Messages

Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers" ? I noticed that I had a similar issue if I didn't have server explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.

I do have servers defined there, but they are ignored, as I have Unbound pointing to servers using DoT. Just to clarify, I have no problem with name resolution on the internet, it's just slow on the local domain.

Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Unbound is not going anywhere as far as i know, so why not migrate to Kea for DHCP ?

Mainly because Kea does not register the DNS names of leases, which is one aspect of ISC DHCP that made for such a seamless UX when combined with Unbound.

Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts on the local domain by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Done.

OPNsense is truly a marvel of engineering and deserves our support.
It is an amazing, high-quality product.
Thank you, devs!

Figured out the bios password:

Code Select Expand

Kilimanjaro1 as per this reference page from STH
Changes I made:
* Disabled the watchdog
* Disabled the virtualization options (intel virtd, VT-d)
* Enabled EIST
* Changed console to 115200

I came across this last night as well!
Thanks for posting. I will update the OP.

Thank you Ground_0, I purchased two new units off eBay and am working to set them up now for purposes of Internet firewall, routing and site-to-site WireGuard VPN between two locations. I have installed OPNsense onto an ORICO 128GB NVMe M.2 drive from Amazon. So far so good.

Regarding the port identification:

OPNsense Device → Label on Unit
igb0 → mgmt0
igb1 → mgmt1
ix0 → lan0
ix1 → wan0
ix2 → lan1
ix3 → wan1

Edit: I now see you listed the port mapping in your initial post, I just glazed over them. Thanks again!

Thank you for your comprehensive, and improved port identification. I have included it in the OP.

Thanks so much! It looks like that M.2 is indeed an pcie 3.0 x4 (currently populated by a samsung ssd?)

Indeed, yes. It's a spare SSD I swapped into it.

This looks amazing! Thank you so much!
Are you sure this is a B+M M.2 slot? it looks like an M key slot.

You are absolutely correct! Updated. Thanks.

Can you do me another favor and run

Code Select Expand

pciconf -lcvto see how many pcie lanes that M.2 slot has?

Done!

Can I request a picture of the board? This device looks very interesting!
Any idea if how many lanes the M.2 PCIe has? Would love to throw some sfp ports on it.
Thanks

It's tricky to upload a hi-res image. I had to compress it so severely that much of the detail has escaped, but I have now included a shot of the board as well as the back side of the unit.

CPU with AES-NI Crypto Capability, (2) USB3 ports, (1) Console port (6) Intel Ethernet Ports; lan0, wan0, lan1, wan1 use the ix Intel 10Gb Ethernet driver.

Excellent, I hope a lot of people see it and get one them, hopefully cheap :)

You could mention the order and the naming of the network ports, in relation to how they are labeled at the front. So that when installing one knows which igb?? or ix?? is referring to which port at the front.

And regarding the CPU crypto, you must mention that the CPU supports QAT :) ... QAT will help accelerate IPsec and OpenVPN when using DCO.

On it.

Code Select Expand

root@EventHorizon:~ # uptime
 9:53AM  up 1 day, 1 min, 1 user, load averages: 0.35, 0.36, 0.31
Still chugging. [SOLVED]

Here is a link to the tutorial.

Code Select Expand

echo 'ichwd_load="YES"' >> /boot/loader.conf.local

I'd recommend using the UI for that instead.

System > Settings > Tunables

Click on the "+" in the upper right corner, then:

Tunable: ichwd_load
Value: YES

This way the setting will be part of a configuration backup and at least sort of documented by being visible in the UI.

Excellent, thank you, Patrick.
I will update the guide to include this.

[TL;DR]

The Silver Peak FWA-ASP1012 EC-XS is a desktop security appliance which can also be rack mounted. These units have an embedded/BIOS controlled watchdog timer which must be circumvented in order to make them useful. Without access to the BIOS password, it took some time to establish a method of procedure to get OPNsense installed, but, with the loading of a single kernel driver, it is quite simple, thanks to patient_0 and his expertise.

