Hardware

Protectli Products

How to Configure pfSense® CE for 4G LTE Failover

phil October 16, 2019

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
Connect the WAN and LAN ports to the devices or ports that they are normally connected to
Connect the OPT1 port to the LAN port of the 4G LTE modem
Browse to the pfSense ® CE GUI and login
Select Interfaces->Interface Assignments
Add OPT1 and select the default Network port (em2 or igb2)
Select “OPT1” to configure the port
Select General Configuration->Enable->Enable interface check box
Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select Status->Dashboard and verify that the Dashboard is displayed
Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

Select System->Routing->Gateways
Verify WAN_DHCP is displayed
Select Edit Icon
Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select System->Routing->Gateways
Select ADD button
Add OPT1 Interface
Verify the Name is OPT1_DHCP
Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

Select System->Routing->Gateway Groups
Select ADD button
Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
Set Edit Gateway Group Entry->Description if desired

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

Select Firewall->Rules->LAN
Select Edit for “Default allow LAN to any rule”
Select ADVANCED button
Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

Select Status->Gateways
Verify WAN_DHCP and OPT1_DHCP Gateways are online

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
Select Dashboard and monitor the Traffic Graphs
Verify the WAN and LAN ports have similar high levels of traffic
Disconnect the WAN port from the Vault
Verify the video continues to play
Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
Reconnect the WAN port to the Vault
Verify the video continues to play
Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com.

How to Use 4G LTE Service with the Vault

phil October 9, 2019

4G LTE Service Overview

4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. 4G LTE Service can be used with the Vault as a backup/failover Internet connection in the event the primary WAN service is down or as the primary WAN interface when a wired Internet connection is unavailable . For any business or operation, a 4G LTE failover solution ensures that Internet connectivity is preserved and eliminates potential loss of sales and loss of productivity. Maintaining a constant Internet connection is particularly crucial these days as so many applications and business functions are in the “cloud” and only accessible via the Internet.

4G LTE Service options are extremely cost effective compared to the loss of business and/or productivity. Baseline pricing is $29.99 per month for 1 Giga Byte (GB) of data or $34.99 per month for 1 GB with a public Static IP address. Additional usage is only $1 per 100 MB for either subscription plan. Protectli 4G LTE Products and Services can be found at this link.

In addition to backup/failover, there are numerous applications that are ideal for a standalone cellular connection. Examples are:

Temporary or short term connections for construction sites, sporting events, concerts, etc.
Permanent retail kiosks that are not close to a wired connection
Remote sensor monitoring
Remote vehicle and storage areas
Many others ……

4G LTE Service Configuration

As noted above, the 4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. The modem and subscription plan are ordered together from Protectli. Protectli will insert a SIM card for the subscription plan and test connectivity to the cellular service. When the modem arrives it is fully functional and no configuration is required on the modem itself. It is required to attach the antennas to the “Main” and “Aux” connectors of the modem to get a good signal. Simply connect the LAN port of modem to one of the Vault’s Ethernet ports using the supplied Ethernet cable. There may need to be configuration of the Vault, depending on the installed operating system (OS). See the Protectli Knowledge Base at this link for articles that are specific to 4G LTE and particular OS.

4G LTE Service Specifications

4G LTE Category 4
Max download data rate up to 150 Mbits/second
Max upload data rate up to 50 Mbits/second
3G Failover
Band 2 (1900 MHz), Band 4 (1700/2100 MHz), Band 5 (850 MHz), Band 17 (700 MHz)

4G LTE Service Documents

Data Sheet, see this link
User Manual, see this link

How to Configure a PXE Server on CentOS 7 with pfSense® CE

Luke Green July 24, 2019

Overview

PXE (Preboot Execution Environment), allows for remote clients to boot from a network hosted image. In this article we will be setting up a PXE server on CentOS 7 with a pfSense® router in place. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot which has PXE capabilities.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will be configuring a CentOS 7 server for hosting PXE files along side pfSense® running the DHCP server to allow for network boot and install of CentOS 7 on a FW2B flashed with coreboot.

