SG3100 limitations
-
@stephenw10 said in SG3100 limitations:
You can configure the on-board switch on the 3100 to separate a port as a discrete interface via internal VLANs.
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
Steve
Yep! Forgot about that little tidbit of the SG-3100's capabilities.
-
That guide was very helpful. I got the interface set up as its own VLAN and was able to set up the DHCP server on it as well. Should the firewall rules for the interface be the same setup as LAN?
-
@Burner27 said in SG3100 limitations:
That guide was very helpful. I got the interface set up as its own VLAN and was able to set up the DHCP server on it as well. Should the firewall rules for the interface be the same setup as LAN?
I would not expect them to be the exact same. The ideal goal would be for the Minecraft server to be completely cut off from your LAN. But since I suspect you want to be able to play from a client device on your LAN, then you will need some rules on your LAN side to enable access to the DMZ side. Remember that in pfSense you put firewall rules on the ingress interface (so something like "source = LAN, dest = DMZ, allow" on the LAN interface). In reality it would be best to lock that down to certain ports and protocols and even certain IP addresses if feasible.
On the DMZ side, you would want to generally block all unsolicited inbound access from the DMZ into your LAN. But I'm not familiar with Minecraft operation, so you may not be able to do that 100% (but I suspect you could). So something like this for 100% isolation: "source = DMZ, dest = LAN, deny" on DMZ interface.
To set your way of thinking, consider that DMZ and all servers in it to be the same as the Internet. In other words, the wild-west and evil and infected. Then base your firewall rules on the DMZ and LAN interfaces accordingly. Of course you still need the game server to function, so some amount of communications will have to be allowed. A fair amount of experimentation may be required to find the magical combination of maximum security and full functionality.
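As an added example that is not code from the thread, here is a tiny stateful, first-match packet filter in Python that models the ingress-interface rule placement bmeeks describes above (pass LAN clients to the game server, block anything the DMZ initiates toward the LAN) and shows why the DMZ-side deny does not break the server's replies. The subnets, the server address and the TCP port are constructed assumptions.

```python
"""Added example, not code from the thread: a tiny stateful, first-match packet
filter modelling how pfSense applies rules on the ingress interface, using the
LAN/DMZ rules described above. Subnets, hosts and the port are constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # constructed LAN subnet
DMZ = ipaddress.ip_network("192.168.50.0/24")         # constructed DMZ subnet
MC_SERVER = ipaddress.ip_network("192.168.50.10/32")  # constructed game-server host
MC_PORT = 25565                                       # assumed game-server TCP port
ANY = None

# Rules live on the interface a packet *enters*; first match wins.
# Rule tuple: (source network, destination network, destination port, action)
RULES = {
    "LAN": [
        (LAN, MC_SERVER, MC_PORT, "pass"),  # LAN clients reach only the game port
        (LAN, DMZ, ANY, "block"),           # nothing else from LAN into the DMZ
        (LAN, ANY, ANY, "pass"),            # LAN to the Internet
    ],
    "DMZ": [
        (DMZ, LAN, ANY, "block"),           # DMZ never initiates into the LAN
        (DMZ, ANY, ANY, "pass"),            # DMZ hosts may still reach the Internet
    ],
}


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # flows already passed: (src, sport, dst, dport)

    def filter(self, iface, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Stateful shortcut: a reply to a flow passed earlier is accepted without
        # consulting rules, so "block DMZ -> LAN" does not break server replies.
        if (dst, dport, src, sport) in self.states:
            return "pass"
        for s_net, d_net, port, action in self.rules.get(iface, []):
            if s_net is not ANY and src not in s_net:
                continue
            if d_net is not ANY and dst not in d_net:
                continue
            if port is not ANY and dport != port:
                continue
            if action == "pass":
                self.states.add((src, sport, dst, dport))
            return action
        return "block"  # implicit default deny when no rule matches
```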
-
@bmeeks I had the random reboots running Snort on my SG-3100. About weekly, and generally during heavy activity (you know, right when you don't need a random reboot). Nothing in the logs, no panic, no crash, just a sudden and unexplained restart. I suspected overheat, but support said my 70°C temperature readings were fine and normal. That seems kind of high, especially since I had the thing isolated and ventilated pretty well.
I honestly don't think the hardware is up to the task, and even Netgate support... they didn't come right out and say that, but they did suggest that I try Suricata instead as it is much more CPU efficient than Snort.
I replaced my SG-3100 with an SG-5100 and the performance difference is significant, to say the least! I'm realizing that the divide between a plastic toy and a machine made of metal is right here between these two devices. I couldn't even get line speed transfers on the SG-3100, and now I'm consistently able to get 920/920 speed test (nice low latency too, 3ms/4ms unloaded/loaded) on my 1000/1000 fiber connection. On the SG-3100 speed tests were coming up more like 650/650 and latency around 4ms/10ms. Maybe better right after a fresh reboot, but not for long after.
I think the advice for an SG-3100 user is to run as vanilla a config as you can, and no unnecessary packages... I was running some accounting/reporting packages at first (ntopng, darkstat, bandwidthd) and I think even just that was putting too much load on.
SG-5100 is a big step up in price, but I think it's reflective of the performance increase.
Cheers.
-
@tjcooks4829 I have to agree with you about the SG3100 not being up to the task. Am glad I'm not the only one experiencing those random reboots while running Snort. I had the same issues running Suricata, so I would have to go up to the SG5100 as well to resolve my issue. Although I did speak with bmeeks in this thread and we agreed there is no need to run Snort or Suricata unless I am hosting things behind it. Right now I am only running pfBlockerNG-dev to block ads and GeoIP which seems to have minimal impact on the hardware. My average ping is 13ms whereas the previous device I was using was always sub 10ms using the same connection. I am very tempted to repurpose an old Haswell-EP machine for pfSense.
-
@Burner27 I'm not sure I agree that there's no reason for a home user to run IDS/IPS. The main use case being it will detect (and block, if so configured) outbound traffic from a compromised machine on your network.
One more layer of protection -- definitely a layer of last resort, but really useful. Ransomware is really rampant and on the rise, and running frequently updated signatures on Snort can catch emergent threats, whether or not your family has turned off their annoying virus protection. ;-). Cheers.
-
@Burner27 I have an SG3100 running pfBlocker with GeoIP + Snort on the 2 WANs and I have 4 separate VPNs; on average I get 12 users connected simultaneously.
It runs until it slows down, but between 3 to 8 days it restarts, like @Burner27 commented. I realized that when I used it without pfBlocker and Snort, it never restarted.
I thought it was temperature as @tjcooks4829 also commented, but it's not, because it's on a UPS and in a room with reduced air conditioning. I believe it's a lot for its own capacity.
I'm on version 2.4.1-p1. When 21.01 came out I researched it and found that there were a lot of errors, so I ended up leaving it. I saw that it's already at version 21.05; I'm working up the courage to update.
In summary I think the SG3100 is pretty overloaded for what I use it for, but unfortunately I can't buy an SG5100 right now. Greetings
-
Removed auto update from Snort and pfBlocker. I will monitor whether the reboots stop without auto update.
-
I am not sure where I read it, but it was mentioned the code for pfSense is 64bit and running it on a 32bit CPU like the SG3100 has inside it has been 'challenging'. I have since moved away from my SG3100 in favor of a device that is more robust. Not saying I don't have any issues, but I have fewer issues running it now on the new hardware.
-
@burner27 I intend to switch to the SG5100 in the future
-
@luketa I didn't go that route.
-
For the record, I updated the SG-3100 to version 21.05; it updated successfully with no errors, but Snort does not start.
-
If you are running pfBlocker, Snort or Suricata in 21.05 you will be hitting this bug on the 3100:
https://redmine.pfsense.org/issues/11466
You should apply the patch listed there:
https://redmine.pfsense.org/attachments/download/3707/patch-disable-pcrejit-arm.diff
I would also recommend running Suricata instead of Snort right now. I'm running that here without issue.
Steve
-
@stephenw10 I applied the patch, I have 2 WAN.
WAN2 started the Snort service,
WAN1 is processing and does not start.
Is there something I could do to fix it? I would like to continue with Snort.
Thanks
-
Check the Snort logs for ruleset errors.
Usually (on other platforms!) if it doesn't start like that it's because you are loading signatures for a pre-processor that isn't enabled. The logs are pretty clear when that happens.
Steve
-
@stephenw10
I tried everything to get Snort working, it really won't. I installed Suricata and it's running 100% on version 21.05.
thank you all.
-
Yeah, I would use Suricata at least until this is resolved.
I opened a separate bug for the Snort issue as people were confusing it with the PHP issue and it's not the same problem at all: https://redmine.pfsense.org/issues/12157
Steve
-
@luketa said in SG3100 limitations:
@stephenw10
I tried everything to get Snort working, it really won't. I installed Suricata and it's running 100% on version 21.05.
thank you all.
Glad Suricata is working well for you. The Snort problem is a tough one to solve. Understanding the root cause of the error requires being skilled in the art of assembly language level programming in the ARM CPUs. It has to do with the specific CPU opcodes the compiler chooses to employ when converting certain memory operations coded in C into the binary CPU opcode equivalents.