EDIT: TL;DR A user on STH managed to dump the BIOS and retrieve the password: Kilimanjaro1

With a serial console, connect at 9600 baud, 8n1.
Enter BIOS by pressing [DEL]
The watchdog timer can be disabled under Hardware/Watchdog Mode/.
You may also want to set the console to 115200 under Platform/Serial Console/Serial Console Speed/, and customize other settings to your liking.

Some recommended settings:
Platform/Platform Management/

Code Select Expand

EIST                    [Enabled]
Turbo                   [Enabled]                
Post & Boot/CSM Parameters:

Code Select Expand

   CSM Support             [Disabled]                |Enable/Disable CSM       |
|  Boot option filter      [UEFI only]               |Support.                 |
|  Network                 [Do not launch]           |                         |
|  Storage                 [UEFI]                    |                         |
|  Video                   [UEFI]                    |                         |
|  Other PCI devices       [UEFI]
Setting the OPNsense USB flash drive to boot under Post & Boot/Boot Option Priorities/, disabling CSM and setting Boot Option Filter to UEFI only and Storage to UEFI should allow you to install to the 120 GB SATA M.2 SSD which should be something like ada0 W6EN120G2TA-PC1AA4-4D2-SP

Pros: These little x86 devices are heavy as cinder blocks; built like tanks; enterprise-grade, silent, relatively hackable, powerful, and quite affordable. They will run circles around many desktop appliances rated at 1Gb/s for a fraction of the cost, and they run OPNsense perfectly. (I have also successfully installed RHEL 9.5 on it, which runs perfectly as well!) They can be found on the web in used and new-old-stock condition. I would recommend getting a new unit; they are cheap and plentiful on eBay as of this writing, and, there's nothing like *new*.  All 6 ports are Intel-based and fully functional through OPNsense. The unit is set to power on automatically after a power failure- perfect for a router/firewall.

SPECS:
120GB M.2 B+M SATA SSD* (2280), 16GB ECC RAM, Quad Core Intel Atom C3558 2.20 GHz CPU with QAT, AES-NI Crypto Capability, (2) USB3 ports, (1) Console port (6) Intel Ethernet Ports-

lan0, wan0, lan1, wan1 ports use the ix Intel 10Gb Ethernet driver. OPNsense reports these as Intel(R) X553 (1GbE)

mgmt0 and mgmt1 ports use igb Intel(R) PRO/1000 PCI Express Gigabit Ethernet adapter driver, reported as Intel(R) I210 (Copper)

Regarding the port identification:

OPNsense Device → Label on Unit
igb0    →  mgmt0
igb1      →  mgmt1
ix0        →  lan0
ix1        →  wan0
ix2        →  lan1
ix3        →  wan1

The unit employs 2 x 40mm Sunon case fans which are completely silent under normal operation (they will rev up on first powerup).
The unit consumes 20W at idle, 23W at full 1Gb/s.

Holding the power button for 4 seconds triggers a soft power-off.

* The unit has an M keyed slot which is PCI-e Gen 3X4, but also SATA compatible. 5 out of the 6 NvME 2280 drives I have tried work perfectly and all were Gen 3 x 4.

Cons: 1Gb/s might be a deal breaker for some. BIOS is password protected from factory, (although it is not necessary to access it at all for this tutorial). The OPNsense installer will not recognize the installed SSD unless the storage controller is set to UEFI in the BIOS. If the Kilimanjaro1 password does not work for you, I include 2 easy and simple workarounds for this.
*Also*. If the BIOS password does not work, and if you don't have a spare laying around, I would recommend picking up a ~120GB Gen 3x4 M.2 NvME drive- they are less than $20 delivered on Amazon.

