
Messages - mwp821

General Questions / Re: Found a bugfix, how to get it added to the wiki?
« on: February 09, 2018, 01:24:05 pm »
It's still in the pfSense book.

I'm having a similar daily kernel panic that I can't solve; maybe I'll try this.

General Questions / Re: System crash on gateway alarm?
« on: January 24, 2018, 01:00:38 pm »
Welp, this is still happening about once a day, and the two things I thought might be responsible turned out to be non-factors (the tso tunable is set to zero and vlanhwtso is left alone and it's still happening). I also no longer believe it has anything to do with the gateway alarm.

I'm looking for any clues as to why this might be happening. I'm going to try to capture the console messages at the time of the crash using ttylog, but I'm not hopeful.

Just to throw another idea out there, why not connect the UniFi Cloud Key directly to an unused interface on the SG-2440 (you may need to use a crossover cable) and bridge the interfaces? It would not be appropriate for high-performance applications, but it should be fine for a management device.

You could also ditch the Cloud Key and run the UniFi Controller directly on pfSense.

Finally, since you're already in the UniFi ecosystem and you have a small PoE+ requirement, maybe consider a US-8-60W (or even a US-8-150W). It's a little pricier than the other options mentioned but it'll integrate nicely and eliminate the need for an injector to feed the AP.

General Questions / System crash on gateway alarm?
« on: January 19, 2018, 12:28:25 am »
Hi folks,

My pfSense system (RCC-VE 2440) has gone offline three times in as many days. It's unpingable on the LAN interface, no services are reachable, and the serial console is blank and unresponsive. I have to power-cycle it to get it back online and everything is fine after that (until the next crash). Here are the last few lines in the system log before the reboot:

Jan 18 23:58:43 cerberus rc.gateway_alarm[71831]: >>> Gateway alarm: WAN_DHCP6 (Addr:REDACTED Alarm:1 RTT:12894ms RTTsd:3415ms Loss:21%)
Jan 18 23:58:43 cerberus check_reload_status: updating dyndns WAN_DHCP6
Jan 18 23:58:43 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:43 cerberus check_reload_status: Restarting OpenVPN tunnels/interfa
Jan 18 23:58:43 cerberus check_reload_status: Reloading filter
Jan 18 23:58:44 cerberus rc.gateway_alarm[72628]: >>> Gateway alarm: WAN_DHCP (Addr:REDACTED Alarm:1 RTT:10710ms RTTsd:3043ms Loss:22%)
Jan 18 23:58:44 cerberus check_reload_status: updating dyndns WAN_DHCP
Jan 18 23:58:44 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:44 cerberus check_reload_status: Restarting OpenVPN tunnels/interfa
Jan 18 23:58:44 cerberus check_reload_status: Reloading filter

I expect the WAN interface to go offline if there's a connectivity issue, but certainly not the whole system. And the internet connection seems to be fine after a power-cycle, so I'm not convinced there isn't something else going on here.

igb0 is connected to a SB6120 (Comcast). igb1 and igb2 are LAGGed (LACP) to a UniFi managed switch. 2.4.2-RELEASE-p1. Any suggestions?

EDIT: I may need to undo what I did here, or perhaps I need to set the net.inet.tcp.tso tunable to 0. I'll try those one at a time to see if one or the other prevents a fourth or fifth crash.

General Questions / Re: VLAN_HWTSO?
« on: January 16, 2018, 05:17:29 pm »
Thanks heper. I don't need to do -tso, since it's already removed from the interface; and I don't need to do -vlanhwfilter, since the NIC in the 2440 doesn't seem to have a problem with that; so I just did -vlanhwtso.

Official pfSense Hardware / 2440: Update Intel NIC firmware?
« on: January 16, 2018, 05:11:56 pm »
I recently updated the Intel NIC firmware in another FreeBSD machine so I thought I'd do my 2440 as well. So here I am a few hours later, still trying to figure out how to do it. As far as I can tell, there's no way to boot into an EFI shell to run the BootUtil program, which seems to be the only way to apply the firmware update. Thoughts?

General Questions / VLAN_HWTSO?
« on: January 15, 2018, 02:59:04 am »
I've disabled TSO per the network tuning recommendations, but I still see the VLAN_HWTSO option on my physical interfaces in the output of ifconfig. I guess that the "Disable hardware TCP segmentation offload" setting causes pfSense to do ifconfig -tso on each physical interface, but not ifconfig -vlanhwtso. I suppose I'm wondering why this part of TSO is left enabled and if it makes sense to disable it as well?
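The post above describes checking ifconfig output by eye for offload flags that a pfSense checkbox did not clear. The following script is an added example (not from the poster or from pfSense) that does that audit mechanically: it parses FreeBSD-style ifconfig output, lists which TSO-related options (TSO4, TSO6, VLAN_HWTSO) are still set on each non-loopback interface, and prints the ifconfig commands that would clear them. The ifconfig text embedded in it is constructed to resemble the real format, not captured from a 2440; interface names and MAC addresses are placeholders.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output (not captured from the
# poster's 2440). igb0 has had `-tso` applied but still shows VLAN_HWTSO;
# igb1 has had both `-tso` and `-vlanhwtso` applied; lo0 is loopback.
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=6400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:00:00:00:00:01
\tstatus: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4000b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:00:00:00:00:02
\tstatus: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\toptions=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
"""

# Offload capabilities in scope: TSO4/TSO6 are what `ifconfig <if> -tso`
# clears; VLAN_HWTSO is the one the poster had to clear with `-vlanhwtso`.
TSO_OPTIONS = {"TSO4", "TSO6", "VLAN_HWTSO"}

IFACE_RE = re.compile(r"^(?P<name>[a-z0-9.]+): flags=")
OPTIONS_RE = re.compile(r"^\s+options=[0-9a-f]+<(?P<opts>[^>]*)>")


def parse_options(text):
    """Map interface name -> set of option flags from ifconfig output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = set()
            continue
        m = OPTIONS_RE.match(line)
        if m and current is not None:
            result[current] = {o for o in m.group("opts").split(",") if o}
    return result


def remaining_tso(text, skip_prefixes=("lo",)):
    """Return {iface: sorted TSO-related options still enabled}, skipping loopback."""
    report = {}
    for iface, opts in parse_options(text).items():
        if iface.startswith(skip_prefixes):
            continue
        left = sorted(opts & TSO_OPTIONS)
        if left:
            report[iface] = left
    return report


def suggested_commands(text):
    """ifconfig invocations that would clear what remaining_tso() found."""
    cmds = []
    for iface, left in remaining_tso(text).items():
        if "TSO4" in left or "TSO6" in left:
            cmds.append(f"ifconfig {iface} -tso")
        if "VLAN_HWTSO" in left:
            cmds.append(f"ifconfig {iface} -vlanhwtso")
    return cmds


if __name__ == "__main__":
    for iface, left in remaining_tso(SAMPLE_IFCONFIG).items():
        print(f"{iface}: still enabled: {', '.join(left)}")
    for cmd in suggested_commands(SAMPLE_IFCONFIG):
        print(cmd)
```

On a live box you would feed it the real output (`ifconfig | python3 audit.py` style) instead of the constructed string. The report reflects the running state only; an ifconfig change made at the shell does not survive a reboot unless it is also made persistent through pfSense's own configuration.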

Well this is a long and stupid story but to the best of my understanding the root evil was my new TP-Link AP (AP500). It's noisy and terrible and was causing issues even between wired devices. Changing the wireless settings from Multi-SSID mode to simple AP mode (or disconnecting it entirely) would completely solve the packet loss and latency issues. I should have mentioned that I got a new AP in my original post and didn't, so that's my bad.

I tried working with TP-Link support to resolve this issue. I also read up on all the issues with TP-Link hardware that people have reported (on this forum and TP-Link's own forum) over the past few years. It would have been smart to do this research before I spent ~$400 on TP-Link smart switches and the AP. ::)

Ultimately, I decided to rip out the AP and replace it with a UniFi AP (AC Pro). It's amazingly awesome—and $10 cheaper than the AP500, so go figure. I have some UniFi switches coming as well. My biggest complaint so far is that nobody seems to keep the 16-port, 150W switch in stock, so I had to pony up some big boy money for the 24-port, 250W model. I've got the controller running on an rpi2 and everything works great!

EDIT: To give some idea of what I was seeing, I had a wireless client on a SSID assigned to VLAN10, pinging the VLAN10 interface on the 2440. Packet captures in pfSense showed ICMP packets hitting the VLAN interface and its parent interface with partial overlap. It was completely bizarre.

General Questions / Re: Packet loss on RCC-VE 2440 after move and reflash?
« on: December 26, 2017, 10:56:34 am »
Probably not pfSense. Look at your layer 2. Packet capture on pfSense and run the same thing. Are the packets arriving?

Okay, I'll give that a try.

Shouldn't this be in "Official Hardware" ?

It's an RCC-VE 2440, not an SG-2440. ;D

Probably nothing hardware-specific there.

I hope this is the case but no other device on my network is experiencing packet loss.

General Questions / Packet loss on RCC-VE 2440 after move and reflash?
« on: December 25, 2017, 02:43:43 pm »
Hi folks,

I have a RCC-VE 2440 that's been quietly humming along running pfSense for a couple years now. We recently moved and I decided to reflash pfSense and start our new home network fresh. I also applied the CoreBoot upgrade (through packages).

Unfortunately, I started experiencing some packet loss around the same time that essentially renders the internet unusable. Even when I ping the unit from the switch it's attached to (see the attached picture). I'm not sure if something got jostled during the move, or if the CoreBoot upgrade changed something, or what. I've tried two different switches and two different network cables.

Any suggestions? I might try seeing if the problem persists after a factory reset.


EDIT: I had been running pfSense 2.3 and I flashed 2.4, so that might have something to do with it as well.

IPsec / Trouble routing traffic for OS X 10.11 IKEv2 client
« on: November 13, 2015, 10:13:07 am »
Hi everyone,

I followed this guide to a "T" (including setting the local network to and configured an OS X 10.11 client. I can connect and everything seems hunky dory but something is amiss with either my routing table or the firewall rules. I can't reach the internet, and connections to intranet hosts seem limited to ports 22 and 80, which leads me to believe that the anti-lockout rule is applying but not the pass-all IPSec rule.

Any suggestions? Thanks in advance. :)

Fixed, sorry for the trouble. Most installs don't pull from there, but fixed for future updates as well for those that do.

No worries, it happens. ;) Should I be using a different URL? I have the RCC-VE 2440.

The upgrade you did to get it back to 64 bit should be fine, you just have to power cycle it afterwards since the 64 bit reboot command can't run on the 32 bit kernel.

Yes, spot on. That's exactly what I had to do. Thank you for confirming my approach!

How is that even possible?

How is what even possible? That someone uploaded the wrong file to an FTP server?

IIRC, the config.xml backup is platform-agnostic.  Do a backup, wipe and install with x64 then restore.

Thanks KOM. I wasn't able to retrieve config.xml and the web console was not usable (it showed the maintenance message). I think I'm all set now.

The 2.2.5 firmware available at is the i386 version. Unfortunately, I found out the hard way:

[2.2.5-RELEASE][mwp@XXXXX]/home/mwp: uname -a
FreeBSD XXXXX 10.1-RELEASE-p24 FreeBSD 10.1-RELEASE-p24 #0 f27a67c(releng/10.1)-dirty: Thu Nov  5 10:59:55 CST 2015  i386

Taking a look at the sha256 sum:

mwp@YYYYY:~$ curl | shasum -a 256
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 94.2M  100 94.2M    0     0   9.7M      0  0:00:09  0:00:09 --:--:-- 10.6M
0a3bf70851de81aa8fae3c91e5ec65884505d503847fe952784bace945902c4d  -
mwp@YYYYY:~$ curl
SHA256 (netgate-2.2.5-RELEASE-Full-Update-i386.tgz) = 0a3bf70851de81aa8fae3c91e5ec65884505d503847fe952784bace945902c4d

I manually applied a full install from and it didn't seem to work, because it didn't auto-reboot and I couldn't run any commands on the command-line. I waited about 30 minutes before forcefully rebooting it, rationalizing that if the firmware upgrade got far enough, there would be a new kernel and userspace binaries and the system would hopefully come back up. Miracle of miracles, it did. I'm reapplying the full install again just to be sure everything is clean and then I'll see what state my config is in. I was able to recover config.xml and all the backups so worst case scenario I can restore to an earlier point in time. Whew!
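The checksum step in the post above is the right instinct, but it only proves the download is the file the server published; the hash matched and the file was still the wrong (i386) build. As an added example, not from the poster or from Netgate, the script below parses the BSD-style "SHA256 (name) = hex" line, compares the digest in constant time, and then also checks that the filename carries the architecture you intended to install. The image bytes and checksum line are constructed inline so it runs offline; the filename pattern follows the one pasted above.

```python
import hashlib
import hmac
import re

# Constructed sample: fake "downloaded" bytes and a matching line in the
# BSD `sha256` output format the poster pasted. No real image or sum here.
SAMPLE_IMAGE = b"not a real firmware image, just constructed bytes\n"
SAMPLE_SUMS = (
    "SHA256 (netgate-2.2.5-RELEASE-Full-Update-i386.tgz) = "
    + hashlib.sha256(SAMPLE_IMAGE).hexdigest()
    + "\n"
)

BSD_LINE_RE = re.compile(
    r"^SHA256 \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-fA-F]{64})\s*$"
)
# Architecture is taken from the filename suffix, e.g. "-i386.tgz" / "-amd64.tgz".
ARCH_RE = re.compile(r"-(?P<arch>i386|amd64)\.tgz$")


def parse_bsd_sha256(text):
    """Return {filename: lowercase hexdigest} from BSD-style SHA256 lines."""
    sums = {}
    for line in text.splitlines():
        m = BSD_LINE_RE.match(line)
        if m:
            sums[m.group("name")] = m.group("hexdigest").lower()
    return sums


def verify_image(data, sums_text, expected_arch):
    """Check integrity (digest) and identity (arch in filename) of a download.

    Returns (ok, reason). A matching digest only shows the bytes are what the
    server published; the arch check guards against the wrong build.
    """
    sums = parse_bsd_sha256(sums_text)
    if len(sums) != 1:
        return False, f"expected exactly one checksum line, got {len(sums)}"
    name, expected_hex = next(iter(sums.items()))
    actual_hex = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual_hex, expected_hex):
        return False, f"sha256 mismatch for {name}"
    m = ARCH_RE.search(name)
    if not m:
        return False, f"cannot determine architecture from filename {name!r}"
    if m.group("arch") != expected_arch:
        return False, f"hash matches but {name} is {m.group('arch')}, wanted {expected_arch}"
    return True, f"{name} verified ({expected_arch})"


if __name__ == "__main__":
    # The poster's situation: the digest matches, but the build is i386.
    print(verify_image(SAMPLE_IMAGE, SAMPLE_SUMS, "amd64"))
    print(verify_image(SAMPLE_IMAGE, SAMPLE_SUMS, "i386"))
```

With real files you would read the downloaded .tgz and the published .sha256 text instead of the constructed values, and pass the architecture reported by `uname -m` on the target (amd64 for the 64-bit 2440 build) as expected_arch.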
