SG-2100 HANGING UNIT
-
Can you connect to the serial console? What does it show from
ifconfigoretherswitchcfg? -
@kevs As @stephenw10 mentioned the first thing you need to do for anything is check the console to find out why. if it is boot looping (my suspicion) this will be of great help: https://docs.netgate.com/pfsense/en/latest/troubleshooting/filesystem-check.html
-
Hi Sir @stephenw10
Yes, I accessed the console but it shows like this:
I tried to reset to factory defaults but it shows like this:
I also do your recommendation and it shows like this:
-
-
Hi @gertjan
How will I fix this? Actually, this is a new device and it was set up last 3 days ago then after a while, I cannot access the webGui, No LAN IP even the WAN.
-
@kevs
Have Netgate support looking into it.Is the device in the close to original state or did you add pfSense packages that eat disk space ?
-
@gertjan it was just a basic setup wizard, no config or packages installed. I do not know what happen to this firewall after a couple of days.
-
Instead of investigating, go for the fast solution :
Get a copy of the firmware https://www.netgate.com/tac-support-request, and re install from scratch. -
Yes, I would open a ticket with us for that.
As @Gertjan said the most common cause of that is a misconfigured package that has filled the drive. However without any additional packages that's very unlikely. You can see errors like that if the OS is unable to write to the drive for some other reason.
Steve
-
Hi @stephenw10
Please see the output I got when I run the shell and enter this command (du -a /var | sort -n -r | head -n 10) from netgate support to know if there is no package installed in the firewall based on the report of the end user. It seems that they had installed the Suricata package if I am not mistaken that's why the drive has been full, does it mean that the SG-2100 BASE or MAX model is not suitable for the Snort and Suricata packages, am I right?
-
@kevs said in SG-2100 HANGING UNIT:
It seems that they had installed the Suricata package
Oh ... lol, that one that is able to fill up any drive in no time.
The thing is : Suricata produces a lot of logs.
Suricata is capable of rotating its own log files, but this should be 'installed' and then double 'checked' if it actually works.
Suricata is a program that has to be baby-sitted : when you get one, you stay on to it just until the end of the contract. No exceptions. No "lets take a 3 days brake" or so.@kevs said in SG-2100 HANGING UNIT:
the SG-2100 BASE or MAX model is not suitable for the Snort and Suricata packages, am I right?
I have a MAX and still wouldn't leave Suricate 'alone'.
And yes, if you opt for that kind op packages, the MAX was invented for these space-eating packages. I would also for for a 4100 or even bigger, processor power isn't optional anymore if throughput is also a criteria.I wouldn't use Suricata as chances are that it finds something is close to zero. It's more like a false security these days. Like 'install a free antivirus and go risk nothing' which is entirely false.
Traffic flowing through pfSense is all TLS encrypted these days, there is no 'http' or clear 'mail' traffic anymore these days. If there was, the 'end user' would have a far bigger problem.
So, if Suricata can't see the traffic, why using it ?Btw : it is possible to use a proxy on pfSEnse, so pfSense becomes the TLS end point. Every device on the network has to use pfSense a its proxy. The thing is : the user who is able to pull this one of knows already that logs should always be inspected and purged daily, so the issue would never happen in the first place.
Anyway : good news : no need to re install pfSense.
Go to this forum : pfSense Packages IDS/IPS and look up the needed details of securicate : the place where you can find the logs.
Probably somewhere in /var/log/ and then a sub directory called Suricate and list whats in there. start wipe some older big logs.edit : you already found it.
Boot into single user mode and to a file check ( !! ) Netgate has a Youtube video (Netgate Youtube video channel ) that shows how to do that.
Then, propose your client to :
a) keep Suricate, and do that that parts that says "know how to use it".
b) remove Suricate. -
You should be able to remove those log files from the console there and that will free enough space to allow it to boot normally.
Yes, if you install Suricata you must enable log rotation and I always set small logs sizes and set a total log folder size.
Both the 2100 MAX and BASE will run Suricata though I would be very careful about running on a BASE model because the logging increases drive writes to the eMMC significantly.Steve
