Soekris Net4801 firewall with OpenBSD


As a going away present, my Lucent coworkers all chipped in and presented me with a load of cash :) It also came with a picture of an iPod mini that said "hint, hint...". However, I spent about a month debating whether or not to get the iPod. I decided to wait.

I had been reading about this new single-board computer (SBC) from a little engineering firm in Cali, and I was intrigued. At the time, I was using an old Pentium 166MHz that I had cobbled together from spare parts. I even used a rubber band to keep the heat sink on the CPU - how ghetto is that? I had (2) 10 Mbit NICs in it, and it was running OpenBSD.

I really like OpenBSD for its philosophy (secure by default), its slim install requirements, and its excellent documentation. It turns out that the Soekris boards are designed to work with open source operating systems, and it just so happens that OpenBSD is supported.

So, finally, after a few months of waiting and procrastinating (trying not to spend so much cash), I decided the time was right to go ahead and buy one and put it to work. I also happened to get a great deal on a 512MB compact flash card - $50!

the box arrives...

After some confusion with UPS getting the correct address (the shipper didn't put the second line of my address on the box), I finally received all the components I needed (about 3 days after I was *supposed* to get them - keeping a geek waiting for new toys is not a pretty sight. I'm sure I was looking pretty pathetic.)

preparation and setup (the hard way)

I found many sources of good information on the web for setting up a Soekris box with OpenBSD. I'm using information culled from 4 main sources:

  • Michael Lucas' O'Reilly Net Article that convinced me this whole thing was a good idea
  • Kyle Amon's article that verified that I could do what I thought I needed to do...
  • Will Glozer's CF install how-to
  • last but not least, Chris Cappuccio's very nice flashdist script

I thought I'd use my PowerBook as the configuration machine. I included in my order a PCMCIA to CF adapter ($6). I also have a USB to serial adapter that I use with a null modem cable to configure servers. However, this was not to be.

To successfully set up the system, I need to recompile the kernel. If I use my PB, I'd have to cross-compile for x86. I've never done this, and rather than delay routing nirvana, I just decided to use one of my other OpenBSD boxes as the host instead. I will still use the PB to load the image on the CF card, though, since I don't have any other device that could write to CF.

I looked through the flashdist script's code, to see if it would create the virtual device. It requires a device as a target. "Hmmmm, there must be a way to create a virtual device and write to it, right?", I thought. Yes, there is! After a quick google for virtual devices under OpenBSD, I found the vnconfig() command. I went through a lot of hardship for the next hour or so, thinking I needed to create my own device image, do the disklabel() myself as well as the fdisk().

After getting a few things right and a whole lot of things wrong, it hit me that all I had to do was create the virtual device, and associate it with a node, then the flashdist script would take it from there. *sigh*, I guess that's how one learns.

the steps - the easy way (non-geeks can stop reading here, if you haven't already)

You, gentle reader, shall not suffer the same fate! I have summarized what I did for your benefit (as well as mine - I'm a terminal amnesiac.). I recommend reading the above links to get a feel for what's happening here. I won't be comprehensive, since the other articles lay out a lot of the details. NOTE: commands that need to be executed are in <tt>. I've also put <ENTER> at the appropriate places so that the line breaks of my layout don't confuse you (Printing this page should also solve the problem). Okay, let's review my setup:

  • Soekris box connected via null modem cable to...
  • a PC running OpenBSD 3.5, with flashdist untar'd. This is the bootstrap machine.
  • a PowerBook running OSX 10.3 Panther to write the OS image to...
  • the 512MB compact flash card that is attached to the PB via...
  • a PCMCIA CF adapter

create and configure the virtual device

First things first, you'll need some vital info about your flash card. You'll need the Cylinders/Heads/Sectors info (CHS) from your card so that you know how to create your virtual device. You can accomplish this by putting the CF card into the Soekris and booting it up (I added a bit of tape to my CF card, because the CF slot on the Soekris is a little cramped, and getting the card in and out can be daunting). The BIOS reports the parameters that it sees, as well as the manufacturer. I also need to know what device the PowerBook sees the CF card as. This parameter is passed to dd when the image is written to the card. OSX reported the device as /dev/disk2s1. Truncate the "s1" as that is a specific partition, and dd needs to write to the entire device.

You are now ready to create a virtual disk. Login to the OpenBSD bootstrap machine and create an empty file with the parameters given to you from the Soekris' BIOS. Cylinders = cylinders, Heads = tracks/cylinder, and Sectors = sectors/track. So for the "512MB" card, what we really get is...

999 * 16 * 63 = 1006992 total Sectors
1006992 * 512 (bytes/sector) = 515579904 Bytes
(515579904 / 1024)/1024 = 491.6953125 = 491 MB

So, the actual size of the disk is 491MB. Note: I used 512B/Sector. This is standard for hard disks (the Soekris addresses the CF card as though it were a hard disk). Now, to create the empty file using dd:

dd if=/dev/zero of=/path/to/target/file bs=512 count=1006992 <ENTER>

where /path/to/target/file is, well... uh, the path to the target output file. Now, associate the file with a virtual node:

vnconfig -cv svnd0 /path/to/target/file<ENTER>
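
An added example (not from the original article or from the flashdist project): a small sh helper that reproduces the C/H/S arithmetic above, creates the zero-filled image and confirms its size before it is attached, and derives the whole-disk device name from the slice name OS X reports. The function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of flashdist.
SECTOR_BYTES=512   # bytes per sector, as used in the article

# Total sectors = cylinders * heads (tracks/cylinder) * sectors/track.
chs_sectors() {
    echo $(( $1 * $2 * $3 ))
}

# Image size in bytes for a given geometry.
chs_bytes() {
    echo $(( $(chs_sectors "$1" "$2" "$3") * SECTOR_BYTES ))
}

# Create a zero-filled image of exactly the card's size, then confirm the
# byte count, so a truncated file (full disk, interrupted dd) is caught
# before it is attached with vnconfig.
make_image() {
    img=$1
    want=$(chs_bytes "$2" "$3" "$4")
    dd if=/dev/zero of="$img" bs="$SECTOR_BYTES" \
        count="$(chs_sectors "$2" "$3" "$4")" 2>/dev/null || return 1
    got=$(wc -c < "$img" | tr -d ' ')
    [ "$got" -eq "$want" ]
}

# Map the slice name OS X reports (/dev/disk2s1) to the whole disk
# (/dev/disk2). Anything that is not /dev/diskN or /dev/diskNsM prints
# nothing and returns non-zero, so a typo never becomes a dd target.
whole_disk() {
    echo "$1" |
        sed -n 's|^\(/dev/disk[0-9][0-9]*\)\(s[0-9][0-9]*\)\{0,1\}$|\1|p' |
        grep .
}

# Usage on the bootstrap machine, with the values from the Soekris BIOS:
#   make_image /path/to/target/file 999 16 63 && echo "image size verified"
```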

create a custom kernel with flashdist

Now, build your new kernel via the steps in Michael Lucas' article. I had to download the source .tar.gz's. If you purchased the distribution CDs, then you don't need to. Otherwise, the .tar.gz's can be found here. The 2 files you want are "src.tar.gz" and "sys.tar.gz". Once the kernel is compiled, the rest is pretty easy.

create the OS image with flashdist

With the new kernel built, and the virtual device created, all that's left in the basic setup is to run flashdist. In Lucas' article, the assumption is that you have the CF card mounted on the bootstrap machine. Since mine isn't, I'll need to use the virtual device. However, if I run flashdist with the "-d" option and the parameters I got from the BIOS, disklabel(8) fails. The solution is to leave out the "-d" option as follows:

./flashdist.sh svnd0 flashsmall.txt ./NET4801-bsd /<ENTER> (prompts for CHS)

write the OS image to the CF card

At last! I can write the image to the CF card and boot up the Soekris to see what treasures await! I FTP the target output file to the PowerBook. Then, from Terminal:

sudo dd if=/path/to/file of=/dev/disk2 bs=512<ENTER>

On my machine, it takes about 13 min. to write the entire image, so go do something more constructive, like laundry, while you wait.

boot the Soekris with the new CF card image

If you were doing laundry, make sure you discharge before continuing. ESD could shorten the life of your Soekris box, the CF card, or both. That would be a Bad Thing®.

Okay, now that you don't have all those loose electrons all over you, pop the CF card into the Soekris. Booting up should reveal the standard OpenBSD login. At this point go to page 2 of Lucas' article for doing more configuration work.

I hope that I've been clear in laying out the details for my specific setup. If not, please drop me an email, and I'd be happy to answer any questions you have. Good luck, and have fun with your new toy!