💾 Archived View for gemini.circumlunar.space › users › kraileth › neunix › eerie › 2017 › building_a… captured on 2022-04-28 at 19:16:06. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-05)
-=-=-=-=-=-=-
Here I'm republishing an old blog post of mine originally from June 2017. The article has been slightly improved.
Most of the advanced installation covered here and in part 8 is obsolete as I revise this article in 2021. While it would still work, there's no need for such a strange setup anymore - OPNsense has been supporting booting off of ZFS for a while now!
Previous parts of this series:
Building a BSD home router (pt. 1): Hardware (PC Engines APU2)
Part 1 discusses why you want to build your own router and how to assemble the APU2
Building a BSD home router (pt. 2): The serial console (excursion)
Part 2 provides some Unix history explanation of what a serial console is
Building a BSD home router (pt. 3): Serial access and flashing the firmware
Part 3 demonstrates serial access to the APU and covers firmware update
Building a BSD home router (pt. 4): Installing pfSense
Part 4 details installing pfSense
Building a BSD home router (pt. 5): Installing OPNsense
Part 5 shows installing OPNsense instead
Building a BSD home router (pt. 6): pfSense vs. OPNsense
Part 6: Comparison of pfSense and OPNsense
In the first post I asked the question "Why would you want to build your own router?" and the answer was "because the stock ones are known to totally suck". I have since stumbled across this news: "Mcafee claims: Every router in the US is compromised".
http://yournewswire.com/john-mcafee-cia-router
Now Mcafee is a rather flamboyant personality and _every_ is a pretty strong statement. But I'm not such a nit-picker and in general he's definitely right. If you have a couple of minutes, read the article and/or watch the short Youtube interview that it has embedded.
If you care about things like privacy at all, we're living in a nightmare already and things keep getting worse. What I have blogged about in this series of posts so far is not really solving any problem. It's just a first step to take back your network. Have you built your own router, too, or are you planning to do so? Just assembling it and installing a firewall OS on it won't do the trick. As a next step you have to learn the basics of networking and firewalling so you can configure your box according to your needs. And even then you have just put your own router behind the modem/router box from your ISP and not replaced that. I'd like to go further and get my own modem, too. But that step requires a lot more reading before I will even attempt to do it.
However this article is about doing a more advanced OPNsense installation that leaves room for customizing things. Let's get to it!
OPNsense Installer: Manual installation (PNG)
In the installer select "manual installation" obviously. This will lead you through a couple of dialog windows that let you customize your partitioning etc.
OPNsense Installer: Format the disk? (PNG)
It seems like OPNsense can be installed on an existing filesystem. There might be people who would want that feature but I don't. I definitely prefer to start fresh as a newly installed OS should be in a clean state in my opinion.
OPNsense installer: Geometry confirmation (PNG)
The installer then gives you the option to change the disk geometry. You almost certainly _don't_ want to do this. If you do need to, you have a strange disk, are aware of its quirks and know geometry matters good enough that you definitely don't need my advice on it.
OPNsense installer: Slice disk? (PNG)
Next you are asked if you want to slice (OPNsense uses the term "partition" to describe MBR partitions which is fine since that's what non-BSD people usually call it). I don't expect to be dual-booting my box or anything, so I could go with just one slice. However I might install and try out some other versions (or take a look at pfSense again when 2.4 is officially out or even something like OpenWRT, just to take a look at it). For that reason I create two slices so I can keep my OS on one and my data on the other.
OPNsense installer: Disk slicing (PNG)
I created a FreeBSD slice and one of type _Plan9_. No, I'm not going to put Plan9 on there. It will be erased and re-purposed anyway. But the installer has this option and Plan9 is cool. 3 GB for OPNsense should be enough and I give the rest to the future data slice.
OPNsense installer: Slice alignment (PNG)
For the advanced installation we're unfortunately stuck with installing on the MBR partitioning scheme. That means (for compatibility's sake) the system enforces the old CHS (Cylinder, Head, Sector) addressing limitations which are almost completely irrelevant today, but meh. The most annoying consequence of this is that "partitions have to end on a cylinder boundary". If you don't know what that means: It's related to the physical geometry of spinning drives that has been of high importance in the olde days(tm) and still haunt us today because operating systems are used to work with it (even though geometry parameters have been lies and lies only for decades now and SSDs don't have spinning parts but claim to have them to make the OS happy...) To comply with this, choose to grow or shrink your slice by a couple of sectors.
OPNsense installer: No bootblock installation (PNG)
If you want to dual-boot (or multi-boot) your box, make sure to install a boot manager now. I don't anticipate to install more than one OS on it at the same time and so I skip this. Oh, and please don't ask me what "packet mode" is! I tried to research it, but all that I found boils down to "if you have problems, try with/without it". I couldn’t really find anything about what that actually does (at least not in a reasonable amount of time). If you know: Please leave me a comment!
OPNsense installer: Slice selection (PNG)
Next is selecting which slice to install to. Why, the FreeBSD one, of course!
OPNsense installer: Adding disklabel partitions (PNG)
Finally the slice needs to be partitioned (or sub-partitioned if you regard the slices as "partitions"). This means that BSD disklabels are created inside the MBR slice to allow for multiple partitions. For the setup that I have in mind, two partitions suffice: One for / and the other for SWAP space. For whatever reason the installer does not directly allow to assign SWAP, so I allocate 2 GB for the root partition and the rest to a second partition that has no mountpoint. That's it, the installation can start now.
Once the installation is complete, follow the steps that I wrote about in the article about the simple installation.
Building a BSD home router (pt. 5): Installing OPNsense
Got the interfaces assigned and the setup wizard run? Good. OPNsense can be administered purely through the Web GUI. However if you're like me, you really prefer some means of direct console access. Sure, we have that over the serial console. While that's fine for the installation, it's a bit cumbersome for daily use. Fortunately there's a better way: Let's just enable SSH access!
OPNsense Web GUI: Creating a user (PNG)
First stop: Creating a user (you wouldn't want to SSH in as root, do you? _Do you?!_ Do this on a production machine like _never_). One thing is important here: Make your new user a membor of the "admin" group or else it won't be terribly useful to you. Also use SSH keys instead of passwords. If you haven't ever used keys, set a couple of minutes aside to do a little reading about what they are. They are much more secure than passwords and you definitely want to use them even if you don't know that just yet (I recommend the article on SSH keys over at the Arch Linux wiki. Unless you're using the original OpenBSD OpenSSH, we're all using the same version of OpenSSH-portable anyway). You must also check the "use scrambled password" checkbox because OPNsense won't let you get away with an empty password.
SSH key generation (Arch Linux wiki)
OPNsense Web GUI: Enabling SSH (PNG)
Then OpenSSH needs to be activated. If - for whatever reason - you cannot use keys, you have to enable the "permit password login" option. Try to avoid that, though. And don't check the "permit root user login" however convenient it might be!
SSH login to the OPNsense box (PNG)
That's it, you can now log into your box using SSH. Use _su -l_ and the root PW to become root. OPNsense will then display the nice menu that you already know from connecting via serial.
Right now we have a lot of disk space wasted and there's other things wrong, too. So after the installation there's some more work to do, some packages to install, filesystems to create, etc. I originally intended to stuff more into this post but it's certainly long enough already. See you in part 8, the last part of the series!