How to Build a Firewall with Zima and a 2.5GbE Intel NIC
Since the release of ZimaBoard, many users have shown great interest in building their own firewall using pfSense. However, although the official pfSense image has been iterated and optimized for rtl8111 driver support, the Realtek network card on the ZimaBoard has not been the best choice for the pfSense and OPNsense communities.
Both ZimaBoard and the first product to be launched in 23 years will continue the design of the PCIe expansion interface. This allows you to freely expand several different types of network cards, including different solutions for 10GbE, 2.5GbE, and multi-gigabit.
To make it convenient for all users to use ZimaBoard and Intel NIC PCIe x4, our friend, Bill, has put together a tutorial with text and images during his own construction of a home firewall, hoping to help those who are interested in similar topics.
Build Your Own Firewall: Getting Started Checklist
- 1 – PC or Macintosh Computer
- 1 – Mini DisplayPort to DisplayPort Adapter or Mini DisplayPort to HDMI
- 1 – Monitor with DisplayPort or HDMI
- 1 – Keyboard
- 1 – Ethernet Cable
- 1 – balenaEtcher / Rufus or another disk image creation tool
- 1 – pfSense Image
- 1 – Zimaboard (Model 216/432/832*)
- 1 – USB Flash Drive (at least 1GB)
- 1 – SATA Hard Drive (Optional)
- 1 – Intel NIC PCIe x4 (Optional)
Download pfSense Image
- Image – https://www.pfsense.org/download/
- Architecture: AMD64 (64-Bit)
- Mirror: Austin, TX USA (select a location in your region)
- Click on Download
By default, this will be saved to your Downloads folder on Windows or Mac unless the user has changed the download location.
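The download step above can be followed by an integrity check before the image is written to USB. This is an added example, not part of the original tutorial: it assumes you also saved the SHA-256 checksum file offered alongside the download, and the function names and usage file names are placeholders.

```shell
#!/bin/sh
# Added example: check a downloaded installer against its published SHA-256.
# Exit status: 0 = match, 1 = mismatch, 2 = could not check.

sha256_of() {   # print the lowercase hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    fi
}

expected_digest() {   # $1 = checksum file, $2 = image file name to look up
    awk -v want="$2" '
        { sub(/\r$/, "") }                           # tolerate CRLF line ends
        /^SHA256 \(/ {                               # BSD style: SHA256 (name) = hex
            name = $0
            sub(/^SHA256 \(/, "", name); sub(/\) = [0-9A-Fa-f]+$/, "", name)
            if (name == want && length($NF) == 64) { print tolower($NF); exit }
            next
        }
        length($1) == 64 && $1 !~ /[^0-9A-Fa-f]/ {   # GNU style: hex, 2 chars, name
            if (substr($0, 67) == want) { print tolower($1); exit }
        }' "$1"
}

verify_image() {   # $1 = image, $2 = checksum file
    img=$1; sums=$2; name=$(basename "$img")
    if [ ! -r "$img" ] || [ ! -r "$sums" ]; then
        echo "cannot read image or checksum file" >&2; return 2
    fi
    want=$(expected_digest "$sums" "$name")
    if [ -z "$want" ]; then
        echo "no SHA-256 entry for $name in $sums" >&2; return 2
    fi
    got=$(sha256_of "$img")
    if [ -z "$got" ]; then echo "no SHA-256 tool found" >&2; return 2; fi
    if [ "$got" = "$want" ]; then
        echo "OK: $name matches the published digest"
    else
        echo "MISMATCH: $name ($got), do not write it to USB" >&2; return 1
    fi
}

# Usage (placeholder names): sh verify_image.sh <image.img.gz> <image.img.gz.sha256>
if [ "$#" -eq 2 ]; then verify_image "$1" "$2"; fi
```

The lookup is by file name, so a checksum file saved for a different release is reported as "no entry" rather than as a mismatch.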
Create a bootable image of pfSense
This step is applicable to all different third-party systems. Please refer to this tutorial to create your bootable pfSense USB drive: https://docs.zimaboard.com/docs/Universal-third-party-system-installation-tutorial.html
Preparation to boot to USB Flash Drive
- Power on the ZimaBoard and, during initialization, hit the DEL key to open the System BIOS. Arrow over to the Boot page and change Boot #1 to the attached USB Flash Drive.
Arrow over to Save & Exit. Arrow down to Save Changes and Exit. At the confirmation prompt, arrow over to Yes.
pfSense Installation
- Allow the boot process to complete undisturbed. A pfSense Boot Menu will appear and, lastly, a copyright and distribution notice will flash on the screen.
Hit Enter to accept. This will bring up the Welcome to pfSense! menu. Press I or hit Enter to proceed with the installation process.
Keymap Selection: the installer will detect and offer an acceptable default selection, such as the US keyboard map. Other keymaps can be chosen if desired.
Press Enter to continue.
- Partitioning: Auto (ZFS) is the preferred installation method. Press Enter to continue.
Select Pool/Disks, Virtual Device Type
Since pfSense will be installed to the onboard memory on the ZimaBoard, select Stripe – No Redundancy. Next, select where to install pfSense: use the arrow keys to highlight the correct installation target and hit the spacebar.
Note: in this example, da0 is the USB Flash Drive. No SATA Hard Drive is connected to the ZimaBoard, and onboard storage appears as mmcsd0. Arrow down to mmcsd0 and hit the spacebar, then arrow down and hit Enter on OK.
- Now we are ready to proceed with the installation process. Install (Proceed with Installation) should be highlighted.
Press Enter on Select.
A final warning will appear, asking whether you want to erase (destroy) all contents on the selected disk. Arrow over to Yes to continue. The pfSense installation will proceed until the progress bar reaches 100% and the installation is complete.
- Once the installation has been completed, a Manual Configuration prompt appears, asking whether you would like to open a shell for any final modifications.
Hit Enter on No to proceed.
- A final confirmation states that the installation of pfSense is complete. The options are to reboot or to open a shell.
Hit Enter on Reboot.
Note: the USB Flash Drive is still the first boot device. You need to re-enter the BIOS to change the boot order, or the system will boot from the Flash Drive again.
Welcome to pfSense
During the reboot, hit DEL to enter the System BIOS. On the Boot tab, change Boot #1 and make sure it points at the internal storage (mmcsd).
Make sure to remove the USB Flash Drive from the ZimaBoard and plug an Ethernet cable into the Ethernet port closest to the Mini DisplayPort. Arrow over to Save & Exit and arrow down to Save Changes and Exit. Confirm by arrowing over to Yes.
The ZimaBoard will now boot into the pfSense Command-Line Interface (CLI). Allow pfSense to fully boot up before proceeding.
Once pfSense has fully booted up, one is presented with a myriad of options. Make note of the IP address next to WAN IPv4, i.e. 192.168.1.xxx.
Open a web browser on a PC or Mac and enter the WAN IP address in the address bar.
Depending on your browser, a “Warning: Potential Security Risk” message may pop up, because pfSense serves its web interface over HTTPS with a self-signed certificate. In Firefox, click Advanced, then Accept the Risk and Continue. In Chrome, click Advanced, then proceed to xxx.xxx.xxx.xxx.
When the pfSense Portal appears, enter the following credentials:
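Username: admin
Password: pfsense
This will bring you into the pfSense Dashboard. These are the factory-default credentials; change the admin password under System > User Manager once you are logged in.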
The following steps are for those who purchased an Intel i-225-V 2.5GbE NIC, which is available from various resellers and also from ZimaBoard, priced competitively.
The current version of pfSense, 2.6.0, does not include drivers for the Intel i-225-V. However, the drivers are included in pfSense+ and in the next release of Community Edition, 2.7.0.
pfSense+ has been made available for bare-metal non-Netgate hardware; one just needs to purchase the license, free of charge, from the Netgate website.
Find PFSENSE+ HOME or LAB. Note that certain features are available only with paid licenses.
Scroll down to Register Now. Add the PFSENSE+ Software Subscription for $0.00, and select the appropriate subscription type, Home or Lab. Then add it to the cart. Click on your Cart and proceed to Check Out, and place a check next to the Terms and Conditions, EULA, etc. Click on Checkout to create a free Netgate account or log in to an existing account.
Once you successfully complete the purchase, an Activation Token will be emailed to you with instructions on how to activate the license.
Go to System > Register. In the large text box, enter the Activation Token that was emailed to you and click on Register.
A message along the top will say “Thank you for choosing Netgate pfSense®. Your firewall has been successfully registered On your next visit to the System/Update page, select pfSense® Plus software from the list of repositories.”
Under Branch, select pfSense Plus Upgrade.
Files will be downloaded [xxx/xxx] (in our example, 167 files). Once the download is fully complete, the ZimaBoard will restart and boot back into the pfSense CLI. The web browser will attempt to log back into the Dashboard.
If you have not already plugged the i-225-V into the PCIe x4 slot, select option 6 from the pfSense+ CLI to halt the system. The ZimaBoard will power down; disconnect the power adapter and securely connect the i-225-V to the PCIe slot.
Reconnect the power and wait until the pfSense+ CLI boot menu appears. From your web browser, log back into the pfSense Portal. Once the Dashboard appears, click on Interfaces; this will show all available interfaces (Ethernet ports).
By default, only the WAN interface appears. Click on the Add button until all interfaces are available. If you purchased the 4-port i-225-V, its interfaces (igc0, igc1, igc2, igc3) will appear, along with re1 (the second Ethernet port on the ZimaBoard).
Click on Save. Now one can change the WAN interface to any of the 2.5GbE ports on the Intel i-225-V. Configure pfSense+ to match your existing router settings, and now you have a fully featured router/firewall/VPN.
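If the igc ports do not show up under Interfaces, the pfSense shell can tell you whether a driver has claimed the card, which is the difference between pfSense 2.6.0 and pfSense+ described above. This is an added example, not part of Bill's tutorial; the function names and the sample `pciconf -l` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# On the firewall: console option 8 (Shell), then  pciconf -l | nic_driver_report
# pciconf prefixes each PCI device with the driver instance that claimed it
# ("igc0@pci0:..."); a device that no driver claimed is listed as "noneN@...".

nic_driver_report() {   # stdin: `pciconf -l` output
    awk '/class=0x020000/ {             # PCI class code for an Ethernet controller
            split($1, part, "@")
            if (part[1] ~ /^none[0-9]+$/) { print "NO-DRIVER", part[2] }
            else                          { print "ATTACHED", part[1] }
        }'
}

count_attached() {      # $1 = driver prefix such as igc or re; stdin as above
    nic_driver_report | awk -v p="$1" '
        $1 == "ATTACHED" && $2 ~ ("^" p "[0-9]+$") { n++ }
        END { print n + 0 }'
}

# Constructed samples, trimmed to the two fields the parser reads.
sample_no_igc_driver() {   # 4-port card fitted, release without the igc driver
    printf '%s\tclass=%s\n' \
        'hostb0@pci0:0:0:0:' 0x060000 \
        're0@pci0:2:0:0:'    0x020000 \
        're1@pci0:3:0:0:'    0x020000 \
        'none0@pci0:5:0:0:'  0x020000 \
        'none1@pci0:6:0:0:'  0x020000 \
        'none2@pci0:7:0:0:'  0x020000 \
        'none3@pci0:8:0:0:'  0x020000
}

sample_igc_attached() {    # same hardware once the igc driver is present
    printf '%s\tclass=%s\n' \
        'hostb0@pci0:0:0:0:' 0x060000 \
        're0@pci0:2:0:0:'    0x020000 \
        're1@pci0:3:0:0:'    0x020000 \
        'igc0@pci0:5:0:0:'   0x020000 \
        'igc1@pci0:6:0:0:'   0x020000 \
        'igc2@pci0:7:0:0:'   0x020000 \
        'igc3@pci0:8:0:0:'   0x020000
}

# Demo on the constructed data; on the firewall, pipe real `pciconf -l` output in.
sample_no_igc_driver | nic_driver_report
```

NO-DRIVER lines mean the card is seated and visible on the PCI bus but the running release has no driver for it; no Ethernet lines beyond re0 and re1 point to a seating or slot problem instead.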
Big THANKS to Bill and enjoy your DIY firewall
We would like to express our sincere gratitude to Bill for the time and effort he has put into creating this tutorial. Throughout the process, Bill has updated several versions, always striving to cover all the details and suggestions from his deployment experience as comprehensively as possible. We encourage users with different ways of using Zima to directly contact us via Discord or email through the “Contact Us” option. We would love to hear your thoughts and ideas and share them with the community.