Software

Software that runs on Protectli Hardware

pfSense®CE Configuration Recommendations

phil May 7, 2020

pfSense® CE Configuration Recommendations

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. An article covering installation can be found at this link. This article offers some basic recommendations to configure pfSense® CE on the Vault. Some of these recommendations had been in other articles, but for ease of use, we are consolidating them here in one article. This article includes the following areas of interest:

Thermal Monitoring
Enable Cryptographic Hardware assist with AES-NI and BDS
Power Management with PowerD
Enable Optional (OPT) ports

At the bottom of this article, there is a table with downloadable configuration files for each of the Vaults that include the settings described below.

Thermal Monitoring

The Vault has a solid state, fanless design. The case is designed to dissipate the heat generated by the unit. Although the case may be warm to the touch, it most likely indicates that the system is functioning correctly. However, Thermal Monitoring can be used to verify the Vault is operating under normal thermal conditions. Intel based CPUs have built in thermal monitoring and pfSense® CE can access it to display temperatures on the dashboard. The following article will describe how to enable and monitor the thermal sensors.

Enable Thermal Monitoring

Enabling Thermal Monitoring is done through the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Select “System –> Advanced” and click on the “Miscellaneous” tab

pfsense system advanced System->Advanced

Scroll down to “Cryptographic & Thermal Hardware”
Click on “Thermal Sensors.”
From the drop down, choose “Intel Core* CPU…”

System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

Click “Save” button at the bottom of the page
Verify success message is displayed at the top of the page
Thermal monitoring of the CPUs is now enabled

Display Thermal Sensors on the Dashboard

The preceding steps enabled thermal monitoring. The following steps will show how to display thermal monitoring on the dashboard.

Select the Dashboard
Click the “+” icon in the upper right corner
Verify the “Available Widgets” box appears
Click the “+” next to Thermal Sensors

pfsense thermal sensors Dashboard->Available Widgets

Verify the Thermal Sensors box is displayed at the bottom of the dashboard

Dashboard with Thermal Monitoring, Idle

The screenshot above shows an example of the FW4B that is essentially idle for over 40 minutes. Note that the core temperatures range from 51 to 53 degrees C. This is well within normal range.

Dashboard with Thermal Monitoring, Iperf 40 Minutes

The screenshot above shows an example of the same FW4B that is running an iperf test at linerate for over 40 minutes. Note that the CPU usage has increased from 3% to 30% and core temperatures range from 55 to 58 degrees C. Although this may seem high, and the case may be warm to the touch, it indicates that the case is functioning correctly and dissipating the heat. The Intel TJmax core temperatures from ark.intel.com for each of the processors is displayed in the table below.

Platform	CPU	TJmax
FW1	J1900	105 C
FW2	J1800	105 C
FW2B	J3060	90 C
FW4A	E3845	110 C
FW4B	J3160	90 C
FW6A	3865U	100 C
FW6B	7100U	100 C
FW6C	7200U	100 C

Cryptographic Hardware Support (AES-NI and BDS)

The FW2B, FW4A, FW4B and FW6 series of the vault have cryptographic hardware support built into the CPU. Cryptographic Hardware support is critical for the performance of VPNs and other features that encrypt and decrypt packets as they traverse the unit. By default, it is not enabled in pfSense® CE.

Enable Cryptographic Hardware Support

Enabling Cryptographic Hardware Support is done through the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Select “System –> Advanced” and click on the “Miscellaneous” tab

pfsense system advanced System->Advanced

Scroll down to “Cryptographic & Thermal Hardware”
Click on “Cryptographic Hardware.”
From the drop down, choose “Intel Core* CPU…”

System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

Click “Save” button at the bottom of the page
Verify success message is displayed at the top of the page

At this point cryptographic hardware support should be enabled.

Power Management with PowerD

All of the Vault series use Intel CPUs that have Power Management features that allow the selection of power management modes. The power management modes trade performance vs. power by adjusting the frequency based on system load. PowerD is a power control utility built into pfSense® CE, which is inherited from the underlying FreeBSD operating system. In this section, we will enable PowerD and select the optimum performance vs. power settings.

Enable PowerD

In this example we will enable PowerD within the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Navigate to the System tab and select Advanced from the drop down menu

pfSense System Advanced - enable PowerD

pfSense® CE Dashboard

Verify the Advanced page is displayed
Select the Miscellaneous tab
Verify the Miscellaneous page is displayed
Scroll down to the section labeled Power Savings
To enable PowerD, check the box next to Enable PowerD
Verify Hiadaptive is selected for the power modes as shown in the image below

pfSense advanced Misc

PowerD Settings

Scroll down to the bottom of the page and click Save
Verify a message stating “The changes have been applied successfully” is displayed at the top of the page.

At this point, PowerD should be enabled for optimum power management.

