Kitz Forum
Computers & Hardware => Networking => Topic started by: Ronski on November 26, 2016, 08:58:22 PM
-
I have for a long time been wanting something with a better firewall than a bog standard router, and having seen Chrysalis build decided to build a Pfsense router myself.
I've decided to use a Qotom QOTOM-Q190G4-S02 Mini PC (http://www.qotom.net/goods-129-QOTOM-Q190G4+4+LAN+Mini+PC.html), which has 4 Intel LAN ports, the S02 version will take a 2.5" SSD, the S01 version is slightly smaller, and only takes an Msata drive
Purchased from Amazon (https://www.amazon.co.uk/dp/B01GBHC62K/ref=pe_385721_37986871_TE_item), cost is £130.90 + £16 shipping
I've also ordered 8GB of memory (https://www.amazon.co.uk/gp/product/B00VMCUAIM/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1), 4 should of been plenty, but at £30 it was not much more than 4GB.
I have a 80GB Intel SSD which is spare, so will be using this as storage.
There's a thread on the PFsense forums (https://forum.pfsense.org/index.php?topic=114202.0) with quite a lot of useful info.
I've never used Unix/Linux before so this might be a bit of a learning curve, hopefully it will all go well.
Edit.
Install guide is here (http://forum.kitz.co.uk/index.php/topic,18987.msg339029.html#msg339029), which I documented as I went along with a lot of help from Chrysalis and others.
When taking the case apart make sure you undo the screws on the base, not the sides. Only minor problems I've noticed is the Sata cable is very tight against the side, and when installing the drive, hopefully it will be OK. I also had to use a USB lead to plug my USB thumb drive into as there are only two ports and they are close together.
Some pictures of the hardware.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi672.photobucket.com%2Falbums%2Fvv87%2FRonskiman%2FComputer%2FPfsense%2FP1030108_zpsjukji6av.jpg&hash=21abf367735ba45338892c6b822d2cde7b41bf1d) (http://s672.photobucket.com/user/Ronskiman/media/Computer/Pfsense/P1030108_zpsjukji6av.jpg.html)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi672.photobucket.com%2Falbums%2Fvv87%2FRonskiman%2FComputer%2FPfsense%2FP1030109_zps3cw31mx5.jpg&hash=c1b7f417670c467f9f24c2405d6def521fbcc816) (http://s672.photobucket.com/user/Ronskiman/media/Computer/Pfsense/P1030109_zps3cw31mx5.jpg.html)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi672.photobucket.com%2Falbums%2Fvv87%2FRonskiman%2FComputer%2FPfsense%2FP1030110_zpsbz3kpa7w.jpg&hash=98d2d43d7aa77215508d695851019387223d7def) (http://s672.photobucket.com/user/Ronskiman/media/Computer/Pfsense/P1030110_zpsbz3kpa7w.jpg.html)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi672.photobucket.com%2Falbums%2Fvv87%2FRonskiman%2FComputer%2FPfsense%2FP1030111_zpsahmeaitv.jpg&hash=e20179187ce8c57bf1e07f5f829487473d099ff4) (http://s672.photobucket.com/user/Ronskiman/media/Computer/Pfsense/P1030111_zpsahmeaitv.jpg.html)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi672.photobucket.com%2Falbums%2Fvv87%2FRonskiman%2FComputer%2FPfsense%2FP1030112_zpsrn7acn0b.jpg&hash=0f545e31a6bbeff48f874a613a2e15ec022d42f6) (http://s672.photobucket.com/user/Ronskiman/media/Computer/Pfsense/P1030112_zpsrn7acn0b.jpg.html)
-
yeah at £30 thats a nice find, mine was £24 and the 8 gig for the same brand was £41, but I think 8 gig for £30 is a good find. :) Rest looks good also. :)
I suggest following what I posted regarding ssd alignment and trim. :)
-
This is cool, I think @Chrysalis and @skyeci have a lot to answer for ...
I like your choice of unit, 4 LAN intel LAN ports, 2Ghz quad core and 8 Gb RAM with only 10W power consumption seems almost too good to be true! I like how it has a VGA out so you don't need to faff around with serial comms like I will with the APU2 I have bought.
Look forward to seeing how you get on, as far as I am concerned the more people using pfSense on here, the more likely I will be able to get some help!
I have never installed the FreeBSD flavour of Unix before either but I have installed Linux on lots of different things and have generally found it to be really easy, easier than Windows even, due to its wide compatibility and tolerance of old / legacy hardware and the abundance of helpful people on forums ;) .
Good luck, keep us posted!
Chunks
-
Is the apu2 serial out only?
Mine has dual hdmi, I never went with the apu2.
In terms of overall value, ronski I would say has picked the best unit tho assuming of course it actually works, on mine I have already removed the wireless card (which by the way is not detected by pfsense), so if I add the intel nic's the mini pcie is already empty ready for use. Also the bios on my unit is enterprise stuff, lots of options I typically only have seen on server motherboards.
If I had found ronski's unit first before finding mine, would have I ordered it? I was specifically looking for a aesni cpu, but given the price and the inclusive 4 intel lan ports I think I would have done. I did a bench on my unit which I posted the results in my thread, and even with aesni disabled its more than a dozen times faster than high end consumer routers on the market, and this unit ronski picked has more raw horsepower than mine.
Both units are significantly faster than the apu2 tho, so I am no longer feeling bad I skipped on the apu2 especially as I can simply add a mini pcie to get native intel ports, as serial access only would bug me.
-
Is the apu2 serial out only?
Yep, so you need to add the cost of a null modem cable / serial interface if you don't have already, plus its faffy
In terms of overall value, ronski I would say has picked the best unit tho assuming of course it actually works, on mine I have already removed the wireless card (which by the way is not detected by pfsense), so if I add the intel nic's the mini pcie is already empty ready for use. Also the bios on my unit is enterprise stuff, lots of options I typically only have seen on server motherboards.
Found this on arstechnica forum (http://arstechnica.com/civis/viewtopic.php?f=2&t=1327591) discussing the QOTOM unit :
Also, I've used the Qotom system mentioned in the article. Specifically, I've used the Qotom Q190G4. Beware that while it's advertised as having a mini PCI-Express on-board expansion slot for a wireless card, it actually has a plain mini PCI slot. Consequently, the Q190G4 is not suitable for use as a high performance wireless router.
If I had found ronski's unit first before finding mine, would have I ordered it? I was specifically looking for a aesni cpu, but given the price and the inclusive 4 intel lan ports I think I would have done. I did a bench on my unit which I posted the results in my thread, and even with aesni disabled its more done a dozen times faster than high end consumer routers on the market, and this unit ronski picked has more raw horsepower than mine.
Both units are significantly faster than the apu2 tho, so I am no longer feeling bad I skipped on the apu2 especially as I can simply add a mini pcie to get native intel ports, as serial access only would bug me.
Yep, when I add the pennies up I think I would have been better getting a QOTOM unit as it seems much more powerful than an APU2 unit and just as power efficient - I am pretty sure the APU2 will more than meet my needs however.
Chunks
-
Serial interface on the apu2 works fine and you only need it on the first install, but handy of course in case something totally fails. I used a £9 cable from amazon. Usb stick serial install etc..
Never seen the cpu more than 23% so far on the odd chance it actually gets any stress ;D
-
Hi
I hope you do not mind, but as we use pfsense along with other firewalls/systems I thought I would show you some stats from 1 of our installations (certain details have been deleted) as below
Many thanks
John
This Month (to date, does not include this hour, starting at day 01):
Bandwidth
In 329490 MBytes
Out 4146200 MBytes
Total 4475690 MBytes
Last Month:
Bandwidth
In 424860 MBytes
Out 5274777 MBytes
Total 5699637 MBytes
-
@Chrysalis I will certainly follow your advice. Hopefully everything will arrive OK, and be OK, always a possibility something may be iffy on these lower than the norm priced items.
I will also do some benchmark tests but you'll have to explain how.
The trouble I've found with Linux, from my Android experience and what my brother says is that it might as well be written in Chinese (commands and string just seem to be random characters), and what people have often written on forums assumes the reader knows what they are on about.
Memory should be here tomorrow, but the PC is estimated to arrive on 9 December, still gives me plenty of time to watch the rest of those videos and read up and get stuff ready.
I'm not planning on putting a wireless card in it, I may just rely on my AC AP which is in the loft or get another AP for downstairs if coverage is not good enough, at the moment my modem/router also has wi-fi so coverage is good.
-
The memory arrived Monday, and the Qotom PC arrived this morning. It was shipped from the Netherlands so no import duty.it looks good and feels solid, and even has a uk power cable.
I'll post some pictures as things progress.
-
@Chrysalis I have PFsense installed and I'm looking at the options screen, the one with options 1 to 16.
ok some information for those using pfsense with an ssd.
The pfsense devs are using an old way to configure partitions, in short they -
dont enable trim
dont align partitions to 4k alignment
and they also enable SUJ which I think is best disabled on an ssd.
to fix the alignment follow this guide https://forum.pfsense.org/index.php?topic=86139.0
if you try to do it all manually pfsense will rewrite the partitions, but I have confirmed the above guide does lead to a 4k aligned partition.
Now this is what I mean about it might as well be in Chinese, you say follow the guide, but all the link basically says is to run a couple of commands, it doesn't say when or where?
Actually it says he did that before using advanced install, which would make sense but not where or how?
Could you perhaps give some clearer instructions for a complete noob to this please and the following, assume I know nothing :)
The commands to enable trime and disable soft updates journaling are. (assuming the ssd is on ada0, which it will be if its the only sata device)
tunefs -t enable /dev/adas0p1
tunefs -j disable /dev/adas0p1
Less important is to have the swap on a swapfile not partition as the partition wont utilise trim, but I think its unlikely a pfsense box with at least 4 gig of ram will even use the swap.
bottom of this page is a couple of commands to make the swapfile http://www.wonkity.com/~wblock/docs/html/ssd.html
so
mkdir /usr/swap (although can be put anywhere you like)
dd if=/dev/zero of=/usr/swap/swap bs=128k count=16384 (2 gig swap)
add these 2 lines to /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
md99 none swap sw,file=/usr/swap/swap,late 0 0
then after run swapon -aL
I will post those pics at some point.
-
ok will do tomorrow.
for the 4k alignment tho you will need to reinstall pfsense, as that has to be done prior to completing the install.
the trim enable can be done anytime but if you dont do it before you reboot after installation to set it requires booting the system up from the rescue disk, as you cannot toggle trim when its mounted.
I also just noticed the fstab is not enough to auto mount the swap file so I need to look into that and will edit the guide.
-
@Chrysalis, Thanks, I'll look forward to it.
I need to update my switch as it only has 16 ports, so have been using the ports on the existing router.
Would the Netgear JGS524E-200EUS (https://www.amazon.co.uk/NETGEAR-JGS524E-200EUS-ProSAFE-Managed-Ethernet/dp/B00GGD10FY/ref=sr_1_2?s=computers&ie=UTF8&qid=1480847991&sr=1-2&keywords=JGS524PE) ProSAFE 24 Port Web Managed (Plus) Gigabit Ethernet Switch be a good choice?
At this moment in time I don't think I need a managed switch, but cost and power usage is not much more than say a Netgear GS324-100EUS (https://www.amazon.co.uk/dp/B01ARQWN6U/ref=twister_B00QYUSXHC?_encoding=UTF8&psc=1) 24-Port Gigabit switch.
When you start looking there are so many model's and choices, and thats just in the Netgear range :-\
-
Sorry got tied up and right now am feeling pretty tired.
Basically when you boot pfsense from the usb stick, choose to boot to single user mode.
After thats done run the commands he provided on the shell.
When the commands have been ran typing exit if I remember correctly will cause it to boot into the installer, but if I dont remember correctly, then just reboot again and boot it normally into the installer, when at the installer you want to choose skip as much as possible on the partitioning questions, eventually you wont be able to skip anymore and then you choose the ssd partition, it will rerun partition commands, but wont completely wipe what has been set and you should end up with a 4k aligned partition.
After the installer has finished, there should be an option where you can exit to the shell, if you do that then you can run the command to enable trim. After thats ran type reboot to reboot.
-
Thanks for the info, how can I check if I have a correctly aligned partition?
Found these links, but not much info
https://forum.pfsense.org/index.php?topic=44955.0
Actually there's some info on the following page, and from that I think I can work out if it's 4k aligned.
https://dan.langille.org/2013/01/25/aligned-versus-not-aligned/
You really would think that the Dev's of Pfsense would build in 4k alignment and have trim enabled, any idea why they haven't?
-
I asked and I got a vague answer telling me to chill its been fixed in the next version of pfsense. :)
pfsense doesnt even use GPT yet either.
