Hardware

Protectli Products

WiFi on the FW2B

phil September 22, 2020

Overview

Protectli offers an optional WiFi kit that can be used with the Vault. The Product ID for the WiFi Kit is WAP01K. There is an article that explains how to install the kit into the Vault and how to configure it with some of the supported applications.

The Protectli wireless card supports 802.11 B/G/N in the 2.4 GHz band. However, it is non-standard, in that while it utilizes the PCIe physical form factor, the electrical data communication path is via USB. This is because most of the PCIe “lanes” are used for Ethernet ports. The result is that Protectli doesn’t recommend it for heavy duty WiFi applications.

The FW2B is an exception. Due to the fact that there are only 2 Ethernet ports, more PCIe lanes are available for data communication, so the Fw2B is compatible with many standard PCIe WiFi cards that use the PCIe bus for communication.

WiFi card compatibility also requires driver support in the Operating System (OS) that is deployed in the Vault. Common PCIe WiFi vendors that enjoy wide driver support include Atheros and Intel. This article uses an Atheros PCIe WiFi module with the FW2B as an example of a compatible module.

Install the WiFi Kit

The third party WiFi Kits typically contain the same or similar contents as the Protectli WiFi Kit, and they are installed in the same slot of the FW2B. See this Knowledge Base article to install the WiFi Kit into the Vault.

HP 495848-003 with Atheros AR5BHB92-H, pfSense® CE

The Hewlett Packard HP 495848-003 with the Atheros AR5BHB92-H chipset is a WiFi kit that has successfully been tested with the FW2B as a WiFi access point with pfSense® CE v2.4.5. The module is available on Amazon at this link. The module was configured for 802.11an in order to use the 5 GHz band and MIMO technology with 802.11n.

pfSense® CE Configuration for WiFi Access Point

There is another Knowledge Base article that describes how to install pfSense® CE on the Vault at this link. The information below is specifically to enable the WiFi card and assumes that the user has already successfully installed pfSense® CE and the WiFi kit on the FW2B. The example below uses pfSense® CE version 2.4.5 to configure the WiFi interface as an Access Point for 802.11AN.

Verify that pfSense® CE version 2.4.5 and and the WiFi interface have been installed on the FW2B
Browse to the LAN port on the FW2B at 192.168.1.1 in order to access the pfSense® CE Dashboard
Verify the login page is displayed
Login and verify that the dashboard page is displayed
Select Interfaces->Interface Assignments
Select Wireless
Add the WiFi interface
Verify it is “ath0 (Atheros 9280)”
Set Mode to “Access Point”
Add a Description if desired (optional, recommended)
Save
Verify ath0_wlan0 with “Access Point” and Description is displayed
Return to Interfaces->Interface Assignments
Add the WiFi Interface “ath0_wlan0”
Edit the WiFi interface by clicking on the name in the left column (OPT1)
General Configuration
- Enable interface
- Description – Change Description if desired (recommended)
- IPv4 Configuration Type – Static IPv4
Static IPv4 Configuration
- IPv4 Address – Enter the desired IP address for the WiFi network and the subnet mask, this example uses 192.168.99.1 / 24
Common Wireless Configuration
- Standard – 802.11na
- Channel 11a/n – 161 (channel may vary, 161 was used for this example)
Network-Specific Wireless Configuration
- Mode – Access Point
- SSID – Set SSID (case sensitive, this is the ID that other clients will use to connect) “Test99” was used in this example
- Enable WME
WPA
- Enable WPA
- WPA Pre-Shared Key – Set key (essentially SSID password, case sensitive, this is the password that other clients will use to connect)
- WPA Mode – WPA2
Save
Apply Changes
Verify the changes have been applied successfully.

As with any other interface, when using pfSense® CE, Services and Firewall rules must be configured in order to connect and pass traffic on the interface. For this example, DHCP server will be configured for the WiFi interface and all traffic will be allowed to pass. Firewall rules should be edited later for desired security.