Code Select Expand

root@EventHorizon:~ # pciconf -lcv
hostb0@pci0:0:0:0:      class=0x060000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x1980 subvendor=0x8086 subdevice=0x1999
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series System Agent'
    class      = bridge
    subclass  = HOST-PCI
hostb1@pci0:0:4:0:      class=0x060000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19a1 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Error Registers'
    class      = bridge
    subclass  = HOST-PCI
    cap 10[40] = PCI-Express 2 root endpoint max data 256(256)
                max read 128
none0@pci0:0:5:0:      class=0x080700 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19a2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Root Complex Event Collector'
    class      = base peripheral
    subclass  = Root Complex Event Collector
    cap 10[40] = PCI-Express 2 event collector max data 256(256)
                max read 128
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 1 non-fatal 1 corrected
    ecap 0007[150] = Root Complex Event Collector ASsociation 1
pcib1@pci0:0:6:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a3 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated QAT Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
pcib2@pci0:0:12:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a7 subvendor=0x8086 subdevice=0x19a7
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x2(x2) speed 8.0(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19a7
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib3@pci0:0:15:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a9 subvendor=0x8086 subdevice=0x19a9
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x0(x1) speed 0.0(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19a9
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib4@pci0:0:16:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19aa subvendor=0x8086 subdevice=0x19aa
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x1(x1) speed 2.5(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19aa
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib5@pci0:0:17:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19ab subvendor=0x8086 subdevice=0x19ab
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x1(x1) speed 2.5(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19ab
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
none1@pci0:0:18:0:      class=0x088000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19ac subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SMBus Contoller - Host'
    class      = base peripheral
    cap 10[40] = PCI-Express 2 root endpoint max data 256(256) FLR NS
                max read 128
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 05[8c] = MSI supports 1 message, 64 bit, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
ahci0@pci0:0:19:0:      class=0x010601 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19b2 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SATA Controller 0'
    class      = mass storage
    subclass  = SATA
    cap 05[80] = MSI supports 1 message
    cap 01[70] = powerspec 3  supports D0 D3  current D0
    cap 12[a8] = SATA Index-Data Pair
    cap 11[d0] = MSI-X supports 8 messages, enabled
                Table in map 0x10[0x0], PBA in map 0x14[0x0]
xhci0@pci0:0:21:0:      class=0x0c0330 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19d0 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series USB 3.0 xHCI Controller'
    class      = serial bus
    subclass  = USB
    cap 01[70] = powerspec 2  supports D0 D3  current D0
    cap 05[80] = MSI supports 8 messages, 64 bit enabled with 1 message
pcib6@pci0:0:22:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19d1 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated LAN Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
pcib7@pci0:0:23:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19d2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated LAN Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
none2@pci0:0:24:0:      class=0x078000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19d3 subvendor=0x8086 subdevice=0x19d3
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series ME HECI 1'
    class      = simple comms
    cap 01[50] = powerspec 3  supports D0 D3  current D0
    cap 05[8c] = MSI supports 1 message, 64 bit
sdhci_pci0@pci0:0:28:0: class=0x080501 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19db subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SD Host Controller'
    class      = base peripheral
    subclass  = SD host controller
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 09[90] = vendor (length 20) Intel cap 15 version 0
isab0@pci0:0:31:0:      class=0x060100 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19dc subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series LPC or eSPI'
    class      = bridge
    subclass  = PCI-ISA
none3@pci0:0:31:2:      class=0x058000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19de subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Power Management Controller'
    class      = memory
ichsmb0@pci0:0:31:4:    class=0x0c0500 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19df subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SMBus controller'
    class      = serial bus
    subclass  = SMBus
none4@pci0:0:31:5:      class=0x0c8000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19e0 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SPI Controller'
    class      = serial bus
qat0@pci0:1:0:0:        class=0x0b4000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19e2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series QuickAssist Technology'
    class      = processor
    cap 05[b0] = MSI supports 1 message, 64 bit, vector masks
    cap 11[60] = MSI-X supports 17 messages, enabled
                Table in map 0x18[0x3b000], PBA in map 0x18[0x3b800]
    cap 01[6c] = powerspec 3  supports D0 D3  current D0
    cap 10[74] = PCI-Express 2 endpoint max data 256(16384) FLR RO NS
                max read 1024
                link x16(x16) speed 5.0(5.0) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000e[138] = ARI 1
    ecap 0010[140] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 16 supported
                    First VF RID Offset 0x0008, VF RID Stride 0x0001
                    VF Device ID 0x19e3
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
nvme0@pci0:2:0:0:      class=0x010802 rev=0x00 hdr=0x00 vendor=0x144d device=0xa808 subvendor=0x144d subdevice=0xa801
    vendor    = 'Samsung Electronics Co Ltd'
    device    = 'NVMe SSD Controller SM981/PM981/PM983'
    class      = mass storage
    subclass  = NVM
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 32 messages, 64 bit
    cap 10[70] = PCI-Express 2 endpoint max data 256(256) FLR RO NS
                max read 512
                link x2(x4) speed 8.0(8.0) ASPM disabled(L1) ClockPM disabled
    cap 11[b0] = MSI-X supports 33 messages, enabled
                Table in map 0x10[0x3000], PBA in map 0x10[0x2000]
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[148] = Serial 1 0000000000000000
    ecap 0004[158] = Power Budgeting 1
    ecap 0019[168] = PCIe Sec 1 lane errors 0
    ecap 0018[188] = LTR 1
    ecap 001e[190] = L1 PM Substates 1
igb0@pci0:4:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x13fe subdevice=0x301c
    vendor    = 'Intel Corporation'
    device    = 'I210 Gigabit Network Connection'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 74fe48ffff6e2443
    ecap 0017[1a0] = TPH Requester 1
igb1@pci0:5:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x13fe subdevice=0x301c
    vendor    = 'Intel Corporation'
    device    = 'I210 Gigabit Network Connection'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 74fe48ffff6e2444
    ecap 0017[1a0] = TPH Requester 1
ix0@pci0:6:0:0: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e4 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0000c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix1@pci0:6:0:1: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e4 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0000c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix2@pci0:7:0:0: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e5 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0100c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix3@pci0:7:0:1: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e5 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0100c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
root@EventHorizon:~ #
 