FW6C – Hosting a virtual machine of CentOS 7
FW4B – Running pfSense®
FW2B – coreboot flashed for PXE

Prerequisites

For this guide we will assume the following are in place:

PXE enabled client
CentOS 7 Server
pfSense® router with DHCP enabled

Setting Up the PXE Server

Log into the CentOS 7 server
Verify all the packages are updated using the following command

#yum update -y

Install the required packages using the following command

#yum install syslinux xinetd tftp-server vsftpd wget -y

Edit the TFTP configuration file with the vi command

#vi /etc/xinetd.d/tftp

Change disable from yes to no.
Tips for vi editing: Press ‘Insert’ on the keyboard to edit the file, ‘Esc’ to exit edit mode, and type “:wq” to write and close the file.

Change directory to syslinux and copy the necessary files to the TFTP

#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot

Make and change to the tmp directory.
Download a CentOS 7 image. The following address is for a minimal image, but you may find your own mirror and version

#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso

While in tmp mount the downloaded image and copy the files to the FTP directory

#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/

Make a directory for the image files and copy them over

#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7

Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img

#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7

Create a PXE configuration file that points to the correct files

#mkdir /var/lib/tftpboot/pxelinux.cfg

Make note of the IP address for the next steps. Use the following command to show IP address

#ip a

Open the PXE configuration file with the vi editor

#vi /var/lib/tftpboot/pxelinux.cfg/default

Add the following lines to this new configuration file. Screenshot below is an example of what it should look like.

default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7

use ‘:wq’ to save and exit the editor

Enable and start the TFTP and FTP services

#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable tftp.service
#systemctl start tftp.service

Add firewall rules for the TFTP and FTP servers

#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload

Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab

Scroll down to “Other Options” and fill in the TFTP server IP address
Verify the “Enables network booting” box is ticked
Enter the IP address of the Next Server (same as TFTP)
For “Default BIOS file name” enter pxelinux.0

Click Save

At this point you can boot up the PXE client and verify that it lists the image and network installation functions. If you experience any issues, please feel free to reach out to us at: support@protectli.com

How to configure UEFI on the Vault

Luke Green May 16, 2019

UEFI Overview

UEFI is an acronym for Unified Extensible Firmware Interface. It is a specification that defines a new model for the interface between operating systems (OS) and platform firmware. It is a replacement for legacy BIOS. More information may be found on the UEFI Forum website at: https://uefi.org/

Recent updates to some OS software have introduced incompatibility between the default installation of the OS with some of the Vault hardware platforms. Setting the BIOS mode on the Vault to UEFI eliminates some of these issues. The article below will detail how to set the BIOS mode to UEFI.

Changing BIOS mode to UEFI

Verify that the Vault is powered down
Verify that the monitor is connected
Verify that the USB keyboard is connected
While powering up the Vault, press “DEL” key
Verify that the system boots into the BIOS

Select the “Advanced” tab

Select “CSM Configuration”

Select “Boot option filter”

Verify the Boot option filter menu is displayed
Select “UEFI only”
Press Return(Enter)
Press “F4” to save and exit the BIOS
Power off the Vault

At this point UEFI mode is enabled. See the specific installation guide for the desired OS.

If you experience any issues, please feel free to reach out to: support@protectli.com.

coreboot on the Vault

phil April 16, 2019

coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.

coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:

Fast Boot – Minimal image, removes legacy bloat
Open Source – The source code is available and can be built without any cost or license
Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
Support for modern HW and Intel CPUs

The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.

coreboot is available on the FW2B, FW4B and FW6 series Protectli platforms as an alternative to traditional BIOS.

Please see the compatibility table below for software which has been tested with coreboot for full functionality

coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for field installation.

