"How to" install something other than Ubuntu (PFSense/FreeBSD)?

Stino
Stino New Member Posts: 7
I've had a few goes at trying to install a PFsense (FreeBSD based) image. (Using the Up Squared as a FW/router was the reason I backed the Kickstarter.)

I'm not totally clear on what's going on, or if it's a stripped-down BIOS that doesn't allow any other boot options.

I've tried several images with Rufus, which should have been UEFI compatible. In Shell I see the USB device has an MBR, but the BIOS doesn't recognise it as a bootable device and I can't see any files on it with LS, which is strange (I've tried different file systems like FAT32, exFAT & NTFS).

If someone knows of a howto to get me started or has some tips or pointers, I'd be grateful.

Comments

  • Mialaret
    Mialaret New Member Posts: 33
    I should get my power supply tomorrow evening and could look into it.

    In the meantime, did you enter the BIOS (DEL or whatever) to disable any potential security check?
    If so maybe try win32diskimager.
  • DCleri
    DCleri Administrator, AAEON Posts: 1,213 admin
    Hello,

    The BIOS is UEFI only.
    Rufus does not give you UEFI compatibility but it is required that your image/OS is UEFI compatible.

    As you can see from this topic (2016) PFSense 2.3 does not support UEFI: https://forum.pfsense.org/index.php?topic=111226.0
  • Andy Nicholson
    Andy Nicholson New Member Posts: 60
    I was hoping to run Unraid either from USB or the onboard storage (the setup recognizes a serial and completes so why not?) or PfSense too but it doesn't seem to work at the moment - not sure what's going on but still looking into it.
  • Stino
    Stino New Member Posts: 7
    edited June 2017
    Thanks, UEFI support is being mentioned as a feature in the Beta version PFSense 2.4.

    This half-house UEFI BIOS implementation, neither nor, is a bit weird.

    I got a little bit further with an Untangle version 13.0.0 (img image) (Debian based), this appears as a boot option in the BIOS. However boot-up claps-out (might be due to my PSU being undersized, so not representative)
  • Andy Nicholson
    Andy Nicholson New Member Posts: 60
    Just posted in another part of the forum but I guess it's relevant here too.

    What about running an ESXi hypervisor then running the pfSense in a VM on top of that?

    When I get my unit back I'm going to try this out.
  • Stino
    Stino New Member Posts: 7
    edited June 2017
    Made some progress.

    Got this BETA "installer" image: pfSense-CE-memstick-2.4.0-BETA-amd64-latest.img

    (No embedded image for this beta available yet)

    From:

    https://snapshots.pfsense.org/amd64/pfSense_master/installer/?C=M;O=D

    Which booted. Got several errors (+/- 10x): "sdhci_pci0-slot0: Controller Timeout" (seems to be a known FreeBSD bug)

    Eventually: PFSense Installer.

    As it's the "installer" image, you need to have two disks attached, one with the image above and one to install onto.

    Still testing, but seems to be working.
  • Stino
    Stino New Member Posts: 7
    @dcleri, would you have an idea why I'm getting the error above? Does it have something to do with the MME0?

    Otherwise this PFSense 2.4.0 Beta version seems pretty stable, bar the Realtek NIC chipset not working great under FreeBSD. Up2 crashes when hot swapping cables, just something to be aware of.

    Performance-wise it's not breaking a sweat yet, with blocklists, IPSEC, Proxy and antivirus/IDS installed, which is very promising.
  • Bernard
    Bernard New Member Posts: 12
    @New user
    I had a similar issue trying to install Linux firewall software on the UP Squared board from a bootable USB stick.
    See this post
    In my case, a change in the UEFI configuration helped.
    I set Boot option filter = legacy only
    Main/CRB Setup/CRB Advanced/CSMConfiguration/Boot option filter -legacy only
    Regards, bern
  • andy
    andy New Member Posts: 4
    I've been looking at this board as a PFsense solution too, nearly invested until I saw the network controllers were Realtek ones.

    Had it used something like Intel's I211-AT chips then that would've sealed the deal for me; hopefully a future SKU or board ditches the Realtek garbage.
  • Aling
    Aling Guest Posts: 561 admin
    Our maker Eric tweaked the pfSense installation a little bit.
    Soon he will share his experience about how to make pfSense on UP Squared.
    Here is a live demo at Maker Faire New York.
    https://youtu.be/bZiWFF-E0RI
  • eduncan911
    eduncan911 Administrator, Moderator Posts: 157 admin
    edited September 2017
    AlingWu wrote:
    Our maker Eric tweaked the pfSense installation a little bit.
    Soon he will share his experience about how to make pfSense on UP Squared.
    Here is a live demo at Maker Faire New York.

    Hehe, that was fun.

    A few details I didn't get to share in that video.

    pfSense 2.4+ is required because of the UP board's EFI BIOS.

    What wasn't shown yet is the bandwidth.



    Above you can see an HTTP binary download test I was performing from one UP board, through the UP^2 running pfSense, to another UP board. So not only does the UP^2 support ~900 Mbps in and out across both NICs, so do the standard UP boards as well.

    I too was concerned about the Realtek NICs but honestly, in my experience, unless you are setting up this device for 500 people, Realtek is just fine.

    I couldn't finish the OpenVPN demo in time from one UP board to another through the UP^2. But initial AES-256-CBC benchmarks look very promising for speed. I'd also like to turn on some PI and really bog down the CPU, while measuring amps from the wall, to see if I can choke the CPU. :)

    I'll try to copy-n-paste the OpenSSL AES-256-CBC performance benchmarks later in the week. It was several times faster when enabled.

    FreeBSD Drivers are pretty far behind

    From my research, FreeBSD 11 does not completely support the Intel Apollo Lake chipset. Well, the only component I found not working is the eMMC 5.0 component - aka, the onboard storage. FreeBSD 11 attempts to probe it and errors out, with the error posted earlier in this thread.

    Therefore, by proxy, pfSense does not either (pfSense 2.4 is based on FreeBSD 11. pfSense 2.5 was just announced, and it will be FreeBSD 12 sometime next year).

    For me, I'm fine with the wait as I have several spare SSDs and SATADOMs I can use in the meantime. The SATADOM does not fit the all-metal chassis though. I'll try out the plastic chassis in a bit because if it doesn't fit the plastic, I can easily Dremel-out a hole for it. LOL.

    I also just disable eMMC in the BIOS because probing and erroring takes a very long time (5+ minutes?) so that it would boot faster from the SATADOM module I had in the SATA port.

    So basically, there are a few solutions to get pfSense going asap:

    Solution 1: use your own SATA, mSATA or USB device, which I did in the video above. It was a Supermicro SATADOM SSD module that can be self-powered from supported SATADOM SATA ports (the UP^2 does not have a SATADOM SATA port - only a standard 6 Gbps/SATA3 port).

    Solution 2: Install pfSense inside of a Hypervisor that supports Intel Apollo Lake (e.g. Xen on whatever Linux kernel you have); or, install it inside VirtualBox on a full install of Ubilinux if you really want plug-n-play (at the loss of performance). Now, this comes with its own set of complications though. Most notably, does NIC offloading work with the latest Linux kernel on Xen with Realtek? I haven't been able to answer that question yet.

    I originally installed Ubilinux 4.0 RC 2 (not the 4.0 release that is out now) and tried to get Xen working. The default package wouldn't work with EFI. I did build my own Xen version on Ubilinux with EFI for the board and got it booting; but, ran out of time to fix the display issues - so I just installed pfSense on a SATADOM I had laying around. My next objective is to install the latest Ubilinux and see if the Xen package works out of the box. If not, I'll install ArchLinux and try Xen out of the box once more before moving on to compiling Xen. It's easy to compile Xen, just I'd rather write up instructions for something that is easy for people to do instead of building custom versions of Xen with custom options.

    Lastly, under pfSense and FreeBSD 11, I did confirm that the M.2 and mPCIe slots are seen and the devices I had installed in the demo are registered on FreeBSD 11/pfSense 2.4 RC's startup. I had the WiFi/Bluetooth kit for the UP^2 in the M.2 slot and the 3G modem w/SIM card in the mPCIe slot that are available from the UP Store. Unfortunately, FreeBSD 11 (and pfSense by proxy) does not have drivers for these, or any other M.2 wifi and another LTE/4G mPCIe modem I have here. I tried hacking up a COM driver for the modem; but, I couldn't find a compatible AT command set from one of the built-in ones.


    Therefore, if you want pfSense (like me!), just install it on an 8/16/32 GB SSD connected to the SATA port. Or, a SATADOM (notice some will be too tall for the UP chassis). Or a small USB stick. And whatever mPCIe devices you use, make sure to find old hardware that is supported under FreeBSD kernels. I haven't found many M.2 devices supported at all in FreeBSD 11 (at least, from what I have laying around here).

    With pfSense 2.4, they also got rid of the USB thumbstick version. For me, I went into the options and moved the /logs and /tmp folders to RAM - to spare the SSD that heartache. With that said, you can even use a cheap 8 GB USB stick and install pfSense on it - and move things to RAM so you won't kill the USB stick.

    GPIO on FreeBSD/pfSense

    The GPIO on the UP boards requires an additional kernel driver that needs to be included on compilation of the kernel itself. You can see some details on the updated wiki:

    https://up-community.org/wiki/Compile_ubilinux_kernel_from_source

    But at this time, there is no custom kernel for BSD - and therefore, no GPIO support on FreeBSD and none on pfSense by proxy either.

    I am going to dig into this after I make some progress with some HAT verifications to see if there are other options; because, frankly we all can't expect to run a custom kernel at all times - especially on Arch with its rolling releases.

    For me that's a bummer as I have a RaspBee module (see the video for it sitting on the GPIO) and several XBee devices around the house. I want to move all of this processing to the UP^2 - except my logging and metrics. I want them sent to a secure server I have with redundancy in case the pfSense gets hacked - so that the logs are archived off the machine immediately and not able to be deleted.

    Solution? There's only one for now: install Xen or another hypervisor on a Linux kernel that has a custom Ubuntu kernel available (Ubilinux, Ubuntu, Debian - if you view the github repo for instructions, ArchLinux, etc). Then you can run pfSense within Xen, and hopefully not have to disable the NIC offloading option (seems we don't have to with newer Xen versions).


    Ps, the "hacker" was simply a Go app trying to open ports TCP 22, 21, 80, 443, 1433, 3306 and UDP 53, 3478-3481, etc. with various delays between attempts. It was also running a simple nmap port scan against the firewall in a bash script loop. I didn't have it running over the weekend though as I forgot to some some code over before I left home.

    Eric Duncan - UP Evangelist - My thoughts are of my own free will

    Answered? Please remember to mark the posted answered to highlight it for future visitors!
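
The probe pattern described in the postscript above (one source trying many TCP/UDP ports with delays between attempts) can be flagged from the firewall's block log once it has been shipped to the separate log server. This is an added example, not part of the original post: the log lines are constructed, and the comma-separated filterlog field positions, the `re0` interface name and all function names are assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_line(hms, action, proto, src, dport):
    """Build one CONSTRUCTED log line in the assumed filterlog CSV layout."""
    pid = {"tcp": 6, "udp": 17}[proto]
    return (f"Sep 20 {hms} pfSense filterlog: 5,,,1000000103,re0,match,{action},"
            f"in,4,0x0,,64,0,0,DF,{pid},{proto},60,{src},192.0.2.1,40000,{dport},0")

# Constructed sample: one source walks the ports listed in the post, 8 s apart;
# a second source is blocked twice on a single port and passed once.
SAMPLE = [make_line(f"10:00:{1 + 8 * i:02d}", "block", proto, "203.0.113.7", port)
          for i, (proto, port) in enumerate(
              [("tcp", 22), ("tcp", 21), ("tcp", 80), ("tcp", 443),
               ("tcp", 1433), ("tcp", 3306), ("udp", 53)])]
SAMPLE += [make_line("10:00:05", "block", "tcp", "198.51.100.9", 443),
           make_line("10:00:30", "block", "tcp", "198.51.100.9", 443),
           make_line("10:00:40", "pass", "tcp", "198.51.100.9", 80)]
SAMPLE.sort()  # same date prefix, so a plain sort orders the lines by time

def parse_filterlog(line, year=2017):
    """Return (time, action, proto, src, dst_port), or None if not IPv4 TCP/UDP."""
    head, sep, payload = line.partition("filterlog: ")
    if not sep:
        return None
    f = next(csv.reader([payload]))
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {head[:15]}", "%Y %b %d %H:%M:%S")
    return ts, f[6], f[16], f[18], int(f[21])

def find_port_sweeps(lines, min_ports=5, window_s=60):
    """Map each source that was blocked on >= min_ports distinct ports within
    window_s seconds to the sorted (proto, port) pairs it tried."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # src -> (time, proto, port) in window
    flagged = {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec[1] != "block":
            continue
        ts, _, proto, src, port = rec
        q = recent[src]
        q.append((ts, proto, port))
        while ts - q[0][0] > window:     # drop entries older than the window
            q.popleft()
        ports = {(p, n) for _, p, n in q}
        if len(ports) >= min_ports:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE).items():
        print(src, ports)
```

Because the probes are spaced out, the window has to be longer than the delay between attempts: with `window_s=10` the same sample produces no alert.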

  • WereCatf
    WereCatf New Member Posts: 201
    Does power-management work with pfsense, like e.g. does it clock the CPU down when there's no need for it to run at full blow?
  • andy
    andy New Member Posts: 4
    I've recently built a PFSense machine from regular off-the-shelf components; the CPU information on the dashboard shows the "Current speed" as always at 3300 MHz (i.e. stock). So there doesn't appear to be any downclocking. Other parts of the dashboard are able to dynamically change so I assume if the CPU clock was constantly changing then the dashboard would dynamically show that as well.
  • WereCatf
    WereCatf New Member Posts: 201
    Ah, I see. Well, that seems stupid, IMHO. There is very rarely a need to run the CPU at 100% clockspeeds 24/7/365, one could save a lot of power with dynamic scaling. Pfsense does look interesting, though -- maybe there is a way of enabling dynamic scaling of CPU-frequency.
  • andy
    andy New Member Posts: 4
    Indeed, seems like something they should implement ASAP if it's not present already. That said, stuff like Wireless is still lacking when it comes to certain feature support too. Lack of dev time I guess.
  • eduncan911
    eduncan911 Administrator, Moderator Posts: 157 admin
    edited September 2017
    WereCatf wrote:
    Does power-management work with pfsense, like e.g. does it clock the CPU down when there's no need for it to run at full blow?

    Seems that Intel SpeedStep is detected and available for use with PowerD, yes.
    # grep -i speedstep /var/run/dmesg.boot
    est0: <Enhanced SpeedStep Frequency Control> on cpu0
    est1: <Enhanced SpeedStep Frequency Control> on cpu1
    est2: <Enhanced SpeedStep Frequency Control> on cpu2
    est3: <Enhanced SpeedStep Frequency Control> on cpu3
    
    # sysctl dev.cpu | grep freq
    dev.cpu.0.freq_levels: 1101/0 1100/0 1000/0 900/0 800/0
    dev.cpu.0.freq: 1100
    

    A few notes about this data.

    The Intel Pentium N4200 is a 1.1 GHz CPU. It can "turbo boost" to up to 2.5 GHz if certain conditions are met. Most Intel SoC CPUs with turbo are like this: low base clock, with a high turbo boost for a brief period of time.

    https://ark.intel.com/products/95592/Intel-Pentium-Processor-N4200-2M-Cache-up-to-2_5-GHz

    Under Linux and BSD kernels, this is governed by the kernels themselves. pfSense 2.4 is a branch from FreeBSD 11. Therefore, the same controls for Power are required. I had a difficult time finding the correct settings for BSD's /boot/loader.conf. In the end, I reverted everything and left it alone.

    That is the output you see above.

    Also, the
    dev.cpu.0.freq_levels: 1101/0 1100/0 1000/0 900/0 800/0
    
    bit is a reflection of the C states the CPU supports. By default, it will operate in C1 (1100 MHz) unless the operating system supports C2, C3, C5, etc - aka, "downclocking". This CPU can downclock from 1100 MHz to 800 MHz (not a major difference; but, I am sure cooler!).

    Notice the first one there though, 1101. Whenever you see the "1" suffix in these clocks, that means the CPU has Turbo enabled in the BIOS.

    The dashboard confirms this as well by showing:
    Intel(R) Pentium(R) CPU N4200 @ 1.10GHz
    Current: 1100 MHz, Max: 1101 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    

    For more information, see pfSense: https://forum.pfsense.org/index.php?topic=128821.0


    In summary, by all accounts pfSense does enable Intel's SpeedStep on the Pentium N4200 Apollo Lake of the UP Squared. Now it's all a matter of how you configure it for your needs for downclocking.

    Eric Duncan - UP Evangelist - My thoughts are of my own free will

  • andy
    andy New Member Posts: 4
    edited September 2017
    Just a heads up in response to the previous reply: I found the powerD setting and enabled it. CPU frequency is now scaling with usage (hanging around the 800 MHz-1200 MHz when idle) rather than full blown stock speed.

    Now I just got to find out how to get the CPU fan to ramp down accordingly.
  • WereCatf
    WereCatf New Member Posts: 201
    edited September 2017
    yourma2000 wrote:
    Now I just got to find out how to get the CPU fan to ramp down accordingly.

    You'll need an external circuit for that, the board doesn't have the circuitry to control the fan. You could use e.g. a thermistor or a thermal switch (e.g. eBay-link) to adjust fan-speed in a passive way, or you could use a transistor or MOSFET connected to the PWM-pin. I made a custom HAT for myself for this purpose.
  • eduncan911
    eduncan911 Administrator, Moderator Posts: 157 admin
    WereCatf wrote:
    yourma2000 wrote:
    Now I just got to find out how to get the CPU fan to ramp down accordingly.

    You'll need an external circuit for that, the board doesn't have the circuitry to control the fan. You could use e.g. a thermistor or a thermal switch (e.g. eBay-link) to adjust fan-speed in a passive way, or you could use a transistor or MOSFET connected to the PWM-pin. I made a custom HAT for myself for this purpose.

    One could add a thermistor in a small circuit to measure the heatsink's temp and switch the fan on and off. There is no shortage of links. For example:

    https://www.youtube.com/watch?v=2dx6udCz30s

    https://www.google.com/search?q=build+a+thermistor+transistor+switch+for+fan&num=50&safe=active&tbm=isch&tbo=u&source=univ&sa=X&ved=0ahUKEwiEvdbtmt3WAhVm6oMKHWj_AOUQsAQIMA&biw=1536&bih=882

    Eric Duncan - UP Evangelist - My thoughts are of my own free will