
Installing pfSense on a Nokia IP120 firewall

by Jeremy L. Gaddis on August 30, 2010

in Networking

I was recently toying with an old Nokia IP120 firewall and discovered that pfSense would run quite well on this old hardware.

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

The Nokia IP120 is a firewall/VPN security platform, wrapped up in a nice little desktop package. It’s been EoL/EoS for several years, but it would still make a perfect candidate for running pfSense.

The IP120 has a 266 MHz CPU, 128 MB of RAM, 3×10/100 NICs, and this particular unit had a 10GB HDD. Those specs are nothing by today’s standards, but it has plenty enough horsepower to push some packets around.

A few weeks ago, I used a LiveCD to install pfSense 1.2.3, by taking out the HDD and putting it in an old laptop I had sitting around. It worked great, except I noticed that it wouldn’t reboot properly. When going through the reboot process, it got to “Rebooting…” and just hung. I could power cycle it and it would be fine, but that just wouldn’t work for me.

I ran into Jim Pingle, co-author of “pfSense: The Definitive Guide” and one of the guys working on pfSense, on IRC. He encouraged me to do an online update to the 2.0 beta series to see if that would fix it. I went ahead with the upgrade, but I got nothing on the console of the IP120 after it rebooted. Presumably, the “embedded” kernel wasn’t installed and since the IP120 has no VGA built-in… well, you get it.

Fast forward to a day or two ago, when I decided to try it again. I took the 10GB HDD and put it back in the laptop, and began downloading the latest pfSense 2.0 snapshot to another server I have here at home:

$ fetch http://snapshots.pfsense.org/FreeBSD/RELENG_8_1/i386/...
pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img  100% of  107 MB  285 kBps 00m00s

Next, I put a Gentoo LiveCD I had lying around into the laptop, plugged the laptop into my wired network, and booted Gentoo with a few extra parameters:

boot: gentoo nox dosshd passwd=gentoo42

This told it not to start the X Window System, to start the SSH daemon, and to set the root password to “gentoo42”.

Once it was up and running, I needed to know what IP address it had acquired from my DHCP server:

livecd root # ifconfig eth0 | grep Bcast
          inet addr:203.0.113.143  Bcast:203.0.113.255  Mask:255.255.255.0

Okay, so the laptop was using the IP address 203.0.113.143. Duly noted.

Now, I could go back to my primary workstation and do the rest from there. First, I had to SSH into the laptop, however:

$ ssh root@203.0.113.143
The authenticity of host '203.0.113.143 (203.0.113.143)' can't be established.
RSA key fingerprint is cf:e1:e0:74:64:e8:92:7f:da:6d:5f:30:26:96:f5:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '203.0.113.143' (RSA) to the list of known hosts.
Password:
Welcome to the Gentoo Linux LiveCD!

...

Once SSH’d into the laptop, I needed to transfer the pfSense 2.0 beta image over to the laptop and write it to the 10GB HDD. I decided just to do it all in one fell swoop, since I’m a lazy bastard.

On the laptop, I started up a netcat listener:

livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda

Next, I went over to my FreeBSD server and started dumping the pfSense disk image out over the wire:

$ dd if=pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img.gz | nc 203.0.113.143 4242
220658+1 records in
220658+1 records out
112977011 bytes transferred in 652.244121 secs (173213 bytes/sec)

As you can see, it took almost 11 minutes to complete. This is because the laptop was receiving the data over TCP, decompressing it, then writing it out to the hard drive. The bottleneck in this case was definitely the old 10 GB HDD. Once that finished, I went back over to the laptop side and killed the netcat listener.

livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda
7827687+0 records in
7827687+0 records out
4007775744 bytes (4.0 GB) copied, 698.246 seconds, 5.7 MB/s
dd: closing input file `standard input': Bad file descriptor
livecd ~ #
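
The netcat-and-dd transfer above has no integrity check beyond gzip's own CRC, so this sketch confirms that both the stream that arrived and the bytes that landed on the disk match digests computed on the sending host. It is an added example, not part of the original post; the function names, file names and the constructed demo image are assumptions, and it assumes GNU coreutils (`sha256sum`, `head -c`).

```shell
#!/bin/sh
# Added example, not from the original post. File names are hypothetical.

# Print the hex SHA-256 of stdin.
sha256_of() { sha256sum | cut -d' ' -f1; }

# Sender: print "<sha256 of .gz> <sha256 of raw image> <raw size in bytes>".
image_manifest() {
    gz_sum=$(sha256_of <"$1")
    img_sum=$(gzip -dc "$1" | sha256_of)
    img_size=$(gzip -dc "$1" | wc -c | tr -d ' ')
    echo "$gz_sum $img_sum $img_size"
}

# Receiver: compressed image on stdin (in the post, from `nc -l -p 4242`).
# Usage: write_verified GZ_SHA256 IMG_SHA256 IMG_SIZE TARGET
# Succeeds only if the bytes received and the bytes read back both match.
write_verified() {
    want_gz=$1 want_img=$2 size=$3 target=$4
    tmp=$(mktemp -d) || return 2
    mkfifo "$tmp/gz.fifo"
    # Hash the compressed stream in the background while it is written out.
    sha256_of <"$tmp/gz.fifo" >"$tmp/gz.sum" &
    hasher=$!
    tee "$tmp/gz.fifo" | gzip -dc | dd of="$target" bs=64k conv=notrunc 2>/dev/null
    wait "$hasher"
    got_gz=$(cat "$tmp/gz.sum")
    rm -rf "$tmp"
    [ "$got_gz" = "$want_gz" ] || { echo "transfer mismatch" >&2; return 1; }
    # Read back only the image-sized prefix: the disk is larger than the image.
    got_img=$(head -c "$size" "$target" | sha256_of)
    [ "$got_img" = "$want_img" ] || { echo "read-back mismatch" >&2; return 1; }
    echo "verified $size bytes on $target"
}

# Constructed demo: a 256 KiB random "image" and a 512 KiB file in place of /dev/hda.
demo() {
    d=$(mktemp -d) || return 2
    head -c 262144 /dev/urandom | gzip -c >"$d/image.img.gz"
    head -c 524288 /dev/zero >"$d/disk"
    set -- $(image_manifest "$d/image.img.gz")
    write_verified "$1" "$2" "$3" "$d/disk" <"$d/image.img.gz"; rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On real hardware the three expected values come from running `image_manifest` on the sending host, and the read-back may be served from the page cache, so it confirms what was written rather than what the drive has committed.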

pfSense was installed on the HDD at this point. I shut down the laptop, transferred the HDD back into the IP120, hooked its serial port up to my console server, connected to it, powered up the IP120 and watched it boot up and begin the “first time setup” process:

1  pfSense
2  pfSense

F6 PXE
Boot:  1
/boot.config: -h
Consoles: serial port
BIOS drive C: is disk0
BIOS 639kB/130048kB available memory

FreeBSD/i386 bootstrap loader, Revision 1.1
(sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org, Sat Aug 28 00:11:26 EDT 2010)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x859d8c data=0x3c73d4+0x818e0 \
/
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...
Copyright (c) 1992-2010 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.1-RELEASE #0: Sat Aug 28 00:39:10 EDT 2010
    sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Geode(TM) Integrated Processor by National Semi (266.68-MHz 586-class CPU)
  Origin = "Geode by NSC"  Id = 0x540  Family = 5  Model = 4  Stepping = 0
  Features=0x808131
real memory  = 138936320 (132 MB)
avail memory = 113254400 (108 MB)
wlan: mac acl policy registered
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc06f5f30, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc06f5fd0, 0) error 1
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc06f6070, 0) error 1
wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (wpi_fw, 0xc0852810, 0) error 1
ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0:  on motherboard
padlock0: No ACE support.
pcib0:  pcibus 0 on motherboard
pir0:  on motherboard
pci0:  on pcib0
fxp0:  port 0x8000-0x803f mem 0x80000000-0x80000fff,0x80100000-0x8011ffff irq 11 at device 14.0 on pci0
miibus0:  on fxp0
inphy0:  PHY 1 on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: [ITHREAD]
fxp1:  port 0x8400-0x843f mem 0x80200000-0x80200fff,0x80300000-0x8031ffff irq 10 at device 15.0 on pci0
miibus1:  on fxp1
inphy1:  PHY 1 on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: [ITHREAD]
fxp2:  port 0x8800-0x883f mem 0x80400000-0x80400fff,0x80500000-0x8051ffff irq 5 at device 16.0 on pci0
miibus2:  on fxp2
inphy2:  PHY 1 on miibus2
inphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp2: [ITHREAD]
isab0:  at device 18.0 on pci0
isa0:  on isab0
pci0:  at device 18.1 (no driver attached)
atapci0:  port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 18.2 on pci0
ata0:  on atapci0
ata0: [ITHREAD]
ata1:  on atapci0
ata1: [ITHREAD]
pci0:  at device 18.3 (no driver attached)
cpu0 on motherboard
unknown:  can't assign resources (memory)
unknown:  can't assign resources (port)
atrtc0:  at port 0x70-0x7f irq 8 pnpid PNP0b00 on isa0
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 pnpid PNP0501 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 pnpid PNP0501 on isa0
uart1: [FILTER]
orm0:  at iomem 0xe8000-0xebfff,0xec000-0xeffff pnpid ORM0000 on isa0
ppc0: parallel port not found.
unknown:  can't assign resources (memory)
unknown:  can't assign resources (port)
driver bug: Unable to set devclass (devname: (null))
Timecounters tick every 10.000 msec
IPsec: Initialized Security Association Processing.
ad0: 9590MB  at ata0-master PIO4
GEOM: ad0s1: geometry does not match label (16h,63s != 15h,63s).
GEOM: ad0s2: geometry does not match label (16h,63s != 15h,63s).
Trying to mount root from ufs:/dev/ufs/pfsense0
Mounting filesystems...
Setting up embedded specific environment... done.

     ___
 ___/ f \
/ p \___/ Sense
\___/   \
    \___/

Welcome to pfSense 2.0-BETA4  ...

Creating symlinks......done.
Launching the init system... done.
Initializing................................ done.
Starting device manager (devd)...done.
Loading configuration......done.

Network interface mismatch -- Running interface assignment option.

Valid interfaces are:

fxp0  00:a0:8e:21:83:85   (down)        Intel 82559ER Embedded 10/100 Ethernet
fxp1  00:a0:8e:21:83:86   (down)        Intel 82559ER Embedded 10/100 Ethernet
fxp2  00:a0:8e:21:83:87   (down)        Intel 82559ER Embedded 10/100 Ethernet

Do you want to set up VLANs first? 

If you are not going to use VLANs, or only for optional interfaces, you should
say no here and use the webConfigurator to configure VLANs later, if required.

Do you want to set up VLANs now [y|n]?

I wasn’t real confident that the 2.0 beta was going to properly reboot the Nokia due to the ACPI errors shown during boot-up:

ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.

I was going to have to go through the setup process before I could try though. For brevity’s sake, I’ve left out that part. Let’s continue on just past that:

Writing configuration...done.
Updating configuration......Loading new configuration...done.
Cleaning backup cache...done.
Setting up extended sysctls...done.
Setting timezone...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
route: writing to routing socket: File exists
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configurifxp2: link state changed to UP
ng WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...Creating SSL Certificate... done.
Configuring CRON...done.
Starting OpenNTP time client...done.
Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall......done.
Generating RRD graphs...done.
Starting CRON... done.
Executing rc.d items...
 Starting /usr/local/etc/rc.d/*.sh...done.
Bootup complete

FreeBSD/i386 (pfSense.localdomain) (console)

*** Welcome to pfSense 2.0-BETA4-nanobsd (i386) on pfSense ***

  WAN (wan)                 -> fxp2       -> 203.0.113.143 (DHCP)
  LAN (lan)                 -> fxp0       -> 192.168.1.1
  OPT1 (opt1)               -> fxp1       -> NONE 

 pfSense console setup
***************************
 0)  Logout (SSH only)
 1)  Assign Interfaces
 2)  Set interface(s) IP address
 3)  Reset webConfigurator password
 4)  Reset to factory defaults
 5)  Reboot system
 6)  Halt system
 7)  Ping host
 8)  Shell
 9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense Developer Shell
13)  Upgrade from console
14)  Enable Secure Shell (sshd)

Enter an option:

The moment of truth was here. I told it to reboot and waited…

Enter an option: 5

pfSense will reboot. This may take one minute.

Do you want to proceed [y|n]? y

pfSense is rebooting now.

*** FINAL System shutdown message from root@pfSense.localdomain ***
System going down IMMEDIATELY                                                  

pfSense is now shutting down ...

Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 done
All buffers synced.
Uptime: 8m26s
Rebooting...

…and waited. And waited. Unfortunately, the IP120 never actually rebooted. Jim Pingle gave me a few more things to try, but ultimately nothing worked. As before, I can power cycle it and it comes back up just fine, but I’d like the ability to reboot it remotely if the need arises. At this point, that’s pretty much a show-stopper for me. I’ve considered loading JunOS on it but since both pfSense and JunOS are based on FreeBSD, I’m not confident it will reboot correctly under JunOS either.

Regardless, it was a fun experiment. I’m debating getting a Nokia IP330 off of eBay, as I don’t think it is affected by the same bug (from what I’ve read). They’re cheap enough and it has the added advantage that I can mount it in my rack. Thanks again to Jim for his assistance.

7 comments

Sevan August 30, 2010 at 12:15 pm

So did you disable ACPI or acpic in the kernel or not?


Jeremy L. Gaddis August 30, 2010 at 12:24 pm

One of the things Jim asked me to check was if ‘hint.acpi.0.disabled="1"’ existed in /boot/device.hints or not. It didn’t, so I added it, but still no luck. He had me try at least one other thing as well, though I can’t recall what that was now (I’ll document better, if there is a next time).


Sevan August 30, 2010 at 12:40 pm

Just had a look at the kernel config on my Alix 2c3 which also exhibits the same error when booting the stock FreeBSD kernel (I’m running FreeBSD 8.0/i386 on mine)
removing:
options SMP
from the kernel config fixes the issue.


Sevan August 30, 2010 at 12:42 pm

You will need to recompile & install a new kernel of course, not sure how that works on pfSense.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html


Jeremy L. Gaddis August 30, 2010 at 12:58 pm

Yeah, I looked into that, very briefly. It’s just not worth the time & effort. Thanks, though.


jimp August 30, 2010 at 2:01 pm

SMP isn’t in the pfSense embedded (NanoBSD-based) kernels, so that wouldn’t help in this case.

It reboots fine on an ALIX (and with many other hardware types) so it’s probably a quirk with this particular model, unfortunately.


Stiltzkin September 2, 2010 at 3:32 am

Hey, I wonder if you could install JUNOS/Olive as someone else did:

http://www.techexams.net/forums/juniper-certifications/46233-1u-olive.html

He used an IP330 though.