Boot Menu

When coreboot is installed and the system boots, it will first attempt to boot from the internal mSATA. If there is no bootable OS on the mSATA, it will then attempt to boot from any USB that it discovers. If it is desired to boot from a USB rather than mSATA, the boot menu can be accessed by pressing the “F11” key when the splash screen is displayed then selecting the desired boot device. Note that with coreboot, there is no way to “get into” the BIOS to set individual parameters as there is with traditional BIOS.

Installation Instructions

Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.

Note: coreboot utilizes Legacy BIOS. If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive.

coreboot is installed using a program called ‘flashrom’ which is available for many linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 19.10 (see this link for guidance on installing Ubuntu on the Vault). It is important to use Ubuntu 19.10 because previous versions of Ubuntu used a previous version of flashrom that did not support the FW6. While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu 19.10 to upgrade your Vault to coreboot.

In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.

If not using Ubuntu on the Vault, remove the existing mSATA and replace it with the dedicated mSATA for the coreboot installation process
Install Ubuntu desktop version on the Vault to the dedicated mSATA per the link above (we recommend the “Minimal” version for this task)
Verify that Ubuntu desktop version is installed and reboot the system
Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
Open a terminal window in Ubuntu. (Applications->Terminal)
Verify the terminal opens and change directory to “Downloads” using the following command:

#cd Downloads

Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

Download the appropriate SHA256 checksum file per the table below
Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:

#unzip filename.rom.zip
#unzip filename.rom.sha256.zip

Run the SHA256 program on the filename.rom file using the following command:

#sha256sum filename.rom

Verify the SHA256 output is the same as the contents of the filename.rom.sha file using the following command:

#cat filename.rom.sha

Verify the “flashrom” program is present in Ubuntu using the following command:

#which flashrom

If flashrom is not present, get it from the network and install it in Ubuntu using the following command:

#sudo apt install flashrom

Verify flashrom is installed on the system

Flash the coreboot image to the system.

Note: The flashrom command arguments are different for the FW6 series than the FW2B and FW4B series. You must use the correct command for the specific unit. Using the incorrect command could render the unit useless and unable to boot.

flashrom command for FW2B, FW4B:

 #sudo flashrom -p internal -w filename.rom -V -o output-file

where -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

flashrom command for FW6:

 #sudo flashrom -p internal -w filename.rom --ifd -i bios -V -o output-file

where “–ifd -i bios” is required for the FW6, -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

Reboot the system
Verify the system boots and displays the coreboot version string on the screen, then the splash screen
Verify the system boots up to Ubuntu desktop
If not using Ubuntu as the OS, power off the system and replace the dedicated Ubuntu mSATA with the mSATA for the desired OS
Reboot the system and verify that it boots to the desired OS

At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.

Flash from Coreboot to Original(AMI) BIOS

In case you would like to go to back the OEM BIOS, the steps are relatively straightforward. Following the same procedure as flashing Coreboot. Be sure to use the correct BIOS for your Vault.

Using the same Ubuntu install as the instructions above;

Verify the correct BIOS is downloaded from here
Unzip the BIOS in the Downloads folder
Open Terminal and change directory to BIOS folder. Examples below.

For the FW4B

#cd Downloads/4B180727

For the FW2B

#cd Downloads/2B180727

For the FW6

#cd Downloads/6-190708

Run the flashrom command, using ‘filename.bin’ for legacy BIOS, instead of ‘filename.rom’ for coreboot

FW4B BIOS file example:

 #sudo flashrom -p internal -w YLBWL412.bin -V -o output-file

FW2B BIOS file example:

 #sudo flashrom -p internal -w YLBWL212.bin -V -o output-file

FW6 BIOS file example: (Note additional command line arguments)

