New Shuttle DS67U soho build on 2.3.2-RELEASE

WebSpider

This is to document my new PfSense setup, which is planned to replace a TP-Link 1043 with OpenWRT on it.

I'm going to replace this box for a few reasons:

1. It's starting to die on me, it needs a reboot every 2 weeks or so after about 7 years of loyal service
2. There is a new 500/500 service on my FTTH link, that needs something a bit more beefy
3. I'm going to start using this box as a VPN gateway for my own mobile use, including cell phones, laptops, etc and want some performance
4. My home lab, which is included in several of my customer's POC's is getting a bit annoying to control from a security point of view, so I want to use PfSense to introduce proper VLANing etc.

It has been a few years since I've had any real hands-on experience with PfSense, last time I did anything serious with it was 2011, so I'm using this opportunity to catch up as well ;)

Having said this, this is the configuration the mailman brought in today:

• Shuttle DS67U with:

• Intel Celeron 3855U dual core processor (AES-NI, QuickSync, 32GB RAM max, VT-d onboard)
• Integrated 2x 1Gbit/s LAN (Intel based)
• Integrated WLAN 802.11 b/g/n/ac
• 2x serial port
• M.2 M key 2242
• SD Card reader

• 8GB SO-DIMM DDR3L Crucial memory
• Kingston 120GB SSD (just until I can figure out booting from SDCard)

Right out of the box, the BIOS was outdated, so I updated that to version 1.02 first, it had some fixes for the NICs in them, so it seemed like a sensible thing to do.

I tried the embedded image first on an SD Card, to see what it would do. It would load the bootloader, go on the the kernel, boot it, but unfortunately, the kernel couldn't find a root filesystem. I'm guessing this can be fixed, but I need to do this via serial console probably, since my screen (HDMI) is offset for some reason and missing the first 6 characters of every line.

So, on to the regular installer on a memory stick, and installing on the SSD, which produces the following dmesg, after turning on powerd and aes-ni:

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016
    root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
CPU: Intel(R) Celeron(R) CPU 3855U @ 1.60GHz (1608.06-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x406e3  Family=0x6  Model=0x4e  Stepping=3
  Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x4ffaebbf <sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,sdbg,cx16,xtpr,pdcm,pcid,sse4.1,sse4.2,x2apic,movbe,popcnt,tscdlt,aesni,xsave,osxsave,rdrand>AMD Features=0x2c100800 <syscall,nx,page1gb,rdtscp,lm>AMD Features2=0x121 <lahf,abm,prefetch>Structured Extended Features=0x2942607 <fsgsbase,tscadj,erms,invpcid,nfpusg,rdseed,smap,clflushopt,proctrace>XSAVE Features=0xf <xsaveopt,xsavec,xinuse,xsaves>VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
real memory  = 8589934592 (8192 MB)
avail memory = 8107331584 (7731 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table: <shuttl shuttle="">FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  2
random: <software, yarrow="">initialized
ioapic0 <version 2.0="">irqs 0-119 on motherboard
wlan: mac acl policy registered
iwi_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
iwi_bss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (iwi_bss_fw, 0xffffffff80647bf0, 0) error 1
iwi_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
iwi_ibss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (iwi_ibss_fw, 0xffffffff80647ca0, 0) error 1
iwi_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
iwi_monitor: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (iwi_monitor_fw, 0xffffffff80647d50, 0) error 1
netmap: loaded module
kbd1 at kbdmux0
cryptosoft0: <software crypto="">on motherboard
padlock0: No ACE support.
acpi0: <shuttl shuttle="">on motherboard
acpi0: Power Button (fixed)
cpu0: <acpi cpu="">on acpi0
cpu1: <acpi cpu="">on acpi0
hpet0: <high precision="" event="" timer="">iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 24000000 Hz quality 950
Event timer "HPET" frequency 24000000 Hz quality 550
Event timer "HPET1" frequency 24000000 Hz quality 440
Event timer "HPET2" frequency 24000000 Hz quality 440
Event timer "HPET3" frequency 24000000 Hz quality 440
Event timer "HPET4" frequency 24000000 Hz quality 440
Event timer "HPET5" frequency 24000000 Hz quality 440
Event timer "HPET6" frequency 24000000 Hz quality 440
atrtc0: <at realtime="" clock="">port 0x70-0x77 irq 8 on acpi0
atrtc0: Warning: Couldn't map I/O.
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: <at timer="">port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
pcib0: <acpi host-pci="" bridge="">port 0xcf8-0xcff on acpi0
pci0: <acpi pci="" bus="">on pcib0
vgapci0: <vga-compatible display="">port 0xf000-0xf03f mem 0xde000000-0xdeffffff,0xc0000000-0xcfffffff irq 16 at device 2.0 on pci0
vgapci0: Boot video device
xhci0: <xhci (generic)="" usb="" 3.0="" controller="">mem 0xdf220000-0xdf22ffff irq 16 at device 20.0 on pci0
xhci0: 32 bytes context size, 64-bit DMA
usbus0: waiting for BIOS to give up control
usbus0 on xhci0
pci0: <simple comms="">at device 22.0 (no driver attached)
ahci0: <ahci sata="" controller="">port 0xf090-0xf097,0xf080-0xf083,0xf060-0xf07f mem 0xdf234000-0xdf235fff,0xdf238000-0xdf2380ff,0xdf237000-0xdf2377ff irq 16 at device 23.0 on pci0
ahci0: AHCI v1.31 with 2 6Gbps ports, Port Multiplier not supported
ahcich0: <ahci channel="">at channel 0 on ahci0
ahcich1: <ahci channel="">at channel 1 on ahci0
pcib1: <acpi pci-pci="" bridge="">irq 16 at device 28.0 on pci0
pci1: <acpi pci="" bus="">on pcib1
pci1: <network>at device 0.0 (no driver attached)
pcib2: <acpi pci-pci="" bridge="">irq 16 at device 29.0 on pci0
pci2: <acpi pci="" bus="">on pcib2
igb0: <intel(r) 1000="" pro="" network="" connection,="" version="" -="" 2.5.3-k="">port 0xd000-0xd01f mem 0xdf000000-0xdf01ffff,0xdf020000-0xdf023fff irq 16 at device 0.0 on pci2
igb0: Using MSIX interrupts with 3 vectors
igb0: Ethernet address: 80:ee:73:bd:b7:53
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: netmap queues/slots: TX 2/1024, RX 2/1024
isab0: <pci-isa bridge="">at device 31.0 on pci0
isa0: <isa bus="">on isab0
pci0: <memory>at device 31.2 (no driver attached)
em0: <intel(r) 1000="" pro="" network="" connection="" 7.6.1-k="">mem 0xdf200000-0xdf21ffff irq 16 at device 31.6 on pci0
em0: Using an MSI interrupt
em0: Ethernet address: 80:ee:73:bd:b7:52
em0: netmap queues/slots: TX 1/1024, RX 1/1024
acpi_button0: <sleep button="">on acpi0
acpi_button1: <power button="">on acpi0
acpi_tz0: <thermal zone="">on acpi0
acpi_tz1: <thermal zone="">on acpi0
sc0: <system console="">at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <generic isa="" vga="">at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atkbdc0: <keyboard controller="" (i8042)="">at port 0x60,0x64 on isa0
atkbd0: <at keyboard="">irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
ppc0: cannot reserve I/O port range
est0: <enhanced speedstep="" frequency="" control="">on cpu0
est1: <enhanced speedstep="" frequency="" control="">on cpu1
Timecounters tick every 1.000 msec
random: unblocking device.
usbus0: 5.0Gbps Super Speed USB v3.0
ugen0.1: <0x8086> at usbus0
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
uhub0: 16 ports with 16 removable, self powered
ugen0.2: <dell>at usbus0
ukbd0: <dell 0="" 1="" dell="" usb="" keyboard,="" class="" 0,="" rev="" 1.10="" 3.06,="" addr="">on usbus0
kbd2 at ukbd0
ugen0.3: <generic>at usbus0
ugen0.4: <realtek>at usbus0
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <kingston suv400s37120g="" 0c3fd6sd="">ACS-4 ATA SATA 3.x device
ada0: Serial Number 50026B766502B75B
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
ada0: Command Queueing enabled
ada0: 114473MB (234441648 512 byte sectors)
ada0: Previously was known as ad4
SMP: AP CPU #1 Launched!
Timecounter "TSC" frequency 1608062001 Hz quality 1000
Trying to mount root from ufs:/dev/ufsid/5797fe7b7c2ff707 [rw]...
padlock0: No ACE support.
aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm>on motherboard
pflog0: promiscuous mode enabled
igb0: link state changed to UP</aes-cbc,aes-xts,aes-gcm,aes-icm></kingston></realtek></generic></dell></dell></enhanced></enhanced></at></keyboard></generic></system></thermal></thermal></power></sleep></intel(r)></memory></isa></pci-isa></intel(r)></acpi></acpi></network></acpi></acpi></ahci></ahci></ahci></simple></xhci></vga-compatible></acpi></acpi></at></at></high></acpi></acpi></shuttl></software></version></software,></shuttl></xsaveopt,xsavec,xinuse,xsaves></fsgsbase,tscadj,erms,invpcid,nfpusg,rdseed,smap,clflushopt,proctrace></lahf,abm,prefetch></syscall,nx,page1gb,rdtscp,lm></sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,sdbg,cx16,xtpr,pdcm,pcid,sse4.1,sse4.2,x2apic,movbe,popcnt,tscdlt,aesni,xsave,osxsave,rdrand></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe> 

