[HOWTO] Install OPNsense 25.1 on Silver Peak FWA-ASP1012 EC-XS-Security Appliance

Started by Ground_0, March 18, 2025, 01:54:06 PM

The Silver Peak FWA-ASP1012 EC-XS is a desktop security appliance which can also be rack mounted. These units have an embedded/BIOS controlled watchdog timer which must be circumvented in order to make them useful. Without access to the BIOS password, it took some time to establish a method of procedure to get OPNsense installed, but, with the loading of a single kernel driver, it is quite simple, thanks to patient_0 and his expertise.

EDIT: A user on STH managed to dump the BIOS and retrieve the password: Kilimanjaro1
With a serial console, connect at 9600 baud, press [Del] and the watchdog timer can be deactivated from the BIOS. You may also want to set the console to 115200 and customize other settings to your liking.

Pros: These little x86 devices are heavy as cinder blocks; built like tanks; enterprise-grade, silent, relatively hackable, powerful, and quite affordable. They will run circles around many desktop appliances rated at 1Gb/s for a fraction of the cost, and they run OPNsense perfectly. (I have also successfully installed RHEL 9.5 on it, which runs perfectly as well!) They can be found on the web in used and new-old-stock condition. I would recommend getting a new unit; they are cheap and plentiful on eBay as of this writing, and there's nothing like *new*. All 6 ports are Intel-based and fully functional through OPNsense. The unit is set to power on automatically after a power failure, perfect for a router/firewall.

SPECS:
120GB M.2 B+M SATA SSD* (2280), 16GB ECC RAM, Quad Core Intel Atom C3558 2.20 GHz CPU with QAT, AES-NI Crypto Capability, (2) USB3 ports, (1) Console port, (6) Intel Ethernet Ports:

lan0, wan0, lan1, wan1 ports use the ix Intel 10Gb Ethernet driver. OPNsense reports these as Intel(R) X553 (1GbE)

mgmt0 and mgmt1 ports use igb Intel(R) PRO/1000 PCI Express Gigabit Ethernet adapter driver, reported as Intel(R) I210 (Copper)

Regarding the port identification:

OPNsense Device → Label on Unit
igb0 → mgmt0
igb1 → mgmt1
ix0 → lan0
ix1 → wan0
ix2 → lan1
ix3 → wan1

The unit employs 2 x 40mm Sunon case fans which are completely silent.
The unit consumes 20W at idle, 23W at full 1Gb/s.

* The unit has an M keyed slot which is PCI-e Gen 3X4, but also SATA compatible. 5 out of the 6 NVMe 2280 drives I have tried work perfectly and all were Gen 3 x 4.

Cons: 1Gb/s might be a deal breaker for some. BIOS is password protected from factory, (although it is not necessary to access it at all for this tutorial). OPNsense installer does not recognize the installed SSD (I include 2 easy and simple workarounds for this), likely due to a BIOS setting for the SATA controller.
*Also*: If you don't have a spare lying around, I would recommend picking up a ~120GB Gen 3x4 M.2 NVMe drive; they are less than $20 delivered on Amazon.

root@EventHorizon:~ # pciconf -lcv
hostb0@pci0:0:0:0:      class=0x060000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x1980 subvendor=0x8086 subdevice=0x1999
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series System Agent'
    class      = bridge
    subclass  = HOST-PCI
hostb1@pci0:0:4:0:      class=0x060000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19a1 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Error Registers'
    class      = bridge
    subclass  = HOST-PCI
    cap 10[40] = PCI-Express 2 root endpoint max data 256(256)
                max read 128
none0@pci0:0:5:0:      class=0x080700 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19a2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Root Complex Event Collector'
    class      = base peripheral
    subclass  = Root Complex Event Collector
    cap 10[40] = PCI-Express 2 event collector max data 256(256)
                max read 128
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 1 non-fatal 1 corrected
    ecap 0007[150] = Root Complex Event Collector ASsociation 1
pcib1@pci0:0:6:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a3 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated QAT Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
pcib2@pci0:0:12:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a7 subvendor=0x8086 subdevice=0x19a7
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x2(x2) speed 8.0(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19a7
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib3@pci0:0:15:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19a9 subvendor=0x8086 subdevice=0x19a9
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x0(x1) speed 0.0(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19a9
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib4@pci0:0:16:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19aa subvendor=0x8086 subdevice=0x19aa
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x1(x1) speed 2.5(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19aa
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
pcib5@pci0:0:17:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19ab subvendor=0x8086 subdevice=0x19ab
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series PCI Express Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 256(256) ARI disabled
                max read 128
                link x1(x1) speed 2.5(8.0)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x19ab
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
    ecap 0012[150] = Multicast 1
    ecap 000b[180] = Vendor [1] ID 0003 Rev 0 Length 10
    ecap 001d[190] = Downstream Port Containment 1
    ecap 001e[1d0] = L1 PM Substates 1
    ecap 0019[200] = PCIe Sec 1 lane errors 0
none1@pci0:0:18:0:      class=0x088000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19ac subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SMBus Contoller - Host'
    class      = base peripheral
    cap 10[40] = PCI-Express 2 root endpoint max data 256(256) FLR NS
                max read 128
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 05[8c] = MSI supports 1 message, 64 bit, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
ahci0@pci0:0:19:0:      class=0x010601 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19b2 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SATA Controller 0'
    class      = mass storage
    subclass  = SATA
    cap 05[80] = MSI supports 1 message
    cap 01[70] = powerspec 3  supports D0 D3  current D0
    cap 12[a8] = SATA Index-Data Pair
    cap 11[d0] = MSI-X supports 8 messages, enabled
                Table in map 0x10[0x0], PBA in map 0x14[0x0]
xhci0@pci0:0:21:0:      class=0x0c0330 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19d0 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series USB 3.0 xHCI Controller'
    class      = serial bus
    subclass  = USB
    cap 01[70] = powerspec 2  supports D0 D3  current D0
    cap 05[80] = MSI supports 8 messages, 64 bit enabled with 1 message
pcib6@pci0:0:22:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19d1 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated LAN Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
pcib7@pci0:0:23:0:      class=0x060400 rev=0x11 hdr=0x01 vendor=0x8086 device=0x19d2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Integrated LAN Root Port'
    class      = bridge
    subclass  = PCI-PCI
    cap 10[40] = PCI-Express 2 root port max data 128(128) ARI enabled
                max read 128
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 0d[88] = PCI Bridge subvendor=0x8086 subdevice=0x0000
    cap 05[90] = MSI supports 1 message, vector masks
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected
    ecap 000d[138] = ACS 1 Source Validation disabled, Translation Blocking disabled
                    P2P Req Redirect disabled, P2P Cmpl Redirect disabled
                    P2P Upstream Forwarding disabled, P2P Egress Control unavailable
                    P2P Direct Translated disabled, Enhanced Capability unavailable
none2@pci0:0:24:0:      class=0x078000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19d3 subvendor=0x8086 subdevice=0x19d3
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series ME HECI 1'
    class      = simple comms
    cap 01[50] = powerspec 3  supports D0 D3  current D0
    cap 05[8c] = MSI supports 1 message, 64 bit
sdhci_pci0@pci0:0:28:0: class=0x080501 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19db subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SD Host Controller'
    class      = base peripheral
    subclass  = SD host controller
    cap 01[80] = powerspec 3  supports D0 D3  current D0
    cap 09[90] = vendor (length 20) Intel cap 15 version 0
isab0@pci0:0:31:0:      class=0x060100 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19dc subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series LPC or eSPI'
    class      = bridge
    subclass  = PCI-ISA
none3@pci0:0:31:2:      class=0x058000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19de subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series Power Management Controller'
    class      = memory
ichsmb0@pci0:0:31:4:    class=0x0c0500 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19df subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SMBus controller'
    class      = serial bus
    subclass  = SMBus
none4@pci0:0:31:5:      class=0x0c8000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19e0 subvendor=0x8086 subdevice=0x7270
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series SPI Controller'
    class      = serial bus
qat0@pci0:1:0:0:        class=0x0b4000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x19e2 subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Atom Processor C3000 Series QuickAssist Technology'
    class      = processor
    cap 05[b0] = MSI supports 1 message, 64 bit, vector masks
    cap 11[60] = MSI-X supports 17 messages, enabled
                Table in map 0x18[0x3b000], PBA in map 0x18[0x3b800]
    cap 01[6c] = powerspec 3  supports D0 D3  current D0
    cap 10[74] = PCI-Express 2 endpoint max data 256(16384) FLR RO NS
                max read 1024
                link x16(x16) speed 5.0(5.0) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 0 corrected
    ecap 000e[138] = ARI 1
    ecap 0010[140] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 16 supported
                    First VF RID Offset 0x0008, VF RID Stride 0x0001
                    VF Device ID 0x19e3
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
nvme0@pci0:2:0:0:      class=0x010802 rev=0x00 hdr=0x00 vendor=0x144d device=0xa808 subvendor=0x144d subdevice=0xa801
    vendor    = 'Samsung Electronics Co Ltd'
    device    = 'NVMe SSD Controller SM981/PM981/PM983'
    class      = mass storage
    subclass  = NVM
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 32 messages, 64 bit
    cap 10[70] = PCI-Express 2 endpoint max data 256(256) FLR RO NS
                max read 512
                link x2(x4) speed 8.0(8.0) ASPM disabled(L1) ClockPM disabled
    cap 11[b0] = MSI-X supports 33 messages, enabled
                Table in map 0x10[0x3000], PBA in map 0x10[0x2000]
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[148] = Serial 1 0000000000000000
    ecap 0004[158] = Power Budgeting 1
    ecap 0019[168] = PCIe Sec 1 lane errors 0
    ecap 0018[188] = LTR 1
    ecap 001e[190] = L1 PM Substates 1
igb0@pci0:4:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x13fe subdevice=0x301c
    vendor    = 'Intel Corporation'
    device    = 'I210 Gigabit Network Connection'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 74fe48ffff6e2443
    ecap 0017[1a0] = TPH Requester 1
igb1@pci0:5:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x13fe subdevice=0x301c
    vendor    = 'Intel Corporation'
    device    = 'I210 Gigabit Network Connection'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    cap 03[e0] = VPD
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 74fe48ffff6e2444
    ecap 0017[1a0] = TPH Requester 1
ix0@pci0:6:0:0: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e4 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0000c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix1@pci0:6:0:1: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e4 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0000c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix2@pci0:7:0:0: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e5 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0100c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
ix3@pci0:7:0:1: class=0x020000 rev=0x11 hdr=0x00 vendor=0x8086 device=0x15e5 subvendor=0x13fe subdevice=0x301b
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Connection X553 1GbE'
    class      = network
    subclass  = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 64 messages, enabled
                Table in map 0x20[0x0], PBA in map 0x20[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(128) FLR RO
                max read 512
                link x1(x1) speed 2.5(2.5) ASPM disabled(L0s/L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 0100c9ffff000000
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                    0 VFs configured out of 64 supported
                    First VF RID Offset 0x0180, VF RID Stride 0x0002
                    VF Device ID 0x15c5
                    Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304
    ecap 000d[1b0] = ACS 1 Source Validation unavailable, Translation Blocking unavailable
                    P2P Req Redirect unavailable, P2P Cmpl Redirect unavailable
                    P2P Upstream Forwarding unavailable, P2P Egress Control unavailable
                    P2P Direct Translated unavailable, Enhanced Capability unavailable
root@EventHorizon:~ #
 

METHOD AND PROCEDURE:

1.) The case is secured with 6 screws. Disconnect from power, and, after removing the cover, remove the SSD, battery, and clear the CMOS using the 'CLR CMOS' jumper (near the battery and SSD). Leave it in the clear position for about a minute, then return the jumper to its normal position and re-install the battery, but leave the SSD uninstalled.

2.) Restore power. If the front panel power LED flashes amber, remove the battery and clear the BIOS again. You may need to repeat this process until it glows green. When it does, you should hear a relay click. At this point, disconnect power.

*NOTE* The factory SSD appears to be an M.2 2280 SATA with a B+M key and seems undetectable by the OPNsense installer. Using an M.2-USB adapter on Fedora Linux, I found 120GB, 3 partitions, plus a 4th extended partition containing logical partitions 5-11. OPNsense only detects an onboard 8 GB eMMC, which you *can* install to, using UFS, but 8GB seems uncomfortably small to me (perhaps someone with more knowledge can weigh in on this). UFS will work, filling 36% of the eMMC on a fresh installation, but ZFS will complain about space constraints. For now, I swapped in a spare Samsung M.2 NVMe 2280 Gen 3.0 x 4 drive, using ZFS, which works perfectly. If you install to the eMMC and need to upgrade to an SSD in the future, use the OPNsense live environment to format the eMMC, otherwise, the eMMC will remain first in the boot order.


3.) Ensure the SSD is uninstalled, and using the AMD_64 serial image burned to USB and a serial console (like PuTTY) at 115200 baud, insert the USB drive and restore power. The unit will power cycle twice, with long pauses. The PuTTY console will remain dark at this time. The BIOS should eventually find the bootable USB, and the fans should rev up and down. An error will display at the last power cycle:
ERROR: Class:3000000; Subclass:60000; Operation: A
After this message, the machine should power up and boot to the USB drive. If not, and it just sits idle, manually unplug and re-insert the power plug.
(Note that the system BIOS is password protected from the factory and is only available at 9600 baud, but, it should be unnecessary to access.)

4.) Once OPNsense boots from the USB drive to the splash screen, power down again, install an M.2 NVMe 2280 SSD (recommended), or simply leave the M.2 slot vacant if you want to install to the 8GB eMMC (I would not recommend*), power up, and boot the OPNsense installer as normal.

5.) Take the opportunity to utilize the manual interface assignment (ix0 is port lan0 and ix1 is port wan0).

6.) Login as 'root' (password 'opnsense') through the serial console and enter the shell (option 8).

7.) Note that, at this point, you have less than 10 minutes to complete the next step, but, this will be plenty of time.

Load the Intel watchdog driver:

# kldload ichwd

8.) Log out and log back in as 'installer' (password 'opnsense') and continue the installation as normal.

9.) Reboot. It is safe to pull the USB stick once you see:
umass0: detached
uhub0: detached

10.) Once rebooted into the installed system, repeat steps 6 and 7, to reset the watchdog timer and prevent the machine from rebooting.

11.) Login to the WEBUI as 'root' (password 'opnsense').

12.) Configure your system as normal, either manually and/or by utilizing the wizard.

13.) In order to address the embedded watchdog and permanently prevent the unit from rebooting every 10 minutes, configure OPNsense to load the Intel watchdog driver at boot:

System > Settings > Tunables

Click on "+" in the lower right corner, then:

Tunable: ichwd_load
Value: YES

14.) Reboot, continue as normal, and enjoy.


THANK YOU:
Thanks again to patient_0 for his knowledge, expertise and tenacious digging for the watchdog timer solution! He has made it possible for the masses to re-purpose these excellent machines.
Thanks to Patrick M. Hausen for the WEBUI tunable.
Thanks to poningru for his M.2 correction.
Thanks to WarpConduit for his improved port identification table.
Thanks to Justin from velocitytechsolutions for his efforts and patience.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Quote from: Ground_0 on March 18, 2025, 01:54:06 PM
echo 'ichwd_load="YES"' >> /boot/loader.conf.local

I'd recommend using the UI for that instead.

System > Settings > Tunables

Click on the "+" in the upper right corner, then:

Tunable: ichwd_load
Value: YES

This way the setting will be part of a configuration backup and at least sort of documented by being visible in the UI.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
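
Added example, not part of any post in this thread: a small POSIX shell audit for the watchdog workaround discussed above, which tells apart a driver that was only loaded by hand with kldload (steps 7 and 10) from one that is also set to load at boot (step 13, or the loader.conf.local line quoted above). The function names, state labels and the choice of /boot/loader.conf plus /boot/loader.conf.local as the files to read are assumptions; the sample inputs in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that ichwd is loaded now AND
# will be loaded again after the next reboot.

# Succeeds if "<module>.ko" appears in kldstat output supplied on stdin.
module_in_kldstat() {
    awk -v name="$1.ko" '$NF == name { found = 1 } END { exit !found }'
}

# Print the effective value of a loader variable across the given files.
# Files are read in the order given and the last assignment wins.
# Commented-out lines are ignored. Fails if the variable is never set.
loader_value() {
    var=$1; shift
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; echo; fi
    done | awk -v var="$var" '
        {
            sub(/[ \t]*#.*/, "")              # drop comments
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", key)
            if (key != var) next
            val = substr($0, n + 1)
            sub(/^[ \t]*"?/, "", val)         # strip leading blank/quote
            sub(/"?[ \t]*$/, "", val)         # strip trailing quote/blank
            found = 1
        }
        END { if (found) print val; else exit 1 }'
}

# audit_watchdog KLDSTAT_OUTPUT_FILE LOADER_FILE...
# Prints one state and returns 0 only for "ok":
#   ok                     loaded now and configured to load at boot
#   loaded-not-persistent  loaded by hand only; lost at the next reboot
#   persistent-not-loaded  configured, but not loaded in this boot
#   missing                neither
audit_watchdog() {
    kld=$1; shift
    loaded=no; persistent=no
    if module_in_kldstat ichwd < "$kld"; then loaded=yes; fi
    if val=$(loader_value ichwd_load "$@"); then
        # the value is compared case-insensitively here
        case $(printf '%s' "$val" | tr '[:lower:]' '[:upper:]') in
            YES) persistent=yes ;;
        esac
    fi
    case $loaded/$persistent in
        yes/yes) echo ok ;;
        yes/no)  echo loaded-not-persistent; return 1 ;;
        no/yes)  echo persistent-not-loaded; return 1 ;;
        *)       echo missing; return 1 ;;
    esac
}

# Demo on constructed input: driver loaded by hand, tunable not yet set.
demo() {
    d=$(mktemp -d)
    {
        echo 'Id Refs Address                Size Name'
        echo ' 1   30 0xffffffff80200000  1f3e2c0 kernel'
        echo ' 2    1 0xffffffff82140000     7bd0 ichwd.ko'
    } > "$d/kldstat.txt"
    echo '# ichwd_load="YES"' > "$d/loader.conf"
    audit_watchdog "$d/kldstat.txt" "$d/loader.conf" || true
    rm -rf "$d"
}

# Live use on the firewall (paths are assumptions):
#   kldstat > /tmp/kldstat.txt
#   audit_watchdog /tmp/kldstat.txt /boot/loader.conf /boot/loader.conf.local
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A result of loaded-not-persistent is the state the guide leaves the unit in between step 10 and step 13: the box stays up for now but returns to the 10-minute reboot cycle after the next restart.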

Quote from: Patrick M. Hausen on March 18, 2025, 02:19:08 PM
Quote from: Ground_0 on March 18, 2025, 01:54:06 PM
echo 'ichwd_load="YES"' >> /boot/loader.conf.local

I'd recommend using the UI for that instead.

System > Settings > Tunables

Click on the "+" in the upper right corner, then:

Tunable: ichwd_load
Value: YES

This way the setting will be part of a configuration backup and at least sort of documented by being visible in the UI.


Excellent, thank you, Patrick.
I will update the guide to include this.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Quote from: Ground_0 on March 18, 2025, 01:54:06 PM
CPU with AES-NI Crypto Capability, (2) USB3 ports, (1) Console port (6) Intel Ethernet Ports; lan0, wan0, lan1, wan1 use the ix Intel 10Gb Ethernet driver.

Excellent, I hope a lot of people see it and get one of them, hopefully cheap :)

You could mention the order and the naming of the network ports, in relation to how they are labeled at the front. So that when installing one knows which igb?? or ix?? is referring to which port at the front.

And regarding the CPU crypto, you must mention that the CPU supports QAT :) ... QAT will help accelerate IPsec and OpenVPN when using DCO.
Deciso DEC740

Quote from: patient0 on March 18, 2025, 03:53:03 PM
Quote from: Ground_0 on March 18, 2025, 01:54:06 PM
CPU with AES-NI Crypto Capability, (2) USB3 ports, (1) Console port (6) Intel Ethernet Ports; lan0, wan0, lan1, wan1 use the ix Intel 10Gb Ethernet driver.

Excellent, I hope a lot of people see it and get one of them, hopefully cheap :)

You could mention the order and the naming of the network ports, in relation to how they are labeled at the front. So that when installing one knows which igb?? or ix?? is referring to which port at the front.

And regarding the CPU crypto, you must mention that the CPU supports QAT :) ... QAT will help accelerate IPsec and OpenVPN when using DCO.
On it.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Can I request a picture of the board? This device looks very interesting!
Any idea how many lanes the M.2 PCIe has? Would love to throw some SFP ports on it.
Thanks

Quote from: poningru on March 19, 2025, 11:23:22 PM
Can I request a picture of the board? This device looks very interesting!
Any idea how many lanes the M.2 PCIe has? Would love to throw some SFP ports on it.
Thanks

It's tricky to upload a hi-res image. I had to compress it so severely that much of the detail has escaped, but I have now included a shot of the board as well as the back side of the unit.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Quote from: Ground_0 on March 20, 2025, 10:37:17 PM
Quote from: poningru on March 19, 2025, 11:23:22 PM
Can I request a picture of the board? This device looks very interesting!
Any idea how many lanes the M.2 PCIe has? Would love to throw some SFP ports on it.
Thanks

It's tricky to upload a hi-res image. I had to compress it so severely that much of the detail has escaped, but I have now included a shot of the board as well as the back side of the unit.

This looks amazing! Thank you so much!
Are you sure this is a B+M M.2 slot? It looks like an M key slot.
Can you do me another favor and run pciconf -lcv to see how many PCIe lanes that M.2 slot has?

Quote from: poningru on March 21, 2025, 07:18:53 AM
This looks amazing! Thank you so much!
Are you sure this is a B+M M.2 slot? It looks like an M key slot.

You are absolutely correct! Updated. Thanks.

Quote:
Can you do me another favor and run pciconf -lcv to see how many PCIe lanes that M.2 slot has?
Done!
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Thanks so much! It looks like that M.2 is indeed a PCIe 3.0 x4 (currently populated by a Samsung SSD?)

Quote from: poningru on March 21, 2025, 07:05:14 PM
Thanks so much! It looks like that M.2 is indeed a PCIe 3.0 x4 (currently populated by a Samsung SSD?)

Indeed, yes. It's a spare SSD I swapped into it.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Thank you Ground_0, I purchased two new units off eBay and am working to set them up now for purposes of Internet firewall, routing and site-to-site WireGuard VPN between two locations. I have installed OPNsense onto an ORICO 128GB NVMe M.2 drive from Amazon. So far so good.

Regarding the port identification:

OPNsense Device → Label on Unit
igb0 → mgmt0
igb1 → mgmt1
ix0 → lan0
ix1 → wan0
ix2 → lan1
ix3 → wan1

Edit: I now see you listed the port mapping in your initial post, I just glazed over them. Thanks again!

Quote from: WarpConduit on April 12, 2025, 01:40:11 AM
Thank you Ground_0, I purchased two new units off eBay and am working to set them up now for purposes of Internet firewall, routing and site-to-site WireGuard VPN between two locations. I have installed OPNsense onto an ORICO 128GB NVMe M.2 drive from Amazon. So far so good.

Regarding the port identification:

OPNsense Device → Label on Unit
igb0 → mgmt0
igb1 → mgmt1
ix0 → lan0
ix1 → wan0
ix2 → lan1
ix3 → wan1

Edit: I now see you listed the port mapping in your initial post, I just glazed over them. Thanks again!

Thank you for your comprehensive, and improved port identification. I have included it in the OP.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Figured out the BIOS password: Kilimanjaro1 as per this reference page from STH
Changes I made:
* Disabled the watchdog
* Disabled the virtualization options (intel virtd, VT-d)
* Enabled EIST
* Changed console to 115200

Quote from: poningru on Today at 08:28:09 AM
Figured out the BIOS password: Kilimanjaro1 as per this reference page from STH
Changes I made:
* Disabled the watchdog
* Disabled the virtualization options (intel virtd, VT-d)
* Enabled EIST
* Changed console to 115200

I came across this last night as well!
Thanks for posting. I will update the OP.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*