 #sudo flashrom -p internal -w KBU6LA09.bin --ifd -i bios -V -o output-file

After the flash is complete the terminal should output a “VERIFIED” message.
Reboot and verify the legacy BIOS is loaded

coreboot File Table

Vault	coreboot .rom file	SHA256 file
FW2B	fw2b_v4.9.0.1.rom	fw2b_v4.9.0.1.rom.sha
FW4B	fw4b_v4.9.0.1.rom	fw4b_v4.9.0.1.rom.sha
FW6	fw6_v4.9.0.1.rom	fw6_v4.9.0.1.rom.sha

coreboot Compatibility

Vault	pfSense 2.4.3	pfSense 2.4.4	FreeBSD 11.2	OPNsense 19.7	Untangle 14.2.2	Ubuntu 18.04.3	Ubuntu 19.10	ESXi 6.7	Windows 10
FW2B	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW4B	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW6A	Verified	Verified	Verified	Verified	Verified	Verified	Verified		Verified - Use MBR partition scheme
FW6B	Verified	Verified	Verified	Verified	Verified	Verified	Verified		Verified - Use MBR partition scheme
FW6C	Verified	Verified	Verified	Verified	Verified	Verified	Verified		Verified - Use MBR partition scheme

How to Customize the Boot Splash Screen

phil September 11, 2018

Overview

The “Splash Screen” is the graphical image or logo that is briefly displayed at boot up of the system. The splash screen for the Vault can be customized to enhance the brand awareness of the product and/or solution. Protectli provides a Windows tool that can be used to change the BIOS and customize the splash screen.

Splash Screen File

The splash screen file is a “bitmap” file with an extension of “.bmp” in Windows. The bitmap file used for the splash screen must have maximum dimensions of 800 x 600 and be less than 1.4 MB. If there is already a logo file in “.jpg” or “.png” format, that file can be converted to a bitmap file using the Windows Paint program or other tools.

Verify the Desired Splash Screen File

On Windows, right click the desired file
Select Properties
Verify “Type of File” is BMP file
Select the Details tab
Verify the Dimensions are 800 x 600 or less
Verify the Size is 1.4 MB or less

Convert the Desired Splash Screen File

If the desired file is in JPG or PNG format, it can be converted to Bitmap using the Windows Paint program. This procedure is only necessary if the desired file is not already in Bitmap format.

On Windows, right click the desired file
Select Edit
Verify the Paint program starts and the graphical image is displayed
Select File->Save As->Save as type:
Verify the dropdown menu that contains these bitmap options is displayed
- Monochrome Bitmap
- 16 Color Bitmap
- 24 Color Bitmap
- 24-bit Bitmap
Select the desired bitmap format
Note that the formats listed in the dropdown are in increasing order of quality and increasing order of size
Select Save
Right click on the newly created bitmap and verify that it is less than 1.4 MB
If greater than 1.4 MB, repeat this procedure with a lesser quality bitmap format

Download the BIOS

The BIOS folder for each specific model of the Vault is available at this link. Be very sure when downloading and installing the BIOS that it is the correct BIOS for the specific Vault. Installing incorrect BIOS may result in an inoperable system.

Download the BIOS zip file for the model of the Vault from the link above
Verify the BIOS zip file is downloaded
Unzip the file and verify the BIOS folder is downloaded

Download the BIOS Logo Tool

There are two BIOS logo tools. One is for the FW1, FW2, and FW4 models of the Vault. The other is for the FW6 models of the Vault. The FW1, FW2, and FW4 tool is at this link. The FW6 tool is at this link.

Download the BIOS logo tool zip file for the model of the Vault from the link above
Verify the proper BIOS logo tool zip file is downloaded
Unzip the BIOS logo tool

Use the BIOS Logo Tool to Change the Splash Screen

Double click on the BIOS Logo executable file
Verify the “Change Logo” application appears on the screen

Change Logo Application

Select the “Load Image” button

Load Image Button

Verify navigator window is displayed

Navigator Window

Verify/Select “Files of type:” All Files
Navigate to the BIOS folder
Select the .bin file
Select “Open”

.bin File

Verify the .bin file is displayed in the proper folder in the “Aptio Image” Box

Aptio Image Box

Select Browse Button

Browse to find Bitmap File

Verify the navigator window is displayed
Select files of type “BMP Files (*bmp)
Navigate to the desired bitmap file
Select the .bmp file
Select Open
Verify the desired bitmap file is displayed in the “Select BMP file” box

