Aaron N. Tubbs

Dragon chaser.

I’ve been running m0n0wall on a Soekris net5501 literally without issue or reboot for several years. Prior to that I was operating in a similar configuration, but with a net4801. While that configuration was fantastic, the net4801 could relatively easily reach CPU saturation under heavy concurrent flows or when routing several streams over 30Mbps (my Internet, while not fantastic, can pretty consistently deliver 60Mbps downstream and 8Mbps upstream).

I had only two problems, then. The first was that I needed a project. The second was that the net5501 has interfaces at 100Mbps, and I frequently wanted to do inter-port transmissions through the router (for various reasons) that I did not want to run only through the switch. Additionally, there were several features that I wanted to experiment with that would be easier to accomplish with a slightly heavier-weight software package (one that I felt would perhaps struggle on the net5501).

So, I picked up a Soekris net6501. This hardware is moderately more powerful (running an Intel Atom instead of an AMD Geode). It has more than double the RAM, uses Intel gigabit NICs, and trivially supports mSSD storage instead of Compact Flash.

I picked up a 20GB Intel SLC mSSD for about a dollar a gigabyte, which seemed like a steal. In addition to being safe to write to regularly (unlike CF, which limited logging and required spooling most things to RAM to avoid destroying the card), it’s absurdly faster.

I selected pfSense as the software stack, as it has all of the features I’d come to know and love from m0n0wall, but with some extras.

Getting pfSense installed was a bit of a hassle, as I didn’t want to use an embedded image (which forgoes the aforementioned use of the mSSD for bidirectional IO), despite the embedded hardware. The easiest approach ended up being installing the mSSD unformatted, writing a USB key with the live image, and then installing to the SSD from the stick via the serial console.

The serial console was a bit fun because I didn’t have a null modem cable, and while the Soekris boots at 19200, the live image boots at 9600. This was relatively trivial to work around, but required digging up things I’d forgotten about in the 15 years or so since I last used a modem.

After that, things went pretty smoothly. pfSense has a lot of nice convenience features that m0n0wall lacked, and it was pretty straightforward to reinstate all of the previous functionality, along with a few nice changes (such as switching from PPTP to IPsec for iOS VPN tunneling). All told, it seems to be pretty great so far. I suppose I could repurpose the net5501 as a hot CARP failover, but given its reliability, for my purposes I suspect something else in the current network stack is far more likely to fail before that point.

The only remaining piece in this project, then, is upgrading the switching fabric to something that will support single-switch VLANs, but that should be pretty straightforward.