Installing pfSense on an ALIX board

Thursday, July 8th, 2010

The PC Engines ALIX single-board computers don’t have much in the way of interfaces, just ethernet, USB and a serial port, so if you’re not used to dealing with these things it can seem a little daunting to get an OS installed.

Here’s the procedure I use to get the pfSense firewall OS installed on something like an ALIX 2D3. Note that I’m putting the full live distribution on a CF card, which may not be a good choice for you — CF cards have a limited write lifetime. You’ll need the following equipment :-

  • ALIX system board
  • Power Supply of course
  • CF card, I’m using 1GB
  • CF card reader on your desktop machine
  • Null modem DB9 cable
  • A serial port on your desktop (I use a USB/Serial converter)
  • Serial port communications software (minicom works fine; on Ubuntu remember to make sure you have permission to read the /dev file — you may need to join the dialout group)
  • UTP Ethernet cable

Configure the ALIX board

First, check that your ALIX machine is working and do a little setup. Don’t put the board into its case at this stage, as that usually blocks access to the CF card we’ll be using later. Be careful to keep the board on a non-conductive surface. Connect the serial cable to your PC and configure the serial port communications software for 38400 baud, 8N1. Power on the ALIX machine and you should see this :-

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 - no drive found !
No boot device available, press Enter to continue.

If you don’t get something like that, look for the green lights on the ALIX board and check your comms settings. Once you get that working, it’s time to reboot the ALIX and change the baud rate. Take out the power (remember that PC Engines don’t recommend un/plugging the PSU connector at their end due to the risk of arcing, so do it at the mains end), and this time as the machine reboots press the “s” key while the memory check is counting up.

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 - no drive found !

BIOS setup:

(9) 9600 baud (2) 19200 baud *3* 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

Press “9”, then “q”, then “y” to save … at which point you may as well power off again while you change the communication settings on your terminal down to 9600 baud!

*9* 9600 baud (2) 19200 baud (3) 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

Save changes Y/N ?
Writing setup to flash... OK
x����x<�������x������x������x���x���x

Confirm you can talk to the device once again, then power off and leave it alone for a little while.

Configure the CF card

Now we’re ready to install pfSense onto the CF card. I don’t want to boot my desktop from the pfSense LiveCD, so I’m going to do this via a VM under VirtualBox. First, we need to identify how the CF card shows up in your normal desktop machine, so plug it in. If a filesystem is automounted (most CF cards come with a FAT32 filesystem on them by default) then unmount it. Have a look with dmesg to find out which device it has been connected as — mine comes in as /dev/sdc.

$ dmesg|tail
[45748.609374] sd 3:0:0:0: [sdb] Attached SCSI removable disk
[45748.610134] sd 3:0:0:1: [sdc] Write Protect is off
[45748.610141] sd 3:0:0:1: [sdc] Mode Sense: 03 00 00 00
[45748.610146] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.613126] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.613136]  sdc: sdc1
[45748.615125]  sdc1: 
[45748.618619] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.618629] sd 3:0:0:1: [sdc] Attached SCSI removable disk

Now you need to create a passthrough disk that will allow a VM guest machine to talk directly to /dev/sdc. This isn’t well covered through Google searches, but it is out there, and it’s in the VirtualBox documentation too …

$ sudo VBoxManage internalcommands createrawvmdk \
-filename passthroughsdc.vmdk -rawdisk /dev/sdc -register

Make sure you create that passthroughsdc.vmdk in the correct directory, ~/.VirtualBox/HardDisks on my setup. You need to be root in order to connect to /dev/sdc, but once the disk file has been created you can chown it back to your ownership.
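The installer will overwrite whatever disk the passthrough file points at, so it is worth confirming that the name taken from dmesg really is the CF card before running the createrawvmdk command above. The following is an added example, not part of the original procedure: the function name check_cf_target and the 16 GiB size ceiling are assumptions, and it relies on the Linux sysfs layout under /sys/block.

```shell
#!/bin/sh
# Added example: sanity-check a block device before exposing it to a VM
# as a raw disk. SYSFS and MOUNTS can be overridden so the check can be
# exercised against a constructed directory tree.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"
MAX_BYTES="${MAX_BYTES:-17179869184}"   # assumed ceiling for a CF card (16 GiB)

# check_cf_target NAME: prints a verdict, returns non-zero if NAME looks unsafe.
check_cf_target() {
    dev="$1"
    dir="$SYSFS/$dev"
    [ -d "$dir" ] || { echo "$dev: no such block device"; return 1; }

    # Card readers report removable=1; internal disks report 0.
    [ "$(cat "$dir/removable" 2>/dev/null)" = "1" ] ||
        { echo "$dev: not removable media"; return 1; }

    # sysfs size is in 512-byte sectors; an empty reader slot reports 0.
    # Multi-slot readers show up as several devices (sdb and sdc above).
    sectors=$(cat "$dir/size" 2>/dev/null)
    [ "${sectors:-0}" -gt 0 ] || { echo "$dev: no media present"; return 1; }
    bytes=$((sectors * 512))
    [ "$bytes" -le "$MAX_BYTES" ] ||
        { echo "$dev: $bytes bytes is larger than expected"; return 1; }

    # Refuse if the disk or any of its partitions (sdc, sdc1, ...) is mounted.
    if grep -Eq "^/dev/${dev}p?[0-9]* " "$MOUNTS"; then
        echo "$dev: still mounted, unmount first"; return 1
    fi
    echo "$dev: ok ($bytes bytes, removable, unmounted)"
}

# Usage: sh check_cf.sh sdc   (name as shown by dmesg, without /dev/)
if [ "$#" -eq 1 ]; then check_cf_target "$1"; fi
```

Compare the byte count it prints with the capacity printed on the card; only create the passthrough file once they agree.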

Now set up a VM guest for FreeBSD, giving it the passthroughsdc.vmdk as the hard drive, and the pfSense LiveCD on the CD drive. Start it up. When pfSense boots, select “i” for the Installer, choose “Easy Install” and let it rip through, copying files onto your CF drive. At the end, choose the “Embedded kernel”, and shut down normally.

Booting pfSense on the ALIX

Now you can take the CF card and install it into the ALIX, carefully. Switch back to the serial console and power up …

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 2GB
Phys C/H/S 3933/16/63 Log C/H/S 983/64/63

F1   FreeBSD

Boot:   F1

pfSense should then boot, leaving you with the serial console options :-

Bootup complete

FreeBSD/i386 (pfSense.local) (console)

*** Welcome to pfSense 1.2.3-RELEASE-pfSense on pfSense ***

  LAN                      ->   vr0     ->      192.168.1.1
  WAN                      ->   vr1     ->      NONE(DHCP)

 pfSense console setup
***************************
 0)  Logout (SSH only)
 1)  Assign Interfaces
 2)  Set LAN IP address
 3)  Reset webConfigurator password
 4)  Reset to factory defaults
 5)  Reboot system
 6)  Halt system
 7)  Ping host
 8)  Shell
 9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense Developer Shell
13)  Upgrade from console
14)  Enable Secure Shell (sshd)

Enter an option: 

Now you should be able to connect a UTP Ethernet cable to the LAN interface (vr0 will probably be the interface closest to the power connector) and the other end to your PC — note that this should provide an address (and default route/DNS config — be careful if you thought your PC was supposed to be working via a different interface at the same time) for you automatically. Point your web browser to http://192.168.1.1 and enjoy your pfSense firewall!

By the way, all my PC Engines hardware comes from Nicegear, NZ’s VoIP and Open Source Hardware specialists.