Configuring Optional Ports

This article covers how to configure the Optional Ports in pfSense® CE. The Optional Ports are labeled “OPTx” on the Vault. The configuration has the same type of default settings as the LAN port. Those settings include:

An IP Address of 192.168.x.1
- OPT1 192.168.2.1
- OPT2 192.168.3.1
- OPT3 192.168.4.1 (FW6 only)
- OPT4 192.168.5.1 (FW6 only)
Enabling the OPT port to be a DHCP Server
Firewall rules to allow “Any” traffic originating on this port to pass without being blocked

Configuring Optional Ports – IP Address

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Navigate to the Interfaces tab and select Assignments from the drop down menu

Interface->Assignments

Verify the Interface Assignments page is displayed and add the next available interface

Interfaces->Interface Assignments

Verify OPT1 is added and Select Save

Interface->Interface Assignments OPT1

Select OPT1

Interfaces->Interface Assignments->OPT1 Select

Verify the OPT1 General Configuration page is displayed and configure as follows:

General Configuration->Enable – Check the box
General Configuration->IPv4 Configuration Type – Select Static IPv4
Static IPv4 Configuration>IPv4 Address – Set 192.168.2.1 /24
Select the Save Button

Interfaces->OPT1 Configure

Verify the OPT1 Configuration has been changed and Apply Changes

Interfaces->OPT1 ApplyChanges

Verify changes have been applied successfully

Interfaces->OPT1 Success

Configuring Optional Ports – DHCP Server

Navigate to the Services tab and select DHCP Server from the drop down menu

Services->DHCP Server

Verify the Services->DHCP Server page is displayed and Select OPT1

Services->DHCP Server Select OPT1

Verify Services->DHCP Server->OPT1 page is displayed and configure as follows:

General Configuration->Enable – Check the box
General Configuration->Range – 192.168.2.100 to 192.168.2.199

Services->DHCP Server Configure OPT1

Select the Save button and verify the changes have been applied successfully

Services->DHCP Server OPT1 Success

Configuring Optional Ports – Firewall Rules

Navigate to the Firewall tab and select Rules from the drop down menu

Select Firewall->Rules

Verify the Firewall Rules page is displayed and Select OPT1

Firewall->Rules Select OPT1

Verify Firewall OPT1 page is displayed and select the Add Button

Firewall->Rules OPT1 Add Rule

Verify Firewall->Rules->Edit for OPT1 page is displayed and configure as follows:

Edit Firewall Rule->Action- Pass
Edit Firewall Rule->Interface- OPT1
Edit Firewall Rule->Address Family – IPv4
Edit Firewall Rule->Protocol – Any
Save the changes

Firewall>Rules Configure OPT1

Verify the configuration and Apply the changes

Firewall->Rules->OPT1 Apply Changes

Verify success message

Firewall->Rules->OPT1 Success

OPT1 has now been configured with static IP address 192.168.2.1, it is a DHCP server, and any traffic coming into this port is allowed to pass.

Configuring Optional Ports – Verify Configuration

OPT1 has been configured so it needs to be tested to verify the configuration changes are correct. Follow the instructions below to test the changes:

Connect a PC to OPT1
Verify the PC gets an IP address in the range of 192.168.2.100-199
From the PC, browse to a site outside of the local network
Verify an external web page is displayed correctly on the PC

At this point OPT1 is up and running. To configure OPT2 repeat the same steps as OPT1, but use IP address 192.168.3.1. For an FW6 with OPT3 and OPT4, repeat the same steps using IP addresses 192.168.4.1 and 192.168.5.1.

Configuration Files

The steps above were described to manually configure the Vault as indicated. It is important to understand the steps required, however, it is very convenient to load a configuration file rather than manually configure each item.

We have included configuration files in the table at the bottom of the page. These configuration files have

Thermal Monitoring Enabled
Cryptographic Hardware Support Enabled
Power Management Enabled
OPT Ports Enabled with Static IP Address, DHCP Server, and Basic Firewall Rule

Note: These configuration files have the default admin password retained. The additional ports assigned use default firewall rules, same as what pfSense® configures for the LAN port.

How to Restore a Config File

Verify pfSense® has been installed correctly
Verify the correct configuration file has been downloaded from the table below and pfSense® will be able to access it
Log into the WebGUI. This is 192.168.1.1 by default.
The default pfSense® login user is ‘admin’ and password is ‘pfsense’
Click Diagnostics on the top of the GUI
From the drop-down menu click Backup & Restore

pfSense backup & restore — pfSense® Setup Wizard page

Click Choose File
Select the appropriate config, click open
Click Restore Configuration

pfSense backup & restore settings — pfSense® Backup & Restore page

Verify the Vault reboots
Log back into the WebGUI with the default credentials
Verify OPT1 and OPT2 (OPT3 /OPT4 additionally on the FW6x) now appear on the Interfaces widget

It is now recommended to change the default ‘admin’ password
Verify the newly assigned ports are functioning and DHCP is handing out IP addresses

If you experience any issues, please feel free to reach out: support@protectli.com. You can find additional information in our Knowledge Base, or reference pfsense.org directly.

