[Work In Progress] OPNsense Ported into ARM Devices

[chemlud]

I importet a config.xml to the raspi and forgot that it has enabled a somewhat... extensive ... rule set for suricata. Suricata dies on boot, but I can't change anything in the suricata config, e.g. if I try to disable it and press apply, nothing happenz (the worm on the Apply button cycling for more than an hour...).

Any way to disable suricata from the command line? :-)

[chemlud]

Ok, I managed to disable IDS in my default config.xml which I use for "standard starting setup" (users, unbound, etc.). Some observations:

- Via the HDMI console the output during boot stops at "smsc0: chip..." and after a LONG break you get the login prompt from opnsense. On the serial console you can monitor the whole boot process (starting services etc.) and in the end you get the login prompt as well.

- Without WAN attached I could not reach the GUI with Firefox (60.x ESR 32 bit), as the request to the https GUI timed out. With Konqueror I could reach the GUI and restore my default config.xml. But the Dashbord is significantly impaired in Konqueror (doing fine in FF, however, only with WAN interface up).

The throughput for a single host is nice (WAN is a 10/100 Mbit USB-RJ45), will have to try the config with UMTS-stick and wifi stick soon... :-)

Would be fun to see an image for Raspi 3 with the built-in wifi as WAN.

[nekoprog]

I'd like to thank nekoprog for the work done with the ARM ports. Very useful and robust now. :)

Next step is actually the long-promised BPI image and then come 20.1 we'll have to see what we can do when i386 is being dropped from our supported list...


Cheers,
Franco

I have a Banana Pi board lying around here, if you are looking for someone to test the new image please let me know.

Regards,
Bobby Thomas

Hi, I'm currently compiling images for RPi2/3, Banana Pi and Orange Pi PC2 for OPNsense 19.1.6. Will let you know when the images are ready.  :)

Ok, I managed to disable IDS in my default config.xml which I use for "standard starting setup" (users, unbound, etc.). Some observations:

- Via the HDMI console the output during boot stops at "smsc0: chip..." and after a LONG break you get the login prompt from opnsense. On the serial console you can monitor the whole boot process (starting services etc.) and in the end you get the login prompt as well.

- Without WAN attached I could not reach the GUI with Firefox (60.x ESR 32 bit), as the request to the https GUI timed out. With Konqueror I could reach the GUI and restore my default config.xml. But the Dashbord is significantly impaired in Konqueror (doing fine in FF, however, only with WAN interface up).

The throughput for a single host is nice (WAN is a 10/100 Mbit USB-RJ45), will have to try the config with UMTS-stick and wifi stick soon... :-)

Would be fun to see an image for Raspi 3 with the built-in wifi as WAN.

Hi, great that you found the solution, sorry I couldn't help, quite busy lately and got little time to check the forum. RPI3 image is compiling, will let you know when it's ready. RPI2 updates for 19.1.6 is online if you like to update. Just need to edit /usr/local/etc/pkg/repos/OPNsense.conf like I mentioned before.

[bobbythomas]

I'd like to thank nekoprog for the work done with the ARM ports. Very useful and robust now. :)

Next step is actually the long-promised BPI image and then come 20.1 we'll have to see what we can do when i386 is being dropped from our supported list...


Cheers,
Franco

I have a Banana Pi board lying around here, if you are looking for someone to test the new image please let me know.

Regards,
Bobby Thomas

Hi, I'm currently compiling images for RPi2/3, Banana Pi and Orange Pi PC2 for OPNsense 19.1.6. Will let you know when the images are ready.  :)

Ok, I managed to disable IDS in my default config.xml which I use for "standard starting setup" (users, unbound, etc.). Some observations:

- Via the HDMI console the output during boot stops at "smsc0: chip..." and after a LONG break you get the login prompt from opnsense. On the serial console you can monitor the whole boot process (starting services etc.) and in the end you get the login prompt as well.

- Without WAN attached I could not reach the GUI with Firefox (60.x ESR 32 bit), as the request to the https GUI timed out. With Konqueror I could reach the GUI and restore my default config.xml. But the Dashbord is significantly impaired in Konqueror (doing fine in FF, however, only with WAN interface up).

