Unsupported packages on unsupported architectures



  • Hi all!

    Recently I've been using Netgate ALIX2D3 desktop kits to deploy IPSec capable pfSense 2.0.1 firewalls out to remote offices with fewer than 20 users in them. These work wonderfully for our purposes and I'm quite happy with them as a product, except for the fact that Lightsquid is not a supported package on ALIX/nanoBSD processors.

    This is the case because the compact flash card cannot handle the volume of writes that would occur when lightsquid parses the squid access logs, which is understandable. But the ALIX boards have USB ports on the back of them, and if I plug in a thumb drive or other similar flash drive, I can see the drive and theoretically mount it. So if I could mount it as /var/lightsquid, I would be able to write the lightsquid output there and not affect the stability of my firewall…. So here's some thoughts pursuant to that line of thought:

    • I've seen other posts where folks have mounted a variety of drives within the pfSense shell. In fact here's a guy asking about it now. It seems to me that you could perfect this and then define it as a <shellcmd> so it would mount every time the firewall started.

    • Once the above was accomplished and it mounts itself as /var/lightsquid, Lightsquid writing a file every half hour or so wouldn't be an issue. Even if the thumb drive ran out of space, it would not affect the stability of the firewall. This would eliminate the reason for not having lightsquid available as a package on the nanoBSD architectures.

    • Of course, since the above concept is theoretically sound but lightsquid is still not available as a package to install because of the architecture, I can't test it. With that in mind it would be nice if there was a very hard-to-navigate-to checkbox in the WebGUI or variable in a config file I could edit somewhere so I could gain access to these unsupported packages… with the obvious understanding that if I break or brick my firewall it's my own stupid fault.

    Make sense? Thoughts?

    Thanks!
    -Anomaly0617



  • USB flash has the same write limits as CF. The only option would be to add an external hard drive for such storage, which is difficult and not supported for a variety of reasons, primarily because the partitions can't easily be split up in the fashion that would be required.



  • @cmb:

    USB flash has the same write limits as CF.

    Agreed, however if the USB flash drive exceeds the max. number of writes that it can handle, it will crash and burn without crashing the entire firewall in the process. At worst it would stop showing up as a drive, and pfSense could fall back to using the flash RAM to store the files. In theory, that is. :-)

    @cmb:

    The only option would be to add an external hard drive for such storage, which is difficult and not supported for a variety of reasons, primarily because the partitions can't easily be split up in the fashion that would be required.

    Hmm.. I'm interested in the background on why external drives aren't supported, but I have a feeling that goes outside the scope of this post. If you're so inclined, PM me with the details. If not, I certainly understand.

    For the sake of argument, let's forget about external storage entirely. What about network-based storage? For instance, what if I could hypothetically mount an NFS or SMB share from pfSense to a NAS device, like FreeNAS? In that scenario the amount of storage would be virtually limitless since squidguard/squid log files are not large in the grand scheme of file storage.

    As you can see, the gears in my head are turning. These devices are incredibly useful. pfSense is incredibly useful. If there's any way to overcome the finer points of using the appliance instead of a PC, I'm all about it.

    Thanks (as always) in advance!