Select BMP File

Select the Replace Logo button

Replace Logo

Verify the “Save Image As” button is now not grayed out

Save Image As Button

Select the “Save Image As” button
Verify the navigator window is displayed
Navigate to the BIOS folder, this is where the new BIOS file will be placed
Manually enter the name of the original .bin file, note that it must be exactly the same name

BIN File

Select Save button
Verify the Success message is displayed in the lower left of the tool

Success Message

Create Bootable USB Drive and Install New BIOS

Now that the new bitmap file has been created, the BIOS folder must be transferred to a USB drive and then used to update the BIOS on the Vault. Follow the instructions at this link to create a bootable USB drive, transfer the new BIOS folder to the USB drive, and install the new BIOS on the Vault.

Verify the splash screen has the new logo or image during initial boot
Verify the system boots

At this point, the new splash screen should be installed on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com.

Verify Intel Spectre and Meltdown Vulnerabilities

phil August 9, 2018

Overview

There are known security vulnerabilities with Intel processors that are named “Spectre” and “Meltdown”. These vulnerabilities are documented at this link. There is a Windows based tool that can analyze the the system to determine if it is vulnerable to Spectre or Meltdown. This document describes how to use that tool to assess the vulnerability of the Vault. Information regarding specific BIOS updates to the different Vault platforms can be found from links on the product pages.

On a Windows computer,

Browse to InSpectre homepage at https://www.grc.com/inspectre.htm
Scroll down to Download Button and download InSpectre application from this link.
Verify that the file/application “InSpectre.exe” is downloaded to the Windows computer
Run InSpectre (double-click) and verify the application pops up

InSpectre & Meltdown Vulnerability Status – Not Protected

Verify that both Meltdown and Spectre vulnerabilites are protected.

If not, update the Vault to the appropriate BIOS that addresses the vulnerabilities. See the latest BIOS at this link.

Update BIOS on the Vault
Rerun the InSpectre application
Verify vulnerabilities are protected

InSpectre & Meltdown Vulnerability Status – Protected

At this point the Vault should be protected from the Spectre and Meltdown vulnerabilities. However, if there are any issues, feel free to reach out to us at:

support@protectli.com

FW2B FW4B Series Hardware Overview

phil August 8, 2018

As with all Protectli Vault hardware, the FW2B and FW4B series need only RAM (memory) and mSATA (storage) added in order to have a fully functional hardware system. In addition, an optional WiFi module can be installed as well. For more information on HW compatibility, see this link.

The FW2B and FW4B series hardware are slightly different, but the chassis form factor, general board layout, and placement of components is largely the same. The FW2B and FW4B vary mainly in the type of CPU they have and the number of network ports. For a full comparison among different models, please see this page.

The annotated photo below shows the location of the various sockets. The FW2B is pictured. Note that the memory socket is underneath the mSATA and WiFi sockets.

CPU

The FW2B series uses an Intel J3060 processor and the FW4B series uses an Intel J3160 processor. Both of these CPUs have built in suport for Intel’s AES-NI hardware encryption.

Memory

There is a single SODIMM socket for memory. Additional information on compatible memory modules can be found in the Hardware Compatibility page. The maximum supported memory size is 8GB of DDR3L (1.35V).

mSATA

The FW2B, and FW4B series come with a single mSATA socket. This socket is capable of holding any logical size mSATA.

WiFi

The WiFi module socket is a PCIe form factor socket. The FW2B can accommodate a standard PCIe WiFi module. The FW4B while PCIe in form factor, operates over USB channel communication, limiting functionality as compared to pure PCIe modules. Protectli sells a compatible WiFi module that is available here. Instructions for installation of the WiFi module can be found here. The FW2B can also accommodate the Protectli PCIe/USB WiFi module.

Port Connectivity

The ‘Front’ of the FW4B Vault is pictured above. The FW2 is different, as it only has 2 network ports (WAN and LAN) but an additional 4 USB 2.0 ports.

