How to install?

[Lambeth]

Hello

I have a "Desktop & Wallmountable" device which I bought from applianceshop.eu some years ago. [applianceshop.eu]

I have never done any update on the device so the firmware/software is pretty old now.  :-[
I want to install the latest OPNsense version on the device (currently v19.1.1)

However, I don't really know well enough how an installation would be performed to do it.
I have read some documentation [link] and I guess maybe it's done by serial, or with an SD-card?

The device has three ports:
A USB type A port
A port labeled "Console" which looks like a mini-usb port
SD-card slot

Could anyone help with detailed information on how an installation could be performed for the type of device I got?

Thanks for your help

[franco]

The process is described here: https://docs.opnsense.org/manual/install.html

[chemlud]

In principle:

-Get a new CF/SD-card (whichever you need, just to keep your old OS and start with a fresh one).

- Get a serial to microUSB adapter for the serial console output. Something like (if your computer has a serial interface, otherwise a microUSB-USB-cable should work)
https://www.amazon.de/uc232-FTDI-RS232-Kabel-DB9-Stecker-Pinbelegung-uc232-us232-Micro-Micro-USB-male-FT232RL-150cm/dp/B078PF1RN1/ref=sr_1_5/257-5113574-8988614?ie=UTF8&qid=1550573797&sr=8-5&keywords=micro+usb+seriell+kabel

- Establish a serial access to your box (putty on windows, e.g. minicom on Linux)

- Backup your config.xml (hopefully you have already opnsense on you device. If it's pfsense you might need to be carefull with installing the config.xml to opnsense. Depending on you setup: start with the basics, interfaces, firewall, DHCP etc)

- Download fresh opnsense that fits your device (nano image, 386/x64)

- Burn image to your fresh card

- Import config.xml

- Boot device with new memory card and see how it does. If problems arise, boot from old card and report here ;-)

[Lambeth]

The process is described here: https://docs.opnsense.org/manual/install.html

I have read that and still it didn't make me fully understand how an installation would be performed on a device which is limited to Console, USB and SD Card for I/O.

In principle:

-Get a new CF/SD-card (whichever you need, just to keep your old OS and start with a fresh one).

- Get a serial to microUSB adapter for the serial console output. Something like (if your computer has a serial interface, otherwise a microUSB-USB-cable should work)
https://www.amazon.de/uc232-FTDI-RS232-Kabel-DB9-Stecker-Pinbelegung-uc232-us232-Micro-Micro-USB-male-FT232RL-150cm/dp/B078PF1RN1/ref=sr_1_5/257-5113574-8988614?ie=UTF8&qid=1550573797&sr=8-5&keywords=micro+usb+seriell+kabel

- Establish a serial access to your box (putty on windows, e.g. minicom on Linux)

- Backup your config.xml (hopefully you have already opnsense on you device. If it's pfsense you might need to be carefull with installing the config.xml to opnsense. Depending on you setup: start with the basics, interfaces, firewall, DHCP etc)

- Download fresh opnsense that fits your device (nano image, 386/x64)

- Burn image to your fresh card

- Import config.xml

- Boot device with new memory card and see how it does. If problems arise, boot from old card and report here ;-)

Thanks for the guidance.
I have done console-connection earlier (with minicom on linux) using a common usb/mini usb-cable, so I know a bit about that.

So I will need an SD-card to perform the installation? It's not possible to do it just using a console connection somehow?

If I want to be safe I should have two sd-cards, one with the old OS (old version of OPNsense) and one card with OPNsense 19.1?

[chemlud]

Yepp, I would keep the old SD-card and start from scratch, import the config.xml after first boot/interface assignement via console/minicom. You will never know how long the SD-cards survive and if yours is older it's the right opportunity to have a new boot medium for your crucial network machine.

If you use the nano image there is no real installation, just dd the image over to your fresh card, insert into the box and boot with console/minicom enabled. After booting, assign the interfaces (write down from your old install which is which), plug in a computer to your LAN and you get an IP, login to sense (192.168.1.1 iirc) with root/opnsense and import config.xml from old card (stored on the computer you log into your sense ;-) ).

Will reboot after importing the config and you should be done...

[Lambeth]

Hello chemlud, I have looked into installation some more.
There are some questions and I wonder if you maybe have misunderstood something in your earlier replies.

I looked at the available installation media OPNsense provides. (here: https://opnsense.org/download/ )
Since my firewall device doesn't have any video output interface (VGA), the installation media I could possibly use should be "serial" or "nano".

https://opnsense.org/download/
serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.
nano: a preinstalled serial image for USB sticks, SD or CF cards as MBR boot. These images are 3G in size and automatically adapt to the installed media size after first boot.

My firewall does have an SSD (that was unclear earlier, I'm sorry), so OPNsense should not run off an SD-card or similar. The OS should be installed on the SSD-disk.
I want to run a fully-featured installation of OPNSense, so I should not use the "nano" image, "serial" looks like it would be the right choice.

