OPNsense Forum
English Forums => Hardware and Performance => Topic started by: crankypants on January 25, 2018, 01:05:04 am
-
After reading today about the various shenanigans with Netgate and pfSense, which until today I was completely oblivious to, I'm looking to move away from the pfSense platform. This has led me here. I'm not interested in purchasing new hardware right now and have largely been unsuccessful in determining if OPNsense can be installed on the SG-4860 or if this is even recommended.
I'm handy with the command line with plenty of *nix experience so a bit of effort isn't a problem.
-
Hi crankypants,
the SG-4860 works perfect for me (with opnsense). It could be a little bit tricky to configure the serial port. If i'am remember right the tips for OPNsense at netgate homepage worked only until v16.x .
After some trials i found a way for me to get the "lights on":
1. Create a USB-stick with OPNsense serial (amd64)
2. Mount this USB stick on any other running FreeBSD device and navigate into /boot on USB-stick
3. Edit or create (if not there) a file "loader.conf.local" and put the following lines in it:
hint.uart.0.flags=0x0
hint.uart.1.flags=0x10
comconsole_speed="115200"
comconsole_port="0x2F8"
console="comconsole"
kern.cam.boot_delay="10000"
3. Save file and unmount USB stick
4. Put USB stick in your Netgate SG-4860 and boot - et voila....
The SG-4860 is running without issues/problems for over 1,5 years now.
have fun,
regards pylox
-
There are more defectors every day because of their 'shenanigans'. And OPNsense is getting better everyday. In my opinion, OPNsense is a superior product anyway. You made a wise decision.
-
@pylox - Thanks! I'm completely migrated to OPSsense
17.7.517.7.12.
-
@pylox
Thank you for your instructions; I was able to convert my SG-2440 pfSense 2.4.2 to OPNsense 18.1 without issues!
-
I have just joined opnsense too, and like you I was looking at the SG-4860 but at $700+ it seemed expensive (and its also a netgate product, and those are the last people I wanted to give my money too lol)
if you look around you find supermicro servers or perhaps even build your own mini itx box with this:
https://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2558F.cfm
Im in the UK and I could only find the 8core version (c2758) but I found it at half the price of the SG-4860.
-
I use a Supermicro 5018A-FTN4 that has a A1SRI-2758F motherboard for one of my OPNsense boxes, in dev now. Seems to be a very stable choice with 8 cores @2.40Ghz and ECC memory. Also I like the short profile for a smaller rack. Has 4 igb NIC ports plus one IPMI NIC port and one PCIe slot. Personally I prefer IPMI over a serial console although there is a serial port on the unit. Unit also has two USB 3.0 and two USB 2.0 ports and one VGA plus status lights. I can testify that this box works great with OPNsense.
You can use the PCI-e slot to add 4 more NICs with an i350-T4, or do what I did and use a PCIe removable disk caddie so I can replace the SSD drive without opening the cabinet.
Suggestion if you get this unit. Buy the memory on eBay. Can be quite expensive elsewhere. Uses SO-DIMM PC3L-12800 ECC unregistered/unbuffered. Bought two 8GB Kingston KVR16LSE11 for $100 on eBay.
MT18KSF1G72HZ-1G6 is also tested by me to work which I saw for $65 each on eBay.
Also does NOT come with a disk mounting bracket. Which you can get on Amazon or cheaper on eBay.
For single drive height, part # MCP-220-00051-0N
For double drive height, part # MCP-220-00044-0N
Be advised that this unit will take some time to boot up for the first time. Be patient. I think it is testing ECC memory. Subsequent boots are faster.
And the best part is, for under $700 no Netgate.
-
IPMI is not exactly what I would want to have on a perimeter firewall
https://www.itworld.com/article/2708437/security/ipmi--the-most-dangerous-protocol-you-ve-never-heard-of.html
Or am I missing something?
-
I would never suggest opening up IPMI or SSH to the world. I have specific rules in place so only certain IP's have access. No back doors. That report was intended for people who let IPMI security slip by them.
-
Sorry, not intended to hijack this thread, but this IPMI reminds me of the Intel Management Engine /Trusted stuff which Google and friends is trying to rip out of their machines as they don't trust them a single millimetre...
Do you think you can control this kind of weird networking stuff?
-
How is IPMI weird? It's just another NIC port that you have full control over how you use it. If you leave it open, shame on you. The benefits of a properly setup IPMI far outweigh any risks. That article really spooked you.
-
[UPDATE]
If you obtain any system that uses an Atom C2000 series processor, including the Supermicro 5018A-FTN4, be advised there is a bug in the Intel CPU that may render the unit inoperable after 18 months of use. This is known as the AVR54 Errata and is fixed in stepping C0 of the processor. So just make sure either you are getting a unit with the fix or the manufacturer has a policy to repair it. With Supermicro, anything shipped after the spring of 2017 should be ok and you can RMA anything prior to to this. But if you buy used, just be advised.
See here https://www.servethehome.com/intel-atom-c2000-series-bug-quiet/ (https://www.servethehome.com/intel-atom-c2000-series-bug-quiet/)
I have checked with Supermicro on my two 5018A-FTN4's and they both have the AVR54 fix.
Supermicro has released 5019A-FTN4 which uses Atom C3728, has an M.2 SSD socket and uses standard DDR4 ECC/Non-ECC DIMM's up to 128GB. Not that you need that much memory for an OPNsense box.
