💾 Archived View for gemini.circumlunar.space › users › kraileth › neunix › eerie › 2017 › building_a… captured on 2024-05-10 at 12:54:09. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-05)
-=-=-=-=-=-=-
Here I'm republishing an old blog post of mine originally from June 2017. The article has been slightly improved.
Part 1 of this article series was about why you want to build your own router, and how to assemble the APU2 that I chose as the hardware to build this on. Part 2 gave some Unix history and explained what a serial console is. Part 3 demonstrated serial access to the APU and showed how to update its firmware. The previous article detailed installing pfSense.
Building a BSD home router (pt. 1): Hardware (PC Engines APU2)
Building a BSD home router (pt. 2): The serial console (excursion)
Building a BSD home router (pt. 3): Serial access and flashing the firmware
Building a BSD home router (pt. 4): Installing pfSense
This post will show how to install OPNsense, a great alternative to pfSense.
OPNsense was forked from pfSense (more on than in the next post) and thus you will find lots of similarities if you have read the post on installing pfSense. The OPNsense team decided to move forward more quickly and did lots of interesting but invasive changes. One strong point for example is that it is already based on FreeBSD 11.0. There is one drawback to this, however: a problem with the XHCI (USB3) driver can lead to the installation media not being able to mount the filesystem and boot up. This makes installing OPNsense a little bit more complicated since the APU2 only has UBS3 ports.
Well, the board _does_ have an internal USB2 controller, too. Therefore I suggest getting a cable that allows connecting USB devices to it. If this is not for you, take a look at the end of the post, I've prepared a section "alternative installation methods" there.
First download an image (select amd64 + serial). Then __dd__ it onto an unused memstick and prepare the serial connection (take a look at the previous posts if you need help with dd’ing or attaching the serial console).
Part 3 covers attaching the serial console
As you can see on the following picture, I've attached a memstick (with the OPNsense install image on it) via USB2 and made a serial connection. That way the installation works just fine.
Open APU2 box with serial connection and memstick attached to the internal USB2 controller (PNG)
Hit F10 to go to the boot menu as soon as SeaBIOS offers it.
Boot menu to select which device to boot off of (PNG)
Since we've attached the memstick over USB2, the internal drive would take precedence over it in the default boot order. So in this case I have to select 2 to boot off of the memstick.
The OPNsense boot loader (PNG)
The OPNsense boot loader looks fine. If you're installing 17.1 using USB2 you don't need to do anything here.
Nice feature: Early configuration importer (PNG)
One notable difference from pfSense is the early configuration importer. If you have a saved configuration XML file, you can put e.g. a UFS2 filesystem on a memstick, create a directory _conf_ on it and copy config.xml there. That makes it available in the importer.
Then you have the option to assign roles to your interfaces (like WAN and LAN).
Logging into the installer (PNG)
OPNsense gives you the choice to start the installer or to use a live system. Log in as user _installer_ to perform an installation or as _root_ in the other case. The password for both users is _opnsense_.
Greeting screen of the installer on the serial console (PNG)
The OPNsense installer is black and white only when using the console. But that's fine. The installer greets you with the welcome message.
Console configuration menu (PNG)
The next screen lets you customize the console. You probably don't need to do that.
Selecting the installation type (PNG)
Then you need to select the installation type. You could do advanced partitioning here or setup a softraid (gmirror). We're going with the simple installation for this post.
Choosing the drive to install on (PNG)
Now you need to choose where to install to. The mSATA drive is _ada0_ whereas the memstick is _da0_.
Selecting the partition scheme to use (PNG)
OPNsense also lets you choose which partition scheme to use. In case of our router this is not terribly important, especially not with our sample installation that puts everything in one partition. But since stone age is over, you might as well choose _GPT_ anyway.
Progress bar for the installation (PNG)
While the progress meter was broken with pfSense, this has obviously been fixed for OPNsense. Not that you should reinstall all that often, but still...
Installation done: Reboot! (PNG)
Once the installation is finished, you of course want to reboot to your new system.
Displaying some information before rebooting (PNG)
Before rebooting, OPNsense tells you how to access the Web GUI. However the IP address that it uses by default is already taken by my ISP's modem/router box. We're going to change that next.
When the system has started up, you are prompted to log in. This is the default behavior which can be changed to allow unprotected login over the console like with pfSense. But in general I like that bit of extra security.
OPNsense's text-mode configuration menu (PNG)
The text-mode configuration menu looks much like that of pfSense.
Configuring the LAN interface (PNG)
And the interface configuration works right the same.
Setting up DHCP on the LAN interface (PNG)
As does the DHCP configuration.
Logging out and disconnecting the serial console (PNG)
Since OPNsense required a login, you can also log out when you're done. Now disconnect the serial console - we're done with it.
Just like pfSense, OPNsense offers a nice Web GUI to configure all the settings. Fire up your browser on a PC that is in the same subnet (or got its IP address via DHCP from the new router) and enter the router's LAN IP address in the URL bar.
Self-signed certificate warning (PNG)
OPNsense uses https to create a secure connection, too. Of course a self-signed certificate is used which is not trusted by my Firefox. Therefore a permanent exception needs to be made.
OPNsense Web GUI login screen (PNG)
Once you have confirmed the exception, you will see the login screen. Log in as _root_ with the password _opnsense_.
The configuration wizard (PNG)
On the first login you will be greeted by the configuration wizard. It will present you about the same choices as pfSense does (without the advertizing of the commercial version, of course).
Configuring general settings (PNG)
First it's some general information like hostname and DNS. What OPNsense offers over pfSense is i18n options: Chances are that you can configure the Web GUI to speak your language! That's pretty nice.
Configuring time-server settings (PNG)
Time server settings are just like those from pfSense.
Configuring the WAN interface (PNG)
WAN configuration offers you a lot of options. Take a close look at those. Fortunately you very likely don't need most of what is there.
Configuring the LAN interface (PNG)
Same thing for the LAN configuration: You know that from pfSense.
Setting a new password for the Web GUI (PNG)
Also with the password changing part there's no surprise here.
All done. Reload the config! (PNG)
That's it. Reload the config now and you're done with the wizard. OPNsense now has a basic configuration and is ready to be used.
OK, you don't have a cable to connect to the USB2 pins but you want OPNsense? There are several things that you can try. I've documented my attempts (including several solutions) on the OPNsense forums in case anybody needs them.
Here are a few things that you can try:
Should you install __16.7 using a USB3 port__, press _ESC_ before the loader countdown runs out. This will drop you to the loader prompt. Then enter the following:
set kern.cam.boot_delay=10000
boot
That did the trick and made the system boot up for me. The actual installation is quite similar to what I covered above.
You could also use a USB cdrom to boot the installation - of course use the OPNsense cdrom ISO in this case! However the cdrom image does not have the serial console enabled by default. So escape to the loader prompt, set some variables to enable the serial console and boot:
set boot_multicons=YES
set boot_serial=YES
set comconsole_speed=115200
set console=comconsole,vidconsole
This will work, too. But there's one little problem with that: The TTYs are configured on their own using a configuration file - and they are not ready for serial connection! Since this is a CD, we cannot really do much about that. What we can do, however, is using the configuration importer. To follow this path, install OPNsense in a VM and prepare a basic configuration xml to use with the actual installation on the APU.
The next post will be _pfSense vs. OPNsense_! It will discuss some of the notable differences and when to use which one.