Go to Services->DHCP Server and select the WiFi interface
General Options
- Enable DHCP serverS
- Set the DHCP range (192.168.99.10 – 192.168.99.100 in this example)
- Save
Verify the changes have been applied successfully.
Go to Firewall->Rules and select the WiFi interface
Add a Rule to allow all traffic to pass for this test
- Action – Pass
- Protocol – Any
Save
Apply Changes
Verify the changes have been applied successfully.
Verify that the WAN port is connected to the Internet
Verify that another device, such as a PC or laptop can connect to the WiFi network that was just created using the SSID and password for the WiFi network
Verify that the PC can browse out to the Internet

More details regarding WiFi configuration for pfSense® CE can be found at this link.

At this point, the FW2B with pfSense® CE v2.4.5 configured as a WiFi Access Point should be up and running.

As usual, if you have any questions or issues, feel free to contact us at: https://protectli.com/contact/

How to Configure pfSense® CE for 4G LTE Failover

phil October 16, 2019

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
Connect the WAN and LAN ports to the devices or ports that they are normally connected to
Connect the OPT1 port to the LAN port of the 4G LTE modem
Browse to the pfSense ® CE GUI and login
Select Interfaces->Interface Assignments
Add OPT1 and select the default Network port (em2 or igb2)
Select “OPT1” to configure the port
Select General Configuration->Enable->Enable interface check box
Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem

pfSense OPT1 interface — Interfaces->OPT1

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select Status->Dashboard and verify that the Dashboard is displayed
Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

Select System->Routing->Gateways
Verify WAN_DHCP is displayed
Select Edit Icon
Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select System->Routing->Gateways
Select ADD button
Add OPT1 Interface
Verify the Name is OPT1_DHCP
Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up

pfSense routing gateways OPT1_DHCP — OPT1 Gateway

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

Select System->Routing->Gateway Groups
Select ADD button
Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
Set Edit Gateway Group Entry->Description if desired

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

Select Firewall->Rules->LAN
Select Edit for “Default allow LAN to any rule”
Select ADVANCED button
Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above

pfSense firewall rules — LAN Firewall Group

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

Select Status->Gateways
Verify WAN_DHCP and OPT1_DHCP Gateways are online

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
Select Dashboard and monitor the Traffic Graphs
Verify the WAN and LAN ports have similar high levels of traffic
Disconnect the WAN port from the Vault
Verify the video continues to play
Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
Reconnect the WAN port to the Vault
Verify the video continues to play
Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us: You can submit a ticket here, or find more information in our Knowledge Base.

How to Use 4G LTE Service with the Vault

phil October 9, 2019

4G LTE Service Overview

4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. 4G LTE Service can be used with the Vault as a backup/failover Internet connection in the event the primary WAN service is down or as the primary WAN interface when a wired Internet connection is unavailable . For any business or operation, a 4G LTE failover solution ensures that Internet connectivity is preserved and eliminates potential loss of sales and loss of productivity. Maintaining a constant Internet connection is particularly crucial these days as so many applications and business functions are in the “cloud” and only accessible via the Internet.

4G LTE Service options are extremely cost effective compared to the loss of business and/or productivity. Baseline pricing is $29.99 per month for 1 Giga Byte (GB) of data or $34.99 per month for 1 GB with a public Static IP address. Additional usage is only $1 per 100 MB for either subscription plan. Protectli 4G LTE Products and Services can be found at this link.

In addition to backup/failover, there are numerous applications that are ideal for a standalone cellular connection. Examples are:

Temporary or short term connections for construction sites, sporting events, concerts, etc.
Permanent retail kiosks that are not close to a wired connection
Remote sensor monitoring
Remote vehicle and storage areas
Many others ……

4G LTE Service Configuration

As noted above, the 4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. The modem and subscription plan are ordered together from Protectli. Protectli will insert a SIM card for the subscription plan and test connectivity to the cellular service. When the modem arrives it is fully functional and no configuration is required on the modem itself. It is required to attach the antennas to the “Main” and “Aux” connectors of the modem to get a good signal. Simply connect the LAN port of modem to one of the Vault’s Ethernet ports using the supplied Ethernet cable. There may need to be configuration of the Vault, depending on the installed operating system (OS). See the Protectli Knowledge Base at this link for articles that are specific to 4G LTE and particular OS.

