Messages - BrianLloyd

#1
I am going to rebuild my system on the 16G miniSD card. This time I am going to create a partition for /var/log to prevent log overflow from killing OPNsense. I am not familiar with how and where filesystems are mounted during the boot process. Could someone give me a pointer?

Yes, I know, I could figure this out for myself after a couple hours of research but I'm feeling time-crunched and I bet someone could tell me in about 30 seconds.

Thanks!
#2
It has been a long time since I was a sysadmin on anything other than MacOS. (SunOS and Solaris mostly in the day.) I notice that Apple has the ability to resize a partition on-the-fly. Not being familiar with the current BSD filesystems, is such a thing possible? That might be nice with the nano format.
#3
Thank you. I presume you are using putty for its ssh capability.

But if OPNsense is intended to be a networking appliance, apparently it needs a bit more work on self-preservation. I can understand trap-door-ing yourself out of the system during configuration, mostly of packet filters, but once a system is running, it should stay running under all conditions until either power or the hardware fails. Reliability is a key watchword for networking appliances. We need to put things in places where we don't have our fingers on the reset button. And I know that getting up at 2AM to drive 100mi to press the reset button on one of my firewalls is not going to leave me in a good mood.  ;)
#4
Thanks. Well, the issue is moot for me at this point. Shortly after writing my original posting the web interface displayed an error message about there not being a config file instead of showing the relevant page. I (stupidly) rebooted the machine. OPNsense did not come back up and the LAN interface never responded to pings. I think I am going to have to rebuild the system. Fortunately for me I was able to fall back to my m0n0wall system and keep my network running.

Clearly there is some kind of problem with something filling up the disk storage. I suspect the right answer is to either run a utility to roll the logs and delete old ones when /var/log gets too full, and/or mount /var/log on a separate partition so that when it gets full, it doesn't clobber the other services writing out their config files and/or backing store for stateful information. I think that the separate-partition-for-/var/log hack will at least partition the problem (pun intended) so that the rest of the machine can keep running and providing services. Either that or I increase the disk capacity to 32G or 64G. But that seems like overkill for a networking appliance. Maybe the logs should be pushed off to syslog running on something else.

Thanks for confirming the problem, Aergan.

I know this is a silly question but how are you guys bringing up a shell window? Are you using ssh or connecting to the serial console?
#5
I have begun to have a problem with my WiFi clients not being able to get assigned their configuration with DHCP. It started a couple days ago with my iPhone randomly not being able to access the net because it does not have an assigned IP address. I rebooted last night and everything came back. This evening the problem is back. First thing I noticed was that the FS is full.

/ (ufs): 109% used 14G/14G

WTF? What would be eating that much disk? This is a pretty basic installation. So off to the logs. The system log is full of:

kernel: pid 73581 (dhcpd), uid 136 inumber 1364898 on /mnt: filesystem full

and

kernel: pid 59843 (suricata), uid 0 inumber 1364877 on /mnt: filesystem full

So it stands to reason that dhcpd has a problem not being able to write out the leases. That would answer why the clients aren't getting assigned addresses. But I'm still at a loss as to what would consume all the disk and cause the problem in the first place, or how to clear it out again.

Oh, and I stopped intrusion detection just in case. It does seem to be trying to write a lot of stuff to disk.

Help?
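
As an added example (not from this thread or from OPNsense itself), here is a small POSIX shell script in the spirit of posts #4 and #5: it summarises the "filesystem full" kernel messages quoted above by process and mount point, and checks a df -P style usage figure against a threshold, so a full disk is noticed before dhcpd stops writing its leases. The log lines and df output are constructed to match the formats shown in the post.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Constructed syslog lines in the format quoted in the post (a non-kernel
# dhcpd line is included to show it is ignored).
SAMPLE_LOG='Nov  6 02:11:03 fw kernel: pid 73581 (dhcpd), uid 136 inumber 1364898 on /mnt: filesystem full
Nov  6 02:11:04 fw kernel: pid 59843 (suricata), uid 0 inumber 1364877 on /mnt: filesystem full
Nov  6 02:11:05 fw kernel: pid 59843 (suricata), uid 0 inumber 1364879 on /mnt: filesystem full
Nov  6 02:11:06 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via igb1'

# Constructed df -P output mirroring the post's "/ (ufs): 109% used 14G/14G".
SAMPLE_DF='Filesystem   1024-blocks     Used Avail Capacity Mounted on
/dev/ufs/OPNsense  14680064 14680064     0   109% /'

# full_writers: read syslog text on stdin and print "<count> <process> <mount>"
# for every process the kernel reported hitting a full filesystem,
# most frequent first.
full_writers() {
    sed -n 's/.*kernel: pid [0-9]* (\([^)]*\)), uid [0-9]* inumber [0-9]* on \([^:]*\): filesystem full/\1 \2/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# usage_pct: read "df -P" output on stdin and print the Capacity of the
# given mount point as a bare number (header line is skipped automatically
# because its sixth field is "Mounted", not a path).
usage_pct() {
    mp=$1
    awk -v m="$mp" '$6 == m { sub("%", "", $5); print $5 }'
}

# Warn at 90% so the check fires before writers such as dhcpd start failing.
pct=$(printf '%s\n' "$SAMPLE_DF" | usage_pct /)
if [ "$pct" -ge 90 ]; then
    echo "WARNING: / is ${pct}% full; processes hitting full filesystems:"
    printf '%s\n' "$SAMPLE_LOG" | full_writers
fi
```

On a live box the same functions would be fed from /var/log/system.log (or wherever the kernel messages land) and from the real df -P.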

#6
Thank you everyone for your help.

I know you guys have spent a lot of time working on this and for that I am grateful. But it did chew up the better part of a day for me, trying to get through stuff that is undoubtedly obvious to you. I really could have used a couple of pages on, "Getting started on various embedded platforms". That would really help people who are migrating from other open router platforms.

If there is an obvious place on the wiki for such a thing, I would be willing to write it. (I was a tech writer who developed user manuals for routers back in a previous life.)

#7
Quote from: jstrebel on November 06, 2015, 08:48:52 AM
Brian,
I do it the following way for the APU.
1) Download the OPNsense-15.7.11-OpenSSL-nano-amd64.img.bz2.
2) Decompress this Image
3) do a "dd" if you use a Unix based PC or phydiskwrite .exe on a windows
4) Insert the Card into the Box

OK, what is the difference between OPNsense-15.7.11-OpenSSL-nano-amd64.img and OPNsense-15.7.11-OpenSSL-amd64.img? I used the latter and it worked fine. What does the "nano" imply in the image? I notice it is a much larger file but other than that I don't know. I do know I want serial console and AMD64 but beyond that, not sure.

FWIW, my APU seems to have full OPNsense running using the non-nano image.

Thank you.
#8
I tried <fn><F10> on the Mac for "F10" but it didn't work, at least not with ZTerm. So you are suggesting <fn><F11> for ansi "F10"? I never would have guessed on that. Alternatively, I can probably try to manually generate the escape sequence <esc>0 for "F10". In any case, I have some things to try but now that I have the new box actually running OPNsense, changing the boot process is of lower priority.

I will shoot you off an email and you can tell me whether it would be better to post my questions on the forum.

Thanks.
#9
Thank you for your response Franco.

I tried pressing the F10 key. Given that there is no standard for what the F10 key would send from an ASCII serial terminal, I have no idea what my F10 key actually sends. Whatever it sends, it is NOT what the BIOS/boot code is expecting. I am using ZTerm on MacOS and I have it configured as an ANSI standard terminal. I have also tried VT100 emulation. Neither works for me. It seems strange to me that they would choose a multi-byte sequence over a single byte given they have to parse a serial data stream.

I did receive a reply from PCEngines this morning but it was not helpful, i.e. "Press F10 and make sure your terminal is working." I have asked them to clarify what character sequence constitutes their interpretation for "F10".

Hmm, maybe I should have plugged a keyboard into the remaining USB connector and just used the serial port for display. But that assumes that the BIOS code would interpret a directly-connected USB keyboard as the console keyboard instead of, or in addition to, the serial port.

In any case, I did get past that point and I now have OPNsense running. I now need to figure out how to make OPNsense replace M0n0wall.

Has anyone written a manual for OPNsense that is similar to the doc that cisco produces for their IOS-based devices? I have poked through the wiki but not found anything like that. But I guess that is for another thread.

Thanks again for the response.
#10
Thanks. It gave me some hints.

I was finally successful by removing the SD card, letting it boot from the USB flash drive, and then reinserting the SD card after the boot was underway. After that installation proceeded normally.

So, to install on a PCEngines APU1D:

1. Copy OPNsense-15.7.11-OpenSSL-serial-amd64.img to a USB flash drive.
2. Boot from the flash drive with no SD card in the APU board.
3. Once booting from the flash drive is underway, insert the SD card.
4. Proceed with the normal installation.

Thanks for your response.
#11
I apologize for asking what has undoubtedly been answered before but after half a day of searching the forum and other resources, I haven't yet found an answer. That having been said ...

I am trying to bootstrap a new, bare PCEngines APU1D4 to run OPNsense. I have equipped the APU with a 16GB SD card and I have copied the installer onto an 8GB USB flash drive and plugged that into the upper USB port. The startup messages show that the BIOS/bootstrap is seeing both drives. In fact, here is the console output:

PC Engines APU BIOS build date: Sep  8 2014
Total memory 4096 MB
AMD G-T40E Processor
CPU MHz=1000
USB MSC blksize=512 sectors=31116288
USB MSC blksize=512 sectors=15240576
Press F10 key now for boot menu:
drive 0x000f2a80: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=31116288
drive 0x000f2ab0: PCHS=0/0/0 translation=lba LCHS=948/255/63 s=15240576
Booting from Hard Disk...

At this point nothing further happens.

Now, part of my problem is with the BIOS/bootstrap. I suspect that pressing the F10 key (what that might correspond to on a serial ASCII terminal keyboard I haven't a clue) might let me select the boot drive. (I have a query in to PCEngines but haven't heard back yet.) It certainly doesn't appear to be finding the install image on the USB flash drive. (OPNsense-15.7.11-OpenSSL-serial-amd64.img)

But it would be helpful if there existed a clearly described path from zero to running OPNsense on an SBC appliance such as the PCE APU. I know it is possible but, so far, I have been unsuccessful.

Help?

Thanks!
#12
I understand what Lee is saying and I appreciate it. m0n0wall has served me really well in both small business and personal environments for about 10 years now.

But I always wanted something a little more with m0n0wall than I ever quite got. I got the feeling that pfSense might be going in the right direction but it just didn't feel "polished" enough. OPNsense seems like it might be the right vehicle.

The key to serving a wider range is making it modular. OPNsense with modular functionality that you can turn on or off seems like the right answer. Want a bare-bones firewall that will run nicely on a PC-Engines Alix or a Soekris board? Include only the modules you need and use it. Want everything? Throw in the kitchen sink and run a bigger board with more RAM and persistent storage (disk) to hold it all. Having exactly the same code base for both means that you don't spread your development resources quite as thinly. (I think that competing projects that overlap is wasteful. Work together on a common code-base and reap the rewards.)

And WRT hardware, well, hardware doesn't last forever. If you have hardware that has served you for 10 years, you have gotten one hell of a good run out of it. There is no shame in retiring it and moving up. The new PC Engine APU board costs the same as the Alix board and Soekris boards before them. It has a LOT more memory and processing power for that price. It feels OK to me to say, "Time to retire that hardware and move up." After all, you could afford that price point for hardware before. We are not talking about a hardware price going up (unless one goes with a PC mobo).

In the meantime, my home router/firewall just happens to be a PC mobo (Celeron-based) with 512MB RAM and a 4GB CF for booting. I plan to pull out and save the m0n0wall CF and try the i386 version of OPNsense. I can plug in a graphics card and keyboard and load from a USB flashdrive. If it works and I can duplicate my m0n0wall functionality, I have made the initial transition. If not, I just plug the CF with m0n0wall on it back in and I am back up-and-running with m0n0wall. If I *can* make the transition, I will probably get a PC-engines APU board to try to make an OPNsense router/firewall "appliance" and retire my old Celeron-based box. I'm hoping that Franco, et al, will make a bootable version of OPNsense available to facilitate that process.

I'll let you know what happens.
#13
I suspect that if it must compete economically with existing residential or SOHO appliances, you are going to lose anyway. Linksys, Netgear, et al, own that space. A platform that will run OPNsense (as you have described the current platform) is a LOT more expensive. But an appliance such as the PC Engines Alix or APU board puts the system around $200 which competes really well in the space between consumer (e.g. Linksys) and enterprise Cisco/Juniper offerings.

So, we just need a way to get it onto an Alix or APU board and make it run.

Do you need help in acquiring hardware?
#14
Thank you for the reply, Franco. Nice to meet you.

I don't think that install space is the issue. Most of the boards just use CF or SD flash storage. A couple gigs is no issue because CF and SD storage is cheap. RAM is more of an issue because most of the current appliances in the field are 256MB with single-core processors (AMD Geode) and are not upgradable.

I just looked at the PC Engines web site and their AMD G series T40E APU board actually looks like it will meet the current OPNsense requirements, i.e. AMD-64, dual-core, 2GB RAM -- $130 for the board. An extra $20 buys you a 16GB SSD that plugs into one of the mini-PCI express slots. Hmm, and it will boot from USB.

Just no video. So making it initially configurable entirely from a serial port with a shell would be nice, as would having a load-image already tweaked for one of these SBCs. That would turn this into an appliance for a lot of people, thus making the transition from m0n0wall to OPNsense pretty straightforward.

FYI: http://www.pcengines.ch/apu.htm
#15
Manuel Kasper, the developer of m0n0wall, has announced that the m0n0wall project has ended and has recommended that everyone using m0n0wall transition to OPNsense. Many people using m0n0wall are using hardware substantially inferior to what is recommended for OPNsense, i.e. single-core 32-bit processors, less RAM, CF or other slower flash media for booting than SSD, etc. Also, many are using SBCs from Alix or PC Engines as network appliances. So this brings up some questions:

  • Can this class of hardware even run the i386 version of OPNsense? Performance may not be up-to-par, but will it even work, making transition to OPNsense possible without a fork-lift upgrade of existing hardware? This would allow a two-phase upgrade, i.e. make it run now, then make it run better later.
  • If so, can the install i386 images be used as "boot and run" images, or are they just installers?
  • If they are only installer images, is there a run image available?

Thank you for your forbearance. There are a lot of us out there running m0n0wall and it looks like we will be coming over here and joining you. I am looking forward to a long and fruitful relationship ... once I manage to make the transition.

Thank you in advance.

Brian Lloyd
brian@lloyd.aero