Software

Software that runs on Protectli Hardware

How to Configure pfSense® CE for 4G LTE Failover

phil October 16, 2019

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
Connect the WAN and LAN ports to the devices or ports that they are normally connected to
Connect the OPT1 port to the LAN port of the 4G LTE modem
Browse to the pfSense ® CE GUI and login
Select Interfaces->Interface Assignments
Add OPT1 and select the default Network port (em2 or igb2)
Select “OPT1” to configure the port
Select General Configuration->Enable->Enable interface check box
Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select Status->Dashboard and verify that the Dashboard is displayed
Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

Select System->Routing->Gateways
Verify WAN_DHCP is displayed
Select Edit Icon
Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select System->Routing->Gateways
Select ADD button
Add OPT1 Interface
Verify the Name is OPT1_DHCP
Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

Select System->Routing->Gateway Groups
Select ADD button
Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
Set Edit Gateway Group Entry->Description if desired

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

Select Firewall->Rules->LAN
Select Edit for “Default allow LAN to any rule”
Select ADVANCED button
Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

Select Status->Gateways
Verify WAN_DHCP and OPT1_DHCP Gateways are online

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
Select Dashboard and monitor the Traffic Graphs
Verify the WAN and LAN ports have similar high levels of traffic
Disconnect the WAN port from the Vault
Verify the video continues to play
Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
Reconnect the WAN port to the Vault
Verify the video continues to play
Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com.

How to Setup pfBlockerNG

Luke Green August 23, 2019

Overview

pfBlocker is a very powerful package for pfSense® which provide advertisement, malicious content blocking and geo-blocking.

Installing pfBlockerNG

Access the pfSense WebGUI (default 192.168.1.1)
Click on the System tab, then Package Manager

From the Package Manager menu select the Available Packages tab
Scroll down and find pfBlockerNG-devel and click Install

Verify pfBlockerNG is now installed by going to the Firewall drop down menu
Open the pfBlockerNG menu and start the wizard

At the Component Configuration page of the wizard select the WAN interface for inbound. For outbound typically LAN is used. CTRL+Click any additional interfaces you want included.
Leave the DNSBL default
Click Finish and allow pfBlocker to update
If you would like multiple LAN segments to be included in with DNSBL check the setting Permit Firewall Rules and select the interface (ctrl+click) you would like included.

By Default pfBlockerNG will setup basic advertisement and IP blocking from defaults feeds
We recommend also including the DNSBL feed from BBcan177(creator of pfBlockerNG) as well as the Cryptojackers feed

Add by clicking the + next to the feed name
In the feed configuration click Enable All and change Action to Unbound
Click Save DNSBL Setting

Repeat this process for any other feeds you would like to add

Once the feeds are added, it is important to reload and update

Now browse a few websites and then check the pfSense dashboard to verify the pfBlockerNG widget is showing data

You might come across false positives possibly breaking certain sites. The solution is adding addresses to a Whitelist

To add an item to the whitelist access the pfBlockerNG Reports either by clicking on one of the packet stats (arrow below) or through the pfBlocker menu

pfBlocker also has built in GeoIP blocking. This allows you control over geographic regions connecting to your network. You can find this in the pfBlockerNG menu under IP>GeoIP. Careful blocking too much, websites host content and media on servers around the world. Unintentionally blocking some of these IP addresses could result in broken sites or unavailable downloads.

You should now have network wide advertisement and malicious content blocking. If you need additional assistance, please feel free to reach out: support@protectli.com.

How to Enable LAN Bridge with pfSense®

Luke Green July 17, 2019

Overview

This article covers how to enable a LAN bridge in pfSense®. LAN bridges act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: If the port being used for the web interface is added to the bridge, then physical access to the unit will be necessary.

How to Create a LAN Bridge in pfSense®

In this example we will be assigning the LAN interface to a bridge utilizing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the webGUI. The default IP address: 192.168.1.1, username: admin, password: pfsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc) are assigned with default settings.
To assign simply click Add next to the port you wish to assign. Click Save.

