocked packets, so that was to disable logging for those packets. Guest_ports is allowed ports on walled garden, its an expansive list as I include ports for some android and social media apps as well as email. Will attach pic for it also. Also as has been pointed out, you need to have the ability to have an isolated WAP setup that uses the guest VLAN. Unless you ok with all wifi clients been on the main LAN. [image: YC4z9Kb.png] [image: UXa3rjn.png]

Ok, the 3100 is probably ideally suited there then. It will do ~100Mbps OpenVPN and closer to 300Mbps IPSec if required. Steve

A pair of XG-1537s work fine in an HA setup. CARP is only part of that along with pfSync and config sync. There should be no issues there if they are configured correctly. I'm not sure what you mean with the port forwards question. A diagram may help here. You can setup port forwards through an HA pair certainly. Steve

If you disconnect the LAN port by default the SG-1100 will show the LAN interface, with the IP on it, as down. You can change that in the LAN interfaces setup. Set the Switch port to monitor for state changes to the default value (no port) and LAN will always be up. However you can also just access the webgui on the OPT interface IP. Or indeed the WAN IP, the webgui listens on all available IPs. Steve

We are not currently accepting paid development work. However we have an internal ticket open for this already, I'll add your voice there. It would be very nice to have that driver. umb was ported to NetBSD more recently and the same developer was at one time working on a FreeBSD port but appeared to abandon the effort. He's probably in the best place to port this. I have no idea if he's open to offers. Steve

There are still supply chain disruptions from COVID-19 happening. They are coming as soon as possible and backorders are filled as soon as new units arrive.

It should appear imediately below the client config section when you enable advanced config: [image: 1597148491107-selection_880.png] It's normally hidden by client side script. Try a different browser if you don't see it or check your browser plugins, something may be blocking it. Steve

It depends what you're forwarding of course. It's not something I have tested myself (or is often used) but there are some numbers for forwarding only on the product page: https://store.netgate.com/XG-7100.aspx Steve

@stephenw10 sure, will give 400K a try and see. Thanks

I have unblocked that. Please try to open a ticket again if you still need the firmware. Steve

@pi said in SG-1100 always that flaky or I got a dud?: That’s funny. I’m a couple of months into pfSense and I’m still breaking it, probably weekly. Unfortunately, I can't do that anymore because there are a lot of production environments in which we use pfSense. All success can be gained through a lot of experience Go for it...

@dotdash sorry for the late response, and thanks for your reply! I ended up going with an SG-1100, and it seems to be holding up pretty well. I have yet to install pfBlockerNG on it though, so not sure if it will be enough for that. If anyone else is looking at doing this, it was a little tricky getting familiar with the fact that all of the ports belong to an internal switch, but I was able to work through it with a little help from the internet :) Bill

Thank you @stephenw10 and @keyser. @keyser, based on your comment I looked up my Netgear (R7000, I am using the router as a wifi AP). It seems like many people online complain about dropped connections. Based on online advice, I reverted it back to a previous firmware version. If that works, I'll come back and post details so future readers in a similar situation can benefit. For now, fingers crossed.

@digitalvt said in SG-3100 Hangs after internet outage: I couldn't even connect via browser to the pfSense?! When you visit the GUI dashboard, the information isn't all static. Most of it is collected "at the source' and some of that isn't available "on site". Example, package version info is compared with available versions on the 'Netgate' package server. A working connection is needed (read = DNS, amongst other, should work). If the connection is lost, the GUI behaves somewhat like any other web site that is off line. The GUI dashboard will show up, after some (DNS) time outs. Start finding the answer to this question : [image: 1596702816445-cc44ab7e-0d97-4f33-8d28-9734d86217ce-image.png] 0612055684 Why is the Resolver restarting so often ? When it restarts, DNS will be off line for several moments. A reason might be, as you showed : if dpinger 'thinks' restarts the Internet connection is bad (very high latency, or even pings lost) then it restarts the WAN interface - and packages / processes like unbound. Discover why your uplink (ISP) is bad, and you should be close to a solution.

I use a lot of PC Engines APU2D4 which has an AMD GX-412TC 1Ghz CPU, 4GB DDR3-1333 soldered memory, supports AES-NI, (3) I210 ethernet ports. These boxes run notoriously hot. The worst I've seen (hot environment) is it chugging along at 71C (159F?) with no problem. In a cool environment the box still runs at 50C.

@Derelict Now there's wisdom -- would have saved me a lot of time even if the ISP support queues are long, etc.