-
It is not a secret anymore: Sophos UTM SG and XG sucks! I won't continue with that "technology"!
My support is about to end with Sophos and I have 2 SG330 and 2 SG550 which is fairly good hardware.Did anyone ever successfully installed PFSense on those type of Sophos appliances ? I can't try yet since there are online, and I need to know if it's possible before I get my management agree to abandon Sophos.
It would be awesome to recycle those to PFSense ! :)Thanks.
-
As it is over a year ago you asked, you are probarbly allready up and running ;-)
I have a Sophos SG 125 box, running the newest pfSense - It works GREAT.Only problem is that half of my ports reports it is "ten gigabit" ports.. The other half is working fine..
-
Are they using the ix driver? Where are you seeing that reported?
If you run
ifconfig -vmdo they actually show 10G as a media option?Steve
-
@stephenw10
Hi Steve, thanks for your interest.
The first 4 ports are reported as Intel 10G media ports, in the initial/config console (and are not working).
The next 4 ports are reported as Intel Gigabit ports (em) and works fine. Besides that pfSense works great on the Sophus SG 125 box. About 300MB/s on a OpenVPN.Not sure which driver is used, but I will do a "ifconfig -vm", when i get home to the box.
k.r. Niels
-
@oz9els said in Install PFSense on a Sophos SG appliance:
About 300MB/s on a OpenVPN.
Nice. What CPU does it use?
If it reports 10G NICs they will be ix which is interesting to find next to em NICs.Steve
-
The CPU is:
CPU Type Intel(R) Atom(TM) CPU C3508 @ 1.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICMThe box has 8 ethernet ports (4 reported as 10Gb), one SFP port, a serial-console and 2 usb and include a dual external PSU - Quite a nice box, and only uses arround 12w in idle mode.
I will make some photos of the inside..With a ifconfig -vm i get the same for all interfaces ibg1-ibg4 (marked Eth4-Eth8 on the box):
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=753fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f8
hwaddr 7c:5a:1c:78:41:f8
inet6 fe80::7e5a:1cff:fe78:41f8%igb0 prefixlen 64 scopeid 0x1
inet 192.168.64.130 netmask 0xffffff00 broadcast 192.168.64.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTPThese interfaces work well at 1 Gb.
The interfaces marked Eth0->Eth3 all look like this:
ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f4
hwaddr 7c:5a:1c:78:41:f4
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
supported media:
media autoselect
media 10baseT/UTP
media 100baseTX
media 1000baseTI also have one more:
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc -
enc0 is the IPSec interface, it's created even if you don't have any IPSec tunnels.
Those ix NICs are exactly what I would expect for a C3K Atom. The driver might show as 'TenGigabit' in the boot log but they have 1G PHYs so are limited to 1G. Since the interfaces are created that looks good. Do they work as expected at 1Gbps?
Steve
-
Initially I could not get them to work (just after the installation) Tried to use them as WAN and LAN - They got link, but no traffic.
Did some testing tonight, and then it looked like they worked just fine.. I will test a bit more..
Will also try to scratch the config and start over, just to be sure - Perhaps the problem was elsewhere ;-).k.r. Niels
-
BTW, I have taken some pictures of the SG 125 inside, if anyone is interested
-
Hi, in the pics I saw the that the appliance is a V3 version which has the C3000 CPU.
I think versions prior to V3 still have the Atom C2000. -
@gcu_greyarea Think you are right.. I also stumbled over that fact somewhere.. ;-)
-
People in AU have often complained about the cost of purchasing a Netgate appliance, despite wanting to support the project...
E.g. a 5100 will cost between 1100-1200$ AU delivered. Purchasing from local resellers/distributors will often come at the same or higher price.
You can buy a brand new SG125v3 for around 850$AU, but it’ll come with a lower clock speed (C3508 vs C3558)
I’d love to purchase a 5100 for home use but right now cannot afford it. Obviously for a business 1200$ for a 5100 is a good price when compared to other vendors.
Also - i know I’m looking at hardware prices only... i also understand that pfSense’s value is in the software and community - which isn’t reflected in the hardware price....
I wish there was a more cost effective method for purchasing netgate appliances in AU. Maybe with the arrival of Amazon in AU there could be local stock and more competitive pricing, considering the presence of chinese mini PC’s... -
Hi,
I just installed PFsense 2.4.4 on my 2 Sophos SG330 and everything works great with the exception of the LCD.
I installed LCD Proc but I do not know which driver to choose. I tried almost all possible combinations without luck.
If anybody knows what I should choose, I would be grateful for any help.
Also, do I need to reboot for every driver change in order to make the new LCD driver active?Thank you in advance,
Mike -
@mickesanda said in Install PFSense on a Sophos SG appliance:
Sophos SG330
Depends which hardware revision, I think. It's probably the EZIO driver if it's the Portwell box.
You have a picture?
Steve
-
Hi Steve and thank you for replying.
I opened the box and it is obvious that the LCD is connected to a COM-port, it says RS232 on the circuit board. Attached i have serial number and revision. So, when I read the documentation, Portwell Ezio means I have to choose "HD44780 and compatible", but after that, I'm lost......
There are a few chioces under the "com port" and a few other choices under "Connection type"
All suggestions are greatly appreciated.
Thx, Mike!
If i google "GFC1602AI" as it says on the sticker I find this manufacturer:
GIFAR Technologyhere is the tech spec for GFC1602AI from the manufacturer.PDF
-
After a few combinations, I succeeded to achieve this:
With these settings. Any ideas on what needs to be changed?
-
Ok yeah that is the EZIO display. The driver itself should be in LCDproc but I don't think the option to select is in the package yet. You will probably have to start it separately until it is added. See: https://forum.netgate.com/post/795491
Steve
-
@stephenw10 Thank you, I already read that post like 3 times and I think I understand what needs to be done. If I understand correctly, the driver is already in the package, I need to create a file called LCDd.conf under root.
Unfortunately, as the other guy in the thread, I am quite novice at that(Unix, Linux, BSD). I'll try and fix it somehow.
Do I need to uncheck "Enable LCDproc at startup" or just choose default settings? -
Yes disable it in the package and use a shellcmd to start it instead so you can use a custom lcdd.conf file.
-
@stephenw10 I'll give it a try. I purchased 2 X XG-1537 HA for 1 month ago as a replacement for the Sophos SG330. They are way faster and better than Sophos.
So far I'm happy with my choice. So these old Sophos machines are in no way in production, just my curiosity that needs to be satisfied.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.