To enable the each interface, click the on the interface label(OPT1,OPT2,etc) in the left column.
Click Enable, leave all other settings default. Save and Apply Changes

In the Interfaces menu select the Bridges tab and click Add
Select OPT1 and OPT2 using Ctrl+Click. Don’t select the LAN interface. Click Save.

Navigate back to the Interface Assignments tab and change the LAN interface port to BRDIGE0
Note: At this point once the settings are saved the web interface connection will be lost. Swap the Ethernet connection to one of the optional ports(OPT1,OPT2) added into the bridge to regain access

Assign the port previously used as LAN to OPT3 and enable it as done in the steps earlier
Navigate back to the Bridges menu and add(Ctrl+Click) OPT3. Save
Navigate to System > Advanced > System Tunables
Select net.link.bridge.pfil_member and change its value to 0. Save
Select net.link.bridge.pfil_bridge and change its value to 1. Save

Click Apply Changes at the top

Reboot
Verify bridged ports are functioning

At this point you should have a functioning LAN bridge in pfSense®. If you need additional assistance, please feel free to reach out: support@protectli.com.

How to Enable LAN Bridge with OPNsense

Luke Green July 12, 2019

Overview

This article covers how to enable a LAN bridge in OPNsense. LAN bridges act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: This will require physical access to the Vault if the port being used to access the web interface is added into the bridge.

How to Create a LAN Bridge in OPNsense

In this example we will be assigning the LAN interface to a bridge containing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the web interface. The default IP address: 192.168.1.1, username: root, password: opnsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc.) are assigned with default settings. They can be assigned by clicking the ‘+‘ then Save

OPNsense Interface Assignment Menu (FW4A)

Under the Interfaces tree open the OPT1 menu
Check Enable Interface leave all settings default
Click Save then Apply changes a the top
Repeat on additional interfaces to be included in the bridge

Under the Interfaces tree select Other Types, then Bridge
Click Add and select OPT1, OPT2, etc then click Save

Under the Interfaces tree select Assignments
Change the LAN interface to bridge0 and click Save

Note: At this point access to the web interface will be lost. Plug into either port OPT1 or OPT2 to regain access.

In the Assignments menu add the port(em1) which was previously assigned to LAN. Click Save
Verify OPT3 is now assigned
Enable OPT3 with default settings. Save and Apply Changes
Navigate back to the Bridge menu and edit bridge0. Add OPT3 and Save

Verify the LAN port now has web interface access

Navigate to System > Settings > Tunables
Locate net.link.bridge.pfil_member and change its setting from Default to 0. Save and Apply Changes
Locate(directly below the previous setting) net.link.bridge.pfil_bridge and change the setting from Default to 1. Save and Apply Changes

Reboot
Verify bridged ports are functioning

At this point you should now have a functioning LAN bridge in OPNsense. If you need additional assistance, please feel free to reach out: support@protectli.com.

How to Install FreeBSD 12.0 on the Vault

Luke Green July 11, 2019

Overview

As of writing this article FreeBSD 12.0 has a bug affecting the network interfaces on several models of Vaults. Here is a link to the bug report https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235147. The workaround is fairly straightforward and can be done either during install or after.

Note: FreeBSD also inherited a bug from 11.2 which affects the FW1,FW2, and FW4A model Vaults. The workaround is simply changing the BIOS to UEFI. We have an article covering that here.

To Install FreeBSD 12.0 follow the FreeBSD 11.2 install guide (link) with the caveat below.

