Installing pfSense on brand new hardware – no drivers?
-
So my little pfSense box that I've been using is no longer fit for use because it only has a single on-board NIC, and thus I've been using a USB NIC for WAN… but that's starting to exhibit strange behavior (randomly dropping WAN IP) that, after searching, appears to be at least somewhat endemic to USB NICs.
I figured I'd build a shiny new box to replace it (this needs to happen sooner rather than later, because my fiancee needs the internet connection to be stable for our VoIP phone so she can make doctors' calls for her brother who was just diagnosed with cancer), but am running into a speed bump that (to me) is about the size of Mount Everest.
After doing some brief research on hardware while I was at work today, I settled on the Gigabyte GA-Z87N-WIFI to serve as the heart of the system. I couldn't find much about the specific chipsets of the NICs, but knew that Intel and Atheros were pretty well-supported in terms of pfSense drivers, and this was the only mini-ITX board with dual NICs that my local Microcenter carried, so it seemed like a decent choice. Unfortunately, now that I'm home and trying to get pfSense running, I'm stuck in a setup loop.
When I fire up pfSense, it tells me
Valid interfaces are: usbus00 (up) usbus10 (up)
before prompting about VLANs. I say no to the VLAN question, and then am asked about my WAN interface. I have tried pfx0, alc0, em0, en0, ue0, and a couple others that I thought might apply to either the Intel or Atheros interface, but none of them work. When I try the auto-detect on either interface, that doesn't work either – "No link-up detected".
Staring intently at the motherboard, I found the Atheros chip, marked "8161-8L3A" -- this seems to indicate the AR8161 chipset. I have also found what I believe to be the Intel chip, marked "WG1217V" -- a Google reveals many non-English pages that have just enough Latin characters to suggest that this is indeed the Intel ethernet chipset. Is there any way to get drivers for this beast, or should I just accept defeat, pack everything back up, and get a "canned" router?
-
Please describe your current pfsense box. It may still be suitable with VLANs if its memory, processor, speed are up to your requirements.
-
Wi-Fi 802.11 b/g/n, supporting 2.4 GHz Single-Band
Bluetooth 4.0, 3.0+HS, 2.1+EDR
Don't expect those to work as advertised.Don't waste your money on USB3 too much either - Its a pain.
I'm also not sure about that Atheros LAN port.
-
Please describe your current pfsense box. It may still be suitable with VLANs if its memory, processor, speed are up to your requirements.
It's an Intel Atom D525 based system, with one built-in ethernet port that uses the ue driver. I think it has 2GB RAM and is running the nanoBSD 4G image.
Wi-Fi 802.11 b/g/n, supporting 2.4 GHz Single-Band
Bluetooth 4.0, 3.0+HS, 2.1+EDR
Don't expect those to work as advertised.Don't waste your money on USB3 too much either - Its a pain.
I'm also not sure about that Atheros LAN port.
I don't care about the BT at all, and as long as I can get 802.11g on the wireless (which is Intel-based) I'm happy. Worst case scenario, I can rip the wireless card out of my current pfSense box and slap it in this one (assuming I get everything else running), as the wireless in this mobo is via mini PCIe.
Most of the specs of the mobo I don't really care about; I just needed SFF (mini-ITX) and dual NIC – this was the only one my local store carried that fit the bill.
-
The best way to get painless out-of-the-box function is to buy a board with with all usb2 and no usb3. Simple SATAII drive interfaces, one or two built-in INTEL NIC ports and then add a 2 port Intel PCIe GB network card to that for cheap.
Then get yourself a nice Wireless AP and plug into the switch on your LAN.
Thats a nice piece of hardware you found, but not for your purposes.
I do like the Ultra Durable line of boards though. Maybe buy an older one (for cheap) on ebay that won't push the limits of pfsense drivers.
-
I just re-read the original post… You have this already?
So, we are in salvage the board mode then?You are doing a full install on HDD or SSD with live CD?
(Since you have this already I think it might be able to be made to work fine with a few settings changes - maybe)
-
Correct – I need to either find a way to make this work, or find a way to make the old box work... or pack everything back up, take it back to the store, and get a vanilla router.