Configuration Files

Model	pfSense® Version	Notes	Download	Release
FW1	2.4.5	Enabled: Thermal Monitoring PowerD OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW1-200506.xml	May 6, 2020
FW2	2.4.5	Enabled: Thermal Monitoring PowerD	config-pfSense.Basic-FW2-200506.xml	May 6, 2020
FW4A	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW4A-200506.xml	May 6, 2020
FW2B	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI	config-pfSense.Basic-FW2B-200506.xml	May 6, 2020
FW4B	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW4B-200506.xml	May 6, 2020
FW6(A,B,C)	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2, OPT3, OPT4 DHCP Default Firewall Rules	config-pfSense.Basic-FW6-200506.xml	May 6, 2020

How to Configure pfSense® CE for 4G LTE Failover

phil October 16, 2019

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
Connect the WAN and LAN ports to the devices or ports that they are normally connected to
Connect the OPT1 port to the LAN port of the 4G LTE modem
Browse to the pfSense ® CE GUI and login
Select Interfaces->Interface Assignments
Add OPT1 and select the default Network port (em2 or igb2)
Select “OPT1” to configure the port
Select General Configuration->Enable->Enable interface check box
Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem

pfSense OPT1 interface — Interfaces->OPT1

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select Status->Dashboard and verify that the Dashboard is displayed
Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

Select System->Routing->Gateways
Verify WAN_DHCP is displayed
Select Edit Icon
Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select System->Routing->Gateways
Select ADD button
Add OPT1 Interface
Verify the Name is OPT1_DHCP
Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up

pfSense routing gateways OPT1_DHCP — OPT1 Gateway

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

Select System->Routing->Gateway Groups
Select ADD button
Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
Set Edit Gateway Group Entry->Description if desired

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

Select Firewall->Rules->LAN
Select Edit for “Default allow LAN to any rule”
Select ADVANCED button
Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above

pfSense firewall rules — LAN Firewall Group

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

Select Status->Gateways
Verify WAN_DHCP and OPT1_DHCP Gateways are online

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
Select Dashboard and monitor the Traffic Graphs
Verify the WAN and LAN ports have similar high levels of traffic
Disconnect the WAN port from the Vault
Verify the video continues to play
Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
Reconnect the WAN port to the Vault
Verify the video continues to play
Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us: You can submit a ticket here, or find more information in our Knowledge Base.

How to Setup pfBlockerNG

Luke Green August 23, 2019

Overview

pfBlockerNG is a very powerful package for pfSense® which provide advertisement, malicious content blocking and geo-blocking.

Installing pfBlockerNG

Access the pfSense WebGUI (default 192.168.1.1)
Click on the System tab, then Package Manager

From the Package Manager menu select the Available Packages tab
Scroll down and find pfBlockerNG-devel and click Install

Verify pfBlockerNG is now installed by going to the Firewall drop down menu
Open the pfBlockerNG menu and start the wizard

At the Component Configuration page of the wizard select the WAN interface for inbound. For outbound typically LAN is used. CTRL+Click any additional interfaces you want included.
Leave the DNSBL default
Click Finish and allow pfBlocker to update
If you would like multiple LAN segments to be included in with DNSBL check the setting Permit Firewall Rules and select the interface (ctrl+click) you would like included.

pfSense DNSBL Configuration — DNSBL Configuration

By Default pfBlockerNG will setup basic advertisement and IP blocking from defaults feeds
We recommend also including the DNSBL feed from BBcan177(creator of pfBlockerNG) as well as the Cryptojackers feed

Add by clicking the + next to the feed name
In the feed configuration click Enable All and change Action to Unbound
Click Save DNSBL Setting

pfBlockerNG DNSBL settings — Feed Configuration

Repeat this process for any other feeds you would like to add

pfBlockerNG DNSBL settings continued — Cryptojackers Feed

Once the feeds are added, it is important to reload and update

Now browse a few websites and then check the pfSense dashboard to verify the pfBlockerNG widget is showing data

You might come across false positives possibly breaking certain sites. The solution is adding addresses to a Whitelist

To add an item to the whitelist access the pfBlockerNG Reports either by clicking on one of the packet stats (arrow below) or through the pfBlocker menu

pfBlocker also has built in GeoIP blocking. This allows you control over geographic regions connecting to your network. You can find this in the pfBlockerNG menu under IP>GeoIP. Careful blocking too much, websites host content and media on servers around the world. Unintentionally blocking some of these IP addresses could result in broken sites or unavailable downloads.

pfBlockerNG GeoIP blocking — GeoIP Blocking

You should now have network wide advertisement and malicious content blocking. If you need additional assistance, please feel free to reach out: support@protectli.com. You can find more information about pfSense on the Vault in our Knowledge Base, or at pfSense.org

How to Enable LAN Bridge with pfSense®

Luke Green July 17, 2019

Overview

This article covers how to enable a LAN bridge in pfSense®. LAN bridges act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: If the port being used for the web interface is added to the bridge, then physical access to the unit will be necessary.