During a install

At the end of the install a “Manual Configuration” window opens
Select ‘Yes‘
Verify the command line is present
Edit the loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already in place
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type :wq to write the file and quit
Verify the command line prompt is present, then exit

# exit

Reboot the Vault
Verify the system boots into FreeBSD and the network interfaces now function as they should

Post-install

Verify FreeBSD boots and login
Verify the command line is present
Edit loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already there
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type ‘:wq‘ to write the file and quit
Verify the command line prompt is displayed and reboot

# reboot

Verify the system boots into FreeBSD and the network interfaces now function as they should

If you experience any issues, please feel free to reach out to us at: support@protectli.com.

pfSense® Optional Port Configuration

Luke Green June 18, 2019

Overview

This article covers how to activate the Vaults optional ports in pfSense® with our supplied configuration files. We have included configuration files in the table at the bottom of the page. These configuration files have the ports assigned and functioning with default firewall rules and DHCP enabled.

Note: These configuration files have the default admin password retained. The additional ports assigned use default firewall rules, same as what pfSense® configures for the LAN port.

How to Restore a Config File

Verify pfSense® has been installed correctly
Verify the correct configuration file has been downloaded from the table below and pfSense® will be able to access it
Log into the WebGUI. This is 192.168.1.1 by default.
The default pfSense® login user is ‘admin’ and password is ‘pfsense’
Verify the Setup Wizard is displayed
Click Diagnostics on the top of the GUI
From the drop-down menu click Backup & Restore

Click Choose File
Select the appropriate config, click open
Click Restore Configuration

Verify the Vault reboots
Log back into the WebGUI with the default credentials
Verify OPT1 and OPT2 (OPT3 /OPT4 additionally on the FW6x) now appear on the Interfaces widget

It is now recommended to change the default ‘admin’ password
Verify the newly assigned ports are functioning and DHCP is handing out IP addresses

If you experience any issues, please feel free to reach out: support@protectli.com.

Configuration Files

Model	pfSense® Version	Notes	Download	Release
FW1	2.4.4	Enabled: OPT1, OPT2 DHCP Thermal Monitoring Default Firewall Rules	config-pfSense.Basic-FW1-190614.xml	June 14th, 2019
FW4A	2.4.4	Enabled: OPT1, OPT2 DHCP Thermal Monitoring AES-NI Default Firewall Rules	config-pfSense.Basic-FW4A-190614.xml	June 14th, 2019
FW4B	2.4.4	Enabled: OPT1, OPT2 DHCP Thermal Monitoring AES-NI Default Firewall Rules	config-pfSense.Basic-FW4B-190614.xml	June 14th, 2019
FW6(A,B,C)	2.4.4	Enabled: OPT1, OPT2, OPT3, OPT4 DHCP Thermal Monitoring AES-NI Default Firewall Rules	config-pfSense.Basic-FW6-190614.xml	June 14th, 2019

How to Rescue ClearOS and CentOS

Luke Green May 16, 2019

Rescue Procedure Overview

There is a documented bug in CentOS 7-1804 and ClearOS 7 that causes a kernel panic (crash) on some systems at reboot. I Information and a workaround are available at: https://bugs.centos.org/view.php?id=14779 . This bug affects the FW1, FW2, and FW4A versions of The Vault. If the newly installed CentOS or ClearOS is affected by the known issue, it can be “rescued”. “Rescue” means that the new installation can be configured to avoid this bug. See the section below for instructions to alleviate the issue.

Performing rescue on ClearOS and CentOS

Follow the instructions below to rescue the system from the known issue with ClearOS 7 and CentOS 7

Reboot the system from the Installation USB
Select Troubleshooting
Select Rescue ClearOS
Verify the system boots up
Verify the rescue options are displayed
Select “1” to continue
Verify the system is mounted at /mnt/sysimage
Hit Enter to get a shell
Verify the shell is at the prompt sh-4.2#
Use the the following command to change directory to /mnt/sysimage/etc/modprobe.d
sh-4.2# cd /mnt/sysimage/etc/modprobe.d/
Edit/Create the file snd.conf
Add the following line to snd.conf “blacklist snd-hdmi-lpe-audio”
Save the file
Verify the new config file with the following command:
sh-4.2# more snd.conf
Reboot the system with the following command
sh-4.2# reboot
Verify the system boots from the mSATA
Verify the system boots successfully
Continue the installation from the point of the failure and verify it completes successfully

If you experience any issues, please feel free to reach out: support@protectli.com.