4G LTE Service Specifications

4G LTE Category 4
Max download data rate up to 150 Mbits/second
Max upload data rate up to 50 Mbits/second
3G Failover
Band 2 (1900 MHz), Band 4 (1700/2100 MHz), Band 5 (850 MHz), Band 17 (700 MHz)

4G LTE Service Documents

Data Sheet, see this link
User Manual, see this link

If you need additional assistance, please feel free to reach out to us at support@protectli.com. You can also find more information in our Knowledge Base.

How to Configure a PXE Server on CentOS 7 with pfSense® CE

Luke Green July 24, 2019

Overview

PXE (Preboot Execution Environment), allows for remote clients to boot from a network hosted image. In this article we will be setting up a PXE server on CentOS 7 with a pfSense® router in place. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot which has PXE capabilities.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will be configuring a CentOS 7 server for hosting PXE files along side pfSense® running the DHCP server to allow for network boot and install of CentOS 7 on a FW2B flashed with coreboot.

FW6C – Hosting a virtual machine of CentOS 7
FW4B – Running pfSense®
FW2B – coreboot flashed for PXE

Prerequisites

For this guide we will assume the following are in place:

PXE enabled client
CentOS 7 Server
pfSense® router with DHCP enabled

Setting Up the PXE Server

Log into the CentOS 7 server
Verify all the packages are updated using the following command

#yum update -y

Install the required packages using the following command

#yum install syslinux xinetd tftp-server vsftpd wget -y

Edit the TFTP configuration file with the vi command

#vi /etc/xinetd.d/tftp

Change disable from yes to no.
Tips for vi editing: Press ‘Insert’ on the keyboard to edit the file, ‘Esc’ to exit edit mode, and type “:wq” to write and close the file.

Change directory to syslinux and copy the necessary files to the TFTP

#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot

Make and change to the tmp directory.
Download a CentOS 7 image. The following address is for a minimal image, but you may find your own mirror and version

#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso

While in tmp mount the downloaded image and copy the files to the FTP directory

#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/

Make a directory for the image files and copy them over

#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7

Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img

#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7

Create a PXE configuration file that points to the correct files

#mkdir /var/lib/tftpboot/pxelinux.cfg

Make note of the IP address for the next steps. Use the following command to show IP address

#ip a

Open the PXE configuration file with the vi editor

#vi /var/lib/tftpboot/pxelinux.cfg/default

Add the following lines to this new configuration file. Screenshot below is an example of what it should look like.

default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7

use ‘:wq’ to save and exit the editor

Enable and start the TFTP and FTP services

#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable tftp.service
#systemctl start tftp.service

Add firewall rules for the TFTP and FTP servers

#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload

Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab

pfSense DHCP server — pfSense® DHCP Server

Scroll down to “Other Options” and fill in the TFTP server IP address
Verify the “Enables network booting” box is ticked
Enter the IP address of the Next Server (same as TFTP)
For “Default BIOS file name” enter pxelinux.0

Click Save

At this point you can boot up the PXE client and verify that it lists the image and network installation functions.

Created OnAugust 8, 2018

Last Updated OnMarch 27, 2020

byphil

Overview

Depending on individual use cases, different hardware firewalls may be useful for different types of network applications and as such, Protectli offers different hardware with varying capabilities. Frequently, it is useful for a customer to know the performance characteristics of specific hardware before making a decision to purchase. This article aims to provide a baseline of IPSec performance for several different Vaults, as tested in a lab environment, so the customer can make an informed decision as to what products best suit their needs.

Basic Performance

In a basic setup, The Vault is capable of routing/switching packets at wire speed on all ports for all models. For a 1 Gbps ethernet interface, the actual throughput is ~940 Mbps due to overhead in an IP packet. The test network consists of 2 computers running Ubuntu 18.04 version of Linux and 2 Vaults running pfSense® CE version 2.4.3. One of the Ubuntu computers is running iperf3 as a server, the other is running iperf3 as a client.

IP LAN diagram

IP LAN

IPsec

IPsec is a set of protocols that is used to authenticate and encrypt/decrypt packets to provide secure transport of packets through the network. An IPsec “tunnel” encrypts the entire packet, not just the payload, and is commonly used to create Virtual Private Networks (VPN).

