Sunday, July 27, 2014

Sun NICS and pfSense 2.1.x (FreeBSD 8.x)

Opening Ramble

I’m doing more and more networking these days. I’ve got some Juniper hardware on order but I’m also futzing around with pfSense running on some old thin clients (builtin crypto hardware FTW!!). Because I don’t have copious free time, I ordered some prebuilt pfSense boxes from ebay. $70 and 4 days later I had a marginally well-built box more than suitable for replacing any OpenWRT or DD-WRT box in my place (I have many).

Why get rid of *WRT?

First, I’m not getting rid of all of my *WRT boxes. I’m simply repurposing them in ways that make them less critical to my infrastructure. That said I’m doing so for a number of reasons, any of which would be sufficient grounds IMNSHO for dumping them altogether. 

  1. iptables — I’ve been managing firewalls since 1998 and my blood pressure rises every time I have to deal with that POC masquerading as a firewall solution.
  2. community & support — pfSense is actively maintained but I don’t actually care about that because I know how it’s built. I could build my own starting with NanoBSD. DD-WRT has packages out there for supported routers that haven’t been updated in many years. OpenWRT went through several bouts of inactivity and rapid development. I could learn the tool chain for getting the WRTs built and deployed or I could just use a system I already know and support myself if it ever comes to that.
  3. hardware — The *WRTs run on a wide variety of cheap hardware that’s readily available. Much of that hardware doesn’t have builtin crypto acceleration and isn’t very expandable (if at all).
  4. commitment & knowledge — The pfSense guys own their project and its issues. While they work to keep things in line with FreeBSD they don’t abdicate responsibility for what they ship. They take it upon themselves to patch in new features, retrofit, and push changes upstream.

This really isn’t a comparison of one project versus another. There are places where one may be appropriate and not another. I’m not bashing the *WRTs. I just prefer to have as little Linux running on my network as possible. D’oh!!! Did I type that out loud?

The arrival

The boxes I’d ordered came with quad-port PCI Sun NICs (hme[0-3]) for a total of 5 ports including the builtin Ethernet port (vr0). They were pre-installed with pfSense 2.1.4 configured for VGA/DVI output, vr0 set as WAN and hme0 set to LAN.

I don’t know why it is that people buy used computing devices and use them without doing a full reinstallation to make sure that they have a clean base to start with. When I’d done a new installation I noticed that my Sun NICS were behaving oddly. They’d start up and be “connected” then after just a few seconds they’d show “unconnected”. The link light would intermittently show solid green light then go dark. Turns out this is a known issue and has a pretty simple fix.

If you can get to a shell on the device you simply need to set the media and mediaopt flags like so:

ifconfig hme0 media 100baseTX mediaopt full-duplex

Do this for each interface that’s flapping and you should be good.
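As an added example (not from the original post), here is a small POSIX sh script that finds every hme interface in `ifconfig -a` output, checks whether it is still on autoselect, and prints the ifconfig command above for each one that needs it. The ifconfig output embedded in it is constructed to resemble FreeBSD 8.x; on the box you would feed it the real output.

```shell
#!/bin/sh
# Added example, not the post's own code. Builds the list of ifconfig commands
# needed to pin each Sun hme interface to 100baseTX full-duplex.
# SAMPLE_IFCONFIG is a constructed stand-in for `ifconfig -a` on FreeBSD 8.x.

SAMPLE_IFCONFIG='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:03:ba:00:00:01
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: no carrier
hme1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	media: Ethernet 100baseTX <full-duplex>
	status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active'

# hme_interfaces OUTPUT: print the name of every hme interface in the output
hme_interfaces() {
    printf '%s\n' "$1" | sed -n 's/^\(hme[0-9]*\):.*/\1/p'
}

# needs_fix IFACE OUTPUT: succeed if IFACE is still on autoselect (the flapping case)
needs_fix() {
    printf '%s\n' "$2" | awk -v want="$1:" '
        $1 == want { in_if = 1; next }     # header line of the interface we want
        /^[a-z]/   { in_if = 0 }           # header line of some other interface
        in_if && /media:/ && /autoselect/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# hme_fix_plan OUTPUT: one ifconfig command per hme interface that needs pinning
hme_fix_plan() {
    for ifn in $(hme_interfaces "$1"); do
        if needs_fix "$ifn" "$1"; then
            echo "ifconfig $ifn media 100baseTX mediaopt full-duplex"
        fi
    done
}

# Review the plan first; on the box, apply it with: hme_fix_plan "$(ifconfig -a)" | sh
hme_fix_plan "$SAMPLE_IFCONFIG"
```

Pinning the media turns off autonegotiation on that port, so the switch port at the other end needs the same fixed speed and duplex or you trade link flapping for a duplex mismatch.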

Status…so far

So far, things are going smoothly. I’m not seeing any issues that were typical with the *WRT boxes I had. It’s only been two days so who knows? I may do an update after I’ve had time to gather some meaningful data. 


side notes:

My boxes are NeoWare CA22/E140. They include the Via C7 with PadLock Security Engine. These things tend to get warm. That’s the case even when run for their intended purpose.  

1 comment:

  1. Hey, Cliff, I've been using pfSense for years and I love it. I trust BSD a lot more than Linux when it comes to security. It's got a nice DHCP server built in that I use for my LAN. Very handy. I was running it from an old HD, but now I'm running it from a LiveCD with... wait for it... a floppy disk for the config file. I'm running 2.1.4 on an ancient pentium with 128 MEGAbytes (I refuse to use that other word they came up with to replace megabytes. You know, the one with a 'B' in it...) of RAM. I've got about 1.5Mb DSL and it can handle that with no problems at all.
    --Kelly