How to Install ESXi on the Vault

phil April 24, 2019

ESXi Overview

ESXi is the VMware hypervisor for deploying multiple virtual machines on capable barebone hardware. This article describes how to install ESXi 6.7 on the Vault. The specific version used in this test is 6.7 Update 1. ESXi 6.7 has been successfully installed on all of the Vault platforms. The FW1, FW2 and FW4A require a workaround during installation. See the table at the bottom of this article for more details and a link to the workaround instructions. There is another article for previous versions of ESXi available at this link.

Verify Hardware Recommendations

VMware recommends a minimum of 4 GB of RAM. Our test installation used 8 GB. Additional ESXi 6.7 Hardware Requirements can be found at this link.

Install ESXi

Obtain the Installation Image

To gain access you will need to register with VMware. ESXi can be downloaded for free here https://my.vmware.com/web/vmware/evalcenter?p=free-esxi6.

As of writing this article, The Vault has been tested with version 6.7. Unless advised to the contrary, we recommend downloading the latest available version.

Burn the Installation image to a USB Drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Apple OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Note: If using the Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and the USB keyboard with a plug that is relatively skinny. The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Install the Operating System on the Vault

Verify the Vault is powered down
Verify the monitor is connected
Verify the USB keyboard is plugged in (you can skip this spet if you are using the serial installer)
Verify the USB drive is plugged into the Vault
Connect the Vault to the network via the WAN port that is connected to a DHCP enabled switch
Power on and verify the Vault boots to the USB
Follow the on screen installation instructions
When installation is complete, the Vault will reboot and the IP address will be displayed on the ESXi console
To access the ESXi management console, browse to “http://<IP address>/ui” Example http://192.168.1.107/ui
Login with User: root and Password: created during installation
Verify the ESXi dashboard is displayed

At this point, ESXi 6.7 is up and running on the Vault. It must now be configured for the specific Virtual Machines as desired for deployment. As always, if you experience any issues, please feel free to reach out to support@protectli.com.

Optional SSD on the FW6 Vault

The FW6 series of the Vault ships with a SATA cable, SATA power cable, and 2.5″ drive mount to support an optional SSD drive (we recommend using an SSD drive, not a spinning hard drive). Adding an optional 2.5″ drive requires no software or BIOS modifications. See the screenshot below for an example of an additional 250GB drive that has been added to a FW6 with ESXi 6.7 installed.

BIOS Compatibility

The table below shows the compatibility of tested releases of ESXi and BIOS on each of the Vaults.

Vault	ESXi Version	BIOS - Legacy	BIOS - UEFI	BIOS - coreboot
FW1	6.7	Workaround	Not tested	N/A
FW2	6.7	Workaround	Not tested	N/A
FW2B	6.7	Tested	Tested	Tested
FW4A	6.7	Workaround	Not tested	N/A
FW4B	6.7	Tested	Tested	Tested
FW6A	6.7	Tested	Tested	N/A
FW6B	6.7	Tested	Tested	N/A
FW6C	6.7	Tested	Tested	N/A

How to Install pfSense® CE 2.4 on the Vault

phil January 10, 2019

pfSense® CE Overview

Note: pfSense® CE is open source software developed for the benefit of the community. If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved

Note: pfSense® CE will require hardware encryption support, specifically Intel AES-NI, starting with version 2.5. This was announced at https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html. Subsequently, there was an announcement that AES-NI will NOT be a requirement in version 2.5 https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html However, it may be a requirement in the future. The Vault FW1 and FW2 (J1800 based CPU) series DO NOT support AES-NI. The Vault FW2B, FW4A, FW4B and FW6 series DO support AES-NI.

