Installing pfSense on a CF card for Soekris board with linux


Jeremiah - Posted on 17 January 2008

If you're looking for a nice dedicated firewall appliance, you could run out and spend $800+ for a SOHO unit. Or you could spend a few hundred dollars on a Soekris SBC (single board computer) and use the open-source pfSense distribution with its wealth of features.

The pfSense website shows you how to install pfSense on a Compact Flash card with Windows, but what if you're like me and don't have a Windows computer handy? It turns out it's probably easier to install on a linux machine. A BSD machine isn't going to be too much different, but I'm using Ubuntu Server, so that's what my instructions will be for. I'm using a Soekris net4801 with three Ethernet interfaces.

You'll need a CF card reader to load the image to the card. I've got an old, cheap USB reader that worked fine. Before you plug it in, type (all commands as root user):
tail -f /var/log/dmesg

On distributions that don't output dmesg to a file, you might have to plug it in and then read the last output of dmesg:
dmesg | tail

Whichever way you do it, you're just looking for the block device (sdX) that appeared when you plugged the reader in. Mine happened to be /dev/sda.

Once you know which device your USB "drive" is, you can unzip your pfSense image straight onto the card (choose the embedded image for Soekris and WRAP when downloading). To install (make SURE you've got the right disk here, AND that you're running as the root user; if you're using sudo, the redirection below will fail, because sudo elevates gunzip but not the shell that opens /dev/sda):
gunzip -c /path/to/pfSense-1.2-RC4-Embedded.img.gz > /dev/sda
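The one-liner above does the job, but it will just as happily overwrite your system disk if you misread dmesg. The script below is an added example (not from the original post) that wraps the same gunzip step with the checks a cautious admin wants first: it lists the devices the kernel flags as removable, refuses anything that isn't a removable, unmounted block device, and pipes into dd so the write also works under sudo. It assumes a Linux host with /sys/block and /proc/mounts; the image file name is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Linux (/sys/block,
# /proc/mounts) and the pfSense embedded image named in the post.

# list_removable: print block devices the kernel flags as removable. This is
# a more reliable way to find a USB CF reader than tailing dmesg.
list_removable() {
    for f in /sys/block/*/removable; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            d=${f#/sys/block/}
            d=${d%/removable}
            echo "/dev/$d"
        fi
    done
    return 0
}

# check_target DEV: succeed only if DEV is a removable, unmounted block device.
check_target() {
    dev=$1
    name=${dev#/dev/}
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $dev is not flagged removable (is it your system disk?)" >&2
        return 1
    fi
    # /dev/sda also matches /dev/sda1 etc.: any mounted partition means a live filesystem.
    if grep -q "^$dev" /proc/mounts; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2
        return 1
    fi
    return 0
}

# write_image IMAGE.gz DEV: decompress the image onto DEV.
# dd opens the device itself, so "sudo dd" elevates the write; with a plain
# "> /dev/sdX" redirection it is the unprivileged shell that opens the device,
# which is the sudo problem the post warns about.
write_image() {
    img=$1
    dev=$2
    [ -r "$img" ] || { echo "cannot read image: $img" >&2; return 1; }
    check_target "$dev" || return 1
    if [ "$(id -u)" -eq 0 ]; then sudo=""; else sudo=sudo; fi
    gunzip -c "$img" | $sudo dd of="$dev" bs=1M && sync
}

# Usage: sh write-cf.sh --write /path/to/pfSense-1.2-RC4-Embedded.img.gz /dev/sdX
if [ "${1:-}" = "--write" ] && [ $# -eq 3 ]; then
    list_removable
    write_image "$2" "$3"
fi
```

Run `list_removable` first and compare its output with what dmesg showed; if your CF reader is the only removable device listed, that is the one to pass to `--write`.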

Now it's installed! Plug the CF card into the Soekris board and power it up. The LAN interface is the port closest to the serial connection, the WAN interface is the port next to that, and the DMZ is the last port, marked eth2 on a net4801. From here you can pretty much plug a computer set for DHCP into the LAN interface and point your browser at the firewall's LAN address for the web interface.

In the likely event that your WAN interface isn't going to be configured by DHCP, leave the cable unplugged until you've had the chance to get to the web configuration tool to set your IP address. If you don't, pfSense will hang while trying to obtain an address. I don't know how long before it times out... I didn't have the patience.

If you want to connect to the console you'll need a console cable and a null modem adapter. I had these lying around the house because I used to do a lot of serial work, but I believe RadioShack still sells null modem adapters and cables.

Then you'll probably need terminal software... I like minicom. On Ubuntu, it's a matter of:
aptitude install minicom

On RH/Fedora/CentOS:
yum install minicom

Then you'll need to configure minicom by typing:
minicom -s

Move down to "Serial Port Setup", press 'A' to configure your serial interface (i.e. /dev/ttyS0), and then 'E' for your Bps/Par/Bits. Set this to 9600 (menu item E) and 8-N-1 (menu item Q). Make sure hardware flow control is set to yes. You'll probably want to save your setup as the default (dfl), as this is a pretty common connection setting. Exit, and voilà: you should now be sitting at your pfSense console.

If you've got screen installed, you can also use that, although it's not nearly as elegant or configurable:
screen /dev/ttyS0 9600

A couple things to note about the embedded version of pfSense: your settings will be persistent (a power outage won't make you lose your settings), but you won't be able to install optional packages like FreeRADIUS as you would on a full install. You'll also notice it will be much slower to configure and work with than if you were on a full-blown computer. I haven't played with it enough to see if bandwidth is affected through the Soekris vs. a commodity PC, but when I do some more testing I'll post that info. Without the VPN accelerator card I would imagine VPN access would be painful for more than one person, but again this is yet to be tested (by me).

I'm not ready to replace my Cisco PIX 501, but if my PIX ever dies, I'll probably go with this setup.