Configuring IPsec

When configuring IPsec tunnels (and other secure connections) multiple parameters must be configured. The set of parameters is known as a “cipher suite”. The parameters consist of a Key Exchange method, an Encryption method and a Message Authentication method. The configuration must be identical at each end of the tunnel in order to make a connection. An operating system or IPsec implementation will typically support multiple ciphers for each of Key Exchange, Encryption, and Message Authentication that can be combined to form many different cipher suites.

OpenSSL, which is an open source software library, provides a large number of ciphers. The list of ciphers supported can be displayed with the command “openssl ciphers –v”. The cipher suite is described by combining the methods together into a single string. For example, the cipher DH-RSA-AES256-SHA256 indicates:

Diffie-Hellman (DH) Key Exchange using a Rivest, Shamir, Adelman key (RSA) with 
Advanced Encryption Standard 256 bit (AES256) encryption 
and Secure Hash Algorithm 256 bit (SHA256) message authentication.

There are various standards and recommendations that dictate the required cipher suite for different applications that is beyond the scope of this article.

The diagram below shows an IPsec tunnel. The difference between the LAN example above and the IPsec tunnel is that the entire packet is encrypted “end-to-end” between the Vault/Firewalls and the data can travel through the network securely.

IPSec diagram

IPsec Tunnel

IPsec Performance

Adding an IPSec tunnel introduces “overhead” which is added when a packet enters a tunnel and stripped off when a packet leaves the tunnel. This process adds additional data to each packet, but is not part of the payload. Therefore, when running performance measurement tests, the indicated traffic throughput will be less than throughput achieved without an IPSec encrypted tunnel.

In addition to the pure impact on the payload due to additional overhead, the device that adds the overhead must also encrypt the data. Similarly, the device at the other end of the tunnel receiving the packet must decrypt the data before sending it onward. Encryption and decryption of the packet requires significant processing power and affects the throughput of the devices. The latest versions of The Vault include Intel’s AES-NI hardware support which facilitates faster encryption/decryption with less impact on CPU performance.

The performance varies depending on the parameters of the many different cipher suites. For example, a cipher suite that uses AES128 may perform better than AES256 due to easier encryption/decryption. It would be difficult if not impossible to test all possible cipher suites.

In order to test performance, pfSense® CE 2.4.3 was installed on the Vaults and IPsec tunnels were configured with the following cipher suite:

Diffie Hellman (DH) Key Exchange using Pre-Shared Key (PSK)
AES256 bit encryption algorithm with 128 bit blocks using the Galois/Counter Mode (GCM) operation
Secure Hash Algorithm (SHA) 256 bit Message Authentication

The configuration pages at VPN->IPsec->Tunnels are shown below.

pfSense IPSec tunnels

IPsec Tunnel Configuration

IPsec Tunnel Configuration

IPsec Tunnel Configuration (Remote End)

In this example, data from LAN network 192.168.10.0 is “tunneled” to LAN network 192.168.20.0 over the WAN interface. In the reverse direction, data from LAN network 192.168.20.0 is “tunneled” to LAN network 192.168.10.0 over the WAN interface.

The max throughput as tested over the IPsec tunnel for a 1 Gbps Ethernet interface is ~880 Mbps, which is expected due to the overhead added by the IPsec configuration. The results of performance tests run on the Vaults that contain AES-NI hardware support are shown in the table below.

Edit
Vault Model	Unencrypted LAN (Mbps)	Encrypted IPsec AES-256-GCM/SHA256 (Mbps)	Encrypted OpenVPN AES-256-CBC/SHA256 (Mbps)
FW2B	940	240	110
FW4B	940	250	115
FW4A	940	280	120
FW6A	940	880	380
FW6B	940	880	550
FW6C	940	880	580

Conclusions on IPSec Performance

IPsec is a critical set of protocols used to provide secure communication through the Internet. There are many different cipher suites that can be used depending on the requirements of the user. The configuration used may impact the performance and therefore the throughput of the devices in the network. This tutorial is an aid to selecting the best Vault for your application.

If you experience any issues, feel free to reach out to us: You can submit a ticket here, find more information in our Knowledge Base, or visit the official pages at pfSense.org as reference.

