SG-1000 pfSense Microfirewall - Where is the "Reset" button ?

  • Hello. I am new to pfSense and have recently purchased a SG-1000 microfirewall. I use it in my home as my primary firewall-router, hence it must not be allowed to stop working. So far, it is happily doing its work and I like it that way. However, this SG-1000 is also a learning tool I use to learn how to use pfSense (I have also purchased the book), mainly for firewalling, VLAN and traffic shaping. In my second post of substance yesterday, I created a guest network, intended for dumb IoT devices rather than clever guests, and tried to prevent guests (or crazy IoT thingies) from ever thinking of touching the SG-1000 WebGUI. Dangerous stuff in uncertain hands like mine. All my other devices (Airport devices, Zyxel modem) have a nice reset button on the box. I have had use for them on many occasions where I had severely goofed (unintentionally). These reset buttons have saved my bacon many times.

    I looked at the SG-1000 box and have not seen trace of a reset button.

    Is there any ?

    How do I use it ?

    If there is none, what do I do if I lose access to the user interface ?

    Thanks in advance.

  • Galactic Empire

    You can reset it to factory settings from console. Connect to the console and select option 4.

    Here's how to connect to the console

  • Ahem. Thank you for this news, which is bad news to me. Two months ago, shortly after receiving the brand new SG-1000, I succeeded once at console access. Installing the Macbook Pro in the basement where the SG-1000 hides, I accessed the SG-1000's guts with console through the USB cable (for the avoidance of doubt, I don't do Unix, Linux, FreeBSD or else). I remember it was flaky, slow and quite unreliable (it was after the first upgrade, which had turned sour, maybe that's why), but it seemed proven feasible nevertheless, in times of despair. Still, I regret the absence of a reset button.

    Thanks, again for the information.

  • Galactic Empire

    Console should be reliable, maybe you got a bad cable? Maybe you had wrong console settings? Compare your settings with the guide I linked above. Console is king, I wish all devices had console access! :)

  • I will conduct another test tomorrow morning. Not now. I have just revived my old Airties modem, configured to replace instantly the combination of Zyxel modem and SG-1000 firewall (my current setup) should anything bad happen to my SG-1000 configuration. I plan ahead for the consequences of my own mistakes. I will come back to this tomorrow. Thank you for your wake-up remark.

  • Galactic Empire

    Wait, I made a typo above. I removed the accidental "not". Console IS reliable. You should NOT have issues with it :)

  • Is a vga port really too much to ask?
    What is the fascination with serial?

  • Galactic Empire


    Is a vga port really too much to ask?
    What is the fascination with serial?

    Complain to the networking industry ;)

    Try managing multiple VGA devices remotely. Don't say KVM, please.

  • I do manage a ton of vga devices. It's simple for remote repairs.
    When everything is 100% broken, for me nothing beats a mouse, keyboard, cheap monitor and some dude on skype.

  • YES, console should be reliable. I must be doing a lot of wrong things to feel otherwise.

    Not being sure about kejianshi's VGA side-question, I revert to my "restore to factory settings" issue where it was yesterday evening.

    I had saved the configuration while the SG-1000 was on line.

    Yesterday evening, I disconnected the SG-1000 and installed my spare internet connection in its stead (my Airties modem-router at I carried the SG-1000 upstairs to the place where the macbook resides, disconnected the mac from the internet and connected the mac to the powered SG-1000 through console cable. (mac OS 10.12.6) I fired up the Terminal application in the mac. Entered in terminal the suggested command ("sudo screen /dev/cu.SLAB_USBtoUART 115200") and gave on demand my admin password to Terminal. There was a lot of work in the terminal window and, finally, the required window listing all available commands appeared.

    So it worked !!!

    All commands I see there have an active purpose. There is no "Exit without doing anything" command. This worried me as I do not like the "Unplug wires" brutal solutions. I tried a harmless "5" to command the SG-1000 to reboot. There, the problems I had witnessed earlier resurfaced. The terminal window would start typing things and have a blank (like a loss of memory) and stop printing. I could help, partially, by hitting the "enter" key. But the process would appear to be stopped, without visible cause. I noted on paper the following messages appearing:

    pkg-static: Repository pfSense-core missing. 'pkg update' required

    Configuring crash dump…
    No suitable dump device found

    Warning: no time of day clock registered
    System time will not be set accurately

    For the avoidance of doubt, no packages are currently installed on my SG-1000, and the standard internet clock is configured, but not active when the SG-1000 is not connected to the internet.