How to Create a LAN Bridge in pfSense®

In this example we will be assigning the LAN interface to a bridge utilizing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the webGUI. The default IP address: 192.168.1.1, username: admin, password: pfsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc) are assigned with default settings.
To assign simply click Add next to the port you wish to assign. Click Save.

pfSense LAN Bridge — pfSense® Interface Assignment Menu

To enable the each interface, click the on the interface label(OPT1,OPT2,etc) in the left column.
Click Enable, leave all other settings default. Save and Apply Changes

pfSense LAN Bridge OPT1 — pfSense® Interface Configuration Menu

In the Interfaces menu select the Bridges tab and click Add
Select OPT1 and OPT2 using Ctrl+Click. Don’t select the LAN interface. Click Save.

pfSense LAN Bridge OPT1 OPT2 — Bridge Configuration Menu

Navigate back to the Interface Assignments tab and change the LAN interface port to BRDIGE0
Note: At this point once the settings are saved the web interface connection will be lost. Swap the Ethernet connection to one of the optional ports(OPT1,OPT2) added into the bridge to regain access

pfSense LAN Bridge - interface assignments — Assigning BRIDGE0

Assign the port previously used as LAN to OPT3 and enable it as done in the steps earlier
Navigate back to the Bridges menu and add(Ctrl+Click) OPT3. Save
Navigate to System > Advanced > System Tunables
Select net.link.bridge.pfil_member and change its value to 0. Save
Select net.link.bridge.pfil_bridge and change its value to 1. Save

Click Apply Changes at the top

Reboot
Verify bridged ports are functioning

At this point you should have a functioning LAN bridge in pfSense®. If you need additional assistance, please feel free to reach out: support@protectli.com. You can find more information about pfSense on the Vault in our Knowledge Base, or at pfSense.org

How to Enable LAN Bridge with OPNsense

Luke Green July 12, 2019

Overview

This article covers how to enable a LAN bridge in OPNsense. LAN bridges act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: This will require physical access to the Vault if the port being used to access the web interface is added into the bridge.

How to Create a LAN Bridge in OPNsense

In this example we will be assigning the LAN interface to a bridge containing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the web interface. The default IP address: 192.168.1.1, username: root, password: opnsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc.) are assigned with default settings. They can be assigned by clicking the ‘+‘ then Save

OPNsense interfaces — OPNsense Interface Assignment Menu (FW4A)

Under the Interfaces tree open the OPT1 menu
Check Enable Interface leave all settings default
Click Save then Apply changes a the top
Repeat on additional interfaces to be included in the bridge

OPNsense interfaces OPT1 — OPNsense Interface Menu

Under the Interfaces tree select Other Types, then Bridge
Click Add and select OPT1, OPT2, etc then click Save

OPNsense interfaces bridge — OPNsense Bridge Menu

Under the Interfaces tree select Assignments
Change the LAN interface to bridge0 and click Save

Note: At this point access to the web interface will be lost. Plug into either port OPT1 or OPT2 to regain access.

OPNsense interfaces lan bridge — OPNsense Assignments Menu

In the Assignments menu add the port(em1) which was previously assigned to LAN. Click Save
Verify OPT3 is now assigned
Enable OPT3 with default settings. Save and Apply Changes
Navigate back to the Bridge menu and edit bridge0. Add OPT3 and Save

Verify the LAN port now has web interface access

Navigate to System > Settings > Tunables
Locate net.link.bridge.pfil_member and change its setting from Default to 0. Save and Apply Changes
Locate(directly below the previous setting) net.link.bridge.pfil_bridge and change the setting from Default to 1. Save and Apply Changes

Reboot
Verify bridged ports are functioning

At this point you should now have a functioning LAN bridge in OPNsense. If you need additional assistance, please feel free to reach out: support@protectli.com. You can also find more information in our Knowledge Base. or check the official pages at OPNsense.org.

How to Install FreeBSD 12.0 on the Vault

Luke Green July 11, 2019

Overview

As of writing this article FreeBSD 12.0 has a bug affecting the network interfaces on several models of Vaults. Here is a link to the bug report https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235147. The workaround is fairly straightforward and can be done either during install or after.

Note: FreeBSD also inherited a bug from 11.2 which affects the FW1,FW2, and FW4A model Vaults. The workaround is simply changing the BIOS to UEFI. We have an article covering that here.

