Creating a Firewall/Router with pfSense Embedded on an ALIX.2D3 Board


pfSense Embedded on an ALIX.2D3 Board

Detailed instructions for setting up a firewall/router with pfSense and the PCEngines ALIX 2D3 product.


Getting Started

Initial Hardware Assembly

Assembling the ALIX board into the case is pretty simple, so here are some photos for the less hardware inclined. It should take about 10 minutes (possibly considerably less) to assemble the system.

Note

This board only has a serial interface for the console. There are no video or keyboard interfaces. BIOS setup and all initial communication require a terminal emulator and null modem cable.

images_hardware/ALIX_case.jpg

Figure 1. ALIX 2D3 case – black

images_hardware/ALIX_case_hw.jpg

Figure 2. Case hardware bag

images_hardware/ALIX_case_hw_expanded.jpg

Figure 3. Contents of hardware bag

images_hardware/ALIX_case_bottom.jpg

Figure 4. Case bottom half

images_hardware/ALIX_board.jpg

Figure 5. ALIX Board

Before you can mount the board, you will need to remove the screws from the serial port on the board. They will be replaced after the board is mounted.

images_hardware/ALIX_serial_port.jpg

Figure 6. ALIX Board serial port

Place the board in the case bottom, lining up the mounting holes. You will need to slide the serial port and LAN headers into the holes in the case, so raise the board a little to allow it to slide in.

images_hardware/ALIX_in_case.jpg

Figure 7. ALIX Board in case

Attach the board to the case with the four small brass screws.

images_hardware/ALIX_mounting_screw.jpg

Figure 8. ALIX Mounting screw example

Now put the serial port screws back in. You will want them to keep the serial cable from falling out.

images_hardware/ALIX_serial_port_screws.jpg

Figure 9. ALIX Board serial port screws

images_hardware/ALIX_serial_port_screws_2.jpg

Figure 10. ALIX Board serial port screws replaced

Installing the Image

You will need a CF reader. I’m assuming there is not one built in to your computer, so you need to get a USB external CF reader. Any generic multi-reader should suffice. One of mine looks like this:

images_hardware/CF_card_and_reader.jpg

Figure 11. IOGEAR USB multi-card reader/writer

Just connect it and put your CF card in the unit.

images_hardware/CF_card_in_reader.jpg

Figure 12. CF card in the reader/writer

Assuming you have an industrial CF card with a 4GB capacity, download the image from here: i386 4GB pfSense image. I happen to use a Mac, so this is for a Unix-like system. If you need more information on dumping the image, the pfSense site has a tutorial for you.

4GB CF card written on a Mac

root# gzcat pfSense-2.1-RELEASE-4g-i386-nanobsd.img.gz | dd of=/dev/disk5 bs=16k
243528+1 records in
243528+1 records out
3989970432 bytes transferred in 843.781840 secs (4728675 bytes/sec)
root#

If you do not have a Unix-type computer system, then there is a Windows option. You can use physdiskwrite, located at the M0n0wall site.
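The dd step writes whatever was downloaded, and the firewall will boot and trust that image. The following is an added example, not part of the original article: it checks the compressed image against a published SHA-256 digest before writing, then reads the card back and compares it with the image. The digest is not given on this page, so it is passed in as an argument (take it from the download site's checksum file); the function names are illustrative and `gzip -dc` is used in place of `gzcat`.

```shell
#!/bin/sh
# Added example: verify the pfSense image before and after writing it.
# Usage: sh verify_image.sh IMAGE_GZ EXPECTED_SHA256 TARGET_DEVICE
#   IMAGE_GZ        e.g. pfSense-2.1-RELEASE-4g-i386-nanobsd.img.gz
#   EXPECTED_SHA256 digest published with the download (not on this page)
#   TARGET_DEVICE   the CF card, e.g. /dev/disk5 in the session above

# Print the SHA-256 of the given file, or of stdin when no file is given.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@" | awk '{print $1}'
    else
        shasum -a 256 "$@" | awk '{print $1}'    # macOS
    fi
}

# verify_download IMAGE_GZ EXPECTED_HEX
# Succeeds only if the compressed image matches the published digest.
# A missing or unreadable file yields an empty digest and therefore fails.
verify_download() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# write_and_verify IMAGE_GZ TARGET
# Writes the decompressed image to TARGET, then reads back exactly as many
# bytes as the image holds and compares digests, so a short write or a bad
# card is caught before the board is booted from it. On a real card,
# re-insert it before trusting the read-back, so the data comes from the
# card and not from the operating system's cache.
write_and_verify() {
    img=$1; target=$2
    size=$(gzip -dc "$img" | wc -c | tr -d ' ')
    want=$(gzip -dc "$img" | sha256_of)
    gzip -dc "$img" | dd of="$target" bs=16k conv=notrunc 2>/dev/null || return 1
    sync
    got=$(head -c "$size" "$target" | sha256_of)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" || { echo "digest mismatch: not writing" >&2; exit 1; }
    write_and_verify "$1" "$3" || { echo "read-back differs from image" >&2; exit 1; }
    echo "image verified and written to $3"
fi
```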

CF Card Installation

OK, now you need to install the CF card. The location is fairly obvious, but just in case…

images_hardware/ALIX_CF_slot.jpg

Figure 13. CF card location

At this point, it should look like this.

images_hardware/CF_card_in_ALIX.jpg

Figure 14. ALIX Board with CF card

Testing Before Final Assembly

Now that everything is ready, it is time to do an initial boot and make sure it is all working and ready for configuration.

You will need your console cable and power adapter at this point. Start your terminal emulation software and plug in your console cable first, then your power cable. (You may already have a terminal emulator; if you need one, I use ZOC on my MacBook with a serial-to-USB cable, and you can use PuTTY on Windows.)

images_hardware/console_cable_and_power.jpg

Figure 15. Serial and power attached

The initial setup requires a speed of 38400-8-N-1. You will need to change this to 9600 for the pfSense boot. While you are in setup mode, ensure that the hard disk is type C,

Here is an example of the console as it boots for the first time:

Initial power up

[SERIAL/DIRECT] CONNECTED TO PORT /dev/cu.usbserial (38400-8N1)

PC Engines ALIX.2 v0.99h      <1>
640 KB Base Memory
261120 KB Extended Memory
  1. Check the firmware revision here.

Note

If the ALIX board does not have revision 0.99h, you will need to update the BIOS. The instructions are here: ALIX BIOS Update 

While the memory is being tested, type an “s” character to go into BIOS setup mode and then type a “9” to set the baud rate.

PC Engines ALIX.
2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 4GB
Phys C/H/S 7785/16/63 Log C/H/S 973/128/63

BIOS setup:

(9) 9600 baud (2) 19200 baud *3* 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

*9* 9600 baud (2) 19200 baud (3) 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

Save changes Y/N ?
Writing setup to flash... OK
xÇxÇÇxÇxÇÇÇxÇxÇxÇxÇÇÇÇÇÇÇxxÇxÇxÇxÇÇÇÇÇxÇÇÇxÇxÇÇxÇxÇxÇÇxxÇxxxÇxÇÇÇÇÇÇxÇÇxÇÇÇ
ÇxÇÇxÇÇÇÇÇxÇÇÇxÇxÇÇÇÇxÇÇÇxÇÇÇxxÇÇÇÇÇÇÇxxÇxÇÇÇÇÇÇÇÇxxÇÇÇÇÇÇÇxxÇÇÇÇÇÇÇÇÇÇxxÇÇÇÇÇÇÇxÇÇÇxxÇÇxÇÇÇÇÇÇxxÇxÇx
ÇxÇÇÇxÇÇÇxÇxÇxÇÇÇÇxÇÇÇÇÇÇÇÇÇxÇÇÇÇxÇÇÇÇÇÇÇÇÇÇxÇÇÇÇÇxÇxÇÇÇÇÇÇxÇÇxxÇÇÇxÇÇÇxÇxÇxÇÇxxÇxxÇxÇxÇÇ
ÇÇxÇxÇxÇÇÇÇÇÇÇxÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇxÇxxxÇÇxÇxÇxÇÇÇÇxÇxxÇÇÇxÇÇÇÇÇ
ÇÇÇxÇxÇxÇxÇÇÇÇxxÇÇÇÇÇxÇÇÇÇxÇxxÇxxÇÇÇxÇxÇxxÇxxÇxxxÇxÇÇÇÇÇxÇxÇxxÇxxÇxxxÇxÇxÇxÇÇxxxxÇxÇxxxxÇÇÇxÇÇ
xÇxxxxxxxxxxxxxxxxxÇxxxxxxxxÇxÇxÇxÇÇxxxÇx

You will get garbage characters at this point. Change the baud rate of your terminal client to 9600-8-N-1.

Closing the case

Now that you are satisfied, you can power off the unit and close the case. Use the remaining four screws to go into the sides of the box. There is one final item to take care of – the antenna holes. (This unit can also do WiFi if you add a WiFi card to the expansion slot. To assist, there are pre-drilled antenna holes on the front of the chassis.)

images_hardware/ALIX_antenna_holes.jpg

Figure 16. ALIX case antenna holes

As we will not be using them, you can fill the holes with the provided rubber plugs.

images_hardware/ALIX_antenna_hole_plug.jpg

Figure 17. ALIX case antenna hole and plug

Now that we are fully assembled, you should have something like the following images.

images_hardware/assembled_case_1.jpg

Figure 18. System Assembled – top front view

images_hardware/assembled_case_2.jpg

Figure 19. System Assembled – top diagonal view

Optional: Wall mounting the unit

The unit has a wall mount option for the case. It is just two steel bars with holes drilled to match the holes at the bottom of the case. If you have not ordered yet, you can spend the couple of dollars and get them. If you want to roll your own, feel free.

images_hardware/wall_mount.jpg

Figure 20. Wall mounting kit

As you can see, it is a pretty basic configuration. Just line up the holes with the screw holes in the base. The countersunk side should be up.

images_hardware/ALIX_with_wall_mount_hw.jpg

Figure 21. Location for the wall mount kit


Software Configuration

Once you have the system installed and the serial port configured, you need to actually configure the system. This is a quick run through the options so that you can get to using the web interface. In this example, I ensure that the OS is reset to factory defaults, that the WAN interface gets its address via DHCP, that the internal LAN has a static address and serves addresses to the internal network, and that the unit uses the default rules for most things. This can all be changed later, but it provides a functional and sufficiently secure start so that you can use your internet connection.

Configuring the system for web access

Make sure you are back in your terminal emulator and power up the system. If you did not correct the baud rate, you will see something like the following on your screen:

Incorrect baud rate after initial install

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 4GB
Phys C/H/S 7785/16/63 Log C/H/S 973/128/63
xÇxxÇÇÇxÇxÇxxÇxxÇxxxÇxÇÇÇÇÇxÇxÇxxÇxxÇxxxÇxÇxÇxÇÇxxxxÇxÇxxxxÇÇÇxÇÇxÇxxxxxxxxxxxxxxxxxÇxxxxxxxxÇxÇxÇx
ÇÇxxxÇxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxÇxx
xxxÇxÇÇÇxxxÇxÇxxxÇxxÇxxÇÇxÇxÇxÇÇxÇxÇxÇÇxÇxÇxxxxÇxÇÇxxÇxÇÇxÇxÇxxxÇxÇxÇxÇÇxÇxÇxÇÇÇÇÇxxxxÇÇÇÇÇxÇxÇÇÇÇÇxxxÇxx
xxÇxxxxxxxÇxxxxxxÇxÇxÇxxÇxÇxÇxxxxxxÇxxxxÇÇÇÇÇxxxxÇxxÇxxxÇxxxÇxxxÇxxÇÇÇxxÇxxÇxÇxÇxxxÇxÇÇxxÇxÇxxÇÇxxx
xxÇxxxxÇxxxxÇxxÇxÇÇxxxxÇÇÇÇÇÇxÇxxxÇxxÇxxxÇxÇxxxÇxÇxxxxÇxxxxxÇxÇxxÇxxxxÇxÇÇxxÇxxÇxÇxÇÇxÇÇÇÇxÇxÇÇÇÇxÇÇxxx
xxÇÇÇÇÇxÇÇÇxxxÇxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxÇxxx
ÇxÇxxÇxÇxÇxxxxxÇxxxÇxxxxxxÇxxxxxÇxxxÇxxxxxÇxÇxÇxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Fix the baud rate and try again. You should see something more in line with the following:

Full system boot

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 4GB
Phys C/H/S 7785/16/63 Log C/H/S 973/128/63

1  pfSense
2  pfSense

F6 PXE
Boot:  1
/boot/config: -h
Consoles: serial port
BIOS drive C: is disk0
BIOS 640kB/261120kB available memory

FreeBSD/x86 bootstrap loader, Revision 1.1
(root@snapshots-8_3-i386.builders.pfsense.org, Wed Sep 11 18:59:49 EDT 2013)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel data=0x9162bc data=0x51d734+0x9e0c4 syms=[0x4+0x9aa90+0x4+0xd51ab]
-
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...
Copyright (c) 1992-2012 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013
    root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Geode(TM) Integrated Processor by AMD PCS (498.05-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
  Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
  AMD Features=0xc0400000<MMX+,3DNow!+,3DNow!>
real memory  = 268435456 (256 MB)
avail memory = 239239168 (228 MB)
pnpbios: Bad PnP BIOS data checksum
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc07330f0, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc0733190, 0) error 1
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc0733230, 0) error 1
wlan: mac acl policy registered
K6-family MTRR support enabled (2 registers)
ACPI Error: A valid RSDP was not found (20101013/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0: <software crypto> on motherboard
padlock0: No ACE support.
pcib0: <Host to PCI bridge> pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
Geode LX: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007
pci0: <encrypt/decrypt, entertainment crypto> at device 1.2 (no driver attached)
vr0: <VIA VT6105M Rhine III 10/100BaseTX> port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: <MII bus> on vr0
ukphy0: <Generic IEEE 802.3u media interface> PHY 1 on miibus0
ukphy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr0: [ITHREAD]
vr1: <VIA VT6105M Rhine III 10/100BaseTX> port 0x1400-0x14ff mem 0xe0040000-0xe00400ff irq 11 at device 10.0 on pci0
vr1: Quirks: 0x2
vr1: Revision: 0x96
miibus1: <MII bus> on vr1
ukphy1: <Generic IEEE 802.3u media interface> PHY 1 on miibus1
ukphy1:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr1: [ITHREAD]
vr2: <VIA VT6105M Rhine III 10/100BaseTX> port 0x1800-0x18ff mem 0xe0080000-0xe00800ff irq 15 at device 11.0 on pci0
vr2: Quirks: 0x2
vr2: Revision: 0x96
miibus2: <MII bus> on vr2
ukphy2: <Generic IEEE 802.3u media interface> PHY 1 on miibus2
ukphy2:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr2: [ITHREAD]
isab0: <PCI-ISA bridge> port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <AMD CS5536 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: <ATA channel> at channel 0 on atapci0
ata0: [ITHREAD]
ata1: <ATA channel> at channel 1 on atapci0
ata1: [ITHREAD]
ohci0: <OHCI (generic) USB controller> mem 0xefffe000-0xefffefff irq 12 at device 15.4 on pci0
ohci0: [ITHREAD]
usbus0: <OHCI (generic) USB controller> on ohci0
ehci0: <AMD CS5536 (Geode) USB 2.0 controller> mem 0xefffd000-0xefffdfff irq 12 at device 15.5 on pci0
ehci0: [ITHREAD]
usbus1: EHCI version 1.0
usbus1: <AMD CS5536 (Geode) USB 2.0 controller> on ehci0
cpu0 on motherboard
orm0: <ISA Option ROM> at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0
atrtc0: <AT Real Time Clock> at port 0x70 irq 8 on isa0
ppc0: parallel port not found.
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
uart1: [FILTER]
RTC BIOS diagnostic error 80<clock_battery>
Timecounter "TSC" frequency 498052662 Hz quality 800
Timecounters tick every 10.000 msec
IPsec: Initialized Security Association Processing.
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: <AMD> at usbus0
uhub0: <AMD OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ugen1.1: <AMD> at usbus1
uhub1: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
ad0: 3831MB <CF 4GB 20110221> at ata0-master PIO4
Root mount waiting for: usbus1 usbus0
uhub0: 4 ports with 4 removable, self powered
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ufs/pfsense0
Configuring crash dumps...
Mounting filesystems...
Setting up memory disks... done.
Disabling APM on /dev/ad0

     ___
 ___/ f \
/ p \___/ Sense
\___/   \
    \___/

Welcome to pfSense 2.1-RELEASE  ...

Creating symlinks......done.
>>> Under 512 megabytes of ram detected.  Not enabling APC.
External config loader 1.0 is now starting... ad0s3
Launching the init system... done.
Initializing............................. done.
Starting device manager (devd)...done.
Loading configuration......done.
Updating configuration...done.
Cleaning backup cache....done.
Setting up extended sysctls...done.
Setting timezone...done.
Configuring loopback interface...done.
Starting syslog...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting DNS forwarder...done.
Starting NTP time client...done.
Starting DHCP service...done.
Starting DHCPv6 service...done.
Configuring firewall......done.
Generating RRD graphs...done.
Starting syslog...done.
Starting CRON... done.
Bootup complete

FreeBSD/i386 (pfSense.localdomain) (console)

*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on pfSense ***

 WAN (wan)       -> vr1        ->
 LAN (lan)       -> vr0        -> v4: 192.168.1.1/24

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Enable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option:

It is very detailed, but it provides a lot of information for debugging any issues. In pretty much all cases, you can ignore the barrage of information. You are interested in the last portion, the console menu.

Console menu

FreeBSD/i386 (gateway.internal) (console)

*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on gateway ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.99.1/24
 DMZ (opt1)      -> vr2        -> v4: 192.168.98.1/24

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option:

We are getting close. You want to reset to factory defaults to make sure the system provides a functional working service before you decide to strike out on your own. At the prompt, type a 4 and press Enter. You will reboot after this.

Reset to factory defaults

FreeBSD/i386 (gateway.internal) (console)

*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on gateway ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.99.1/24
 DMZ (opt1)      -> vr2        -> v4: 192.168.98.1/24

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option: 4


You are about to reset the firewall to factory defaults.
The firewall will reboot after resetting the configuration.

Do you want to proceed [y|n]?y

pfSense is rebooting now.

*** FINAL System shutdown message from root@gateway.internal ***

System going down IMMEDIATELY


*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on gateway ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.99.1/24
 DMZ (opt1)      -> vr2        -> v4: 192.168.98.1/24

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option:
pfSense is now shutting down ...

Dec 31 19:06:16 lighttpd[29214]: (server.c.1546) server stopped by UID = 0 PID =Waiting (max 60 seconds) for system process
 `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 done
All buffers synced.
Uptime: 5m54s
vr0: vr_stop: Rx shutdown error
usbus0: Controller shutdown
uhub0: at usbus0, port 1, addr 1 (disconnected)
usbus0: Controller shutdown complete
usbus1: Controller shutdown
uhub1: at usbus1, port 1, addr 1 (disconnected)
usbus1: Controller shutdown complete
Rebooting...
PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 4GB
Phys C/H/S 7785/16/63 Log C/H/S 973/128/63

1  pfSense
2  pfSense

F6 PXE
Boot:  1
/boot/config: -h
Consoles: serial port
BIOS drive C: is disk0
BIOS 640kB/261120kB available memory

FreeBSD/x86 bootstrap loader, Revision 1.1
         .
         .
  lots of messages
         .
         .
Trying to mount root from ufs:/dev/ufs/pfsense0
Configuring crash dumps...
Mounting filesystems...
Setting up memory disks... done.
Disabling APM on /dev/ad0

     ___
 ___/ f \
/ p \___/ Sense
\___/   \
    \___/

Welcome to pfSense 2.1-RELEASE  ...

Creating symlinks......done.
         .
         .
  lots more messages
         .
         .
Configuring firewall......done.
Generating RRD graphs...done.
Starting syslog...done.
Starting CRON... done.
Bootup complete

Now you need to configure your interfaces. Select 1 and press Enter. The next part is a walkthrough. Follow it and you will be ready for the web configuration.

Configuration walkthrough

FreeBSD/i386 (pfSense.localdomain) (console)

*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on pfSense ***

 WAN (wan)       -> vr1        ->
 LAN (lan)       -> vr0        -> v4: 192.168.1.1/24

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Enable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option: 1


Valid interfaces are:

vr0   00:0d:b9:23:5f:38   (up) VIA VT6105M Rhine III 10/100BaseTX
vr1   00:0d:b9:23:5f:39   (up) VIA VT6105M Rhine III 10/100BaseTX
vr2   00:0d:b9:23:5f:3a (down) VIA VT6105M Rhine III 10/100BaseTX

Do you want to set up VLANs first?

If you are not going to use VLANs, or only for optional interfaces, you should
say no here and use the webConfigurator to configure VLANs later, if required.

Do you want to set up VLANs now [y|n]? n

*NOTE*  pfSense requires *AT LEAST* 1 assigned interface(s) to function.
        If you do not have *AT LEAST* 1 interfaces you CANNOT continue.

        If you do not have at least 1 *REAL* network interface card(s)
        or one interface with multiple VLANs then pfSense
        *WILL NOT* function correctly.

If you do not know the names of your interfaces, you may choose to use
auto-detection. In that case, disconnect all interfaces now before
hitting 'a' to initiate auto detection.

Enter the WAN interface name or 'a' for auto-detection: vr0

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished): vr1

Enter the Optional 1 interface name or 'a' for auto-detection
(or nothing if finished): vr2

Enter the Optional 2 interface name or 'a' for auto-detection
(or nothing if finished):

The interfaces will be assigned as follows:

WAN  -> vr0
LAN  -> vr1
OPT1 -> vr2

Do you want to proceed [y|n]?y

Writing configuration...done.
One moment while we reload the settings... done!
*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on pfSense ***

 WAN (wan)       -> vr0        ->
 LAN (lan)       -> vr1        -> v4: 192.168.1.1/24
 OPT1 (opt1)     -> vr2        ->

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Enable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option: 2

Available interfaces:

1 - WAN (vr0 - dhcp, dhcp6)
2 - LAN (vr1 - static)
3 - OPT1 (vr2)

Enter the number of the interface you wish to configure: 1
Configure IPv4 address WAN interface via DHCP?  [y|n]
> y
Configure IPv6 address WAN interface via DHCP6?  [y|n]
> n

Enter the new WAN IPv6 address.  Press <ENTER> for none:
>
Disabling DHCPD...Done!
Disabling DHCPD...Done!

Do you want to revert to HTTP as the webConfigurator protocol? (y/n) y

Please wait while the changes are saved to WAN... Reloading filter...
 DHCPD... restarting webConfigurator...

The IPv4 WAN address has been set to dhcp
You can now access the webConfigurator by opening the following URL in your web browser:
                http://dhcp/

Press <ENTER> to continue.
*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on pfSense ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.1.1/24
 OPT1 (opt1)     -> vr2        ->

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Enable Secure Shell (sshd)
 7) Ping host                         15) Restore recent configuration


Enter an option:

You have completed the console portion of the configuration. You can now move on to the web configuration.
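Two lines in the console output above carry security state: menu option 14 is a toggle, so its wording shows whether sshd is currently running, and answering y to the "revert to HTTP" prompt leaves the webConfigurator on plain HTTP, so the admin login travels unencrypted. The following added example (not part of the original article) reads a saved terminal-emulator capture and reports the state left by the last menu and prompt; the function names are illustrative and the sample capture is constructed from lines shown in the walkthrough.

```shell
#!/bin/sh
# Added example: summarise security-relevant state from a console capture.

# audit_console [LOGFILE]   (reads stdin when no file is given)
#   sshd=enabled|disabled|unknown  from the wording of menu option 14
#   webgui=http|unchanged          from the answer to the HTTP prompt
#   <role>=<nic>[ <address>]       from the summary above the last menu
audit_console() {
    awk '
    { sub(/\r$/, "") }                        # serial captures usually carry CRs
    /^\*\*\* Welcome to pfSense/ { n = 0 }    # new menu: forget the older summary
    /^ *[A-Z0-9]+ \([a-z0-9]+\) +-> / {
        role[++n] = tolower($1); nic[n] = $4
        addr[n] = (NF >= 7) ? (" " $NF) : ""
    }
    /14\) Enable Secure Shell \(sshd\)/  { sshd = "disabled" }
    /14\) Disable Secure Shell \(sshd\)/ { sshd = "enabled" }
    /revert to HTTP as the webConfigurator protocol\?/ {
        webgui = ($NF == "y") ? "http" : "unchanged"
    }
    END {
        print "sshd=" (sshd == "" ? "unknown" : sshd)
        print "webgui=" (webgui == "" ? "unchanged" : webgui)
        for (i = 1; i <= n; i++) print role[i] "=" nic[i] addr[i]
    }' "$@"
}

# Constructed sample: the menu before the factory reset, the HTTP prompt,
# and the menu at the end of the walkthrough.
sample_capture() {
cat <<'EOF'
*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on gateway ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.99.1/24
 DMZ (opt1)      -> vr2        -> v4: 192.168.98.1/24

 6) Halt system                       14) Disable Secure Shell (sshd)
Enter an option: 4
Do you want to revert to HTTP as the webConfigurator protocol? (y/n) y
*** Welcome to pfSense 2.1-RELEASE-nanobsd (i386) on pfSense ***

 WAN (wan)       -> vr0        -> v4/DHCP4: 10.9.8.181/24
 LAN (lan)       -> vr1        -> v4: 192.168.1.1/24
 OPT1 (opt1)     -> vr2        ->

 6) Halt system                       14) Enable Secure Shell (sshd)
EOF
}

sample_capture | audit_console
```

A `webgui=http` result means the web interface can be switched back to HTTPS from the webConfigurator once you are logged in.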

Web Configuration

As this is a basic configuration, we will just go the screen capture route. The config is pretty simple: just follow the prompts after the initial login. The defaults are mostly correct, but you will want to adjust your LAN interface to manage the network you will be using internally. All of this is shown below.

The default username is admin and the default password is pfsense. You will be prompted to change the password during configuration.

images_screen/SS01.jpg

Figure 22. Login screen

images_screen/SS02.jpg

Figure 23. Configuration wizard screen

images_screen/SS03.jpg

Figure 24. General parameters screen

images_screen/SS04.jpg

Figure 25. Date and time screen

images_screen/SS05-1.jpg

Figure 26. WAN configuration screen (top portion)

images_screen/SS05-2.jpg

Figure 27. WAN configuration screen (bottom portion)

images_screen/SS06.jpg

Figure 28. LAN configuration screen

images_screen/SS07.jpg

Figure 29. Admin password change screen

images_screen/SS08.jpg

Figure 30. Reboot to complete screen

images_screen/SS10.jpg

Figure 31. Login screen

images_screen/SS11.jpg

Figure 32. Status screen

Once you are here, in the top left is an icon with a “+” character in the bottom corner. You can add status items to this screen from that menu. Here is an example with a couple of extra information boxes.

images_screen/SS12.jpg

Figure 33. Enhanced status screen

Congratulations, you are done. Happy surfing!


Final Case Picture

I thought I’d add a picture with the interfaces, etc. labelled. It is amazing how often you end up wondering which interface is which.

images_hardware/ALIX_with_labels.jpg

Figure 34. Labelled case


Parts List

This is the list of parts from PCEngines. My experiences with them have been very good and shipping to Canada seems to be cheaper than getting goods from the U.S. It also seems to arrive faster.