2019-01-25 New Firewall
I've just finished installing a new firewall machine for my home network, and
I thought I'd write about it here in the interest of having something to write
about, and because it's useful to talk about how things went so other people
can learn from your experience. So here goes.
The firewall's hardware is an NA204 network server appliance from
Mini-ITX.com, with a Seagate Barracuda 500GB hard
disk. I had the Mini-ITX store build it, which means it comes with a 3-year
warranty - can't argue with that. The NA204 is based on the Jetway JNF9HG-2930
motherboard, which has a quad-core Intel N2930 Celeron processor clocked at
1.83GHz, 4GB of RAM and integrated Intel graphics. In addition to all that,
this unit has a daughterboard with four gigabit Ethernet ports, which makes
it ideal for jobs like this.
Softwarewise, we're running pfsense 2.4.4
which is based on FreeBSD 11.2. It's
a UNIX, which means I can get into its guts if I need to (though I'm not as
familiar with it as I am with Linux). That became relevant during the
install, as I'll mention later.
The installation process was pretty standard, at first. I burned the pfsense
installer to CD from an ISO image (after checking the checksum), slipped the
disc into a USB optical drive and plugged it into the front panel of the NA204,
along with a monitor and keyboard. The UEFI on the motherboard picked up the
optical drive without any problems, and gave me an option to boot from it (press
F7 during startup to pop up a boot menu), and the installer ... choked. It
gave me a nice ASCII-art welcome screen and started scrawling bootup
information on the screen, and then just stopped.
It turns out that on certain graphics cards, the FreeBSD 11.2 installer is known
to fail to correctly discover the properties of the screen, and it tries to set
the resolution to a size the GPU can't support, and the GPU gives up and dies.
Thankfully, it's an easy problem to fix. As
The Geek Pub's "pfsense-hangs-at-booting"
states, there's a kernel parameter (kern.vty="sc") that will set the resolution
and disable discovery, so I passed that to the installer kernel at boot time
and then dropped the relevant parameter into the bootloader config
(/boot/loader.conf) with vi so that it would always apply in the future.
At that point, the install proceeded to completion and it was on to
configuration, firstly of the interfaces. I thought this was pretty neat. To
tell the machine that a particular interface is the WAN port, for example, you unplug all network cables from the machine, select "WAN port" and "auto", and
plug in a network cable that has a device of some kind on the other end. pfsense
will then notice the Link Up event from that cable being plugged in, and
associate the port it came from with that interface. And so on for the other
ports (LAN and WAN are required for obvious reasons, and I assigned the other
two interfaces to WIFI and DMZ for future use). Very neat. A DHCP server came
up automatically on the LAN port, which had set itself to 192.168.1.1 by default.
Unfortunately, my ISP's modem's wifi router was handing out 192.168.1.x addresses,
and I'd disconnected from the wifi but not disabled the wifi adaptor. This meant
that my wifi card had 192.168.1.1, and was hanging on to it in case it
reconnected. There then followed
a tiresome dance of my plugging a cable between my laptop and the firewall and
trying to go to the firewall's webconfig page to finish setting it up, and my
laptop saying "...there's nothing there." Of course, I pinged it to see if the
web browser was lying, and I got a response! It took a depressingly long time
to work out that the response I was getting was from my own wifi card. Then I
reset the firewall's LAN port and DHCP to 192.168.2.x and everything started
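The address clash above is worth a quick check before trusting any ping reply from a freshly installed firewall: if the target address is also held by one of your own interfaces, the reply may have come from your own machine. The script below is an added example and not code from the original post. It assumes the laptop runs Linux and that `ip -o -4 addr` is available (the post does not say which OS the laptop ran); the address table it parses is a constructed sample embedded in the script so it runs offline, and it goes slightly beyond the post by also reporting which interface holds the clashing address.

```shell
#!/bin/sh
# Added example, not code from the original post. Before trusting a ping reply
# from a newly installed firewall, check whether the target address is actually
# assigned to one of this laptop's own interfaces. Linux `ip -o -4 addr` output
# format is assumed; a constructed sample is embedded so the check runs offline.

# Constructed sample of `ip -o -4 addr` output (not captured from a real machine):
# a wired port on 192.168.2.x and a still-enabled wifi adaptor holding 192.168.1.1.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.2.57/24 brd 192.168.2.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: wlan0    inet 192.168.1.1/24 brd 192.168.1.255 scope global wlan0\       valid_lft forever preferred_lft forever'

# addr_table [text]: print `ip -o -4 addr` style lines, either the text given as
# the first argument or, with no argument, the live table from this machine.
addr_table() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1"
    else
        ip -o -4 addr 2>/dev/null
    fi
}

# local_ipv4_addrs [text]: one IPv4 address per line, prefix length stripped.
local_ipv4_addrs() {
    addr_table "$@" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "inet") { ip = $(i + 1); sub("/.*", "", ip); print ip }
    }'
}

# interface_holding ADDR [text]: name of the local interface holding ADDR
# (field 2 of the `ip -o` line); prints nothing if no interface holds it.
interface_holding() {
    addr=$1; shift
    addr_table "$@" | awk -v want="$addr" '{
        for (i = 1; i < NF; i++)
            if ($i == "inet") {
                ip = $(i + 1); sub("/.*", "", ip)
                if (ip == want) print $2
            }
    }'
}

# is_local_addr ADDR [text]: succeed (exit 0) when ADDR is a local address.
is_local_addr() {
    addr=$1; shift
    local_ipv4_addrs "$@" | grep -qxF "$addr"
}

# check_target ADDR [text]: say whether a ping reply from ADDR could have come
# from this machine itself. Returns 1 for a local address, 0 otherwise.
check_target() {
    addr=$1; shift
    if is_local_addr "$addr" "$@"; then
        echo "WARNING: $addr is held by local interface $(interface_holding "$addr" "$@"); a ping reply proves nothing about the firewall"
        return 1
    fi
    echo "OK: $addr is not a local address; a ping reply would come from the network"
    return 0
}

# Demo against the constructed sample; drop the second argument to use the live
# address table of the machine the script runs on.
demo() {
    check_target 192.168.1.1 "$SAMPLE_ADDRS" || :
    check_target 192.168.2.1 "$SAMPLE_ADDRS"
}
demo
```

Run with no second argument (`check_target 192.168.1.1`) on the laptop itself to test the live address table; a warning means the wifi adaptor (or another interface) should be disabled before the firewall's web configurator is assumed to be unreachable.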
So there you have it: the story of my pfsense install. I'm liking pfsense,
because it's highly configurable and exposes a lot of options. That same option
profusion makes it... probably not ideal for inexperienced users - I've been
maintaining house-LANs for years and I don't understand some of the options yet.
But, if you're looking for a tough, reliable, configurable firewall I'd
recommend pfsense. And if you want a machine to run it on, the NA204 is really
2018-10-22 Living in a box
OK, new flat, new start - in theory, at least. It's a month and two days
since I moved in here ("here" being Milton, a couple of miles north of where
I used to be), and everything is still everywhere but things are starting to
get sorted out. The kitchen is usable if I'm willing to shift stuff about to
make room on the worksurfaces, and I can walk into and out of all the rooms
and more or less use them for their assigned purpose. Still need to assemble
the media centre and get the packed clothes off the sofa, but it's not too
bad for somewhere I live.
This is not forever. It's a small flat with a cheap rent and slightly
questionable facilities, on a 12-month contract with the option to extend at
expiry. Long enough to get my feet under me, have a damned good sort-out and
get rid of some stuff I don't need. Long enough to get my head back together
and find somewhere to live longer term.
In other news, hey, glasshalfempty's up again. The new place struggles to
manage 1Mbps, so I'm not hosting the site in my living room any more - we're
coming to you live from a linode in Frankfurt and I upgraded the site to use
Python3 while I was at it. Easier to upgrade now, while there's not much to
2018-07-20 Life in boxes, 2018 edition
An out-of-band update here, to note the following: I've just received two
months' notice on my flat, meaning that the landlord wants to take possession
of it no later than the 20th of September. This kind of thing is why I hate
renting - the lack of control, the lack of warning, the difficulty of planning
anything when you don't know when someone you've never met is going to pull the
rug out from under your feet. It sucks. It happens. Gotta get over it.
So, I've rented a storage unit and ordered in some flatpacked moving boxes, and
I'm going to start looking for another rental in the next few days. I was
planning on trying to buy a place of my own over the coming winter, but that's
out the airlock now: there's no real chance of exchanging, completing and
moving in two months and once I'm moved to a new place I should probably stay
there for at least six months/a year (since that'll be the initial rental
contract). The move, at least, gives me an opportunity to declutter and
reorganise in a way that's difficult when everything is in its familiar place
- I'm aiming to shed up to 20% of my equipment volume, which should make the
second move substantially easier when the time comes.
Let's see what happens. I'm going to a LARP event next weekend and a
convention the weekend after, both booked months ago, so I'll survey the market
and move stuff to storage until after the con, then start looking in earnest.
2018-02-28 Technical Debt
It's been a very long time.
Some of the wait is because I kept being busy, having better, more urgent or somehow more distracting things to do. Some of it is because the feedback loop through the old site is broken (along with the old site), so I don't remember that it's important or interesting to some people. Some of it is because the hardware upgrade stalled amidst a series of sick hard disks a couple of years ago, and I haven't gotten back to it. Doesn't really matter.
I've been drowning in details for the last few years, I think, and hadn't realised until very recently. I don't like putting things online that aren't the best I have: if people are going to have the opportunity to critique something I've made, I'd like it to be as good as I can make it. Less than perfection, say some parts of my mind, is waste. There are at least three versions of New GHE that will never see the light of day, because I abandoned them because they were wrong or incomplete or poorly designed.
I'm going to try not to care about that any more. This is an experiment, but fundamentally I'm an information designer/software engineer/technical author/whatever. I trained as an embedded software developer, and a computer and AI scientist. I never trained as a web designer. I've never claimed that my websites are the best they can be, and chances are that this one won't be. It'll be as secure as I can make it, because that sort of thing matters, but it won't have lots of features or use up-to-the-minute CSS or be perfectly standards compliant at all times.
Here's the very beginning of Glasshalfempty 3.0, or 3.0.0-alpha1, I think we'd call it at work - the first alpha version of 3.0. It's incomplete and probably buggy, there isn't even a blog here yet, just a framework and some HTML and CSS. I'll bring more things online in time.
But I got some queries from old friends recently that made me wonder why it wasn't online, and I found I had no good answer, only excuses. So here we are. Join me round the campfire, I guess in companionable silence for now. Blogging, commenting, all that fun stuff, is in the future, so silence is the only option you have anyway.