Hard switch off on pfsense box



  • Hi all,

    I just set up an Alix 2D3 with pfsense 1.2.3 (nanobsd, 4GB Kingston CF) in my simple home setup : 1 WAN (ADSL modem), 2 local computers on LAN and OPT1 (bridged to LAN).

    Now I have a very basic question, not strictly limited to hardware, but no other forum seemed to fit :
    I do switch off my computers and ADSL box every night. No use to keep the pfsense box running either, but knowing me I'm not going to log in via the web interface to shut down the box cleanly every evening. Now I have two options :

    1. Just switch off power on the box every night. Very convenient, but I'm unsure whether the box will like that in the long run. I'm thinking that this may not cause file system corruption as the CF card is probably mounted read only (maybe not? - I DO have snort installed if that matters).

    2. Have the pfsense box shut down automatically if there is no activity for extended periods on LAN and OPT1, and wake up on LAN. No clue if that is possible.

    3. Have my computers send a signal on shut down for the pfsense box to shut down, too. Seems like a potential security problem and not straightforward, not knowing which of the computers gets turned off last.

    Any better ideas?

    PS : For now, I'm not considering the option to just leave the pfsense box running 24/24.



  • My $0.02 - considering how little energy the Alix uses, I would not even be concerned with powering off this unit. You may save $5 all year by powering it off every night, but you risk corrupting the CF card when you hard-cycle the box. Just leave it running…



  • I don't think it supports actually shutting down but here's something related to your #1 and #3 options that could work for a simple network.  It should be possible to set up some kind of script to check whether any computers registered on the DHCP server are still pingable (or if everything uses static IP addresses, even hardcoding them into the script would be fine), and go through a shutdown if not.  You could have the script run periodically with a cron job.  After it has been long enough for the script's scheduled run to come up again and enough time to shut down, it would surely be safe to switch off power to the box.
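A sketch of the cron-driven check described in the post above, as an added example that is not part of the original thread. The lease file path, the FreeBSD `ping -t` flag and `shutdown -h now` as the halt command are assumptions; `STATIC_HOSTS` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): halt when no LAN client answers ping.
# Assumed: lease file path, FreeBSD ping flags, "shutdown -h now" as the halt.

LEASES="${LEASES:-/var/dhcpd/var/db/dhcpd.leases}"  # assumed path
STATIC_HOSTS="${STATIC_HOSTS:-}"  # optional extra IPs, space separated

# Print each address that has a "lease <ip> {" stanza, de-duplicated.
lease_hosts() {
    [ -r "$1" ] || return 0
    awk '$1 == "lease" && $3 == "{" { print $2 }' "$1" | sort -u
}

# One echo request, 2 s timeout (-t is the FreeBSD spelling).
probe() {
    ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# Print the first host that answers; fail if none does.
first_alive() {
    for h in "$@"; do
        if probe "$h"; then echo "$h"; return 0; fi
    done
    return 1
}

# Print "halt", "stay-up <host>", or "stay-up no-hosts".
decide() {
    hosts="$(lease_hosts "$LEASES") $STATIC_HOSTS"
    set -- $hosts   # intentional word splitting into one host per argument
    if [ $# -eq 0 ]; then
        echo "stay-up no-hosts"   # nothing to test: fail safe, keep running
    elif alive=$(first_alive "$@"); then
        echo "stay-up $alive"
    else
        echo "halt"
    fi
}

# Only act when called as "script run", e.g. from cron.
if [ "${1:-}" = "run" ]; then
    if [ "$(decide)" = "halt" ]; then shutdown -h now; fi
fi
```

A client that drops ICMP echo looks the same as one that is switched off, so such hosts need a different probe or should be left out of the decision.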



  • @rkelleyrtp:

    … you risk corrupting the CF card when you hard-cycle the box.

    That was one of my questions. I only risk corruption if the card is mounted r/w. Is it mounted r/w by default in the embedded pfsense? Do you have more information on this?
    FYI, my fstab reads:

    /dev/ufs/pfsense0 / ufs ro,sync,noatime 1 1
    /dev/ufs/cf /cf ufs ro,sync,noatime 1 1
    
    

    However, I can create a file in / while the box is running normally (e.g. "touch /dummy"), so it may be remounted rw later. Or else, any changes to files are kept in memory and written on shutdown, a step which a hard cycle would bypass. That would likely not lead to FS corruption but to pfsense "forgetting" stuff.

    @Efonne:

    It should be possible to set up some kind of script to check whether any computers registered on the DHCP server are still pingable (…), and go through a shutdown if not.  You could have the script run periodically with a cron job.

    Thank you, Efonne, that seems feasible. I'll look into this.



  • Just keep in mind that you will still need to power it off afterward if you want it off.

    As far as whether it is mounted read-only or r/w – as far as I know, the embedded and nanobsd versions are supposed to keep it mounted read-only for general usage, only mounting r/w during certain boot processes (possibly), when you change the configuration, and at shutdown when saving certain collected data.  There is a chance certain packages could have an effect on this, but it should be as described if you are not using any.

    Assuming it is working as intended, turning off the power after it is fully started but before it has gone through the shutdown process (which only halts the system at the very end) should only keep it from getting that collected data written to disk.

    While not doing anything that would make it write to the card, the output from the mount command looks like this on mine:

    /dev/ufs/pfsense1 on / (ufs, local, read-only)
    devfs on /dev (devfs, local)
    /dev/md0 on /var/tmp (ufs, local)
    /dev/md1 on /var (ufs, local)
    /dev/ufs/cf on /cf (ufs, local, read-only)
    devfs on /var/dhcpd/dev (devfs, local)
    

    /dev/md devices probably being memory disks and devfs itself not being an actual storage location.  It should basically look like this on yours.



  • Here is the output of the mount command on mine (thanks for the hint, it didn't occur to me to use the mount command without argument to get that info) :

    $ mount
    /dev/ufs/pfsense0 on / (ufs, local)
    devfs on /dev (devfs, local)
    /dev/md0 on /var/tmp (ufs, local)
    /dev/md1 on /var (ufs, local)
    /dev/ufs/cf on /cf (ufs, local)
    devfs on /var/dhcpd/dev (devfs, local)
    
    

    So I guess the snort package I have installed causes the card to be mounted rw permanently.

    Yes, I'll need to power off after shutdown. I'll think a bit more about that, but that should be doable.
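The comparison of the two `mount` listings above can be automated; the following is an added example, not code from the thread. It assumes the FreeBSD `mount` output format quoted in these posts, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report disk-backed filesystems that
# are mounted writable, using the `mount` output format quoted above.

# Reads `mount` output on stdin. Prints one mount point per line for every
# UFS filesystem that is not read-only and not a memory disk (/dev/md*).
writable_cf_mounts() {
    awk '
        # line shape: <device> on <mountpoint> (<type>, <option>, ...)
        $2 != "on" { next }
        {
            dev = $1; mnt = $3
            opts = $0
            sub(/^[^(]*\(/, "", opts)      # drop everything up to "("
            sub(/\).*$/, "", opts)         # drop ")" and anything after it
            n = split(opts, o, /, */)
            if (o[1] != "ufs") next             # devfs etc. hold no data
            if (dev ~ /^\/dev\/md[0-9]+/) next  # RAM-backed, gone at power-off
            ro = 0
            for (i = 2; i <= n; i++) if (o[i] == "read-only") ro = 1
            if (!ro) print mnt
        }'
}

# Exit status 0: no card filesystem is writable. 1: at least one is.
cf_is_read_only() {
    [ -z "$(writable_cf_mounts)" ]
}

# "script check" prints the writable mount points of the running system.
if [ "${1:-}" = "check" ]; then
    mount | writable_cf_mounts
fi
```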



  • Have you rebooted the system at all after setting up pfSense or installing snort?  I'm not really familiar with the snort package for pfSense, so I'm unsure of whether this is normal behavior or just a temporary condition from an installer bug, if you haven't restarted yet.



  • Yes, I have restarted the box since. From what I read on the forums, snort does require quite a lot of memory and ample space for logfiles so this is no surprise. However, I have not found explicit information on the behavior of snort wrt mounting disks. I've actually asked that question here: http://forum.pfsense.org/index.php/topic,23154.msg119193.html#msg119193.


  • Rebel Alliance Developer Netgate

    You can trigger a remote shutdown from Windows like so:

    http://forum.pfsense.org/index.php/topic,14310.msg78215.html#msg78215

    Or from UNIX using a similar ssh command.

    However, that will not power off the ALIX, only halt the OS. Any automated task will do the same. Only pulling the plug will make it stop drawing power. The ALIX doesn't have a "power switch", it's always on.

    Given the low power consumption of the ALIX, and also the long boot time, it isn't worth the trouble to shut it off, IMHO.

    You'd probably save more electricity by unplugging your TV at night so it isn't drawing standby power. :)

    That said, it should be mounted RO all the time. I'm not sure what happened to the snort package since I first made it work on nanobsd, but it didn't used to keep things RW.



  • @jimp:

    You can trigger a remote shutdown from Windows like so:

    http://forum.pfsense.org/index.php/topic,14310.msg78215.html#msg78215

    Or from UNIX using a similar ssh command.

    Thank you! I guess I should have been able to work that out… I'll enable ssh login (only using the web interface so far) and play with it.

    @jimp:

    However, that will not power off the ALIX, only halt the OS. Any automated task will do the same. Only pulling the plug will make it stop drawing power.

    Yes, but I think I should be able to issue a command to the UPS from the pfsense's shutdown scripts to power off the UPS after some delay (enough to let the Alix finish shutdown). Just installed the NUT package. Actually that is the whole point: It's not only the Alix draining power, it's also the ADSL modem, the UPS itself (5W for just being plugged in and doing nothing :o) power adapters for external hard drives etc. So I'd like to shut off all that stuff in one go. And as I'd like to have the Alix on the UPS, it'll need to be switched off with the rest.

    @jimp:

    You'd probably save more electricity by unplugging your TV at night so it isn't drawing standby power. :)

    Probably not, I don't have a TV  ;D

    @jimp:

    That said, it should be mounted RO all the time. I'm not sure what happened to the snort package since I first made it work on nanobsd, but it didn't used to keep things RW.

    That's interesting. I'll reboot the box and check again just in case something went wrong on the last reboot.



  • I just faced the same situation that I really had to shut down a pfsense box. It is located in a production truck where the power is not always connected. I first ran it without shutting it down correctly (just unplugged the cable) but just recently the filesystem crashed…

    I just thought I'd post my solution if somebody else has the same need.

    What I did was to modify the file: /etc/devd.conf

    and added the following lines of code:

    # Halt the system when the matching USB stick is attached
    attach 10 {
        match "product" "your USB stick product ID";
        action "halt";
    };

    This way I have a special USB key that I just stick in to the alix box, and the system will halt.
    If you want to use any usb key, just replace the match line with: device-name "(umass|umass0)";

    With this command you can see what product ID your USB key has:
    sysctl -a | grep dev.umass.0

    Here is a link to other variables you can use:
    http://leaf.dragonflybsd.org/cgi/web-man?command=devd.conf&section=5

    The best would have been to use the serial, but I didn't get it to work.



  • On your USB key do you have an actual file saved on it that the system looks for or is it just looking for a device named "USB key" (or whatever your device is called)? How did you set it up, this sounds like it would be something I would like. Or do I just need to edit that one conf. file and tell it the USB device name (example: "USB keyboard 1", or "untitled USB stick") and then when the device is detected it just halts/turns off?


  • Rebel Alliance Developer Netgate

    If I were doing something like this, I would not key it on attach, I'd key it on detach.

    That way if you still need to get a file onto your ALIX via USB key, it won't shut down every time you try :)

    jaime - no, no file, it's triggered by the detection process when the USB key is plugged in.



  • Sweet! Definitely something I am gonna look into myself!

