PfSense on Alix: a from-scratch howto
I’m posting this via my new pfSense 2.0 installation running on my alix2d13 board from PCEngines. It’s been a bit of a struggle, so I thought I’d document it.
I bought the machines directly from PC Engines, in Switzerland. I paid $263.40 for two boards and two cases, $43.80 of that was shipping. I did not order a power supply, since I assumed any of the many wall warts I have would do, and there’s no point in shipping one from Europe.
PC Engines take PayPal and have kind of a balky invoice/order process, but my items shipped quickly via Swiss Post. The tracking number they offer only applies inside Switzerland, though, so once it's over the border it's anybody's guess. The package arrived 7 days later, via USPS. It required a signature, so I had to fetch it from my local USPS office in person, with ID, and sign for it.
The assembly is pretty straightforward. The only annoyance I had was temporarily removing the screws from the serial port to fit it through the case. They screw back in and help secure the board to the case. It also comes with four rubber feet, two rubber plugs to close rear accessory ports and 4 board and 4 case screws.
I opted for a 4g microdrive full installation, rather than a nanobsd image on a CF card. The microdrive wound up shipping from China and actually took almost three weeks. It looks like they’re stripping them out of iPods and selling them on eBay. I got a Hitachi 4g model to work. I tried endlessly to get a 4g Seagate microdrive to work, but could not get past the mount root errors.
The install went like this: I put the microdrive in a CF card reader, plugged it into my laptop and booted up on a pfSense live CD. I let it run through the menus and chose the "i" install option. I picked the "Custom Install" option so that I could specify the microdrive, rather than install on my laptop drive. The other caution: the installer sizes the swap partition from the RAM of the machine you are installing on, so that it can hold a full memory dump from your laptop, which is far more than a 256M Alix board will ever need. I picked 500M, just to be safe. I also picked the "embedded" version, with no VGA out.
Here's the tricky part: when the install is finished, I rebooted my PC into the live version of pfSense, designated a single WAN interface and picked the menu item that drops to a shell. I needed to change the fstab to make the Alix board boot, because the installer wrote the device names as the laptop saw the card reader (a USB "da" disk), while on the Alix the microdrive sits on the IDE channel and shows up as ad0.
At the shell prompt, I created a new directory, mkdir /tmp/mount (h/t to Michael Powell's guide, http://bit.ly/sfYVQA ). Then find your microdrive. fdisk -l wouldn't work, so I just moved over to my /dev directory and looked for da1s1a or da0s1a. The latter was my microdrive. I did "mount /dev/da0s1a /tmp/mount". I then opened the fstab with "ee /tmp/mount/etc/fstab" and changed the device names so that they both began with "ad0", as in ad-zero. There was a data and a swap partition to change. Saved and moved on.
I shut down my pfSense and powered down my laptop, pulled the microdrive out of the reader and installed it into the Alix board.
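The fstab fix above, scripted, as an added example that is not part of the original post. It rewrites the device column from the card reader's daNs1X names to ad0s1X and then checks that nothing else is left pointing at the old disk before you pull the microdrive. The sample fstab, the /tmp/mount mount point and the exact device names are assumptions modelled on the write-up, not the author's actual file; the live-CD mount commands are shown only as comments so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. The full install was done from a
# laptop, so the installer named the disk as the USB card reader saw it
# (/dev/da0s1a root, /dev/da0s1b swap). On the ALIX the microdrive is on the
# IDE channel and appears as ad0, so the device column must be rewritten.
# Device names, mount point and the sample fstab are assumptions.

# Rewrite the device column of an fstab so daNs1X becomes ad0s1X.
# Reads the file named in $1 and writes the result to $2; the rest of each
# line (mount point, fs type, options, dump, pass) is left untouched.
fix_fstab() {
    sed -E 's#^/dev/da[0-9]+s1([a-z])#/dev/ad0s1\1#' "$1" > "$2"
}

# Sanity check before rebooting on the ALIX: every non-comment, non-blank
# line must reference ad0s1. Returns 0 when the file is clean, 1 otherwise.
check_fstab() {
    ! grep -Ev '^(#|$)' "$1" | grep -Ev '^/dev/ad0s1' >/dev/null
}

# Constructed sample resembling what the installer writes (not the author's file).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/da0s1b     none        swap    sw       0     0
/dev/da0s1a     /           ufs     rw       1     1
EOF
}

# What the write-up does from the live CD shell, for reference (not run here):
#   mkdir /tmp/mount
#   mount /dev/da0s1a /tmp/mount
#   fix_fstab /tmp/mount/etc/fstab /tmp/fstab.new
#   check_fstab /tmp/fstab.new && cp /tmp/fstab.new /tmp/mount/etc/fstab
#   umount /tmp/mount

# Offline demonstration on the constructed sample.
demo() {
    tmp=$(mktemp -d)
    write_sample_fstab "$tmp/fstab"
    fix_fstab "$tmp/fstab" "$tmp/fstab.new"
    check_fstab "$tmp/fstab.new"
    cat "$tmp/fstab.new"
    rm -rf "$tmp"
}
```

Run check_fstab on the rewritten file rather than trusting the sed pass: a second microdrive or a da1 name would slip through a hand edit and leave the board at the mount root prompt again.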
Being the paranoid type, I hooked up a standard serial cable to watch the boot up. It went smoothly, and walked me through the setup options. My board has three ethernet ports: vr0 is closest to the power jack, vr2 is beside the serial port and vr1 is in the middle.
Since my previous pfSense install was much more complicated, I opted to configure the rest by hand, via the web configurator. It’s well documented elsewhere, so I won’t go into that. I am running snort, with the ac-bnfa option. The dashboard rarely shows CPU use over about 10 percent, or memory over 75%.
I am also buying a couple of Soekris Engineering VPN1411 Mini-PCI cards. They will handle VPN encryption in hardware and keep the load off the ALIX CPU. They are $65 each, with $13 in shipping. I bought two of these because I'm setting up a VPN link between my house and my parents' home, so I can easily RDP into their machines and stash a backup server over there.
On a final note, I had been running my previous pfSense as a virtual machine on a Citrix XenServer. Their upgrade to 6.0 eliminated automatic startup of VMs, and XenCloud was just more than I cared to deal with anymore, as the admin application was still Citrix and barking at me about licenses, and the VM pfSense interface configuration is like learning Mandarin.
The upshot was that I was running pfSense on a small stand-alone server that was sucking up about 50W of power on average. The 5W Alix board will save me about $40 a year in energy costs. So in four years, it should pay for itself, vs. a dedicated PC.
That’s my story. Good luck to you if you’re thinking about embedded pfSense hardware yourself.
I am also using a 2D13 and tinkering with NetBSD, which seems to run fine on it. But I am going to put pfSense on it and make it a Firewall/VPN server. Good to hear of your success.
When you get the VPN1411s working, will you post the results? I'm just now researching this to see if it might work. One confusing thing is the perf numbers at Soekris, which appear to be around an order of magnitude greater than what is posted at netgate.com on the 1411 (e.g. ~30Mbps Netgate vs ~250Mbps Soekris).
The 1411 cards work well with ALIX, but depending on bandwidth needs may not be necessary. If you activate the glxsb driver and use AES128, you can reach ~20Mbit/s or so over OpenVPN. With the 1411 you can hit just over 30 with about any Cipher. So they are better for situations where you can't control what encryption settings are being used, or for higher bandwidth locations. Few homes or small businesses would have more than 20Mbit/s of upload capacity, but there are some out there.
You're hitting the limits of the ALIX bus at that point but it does keep the load off the other bits in the hardware. Those cards may be able to reach 250Mbit/s when used on a faster mainboard, but I haven't seen it.
Do you have to configure something special to make that card work, or just plug it into the ALIX box from PC Engines?
I am using two site-to-site IPsec connections on such a box and the CPU still seems all right.
Around 30% sometimes …
To use the built-in glxsb just check the box under System > Advanced on the Misc. tab, to use the 1411 that box should be unchecked (and reboot after unchecking it, if it was checked).
For IPsec, nothing special is needed to activate it, just plug in the card (or enable glxsb). For OpenVPN, you just need to enable cryptodev in the config (it's a drop-down on the screen)
Thanks for the quick reply and happy holidays