To Install FreeBSD 12.0 follow the FreeBSD 11.2 install guide (link) with the caveat below.

During a install

At the end of the install a “Manual Configuration” window opens
Select ‘Yes‘
Verify the command line is present
Edit the loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already in place
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type :wq to write the file and quit
Verify the command line prompt is present, then exit

# exit

Reboot the Vault
Verify the system boots into FreeBSD and the network interfaces now function as they should

Post-install FreeBSD

Verify FreeBSD boots and login
Verify the command line is present
Edit loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already there
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type ‘:wq‘ to write the file and quit
Verify the command line prompt is displayed and reboot

# reboot

Verify the system boots into FreeBSD and the network interfaces now function as they should

If you experience any issues, please feel free to reach out to us at support@protectli.com, or find more information in our Knowledge Base, or reference the official pages at freebsd.org.

How to Rescue ClearOS and CentOS

Luke Green May 16, 2019

Rescue Procedure Overview

There is a documented bug in CentOS 7-1804 and ClearOS 7 that causes a kernel panic (crash) on some systems at reboot. I Information and a workaround are available at: https://bugs.centos.org/view.php?id=14779 . This bug affects the FW1, FW2, and FW4A versions of The Vault. If the newly installed CentOS or ClearOS is affected by the known issue, it can be “rescued”. “Rescue” means that the new installation can be configured to avoid this bug. See the section below for instructions to alleviate the issue.

Performing rescue on ClearOS and CentOS

Follow the instructions below to rescue the system from the known issue with ClearOS 7 and CentOS 7

Reboot the system from the Installation USB
Select Troubleshooting
Select Rescue ClearOS
Verify the system boots up
Verify the rescue options are displayed
Select “1” to continue
Verify the system is mounted at /mnt/sysimage
Hit Enter to get a shell
Verify the shell is at the prompt sh-4.2#
Use the the following command to change directory to /mnt/sysimage/etc/modprobe.d
sh-4.2# cd /mnt/sysimage/etc/modprobe.d/
Edit/Create the file snd.conf
Add the following line to snd.conf “blacklist snd-hdmi-lpe-audio”
Save the file
Verify the new config file with the following command:
sh-4.2# more snd.conf
Reboot the system with the following command
sh-4.2# reboot
Verify the system boots from the mSATA
Verify the system boots successfully
Continue the installation from the point of the failure and verify it completes successfully

If you experience any issues, please feel free to reach out: support@protectli.com or find more information in our Knowledge Base.

How to Install ESXi on the Vault

phil April 24, 2019

ESXi Overview

ESXi is the VMware hypervisor for deploying multiple virtual machines on capable barebone hardware. This article describes how to install ESXi 6.7 on the Vault. The specific version used in this test is 6.7 Update 1. ESXi 6.7 has been successfully installed on all of the Vault platforms. The FW1, FW2 and FW4A require a workaround during installation. See the table at the bottom of this article for more details and a link to the workaround instructions. There is another article for previous versions of ESXi available at this link.

Verify Hardware Recommendations

VMware recommends a minimum of 4 GB of RAM. Our test installation used 8 GB. Additional ESXi 6.7 Hardware Requirements can be found at this link.

Install ESXi

Obtain the Installation Image

To gain access you will need to register with VMware. ESXi can be downloaded for free here https://my.vmware.com/web/vmware/evalcenter?p=free-esxi6.

As of writing this article, The Vault has been tested with version 6.7. Unless advised to the contrary, we recommend downloading the latest available version.

Burn the Installation image to a USB Drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Apple OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Note: If using the Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and the USB keyboard with a plug that is relatively skinny. The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Install the Operating System on the Vault

Verify the Vault is powered down
Verify the monitor is connected
Verify the USB keyboard is plugged in (you can skip this spet if you are using the serial installer)
Verify the USB drive is plugged into the Vault
Connect the Vault to the network via the WAN port that is connected to a DHCP enabled switch
Power on and verify the Vault boots to the USB
Follow the on screen installation instructions
When installation is complete, the Vault will reboot and the IP address will be displayed on the ESXi console
To access the ESXi management console, browse to “http://<IP address>/ui” Example http://192.168.1.107/ui
Login with User: root and Password: created during installation
Verify the ESXi dashboard is displayed

At this point, ESXi 6.7 is up and running on the Vault. It must now be configured for the specific Virtual Machines as desired for deployment. As always, if you experience any issues, please feel free to reach out to support@protectli.com.

Optional SSD on the FW6 Vault

The FW6 series of the Vault ships with a SATA cable, SATA power cable, and 2.5″ drive mount to support an optional SSD drive (we recommend using an SSD drive, not a spinning hard drive). Adding an optional 2.5″ drive requires no software or BIOS modifications. See the screenshot below for an example of an additional 250GB drive that has been added to a FW6 with ESXi 6.7 installed.

vmware esxi vault devices — ESXi with optional 2.5″ SSD

BIOS Compatibility

The table below shows the compatibility of tested releases of ESXi and BIOS on each of the Vaults.