    I hit "6" Halt system. Should not do harm. This did not appear to help.

    I stopped the terminal application (which stopped ongoing processes), unplugged all and put the SG-1000 back in operation in my basement. It worked. My congratulations to the SG-1000 and to its genitors. It is a robust device.

    The following day, I did the same as above: (1) remove the SG-1000 from active duty and from any internet connection and replace it by the Airties modem-router; (2) isolate my macbook from the internet and (3) connect the isolated SG-1000 upstairs to the mac in console mode. It worked fine, the first time but, again, stopped working thereafter.

    I then, still upstairs, plugged the SG-1000 LAN port to the mac (WAN disconnected, Console disconnected) and accessed the WebGUI. Initiated a "Restore" by the GUI command. Then I plugged the SG-1000 back to active duty in my basement. It worked, but a message stated that the restore process had been aborted due to lack of an active internet connection.

    OK ! So, leaving the SG-1000 connected to the internet, in its active role, I did a "Restore" (to a back-up of the same configuration). It worked. Logically, nothing was changed.

    Q1: It seems to me that I am making a lot of mistakes, but something like a buffer seems to act unsatisfactorily. How can I verify that ?

    Q2: Backup and restore need, so it appears, to be done while the SG-1000 is connected to the internet. When I hit "4" reset to factory settings from console, is it also necessary to connect the WAN port of the SG-1000 to an active internet connection ?

    Sorry for the long post. For me, a "Reset" button would be easier. TIA.

  • Today, I performed a reset of the SG-1000 microfirewall to factory default.

    I unplugged the SG-1000 and connected to it via console (terminal).

    I issued "4" command (Reset to factory default)

    It went through, but I saw error messages along the way on the terminal window. One was related to the SG-1000's memory card.

    I issued a "6" command (stop system)

    It went through.

    I plugged again the SG-1000 and powered it on. Then I accessed its webGUI.

    It worked, the SG-1000 was in factory default.

    I restored to its original saved configuration. It worked.

    Where can I find the log file of the Restore to factory default command ? It seems it will contain unusual entries. TIA

  • Galactic Empire

    I would restore pfSense install as it appears you have managed to somehow break it! :) That's the quickest way to set you back up and running:

  • This is going to turn into an intervention with 5 guys trying to explain how to wipe a drive and install firmware from fresh.  Probably about 3 button pushes away at this point.

  • Thanks ivor, I will try to do what you suggest and report below difficulties in doing it.

    BTW, it is almost certain that I managed to somehow break it. However, shortly after receiving the SG-1000, I received on the Dashboard an indication that a new version was available for download. By my sole mistake, I accepted to do this installation and subsequently got the following error message : "Notices > Filter reload > "There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory - the line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"
    @2017-08-23 11:20:29". Believing there was a flaw in the firmware updater, I inquired from Netgate sales and was, there, instead referred to the forum owing to the fact that I had not purchased an assistance contract with Netgate. Later on, I upgraded to 2.4.0, believing the issue would correct itself. Maybe it did not correct itself automagically.  Maybe that is the cause !

    Indeed, as kejianshi may have assumed, I have almost never wiped out a drive and installed an OS from fresh, and my desire to avoid this pain is the reason why I bought the SG-1000 from Netgate in the first place.

    1 - I received my SG-1000 in August 2017, which was a long time after Dec 29, 2016, so I should assume that the SG-1000 includes a boot environment capable of booting from the USB OTG port. However, I searched everywhere on the web interface for the version of U-Boot to check compliance. I found nothing. To take the least risky route without asking from 5 guys how to wipe a drive and install firmware from fresh, I therefore tried the longer route using a Micro-SD memory card. I found a spare one with maps of France, Australia and New Zealand in my Garmin bike GPS box, saved its content and started to work.

