Monday, February 13, 2012

HOWTO Install pfSense

Downloading pfSense

You can obtain the ISOs from any mirror.
If you plan on installing pfSense on Compact Flash (CF) or other flash media please only use the embedded image (pfSense-Embedded.img.gz). It has been optimized to perform minimal writes to disk, as CF cards have limited write cycles.
The pfSense-LiveCD.iso can be used for running pfSense from CD or for installation onto a hard disk. Running pfSense from a CD is recommended only for trial purposes; for any production installation, use the install to hard drive option.
Please also download the matching .md5 file to verify that your download was not corrupted or otherwise made unusable.
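
One way to carry out that check, as an added example that is not part of the original HOWTO: the functions below compare a downloaded image with its .md5 file and accept both the GNU and BSD checksum-file layouts. The function names and the .md5 file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): check an image against its .md5 file.
# Accepts both common checksum-file layouts:
#   GNU md5sum:  "<hash>  <filename>"
#   BSD md5:     "MD5 (<filename>) = <hash>"

# Print the MD5 of a file with whichever tool the platform ships.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5sum or md5 tool found" >&2
        return 2
    fi
}

# Print the hash recorded on the first non-empty line of a .md5 file.
expected_md5() {
    awk 'NF { h = ($1 == "MD5") ? $NF : $1; print tolower(h); exit }' "$1"
}

# verify_md5 <image> <md5-file>
# Returns 0 on match, 1 on mismatch, 2 if no usable checksum or tool was found.
verify_md5() {
    image=$1
    sumfile=$2
    want=$(expected_md5 "$sumfile") || return 2
    if ! printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "no MD5 checksum found in $sumfile" >&2
        return 2
    fi
    got=$(file_md5 "$image") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $image"
    else
        echo "MISMATCH: $image (expected $want, got $got)" >&2
        return 1
    fi
}

# Usage (the .md5 file name is assumed to be the image name plus ".md5"):
#   verify_md5 pfSense-Embedded.img.gz pfSense-Embedded.img.gz.md5
```

A matching MD5 shows the file arrived intact; it is not evidence of who published it.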

Standard (ISO) Installation

  • Restart your computer and enter your BIOS configuration screen.
  • Find and turn off the Plug-and-Play OS, and any ACPI/APM options. Disable any unnecessary onboard devices, such as sound cards, parallel ports and internal modems.
  • Change the primary boot device to your CD-ROM drive, insert the pfSense Live CD and restart your computer, saving the BIOS changes.

Embedded (Compact Flash) Installation

Windows

NOTE: We have a (possibly outdated) video tutorial showing the process of installing pfSense on a 128 MB CF card.
NOTE: Embedded by default boots on the 1st serial port at 9600 8N1.
WARNING: It is possible to overwrite the wrong drive/device if you enter the wrong number when prompted for the drive to write to. Read this tutorial carefully and only proceed if you are sure of what you are doing. (On the other hand, physdiskwrite will not write to disks larger than 2 GB, so if you only have larger hard drives it is pretty safe to use!)
You will need Manuel Kasper's physdiskwrite to write the image to the CF card. Download it and put it in the same folder where you stored pfSense-Embedded.img.gz; we'll assume this is C:\pfsense.
  • Open a command prompt (Start -> Run... -> cmd) and 'cd' to C:\pfsense:
C:\> cd C:\pfSense
  • Make sure your CF card is not attached to your computer, run 'physdiskwrite a' and note the output which will look similar to this:
C:\pfSense>physdiskwrite a 
physdiskwrite v0.5 by Manuel Kasper 
    
Searching for physical drives...
     
Information for \\.\PhysicalDrive0:
  Windows:       cyl: 14596
                 tpc: 255
                 spt: 63
  C/H/S:         16383/16/63
  Model:         SAMSUNG SP1203N
  Serial number: S00QJ10W504631
  Firmware rev.: SN100-20

Which disk do you want to write? (0..0)
  • Abort physdiskwrite (press Ctrl+C) and attach your CF media. Run 'physdiskwrite' again, this time specifying the image:
C:\pfSense>physdiskwrite pfSense-Embedded.img.gz
  • Compare the output to that of the first run. You will notice that a new physical drive has appeared, which will most likely be your CF media. When prompted, enter the right number and watch physdiskwrite write the image to your CF media. After physdiskwrite exits you can disconnect your CF card and put it into your pfSense box.

Linux

Use this command:
zcat pfsense-embedded.img.gz | dd of=/dev/sd[a] bs=16k
NB: a = device letter such as /dev/sda /dev/sdb
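
The warning about overwriting the wrong drive applies to dd as well, which asks no questions before writing. As an added example (not part of the original HOWTO), this pre-flight check applies the same 2 GB ceiling that physdiskwrite uses and refuses targets with mounted filesystems; check_target and the SYSFS/MOUNTS overrides are assumed names.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): sanity-check a dd target on Linux.
# SYSFS and MOUNTS can be overridden so the check can be run on a constructed tree.
SYSFS=${SYSFS:-/sys}
MAX_BYTES=$((2 * 1024 * 1024 * 1024))   # same ceiling physdiskwrite enforces

# check_target <name>    e.g. check_target sdb
# Returns 0 if the device is a whole disk of at most 2 GB with nothing mounted.
check_target() {
    dev=$1
    case $dev in
        ''|*/*) echo "give a bare device name such as sdb" >&2; return 2 ;;
    esac
    node="$SYSFS/block/$dev"
    # Only whole disks have a directory directly under /sys/block;
    # partitions such as sdb1 do not, so they are rejected here.
    if [ ! -d "$node" ]; then
        echo "$dev: not a whole disk under $SYSFS/block" >&2
        return 2
    fi
    # sysfs reports the size in 512-byte sectors
    sectors=$(cat "$node/size")
    bytes=$((sectors * 512))
    if [ "$bytes" -eq 0 ]; then
        echo "$dev: no media present" >&2
        return 1
    fi
    if [ "$bytes" -gt "$MAX_BYTES" ]; then
        echo "$dev: $bytes bytes is larger than 2 GB, refusing" >&2
        return 1
    fi
    # Refuse if the disk or any of its partitions is currently mounted
    if grep -Eq "^/dev/$dev[p0-9]* " "${MOUNTS:-/proc/mounts}" 2>/dev/null; then
        echo "$dev: has mounted filesystems, unmount them first" >&2
        return 1
    fi
    echo "$dev: ok ($bytes bytes, removable=$(cat "$node/removable"))"
}

# Usage:
#   check_target sdb && zcat pfsense-embedded.img.gz | dd of=/dev/sdb bs=16k
```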

FreeBSD

Use this command:
gzip -dc pfsense-embedded.img.gz | dd of=/dev/da[n] obs=64k
NB: n = the device number of your CF card (check dmesg)

Mac OS X

Tested on 10.3.9 and later. It is recommended that you disconnect all disks except for your startup disk before carrying out this procedure, as an error in specifying the drive to be written to could cause data loss.
  • Plug in your CF reader with CF card inserted
  • If OS X pops up a message saying that the card could not be read, click Ignore.
  • Open Disk Utility
  • Select any Partitions of your CF Card that are mounted, and click the unmount button. The partitions should now appear greyed out.
  • Select your CF Card Reader in the left-hand column, and click the Info button
  • Note the 'Disk Identifier': e.g. 'disk1'
  • Open Terminal
  • cd to the directory containing the pfSense image
  • Use this command:
gzcat pfsense-embedded.img.gz | dd of=/dev/disk[n] bs=16k
NB: disk[n] is the Disk Identifier found above
Alternatively, do it entirely from the command line:
$ diskutil list
/dev/disk0
  #:                       TYPE NAME                    SIZE       IDENTIFIER 
  0:      GUID_partition_scheme                        *298.1 Gi   disk0
  1:                        EFI                         200.0 Mi   disk0s1
  2:                  Apple_HFS Macintosh HD            297.8 Gi   disk0s2
/dev/disk1
  #:                       TYPE NAME                    SIZE       IDENTIFIER
  0:        CD_partition_scheme 30 Days To Great French *521.4 Mi   disk1
  1:                      CD_DA                         7.8 Mi     disk1s1
  2:                      CD_DA                         7.8 Mi     disk1s2
  3:                      CD_DA                         18.2 Mi    disk1s3
  4:                      CD_DA                         13.8 Mi    disk1s4
  5:                      CD_DA                         14.0 Mi    disk1s5
  6:                      CD_DA                         12.1 Mi    disk1s6
  7:                      CD_DA                         14.2 Mi    disk1s7
  8:                      CD_DA                         21.5 Mi    disk1s8
  9:                      CD_DA                         16.6 Mi    disk1s9
 10:                      CD_DA                         14.7 Mi    disk1s10
 11:                      CD_DA                         24.3 Mi    disk1s11
 12:                      CD_DA                         16.6 Mi    disk1s12
 13:                      CD_DA                         22.4 Mi    disk1s13
 14:                      CD_DA                         14.7 Mi    disk1s14
 15:                      CD_DA                         20.5 Mi    disk1s15
 16:                      CD_DA                         19.4 Mi    disk1s16
 17:                      CD_DA                         15.3 Mi    disk1s17
 18:                      CD_DA                         17.9 Mi    disk1s18
 19:                      CD_DA                         18.2 Mi    disk1s19
 20:                      CD_DA                         16.0 Mi    disk1s20
 21:                      CD_DA                         26.8 Mi    disk1s21
 22:                      CD_DA                         18.8 Mi    disk1s22
 23:                      CD_DA                         21.7 Mi    disk1s23
 24:                      CD_DA                         14.5 Mi    disk1s24
 25:                      CD_DA                         22.2 Mi    disk1s25
 26:                      CD_DA                         16.7 Mi    disk1s26
 27:                      CD_DA                         20.9 Mi    disk1s27
 28:                      CD_DA                         16.0 Mi    disk1s28
 29:                      CD_DA                         20.8 Mi    disk1s29
 30:                      CD_DA                         17.1 Mi    disk1s30
/dev/disk2
  #:                       TYPE NAME                    SIZE       IDENTIFIER
  0:      GUID_partition_scheme                        *90.0 Mi    disk2
  1:                  Apple_HFS Processing              90.0 Mi    disk2s1
/dev/disk3
  #:                       TYPE NAME                    SIZE       IDENTIFIER
  0:     FDisk_partition_scheme                        *978.5 Mi   disk3
  1:                 DOS_FAT_32 UNTITLED                978.4 Mi   disk3s1
$ diskutil umount disk3
$ gzcat pfsense-embedded.img.gz | dd of=/dev/disk3 bs=16k
7665+1 records in
7665+1 records out
125587456 bytes transferred in 188.525272 secs (666157 bytes/sec)

Notes on installation to specific hardware

If you are trying to install pfSense to an embedded platform other than a PC-Engines WRAP or a Soekris 45XX/48XX, the pfSense wiki may have instructions or tips to help you.
Also see Microdrive embedded installations.

Embedded (Compact Flash) Upgrade

An alternative way to upgrade without having to use the serial console, do the initial configuration and upload the .xml file. Intended for those too lazy to connect the serial cable and configure NICs at boot, like me. It works by mounting the embedded image file and overwriting the conf/config.xml file. I managed to do it in FreeBSD (*BSD, I guess), and using a stunt in Mac OS X.

FreeBSD native or Windows, Linux using VMware

  • Prerequisites: VMware Player, downloaded pfSense-*-Embedded.img.gz, config.xml from running pfSense (download in WebGUI: Diagnostics-Backup/Restore)
  • Example, upgrade from pfSense BETA4 to 1.0.1
 1. BSD users jump to step 3
    get FreeBSD 6.1 vmware player image from
    http://www.thoughtpolice.co.uk/vmware/#freebsd6.1
 2. read howto guide (use dhcp for network, and install openssh to copy files)
    http://www.thoughtpolice.co.uk/vmware/howto/1-minute-guide.html#freebsd6.1
 3. copy and mount the unpacked image's configuration partition
    # scp user@hostname:pfSense-*-Embedded.img.gz pfsense.img.gz
    # gunzip pfsense.img.gz
    # mkdir /mnt/pfsense
    # mdconfig -a -t vnode -f pfsense.img -u 0
    # mount /dev/md0d /mnt/pfsense
 4. copy backup.xml over existing config.xml
    # scp user@hostname:backup.xml /mnt/pfsense/conf/config.xml
 5. unmount
    # umount /mnt/pfsense
 6. detach and free resources of md0
    # mdconfig -d -u 0
 7. pack it
    # bzip2 -k pfsense.img
 8. copy to windows/linux, unpack it there and write to CF (replace /dev/sdc with your CF device)
    # scp pfsense.img.bz2 user@hostname:
    # bunzip2 pfsense.img.bz2
    # dd if=pfsense.img of=/dev/sdc bs=16k
 9. put new CF card into WRAP board and boot

Mac OS X together with qemu

  • Please NOTE: This is a stunt you can perform on a Mac OS X box, definitely not for the faint-hearted.
  • Prerequisites: Q from http://www.kju-app.org/kju/ (this is an awesome adapted version of qemu for Mac; it has OpenGL support, for example), and the config.xml from the running pfSense renamed to config.xml.img; find out its file size in bytes.
 1. configure the qemu environment like this:
    hardware tab:
    platform: x86 PC
    Hard Disk: choose the pfSense-*-Embedded.img file
    Network card: DO NOT choose rtl8139 (networking doesn't work anyways, but this will crash pfSense on boot)
    Advanced tab:
    Harddisk 2: choose config.xml.img
    QEMU arguments: -serial telnet::7890,server,nowait
 2. start pfSense in Q and connect to "serial console" by doing this in Terminal.app
    # telnet localhost 7890
 3. wait for the boot stuff to finish and enter the shell (menu 8)
    - mount read/write
    # mount -u /cf
    # cd /conf
 4. "copy" the xml 
    - copy to temporary file first (read from disk only works with blocksize>=512)
    - NOTE: count = ceil(<.xml file size in bytes> / 512)
    # dd if=/dev/ad1 count=95 > config2.xml
    - copy to targetfile
    - NOTE: count = <.xml file size in bytes>
    # dd if=config2.xml of=config.xml bs=1 count=48277
 5. exit shell, reboot pfSense in Q and watch the output to see whether config.xml can be read
 6. halt pfSense and exit Q "without saving PC"
 7. write image to CF card
  • Linux native: Linux mounts UFS read-only, no idea how to do it. Using VMware Player in Linux as shown above should work quite nicely though.

Connecting to pfSense on a WRAP or Soekris board for the first time

Connecting to pfSense for the first time will need to be done via minicom in Linux or HyperTerminal in Windows.
Terminal settings for the WRAP are 9600 8 N 1, while the Soekris defaults to 19200 8 N 1.

You will need to configure your LAN Interface with an IP address. The LAN interface is the one next to the power cable.
You may then connect via the web interface and continue configuration of pfSense.
First connection via SSH

If you would like to connect to your firewall with an SSH shell, you will need to enable SSH in the WebGUI under System -> Advanced.
