Building a pfSense firewall from a thin client

Background

Being a fiddler, I couldn’t just use the free router that came with my broadband, especially after finding that my “Superhub” was actually not worthy of the name it had been given. So I started to mess around with DD-WRT and OpenWrt on a trusty Netgear WNDR3700 (at some point there may be blog posts about this).

After playing with these for a while, and after I had started using a Raspberry Pi as an OpenVPN server, I decided that I liked the idea of having a machine that was powerful enough to cope with being an OpenVPN server and a firewall.

But what to run on this machine? I’ve tried DD-WRT and OpenWrt, so why not try something new? Ah, maybe it’s time for pfSense!

Now pfSense, being based on FreeBSD, doesn’t run on ARM-based devices. A bit of googling suggested that I would probably need to buy an ALIX board if I wanted to build the machine myself. I was just about to do this when I found for sale on eBay a Neoware thin client running pfSense. But a look at the hardware specs of the machine suggested it might be a little underpowered. But the idea was sown.

Buying the hardware

After a little visit to this site, I decided that I wanted an HP t5740. There were a few reasons for my choice:

  • The machine is relatively new, which means it has a fairly powerful Intel Atom processor (N280).
  • It has two DDR3 RAM slots.
  • You can buy an expansion module which allows you to install a full-height PCI-E card, important as you will need extra NICs.
  • It uses about half as much power (12 watts) as its AMD powered cousin.

HP 5740 – a tidy little machine (this is without the expansion module fitted)

Expansion module

I managed to buy one on eBay for £45 and found an expansion module for £20. I then, after reading up on the subject on the pfSense forums, bought an Intel Pro 1000 PT Dual Port Gigabit PCI-E card, which cost me £30. So a total spend of £95. It’s important not to scrimp on the network card if you want decent performance; if you are unsure what to get, the forums are the best place to head.

Once all the pieces arrived I eagerly put them together, a little too quickly, so sorry, no pictures of the assembly, but here is the finished product. I also installed an extra stick of RAM I had lying around, so I now had 2 GB of RAM.

Bit fatter with the expansion module (sorry no banana for scale)

pfSense installation

Machine specs:

  • 1.66 GHz Intel Atom processor
  • 2 GB DDR3 RAM
  • 1 GB flash drive
  • 3 Gigabit LAN ports (I won’t be using the onboard one)

From what I’ve read, a machine of these specs will easily cope with my 60 Mbit cable connection.

Now, since the flash drive in these thin clients has a very limited number of writes, you have to install a special embedded version of pfSense. This version is based on NanoBSD and, once booted, only writes to the flash drive when needed and doesn’t use a swap partition. To aid in updating, the drive is split into two, with two identical copies of pfSense installed, one on each ‘slice’. Because of this you will need a 1 GB or bigger drive. I think it will work on a 512 MB drive, but these drives are so cheap it’s not worth the faffing about that might happen later with a smaller drive.

The embedded version is not installed from a live CD (the full version is); you download it as an image from the pfSense site and flash it to your flash drive. They have different images for the popular sizes of flash drive. You also have a decision to make: you can install a console version of NanoBSD or a VGA version. If you install the VGA version you will get a system console on the device. If you install the console version you don’t, so on first boot you’ll need to connect to the machine via a null modem cable. I felt lazy so I opted for the VGA version.

All the guides I had read so far removed the flash drive from the machine and flashed it using an ATA-to-USB cable. The problem with this is you will need a male-to-male adapter to connect the flash drive to the adapter. I didn’t have one, and the machine was put together, so I opted to do it a different way.

First I downloaded an Ubuntu live CD and wrote it to a USB stick (you can find out how to do this here).

Then I booted the thin client from the USB stick and selected “Try Ubuntu”. This booted Ubuntu, which helpfully had Firefox.

I then downloaded the pfSense image. This is where I ran into a snag: the RAM disk that Ubuntu had created wasn’t big enough to expand the image for writing. But I found a solution: you can write the image as it’s expanded by piping the output straight to dd. Open a terminal and type:
sudo fdisk -l


This will give you a list of drives, find your flash drive and then type:
sudo su
zcat pfsense-embedded.img.gz | dd of=/dev/sd[a] bs=16k

sd[a] is the drive the image will be written to; sda was the name of the drive on my machine, but yours could be different. After the writing has completed, shut down the machine, remove the USB stick and turn it back on after a little while. If everything worked, pfSense will have booted and you’ll be greeted by the pfSense console.
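An added example, not from the original post: a shell function that refuses to write unless the compressed download matches a SHA-256 you obtained from the download source, streams it to the target with the same zcat-to-dd pipeline, then reads the written bytes back and compares hashes. The function names, file names and expected-hash argument are assumptions; the demo uses a constructed random image and a regular file in place of the flash drive.

```shell
#!/bin/sh
# Added example: checksum-gated, read-back-verified version of `zcat | dd`.
# All names below are hypothetical; the demo data is constructed.

# SHA-256 of a file (used on the compressed download).
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# flash_verified IMAGE_GZ TARGET EXPECTED_SHA256_OF_IMAGE_GZ
# Refuses to write unless the download matches the expected hash, streams the
# decompressed image to TARGET (no room needed for the expanded file), then
# reads back exactly the bytes written and compares hashes.
flash_verified() {
    image_gz=$1; target=$2; expected=$3

    if [ "$(sha256_of "$image_gz")" != "$expected" ]; then
        echo "checksum mismatch on $image_gz, nothing written" >&2
        return 1
    fi

    # Length and hash of the decompressed stream, computed without storing it.
    size=$(zcat "$image_gz" | wc -c | tr -d ' ')
    want=$(zcat "$image_gz" | sha256sum | cut -d' ' -f1)

    # Same pipeline as in the post; conv=fsync flushes to the device before dd exits.
    zcat "$image_gz" | dd of="$target" bs=16k conv=fsync 2>/dev/null || return 1

    # Only the first $size bytes are compared: the drive may be larger than the image.
    got=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "read-back mismatch on $target" >&2
        return 1
    fi
    echo "verified $size bytes on $target"
}

# Demo on constructed data: a 256 KiB random "image", with a regular file
# standing in for the flash drive (e.g. /dev/sdX on real hardware).
demo() {
    d=$(mktemp -d) || return 1
    head -c 262144 /dev/urandom | gzip -c > "$d/image.img.gz"
    flash_verified "$d/image.img.gz" "$d/fake-disk" "$(sha256_of "$d/image.img.gz")"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On a real drive, run it as root with the target set to the device that fdisk listed. The read-back can be served from the page cache, so it confirms what was sent to the device rather than proving the media retained it.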

That’s it for now. When I get some time I’ll write up my initial setup of pfSense, including setting up OpenVPN.

 
