How long should SG-1100 upgrade take? Update: She dead. Update2: She on life support.
-
@hoopy I usually do that too, but I figured it's Netgate's own hardware with a simple config. Oh well
-
@scurrier my SG-1100 took 12 and a half minutes. With 3 packages installed - Avahi, openvpn-client-export and Status_Traffic_Totals. I uninstalled pfBlockerNG-devel prior to upgrade and then re-installed it.
-
I have a SG-5100 and I had the same issue. Upgrade got to the rebooting part and after several cycles of the website trying to reload I found the unit had as a solid red middle light (which I think indicates a problem.)
I also waited a few hours and then tried power cycling. This didn't work, it always came back red.
I also pressed the recessed button to try to reset the unit. That didn't seem to do anything at the time.
I was without internet and so I had pull all the cables off the unit to reluctantly connect internet directly to my old Netgear WiFi/Router. (After 6 months with pfSense, this didn't feel safe! LOL)
After that, I finally found the console cable and tried connecting with PuTTY while the middle light was still red.
Perhaps coincidence but after getting the menu in the console, the middle light turned green. Again, the middle light had been red and otherwise unresponsive for 2+ hours until I tried the console...
I wasn't able to log back into the web interface initially but I soon found out it was back at the default IP 192.168.1.1. Apparently, the recessed button fully wiped the settings?
So perhaps if the console connect "fixed" it, I didn't need to try the recessed button. In the console, I didn't actually perform any actions. It was my first time using it and I was just happy to have that to explore.
I disconnected the console cable (didn't logout or anything) and went to the totally default-looking 21.02 pfSense. I restored my backed up settings and it seemed like everything was OK except all the packages were gone. This was the first time I ever restored the settings, but I guess this is normal. Also I didn't know if restoring settings across versions (2.24 -> 21.02) would work so I spent a while checking out all the settings I remembered changing to see if it was still there. It seemed fine.
Finally, I re-installed only one package, pfBlocker-ng, and for the most part it's all good again. It's been totally solid for around 24 hours now.
I'm not sure why it froze up like that and it wasn't expected, but at least in my case, I was able to get it back again (perhaps via the console)... ?
-
My SG-1100 took about 20 minutes to do the upgrade after a fresh reboot. The reboot after the upgrade though took about 10 hours before the webGUI was even available, and still required another reboot via SSH before things returned to some normalcy. The upgrade did yank off telegraf with no install candidate, so if you run telegraf don’t upgrade yet. Also expect very long upgrade reboot times that has no traffic passing. And before folks want to go blaming packages and such, the only thing the SG-1100 does is local DHCP and IPSec.
Personally, the SG-1100 has been a disaster for me, woefully underpowered and the lackluster ARM support is rediculous for a consumer supported security product. It seems like the entire ARM based product line is lackluster, which is sad in my opinion for a commercial product. I will be moving off the ARM platform, and go with what has worked for me which is non-NetGate x86 hardware and the CE version of the product. I may try the + version on x86, not sure yet. -
10hours is extreme! Hard to imagine what it was doing for that long.
Telegraf should be there for arm64 but you're right it isn't for some reason. I'm investigating... -
@stephenw10 it’s a remote device so didn’t capture the console output and not sure if dmesg will go back far enough to be useful. While the device is accessible externally I can’t get any traffic to pass and the IPSsec has extreme packet loss so a lot of services are down. Making the two hour drive to get into the console and troubleshoot.
-
There is an upgrade log in /conf you can check. If it was erroring out on something and having to wait for it to fail it should show there.
-
@stephenw10 I do see errors with PHP modules failing to load and some other items, but I think the stuck part was during the reboot itself. Which I woulda thought to dump dmesg somewhere else before rebooting. I feel it may have something to do with the uboot upgrade, just not sure how much of that or any other firmware may have been done too.
