Building A Firewall: pfSense on an ALIX 2D3

With my fascination with FreeBSD and Information Security, it was only natural for me to get excited about pfSense, a “free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.”

After testing it out, I decided to replace the anemic built-in “firewall” on my SoHo Linksys wireless router with pfSense.  This would allow me to run pfSense in a production environment (even if it is just my home network) to get more familiar with it, as well as give me a robust firewall, able to do what I need for my up and coming plans to conquer the world from my home network. (More on this in another post)

So, I could run pfSense on an old box I had lying around, but I got to thinking of the electricity cost if I had this box on 24/7/365–There had to be a more efficient way to run it…

Which is when I stumbled across PC Engines, a Swiss-based engineering company that designs and manufactures hardware for embedded computer systems.  After doing a bit of research, I settled on the Alix 2d3, which gave me a 500MHz AMD Geode LX800, 256 MB RAM, 2x USB ports, and 3x NICs.   I started using this guy’s blog post as a guide to building my embedded pfSense firewall.

To start off with, here was my parts list:

(Costs include shipping)

(And yes, I know I could have gotten the serial cable stuff cheaper)


-1x Alix 2d3 Kit (Board + Power Supply + 1GB CF card + Black Case)  $201.53

-1x USB-to-serial adapter $19.94

-1x Null modem adapter (female to female) $17.13

-1x IDE to CompactFlash adapter  $8.20

Grand Total (with shipping):  $246.80


I went ahead and bought the Alix 2d3 kit from Netgate, and the rest of the parts from other sources.  Here is a photo of everything:

[Photo: img_3180_1]

After downloading the latest embedded image from pfSense.com, I needed to write the image to the CF card.  Well, the main OS I run on my laptop is Vista, so I thought I would just do it from there.

Now, I didn’t buy a regular CF Reader, but a CF to PATA converter.  I didn’t think this would be an issue, because I would just hook it up to my IDE to USB adapter and to my machine, like so:

 

[Photo: img_3181_1]

Unfortunately, this did not work.  The OS never even recognized that I had something plugged into the USB port.  I have no idea why.  So I went to plan B, and plugged it into an IDE spot on my test machine, and booted it up into FreeBSD.

 

[Photo: img_3185_1]

FreeBSD found the card no problem, and using dd, I was able to successfully write the image to the CF card.
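
One way to make the dd step above verifiable, as an added example that is not part of the original post: check the downloaded image against its published checksum before writing, then read the card back and compare. The function names are hypothetical, and the image path, device node and expected SHA-256 are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example: verified dd write. All paths and hashes are supplied by the caller.

# SHA-256 of stdin: sha256sum on Linux, sha256 -q on FreeBSD.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        sha256 -q
    fi
}

# write_verified IMAGE TARGET EXPECTED_SHA256
#   IMAGE    uncompressed image file (decompress first if the download is compressed)
#   TARGET   device node of the CF card, or a plain file for a dry run
#   EXPECTED checksum obtained from the publisher (assumed to be available)
write_verified() {
    image=$1; target=$2; expected=$3

    # 1. Refuse to write anything if the download does not match the checksum.
    actual=$(sha256_stdin < "$image")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch, not writing: got $actual" >&2
        return 1
    fi

    # 2. Write the image; notrunc only matters when TARGET is a plain file.
    dd if="$image" of="$target" bs=16k conv=notrunc 2>/dev/null || return 2
    sync

    # 3. The card is normally larger than the image, so read back only the
    #    image's byte count and compare that against the expected hash.
    size=$(wc -c < "$image" | tr -d ' ')
    readback=$(dd if="$target" bs=16k 2>/dev/null | head -c "$size" | sha256_stdin)
    if [ "$readback" != "$expected" ]; then
        echo "read-back mismatch: card contents differ from image" >&2
        return 3
    fi
    echo "ok: $size bytes written and verified"
}
```

Invoke it as `write_verified pfsense.img /dev/adX "$published_sha256"`, where the file name, device node and variable are placeholders for your own values.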

Next, I ran through RockPenguin’s directions of applying power to the board, and getting into the BIOS.  I will quote his directions here, after the photo:

 

[Photo: img_3192_1]

——-Start Quote———-

-Connect one end of the null-modem cable to your computer’s serial port and the other end to the serial port on the ALIX.

-Fire up your favorite terminal emulation software such as minicom (or Hyperterminal on Windows) and use the following settings:

Baud rate: 38,400
Data: 8 bit
Parity: None
Stop: 1 bit
Flow control: None
Terminal: ANSI

-Now apply power to the ALIX. If you are connected correctly, you should start to see the ALIX BIOS text.

-While the BIOS is going through the memory test press the “s” key to enter the BIOS setup.

-If you have successfully entered the BIOS setup, you should see the text with some different options. Do the following:

Press “9” to set the baud rate at 9600

Press “q” to quit the BIOS setup

Press “y” to save the settings to flash

-If you start seeing gibberish ASCII characters instead of text, then you need to set your terminal emulation software to 9600 baud instead of the 38,400 we set it at earlier.

-Now reboot the ALIX by power cycling the unit (unplug the power, plug it back in).

-With the terminal set to 9600 baud, we should see the boot-up process and if all is well it should look akin to a FreeBSD boot.

——–End Quote——–

 

Fortunately, my BIOS was already at the latest version, so I did not have to flash it like he did.

After this, I shut down the device, and put the board into the case, and screwed everything down.

 

[Photo: img_3195_1]

I then hooked it up to where I wanted it, and got it connected to the right cables.

Finally, I started it up again, and finished the initial pfSense configuration.

Here is the final product, hooked up, and ready to go:

 

[Photo: img_3198_1]

Final Thoughts:

-I actually thought it was going to be a lot more difficult–It only took me about 3 hours.

-You want to know what the average wattage for this bad boy is?  5 watts!


So ends my first firewall-building experience.

Josh

15 thoughts on “Building A Firewall: pfSense on an ALIX 2D3”

  1. […] admin on Apr.14, 2009, under Uncategorized As I alluded to in my previous post, putting in an actual firewall in my home network (instead of the soho linksys […]

  2. nathan says:

    I just did the same thing. Thanks for the writeup. It was handy to know about the 38400 baud thing.

    And… The alix is fast!

  3. Umarzuki says:

    Thanks for the tip on changing baud rate to 9600

  4. David says:

    This is very cool man!! Excellent. I’m gonna try

  5. Giancarlo says:

    Nice.

  6. fuzz says:

    Informative post. I’ve heard about Alix systems for pfsense, but the photos really helped. I had no idea they were so small. I’d like to do this as well, but the price tag is a lot more than FREE which is what my old Pentium II 233 is. I’ve been wondering how much electricity it draws, but I suspect it’ll take a while to consume $250-worth. I’m tempted to switch from old hdd to CF card, but I’m not sure if it’ll be worth the trouble.

  7. Lee Hall says:

    Great post, thank you.

    I was about to order from netgate when I came across a prebuilt pfsense/alix unit at nw-ds.com for only $140.

    https://nw-ds.com/shop/firewalls/lx700.html

    Do you think it is legit? Seems very cheap.

    • Josh says:

      Lee,

      It looks legit, but building your own is half the fun!

      :)

      -Josh

    • They are legit and good people, but they aren’t selling their LX series anymore due to the amount of support required from people that didn’t know how to use a serial port or something like that. I just ordered my first parts to build one myself. It’s basically the same thing you’ll build on your own, plus you get choice of colors, wireless cards and things like that. It’s cool.

  8. woo says:

    This tutorial is still valid if you want to build your own pfSense router with an ALIX board. I just followed these instructions after I bought an ALIX board from ebay. Installed pfSense 1.2.3, and shortly after that I upgraded pfSense to version 2.0.

    BTW, my ALIX board BIOS was already at the recommended version 0.99h, but I had to check anyway.

    Thanks for this very useful post.

  9. David says:

    Hi there, nice guide! I’d like to read it, but the images in your post seem to be missing.

  10. Josh says:

    Thanks David for letting me know.

    I have fixed it.

  11. Ian says:

    Great write-up. Toying with getting one of these myself, but also plan to do more than just basic pf firewalling – QoS/traffic shaping, possibly internal DHCP server, VPN endpoint. What’s the performance of the box like – do you think it would be able to do all that, and still have 14MBps over the WAN (plus LAN/DMZ traffic)?

    Ian

  12. Lucas says:

    Hello. Nice guide.
    One question.. Does pfSense work fine in 256ram??
    Thanks!!

  13. shawn says:

    Hi Ian, re performance: I think I read somewhere that the boxes will do something like 30-50Mbps of encrypted traffic. Obviously this would change with crypto settings, but I’m betting this is default ipsec. All crypto is done in the CPU.

    Separately, if you’re doing serious testing through it you’ll have issues with state table size unless you increase it from the default (one of the pauldotcom.com guys covers this)

    I love pfSense on embedded devices, I use one at home and worked for an org which had 100+ deployed happily for over 4 years now.

    Shawn
