SG-1000 Microfirewall - Cannot reset the microfirewall with console



  • Hello. After over 18 months, having purchased on 2017-08-13 an SG-1000 Microfirewall from Netgate, I still feel new to pfSense.

    On 2017-10-26, failing in my attempts to reset the SG-1000 to factory default, I initiated on this forum the thread "SG-1000 Microfirewall - Where is the "Reset" button ?" (https://forum.netgate.com/topic/122021/sg-1000-pfsense-microfirewall-where-is-the-reset-button). At that time, the problem was solved with console access.

    I use a Mac under macOS 10.13.6 (latest release). My pfSense SG-1000 was operating under release 2.4.3.

    Yesterday, in an attempt to change the primary network from 192.168.1.0 / 24 to 192.168.101.0 / 24, I inputted the new gateway address in Interfaces / LAN / Static IPv4 configuration and hit "enter". After clicking, I lost access to the WebGUI and have not yet found it after having tried all suggestions of "Locked out of the WebGUI" from PFSenseDocs.

    I then tried console access; it did not work:

    On Terminal, sudo screen /dev/cu.SLAB_USBtoUART 115200
    and its variants:
    sudo screen -U /dev/cu.SLAB_USBtoUART 115200
    sudo screen /dev/cu.SLAB_USBtoUART 38400

    Password

    Many blanks would appear, parts of the interface would become visible. This time, maybe the driver was at fault.

    I installed on my Mac the latest version of the Silicon Labs CP210x USB-to-UART bridge (there was a new version).

    I tried again console access. It did not work either but the behaviour was very different.

    On Terminal, sudo screen /dev/cu.SLAB_USBtoUART 115200

    Password

    There is serial output. It is not garbled. It does not stop on the first round. If I try further rounds, then it begins experiencing lapses and losses of data. After about 1', I would reach

    "Welcome to pfSense 2.4.3 RELEASE".

    Then it would wait for 15', attempt to boot and return to the "Welcome to pfSense 2.4.3 RELEASE" message. No access to the commands, no access to command 4 "Reset to factory defaults".

    Among all the text that appears on the screen, I found:

    WARNING: / was not properly dismounted
    How can I dismount properly ?

    ** bad device mmc0 **

    What does that mean ?

    What am I doing wrong ? TIA for any suggestion.



  • This is probably why things went wrong :
    @michel-angelo said in SG-1000 Microfirewall - Cannot reset the microfirewall with console:

    ... I inputted the new gateway address in Interfaces / LAN / Static IPv4 configuration and hit "enter"

    But :
    [image]

    I read your other thread, and understood why things went bad.
    @ivor is and was right : a working console is very important. Even if you do nothing with the console access, you should try it once in a while. Because this access is your safety net. People do stupid things, that's ok - I do so all the time.
    The console access contains options for you, so you can undo something horribly bad that locks you out of the GUI.

    As soon as you think your SG-1000 isn't behaving as it should, you should :
    Never ever power-down - power-up as a first repair attempt. The SG-1000 contains a "disk" and disks do not like being treated like that. The file system on the disk goes bad, which includes another layer of troubles.
    This kind of trouble :
    @michel-angelo said in SG-1000 Microfirewall - Cannot reset the microfirewall with console:

    WARNING: / was not properly dismounted
    How can I dismount properly ?
    ** bad device mmc0 **

    This "mmc0" is the disk in your SG-1000. It's probably being considered as "dirty" or not dismounted properly.
    This is why there is a menu option in the GUI that you have to use for a normal shut-down, like you do on a PC or Mac. Never ever use the power button (although, if you locked yourself out, you don't have a choice).

    I don't own an SG-1000, but https://www.netgate.com/docs/pfsense/solutions/sg-1000/faq.html#how-do-i-restore-the-firewall-os-firmware tells me** that you should follow the procedure of reinstalling the OS. You did that once already I think.

    Don't worry, you will reanimate the thing. You should do it once, anyway, and next time, you'll do it in a snap.

    Btw : You actually have an SG-1000 so you are pretty aware of the size of it. Impossible to put a VGA chip in there. The box would double in size, and triple in power consumption. Most - if not all - of our "ISP boxes", Access Points, etc. don't have VGA chips.

    ** an SG-1000 user or expert should confirm this.



  • Gertjan, your assessment was 100% correct. Thanks a lot and congratulations. I did, as you suggested, reinstall the OS using a new micro-SD card loaded with the most recent OS, as per the applicable notices. It was stressful enough but went faster than the first time one year ago. After that reinstall, indeed, the console worked again, without any defects. I then restored the firewall to its most recent saved configuration and plugged everything to normal config (first LAN is my Zyxel modem-router at 192.168.0.0 / 24, second LAN is this firewall primary LAN at 192.168.1.0 / 24, third LAN (guests) is 192.168.2.0 / 24). It is now up and running.

    I understand I should shut down the firewall prior to unplugging it. I should use Diagnostic / Halt System on the WebGUI (I had never found it and believed it did not exist, as is customary in commercial modem-routers). I should use 6 on Console. I never did that and always unplugged the firewall without halting the system whenever I needed to. Now, I know this can be damaging.

    I further understand that whenever the OS becomes shaky, this can be verified by attempting to connect via console, which I have never done.

    Maybe connecting to console via SSH from my desk upstairs would be easier than running to the basement with a computer and a cable to connect face-to-face with the firewall. According to the pfSense definitive guide (4.6 Console Menu Basics), this is a feasible option. I looked in the documentation and found nothing to help me make such a connection. Maybe I did not look carefully enough. Is there such a guide somewhere ?

    Back to step one, I am not done yet.

    I wanted to configure the firewall on the 192.168.101.1 address, away from 192.168.0.1 and 192.168.1.1, which I reserve for my or my ISP's modem-router (Zyxel, Airties, Orange's, whatever). I can do that with the configuration wizard, which forces me to input again all other configuration specifics. Is there a shorter route from my current configuration ? TIA in advance.



  • @michel-angelo said in SG-1000 Microfirewall - Cannot reset the microfirewall with console:

    I wanted to configure the firewall on the 192.168.101.1 address, away from 192.168.0.1 and 192.168.1.1

    This can be done in the GUI of course.
    Keep in mind : just change the LAN IP of the LAN interface, keep the mask at /24 - do not touch the Gateway ^^
    As soon as you validate, you'll be losing connection. Actually quite normal.
    If you were using a static on your PC (Mac), it's time to change this one accordingly now and you're done.
    If not, and your PC (Mac) is obtaining an IP from pfSense by DHCP (which is normally the case), switch temporarily to a static IP on your PC (Mac) anyway.
    Like IP = 192.168.101.2 mask 24 - DNS == Gateway == 192.168.101.1
    As a result, you should be able to visit the GUI at 192.168.101.1
    Now you have to change (check if needed) the DHCP server settings for LAN -> change the pool and whatever needed.
    Check also if you had any static DHCP MAC leases and change them accordingly.
    Validate.

    Put back the DHCP option on your PC (Mac) : your PC (Mac) should obtain an IP etc from pfSense as before - this time in the 192.168.101.x range (DHCP pool range). GUI access and Internet access should work.

    That's about it.

    Check all packages, Aliases, etc .... everywhere where real LAN IP's could be used.

    (I think I didn't forget anything .... will keep thinking about it).

    Btw : think about hooking up the SG-1000 on a UPS ..... This will bring down crashes from once every x years to once in a lifetime.

    Yes for SSH, it's a must : enable it. It's the next best Console access - I use it all the time, actually every day. Not because I need to 'administrate' my pfSense from SSH or Console, but I tend to test things first before I write forum replies.

    Good that you now know that you should shut down your SG-1000 with a GUI command or console access (or SSH access). Power plug ripping is good for light bulbs only. All other objects should be "shut down properly".

    Great that you managed to re-install quickly. Now you know how to do that - which means that you won't be needing the knowledge ^^ (extension on Murphy's law). Now you know why you should save your config, "export config", once in a while.
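
The renumbering steps above as a pre-flight check, added here as an example and not part of any poster's reply: it confirms that the new LAN does not overlap the other networks named in the thread and lists every configured address that still sits in the old LAN. The function name and the sample entries (pool bounds, printer mapping, alias) are hypothetical; only the subnets come from the thread.

```python
import ipaddress

def plan_lan_renumber(old_lan, new_lan, other_nets, entries):
    """Check a LAN renumbering plan and list config entries to update.

    entries maps a label (DHCP pool bound, static mapping, alias) to an IP.
    Returns (conflicts, changes): networks overlapping the new LAN, and
    {label: (old_ip, new_ip)} for every entry still inside the old LAN.
    """
    old = ipaddress.ip_network(old_lan)
    new = ipaddress.ip_network(new_lan)
    if old.prefixlen != new.prefixlen:
        raise ValueError("keep the mask unchanged (e.g. /24 to /24)")

    # The new LAN must not overlap the upstream (WAN-side) or guest networks.
    conflicts = [n for n in other_nets
                 if ipaddress.ip_network(n).overlaps(new)]

    changes = {}
    for label, ip in entries.items():
        addr = ipaddress.ip_address(ip)
        if addr in old:
            # Keep the host part, swap the network part.
            offset = int(addr) - int(old.network_address)
            changes[label] = (str(addr), str(new.network_address + offset))
    return conflicts, changes


# Constructed sample values; only the subnets come from the thread.
SAMPLE_ENTRIES = {
    "LAN interface address": "192.168.1.1",
    "DHCP pool start": "192.168.1.100",
    "DHCP pool end": "192.168.1.199",
    "static mapping: printer": "192.168.1.20",
    "alias: upstream modem-router": "192.168.0.1",
}

if __name__ == "__main__":
    conflicts, changes = plan_lan_renumber(
        "192.168.1.0/24", "192.168.101.0/24",
        ["192.168.0.0/24", "192.168.2.0/24"], SAMPLE_ENTRIES)
    print("overlapping networks:", conflicts or "none")
    for label, (before, after) in changes.items():
        print(f"{label}: {before} -> {after}")
```

Entries outside the old LAN, such as the upstream modem-router alias, are left alone; anything the function lists is a setting to revisit in the GUI after the LAN address change.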



  • Thanks Gertjan, problem solved.

    Tomorrow, I will change this IP and do subsequent changes afterwards. I will also inquire on Mac forums how to set up SSH access to the console of a pfSense microfirewall on a Mac.