@Michael-Samer said in SG-3100 openVPN Bridge Configuration:

My ovpn (Server) setup is very straightforward, just as described in the netgate wiki entry

Which page exactly? There are instructions for all the different setup types.

Steve

You can't use the restore during install option in the same way on the ARM firewalls because the recovery image does not actually run an installer. It just copies the image bitwise.
However you can have it recover the config on first boot using the ECL:
https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html#external-configuration-locator-ecl
The fat partition on the recovery image allows you to do that with one USB stick.

Steve

If you opened a ticket asking about switch docs for the 3100, then yeah pointing to the doc would be the correct answer ;)

What part of the documentation are you not not getting and maybe we can solve your problem right here..

Other then maybe you clicking the actual pvid entry in the table vs say an edit button on the entry.. It really is no different than any other switch. You set the port vlan, and then on your uplink (port 5) you tag that vlan..

Once you understand that port 5 is the uplink to the soc, its pretty straight forward.

We are working/making a rackmount/din rail mount SG-1100 bracket.

Hi Steve
Thanks for the feedback.
Of course it turned out to be a simple thing:
Had the rule to do tcp (?) Changed it to “any” and it worked. 😉
John

The SG-1100 is a powerful device, it's not able to fully route/firewall at 1gbps:

https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html

3 is the same as 2. You just make a gateway group with Tier 1, 2, and 3 gateways.

Derelict & Rico,

You both called it. I feel dumb now. The netmask on the new interface wasn't set to /24, it was set to /32. Fixed that and of course it's working now. How I made the same mistake on two firewalls, I have no idea!

I appreciate your help, and for telling me to actually check the mask.

Thanks!

-Tim

Looks like its dead.

Ordered a new XG7100

I have updated to the latest version. Thank you very much.

I followed and liked this model for a long time.

Yup, Please open a ticket at https://go.netgate.com our team can look into this for you.

@stephenw10 @Rico thanks will check it out

Thanks for pointing that out. I don't think anything using the VGA memstick image needs the Coreboot updater. I'll see baout removing it.

Steve

I have an XG-7100 connected to a PoE switch, a Brocade ICX-6450-24P. It has never toasted any of the ports and I would not expect it to but your millage may vary. That's the only thing I have tested personally. I certainly wouldn't ever connect it to something non-standard like some of those 24V devices.

Steve

There is perhaps some other issue here.
I have a customer with the SG-1100 and Xfinity/Comcast. I am using a Netgear C7100V in bridge mode. On pfsense I turned on WAN dhcpv6 debug mode, to find out what the system delegation prefix was. The log showed a /60 prefix. I do not think there is any other way in the pfsense ui to see the value of the system delegation prefix.
On the LAN side of pfsense, I set ipv6 to "track interface", ID 0, selected WAN interface to track, left the prefix size at /64.

ipv6 is working OK for all clients

For almost each Netgate hardware there is a tweaked Image you should/need to use.
Which one exactly is in the device documentation.

-Rico

For most installs you should just be able to hit return to agree to the default selections.

If you have two available devices, SSD or eMMC here, you will have to select that. If you choose to use ZFS then you need to go through the installer steps more carefully there.

Coreboot will, by default, boot the SSD in preference to the eMMC. So if you installed to eMMC and rebooted it will just boo the old install on the SSD. You would have to choose to boot eMMC at the console. The boot order can be changed there though.

Steve

@STEAMENGINE said in SG-1100 restore does not succeed:

This is where after a reboot pfsense always wants to know which is the WAN port. if it is a PPPoE service (most are in UK for domestic users). If you choose 'a' for automatic pfsense says that the link is down when you plug it in. Of course if you have not yet provided a USR and PWD to pfsense for the PPPoE WAN it does not hook up. Pfsense in SG-1100 seems not to recognize the port you plugged the WAN into if it is a PPPoE service. This is a deadly loop you can't escape from.

I'm used PPPOE for years also.
Good news : your wrong, it doesn't work like that.
When pfSense boots, the WAN NIC is initialized - you can see for yourself : lights come up on both the pfSense WAN NIC, and the modem's NIC must also be up.
This is the moment when you see a "Link UP" in the dmesg log for the WAN.

The fact that PPPPoE isn't initialzied yet is not important. For pfSEnse, there is a WAN assigned interface, that's all that counts.

Check out for yourself what PPPoE is : it's a (point to point) Protocol over Ethernet. When PPPoE is started, the Ethernet is and must be already up.
So, for pfSense the WAN interface is UP.

If pfSense stops at the end of the boot, to ask to you to assign a WAN, this means the other side isn't UP yet -> your modem ! Solution : boot modem first, have it stabilize, and start the pfSense. This is a know situation and has been seen before. Especially if you have a uncontrolled power down and power up situation.
Normally, xDSL modmes are dumb devices, and start up pretty quickly, faster as pfSense.

You could also have a bas cable : test with another cable.

Again, see the dmesg log for whatever messages related to the WAN NIC driver.
It should show "Link UP" for all NIC's connected at the end of the log.

Btw : I always used and use today an AMD64 version - PPPoE isn't possible anymore for me.