Recently I got my hands on a Monowall Appliance box that’s basically a PC Engines ALIX2 series board with the matching PC Engines case. In my case specifically is a “alix2d13“. This is a small board featuring 3 network ports with a AMD Geode CPU which makes a perfect small home router device. This post will explain how to install OPNSense (a fork of pfSense) on the device. We’ll use OPNSense as it has a way better and much more clear interface (based on Bootstrap) which makes managing the appliance so much easier and more intuitive with almost the same extensive options that pfSense offers.
Specifications:
The specifications for the device are as follows:
CPU: AMD Geode LX800 running at 500MHz (32-bit)
RAM: 256MB DDR
LAN: 3x VIA VT6105M 10/100 RJ-45
USB: 2x USB2 connectors
HDD: Internal CF-card slot
Other: Has serial port for management and installation. Has a free internal USB, I2C, COM and LPC header on-board. Also has a mini-PCI connector for Wi-Fi cards.
A picture of the PCB can be found here.
Prerequisites:
For this post to complete you’ll need some tools and cables, like:
– A compactflash card and capable reader. For the OPNSense image we are using a 4GB CF card is a minimum requirement.
– The OPNsense image. You can download the correct image from this location and will need the nano-i386 version (this is a pre-installed image).
– 2 network cables. One for the LAN and one for the WAN-part.
Connect a network cable to the middle network port as this is the WAN-port to a switch/modem that is able to deliver internet to the device (for updates etc). Connect the 2nd cable to the left port (as seen from the device facing forwards) and connect it to a normal switch or regular PC for managing the Webgui.
Optional:
– A DB-9 serial cable. For communicating with the OPNSense installation a serial cable is needed (not perse). Anything from DB-9 to whatever serial device you have may work. I assume a DB-9 to DB-9 cable will work if you have a PC with a DB-9 connector
Writing the image to the CF-card:
After you’ve downloaded the nano-i386 image we need to extract it, in my case this was:
bzip2 -d OPNsense-16.1-OpenSSL-nano-i386.img.bz2
Now connect your CF-card to your cardreader and look up the device name. On my reader it was the next disk in line: /dev/sdb
We have to write the image using the commandline to the CF-card:
dd if=OPNsense-16.1-OpenSSL-nano-i386.img of=/dev/sdb bs=1M
This may take several minutes to complete and nearly took 10 minutes on my old CF-card. After it’s done writing the image, eject it.
Place the CF-card in your appliance:
Now you have to open up the appliance to install the newly created CF-card. Remove the 2 screws on both sides and lift up the cover. Now remove the 4 screws of the PCB in every corner and lift the mainboard facing the front side up. Remove any installed CF-card and insert the new one. Place the PCB back in it’s casing and place back the screws in the corners. You may also put back the cover and screw the housing screws back again.
Optional: Connect the serial cable:
You may want to connect a serial cable to the appliance in order to see the boot process and be able to log in using the local console. A note on the baud settings for the device is:
BIOS mode: 38400 8N1
Bootloader mode: 9600 8N1
OPNSense/OS mode: 115200 8N1
My best experience was using minicom (freely available) and defaulting the serial settings to 115200 8N1. After that you can change the serial port setup to 9600 8N1 for just that session. If you’ve set this up power up the appliance and some junk (because of a different baudrate of the bios) and soon a bootloader menu will appear with 2 options. Both are OPNSense but I noticed that the default “1” won’t boot on my box and had to choose “2” and press enter. Some junk will appear again. After about 30 seconds exit minicom (Control + A -> Q) and reopen minicom again and press enter. A spinning cursor should appear stating that the device is now actually booting!
The console for booting will look something like below (like was on my box):
data=0x787de8+0x190b08 syms=[0x4+0xfbcc0+0x4+0x19395f]
Booting...
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2015 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.2-RELEASE-p11 #0 82ad3de(stable/16.1): Thu Jan 28 12:52:30 CET 2016
root@sensey32:/usr/obj/usr/src/sys/SMP i386
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
CPU: Geode(TM) Integrated Processor by AMD PCS (498.06-MHz 586-class CPU)
Origin="AuthenticAMD" Id=0x5a2 Family=0x5 Model=0xa Stepping=2
Features=0x88a93d
AMD Features=0xc0400000
real memory = 268435456 (256 MB)
avail memory = 226594816 (216 MB)
pnpbios: Bad PnP BIOS data checksum
random device not loaded; using insecure entropy
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc080aaa0, 0) error 1
wlan: mac acl policy registered
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc080a940, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc080a9f0, 0) error 1
netmap: loaded module
random:
kbd0 at kbdmux0
module_register_init: MOD_LOAD (vesa, 0xc11d4a10, 0) error 19
K6-family MTRR support enabled (2 registers)
ACPI BIOS Error (bug): A valid RSDP was not found (20150515/tbxfroot-258)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0:
padlock0: No ACE support.
pcib0 pcibus 0 on motherboard
pci0:
pci0:
vr0:
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0:
ukphy0:
ukphy0: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr0: Ethernet address: 00:0d:b9:1d:36:c4
vr1:
vr1: Quirks: 0x2
vr1: Revision: 0x96
miibus1:
ukphy1:
ukphy1: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr1: Ethernet address: 00:0d:b9:1d:36:c5
vr2:
vr2: Quirks: 0x2
vr2: Revision: 0x96
miibus2:
ukphy2:
ukphy2: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr2: Ethernet address: 00:0d:b9:1d:36:c6
isab0:
isa0:
atapci0:
ata0:
ata1:
ohci0:
usbus0 on ohci0
ehci0:
usbus1: EHCI version 1.0
usbus1 on ehci0
cpu0 on motherboard
pmtimer0 on isa0
orm0:
atrtc0:
Event timer "RTC" frequency 32768 Hz quality 0
attimer0:
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
ppc0: parallel port not found.