The documentation describes that the "serial" install image can be installed by using a usb-memory stick:

https://wiki.opnsense.org/manual/install.html#installation-method
The easiest method of installation is the USB-memstick installer. If your target platform has a serial interface choose the "serial image. 64-bit and 32-bit install images are provided. The following examples apply to both. If you need to know more about using the serial interface, consult the serial access how-to.

Write the image to a USB flash drive (>=1 GB) or an IDE hard disk, either with dd under FreeBSD, HardenedBSD or under Windows with physdiskwrite

From this information I draw the conclusion that it should work fine to use usb-memory sticks for installing OPNsense.
Also, I have a few usb-sticks lying around which is convenient.

...
So installing a new fresh version of OPNsense should be something like:
- Plug-in usb-stick to the device
- Establish serial/console connection
- Reboot the device
- Install OPNsense
(- Get everything working)

Have I gotten it right?

[chemlud]

You have to backup the config.xml, especially if you don't want to use a fresh SSD for the new installation. Otherwise all your configuration is lost, you would have to start from scratch.

You can backup config.xml from the GUI (System -> Configuration -> Backups -> Download). After the first boot of the fresh installation you assign the interfaces via serial console, log into the GUI and restore the config.xml from your old installation ( (System -> Configuration -> Backups -> Restore configuration).

Might be necessary to enter the BIOS of your device to boot from the USB-stick for the installation. Or press a special key while powering up the device to enter a "one-time boot menu" allowing you to choose the USB as the boot device. Have a look into the documentation of the mother board inside you device :-)

If it's for the very first time you try this, I would NOT install to the current SSD, but use an old 2.5" HDD or a fresh SSD, as if you botch your system you have no router anymore. So the old SSD would be your fall-back in case of problems with installing the fresh sense.

[newsense]

If it's an old OPNsense the configuration file might not work. Take screenshots of your rules on the interfaces, NAT or VPN as it may be applicable. Although it would be rather surprising to see more than Allow Any on LAN at this point.

Once OPNsense is installed and running, first thing is to run 12 in the console to fully update 19.1.

You'll need both a new OPNsense _and_ the latest firmware - and if your information is correct and you have the blackbox in the link then the APU 1-5 thread in the Hardware subforum has all the information you need in pages 5-6 to successfully update to v4.9.0.2

[Lambeth]

Thanks for the heads up about firmware, newsense!

It is this thread you are referring to? https://forum.opnsense.org/index.php?topic=4200.0
APU is the bios of the device?

The specific device I've got is this one: [link]
Hardware specs are towards the bottom of the page (but doesn't seem to say much about the board).

[chemlud]

...I would ask the vendor for details on possibility/need to update BIOS and for advice on current opnsense to be used.

[newsense]

Thanks for the heads up about firmware, newsense!

It is this thread you are referring to? https://forum.opnsense.org/index.php?topic=4200.0
APU is the bios of the device?

The specific device I've got is this one: [link]
Hardware specs are towards the bottom of the page (but doesn't seem to say much about the board).

The only "rather old" firewall in your original link was this one:

https://www.applianceshop.eu/security-appliances/security-appliances-desktop-and-wallmountable/opnsense-based-desktop-11/opnsense-small-ghz.html

Any other Deciso appliance is marked as new and your link also points to a newer model and not the PcEngines one above.

chemlud's advice stands, contact the vendor for guidance and support. Proper documentation should already be available.

[Lambeth]

https://opnsense.org/download/
serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.

If I test "live system'" and it works, could I draw some conclusions from that?

Should it then be all-clear to install it to the SSD and it will work?

[newsense]

Deciso appliances should work and be fully tested against every version of OPNsense.

While testing with a live stick is definitely an option, it may even be possible to upgrade from major version to major version until you reach current 19.1. Just make a backup of the config and use the console - Option 12 - and follow the steps on the screen until you reach 19.1.2 which is the latest one $Now

[chemlud]

If the live system boots it might be that you can install it on your bios/hardware. For guarantees: Ask your insurance company :-D 

If the opnsense is pre-historic, good chance that at some point in your never ending update cascade the system will fail. My (final and last) advice: Get a new SSD/HDD and start fresh. ;-)

[Lambeth]

Hello

I wanted to report back that installing OPNsense v19.1 went well with no trouble.
I used the "serial" install image on a usb-memstick. I installed according to the description below:

1. Attach prepared usb-memstick to the firewall.
2. From a desktop computer, connect a usb-cable to the firewall, the port labeled "Console" (mini-usb).
3. Establish a serial connection from the PC to the firewall. [link]
4. Reboot the firewall
5. In the boot menu, select boot from usb instead of ssd.

Now the device boots up OPNsense from the usb-stick.
Next you can choose to run OPNsense in live mode from the usb-stick, or do a permanent install to ssd.

I think the installation procedure that followed was easy.
There was an option to choose installation mode between GPT/UEFI or MBR. I selected GPT/UEFI and it went fine, (but keep in mind this options probably depends on what hardware you got!).