    2 - To verify the downloaded image, I did not use sha256 command, which appeared not to exist on my mac (mac OS 10.12.6). Instead, after some internet search, I used the "shasum -a 256" command.

    3 - I verified the file system of the micro-SD card existing partition, it showed on Disk utilities as: MS-DOS (FAT32). I suppose this does not matter.

    4 - I wrote the image:

    sudo dd if=/Users/xxx/Desktop/pfSense-netgate-uFW-recover-2.4.0-RELEASE-arm.img of=/dev/rdisk3 bs=4m

    I inputted my admin password on demand, the writing failed. Cause: "resource busy". So, after another internet search, I decided to unmount the existing partition from the micro-SD.

    I hit again in Terminal

    sudo dd if=/Users/xxx/Desktop/pfSense-netgate-uFW-recover-2.4.0-RELEASE-arm.img of=/dev/rdisk3 bs=4m

    Nothing happened, so I shut down the terminal window and looked into disk utilities. Suddenly the Micro SD card appeared (mounted) on the desktop with a new name: FATRECOV

    FATRECOV contained three files:

    MLO, u-boot.img and ubldr.bin

    Maybe I had stopped the process and damaged the installer.

    I repeated the same process and it produced, in about 1 minute and a half of complete silence:

    238+1 records in
    238+1 records out
    1000000000 bytes transferred in 94.095442 secs (10627507 bytes/sec)
    [MacBookPro-de-xxx:~] xxx%

    The volume appears as follows in disk utilities:

    FATRECOV:  35.8 Mo

    FreeBSD: 964.1 Mo

    I will call it a success !!! So I have so far completed writing the installer to a micro-SD card without the 5 guys intervention.

    I inserted the micro-SD card into the SG-1000.

    I connected the SG-1000 to console, unplugged to the power cable.

    The rest went as indicated on the SG-1000 FAQ

    After rebooting, I did a second reboot, which went well. I then Halted the system (option 7) and unplugged the SG-1000 from the power cable.

    I went to the basement and plugged again the Zyxel modem and the SG-1000 in operation for my network.

    I came back upstairs to take control of the SG-1000 via the web interface and reset the configuration to its last saved state.

    It worked. Now the console seems to work correctly. Thanks, ivor for telling me how.

    To prevent the reoccurrence of "5 guys trying to explain how to wipe a drive and install firmware from fresh", you may want to clarify the FAQ on the following:

    In: How do I restore the firewall OS? (firmware)

    1 - "This version of U-Boot identified itself as: "–-", it would be best to specify where to look.

    In: Writing an OS Installation Image to Flash Media

    2 - To verify checksum on Mac OS (10.12.6), replace "sha256" command line by "shasum -a 256"

    3 - For the installation media, you may want to specify a partition map scheme. Here, my Micro-USB card was "as purchased" (as needed by Windows machines). Maybe another partition map scheme may fail.

    4 - When writing the image to the Flash Media on Mac OS (10.12.6), you may specify that if the system replies "Resource busy", the existing partition needs to be unmounted for the writing to work.

    5 - Using Terminal is not common to mac users, you would best indicate that, after inputting the administrator password, the writing will proceed, it took 90 seconds for me and absolutely nothing shows that the writing is in progress.

    Thanks ivor for this fascinating learning experiment. kejianshi was right: I had never done such a thing.

    As far as I am concerned, this thread is solved.

  • Actually, that went a lot faster than I expected. I find console unfriendly also BTW.

  • Galactic Empire

    I'm glad everything went well. Thanks for the detailed follow up :)

  • Thanks kejianshi, thanks ivor.

    It probably went this way because (1) I was lucky (This was week-end time and I already had at hand a SD-Card adapter for my camera, a micro-SD-Card for my bicycle Garmin GPS device and a screwdriver for no justifiable cause) and (2) I cheated (spent a good part of the night and early morning to get this behind me). Next time, if any, will be easier.

    I forgot to ask a key question to spare me the purchase of a new micro-SD card: now that the SG-1000 is configured with the currently available 2.4.0 firmware, could I now restore the firmware OS from a USB Memory stick, in case of need ?

  • I don't think so. I think you have to do it the way you did it. However, you could probably boot and run the box off that usb thumb drive.

    Never seen anyone try.
