Pfsense Install on Nokia IP390
-
Hi there.
I recently just bought 2 Nokia IP390 units with a faulty IPSO installation. The units hardware is in perfect working order, but, does not function properly with the incorrect installations.
I would like to install pfsense to these boxes, but, I don't know how. All tutorials I've came across so far assume that you're installing pfsense onto an old computer, not a dedicated firewall :L
I'll give you some info:
The IP390 is a flash-based hardware firewall, and uses a CF card to store the main operating system, and can also support the use of a 2.5" SATA hdd for use in logging, caching etc.
It's factory firmware, IPSO, is based upon FreeBSD (Which I believe pfsense also uses?)
There is no direct way to input to the devices. All interaction must be done through the Console port (An RJ-45 Rollover port, identical to those used on most Cisco units.)Any help would be appreciated!
-
Hmm, details seem a little sparse on the forum. However it is possible because this:
https://www.youtube.com/watch?v=7AZZGem_CgA :)Basically write the NanoBSD image of pfSense onto a suitable CF card, stick it in the box and boot it. Watch the console output to complete the install. See also:
https://doc.pfsense.org/index.php/InstallationGuide#EmbeddedSteve
-
Hmm, details seem a little sparse on the forum. However it is possible because this:
https://www.youtube.com/watch?v=7AZZGem_CgA :)Basically write the NanoBSD image of pfSense onto a suitable CF card, stick it in the box and boot it. Watch the console output to complete the install. See also:
https://doc.pfsense.org/index.php/InstallationGuide#EmbeddedSteve
Thanks!
I'll give that a try when I can get my hands on another CF card, but, one question: Does this overwrite the current BIOS / Bootmanager on the device already? -
It will overwrite everything on the CF card which would include the boot manager if you choose to use the card in the box already (if it's 1GB or bigger). It does nothing to the BIOS which is stored on the motherboard. If in the future you get hold of a working IPSO CF card you can just swap back.
Steve
-
It will overwrite everything on the CF card which would include the boot manager if you choose to use the card in the box already (if it's 1GB or bigger). It does nothing to the BIOS which is stored on the motherboard. If in the future you get hold of a working IPSO CF card you can just swap back.
Steve
Alright, thank you very much. My current plan is to leave the current IPSO cards as they are, and just use a new CF card for pfsense. I'll do some work on the IPSO cards when I have pfsense running, it does seem like an easy fix, but first I would like to get the hardware running!
-
So I've installed pfSense onto a CF card, and got my IP390 to boot to the pfSense config…
That's as far as it got. I skip setting up VLAN interfaces (I currently don't need them to my knowledge),
and it goes on to configure the WAN interface.I press "a" for autodetect, and then it just sends me in a loop of "No link-up detected" and goes back to asking about the WAN interface.
I've tried every port on the damn thing, first the AUX port (The one that is designated for use connecting to the WAN), and ETH-1 through 4 all spew the same message.
pfSense recognises ETH-1 through 4, and presumably the WAN interface although there is no activity lights on the interface to tell. All the NICs on-board are Intel PRO 1000 chipsets.
Can I have some advice? I'm currently connecting the WAN port to my Modem, then through to the internet.
-
According to the manual (http://www.manualowl.com/p/Nokia/IP390/Manual/3822), the AUX port is a secondary serial port, not the WAN connection.
The youtube video link posted by Steve shows the PMC slots populated with the optional 4-port lan card, and later in the video, it shows 4 intel ports in use (em0, em1, em4, and em5). Does pfSense show em0-em3 on your unit?
Can you capture and read through the boot messages from your console? Or post the boot log here. That would tell what nics are detected.
Also, maybe the units were not working due to a hardware issue rather than a faulty IPSO flash?
-
Exactly. The auto detect function doesn't seem to work with all NICs unfortunately. At the config screen it lists all the available interfaces above the first question. I would expect it to list em interfaces something like:
Valid interfaces are: em0 00:00:24:ce:45:74 (up) Intel(R) PRO/1000 Network Connection 7.2.3 em1 00:00:24:ce:45:75 (up) Intel(R) PRO/1000 Network Connection 7.2.3 em2 00:00:24:ce:45:76 (up) Intel(R) PRO/1000 Network Connection 7.2.3 em3 00:00:24:ce:45:77 (up) Intel(R) PRO/1000 Network Connection 7.2.3
Just enter the WAN and LAN interfaces manually. You may have a little fun and games finding out which port on the box is which interface number. The ports are usually detected in some logical order (0-4 left to fight for example) but not always! ;)
Steve
-
According to the manual (http://www.manualowl.com/p/Nokia/IP390/Manual/3822), the AUX port is a secondary serial port, not the WAN connection.
