Install PFSense on a Sophos SG appliance
-
It is not a secret anymore: Sophos UTM SG and XG sucks! I won't continue with that "technology"!
My support is about to end with Sophos and I have 2 SG330 and 2 SG550 which is fairly good hardware.Did anyone ever successfully installed PFSense on those type of Sophos appliances ? I can't try yet since there are online, and I need to know if it's possible before I get my management agree to abandon Sophos.
It would be awesome to recycle those to PFSense ! :)Thanks.
-
As it is over a year ago you asked, you are probarbly allready up and running ;-)
I have a Sophos SG 125 box, running the newest pfSense - It works GREAT.Only problem is that half of my ports reports it is "ten gigabit" ports.. The other half is working fine..
-
Are they using the ix driver? Where are you seeing that reported?
If you run
ifconfig -vmdo they actually show 10G as a media option?Steve
-
@stephenw10
Hi Steve, thanks for your interest.
The first 4 ports are reported as Intel 10G media ports, in the initial/config console (and are not working).
The next 4 ports are reported as Intel Gigabit ports (em) and works fine. Besides that pfSense works great on the Sophus SG 125 box. About 300MB/s on a OpenVPN.Not sure which driver is used, but I will do a "ifconfig -vm", when i get home to the box.
k.r. Niels
-
@oz9els said in Install PFSense on a Sophos SG appliance:
About 300MB/s on a OpenVPN.
Nice. What CPU does it use?
If it reports 10G NICs they will be ix which is interesting to find next to em NICs.Steve
-
The CPU is:
CPU Type Intel(R) Atom(TM) CPU C3508 @ 1.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICMThe box has 8 ethernet ports (4 reported as 10Gb), one SFP port, a serial-console and 2 usb and include a dual external PSU - Quite a nice box, and only uses arround 12w in idle mode.
I will make some photos of the inside..With a ifconfig -vm i get the same for all interfaces ibg1-ibg4 (marked Eth4-Eth8 on the box):
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=753fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f8
hwaddr 7c:5a:1c:78:41:f8
inet6 fe80::7e5a:1cff:fe78:41f8%igb0 prefixlen 64 scopeid 0x1
inet 192.168.64.130 netmask 0xffffff00 broadcast 192.168.64.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTPThese interfaces work well at 1 Gb.
The interfaces marked Eth0->Eth3 all look like this:
ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
capabilities=f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether 7c:5a:1c:78:41:f4
hwaddr 7c:5a:1c:78:41:f4
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
supported media:
media autoselect
media 10baseT/UTP
media 100baseTX
media 1000baseTI also have one more:
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc -
enc0 is the IPSec interface, it's created even if you don't have any IPSec tunnels.
Those ix NICs are exactly what I would expect for a C3K Atom. The driver might show as 'TenGigabit' in the boot log but they have 1G PHYs so are limited to 1G. Since the interfaces are created that looks good. Do they work as expected at 1Gbps?
Steve
-
Initially I could not get them to work (just after the installation) Tried to use them as WAN and LAN - They got link, but no traffic.
Did some testing tonight, and then it looked like they worked just fine.. I will test a bit more..
Will also try to scratch the config and start over, just to be sure - Perhaps the problem was elsewhere ;-).k.r. Niels
-
BTW, I have taken some pictures of the SG 125 inside, if anyone is interested
-
Hi, in the pics I saw the that the appliance is a V3 version which has the C3000 CPU.
I think versions prior to V3 still have the Atom C2000. -
@gcu_greyarea Think you are right.. I also stumbled over that fact somewhere.. ;-)
-
People in AU have often complained about the cost of purchasing a Netgate appliance, despite wanting to support the project...
E.g. a 5100 will cost between 1100-1200$ AU delivered. Purchasing from local resellers/distributors will often come at the same or higher price.
You can buy a brand new SG125v3 for around 850$AU, but it’ll come with a lower clock speed (C3508 vs C3558)
I’d love to purchase a 5100 for home use but right now cannot afford it. Obviously for a business 1200$ for a 5100 is a good price when compared to other vendors.
Also - i know I’m looking at hardware prices only... i also understand that pfSense’s value is in the software and community - which isn’t reflected in the hardware price....
I wish there was a more cost effective method for purchasing netgate appliances in AU. Maybe with the arrival of Amazon in AU there could be local stock and more competitive pricing, considering the presence of chinese mini PC’s... -
Hi,
I just installed PFsense 2.4.4 on my 2 Sophos SG330 and everything works great with the exception of the LCD.
I installed LCD Proc but I do not know which driver to choose. I tried almost all possible combinations without luck.
If anybody knows what I should choose, I would be grateful for any help.
Also, do I need to reboot for every driver change in order to make the new LCD driver active?Thank you in advance,
Mike -
@mickesanda said in Install PFSense on a Sophos SG appliance:
Sophos SG330
Depends which hardware revision, I think. It's probably the EZIO driver if it's the Portwell box.
You have a picture?
Steve
-
Hi Steve and thank you for replying.
I opened the box and it is obvious that the LCD is connected to a COM-port, it says RS232 on the circuit board. Attached i have serial number and revision. So, when I read the documentation, Portwell Ezio means I have to choose "HD44780 and compatible", but after that, I'm lost......
There are a few chioces under the "com port" and a few other choices under "Connection type"
All suggestions are greatly appreciated.
Thx, Mike!
