[talk] some pfSense, APU notes

George Rosamond george at ceetonetechnology.com
Fri Sep 19 23:38:47 EDT 2014


Posting here someone on talk@ or via a search engine, might find it useful.

The APU is PCEngines most recent board, replacing those well-loved Alix
boards.  They are 64-bit, and have either 2G or 4G of RAM.  mSATA SDD,
SD Card storage.

http://pcengines.ch/apu.htm

Since the APUs run hot, mounting the heat sink pad is critical.  Rumor
has it there's a few degree cooler on the mobo if you use the black case
as opposed to the other ones.

When flashing to the newest and latest BIOS, USB sticks were
unsuccessful.  I used an SD card with syslinux from gooze.eu, and
replaced the ROM file as per the most recent at the particular APU
product description page.

The PCEngines support forum (http://www.pcengines.info/) can seem more
like an ugly bar fight, but hold your nose and peruse and you may find
something useful.

For pfSense on the APU with SD cards, I'm using the amd64-nanobsd version.

Over serial, pfSense needs cu/tip/minicom speed at 9600, while the APU
is set for 115200.  Setting the speed to 9600 means the BIOS information
is missed.  Setting the speed to 115200 means pfSense seems to hang at
the "choose a slice" stage, when it actually isn't.  On pfSense, console
speed can be tinkered under the System tab, then Advanced, and scroll
down to "Serial Communications."

The usual "mount root" error can be resolved by manually mounting the
two slices on the SD card, and adding the following to
/boot/loader.conf.local (preferable over /boot/loader.conf)

kern.cam.boot_delay=10000

I recommend making sure both slices boot.  This can be done manually
during the boot process, but can also be done through the "Diagnostics"
tab, then "NanoBSD" in the first "Bootup Information" section.

I'm guessing that recent pfSense upgrade problems I've been having on a
variety of devices with flash media storage has to do with this.

One (seemingly) stupid consideration for all devices requiring logins:
change the default login name.  Always.  Brute forcing passwords is more
difficult when the adversary is using the default login.

HTH.

g


More information about the talk mailing list