SOLVED Problems with embedded installation

[huub]

I used m0n0wall for years and earlier this year switched to t1n1wall.
What I am missing is an installation manual.

I used the m0n0wall recipe, but that got me only so far.
The recipe I refer to:

Installation on an embedded PC requires the following steps:

    download the raw CF image (generic-pc-serial)
    write the image to a CF card (>= 32 MB), either with dd under FreeBSD/Linux or under Windows with physdiskwrite
        FreeBSD:
        gzcat generic-pc-serial-xxx.img | dd of=/dev/rad[n] bs=16k
        where n = the ad device number of your CF card (check dmesg)
        (ignore the warning about trailing garbage - it's because of the digital signature)
        Linux:
        gunzip -c generic-pc-serial-xxx.img | dd of=/dev/hdX bs=16k
        where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX) - some adapters, particularly USB, may show up under SCSI emulation as /dev/sdX
        (ignore the warning about trailing garbage - it's because of the digital signature)
        Mac OS X:
        gzcat generic-pc-serial-xxx.img | sudo dd of=/dev/rdisk[n] bs=64k
        where n = the disk device number of your CF card (check Disk Utility)
        (ignore the warning about trailing garbage - it's because of the digital signature)
        Windows:
        physdiskwrite generic-pc-serial-xxx.img
    plug the CF card into the board
    plug the box into the network (LAN/WAN/...)
    power it up
    make sure that your console speed matches the setting in the BIOS; m0n0wall will use the same speed as the BIOS
    assign functions (LAN/WAN/OPT) to your interfaces
    change the LAN IP address over the serial console, or use the default (192.168.1.1; m0n0wall acts as a DHCP server by default)
    access the webGUI (user: 'admin', default password: 'mono')
    make the necessary changes to the default configuration

With the 1.8 version this mostly works, until I try to change the webgui to HTTPS with a diffferent port number. Then I get locked out.
This means that a restore of my old backup does not work. It's a nagging problem but I can work around it.

I ran into problems with the VPN as well, elsewhere on this forum I found that that problem could be caused by the 1.8.x firmware. By switching to 1.10bX I should be able to get a working VPN. Here the trouble begins.

After a clean install I get a prompt on the serial console for 1.8, but not for 1.10. Is there a fix for that behaviour?
Editing the image is unfortunately not an option since I don't have a native FreeBSD system. Therefore I can't change the configuration on the image.
I use an old PC Engines ALIX system (embedded pc, with a serial console for installation).

[andywhite]

Hi.  I haven't heard of the https problem. Easy to test. I'll take a look

What's the type of vpn your setting up and what problem are you experiencing  with it on 1.8

Lastly, what 1.10 image are you using, I'm guessing the serial. Have you tried the non serial image ? Once it's booted can you ping the 192.168.1.1 from an attached pc ? I can take a look at this too later in the week


BTW,  you can upgrade from 1.8 to 1.10 with re installing

[huub]

I'll try to test later, but that probably won't be before X-mas.

For configuration perhaps 169.254.1.1 might be an option instead of 192.168.1.1 (link-local address, perhaps with an option to disable it when all configuration has been done).

The first installation I tried from t1n1wall was 1.10, but I did not see how to get it working. The only reason to try 1.8 again.

As for the VPN, I think it is a IPsec connection similar to the one used in m0n0wall/t1n1wall, but the other side is a Linux-based router.
Again, I need some time to test which I don't have currently. I did read on this forum that VPN's do work better with 1.10 therefore I was hoping to install 1.10 before trying to get the VPN to work.

Currently my shortlists contains:
- getting 1.10 to work
- getting HTTPS to work for the configuration
- getting the VPN to work
And probably in this order...

[huub]

Finally been able to test.
Tested generic-pc-1.10b75.img and generic-pc-serlial-1.10b76.img.

A ping to 192.168.1.1 is not working and there is no response on web access on port 192.168.1.1.
Having no installation manual makes me wonder if I'm doing something wrong.
Not seeing what's happening is not encouraging.