Vault	ESXi Version	BIOS - Legacy	BIOS - UEFI	BIOS - coreboot
FW1	6.7	Workaround	Not tested	N/A
FW2	6.7	Workaround	Not tested	N/A
FW2B	6.7	Tested	Tested	Tested
FW4A	6.7	Workaround	Not tested	N/A
FW4B	6.7	Tested	Tested	Tested
FW6A	6.7	Tested	Tested	Tested
FW6B	6.7	Tested	Tested	Tested
FW6C	6.7	Tested	Tested	Tested

As always, if you need additional assistance, please feel free to reach out at support@protectli.com or find more information in our Knowledge Base.

coreboot on the Vault

phil April 16, 2019

coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.

coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:

Fast Boot – Minimal image, removes legacy bloat
Open Source – The source code is available and can be built without any cost or license
Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
Support for modern HW and Intel CPUs

The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.

coreboot is available on the FW2B, FW4B and FW6 series Protectli platforms as an alternative to traditional BIOS.

Please see the compatibility table below for software which has been tested with coreboot for full functionality

coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for field installation.

Protectli is committed to continuing the development of coreboot on each of our compatible platforms. While coreboot images for the Vault may not be available with every minor coreboot project update, we will work diligently to ensure Vault coreboot updates are available to address any serious vulnerabilities. We will also work to contribute our coreboot updates back into the project master. Protectli contributions can be found here.

coreboot and the Vault

coreboot BIOS Settings

A frequent question that is encountered is “how do I get into the BIOS”. When coreboot is installed on the Vault, there is no way to “get into” the BIOS as there is with traditional BIOS. This is considered a security feature so that there is less possibility to tamper with BIOS settings. The only operation available at boot time is to select the boot device from the Boot Selection Menu. To access the Boot Selection Menu, press the F11 key when the boot splash screen is displayed. Unlike legacy BIOS, selecting the DEL key will not do anything and will not “get into” the BIOS.

Boot Selection Menu

When coreboot is installed on the Vault, the Vault will first attempt to boot from the internal mSATA. If there is no bootable OS on the mSATA, it will then attempt to boot from any USB that it discovers. If it is desired to boot from a USB rather than mSATA, the boot menu can be accessed by pressing the “F11” key when the splash screen is displayed then selecting the desired boot device. Note that with coreboot, there is no way to “get into” the BIOS to set individual parameters as there is with traditional BIOS.

coreboot Hardware Compatibility

There are some coreboot hardware compatibility issues with specific DRAM vendors and/or specific manufacturing lots. See this link for compatibility.

Installation Instructions

Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.

Protectli can not be held responsible for devices that are rendered unusable as a result of flashing the BIOS. If your devices becomes unusable as a result of a BIOS flashing operation, we will help recover the device, but the customer will be responsible for all shipping costs.

Note: coreboot utilizes Legacy BIOS. If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive.

coreboot is installed using a program called ‘flashrom’ which is available for many linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 19.10 (see this link for guidance on installing Ubuntu on the Vault). It is important to use Ubuntu 19.10 because previous versions of Ubuntu used a previous version of flashrom that did not support the FW6. While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu 19.10 to upgrade your Vault to coreboot.

In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.

If not using Ubuntu on the Vault, remove the existing mSATA and replace it with the dedicated mSATA for the coreboot installation process
Install Ubuntu desktop version on the Vault to the dedicated mSATA per the link above (we recommend the “Minimal” version for this task)
Verify that Ubuntu desktop version is installed and reboot the system
Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
Open a terminal window in Ubuntu. (Applications->Terminal)
Verify the terminal opens and change directory to “Downloads” using the following command:

#cd Downloads

Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

Download the appropriate SHA256 checksum file per the table below
Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:

#unzip filename.rom.zip
#unzip filename.rom.sha256.zip

Run the SHA256 program on the filename.rom file using the following command:

#sha256sum filename.rom

Verify the SHA256 output is the same as the contents of the filename.rom.sha file using the following command:

#cat filename.rom.sha

Verify the “flashrom” program is present in Ubuntu using the following command:

#which flashrom

If flashrom is not present, get it from the network and install it in Ubuntu using the following command:

#sudo apt install flashrom

Verify flashrom is installed on the system

Flash the coreboot image to the system.