-
@jlw52761 this is off topic but..
a disaster for me, woefully underpowered<<
sounds like you under spec'd based on your needs. That's your fault not a product fault. The IMIX Traffic/performance info is on the appliances product page.
lackluster ARM support is ridiculous<<
what does that mean? You want an ARM CE version so you can run it on Raspberry Pi, etc?
entire ARM based product line is lackluster<<
if you want to make a value/price argument on the ARM product line do that
-
@jlw52761 Hmm, you shouldn't have seen a uboot update there unless you were somehow on a very old version. There has not been a uboot update for the SG-1100 in some time.
Steve
-
@jlw52761 Mine lost the GUI too. Hopefully overnight it'll come back, as yours did?
Ugh this sucks.
-
It can take a significantly long time to come back after it reboots, the upgrade to 2.5 is a large change. Most of the upgrade takes place after the reboot. But check the console to know for sure.
Steve
-
Update2 from me, the OP, here. I got remote access to a computer connected to the SG-1100 lan port. Turns out, she's not dead, she's just having some WAN issues. I can't figure it out. I can ping the upstream WAN gateway, but nothing beyond it. An ICMP traceroute to an internet address strangely returns only repetitions of the SG-1100's own LAN gateway IP.
-
@scurrier Got it working again, although I still don't know exactly what went wrong. Turns out the default gateway was set to automatic (as expected), but this was no longer automatically selecting the correct standard WAN_DHCP gateway. I changed the setting pictured and now everything seems to be working. What the heck? This is so basic.
-
If you have an internal gateway like that you should always set the default to be the WAN.
When it's on automatic if the WAN gateway goes down it will choose the next available gateway and you don't ever want it to do that where you have a LAN gateway.
Steve
-
@scurrier Only strange thing left at this point is the NTP server is down and won't start.
-
@scurrier NTP server is magically back up today. Not sure what was going on with that.
So far, so good after fixing the default gateway problem.
-
NTP can take a while to sync upstream and then start serving data. That's not entirely unexpected.
Steve
-
I'm down again. Not responding to pings and the downstream network operator messeged me that my internal traffic from behind the firewall is leaking onto their network.
-
@ahking19 said in How long should SG-1100 upgrade take? Update: She dead. Update2: She on life support.:
@jlw52761 this is off topic but..
a disaster for me, woefully underpowered<<
sounds like you under spec'd based on your needs. That's your fault not a product fault. The IMIX Traffic/performance info is on the appliances product page.
The site has 25Mbps down and 5Mbps up, only Site2Site IPSec, and DHCP/DNS. Hardly what one would expect to overload the SG-1100, even stripping all this back, the packet forwarding really is not good on the hardware due to the way the Marvell switch is implemented, IMHO The SG-1100 is really only good for the most basic of items, that a Walmart router at half the cost can do. The SG-1100 should really not be a product and I regret spending the $$$'s on it. I spent only slightly more on a x86 board and installed CE on it and that guy does all the heavy lifting such as pfBlocker, IPSec, OpenVPN, WireGuard, PBF/PBR, DNS, Snort, and absolutely takes all that without much more than a brief puff of hot air.
lackluster ARM support is ridiculous<<
what does that mean? You want an ARM CE version so you can run it on Raspberry Pi, etc?
Well, I wouldn't be opposed to a CE version, I get better support from the community to be honest. I had a problem with the SG-1100 that required a reflash as the device was good and well FUBAR'd, and it took almost two days to "prove" to support that I have a valid device and support on said device, even after providing the serial#, Netgate Device ID, and the Netgate Crypto ID. Once the person was "convinced" I had a supported device, it took another couple of days for the support person to figure out how to help me and eventually got ahold of an engineer that was able to provide the IMG file for relfashing. So yeah, lackluster to say the least.
A CE version would enable broader ARM support, possibly on something like an Odroid or LattePanda. There are a number of ARM based SoC's out there with multiple PHY's, which would be perfect.entire ARM based product line is lackluster<<
if you want to make a value/price argument on the ARM product line do that
Just look at the forums, there are a ton of issues around the ARM platform, and these are supposed to fully supported and have no CE version, only a Plus version, so having to turn to the forums for support is really lackluster IMHO. For the price, one can get COTS x86 hardware and go to town.
You are correct, it is off topic, more of a "Here we go again with ARM" rant.