Update: I’ve made a few modifications to the boot flags.
I admit it. I’m a big fan of technology and I have always been fascinated with the FOSS movement. When we renovated the house, I made sure to put Cat6e drops in every room. They terminate in my electrical closet in a Cisco Gigabit switch. The switch is controlled by an old Pentium-M 1.7 GHz laptop that I repurposed as a router using pfSense. My wireless needs are served by a Netgear WNDR3700 router with Gargoyle firmware installed. It has been working well, but the NIC interfaces top out at 100 MBps each and I want to step up my Internet connection to the 150 MBps / 10 MBps connection offered by Teksavvy Inc.
Recently, I’ve been looking at a higher-spec’d box for this. I considered three choices:
- Option 1: Intel Core 2 Duo / Quad based Small Form Factor PC
- Option 2: Intel Atom-based mini-ITX system
- Option 3: Embedded system
Option 1 is way over spec’d for what I need, and I would also need to buy at least one more card. Total cost is about $200 CAD for a used unit; they are readily available from the many used-PC shops around the area. Power consumption is probably around 40 W/hr. Not great, but not significantly more than the 24 W/hr my current setup uses. They also take 2 GB+ of RAM.
Option 2 is a completely new build. Atom chips are low-powered but well spec’d, and I can add as much RAM as I want. Power consumption is slightly lower (the 18 W/hr range) in day-to-day use, but the cost to put one together is much higher, $400 to $500.
Option 3 was really interesting, but the hardware seemed very esoteric. As it happened, a user was selling such a box, already modified with additional RAM (1 GB), an 8 GB SSD Disk On Module (DOM) and a 2-port Intel Gig-E NIC, all for $60 plus shipping.
All options require a secondary monitor for initial setup. However, once the installation is complete and running, these machines can run headless.
Installing pfSense was no easy matter. Most of these embedded systems run off a CompactFlash-to-IDE adapter, so it’s easy to pull the card and copy the raw image onto it through a USB CF reader. In this case the DOM behaves more like a hard drive; moreover, it uses a standard 44-pin IDE connector, so the easiest way is to install using the LiveCD available at pfsense.org.
In addition to that, you’ll need:
- An external USB DVD drive or a USB key for the .ISO Live CD
- A USB keyboard
Then:
- Connect the monitor, keyboard and USB DVD drive.
- Open the BIOS screens to make sure that all options are enabled (specifically, the USB controller must be enabled or your DVD drive and keyboard won’t work).
- Boot using the pfSense LiveCD and run the standard install.
- NOTE: When asked to partition the disk, choose NOT to create a SWAP partition.
Flash media such as an IDE DOM or a CompactFlash card can sustain only a limited number of writes per sector. The goal of this installation HOW-TO is to create an embedded install from the LiveCD: it loads pfSense into RAM and turns off local logging.
- Select the standard kernel. (Selecting the embedded kernel does annoying things like turning off VGA, requiring you to access the box through the serial console, and who has null-modem cables lying around?)
The HP T5720 has a few peculiarities. The BIOS implementation of ACPI doesn’t work, which caused errors to fill the console every 30 seconds. Moreover, the bootloader wouldn’t detect the DOM as a boot drive.
- When prompted by the bootloader, press the <spacebar> to pause the countdown, select the custom boot option (option #7) and enter the following:
$ set hw.ata.ata_dma=0
$ unset acpi_load
$ set hint.acpi.0.disabled=1
$ set hint.apic.0.disabled=1
The system will boot. You can then set your VLANs and network interfaces for WAN and LAN. You can even log in via the web interface if you want, as it starts serving up IPs as soon as another computer is connected.
To make these bootloader settings persist across reboots, you’ll have to go into the shell (option #8) and type:
$ echo "hw.ata.ata_dma=0" >> /boot/loader.conf.local
$ echo "hint.acpi.0.disabled=1" >> /boot/loader.conf.local
$ echo "hint.apic.0.disabled=1" >> /boot/loader.conf.local
You’ll then need to switch the platform type specified in /etc/platform from “pfsense” to “embedded”. This boots the embedded kernel, loads pfSense into memory and makes the filesystem read-only.
You can choose not to do this and accept reduced reliability of the DOM device due to frequent writes. Most of the DOM devices sold have wear-levelling built in, and larger DOMs have excess space. You’ve been warned. I would at least turn off local logging, or point it at an external syslogd instance if you have one.
Installing Packages and Updating
Once you have set your “pfsense” install to “embedded”, you will need to change the install type back if you want to install packages and/or update your installation of pfSense to a newer version: switch the context back to “pfsense” in /etc/platform.
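As an added example (not from the original post), here is a small POSIX sh helper that does the two edits above, the loader tunables and the /etc/platform switch, idempotently: each tunable is written to /boot/loader.conf.local exactly once however often the script is re-run after an update, and /etc/platform only ever receives “pfsense” or “embedded”, so a typo cannot leave the box with an unknown platform type. The file paths default to the ones pfSense uses but take an override argument so the helpers can be tried against scratch files before touching the real ones. The function names and the quoted `name="value"` form (the loader.conf(5) style, equivalent to the unquoted lines above) are my choices, not pfSense’s.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the
# T5720 loader tunables and the /etc/platform switch described above.
# Assumptions: POSIX sh and awk; default paths are the ones pfSense uses,
# and every helper takes an optional path argument so it can be exercised
# against scratch files first.

# set_tunable NAME VALUE [FILE]
# Replace any existing assignment to NAME in FILE and append NAME="VALUE",
# so the file holds exactly one line per tunable however often this runs.
set_tunable() {
    name=$1; value=$2; file=${3:-/boot/loader.conf.local}
    [ -f "$file" ] || : > "$file"
    # Keep every line that does not start with NAME= (fixed-string match
    # anchored at column 1, so hw.ata= never matches hw.ata.ata_dma=).
    awk -v n="$name" 'index($0, n "=") != 1' "$file" > "$file.tmp"
    printf '%s="%s"\n' "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# get_tunable NAME [FILE]
# Print the current value of NAME (quotes stripped); fail if it is not set.
get_tunable() {
    name=$1; file=${2:-/boot/loader.conf.local}
    [ -f "$file" ] || return 1
    awk -v n="$name" '
        index($0, n "=") == 1 {
            v = substr($0, length(n) + 2)
            gsub(/"/, "", v)
            print v
            found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# apply_t5720_workarounds [FILE]
# The three settings from the post: no ATA DMA, no ACPI, no APIC.
apply_t5720_workarounds() {
    target=${1:-/boot/loader.conf.local}
    set_tunable hw.ata.ata_dma 0 "$target"
    set_tunable hint.acpi.0.disabled 1 "$target"
    set_tunable hint.apic.0.disabled 1 "$target"
}

# set_platform pfsense|embedded [FILE]
# pfSense reads this file at boot; anything else is rejected rather than
# written, so a typo cannot leave the box with an unknown platform type.
set_platform() {
    ptype=$1; file=${2:-/etc/platform}
    case "$ptype" in
        pfsense|embedded) ;;
        *) echo "set_platform: unknown platform '$ptype'" >&2; return 1 ;;
    esac
    printf '%s\n' "$ptype" > "$file"
}

# get_platform [FILE]
get_platform() { cat "${1:-/etc/platform}"; }

# Run as "sh t5720-boot.sh apply" to do both steps against the real files;
# with no arguments the file only defines the functions, so it can be sourced.
case "${1:-}" in
    apply) apply_t5720_workarounds && set_platform embedded ;;
esac
```

Source the file and call the functions individually (for example `set_platform pfsense` before installing packages, `set_platform embedded` afterwards), or run it with `apply` to do both steps at once; `get_tunable` lets you confirm what is actually in the file before rebooting.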