However gpart can be used to check if its aligned, here is what mine looks like so you can compare, you basically want to see starting sector of 504 for the partition
[2.3.2-RELEASE][admin@pfSense.localdomain]/usr/local/pkg: gpart show ada0
=> 63 117231345 ada0 MBR (56G)
63 441 - free - (221K)
504 117230904 1 freebsd (56G)
-
OK, just tried to look at the existing alignment - see attached
Would I be correct in saying it is aligned 16 x 512 = 8192 / 4096 = 2
Although that's for ada0s1, not ada0, not quite sure what the s1 is??
Trim is not enabled, as tunefs -p / returns tunefs: trim: (-t) disabled (code for this was found here (https://forum.pfsense.org/index.php?topic=109384.0))
-
no is not aligned, that 16k is from the start of the first slice, but the first slice itself is not aligned.
notice you got no free space as a sandwich on the ada0
-
Just seen your edit to your earlier post and I now appear to have the same as you, with a small bit tagged on the end.
-
Sorry got tied up and right now am feeling pretty tired.
Basically when you boot pfsense from the usb stick, choose to boot to single user mode.
After thats done run the commands he provided on the shell.
When the commands have been ran typing exit if I remember correctly will cause it to boot into the installer, but if I dont remember correctly, then just reboot again and boot it normally into the installer, when at the installer you want to choose skip as much as possible on the partitioning questions, eventually you wont be able to skip anymore and then you choose the ssd partition, it will rerun partition commands, but wont completely wipe what has been set and you should end up with a 4k aligned partition.
After the installer has finished, there should be an option where you can exit to the shell, if you do that then you can run the command to enable trim. After thats ran type reboot to reboot.
I had to type exit twice, did custom install, chose to install bootblocks.
It's now failing at creating the swap file - Failed with a return code of 1
You've put some info here (http://forum.kitz.co.uk/index.php/topic,18944.msg338041.html#msg338041) about the swap file which I'm not sure on.
-
There was some message about sufficient room, so I'm guessing because we created a partition which took up all the space it now can't create the swap file.
So I either need to go back and leave room when I setup the first partition or create both partitions at the start?
-
It's normal in Unix-type systems to use a swap partition, not a swap file. I presume that what you were trying to do was create a swap partition, and there was no free space to do it. But you can optionally use a swap file instead, inside one of the already created partitions. See https://www.freebsd.org/doc/handbook/adding-swap-space.html
-
the swapfile is just so it can utilise trim as trim is not enabled on swap partitions. It doesnt need unpartitioned space, just space on the filesystem, is best to paste the commands you running with the output.
But thats a minor issue as with 8 gig of ram ronski is not going to be using any swap anyway.
Ronski I edited the post to fix errors on the trim and SUJ commands.
-
Thanks, so given I've got 8 gig of ram can I just completely skip the swap file?
Or is it still required even if unlikely to be used?
@Chrysalis It might be a good idea to include in your post when these commands should be carried out.
-
If you have the swap partition made by the installer enabled, then given the hassle you having, just leave it as it is and you will probably find it will never be utilised, but good to have just in case.
-
No swap partition yet, haven't touched it since last night, will have another fiddle tonight, will try and make the swap file. Presume I need to do that at the same time as enabling trim or could it be anytime?
Only having hassle as I'm totally unfamiliar with it, grown up with Windows, and dabbled with Android, but only as far installing Roms.
-
the swapfile should be whilst the system is up and running :)
so trim and disabling SUJ in single user mode
swapfile with system booted up normally
-
Well more hassle :(
So I skipped creating the swap partition, and got to the end of the installer
At end of installer I chose <return to select task>
From there I chose Exit
Had to press Crtl-C to stop it rebooting
Then Enter to get to shell
Trying to apply the commands to enable trim results in an error - see attached :wall:
Edit: Think I just twigged where I went wrong.....actually scrub that, it was still in single user mode
Edit: Well it boots in to Pfsense, but of course trim is not enabled
-
your ada0s1 looks weird
note mine says freebsd-ufs not a !0
[2.3.2-RELEASE][admin@pfSense.localdomain]/root/work: gpart show ada0s1
=> 0 117230904 ada0s1 BSD (56G)
0 16 - free - (8.0K)
16 113036584 1 freebsd-ufs (54G)
113036600 4194304 2 freebsd-swap (2.0G)
the filesystem looks corrupt based on your output.
I left another mistake in my post tho sorry.
tune2fs -p /dev/ada0s1a
should show the partition settings, run that first to verify shows without error.
then if all looks fine run
tune2fs -t enable /dev/ada0s1a
and
tune2fs -j disable /dev/ada0s1a
based on that output of gpart I would start again tho as the !0 isnt a good sign.
sorry
-
I'll start again tomorrow, practice makes perfect :fingers: Chunkers will be glad that we get it all sussed out for him though ;D
On another note, the new switch (http://www.netgear.co.uk/business/products/switches/web-managed/JGS524Ev2.aspx#tab-techspecs) is ordered, and I also have a new access point on the way, a TP Link RE450 (http://www.tp-link.com/en/products/details/cat-10_RE450.html), this will be used in AP mode to serve the side of the house that doesn't get good wi-fi from my main AP.
-
I'll start again tomorrow, practice makes perfect :fingers: Chunkers will be glad that we get it all sussed out for him though ;D
.
Sure will! I'm lurking......
-
The installation of Pfsense is straightforward, it's getting the partition 4k aligned and trim enabled that's proving difficult for me.
-
This may be a bit late, but it would probably be a lot easier to partition the disk using a separate utility, then install Pfsense into the already created partitions. GParted Live is a live CD or USB system which is very easy to use, and includes UFS among its list of supported filesystems.
http://gparted.org/livecd.php
-
eric the installer of pfsense will overwrite the partitions, however it was discovered by that guy on pfsense that a certain specific partition config was honoured by the pfsense installer, which is the link I put on my post.
If you try to e.g. make your own GPT 2 meg aligned partition, it will be ignored and overwritten by pfsense. It is corrected in the next version of pfsense but not in the current.
-
I've been using gpart, the commands to use are shown here.
https://forum.pfsense.org/index.php?topic=86139.0
But it's certainly not a guide - it doesn't tell you where, when or how to issue those commands, although with Chrysalis help I have now worked that out, but something went wrong, so I need to start again. Once I get my head around it I'll write a better guide.
-
yeah sorry for not been clear enough and also for the errors, as both occasions I worked on the guide just before shut eye time.
I suppose the problem that me and the other guy both had is making the assumption everyone already knows when to enter these commands, how to get into single user mode etc. and that's a bad assumption to make.
-
No need to apologise, and that is exactly the problem, when you know something well it's very easy to leave information out that others don't know, which is what I often find with Android. I probably don't have that problem with Windows as I am far more familiar with the way that works and the way things are done.
-
Well I've had another go tonight, and now have trim enabled, SUJ disabled and Pfsense installed, I still need to setup a Swap file though.
I did get an error though after selecting the partitions, the bit where you'd normally create the swap partition (which I deleted from the list) - see attached log photo. I think there is a chunk of log missing, as when I scroll down it goes straight to the bottom and then can't scroll back up again ???
Apart from that everything seems to be installed ok and working, and no funny partition names either.
This is what I've got so far in my comprehensive list of what I did.
Enter into BIOS and make sure it boots from your USB stick
On the options screen select 2 - Boot Single User mode
After a while you will need to press enter to get to the shell
If there are existing partitions on your drive you can use gpart to delete/destroy them http://www.freebsdonline.com/content/view/731/506/
gpart show will display whats setup
To create the partition with the correct offset issue the following two commands
gpart create -s mbr ada0
gpart add -t freebsd -b 504 ada0
Then you can use "Gpart Show ada0"
Your results should look similar to picture SSD Info-1
Now enter Exit, you may have to do this twice
It will then after a short while return to the installer Configure Console
I chose to accept these settings
Choose Custom Install
One the next screen select the disk to install to.
I chose to skip formatting
I chose to skip partitioning
I chose to install bootlocks ????? Presume this is the correct thing to do :fingers:
I selected the primary partition of ada0 - there was only one anyway
Chose OK on the Are You SURE screen!
Got an information message that Primary partition one was formatted
Select Subpartitions - I deleted the swap one, then proceeded to create
Got a warning about not having a swap partition, just OK'd this
At this point I got an error - attached, I think there is a chunk of log missing, as when I scroll down it goes straight to the bottom and then can't scroll back up again.
I chose to skip and the install continued.
Once you get to Reboot you can hot Crtl-C to get back into the shell, pressing Return to fully enter it.
You can use the following to commands to check things look correct
gpart show ada0
tunefs -p /dev/ada0s1a
Then issue the following two commands to enable trim and disable soft updates journaling
tunefs -t enable /dev/ada0s1a
tunefs -j disable /dev/ada0s1a
You can then check the changes have taken affect with the following commands
tunefs -p /dev/ada0s1a
Now type Reboot - you may have to press enter twice.
Now is the time to remove your USB drive, and it will boot into PFsense hopefully!
I still need to setup the swap file!
-
So now I'm trying to do the following:
mkdir /usr/swap (although can be put anywhere you like)
dd if=/dev/zero of=/usr/swap/swap bs=128k count=16384 (2 gig swap)
The above all seemed to go ok.
I then used the command "/etc/fstab" to try to do the below;
add these 2 lines to /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
md99 none swap sw,file=/usr/swap/swap,late 0 0
then after run swapon -aL
Now I'm in EE and it displays the attached, do I just literally type out the above that's enclosed in code quotes, both lines???
-
To add lines to that file, you would most likely have to use an editor such as Nano or Vim. Not a complete expert on this, but from what those instructions are saying, that is what I believe to be the thing needed.
P.S. I have only really used Ubuntu and its derivatives. Just getting into Fedora now and appreciating its improved battery life on my laptop.
-
'ee' will work, but nano is definitely easier, to install nano do 'pkg install nano'. (needs the pfsense box to have working internet access).
Also ronski you will have a much easier time using ssh instead of the console, then you can e.g. copy and paste stuff.
In the pfsense UI you will need to enable the sshd service, then download something like putty to use as ssh client and with that can login using the client on your windows desktop.
If you do ue 'ee' then when you done editing, press ctrl-c, it will show a command prompt, typing 'quit' will discard changes, typing 'exit' will preserve changes.
Strictly speaking only the second md99 line is needed in fstab, the first line is just a commented line used for showing descriptions of each column.
-
Thanks very much Chrysalis, appreciate your help. Any thoughts on the error I got?
-
the output of the tunefs commmands is not an error, a warning at worst just ignore it.
The installer error is that a binary is missing and that is an issue with their installer, although I dont know how you got that screen as I was never presented with an installer log like that when installing pfsense, if pfsense is booting up fine and filesystem is working then ignore both those.
I dont know what atacontrol is supposed to be for as its not a valid binary on my pfsense box, its also not valid on FreeBSD, there is still a manpage for it so conclusion is that it is something that was in older versions of FreeBSD but is now gone.
Indeed there is even a bug report here.
https://redmine.pfsense.org/issues/4533
-
I've added the line, just used ee for now but will setup SSH at some point.
I saved the file, reloaded it just to check, and the extra line is there.
Now when I type swapon -aL it appears I get an error
swapon: mdconfig (attach) error: md99 on file=/usr/swap
Hmmm, I've also now got that !0 showing when I do gpart show ada0s1
-
Pfsense can now access the internet :)
SSH is also working :)
=> 63 156301425 ada0 MBR (75G)
63 441 - free - (221K)
504 156299976 1 freebsd (75G)
156300480 1008 - free - (504K)
=> 0 156299976 ada0s1 BSD (75G)
0 16 - free - (8.0K)
16 156299960 1 !0 (75G)
No idea why that !0 has appeared again, it wasn't there after the install finished ???
Also installed Nano
-
Pfsense can now access the internet :)
SSH is also working :)
GJ! I am interested in what packages you are planning to install, are you going to use snort or any of the caching plugins eg squid?
Glad you got your issues sorted, slightly intimidated by the amount command line stuff you seemed to have to do.
C
-
I'm not yet using it as a router, I've disabled DHCP and added a gateway pointing at my current one, I disabled the other two for good measure. Not sure what packages I will be using yet, I've not looked into them yet, I certainly will be using one to block much of the worlds IP addresses.
All the command line stuff is solely related to making sure that the SSD is 4K aligned, trim is setup, SUJ (I don't even know what that is!) is disabled and a swap file is created. Pfsense would run fine if you just went ahead and did a straight forward install, I'm not sure what the affects would be of not doing the above, reads and writes to the drive would be slower and the drive may wear out quicker, but whether any of that would make a difference given what the drives being used for I doubt it. Any sign of your hardware yet?