METHOD AND PROCEDURE of WORKAROUND if the Kilimanjaro1 password does not work for you:

1.) The case is secured with 6 screws. Disconnect from power, and, after removing the cover, remove the SSD, battery, and clear the CMOS using the 'CLR CMOS' jumper (near the battery and SSD). Leave it in the clear position for about a minute, then return the jumper to its normal position and re-install the battery, but leave the SSD uninstalled.

2.) Restore power. If the front panel power LED flashes amber, remove the battery and clear the BIOS again. You may need to repeat this process until it glows green. When it does, you should hear a relay click. At this point, disconnect power.

*NOTE* The factory SSD is an M.2 2280 SATA with a B+M key and seems undetectable by the OPNsense installer, unless the storage controller is set to UEFI only mode. Using an M.2-USB adapter on Fedora Linux, I found 120GB, 3 partitions, plus a 4th extended partition containing logical partitions 5-11. Without access to the BIOS storage settings, OPNsense only detects an onboard 8 GB eMMC, which you *can* install to, using UFS, since the offical OPNsense documentation lists 4GB as minimum. UFS will fill 36% of the eMMC  on a fresh installation, but ZFS will complain about space constraints. Without BIOS access, I swapped in a spare Samsung M.2 NvME 2280 Gen 3.0 x 4 drive, using ZFS, which works perfectly. If the Kilimanjaro1 password does not work for you, and you have installed to the eMMC and need to upgrade to an SSD in the future, use the OPNsense live environment to format the eMMC, otherwise, the eMMC will remain first in the boot order.


3.) Ensure the SSD is uninstalled, and using the AMD_64 serial image burned to USB and a serial console (like PuTTy) at 115200 baud, insert the USB drive and restore power. The unit will power cycle twice, with long pauses. The PuTTY console will remain dark at this time. The BIOS should eventually find the bootable USB, and the fans should rev up and down. An error will display at the last power cycle:

Code Select Expand

ERROR: Class:3000000; Subclass:60000; Operation: AAfter this message, the machine should power up and boot to the USB drive. If not, and it just sits idle, manually unplug and re-insert the power plug.
(Note that the system BIOS is password protected from the factory and is only available at 9600 baud, but, it should be unnecessary to access.)

