Quick Setup of pfSense on an ALIX board

I have been hearing a lot from @buraglio about pfSense, an open source firewall/router/VPN software package based on FreeBSD.  The more I heard about it the more interested I became.  Some other guys I worked with have deployed pfSense boxes for other uses and seemed pleased, so 2 weeks ago I took the plunge.

I knew that I didn’t want to run a full-tower system with multiple NIC cards… I have done it and am over it; call it being frugal, saving space, “going green” or whatever you want… I knew I was going to use a single board computer.  The ALIX boards were recommended to me and I found one that I liked at netgate.com.  I went with the ALIX.2D3 Kit, which has the ALIX.2D13 system board, a 2GB Compact Flash (CF) card, the case/enclosure, and the 18W power supply.

Once I got it in the mail it didn’t take too long to get it built and loaded with software (pfSense 1.2.3).  I was aiming to use this as the router/firewall/VPN terminator for my home network, so I thought I would write up what I did to get it all set up, along with some of my thoughts and opinions on the process.

Disclaimer: This is what I did to get this to work; this may or may not work for you.  Follow this at your own risk.

Building the Kit:

First I got all of the pieces out and placed the board into the bottom part of the kit enclosure.  I didn’t screw it into the enclosure because I still needed to add the CF card.  I recommend leaving the board loose until you are sure that you have a working copy of the OS on the CF card.  That takes us to the next step: grabbing the image from the pfSense website, which gives you a .gz file.

Before I could write to the CF card I needed to unmount the volume (not the whole disk) that was automatically mounted when the CF card was attached.  On my Mac I did this by opening Disk Utility, selecting the volume (not the disk) and clicking the Unmount button in the top menu.  Once the volume was unmounted I was able to write the image to the CF card with the following command from the terminal on my Mac OS X machine:

gzcat pfSense-1.2.3-RELEASE-2g-nanobsd.img.gz | dd of=/dev/disk1 bs=16k

Please make sure that /dev/disk1 is in fact the disk that you want to write to; if you choose incorrectly you will overwrite your hard drive. You can type:

diskutil list

into the terminal to get a list of the drives that are available and their paths.  /dev/disk1 was conveniently the only 2GB disk attached to my machine, so it was easy to identify.  This write will take a bit of time, so just let it run.  You will get your prompt back when it has finished.
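The "only 2GB disk" check above is worth automating, because a wrong of= target overwrites the wrong drive silently. The following is an added example (not from the original post) that parses the output of diskutil list, as Mac OS X printed it at the time, and returns the one whole disk whose size matches the CF card, refusing disk0 and refusing when zero or several disks match. The diskutil output embedded here is constructed, not captured from the author's machine; the function names pick_target and parse_whole_disks are my own.

```python
import re

# Constructed sample in the layout Mac OS X's `diskutil list` used at the time:
# a 500 GB internal drive and the 2 GB CF card. Not captured from the author's machine.
SAMPLE_DISKUTIL_OUTPUT = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *2.0 GB     disk1
   1:                 DOS_FAT_32 NO NAME                 2.0 GB     disk1s1
"""

_UNITS = {"B": 1, "KB": 1e3, "MB": 1e6, "GB": 1e9, "TB": 1e12}

# Row 0 of each disk carries the whole-disk size, marked with an asterisk,
# followed by the identifier (diskN) at the end of the line.
_WHOLE_DISK = re.compile(
    r"^\s*0:\s+\S+.*?\*(\d+(?:\.\d+)?)\s+(B|KB|MB|GB|TB)\s+(disk\d+)\s*$"
)


def parse_whole_disks(output: str) -> dict:
    """Return {'/dev/diskN': size_in_bytes} for every whole disk in the listing."""
    sizes = {}
    for line in output.splitlines():
        match = _WHOLE_DISK.match(line)
        if match:
            value, unit, ident = match.groups()
            sizes["/dev/" + ident] = float(value) * _UNITS[unit]
    return sizes


def pick_target(output: str, expected_bytes: float, tolerance: float = 0.15) -> str:
    """Return the single device whose size is within `tolerance` of the card size.

    disk0 (the boot disk on a Mac) is never a candidate, and the function raises
    rather than guess when no disk or more than one disk matches.
    """
    candidates = [
        dev
        for dev, size in parse_whole_disks(output).items()
        if dev != "/dev/disk0" and abs(size - expected_bytes) <= tolerance * expected_bytes
    ]
    if len(candidates) != 1:
        raise ValueError(
            f"expected exactly one {expected_bytes / 1e9:.1f} GB disk, found {candidates}"
        )
    return candidates[0]


if __name__ == "__main__":
    # With a live system you would feed in subprocess.run(["diskutil", "list"], ...) output.
    print(pick_target(SAMPLE_DISKUTIL_OUTPUT, 2e9))  # /dev/disk1
```

The returned device is what goes after of= in the dd command; with a real listing you would pass the captured output of diskutil list instead of the constructed sample. The tolerance exists because a "2GB" card is reported as 2.0 GB in decimal units and may be slightly smaller.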

Take the card and slap it in the board, plug your serial cable into the serial port on the front, and fire up your favorite terminal/console software (minicom, ZTerm, etc…).  You will need to set the console to a 9600 bps data rate, 8 data bits, no parity, and 1 stop bit (9600 8N1), and if all went well you will see this:

FreeBSD/i386 (pfSense.local) (console)

*** Welcome to pfSense 1.2.3-RELEASE-nanobsd on pfSense ***

LAN                      ->   vr0     ->      192.168.1.1
WAN                      ->   vr1     ->      NONE(DHCP)

pfSense console setup
***************************
0)  Logout (SSH only)
1)  Assign Interfaces
2)  Set LAN IP address
3)  Reset webConfigurator password
4)  Reset to factory defaults
5)  Reboot system
6)  Halt system
7)  Ping host
8)  Shell
9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense Developer Shell
13)  Upgrade from console
14)  Enable Secure Shell (sshd)

Enter an option:

If not, go back and try your write to the CF card again, or check your terminal/console settings.   If it did work then you will want to set up your LAN IP address with option 2 and follow the prompts, which looked like this:

Enter the new LAN IP address: 192.168.20.1

Subnet masks are entered as bit counts (as in CIDR notation) in pfSense.
e.g. 255.255.255.0 = 24
     255.255.0.0   = 16
     255.0.0.0     = 8
Enter the new LAN subnet bit count: 24

Do you want to enable the DHCP server on LAN [y|n]?  y
Enter the start address of the client address range: 192.168.20.100
Enter the end address of the client address range: 192.168.20.200

The LAN IP address has been set to 192.168.20.1/24.
You can now access the webGUI by opening the following URL
in your web browser:

http://192.168.20.1/

Press ENTER to continue.

Now you are ready to connect to the LAN interface and configure everything from the web browser; I will explain how in the next section.  Go ahead and power the box down and finish screwing the board into the enclosure to finalize the kit build.

Configuring from the Web:

These are the things I configured in my setup: connection to AT&T DSL, “white-listing” a couple of hosts in the firewall rules, setting up PPTP VPN termination, setting up dynamic DNS with zoneedit.com (for free) and adding a second routed interface for open wireless (I will be using captive portal on it when I get the time to set that up; it is not included in this write-up).

If you plug your computer into the port closest to the power cord you will get an IP address on the LAN and can connect to the pfSense web configuration page via your web browser (by going to 192.168.20.1 in our example).  I didn’t write down what it asked me when I first got my web browser to the config page, but the questions were really straightforward… even for the vaguely technical.  At the end of this you should be online, assuming that you plugged your ALIX box’s middle interface (which the default config assigns as your WAN port) into your DSL modem.  If it isn’t working or you need to change your WAN settings you can do that on the Interfaces -> WAN page.

I have a couple of machines that I would like to be able to connect to this box from off network (remote locations) to manage it, so I have opened up some ports in the firewall specifically for them.  I did this by going to Firewall -> Rules and adding a new rule.  Let’s just say that I have a machine with an IP address of 100.200.100.10 that I would like to allow to manage this box.  The rule would be added as follows:

Action = pass, Interface = WAN, Protocol = TCP/UDP, Source Type = Single host or alias  Address= 100.200.219.52, Destination = WAN address, Description = Whitelist Management Machine 100.10

Make sure that machine is secure, as you are opening a path for someone to brute-force their way into your network.  Then save.  It is that easy.

PPTP termination configuration section coming soon…

To set up dynamic DNS you go to Services -> Dynamic DNS.  Of the many services on offer I chose ZoneEdit, where I already have an established account.  Check the Enable box in the header bar of Dynamic DNS Client.  In the hostname field I added the hostname I would like this address to be registered as; let’s just say it is pfsense.reeleysoft.com.  I placed my ZoneEdit username and password in the respective fields, hit save, and it takes care of the rest.  Now if my home DSL IP address changes the pfSense box will register the new IP address with ZoneEdit as pfsense.reeleysoft.com and I will still be able to get to this box for management.

To add another interface you go to Interfaces -> (assign). Click the add interface button in the lower right corner of the table.  It will come up by default as Interface OPT1 and Network Port vr2.  Click save and you have added a new interface that can be referenced.  Side note: this is also where you would do 802.1q tagging (VLANs) if you are interested in that; I didn’t for this home application.  Now go to Interfaces -> OPT1 to actually configure the new interface.  Since I will be using this exclusively for wireless I changed the name from OPT1 to WLAN and ticked the Enable Interface check box.  I then set the IP address for it to 192.168.30.1/28.  Now you need to allow this network out to the internet by changing the firewall rules.  Go to Firewall -> Rules, choose the WLAN tab and click the add new rule button.  I made these 3 rules, in this order, to give this network open TCP access to the internet:

Action=Reject, Interface = WLAN, Protocol = TCP, Source Type = WLAN subnet, Destination = WAN address, Description = Reject WLAN pfSenseManagement

Action=Reject, Interface = WLAN, Protocol = TCP, Source Type = WLAN subnet, Destination = LAN Subnet, Description = Reject WLAN to LAN access

Action = Pass, Interface = WLAN, Protocol = TCP, Source Type = WLAN subnet, Destination = Any, Description = Allow WLAN TCP:any

Save that, plug an open access point into that interface (the one furthest from the power cord) and away you go.  You can choose to do DHCP on the AP or on the pfSense box; the settings for the DHCP server are under Services -> DHCP server -> WLAN tab.
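pfSense applies the rules on an interface tab top to bottom and the first match wins, which is why the two Reject rules above sit before the Pass rule. The following is an added example (not part of the original post and not pfSense code) that models the WAN whitelist rule and the three WLAN rules from this write-up as a first-match rule list and evaluates constructed packets against them. It also shows a hardened variant I have added: the third rule passes TCP to the WLAN interface’s own address 192.168.30.1, which the webConfigurator also listens on, so the management page stays reachable from the open wireless network unless a Reject for the WLAN address is placed above the Pass rule. The WAN address 203.0.113.10 is a constructed stand-in (the post does not give the DSL-assigned address), and the names Rule, Packet, evaluate and check are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Union

Selector = Union[ipaddress.IPv4Network, str]  # a network/host selector or the literal "any"

# Addresses taken from the write-up. The DSL-assigned WAN address is not given in
# the post, so 203.0.113.10 (a documentation range) is a constructed stand-in.
LAN_NET = ipaddress.ip_network("192.168.20.0/24")
WLAN_NET = ipaddress.ip_network("192.168.30.0/28")
WLAN_ADDR = ipaddress.ip_address("192.168.30.1")
WAN_ADDR = ipaddress.ip_address("203.0.113.10")
MGMT_HOST = ipaddress.ip_address("100.200.100.10")


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """A single-host selector, like 'Single host or alias' in the GUI."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "reject" (reject and block both deny)
    interface: str             # the interface tab the rule lives on
    protocols: FrozenSet[str]  # e.g. {"tcp"} or {"tcp", "udp"}
    source: Selector
    destination: Selector
    description: str


@dataclass(frozen=True)
class Packet:
    interface: str             # interface the packet arrives on
    protocol: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def _matches(selector: Selector, addr: ipaddress.IPv4Address) -> bool:
    return selector == "any" or addr in selector


def evaluate(rules, pkt: Packet):
    """First match wins, top to bottom, as pfSense applies per-interface rules.

    No match means the implicit default deny (there is no default allow on WAN
    or on OPT interfaces such as WLAN), reported here as ("block", "default deny").
    """
    for rule in rules:
        if rule.interface != pkt.interface or pkt.protocol not in rule.protocols:
            continue
        if _matches(rule.source, pkt.src) and _matches(rule.destination, pkt.dst):
            return rule.action, rule.description
    return "block", "default deny"


# The WAN whitelist rule from the write-up.
WAN_RULES = [
    Rule("pass", "WAN", frozenset({"tcp", "udp"}), host(MGMT_HOST), host(WAN_ADDR),
         "Whitelist Management Machine 100.10"),
]

# The three WLAN rules from the write-up, in the order they were entered.
WLAN_RULES = [
    Rule("reject", "WLAN", frozenset({"tcp"}), WLAN_NET, host(WAN_ADDR),
         "Reject WLAN pfSenseManagement"),
    Rule("reject", "WLAN", frozenset({"tcp"}), WLAN_NET, LAN_NET,
         "Reject WLAN to LAN access"),
    Rule("pass", "WLAN", frozenset({"tcp"}), WLAN_NET, "any",
         "Allow WLAN TCP:any"),
]

# Hardened variant (added here, not from the post): also reject TCP to the WLAN
# interface's own address, which the webConfigurator listens on, before the pass rule.
WLAN_RULES_HARDENED = WLAN_RULES[:2] + [
    Rule("reject", "WLAN", frozenset({"tcp"}), WLAN_NET, host(WLAN_ADDR),
         "Reject WLAN to WLAN address"),
] + WLAN_RULES[2:]


def check(rules, interface: str, proto: str, src: str, dst: str) -> str:
    """Evaluate one constructed packet and return just the resulting action."""
    pkt = Packet(interface, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    client = "192.168.30.5"  # a constructed wireless client inside 192.168.30.0/28
    for label, rules, dst in [
        ("WLAN client -> internet", WLAN_RULES, "8.8.8.8"),
        ("WLAN client -> LAN host", WLAN_RULES, "192.168.20.50"),
        ("WLAN client -> WLAN address (as posted)", WLAN_RULES, str(WLAN_ADDR)),
        ("WLAN client -> WLAN address (hardened)", WLAN_RULES_HARDENED, str(WLAN_ADDR)),
    ]:
        print(f"{label}: {evaluate(rules, Packet('WLAN', 'tcp', ipaddress.ip_address(client), ipaddress.ip_address(dst)))}")
```

Two things the model makes visible: reversing the WLAN list (Pass first) makes wireless clients reach the LAN, so rule order is part of the policy; and because every WLAN rule is TCP-only, UDP from the wireless network (DNS, for example) falls through to the default deny, which is something to keep in mind when deciding whether the AP or pfSense hands out DNS settings.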

With all of that I am done.  It is extremely easy and there are more interesting things this box can do.  Overall this is a good fit for my needs, probably overkill really.  Some other things that you can do: load balance between two Internet connections, VPN tunnels, traffic shaping, SNMP read/trap, Wake On LAN and much more.  They have also been working on the 2.0 code release, which you can download now from their site pfsense.org.  2.0 is still in beta (it would work fine for my configuration, but not for all).  This new code will have OSPF, a slick dashboard, and L2TP (and more, I am sure).  They are guessing that this will be fully released “early 2010.”  I hope to be able to contribute back to the project after I finish up some of my other active coding; that is one of the great things about open source… if it doesn’t do what you want, just add it and share it with everyone else.  I hope that this helps someone.  I will probably come back with pictures/screenshots to add to this later, but this is good for now.


3 Comments

  1. jim says:

    Can you go into more detail on how you are connecting to the Netgate box with your terminal/console software? Are you also using your Mac?

  2. Ian says:

    This blog has been very useful to me since I currently run pfSense at home (via VMware) but want to move it to a reliable/small hardware device.
    Regarding the ALIX.2D3, how’s it running pfSense? Any issues?
    Have you tried pfSense 2.0 on it yet (that’s the version I use)?
    Also, does the board work with a USB keyboard or is a serial connection necessary?
    Regarding the CPU/memory on the ALIX.2D3, how’s that been with pfSense? I’m using pfSense for a couple of broadband connections (both a mere 1Mbps).

  3. percetakan says:

    This post is very useful for me.
    Just so you know, this post is what I was looking for.