Anyway I've written a step by step guide to help you and as a record for myself.
A some point Pfsense will install aligned and enable Trim on SSD's, I've no idea when though, Chrysalis said he'd been told in the next release, that could well mean the next major release rather than minor incremental releases.
I still don't have the swap file enabled, although I probably will never need it with 8GB ram, and I still have that strange name in gpart show, but it doesn't look like that's causing any problems.
-
Hi ronski
I would check your fstab, as I think you have not added or added wrongly
I could be wrong so apologies in advance
Many thanks
John
-
yes is next major release not maintenance releases.
you can use pfsense using its built in functions without touching the command line, the only initial bit would be when booting up the first time and telling it which ports to use for lan.
Asuswrt is similar, it has command line but a gui frontend, you can use with just the UI only but of course UI only means you not utilising the full potential, but the UI has a lot of core functions in place.
PFsense is definitely UI focused, you can add plugins via the UI and those almost all have UI elements.
There is cli packages but none are required for core operation, they just useful for nix fluent users who want specific tools for advanced stuff.
If you leave the ssd misaligned and with trim disabled, the affects are lower performance (but the performance would still be fine for typical router use) and faster wear on the flash storage.
An example of what can only be done via cli is enabling checksum offloading on a per device basis, the UI lets you turn it on and off but the setting applies to all nic ports, whilst in the CLI it can be toggled per port. However for the majority of situations the UI on/off globally is enough.
I have applied various tweaks to loader.conf and sysctl.conf but this is from my knowledge of FreeBSD, some of these tweaks are configurable in the UI tho as well so can be done via point and click.
Ronski now pfsense is installed, another suggestion.
In the GUI you should find reference to powerd, you will want to enable that to allow the cpu to fluctuate its clock speed for better temps and power consumption, also select either adaptive or hiadaptive mode. hiadaptive is adaptive but will increase the clock speed with less load than adaptive and also take longer to reduce clock speed when idle. There is also options to enable advanced temp sensors so can monitor temp of each cpu core.
SUJ is soft updates journaling, soft updates itself is complex and not a great system, SUJ adds some journaling to the soft updates but its not the same as traditional journaling as seen in ext3/4 and gjournal, SUJ adds extra writes to the ssd, and the track record of SUJ is also not great in terms of filesystem stability. Its main purpose is to try and avoid long fsck after a improper shutdown, but fsck is very fast on ssd's anyway and not to mention the filesystem usage on a router will be very small so the benefits of skipping fsck is minimal.
-
@John, you was not wrong, I deleted the line and pasted it in as per Chrysalis example and this time it worked, thanks very much. Much easier via Putty.
@Chrysalis Made the adjustments you suggested, thanks.
-
Well here's my step by step guide of what I've done so far (with a lot of help - thanks)
You can download the latest version of Pfsense from https://www.pfsense.org/download/
See this link https://doc.pfsense.org/index.php/Writing_Disk_Images to create a bootable USB drive - I used Rufus
The following install guide includes correct 4K alignment for an SSD, enabling Trim, create a Swap File instead of Swap Partition, disabling SUJ.
In the future some of the above may not be required as Pfsense will support SSD's properly, so these steps could be skipped.
Enter into BIOS and make sure it boots from your USB stick
On the options screen select 2 - Boot Single User mode
After a while you will need to press enter to get to the shell
If there are existing partitions on your drive you can use gpart to delete/destroy them http://www.freebsdonline.com/content/view/731/506/
The command "gpart show" will display whats setup
To create the partition with the correct offset issue the following two commands
gpart create -s mbr ada0
gpart add -t freebsd -b 504 ada0
Then you can use "gpart show ada0"
Your results should look similar to picture SSD Info-1
Now enter Exit, you may have to do this twice
It will then after a short while return to the installers Configure Console
I chose to accept these settings
Choose Custom Install
One the next screen select the disk to install to.
I chose to skip formatting
I chose to skip partitioning
I chose to install bootblocks
I selected the primary partition of ada0 - there was only one anyway
Choose OK on the Are You SURE screen!
Got an information message that Primary partition one was formatted
Select Subpartitions - I deleted the swap one, then proceeded to create
Got a warning about not having a swap partition, just OK'd this
At this point I got an error.
I chose to skip and the install continued.
Once you get to Reboot you can hit Crtl-C to get back into the shell, pressing Return to fully enter it.
You can use the following two commands to check things look correct
gpart show ada0
tunefs -p /dev/ada0s1a
Then issue the following two commands to enable trim and disable soft updates journaling
tunefs -t enable /dev/ada0s1a
tunefs -j disable /dev/ada0s1a
You can then check the changes have taken affect with the following commands
tunefs -p /dev/ada0s1a
Now type Reboot - you may have to press enter twice.
Now is the time to remove your USB drive, and it will boot into PFsense hopefully!
After reboot
At this point you can change the LAN IP of the router using option 2 to set the interface IP
I set it up as an address on my local network and disabled DHCP.
I then logged into the Pfsense web interface, doing as little as possible through the setup Wizard
I added a Gateway (System > routing) which pointed to my current router, and disabled any other gateways whilst fiddling - you'll need to change this back when using as a router.
I also checked that DHCP was disabled.
Pfsense should now have internet access.
Now to enable SSH so you can telnet in using something like Putty
This can be done via the GUI or via console - see https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access
Now on to making the swap file - this needs to be done from the console, so telnet in from your PC using port 22 unless you've changed it.
If using Putty you can paste with a right mouse click, don't forget to press enter when pasting passwords like I did!
Chose option 8 from the console menu, to enter the shell
Now enter the following commands
mkdir /usr/swap
I got no confirmation, just another line
Now enter the following command for a 2Gig swap file
dd if=/dev/zero of=/usr/swap/swap bs=128k count=16384
After a long pause I got some info displayed as follows
16384+0 records in
16384+0 records out
2147483648 bytes transferred in 25.284832 secs (84931695 bytes/sec)
I then entered the following command
ee /etc/fstab
and added the following line (use copy and paste), I also inserted a carriage return (enter) at the end so the cursor dropped down the next line
md99 none swap sw,file=/usr/swap/swap,late 0 0
When you've added the above hit Ctrl C and type exit to save the changes
Then enter the following command
swapon -aL
If you get an error check you've entered the line correctly in fstab
If that all went well, you can now Exit back to the console menu and get on with exploring!
Settings that you may want to make from the GUI.
Setup PowerD, Thermal Sensors and Cryptographic hardware if applicable, all of which are located in System - Advanced - Miscellaneous
Hopefully I've documented it fairly accurately, if there are any mistakes please let me know.
-
Added some pictures to the first post.
-
Have now got my Pfsense box running live ;D
Have switched to using the HG612 as my modem, rather than the Zyxel, I've lost 7.2Mbps on the downstream (attainable was slightly lower than the sync on the Zyxel), but have gained 2Mbps on the upstream (attainable was pretty much the same as the sync). I shall probably stick to using the HG612 given the boost in upstream, and it makes for a tidier set up.
I still have a lot of work to do, have setup some port forwards to cover my extremly basic website, and WHS2011 access. Have also set up a firewall rule so that only pings from TBB ping monitor are responded to.
Currently I can't access my website from within my own network, which also means update checks for the GUI fail, which is not a problem but I would like to fix it. I roughly know whats wrong (https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks) but I'm not sure how to fix it.
-
Hi ronski
Sounds good, well done
I would use dns to allow access and the link you posted tells you how to do this, split dns
In simple terms, you have dns for external WAN side and internal LAN side dns
If you still have not managed it, I'll see if I can post a pic tommorow from one of our pfsense firewalls for you
Many thanks
John
-
Thanks John, was in a bit of a rush yesterday and should have mentioned that the website runs on a non standad port.
The link says that Method 2: Split DNS is the more elegant solution, but that gives no option to enter port numbers, perhaps nat reflection is the way to go.
I'll take a look later when my heads a bit clearer from last night's Christmas works do.
-
Hi ronski
Many thanks, were you at elland road football stadium. It was our works do last night and had a 1920 theme
The split dns does not need port setup. If using different ports, you input this into your browser as normal. Split dns just resolves the URL to either external or internal, so that gives you as an example
Mydomain.url:8080 - external 5.5.5.5
Mydomain.url:8080 - internal 192.168.1.1
Obviously the above is an example using made up information, so it's easier to understand
If it helps, the only dns records which use ports, are srv records
I hope that helps a little
Many thanks
John
-
Winter Gardens Margate - Winter Wonderland theme, very nice but far too much to eat.
Just looking into this now, it seems that DNS Resolver is the replacement for DNS Forwarder, although the latter is still present, but disabled.
Not sure what you mean by If using different ports, you input this into your browser as normal, I just enter www.ronski.me.uk into my browser, my domain name provider has a redirect which then incorperates the port number IIRC.
-
Hi ronski
Sounds good, the food this year was not as good as last year I'm sorry to say.
The dns hosting records for a domain.url cannot have port numbers attached, i.e. Cname, A or AAA records. I would guess they have a php or Java script in place
You could do the same on your hosting platform (IIS or Apache or whatever your platform is) and the above would work or you can just add the port to the domain.url in your browser.
I hope that explains it more, as I said, only SRV records allow a port to be assigned to the records
Many thanks
John
-
Thanks John, I opted to use Nat Reflection, and have enabled the options as per this link (https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks) and it now all works, the website is of no real use, it just something I played about with, but it also incorperates the updates for the HG612 stats GUI so I do need it to work for testing that.
My domain host just forwards to my IP address and port number.
-
Hi Ronski
Glad you resolved it, and either would work.
Here is a pic for dns in pfsense, to help others if needed, and also, a link to a site to explain over DNS and port numbers better (though a quick google brings many sites up to explain).
Many thanks and wishing everyone a lovely Christmas, and happy New Year
John
http://support.simpledns.com/kb/a35/can-i-specify-a-tcp-ip-port-number-for-my-web-server-in-dns-other-than-the-standard-port-80.aspx
-
Is it possible to name devices that are attached, I can look in Status / DHCP Leases or Diagnostic / ARP Table and see whats attached, but many have meaningless host names such as android-23bb9a0efce1a2dc. In my old router I could assign names and it was easy to then see what was on my network.
I can enter a description for devices which are issued a static address, but I dont want to give everything a static address.
Perhaps there's a plug in that could do this, it would just need to keep a record of the MAC address and corresponding name of the device? It could even email me when a new device appears thats not in the list, kind of like an alarm system.
-
Hi ronski
In essence, yes, you can but with provisos that the attaching devices uses the pfsense for dhcp, or device dns set to pfsense
It's easier if using dhcp, as pfsense takes care of much of this for you, just as your old router would have
Many thanks
John
-
Thanks John, but how do I do it?
-
Hi ronski
Sorry, just heading out but I think it's services, dhcp and set dhcp as you need it
As I'm not sure where your current dhcp is assigned, I would turn this dhcp off, so you only then have the pfsense dhcp running
If you want, when I'm back later tonight, I'll take some screen shots for you
Many thanks
John
-
Hi Ronski
Please see pics for DHCP in pfsense. If you add a static, and do not set an IPV4 address, it will autoassign from DHCP and keep track of it for DNS, so you could reference using its URL of device
Please note you have to click the LAN tab as you would not normally use DHCP on WAN for live CIDR ranges, unless you were using IPV6
ALso, please see this link for any bootp/dhcp advanced options, which you may or usually may not need to use
I hope that helps
Many thanks
John
http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
-
Thanks very much John, I'll take a look when I've got a bit more time
-
Thanks John, I already have the DHCP server set up, and have added a couple of Static IP's but didn't realise you could leave the IP blank, that's useful to know - I can then add a meaningful name/description but without the need for a static IP
Edit. When I do that it doesn't show what IP address the device has in the DHCP leases list - the IP is blank, surely it should show the IP it's issued???
-
With my 'Smoothwall' install I download and burn a live cd, check it's 'checksum' and install, configure with a GUI, use it 30minutes later. ;)
http://www.smoothwall.org/
-
If I didn't bother with the SSD tweaks I could probably do it in 15 minutes or less, 30 minutes with the tweaks now I know what I'm doing :P
-
What version are you using? - I am on 2.4.0.b.20161222.0709 . Thanks to some excellent work (not by me) the fixes are coming into snapshots for sky ipv6 tweaks such as "Do not allow PD/Address release" - already on the latest snapshot & just waiting for the "use fixed DUID" option to go live.
-
I'm using 2.3.2-RELEASE-p1. No idea what those things mean though ???
I'm still watching those video's someone linked to - they are so long.
