Tuesday, April 29, 2014

VyOS router/firewall on Alix board / Compact Flash

Out of laziness, I had been using the router my ISP gave me at home and connecting to my clients over PPTP tunnels. At some point I began to think about converting that stupid router into a bridge and using it in tandem with a professional router that would let me set up permanent tunnels to my clients. I considered an old Cisco 1741, but I ran into a PPTP pass-through issue. Another alternative was the Zyxel USG 20 for about 150 USD, but I thought there might be hardware around that price that would let me run VyOS. When I asked on LinkedIn, PC Engines was recommended.

PC Engines boards are fanless motherboards that consume only 5 watts and can run a long list of Linux distributions, most often firewall flavors. They have no fans, VGA, PS/2 or hard drives. A compact flash card is used for permanent storage. This is great for home users and even small offices. But how do you install VyOS on the compact flash?

That led me to do some research, and I found this very complete write-up published by Jason Antman (using Vyatta instead of VyOS). With the help of the VyOS forum and Jason Antman himself, I managed to install it. In return, I am publishing my experience here to help anyone in the future.

The ALIX2D13 has:
  1. 500 MHz (LX800) AMD Geode LX CPU - cache = 64KB instruction + 64KB data + 128KB L2 - integrated crypto accelerator
  2. 256 MB DDR SDRAM (400 MHz clock)
  3. 6" x 6"
  4. 3 Ethernet channels (Via VT6105M)
  5. Battery, so the clock is not lost (getting a board with a battery is recommended)
  6. Fanless, with no other mechanical parts
  7. about 5W of 12V DC power

I bought:
  1. the chassis 12.95
  2. power supply 9.95

Total 155.99 USD, shipping and taxes included.

I had:
  1. 4Gb compact flash
  2. usb-serial cable model XS8801 (a real serial port which always works).
  3. Any usb to CF adapter like this
  4. Laptop Lenovo G570 (without intel-VT) with Ubuntu 64 bits 14.04

The procedure is to use a virtual machine to install VyOS on the CF, then unplug the CF, plug it into the ALIX board and turn it on. We'll make some changes to write to the CF as little as possible in order to preserve its life; for that reason ext2 is used instead of ext4 or ext3. At the end we'll also minimize log writes.

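Plug the CF into the USB adapter and make sure it has no partitions and is not mounted. You may need to add yourself to the disk group (sudo usermod -aG disk <your username>, then log in again). Membership in that group gives raw read/write access to every block device on the host, so remove it once the card is written.
It is important not to define any Ethernet devices in the virtual machine, so that interface names are not rewritten when the kernel later boots on the physical board.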

ego@chancleta-PC:~$ sudo kvm-ok
[sudo] password for ego:
INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used

Neither KVM nor QEMU runs on my computer.
VirtualBox runs 32-bit VMs, but unfortunately it did not run vyos-1.0.2-i386.iso. Although vyos-1.0.2-i386-virt.iso runs pretty well in VirtualBox, we can't use it because its kernel is built for a virtualization environment, not for a real motherboard.
In the end, VMware Player was able to run vyos-1.0.2-i386.iso (the kernel that must run on the physical board).

Instead of using a file as the virtual machine's storage, we need to replace that file with our CF. Antman explains pretty well how to do this with VirtualBox, and for VMware it is explained here.

Once VyOS has booted, and before installing anything, we have to modify the installation script to avoid ext4.

  1. At the prompt after logging in, sudo su -
  2. Edit /opt/vyatta/sbin/install-system (hint: VyOS has nano installed. nano -c filename shows line numbers) and change the ROOT_FSTYPE variable (line 84) from “ext4” to “ext2”.
  3. Run install system. I used all default options (including one partition) and it seemed to work fine.
  4. When system-install finishes and you get the root prompt back, before rebooting, continue with some minor tweaks:
  5. mkdir /mnt/temp
  6. mount /dev/sda1 /mnt/temp
  7. cd /mnt/temp
  8. Edit boot/grub/grub.cfg and change all occurrences of “root=UUID=…” entries for the “linux” lines (lines 13, 18, 23, 28 in my grub.cfg) to “root=/dev/sda1”. My only real reason for this change is so that I can move my altered config files (config.boot, fstab and grub.cfg) with minimal changes when I upgrade or make a different vyatta CF card, without having to update the UUID for the new partition.
  9. Edit etc/fstab and change the “UUID=…” device to ”/dev/sda1”.
  10. shutdown.
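
The edits in steps 2, 8 and 9 can be scripted so they are repeatable when the next card is built. This is an added example, not part of the original procedure or of VyOS; ROOT_DEV, the function names, the file name fix-cf.sh and the --apply switch are assumptions, and it relies on GNU sed.

```shell
#!/bin/sh
# Added example: scripted form of the manual edits in steps 2, 8 and 9.
# ROOT_DEV, the function names and the --apply switch are assumptions.
# Needs GNU sed (-i edits the file in place).
ROOT_DEV=${ROOT_DEV:-/dev/sda1}

# Step 2 (run before the installer): use ext2; value may be quoted or bare.
patch_installer() {   # $1 = install-system script
    sed -i 's/^\(ROOT_FSTYPE="\{0,1\}\)ext4/\1ext2/' "$1"
}

# Step 8: rewrite root=UUID=... on kernel ("linux") lines only.
patch_grub() {        # $1 = grub.cfg
    sed -i "/^[[:space:]]*linux[[:space:]]/s|root=UUID=[^[:space:]]*|root=$ROOT_DEV|" "$1"
}

# Step 9: rewrite only the fstab entry whose mount point is /.
patch_fstab() {       # $1 = fstab
    sed -i "/^UUID=[^[:space:]]*[[:space:]]\{1,\}\/[[:space:]]/s|^UUID=[^[:space:]]*|$ROOT_DEV|" "$1"
}

# Check before shutdown that both files now name the device.
verify_cf() {         # $1 = grub.cfg, $2 = fstab
    ! grep -q 'root=UUID=' "$1" &&
        grep -q "root=$ROOT_DEV" "$1" &&
        grep -Eq "^$ROOT_DEV[[:space:]]+/[[:space:]]" "$2"
}

# Self-check on constructed sample files (not real VyOS output).
demo() {
    d=$(mktemp -d)
    printf '  linux /boot/vmlinuz root=UUID=1111-aaaa ro\n' > "$d/grub.cfg"
    printf 'UUID=1111-aaaa / ext2 defaults 0 1\n' > "$d/fstab"
    printf 'UUID=2222-bbbb /data ext2 defaults 0 2\n' >> "$d/fstab"
    patch_grub "$d/grub.cfg"; patch_fstab "$d/fstab"
    verify_cf "$d/grub.cfg" "$d/fstab" && grep -q '^UUID=2222-bbbb' "$d/fstab"
    rc=$?; rm -rf "$d"; return $rc
}

# On the VM, with the new CF mounted: sh fix-cf.sh --apply /mnt/temp
if [ "${1:-}" = "--apply" ]; then
    patch_grub "$2/boot/grub/grub.cfg"
    patch_fstab "$2/etc/fstab"
    verify_cf "$2/boot/grub/grub.cfg" "$2/etc/fstab" || exit 1
fi
```

A non-zero exit from the --apply run means one of the two files still does not name the device, which is easier to find out in the VM than over the serial console.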

Once the VM is stopped, you can remove the CF card from the adapter and plug it into the board.

The PCEngines Alix.2 boards use a default serial console speed of 38400 baud and VyOS uses a default speed of 9600 baud. Once I got the CF card installed in the Alix board and hooked it up to my laptop (null modem cable to the USB to serial adapter, minicom for terminal emulation), I set my terminal emulator to 38400 8N1, powered the board, and then pressed ‘s’ during POST to get into BIOS settings. Option ‘9’ sets the Alix to 9600 baud, ‘Q’ to quit, and ‘Y’ to save changes permanently. The board will reboot, and once the terminal emulator is set back to 9600 baud, serial console should work fine both in BIOS and in the OS.
If all worked well, you should be able to boot into VyOS and login as the default “vyos” user (which you set a password for during the install). Assuming you know your way around VyOS, it’s pretty standard from here, though there are a few things you may want to check or configure right away:

In configuration mode (configure) run show interfaces. All of your physical ethernet interfaces should appear, along with their MAC addresses.
Some changes will reduce the number of log writes to the CF card:

  1. set system syslog console facility all level warning
  2. set system syslog global facility protocols level warning

Configure interfaces with firewalls, IP addresses or DHCP, etc.
Do whatever other configuration you need for a minimal system - dhcp, dns, nat, etc.

And that’s it - this should give you a working VyOS system on CF on an Alix board.