How to configure UEFI on the Vault

Luke Green May 16, 2019

UEFI Overview

UEFI is an acronym for Unified Extensible Firmware Interface. It is a specification that defines a new model for the interface between operating systems (OS) and platform firmware. It is a replacement for legacy BIOS. More information may be found on the UEFI Forum website at: https://uefi.org/

Recent updates to some OS software have introduced incompatibility between the default installation of the OS with some of the Vault hardware platforms. Setting the BIOS mode on the Vault to UEFI eliminates some of these issues. The article below will detail how to set the BIOS mode to UEFI.

Changing BIOS mode to UEFI

Verify that the Vault is powered down
Verify that the monitor is connected
Verify that the USB keyboard is connected
While powering up the Vault, press “DEL” key
Verify that the system boots into the BIOS

Select the “Advanced” tab

Select “CSM Configuration”

Select “Boot option filter”

Verify the Boot option filter menu is displayed
Select “UEFI only”
Press Return(Enter)
Press “F4” to save and exit the BIOS
Power off the Vault

At this point UEFI mode is enabled. See the specific installation guide for the desired OS.

If you experience any issues, please feel free to reach out to: support@protectli.com.

How to Customize the Boot Splash Screen

phil September 11, 2018

Overview

The “Splash Screen” is the graphical image or logo that is briefly displayed at boot up of the system. The splash screen for the Vault can be customized to enhance the brand awareness of the product and/or solution. Protectli provides a Windows tool that can be used to change the BIOS and customize the splash screen.

Splash Screen File

The splash screen file is a “bitmap” file with an extension of “.bmp” in Windows. The bitmap file used for the splash screen must have maximum dimensions of 800 x 600 and be less than 1.4 MB. If there is already a logo file in “.jpg” or “.png” format, that file can be converted to a bitmap file using the Windows Paint program or other tools.

Verify the Desired Splash Screen File

On Windows, right click the desired file
Select Properties
Verify “Type of File” is BMP file
Select the Details tab
Verify the Dimensions are 800 x 600 or less
Verify the Size is 1.4 MB or less

Convert the Desired Splash Screen File

If the desired file is in JPG or PNG format, it can be converted to Bitmap using the Windows Paint program. This procedure is only necessary if the desired file is not already in Bitmap format.

On Windows, right click the desired file
Select Edit
Verify the Paint program starts and the graphical image is displayed
Select File->Save As->Save as type:
Verify the dropdown menu that contains these bitmap options is displayed
- Monochrome Bitmap
- 16 Color Bitmap
- 24 Color Bitmap
- 24-bit Bitmap
Select the desired bitmap format
Note that the formats listed in the dropdown are in increasing order of quality and increasing order of size
Select Save
Right click on the newly created bitmap and verify that it is less than 1.4 MB
If greater than 1.4 MB, repeat this procedure with a lesser quality bitmap format

Download the BIOS

The BIOS folder for each specific model of the Vault is available at this link. Be very sure when downloading and installing the BIOS that it is the correct BIOS for the specific Vault. Installing incorrect BIOS may result in an inoperable system.

Download the BIOS zip file for the model of the Vault from the link above
Verify the BIOS zip file is downloaded
Unzip the file and verify the BIOS folder is downloaded

Download the BIOS Logo Tool

There are two BIOS logo tools. One is for the FW1, FW2, and FW4 models of the Vault. The other is for the FW6 models of the Vault. The FW1, FW2, and FW4 tool is at this link. The FW6 tool is at this link.

Download the BIOS logo tool zip file for the model of the Vault from the link above
Verify the proper BIOS logo tool zip file is downloaded
Unzip the BIOS logo tool

Use the BIOS Logo Tool to Change the Splash Screen

Double click on the BIOS Logo executable file
Verify the “Change Logo” application appears on the screen

Change Logo Application

Select the “Load Image” button

Load Image Button

Verify navigator window is displayed

Navigator Window

Verify/Select “Files of type:” All Files
Navigate to the BIOS folder
Select the .bin file
Select “Open”

.bin File

Verify the .bin file is displayed in the proper folder in the “Aptio Image” Box

Aptio Image Box

Select Browse Button

Browse to find Bitmap File

Verify the navigator window is displayed
Select files of type “BMP Files (*bmp)
Navigate to the desired bitmap file
Select the .bmp file
Select Open
Verify the desired bitmap file is displayed in the “Select BMP file” box