-
If you change the update to experimental you can upgrade to 2.4 through the gui....
-
I think given my lack of experience I'll stay with a stable version ;)
-
Been on 2.4 for ages. Really it just works..interface is the same. Takes minutes to update ;D
-
Sky fixes can work on stable just need to be applied manually.
-
I don't seem to be able to access Drop Box from my browser (FF/Chrome/IE), tried to open a shared folder, even just www.dropbox.com and get the attached error.
I can remote into the PC at work and it works fine, so I presuming it's something to do with Pfsense??? I disabled PFBlockerNG, but that made no difference, any ideas?
-
loads fine here ronski.
if you add the pfblockerng widget to the dashboard it will tell you if any hits are on the blocklists.
-
Already got the widget installed, but following your suggestion though I noticed the DNSBL packet count increase each time I tried to access dropbox. Disabling DNSBL cures the problem, any thoughts what could be causing it?
-
It appears to be overriding the Dropbox SSL certificate with its own, causing HSTS to fail and Firefox to block you from reaching the site. Essentially, to ensure that you aren't loading any malware, it is giving encrypted traffic a certificate that it can decode and read, which is causing Firefox to think someone is spying on you.
-
the number is clickable, if you click it then you should see a bit more info including the alias name of the block list with the false positive.
-
Well having enabled DNSBL again links to Dropbox are still working ???
I haven't had any problems connecting to other HTTPS sites.
The only clickable number is the the one for the pfB_Top_v4, the other two aren't clickable?
ETA: Logging is enabled under DNSBL IP Firewall Rule Settings.
-
I am talking about the number in the packets column, thats the hit count.
ahh yeah after a test I see its only clickable on the ip block lists, not domain name one's.
-
Only clickable one is the 5 in the middle - see attached
PS Got to go now - before I get in trouble with the misses
-
ok do this
goto the pfblockerng config screen
at the top area you see sections, last but one is logs, click it.
Then click dnsbl.log in log file/selection
You should see the info you need, e.g. I tested on a domain just now and here it is in that log.
DNSBL Reject,Jan 05 21:47:52,003-pc.ru,192.168.1.124, | / | Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/55.0.2883.87 Safari/537.36
DNSBL Reject,Jan 05 21:47:53,003-pc.ru,192.168.1.124,http://003-pc.ru/ | /favicon.ico | Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/55.0.2883.87 Safari/537.36
it doesnt tell you the dnsbl list tho, which might be why its advisable to split lists into their own dnsbl feed aliases so you know from the counter which list it hits.
I am using malwarepatrol also via dansguardian feed, for that one you definitely be advisable to whitelist alexa top 1k sites.
-
Only entry for Dropbox (which is being blocked again) in the logs is as follows, and lots of them.
DNSBL Reject HTTPS,Jan 05 22:19:41,www.dropbox.com
Only thing Alexa related I can remember is in the DNSBL feeds, where there's an option to Enable Alexa Whitelist, is that what you mean?
Actually after a bit more Googling I've found out there also an Alexa section on the main DNSBL configuration tab, so I just need to enable it here (set to Top 1k) and as per above?
-
yes
yeah it has many hits in the file
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1442112770&product=8&list=dansguardian
the issue is that is a url rather than domain list but pfblockerng just works on the domain, url lists are bound to have false positives when used with the url stripped so if that is to be used then you definitely want to whitelist alexa as otherwise popular file sharing sites will likely keep getting blocked.
for this reason I may disable that list.
-
Having had a look in the list and with what you've written I now understand a bit more about what's happening, but although I believe I've set up Alexa for the top 1k domains Dropbox.com is still being blocked. Will it need the list to be updated before it kicks in - surely Dropbox is in the top 1000?
Perhaps as per your post above I'd be better using other lists.
-
Ok first goto the DNSBL main config page
scroll down and you see black bar that says Alexa Whitelist
Clink the +
Tick the enable box
Select top 1k
Select TLD's to include, or you can leave just on default which includes .com, I added more tho.
Hit save
Next click on dnsbl feeds
Click the edit button for the alias that has malware patrol
Then on the feed alias page tick enable alexa whitelist (so yes has to be enabled in two different places)
Click save
Also click apply on top if box appears.
Now click update
Click update
Click run to force an update of alexa etc.
I suggest you also do this.
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
Otherwise any client on your lan can overide the router dns by directly quering other dns servers.
Note the output below when I tried to do a lookup on google dns with a domain in a DNSBL list.
C:\Windows\system32>nslookup otorola.clever-search771.ru. 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: otorola.clever-search771.ru
Address: 10.10.10.1
-
Just got chance to look at this again, or more to the point write it up. I had set up Alexa an run the update, but it still seemed not to work, but tonight it does seem to be working as expected.
I've also just added the DNS port forward rule and that works, thanks.
I've also created a free personal account with OpenDNS, and configured some options of things to block there, although this was set up last night it's not yet showing any traffic stats in my account.
Need to look at adding some other lists as well, still need to set up OpenVPN, and finish watching those videos.....
-
Got up this morning to find I had no internet access, pfSense had some sort of crash, I could still login and use the interface, but CPU temperature was up to 48 degrees (usually 36), CPU activity kept jumping up to 30 to 40%, a reboot cured it. System had been up for 29 days.
How do I go about finding out what the issue was?
-
the answer was to not reboot and login to the terminal. Then you can find if some sort of process was hung or just chewing up extra cpu, now that you have already rebooted its harder. But you can check all the logs to see if anything stands out.
-
Time is short in the morning, so just didn't have time look into things and work out how, and of course the others needed broadband access whilst I'm at work.
I'll have a look at the logs tonight.
-
System had been up for 29 days.
grrrr, only 29 days? lol
-
the answer was to not reboot and login to the terminal. Then you can find if some sort of process was hung or just chewing up extra cpu, now that you have already rebooted its harder. But you can check all the logs to see if anything stands out.
Well looking at the logs tonight I can't see anything untoward*, I suppose http://192.168.0.1/status.php#Processes would have come in very useful this morning.
I have notice (some time ago) my swap file has disappeared, I realise this is unrelated.
*I can see hundreds of these errors bad name in /var/dhcpd/var/db/dhcpd.leases which I think relates to one of my devices which has a host name with () in it, I've no way to change the host name, so not sure how to get aground that - I have posted on a thread on the pfSense forums so I'll see what they suggest.
-
I think a possible solution for the device with the dodgy hostname would be to create a static DHCP entry for it.
From my tinkering with pfSense, the option's under Services > DHCP Server > DHCP Static Mappings for this Interface.
It should be enough to provide the MAC address of the device and a new hostname. If you don't provide an IP address for the mapping, one will be allocated as normal from the pool. Everything else can be left empty. You're simply telling the DHCP server to override the hostname.
-
Thanks Displaced, I did try that exactly as you suggest but it didn't work.
-
Don't give up just yet! The dhcpd.leases file is a little odd. It's not just a record of the current state of the leases -- it's sort of a historic journal. So it could be that your settings change has resolved the issue, but there are still old records in the file which contain the previous bad hostname.
Might be worth trying to clear the leases -- I can't get to my pfSense installation right now, but I'd presume there'll be an option somewhere to clear the file.
Chris
-
My static mapping is still there, I did delete the lease (I no longer have that option), and also restarted the service but alas made no difference.
-
I've been playing around with PFsense again this week, I've had a VPN setup for some time on my Windows Home Server 2011. Whilst Windows laptops connect fine I could not get my Android devices to connect, something to do with GRE I believe, which I couldn't understand.
So I decided to setup Open VPN, I looked around for a guide that seemed to make sense to me and found this.
https://chubbable.com/setup-openvpn-pfsense
Which I followed, and after a bit of trial and error I can finally get my Android phone to connect to my home network through OpenVPN.
But when I turn on tethering on my phone, other devices such as my tablet don't seem to get an IP address, so never connect and I get an error message saying "AP currently not in use. internet connection slow", then it says failed to obtain an IP address. Any idea how to resolve this?
Also having followed the setup guide my phone gets an IP of 10.0.1.2, how can I set it up so that I appear to be on my internal network via the VPN. Not sure if I should just change that to my normal subnet.
-
It seems there is a known bug in Android that stops tethering from working when using OpenVPN.
So I've tried IPSEC using the guides below.
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel#Allow_IPsec_traffic_through_the_firewall
I can connect, but get no internet access on my phone, also my phone's IP address stays the same, which seems odd.
-
There's nothing wrong with that IP address - I believe it has to be outside your LAN for the routing to work.
-
Seems you have done it in an odd way ronski.
The documention for using openvpn on pfsense is a bit confusing and even incomplete.
I cannot remember the exact steps I carried out but mine is setup something like this.
1 - The pfsense unit is the VPN endpoint. So everything LAN/NAT side is same as before.
2 - The VPN is always connected, I actually have 2 VPN's always connected right now.
3 - The routing to the VPN is carried out using firewall rules, so the src ip is the LAN ip of the device and then you route it via the VPN interface.
4 - Each VPN has a gateway device configured in the routing section of pfsense, so I have OPT1 and OPT2 interfaces assigned to my VPN's, these need to be setup so you can route via the firewall.
This basically means your lan device has the same config as before, it will have the same LAN ip address and still have the pfsense unit set as its gateway, so this shouldnt break android phones.
I can change routing for devices etc. on the fly simply by adjusting my firewall rules, I cannot document this soon tho as I got other stuff to work on sadly, but if you still stuck in a few weeks I will try to document what I did.
Also I can ping VPN's from any device e.g. this is a VPN I have hosted in america.
C:\Windows\system32>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=97ms TTL=63
Reply from 192.168.0.1: bytes=32 time=96ms TTL=63
Reply from 192.168.0.1: bytes=32 time=96ms TTL=63
It was definitely a more complicated process to set all this up on my pfsense unit than say asuswrt, but its also a more powerful setup.
-
Seems you have done it in an odd way ronski.
Probably because I don't have much clue as to what I'm doing, there are so many options, and not many explanations that make sense.
All I want to be able to achieve is to VPN in securely with my phone, and then tether other devices to my phone, allowing access to the internet via my home connection and local resources such as my TV Server.
-
Surely there needs to be two ends for a VPN? :-\
If you are defining your Pfsense router to be one end, then where is the other end? ???
-
The other end in this case is my mobile phone, wherever that may be in the world.
-
Right, got that. :)
Now I need to let it ferment . . .
-
The other end in this case is my mobile phone, wherever that may be in the world.
Ahh I misunderstood.
So its so you have a VPN between your phone and home firewall?
Then yeah I probably dont have the answer you need, but I will see if I can find anything out for you.
-
Ahh I misunderstood.
So its so you have a VPN between your phone and home firewall?
That's a relief to know. :)
I was originally getting myself in a convoluted muddle whilst thinking about things.
-
I've been trying to set up my VPN server again, so if I'm using my phone say on a hotels wireless I can connect via VPN to my home network and know my connection is secure.
I did have it working but having changed ISP it stopped working, so following the guide (https://chubbable.com/setup-openvpn-pfsense) I used last time I'm trying to set it all up again, but alas it's not working :wall: :wall: :wall:
I'm currently getting this error notice after I use the wizard.
There were error(s) loading the rules: /tmp/rules.debug:190: unknown protocol udp4 - The line in question reads [190]: pass in quick on $VIRGINMEDIA reply-to ( em2 80.6.28.1 ) inet proto udp4 from any to <<removed my public ip address>> tracker 1525018272 keep state label "USER_RULE: OpenVPN OpenVPN Connection wizard"
Any idea's on what's going wrong???
-
I've actually managed to track down the problem, I disabled any rules for OpenVPN one at a time until the error went away when reloading the filter, that way I identified the rule causing the error.
One of the auto generated rules didn't have the protocol set, once I did that it all started working.
-
from what you posted it would seem to be a bug in pfsense if its the case auto generated rules are using invalid syntax..
-
It certainly seems that way, I may try and post on their forums, but I'm certainly not going try and replicate it.
At one point I had four rules under OpenVPN as when you delete an OpenVPN server it doesn't delete associated rules, which I hadn't realised.
-
That was a bug in Pfsense, it's fixed in the next version.
Having another minor problem. I swapped the patch cable from my router to the modem and I had to reboot Pfsense to get internet on other devices to work, although Pfsense reported the connection as up on the dashboard.
This also happened today when I upgraded to Vivid 350.
Any ideas why I loose internet on all attached devices until a reboot?
-
pfsense can be problematic on things like that, its not completely fluid.
e.g. on a ipv6 prefix change it doesnt auto remove the old prefix leaving all ipv6 connectivity down until the old prefix is manually removed or a device reboot.
Tuning the timeout values in the WAN section may make it behave better.
