In my ongoing search for awesome hardware to use as a firewall I recently loaded up a Nokia IP690 with pfSense. This was an awesome success and it is running great. Of course it is limited by certain factors and I wanted to see about something less limited. Enter the Checkpoint IP2455.
The Nokia IP690 is a 1U form factor rack mount unit. Beyond that, the internal hardware seems almost shrouded in secrecy, as little is known or published about it on the Internet. I hope to shed a little light on that here…
Having the hardware in house, it was time to load it. I chose pfsense as the starting OS for my IP690 install due quite simply to features. It has everything I wanted, including all of the features that were missing in other firewall distributions I have used in the past.
This may seem like a round-about method. My goal on any install is a clean, direct installation. This method allows the actual install to be done ON the IP690. One could install pfsense in another system and move the drive over, edit a few files and be done. To me the method below is cleaner in terms of final product.
What you will need:
- Hard Drive you want to install to (2 if going for RAID1)
- USB drive to install with
- RJ-45 Serial Console Cable
- Another PC (that you can get in to!)
What my IP690 came with:
- Hard Drive (40gb Fujitsu SATA150)
- 128mb CF Card
- 2gb RAM
- Encryption Accelerator Card
- 4 Port 1000BaseTX Card
- 2 Port 1000BaseSX Card
- 2 Port 1000BaseSX Card
- Dual Power Supplies
I replaced the HD with a pair of WD 320 Scorpio Black HDs. RAM was upgraded to the maximum the system would support, which is 8gb, bought from ebay for 12$.
On to the real work:
- Download the latest version of pfsense. For this install I used 2.2.2. Key items here are the x86 (32bit version) with serial console. The image was:
- Write the image to your USB drive/stick
- Place the install HD in to the extra PC. Remove any other drive. If going for RAID1, you only need one drive.
- Plug the USB in to the PC and boot from the USB drive.
- Perform an install to the hard drive, accepting all the defaults to speed things along (don’t worry, we get to the fun stuff later)
- Once the install is complete shut down the extra PC. Restore it to the original state as you will need it for the serial console.
- Remove the CF card from the IP690
- Place the loaded hard drive in to the IP690, making sure it is in SLOT A.
- If you are going for RAID1, make sure the second hard drive is blank. Install the second hard drive in to SLOT B
- Cable up to the serial console. Default console is 9600 8N1
- Do NOT plug the USB drive in to the IP690 yet. Doing so will lock the system up during boot!
- Power on the IP690: You should see a short text blurb from the console, then a memory test.
- I have seen two things happen here. The system should boot from the installed hard drive directly in to pfsense. In some cases it would drop down to a console prompt with an error about finding the system/root FS. If it fails to boot with this error, proceed to STEP 18.
- If the system booted in to pfsense fine you will be presented with the normal console menu. Select 8 to drop to the console/shell
- Now for the part one may find odd, we want to break the install by deleting the root line from fstab. For mine this was:
/dev/mirror/pfSenseMirrors1a / ufs rw 1 1
- Reboot the IP690
- During the boot process, you will again see the memory test. Once this disappears from the screen plug the USB drive in to the front USB port. NOT BEFORE!
- The system should fail to boot and drop to a console with an error about not being able to find the root FS. This is expected and GOOD!
- Push the system to boot from USB by entering: ufs:/dev/da0 and pressing Enter
- The system should now boot from the USB drive
- Proceed through the process to install as usual. If you are using RAID1, you will be able to see and allocate both drives.
- At the end of the install reboot, making sure to remove the USB
- Enjoy your pfsense install!
First of many, this is the dmesg output from pfsense booting on the Nokia IP690:
EDIT: Seems the CMS in use for the site likes to eat a few characters in certain cases. Just in case, a text version of the dmesg.boot can be found here.
Recently I started looking for a replacement for my EdgeRouter Lite. I wanted a bit more flexibility in my router/firewall as well as capacity. The capacity part pushed me to a new platform, mainly due to the ERL being limited to 3 ports. Its big brother the EdgeRouter Pro has more ports (8 total) with two dual purpose RJ-45/SFP ports, but port speeds are capped to 1gb. I wanted to upgrade to something that could grow beyond that.
Before anyone decides to start flaming, the EdgeRouter series is awesome! It is very affordable, offers very good performance and an awesome feature-set. It simply does not fit my application moving forward. I fully plan to utilize the ERL for other applications moving forward.
Enter the Nokia IP series. These are older devices no longer made by Nokia, in fact the whole line has been bought up by Checkpoint. That said they are very flexible and based on commercial standards for the most part. The IP330 has been hacked up so many ways by DIY firewall & router guys for years. The IP690 is far more modern than the IP330 with expandability.
The end goal for me: an open source firewall/router platform that can grow. The IP690 is a very nice hardware platform, so the only question was software. Can pfsense (or something similar) be loaded on to the platform and run well? The short answer is yes. I will update this post with links to additional posts with details as I get them written.
In a previous post I went over using nvidia-settings to control the fans on the three Nvidia GTX465 cards I have in my desktop. In the recent driver release (around version 349.12 ~ 349.16) they removed the ability to do this.
More specifically the nvidia-settings variable for “GPUCurrentFanSpeed” is no longer present. It has been replaced by “GPUCurrentFanSpeedRPM”. The main difference is it no longer returns the set percent value for the fan. It instead returns the actual RPM reading. All fine and dandy except this is now READ-ONLY, meaning it can no longer be used to set the desired fan speed.
Unlocking the fan control on my system automatically sends them to 100%. Should keep them cool, but man is it noisy…
There is currently a post in the Nvidia forums tracking the issue: Here
Once it is sorted out I will be updating my script to control the fans and posting it on the site.
In the coming days I am expecting to post a large amount of technical data on the Nokia IP690. The information on this unit seems to be for the most part rather sparse. The reason I will be doing this is because I purchased one to take up the post of firewall/router for my home.
An upgrade was needed since there are two potential providers coming to my area with Internet speeds that may be at the limits of my current router. Google has announced they are going to be offering their fiber in the Atlanta area soon. Comcast did not want to let the area go, so they are also going to be offering fiber in the area soon. Google is coming to the table with 1gb while Comcast is trying to one-up the competition with 2gb. My little ERL will do 1gb natively; however, 2gb is a little beyond its reach.
At any rate, more to come when the hardware arrives. Should be here Friday!
It has come time to upgrade the family computer. The outgoing system is a Shuttle SN21G50, weighing in with the following specs:
- Athlon 64 CPU
- 2gb RAM
- 120gb WD IDE Hard Drive
- DVD-RW Optical Drive
- Windows XP
All this wrapped up in a Mini-ITX desktop case.
Needless to say the system is rather aged. It is far beyond its time as a primary desktop system. Its primary use is web access and basic document creation & editing, all for school.
The incoming system packs a good bit more power in a much smaller platform. Based on usage expectations the following was selected:
- Intel NUC5i3RYK
- Intel 4th Gen Core i3 @ 2.1GHz Dual Core
- Intel AC-7265 Dual Band Wireless
- Gigabit Ethernet
- 4 USB 3.0 Ports
- 8gb Crucial DDR3L 1600
- 250gb Crucial MX200 M.SATA SSD
- Windows 7 Home Premium
- Office 2013 Home & Student
All in the nice little Intel NUC form factor which is small.
Overall I am rather impressed with the NUC. It is very well done in everything. The BIOS, build quality, components and such are all high quality. I would highly recommend the unit to anyone looking to build a PC with similar specs whether they are looking to save space or not.
Now the kids and everyone else should be able to enjoy their facebook and youtube without waiting forever…
Android is a fairly nice OS for mobile devices. While I think parts of the OS itself are a mess, it does its job and does it well. Even looks good for the most part.
My biggest problem with android, it is a data collection point for Google, and they push this to the extreme. Information collection is their business, make no mistake. I have for you today a simple example of this.
If you use google maps, the application wants you to enable what Google calls “High Accuracy” mode. This allows the device to use GPS, cellular signal and WiFi signal to determine your location. This of course requires that the device ask someone what cell towers and WiFi APs are where. Google happily keeps a database of this information, and when you allow the service to run it adds what it sees I am sure.
Position can be most accurately derived in mobile devices using GPS. There are of course exceptions to this, such as cases where GPS does not work (indoors, a basement), the GPS is junk (Galaxy S, ala Vibrant) or the device simply does not have a GPS. Aside from that, GPS is the best and most accurate method. So if I have a valid 3D fix from my GPS why use the other data? Because they can’t collect it if you don’t, you are the collection point. The only other means of gathering this data for them is the Street View cars, which collect it along with other data (shame on them by the way…).
To encourage users to participate, they break things, warn users and whatever else to get you to turn it on. As a simple example try the following (based on Android 5.0.2):
- Go to “Settings”
- Scroll down to “Location” and select it
- Tap on “Mode” and select “Device only”
- Exit from settings
- Start Google “Maps”
- It should center on your current location. This confirms your device has a good position fix.
- Zoom out, and move away from your present position
- Press the icon to center on your position
- You should be presented with a dialog similar to the one below, asking you to enable the “High Accuracy” mode:
- Click cancel and enjoy the app not moving to your current position
At this point we know the position data is valid and the device knows where it is. This is just another move by Google to ensure you are giving them what they want, what they designed android to get for them. An easy step to re-validate things is exit (fully) maps and start it back up, it should again move to your current position. Best of all, note the second statement under “Learn more”.
I, like most people into tech, have a few arduino boards lying around. They are fun to play with and can on occasion be used to do some really useful and/or creative stuff. I recently reinstalled Gentoo on my desktop to move the system to encrypted drives, so of course setting up the arduino IDE was a task to be completed.
These are my notes:
- Install layman. This is required for the local build tools and such:
emerge -aq layman
- Edit “/etc/portage/make.conf” to use layman accordingly by adding:
- Install arduino:
emerge -aq arduino
- Build the tool chain. This hit a glitch due to a bug related to the “sanitize” use flag. The command below sets an ENV variable to override this:
USE="-sanitize" crossdev -t avr
Assuming the bug is fixed, it should work with just:
crossdev -t avr
- Link to the linker scripts. NOTE: the 2.25 is dependent on the actual version present in “/usr/lib/binutils/avr”
ln -s /usr/lib/binutils/avr/2.25/ldscripts /usr/avr/lib/ldscripts
- The java rxtx wants to create a lock file in “/var/lock”. This is a symlink to “/run/lock”. On my system it was owned by root:root, and of course we don’t want to add users to the group “root” just to use serial ports. Also the permissions on “/run/lock” were set to 755 which would not allow a group member to write to it. Change the group and set the required permissions:
chown -R root:lock /run/lock
chown -R root:lock /var/lock
chmod -R 775 /run/lock
- Add the user to the needed groups. The -aG breaks down as -a (append to the supplementary groups) and -G (list of groups, separated by commas):
usermod -aG uucp,lock andarius
At this point I could fire up the arduino IDE, compile a sketch (horrible name…) and upload it to my OSEPP Pro.
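The lock-directory and group steps above can be verified with a short script. This is an added example, not part of the original notes; the function names check_lock_dir and missing_groups are made up for illustration, and it assumes GNU stat (as on Gentoo).

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes GNU stat.

# Succeed only if DIR belongs to GROUP (name or numeric gid), is
# group-writable, and is not world-writable (i.e. no wider than 775).
check_lock_dir() {
    dir=$1 group=$2
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # %G = group name, %g = numeric gid, %a = octal mode.
    # -L follows the /var/lock -> /run/lock symlink.
    set -- $(stat -L -c '%G %g %a' "$dir" 2>/dev/null)
    [ $# -eq 3 ] || { echo "FAIL: cannot stat $dir"; return 1; }
    m=$(( 0$3 ))    # leading 0 makes the shell read the mode as octal
    if [ "$1" != "$group" ] && [ "$2" != "$group" ]; then
        echo "FAIL: $dir group is $1, expected $group"; return 1
    fi
    [ $(( m & 020 )) -ne 0 ] || { echo "FAIL: $dir mode $3 is not group-writable"; return 1; }
    [ $(( m & 002 )) -eq 0 ] || { echo "FAIL: $dir mode $3 is world-writable"; return 1; }
    echo "OK: $dir group=$1 mode=$3"
}

# Print each listed group that USER does not have in the account
# database (the membership a fresh login session will receive).
missing_groups() {
    user=$1; shift
    have=" $(id -nG "$user" 2>/dev/null) "
    for g in "$@"; do
        case $have in
            *" $g "*) ;;
            *) echo "$g" ;;
        esac
    done
}

# Check the directories and groups used in the notes above.
for d in /run/lock /var/lock; do check_lock_dir "$d" lock; done
echo "groups still missing: $(missing_groups "${1:-$(id -un 2>/dev/null)}" uucp lock | tr '\n' ' ')"
```

Groups added with usermod only take effect in new login sessions, so a shell that was already open may still lack them even when the script reports nothing missing.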