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1:
uhub0:
ugen1.1:
uhub1:
ada0 at ata0 bus 0 scbus0 target 0 lun 0
ada0:
ada0: Serial Number 7DF70706170700203379
ada0: 100.000MB/s transfers (UDMA5, PIO 512bytes)
ada0: 3811MB (7806960 512 byte sectors: 16H 63S/T 7745C)
ada0: Previously was known as ad0
GEOM_PART: integrity check failed (ada0, MBR)
GEOM_PART: integrity check failed (diskid/DISK-7DF70706170700203379, MBR)
random: unblocking device.
Timecounter "TSC" frequency 498061374 Hz quality 800
Root mount waiting for: usbus1 usbus0
uhub0: 4 ports with 4 removable, self powered
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ufs/OPNsense0 [rw,async,noatime]...
WARNING: /tmp/nanobsd.94731 was not properly dismounted
Mounting filesystems...
tunefs: soft updates remains unchanged as enabled
GEOM_PART: integrity check failed (diskid/DISK-7DF70706170700203379, MBR)
tunefs: file system reloaded
camcontrol: subcommand "identify" requires a valid device identifier
WARNING: /tmp/nanobsd.94731 was not properly dismounted
ldconfig: Cannot mmap "/var/run/ld-elf.so.hints": Invalid argument
Updating motd:.
Configuring crash dump device: /dev/null
Setting up memory disks...done.
..ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/libnet11
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
done.
Starting configd.
Launching the init system... done.
Initializing................... done.
Starting device manager (devd)...done.
Loading configuration...done.
Setting up extended sysctls...done.
Setting timezone...done.
Configuring loopback interface...done.
Starting syslog...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Configuring firewall.....done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting DNS forwarder...done.
Starting NTP time client...done.
Starting DHCP service...done.
Starting DHCPv6 service...done.
Configuring firewall.....done.
Generating RRD graphs...done.
Starting syslog...done.
Starting CRON... done.
*** Welcome to OPNsense 16.1 (i386/OpenSSL) on OPNsense ***
WAN (vr1) -> v4/DHCP4: 10.90.90.140/24
LAN (vr0) -> v4: 192.168.1.1/24
FreeBSD/i386 (OPNsense.localdomain) (ttyu0)
login:
You may login with username “root” and password “opnsense”. If you succeed a menu will be showed:
FreeBSD 10.2-RELEASE-p11 (SMP) #0 82ad3de(stable/16.1): Thu Jan 28 12:52:30 CET 2016
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
0) Logout 7) Ping host
1) Assign Interfaces 8) Shell
2) Set interface(s) IP address 9) pfTop
3) Reset the root password 10) Filter Logs
4) Reset to factory defaults 11) Restart web interface
5) Halt system 12) Upgrade from console
6) Reboot system 13) Restore a configuration
Enter an option:
It’s best to change the root password first by selecting option 8 and issue “passwd”. Enter the new password twice and press Control + D to exit to the menu.
Now we want to update the software to make sure the firewall is up-to-date choose option 12:
Enter an option: 12
This will automatically fetch all available updates, apply them,
and reboot if necessary. Proceed with this action? [y/N]: y
Updating OPNsense repository catalogue...
Fetching meta.txz: 100% 1 KiB 1.5kB/s 00:01
Fetching packagesite.txz: 100% 69 KiB 70.7kB/s 00:01
Processing entries: 100%
OPNsense repository update completed. 233 packages processed.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pkg: 1.6.2 -> 1.6.4_2
The process will require 15 KiB more space.
2 MiB to be downloaded.
Fetching pkg-1.6.4_2.txz: 100% 2 MiB 2.5MB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.6.2 to 1.6.4_2...
[1/1] Extracting pkg-1.6.4_2: 100%
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (91 candidates): 100%
Processing candidates (91 candidates): 100%
The following 67 package(s) will be affected (of 0 checked):
A long list of updates will be applied and may take up to 2 hours to complete (on my box). The device will reboot once the update has finished as there is a kernel update applied as well. After that reboot the firewall is up-to-date and the console is not needed anymore.
Updates may also be applied using the web interface and are not bound to the console!
Connecting to the Webgui:
If you’ve connected a network cable to the left port and into a regular PC you should have gotten a DHCP address from the OPNSense box and should be able to browse to “https://192.168.1.1”. The credentials by default are “root” for the username and “opnsense” for the password. The GUI is based on bootstrap and is very responsive and intuitive to use. Screenshots can be found here.
You’ll start the setup wizard if you log in for the first time, it’s best to walk through the steps so you can choose a password, hostname etcetera, this part is done in 2 minutes at most.
Updating using the WebGUI:
If you log in you’ll be left at the Dashboard which gives a small overview on the network status and from there you can check for updates as well. If updates are found you’ll see it there and may click on the link that will appear to update. Mostly it’s first “pkg” whereafter you need to check for updates again as there will be a longer list available. Apply the updates using the “Apply updates” button. You may check the live status for the upgrade in your browser but you may not close the tab or go to a different part of the interface as the update will halt!
Now that updating is finished the appliance is up-to-date and may be used to set up the firewall further.
There are a lot of possibilities with this image as it comes with built-in VPN server support etcetera. One of the nice features is that it can use the cryptoengine that is present in the Geode LX processors. If you login on the Web GUI you may go to “General” -> “Settings” to select the cryptoengine in the dropdown menu for this Geode CPU. The only cipher it accelerates is AES-128CBC and offers a true RNG device for hardware number generating. The cryptoengine can then be used for the OpenVPN server setup if you let it communicate using the AES-128CBC cipher and will decrease the load on the CPU significantly.