-
Hi,
is the SG-2440 still available somewhere?Officially it is end of sale :-(
-
After some trials i found a way for me to get the "lights on":
1. Create a USB-stick with OPNsense serial (amd64)
2. Mount this USB stick on any other running FreeBSD device and navigate into /boot on USB-stick
3. Edit or create (if not there) a file "loader.conf.local" and put the following lines in it:
hint.uart.0.flags=0x0
hint.uart.1.flags=0x10
comconsole_speed="115200"
comconsole_port="0x2F8"
console="comconsole"
kern.cam.boot_delay="10000"
3. Save file and unmount USB stick
4. Put USB stick in your Netgate SG-4860 and boot - et voila....
The SG-4860 is running without issues/problems for over 1,5 years now.
have fun,
regards pylox
Hi... attempting the same with an FW-7541... I'm a debian guy and am having the hardest time trying to figure out how to mount the USB within freeBSD... I have it on my test opnSense box but can't seem to figure out the partition structure of the USB... fdisk /dev/ad0 reports that partitions 1-3 are UNUSED and that partition 4 is used... I try to mount /dev/ad0s4 /mnt/ and it's erroring...
Any pointers?
-
Jump ahead another day...
I've ripped my backup 7541 apart to look for a VGA pinout on the MB (which I found but it's non-standard and the part is apparently discontinued) and to my surprise there are a couple of sata headers. If I pull the drive from the NUC I've been testing opnsense with and throw it in the 7541 what are the odds that the WAN and LANs will actually grab ips from the config when it's totally new hardware and waaaay more NIC ports?
I'll try it and attach a console cable but I wish there was an easy way to mount the USB bootable and edit as listed above...
-
if it gets as far as login, you could always then try logging in as installer....maybe?
Let me modify that as you've got no terminal... ( idiot to self ) :-X
-
if it gets as far as login, you could always then try logging in as installer....maybe?
Let me modify that as you've got no terminal... ( idiot to self ) :-X
So the hard drive freezes during the boot but I did see the ascii art boot options, etc. so I tried the vanilla serial based USB key. Bad news, this box forced the SATA to boot and I can't seem to change the boot order (locked by bios) nor get up a bios boot selector.
Semi decent news, the USB on it's own does not lock and it get's to the installer... Now I've attached a SATA to the second USB port and am walking through a setup... fingers double crossed...
-
Ok... got it.
So with the latest (18.1) serial usb bootable attached to one USB port and a usb to SATA drive on the other so long as I had it in the order where the USB installer was the ZEROth device, it booted and I was able to install to the other USB drive.
After the initial install I removed the USB key and put that SATA drive on the MB Sata port and booted. Trial and error to config the WAN/LAN (I have 6 ports here) and voila...
So I guess the lesson here is that perhaps you no longer need to edit anything on the /boot dir of the serial bootable installer. At least on this particular NETGATE/Lanner hardware I didn't need to.
::thumbs waaay up!::
-
Well done... Do you want to post that on the pf hardware forum just to let people know? 8)
However you are probably in breech of something somewhere,,
-
4. Put USB stick in your Netgate SG-4860 and boot - et voila....
With regards to this step, are you inserting this stick after you have already installed OPNsense on the Negate? I don't understand what inserting this stick with the modified file is actually doing, is it just updating the file already on the Netgate or are you installing OPNsense fresh/again?
-
Hi EMTSU,
these steps are to modify an OPNsense serial image on an USB stick. The modification (loader.conf.local) allow to properly use the NETGATE usb-serial interface. In my case it was a NETGATE SG-4860.
After this you can boot and install OPNsene on NETGATE from prepared image. Like i mentioned in the other thread: the NETGATE SG-5100 is quite very new !
Possible it will work only from FreeBSD 11.2 (OPNsense 19.1) because of some hardware incompatibilities.
regards pylox
-
I was able to get installed on the 2440. I went out on the WayBack Machine and found the old guide. Pretty helpful. https://web.archive.org/web/20160417072530/http://www.netgate.com/docs/rcc-ve-2440/opnsense.html
Was thinking asking if you all would like me to post the process I used. The issue I had with the Serial port is it was locked on the Pfsense device.
from the guide on the WayBack Machine.
Changing the option to enable or disable password protection on the console menu in the OPNsense GUI will not work since this has the effect of altering /etc/ttys for the entries of ttyv0 and ttyu0 when the system console actually runs on ttyu1. Modify the ttys file to enable the correct serial port. In OPNsense, console password protection is enabled by default. Run the appropriate command based on whether password protection enabled or disabled:
mv /etc/ttys /etc/ttys.orig
To disable password protection:
echo 'ttyu1 "/usr/libexec/getty al.115200" vt100 onifconsole secure' > /etc/ttys
-
All:
I am sorry I was rude. I am new here. I am a convert from pfsense. I am nobody special. Just an old nerd from Tennessee. I love packets, shells, and scripts 8) All things tech are my happy place.
I like friendly forums and you all seem great. I have lurked for awhile. I love the direction OPNsense is going. Did not see a intro forum so here as good as any I suppose..
-
Welcome, Brent! <3
PS: /etc/tty overwrites on boot for safety / recovery reasons. Maybe we need to find a more permanent solution.
-
Welcome, Brent! <3
PS: /etc/tty overwrites on boot for safety / recovery reasons. Maybe we need to find a more permanent solution.
Thanks Franco
Looking forward to all of your help and all the future development..