-
OK - You said you had it up to the part where you needed to assign interfaces. Can you get it to that point again? Then get yourself a piece of paper and a pen.
While its sitting there asking you which interfaces you need to set up, you need to plug a cat5 port into your existing router or switch. Then plug the cable into each port on the new machine also, one at a time. Watch the screen on pfsense. It will tell you which interface name went up and then down. Those are the two ports interface names to use. Keep track of which one you want to be LAN and WAN also.
Let me know when you are done there.
-
I tried that – I plugged and unplugged back and forth between both ports, and it just sits at the "Enter the WAN interface name or 'a' for auto-detection" prompt. Similarly, when I try auto-detection (leaving cables unplugged until prompted), it doesn't detect any link up event.
-
I'd box it up send it back if possible. If not, there is further checking that can be done in the BIOS.
I'd go into the bios and check the advanced setting and the onboard devices (Every bios is slightly different)
I'd deactivate USB3 if possible. Default to SATAII if possible. Also make sure the network cards are turned on.
I've had several instances where boards ship with most features turned off.
Let me know how that goes. Also, you are using version 2.1 right?
-
Looks like I might be boxing it up…
I can't disable USB3 or change the SATA mode (only enable/disable each port; I have all the unused ports disabled). I've tried turning on EVERYTHING remotely network-related in the peripherals section, which is resulting in a ludicrously slow boot time because now it's trying to boot on PXE (and timing out of course). We'll see what road this leads down...
-
Can you open your current D525 box and post a pic here of the board in the case its sitting in. I want to know if there is space for add-on NIC in either a PCI or PCIe slot and if the case will accommodate it. A D525 is a nice bit of kit and is very capable as a pfsense router/firewall.
-
No dice on the boot with options, still doesn't detect any link state change. The NIC status LEDs blink periodically, so there's at least a physical connection… but can't get much beyond that.
http://imgur.com/bbjmjH6.jpg for my Atom box -- don't see any room for a second NIC in there :(
-
Thats completely OK - I already know the best way to deal with this, but question… What kind of throughput do you need? How fast is your internet?
Also, what kind of packages do you need to run?
(I like that box - Its really nice - How is that kingspec SSD working out for you?)
-
I think our internet connection is 50mbit down/15mbit up, though we're considering upgrading in the (nearish) future.
As far as packages, I'm running pretty near stock. The main features of pfSense I'm concerned with are OpenVPN, and I also run a guest AP (which I throttle, to discourage freeloading neighbors from torrenting etc while allowing legit houseguests to check their e-mail or surf the web). The only package I've actually installed is the File Manager, more out of personal curiosity than anything else.
The Kingspec SSD has been running quite well – on this box I'm running the nanobsd 1g image, so theoretically there's ~15GB of space for the SSD to use for wear-leveling :D
-
OK - Your current box is very nice and more than you need for your application. I notice you have wireless on that box. Does that work well for you?
As far as getting you a wired LAN and WAN, all you need is a small managed VLAN capable switch and you will be all set. Then you will have LAN and WAN ports to spare (-; How fast is your port on the box? Is is GB or 10/100?
-
Gigabyte GA-Z87N-WIFI :
Uh, that's an Intel i217v which isn't supported.
I don't believe that Atheros chip is supported either. They're both really new relatively speaking.afaik nobody has the i2xx series working yet. If you're deadset on using that GB board, just stick a ~20$ nc360t in it until the appropriate drivers are ready.
-
Yeah - But returning the mobo and just buying a vlan switch is so cost effective and flexible… Will work sooooooo well also.
-
It's GigE… would this switch do? http://www.microcenter.com/product/393070/JetStream_8-Port_10-100-1000_Gigabit_Managed_Ethernet_Switch_with_2_SFP_Slots
The wireless has worked fine for me... we don't do a whole lot on wireless (mostly web surfing and e-mail... our most demanding application is probably YouTube), and the guest AP thing is nice to have.
afaik nobody has the i2xx series working yet. If you're deadset on using that GB board, just stick a ~20$ nc360t in it until the appropriate drivers are ready.