If i google "GFC1602AI" as it says on the sticker I find this manufacturer:
GIFAR Technologyhere is the tech spec for GFC1602AI from the manufacturer.PDF
-
After a few combinations, I succeeded to achieve this:
With these settings. Any ideas on what needs to be changed?
-
Ok yeah that is the EZIO display. The driver itself should be in LCDproc but I don't think the option to select is in the package yet. You will probably have to start it separately until it is added. See: https://forum.netgate.com/post/795491
Steve
-
@stephenw10 Thank you, I already read that post like 3 times and I think I understand what needs to be done. If I understand correctly, the driver is already in the package, I need to create a file called LCDd.conf under root.
Unfortunately, as the other guy in the thread, I am quite novice at that(Unix, Linux, BSD). I'll try and fix it somehow.
Do I need to uncheck "Enable LCDproc at startup" or just choose default settings? -
Yes disable it in the package and use a shellcmd to start it instead so you can use a custom lcdd.conf file.
-
@stephenw10 I'll give it a try. I purchased 2 X XG-1537 HA for 1 month ago as a replacement for the Sophos SG330. They are way faster and better than Sophos.
So far I'm happy with my choice. So these old Sophos machines are in no way in production, just my curiosity that needs to be satisfied. -
Reuse beats Recycling IMO.
-
@stephenw10 I created LCDd.conf under root.
This is the content:
[server]
DriverPath=/usr/local/lib/lcdproc/
Driver=hd44780
Bind=127.0.0.1
Port=13666
ReportLevel=3
ReportToSyslog=yes
User=nobody
Foreground=no
ServerScreen=no
GoodBye="Thanks for using"
GoodBye=" pfSense "
WaitTime=5
ToggleRotateKey=Enter
PrevScreenKey=Left
NextScreenKey=Right
ScrollUpKey=Up
ScrollDownKey=Down
[menu]
MenuKey=Escape
EnterKey=Enter
UpKey=Up
DownKey=Down
[hd44780]
driverpath=/usr/local/lib/lcdproc/
ConnectionType=ezio
Device=/dev/cuau1
Keypad=yes
Size=16x2
KeyMatrix_4_1=Enter
KeyMatrix_4_2=Up
KeyMatrix_4_3=Down
KeyMatrix_4_4=EscapeI also added 2 shellcmd with this content:
1: /usr/bin/nice-20/usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &
2: /usr/bin/nice-20/usr/local/bin/lcdproc C T U &Not sure about the punctuation though, can you please check if there is a space too many or something similar?
I get sh: /usr/bin/nice-20/usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf not found
and one more similar line -
Yes. 'nice' is a separate command so the shellcmds should be:
/usr/bin/nice -20 /usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &
/usr/bin/nice -20 /usr/local/bin/lcdproc C T U &Steve
-
@stephenw10
I still get:
sh: /usr/bin/nice-20 not found twiceThe "Enable LCDproc package at start" is unchecked.
I used the "Edit file" option found under diagnostic to create the LCDd.conf under the catalog root.
-
Hmm, this is the actual code from the config.xml file from that box:
<shellcmd>/usr/bin/nice -20 /usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &</shellcmd> <shellcmd>/usr/bin/nice -20 /usr/local/bin/lcdproc C T U &</shellcmd>Ah! The space between nice and -20 is not clear.
Steve
-
@stephenw10
Progress is being made :-) For a short while I saw readable text, Hd44780 and Thank you for using pfSense and a serial number.
But as soon as the boot sequence was finished everything is garbled again.
Starting package LCDproc...done. That works now.
Starting package Shellcmd...done -
Sounds like the lcdproc package is still starting stuff separately. Make sure you have disabled the server and set the com port to 'none' and have unselected any screens in the gui.
Steve
-
@stephenw10
Happy dance :-)
Thank you Steve, I knew that choosing pfSense was the best way to go because of the support and community.
-
Nice!
Though when you see that it means the LCDd daemon is running but no clients are connecting to it.
With the second shellcmd you should see the three output screens for CPU usage, Time and Uptime.Do the buttons work?
Steve
-
@stephenw10
Hmm..., no the buttons don't work:
The shellcommands are as follows:- /usr/bin/nice -20 /usr/local/sbin/LCDd -r 0 -c /root/LCDd.conf > /dev/null &
- /usr/bin/nice -20 /usr/local/bin/lcdproc C T U &
-
Hmm, potentially some timing issue. Try running the client command from the command line, see if it attaches to the server then.
Check the system logs after booting you may well see the server and/or client being started/stopped several times.Steve
-
is there a step by step howto install on a sophos SG appliance and what about the UTM appliances ?
-
@randy_srs Hi Randy, I cannot say for other Sophos appliances, but for SG330, I created a bootable USB stick with Rufus and the installation is very easy.
I could only auto identify one ethernet card. The rest were found automatically when the installation was finished. Other than the issue with the display, everything went smoothly.
/Mike -
@mickesanda thanks for the info . i figured . i think there is a workaround for the LCD display . ill have to play around with them
-
Thx Mike, without messing in .conf file, all from GUI, was able to manage this on SG 450 platorm :)
Cheers
-
I have SG 125 - SG 230 installed with PFSense and they work fine. The cost for a unit off ebay is way cheaper then buying a dual port and the only thing you need to concern about is the internal SSD, but that is a quick swap for a new one.