Changing the old 32MB CF-card to a newer 2GB card with generic-pc-serlial-1.10b76.img did not change anything.

[andywhite]

r77 should resolve the https issue.

There are some very sparse docs here for install http://sourceforge.net/p/t1n1wall/wikidocs/Install/

smallwall (and m0n0wall) docs are the same instructions, http://smallwall.org/install.html

When you boot from 1.10.x , what console messages do you get after you BIOS messages ? ALIX is a popular board, and there aren't reports of this problem,  I have used 1.10 on APU and ALIX 2d3  , and I know some users are using ALIX without this issue.

There is one open bug where an ALIX system is having a boot problem for 1.10.x here http://sourceforge.net/p/t1n1wall/bugs/18/  , but I need to see your console logs to know where your problem might be.

[huub]

I followed the link. The 1.10 image stops with uhub1 like the other alix.

Below messages are from the startup-messages indicate the ACPI is a problem:
ACPI BIOS Error (bug): A valid RSDP was not found (20150515/tbxfroot-258)       
ACPI: Table initialisation failed: AE_NOT_FOUND                                 
ACPI: Try disabling either ACPI or apic support.

As for the system (an alix 2d3):
PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

I see there is an v0.99m available at the pc-engines site, but the updates do not mention any ACPI fixes (unless the ifdef fixes):
- Add support for SST49LF080 flash.
- Add support for TPM module on LPC bus.
- Fixed COM2 output enable.
- Add quick memory test option to setup (this also skips timer / RTC test, which can take up to one second).
- Attack overgrown ifdefs with a machete.
- Fix PCI bridge enumeration.
- Remove MFGPT workaround.
- Enable ROM access FExx'xxxx .. , make it read / write to allow TPM access.

I'll try to find some time to update.
I also saw some ATA errors. The old CF-card I used might be EOL, and I do like using a spare CF to be able to restore fast.
To be continued...

One other question a little off-topic:
I tried using pfsense to test some settings for ipv6 since I had a tutorial for IPv6 based on pfsense (using pfsense is not an option for me).
Are there known issues with IPv6 and DHCP-PD with t1n1wall version 1.8? (An answer yes or no would here be sufficient)

I tried configuring that with t1n1wall 1.8 and at one point got a valid address only to forget it after some time.
Never got a working IPv6 connection though. The IPv6 issues can wait until after I upgrade to 1.10.

[andywhite]

Are there known issues with IPv6 and DHCP-PD with t1n1wall version 1.8? (An answer yes or no would here be sufficient)

No, there are people using this feature AFAIK.  Sounds like it worked for you but didn't renew ?

[andywhite]

can you try b86, see if you systems boots 1.10 ?

[huub]

My router looks like:
LAN vr0 192.168.10.1
WAN vlan on vr2 DHCP
OPT1 vlan on vr1 192.168.20.1
OPT2 vlan on vr1 192.168.30.1

What I tried:
starting the last image of t1n1wall (version 1.10.2b89)
changing the IP-address from the LAN, OK
changing the webgui to https, OK
adding vlans, OK
adding OPT1 and OPT2, OK
activating OPT1 and assigning an IP-address, FAIL

The router fails like the network becomes unreachable on all interfaces!
both workstation->router and router -> workstation (ping from serial console).

I can mail you the startup log including the 0.99m BIOS from the ALIX. After 3 attempts I'm not going to try to post it here again.
One minor annoyance is a long timeout druing the boot at "ada0: Previously was known as ad0", which gets more annoying with each reboot and factory reset.

Unfortunately the 1.10 image is not useable for my router. I'm back to 1.8.

[andywhite]

thanks for the details, this is fixed in b90 now

[huub]

OK, this image seems to work (generic-pc-serial-1.10.2b90.img).
I tested the basic functionality and am currently busy filling in the firewall rules for IPv4 to begin with.

Thanks for your fast reply :-)