pfSense installed on Cisco ASA 5512-x
-
I want to share my experience so far and also provide some pictures of the BIOS.
You will need a 16pin female to 15pin male VGA adapter and a USB keyboard.
The BIOS has an option to disable/enable the ROMMON Boot and then you can add a USB stick as first boot media.
What works:
All interfaces, including management port. em0-6 (em6 being the MGMT port)
Memory is detected and works fine.
The extra SSD is detected and can be installed to.
SpeedStep works for the Intel Pentium CPU.
The hardware crypto module is not supported (CE), showing as inactive on the dashboard.
PowerD detects two C-States 1 and 2, but scales the frequencies well.
The fan speed cannot be controlled, not in the BIOS and even IPMI cannot change this -> not writable.
Since the CPU is mostly in C1, running at 1.1 GHz and under ~30C, I will see if I can hardware slow down the fans to spin at 3000 RPM instead of 6000 RPM. I want to add a cable in between to reduce the voltage going to the fans.
p.s. and you need a 60" television :D
-
@disi1 said in pfSense installed on Cisco ASA 5512-x:
The hardware crypto module is not supported (CE), showing as inactive on the dashboard.
You mean AES-NI? Probably just needs to be enabled in Sys > Adv > Misc.
Steve
-
@stephenw10 It is enabled AES-NI and BSD Crypto, but shows inactive on the dashboard.
A Cavium device shows on PCI17:
em5@pci0:15:0:0: class=0x020000 rev=0x00 hdr=0x00 vendor=0x8086 device=0x10d3 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = '82574L Gigabit Network Connection'
    class      = network
    subclass   = ethernet
none1@pci0:17:0:0: class=0x100000 rev=0x01 hdr=0x00 vendor=0x177d device=0x0010 subvendor=0x177d subdevice=0x0001
    vendor     = 'Cavium, Inc.'
    device     = 'CN15XX/CN16XX [Nitrox PX]'
    class      = encrypt/decrypt
    subclass   = network/computer crypto
I get this during boot for PCI17:
pcib17: <ACPI PCI-PCI bridge> irq 17 at device 28.0 on pci0
pci15: <ACPI PCI bus> on pcib17
pci15: <encrypt/decrypt, network/computer crypto> at device 0.0 (no driver attached)
pcib18: <ACPI PCI-PCI bridge> irq 17 at device 28.4 on pci0
pci16: <ACPI PCI bus> on pcib18
em6: <Intel(R) Gigabit CT 82574L> port 0xe000-0xe01f mem 0xfba00000-0xfba1ffff,0xfba20000-0xfba23fff irq 16 at device 0.0 on pci16
em6: EEPROM V2.1-0
em6: Using 1024 TX descriptors and 1024 RX descriptors
em6: Using 2 RX queues 2 TX queues
em6: Using MSI-X interrupts with 3 vectors
em6: Ethernet address: ac:f2:c5:ed:6e:27
em6: netmap queues/slots: TX 2/1024, RX 2/1024
pcib19: <ACPI PCI-PCI bridge> irq 16 at device 28.5 on pci0
pci17: <ACPI PCI bus> on pcib19
pcib20: <PCI-PCI bridge> irq 17 at device 0.0 on pci17
Here the lscpu:
Architecture:        amd64
Byte Order:          Little Endian
Total CPU(s):        2
Thread(s) per core:  1
Core(s) per socket:  2
Socket(s):           1
Vendor:              GenuineIntel
CPU family:          6
Model:               37
Model name:          Intel(R) Pentium(R) CPU G6950 @ 2.80GHz
Stepping:            5
L1d cache:           32K
L1i cache:           32K
L3 cache:            3M
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 cflsh ds acpi mmx fxsr sse sse2 ss htt tm pbe sse3 dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid popcnt syscall nx rdtscp lm lahf_lm
-
Ah, OK. Yes that's an older Pentium, no AES-NI. And there's no driver for those Cavium crypto chips AFAIK. They never made it open source. A while back I spent some time looking into it but it seems impractical.
You could probably swap out that CPU for one that does have AES-NI if you find you need more crypto capability. The i5-650 is basically scrap gold cost at this point.
-
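As an added example (not part of the original posts): a small sh script that reads the two outputs posted above the same way, listing encryption-class PCI functions that no driver has claimed and checking the CPU flags for AES-NI. The function names are hypothetical, and the sample text is abridged from the output in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Sample text is abridged from the
# pciconf and lscpu output posted above.
sample_pciconf() {
cat <<'EOF'
em5@pci0:15:0:0: class=0x020000 rev=0x00 hdr=0x00 vendor=0x8086 device=0x10d3
    vendor     = 'Intel Corporation'
    device     = '82574L Gigabit Network Connection'
none1@pci0:17:0:0: class=0x100000 rev=0x01 hdr=0x00 vendor=0x177d device=0x0010
    vendor     = 'Cavium, Inc.'
    device     = 'CN15XX/CN16XX [Nitrox PX]'
    class      = encrypt/decrypt
EOF
}
sample_lscpu() {
cat <<'EOF'
Model name:  Intel(R) Pentium(R) CPU G6950 @ 2.80GHz
Flags:       fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 cx16 popcnt nx lm
EOF
}

# Reads `pciconf -lv` text on stdin. Prints "selector: device name" for every
# PCI base class 0x10 (encryption controller) function whose driver name is
# "noneN", i.e. nothing attached to it.
unclaimed_crypto() {
    awk -v q="'" '
        /^[^ \t]/ {
            hit = ($1 ~ /^none[0-9]+@/ && $0 ~ / class=0x10[0-9a-f][0-9a-f][0-9a-f][0-9a-f] /)
            sel = $1; sub(/:$/, "", sel)
        }
        hit && /^[ \t]+device[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(q, ""); print sel ": " $0
        }'
}

# Reads lscpu text on stdin. Prints "yes" if the Flags line carries an AES
# token, else "no". Matching both "aes" and "aesni" is an assumption about
# how the flag is spelled.
has_aesni() {
    awk '/^Flags:/ { for (i = 2; i <= NF; i++) if ($i == "aes" || $i == "aesni") found = 1 }
         END { print (found ? "yes" : "no") }'
}

echo "unclaimed crypto devices: $(sample_pciconf | unclaimed_crypto)"
echo "AES-NI in CPU flags:      $(sample_lscpu | has_aesni)"
# On the firewall itself: pciconf -lv | unclaimed_crypto ; lscpu | has_aesni
```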
@stephenw10 It is fine for my home network ;)
It is good experience and maybe helps others to decide if it makes sense to install pfSense (or FreeBSD) onto this hardware.
-
@stephenw10 said in pfSense installed on Cisco ASA 5512-x:
You could probably swap out that CPU for one that does have AES-NI if you find you need more crypto capability. The i5-650 is basically scrap gold cost at this point.
"Your order’s confirmed for I5 650 Intel Core i5 Dual Core 3.20GHz 2.50GT/s DMI 4MB Cache LGA 1156 Processor" £3.99 it should use the same socket, I think.
-
Yup should do. Fun!
-
@stephenw10 Thank you for the tip :)
It's in and working perfect...
-
Nice
-
Did it work? Are you now a Cisco Certified Netgate Associate ... jk. Like Cisco's CCNA, CCIE and CCNP certifications.