Write Protect Features for DOM



  • Hello all, I am new to the forum and pfsense but I have been doing a lot of research lately for a new build.  I have found a lot of useful information here.  One of the debates that seems to come up most frequently is what hardware to use.  Specifically, I am interested in what hardware to boot from.  Everyone has their own opinions for a variety of reasons (cost, low power, raid setups - high availability, HDD, SDD, eSATA, eUSB, optical, USB, CF, etc).

    I can appreciate that any flash type of memory has a finite life when writing takes place.  I recently came across the SATA-DOM modules and they seem like a perfect solution for a router setup.  The one I have been looking at is the Innodisk  SATADOM-MV 3ME.  Yes they are a little pricey for the capacity but this will be my primary router and reliability is worth the cost.  Besides, working in the IT world I am a firm believer that your hardware is only as good as your weakest link.  I know there are many people who get by using inexpensive drives of all flavors, if it works for you that's all that matters.  Unfortunately, I travel a lot so stability is extremely important.

    I know there is a lot of discussion on disabling logs and other methods to reduce or "eliminate" writing to drives (particularly flash types), but I am curious why I have not come across more discussion about enabling hardware write protect features.  I think it would be difficult to eliminate all writes by software settings.  The SATADOM module I listed above has a hardware write protect feature, once a baseline was established the module could be write-protected and in theory you would have a very stable read only solid state system.  I assume live changes could still be tested since everything is running in RAM once it has booted.

    From a security standpoint, write-protection seems like a good feature when dealing with your primary network appliance.

    Is anyone else doing this?



  • I think it would be difficult to eliminate all writes by software settings

    This is how the NanoBSD build of pfSense works. It marks the disk Read Only.
    Innodisk makes some of the best SATA-DOM's out there. pfSense runs mostly in memory anyway.



  • Thanks for the info I will do some research on the NanoBSD images.



  • Unfortunately, I travel a lot so stability is extremely important.

    One drop with a hot glue pistol if the DOM is connected to the SATA port and it could not
    jump out during the travel phases.



  • So to install the Embeded version here are the two methods I use:
    1> Put DOM device in another computer and write image to the device.
    2> Burn the pfSense Live Memstick or CD version and do the install from it. It offers the option of the Standard Kernel Install or Embedded Install. You want Embedded install. It uses NanoBSD.



  • I don't think you can have completely write protect on nano or full install.  Maybe running from cd image has no write. Let me explain a bit. I may be wrong because I'm not a pfSense expert. The part that uses the drive is when you make any changes or turn off/ reboot the system. It needs to write logs and configurations to somewhere.

    I'm pretty sure nano pfSense is ran completely from memory, but configuration is written to drive.  The nano version, there are three slices of pfsense on 1 drive. You switches between two slices of pfsense during failure. Configuration is keep on the third slice.

    https://doc.pfsense.org/index.php/NanoBSD_Diagnostics

    Here's the reason why nano pfsense was created with three slices, the third posting by admin jimp:
    https://forum.pfsense.org/index.php?topic=36836.0

    As for the hard drive (regular pfsense) version, it write logs and configuration unto the drive, everything is ran from memory. You choice to install to hard drive because you want " Logs, RRD data, DHCP lease database, etc, all persist across reboots without additional intervention. " All these must be written unto the drive. If you run a large organization, you would want to keep track of all these things, for trouble shooting purposes. Be able to explain why the HR department was suffering the internet so much last month and they got no work done.

    For write protect to disk on memory (DOM), you may as well copy the cd/dvd iso unto the DOM. Definitely the cd image does not write to anything. Your configuration will need to be a separate usb drive.

    Here is the difference between the two:
    https://doc.pfsense.org/index.php/Full_Install_and_NanoBSD_Comparison

    If I were you, I install the full version. Keep a backup in case anything goes wrong. Pfsense has a full backup command and you can restore from full backup. It only takes about 10 to 20minutes to recover, reinstall and load the backup. There are so many options on what you can do for disaster situations. Such as hardware raid 1 with two drive duplication. Or run two pfsense boxes in HA (high availability) mode, when one fails the other takes over like nothing happened.

    I've been running on 4GB SLC SSD drive for over one year with everything turned on, no issue. Because my drive is small I never created a swap partition during installation. As I understand swap is only use when you run out of RAM memory.



  • Alot of the Innodisk DOM's have a 2million MTBF rate. Also note that the MV line is the value line. Still good but slower. It really only affects your bootup time. Speeds are like 25MB/s for the value line.

    I disagree with much of the above post but will digress.


Log in to reply