If you watched American television in the 1980s, you would have invariably been exposed to the famous Folgers Coffee campaign: The Taste Test. The commercial would take place in a nice restaurant, with a voice-over that said “We are here at (insert name of four-star restaurant), where we’ve secretly replaced the fine coffee they usually serve with Folgers Crystals. Let’s see if anyone can tell the difference!” Of course, no one ever did, in the commercials anyway.
In #atlanta (EFnet) yesterday, I was talking about embedded firewall solutions, in particular m0n0wall and pfSense. I’ve been relying on m0n0wall for a little over a year now, running it on a WRAP 1C-2 device. m0n0wall is by far the cleanest and easiest custom firewall/access point solution I have used yet. Its performance has been great overall, though lately it has been more difficult to share bandwidth fairly with some of the “more demanding” visitors I’ve had around the house.
pfSense is a relative of m0n0wall, but uses cutting-edge networking technologies such as FreeBSD 6.0 and PF. Because of its new features, I felt that pfSense might give me better solutions for bandwidth sharing than m0n0wall did. If nothing else, FreeBSD 6.0 supports the wireless card that I’m using, which I cannot use with m0n0wall since it is based on FreeBSD 4.x. So, I tried to swap m0n0wall out for pfSense to see if the network would just suddenly “work better”.
Installing pfSense from Mac OS X
Installing pfSense was very easy. If you’re using Windows, you can ignore this section and just look at the wonderful pfSense Tutorials. Honestly, I first tried to see if I could simply “upgrade” my m0n0wall to pfSense using the web interface for firmware upgrades. After speaking with the pfSense developers, it seems that m0n0wall does not allow you to upload firmware updates that exceed 8MB, so I was stuck with taking apart the router and using a compactflash reader.
I took the 128MB CompactFlash card out of the WRAP and placed it in my FireWire CompactFlash reader that was hooked up to my PowerMac G5. A window popped up that asked if I would like to initialize the device, so I clicked “Ignore”. I then found the raw disk device by looking at which disk device had the most recent modification time:
% ls -la /dev/rdisk* | tail -4
cr--r----- 1 thomas thomas 14, 15 Jan 27 10:09 /dev/rdisk5
cr--r----- 1 thomas thomas 14, 16 Jan 27 10:09 /dev/rdisk5s1
cr--r----- 1 thomas thomas 14, 17 Jan 27 10:09 /dev/rdisk5s2
crw-r----- 1 thomas operator 14, 18 Jan 27 10:32 /dev/rdisk6
It looks like rdisk6 is it. Let’s go ahead and write this compressed image out to the CompactFlash card.
% gzcat pfSense-Embedded-1.0BETA1.img.gz | sudo dd of=/dev/rdisk6
It’s worth noting at this point that the pfSense 1.0b1 image is 59MB uncompressed, which is 8.4X larger than the m0n0wall 1.2 image, which stands at a paltry 7.0MB. We’re now ready to put the card back into the router and get a serial console up and running to it so that we can configure the LAN IP address. My PowerMac has no serial ports, so I ended up using my Keyspan USB PDA Adapter with a null modem cable. I used minicom to access the serial console, but there are other alternatives such as ZTerm.
Once connected via serial, I configured my interfaces, hooked up the Ethernet cables, and accessed the pfSense web interface.
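The flashing procedure above, as an added example (not from the original post): it selects the newest whole-disk rdisk node programmatically, refuses obviously wrong targets before running dd, and reads the card back to confirm the image landed intact. It assumes BSD stat(1) (`stat -f`) as on OS X, gzip in PATH, and that /dev/rdisk0 is the Mac’s internal drive and must never be written.

```sh
#!/bin/sh
# Print the whole-disk raw device (no sNN slice) with the newest mtime, i.e.
# the node that appeared when the card reader was plugged in. Reads
# "epoch path" lines on stdin so it can be exercised offline; live use:
#   stat -f '%m %N' /dev/rdisk* | newest_rdisk
newest_rdisk() {
  grep -E ' /dev/rdisk[0-9]+$' | sort -n | tail -1 | awk '{print $2}'
}

# Refuse targets that are empty, a slice, the internal drive (assumed to be
# rdisk0), or neither a character device nor a regular file (file targets
# exist only so the function can be tested without real hardware).
safe_target() {
  case "$1" in
    ""|/dev/rdisk0|/dev/rdisk0s*|*s[0-9]|*s[0-9][0-9]) return 1 ;;
  esac
  [ -c "$1" ] || [ -f "$1" ]
}

# Decompress IMAGE.gz onto TARGET, flush, then read back exactly the image
# length and compare checksums. Returns 0 only when the read-back matches.
flash_image() {
  img="$1"; dev="$2"
  safe_target "$dev" || { echo "refusing to write to '$dev'" >&2; return 1; }
  tmp=$(mktemp)
  gzip -dc "$img" > "$tmp"
  size=$(wc -c < "$tmp" | tr -d ' ')
  dd if="$tmp" of="$dev" bs=65536 2>/dev/null
  sync
  written=$(head -c "$size" "$dev" | cksum)
  expected=$(cksum < "$tmp")
  rm -f "$tmp"
  [ "$written" = "$expected" ]
}

# Usage on the Mac, after the card reader is plugged in:
#   card=$(stat -f '%m %N' /dev/rdisk* | newest_rdisk)
#   sudo sh -c ". ./flash.sh; flash_image pfSense-Embedded-1.0BETA1.img.gz $card"
```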
pfSense Woes
The first thing I noticed was that the pfSense web interface was slower than m0n0wall. Much, much slower. The WRAP only has a 266MHz CPU, but I’ve run far more complex interfaces on 266MHz machines. My hardware limitation appeared to be memory: I’ve only got 64MB in my router. Under m0n0wall, my memory utilization sits around 39%. Under pfSense, I saw messages in my system logs reporting that processes had to be killed due to lack of memory. Not good.
The next thing I noticed were some minor display bugs, possibly due to out-of-order operations that I did. I’ve reported these bugs to the pfSense developers, since they were pretty trivial to debug.
The next problem I had was getting pfSense to acquire a DHCP address from the cable modem. At first I thought this was a firewall rule issue (deny all), but the problem persisted even when I added a rule to the WAN interface to allow all from any to any. Looking at my logs, it seems that my WAN interface (sis0) was going online and offline. I couldn’t make heads or tails of this, so I used the web interface to import my old m0n0wall configuration into pfSense. This worked surprisingly well, and even changed the web interface to use the side-oriented display that m0n0wall uses rather than the awful dropdown menus that pfSense defaults to.
Still, I had no luck, but now I at least saw the interface statistics reference packets coming from the cable modem. I’m not sure what these packets were, since I didn’t know at the time that pfSense comes with tcpdump, unlike m0n0wall. I should have figured that they snuck some extra goodies into the huge image.
Throwing in the towel
In the end, I gave up on pfSense. I put m0n0wall 1.2 back on the CompactFlash card, configured my LAN address, and everything just worked. I didn’t even bother to import my old configuration. I really hated to do this, as pfSense seems to show promise. The beta I tried was a bit buggy, and really did not run all that great with 64MB of RAM. Sadly, my hardware is not upgradeable. I hope the memory footprint of pfSense will be a little smaller in the future, and the bugs worked out. I feel like a bad citizen of the open-source community by not helping the pfSense crew work out these minor issues, but I only have one WRAP that the house depends on to get to the internet.
As far as the Folger’s test goes: I like the house coffee better.