Installing pfSense 2.6 on ZimaBoard

I backed the ZimaBoard Single Board Server project on Kickstarter in early 2021. A couple of months ago it finally arrived, and the first project on the to-do list was to try it as a replacement for my overkill pfSense server (Dell R210 II Server), which consumed ~100W compared to ~6W for the ZimaBoard, a cost reduction of over £200 per year in electricity costs too. The ZimaBoard comes pre-installed with Casa OS on the onboard 32GB eMMC storage, but that can be overwritten with whatever software we want.

ZimaBoard 432 with an additional 2.5Gbps NIC installed

When I backed the project, I also bought an extra NIC, as I needed 3 connections if I was going to have a backup WAN link. However, there isn’t a way to mount the PCIe network card into the ZimaBoard and keep it secured. The usual riser bracket also has to be removed, as it would otherwise foul the case.

Note: This isn’t the setup I finally ended up running, but this is the journey I went on.

Installing pfSense

Here are the steps I followed to get pfSense 2.6.0 up and running on the ZimaBoard:

  • Download the latest pfSense USB Image from: https://www.pfsense.org/download/
    • Architecture: AMD64
    • Installer: USB Memstick Installer
    • Console: VGA
  • Write the USB Image to a USB Flash drive using Balena Etcher (or similar)
  • Attach a display and keyboard to the ZimaBoard
  • Insert the USB flash drive, now containing the pfSense installer image
  • Boot the ZimaBoard and follow the wizard to install pfSense, selecting the eMMC storage
    • The ZimaBoard supports up to 2 x SATA drives; depending on the features planned to be used on pfSense, consideration should be given to using a SATA SSD or HDD.
  • After installation completes I had to enter the BIOS and change the Boot option to MMC.

Realtek Network Drivers

The two onboard NICs are identified as Realtek PCIe GbE Family Controller and worked out of the box, though FreeBSD 12, which pfSense 2.6 is built on, doesn’t include the latest drivers. The left hand NIC was re0 and the other re1.

The 2.5GbE network card (Realtek RTL8125B) wasn’t detected after installation and required updated Realtek drivers to be installed. To install the updated drivers:

  • fetch -v https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/realtek-re-kmod-196.04.txz
  • pkg install -f -y realtek-re-kmod-196.04.txz
  • If not present, add the following configuration items to /boot/loader.conf:
    if_re_load="YES"
    if_re_name="/boot/modules/if_re.ko"
  • Reboot pfSense
  • After booting back up the additional NIC is detected, but re0 was the 2.5GbE NIC, re1 the left hand onboard NIC and re2 the rightmost NIC.
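
The driver steps above as a re-runnable script, added here as an example and not part of the original post. It adds each loader entry only when missing and corrects a stale or duplicated one; `set_loader_key`, `configure_realtek_loader` and the `apply` argument are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# "if not present, add to /boot/loader.conf" step for the Realtek driver.

PKG_URL="https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/realtek-re-kmod-196.04.txz"

# set_loader_key FILE KEY VALUE   (hypothetical helper)
# Leaves exactly one KEY="VALUE" line in FILE; prints ok, updated or added.
set_loader_key() {
    file=$1; key=$2; want="$2=\"$3\""
    [ -f "$file" ] || : > "$file"
    if grep -qxF "$want" "$file" && [ "$(grep -c "^${key}=" "$file")" -eq 1 ]; then
        echo ok
    elif grep -q "^${key}=" "$file"; then
        # A stale or duplicate entry exists: keep the first position, drop the rest.
        tmp="$file.tmp.$$"
        awk -v k="$key=" -v w="$want" '
            index($0, k) == 1 { if (!seen++) print w; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
        echo updated
    else
        # Make sure the appended entry starts on its own line.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            printf '\n' >> "$file"
        fi
        printf '%s\n' "$want" >> "$file"
        echo added
    fi
}

# configure_realtek_loader [FILE]: the two entries listed in the post.
configure_realtek_loader() {
    conf=${1:-/boot/loader.conf}
    set_loader_key "$conf" if_re_load YES
    set_loader_key "$conf" if_re_name /boot/modules/if_re.ko
}

# Full procedure from the post; runs only when called with "apply" on the firewall.
if [ "${1:-}" = "apply" ]; then
    fetch -v "$PKG_URL" &&
        pkg install -f -y "${PKG_URL##*/}" &&
        configure_realtek_loader &&
        echo "Reboot pfSense to load the updated if_re driver"
fi
```

pfSense can rewrite /boot/loader.conf when its own settings change, and Netgate's documentation recommends /boot/loader.conf.local for custom entries; `configure_realtek_loader` accepts that path as its argument.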

Configuration Tweaks for pfSense

If you are planning on using pfSense as a basic firewall/router, you should consider minimising the writes to the eMMC storage. If you are planning on using additional packages like ntopng, though, they will need more space than a RAM disk can provide.

  • System -> Advanced -> Miscellaneous -> RAM Disk Settings:
    • Check Use RAM Disks
    • Reboot pfSense.

Enable capabilities of the CPU (Intel Celeron N3450)

  • System -> Advanced -> Miscellaneous -> Cryptographic & Thermal Hardware:
    • Cryptographic Hardware: AES-NI CPU-based Acceleration
    • Thermal Sensors: Intel Core* CPU on-die thermal sensor

It’s unclear if pfSense is correctly supporting the CPU clock boost capabilities of the CPU, as it shows the clock speed as 1.1GHz. However, to give it a chance of working:

  • System -> Advanced -> Miscellaneous -> Power Savings:
    • Check: Enable PowerD
    • Set the policies to: Hiadaptive

Problems

Networking Issues

I ran this configuration for several weeks and noticed I was having problems with my backup network connection (via Starlink) going offline. Sometimes disabling and re-enabling the interface fixed it, sometimes a reboot of Starlink would fix it, and sometimes pfSense had to be rebooted. dmesg filled up with a stream of errors:

arpresolve: can't allocate llinfo for 100.64.0.1 on re1

Where re1 is the onboard GbE NIC connected to the Starlink, not the 2.5GbE NIC.

DNS errors from unbound were also being constantly logged to /var/log/resolver.log

May 25 22:26:18 pfsense-zimaboard unbound[75327]: [75327:3] error: recvfrom 26 failed: Protocol not available
May 25 22:26:18 pfsense-zimaboard unbound[75327]: [75327:1] error: recvfrom 24 failed: Protocol not available

Given the move from the Dell R210 II server to the ZimaBoard was both a hardware move and an upgrade from pfSense 2.4 to 2.6, it’s unclear if one or the other was the cause of the problems.

Solution

I decided to stop using any of the Realtek NICs and instead take the Intel quad port NIC (Intel(R) PRO/1000 ET 82576 (Quad Copper)) I had in the Dell server and use that. The card is significantly larger, so I also created a new wall mount to allow the Intel NIC to be secured.

Since switching to the Intel quad port NIC, I’ve not experienced any of the issues above.

ZimaBoard 432 with an additional Intel quad port NIC installed

BIOS & CPU Issues

pfSense System Information
  • BIOS version information is corrupted
  • DMI table is broken (possible cause of BIOS version info)
    dmidecode -t processor -t cache
    # dmidecode 3.3
    Scanning /dev/mem for entry point.
    SMBIOS 3.0.0 present.
    Invalid entry length (0). DMI table is broken! Stop.
  • The Intel N3450 CPU has a base clock frequency of 1.1GHz with a burst frequency of 2.2GHz. However, pfSense only shows the clock running at 1.1GHz; it’s unclear if this is just cosmetic or if it really isn’t bursting.
  • The speed issue seems similar to a post here on Reddit from 2019
  • The supported CPU speeds listed are:
    sysctl dev.cpu.0.freq_levels
    dev.cpu.0.freq_levels: 1101/0 1100/0 1000/0 900/0 800/0

Parts

2 thoughts on “Installing pfSense 2.6 on ZimaBoard”

  • 5th July 2022 at 5:24 pm

    Thank you for sharing your work. I have always read that the Intel NICs are preferable to the cheaper Realtek ones. Curious if your setup will route your fully allocated WAN download speed, and if you have a gigabit connection. Thanks again.

    • 5th July 2022 at 5:44 pm

      Hi,
      My broadband speed is only ~500Mbps via my Cable provider (Virgin Media) and the backup, StarLink connection runs between 200-400Mbps. My setup has no issue running at those speeds. Obviously, there are some plugins to pfSense which can add significant extra load, but the ZimaBoard seems to have more than enough capacity.

      Since moving to the Intel Pro 1000 NIC I’ve had less frequent issues with StarLink, but it still sometimes shows the gateway status as Pending but disabling and re-enabling the interface has “fixed” it each time it occurs. I suspect both the onboard Realtek NICs and the 2.5Gbps external NIC would work fine with the latest drivers, the only issue I had was the odd behaviour with StarLink.

      In the near future I may go back and try the Realtek-based solution again to see if I can narrow down the cause of the oddity.
