Sophos has great networking equipment. Also, Sophos actively encourages their customers to upgrade to newer models. Older models, while still serviceable, periodically go out of support. Specifically, XG 85, SG 105, and XG 105 (and their wireless counterparts) went out of support in August 2022. All other XG and SG models technically remain in support until March 2025, but Sophos still encourages upgrades to the newer XGS family models. So the secondary market is seeing quite an influx of commercial-grade equipment capable of running OpenWrt, OPNsense, or pfSense.

OpenWrt installs without a problem on any Sophos SG or XG device. pfSense and OPNsense generally install without a hitch, but there are two models that are sort of cursed. They are SG 105 and SG 115 (we've also seen it on some XG 105 units, so it's possible it exists on some XG 115 units as well). Revisions 1 and 2 of both models simply freeze in early stages of installation. So we were genuinely stoked when we discovered a fix for this seemingly insurmountable problem. Here's how it works when installing pfSense using the VGA installer (i.e., with monitor and keyboard attached to the router); there might be minor variations if using the console installer.

Start by connecting installation media (usually, a USB stick) to the router while it's powered off. Turn the router on and repeatedly press Del on the keyboard to enter the BIOS (when using console, Tab or Esc may work better for this purpose). In BIOS, navigate to Advanced >> USB Configuration and set Port 60/64 emulation to Disable. Then save and exit by pressing F4 (if using console, you may have to use menus instead). The router will proceed to the boot sequence.

When you see the initial pfSense installation screen (the one that says Welcome to pfSense and has numerical menu entries, see image above), press 3 to escape to the bootloader's command prompt. At the command prompt, enter two commands:

set kern.vty="sc"
boot

pfSense will install normally. At the end of installation, as usual, there will be the Manual Configuration dialog. When you see it, choose Yes to get command prompt.

At the prompt, run:

vi /boot/loader.conf

This will open the bootloader configuration file for editing. When the file opens, press i to go into the editing (or insert, hence, i) mode and add a new line to the end of the file:

kern.vty="sc"

(Here, we're saving for future use the configuration directive we used at installation.)

Save and exit (press Esc to return to the read-only mode, then type :x). If you want to make sure your edits were saved, output the bootloader configuration file to screen and see if they are present:

cat /boot/loader.conf

Halt the router by issuing the halt command, unplug the device from power, remove the installation media, and plug the router back in. pfSense should start normally and proceed to the standard first boot sequence.

But why?

Here's the best after-the-fact explanation of the problem we could think of.

Both parts of this fix have to do with the human interface. Port 60/64 emulation is a BIOS feature that makes the system believe it has a PS/2 keyboard and mouse attached, even though the keyboard and mouse are actually USB. Setting kern.vty="sc" tells FreeBSD (the OS underneath pfSense) to use the legacy syscons console driver instead of the default vt driver (kern.vty="vt"), which is the one that drives the UEFI framebuffer console. So unless port 60/64 emulation is disabled and kern.vty="sc" is set, something breaks in how pfSense interacts with the system's BIOS (we noticed that the problem seems confined to units with BIOS version 2.16), and pfSense freezes. BIOS version 2.17 and newer seems to be free of this problem, but SG models (revisions 1 and 2) have never received this BIOS update. This is why we see the problem on the SG series all the time, but only sometimes on XG models; those can have their BIOS updated to 2.17 or 2.18...

A few months later...

After pfSense 2.7 was released, we were able to confirm that the manual edits to /boot/loader.conf survived the version upgrade. At the same time, a fresh installation of pfSense 2.7 required a slight modification to the installation procedure. Apparently, pfSense 2.7 keeps /boot/loader.conf read-only during installation, so edits to it made during installation cannot be saved. Not a huge problem; the edits can be made after the first boot. To get through the first boot, however, the boot configuration directives entered manually at installation must be entered again at the first boot. We cover the revised installation procedure in a separate note.
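The vi edit from the installation walkthrough, and the same edit done after the first boot on pfSense 2.7, both amount to "make sure kern.vty="sc" is in the loader configuration exactly once". Here is that step as a small POSIX sh script that can be run from the pfSense shell. This is an added example written for this note, not code from the original post or from the pfSense project; the function names, the --apply switch, and the sample tunable autoboot_delay in the comments are our own choices, and the target file path is passed in as an argument so the same helper works for /boot/loader.conf or for /boot/loader.conf.local.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently set a loader
# tunable in a FreeBSD/pfSense loader configuration file and verify it.
#
# Usage: ensure_loader_tunable <file> <name> <value>
# Example: ensure_loader_tunable /boot/loader.conf.local kern.vty sc
ensure_loader_tunable() {
    file="$1"; name="$2"; value="$3"
    line="${name}=\"${value}\""

    # Create the file if it does not exist yet (loader.conf.local often does not).
    [ -f "$file" ] || : > "$file"

    # Already present with exactly the wanted value: nothing to do.
    if grep -qxF "$line" "$file"; then
        return 0
    fi

    # Present with a different value: drop the old line(s) first so the
    # file never carries two conflicting settings for the same tunable.
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"
        grep -v "^${name}=" "$file" > "$tmp"
        mv "$tmp" "$file"
    fi

    # Append the wanted setting on its own line.
    printf '%s\n' "$line" >> "$file"
}

# Verification helper, equivalent to the "cat /boot/loader.conf" check in
# the walkthrough: succeeds only if the tunable appears exactly once with
# the wanted value.
loader_tunable_ok() {
    file="$1"; name="$2"; value="$3"
    [ "$(grep -c "^${name}=\"${value}\"\$" "$file")" -eq 1 ]
}

# Stand-alone use on the router: ./fix-vty.sh --apply [file]
# (defaults to /boot/loader.conf.local; run as root).
if [ "${1:-}" = "--apply" ]; then
    target="${2:-/boot/loader.conf.local}"
    ensure_loader_tunable "$target" kern.vty sc
    loader_tunable_ok "$target" kern.vty sc && echo "kern.vty=\"sc\" is set in $target"
fi
```

Running the script a second time leaves the file unchanged, and setting a different value (say, kern.vty="vt" to back the change out) replaces the old line instead of adding a second one. As a design choice, we default to /boot/loader.conf.local: pfSense documentation recommends that file for custom loader tunables because the system manages /boot/loader.conf itself, which fits the observation above that 2.7 keeps loader.conf read-only during installation.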