Note: pfSense® CE version 2.4.4 is now available. A previous article was published at this link regarding an important issue and workaround in pfSense® CE version 2.4.4 due to the fact that it is based on FreeBSD 11.2 . Both of these issues can be resolved by setting BIOS to UEFI mode on the Vault. This article supersedes that one and following the instructions below eliminates the need to refer to the previous article. See the BIOS Compatibility table at the bottom of this article for more information.

Verify Hardware Recommendations

pfSense® CE has good documentation regarding hardware recommendations on their web site. See https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html to verify that the proper memory and storage is available for the intended application.

Install pfSense® CE

Obtain the Installation Image and Uncompress it

There are two ways to install pfSense® CE on the Vault. Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more ‘traditional’ way by using a VGA or HDMI monitor, along with a USB keyboard.

The easiest way to install pfSense® CE that is most likely to be error-free is with a VGA (FW1, FW2, FW4A series) or HDMI (FW2B, FW4B, FW6 series) monitor and a USB keyboard, using the VGA version of the installer
If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer.
If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you’re using the correct version of the pfSense® CE installer with your chosen installation method.

The pfSense® CE installation image (IMG) can be downloaded from https://www.pfsense.org/download/. The same image can be used to install pfSense® CE on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Version”, “Architecture”, “Installer”, and “Console.” The proper selections are as follows for installing the Vault using a VGA monitor and USB Keyboard:

Version: The latest available (2.4.4 as of this edit)

Architecture: AMD64 (64 bit)

Console: VGA or Serial as needed (see note above; VGA or HDMI monitor = VGA installer; COM port = serial installer)

Installer: USB Memstick Installer

Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: pfSense-CE-memstick-2.4.4-RELEASE-amd64.img.gz) downloaded that is ~800MB in size.

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file. The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Burn the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Mac OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Note: If installing using a VGA monitor and USB keyboard on a Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and a USB keyboard with a plug that is relatively skinny. The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Verify the BIOS mode

Note: There is an important issue and workaround in pfSense® CE version 2.4.4 due to the fact that it is based on FreeBSD 11.2. See this link. The issue affects the FW1, FW2, and FW4A platforms. See the BIOS Compatibility table at the bottom of this article. If UEFI is required, follow the steps below to set UEFI mode.

Verify the Vault is powered down
Verify the monitor is connected
Verify the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.

Select “Advanced” tab

Select “CSM Configuration”

Select “Boot option filter”

Select “UEFI only”
Press RETURN then “F4” to save and exit the BIOS
Power off the unit

Install the Operating System on the Vault

Insert the USB installation drive into the USB port on the Vault
While powering up the Vault, press “F11” key and verify that it boots to the BIOS boot options screen.

NOTE: If using the serial installer, F11 commonly will not show the boot options menu. In this case, use the “DEL” key to enter the BIOS. In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.

Select the USB drive UEFI partition to boot from if UEFI was configured, else just select the USB drive
Verify the Vault boots and begins the installation process
Follow the on screen installation prompts to install pfSense® CE

For detailed installation information, see the procedures presented on the pfSense® CE website at this link.

pfSense® CE Dashboard

For more detailed configuration instructions, the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

Once rebooted, the Vault should be up and running. Follow any on screen instructions for logging in to pfSense® CE.

If you experience any issues, please feel free to reach out: support@protectli.com.

BIOS Compatibility

The table below shows the compatibility of tested releases of pfSense® CE and BIOS on each of the Vaults.