-
Tuning the timeout values in the WAN section may make it behave better.
Thanks not sure where that is, had a look and a Google but drawn a blank?
-
its in the WAN settings screen where you set it to DHCP type, then you play around with DHCP timeout values, I have absolutely no idea tho what values might be better.
-
Thanks, found it now, it only shows any timing values once you click Advanced Configuration hence why I couldn't find it.
-
if you have a spare drive etc you could give Opnsense a go. Couple of forum members here use it. I had issues with BT and wan port not re-establishing ppoe but since moving that to Opnsense it's been fine.
-
Thanks for the suggestion, no spare drive at the moment, and too many other things that need doing - the wife's nagging me to get the decking built, which means I need to be designing that.
-
Same here really, I know you guys skyeci and marjohn56 have been bugging me on opnsense, but I just havent found the time to reconfigure my network yet which is what I need to do if I switch over.
I do now have a spare ssd for my old pfsense unit but forgot it needs ram, I plan to configure opnsense on that and then I can hot swap the devices when testing opnsense.
-
Anyone using OPNsense with igmpproxy for BT multicast IPTV? I have it set up fine with pfsense at the moment, but it would be nice to know before having a go with OPNsense, TIA.
-
I fixed the issue with my connection not coming back up, stumbled across the fix by chance trying something after someone replied to my thread on the Pfsense forums.
In the Status>Routing>Gateways>Edit there is an option to make that gateway the default gateway, once I ticked that option it fixed the issue ;D
I've got various gateways set up, but disabled, so don't know if one of those was still set as default or not.
-
ahh so you might have still had the plusnet gateway as default then.
-
Most likely, but it was disabled, quite how a disabled gateway can be the default I don't know ::)
-
Bit of a bump. Are you still using the Qotom for pfsense Ronski? Reason for asking is, what sort of temperature is your Qotom running at? I'm using a Qotom Q355G4 for pfsense. Temps were anywhere between 50-60c at idle. Just changed the thermal paste, using Thermal Grizzly Kryonaut and its now between 33-40c at idle. Tbf, the original thermal paste was absolutely caked all over the die, far too much applied.
-
Thanks for the heads up, mine runs around the 40 degree's mark.
-
Added for my own reference ;)
See https://forum.kitz.co.uk/index.php/topic,24600.msg414602.html#msg414602 for setting up rules to allow only the UK, instead of blocking the whole world.
-
I'd been having a few issues recently but never pieced them all together until last night, thanks to my brother insisting I double check my IP address. Turns out my public IP address changed at some point recently, the main reason I hadn't twigged was because my TBB Ping monitor graph was still working, yes it has showed some downtime in the early hours recently but just assumed it was Virgin. But it transpires that VM has changed my IP and my old IP which someone else now has was still responding from pings.
Another reason I didn't realise is because pfSense hasn't sent a notification email, and I'm not sure why. I have notifications setup and they work, I get notified on a reboot, and if I hit test I get a notification.
Done a bit of Googling this morning, and that research suggests so long as I have notifications setup then I should get one when the WAN IP changes, any ideas why I didn't?
PS. I'd had the same IP address since April 2018, apart from if I use router mode on the SH3 or a different router in modem mode.
-
I dont see an option on pfsense to notify when WAN ip changes, So I have no idea sorry. Although I did find an old post on reddit which says the same, it should happen if you have email notifications setup, I know when I was on sky though when my ipv6 prefix changed I never got notified.
-
Thanks Chrysalis, probably the same post I found. Perhaps I'll have to set something up on my server.
-
My set of IP's are fixed so probably I am not much help. :(
But I did see this,
>System>Advanced>Networking>>
Tick box >Reset All States<
>Reset all states if WAN IP Address changes This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address.<
How do you get it to send email's ?, I am new'ish to pfSence.
-
How do you get it to send email's ?, I am new'ish to pfSence.
Its under System/Advanced/Notifications
-
Thanks.
-
Ronski since pfSense has official cron support, a script could be written that does a lookup on a whats my ip type of site, then if the result changes, it sends an email.
-
That is a very good point, il have to work out how to do that, thanks.
-
I done a quick bash script, you can try in shell, not sure if it will work on the default shell that is included with pfsense, 'pkg install bash', should get you bash though. If you want to the default shell change the first line from bash to sh
#!/usr/bin/env bash
wanif=pppoe0
previousip=`cat /tmp/currentip`
ip=`ifconfig $wanif | grep -w inet | awk '{print $2}'`
echo $ip > /tmp/currentip
if [[ "$ip" == "$previousip" ]]; then
exit 0
else
echo "ip has changed from $previousip to $ip" | /usr/local/bin/mail.php -s"IP changed on pfSense"
fi
run ifconfig first to see which interface has the wan ipv4, set the wanif line to that interface, you then will need to either run the script first to populate the /tmp/currentip file or manually populate it yourself.
I however see no shell command that can be used to send emails hence the commented line, so may need to install a package for that or find a way to use the pfsense mailer system from the cli.
--edit--
I found a way that works, from this post here, so edited the script in post. This method is nice as it uses the pfSense mailer settings, so wont send e.g. if you disable the mailer in the pfSense GUI.
https://forum.netgate.com/topic/103886/solved-sending-mail-with-pfsense/4
-
Thank you very much for doing that, when I get chance I'll give it go.
-
I had completely forgotten about this until this morning.
I done a quick bash script, you can try in shell, not sure if it will work on the default shell that is included with pfsense, 'pkg install bash', should get you bash though. If you want to the default shell change the first line from bash to sh
#!/usr/bin/env bash
wanif=pppoe0
previousip=`cat /tmp/currentip`
ip=`ifconfig $wanif | grep -w inet | awk '{print $2}'`
echo $ip > /tmp/currentip
if [[ "$ip" == "$previousip" ]]; then
exit 0
else
echo "ip has changed from $previousip to $ip" | /usr/local/bin/mail.php -s"IP changed on pfSense"
fi
run ifconfig first to see which interface has the wan ipv4, set the wanif line to that interface, you then will need to either run the script first to populate the /tmp/currentip file or manually populate it yourself.
I however see no shell command that can be used to send emails hence the commented line, so may need to install a package for that or find a way to use the pfsense mailer system from the cli.
--edit--
I found a way that works, from this post here, so edited the script in post. This method is nice as it uses the pfSense mailer settings, so wont send e.g. if you disable the mailer in the pfSense GUI.
https://forum.netgate.com/topic/103886/solved-sending-mail-with-pfsense/4
I'm struggling with this, and not really getting anywhere with Googling.
I've installed Bash
I've worked out that em2 is the interface
I've installed Cron
and this is now where I'm struggling, it would appear that cron just runs a command to run the script, rather than entering the script directly into cron.
How do I create the script, and where do I save it?
Once I've done that what command do I enter into cron to run the script?
How do I access the resultant file?
This is really basic stuff in Windows, but it might as well be in Chinese :wall:
-
I assume this is Linux or similar, so this article https://www.linux-magazine.com/Issues/2019/225/Command-Line-at-cron-anacron (https://www.linux-magazine.com/Issues/2019/225/Command-Line-at-cron-anacron) may help. I'm lazy these days and use a GUI Linux system to run cron jobs ;)
Stuart
-
Thanks Stuart, yes it's Linux :( and unfortunately that doesn't help, that seems to focus more on the actual scheduling, which I have worked out. Its creating the script, where to save it, and the commands required to run it from the cron schedule that has me stumped.
-
Well initially you can store it anywhere, cron jobs can be run as a user or as root if they need system wide access. I would create it in Linux to eliminate possible issues with line endings. Yes cron executes the schedules the script rather than running it so that's why permissions are important.
Stuart
-
install nano if it isnt there (text editor), 'pkg install nano'.
or you can create in windows (make sure unix format for file), and then upload it.
To setup the cron there is a cron package inside the package manager, after that is installed, can add to that.
example line for cron for hourly. (although the ui cron package I think makes this easier). Assuming script is called ipcheck.sh and is located in /root path.
0 * * * * root /root/ipcheck.sh
That line would be pasted in /etc/crontab
However the way I suggest is install the cron package, and then in "services -> cron" menu it is accessible.
in the ui set minute to anything from 0-59 (the time past the hour to run) and in the hour, day, day of week, day of month boxes put * in each one. user as root, and path to script in bottom box.
Also 'chmod 700 /root/ipcheck.sh' to make script executable. That should be fine if it is owned as root, chmod 755 will also work although less secure, but given pfsense is usually not a multiuser system it probably isnt a concern.
-
Thanks Chrysalis, that was so easy, knew it would be just couldn't think how to do it, thank you.
Running the script manually from within pfSense (Diagnostics / Command Prompt) it works perfectly, I've manually edited ipcheck.sh to the wrong IP address and I'll see if it works at 16:00
Thank you again.
-
It didn't work at 16:00, but I think I incorrectly put 'chmod 700 /root/ipcheck.sh' as the command, once changed to '/root/ipcheck.sh' it works fine.
I've no real idea what chmod 700 does, from googling seems to be some sort of file protection options, but I did enter "chmod 700 /root/ipcheck.sh" from Diagnostics / Command Prompt page within pfSense so perhaps that did something first, then when that didn't appear to do anything I'd tried just /root/ipcheck.sh
Anyway all seems to be working now.
-
glad its working :)
unix permission system applies permissions based on the total sum of the digit.
1 execute
2 write
4 read
so 7 is everything, 6 would be read+write, 5 read+execute.
The first digit is for owner of file, second digit is for group owner of file, third digit is for all users (global).
-
After all theses years my Qotom Q190G4-S02 Mini PC seems to be dead.
Had some weird power outage on my UPS last night, batteries had been out of it for weeks as they are subject to warranty claim, and being a APC Smart 1500 UPS it will pass through power. Anyway the UPS shut down, no idea why, got it back up and running, but just couldn't connect to Pfsense, so as it was gone midnight I switched the Virgin hum back to router mode.
I've investigated this morning, and although the Qotom powers up, there is no VGA output, and when I connect a network cable, the laptop shows its connected at 10Mbps, yes ten.
What would be a suitable replacement?
I'd prefer something with 2.5Gbps or faster ports for future proofing, but not totally necessary as those speeds are probably still a long way off.
-
Found this, looks interesting and I think ticks all the boxes, any thoughts please?
Intel Celeron N5105 Soft Router Fanless Mini PC 4x Intel i225/i226 2.5G LAN HDMI DP (https://www.aliexpress.com/item/1005005223986318.html)
Or this newer one, albeit more expensive.
2023 New 2.5G Soft Router 12Th Gen Alder Lake i3 N305 N200 N100 4x Intel i226 Nics Fanless Mini PC Firewall Appliance VPN Server (https://www.aliexpress.com/item/1005005392671390.html)
-
Sounds like the board has had some kind of failure.
I would be inclined to get the beefier model. you dont want to end up CPU bottlenecked with the fast internet connectivity we have now days.
I did suggest this one to a friend. Which is in between. But weaker than my current NUC (on a per core basis)
https://www.aliexpress.com/item/1005005848576712.html
The N100 is easily better than my current CPU, so I think thats a pretty good find, and considering current PC tech inflation isnt a bad price. I am tempted myself, is a good way to upgrade my firewall to 2.5G and power saving and CPU upgrade all at once.
The issue is if you want them to add ram you are forced to take an inclusive SSD as well and 8 gig is the lowest ram on offer, so quite a buff to the price.
-
The N5105 seems to top out on OpenVPN at about 600Mbit but can do 2.5Gbit plain NAT from the reviews I saw.
Never figured out what the PPP overhead is as it shows up oddly in the process list, never seems to use much CPU which can't be right when pulling Gigabit. Then again, they're not exactly slow cores so who knows. Few people review these units, none use PPP that I found.
What's really impressive is it spends most of it times pulling 11W, which is comparable to a consumer router albeit because those have WiFi and the internal switch to power too.
-
Thanks guys, do you think there is any need to go for the i3 N305, its quite a bit more expensive, and I think will use a little more power but not much, but so much more powerful.
https://www.servethehome.com/almost-a-decade-in-the-making-our-fanless-intel-i3-n305-2-5gbe-firewall-review/
-
I checked it, personally dont think its worth the cost difference. A firewall doesnt need 8 threads. Thats my 5 pence on it.
-
Thanks, if I ever switch to 1Gbps internet will the N100 cope with that?
@Chrysalis given you're on 1Gbps Virgin, and you said this is more powerful than what you have I'll assume the answer to the above is yes.
-
The N5105 copes with Gigabit PPPoE without a sweat, I can pull about 1.4Gbit balanced with Smarty 5G (so half PPP and half plain ethernet).
