Success installing on Netgate SG-4860?

Started by crankypants, January 25, 2018, 01:05:04 AM

After reading today about the various shenanigans with Netgate and pfSense, which until today I was completely oblivious to, I'm looking to move away from the pfSense platform. This has led me here. I'm not interested in purchasing new hardware right now and have largely been unsuccessful in determining if OPNsense can be installed on the SG-4860 or if this is even recommended.

I'm handy with the command line with plenty of *nix experience so a bit of effort isn't a problem.

January 28, 2018, 11:17:55 AM #1 Last Edit: January 28, 2018, 11:22:46 AM by pylox
Hi crankypants,

The SG-4860 works perfectly for me (with OPNsense). It can be a little bit tricky to configure the serial port. If I remember right, the tips for OPNsense on the Netgate homepage worked only until v16.x.

After some trials I found a way for me to get the "lights on":

1. Create a USB-stick with OPNsense serial (amd64)
2. Mount this USB stick on any other running FreeBSD device and navigate into /boot on USB-stick
3. Edit or create (if not there) a file "loader.conf.local" and put the following lines in it:


hint.uart.0.flags=0x0
hint.uart.1.flags=0x10
comconsole_speed="115200"
comconsole_port="0x2F8"
console="comconsole"
kern.cam.boot_delay="10000"


4. Save file and unmount USB stick
5. Put USB stick in your Netgate SG-4860 and boot - et voila....

The SG-4860 is running without issues/problems for over 1,5 years now.

have fun,
regards pylox
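
Steps 3 and 4 of the procedure above as a script; this is an added example, not part of pylox's post. It merges the six settings into `loader.conf.local` without duplicating keys that are already set, and assumes the USB stick is already mounted, with its `/boot` directory passed as the argument (a path such as `/mnt/boot` is an assumption).

```shell
#!/bin/sh
# Added example: merge the serial-console settings from the post into
# <boot-dir>/loader.conf.local, replacing keys that are already present.
# Assumption: <boot-dir> is /boot on the already-mounted USB stick;
# mounting and unmounting are not done here.

SETTINGS='hint.uart.0.flags=0x0
hint.uart.1.flags=0x10
comconsole_speed="115200"
comconsole_port="0x2F8"
console="comconsole"
kern.cam.boot_delay="10000"'

apply_serial_console() {
    boot_dir=$1
    conf="$boot_dir/loader.conf.local"
    [ -d "$boot_dir" ] || { echo "not a directory: $boot_dir" >&2; return 1; }
    [ -f "$conf" ] || : > "$conf"      # create the file if it is not there
    tmp="$conf.tmp.$$"
    # First input (stdin) lists the keys we set; second input is the
    # existing file. Keep every existing line whose key we do not set,
    # so unrelated local tunables and comments survive.
    printf '%s\n' "$SETTINGS" | awk -F= '
        NR == FNR { want[$1] = 1; next }
        { key = $1; gsub(/[ \t]/, "", key) }
        !(key in want)
    ' - "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Append the settings from the post, then replace the file in one step.
    printf '%s\n' "$SETTINGS" >> "$tmp"
    mv "$tmp" "$conf"
}

# Stand-alone use: sh script.sh /path/to/usb/boot
if [ $# -gt 0 ]; then
    apply_serial_console "$1"
fi
```

Running it twice leaves the file unchanged after the first run, so it is safe to re-apply after an image rewrite.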


There are more defectors every day because of their 'shenanigans'. And OPNsense is getting better every day. In my opinion, OPNsense is a superior product anyway. You made a wise decision.

January 28, 2018, 11:58:26 PM #3 Last Edit: January 29, 2018, 12:57:33 AM by crankypants
@pylox - Thanks! I'm completely migrated to OPNsense 17.7.517.7.12.

@pylox
Thank you for your instructions; I was able to convert my SG-2440 pfSense 2.4.2 to OPNsense 18.1 without issues!

February 21, 2018, 10:45:49 PM #5 Last Edit: February 22, 2018, 12:53:33 AM by nitro
I have just joined OPNsense too, and like you I was looking at the SG-4860, but at $700+ it seemed expensive (and it's also a Netgate product, and those are the last people I wanted to give my money to lol)

If you look around you find Supermicro servers, or perhaps even build your own mini-ITX box with this:

https://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2558F.cfm

I'm in the UK and I could only find the 8-core version (C2758), but I found it at half the price of the SG-4860.


February 22, 2018, 04:04:36 PM #6 Last Edit: February 25, 2018, 06:31:05 PM by dcol
I use a Supermicro 5018A-FTN4 that has an A1SRI-2758F motherboard for one of my OPNsense boxes, in dev now. Seems to be a very stable choice with 8 cores @2.40GHz and ECC memory. Also I like the short profile for a smaller rack. Has 4 igb NIC ports plus one IPMI NIC port and one PCIe slot. Personally I prefer IPMI over a serial console, although there is a serial port on the unit. Unit also has two USB 3.0 and two USB 2.0 ports and one VGA plus status lights. I can testify that this box works great with OPNsense.

You can use the PCI-e slot to add 4 more NICs with an i350-T4, or do what I did and use a PCIe removable disk caddie so I can replace the SSD drive without opening the cabinet.

Suggestion if you get this unit. Buy the memory on eBay. Can be quite expensive elsewhere. Uses SO-DIMM PC3L-12800 ECC unregistered/unbuffered. Bought two 8GB Kingston KVR16LSE11 for $100 on eBay.
MT18KSF1G72HZ-1G6 is also tested by me to work which I saw for $65 each on eBay.
Also does NOT come with a disk mounting bracket. Which you can get on Amazon or cheaper on eBay.
For single drive height, part # MCP-220-00051-0N
For double drive height, part # MCP-220-00044-0N

Be advised that this unit will take some time to boot up for the first time. Be patient. I think it is testing ECC memory. Subsequent boots are faster.

And the best part is, for under $700 no Netgate.

IPMI is not exactly what I would want to have on a perimeter firewall

https://www.itworld.com/article/2708437/security/ipmi--the-most-dangerous-protocol-you-ve-never-heard-of.html

Or am I missing something?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

February 22, 2018, 06:13:24 PM #8 Last Edit: February 22, 2018, 06:16:04 PM by dcol
I would never suggest opening up IPMI or SSH to the world. I have specific rules in place so only certain IPs have access. No back doors. That report was intended for people who let IPMI security slip by them.

Sorry, not intended to hijack this thread, but this IPMI reminds me of the Intel Management Engine / Trusted stuff which Google and friends are trying to rip out of their machines as they don't trust them a single millimetre...

Do you think you can control this kind of weird networking stuff?
kind regards
chemlud

How is IPMI weird? It's just another NIC port that you have full control over how you use it. If you leave it open, shame on you. The benefits of a properly set up IPMI far outweigh any risks. That article really spooked you.

March 01, 2018, 07:53:48 PM #11 Last Edit: March 01, 2018, 09:41:26 PM by dcol
[UPDATE]
If you obtain any system that uses an Atom C2000 series processor, including the Supermicro 5018A-FTN4, be advised there is a bug in the Intel CPU that may render the unit inoperable after 18 months of use. This is known as the AVR54 Errata and is fixed in stepping C0 of the processor. So just make sure either you are getting a unit with the fix or the manufacturer has a policy to repair it. With Supermicro, anything shipped after the spring of 2017 should be ok and you can RMA anything prior to this. But if you buy used, just be advised.
See here https://www.servethehome.com/intel-atom-c2000-series-bug-quiet/

I have checked with Supermicro on my two 5018A-FTN4s and they both have the AVR54 fix.

Supermicro has released the 5019A-FTN4, which uses Atom C3728, has an M.2 SSD socket and uses standard DDR4 ECC/Non-ECC DIMMs up to 128GB. Not that you need that much memory for an OPNsense box.

Hi,

Is the SG-2440 still available somewhere? Officially it is end of sale :-(

Quote from: pylox on January 28, 2018, 11:17:55 AM
After some trials I found a way for me to get the "lights on":

1. Create a USB-stick with OPNsense serial (amd64)
2. Mount this USB stick on any other running FreeBSD device and navigate into /boot on USB-stick
3. Edit or create (if not there) a file "loader.conf.local" and put the following lines in it:


hint.uart.0.flags=0x0
hint.uart.1.flags=0x10
comconsole_speed="115200"
comconsole_port="0x2F8"
console="comconsole"
kern.cam.boot_delay="10000"


4. Save file and unmount USB stick
5. Put USB stick in your Netgate SG-4860 and boot - et voila....

The SG-4860 is running without issues/problems for over 1,5 years now.

have fun,
regards pylox

Hi... attempting the same with an FW-7541... I'm a Debian guy and am having the hardest time trying to figure out how to mount the USB within FreeBSD... I have it on my test OPNsense box but can't seem to figure out the partition structure of the USB... fdisk /dev/ad0 reports that partitions 1-3 are UNUSED and that partition 4 is used... I try to mount /dev/ad0s4 /mnt/ and it's erroring...

Any pointers?

Jump ahead another day...
I've ripped my backup 7541 apart to look for a VGA pinout on the MB (which I found, but it's non-standard and the part is apparently discontinued) and to my surprise there are a couple of SATA headers. If I pull the drive from the NUC I've been testing OPNsense with and throw it in the 7541, what are the odds that the WAN and LANs will actually grab IPs from the config when it's totally new hardware and waaaay more NIC ports?
I'll try it and attach a console cable, but I wish there was an easy way to mount the USB bootable and edit as listed above...