4.) Once OPNsense boots from the USB drive to the splash screen, power down again, install an M.2 NvME 2280 SSD (recommended), or, simply leave the M.2 slot vacant if you want to install to the 8GB eMMC using UFS, power up, and boot the OPNsense installer as normal.

5) Take the opportunity to utilize the manual interface assignment, (ix0 is port lan0 and ix1 is port wan0).

6.) Login as 'root' (password 'opnsense') through the serial console and enter the shell (option 8).

7.) Note that, at this point, you have less than 10 minutes to complete the next step, but, this will be plenty of time.

Load the  Intel watchdog driver :

Code Select Expand

# kldload ichwd
8.) Logout and log back in as 'installer' (password 'opnsense') and continue the installation as normal.

9.) Reboot. It is safe to pull the USB stick once you see:

Code Select Expand

umass0: detached
uhub0: detached

10.) Once rebooted into the installed system, repeat steps 6 and 7, to reset the watchdog timer and prevent the machine from rebooting.

11.) Login to the WEBUI as 'root' (password 'opnsense').

12.) Configure your system as normal, either manually and/or by utilizing the wizard.

13.) In order to address the embedded watchdog and permanently prevent the unit from rebooting every 10 minutes, configure OPNsense to load the Intel watchdog driver at boot:

System > Settings > Tunables

Click on "+" in the lower right corner, then:

Tunable: ichwd_load
Value: YES

14.) Reboot, continue as normal, and enjoy.


THANK YOU:
Thanks again to patient_0 for his knowledge, expertise and tenacious digging for the watchdog timer solution! He has made it possible for the masses to re-purpose these excellent machines.
Thanks to Patrick M. Hausen for the WEBUI tunable.
Thanks to poningru for his M.2 correction.
Thanks to WarpConduit for his improved port identification table.
Thanks to Justin from velocitytechsolutions for his efforts and patience.

So, to answer my own question, I believe that /etc/rc.local  would have been the file to unload the module, after adding the execute bit to it.
However, the machine has been up for 16 minutes now without unloading it.. I will update.
Thank you for ostensibly solving this riddle, Patient_0!
If I can get this thing to stay up for 24 hours, I will post a simple tutorial in this subforum, unless you would like to do so.
These boxes have great specs and can be found for cheap, and getting this information into the hands of others would be great.

Eureka!

Code Select Expand

echo 'ichwd_load="YES"' > /boot/loader.conf.local

Code Select Expand

root@EventHorizon:~ # cat /boot/loader.conf.local
ichwd_load="YES"


Code Select Expand

root@EventHorizon:~ # dmesg | grep -i watchdog
ichwd0: <Intel Atom C3000 watchdog timer> at port 0x400-0x41f iomem 0xfdc6000c-0xfdc6000f on isa0
ichwd0: <Intel Atom C3000 watchdog timer> at port 0x400-0x41f iomem 0xfdc6000c-0xfdc6000f on isa0
ichwd0: <Intel Atom C3000 watchdog timer> at port 0x400-0x41f iomem 0xfdc6000c-0xfdc6000f on isa0
root@EventHorizon:~ # dmesg | grep -i superio
root@EventHorizon:~ # kldunload ichwd
ichwd0: detached
root@EventHorizon:~ # date
Wed Jan  2 10:59:23 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:00:32 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:02:27 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:02:56 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:02:57 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:03:01 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:03:31 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:03:56 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:04:33 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:05:47 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:06:53 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:08:06 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:08:47 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:09:49 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:11:09 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:11:55 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:12:02 EST 2008
root@EventHorizon:~ # date
Wed Jan  2 11:13:30 EST 2008
root@EventHorizon:~ #
(I'll have to fix the date, but we're way beyond the 10 minute mark!!)
Wow....like magic.
2 things come to mind.
1.) I'm going to try and reboot and continue without unloading ichwd and see the results.
2.) If normal functionality is only able to be achieved by unloading it, is there a recommended rc.conf that is run at the end of the FreeBSD boot process where I can place kldunload ichwd in order to automate it?