Its only OpenVPN that falls short and I'm not even sure its my-end given the high load is a problem both sides, so could be my VPN providers server is limited (even Wireguard falls short which shouldn't be CPU limited). Frankly being limited over the VPN is not a big deal as 600Mbit is plenty.
The N100 seems like its about 23% faster.
-
Thanks Alex.
I've ordered this one bare bones https://www.aliexpress.com/item/1005005931578327.html N100
-
I was brave and got the N5105 with RAM and SSD, it also cost about 2-3 times what it does now which was cheap for the time. I hadn't realised they'd fallen so much, its amazing they can make anything profitable for those prices.
-
The memory/drives you get seem a bit random going by the Serve The Home reviews.
-
I've ordered
Corsair VENGEANCE DDR5 SODIMM 8GB (1x8GB) DDR5 4800MHz C40 for £27
VIATHAN 256GB M.2 PCIe 3.0 Gen3 NVMe Internal SSD - Up to 1500MB/s for £12
Never heard of Viathan, but it seems to be a UK company, its only a Pfsense router so I'm sure it will be fine.
-
Thanks, if I ever switch to 1Gbps internet will the N100 cope with that?
@Chrysalis given you're on 1Gbps Virgin, and you said this is more powerful than what you have I'll assume the answer to the above is yes.
Yeah I checked the bench data for both CPU's on single threaded, and its comfortably better whilst having a lower TDP, and as a bonus it also has more cores (4 cores 4 threads vs 2 cores 4 threads, I have htt disabled due to the heat it generates so running at 2/2). (N100 vs i5 5250u)
Please let us know how you get on Ronski as I am certainly tempted.
The N100 should have no issue with VM gigabit, my existing CPU handles it and is weaker (that also whilst I dont let it use turbo clocks for power efficiency).
Also just checked, supports AES, VT-x instructions so wont have issues there. As I might use a VM for pfsense if I bother replacing the unit so I get more fuller use out of the hardware.
-
I avoid VMs personally, but that's easy to say when I already have a 12400 server and Mac Mini. I just prefer having zero additional latency and one box going down not taking out everything at the same time.
I'm kinda tempted with the N100 just to have a backup router I can easily swap in should things go pear shaped. Of course because you bought one its done up in price, its weird how Aliexpress does that.
-
Yeah I am not sure on it, that second unit Ronski picked out looks much nicer than the first for external connectivity with no price bump, thanks for sharing it Ronski.
-
I paid £177.03, subject to any import duty.
There were cheaper options, but this looks like it will have better cooling, also 5 ports in case I ever wanted to use it as a switch as well.
I'll let you know how I get on once it arrives, and I may need some help setting it up, hopefully I can just restore my latest backup, and its straight forward.
-
The only issue I can think of is the port assignment, but can just move the cables around until they in right ports in case the port ordering is odd (on my unit they not in order 0-3).
There is a feature where if config is on inserted USB stick then it is auto applied on installation so dont even need to manually restore.
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html
-
Interface names are a pain on pfSense as they are named differently depending on what driver you are using. I think when I moved from Intel Gigabit to Intel 2.5Gbit I had to do a find/replace on the xml file as its such a pain adjusting it via the UI.
-
Ahh so you think they might end up totally unassigned due to the device id change, good tip on the XML then.
Looks like will be igcX instead of igbX.
(https://www.servethehome.com/wp-content/uploads/2023/06/pfSense-CE-2.7.0-Intel-i226-V.jpg)
-
I can't remember if I tried the auto-reassign (from the console after boot), just that it worked out easier editing the config as my LAN was a bridge with VLANs, etc. I don't think it handles that sort of configuration.
-
Yeah edit XML is the way to go for least hassle, reassigning interfaces has always been clunky in my opinion either using the CLI menu or the UI. Its what I will be doing.
-
How about one with 4 x 2.5GbE and 2 x 10GbE ?
https://www.servethehome.com/new-4x-2-5gbe-and-2x-10gbe-intel-core-firewall-and-virtualization-appliance/
-
Shame they borked the CPU cooling.
With these custom appliances I'm kinda disappointed they haven't gone all out and used a switch chip for the slower ports by now, though I have no idea if pfSense supports that, OpenWRT should (though I don't know what bus is used to talk to switch chips).
-
New router arrived today, its heavy, it weighs 1.15kg
Now just need to get it setup, I'll aim to go live at the weekend, when I have more time available.
-
I thought mine had died recently, turns out my shoddy crimping was causing the NIC port to bounce. At least I assume it was that as did the sensible thing and unplugged it, tugged on the cable a bit then plugged it back in. :lol:
Quite impressive given its running over PoE that it didn't just shut down the router entirely.
-
Hopefully goes well Ronski. If its all positive I can see myself grabbing one.
-
One HDMI port doesn't work, it did briefly but a bit fuzzy, so not sure if it's faulty hardware or something else, I think it's the former. Going to install Windows tonight and see what that does.
Don't really need the second port, but it really should be working.
-
There is definitely a hardware issue, possibly a dry joint as wiggling the HDMI cable briefly gets a picture. Tried two different cables, and two different monitors, also installed Window's to be absolutely sure.
I've contacted the seller on AliExpress, lets see how good their support is.
The display port, and the bottom HDMI port both work, just the top one doesn't, given what I'm going to use it for I'd settle for a decent discount, but lets see what they suggest.
-
At least its an obvious issue, one of the boxes I bought randomly locks up and I have no idea why. It did run hot initially so I re-pasted the SoC which brought the temps down dramatically, I could run Folding@Home on it and it would stay within the acceptable operating temperature.
It seem to have nothing to do with load as F@H could run for a week sometimes, but even if I left it running just KTorrent it would lockup. I did provide my own RAM but I think I actually ran MemTest for a few days with no issues there.
I didn't have the energy to deal with trying to return something from China given it would likely cost more than buying a newer box as the cost per CPU performance of these things has been dropping quite rapidly over the last few years as they catch up with newer hardware.
Fortunately the N5105 I bought to use instead (as I had hoped to hack 2.5G to the older box but couldn't get that to work) has been fine.
-
The thermal compound out the factory was poor on my unit, I dropped my temps quite a lot by reapplying it, I posted it on the pfsense forums with pics and a how to, some others did the same with similar results. End of the day they are cheap I suppose so wont be the best quality control.
I expect you will keep the unit and just seeing if a discount is offered?
-
I left it too long before noticing the issue. To be honest it gives you so much control in the BIOS, it could be something is configured wrong or a bad PSU. That's both good and bad in that some of these give you access to all the stuff motherboard vendors usually hard-code in the BIOS.
The N5105 seems to have decent compound installation, given I can see a difference in temperature between having it vertical and horizontal, vertical being cooler due to convection from the relatively tiny fins on the case.
-
This case did get rather toasty after installing Windows, so I expect good thermal coupling between the CPU and the case, hopefully!
I expect you will keep the unit and just seeing if a discount is offered?
Yeah, hopefully they'll offer a partial refund, just don't expect to pay full price and have an HDMI port that doesn't work.
They've suggested I update the Windows drivers, but that's not the issue as it does it in the BIOS as well, and wiggling the cable where it plugs in causes the image to come and go, so either faulty socket or dry joint.
-
They've suggested I update the Windows drivers
I've just sent a portable monitor back to Amazon that I was using on my CCTV DVR as I rebooted the DVR and the screen never came back on. Power cycling it never displayed the splash screen, the panel was just dead. Yet they told me to:
Fix 1: Force restart your computer.
Fix 2: Check if your monitor is working.
Fix 3: Reconnect your monitor to your computer.
Fix 4: Disconnect your peripherals.
Fix 5: Reinstall your RAM.
Fix 6: Reset your BIOS settings to default.
That last one is particularly concerning as anyone who doesn't know what they're doing would likely lead to an unbootable PC.
I said its not connected to a PC as my response, though I had of course already told them before that I had tested it on multiple devices and sound still came through, just no picture.
-
It's rediculous isn't it, and as you say very stupid advice.
The offered me $10 to start with, got (presuming they actually refund it) $20 in the end, couldn't be bothered to push for more.
-
Seems fair considering the profit margin was likely quite low on the unit, they'd be giving it away, maybe they still are as its more economical than a return.
-
Its a 10% discount for a faulty product, not a great discount, but better than sending it back and faffing about.
-
I ended up with just over £14 refund, lets hope the rest of it stays working.
Anyway just found a rather stupid problem with Pfsense, I've got my backup on a USB stick, and it detects it whilst booting, and asks me to enter my encryption password, halfway through typing the password it times out and carries on booting.
How ridiculous is that!!! I'm typing the blooming password!!!
Once I start entering a password it should let me finish, anyway I'll try again and see if I can enter it fast enough!
Wouldn't be so bad if they actually had an option from the shell menu to restore a back up, but no thats too simple you have to watch it like a hawk, and type as quick as possible, my fault for using a password I suppose.
Edit. Managed it that time. Now to swap over from the Virgin router.
-
We're back up and running, packages didn't restore, may be as it wasn't connected to the internet when I booted it up.
So I thought I'd restore just the packages from a backup, but that doesn't seem to work, either that or I never backed up the packages, although I'm sure I did.
Anyway to tell?
-
Edit. Just looked in the logs and have.
Sep 9 11:00:55 php-fpm 380 /rc.update_urltables: : ERROR: could not update pfB_Top_v4 content from http://127.0.0.1:80/pfblockerng/pfblockerng.php?pfb=pfB_Top_v4
Sep 9 11:00:55 php-fpm 380 /rc.update_urltables: Download file failed with status code 404. URL: http://127.0.0.1:80/pfblockerng/pfblockerng.php?pfb=pfB_Top_v4
Sep 9 11:01:03 php-fpm 381 /rc.start_packages: Configuration Change: (system): Removed pfBlockerNG package.
Sep 9 11:01:03 php-fpm 381 /rc.start_packages: The pfBlockerNG package is missing its configuration file and must be reinstalled.
Sep 9 11:01:03 php-fpm 381 /rc.start_packages: Configuration Change: (system): Removed OpenVPN Client Export Utility package.
Sep 9 11:01:03 php-fpm 381 /rc.start_packages: The OpenVPN Client Export Utility package is missing its configuration file and must be reinstalled.
I think the above were the only two packages I had installed, and I can install them manually.
-
Another problem, trying to get OpenVPN working.
I've exported a new client config, and setup the profile on the phone.
If the phone is connected to my local network via wi-fi then the OpenVPN connects, if I'm on mobile data it doesn't.
I'm using dynamic DNS via cloudns which appears to be working and redirecting to my current IP address.
Any idea's please?
Edit. My brother can connect fine, so not sure whats going on with mine. Also do I need to do something to enable hardware encryption? It doesn't seem to be using it.
Edit 2: Fixed my phone, cleared app data and set it up again.
-
System / Advanced / Miscellaneous : Cryptographic & Thermal Hardware: AES-NI CPU-based acceleration.
-
Thanks Alex
-
We're back up and running, packages didn't restore, may be as it wasn't connected to the internet when I booted it up.
So I thought I'd restore just the packages from a backup, but that doesn't seem to work, either that or I never backed up the packages, although I'm sure I did.
Anyway to tell?
I think the packages are marked for restoration rather than being part of the backup, so restores package configuration, marks them for reinstall, and at first chance will restore via internet access. Not sure as never have manually examined a backup. Just had a look they just marked for restore.
Package information can be skipped on backups, hopefully you didnt do that.
The binaries and libraries from packages could be backed up as part of the files/folders backup but personally I wouldnt do that as they wouldnt be in sync with the package database.
-
I've found package restoration is very flaky too on first boot and with it all happening in the background its not at all clear when everything is done.
-
It used to be all done in foreground on console boot with the boot not finishing until they all done, but I think they changed it to make the basic pfsense system come online quicker so now it does some of it in the background after the UI etc. is loaded. Then at that point have to hope it works out ok, I think its the same process as used when doing a in place upgrade which also reinstalls all packages.
I am guessing they did this as was people doing these in place upgrade's without console access and getting impatient waiting for the UI to come back up.
-
I can appreciate it only waiting for so long to enter a password, but once you start typing that time should be extended, rather than timeout half way through typing the password, that's just stupid.
-
Yeah in my opinion thats a bug, I can report it if you want, since I am registered on their redmine page.
Otherwise you can report it here.
https://redmine.pfsense.org/
-
If you would please, thanks.
-
Just to confirm, you installed 2.7.0?
-
Yes, 2.7.0.
-
Ronski was it USB during install or USB during first boot?
They say there is a 30 second timeout on ECL which they can look at, but they want confirmation.
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-using-the-external-configuration-locator-ecl
or
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-configuration-from-usb-during-install
-
It was from USB during boot, not the first boot either.
