I was recently toying with an old Nokia IP120 firewall and discovered that pfSense would run quite well on this old hardware.
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
The Nokia IP120 is a firewall/VPN security platform, wrapped up in a nice little desktop package. It’s been EoL/EoS for several years, but it would still make a perfect candidate for running pfSense.
The IP120 has a 266 MHz CPU, 128 MB of RAM, 3×10/100 NICs, and this particular unit had a 10GB HDD. Those specs are nothing by today’s standards, but it has plenty of horsepower to push some packets around.
A few weeks ago, I used a LiveCD to install pfSense 1.2.3, by taking out the HDD and putting it in an old laptop I had sitting around. It worked great, except I noticed that it wouldn’t reboot properly. When going through the reboot process, it got to “Rebooting…” and just hung. I could power cycle it and it would be fine, but that just wouldn’t work for me.
I ran into Jim Pingle, co-author of “pfSense: The Definitive Guide” and one of the guys working on pfSense, on IRC. He encouraged me to do an online update to the 2.0 beta series to see if that would fix it. I went ahead with the upgrade, but I got nothing on the console of the IP120 after it rebooted. Presumably, the “embedded” kernel wasn’t installed and since the IP120 has no VGA built-in… well, you get it.
Fast forward to a day or two ago, when I decided to try it again. I took the 10GB HDD and put it back in the laptop, and began downloading the latest pfSense 2.0 snapshot to another server I have here at home:
$ fetch http://snapshots.pfsense.org/FreeBSD/RELENG_8_1/i386/...
pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img          100% of  107 MB  285 kBps 00m00s
Next, I put a Gentoo LiveCD I had laying around into the laptop, plugged the laptop into my wired network, and booted Gentoo with a few extra parameters:
boot: gentoo nox dosshd passwd=gentoo42
This told it to not start the X Window System, do start up the SSH daemon, and to set the root password to “gentoo42”.
Once it was up and running, I needed to know what IP address it had acquired from my DHCP server:
livecd root # ifconfig eth0 | grep Bcast
          inet addr:203.0.113.143  Bcast:203.0.113.255  Mask:255.255.255.0
Okay, so the laptop was using the IP address 203.0.113.143. Duly noted.
Now, I could go back to my primary workstation and do the rest from there. First, I had to SSH into the laptop, however:
$ ssh root@203.0.113.143
The authenticity of host '203.0.113.143 (203.0.113.143)' can't be established.
RSA key fingerprint is cf:e1:e0:74:64:e8:92:7f:da:6d:5f:30:26:96:f5:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '203.0.113.143' (RSA) to the list of known hosts.
Password:
Welcome to the Gentoo Linux LiveCD!
...
Once SSH’d into the laptop, I needed to transfer the pfSense 2.0 beta image over to the laptop and write it to the 10GB HDD. I decided just to do it all in one fell swoop, since I’m a lazy bastard.
On the laptop, I started up a netcat listener:
livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda
Next, I went over to my FreeBSD server and started dumping the pfSense disk image out over the wire:
$ dd if=pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img.gz | nc 203.0.113.143 4242
220658+1 records in
220658+1 records out
112977011 bytes transferred in 652.244121 secs (173213 bytes/sec)
As you can see, it took almost 11 minutes to complete. This is because the laptop was receiving the data over TCP, decompressing it, then writing it out to the hard drive. The bottleneck in this case was definitely the old 10 GB HDD. Once that finished, I went back over to the laptop side and killed the netcat listener.
livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda
7827687+0 records in
7827687+0 records out
4007775744 bytes (4.0 GB) copied, 698.246 seconds, 5.7 MB/s
dd: closing input file `standard input': Bad file descriptor
livecd ~ #
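One thing the netcat pipeline above does not do is check that the bytes arriving on port 4242 are actually the image that was fetched: whatever shows up on that unauthenticated TCP port goes straight to /dev/hda, and a truncated or corrupted transfer is only noticed when the box fails to boot. The script below is an added example written for this page, not code from the original post or from the pfSense project. It receives the compressed image to a file first, verifies the SHA-256 of the decompressed payload against a digest obtained out of band (the digest file name and location in the usage comment are assumptions), writes it to the disk only if the digest matches, and then reads the written range back to confirm it landed intact. It assumes GNU coreutils (sha256sum, dd, head, wc), gzip and mktemp on the LiveCD side.

```shell
#!/bin/sh
# Added example, not from the original post: verify a gzipped disk image
# against a known SHA-256 before writing it to a block device, then read
# the device back and confirm the bytes landed intact.
# Assumes GNU coreutils (sha256sum, dd, head, wc), gzip and mktemp.

# write_verified_image IMAGE_GZ EXPECTED_SHA256 TARGET_DEVICE
#   returns 0  image verified, written and read back successfully
#   returns 1  decompression or write error
#   returns 2  checksum mismatch (TARGET_DEVICE is not touched)
write_verified_image() {
    image_gz=$1
    expected=$2
    target=$3

    tmp=$(mktemp) || return 1
    if ! gzip -dc "$image_gz" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Hash the decompressed payload, since that is what ends up on disk.
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        rm -f "$tmp"
        return 2
    fi

    size=$(wc -c < "$tmp" | tr -d ' ')
    if ! dd if="$tmp" of="$target" bs=64k 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    sync

    # Read back exactly the image length: a real device is larger than
    # the image, so hashing the whole device would never match.
    readback=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    rm -f "$tmp"
    [ "$readback" = "$expected" ]
}

# Usage on the LiveCD: receive to a file first, then verify and write.
# The digest file name and the /root paths are assumptions for this example.
#   nc -l -p 4242 > /root/pfsense.img.gz
#   write_verified_image /root/pfsense.img.gz \
#       "$(cut -d' ' -f1 /root/pfsense.img.sha256)" /dev/hda
```

Receiving to a file costs one extra pass over the disk, but it means a bad transfer is rejected before a single byte of the old installation is overwritten, and the read-back catches the case where dd returns success yet the drive silently dropped writes.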
pfSense was installed on the HDD at this point. I shut down the laptop, transferred the HDD back into the IP120, hooked its serial port up to my console server, connected to it, powered up the IP120 and watched it boot up and begin the “first time setup” process:
1 pfSense
2 pfSense
F6 PXE
Boot: 1
/boot.config: -h
Consoles: serial port
BIOS drive C: is disk0
BIOS 639kB/130048kB available memory

FreeBSD/i386 bootstrap loader, Revision 1.1
(sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org, Sat Aug 28 00:11:26 EDT 2010)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x859d8c data=0x3c73d4+0x818e0 \ /
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...
Copyright (c) 1992-2010 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.1-RELEASE #0: Sat Aug 28 00:39:10 EDT 2010
    sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Geode(TM) Integrated Processor by National Semi (266.68-MHz 586-class CPU)
  Origin = "Geode by NSC"  Id = 0x540  Family = 5  Model = 4  Stepping = 0
  Features=0x808131
real memory  = 138936320 (132 MB)
avail memory = 113254400 (108 MB)
wlan: mac acl policy registered
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc06f5f30, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc06f5fd0, 0) error 1
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc06f6070, 0) error 1
wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (wpi_fw, 0xc0852810, 0) error 1
ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0: on motherboard
padlock0: No ACE support.
pcib0: pcibus 0 on motherboard
pir0: on motherboard
pci0: on pcib0
fxp0: port 0x8000-0x803f mem 0x80000000-0x80000fff,0x80100000-0x8011ffff irq 11 at device 14.0 on pci0
miibus0: on fxp0
inphy0: PHY 1 on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: [ITHREAD]
fxp1: port 0x8400-0x843f mem 0x80200000-0x80200fff,0x80300000-0x8031ffff irq 10 at device 15.0 on pci0
miibus1: on fxp1
inphy1: PHY 1 on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: [ITHREAD]
fxp2: port 0x8800-0x883f mem 0x80400000-0x80400fff,0x80500000-0x8051ffff irq 5 at device 16.0 on pci0
miibus2: on fxp2
inphy2: PHY 1 on miibus2
inphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp2: [ITHREAD]
isab0: at device 18.0 on pci0
isa0: on isab0
pci0: at device 18.1 (no driver attached)
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 18.2 on pci0
ata0: on atapci0
ata0: [ITHREAD]
ata1: on atapci0
ata1: [ITHREAD]
pci0: at device 18.3 (no driver attached)
cpu0 on motherboard
unknown: can't assign resources (memory)
unknown: can't assign resources (port)
atrtc0: at port 0x70-0x7f irq 8 pnpid PNP0b00 on isa0
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 pnpid PNP0501 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 pnpid PNP0501 on isa0
uart1: [FILTER]
orm0: at iomem 0xe8000-0xebfff,0xec000-0xeffff pnpid ORM0000 on isa0
ppc0: parallel port not found.
unknown: can't assign resources (memory)
unknown: can't assign resources (port)
driver bug: Unable to set devclass (devname: (null))
Timecounters tick every 10.000 msec
IPsec: Initialized Security Association Processing.
ad0: 9590MB at ata0-master PIO4
GEOM: ad0s1: geometry does not match label (16h,63s != 15h,63s).
GEOM: ad0s2: geometry does not match label (16h,63s != 15h,63s).
Trying to mount root from ufs:/dev/ufs/pfsense0
Mounting filesystems...
Setting up embedded specific environment... done.

  ___
 ___/ f \
/ p \___/ Sense
\___/ \
    \___/

Welcome to pfSense 2.0-BETA4 ...

Creating symlinks......done.
Launching the init system... done.
Initializing................................ done.
Starting device manager (devd)...done.
Loading configuration......done.

Network interface mismatch -- Running interface assignment option.

Valid interfaces are:

fxp0   00:a0:8e:21:83:85   (down) Intel 82559ER Embedded 10/100 Ethernet
fxp1   00:a0:8e:21:83:86   (down) Intel 82559ER Embedded 10/100 Ethernet
fxp2   00:a0:8e:21:83:87   (down) Intel 82559ER Embedded 10/100 Ethernet

Do you want to set up VLANs first?
If you are not going to use VLANs, or only for optional interfaces, you should
say no here and use the webConfigurator to configure VLANs later, if required.

Do you want to set up VLANs now [y|n]?
I wasn’t really confident that the 2.0 beta was going to properly reboot the Nokia, due to the ACPI errors shown during boot-up:
ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
I was going to have to go through the setup process before I could try, though. For brevity’s sake, I’ve left out that part. Let’s continue on just past that:
Writing configuration...done.
Updating configuration......Loading new configuration...done.
Cleaning backup cache...done.
Setting up extended sysctls...done.
Setting timezone...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
route: writing to routing socket: File exists
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configurifxp2: link state changed to UP
ng WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...Creating SSL Certificate... done.
Configuring CRON...done.
Starting OpenNTP time client...done.
Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall......done.
Generating RRD graphs...done.
Starting CRON... done.
Executing rc.d items...
 Starting /usr/local/etc/rc.d/*.sh...done.
Bootup complete

FreeBSD/i386 (pfSense.localdomain) (console)

*** Welcome to pfSense 2.0-BETA4-nanobsd (i386) on pfSense ***

 WAN (wan)       -> fxp2  -> 203.0.113.143 (DHCP)
 LAN (lan)       -> fxp0  -> 192.168.1.1
 OPT1 (opt1)     -> fxp1  -> NONE

pfSense console setup
***************************
 0) Logout (SSH only)
 1) Assign Interfaces
 2) Set interface(s) IP address
 3) Reset webConfigurator password
 4) Reset to factory defaults
 5) Reboot system
 6) Halt system
 7) Ping host
 8) Shell
 9) PFtop
10) Filter Logs
11) Restart webConfigurator
12) pfSense Developer Shell
13) Upgrade from console
14) Enable Secure Shell (sshd)

Enter an option:
The moment of truth was here. I told it to reboot and waited…
Enter an option: 5

pfSense will reboot. This may take one minute.
Do you want to proceed [y|n]? y

pfSense is rebooting now.

*** FINAL System shutdown message from root@pfSense.localdomain ***

System going down IMMEDIATELY

pfSense is now shutting down ...
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 done
All buffers synced.
Uptime: 8m26s
Rebooting...
…and waited. And waited. Unfortunately, the IP120 never actually rebooted. Jim Pingle gave me a few more things to try, but ultimately nothing worked. As before, I can power cycle it and it comes back up just fine, but I’d like the ability to reboot it remotely if the need arises. At this point, that’s pretty much a show-stopper for me. I’ve considered loading JunOS on it, but since both pfSense and JunOS are based on FreeBSD, I’m not confident it will reboot correctly under JunOS either.
Regardless, it was a fun experiment. I’m debating getting a Nokia IP330 off of eBay, as I don’t think it is affected by the same bug (from what I’ve read). They’re cheap enough and it has the added advantage that I can mount it in my rack. Thanks again to Jim for his assistance.