I acquired for a reasonable price an old Riverbed Steelhead SHA-250. These are no longer supported by Riverbed, so they can be fairly inexpensive second hand.
The Steelheads all seem to be x86-based, which makes them a great appliance for pfSense. With just a little bit of work, it is easy to turn one of these appliances into a great firewall.
The SHA-250 I have has the following specs:
- Intel Celeron-M 1.66GHz Processor
- 1GB DDR2 RAM
- 120GB SATA hard drive
- 2GB flash drive, connected to an internal USB header
- 4x Intel Gigabit Ethernet ports (*bypass pair not working in pfSense)
- 2x External USB 2.0 ports
- 1x DB-9 Serial Port for console
Since this will be used for my firewall at home, I removed the hard drive to conserve power and installed pfSense on the internal flash drive. Also, I can only get two of the four network ports working. The bypass pair seem to be missing some software component for them to work.
Photos can be found at the bottom of the post.
I installed it using a PC running Windows. You can install it from another OS; you’ll just need to use dd and screen instead of physdiskwrite and PuTTY.
You’ll need the following:
- Serial port, or USB -> Serial adapter
- PC with Internal USB header (see below)
- For Windows, you’ll need 7-Zip, physdiskwrite and PuTTY.
Prepare the drive
First, remove the internal flash storage and plug it into your PC. The drive is secured by a screw, and has a Riverbed logo on it with the size (2GB) marked. The storage chip is plugged into a very standard USB header on the main board. Most PCs, including proprietary ones, have one of these standard USB headers. For example, I plugged it into my Dell Inspiron.
Next, you’ll need to remove the existing partitions from the drive before physdiskwrite will allow you to write the image. This can be done via Disk Management or with diskpart. Take note of the disk number, as you will use this value with physdiskwrite.
Write the image to the disk
From pfSense’s website, download the latest 2g-i386-nanobsd image file. The one I downloaded is ‘pfSense-2.1-RELEASE-2g-i386-nanobsd.img.gz’.
The image is compressed using gzip, so decompress it with 7-Zip or another utility.
Copy both the image and the physdiskwrite executable to the same location. Open a command prompt as administrator, and ‘cd’ to the folder the files are in. Execute the following command:
physdiskwrite -d # <image file>
Replace the ‘#’ sign with the number of the disk from Disk Management or diskpart. Replace <image file> with the name of the image you downloaded.
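Since this image becomes the firewall's operating system, it is worth checking it before and after the write step above. The following is an added example, not part of the original post: it checks the downloaded .gz against a published SHA-256 checksum, decompresses it, and reads the written drive back to confirm it matches. It assumes you have the checksum from the download site, and `device_path` is a placeholder for however your OS exposes the raw flash drive.

```python
import gzip
import hashlib

CHUNK = 1024 * 1024  # 1 MiB reads, a multiple of the 512-byte sector size


def sha256_file(path):
    """SHA-256 of a file exactly as stored (e.g. the downloaded .img.gz)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(gz_path, published_hex):
    """True if the download matches the checksum published with it."""
    return sha256_file(gz_path) == published_hex.strip().lower()


def decompress_image(gz_path, img_path):
    """Gunzip to img_path and return (size, sha256) of the raw image.

    gzip raises on a CRC mismatch or a truncated stream, so a damaged
    download fails here instead of being written to the drive.
    """
    h, size = hashlib.sha256(), 0
    with gzip.open(gz_path, "rb") as src, open(img_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            h.update(block)
            size += len(block)
    return size, h.hexdigest()


def verify_written(device_path, size, expected_hex):
    """Read back the first `size` bytes of the target and compare digests.

    The drive is larger than the image, so only the image-sized prefix counts.
    """
    h, remaining = hashlib.sha256(), size
    with open(device_path, "rb") as dev:
        while remaining > 0:
            block = dev.read(min(CHUNK, remaining))
            if not block:
                return False  # target is shorter than the image
            h.update(block)
            remaining -= len(block)
    return h.hexdigest() == expected_hex
```

Run `verify_download` before decompressing, and `verify_written` with the size and digest returned by `decompress_image` after the write and before moving the drive back to the Steelhead.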
Boot the Steelhead
Remove the flash drive from your PC and replace it in the Steelhead. Connect your console cable. You may or may not need a null connector, depending on the type of cable you have.
Open PuTTY, change connection type to Serial. Change Serial Line to the serial port you have the device plugged into. COM1 is typical for on-board ports, and COM3 is typical for USB adapters. Ensure the Speed is 9600. Click Open to start the session.
Connect power to the Steelhead, and you should start seeing output in the PuTTY session. pfSense will most likely not detect the USB drive without a minor tweak.
Wait for the line ‘Hit [Enter] to boot immediately, or any other key for command prompt.’ to appear, then press any key.
Execute the following at the ‘OK’ prompt:
The device should boot completely and go through the initial setup.
Once you are at the pfSense menu, we need to add the boot delay to the loader configuration (/boot/loader.conf.local) in order for it to continue to boot correctly.
Use option 8 and drop into the shell. Execute the following at the shell prompt:
echo "kern.cam.boot_delay=10000" >> /boot/loader.conf.local
Congratulations! You now have a Steelhead running pfSense!
em0 and em1 are the LAN and WAN ports. I do not know how to get them to work. I suspect it is due to the bypass functionality. A post on the pfSense forums hints at that; however, the original poster resolved it while leaving few hints behind.
It is probably possible to install it to the hard drive. Last time I tried, pfSense gave a bunch of UDMA errors with two different hard drives. Disabling DMA would likely work; however, I’m not sure what the performance ramifications of that might be.