-
Ok so you installed it normally first, then put the config on a stick for it to be detected during boot?
That does sound like its the ECL then.
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-using-the-external-configuration-locator-ecl
I have fed this back into the bug report and will assume they going to adjust the timeout. The one they found is 30 seconds long.
-
Yes, that's correct.
It could be 30 seconds long, you have tons of text going up the screen, so by the time you notice it's asking you to enter the password some time has elapsed (I was on another computer), then the password was not straight forward.
-
Yeah its deffo too short, especially if a complex password, there is no copy and pasting on there so typing it out.
-
Well they only boosting it to 60 seconds which seems underwhelming, I guess for some reason they hesitant to change it too much or even to remove it.
How are things now?
-
Sixty is better than 30, but the easy answer is to extend the time out each time a key is pressed.
All running ok so far, VPN access works as well. It's a pretty standard install to be fair.
Also sold the old Qotom PC for £20, so that's a bonus.
-
Oh good, my N5105 seems to have suddenly developed coil whine.
-
It's odd, I said to some one about a week before mine packed up that it was six years old, he's said that's doing well, then it died :(
-
It used to be all done in foreground on console boot with the boot not finishing until they all done, but I think they changed it to make the basic pfsense system come online quicker so now it does some of it in the background after the UI etc. is loaded. Then at that point have to hope it works out ok, I think its the same process as used when doing a in place upgrade which also reinstalls all packages.
I am guessing they did this as was people doing these in place upgrade's without console access and getting impatient waiting for the UI to come back up.
I discovered one reason package installation is kinda iffy on my configuration.
I got a backup router and was copying my configuration over while using only 5G (as I can plug two devices into that without disrupting the main router) but because AAISP L2TP is part of my configuration it kept trying to connect which obviously clashed with the existing connection from my main router.
So the firewall kept restarting each time the L2TP connection was rejected, causing package installation to abort. I disabled L2TP and manually installed the packages.
Now I hit a second snag, the N100 seems to have a transient current peak during bootup that overloads my PoE splitter. :( I honestly didn't think this unit would peak over 30W (though some Amazon reviews did say my PoE splitter had problems hitting its rated output) and 60W PoE++ splitters are £170 - that's more than the N100 LOL. Would be cheaper to replace the Gigaset VoIP box with a PoE model to free an AC outlet on the UPS.
On the plus side my N100 came with a Delta Electronics PSU so it might actually be safe to use.
-
How much did you pay for your N100? The Ronski link is currently £234 with SSD and Ram.
-
How would the n100 cope with a 2gb fttp non ppoe type connection? You fibre offering upgrade...
Thanks
-
How much did you pay for your N100? The Ronski link is currently £234 with SSD and Ram.
https://www.aliexpress.com/item/1005004360072281.html
£150.19 with 4GB RAM, 128GB SSD. It came with pfSense 2.7.0 pre-installed (necessary version for the NICs) but I did it fresh anyway.
I paid £162.90 for 16GB RAM with 128GB SSD, its now £168.80 for that. I figured better to have too much RAM than too little given the price difference.
How would the n100 cope with a 2gb fttp non ppoe type connection? You fibre offering upgrade...
Thanks
I think the N5105 would probably have handled 2Gbit tbh (it can NAT at 2.5Gbit easily), although its a confusing one as mpd5 shows as 0% load even when I'm pushing Gigabit, when I don't see how that is possible given all the claims of PPP being CPU intensive.
-
How much did you pay for your N100? The Ronski link is currently £234 with SSD and Ram.
This n100 is £155 at the moment. free shipping with 16gb ram and 256nvme etc.looks the same to me.
https://a.aliexpress.com/_mq2wcm6 (https://a.aliexpress.com/_mq2wcm6)
-
So is options, 128 gig nvme and 8 gig ram is already huge overkill for pfsense though. But I guess overspeccing is useful if ever repurposed.
-
So is options, 128 gig nvme and 8 gig ram is already huge overkill for pfsense though. But I guess overspeccing is useful if ever repurposed.
Especially as these units are powerful enough to virtualise, though I prefer to stick to bare metal.
-
Mooching for something with enough juice to handle 25G, and a half-height PCIE slot.
Any suggestions?
-
Might be beyond what ali sells :)
Looks like 25g cards can be driven by as low as PCIE gen 3.
I think would be a DIY build probably. So pre built with fairly high end chip, then add the networking hardware after.
Might be worth waiting for the next threadripper chips to come out as they will be based on at least zen 4 I think, lots of PCIE connectivity and CPU threads available. Then just buy a system with one of these in, thats as small size as possible whilst having the PCIE connectivity available to support the card.
https://www.tomshardware.com/news/amds-threadripper-7000-cpus-tr5-platform-will-arrive-later-this-year
-
25G throughput really doesn't need much resource as long as it's done right. The killer seems to be interrupts so a many core CPU might not be ideal.
Going to do some testing with a Xeon chip that's had HT disabled and feed it a Mikrotik CHR with fewer cores than I have historically.
-
Ok please let us know how it gets on.
-
I ordered an n100 2.5gb unit from ali express with the idea of upgrading my you fibre to 2gb. About 12 days delivery from order....already have a 2.5gb switch and 2.5 lan cards in pc's...Will be having a play soon
-
I'm impressed. I have tested the n100 over my lan with cat6 and 2.5gb lan & router card's and did some speed tests with my you fibre 1gb/1gb connection. Speed tests are up compared to my normal gigabit setup. I usually get 925-925 up and down but over the 2.5gb lan I am getting 945/950 up and down plus passing through a 2.5gb switch. The n100 seems like a great bit of kit. Just need to negotiate a deal with you fibre if possible to upgrade my link to 2gbps ::)
-
Could always just pay the pretty reasonable list price. You're under contract with them having very recently signed up so not exactly a massive incentive for them to cut you a deal to upgrade you.
Might reach out to the CEO to get his thoughts on this. His pricing is pretty good and handing out discounts isn't a great precedent. You think you can get symmetrical 2 Gbps elsewhere with months/years to go on your YouFibre account go for it: early cancellation fees for doing nothing are always a bonus :)
-
Its always worth a go to negotiate, they can only say no, so apart from a small amount of time to lose it costs nothing to ask. Anyway this is rather off topic.
-
....already have a 2.5gb switch...
Which one is that and where did you buy it?
-
I just dropped £440 on a pair of these bad boys:-
https://mikrotik.com/product/crs310_8g_2s_in
Ready for 10Gbps uplink from downstairs to upstairs, and 2.5Gb all round for desktops/servers and AP's alike...
-
Not sure if any other n100 users were seeing high temps out the box? - running a monitoring tool I was seeing on average 39dc across the 4 cores as an average temp and it felt pretty hot touching the top of the unit. I have since replaced the supplied thermal paste with some NT-H1 - good improvement now - average temps across the 4 cores running at 25-28dc so I think it was worth doing. The top of the unit is now cool to the touch.
On a side note - you fibre coming tuesday to upgrade my ont for 2gb/2gb connection.
-
Yes, but its about the same as the N5105. I don't really want to change the paste as I did that on my previous unit and while it ran cooler for some reason I started having random lock ups. Probably not related (its not like I'm a novice to applying paste), but it makes me nervous.
Replacing the paste making the case cooler doesn't make much sense though, as if the CPU is cooler the case should be hotter.
Given the N100 has a TjMax of 105C, I'm not exactly concerned with mine running 45-50C. I mean its based on Intel 12th Gen Efficiency cores, they're not exactly known to run cool.
-
Replacing the paste making the case cooler doesn't make much sense though, as if the CPU is cooler the case should be hotter.
Exactly what I was thinking. Believe there was an issue with some units where the case didn't properly contact the CPU, so the CPU ran hot.
-
Exactly what I was thinking. Believe there was an issue with some units where the case didn't properly contact the CPU, so the CPU ran hot.
But generally that would mean the case is cooler because its not taking the heat away. The fact the case is hot kinda suggests its doing its job just fine. I believe these units also cool the Intel NICs, which I would be more concerned if they are using heat pads that I might disturb them.
I mean sure its hotter than my 12700F when idle, but that's actively cooled. Its really the load temperatures you want to look at. On the box I re-pasted it would hit 85C under stress testing but when I re-pasted it dropped to about 65C. But under pfSense, I can't do anything to push the N100 past 60C.
Modern CPUs are designed to hit thermal throttling temperatures, keeping them cool is mostly about not cooking everything else inside and not having your router performance suddenly tank. The former I think all bets are off as the case heats the contents.
-
Exactly, if the case is hot, and nothing else is heating it up, then its doing its job.
If the CPU is hot and the case isn't, then its likely hasn't got good heat transfer from the CPU to the case.
Stripping one of these down is easy compared to a 3080, which I re-padded, and it made a lot of difference.
-
I still havent ordered mine, but will do so before Christmas.
On my existing unit I did replace the paste, and might do on the new unit as well. However these new units have a lower TDP and a more powerful chip which shouldnt need to work as hard, so am expecting better temps out the box.
-
Pay no attention to the TDP. The N100 is supposed to be a lower TDP than the N5105 but in practice it boosts higher which caused my PoE splitter (36W) to fall over during boot.
On average, they appear to consume the same which is also reflected in how they run at about the same temperature too.
-
I mount my case on 25mm standoffs on a plywood wall surface so there is a good air flow around the case, the cpu temp = 45c :)
-
Pay no attention to the TDP. The N100 is supposed to be a lower TDP than the N5105 but in practice it boosts higher which caused my PoE splitter (36W) to fall over during boot.
On average, they appear to consume the same which is also reflected in how they run at about the same temperature too.
I will likely disable turbo boosting like on my current unit, I think thats what they base the TDP on. I will share here if I have similar experience to you on the power draw.
-
Turbo boost helps greatly with removing the slight delay when accessing LuCI though.
-
Looks like I cant login to ali to order one, it wants me to verify email to complete login, I am using gmail, but the verification email never arrives, so their verification system is broken.
If they dont fix it I guess I need to make a duplicate account. But I am guessing the email to activate the new account probably wouldnt work either or any order email receipts.
-
Ordered mine now, the email started working.
I can see my past qotom order on there and I paid so much for that, and that was with no drive or ram included as well.
-
Yeah same with my 7200U, though I paid over the odds due to using Amazon as I wasn't convinced of Ali at the time.
Its really quite astonishing what level of CPU power you can get for £200-£300 today, especially given inflation.
-
How long did you guys wait for your delivery?
Mine was ordered 17 November and has a tracking number, but when I click it, it says no information available, and not hit UK customs yet.
-
12 days from order.
-
How long did you guys wait for your delivery?
Mine was ordered 17 November and has a tracking number, but when I click it, it says no information available, and not hit UK customs yet.
AliExpress tracking is very hit and miss.
Try:
https://track24.net/service/aliexp/tracking/
Or
https://parcelsapp.com/en/shops/aliexpress
AliExpress gives a single tracking number which usually only covers a single courier on 1 leg of the journey. Those 2 sites sometimes give alternative/additional tracking numbers.
If Aliexpress gave you an AliExpress Shipping number then 1 of those sites should give the UK courier tracking number.
If Aliexpress gave you a tracking number ending GB then it's Royal Mail and there's not much to track till it clears customs.
A thing I noticed with AliExpress recently was how clever they have got at combining shipping from multiple orders. I ordered 6 very small items from 6 different sellers and they were all shipped from different parts of China, all sent to the same outbound warehouse then all 6 items were put in to a single box and delivered as 1 item.
The 6th item took 8 days to reach the outbound warehouse which meant the other 5 items were held up waiting.
-
Well I got an email today, telling me to check, (not sure why they cant put in email), seems it is out for delivery today. The update skipped all the intermediate steps, so seems like j0hn said its hit and miss.
Also yes it ends in GB, thanks for the insight. :)
--
So aliexpress has "out for delivery"
Parcelforce says its gone to normal royal mail (letters).
Royal mail says it is expected, and have the 28th as the dispatch date. (I guess when handed over to them)
If I go to aliexpress details page I then see they mark it as out for delivery just because the second courier company has the parcel so yeah very misleading, wont be getting it today.
Hopefully will have it by Friday as its the 48 hour service not 24h. So about 14 days.
-
I can't remember if every stage showed up before delivery, but overall I think my experience was different.
(https://csdprojects.co.uk/forums/Aliexpress%20Topton.png)
It was actually much more informative than my Steam Deck which only had to come from the Netherlands, EU stuff is so much slower since Brexit.
-
Oh yeah I dont have anything like that.
:)
There was a china depot thing and UK customs (it was stuck on china depot for 12 days), but they have vanished following today's updates.
