@stephenw10 Awesome. Thanks.

Log lines indicate the exact moment of the events :

@leonroy said in Unbound was killed: out of swap space:

Jan 11 13:01:33 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0.

and while it's starting - 15 seconds later :

@leonroy said in Unbound was killed: out of swap space:

Jan 11 13:01:48 unbound 63374 [63374:0] info: service stopped (unbound 1.12.0).

and a small instance (< 1 second) :

Jan 11 13:01:48 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0.

To make a long story, go to the Unbound / Resolver settings page and uncheck this :

ffec4b58-bccf-4e36-8b6e-dc41c1cea202-image.png

Stick a post-it on the pfSense box that says :
"Check the resolver logs again after 48 hours and see how many stops/restarts happened the last 48 hours".
If you find "a couple" or even less : issue solved.

@kiokoman

Thank you for your quick and clear reply!
This helped me out a lot, I didn't realize we could add "Send options" in such a way!

I haven't managed to get a public IP yet but am getting closer and closer :)

Have a great day

@curtisj - does this help you at all - it worked for me (twice recently) https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html

I have around a dozen SG-1100 in production, they tend to arrive to me in two's or three's so I configure, and software upgrade them one after another, and ship them out. This gives me a some sort of impression of how consistently they behave. Anyway, the last three arrived with me just over a month ago, and I performed a vanilla out-of-the-box config on them, and then the upgrade to pFsense Plus. One decided to brick itself rather than take the upgrade (so I used the procedure above to recover it) and the other two took the upgrade just fine via the web ui. And now I'm thinking about it, there was one that I stuck a label-printed note onto the top that I was unable to serial console onto it.... Maybe I'll revisit that unit and use the warranty. As I'm supplying them to technically-capable users, but not neccessarily firewall technically familiar, I perform multiple reboots before shipping them out and always keep a copy of the final config. But again in this most recent batch one decided that it would be a brick after being DHL'd to the user. Used the procedure above, and blasted the config back onto it, and it's been fine since.

@zacaustin

I have a Sony Bravia and a sg3100, it’s on my guest vlan
It works perfectly hardwired.. I have a Ubnt nano mounted directly above it which also works fine..

It works on just the out of box dns resolver for me and also by setting it up with next dns google blocking... where it’s pushed dns servers by pfsense and it blocks google services

@johnpoz I tried accessing web UI from the LAN device to IP 192.168.1.1
I also had tried from a device on the WAN accessing the router assigned IP of 192.168.1.30.

Neither worked.

Hard to see how that could be. The packet is arriving over the IPSec. TCP Syn packets are tiny anyway. But if you've seen something similar before I guess....

But that pass rule should match and clearly isn't. IP Options on it or something odd?

Steve

Indeed, I've never tried it and only recently became aware you could connect directly like that. I could see how it might be possible though.

Steve

Hey @jimp,
For the SG-1100, I know its an Arm box, it one of the reasons I bought it. I said arm64, as that's what bsnmpd reported, instead of Aarch64.

I had a chance to install Net-SNMP on the SG-1100 and it returns ifHCInOctets and ifHCOutOctets:
$ snmpwalk -v2c -c <redacted> 192.168.1.254 | grep -i -e inoctets
IF-MIB::ifInOctets.1 = Counter32: 1066212313
IF-MIB::ifInOctets.6 = Counter32: 0
IF-MIB::ifInOctets.7 = Counter32: 147998
IF-MIB::ifInOctets.8 = Counter32: 0
IF-MIB::ifInOctets.9 = Counter32: 0
IF-MIB::ifInOctets.10 = Counter32: 339689700
IF-MIB::ifInOctets.11 = Counter32: 549481782
IF-MIB::ifInOctets.12 = Counter32: 121263171
IF-MIB::ifHCInOctets.1 = Counter64: 1066384951
IF-MIB::ifHCInOctets.6 = Counter64: 0
IF-MIB::ifHCInOctets.7 = Counter64: 147998
IF-MIB::ifHCInOctets.8 = Counter64: 0
IF-MIB::ifHCInOctets.9 = Counter64: 0
IF-MIB::ifHCInOctets.10 = Counter64: 339693366
IF-MIB::ifHCInOctets.11 = Counter64: 549639578
IF-MIB::ifHCInOctets.12 = Counter64: 121267407

I'll have to keep playing to make sure there is no functionality loss (OIDs returned, etc), but right now I'm happy!

Thanks!
David

No, no reboot required.

https://forum.netgate.com/topic/144636/sg-1100-intermittent-reboots

@muppet said in SG-1100 PPPoE Performance:

@akuma1x Yes it's easy enough to buy some secondhand/commodity hardware.

Anything you can find with enough network ports and an Atom C3XXX, or Intel i3/i5/i7 processors, or even some of the more recent fast Celeron and Xeon processors. Those are all good for a pfsense box. Try to stay away from the laptop-grade mobile processors, and the older Celeron J1900 stuff. Those are going to show their age and weaknesses quicker than the other ones.

HP and Dell made/make some good small form factor stuff. Just make sure you can add at least 1 multi-port INTEL network card in there and you'll be all set with a nice pfsense firewall box.

Jeff

Chris already posted the link https://go.netgate.com/

Everything should be the same as any TAP bridge. You'll just have OPT and LAN on the same switch VLAN.

@sbeeche Thank You! This was my missing piece!