Select BMP File

Select the Replace Logo button

Replace Logo

Verify the “Save Image As” button is now not grayed out

Save Image As Button

Select the “Save Image As” button
Verify the navigator window is displayed
Navigate to the BIOS folder, this is where the new BIOS file will be placed
Manually enter the name of the original .bin file, note that it must be exactly the same name

BIN File

Select Save button
Verify the Success message is displayed in the lower left of the tool

Success Message

Create Bootable USB Drive and Install New BIOS

Now that the new bitmap file has been created, the BIOS folder must be transferred to a USB drive and then used to update the BIOS on the Vault. Follow the instructions at this link to create a bootable USB drive, transfer the new BIOS folder to the USB drive, and install the new BIOS on the Vault.

Verify the splash screen has the new logo or image during initial boot
Verify the system boots

At this point, the new splash screen should be installed on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com. For more information, visit our Knowledge Base.

Verify Intel Spectre and Meltdown Vulnerabilities

phil August 9, 2018

Overview

There are known security vulnerabilities with Intel processors that are named “Spectre” and “Meltdown”. These vulnerabilities are documented at this link. There is a Windows based tool that can analyze the the system to determine if it is vulnerable to Spectre or Meltdown. This document describes how to use that tool to assess the vulnerability of the Vault. Information regarding specific BIOS updates to the different Vault platforms can be found from links on the product pages.

On a Windows computer,

Browse to InSpectre homepage at https://www.grc.com/inspectre.htm
Scroll down to Download Button and download InSpectre application from this link.
Verify that the file/application “InSpectre.exe” is downloaded to the Windows computer
Run InSpectre (double-click) and verify the application pops up

inspectre

InSpectre & Meltdown Vulnerability Status – Not Protected

Verify that both Meltdown and Spectre vulnerabilites are protected.

If not, update the Vault to the appropriate BIOS that addresses the vulnerabilities. See the latest BIOS at this link.

Update BIOS on the Vault
Rerun the InSpectre application
Verify vulnerabilities are protected

inspectre

InSpectre & Meltdown Vulnerability Status – Protected

At this point the Vault should be protected from the Spectre and Meltdown vulnerabilities. However, if there are any issues, feel free to reach out to us at support@protectli.com or find more information in our Knowledge Base.

FW2B FW4B Series Hardware Overview

phil August 8, 2018

As with all Protectli Vault hardware, the FW2B and FW4B series need only RAM (memory) and mSATA (storage) added in order to have a fully functional hardware system. In addition, an optional WiFi module can be installed as well. For more information on HW compatibility, see this link.

The FW2B and FW4B series hardware are slightly different, but the chassis form factor, general board layout, and placement of components is largely the same. The FW2B and FW4B vary mainly in the type of CPU they have and the number of network ports. For a full comparison among different models, please see this page.

The annotated photo below shows the location of the various sockets. The FW2B is pictured. Note that the memory socket is underneath the mSATA and WiFi sockets.

vault motherboard

CPU

The FW2B series uses an Intel J3060 processor and the FW4B series uses an Intel J3160 processor. Both of these CPUs have built in suport for Intel’s AES-NI hardware encryption.

Memory

There is a single SODIMM socket for memory. Additional information on compatible memory modules can be found in the Hardware Compatibility page. The maximum supported memory size is 8GB of DDR3L (1.35V).

mSATA

The FW2B, and FW4B series come with a single mSATA socket. This socket is capable of holding any logical size mSATA.

WiFi

The WiFi module socket is a mini PCIe form factor socket on the FW2B and the FW4B, however, there are important differences in the connectivity of this slot. The FW2B can accommodate a standard (PCIe connected) mini PCIe WiFi module. The FW4B, while mini PCIe in form factor, is USB connected, limiting functionality and throughput as compared to PCIe modules. Protectli sells a USB connected mini PCIe form factor WiFi module that is available here. Instructions for installation of the WiFi module can be found here. The FW2B can also accommodate the USB connected, Protectli mini PCIe/USB WiFi module.

vault ports

Port Connectivity

The ‘Front’ of the FW4B Vault is pictured above. The FW2 is different, as it only has 2 network ports (WAN and LAN) but an additional 4 USB 2.0 ports.