-
I now have the customs on there, so may be it will end up looking like yours Alan, just seems to be a much slower delivery. So this wont be here tommorow as Royal mail dont have it yet. Aliexpress still think its out for delivery. :)
-
Time of year I suspect, delivery gets slower.
-
Yeah it will be next week. At least I was able to go out earlier, better to know its not coming than being in the dark.
-
This might not be helping. https://news.sky.com/story/china-suffers-walking-pneumonia-outbreak-as-many-other-countries-see-spike-in-infections-13020285
-
Urrgh what a mess.
Royal mail changed tracking 1.04pm, is out for delivery.
1.05pm then says unable to deliver item (I have no card and no one knocked).
Arrange for redelivery button says "this cant be done for this parcel" and tracker page hasnt been updated to say whats going to happen.
I dont like dealing with these delivery situations so if it isnt here tomorrow and it looks like its lost in the system, will get a refund and see if anyone on here will be willing to order for me and then send to me after they get it.
-
It'll most likely be delivered tomorrow :fingers:
-
It'll most likely be delivered tomorrow :fingers:
Already failed.
Same happened again, Royal mail told me, I cannot pick it up unless a delivery is attempted, I asked what happens if they never attempt delivery, they told me to contact sender, which is what I am doing.
I am also waiting for another tracked 48h parcel which has been looping now for two weeks with the same problem.
-
That's absolutely bizarre.
-
I managed to get it from the depot without a missed delivery card along with the other parcel. Shouldnt have been possible as it was supposedly out for delivery on Friday, :)
At first glance all seems good, testing it with a rii keyboard, but annoyingly this unit beeps on a reboot and I dont see an option in bios to disable it so might need to look for something on the PCB to cut that off.
The bios idle temp is almost 10C lower than the older qotom unit. Even with the cooler CPU temp, case is warmer to touch which suggests better heat transfer.
-
That's good news.
-
I managed to get it from the depot without a missed delivery card along with the other parcel. Shouldnt have been possible as it was supposedly out for delivery on Friday, :)
At first glance all seems good, testing it with a rii keyboard, but annoyingly this unit beeps on a reboot and I dont see an option in bios to disable it so might need to look for something on the PCB to cut that off.
The bios idle temp is almost 10C lower than the older qotom unit. Even with the cooler CPU temp, case is warmer to touch which suggests better heat transfer.
Sounds like your local delivery office are playing silly buggers, to say its out for delivery when its sat in the warehouse is disgusting.
As for temp, yeah mine is too hot to touch for very long, could make a good foot warmer but it runs cooler mounted to the wall so the fins are vertical for maximum convection.
-
Sounds like your local delivery office are playing silly buggers, to say its out for delivery when its sat in the warehouse is disgusting.
Unfortunately not uncommon with Royal Mail.
I currently have a small "package in the system" from an Amazon third party supplier, ie, not dispatched by Amazon, can't fault the supplier, was dispatched to Royal Mail within an hour of the order being placed and Amazon supplied the Royal Mail 24hr delivery tracking reference number.
According to the tracking information, package arrived at my local DO early hours yesterday, Saturday and was shown as out for delivery by 3.00pm, nothing received.
This morning, Sunday Royal Mail tracking still showing the same information ???
I'am reluctant to order anything from Amazon that's not direct supply by them, had no choice with this particular item, have found that Amazon's logistics work and their tracking information is always accurate, never had any issues.
Yet Royal Mail still wonder why their business is struggling ::)
-
I do like the efficiency of this unit, the 6 TDP limit works nice compared to the much higher TDP on the i5-5250U, even at full stress the thing is under 50C passively cooled although as alex said in this circumstance case gets very hot due to the heat transfer. However it should never be under this kind of stress under normal conditions. On Windows even with C states disabled (to emulate pfsense), its normal operating temperature is considerably lower.
Meanwhile on the i5-5250U I can get it over 50C just from loading the dashboard.
The PL2 that enforces the TDP under heavy multi core load will drop the clocks to 2.4ghz and voltage stays at around 0.8v for the chip. On the i5-5250U the behaviour is quite different, once that is allowed to go above 1.6ghz it needs a very high vcore and power/temps jump right up. On the N100 the out of the box behaviour seems great and I dont foresee a need to do any tinkering to tame it.
Deciding whether to install my original kingston m.sata 32 gig SSD and repurpose this 256 gig NVME before installing pfsense, since its probably more useful elsewhere. The PCB itself has a m.sata connector still.
Like the qotom my ethernet ports are in a non linear order, from power input. 1,3,2,4
It is a very tidy design with the LED's even has a i/o LED, and especially like how the power button has its own LED underneath.
-
That's interesting, the ports on all my device as I recall were linear. Just the usual annoyance that they are labelled the reverse to how they are connected to the PCIe bus.
-
I'm currently on 2.7.0, at the weekend I tried to update to 2.7.2 and it never updated, seemed to get stuck but the user interface still worked, so eventually I rebooted.
Tonight it's saying I'm on the latest version, even though its shown as 2.7.0
Any idea's why it no longer showing, 2.7.2 still appears on the website?
-
That's a good question. I'm still on 2.7.0 and have never been offered 2.7.1 or 2.7.2.
-
Under Branch, mines says current stable release (2.7.2), but then says
Current Base System 2.7.0
Latest Base System 2.7.0
Status Up to date.
Odd.
I also read a different article today, but based on this https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/#:~:text=pfSense%20CE%202.7.0%20and,1%20and%20pfSense%20Plus%2023.09.
-
Looking in update for some reason mine was set to Depreciated version 2.7.0, no idea why. Also seems a typo and they meant deprecated?
Switching to 2.7.2 in there allowed me to update to 2.7.2.
2.7.2-RELEASE (amd64)
built on Fri Dec 8 20:55:00 GMT 2023
FreeBSD 14.0-CURRENT
The Update page is lagging horribly though.
They've been playing with how the repos are managed to avoid the long standing issue of it automatically switching to a new version then the user accidentally installing package updates for that version, before upgrading the core OS. So I wonder if they borked something?
-
The other option is the failed update borked something.
-
Worth noting on mine there are no options to switch Branch after the update, there is only 2.7.2 in the list.
I also keep getting "Unable to check for updates" so I do wonder if something is wrong their end.
-
No problems checking update status on mine.
2.7.2-RELEASE (amd64)
built on Fri Dec 8 20:55:00 GMT 2023
FreeBSD 14.0-CURRENT
The system is on the latest version.
Version information updated at Wed Dec 13 20:32:04 GMT 2023
Running a manual update check provides no errors either.
-
Mine still thinks its up to date, on both the auto check and manual check, when its not.
-
Any ideas how to "force" an update??
-
No idea, I was wondering that myself.
-
https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html
Of course:
Navigate to System > Updates
Set Branch to Previous stable version
Is about as helpful as a chocolate teapot, given all other branches have disappeared on mine. Of course mine WAS successful so not a problem.
-
I found a similar thread from years ago, where eventually the poster set the branch to development, it then allowed them to update, and then go back to stable, but there are no development options, and changing it to the only other options doesn't work.
This morning I just get unable to check for updates.
If it doesn't sort its self out I guess I'll do a back up and then a fresh install eventually.
-
Run this command on root shell.
'certctl rehash'
Then check again, and it should show 2.7.2.
It is because the pkg system changed and the one they using in 2.7.0 needs updated certificates.
-
Thanks Chrysalis, you're a star, that did the trick. Just issued the command from the diagnostic command in the GUI.
Now to see if the update completes.
-
Its now updated, but it did get stuck at the rebooting stage, had to power cycle it, but luckily it came back up OK.
-
I could not use the dashboard/GUI, ( perhaps my everyday user profile does not have the correct rights)I logged in as an admin via ssh, and run Chris' command.
Updated with no issues.
Ian
-
I updated my backup router without any issues at all, nothing special, just chose the update from console option.
Other than spending way more time than I should have trying to figure out how to make it work without conflicting with the identical configuration on the main router. I usually just plug it into the 5G router to do that, but Three were having a moment.
I was completely unaware how easy it is to share your Internet connection on Linux these days. I just added my on-board NIC to Network Manager (its normally not in use as I have a 10G PCIe NIC) with Method "Shared to other computers" and bam, can use that as the WAN interface with the NAT hiding the main router.
Honestly, half the fight was I constantly kept forgetting I have to connect to the router on the LAN VLAN. I probably wasted an hour wondering why DHCP wasn't working. Then the config file I exported from my main router was corrupt, something is off when you backup RRD data.
-
I have a second unit now.
The first unit, has no hardware p-state support, and I also discovered wont reliably wake from sleep state (S3). If I use hibernate, it also wont wake up, but then after a power cycle it will boot the hibernated state.
The second unit has hardware p-states and sleep works fine.
I found this link from intel alongside dozens of sleep complaints.
Although this is for different hardware, I suspect its a bios issue on the first unit.
https://www.intel.com/content/www/us/en/support/articles/000057914/intel-nuc.html
First will be used with pfSense and will use software p-states for power management, as its always on, sleep doesnt matter. Second will be Windows use to replace my laptop.
-
I'm having an issue with OpenVPN
My brother got an error along the lines of "Connection failed - you are using insecure hash algorithm in ca signature. Please regenerate CA with other hash algorithm"
I wasn't experiencing this error, but it turned out I had Legacy turned on in the advanced settings in my client.
So after some Googling I found I needed to change Auth digest algorithm setting to SHA256, as it was SHA1, I changed this, renewed all the certificates, exported the client config and imported on my phone, but it then never connects.
Change back to SHA1 without altering anything else and it connects.
Any ideas what I'm missing please?
PS. All certificates show they are Signature Digest: RSA-SHA256
-
I dont mind trying to help, but it probably involves enabling more verbose logs, and once we go down that road it might be better dealt with in DM or something.
-
Been working on my first unit, and discovered it has i/o instability, but I am unable to trigger the problem on demand which is really frustrating, likely either RAM or storage, both of which I took as inclusive (my previous NUC's I ordered barebones and used known brands for storage and RAM).
The unit has a internal mPCIE which is pin compatible with mSATA however installing a mSATA drive confirms its not connected to the onboard SATA controller. It has a normal SATA port for standard SATA drives and 2 NVME, one for 2230 and another for 2280.
I got no LPDDR5 or NVME lying around, memory tests come up with nothing, extended SMART tests clean on the storage and has clean SMART stats, file system checks however fix corruption on the drive. The BIOS is the most thread bare BIOS I have ever seen in a NUC, its like a laptop BIOS.
So will chance it and buy a 2230 NVME, as that will work in either NVME slot, so if the NVME slot is duff, it can get round that, or if its the existing NVME it will solve the issue.
Luckily the other NUC I brought bare (after realising the included components were only saving £30).
Also the speaker is soldered directly on to board with no jumper to disable it, there is jumpers to control always on behaviour, pin 1 isnt labelled, so those I will tinker with later as I am curious if will fix the shutdown/sleep issues.
-
Ironically all my boxes bought inclusive work fine, its the one box I bought bare bones that has problems.
It will just randomly lockup, from several times a day to running solid on Folding@Home for months (makes an nice hand warmer), its bizarre. I'm reasonably sure the RAM is fine (pretty sure I ran memtest for a day to check), although its hard to tell given these closed boxes are going to make the RAM run hot.
I even re applied the paste which dramatically brought the temps down, but it still happens.
-
Thought the unit was dead, but got a really quick support reply, flipped battery out and back and its alive again.
-
Ironically all my boxes bought inclusive work fine, its the one box I bought bare bones that has problems.
It will just randomly lockup, from several times a day to running solid on Folding@Home for months (makes an nice hand warmer), its bizarre. I'm reasonably sure the RAM is fine (pretty sure I ran memtest for a day to check), although its hard to tell given these closed boxes are going to make the RAM run hot.
I even re applied the paste which dramatically brought the temps down, but it still happens.
Could be static damage during installing which typically results in strange random errors. Did you wear a grounded wrist strap?
-
re.....Could be static damage during installing which typically results in strange random errors. Did you wear a grounded wrist strap?
All my working years in electronics I never used a wrist strap or did anyone else. :o
-
Neither have I, I simply touch something that is earthed, or if it has a built in power supply I plug the PC in but switch it off at the wall and the power supply, then the case is nicely earthed.
-
Yeah its pretty unlikely. My understanding is grounding is ideal, but any large metal surface will dissipate the charge too. I'm not a nut case like so many YouTubers, grabbing the RAM sticks by the connection pads (which is bad as skin oils can mess up the connection too). Its the heatsink or the edges of the PCB.
In drier weather I will get a shock off none-grounded surfaces quite often, but being Yorkshire humidity is almost always 50-60% so this is rare.