Install PFSense on a Sophos SG appliance

oz9els

@stephenw10
Hi Steve, thanks for your interest.
The first 4 ports are reported as Intel 10G media ports, in the initial/config console (and are not working).
The next 4 ports are reported as Intel Gigabit ports (em) and works fine. Besides that pfSense works great on the Sophus SG 125 box. About 300MB/s on a OpenVPN.

Not sure which driver is used, but I will do a "ifconfig -vm", when i get home to the box.

k.r. Niels

stephenw10

@oz9els said in Install PFSense on a Sophos SG appliance:

About 300MB/s on a OpenVPN.

Nice. What CPU does it use?
If it reports 10G NICs they will be ix which is interesting to find next to em NICs.

Steve

oz9els

The CPU is:
CPU Type Intel(R) Atom(TM) CPU C3508 @ 1.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

The box has 8 ethernet ports (4 reported as 10Gb), one SFP port, a serial-console and 2 usb and include a dual external PSU - Quite a nice box, and only uses arround 12w in idle mode.
I will make some photos of the inside..

With a ifconfig -vm i get the same for all interfaces ibg1-ibg4 (marked Eth4-Eth8 on the box):

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=753fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f8
hwaddr 7c:5a:1c:78:41:f8
inet6 fe80::7e5a:1cff:fe78:41f8%igb0 prefixlen 64 scopeid 0x1
inet 192.168.64.130 netmask 0xffffff00 broadcast 192.168.64.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP

These interfaces work well at 1 Gb.

The interfaces marked Eth0->Eth3 all look like this:

ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f4
hwaddr 7c:5a:1c:78:41:f4
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
supported media:
media autoselect
media 10baseT/UTP
media 100baseTX
media 1000baseT

I also have one more:
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc

stephenw10

enc0 is the IPSec interface, it's created even if you don't have any IPSec tunnels.

Those ix NICs are exactly what I would expect for a C3K Atom. The driver might show as 'TenGigabit' in the boot log but they have 1G PHYs so are limited to 1G. Since the interfaces are created that looks good. Do they work as expected at 1Gbps?

Steve

oz9els

Initially I could not get them to work (just after the installation) Tried to use them as WAN and LAN - They got link, but no traffic.
Did some testing tonight, and then it looked like they worked just fine.. I will test a bit more..
Will also try to scratch the config and start over, just to be sure - Perhaps the problem was elsewhere ;-).

k.r. Niels

oz9els

BTW, I have taken some pictures of the SG 125 inside, if anyone is interested

gcu_greyarea

Hi, in the pics I saw the that the appliance is a V3 version which has the C3000 CPU.
I think versions prior to V3 still have the Atom C2000.

oz9els

@gcu_greyarea Think you are right.. I also stumbled over that fact somewhere.. ;-)

gcu_greyarea

People in AU have often complained about the cost of purchasing a Netgate appliance, despite wanting to support the project...
E.g. a 5100 will cost between 1100-1200$ AU delivered. Purchasing from local resellers/distributors will often come at the same or higher price.
You can buy a brand new SG125v3 for around 850$AU, but it’ll come with a lower clock speed (C3508 vs C3558)
I’d love to purchase a 5100 for home use but right now cannot afford it. Obviously for a business 1200$ for a 5100 is a good price when compared to other vendors.
Also - i know I’m looking at hardware prices only... i also understand that pfSense’s value is in the software and community - which isn’t reflected in the hardware price....
I wish there was a more cost effective method for purchasing netgate appliances in AU. Maybe with the arrival of Amazon in AU there could be local stock and more competitive pricing, considering the presence of chinese mini PC’s...

mickesanda

Hi,
I just installed PFsense 2.4.4 on my 2 Sophos SG330 and everything works great with the exception of the LCD.
I installed LCD Proc but I do not know which driver to choose. I tried almost all possible combinations without luck.
If anybody knows what I should choose, I would be grateful for any help.
Also, do I need to reboot for every driver change in order to make the new LCD driver active?

Thank you in advance,
Mike

stephenw10

@mickesanda said in Install PFSense on a Sophos SG appliance:

Sophos SG330

Depends which hardware revision, I think. It's probably the EZIO driver if it's the Portwell box.

You have a picture?

Steve

mickesanda

Hi Steve and thank you for replying.
I opened the box and it is obvious that the LCD is connected to a COM-port, it says RS232 on the circuit board. Attached i have serial number and revision. So, when I read the documentation, Portwell Ezio means I have to choose "HD44780 and compatible", but after that, I'm lost......
There are a few chioces under the "com port" and a few other choices under "Connection type"
All suggestions are greatly appreciated.
Thx, Mike!

If i google "GFC1602AI" as it says on the sticker I find this manufacturer:
GIFAR Technology

here is the tech spec for GFC1602AI from the manufacturer.PDF

mickesanda

After a few combinations, I succeeded to achieve this:

With these settings. Any ideas on what needs to be changed?

stephenw10

Ok yeah that is the EZIO display. The driver itself should be in LCDproc but I don't think the option to select is in the package yet. You will probably have to start it separately until it is added. See: https://forum.netgate.com/post/795491

Steve

mickesanda

@stephenw10 Thank you, I already read that post like 3 times and I think I understand what needs to be done. If I understand correctly, the driver is already in the package, I need to create a file called LCDd.conf under root.
Unfortunately, as the other guy in the thread, I am quite novice at that(Unix, Linux, BSD). I'll try and fix it somehow.
Do I need to uncheck "Enable LCDproc at startup" or just choose default settings?

stephenw10

Yes disable it in the package and use a shellcmd to start it instead so you can use a custom lcdd.conf file.

mickesanda

@stephenw10 I'll give it a try. I purchased 2 X XG-1537 HA for 1 month ago as a replacement for the Sophos SG330. They are way faster and better than Sophos.
So far I'm happy with my choice. So these old Sophos machines are in no way in production, just my curiosity that needs to be satisfied.

stephenw10

Reuse beats Recycling IMO.

mickesanda

@stephenw10 I created LCDd.conf under root.
This is the content:
[server]
DriverPath=/usr/local/lib/lcdproc/
Driver=hd44780
Bind=127.0.0.1
Port=13666
ReportLevel=3
ReportToSyslog=yes
User=nobody
Foreground=no
ServerScreen=no
GoodBye="Thanks for using"
GoodBye=" pfSense "
WaitTime=5
ToggleRotateKey=Enter
PrevScreenKey=Left
NextScreenKey=Right
ScrollUpKey=Up
ScrollDownKey=Down
[menu]
MenuKey=Escape
EnterKey=Enter
UpKey=Up
DownKey=Down
[hd44780]
driverpath=/usr/local/lib/lcdproc/
ConnectionType=ezio
Device=/dev/cuau1
Keypad=yes
Size=16x2
KeyMatrix_4_1=Enter
KeyMatrix_4_2=Up
KeyMatrix_4_3=Down
KeyMatrix_4_4=Escape

I also added 2 shellcmd with this content:
1: /usr/bin/nice-20/usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &
2: /usr/bin/nice-20/usr/local/bin/lcdproc C T U &

Not sure about the punctuation though, can you please check if there is a space too many or something similar?

I get sh: /usr/bin/nice-20/usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf not found
and one more similar line

stephenw10

Yes. 'nice' is a separate command so the shellcmds should be:
/usr/bin/nice -20 /usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &
/usr/bin/nice -20 /usr/local/bin/lcdproc C T U &

Steve