Full pfSense on Embedded Hardware

I was on the pfSense firewall site the other day and was intrigued by two of its features. The first was the ability to run Snort directly on the firewall. The other was that it supported several embedded, small-footprint platforms.

As an infosec professional, being able to run Snort at home without spinning up another machine had obvious appeal. Running on an embedded platform also drew me in, since my home firewall had been a home license of Astaro running on relatively loud, hot, and large standard PC hardware.

pfSense looked like a really neat system to check out, but there was one problem: the embedded build isn't compatible with running Snort. Snort generates so much write activity (alerts, logs and rule state) that it would wear out an embedded system's flash card quite quickly, so the Snort package is disabled for the embedded (NanoBSD) install.

I was all set for disappointment until I heard Carlos Perez mention on an episode of Pauldotcom Security Weekly that he was running the full, non-embedded pfSense on an Alix board (an embedded platform) by using a Microdrive (a tiny spinning hard drive in the Compact Flash Type II form factor). With that glimmer of hope, I ordered the hardware and gave it a shot myself. I'm happy to say that my home firewall is now running the full non-embedded pfSense distribution on an embedded hardware platform. The better news (for you) is that I've decided to write up a little tutorial to help others do the same.

For hardware you will need a system board, a Microdrive, an enclosure and a power supply. I chose an Alix 2D13 for my system board. It has three Ethernet interfaces and a miniPCI slot for adding Wi-Fi. You can get it as a kit with an enclosure (in black, silver, red or blue), a CF card (which will go unused in this tutorial) and a power supply from Netgate for just under $200. The Netgate enclosure is very nice; I highly recommend them. That covers everything but the Microdrive.

For the Microdrive, you will need a true CF-compatible Microdrive and a USB Compact Flash reader. This one is a little tougher. Many of the Microdrives sold through eBay and other online outlets are PATA/IDE units pulled from devices such as iPods. They share the physical layout of a CF card and will plug into a CF slot, but they only speak PATA/IDE, so they will not work as a CF card in this setup. Make sure the drive you get is a true CF device. I ordered one from Amazon for about $30, but they are starting to get rare. As for the reader, if you don't already have one, your local big-box store probably has a 12-in-1 media reader for $15 that will work.

For software, download and burn the latest version 2.0 .iso for the i386 architecture from pfSense, currently named pfSense-2.0-RC3-i386-2011062101650.iso.gz. Ignore the nanobsd images (those are the embedded builds) and the memstick image (the same installer packaged for a USB stick); you want the plain CD image.

Now for the tricky bit: the installation. Plug the Microdrive into the CF reader and make sure your regular OS can read it. Then insert the CD you burned, restart the computer and boot from the pfSense CD, which is a combined live CD and installer. Work through the installer and install pfSense to whatever device was assigned to the Microdrive. In my case it was da1 (FreeBSD names USB mass-storage devices da0, da1 and so on), so double-check the device list before confirming, because picking the wrong one will wipe your PC's own disk. I created a 500 MB swap partition and gave the rest to the root filesystem. I wasn't sure how much swap pfSense might need, so I pretty much guessed.

If the installer won't get past the interface-assignment stage because your PC doesn't have separate interfaces to hand out as LAN and WAN, tell it you want to set up VLANs and create two VLAN interfaces on the one NIC. Be prepared to reassign interfaces from the console once the drive is in the Alix, since its three NICs won't carry the same names as the PC's.

After completing the install, restart your system and boot back into pfSense off of the CD. This time, instead of choosing to install the system, choose the option to drop into a console. At this point, you will be at a standard *nix shell prompt.

The last step corrects for the fact that the Alix board will give the Microdrive a different device name than your PC did. Behind a USB reader the drive shows up as a SCSI-style da device (da1 for me); in the Alix's CF slot it sits on the ATA channel and comes up as ad0. Create a temporary directory (I did “mkdir /tmp/mount”) and mount the root partition from the Microdrive (“mount /dev/da1s1a /tmp/mount” for me). I used /tmp because most of the filesystem is read-only when running from the CD. Edit the fstab on the Microdrive (“vi /tmp/mount/etc/fstab”) and change the device names to the ad0s1a form (that's a zero after the d). My fstab listed the root and swap partitions as da1s1a and da1s1b, so I changed them to ad0s1a and ad0s1b. If you skip this, the kernel won't find the root filesystem on the Alix and will stop at the mountroot> prompt. Note that pfSense 2.0 is built on FreeBSD 8.1, where ATA disks are named ad0; later FreeBSD releases renamed them ada0, which matters if you repeat this with a newer version.
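The following shell helper is an added example and is not part of the original write-up; it performs the fstab edit above from the live-CD shell and checks the result rather than trusting a hand edit in vi. It assumes, exactly as in the walkthrough, that the drive was da1 on the install PC, will be ad0 in the Alix, and is mounted at /tmp/mount; adjust those three values if yours differ.

```sh
#!/bin/sh
# Added example, not from the original post: rewrite the fstab on the
# Microdrive so the device names match what the Alix board will use.
# Assumptions (hypothetical, taken from the walkthrough): the drive's root
# partition is mounted under /tmp/mount, it appeared as da1 on the install
# PC, and the Alix CF slot will expose it as ad0.

# fix_fstab FSTAB OLD NEW
# Rewrites only the device column of FSTAB, turning /dev/<OLD>s... into
# /dev/<NEW>s..., keeps a backup in FSTAB.orig, and fails if any reference
# to OLD survives (a missed line means a "mountroot>" prompt on the Alix).
fix_fstab() {
    fstab="$1"
    old="$2"
    new="$3"

    if [ ! -f "$fstab" ]; then
        echo "fix_fstab: $fstab not found (is the Microdrive mounted?)" >&2
        return 1
    fi

    cp "$fstab" "$fstab.orig" || return 1

    # Anchor on the start of the line so mount points, fstype and options
    # are left alone; only the device field changes.
    sed "s|^/dev/${old}s|/dev/${new}s|" "$fstab.orig" > "$fstab" || return 1

    if grep -q "/dev/${old}" "$fstab"; then
        echo "fix_fstab: leftover ${old} references in $fstab" >&2
        return 1
    fi
    return 0
}

# fstab_devices FSTAB
# Prints the device field of every real entry (comments and blank lines
# skipped), one per line, so the result can be eyeballed before pulling
# the drive.
fstab_devices() {
    awk '!/^#/ && NF >= 2 { print $1 }' "$1"
}

# Usage on the live CD, with the Microdrive mounted as in the walkthrough:
#   fix_fstab /tmp/mount/etc/fstab da1 ad0 && fstab_devices /tmp/mount/etc/fstab
#   umount /tmp/mount
```

After the rewrite, fstab_devices should list only /dev/ad0s... entries; if it still shows a da device, the sed pattern did not match the way your installer wrote the file, and the backup in fstab.orig lets you start again. Unmount the partition before shutting down so the change is actually flushed to the drive.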

Unmount the partition (“umount /tmp/mount”), shut down the system, pull the Microdrive, install it in the Alix board, and apply power. If everything goes well, after about 20 seconds the three LEDs on the front panel will do their best Cylon imitation. Once that show is over, hook a PC up to the LAN port, give it an address in the 192.168.1.x range, and you should be able to pull up the web interface at 192.168.1.1. Log in with the default admin/pfsense credentials and change that password straight away, before the WAN side is plugged into anything.

Categories: Tech
  1. kumar
    July 20, 2011 at 7:21 PM

    That's a very nice attempt. I use pfSense 1.2.3 on an old discarded PC. Just curious, did you try the LAGG functionality for link aggregation that is out in the 2.x RC releases?
    Regards
    Kumar

    • July 21, 2011 at 7:41 AM

      I haven’t used LAGG, but I’m starting to think about it. I am having some throughput and latency issues with my current provider, but it is very cheap and reliable. I’m thinking about looking for a second connection that might let me try out both another provider and the LAGG functionality.

  2. kumar
    July 21, 2011 at 7:50 AM

    Tried installing 2.0 RC in a box but couldn't get past the main menu... it ended with a "system halted" message. Trying to investigate why. Basically trying to install through the USB install method.

    • July 21, 2011 at 2:04 PM

      You mentioned you were running older hardware. Perhaps support has been dropped for some of your hardware? Maybe you can try installing to a standard IDE or SATA drive to take the USB drive out of the picture?

  3. kumar
    July 21, 2011 at 4:34 PM

    Will try your suggestion and let you know. Thanks, Kumar

  4. kumar
    July 27, 2011 at 4:24 AM

    Hi
    I am able to install to a box now with 2 NICs. It senses the WAN IP address and is able to run DHCP etc. But the web interface goes offline randomly. Guess it needs to be worked on still. I am still testing with various other NICs and newer boxes just to be sure.

    Regards
    Kumar

  5. JN
    July 27, 2011 at 5:14 PM

    Thanks for writing this. This is awesome and is exactly what I have been trying to work out: getting a pfsense device that can also do snort without having it double as an electric space heater. I have a few questions if you don’t mind:

    How is performance? The alix2d13 has 256 MB RAM according to the website, but the pfSense website seems to regard this as the absolute minimum for using Snort. Do you notice any latency, and what is your normal throughput?

    If you don’t mind, what is the specific microdrive? I’m seeing lots on ebay but I don’t know how to tell if they are “real” CF or not. And, how big was the microdrive that you used?

    Thanks

    • July 28, 2011 at 10:00 AM

      The microdrive is a Hitachi branded unit. I initially purchased a white-label unit that I suspect came out of a dead iPod and was an IDE unit, not a true CF-compatible one.

      As far as performance, I’m not having any issues, but I’m not pushing very much bandwidth through the unit at this time (less than 1 Mb/second – it is on my home network, not in a production environment).

  6. kumar
    March 10, 2012 at 11:12 PM

    Hi
    How is your box doing? I am planning to order a board without the microdrive and instead go with a regular cf card as I am not sure how I will get replacements for the drive. I work from India and even getting the parts shipped is a major hassle.

    BTW did you check out the LAGG part?

    Regards
    Kumar

    • Vasudevan
      March 26, 2012 at 8:33 AM

      Kumar, you can contact me for the board. We are supplying from India. Vasu

      • mindzen
        March 29, 2012 at 9:21 AM

        What's the price and spec? Please let me know.

      • August 26, 2012 at 12:52 AM

        Mr. Vasudevan, need more information on pfsense hardware, could you please share your contact details?

      • Vinod Gupta
        May 24, 2013 at 10:43 PM

        Hi Mr. Vasudevan,
        I am looking for the board for a long time and, as you have mentioned above, I am interested in buying one. Could you please send me some information regarding what model of board you supply and how I can obtain the board from you? Kindly contact me at vinodgupta_9yahoocoin.

        Thanks and regards

      • suresh
        September 21, 2013 at 7:09 AM

        Please send me a price at suresh@airlinkgroups.com

    • March 29, 2012 at 9:15 AM

      I am quite happy with the system. Unfortunately I haven’t found the time to dig into the LAGG functionality.

  7. CS
    April 19, 2012 at 12:05 PM

    No performance problem having Snort enabled? Really? It is interesting!
    Please give us some feedback regarding the performance.
    What about the size of the microdrive you chose? 4GB?

    • April 23, 2012 at 8:56 AM

      If you enable a reasonably large ruleset in Snort, it will eat your memory quite rapidly. My goal was not to run a full-featured Snort installation, but rather to be able to play with it. With smaller rulesets, it works. It seems the biggest hit is on the memory side, and CPU does ok. For my purposes, it gets the job done.

      I am using a 4 GB microdrive.

  8. Deepak
    January 29, 2013 at 10:50 AM

    Can I get the contact details of Mr. Vasu for supply of the Alix 2D13 in India?

  9. February 7, 2013 at 5:03 PM

    He did not respond to that query last time around. Order it through RS Electronics or Allied. They ship worldwide.

  10. mindzen
    February 7, 2013 at 5:04 PM

    Try using RS Electronics or Allied, who ship worldwide.

  11. mindzen
    February 7, 2013 at 5:05 PM

    Hi Mike, did you try a Raspberry Pi?

    • February 7, 2013 at 6:56 PM

      I do have a Raspberry Pi and am interested in projects involving it. Unfortunately it does not appear that pfSense is available on the ARM architecture at this time.

  12. February 7, 2013 at 7:37 PM

    FreeBSD doesn’t support ARM processors yet, which the Raspberry Pi runs on, so pfSense won’t run. Even if someone ports it, the single network port and no expansion slots is a letdown. The RPi is not made for this. But personally I so wish it would work.

    We run it off an instance in a VMware ESXi server with 512 MB RAM; it runs like a workhorse. Yes, when Snort is enabled on both the external and internal interface it slows down.

    Have you tried ordering Alix boards directly from the manufacturer, PC Engines? Try http://www.pcengines.ch/alix.htm . When I queried by email, they said they will ship to India. I am not sure what category Indian customs will put it under, computer peripherals or electronic components, but it will not be more than 10%. Netgate.com also ships to India, but the price is a little higher.

    I am also trying to get contact details for Mr. Vasudevan. @mpowell, would it be possible to share his email ID collected from the comment registration? I know it isn’t on par with the privacy policy, but it would help many of us and also bring good sales to him.

    • February 8, 2013 at 5:09 PM

      I don’t feel that I can post his email. I will contact you directly.

  13. Chris Ahearn
    April 12, 2013 at 3:16 PM

    My pfSense box looks like it is dying, mainly because of the old PC hardware I think. I am looking at going to an embedded platform. Does anyone know how OpenVPN will work on pfSense when running on a Netgate or something similar?

    Chris

    • April 12, 2013 at 4:07 PM

      Chris, I use OpenVPN on my system, running the Alix 2D13 board from Netgate. I only have two clients, and rarely have them both connected at the same time, but it seems to handle that without issues. I mostly perform low-bandwidth tasks over that connection (ssh, for example), but I have copied files at a rate that seemed in line with what I expect from the bandwidth available.

      • Chris Ahear
        May 1, 2013 at 5:08 PM

        Purchased the ALIX 2d3/13 kit from Netgate. LOVE IT! OpenVPN is working like a champ and I was pushing some web apps through it quite nicely. Thanks for the comments/replies. Very helpful.

      • Chris Ahearn
        May 1, 2013 at 5:10 PM

        Oh yeah. And OpenVPN is working in both tap and tun mode now that there is OpenVPN for iOS devices.

      • May 1, 2013 at 5:40 PM

        Glad to hear it works so well for you. I too am a big fan of connecting into my various networks from my mobile devices!

  14. April 26, 2013 at 9:48 AM

    When someone writes a post he/she retains the thought of a user in
    his/her mind of how a user can be aware of it. That’s why this post is amazing. Thanks!

  15. Alkyred
    May 2, 2013 at 6:22 AM

    I am looking for the correct Microdrive to replace my CF. This is what I am finding:
    Hitachi Microdrive Type II CF Card. These are even harder to find now.

    Any help in locating a few would be great.

    • May 2, 2013 at 9:22 AM

      I feel your pain. I tried several used drives only to find they actually had IDE interfaces in a CF-sized pinout, despite the seller’s claims otherwise. The only source I found was on Amazon, selling brand-new drives. It looks like they are going now.

  16. THank
    October 9, 2013 at 5:37 AM

    I have been playing around with most of the hardware listed in this post. When using the Microdrive I find that the performance of the ALIX board is just not enough. I have finally landed on a solution that works great. I have the full version of pfSense running on a FIT-PC. The FIT-PC uses Realtek NICs, which had been a problem until the latest release of pfSense, which supports these NICs. At the time of my post, I see that FIT-PC has just released a multi-LAN version of their hardware. We are using these systems for pfSense, domain controllers, and open-source email servers.

  17. pfSense Lover
    June 18, 2014 at 2:31 PM

    I’ve been running pfSense on an ALIX 2D13 and a 6 GB Hitachi Microdrive for a couple of years now. I’ve been using it with Snort and a 25 Mbit down/10 Mbit up Internet connection. No complaints, I get full speed all the time and it works great. However, after just under 2 years the Microdrive died, so I purchased a couple more. I would not use this setup in a production environment. Instead I would use a server with lots of CPU and mirrored hard drives, possibly with a hot spare, so that I could easily handle a DDoS attack and drive failures.

  18. pfSense Rocks
    October 22, 2014 at 3:07 PM

    I’ve been running an alix2d3 since about 2007 and also wanted to run Snort. Due to only 256 MB RAM, I set up 2 VLANs on the ‘dmz’ interface and connected an old laptop to it, running another copy of pfSense (full install with Snort) there. All traffic comes into the Alix WAN, out the first VLAN to the laptop, through Snort, back in the 2nd VLAN and then through to the LAN. Recently I’ve installed DD-WRT on an old WRT54G to give it VLAN capability. I plan to insert it between the Alix and the laptop so I can run multiple Wi-Fi networks (home and guests on separate VLANs) with all traffic going out via the pfSense Snort laptop. Routing is disabled on the WRT and the laptop is the gateway for all VLANs; the Alix does routing, firewall and VPN (IPsec and OpenVPN). Like others in this thread, the Alix can deliver full ADSL at 25 Mb/s no problem. pfSense rocks.
