@nguser6947 said in Procedure to offline update hot spare to latest revision?:

@keyser The only package I'm using is pgblockerng.

That is the best package for pSense - period.
But it is also the worst for what you are looking ti do. Because depending on your setup that will either autocreate and sort your firewall rules or create aliasset that cannot resolve when it’s not installed

@william-mandell said in Unable to upgrade SG-1100 appliance to 23.01 - Kernel panic:

@jimp

No Jim , sorry, but no. Not an older version of pfsense plus at all.

I was on the Newest version of pfSense Plus+ that was the release #, 'freshly' and (*natively) installed before > and updated to 23.01 obviously after 23.01 came out, but before I saw that it was being 'blocked' because of some problems going on.

Those statements are contradictory. Either you installed 23.01 directly or you were on 22.05 and upgraded to 23.01.

That said, I checked around and apparently it's a known issue that the 1100 and 2100 recovery installers are using an older ZFS version in the disk images.

While you could run zpool upgrade -a and let it upgrade that, if it didn't properly update the loader when you updated to 23.01 then it may not boot properly after. If you did reimage it with 23.01 and not an upgrade, then it's safe to run.

How and why would I want to boot it to the older version(s) ZFS boot environment , its has ZFS now. The 'old' environment always said it has an 'error' and shouldnt even running, but TAC said y'all had a special version, so it's fine.

If you upgraded from 22.05 to 23.01 and had a problem on 23.01, you could use the boot environment to boot back into 22.05 without reinstalling.

Can I ask again, how EXACTLY do I run a program that uses your special Chip' on board to verify and authenticate that my system is running authentic pfSense+ software. Does it need to be 'on'? Not sure if it's the same chip but whichever one displays whether it is on or not has always been off. Thought that chip was for VPN? Anyway, the trademarked pc sense chip to verify and authenticate - the software running.

The device that handles the authenticity part is used by the device when accessing the package repositories for packages and updates (all automatic). That is the "thoth" security chip.

VPN acceleration on 1100/2100 is handled by a different function, the SafeXcel cryptographic accelerator, which is unrelated.

@stephenw10 Awesome. Thanks.

Log lines indicate the exact moment of the events :

@leonroy said in Unbound was killed: out of swap space:

Jan 11 13:01:33 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0.

and while it's starting - 15 seconds later :

@leonroy said in Unbound was killed: out of swap space:

Jan 11 13:01:48 unbound 63374 [63374:0] info: service stopped (unbound 1.12.0).

and a small instance (< 1 second) :

Jan 11 13:01:48 unbound 63374 [63374:0] notice: Restart of unbound 1.12.0.

To make a long story, go to the Unbound / Resolver settings page and uncheck this :

ffec4b58-bccf-4e36-8b6e-dc41c1cea202-image.png

Stick a post-it on the pfSense box that says :
"Check the resolver logs again after 48 hours and see how many stops/restarts happened the last 48 hours".
If you find "a couple" or even less : issue solved.

@kiokoman

Thank you for your quick and clear reply!
This helped me out a lot, I didn't realize we could add "Send options" in such a way!

I haven't managed to get a public IP yet but am getting closer and closer :)

Have a great day

@curtisj - does this help you at all - it worked for me (twice recently) https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html

I have around a dozen SG-1100 in production, they tend to arrive to me in two's or three's so I configure, and software upgrade them one after another, and ship them out. This gives me a some sort of impression of how consistently they behave. Anyway, the last three arrived with me just over a month ago, and I performed a vanilla out-of-the-box config on them, and then the upgrade to pFsense Plus. One decided to brick itself rather than take the upgrade (so I used the procedure above to recover it) and the other two took the upgrade just fine via the web ui. And now I'm thinking about it, there was one that I stuck a label-printed note onto the top that I was unable to serial console onto it.... Maybe I'll revisit that unit and use the warranty. As I'm supplying them to technically-capable users, but not neccessarily firewall technically familiar, I perform multiple reboots before shipping them out and always keep a copy of the final config. But again in this most recent batch one decided that it would be a brick after being DHL'd to the user. Used the procedure above, and blasted the config back onto it, and it's been fine since.

@zacaustin

I have a Sony Bravia and a sg3100, it’s on my guest vlan
It works perfectly hardwired.. I have a Ubnt nano mounted directly above it which also works fine..

It works on just the out of box dns resolver for me and also by setting it up with next dns google blocking... where it’s pushed dns servers by pfsense and it blocks google services

@johnpoz I tried accessing web UI from the LAN device to IP 192.168.1.1
I also had tried from a device on the WAN accessing the router assigned IP of 192.168.1.30.

Neither worked.

Hard to see how that could be. The packet is arriving over the IPSec. TCP Syn packets are tiny anyway. But if you've seen something similar before I guess....

But that pass rule should match and clearly isn't. IP Options on it or something odd?

Steve

Indeed, I've never tried it and only recently became aware you could connect directly like that. I could see how it might be possible though.

Steve

Hey @jimp,
For the SG-1100, I know its an Arm box, it one of the reasons I bought it. I said arm64, as that's what bsnmpd reported, instead of Aarch64.

I had a chance to install Net-SNMP on the SG-1100 and it returns ifHCInOctets and ifHCOutOctets:
$ snmpwalk -v2c -c <redacted> 192.168.1.254 | grep -i -e inoctets
IF-MIB::ifInOctets.1 = Counter32: 1066212313
IF-MIB::ifInOctets.6 = Counter32: 0
IF-MIB::ifInOctets.7 = Counter32: 147998
IF-MIB::ifInOctets.8 = Counter32: 0
IF-MIB::ifInOctets.9 = Counter32: 0
IF-MIB::ifInOctets.10 = Counter32: 339689700
IF-MIB::ifInOctets.11 = Counter32: 549481782
IF-MIB::ifInOctets.12 = Counter32: 121263171
IF-MIB::ifHCInOctets.1 = Counter64: 1066384951
IF-MIB::ifHCInOctets.6 = Counter64: 0
IF-MIB::ifHCInOctets.7 = Counter64: 147998
IF-MIB::ifHCInOctets.8 = Counter64: 0
IF-MIB::ifHCInOctets.9 = Counter64: 0
IF-MIB::ifHCInOctets.10 = Counter64: 339693366
IF-MIB::ifHCInOctets.11 = Counter64: 549639578
IF-MIB::ifHCInOctets.12 = Counter64: 121267407

I'll have to keep playing to make sure there is no functionality loss (OIDs returned, etc), but right now I'm happy!

Thanks!
David

No, no reboot required.

https://forum.netgate.com/topic/144636/sg-1100-intermittent-reboots

@muppet said in SG-1100 PPPoE Performance:

@akuma1x Yes it's easy enough to buy some secondhand/commodity hardware.

Anything you can find with enough network ports and an Atom C3XXX, or Intel i3/i5/i7 processors, or even some of the more recent fast Celeron and Xeon processors. Those are all good for a pfsense box. Try to stay away from the laptop-grade mobile processors, and the older Celeron J1900 stuff. Those are going to show their age and weaknesses quicker than the other ones.

HP and Dell made/make some good small form factor stuff. Just make sure you can add at least 1 multi-port INTEL network card in there and you'll be all set with a nice pfsense firewall box.

Jeff

Chris already posted the link https://go.netgate.com/

Everything should be the same as any TAP bridge. You'll just have OPT and LAN on the same switch VLAN.

If you need that to resolve to a private IP you would still need to add that. Or you could disable DNS rebinding protection globally but adding that one domain is preferable.

Steve