Unfortunately said NIC is not available locally, and I need a solution ASAP (see OP). The cheapest equivalent @ Microcenter is $156, and that's on top of the ~$250 I've already spent on this new hardware.
-
TL-SG3210 - Ohhhhhh yeah. That will do it. Looks like a nice small switch.
I'm sure you can conquer VLANs in a a hour or two then you will be all set.
-
if you need a new system right away: go old.
8111E's should work fine and were/are on a ton of consumer matx to full atx boards. not pretty, but you could just lay the hardware out on boxes and whatnot just to have it function
Or, find older generation Supermicro/Tyan server boards (Ivy Bridge or older), for which the newest Intel NIC should be the 82574.w.r.t. your current board: you may or may not be able to find an mPCIE ethernet card. it'd be a horribly ugly hack but it could work. they're also painfully rare.
w.r.t. an nc360t: have you tried looking through whatever classifieds are popular locally? the nc360t just seems to be the most popular card I've noticed with the 82571.
-
So, you now have a working more than sufficiently powerful, low wattage pfsense box and will soon have all the WAN and LAN you need via VLAN… Problems solved.
Maybe you can keep and eye on that SSD of yours and post back letting people know how well and reliable it works over the life of your box. Those are very inexpensive SSDs and finding any rating on them is difficult. If it keeps working well for you it might make for a nice cheap option for people in the future.
-
So, you now have a working more than sufficiently powerful, low wattage pfsense box and will soon have all the WAN and LAN you need via VLAN… Problems solved.
Maybe you can keep and eye on that SSD of yours and post back letting people know how well and reliable it works over the life of your box. Those are very inexpensive SSDs and finding any rating on them is difficult. If it keeps working well for you it might make for a nice cheap option for people in the future.
Well the SSD has been running in that box 24/7 since May 2012 (actually, the end of April), and still seems to be doing fine. Here's the SMART status from it:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE 12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 13 9 Power_On_Hours 0x0032 100 100 000 Old_age Always - 0 194 Temperature_Celsius 0x0007 032 100 000 Pre-fail Always - 0 229 Unknown_Attribute 0x0002 100 000 000 Old_age Always - 589585213484 232 Available_Reservd_Space 0x0002 100 049 000 Old_age Always - 4626505281584 233 Media_Wearout_Indicator 0x0002 100 000 000 Old_age Always - 0 234 Unknown_Attribute 0x0002 100 000 000 Old_age Always - 94489281280 235 Unknown_Attribute 0x0002 100 000 000 Old_age Always - 4127259151
(I'm amused that 32C is considered "pre-fail")
-
SMART is pretty worthless for knowing the true health and true remaining life of SSDs. I call SSDs either working or not and pretty much ignore the smart reports. That switch is also pretty much unrated but seems like it will be very nice. Thats something else you might make posts about once you get its VLANs configured and get the pfsense VLANs working with it. Its a solid looking piece of hardware.
I'm running one of these in my old home box:
=== START OF INFORMATION SECTION ===
Device Model: SAMSUNG MCCOE64G5MPP-0VA
Serial Number: SE816A2746SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
9 Power_On_Hours 0x0032 097 097 000 Old_age Always - 10711
12 Power_Cycle_Count 0x0032 097 097 000 Old_age Always - 2045
175 Program_Fail_Count_Chip 0x0032 100 100 011 Old_age Always - 0
176 Erase_Fail_Count_Chip 0x0032 100 100 011 Old_age Always - 0
177 Wear_Leveling_Count 0x0013 099 099 023 Pre-fail Always - 15
178 Used_Rsvd_Blk_Cnt_Chip 0x0013 087 087 011 Pre-fail Always - 21
179 Used_Rsvd_Blk_Cnt_Tot 0x0013 094 094 010 Pre-fail Always - 315
180 Unused_Rsvd_Blk_Cnt_Tot 0x0013 094 094 010 Pre-fail Always - 4901
181 Program_Fail_Cnt_Total 0x0032 100 100 010 Old_age Always - 0
182 Erase_Fail_Count_Total 0x0032 100 100 010 Old_age Always - 0
183 Runtime_Bad_Block 0x0013 100 100 010 Pre-fail Always - 0
187 Reported_Uncorrect 0x0033 099 099 000 Pre-fail Always - 4
195 Hardware_ECC_Recovered 0x001a 199 199 000 Old_age Always - 4
198 Offline_Uncorrectable 0x0030 100 100 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x003e 253 253 000 Old_age Always - 2 -
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
-
GA-H77N-WIFI will work with 2.1 but I think the wifi will not. That board has been tried out here before. I spent some time in a thread with a different guy with that board. All running except the wifi if I remember correctly.
