New Shuttle DS67U soho build on 2.3.2-RELEASE

  • This is to document my new PfSense setup, which is planned to replace a TP-Link 1043 with OpenWRT on it.

    I'm going to replace this box for a few reasons:

    1. It's starting to die on me, it needs a reboot every 2 weeks or so after about 7 years of loyal service
    2. There is a new 500/500 service on my FTTH link, that needs something a bit more beefy
    3. I'm going to start using this box as a VPN gateway for my own mobile use, including cell phones, laptops, etc and want some performance
    4. My home lab, which is included in several of my customers' POCs, is getting a bit annoying to control from a security point of view, so I want to use PfSense to introduce proper VLANing etc.

    It has been a few years since I've had any real hands-on experience with PfSense, last time I did anything serious with it was 2011, so I'm using this opportunity to catch up as well ;)

    Having said this, this is the configuration the mailman brought in today:

    • Shuttle DS67U with:
    • Intel Celeron 3855U dual core processor (AES-NI, QuickSync, 32GB RAM max, VT-d onboard)
    • Integrated 2x 1Gbit/s LAN (Intel based)
    • Integrated WLAN 802.11 b/g/n/ac
    • 2x serial port
    • M.2 M key 2242
    • SD Card reader
    • 8GB SO-DIMM DDR3L Crucial memory
    • Kingston 120GB SSD (just until I can figure out booting from SDCard)

    Right out of the box, the BIOS was outdated, so I updated that to version 1.02 first, it had some fixes for the NICs in them, so it seemed like a sensible thing to do.

    I tried the embedded image first on an SD Card, to see what it would do. It would load the bootloader, go on to the kernel, boot it, but unfortunately, the kernel couldn't find a root filesystem. I'm guessing this can be fixed, but I need to do this via serial console probably, since my screen (HDMI) is offset for some reason and missing the first 6 characters of every line.

    So, on to the regular installer on a memory stick, and installing on the SSD, which produces the following dmesg, after turning on powerd and aes-ni:

    Copyright (c) 1992-2016 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016
        root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense amd64
    FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
    CPU: Intel(R) Celeron(R) CPU 3855U @ 1.60GHz (1608.06-MHz K8-class CPU)
      Origin="GenuineIntel"  Id=0x406e3  Family=0x6  Model=0x4e  Stepping=3
      Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
      Features2=0x4ffaebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,RDRAND>
      AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
      AMD Features2=0x121<LAHF,ABM,Prefetch>
      Structured Extended Features=0x2942607<FSGSBASE,TSCADJ,ERMS,INVPCID,NFPUSG,RDSEED,SMAP,CLFLUSHOPT,PROCTRACE>
      XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
      VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
      TSC: P-state invariant, performance statistics
    real memory  = 8589934592 (8192 MB)
    avail memory = 8107331584 (7731 MB)
    Event timer "LAPIC" quality 600
    ACPI APIC Table: <SHUTTL SHUTTLE>
    FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
    FreeBSD/SMP: 1 package(s) x 2 core(s)
     cpu0 (BSP): APIC ID:  0
     cpu1 (AP): APIC ID:  2
    random: <Software, Yarrow> initialized
    ioapic0 <Version 2.0> irqs 0-119 on motherboard
    wlan: mac acl policy registered
    iwi_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
    iwi_bss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (iwi_bss_fw, 0xffffffff80647bf0, 0) error 1
    iwi_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
    iwi_ibss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (iwi_ibss_fw, 0xffffffff80647ca0, 0) error 1
    iwi_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi/.
    iwi_monitor: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (iwi_monitor_fw, 0xffffffff80647d50, 0) error 1
    netmap: loaded module
    kbd1 at kbdmux0
    cryptosoft0: <software crypto> on motherboard
    padlock0: No ACE support.
    acpi0: <SHUTTL SHUTTLE> on motherboard
    acpi0: Power Button (fixed)
    cpu0: <ACPI CPU> on acpi0
    cpu1: <ACPI CPU> on acpi0
    hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
    Timecounter "HPET" frequency 24000000 Hz quality 950
    Event timer "HPET" frequency 24000000 Hz quality 550
    Event timer "HPET1" frequency 24000000 Hz quality 440
    Event timer "HPET2" frequency 24000000 Hz quality 440
    Event timer "HPET3" frequency 24000000 Hz quality 440
    Event timer "HPET4" frequency 24000000 Hz quality 440
    Event timer "HPET5" frequency 24000000 Hz quality 440
    Event timer "HPET6" frequency 24000000 Hz quality 440
    atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0
    atrtc0: Warning: Couldn't map I/O.
    Event timer "RTC" frequency 32768 Hz quality 0
    attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0
    Timecounter "i8254" frequency 1193182 Hz quality 0
    Event timer "i8254" frequency 1193182 Hz quality 100
    Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
    acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
    pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
    pci0: <ACPI PCI bus> on pcib0
    vgapci0: <VGA-compatible display> port 0xf000-0xf03f mem 0xde000000-0xdeffffff,0xc0000000-0xcfffffff irq 16 at device 2.0 on pci0
    vgapci0: Boot video device
    xhci0: <XHCI (generic) USB 3.0 controller> mem 0xdf220000-0xdf22ffff irq 16 at device 20.0 on pci0
    xhci0: 32 bytes context size, 64-bit DMA
    usbus0: waiting for BIOS to give up control
    usbus0 on xhci0
    pci0: <simple comms> at device 22.0 (no driver attached)
    ahci0: <AHCI SATA controller> port 0xf090-0xf097,0xf080-0xf083,0xf060-0xf07f mem 0xdf234000-0xdf235fff,0xdf238000-0xdf2380ff,0xdf237000-0xdf2377ff irq 16 at device 23.0 on pci0
    ahci0: AHCI v1.31 with 2 6Gbps ports, Port Multiplier not supported
    ahcich0: <AHCI channel> at channel 0 on ahci0
    ahcich1: <AHCI channel> at channel 1 on ahci0
    pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
    pci1: <ACPI PCI bus> on pcib1
    pci1: <network> at device 0.0 (no driver attached)
    pcib2: <ACPI PCI-PCI bridge> irq 16 at device 29.0 on pci0
    pci2: <ACPI PCI bus> on pcib2
    igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xd000-0xd01f mem 0xdf000000-0xdf01ffff,0xdf020000-0xdf023fff irq 16 at device 0.0 on pci2
    igb0: Using MSIX interrupts with 3 vectors
    igb0: Ethernet address: 80:ee:73:bd:b7:53
    igb0: Bound queue 0 to cpu 0
    igb0: Bound queue 1 to cpu 1
    igb0: netmap queues/slots: TX 2/1024, RX 2/1024
    isab0: <PCI-ISA bridge> at device 31.0 on pci0
    isa0: <ISA bus> on isab0
    pci0: <memory> at device 31.2 (no driver attached)
    em0: <Intel(R) PRO/1000 Network Connection 7.6.1-k> mem 0xdf200000-0xdf21ffff irq 16 at device 31.6 on pci0
    em0: Using an MSI interrupt
    em0: Ethernet address: 80:ee:73:bd:b7:52
    em0: netmap queues/slots: TX 1/1024, RX 1/1024
    acpi_button0: <Sleep Button> on acpi0
    acpi_button1: <Power Button> on acpi0
    acpi_tz0: <Thermal Zone> on acpi0
    acpi_tz1: <Thermal Zone> on acpi0
    sc0: <System console> at flags 0x100 on isa0
    sc0: VGA <16 virtual consoles, flags=0x300>
    vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
    atkbd0: <AT Keyboard> irq 1 on atkbdc0
    kbd0 at atkbd0
    atkbd0: [GIANT-LOCKED]
    ppc0: cannot reserve I/O port range
    est0: <Enhanced SpeedStep Frequency Control> on cpu0
    est1: <Enhanced SpeedStep Frequency Control> on cpu1
    Timecounters tick every 1.000 msec
    random: unblocking device.
    usbus0: 5.0Gbps Super Speed USB v3.0
    ugen0.1: <0x8086> at usbus0
    uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
    uhub0: 16 ports with 16 removable, self powered
    ugen0.2: <Dell> at usbus0
    ukbd0: <Dell Dell USB Keyboard, class 0/0, rev 1.10/3.06, addr 1> on usbus0
    kbd2 at ukbd0
    ugen0.3: <Generic> at usbus0
    ugen0.4: <Realtek> at usbus0
    ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
    ada0: <KINGSTON SUV400S37120G 0C3FD6SD> ACS-4 ATA SATA 3.x device
    ada0: Serial Number 50026B766502B75B
    ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
    ada0: Command Queueing enabled
    ada0: 114473MB (234441648 512 byte sectors)
    ada0: Previously was known as ad4
    SMP: AP CPU #1 Launched!
    Timecounter "TSC" frequency 1608062001 Hz quality 1000
    Trying to mount root from ufs:/dev/ufsid/5797fe7b7c2ff707 [rw]...
    padlock0: No ACE support.
    aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
    pflog0: promiscuous mode enabled
    igb0: link state changed to UP

    So, as you can see from pciconf -lv, the WLAN chip is seen, but no device driver seems to attach.

    hostb0@pci0:0:0:0:      class=0x060000 card=0x40371297 chip=0x19048086 rev=0x08 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = 'Sky Lake Host Bridge/DRAM Registers'
        class      = bridge
        subclass   = HOST-PCI
    vgapci0@pci0:0:2:0:     class=0x030000 card=0x40371297 chip=0x19068086 rev=0x07 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = display
        subclass   = VGA
    xhci0@pci0:0:20:0:      class=0x0c0330 card=0x40371297 chip=0x9d2f8086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = serial bus
        subclass   = USB
    none0@pci0:0:22:0:      class=0x078000 card=0x40371297 chip=0x9d3a8086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = simple comms
    ahci0@pci0:0:23:0:      class=0x010601 card=0x40371297 chip=0x9d038086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = mass storage
        subclass   = SATA
    pcib1@pci0:0:28:0:      class=0x060400 card=0x40371297 chip=0x9d148086 rev=0xf1 hdr=0x01
        vendor     = 'Intel Corporation'
        class      = bridge
        subclass   = PCI-PCI
    pcib2@pci0:0:29:0:      class=0x060400 card=0x40371297 chip=0x9d188086 rev=0xf1 hdr=0x01
        vendor     = 'Intel Corporation'
        class      = bridge
        subclass   = PCI-PCI
    isab0@pci0:0:31:0:      class=0x060100 card=0x40371297 chip=0x9d438086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = bridge
        subclass   = PCI-ISA
    none1@pci0:0:31:2:      class=0x058000 card=0x40371297 chip=0x9d218086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = memory
    none2@pci0:0:31:4:      class=0x0c0500 card=0x40371297 chip=0x9d238086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        class      = serial bus
        subclass   = SMBus
    em0@pci0:0:31:6:        class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = 'Ethernet Connection I219-LM'
        class      = network
        subclass   = ethernet
    none3@pci0:1:0:0:       class=0x028000 card=0x882110ec chip=0x882110ec rev=0x00 hdr=0x00
        vendor     = 'Realtek Semiconductor Co., Ltd.'
        device     = 'RTL8821AE 802.11ac PCIe Wireless Network Adapter'
        class      = network
    igb0@pci0:2:0:0:        class=0x020000 card=0x40371297 chip=0x15398086 rev=0x03 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = 'I211 Gigabit Network Connection'
        class      = network
        subclass   = ethernet

    It's an RTL8821AE, so I wasn't getting my hopes up. If someone has an RTL8821 working, it would be great to learn how you did it.

    Also, I still need to enable things like TRIM, and do performance measurements to and through the device, and of course power measurements .. I won't be bored anytime soon :)

    Update: TRIM done!
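
The check described in the post above (a device that shows up in `pciconf -lv` but has no driver attached), as an added example that is not part of the original post. The function names are hypothetical; the sample input is an excerpt of the pciconf output quoted in the post.

```shell
#!/bin/sh
# Added example: report PCI devices that no driver claimed.
# Reads `pciconf -lv` text on stdin. FreeBSD labels an unclaimed device
# "noneN@pci..."; a claimed one carries the driver name (em0@, igb0@).
# Output, one line per device: selector|chip id|class|device name

unattached_pci() {
    awk -v q="'" '
        # Strip "key = " and the single quotes around the value.
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); gsub(q, "", s); return s }
        function emit() {
            if (sel != "")
                printf "%s|%s|%s|%s\n", sel, chip, cls, (dev == "" ? "unknown" : dev)
            sel = ""
        }
        /^[^ \t]/ {                       # selector line starts in column 0
            emit(); chip = cls = dev = ""
            split($1, part, "@")
            if (part[1] ~ /^none[0-9]+$/) {
                sel = part[2]; sub(/:$/, "", sel)
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^chip=/) chip = substr($i, 6)
            }
            next
        }
        sel != "" && $1 == "device" { dev = val($0) }
        sel != "" && $1 == "class"  { cls = val($0) }
        END { emit() }
    '
}

# Sample input: three entries taken from the pciconf output in the post.
sample_pciconf() {
    cat <<'EOF'
none2@pci0:0:31:4:      class=0x0c0500 card=0x40371297 chip=0x9d238086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = serial bus
    subclass   = SMBus
em0@pci0:0:31:6:        class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection I219-LM'
    class      = network
none3@pci0:1:0:0:       class=0x028000 card=0x882110ec chip=0x882110ec rev=0x00 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8821AE 802.11ac PCIe Wireless Network Adapter'
    class      = network
EOF
}

sample_pciconf | unattached_pci
```

On the firewall itself the same function can be fed live data with `pciconf -lv | unattached_pci`.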

  • Just did the OpenVPN timing estimations:

    [2.3.2-RELEASE][admin@hostname]/root: time openvpn --test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-256-cbc
    17.835u 0.779s 0:18.71 99.4%    742+178k 0+0io 0pf+0w

    ( 3200 / 18.71 ) => 171Mbps OpenVPN performance (estimated)

    [2.3.2-RELEASE][admin@hostname]/root: time openvpn --test-crypto --secret /tmp/secret --tun-mtu 20000 --verb 0 --cipher aes-128-cbc
    17.767u 0.684s 0:18.47 99.8%    742+178k 0+0io 0pf+0w

    ( 3200 / 18.47 ) =>  173Mbps OpenVPN performance (estimated)

  • Congrats, it seems an interesting device.
    May I ask the CPU temperature at idle and at full load? And of course, the average temperature of the room.

  • @mauroman33:

    May I ask the CPU temperature at idle and at full load? And of course, the average temperature of the room.

    Absolutely, I'll add it to my list :)

  • @WebSpider:
    Absolutely, I'll add it to my list :)

    What is the status of your DS67U? Have you made the temp measurements?
    I'm also interested in the Shuttle DS67U since I think it's a good alternative for the Zotac CI325 which has Realtek nics. The CPUs on both devices are more / less equivalent.

  • Hi lansmurf,

    I purchased a DS67U3 4 days ago for one of my customers. The temperature thing interested me too.


    • DS67U3 (i3-6100U)
    • 1x 8GB RAM module
    • 1x 1TB 2.5 HDD
    • aw-cb209nf wifi
    • 2x intel nics
    • BIOS: 1.03

    I used Knoppix Live CD and ran a few commands to read the CPU temp while a few loops were pushing the CPU cores to the max.

    Testing environment: SOHO room, 25 degrees Celsius, DS67U3 not under direct sunlight

    CPU temp while idle in BIOS: 39 to 41 degrees Celsius

    CPU under heavy load: 49 to 53 degrees Celsius stabilizing around 51 – 52 degrees Celsius after 2 minutes.

    Sadly I cannot give you temperatures while running pfSense with some OpenVPN site-to-site connections as the computer is running esxi 6.5 standalone and it’s unable to return sensors data.

    PROs: the perfect SOHO firewall appliance, vtx, vt-d, intel nics, powerful, silent, compact, cool.
    CONs: no IPMI, aw-cb209nf not recognized by pfSense
