ALIX to APU Conversion
October 2014 Hangout
Jim Pingle
What will be covered?
● Project Notes
● Notes about the ALIX
● Notes about the APU
● Assumptions
● Configuration Differences
● Pre-conversion tasks
● Common restore pitfalls
● Restoring configuration
● Deploying the new unit
Project Notes
● 2.2-BETA Progressing
– XXHASH for pf speed improvements
https://blog.pfsense.org/?p=1473
● POODLE / SSLv3
– Fix is already in the repository for 2.2, not certain yet if there will be a 2.1.6
– Only affects lighttpd in base; SSLv3 can be disabled with a patch if needed, howto posted on the forum
https://forum.pfsense.org/index.php?topic=82914.msg453869#msg453869
– Packages like HAproxy can disable it in their configuration
ALIX Notes
● ALIX board was good for its time, but will be EOL in 2015
● Passed EOUL (End of Useful Life) a while ago
● 256MB RAM is inadequate for many tasks
● Home Internet connection speeds much higher
● Multiple VPNs can easily run it out of RAM
● Few packages can work on it effectively
APU Notes
● Similar form factor to ALIX
– Needs new case, different standoff height
– Passive cooling, case is used as a heat sink
– New PSU required, needs more power
● VK-T40E from pfSense Store
● APU2/APU4 from Netgate
● 2GB or 4GB RAM
● AMD CPU similar to Atom
● SD card (NanoBSD) or mSATA (Full Install)
● 3x Realtek RTL8111E Gigabit Ports
– Issues with forcing speed/duplex being investigated
Assumptions
● APU already has an installed and working OS
– If the device was purchased from pfSense/Netgate, it is already OK
– If purchased elsewhere, check the forum for OS installation procedures
● Target unit (APU) is running the most recent firmware image available, currently pfSense 2.1.5
● Serial port (Hardwired or USB) and Null Modem cable are available
Configuration Differences
● ALIX/m1n1wall and APU/VK-T40E interface order is reversed:
– External labeling is the same
– ALIX ports, left to right are: vr2 (opt1), vr1 (wan), vr0 (lan)
– APU ports, left to right are: re0 (opt1), re1 (wan), re2 (lan)
– Blame PC Engines for that :-)
● Serial Console Speeds
– ALIX/m1n1wall from Netgate/pfSense – 38400
– APU/VK-T40E from Netgate/pfSense – 115200
– Vanilla pfSense install 2.1.x and earlier – 9600
● Cryptographic Accelerator Setting
– ALIX has glxsb onboard, might have a Hifn card, APU has none
Pre-conversion tasks
● Adjust serial setting on ALIX to 115200 from System > Advanced, reboot and test
● For a much smoother transition, note all packages and remove them. Reinstall after. (Optional, but highly recommended)
● Deselect any cryptographic accelerator chosen on System > Advanced, Miscellaneous tab
● Take a new backup from the ALIX – Diagnostics > Backup/Restore
– Though it is possible to back up the RRD files and restore them, to make the transition easier, do not include them in the backup
● If the APU is running a newer firmware than the old unit
– Review the Upgrade Guide for potential issues – https://doc.pfsense.org/index.php/Upgrade_Guide
– Review the release notes for the new version and all versions in between
Reset APU
● Use GUI (Diagnostics > Factory Reset), SSH or Serial console option 4
● Use front panel reset button if purchased from Netgate/pfSense store assembled and imaged (NanoBSD/SD only)
– Remove power
● It is preferable to remove power at wall/outlet, not barrel connector. This reduces chances of arc/spark (PC Engines warning)
– Insert paper clip or similar into reset button hole on the front, feel it depress
– Keep button depressed while restoring power
– Continue holding the button for 30-90 seconds, until tones are heard
● A normal boot has rising beeps: 1-2-3-4-5
● When the reset occurs, the tones descend then rise: 5-4-3-2-1 / 1-2-3-4-5
– Release the reset button
– Unplug the device and plug it back in
● Video demonstration of the reset procedure will be available when the hangout is posted to download
Common Restore Pitfalls
● Mismatched interfaces
– VLANs, Wireless, OpenVPN, GIF, GRE, PPP
● Serial console settings
– If the speed was manually set, it is retained in config.xml (e.g. 115200, 38400, 9600)
– Ensure config.xml has <enableserial/> tag if using mSATA, NanoBSD+VGA image and/or loading manually
● Packages reinstalled during restore
– If there is no Internet connection at reboot post-restore, packages will not be reinstalled and they must be reinstalled manually
● Do NOT plug the WAN of the APU into the LAN of the ALIX, especially if the LAN of the ALIX is still 192.168.1.x
– If the same subnet exists on the LAN and WAN of the APU, the GUI will become unreachable, among other ill effects
Restoring configuration
● If only normal physical interfaces are assigned, restoring via the GUI directly is easiest
– Diagnostics > Backup/Restore
– Select and restore the backup file
– Select new interface assignments
– Click SAVE
● Once Save has been pressed, the system will apply the new interface settings
● The local client IP may need to be adjusted to reach the firewall again
● If contact is lost with the firewall, power cycle the unit
● If Apply Changes is clicked, the new assignments will not be retained and the device will reboot with incorrect interfaces which must be corrected via the console
– The device will reboot with the new configuration
– Monitor reboot via serial console if possible
Restoring configuration
Before – Interface assignments on ALIX
After – Interface assignments on APU
Restoring configuration (Edits)
● If there are many virtual interface types assigned, it is often easier to edit the config.xml in a text editor first to fix the interfaces
– An advanced/programming editor is best (Notepad++, UltraEdit, Kate, vi/emacs, etc.)
– Search for the old interfaces (vr0, vr1, vr2) and replace by the new interfaces (re2, re1, re0) but do not auto-replace. Visually inspect all matches to ensure they refer to actual interface references!
– After editing, save, and restore as before
Restoring configuration (Edits)
Example of VLAN and PPP tags inside config.xml that could contain physical interface names to be changed.
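Added example (not from the original slides): a read-only Python helper that lists every place in a config.xml backup where an old ALIX interface name appears, with the proposed APU name, so each match can be inspected before editing by hand. The sample config is constructed, and the element names treated as interface references (if, vlanif, ports) are assumptions based on the usual pfSense layout.

```python
import re
import xml.etree.ElementTree as ET

# ALIX -> APU mapping from the slides (port order is reversed).
IF_MAP = {"vr0": "re2", "vr1": "re1", "vr2": "re0"}
# Whole-token match: hits vr0 and vr0_vlan10, skips srv0 or vr01.
TOKEN = re.compile(r"(?<![A-Za-z0-9])(vr[0-2])(?![A-Za-z0-9])")
# Assumption: elements whose text is normally an interface reference.
IF_TAGS = {"if", "vlanif", "ports"}

# Constructed sample, not a real backup.
SAMPLE = """<pfsense>
  <system><hostname>vr0-office</hostname></system>
  <interfaces>
    <wan><if>vr1</if></wan>
    <lan><if>vr0</if></lan>
    <opt1><if>vr0_vlan10</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans><vlan><if>vr0</if><tag>10</tag><vlanif>vr0_vlan10</vlanif></vlan></vlans>
  <ppps><ppp><type>pppoe</type><if>pppoe0</if><ports>vr1</ports></ppp></ppps>
</pfsense>"""


def find_candidates(xml_text):
    """Return (path, old, proposed, likely) for each element text that matches."""
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and TOKEN.search(text):
            # Single pass, so a replaced name is never rewritten a second time.
            proposed = TOKEN.sub(lambda m: IF_MAP[m.group(1)], text)
            hits.append((here, text, proposed, elem.tag in IF_TAGS))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits


if __name__ == "__main__":
    # Nothing is written back: the output is a checklist for manual editing.
    for path, old, new, likely in find_candidates(SAMPLE):
        flag = "likely interface" if likely else "REVIEW: may not be an interface"
        print(f"{path:32} {old:12} -> {new:12} [{flag}]")
```

The hostname hit in the sample matches the search string but is not an interface reference, which is the case the "do not auto-replace" warning is about.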
Pre-Deployment
● Boot the APU after restore and inspect the configuration. Ensure everything looks OK
– Confirm issues noted in the upgrade guide have been handled if they apply
– Check any assigned virtual interfaces (VLANs, OpenVPN, etc.)
● If external connectivity is available, ensure packages have reinstalled properly, have the correct configurations, and so on
● Verify RRD graphs are functional (Status > RRD Graphs)
– If not, reset RRD Data from the Settings tab
● Select the “amdtemp” thermal sensor under System > Advanced on the Miscellaneous tab
Deployment
● Remove the ALIX and replace with the APU!
● Most common problem will be ARP issues due to the MAC changes
– Avoid spoofing MAC addresses if possible
– Power off cable modems and power back on
– Check managed switches/routers, etc
– May need to reboot some gear/workstations, but generally not required
● Check gateway status, should show online
● Check LAN-side connectivity to the Internet
● If the configuration contained packages, ensure they are all present under System > Packages
– If they are missing, reinstall them now
– Some packages like squid or snort may require an update for rules/lists
● Test port forwards and other remaining services
● Salt to taste and enjoy!
