
Alix to APU Conversion - pfSense Hangout October 2014

Slides for the October 2014 pfSense Hangout video


  1. ALIX to APU Conversion
     October 2014 Hangout
     Jim Pingle
  2. What will be covered?
     ● Project Notes
     ● Notes about the ALIX
     ● Notes about the APU
     ● Assumptions
     ● Configuration Differences
     ● Pre-conversion tasks
     ● Common restore pitfalls
     ● Restoring configuration
     ● Deploying the new unit
  3. Project Notes
     ● 2.2-BETA Progressing
       – XXHASH for pf speed improvements: https://blog.pfsense.org/?p=1473
     ● POODLE / SSLv3
       – Fix is already in the repository for 2.2; not certain yet if there will be a 2.1.6
       – Only affects lighttpd in base; SSLv3 can be disabled with a patch if needed, howto posted on the forum: https://forum.pfsense.org/index.php?topic=82914.msg453869#msg453869
       – Packages like HAproxy can disable it in their configuration
  4. ALIX Notes
     ● ALIX board was good for its time, but will be EOL in 2015
     ● Passed EOUL (End of Useful Life) a while ago
     ● 256MB RAM is inadequate for many tasks
     ● Home Internet connection speeds much higher
     ● Multiple VPNs can easily run it out of RAM
     ● Few packages can work on it effectively
  5. APU Notes
     ● Similar form factor to ALIX
       – Needs new case, different standoff height
       – Passive cooling, case is used as a heat sink
       – New PSU required, needs more power
     ● VK-T40E from pfSense Store
     ● APU2/APU4 from Netgate
     ● 2GB or 4GB RAM
     ● AMD CPU similar to Atom
     ● SD card (NanoBSD) or mSATA (Full Install)
     ● 3x Realtek RTL8111E Gigabit Ports
       – Issues with forcing speed/duplex being investigated
  6. Assumptions
     ● APU already has an installed and working OS
       – If the device was purchased from pfSense/Netgate, it is already OK
       – If purchased elsewhere, check the forum for OS installation procedures
     ● Target unit (APU) is running the most recent firmware image available, currently pfSense 2.1.5
     ● Serial port (Hardwired or USB) and Null Modem cable are available
  7. Configuration Differences
     ● ALIX/m1n1wall and APU/VK-T40E interface order is reversed:
       – External labeling is the same
       – ALIX ports, left to right are: vr2 (opt1), vr1 (wan), vr0 (lan)
       – APU ports, left to right are: re0 (opt1), re1 (wan), re2 (lan)
       – Blame PC Engines for that :-)
     ● Serial Console Speeds
       – ALIX/m1n1wall from Netgate/pfSense: 38400
       – APU/VK-T40E from Netgate/pfSense: 115200
       – Vanilla pfSense install 2.1.x and earlier: 9600
     ● Cryptographic Accelerator Setting
       – ALIX has glxsb onboard, might have a Hifn card, APU has none
  8. Pre-conversion tasks
     ● Adjust serial setting on ALIX to 115200 from System > Advanced, reboot and test
     ● For a much smoother transition, note all packages and remove them. Reinstall after. (Optional, but highly recommended)
     ● Deselect any cryptographic accelerator chosen on System > Advanced, Miscellaneous tab
     ● Take a new backup from the ALIX
       – Diagnostics > Backup/Restore
       – Though it is possible to back up the RRD files and restore them, to make the transition easier, do not include them in the backup
     ● If the APU is running a newer firmware than the old unit
       – Review the Upgrade Guide for potential issues
       – https://doc.pfsense.org/index.php/Upgrade_Guide
       – Review the release notes for the new version and all versions in between
  9. Reset APU
     ● Use GUI (Diagnostics > Factory Reset), SSH or Serial console option 4
     ● Use front panel reset button if purchased from Netgate/pfSense store assembled and imaged (NanoBSD/SD only)
       – Remove power
         ● It is preferable to remove power at wall/outlet, not barrel connector. This reduces chances of arc/spark (PC Engines warning)
       – Insert paper clip or similar into reset button hole on the front, feel it depress
       – Keep button depressed while restoring power
       – Continue holding the button for 30-90 seconds, until tones are heard
         ● A normal boot has rising beeps: 1-2-3-4-5
         ● When the reset occurs, the tones descend then rise: 5-4-3-2-1 / 1-2-3-4-5
       – Release the reset button
       – Unplug the device and plug it back in
     ● Video demonstration of the reset procedure will be available when the hangout is posted to download
  10. Common Restore Pitfalls
      ● Mismatched interfaces
        – VLANs, Wireless, OpenVPN, GIF, GRE, PPP
      ● Serial console settings
        – If the speed was manually set, it is retained in config.xml (e.g. 115200, 38400, 9600)
        – Ensure config.xml has <enableserial/> tag if using mSATA, NanoBSD+VGA image and/or loading manually
      ● Packages reinstalled during restore
        – If there is no Internet connection at reboot post-restore, packages will not be reinstalled and they must be reinstalled manually
      ● Do NOT plug the WAN of the APU into the LAN of the ALIX, especially if the LAN of the ALIX is still 192.168.1.x
        – If the same subnet exists on the LAN and WAN of the APU, the GUI will become unreachable, among other ill effects
  11. Restoring configuration
      ● If only normal physical interfaces are assigned, restoring via the GUI directly is easiest
        – Diagnostics > Backup/Restore
        – Select and restore the backup file
        – Select new interface assignments
        – Click SAVE
          ● Once Save has been pressed, the system will apply the new interface settings
          ● The local client IP may need to be adjusted to reach the firewall again
          ● If contact is lost with the firewall, power cycle the unit
          ● If Apply Changes is clicked, the new assignments will not be retained and the device will reboot with incorrect interfaces, which must be corrected via the console
        – The device will reboot with the new configuration
        – Monitor reboot via serial console if possible
  12. Restoring configuration
      [Screenshots: Before, interface assignments on ALIX; After, interface assignments on APU]
  13. Restoring configuration (Edits)
      ● If there are many virtual interface types assigned, it is often easier to edit the config.xml in a text editor first to fix the interfaces
        – An advanced/programming editor is best (Notepad++, UltraEdit, Kate, vi/emacs, etc.)
        – Search for the old interfaces (vr0, vr1, vr2) and replace them with the new interfaces (re2, re1, re0), but do not auto-replace. Visually inspect all matches to ensure they refer to actual interface references!
        – After editing, save, and restore as before
  14. Restoring configuration (Edits)
      [Screenshot: example of VLAN and PPP tags inside config.xml that could contain physical interface names to be changed]
  15. Pre-Deployment
      ● Boot the APU after restore and inspect the configuration. Ensure everything looks OK
        – Confirm issues noted in the upgrade guide have been handled if they apply
        – Check any assigned virtual interfaces (VLANs, OpenVPN, etc)
      ● If external connectivity is available, ensure packages have reinstalled properly, have the correct configurations, and so on
      ● Verify RRD graphs are functional (Status > RRD Graphs)
        – If not, reset RRD Data from the Settings tab
      ● Select the “amdtemp” thermal sensor under System > Advanced on the Miscellaneous tab
  16. Deployment
      ● Remove the ALIX and replace with the APU!
      ● Most common problem will be ARP issues due to the MAC changes
        – Avoid spoofing MAC addresses if possible
        – Power off cable modems and power back on
        – Check managed switches/routers, etc
        – May need to reboot some gear/workstations, but generally not required
      ● Check gateway status, should show online
      ● Check LAN-side connectivity to the Internet
      ● If the configuration contained packages, ensure they are all present under System > Packages
        – If they are missing, reinstall them now
        – Some packages like squid or snort may require an update for rules/lists
      ● Test port forwards and other remaining services
      ● Salt to taste and enjoy!
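
An added example, not from the slides or the pfSense project: a read-only reviewer for the config.xml edit in slides 13-14. It lists every vr0/vr1/vr2 match with its element path and the proposed re2/re1/re0 value, marks free-text matches for manual inspection instead of replacing them, and checks for the <enableserial/> tag from slide 10. The `review` helper is hypothetical and the sample config is a constructed, simplified fragment.

```python
import re
import xml.etree.ElementTree as ET

# ALIX -> APU mapping from the slides (same physical port position).
IF_MAP = {"vr0": "re2", "vr1": "re1", "vr2": "re0"}
# Old name as a standalone token; also matches inside names like vr2_vlan10.
OLD = re.compile(r"(?<![A-Za-z0-9])(vr[0-2])(?![A-Za-z0-9])")
# Shape of a value that is purely an interface name (assumed naming pattern).
IFNAME = re.compile(r"vr[0-2](_vlan\d+)?")

# Constructed, simplified config.xml fragment (not a real backup).
SAMPLE = """<pfsense>
  <system><hostname>fw</hostname></system>
  <interfaces>
    <wan><if>pppoe0</if><descr>WAN</descr></wan>
    <lan><if>vr0</if><descr>LAN</descr></lan>
    <opt1><if>vr2_vlan10</if><descr>vr2 guest net</descr></opt1>
  </interfaces>
  <vlans><vlan><if>vr2</if><tag>10</tag><vlanif>vr2_vlan10</vlanif></vlan></vlans>
  <ppps><ppp><type>pppoe</type><if>pppoe0</if><ports>vr1</ports></ppp></ppps>
</pfsense>"""

def review(xml_text):
    """Return (findings, has_enableserial); findings are (path, old, proposed, kind)."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        text = (elem.text or "").strip()
        if OLD.search(text):
            tokens = re.split(r"[,\s]+", text)
            kind = "interface" if all(IFNAME.fullmatch(t) for t in tokens) else "inspect"
            proposed = OLD.sub(lambda m: IF_MAP[m.group(1)], text)
            findings.append((path, text, proposed, kind))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return findings, root.find(".//enableserial") is not None

if __name__ == "__main__":
    hits, serial = review(SAMPLE)
    for path, old, new, kind in hits:
        print(f"{kind:9} {path}: {old!r} -> {new!r}")
    print("enableserial tag present:", serial)
```

Nothing is written back to the file; the listing is meant to be read alongside the editor so each "inspect" match can be confirmed or skipped by hand.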
