Full pfSense on Embedded Hardware
I was up on the pfSense firewall site the other day. I was really intrigued by two features it offered. The first was the ability to run Snort directly on the firewall. The other was that it supported several embedded/small footprint platforms.
As an infosec professional, being able to run Snort at home without spinning up another machine seemed to have some obvious benefits. Running on an embedded platform also drew me in, since my home firewall had been a home license of Astaro running on relatively loud, hot, and large standard PC hardware.
It seemed like pfSense was going to be a really neat system to check out, but there was one problem. The option to run on an embedded platform isn’t compatible with running Snort. Snort generates so much write activity that it will kill an embedded system’s flash card quite quickly, so the Snort package is disabled for the embedded install.
I was all set for disappointment until I heard Carlos Perez mention on an episode of Pauldotcom Security Weekly that he was running the full non-embedded pfSense on an Alix board (an embedded platform) by using a Microdrive (basically a hard drive that plugs in to a Compact Flash interface). With that glimmer of hope, I decided to order up the hardware and give it a shot myself. I’m happy to say that my home firewall is now running the full non-embedded pfSense distribution on an embedded hardware platform. The better news (for you) is that I’ve decided to write up a little tutorial to help others do the same.
For hardware you will need a system board, a Microdrive, an enclosure and a power supply. I chose an Alix 2D13 for my system board. It has three Ethernet interfaces and a miniPCI slot to add wifi. You can get this as a kit with an enclosure (in black, silver, red or blue), CF card (which will go unused in this tutorial) and power supply from Netgate for just under $200. The Netgate enclosure is very nice. I highly recommend them. This covers everything but the Microdrive.
For the Microdrive, you will need a CF-compatible Microdrive and a USB Compact Flash reader. This one is a little tougher. Many people are selling PATA/IDE Microdrives through eBay and other online outlets. The issue with those drives is that they only use the physical layout of a CF card. Even though they will physically plug in to a CF slot, the data is transmitted using the PATA/IDE protocol. These drives are used in devices like iPods. Make sure the drive you get is a true CF Microdrive. I ordered one from Amazon for about $30, but they are starting to get rare. As for the reader, if you don’t have one already, your local big box store probably has a 12-in-1 media reader for $15 that will work.
For software, download and burn the latest version 2.0 .iso for the i386 architecture from pfSense, currently named pfSense-2.0-RC3-i386-2011062101650.iso.gz. Ignore all of the nanobsd and memstick files; those are for embedded systems.
Now for the tricky bit, the installation. Plug your Microdrive into your CF reader and make sure you can read it with your regular OS. Then insert the CD you burned, restart your computer and boot off of the pfSense CD. The pfSense CD is a combination live CD and installer. Make your way through the installer and install pfSense to whatever device is assigned to your Microdrive. In my case, it was device da1. I created a 500 MB swap partition and allocated the rest to data. I wasn’t sure how much swap pfSense might need, so I pretty much guessed.
If you have an issue where pfSense won’t get past the interface assignment stage because you don’t have separate interfaces for the LAN and WAN, tell it you want to set up VLANs and create two VLAN interfaces.
After completing the install, restart your system and boot back into pfSense off of the CD. This time, instead of choosing to install the system, choose the option to drop into a console. At this point, you will be at a standard *nix shell prompt.
The last step is to correct for the fact that the Alix system will assign a different device name to the Microdrive than your PC does. Create a temporary directory (I did “mkdir /tmp/mount”) and mount the data partition off of your Microdrive (“mount /dev/da1s1a /tmp/mount” for me). I used the /tmp directory because many directories are read-only when running from the CD. Edit the fstab file from the Microdrive (“vi /tmp/mount/etc/fstab”) and change the device names to match the format ad0s1a (that’s a zero after the d). Since I had a data and a swap partition that were listed as da1s1a and da1s1b in my fstab, I changed them to ad0s1a and ad0s1b.
Shut down the system, pull the Microdrive, install it into the Alix board, and apply power. If everything goes well, after about 20 seconds you should see the three LEDs on the front panel do their best Cylon imitation. Once that show is over, hook a PC up to the LAN port, assign an address in the 192.168.1.x range, and you should be able to pull up the web interface at 192.168.1.1.
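The fstab rewrite from the step before booting the board, as an added example that is not part of the original post: a small POSIX sh function that backs up the Microdrive’s fstab, swaps the disk name in the device column only, and refuses to finish if any old entries remain. It assumes the installer wrote da1 and the Alix board will see ad0, as in the post; the sample fstab at the bottom is constructed to match what the installer produces.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrite the disk name in a
# pfSense/FreeBSD fstab after installing to the Microdrive from another PC.
# The installer wrote /dev/da1s1a and /dev/da1s1b (the USB CF reader on the
# PC); the Alix board sees the same drive as /dev/ad0, so the entries must
# become /dev/ad0s1a and /dev/ad0s1b.
# Usage: rewrite_fstab_devices /tmp/mount/etc/fstab da1 ad0

rewrite_fstab_devices() {
    fstab="$1"; old="$2"; new="$3"
    [ -f "$fstab" ] || { echo "no such file: $fstab" >&2; return 1; }
    # Refuse to run if the file does not reference the old disk at all;
    # this guards against pointing at the live CD's own fstab by mistake.
    grep -q "^/dev/${old}s[0-9][0-9]*[a-h]" "$fstab" || {
        echo "no /dev/${old} entries in $fstab" >&2; return 1; }
    # Keep a backup beside the original so the edit can be undone.
    cp "$fstab" "$fstab.bak" || return 1
    # Only the device column at the start of a line is touched; comments,
    # mountpoints and options are left exactly as the installer wrote them.
    sed "s|^/dev/${old}\(s[0-9][0-9]*[a-h]\)|/dev/${new}\1|" \
        "$fstab.bak" > "$fstab" || return 1
    # Sanity check: nothing should still reference the old disk.
    if grep -q "^/dev/${old}s" "$fstab"; then
        echo "rewrite incomplete, restore from $fstab.bak" >&2
        return 1
    fi
    return 0
}

# Constructed sample fstab (swap on s1b, root on s1a) for a stand-alone run.
make_sample_fstab() {
    cat > "$1" <<'EOF'
# Device        Mountpoint      FStype  Options         Dump    Pass#
/dev/da1s1b     none            swap    sw              0       0
/dev/da1s1a     /               ufs     rw              1       1
EOF
}

# Demo on the constructed sample; a real run would point at the mounted
# Microdrive's /tmp/mount/etc/fstab instead of a temp file.
demo=$(mktemp) && make_sample_fstab "$demo" \
    && rewrite_fstab_devices "$demo" da1 ad0 && cat "$demo"
```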