Install pfSense on Stormshield SN300
-
How to install pfSense 2.4.5p1 without the nanobsd-vga.img?
I tried with pfSense-CE-memstick-2.4.5-RELEASE-p1-amd64.img, but it seems to be a live boot.
Booting pfSense-CE-memstick-2.4.5-RELEASE-p1-amd64.img from a USB key seems impossible.
Is all configuration of the switch done via its serial console, i.e. in
cu -l cuau1 -s 19200
Also, I changed the memory from 1 GB to 2 GB.
-
When I installed the U250S I installed pfSense on a different machine and then moved the drive back into it.
I could not make it boot from USB there either; it appears to be locked in the BIOS.
Yes, all the switch config is done via the internal serial connection. I tried again yesterday out of curiosity and although the switch is able to get an IP and connect on the correct VLAN it does not respond to ssh/telnet/http(s).
I believe the Stormshield/Netasq OS is FreeBSD based and they upstreamed code for the etherswitch framework but sadly not for this switch for whatever reason.
E.g. https://github.com/pfsense/FreeBSD-src/commit/63843c9be40aba2fb7e803960fb7d4fcee1d3eeb#diff-2c6515420922ed8e8d8f0cf43c645431
Steve
-
When I installed the U250S I installed pfSense on a different machine and then moved the drive back into it.
I already did and I just did it again.
I connected the 2 GB SSD to a SATA to USB adapter.
I start pfSense with my Zalman VE300, select the 2 GB SSD with an MBR partition, access the commands and execute the command
poweroff
I put the SSD back in the Stormshield, I start it, I see the Stormshield logo, then a black screen with a blinking cursor
_
I have nothing via the console port.
I use the file: pfSense-CE-2.4.5-RELEASE-p1-amd64.iso
-
I installed in another device with a serial console using the serial memstick image.
But if you install on something from ISO you would have to first enable the serial console before you swap the SATA module back.
Steve
-
Here's some feedback,
I managed to install pfSense 2.4.5 x64 last night.
The problem probably came from the boot mode (Legacy / UEFI).
On the PC, I forced the pfSense installer to start in Legacy mode.
pfSense then started and I did a little configuration in
cu -l cuau1 -s 19200
SN300:/>port conf
Port Configuration:
===================
Port  State     Mode         Flow Control  MaxFrame  Power     Excessive  Link
----  --------  -----------  ------------  --------  --------  ---------  ----
1     Enabled   Auto         Enabled       9600      Disabled  Discard    1Gfdx
2     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
3     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
4     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
5     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
6     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
7     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
8     Enabled   Auto         Enabled       9600      Disabled  Discard    Down
9     Enabled   1Gfdx        Disabled      9600      Disabled  Discard    1Gfdx
SN300:/>vlan config
VLAN Configuration:
===================
Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     1     Untagged    Disabled        Untag PVID  Unaware
2     1     Untagged    Disabled        Untag PVID  Unaware
3     1     Untagged    Disabled        Untag PVID  Unaware
4     1     Untagged    Disabled        Untag PVID  Unaware
5     1     Untagged    Disabled        Untag PVID  Unaware
6     1     Untagged    Disabled        Untag PVID  Unaware
7     1     Untagged    Disabled        Untag PVID  Unaware
8     1     Untagged    Disabled        Untag PVID  Unaware
9     1     Untagged    Disabled        Untag PVID  C-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
1     default                           1-9
VID   VLAN Name                         Ports
----  --------------------------------  -----
VLAN forbidden table is empty
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/root: ifconfig -vma
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    capabilities=15399b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
    ether 00:0d:b4:11:6c:5c
    hwaddr 00:0d:b4:11:6c:5c
    inet6 fe80::20d:b4ff:fe11:6c5c%em0 prefixlen 64 scopeid 0x1
    inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    supported media:
        media autoselect
        media 1000baseT
        media 1000baseT mediaopt full-duplex
        media 100baseTX mediaopt full-duplex
        media 100baseTX
        media 10baseT/UTP mediaopt full-duplex
        media 10baseT/UTP
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    capabilities=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
enc0: flags=0<> metric 0 mtu 1536
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: enc
pfsync0: flags=0<> metric 0 mtu 1500
    groups: pfsync
pflog0: flags=100<PROMISC> metric 0 mtu 33160
    groups: pflog
-
With that config you should be able to connect to pfSense in the one address it has. All 9 ports are in vlan1, it's configured like an unmanaged switch.
But you probably want to configure at least 2 VLANs so you can have, for example, WAN on port 1 and LAN on ports 2-8.
Or you could have 8 VLANs with each port configured separately.
Steve
-
I'm back!
I successfully installed the image "pfSense-CE-memstick-2.4.3-RELEASE-amd64.img" with Rufus onto the storage and I still have a network port detected.
-
I put back the version "pfSense-CE-memstick-2.4.5-RELEASE-p1-amd64.img"; however, the command "~~" does not work to exit the serial port.
-
The escape command is
~~.
To escape just the local console session it would be
~.
but you are in a session inside that.
You really need to be on the current version.
Steve
-
I already tried and it doesn't work
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/root: cu -l cuau1 -s 19200
Stale lock on cuau1 PID=80957... overriding.
Connected

General Commands:
-----------------
Help/?: Get help on a group or a specific command
Up    : Move one command level up
Logout: Exit CLI

Command Groups:
---------------
System      : System settings and reset options
IP          : IP configuration and Ping
Port        : Port management
MAC         : MAC address table
VLAN        : Virtual LAN
PVLAN       : Private VLAN
Security    : Security management
STP         : Spanning Tree Protocol
Aggr        : Link Aggregation
LACP        : Link Aggregation Control Protocol
LLDP        : Link Layer Discovery Protocol
EEE         : Energy Efficient Ethernet
QoS         : Quality of Service
Mirror      : Port mirroring
Config      : Load/Save of configuration via TFTP
Firmware    : Download of firmware via TFTP
Loop Protect: Loop Protection
IPMC        : MLD/IGMP Snooping
Debug       : Switch debug facilities

Type '<group>' to enter command group, e.g. 'port'.
Type '<group> ?' to get list of group commands, e.g. 'port ?'.
Type '<command> ?' to get help on a command, e.g. 'port mode ?'.
Commands may be abbreviated, e.g. 'por co' instead of 'port configuration'.

>~~.
Invalid command
>~~
Invalid command
>~.
Invalid command
-
Never mind, with copy / paste it works with
~.
>~.
Invalid command
>~
[EOT]
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/root: ~.
-
Hmm, weird. I will say the terminal only looks for escape characters immediately following a return. I usually hit return a couple of times before sending it to be sure.
Steve
-
I tried to show all interfaces of the SN300 to pfSense via
cu -l cuau1 -s 19200
and nothing helps.
Am I doing it right?
pfSense - Serial: 1530B00379 - Netgate Device ID: 06645fdd1d35deecde91

*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on pfsense-SN300A ***

 WAN (wan)       -> em0        -> v4/DHCP4: 192.168.1.66/24
                                  v6/DHCP6: 2a01:cb19:8f84:c700:20d:b4ff:fe11:6c5c/64

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/root: cu -l cuau1 -s 19200
Connected
I have enabled all ports and it is connected to my network through port 1
>port configuration
Port Configuration:
===================
Port  State     Mode         Flow Control  MaxFrame  Power     Excessive  Link
----  --------  -----------  ------------  --------  --------  ---------  ----
1     Enabled   Auto         Disabled      9600      Disabled  Discard    1Gfdx
2     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
3     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
4     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
5     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
6     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
7     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
8     Enabled   Auto         Disabled      9600      Disabled  Discard    Down
9     Enabled   Auto         Disabled      9600      Disabled  Discard    1Gfdx
For the test, I created one VLAN per interface
VLAN>config
VLAN Configuration:
===================
Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     1     Untagged    Disabled        Untag PVID  S-Port
2     2     Untagged    Disabled        Untag PVID  S-Port
3     3     Untagged    Disabled        Untag PVID  S-Port
4     4     Untagged    Disabled        Untag PVID  S-Port
5     5     Untagged    Disabled        Untag PVID  S-Port
6     6     Untagged    Disabled        Untag PVID  S-Port
7     7     Untagged    Disabled        Untag PVID  S-Port
8     8     Untagged    Disabled        Untag PVID  S-Port
9     1     Untagged    Disabled        Untag PVID  S-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
1     port1                             1-9
2     port2                             2
3     port3                             3
4     port4                             4
5     port5                             5
6     port6                             6
7     port7                             7
8     port8                             8
It still only shows me one network interface, even after a full reboot.
-
Did you add the VLANs in pfSense on the internal interface?
Never use VLAN 1.
Here's how I have mine:
>vlan config
VLAN Configuration:
===================
Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     101   Untagged    Disabled        Untag All   S-Port
2     102   Untagged    Disabled        Untag All   S-Port
3     103   Untagged    Disabled        Untag All   S-Port
4     103   Untagged    Disabled        Untag All   S-Port
5     104   Untagged    Disabled        Untag All   S-Port
6     104   Untagged    Disabled        Untag All   S-Port
7     104   Untagged    Disabled        Untag All   S-Port
8     104   Untagged    Disabled        Untag All   S-Port
9     104   Untagged    Disabled        Untag All   S-Port
10    104   Untagged    Disabled        Untag All   S-Port
11    105   Untagged    Disabled        Untag All   S-Port
12    105   Untagged    Disabled        Untag All   S-Port
13    None  Tagged      Disabled        Tag All     C-Port
14    None  Tagged      Disabled        Tag All     C-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
101   WAN1                              1,13,14
102   WAN2                              2,13,14
103   LAN1                              3,4,13,14
104   LAN2                              5-10,13,14
105   WIFI1                             11-14
VID   VLAN Name                         Ports
----  --------------------------------  -----
VLAN forbidden table is empty
Though now I'm looking at it 'Untag PVID' would probably be better there. Hmm, been a long while since I configured that....
Ports 13 and 14 are the internal ports in the u250s. I have them as an LACP lagg.
Steve
-
Ok, reviewing it, the untag all doesn't matter since it only untags member VLANs. In my case I don't have any mixed tagged/untagged ports so I could use either.
You need to have port 9 a member of all the VLANs so it carries them tagged to pfSense.
The frame type needs to be 'all' since that port is carrying tagged and untagged traffic.
At least port 9 should be set to c-port or unaware so it tags for vlans.
Steve
-
I only have VLAN 1 put on the em0 interface, as WAN.
On the internal interface? em0?
Internal ports? What do they correspond to?
I have port 9; I tried to put port 9 in "Frame Type: Tagged" and I lost control over ssh.
I didn't understand what "S-Port" and "C-Port" were.
-
Yes em0 is the internal port, it's connected to port 9 on the switch.
Its frame type has to be 'all' because it's carrying tagged and untagged traffic in your setup.
Then you need to create the vlan interfaces in pfSense on em0.
So em0.2
em0.3
etc.
Steve
-
I just reviewed my configuration based on what I planned
VLAN>conf
VLAN Configuration:
===================
Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     None  Tagged      Disabled        Tag All     S-Port
2     None  Tagged      Disabled        Tag All     S-Port
3     100   Untagged    Disabled        Untag PVID  S-Port
4     100   Untagged    Disabled        Untag PVID  S-Port
5     100   Untagged    Disabled        Untag PVID  S-Port
6     101   Untagged    Disabled        Untag PVID  S-Port
7     None  Tagged      Disabled        Tag All     C-Port
8     None  Tagged      Disabled        Tag All     C-Port
9     None  Tagged      Disabled        Tag All     C-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
1                                       1-9
100   LAN                               3-5,7-9
101   DMZ                               6-9
832   OrangeDataVoIP                    1,2,9
840   OrangeTV                          1,2,9
VID   VLAN Name                         Ports
----  --------------------------------  -----
VLAN forbidden table is empty
I have:
- ports 1 and 2 in VLANs 832 and 840 for the WAN (in trunk)
  port 1 is the operator WAN
  port 2 is a LAN to the operator router's WAN
- ports 3 to 5 are the LAN
- port 6 is for a DMZ (for a server)
- ports 7 and 8 are for a LACP with my managed switch, in trunk
On pfSense, I created VLANs 100, 101, 832 and 840 on em0, I assigned em0.100 to WAN and I connected my local network to one of the LAN ports (VLAN 100).
-
Ports 1 and 2 will need to be a C-port or Unaware.
I think S-port is wrong for anything we are doing but on an untagged port it doesn't matter:
https://www.etherwan.com/support/faq/ethernet-switches/what-defines-vlan-trunk-modes-unaware-c-port-s-port-and-s-custom-port
That's probably based on the same switch chip family.
That looks correct for LAN. Are you able to connect to pfSense on ports 3, 4 or 5?
Steve
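A small checker for the switch's "vlan config" dump, added here as an example; it is not from this thread, nor from pfSense or Stormshield. It encodes the rules Steve gives in his replies above (never use VLAN 1; C-Port or Unaware on ports that accept tagged frames; port 9, the internal link to em0, a member of every VLAN, with Frame Type 'All' when it also carries a PVID) and lists the em0.N interfaces pfSense then needs. The sample dump is constructed in the layout quoted in the thread; port 9 as uplink and em0 as parent are assumptions.

```python
SAMPLE = """Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     None  Tagged      Disabled        Tag All     S-Port
6     101   Untagged    Disabled        Untag PVID  S-Port
9     1     Untagged    Disabled        Untag PVID  C-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
1                                       1-9
101   DMZ                               6-8
832   OrangeDataVoIP                    1,9
"""  # constructed sample in the layout quoted in the thread, not a real capture

def expand(spec):  # port list as the switch prints it: '3-5,7-9' -> {3, 4, 5, 7, 8, 9}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(text):
    """Return ({port: {pvid, frame, ptype}}, {vid: set of member ports})."""
    ports, vlans, in_vlans = {}, {}, False
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "VID": in_vlans = True  # membership table follows the port table
        if not tok or not tok[0].isdigit(): continue  # headers and separator rows
        if in_vlans:
            vlans[int(tok[0])] = expand(tok[-1])
        else:
            ports[int(tok[0])] = {"pvid": None if tok[1] == "None" else int(tok[1]),
                                  "frame": tok[2], "ptype": tok[-1]}
    return ports, vlans

def check(ports, vlans, uplink=9):  # the rules given in the thread; uplink = port wired to em0
    f, up = [], ports[uplink]
    for p, c in sorted(ports.items()):
        if c["pvid"] == 1:
            f.append(f"port {p}: PVID 1 (never use VLAN 1)")
        if c["frame"] != "Untagged" and c["ptype"] == "S-Port":
            f.append(f"port {p}: accepts tagged frames but is S-Port; use C-Port or Unaware")
    missing = sorted(v for v, m in vlans.items() if uplink not in m)
    if missing: f.append(f"port {uplink}: not a member of VLAN(s) {missing}, pfSense will not see them")
    if up["pvid"] is not None and up["frame"] != "All":  # PVID plus tagged VLANs = mixed traffic
        f.append(f"port {uplink}: carries untagged and tagged traffic but Frame Type is {up['frame']}")
    return f

def pfsense_vlan_ifaces(ports, vlans, uplink=9, parent="em0"):  # the em0.N interfaces to create
    pvid = ports[uplink]["pvid"]  # VLANs other than the PVID (and VLAN 1) reach pfSense tagged
    return [f"{parent}.{v}" for v in sorted(vlans) if uplink in vlans[v] and v not in (1, pvid)]
```

Paste the real dump in place of SAMPLE and run check(*parse(dump)); an empty list means the switch side matches the rules above.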
-
I switched ports 1 and 2 to C-port
VLAN>conf
VLAN Configuration:
===================
Port  PVID  Frame Type  Ingress Filter  Tx Tag      Port Type
----  ----  ----------  --------------  ----------  -------------
1     None  Tagged      Disabled        Tag All     C-Port
2     None  Tagged      Disabled        Tag All     C-Port
3     100   Untagged    Disabled        Untag PVID  S-Port
4     100   Untagged    Disabled        Untag PVID  S-Port
5     100   Untagged    Disabled        Untag PVID  S-Port
6     101   Untagged    Disabled        Untag PVID  S-Port
7     None  Tagged      Disabled        Tag All     C-Port
8     None  Tagged      Disabled        Tag All     C-Port
9     None  Tagged      Disabled        Tag All     C-Port
VID   VLAN Name                         Ports
----  --------------------------------  -----
1                                       1-9
100   LAN                               3-5,7-9
101   DMZ                               6-9
832   OrangeDataVoIP                    1,2,9
840   OrangeTV                          1,2,9
VID   VLAN Name                         Ports
----  --------------------------------  -----
I assigned the em0.100 (LAN) interface to WAN and I connected my local network to one of the LAN ports (port 3).
To explain what I want to do:
The operator network will arrive on port 1 with VLAN 832 (options 60, 77, 90, 125 must be sent by the DHCP client to obtain an IP) and 840 for television.
On port 2, I send VLAN 832 (with options 90, 119, 120, 125 from the DHCP server) and 840 to the WAN port of the operator router.
I retrieve the LAN from the operator router (disabling its DHCP server so as to use the pfSense DHCP server) to send it to the pfSense LAN ports (on the Stormshield SN300).
I created a DMZ network for myself.
There will be NAT on port 1.