Power should be supplied by the included power supply, which is rated for 12V at 3.3A.

The Power LED, which lights up green when power is applied, indicates that the Vault has power applied. It does not indicate the status for the operating system

The Drive Activity LED will blink, according to mSATA drive activity. Usually, the user will see the most activity as the unit is booting, or if the unit is under heavy load. For most operating systems, this indicator will not be on and only blink occasionally under most conditions.

The Network ports are each independently connected to the CPU via a PCIe connection. A table that shows port numbering can be found below.

Vault Model	Port 6	Port 5	Port 4	Port 3	Port 2	Port 1
FW1x	-	-	OPT2	OPT1	LAN	WAN
FW2x	-	-	-	-	LAN	WAN
FW4x	-	-	OPT2	OPT1	LAN	WAN
FW6x	OPT4	OPT3	OPT2	OPT1	LAN	WAN
FreeBSD (pfSense) Labeling (in software)	em5	em4	em3	em2	em1	em0
Windows 10 (in software)	Ethernet 5	Ethernet 4	Ethernet 3	Ethernet 2	Ethernet	Ethernet 1

Data Sheets

The FW2B data sheet can be found at this link. The FW4B data sheet can be found at this link. If you have any questions, feel to reach out to us at support@protectli.com, or find more information in our Knowledge Base.

BIOS Versions for the Vault

phil June 19, 2018

Note: The FW2B and the FW4B had an issue such that they would not work with HDMI displays with a resolution of 1440p (2560×1440). That issue has been resolved using the latest BIOS, version BSW4L009. See the table below to download the latest versions.

Note: Intel has recently announced a security vulnerability that is described at:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

The FW1, FW2, FW4A and FW6 Vaults may be affected by this vulnerability. The FW2B and FW4B are not affected. Protectli understands the urgency of this issue and we are working with our partners to generate BIOS updates to address the issue. We will post the updated BIOS and/or timelines for updated BIOS on this page shortly.

BIOS

BIOS is the abbreviation for Basic Input Output System. It is a small program that is stored on non-volatile memory that is used to initialize the system hardware during the boot process. BIOS is installed on every system when it ships, but occasionally there are upgrades to the BIOS to address various issues. This page has a table with all of the current versions of BIOS for the Vault. BIOS can be downloaded from this table by clicking on the “Download Link” entry and used to upgrade the BIOS on the Vault.

The currently installed BIOS version can be found on the main BIOS page, as seen in the example screenshot below (circled in red):

Vault BIOS ID

BIOS Main Tab

See this link for instructions on how to install BIOS on the Vault.

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2	2-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4A	4A190619	E38L4A12	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2B	2B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW4B	4B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW6A	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6B	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6C	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
RM8	R8191008	RM8 V1.2	Initial Released Version	October 8, 2019

Notes

Some older versions of the FW1 and FW2 Vaults do not have a COM port. These units are still compatible with the FW1 and FW2 BIOS listed above.

Some older versions of FW1 and FW2 Vaults do not automatically update the new Boot Order with version BTL4A012. If this occurs, follow the steps below to set the Boot Order:

Power off the unit
Reboot the unit and hit the DEL key to enter BIOS
Select the Boot Tab
Select “F3” to Load Optimized Defaults
Verify the proper Boot order of 1) UEFI mSATA 2) UEFI USB 3) Legacy mSATA 4) Legacy USB
Select “F4” to Save and Exit
Verify the system boots correctly

Previous Versions

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-181025	BTL4A010	Intel Spectre and Meltdown fixes	October 25, 2018
FW2	2-180706	BTL4A008	Intel Spectre and Meltdown fixes	July 6, 2018
FW4A	4A180804	E38L4A05 V1.03	Intel Spectre and Meltdown fixes, COM port fix	August 4, 2018
FW2B	2B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4B	4B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6A	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6B	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6C	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018

As always, if there are any questions, feel free to reach out to us at: support@protectli.com

How to perform a BIOS update

phil May 15, 2018

This article will explain how to create a bootable FreeDOS USB drive and prepare the drive with the appropriate BIOS update files for installation on a Protectli Vault. FreeDOS is a free DOS application that is compatible with Intel based computers, such as the Vault. The Vault uses FreeDOS to install BIOS updates to the Vault.