Note: The flashrom command arguments are different for the FW6 series than the FW2B and FW4B series. You must use the correct command for the specific unit. Using the incorrect command could render the unit useless and unable to boot.

flashrom command for FW2B, FW4B:

 #sudo flashrom -p internal -w filename.rom -V -o output-file

where -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

flashrom command for FW6:

 #sudo flashrom -p internal -w filename.rom --ifd -i bios -V -o output-file

where “–ifd -i bios” is required for the FW6, -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

Reboot the system
Verify the system boots and displays the coreboot version string on the screen, then the splash screen
Verify the system boots up to Ubuntu desktop
If not using Ubuntu as the OS, power off the system and replace the dedicated Ubuntu mSATA with the mSATA for the desired OS
Reboot the system and verify that it boots to the desired OS

At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.

Flash from Coreboot to Original(AMI) BIOS

In case you would like to go to back the OEM BIOS, the steps are relatively straightforward. Following the same procedure as flashing Coreboot. Be sure to use the correct BIOS for your Vault.

Using the same Ubuntu install as the instructions above;

Verify the correct BIOS is downloaded from here
Unzip the BIOS in the Downloads folder
Open Terminal and change directory to BIOS folder. Examples below.

For the FW4B

#cd Downloads/4B180727

For the FW2B

#cd Downloads/2B180727

For the FW6

#cd Downloads/6-190708

Run the flashrom command, using ‘filename.bin’ for legacy BIOS, instead of ‘filename.rom’ for coreboot

FW4B BIOS file example:

 #sudo flashrom -p internal -w YLBWL412.bin -V -o output-file

FW2B BIOS file example:

 #sudo flashrom -p internal -w YLBWL212.bin -V -o output-file

FW6 BIOS file example: (Note additional command line arguments)

 #sudo flashrom -p internal -w KBU6LA09.bin --ifd -i bios -V -o output-file

After the flash is complete the terminal should output a “VERIFIED” message.
Reboot and verify the legacy BIOS is loaded

coreboot File Table

Vault	coreboot .rom file	SHA256 file
FW2B	fw2b_v4.9.0.1.rom	fw2b_v4.9.0.1.rom.sha
FW4B	fw4b_v4.9.0.1.rom	fw4b_v4.9.0.1.rom.sha
FW6	fw6_v4.9.0.1.rom	fw6_v4.9.0.1.rom.sha

coreboot Compatibility

Vault	pfSense 2.4.5	FreeBSD 11.2	OPNsense 19.7	Untangle 14.2.2	Ubuntu 18.04.3	Ubuntu 19.10	ESXi 6.7	Windows 10
FW2B	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW4B	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW6A	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW6B	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme
FW6C	Verified	Verified	Verified	Verified	Verified	Verified	Verified	Verified - Use MBR partition scheme

If you need additional assistance, please feel free to reach out at support@protectli.com. You can find more information about coreboot on the Vault in our Knowledge Base as well.

How to Install pfSense® CE 2.4 on the Vault

phil January 10, 2019

Overview: Install pfSense® CE

Note: pfSense® CE is open source software developed for the benefit of the community. If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved

Note: pfSense® CE version 2.4.5 is now available. Protectli recommends using the latest released version.

Verify Hardware Recommendations

pfSense® CE has good documentation regarding general hardware recommendations on their web site. See https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html to verify that the proper memory and storage is available for the intended application.

Install pfSense® CE

Obtain the Installation Image and Uncompress it

There are two ways to install pfSense® CE on the Vault. Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more ‘traditional’ way by using a VGA or HDMI monitor, along with a USB keyboard.

The easiest way to install pfSense® CE that is most likely to be error-free is with a VGA (FW1, FW2, FW4A series) or HDMI (FW2B, FW4B, FW6 series) monitor and a USB keyboard, using the VGA version of the installer
If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer.
If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you’re using the correct version of the pfSense® CE installer with your chosen installation method.

The pfSense® CE installation image (IMG) can be downloaded from https://www.pfsense.org/download/. The same image can be used to install pfSense® CE on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Version”, “Architecture”, “Installer”, and “Console.” The proper selections are as follows for installing the Vault using a VGA monitor and USB Keyboard:

Version: The latest available (2.4.5 as of this edit)

Architecture: AMD64 (64 bit)

Console: VGA or Serial as needed (see note above; VGA or HDMI monitor = VGA installer; COM port = serial installer)

Installer: USB Memstick Installer

install pfSense® USB Memstick Installer — *pfSense® CE* Download Page

Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: pfSense-CE-memstick-2.4.5-RELEASE-amd64.img.gz) downloaded that is ~800MB in size.

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file. The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Burn the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Mac OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Note: If installing using a VGA monitor and USB keyboard on a Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and a USB keyboard with a plug that is relatively skinny. The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Verify the BIOS mode

Note: There is an important issue and workaround in some versions of pfSense® CE version 2.4 due to the fact that it is based on FreeBSD 11.2. See this link. The issue affects the FW1, FW2, and FW4A platforms. See the BIOS Compatibility table at the bottom of this article. If UEFI is required, follow the steps below to set UEFI mode.