The throughput for a single host is nice (WAN is a 10/100 Mbit USB-RJ45), will have to try the config with UMTS-stick and wifi stick soon... :-)

Would be fun to see an image for Raspi 3 with the built-in wifi as WAN.

Hi, great that you found the solution, sorry I couldn't help, quite busy lately and got little time to check the forum. RPI3 image is compiling, will let you know when it's ready. RPI2 updates for 19.1.6 is online if you like to update. Just need to edit /usr/local/etc/pkg/repos/OPNsense.conf like I mentioned before.

Great news, let me know if you want to test your images.

Thank you,
Regards,
Bobby Thomas

[nekoprog]

Banana Pi image is ready for download and test. Link for download on first post.

[daquirm]

Hi, as for road warrior application I was really thinking about nanopi neo 2:
https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=180
Maybe in this kit and small external dongle:
https://www.friendlyarm.com/index.php?route=product/product&path=93&product_id=189
Or nanopi neo 2 plus with inbuilt wifi in this case:
https://www.friendlyarm.com/index.php?route=product/product&path=93&product_id=203
What needs to be done to make it work with opnsense? I know it's kind of lame question, but there is nothing smaller with that performance :)
For home use I would consider even ESPRESSObin, it has enough ports/performance that Netgate uses that hw:
http://espressobin.net/
Just making my wishlist public :D

[Antaris]

Also look at NanoPi R1 :)
https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=248

For 39$ is complete with 2 LANs, WiFi, case, 1GB RAM and 8GB emmc

[daquirm]

R1 would perfect fit as well but it has 32bit CPU only, so there's probably no future for it with Opnsense...but it could run openwrt for sure...in the past I had raspberryPi 3 with DietPi OS, as it has ready made installer for hot spot and I could make it work as openVPN gateway...but opnsense would be so much better...

[nekoprog]

Most of Nano Pi products already have it's uboot supported by FreeBSD. In case you would like to help, try looking in FreeBSD/ports/sysutils/Makefile, look for u-boot, if it's there, it should be able to install OPNsense. If it's not there, try opening new issue or you could try create uboot slave file for that device and make a pull request. Any help would be appreciated in porting OPNsense into arm devices.

UPDATE: I have made a wishlist on first page, complete with defconfig and dtb name. It should help other contributors who would like to write uboot slave file and make PR on FreeBSD Ports.

[daquirm]

I see in the list the first version of NEO, which was build on 32bit H3 chip...NEO 2 is build on 64bit H5...I don't have the device yet and I don't have coding skills...could I contribute somehow just by buing it and testing your build?

[tsgan]

OPNsense on NanoPI R1 works.

[nekoprog]

I see in the list the first version of NEO, which was build on 32bit H3 chip...NEO 2 is build on 64bit H5...I don't have the device yet and I don't have coding skills...could I contribute somehow just by buing it and testing your build?

Don't buy it yet, because i don't have a working image for it at the moment.

OPNsense on NanoPI R1 works.

Nice. Can you share your configs and make a pull request on tools.git so everyone with nanopi r1 can use it?

[tsgan]

I just built the image with some local changes. And IIRC OPNsense doesn't support yet FreeBSD 12.x and FreeBSD 13.0-CURRENT, there are some changes needed for ure(4) to work correctly (only current has the changes) as well as for emmc (small fix is needed for now for aw_mmc driver).
OPNsense should also correctly handle https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224740 bug when cross compiling, otherwise it fails for number of ports.
Also OPNsense should fix ifinfo when showing statistics, it needs patch.

[nekoprog]

Raspberry Pi3 and OrangePi PC2 image is ready for download. Need tester to test this image able to boot or not. Download link on first page.

There's a great chance that OrangePi PC2 image will not boot. Need to implement some of these codes into OPNsense/tools/build/arm.sh

[chemlud]

Downloaded raspi 3 image and checked SHA256 on .img (!, not .xz), was OK.

Burned image with

Code Select Expand

dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k

but on boot I get the infamous rainbow screen and green LED blinking seven times, which means:

Code Select Expand

7 flashes: kernel.img not found

https://elinux.org/R-Pi_Troubleshooting#Green_LED_blinks_in_a_specific_pattern

...tbc...