I've got 99 problems, but a switch ain't one.

If you’re havin’ loop problems I feel bad for you son, I got 99 problems but a switch ain’t one.

The SoC used for the SG-1000 (also known as “uFW”) includes an on-die 3 port gigabit Ethernet switch. By leveraging VLANs, it’s possible to build a ‘router on a stick’ on one board. In order to make this switch as functional as possible, we decided to leverage the FreeBSD etherswitch(4) framework. Support for the on-die switch on SG-1000 was directly upstreamed to FreeBSD in revision 309113.

Support for this framework then needed to be added to pfSense. Support was first added to the PHP module that provides the glue layer between FreeBSD and PHP, via a series of commits. Here are two of them: 1 2. Once this was done, we could start designing the components of the web GUI. Switch_system.php shows which switches are attached to the system. It has no controls.

Interfaces > Switch > System

Switch_ports.php shows the ports available on the selected switch. Since the SG-1000 only has one switch, the selector that allows you to choose which switch you are looking at is hidden.

Interfaces > Switch > Ports

Multiple switches attached to one firewall cause a selector to appear so you can choose which one to work on. Obviously there is only one switch on the SG-1000, but I’ve faked things here (“cd /dev; ln -s etherswitch0 etherswitch1”) to show the selector, and in order to show that we’re “thinking forward”.

Interfaces > Switch > VLANs (1)

The VLAN page allows you to view/create/edit a VLAN.

Interfaces > Switch > VLANs

Switch_vlans_edit.php allows you to create or edit a VLAN. Clicking on any port in the “Available ports” column adds it to, or deletes it from, the “members” list. While we accommodate up to 128 ports, this is an SG-1000, so there are only 3 ports to choose from. There is some pretty fancy jQuery in this page.

Interfaces > Switch > VLANs > Edit

The SG-1000 is not the only product we have coming that has built-in switches. Here is a sneak peek at another.

sneak peek

The systems you see in this photo are a Broadwell-DE with either 6 x 10G on SFP+ on top (bcc-1) or 16 x 1G on RJ45 (with 2 x 10Gbps uplinks), plus 4 x 10G on SFP+ on bottom (bcc-0). Both systems additionally have 2 x 1Gbps Ethernet ports on SFP, as well as redundant power, 2 x M.2, miniPCIe, 4 x SATA3 as 2.5” drives, and a PCIe 3.0 x16 slot for expansion. Both of these have QuickAssist cards installed, enabling high-speed encryption and compression, but bypass NICs (for IDS/IPS) will likely prove popular as well.

Both also contain a “uBMC”, which is remarkably similar to the SG-1000, and runs pfSense with support for our coming (but unannounced) remote management product. In fact, the germination of the SG-1000 occurred because of uBMC. We noticed that a lot of people (including us) use pfSense to control access to the IPMI/BMC ports on their servers in colocation, so we thought, “Why not put pfSense in the BMC?”

Of course, since pfSense software is open source, this means that you’re no longer beholden to your IPMI vendor for security patches and updates. More details on those systems, uBMC and the remote management product will be provided in future posts.