Verify the Vault is powered down
Verify the monitor is connected
Verify the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.

Select “Advanced” tab

Select “CSM Configuration”

Com3 PuTTY CSM configuration — Advanced->CSM

Select “Boot option filter”

Com3 PuTTY boot option filter — Boot Option Filter

Select “UEFI only”
Press RETURN then “F4” to save and exit the BIOS
Power off the unit

Install pfSense® Operating System on the Vault

Insert the USB installation drive into the USB port on the Vault
While powering up the Vault, press “F11” key and verify that it boots to the BIOS boot options screen.

NOTE: If using the serial installer, F11 commonly will not show the boot options menu. In this case, use the “DEL” key to enter the BIOS. In the BIOS, a specific boot device can be chosen from the “Save & Exit”, or rightmost tab.

Select the USB drive UEFI partition to boot from if UEFI was configured, else just select the USB drive
Verify the Vault boots and begins the installation process
Follow the on screen installation prompts to install pfSense® CE

For detailed installation information, see the procedures presented on the pfSense® CE website at this link.

pfSense® CE Dashboard

For more detailed configuration instructions, the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

Once rebooted, the Vault should be up and running. Follow any on screen instructions for logging in to pfSense® CE.

If you experience any issues, please feel free to reach out: support@protectli.com.

BIOS Compatibility

The table below shows the compatibility of tested releases of pfSense® CE and BIOS on each of the Vaults.

Vault	pfSense® CE Version	BIOS - Legacy	BIOS - UEFI	BIOS - coreboot
FW1	2.4.5	Fail, Use UEFI	Tested	N/A
FW2	2.4.5	Fail, Use UEFI	Tested	N/A
FW2B	2.4.5	Tested	Tested	Tested
FW4A	2.4.5	Fail, Use UEFI	Tested	N/A
FW4B	2.4.5	Tested	Tested	Tested
FW6A	2.4.5	Tested	Tested	Tested
FW6B	2.4.5	Tested	Tested	Tested
FW6C	2.4.5	Tested	Tested	Tested
FW1	2.4.4	Fail, Use UEFI	Tested	N/A
FW2	2.4.4	Fail, Use UEFI	Tested	N/A
FW2B	2.4.4	Tested	Tested	Tested
FW4A	2.4.4	Fail, Use UEFI	Tested	N/A
FW4B	2.4.4	Tested	Tested	Tested
FW6A	2.4.4	Tested	Tested	Tested
FW6B	2.4.4	Tested	Tested	Tested
FW6C	2.4.4	Tested	Tested	Tested
FW1	2.4.3	Tested	Tested	N/A
FW2	2.4.3	Tested	Tested	N/A
FW2B	2.4.3	Tested	Tested	Tested
FW4A	2.4.3	Tested	Tested	N/A
FW4B	2.4.3	Tested	Tested	Tested
FW6A	2.4.3	Tested	Tested	Tested
FW6B	2.4.3	Tested	Tested	Tested
FW6C	2.4.3	Tested	Tested	Tested

Software

pfSense® CE Configuration Recommendations

Overview

Thermal Monitoring

Enable Thermal Monitoring

Display Thermal Sensors on the Dashboard

Cryptographic Hardware Support (AES-NI and BDS)

Enable Cryptographic Hardware Support

Power Management with PowerD

Enable PowerD

Configuring Optional Ports

Configuring Optional Ports – IP Address

Configuring Optional Ports – DHCP Server

Configuring Optional Ports – Firewall Rules

Configuring Optional Ports – Verify Configuration

Configuration Files

How to Restore a Config File

Configuration Files

Overview

Enable Interfaces

Configure Gateways

Configure Gateway Groups

Configure LAN Firewall

Verify Gateway Status

Verify 4G LTE Failover

Overview

Installing pfBlockerNG

Overview

How to Create a LAN Bridge in pfSense®

Overview

How to Create a LAN Bridge in OPNsense

Overview

During a install

Post-install FreeBSD

Rescue Procedure Overview

Performing rescue on ClearOS and CentOS

ESXi Overview

Verify Hardware Recommendations

Install ESXi

Obtain the Installation Image

Burn the Installation image to a USB Drive

Install the Operating System on the Vault

Optional SSD on the FW6 Vault

BIOS Compatibility

coreboot and the Vault

coreboot BIOS Settings

Boot Selection Menu

coreboot Hardware Compatibility

Installation Instructions

Flash from Coreboot to Original(AMI) BIOS

coreboot File Table

coreboot Compatibility

Overview: Install pfSense® CE

Verify Hardware Recommendations

Install pfSense® CE

Obtain the Installation Image and Uncompress it

Burn the installation image to a USB drive

Verify the BIOS mode

Install pfSense® Operating System on the Vault

BIOS Compatibility

Added to Cart