-
Running Nano on that SSD it should last forever.
That switch seems expensive compared with, say, this: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122397 which would also do the job. That Netgear might be more difficult to setup though, it requires a Windows only setup program. This one doesn't though and many people are using it: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381
However if that's available today and others aren't it should be fine.
Steve
-
I got the distinct impression that speed of purchase and functionality mattered more than cost to this guy. Thats why I didn't get into the price bit. I don't know though. The TL-SG3210 is advertising alot of function for a sorta not too high price. I'm interested to see how he rates it if he gets it.
-
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
that board will work. no clue about the wifi, I've always ignored pfsense's wifi capabilities.
Realtek NICs are bad in the sense that you're unlikely to get the "full" throughput available to you from the GigE spec and tend to have higher CPU utilization vs Intel NICs. -
Holly crap its almost as if I already just said that… Good god.
-
Thanks for the feedback everyone! I will be taking the hardware back to Microcenter tonight; they have the switch in stock so it shouldn't be too painful to do an exchange – it looks like their return policy is fairly liberal and the only note about CPUs is that they have a shorter return period.
As much as I want to build a new box (I enjoy putting together new computers, and haven't done so in a while), the significant cost savings of slapping in a managed switch vs. building a whole new box can't be overlooked. There's also the time savings (more critical at this point) of being able to drop in something that's almost guaranteed to work and doing a little configuration vs. building another box, setting up pfSense, copying the configuration over, and tweaking/tuning until things work right.
One side note: I assume throughput in this setup is (theoretically) restricted, since both WAN and LAN traffic share the same port on the pfSense box? 99.999% of the time this won't be a problem since the WAN is only 50mbit (100mbit if we upgrade our connection), but just want to make sure I understand the limitations.
-
Correct, all the traffic has to share the one NIC. However most of the time that isn't an issue since if you are downloading a large file, for example, that traffic comes in via the WAN and goes out via the LAN. The NIC should be capable of 1Gbps full duplex, in and out simultaneously. You do have some return traffic but at a much lower level. This will never be an issue for you since an Atom can't get close to saturating a Gigabit link anyway.
Steve
-
Correct, all the traffic has to share the one NIC. However most of the time that isn't an issue since if you are downloading a large file, for example, that traffic comes in via the WAN and goes out via the LAN. The NIC should be capable of 1Gbps full duplex, in and out simultaneously. You do have some return traffic but at a much lower level. This will never be an issue for you since an Atom can't get close to saturating a Gigabit link anyway.
Steve
Hah, good to know >_<
What sort of max throughput should I expect from the Atom (D525)? If it can keep an upgraded 100mbit WAN link saturated, or nearly so, I'll be happy for a year or two more :)
-
~550Mbps. It can vary depending on your NIC. Packages slow that down of course.
Steve
-
The only package I have installed is File Manager, so that shouldn't significantly affect throughput, right? I assume the packages that have a higher impact on throughput would be ones that interactively manage traffic e.g. Squid?
550Mbps should be fine for my needs for the next 2-3 years… and by that time there will be better, cheaper solutions that I can build when I have time to research the hardware (and subsequently employ hardware that can handle my throughput needs).
EDIT: Apologies, my system actually seems to have a D425, not a D525. Does this significantly impact my throughput, or am I still safely above the 400mbit mark?