Vault	pfSense® CE Version	BIOS - Legacy	BIOS - UEFI	BIOS - coreboot
FW1	2.4.4	Fail, Use UEFI	Tested	N/A
FW2	2.4.4	Fail, Use UEFI	Tested	N/A
FW2B	2.4.4	Tested	Tested	Tested
FW4A	2.4.4	Fail, Use UEFI	Tested	N/A
FW4B	2.4.4	Tested	Tested	Tested
FW6A	2.4.4	Tested	Tested	Tested
FW6B	2.4.4	Tested	Tested	Tested
FW6C	2.4.4	Tested	Tested	Tested
FW1	2.4.3	Tested	Tested	N/A
FW2	2.4.3	Tested	Tested	N/A
FW2B	2.4.3	Tested	Tested	Tested
FW4A	2.4.3	Tested	Tested	N/A
FW4B	2.4.3	Tested	Tested	Tested
FW6A	2.4.3	Tested	Tested	Tested
FW6B	2.4.3	Tested	Tested	Tested
FW6C	2.4.3	Tested	Tested	Tested

How to Install FreeBSD 11.2 on The Vault

phil September 18, 2018

FreeBSD 11.2 Overview

FreeBSD is an open source Linux operating system that has been successfully installed on all of the Vault platforms. The FreeBSD home page is at www.freebsd.org This article will describe installation of a recent version.

FreeBSD 11.2 Issues

With the release of FreeBSD 11.2, one of the kernel defaults was changed such that some of the Vaults do not automatically boot up correctly during installation via USB and also after subsequent bootups from mSATA. This issue is described exactly in the FreeBSD forum at this link: https://forums.freebsd.org/threads/install-freezes-at-consoles-efi-consoles.61243

The symptom of the affected Vaults is that during boot, the console will freeze at a “Booting” message and never get any further. The system is actually booting, but there is no console I/O.

A bug has been filed regarding this issue at this link: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230172 and it includes a workaround, specifically Comment 10 in the bug.

The FreeBSD bug affects the FW1, FW2, and FW4A platforms, but not the FW2B, FW4B, and FW6 platforms.

When this article was originally written, the workaround instructions were described below in “FreeBSD 11.2 Console Instructions”. However, a simpler solution has been found and tested. Following the instructions linked in “Verify the BIOS mode” will solve the issue and it is not required to follow “FreeBSD 11.2 Console Instructions” at the bottom of the page.

Verify Hardware Recommendations

FreeBSD has minimal hardware requirements for basic system. Refer to this link for hardware compatibility. https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/hardware.html

Install FreeBSD 11.2

Obtain the Installation Image and Uncompress it

The FreeBSD installation image can be downloaded from https://www.freebsd.org/where.html. It is important to make sure the correct image file for USB memory stick is selected as shown in the image below.

Version: 11.2

Architecture: AMD64 (64-bit)

Install type: “memstick.img”

Burn the installation image to a USB drive

Verify the BIOS mode

As mentioned above there is a simple fix to the bug introduced in 11.2. By changing the BIOS mode to UEFI the issue is resolved. See the Knowledge Base article which gives step by step instructions linked here.

Install the Operating System on The Vault

Once the FreeBSD installation image is properly copied to the USB drive, it is ready to be installed on the Vault.

Verify the Vault is powered down.
Verify the monitor is connected.
Verify the USB keyboard is plugged in.
Verify an Ethernet connection is in the “WAN” port that is connected to a DHCP server.
Insert the USB install drive into the other USB port on the Vault.
While powering up the Vault, press “F11” key and hold it down until it boots to the BIOS and you see the boot options screen.
Select the USB drive to boot from.
Verify the Vault boots to the FreeBSD installation
Select “Install” and answer prompts for “Keyboard Mapping” and “Hostname”
When prompted for system options, leave defaults
Configure networking to get files from the internet. Recommend “em0”, “IPv4”, and “DHCP”.
Select FreeBSD site for download
Select ZFS (Auto) for the filesystem
Select “Install”, “Stripe”, “ada0” (with space bar).
Continue the installation and when prompted set “Password”, “Timezone”, “Date”, and “Time”.
When prompted for “Services” and “Security”, recommend the defaults.
When prompted for “Users”, add additional users if desired.
Continue the installation and verify that it completes successfully.
Reboot the system and verify the it boots to FreeBSD

FreeBSD has a “Handbook” which covers this and much more in-depth at this link https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

At this point, FreeBSD should be up and running on The Vault. However, If you experience any issues, please feel free to reach out to us at: support@protectli.com.

