Updating to pfSense® 2.1.2


Hacom has discontinued pfHacom and will pre-load the "standard" pfSense® software on our hardware instead.

This article discusses some of the hardware-related issues and provides a procedure to update from pfHacom 2.1 to pfSense® 2.1.2 for our hardware platforms.

The IT-100 is the only one of our systems that we do NOT recommend updating to version 2.1.2. There is not enough RAM in the IT-100 to run version 2.1 or later. The Heartbleed issue does not affect the IT-100 since it is only a problem for systems running versions 2.1 and 2.1.1.

Introduction

Originally, pfHacom was introduced in 2006 to address some of the pfSense® issues in direct support of our hardware platforms:

1. VGA console for systems running compact flash (CF) or flash-based storage. Prior to version 1.2.3, we needed to run the full pfSense® software on a CF with VGA console. The nanobsd version of pfSense® 1.2.3, released in 2009, addressed the CF issues but still did not support the VGA console. It was not until 2011 that the 2.0 nanobsd release supported the VGA console on embedded platforms.

2. Some of our older motherboards, mainly the CV860A and CV863A, required additional driver support.

This made it easier to concentrate our support on pfHacom and to move quickly to resolve specific hardware-related issues without affecting the "standard" pfSense® software.

However, two recent events have changed that:

1. We no longer have access to the pfSense® build system starting with version 2.1.1.

2. It would be faster for our customers to get updates directly from pfSense® to fix the Heartbleed bug.

We decided to discontinue pfHacom and will instead pre-load the "standard" pfSense® software on our hardware platforms.

Technical issues

Currently, there are two hardware-related issues and one implementation issue on some of our hardware platforms that require special attention before updating to the pfSense® 2.1.2 software.

1. Serial port problem.

2. AHCI support

3. 8GB DOM (Disk-On-Module)

Serial Port problem

FreeBSD seems to have problems with ACPI-based serial ports. It can cause "strange" and seemingly unexplained problems, like kernel panics, disabling both serial and VGA console, etc. Most of our customers have not experienced these issues since our systems are more or less exclusively VGA console.

The way to fix this problem is to tell FreeBSD to ignore the ACPI implementation and to treat serial ports as ISA-based instead. Add one of the following lines to /boot/loader.conf.local, depending on the specific motherboard.

For the Mars II D525 1U server, the Mars II Twin Blade and the Mars II OpenBrick-M D525

debug.acpi.avoid="\_SB_.PCI0.SBRG.UAR1 \_SB_.PCI0.SBRG.UAR2"

For the Mars IIB 1U server and the Twitter D525

debug.acpi.avoid="\_SB_.PCI0.PC40.UAR1 \_SB_.PCI0.PC40.UAR2"

For the Jupiter IIIB 1U server

debug.acpi.avoid="\_SB_.PCI0.LPCB.UAR1 \_SB_.PCI0.LPCB.UAR2"

For the Jupiter IV 1U server, the Jupiter IV Twin Blade and the Jupiter IV OpenBrick-M

debug.acpi.avoid="\_SB_.PCI0.LPCB.UR11 \_SB_.PCI0.LPCB.UR12 \_SB_.PCI0.LPCB.UR13 \_SB_.PCI0.LPCB.UR14"

For our other systems, please contact us at support@hacom.net.

AHCI Support

AHCI support is required mainly for SSD-based systems. However, we recommend AHCI support for most of our systems. There are a few that cannot do AHCI, for example the Mercury VIA C7 1U Server and the Mars Celeron-M 1U Server.

Following is the procedure to enable AHCI support:

1. In the BIOS, change SATA from IDE to AHCI

2. Add the following line to the /boot/loader.conf.local file

ahci_load="YES"

3. Run /usr/local/sbin/ufslabels.sh. With AHCI enabled, the device for the root filesystem will change from /dev/ad4s1a to /dev/ada0s1a. The ufslabels.sh command changes the /etc/fstab file to accommodate the name change and ensure the root filesystem can be mounted after a reboot.
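The loader.conf.local edits from the serial port and AHCI sections can be applied repeatably, and /etc/fstab checked for the old device name before rebooting. The script below is an added example, not Hacom's or pfSense's own tooling; the function names set_loader_var and stale_fstab_devices are hypothetical, and the demo runs on constructed sample files in a temporary directory.

```sh
#!/bin/sh
# Added example; not Hacom's or pfSense's tooling. Paths are arguments so the
# functions can be tried on copies before touching /boot or /etc.

# set_loader_var FILE KEY VALUE
# Write KEY="VALUE" to FILE exactly once, replacing any earlier assignment of
# KEY, so re-running after an upgrade does not stack duplicate lines.
set_loader_var() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # Keep every line that does not begin with KEY=
        awk -v k="$key=" 'index($0, k) != 1' "$file" > "$tmp"
    fi
    # %s keeps the backslashes in ACPI paths such as \_SB_.PCI0... literal.
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# stale_fstab_devices FSTAB
# Print fstab device fields that still use a legacy ATA name (/dev/adN...).
# Exit status is 0 when there are none, 1 when an entry would fail to mount.
stale_fstab_devices() {
    awk '$1 !~ /^#/ && $1 ~ /^\/dev\/ad[0-9]/ { print $1; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Demo on constructed files (sample data, not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'ahci_load="NO"' 'autoboot_delay="3"' > "$demo_dir/loader.conf.local"
printf '%s\n' '# Device Mountpoint FStype Options Dump Pass#' \
    '/dev/ad4s1a / ufs rw 1 1' > "$demo_dir/fstab"

set_loader_var "$demo_dir/loader.conf.local" ahci_load YES
set_loader_var "$demo_dir/loader.conf.local" debug.acpi.avoid \
    '\_SB_.PCI0.SBRG.UAR1 \_SB_.PCI0.SBRG.UAR2'
cat "$demo_dir/loader.conf.local"
if ! stale_fstab_devices "$demo_dir/fstab"; then
    echo "fstab still names the pre-AHCI device; run ufslabels.sh before rebooting"
fi
```

Pass the ACPI path in single quotes so the shell leaves the leading backslashes intact.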

8GB DOM (Disk-On-Module)

Recently, we have shipped many systems with an 8GB DOM instead of the 2GB DOM. These 8GB DOM systems require a complete re-installation of the pfSense® 2.1.2 software, because there is NO equivalent 8GB pfSense® 2.1.2 nanobsd_vga image.

There are two ways to re-install pfSense® 2.1.2 software:

A. Flash the 4GB nanobsd_vga image. Although it wastes 4GB of storage, this will yield the most reliable system, since the root device is mounted read-only. Following is the procedure.

1. Please back up the existing config.xml. Also, please have access to the system through a VGA display and a keyboard. The fresh image resets the WAN and LAN to use the default vr1 and vr0, which could disable the system.

2. Download the correct image for your compact flash. Most likely it will be the following for the amd64 architecture.

http://files.bgn.pfsense.org/mirror/downloads/pfSense-2.1.2-RELEASE-4g-a...

3. Use a USB CompactFlash reader/writer to write the image to the compact flash. For example, use the following command to write the image to an 8GB DOM, or use m0n0wall's physdiskwrite utility.

gunzip -c pfSense-2.1.2-RELEASE-4g-amd64-nanobsd_vga.img.gz | dd of=/dev/da0 bs=4M; sync; sync

4. After the initial installation, reload the backed-up configuration.

B. Treat the 8GB DOM as an SSD. Following is the procedure.

1. Please back up the existing config.xml. Turn on AHCI in the BIOS.

2. Use the memstick image to install the "standard" pfSense® software on a hard drive. Don't do the automatic installation. Go through the manual hard drive installation so that the swap partition can be deleted during the disk setup.

3. Make sure that there is no swap partition. Delete the swap partition since there is not enough space on an 8GB DOM. Swap is always a bad idea on a flash-based memory storage.

3a. After the installation, put the following lines in the /boot/loader.conf.local file.

ahci_load="YES"

3b. Also put in the debug.acpi.avoid line, if the system requires it. See the serial port discussion above!

The first line loads the ahci driver. The root filesystem will change from /dev/ad4s1a to /dev/ada0s1a when the ahci driver is loaded. Run the command /usr/local/sbin/ufslabels.sh to fix that problem.

The second line fixes the serial ports in case a serial console is desired.

4. Turn on TRIM. Boot up in single user mode, then run "/sbin/tunefs -t enable /" and "/sbin/reboot". After the reboot, run the command "tunefs -p /" to make sure TRIM is enabled. TRIM is required since the 8GB DOM is flash-based storage. Without TRIM, it will be corrupted within a few months.

5. Once everything is working, add the following option to the root filesystem: noatime. The "noatime" option will minimize unnecessary writes to disk storage.

6. Reload the configuration config.xml file. Make sure to check in the System: Advanced: Miscellaneous and enable the /tmp and /var as memory file systems (RAM disk Settings section).

Automatic Update Procedure

Automatic update can be done if updating from version 2.1 to 2.1.2 for a HD-based system. It is also the best since it will detect the correct architecture: amd64 or i386. For systems running version 2.0.3 or earlier, it is better to do the update manually.

The nanobsd version of pfHacom cannot be automatically updated to the "standard" pfSense® software. The main reason is the naming convention. pfHacom is actually the nanobsd_vga image, but named as nanobsd. Updating to the "standard" pfSense® nanobsd version will effectively lock out the VGA console.

Make sure the configuration is backed up!

To update to the "standard" pfSense® version, just point the alternate update URL to the following.

http://updates.pfsense.org/_updaters/

Manual Update Procedure

Make sure the configuration is backed up!

For manual updating, we recommend using the console update, although the WebGUI update should also work. With the VGA console, if something goes wrong, the system can still be recovered by booting to the second partition.

The upgrade flash image depends on the architecture and the size of the firmware storage.

For the Mercury VIA C7 1U server, the Mars Celeron-M 1U Server, the OpenBrick-M N270 and the Uno N270, please use the images for i386 architecture:

2GB CF

http://updates.pfsense.org/_updaters/latest-nanobsd-vga-2g.img.gz

4GB CF

http://updates.pfsense.org/_updaters/latest-nanobsd-vga-4g.img.gz

Full HD

http://updates.pfsense.org/_updaters/latest.tgz

For other systems, please use the images for the amd64 architecture:

2GB CF and 2GB DOM

http://updates.pfsense.org/_updaters/amd64/latest-nanobsd-vga-2g.img.gz

4GB CF

http://updates.pfsense.org/_updaters/amd64/latest-nanobsd-vga-4g.img.gz

Full HD

http://updates.pfsense.org/_updaters/amd64/latest.tgz

Full SSD systems use the same image as Full HD. Just make sure that TRIM is enabled for better reliability.

For 8GB DOM systems, the "standard" pfSense® software has to be re-installed as either nanobsd or HD/SSD as discussed above.

Following is a tutorial on How to Upgrade a Flash-based System from version 1.2.3 to 2.0. It is still applicable, except that you should download the correct "standard" pfSense® 2.1.2 image based on the architecture and firmware storage.

https://www.youtube.com/v/cw8iqWnkM7U

Please contact support@hacom.net if there are questions.