-
Ok, you really need to do better research before buying…
After doing some brief research on hardware while I was at work today, I settled on the Gigabyte GA-Z87N-WIFI
Staring intently at the motherboard, I found the Atheros chip, marked "8161-8L3A" – this seems to indicate the AR8161 chipset. I have also found what I believe to be the Intel chip, marked "WG1217V" -- a Google reveals many non-English pages that have just enough Latin characters to suggest that this is indeed the Intel ethernet chipset. Is there any way to get drivers for this beast, or should I just accept defeat, pack everything back up, and get a "canned" router?All Haswell boards with intel nics come with i21x, this is still not supported in 2.1.
Ivy/Sandy bridge boards with intel will have either 82574L, 82579V and/or 82579LM which will work.The atheros is not supported. When people say "buy atheros" they are talking about WLAN, and it really only applies to old PCI chipsets. Until 2.1 zero pci express (aka minicard) were supported, and even now my 9280 which is the first (oldest) one they made isn't quite right still. N isn't supported either, don't even think about AC.
To be perfectly honest, pfsense sucks at wifi because the drivers are way too old and freebsd isn't the greatest at wifi to begin with. Get a nice and/or cheap standalone access point (aka consumer router flashed with better firmware from your choice of _wrt distros) and hang it off another interface.
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
That is a different socket (1155 sandy/ivy vs 1150 haswell), you will need a different CPU. Realtek does suck, and that board might even have the E/F/G or whatever revision isn't supported in 2.1 yet anyways.
Pretty much all your problems would be solved with a cheap 1155 board (like one of those $50 microcenter itx), the $35 celeron and a dual/quad intel nic off fleabay and some $20 router. Don't try to get it all onboard, it doesn't exist.
Don't put trust a single port w/ vlan switch to keep your internet and lan apart.
-
EDIT: Apologies, my system actually seems to have a D425, not a D525. Does this significantly impact my throughput, or am I still safely above the 400mbit mark?
I think the D425 is just a single-core version of the D525. Since pf doesn't support multiple cores, I doubt it would make a measurable difference.
-
Don't put trust a single port w/ vlan switch to keep your internet and lan apart.
Care to elaborate? As long as the switch properly handles VLANs (as opposed to just passing through tagged frames), I don't see how this is any cause for concern!?
-
Ok, you really need to do better research before buying…
Pretty much all your problems would be solved with a cheap 1155 board (like one of those $50 microcenter itx), the $35 celeron and a dual/quad intel nic off fleabay and some $20 router. Don't try to get it all onboard, it doesn't exist.
Except time is of the essence for this – I had a few hours to do my research, and ordering a NIC off eBay is right out (getting any of those overnighted costs a ridiculous amount on top of the price of the card itself). Fortunately I managed to fudge a script that auto-cycles the interface when it detects the IP drop, so I have a little bit of breathing room (VoIP calls cut out for a few seconds, but don't drop entirely). I was trying to get it all onboard because I was building it with off-the-shelf parts I could drive down to the store and pick up.
To be perfectly honest, pfsense sucks at wifi because the drivers are way too old and freebsd isn't the greatest at wifi to begin with. Get a nice and/or cheap standalone access point (aka consumer router flashed with better firmware from your choice of _wrt distros) and hang it off another interface.
The problem with hanging an access point off it is that I would then lose my guest network (unless I hang two off there, maybe?). That's really something I'd rather not lose. pfSense has been doing quite well with wifi on my current Atom box using an Atheros wifi card. Sure it's not blazing fast, but the most demanding thing we do on any of our wireless devices is watch YouTube videos, and we spend most of our time on the wired systems anyways.
-
The problem with hanging an access point off it is that I would then lose my guest network (unless I hang two off there, maybe?). That's really something I'd rather not lose. pfSense has been doing quite well with wifi on my current Atom box using an Atheros wifi card. Sure it's not blazing fast, but the most demanding thing we do on any of our wireless devices is watch YouTube videos, and we spend most of our time on the wired systems anyways.
If you get an access point that supports a guest network (or, more generally, multiple SSIDs), chances are this is exposed as a separate VLAN, which pfSense can easily deal with. Point in case, I have an Airport Extreme attached to my pfSense box, and the built-in guest network feature works just fine once you figure out what VLAN tag it uses.