💾 Archived View for gemini.circumlunar.space › users › kraileth › neunix › eerie › 2017 › building_a… captured on 2023-04-26 at 14:25:47. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-05)
-=-=-=-=-=-=-
Here I'm republishing an old blog post of mine originally from June 2017. The article has been slightly improved.
Part 1 of this article series was about why you want to build your own router, and how to assemble the APU2 that I chose as the hardware to build this on. Part 2 gave some Unix history and explained what a serial console is. Part 3 demonstrated serial access to the APU and showed how to update its firmware.
Building a BSD home router (pt. 1): Hardware (PC Engines APU2)
Building a BSD home router (pt. 2): The serial console (excursion)
Building a BSD home router (pt. 3): Serial access and flashing the firmware
This post is about the serial installation of _pfSense_, one of two FreeBSD-based router/firewall operating systems that we're going to explore in this series (the other being _OPNsense_). As pfSense is the older and more established product, we're beginning with that one.
We're just doing the installation here. A closer look at using pfSense or a comparison with OPNsense will be another post. Getting pfSense up and running is really easy, even when you're using the serial console. The first step is the actual installation. In a second step you need to configure the LAN interface and then you can use the WebGUI to do the final setup.
The first thing to do, however, is getting preparing an installation medium. Head over to pfSense's Download site. What you want is an _install image_ for _amd64_. Then select _USB Memstick Installer_ which let's you choose the console type - obviously get the _serial_ one!
Then get a USB stick that you can spare and _dd_ the image on it. Once you have that ready, plug it into the APU. Next attach the serial cable to your APU and to another computer. Then connect to the console (how to do that was described in the previous post). Now power on the APU.
Even if there's already an OS installed on your mSATA drive, the memstick should take precedence when it comes to boot order. So you can probably just wait until the installer comes up.
pfSense's loader menu: screwed up over the serial console... (PNG)
Don't be scared when you see garbage displayed on the screen. This is just the bootloader that's screwed up badly when used over a serial connection (they've already fixed that in the beta version for the upcoming pfSense 2.4). Either just wait 10 seconds for it to boot automatically or press enter to boot right now (if you need any other options, you might want to get an ISO for pfSense, too, and test it in a VM or get a VGA image, put that on a stick and try it out on hardware that provides a local console over a screen and keyboard).
...but once the kernel loads, text output is fine (PNG)
As you can see, it's only the loader. As soon as the kernel takes over, the text is displayed correctly. That means you can actually read the messages in case anything goes wrong here. If you don't do anything, the installer will eventually come up automatically.
First screen of the installer (PNG)
In the first screen of the installer you can configure the console. Most likely the defaults will be fine, though.
Selecting the installation method (PNG)
Then you need to choose the installation method. We will do a _quick installation_ but you could also do a custom installation or setup gmirror (mirrored software RAID).
The usual "this will erase your data" warning (PNG)
Since installing pfSense means destroying any data that might currently be on the drive, the installer warns you that it will erase it.
Installation progress bar (PNG)
If you confirmed the warning, the actual installation starts (but the progress meter is kind of useless as it seems... It remained at 5% for a while and then jumped to 100% for me).
The next thing to do is to select the right kernel. Since our APU2 is a headless device, make sure that you select the _embedded kernel_! Otherwise you won't be able to use the serial console with it (without having to change settings in the loader).
After the kernel is installed, the installer runs a script to do some final tasks.
When all is done, it's time to reboot the system.
pfSense rebooting after installation (PNG)
Just before it reboots, pfSense prints some important information on the screen, telling how to log into the WebGUI. Remove the memstick now or the APU will boot off of it once more an you'll just see the installer again.
The OS has been successfully installed, but leave your serial console attached for now.
pfSense's text mode management menu (PNG)
Once the system has booted, you will see the management menu. It offers a lot of tools including going to a shell (option 8) and doing everything you like. We want to configure the IP address for our LAN interface (option 2):
Configuring the LAN interface (PNG)
I'm assigning 192.168.2.1 since my modem/router (yes, I'm not replacing it just yet and will operate the new router between that box and my actual network for now) has already taken 192.168.1.1. It's not like I need a full /24 subnet for my network, but I go with that common subnet mask for now.
Configuring a DHCP service for the LAN interface (PNG)
Since I intend to use DHCP for my network, I enable a DHCP server for the LAN interface. The range of DHCP addresses that I use here is just an example for this test installation. I will cut it down to about 10 when I do my final setup. The reserved addresses before the DHCP range serve a purpose, though - more on that in a separate future post.
As soon as everything is ready, you can now end the serial connection and remove the cable. We have a valid IP address on the LAN interface now after all.
So now we can access the WebGUI simply by entering the IP address in the URL bar of any browser. Of course the computer that runs the browser needs to have an IP address that is on the same subnet. So you might want to change your address if that is not the case - or fire up the dhclient, as it should get an address in the range that you specified (or simply reboot if your computer is configured for DHCP).
Self-signed certification warning (PNG)
It's a good thing that pfSense uses TLS so you can access the router securely via HTTPS. However the certificate it uses is self-signed and thus unknown to your browser which will display a warning. That doesn't mean that it's useless. In our case it's just necessary to create an exception to accept that cert permanently.
Logging into pfSense's WebGUI (PNG)
You'll then see the login screen. Use the username _admin_ and the initial password _pfsense_ to log in.
Running the configuration wizard (PNG)
Once you're logged in, pfSense suggests that you run the configuration wizard - and that makes sense.
A little advertising for pfSense Gold (PNG)
The first screen of the wizard is an advertisement for the commercial version of pfSense called _pfSense Gold_. If you are working for a company looking for more than the free "Community Edition" of pfSense will give you, have a look at this service. Maybe it's for you.
General information configuration (PNG)
First you configure some general settings like the hostname, domain, etc.
Time Server configuration (PNG)
Next is the configuration of the time zone and NTP daemon.
Then the WAN interface needs to be configured. There are a lot of settings there and very likely you don't need all of them.
After that comes the LAN interface. Here you can only configure the IP address and subnet mask (which we already did in text mode).
Changing the password for the WebGUI (PNG)
Finally we're prompted to change the password which is a good idea of course. Even if the WebGUI is only accessible from the LAN interface by default, it's a matter of principle.
Configuration done: Reload! (PNG)
That's it, the wizard is finished. Time to reload the configuration.
All done, pfSense is ready (PNG)
We're done here, pfSense is installed and the basic configuration has been applied. There's another little advertising here which is legit for a free product, I guess. We're going to take a look at the main WebGUI and its many, many options in another post.
The next blog post will detail the installation of OPNsense, another excellent option for your router.