So, as you can see from pciconf -lv, the WLAN chip is seen, but no device driver seems to attach.

hostb0@pci0:0:0:0:      class=0x060000 card=0x40371297 chip=0x19048086 rev=0x08 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Sky Lake Host Bridge/DRAM Registers'
    class      = bridge
    subclass   = HOST-PCI
vgapci0@pci0:0:2:0:     class=0x030000 card=0x40371297 chip=0x19068086 rev=0x07 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = display
    subclass   = VGA
xhci0@pci0:0:20:0:      class=0x0c0330 card=0x40371297 chip=0x9d2f8086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = serial bus
    subclass   = USB
none0@pci0:0:22:0:      class=0x078000 card=0x40371297 chip=0x9d3a8086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = simple comms
ahci0@pci0:0:23:0:      class=0x010601 card=0x40371297 chip=0x9d038086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = mass storage
    subclass   = SATA
pcib1@pci0:0:28:0:      class=0x060400 card=0x40371297 chip=0x9d148086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    class      = bridge
    subclass   = PCI-PCI
pcib2@pci0:0:29:0:      class=0x060400 card=0x40371297 chip=0x9d188086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    class      = bridge
    subclass   = PCI-PCI
isab0@pci0:0:31:0:      class=0x060100 card=0x40371297 chip=0x9d438086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = bridge
    subclass   = PCI-ISA
none1@pci0:0:31:2:      class=0x058000 card=0x40371297 chip=0x9d218086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = memory
none2@pci0:0:31:4:      class=0x0c0500 card=0x40371297 chip=0x9d238086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = serial bus
    subclass   = SMBus
em0@pci0:0:31:6:        class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection I219-LM'
    class      = network
    subclass   = ethernet
none3@pci0:1:0:0:       class=0x028000 card=0x882110ec chip=0x882110ec rev=0x00 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8821AE 802.11ac PCIe Wireless Network Adapter'
    class      = network
igb0@pci0:2:0:0:        class=0x020000 card=0x40371297 chip=0x15398086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet

It's an RTL8821AE, so I wasn't getting my hopes up. If someone has an RTL8821 working, it would be great to learn how you did it.

Also, I still need to enable things like TRIM, and do performance measurements to and through the device, and offcourse power measurements .. I won't be bored anytime soon :)

Update: TRIM done!

WebSpider

Just did the OpenVPN timing estimations:

[2.3.2-RELEASE][admin@hostname]/root: time openvpn –test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-256-cbc
17.835u 0.779s 0:18.71 99.4%    742+178k 0+0io 0pf+0w

( 3200 / 18.71 ) => 171Mbps OpenVPN performance (estimated)

[2.3.2-RELEASE][admin@hostname]/root: time openvpn –test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-128-cbc
17.767u 0.684s 0:18.47 99.8%    742+178k 0+0io 0pf+0w

( 3200 / 18.47 ) =>  173Mbps OpenVPN performance (estimated)

mauroman33

Congrats, it seems an interesting device.
May I ask the CPU temperature at idle and at full load? And of course, the average temperature of the room.

WebSpider

@mauroman33:

May I ask the CPU temperature at idle and at full load? And of course, the average temperature of the room.

Absolutely, I'll add it to my list :)

lansmurf

@WebSpider:
Absolutely, I'll add it to my list :)

What is the status of your DS67U? Have you made the temp measurements?
I'm also interested in the  Shuttle DS67U since I think it's a good alternative for the Zotac CI325 which has Realtek nics. The CPU's on both devices are more / less equivalent.

headhunter_unit23

Hi lansmurf,

I purchased a DS67U3 4 days ago for one of my customers. The temperature thing interested me too.

Config:

• DS67U3 (i3-6100U)
• 1x 8GB RAM module
• 1x 1TB 2.5 HDD
• aw-cb209nf wifi
• 2x intel nics
  -      BIOS: 1.03

I used Knoppix Live CD and ran a few commands to read the CPU temp while a few loops were pushing the CPU cores to the max.

Testing environment: SOHO room, 25 degrees celcius, DS67U3 not under direct sunlight

CPU temp while idle in BIOS: 39 to 41 degrees Celsius

CPU under heavy load: 49 to 53 degrees Celsius stabilizing around 51 – 52 degrees Celsius after 2 minutes.

Sadly I cannot give you temperatures while running pfSense with some OpenVPN site-to-site connections as the computer is running esxi 6.5 standalone and it’s unable to return sensors data.

PROs: the perfect SOHO firewall appliance, vtx, vt-d, intel nics, powerful, silent, compact, cool.
CONs: no IPMI, aw-cb209nf not recognized by pfSense