The youtube video link posted by Steve shows the PMC slots populated with the optional 4-port lan card, and later in the video, it shows 4 intel ports in use (em0, em1, em4, and em5). Does pfSense show em0-em3 on your unit?
Can you capture and read through the boot messages from your console? Or post the boot log here. That would tell what nics are detected.
Also, maybe the units were not working due to a hardware issue rather than a faulty IPSO flash?
Hi there – Yeah, thanks, I didn't know that because the manual I have printed incited that the AUX port is the WAN interface -- Silly me!
Yeah, I've ordered 2x Optional 2-port Gigabit PMCs, due to arrive tomorrow -- I probably won't resume work on this until they arrive, simply in the event pfSense doesn't like having new ICs installed after pfSense has configured itself.
I'll do that tomorrow, but the auto detection of NICs is eth0 - 3 of INTEL PRO 1000 Gigabit NIC
Yeah, I did look into that issue, but I found out that the IPSO cards both have faulty file permissions which I might fix at a later date, but the hardware is all in working order. -
Adding NICs after initial config is not normally a problem. One issue than can happen is if you add more em NICs it might offset the existing em NICs. Even so you would still just re-assign the interfaces.
It would be useful to complete the install to test the connectivity of the existing NICs. Embedded boxes like that sometimes have custom options waiting to trip you up. ;) You can always re-image the CF card easily enough.Steve
-
I'll do that tomorrow, but the auto detection of NICs is eth0 - 3 of INTEL PRO 1000 Gigabit NIC
Sure it's not em0 to em3? Coming from linux, it took me a while to get used to NICs being named according to the underlying hardware, like em0 or igb0, rather than being presented as eth0 for any hardware type.
-
Alright, pfSense is now running brilliantly on the IP390!
One thing to add is that under the default interfaces, ETH-1 is actually em0 in pfSense, and ETH-4 is em3.
Also, would it be possible to add another hard drive for use caching and stuff?
-
Nice! :) So relatively logical interface detection then. Just watch out for what I said above if you add more.
You can add a harddrive and use it for caching but there is no system for doing so built into pfSense. Others have done it using some custom scripts etc but it's almost certainly easier to just use the harddrive as the boot device (full install) and forget about the CF card.
See: https://forum.pfsense.org/index.php?topic=67823.0Steve
-
Thanks Steve.
Another quick thing, I just managed to do some data recovery on the IPSO CF card, and have managed to extract the backup IPSO image (Used in case of a critical system failure) and original kernel.
Would it be possible for me to use the original kernel with a pfSense install? If so, how would I go about doing this? (Note that IPSO also runs off freeBSD, so there shouldn't be any compatibility problems)
-
Would it be possible for me to use the original kernel with a pfSense install? If so, how would I go about doing this? (Note that IPSO also runs off freeBSD, so there shouldn't be any compatibility problems)
Almost certainly no, not possible. Why would you want to? If you want to experiment, you could try booting IPSO for a comparison to pfSense.
-
Indeed, pfSense uses a custom kernel and I would expect IPSO does also. The base FreeBSD versions are probably different. I'd be amazed if it was compatible.
Steve
-
Hmm.. Alright. The only reason why I wanted to use the IPSO kernel was because the warning light on the unit remains on which indicates an internal voltage error. The unit runs fine, so I can assume the warning is false, but it would be nice to get that working properly
-
Try booting IPSO: if the LED goes off you're OK, and it's likely a IPSO userland utility that controls it. If it stays on, you have some more investigation to do. Of course, wire cutters or black tape could fix the problem too …
-
Since that same indicator can show over temperature it's probably driven from the board rather than the psu which is good. It's probably driven from the SuperIO chip where the voltage and temperature sensors are connected.
There maybe some options in the BIOS to change the indicator behaviour otherwise you could probably tweak it manually with a utility and a script.Steve
-
Hmm, alright.
Yeah, booting into IPSO turns the warning indicators off, so the unit is fine.
Alright, thank you. I don't think I can actually change the bios settings, or at least not from the console. How would I go about getting a utility / script working?