PfSense on a Riverbed Steelhead



  • I successfully installed pfSense on an old Riverbed Steelhead appliance. You can see how, with pictures of the unit, here.

    Unfortunately, I ran into the same problems with the LAN bypass ports from this thread (though mine is a newer model). Of course, the original poster in that thread leaves without specifying how it was fixed.

    Regardless, it is still a useful appliance for pfSense, even with just two ports. It'll even fit on the shelf in my basement better than the Watchguard Firebox I have.



  • The synopsis of the installation is basically:
    1. Remove the flash drive and hard drive from the appliance
    2. Plug the flash drive into a USB header on your PCs motherboard
    3. Write the pfSense image to it
    4. Replace the flash drive, set kern.cam.boot_delay=10000
    5. Enjoy

    em0 and em1 are the bypass ports and don't work. em2 and em3 are the aux/primary ports and do work.


  • Netgate Administrator

    Yes, disappointing he didn't come back. Anyway reading between the lines I would guess he disabled or changed the mode of the LAN-bypass in the BIOS. As I said there you often use the TAB key to enter the BIOS setup via serial console. Can you access the BIOS on your box?

    Steve


  • Netgate Administrator

    You could probably disable the bypass manually with a small program anyway. Is there any evidence that board is made by Axoimtech?

    For example they give source code for their LAN-bypass control for various products:

    /* Use GPIO Control LAN by-pass*/
    /**************************************************************/
    int _8a811_lan_by_pass_enable(void)
    {
    	iopl(3);
    //	_gpio_use_sel(BIT0);
    //	_gp_io_sel(BIT12, GP_IO_SEL_OUT);
    	_gp_lvl(34, Low);	//control by ICH GP34
    	_gp_lvl(23, Low);	//control by ICH GP23
    	return 0;
    }
    /*******************************************/
    int _8a811_lan_by_pass_disable(void)
    {
    	iopl(3);
    //	_gpio_use_sel(BIT0);
    //	_gp_io_sel(BIT12, GP_IO_SEL_OUT);
    	_gp_lvl(34, High);	//control by ICH GP34
    	_gp_lvl(23, High);	//control by ICH GP23
    	return 0;
    }
    
    

    It would be easy to test something similar given sufficient clues.

    Steve



  • I did something stupid somewhere that is keeping from getting back into the BIOS, but when I was able to get into the BIOS, there were no options for LAN bypass.

    I'll have to look on the main board when I get home to see what markings there are and if any indicate what model the board is.



  • The board is a Jabil Circuits MNPBA000698C. I'm not having any luck finding much documentation on the board, but I can buy one for less than $30 on eBay: http://www.ebay.com/itm/JABIL-CIRCUIT-MOTHERBOARD-MAINBOARD-SBC-NEW-/300300470392



  • Yes, those are LAN bypass ports.  Looking at your pics, the 4 big white things on the MB behind the ports are relays; these control if the active lines on each port are connected to the MB or to each other.

    I'm not clear if the GPIO code, like Steve posted or in the bios, will directly control the state (bypassed or not), or if the GPIO simply allows or prevents bypass on power fail.  I suspect the latter.

    If you don't need the bypass feature, you may be able to do some hardware hacking to energize the relays directly from somewhere else on the board.  I see a big 1F supercap there, and there's also an LED on the front panel to indicate bypassed condition that may provide some clues.


  • Netgate Administrator

    The way that LAN bypass usually works is that the relays are powered via the output from a watchdog timer. This can be in the SuperIO chip or in the southbridge chip. The design of the system is such that if the OS crashes and stops resetting the watchdog then the LAN-bypass automatically kicks in. It's usually possible to control the properties of the watchdog by setting various registers in which ever chip is running it. Alternatively it might be possible to drive it via some separate GPIO pins in parallel.

    I see in your photo the board is labelled: ETON ET866 94V-0
    That seems to bring up references to graphics cards though.  :-\ Jabil Circuits seems to be a pcb assembly company rather than a motherboard designer so not much help as you found.

