Installing pfSense on Sophos XG 105 rev. 2

gtj

@stephenw10 said in Installing pfSense on Sophos XG 105 rev. 2:

@gtj said in Installing pfSense on Sophos XG 105 rev. 2:

WAN IP shows 0.0.0.0

Usually that means it's configured as DHCP but cannot pull a lease, is that the case?

What is it connected to? Check the dhcp logs for dhclient entries.

Steve

It is Indeed but so is my Backup configuration I loaded from the man pfsense router. That one connects to the web no problem.

stephenw10

So what is it connected to?

If it's a cable modem is that locked to the MAC of the other pfSense WAN?

gtj

@stephenw10 said in Installing pfSense on Sophos XG 105 rev. 2:

So what is it connected to?

If it's a cable modem is that locked to the MAC of the other pfSense WAN?

It is a cable modem from those all in one devices the ISPs provide. I want to use it as a modem with PPPoE passthrough and use pfsense to handle the routing and WiFi.

stephenw10

Well I would try spoofing the WAN MAC address to the same as the old device then.

You could also connect it to some other device with a DHCP server in it to check it will pull a dhcp lease at all.

CCPFLDN

@gtj Most ISP modems will issue the Public IP to the MAC address of the device that is connected when it is turned on. You can't then swap it for another router because it will have a different MAC, as the Public IP has been issued to that MAC.

On some ISPs (E.g Virgin Media in the UK) it is a simple fix; you just have to restart the modem between switching routers (so the modem doesn't go through it's boot process with the old router connected).

On other ISPs there may be some different processes, e.g notifying them of the MAC address manually. In that case MAC spoofing is your only option.

gtj

Thanks for your invaluable help guys.
I will try either restarting the modem or spoofing the MAC address.

My ISP modem is indeed a Virgin UK superhub but in this instance, I'm trying to prepare a fresh pfsense installation to move it to my parents house in Greece when I go there in July.

From what I gathered the connection there is a 100/10 cable PSTN with a Speedport Entry 2i modem/router .

By spoofing it within the WAN settings of pfsense, do you mean that I have to manually set the MAC address which corresponds to the Sophos Igb0 I have assigned as WAN port?

CCPFLDN

@gtj Well it sounds like the issue you have is that you didn't restart the Virgin Cable Modem when you switched the routers? so you won't need to do any spoofing, but if you did, yes you would be setting the WAN MAC to match the WAN MAC of the router that you swapped out.

gtj

@ccpfldn said in Installing pfSense on Sophos XG 105 rev. 2:

@gtj Well it sounds like the issue you have is that you didn't restart the Virgin Cable Modem when you switched the routers? so you won't need to do any spoofing, but if you did, yes you would be setting the WAN MAC to match the WAN MAC of the router that you swapped out.

No I haven't indeed. So I presume when I revert back to my main APU2C4 pfsense I'll have to restart the modem again prior to connecting the router back?

What baffles me is that in my current main APU pfsense I also can't see the WAN MAC address under WAN settings. The space is empty like it's the case with the Sophos one.

CCPFLDN

@gtj That's correct yes. The Virgin Media Superhub in modem mode can only issue one Public IP at a time to one MAC address at a time, and must be restarted in order to change the connected device.

You will have to follow a process every time you switch between routers or the second one you connect will be unable to obtain an IP, as you have found out.

This has actually been the case for about 20 years with all the previous generations of Ambit Cable modem they provided back when they were NTL/Telewest and it applies to some other ISPs around the world as well.

I go through the process methodically with any ISP provided device, disconnecting the old router, turning the ISP modem off for 10 seconds, then back on and waiting for it to boot up before connecting the new router just to make sure it can't lock to any other device.

gtj

@ccpfldn said in Installing pfSense on Sophos XG 105 rev. 2:

@gtj That's correct yes. The Virgin Media Superhub in modem mode can only issue one Public IP at a time to one MAC address at a time, and must be restarted in order to change the connected device.

You will have to follow a process every time you switch between routers or the second one you connect will be unable to obtain an IP, as you have found out.

This has actually been the case for about 20 years with all the previous generations of Ambit Cable modem they provided back when they were NTL/Telewest and it applies to some other ISPs around the world as well.

I go through the process methodically with any ISP provided device, disconnecting the old router, turning the ISP modem off for 10 seconds, then back on and waiting for it to boot up before connecting the new router just to make sure it can't lock to any other device.

Thank you so much for the detailed and comprehensive response. Much appreciated!

Hope the same will apply to the other modem overseas.

deanfourie

I just got my hands on a Sophos XG106 and looking at getting pfSense installed. I got it for nothing so getting pfSense installed on it would be a great bounus.

First thing i've noticed is, I dont get anything from the HDMI port, no signal whatsoever.

Is it possible to do this entire process via serial?

Thanks

CLEsports

@deanfourie Yes, it's possible to install pfSense using only the serial port. Use 115200 for the speed on the COM port for pfSense. If you want to get into the BIOS on your Sophos box for any reason, use 38400

deanfourie

@clesports Excellent, thanks.

Are there any tricks or catches I should know about.

eg. How to enter BIOS?, if the install hangs etc.

Also, does this work for all sophos models including the XG and XGS models do we know?

Thanks

CLEsports

@deanfourie Don't remember what key off-hand, but it'll say on the screen. Worked on my XG 310. Didn't need to go into the BIOS on mine, but the option was there. As far as I know, it works on all models

dermicha

Just installed pfSense 2.6.0 on Sophos SG 105 Rev 2 Hardware.

Image: pfSense-CE-memstick-serial-2.6.0-RELEASE-amd64.img

Written to memdrive by raspberry pi imager, on Mac OS 13.1.

Disabled the "Port 60/40 emulation" Thing in Bios

Connected to console via USB to Serial Adapter with HPE Serial DB9 cable.

Only thing to do, change com port speed to 115200 to recieve some data.

VGA Image didn't work due to several issues made me curse.

dkzsys

Thanks for the tips here. I managed to install pfSense 2.6.0 on an Sophos XG125w successfully. However, having some challenges with the eth port connections - "no carrier" status for all ports.

Some help/advise would be much appreciated. Details here @ pfSense on Sophos XG125w - "no carrier" on all eth interfaces

Thanks in advance.

Aggregating_Netgator

I wonder if anyone of you champs who has installed pfSense on Sophos XG 105 rev.2, could advise how's the OPEN VPN download speed.

SOPHOS websites indicates it's 360 Megabytes per second, as seen in the below link, but then again it's measured under their own software, and not under pfSense.

https://www.enterpriseav.com.au/XG-Firewall.asp

Thanks!

stephenw10

The Atom E3826 is the same CPU used in the MBT-2220 so you might want to check posts for that too.

xXNorthXX

Another model reference.

The Sophos SG 115w (rev 2) - Intel E3827 (@ 1.74GHz), 4GB DDR3L, and 64GB SSD (SATA 6Gbps).

Bios adjustments

1. change boot order so usb stick is first
2. disable the 60/40 emulation
3. changed the comm port speed to 115200

Installed the pfSense v2.7 CE memstick build without any complaints.

eth0 = wan
eth1 = lan
eth2 = OPT1
eth3 = OPT2
ath0 = Wireless

Only issue I had with the few units was the cmos battery needed to be re-taped down, otherwise no issues.