How to Build Firewall with Zima and 2.5GbE Intel NIC?

Since the release of ZimaBoard, many users have shown great interest in building their own firewall using pfSense. However, although the official pfSense image has been iterated and optimized for RTL8111 driver support, the Realtek network card on the ZimaBoard has not been the best choice for the pfSense and OPNsense communities.

Both ZimaBoard and the first product to be launched in 23 years will continue the design of the PCIe expansion interface. This allows you to freely expand several different types of network cards, including different solutions for 10GbE, 2.5GbE, and multi-gigabit.

To make it convenient for all users to use ZimaBoard and Intel NIC PCIe x4, our friend, Bill, has put together a tutorial with text and images during his own construction of a home firewall, hoping to help those who are interested in similar topics.

Build Your Own Firewall: Getting Started Checklist

  • 1 – PC or Macintosh Computer
  • 1 – Mini DisplayPort to DisplayPort Adapter or Mini DisplayPort to HDMI
  • 1 – Monitor with DisplayPort or HDMI
  • 1 – Keyboard
  • 1 – Ethernet Cable
  • 1 – balenaEtcher / Rufus or another disk image creation tool
  • 1 – pfSense Image
  • 1 – Zimaboard (Model 216/432/832*)
  • 1 – USB Flash Drive (at least 1GB)
  • 1 – SATA Hard Drive (Optional)
  • 1 – Intel NIC PCIe x4 (Optional)

Download pfSense Image

  • Image – https://www.pfsense.org/download/
  • Architecture: AMD64 (64-Bit)
  • Mirror: Austin, TX USA (select a location in your region)
  • Click on Download

By default, this will be saved to your Downloads folder on Windows or Mac unless you have changed the download location.

Create a bootable image of pfSense

This step is applicable to all different third-party systems. Please refer to this tutorial to create your bootable pfSense USB drive: https://docs.zimaboard.com/docs/Universal-third-party-system-installation-tutorial.html

Preparation to boot to USB Flash Drive

  1. Power on the Zimaboard and, during initialization, hit the DEL key to open the System BIOS. Arrow over to the Boot page and change Boot #1 to the attached USB Flash Drive.

Arrow over to Save & Exit. Arrow down to Save Changes and Exit. At the confirmation prompt, arrow over to Yes.

pfSense Installation

  2. Allow the bootup process to complete undisturbed. A pfSense Boot Menu will appear and, lastly, a copyright and distribution notice will flash on the screen.

Hit Enter to Accept. This will bring up the Welcome to pfSense! menu. Click on I, or hit Enter, to proceed with the installation process.

Keymap Selection: the installer will detect and offer an acceptable default selection, i.e. US Keyboard map. Other keymaps can be chosen if desired.

Hit Enter to continue.

  3. Partitioning: Auto (ZFS) is the preferred installation method. Hit Enter to continue.

ZFS Configuration: Select Pool/Disks, Virtual Device Type.

Since pfSense will be installed to the onboard memory on Zimaboard, select Stripe – No Redundancy. Next, we will select where we want to install pfSense: use the arrow key to highlight the correct installation path, and hit the spacebar.

Note: in this example, da0 is the USB Flash Drive. No SATA Hard Drive is connected to the Zimaboard, and onboard storage appears as mmcsd0. Arrow down to mmcsd0 and hit the spacebar, then arrow down and hit Enter on OK.

  4. Now we are ready to proceed with the installation process. Install (Proceed with Installation) should be highlighted.

Hit Enter on Select.

A final warning will appear, asking whether you want to erase (destroy) all contents on the selected disk. Arrow over to Yes to continue. The pfSense installation will proceed; it is complete once the progress bar has reached 100%.

  5. Once the installation has been completed, a Manual Configuration prompt appears, asking if you would like to open a shell for any final modifications.

Hit Enter on No to proceed.

  6. A final confirmation states that the installation of pfSense is complete. The options are to reboot or to open a shell.

Hit Enter on Reboot.

Note: the USB Flash Drive is still the first boot device. Re-enter the BIOS to change the boot order, or the system will boot from the Flash Drive again.

During the reboot, hit DEL to enter the System BIOS. On the Boot tab, change Boot #1 and make sure it points at the internal storage (mmcsd).

Make sure to remove the USB Flash Drive from Zimaboard and plug an Ethernet cable into the Ethernet port closest to the mini-display port. Arrow over to Save & Exit and arrow down to Save Changes and Exit. Confirm by arrowing over to Yes.

Zimaboard will now boot into the pfSense Command-Line Interface (CLI). Allow pfSense to fully boot up before proceeding.

Once pfSense has fully booted up, you are presented with a myriad of options. Make note of the IP address next to WAN IPv4, i.e. 192.168.1.xxx.

Open a web browser on a PC or Mac and enter the WAN IP address in the address bar.

Depending on your browser, a warning such as “Warning: Potential Security Risk” will pop up, because the pfSense web interface uses a self-signed certificate by default. In Firefox, click on Advanced and then Accept the Risk and Continue. In Chrome, click on Advanced and then Proceed to xxx.xxx.xxx.xxx.

When the pfSense Portal appears, enter the following credentials:

Username: admin
Password: pfsense

This will bring you into the pfSense Dashboard.

The following applies to those who purchased an Intel i-225-V 2.5 Gb/s NIC, available from various resellers and also from Zimaboard, priced competitively.

The current version of pfSense, 2.6.0, does not support the Intel i-225-V drivers. However, the drivers are supported by pfSense+ and by the next release of Community Edition, 2.7.0.

pfSense+ has been made available for bare-metal non-Netgate products; one just needs to purchase the license, free of charge, from the Netgate website.

Find PFSENSE+ HOME or LAB. Note that certain features are available only to paid licenses.

Scroll down to Register Now. Add the PFSENSE+ Software Subscription for $0.00, and select the appropriate subscription type, Home or Lab. Then add it to the cart. Click on your Cart and proceed to Check Out, and place a check next to the Terms and Conditions, EULA, etc. Click on Checkout to create a free Netgate account or log in to an existing account.

Once you successfully complete the purchase, an Activation Token will be emailed to you with instructions on how to activate the license.

Go to System>Register. In the large text box, enter the Activation Token that was emailed to you and click on Register.

A message along the top will say “Thank you for choosing Netgate pfSense®. Your firewall has been successfully registered On your next visit to the System/Update page, select pfSense® Plus software from the list of repositories.”

Select System>Update

Under Branch select pfSense Plus Upgrade

Files will be downloaded [xxx/xxx] (167 files in our example). Once the download is fully complete, Zimaboard will restart and boot back into the pfSense CLI. The web browser will attempt to log back into the Dashboard.

If you have not already plugged the i-225-V into the PCIe x4 slot, select option 6 from the pfSense+ CLI to halt the system. The Zimaboard will power down; remove the power adapter and securely connect the i-225-V to the PCIe slot.

Reconnect the power and wait until the pfSense+ CLI boot menu appears. From your web browser, log back into the pfSense Portal. Once the Dashboard appears, click on Interfaces; this will show all available interfaces (Ethernet ports).

By default, only the WAN interface appears. Click on the Add button until all interfaces are available. If you purchased the 4-port i-225-V, its interfaces (igc0, igc1, igc2, igc3) will appear, along with re1 (the 2nd Ethernet port on Zimaboard).
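
If the igc ports are missing from this list, check whether a driver attached to the card at all, which is the pfSense 2.6.0 limitation described earlier. The added example below is not part of the original tutorial: it parses `pciconf -l` output as printed in a pfSense shell and lists Ethernet controllers with no driver attached. `unattached_nics` is a hypothetical helper name, and both sample listings are constructed and trimmed to the fields the parser reads.

```shell
# Added example, not from the tutorial. unattached_nics is a hypothetical name.
# FreeBSD's `pciconf -l` prints one line per PCI device as NAME@SELECTOR: ...
# and uses the name "noneN" when no driver has attached to the device.

# Read `pciconf -l` text on stdin; print the selector of each Ethernet
# controller (PCI class 0x0200xx) that has no driver attached.
unattached_nics() {
    awk '
        /^[A-Za-z0-9_]+@pci[0-9:]+/ {
            split($1, part, "@")
            selector = part[2]
            sub(/:$/, "", selector)
            if ($0 ~ /class=0x0200[0-9a-f][0-9a-f]/ && part[1] ~ /^none[0-9]+$/)
                print selector
        }'
}

# Constructed listing: four-port card installed, kernel has no igc driver.
sample_no_driver='hostb0@pci0:0:0:0: class=0x060000 rev=0x0b hdr=0x00
re0@pci0:2:0:0: class=0x020000 chip=0x816810ec rev=0x15 hdr=0x00
re1@pci0:3:0:0: class=0x020000 chip=0x816810ec rev=0x15 hdr=0x00
none0@pci0:5:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
none1@pci0:6:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
none2@pci0:7:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
none3@pci0:8:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00'

# Constructed listing: same hardware after the igc driver has attached.
sample_with_driver='hostb0@pci0:0:0:0: class=0x060000 rev=0x0b hdr=0x00
re0@pci0:2:0:0: class=0x020000 chip=0x816810ec rev=0x15 hdr=0x00
re1@pci0:3:0:0: class=0x020000 chip=0x816810ec rev=0x15 hdr=0x00
igc0@pci0:5:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
igc1@pci0:6:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
igc2@pci0:7:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00
igc3@pci0:8:0:0: class=0x020000 chip=0x15f38086 rev=0x03 hdr=0x00'

echo "Unattached Ethernet controllers without the igc driver:"
printf '%s\n' "$sample_no_driver" | unattached_nics
echo "Unattached Ethernet controllers with the igc driver:"
printf '%s\n' "$sample_with_driver" | unattached_nics
```

On the firewall itself, run the function under `sh` and feed it live data with `pciconf -l | unattached_nics`; empty output means every Ethernet controller has a driver.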

Click on Save. Now one can change the WAN interface to any of the 2.5GbE ports on the Intel i-225-V. Configure pfSense+ to match your existing router settings, and now you have a fully featured router firewall/VPN.

Big THANKS to Bill and enjoy your DIY firewall

We would like to express our sincere gratitude to Bill for the time and effort he has put into creating this tutorial. Throughout the process, Bill has updated several versions, always striving to cover all the details and suggestions from his deployment experience as comprehensively as possible. We encourage users with different ways of using Zima to directly contact us via Discord or email through the “Contact Us” option. We would love to hear your thoughts and ideas and share them with the community.