    I notice that the connector in the top right of the photo is labelled J20. This implies there are are more jumpers! Are there any that we can't see in the photo?

    Steve



  • There does not appear to be any other jumpers on the board. I've looked for any other J# labels as well (perhaps the pins were removed) and I don't see any.



  • Where you ever able to recover the bios password? I have the same issue, trying to get into the bios…



  • You could force bypass off permanently by shorting the control pins to either ground or 1v8/3v3/5v


  • Netgate Administrator

    You have identical hardware?
    https://shoup.io/project-steelwall.html

    it's a little out of date these days. No need to mount RW if you're running Nano as it's always mounted RW.

    Always use /boot/loader.conf.local

    That hardware appears to be 32bit which means no 2.4.

    Steve



  • hi

    i also interested to get the two left NICs working.

    someone been successful?

    Thanks


  • Netgate Administrator

    You have access to the BIOS?

    Any lan bypass or watchdog functions available there?

    Otherwise you will need to switch the relays manually by flipping the control registers. Or by changing the circuit that drives them.
    Are you up for a challenge?  ;)

    Steve



  • @stephenw10:

    You have access to the BIOS?

    Any lan bypass or watchdog functions available there?

    Otherwise you will need to switch the relays manually by flipping the control registers. Or by changing the circuit that drives them.
    Are you up for a challenge?  ;)

    Steve

    Unfortunately there is no option in the BIOS to activate the relays manually.

    I read a few posts on other Websites about bridge the relays power feedpin to an Mosfet to power them from boot.

    iam a noob in things like this. But i really want to get it working. do you have some information, maybe some pictures how i had to modify the relais circuit ?

    here is a picture

    thank you so far


  • Netgate Administrator

    Ok, so to be clear there no bypass OR watchdog settings in the BIOS?

    And there are no jumpers on the PCB? I can't make out any from your photo but it's not very high resolution.

    You have two choices. Electrically bridge the relays by powering them from somewhere. Or, more fun IMO, try to find the GPIO that controls the relays and set it in software.

    There will be typically two places that have GPIOs that could have been used, the ICH and the SuperIO chip. They may have used the parallel port but that's crude, unlikely for relays that are on the main board.

    Steve



  • I'd go the fun route. It's way more fun.  ;D


  • Netgate Administrator

    Yup, immensely more satisfying when (if) you get it to work.  ;D

    Steve



  • I took some pictures in better  resolution

    maybe you can see something on it



  • I'm afraid the real tracks are on the other side of the board. On top of that, GPIO control is done in software, so you'd have more luck poking around on the GPIO's on the shell.


  • Netgate Administrator

    Mmm, with no jumpers and nothing in the BIOS it's time to start poking GPIOs.

    You might want to read this thread for some ideas how to do that: https://forum.pfsense.org/index.php?topic=81292.0

    Steve



  • Have anyone enable this bypass ports?



  • @HarryH:

    Have anyone enable this bypass ports?

    Poke the GPIOs and you'll know :-)


  • Netgate Administrator

    Yup, you'll have to start poking GPIO registers. Tedious but fun when it works!

    I can probably offer assistance as time allows.

    Steve



  • @stephenw10

    If you reinstall the original Steelhead code you can toggle the bypass NIC to "fail-to-block" i.e. keep both NICs up all the time. See CLI commands below. The interface name is "inpath0_0". You can do a "show run" CLI command to see all the settings and interface names.

    Once you set "fail-to-block", the HW seems to remember the setting (it must be flipping a hidden BIOS setting) so you can install pfsense and have the additional two NICs.

    Fail-to-Block CLI commands:
    • no interface <interface-name> fail-to-bypass enable: Sets the interface to block when there is a failure.
    • interface <interface-name> fail-to-bypass enable: Sets the interface to bypass when there is a failure.