New Shuttle DS67U soho build on 2.3.2-RELEASE
This is to document my new pfSense setup, which is planned to replace a TP-Link 1043 with OpenWRT on it.
I'm going to replace this box for a few reasons:
1. It's starting to die on me, it needs a reboot every 2 weeks or so after about 7 years of loyal service
2. There is a new 500/500 service on my FTTH link, that needs something a bit more beefy
3. I'm going to start using this box as a VPN gateway for my own mobile use, including cell phones, laptops, etc and want some performance
4. My home lab, which is included in several of my customers' POCs, is getting a bit annoying to control from a security point of view, so I want to use pfSense to introduce proper VLANing etc.
It has been a few years since I've had any real hands-on experience with pfSense; the last time I did anything serious with it was 2011, so I'm using this opportunity to catch up as well ;)
Having said this, this is the configuration the mailman brought in today:
- Shuttle DS67U with:
- Intel Celeron 3855U dual core processor (AES-NI, QuickSync, 32GB RAM max, VT-d onboard)
- Integrated 2x 1Gbit/s LAN (Intel based)
- Integrated WLAN 802.11 b/g/n/ac
- 2x serial port
- M.2 M key 2242
- SD Card reader
- 8GB SO-DIMM DDR3L Crucial memory
- Kingston 120GB SSD (just until I can figure out booting from SDCard)
Right out of the box, the BIOS was outdated, so I updated that to version 1.02 first; it had some fixes for the NICs in it, so it seemed like a sensible thing to do.
I tried the embedded image first on an SD Card, to see what it would do. It would load the bootloader, go on to the kernel, boot it, but unfortunately, the kernel couldn't find a root filesystem. I'm guessing this can be fixed, but I need to do this via serial console probably, since my screen (HDMI) is offset for some reason and missing the first 6 characters of every line.
So, on to the regular installer on a memory stick, and installing on the SSD, which produces the following dmesg, after turning on powerd and aes-ni:
So, as you can see from pciconf -lv, the WLAN chip is seen, but no device driver seems to attach.
```
hostb0@pci0:0:0:0: class=0x060000 card=0x40371297 chip=0x19048086 rev=0x08 hdr=0x00
    vendor = 'Intel Corporation'
    device = 'Sky Lake Host Bridge/DRAM Registers'
    class = bridge
    subclass = HOST-PCI
vgapci0@pci0:0:2:0: class=0x030000 card=0x40371297 chip=0x19068086 rev=0x07 hdr=0x00
    vendor = 'Intel Corporation'
    class = display
    subclass = VGA
xhci0@pci0:0:20:0: class=0x0c0330 card=0x40371297 chip=0x9d2f8086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = serial bus
    subclass = USB
none0@pci0:0:22:0: class=0x078000 card=0x40371297 chip=0x9d3a8086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = simple comms
ahci0@pci0:0:23:0: class=0x010601 card=0x40371297 chip=0x9d038086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = mass storage
    subclass = SATA
pcib1@pci0:0:28:0: class=0x060400 card=0x40371297 chip=0x9d148086 rev=0xf1 hdr=0x01
    vendor = 'Intel Corporation'
    class = bridge
    subclass = PCI-PCI
pcib2@pci0:0:29:0: class=0x060400 card=0x40371297 chip=0x9d188086 rev=0xf1 hdr=0x01
    vendor = 'Intel Corporation'
    class = bridge
    subclass = PCI-PCI
isab0@pci0:0:31:0: class=0x060100 card=0x40371297 chip=0x9d438086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = bridge
    subclass = PCI-ISA
none1@pci0:0:31:2: class=0x058000 card=0x40371297 chip=0x9d218086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = memory
none2@pci0:0:31:4: class=0x0c0500 card=0x40371297 chip=0x9d238086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    class = serial bus
    subclass = SMBus
em0@pci0:0:31:6: class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00
    vendor = 'Intel Corporation'
    device = 'Ethernet Connection I219-LM'
    class = network
    subclass = ethernet
none3@pci0:1:0:0: class=0x028000 card=0x882110ec chip=0x882110ec rev=0x00 hdr=0x00
    vendor = 'Realtek Semiconductor Co., Ltd.'
    device = 'RTL8821AE 802.11ac PCIe Wireless Network Adapter'
    class = network
igb0@pci0:2:0:0: class=0x020000 card=0x40371297 chip=0x15398086 rev=0x03 hdr=0x00
    vendor = 'Intel Corporation'
    device = 'I211 Gigabit Network Connection'
    class = network
    subclass = ethernet
```
It's an RTL8821AE, so I wasn't getting my hopes up. If someone has an RTL8821 working, it would be great to learn how you did it.
Also, I still need to enable things like TRIM, and do performance measurements to and through the device, and of course power measurements .. I won't be bored anytime soon :)
Update: TRIM done!
Just did the OpenVPN timing estimations:
```
[2.3.2-RELEASE][admin@hostname]/root: time openvpn --test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-256-cbc
17.835u 0.779s 0:18.71 99.4% 742+178k 0+0io 0pf+0w
```
( 3200 / 18.71 ) => 171Mbps OpenVPN performance (estimated)
```
[2.3.2-RELEASE][admin@hostname]/root: time openvpn --test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-128-cbc
17.767u 0.684s 0:18.47 99.8% 742+178k 0+0io 0pf+0w
```
( 3200 / 18.47 ) => 173Mbps OpenVPN performance (estimated)
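Added example, not part of the original post: a POSIX shell helper that repeats the OpenVPN timing run above for several ciphers and applies the same 3200 / elapsed-seconds estimate. The function names and the `run` argument are made up for this sketch; the key path /tmp/secret is the one used in the post.

```sh
#!/bin/sh
# Added example, not from the thread: estimate OpenVPN throughput per cipher
# with the rule of thumb used in the post (3200 / elapsed seconds = Mbps).
# Assumption: the static key file already exists (the post uses /tmp/secret).

# Convert an elapsed-time field to seconds. Accepts plain seconds ("18.71")
# and the tcsh time formats "M:SS.ss" and "H:MM:SS".
elapsed_to_seconds() {
    echo "$1" | awk -F: '{ s = 0; for (i = 1; i <= NF; i++) s = s * 60 + $i; printf "%.2f\n", s }'
}

# Print the estimated Mbps (truncated to an integer) for an elapsed time.
# Fails instead of dividing by zero on an empty or zero measurement.
estimate_mbps() {
    secs=$(elapsed_to_seconds "$1")
    awk -v s="$secs" 'BEGIN { if (s + 0 <= 0) exit 1; printf "%d\n", 3200 / s }'
}

# Estimate from one line of tcsh `time` output, where the third field is the
# elapsed wall-clock time, e.g. "17.835u 0.779s 0:18.71 99.4% ...".
estimate_from_time_line() {
    estimate_mbps "$(echo "$1" | awk '{ print $3 }')"
}

# Run the benchmark for one cipher. POSIX `time -p` writes "real <seconds>"
# to stderr; openvpn's own output is discarded.
bench_cipher() {
    cipher=$1; key=$2
    out=$( { /usr/bin/time -p openvpn --test-crypto --secret "$key" \
             --tun-mtu 20000 --verb 0 --cipher "$cipher" >/dev/null; } 2>&1 ) || return 1
    real=$(echo "$out" | awk '$1 == "real" { print $2 }')
    mbps=$(estimate_mbps "$real") || return 1
    echo "$cipher: ${real}s elapsed, ~${mbps} Mbps (estimated)"
}

# Usage: sh bench.sh run [keyfile] [cipher ...]
if [ "${1:-}" = "run" ]; then
    key=${2:-/tmp/secret}
    [ "$#" -ge 2 ] && shift 2 || shift 1
    [ "$#" -gt 0 ] || set -- aes-128-cbc aes-256-cbc
    for c in "$@"; do bench_cipher "$c" "$key" || echo "$c: benchmark failed" >&2; done
fi
```

The figure is a single-threaded crypto estimate on an idle box, so treat it as an upper bound when sizing the VPN gateway rather than as measured tunnel throughput.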
Congrats, it seems an interesting device.
May I ask the CPU temperature at idle and at full load? And of course, the average temperature of the room.
Absolutely, I'll add it to my list :)
What is the status of your DS67U? Have you made the temp measurements?
I'm also interested in the Shuttle DS67U since I think it's a good alternative to the Zotac CI325, which has Realtek NICs. The CPUs on both devices are more or less equivalent.
I purchased a DS67U3 4 days ago for one of my customers. The temperature thing interested me too.
- DS67U3 (i3-6100U)
- 1x 8GB RAM module
- 1x 1TB 2.5 HDD
- aw-cb209nf wifi
- 2x intel nics
- BIOS: 1.03
I used Knoppix Live CD and ran a few commands to read the CPU temp while a few loops were pushing the CPU cores to the max.
Testing environment: SOHO room, 25 degrees Celsius, DS67U3 not under direct sunlight
CPU temp while idle in BIOS: 39 to 41 degrees Celsius
CPU under heavy load: 49 to 53 degrees Celsius stabilizing around 51 – 52 degrees Celsius after 2 minutes.
Sadly I cannot give you temperatures while running pfSense with some OpenVPN site-to-site connections, as the computer is running ESXi 6.5 standalone and it’s unable to return sensor data.
PROs: the perfect SOHO firewall appliance, vtx, vt-d, intel nics, powerful, silent, compact, cool.
CONs: no IPMI, aw-cb209nf not recognized by pfSense