Power should be supplied by the included power supply, which is rated for 12V at 3.3A.

The Power LED, which lights up green when power is applied, indicates that the Vault has power applied. It does not indicate the status for the operating system

The Drive Activity LED will blink, according to mSATA drive activity. Usually, the user will see the most activity as the unit is booting, or if the unit is under heavy load. For most operating systems, this indicator will not be on and only blink occasionally under most conditions.

The Network ports are each independenly connected to the CPU via a PCIe connection. A table that shows port numbering can be found below.

Vault Model	Port 6	Port 5	Port 4	Port 3	Port 2	Port 1
FW1x	-	-	OPT2	OPT1	LAN	WAN
FW2x	-	-	-	-	LAN	WAN
FW4x	-	-	OPT2	OPT1	LAN	WAN
FW6x	OPT4	OPT3	OPT2	OPT1	LAN	WAN
FreeBSD (pfSense) Labeling (in software)	em5	em4	em3	em2	em1	em0
Windows 10 (in software)	Ethernet 5	Ethernet 4	Ethernet 3	Ethernet 2	Ethernet	Ethernet 1

Data Sheets

The FW2B data sheet can be found at this link. The FW4B data sheet can be found at this link.

BIOS Versions for the Vault

phil June 19, 2018

Note: The FW2B and the FW4B had an issue such that they would not work with HDMI displays with a resolution of 1440p (2560×1440). That issue has been resolved using the latest BIOS, version BSW4L009. See the table below to download the latest versions.

Note: Intel has recently announced a security vulnerability that is described at:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

The FW1, FW2, FW4A and FW6 Vaults may be affected by this vulnerability. The FW2B and FW4B are not affected. Protectli understands the urgency of this issue and we are working with our partners to generate BIOS updates to address the issue. We will post the updated BIOS and/or timelines for updated BIOS on this page shortly.

BIOS

BIOS is the abbreviation for Basic Input Output System. It is a small program that is stored on non-volatile memory that is used to initialize the system hardware during the boot process. BIOS is installed on every system when it ships, but occasionally there are upgrades to the BIOS to address various issues. This page has a table with all of the current versions of BIOS for the Vault. BIOS can be downloaded from this table by clicking on the “Download Link” entry and used to upgrade the BIOS on the Vault.

The currently installed BIOS version can be found on the main BIOS page, as seen in the example screenshot below (circled in red):

BIOS Main Tab

See this link for instructions on how to install BIOS on the Vault.

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2	2-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4A	4A190619	E38L4A12	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2B	2B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW4B	4B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW6A	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6B	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6C	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
RM8	R8191008	RM8 V1.2	Initial Released Version	October 8, 2019

Notes

Some older versions of the FW1 and FW2 Vaults do not have a COM port. These units are still compatible with the FW1 and FW2 BIOS listed above.

Some older versions of FW1 and FW2 Vaults do not automatically update the new Boot Order with version BTL4A012. If this occurs, follow the steps below to set the Boot Order:

Power off the unit
Reboot the unit and hit the DEL key to enter BIOS
Select the Boot Tab
Select “F3” to Load Optimized Defaults
Verify the proper Boot order of 1) UEFI mSATA 2) UEFI USB 3) Legacy mSATA 4) Legacy USB
Select “F4” to Save and Exit
Verify the system boots correctly

Previous Versions

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-181025	BTL4A010	Intel Spectre and Meltdown fixes	October 25, 2018
FW2	2-180706	BTL4A008	Intel Spectre and Meltdown fixes	July 6, 2018
FW4A	4A180804	E38L4A05 V1.03	Intel Spectre and Meltdown fixes, COM port fix	August 4, 2018
FW2B	2B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4B	4B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6A	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6B	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6C	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018

As always, if there are any questions, feel free to reach out to us at:

support@protectli.com

How to perform a BIOS update

phil May 15, 2018

This article will explain how to create a bootable FreeDOS USB drive and prepare the drive with the appropriate BIOS update files for installation on a Protectli Vault. FreeDOS is a free DOS application that is compatible with Intel based computers, such as the Vault. The Vault uses FreeDOS to install BIOS updates to the Vault.