For creating a bootable USB with Windows, Protectli recommends a tool called Rufus. The home page for Rufus is https://rufus.akeo.ie. The Windows system requirements are listed on the Rufus homepage.

Create Bootable FreeDOS USB – Windows

Download the Rufus tool from the official page to a Windows computer
Verify an executable file with a name of rufus-2.17 or similar is downloaded (the version you download may have a higher version number than this example)
- Note that rufus is an executable and does not need to be installed.
Select the Rufus application that was downloaded and verify that the main menu pops up (example screenshot below)
Verify that “FreeDOS” is the default selection

Rufus Main Menu

Insert a USB drive into a USB port on the PC
Verify that Rufus recognizes the USB drive

Rufus Detects USB Drive

Select Start
Verify the warning appears and select Ok

Rufus Warning Message

Verify the FreeDOS is created on the USB, application status is “READY” and the green bar is complete

Rufus Ready Message

Download BIOS and Copy BIOS Folder to FreeDOS USB

*** Important ***

Note that the folder, file, and version names in this article are used as an example. The actual folder, file, and version names will vary depending on the model of Vault and the version of BIOS.

Download the BIOS folder to the Windows machine from the Protectli BIOS Version page at this link
The BIOS folder will be a compressed “zip” file. If compressed, uncompress the zip file
Go to “This PC” on the Windows machine and select the USB drive

Select USB Drive on This PC

Drag/copy the BIOS folder to the USB drive
If prompted, check the box to copy all current items to the USB Drive

Copy Prompt

Verify folder copied to the USB Drive

BIOS Folder in USB Drive

Safely remove the USB drive from the Windows computer

BIOS update on the Vault

Note: Freedos will not boot in UEFI BIOS. To successfully complete this procedure make sure the BIOS is set to Legacy. We have a guide covering this here. Using the same steps but switch to “Legacy Only”.

Insert the USB drive into the Vault
Hit the “F11” key repeatedly during boot
Verify the Vault boots to the boot selection menu
Select the USB and verify the Vault boots to the DOS prompt
Type “dir” to see the contents of the USB drive
In this example the folder “4A171114” should appear
Type “cd 4A171114” to change directory to the BIOS folder
Type “update.bat”
Verify that the BIOS installation completes

Verify BIOS ID on the Vault

Reboot the Vault
Hit the “DEL” key repeatedly during boot
Verify the Vault boots to the main BIOS window
Verify the BIOS ID is the correct version

BIOS ID

At this point the new BIOS should be installed. However, if there are any issues, please check our Knowledge Base or submit a ticket.

Hardware

Overview

Install the WiFi Kit

HP 495848-003 with Atheros AR5BHB92-H, pfSense® CE

pfSense® CE Configuration for WiFi Access Point

Overview

Enable Interfaces

Configure Gateways

Configure Gateway Groups

Configure LAN Firewall

Verify Gateway Status

Verify 4G LTE Failover

4G LTE Service Overview

4G LTE Service Configuration

4G LTE Service Specifications

4G LTE Service Documents

Overview

Example Setup

Prerequisites

Setting Up the PXE Server

Overview

Basic Performance

IPsec

Configuring IPsec

IPsec Performance

Conclusions on IPSec Performance

UEFI Overview

Changing BIOS mode to UEFI

Overview

Splash Screen File

Verify the Desired Splash Screen File

Convert the Desired Splash Screen File

Download the BIOS

Download the BIOS Logo Tool

Use the BIOS Logo Tool to Change the Splash Screen

Create Bootable USB Drive and Install New BIOS

Overview

CPU

Memory

mSATA

WiFi

Port Connectivity

Data Sheets

BIOS

Notes

Previous Versions

Create Bootable FreeDOS USB – Windows

Download BIOS and Copy BIOS Folder to FreeDOS USB

BIOS update on the Vault

Verify BIOS ID on the Vault

Added to Cart