FreeBSD 11.2 Console Bug Instructions

If UEFI is not an option, the bug workaround is summarized below.

Download the FreeBSD 11.2 installer (amd64, memstick) image
Create a bootable USB as described at this link
Install the image from the USB
Verify the FreeBSD installation menu appears
Select the space bar to pause the boot
Select “3” to go to the Loader prompt
Verify the prompt “OK” appears
Type “set kern.vty=sc”, RET
Type “boot”
Verify the system continues to boot up normally
Install FreeBSD as described at the link above

At this point, FreeBSD has been installed on the mSATA. However, the same issue regarding the console with the USB boot will be present now that the system is booting from the mSATA.

Select “Reboot” and verify the system boots from the mSATA drive with the new installation
Follow the same instructions above to set the console parameter
Verify the FreeBSD boot menu appears
Select the space bar to pause the boot
Select “3” to go to the Loader prompt
Verify the prompt “OK” appears
Type “set kern.vty=sc”, RET
Type “boot”
Verify the system continues to boot up normally to FreeBSD
Login as “root” with the “password” that was set during installation

At this point, FreeBSD is available for use during this session. However, we want to configure the system to permanently fix the console issue so that manual intervention is not required every time it boots.

Change Directory to /boot, type “cd /boot”
Verify the file “loader.conf” is present, type “ls loader.conf”
For safety sake, copy “loader.conf” to another file for backup, type “cp loader.conf loader.conf.orig”
Edit loader.conf using a text editor such as “vi”
Add the following line in loader.conf, kern.vty=”sc”, enclosing quotes around “sc”
Save the file and exit
Type “reboot”
Verify the system reboots successfully without hanging at the console

FreeBSD BIOS Compatibility

The table below shows the compatibility of tested releases of FreeBSD and BIOS on each of the Vaults.

Vault	FreeBSD Version	BIOS - Legacy	BIOS - UEFI	BIOS - coreboot
FW1	11.2	Fail, Use UEFI	Tested	N/A
FW2	11.2	Fail, Use UEFI	Tested	N/A
FW2B	11.2	Tested	Tested	Not Tested
FW4A	11.2	Fail, Use UEFI	Tested	N/A
FW4B	11.2	Tested	Tested	Not Tested
FW6A	11.2	Tested	Tested	N/A
FW6B	11.2	Tested	Tested	N/A
FW6C	11.2	Tested	Tested	N/A

Software

Overview

Enable Interfaces

Configure Gateways

Configure Gateway Groups

Configure LAN Firewall

Verify Gateway Status

Verify 4G LTE Failover

Overview

Installing pfBlockerNG

Overview

How to Create a LAN Bridge in pfSense®

Overview

How to Create a LAN Bridge in OPNsense

Overview

During a install

Post-install

Overview

How to Restore a Config File

Configuration Files

Rescue Procedure Overview

Performing rescue on ClearOS and CentOS

ESXi Overview

Verify Hardware Recommendations

Install ESXi

Obtain the Installation Image

Burn the Installation image to a USB Drive

Install the Operating System on the Vault

Optional SSD on the FW6 Vault

BIOS Compatibility

pfSense® CE Overview

Verify Hardware Recommendations

Install pfSense® CE

Obtain the Installation Image and Uncompress it

Burn the installation image to a USB drive

Verify the BIOS mode

Install the Operating System on the Vault

BIOS Compatibility

FreeBSD 11.2 Overview

FreeBSD 11.2 Issues

Verify Hardware Recommendations

Install FreeBSD 11.2

Obtain the Installation Image and Uncompress it

Burn the installation image to a USB drive

Verify the BIOS mode

Install the Operating System on The Vault

FreeBSD 11.2 Console Bug Instructions

FreeBSD BIOS Compatibility

Added to Cart