For creating a bootable USB with Windows, Protectli recommends a tool called Rufus. The home page for Rufus is https://rufus.akeo.ie. The Windows system requirements are listed on the Rufus homepage.

Create Bootable FreeDOS USB – Windows

Download the Rufus tool from the home page to a Windows computer
Verify an executable file with a name of rufus-2.17 or similar is downloaded (the version you download may have a higher version number than this example)
- Note that rufus is an executable and does not need to be installed.
Select the Rufus application that was downloaded and verify that the main menu pops up (example screenshot below)
Verify that “FreeDOS” is the default selection

Rufus Main Menu

Insert a USB drive into a USB port on the PC
Verify that Rufus recognizes the USB drive

Rufus Detects USB Drive

Select Start
Verify the warning appears and select Ok

Rufus Warning Message

Verify the FreeDOS is created on the USB, application status is “READY” and the green bar is complete

Rufus Ready Message

Download BIOS and Copy BIOS Folder to FreeDOS USB

*** Important ***

Note that the folder, file, and version names in this article are used as an example. The actual folder, file, and version names will vary depending on the model of Vault and the version of BIOS.

Download the BIOS folder to the Windows machine from the Protectli BIOS Version page at this link
The BIOS folder will be a compressed “zip” file. If compressed, uncompress the zip file
Go to “This PC” on the Windows machine and select the USB drive

Select USB Drive on This PC

Drag/copy the BIOS folder to the USB drive
If prompted, check the box to copy all current items to the USB Drive

Copy Prompt

Verify folder copied to the USB Drive

BIOS Folder in USB Drive

Safely remove the USB drive from the Windows computer

Update BIOS on the Vault

Note: Freedos will not boot in UEFI BIOS. To successfully complete this procedure make sure the BIOS is set to Legacy. We have a guide covering this here. Using the same steps but switch to “Legacy Only”.

Insert the USB drive into the Vault
Hit the “F11” key repeatedly during boot
Verify the Vault boots to the boot selection menu
Select the USB and verify the Vault boots to the DOS prompt
Type “dir” to see the contents of the USB drive
In this example the folder “4A171114” should appear
Type “cd 4A171114” to change directory to the BIOS folder
Type “update.bat”
Verify that the BIOS installation completes

Verify BIOS ID on the Vault

Reboot the Vault
Hit the “DEL” key repeatedly during boot
Verify the Vault boots to the main BIOS window
Verify the BIOS ID is the correct version

BIOS ID

At this point the new BIOS should be installed. However, if there are any issues, feel free to reach out to us at:

support@protectli.com

Hardware

Overview

Enable Interfaces

Configure Gateways

Configure Gateway Groups

Configure LAN Firewall

Verify Gateway Status

Verify 4G LTE Failover

4G LTE Service Overview

4G LTE Service Configuration

4G LTE Service Specifications

4G LTE Service Documents

Overview

Example Setup

Prerequisites

Setting Up the PXE Server

UEFI Overview

Changing BIOS mode to UEFI

Boot Menu

Installation Instructions

Flash from Coreboot to Original(AMI) BIOS

coreboot File Table

coreboot Compatibility

Overview

Splash Screen File

Verify the Desired Splash Screen File

Convert the Desired Splash Screen File

Download the BIOS

Download the BIOS Logo Tool

Use the BIOS Logo Tool to Change the Splash Screen

Create Bootable USB Drive and Install New BIOS

Overview

CPU

Memory

mSATA

WiFi

Port Connectivity

Data Sheets

BIOS

Notes

Previous Versions

Create Bootable FreeDOS USB – Windows

Download BIOS and Copy BIOS Folder to FreeDOS USB

Update BIOS on the Vault

Verify BIOS ID on the Vault

Added to Cart