Project Steelwall – pfSense on a Steelhead

I acquired for a reasonable price an old Riverbed Steelhead SHA-250. These are no longer supported by Riverbed, so they can be fairly inexpensive second hand.

The Steelheads all seem to be x86 based, which makes them a great appliance for pfSense. With just a little bit of work, it is easy to turn one of these appliances into a great firewall.

The SHA-250 I have has the following specs:

  • Intel Celeron-M 1.66GHz Processor
  • 1GB DDR2 RAM
  • 120GB SATA hard drive
  • 2GB flash drive, connected to an internal USB header
  • 4x Intel Gigabit Ethernet ports (*bypass pair not working in pfSense)
  • 2x External USB 2.0 ports
  • 1x DB-9 Serial Port for console

Since this will be used for my firewall at home, I removed the hard drive to conserve power and installed pfSense on the internal flash drive. Also, I can only get two of the four network ports working. The bypass pair seem to be missing some software component for them to work.

Photos can be found at the bottom of the post.

Installing pfSense

I installed it using a PC running Windows. You can install it running another OS, you’ll just need to use dd and screen instead of physdiskwrite and PuTTY.

You’ll need the following:

  • Serial port, or USB -> Serial adapter
  • PC with Internal USB header (see below)
  • For Windows, you’ll need 7-Zip, physdiskwrite and PuTTY.

Prepare the drive

First, remove the internal flash storage and plug it into your PC. The drive is secured by a screw, and has a Riverbed logo on it with the size (2GB) marked. The storage chip is plugged into a very standard USB header on the main board. Most PCs, including proprietary ones, have one of these standard USB headers. For example, I plugged it into my Dell Inspiron.

Next, you’ll need to remove the existing partitions from the drive before physdiskwrite will allow you to write the image. This can done via Disk Management or with diskpart. Take note of the disk number, as you will use this value with physdiskwrite.

Write the image to the disk

From pfSense’s website, download the latest 2g-i386-nanobsd image file. The one I downloaded is ‘pfSense-2.1-RELEASE-2g-i386-nanobsd.img.gz’.

The image is compressed using gzip, so using 7-zip or another utility, decompress the image.

Copy both the image and the physdiskwrite executable to the same location. Open a command prompt as administrator, and ‘cd’ to the folder the files are in. Execute the following command:

physdiskwrite -d # <image file>

Replace the ‘#’ sign with the number of the disk from disk management or diskpart. Replace <image file> with the name of the image you downloaded.

Boot the Steelhead

Remove the flash drive from your PC and replace it in the Steelhead. Connect your console cable. You may or may not need a null connector, depending on the type of cable you have.

Open PuTTY, change connection type to Serial. Change Serial Line to the serial port you have the device plugged into. COM1 is typical for on-board ports, and COM3 is typical for USB adapters. Ensure the Speed is 9600. Click Open to start the session.

Connect power to the Steelhead, and you should start seeing output in the PuTTY session. pfSense will most likely not detect the USB drive without a minor tweak.

Wait for the line ‘Hit [Enter] to boot immediately, or any other key for command prompt.‘ to appear, then press any key.

Execute the following at the ‘OK’ prompt:

set kern.cam.boot_delay=10000
boot

The device should boot completely and go through the initial setup.

Once you are at the pfSense menu, we need to update /boot/loader.conf in order for it to continue to boot correctly.

Use option 8 and drop into the shell. Execute the following at the shell prompt:

/etc/rc.conf_mount_rw
echo "kern.cam.boot_delay=10000" >> /boot/loader.conf.local
/etc/rc.conf_mount_ro

Congratulations! You now have a steelhead running pfSense!

Notes

em0 and em1 are the LAN and WAN ports. I do not know how to get them to work. I suspect it is due to the bypass functionality. A post on the pfSense forums hints at that, however, the original poster resolves it with leaving few hints behind.

It is probably possible to install it to the hard drive. Last time I tried, pfSense gave a bunch of UDMA errors with two different hard drives. Disabling DMA would likely work, however, I’m not sure what the performance ramifications to that might be.

Click to share: Share on FacebookShare on Google+Share on RedditTweet about this on TwitterPin on Pinterest

10 thoughts on “Project Steelwall – pfSense on a Steelhead”

  1. Open up the river bed there should be a jumper header next to the bank of relays. you need to put a jumper on that header. If you do this while the power is on you should hear a click. Any Questions hit me up on email.

  2. hi Mike

    i get same of this Riverbed 00150/ 00250 /00500/00550 Servers. I try to get them running with a Debian Linux booting form the 2 GB SSD . I would like to use them as a cool WebCam System .

    But there are same problems with all kind of Serial numbers and codes witch need´s to build each unit diverend ! my Programmer friend has same problem´s to get into the System .

    Do you know a way to make it more simple= just to boot a Debian Linux = made for the Riverbed Hardware form the SDD ? Or is there a way to make Linux Boot SSD´s incl all Serial Numbers & codes more simple for each Riverbed unit ?

    If you can help me with that , i can send you same brand new Riverbed Steelhead unit´s

    if possibel please call me back Tel +49 521 986878

    best regards

    Andreas Budde

    1. The 2GB drive built into the Riverbeds isn’t what I would call an SSD. It appears to be nothing more than a regular flash drive.

      If you insist on installing Debian on the 2GB drive, which isn’t too bad of an idea, you’ll need to make it read only root, otherwise, Debian would kill the flash drive relatively quickly.

      If you’re not going to use the Riverbed software, I see no reason why you should need to mess with the licenses at all.

      Here’s what I would do in your situation:

      1. Remove the 2GB flash. Again, unless you make it read only root, you’ll run into problems.
      2. Create a “LiveUSB” stick of Debian.
      3. If the included SATA disk is large enough, use it, otherwise, install a larger one
      4. Boot the riverbed off the USB stick and install Debian onto the SATA disk.

      I can get into the BIOS on mine by pressing the -Delete- key during startup through the console. Should be able to modify the BIOS boot order there.

      Feel free to e-mail me, mike@shouptech.com if you have further questions, or you can always reply on this post.

  3. I can not install pfsense from flash drive, or directly by cfcard on my x86 appliance via serial console! 4 days we have been trying and I can not! When will the USB to go ahead, but inexplicably hangs in the middle of the process.

    1. Post for help on the pfSense forums. Make sure you note what output messages you receive on the console. I’m not that much of a pfSense expert, so I can’t help a lot.

  4. You can disable the bypass port pair with a jumper setting on the main board, effectually it just keeps power to the relays. It’s normally located close to the relays. I know on the SHA200 with board SBC8A805 its JP3 see in the photo http://imgur.com/dbfM4RT

  5. Hi there,

    is it possibvle to boot the riverbed box from USB-Stick or USB-CDROM? If it is possible, what are the correct things to change in the BIOS?

    The Aim is not to use the 2GB-Flash-Drive. I installed a SATA-Drive and would like to install direcetly to it.

    plase help.
    thanx

    1. I don’t have one around anymore, so I don’t have the answers for you, however, I imagine it will easily boot off of a USB stick. The internal flash drive is simply a 2GB USB drive. If you remove that, and stick in some other USB drive, it should work. Keep in mind you’ll need an image already setup with a serial console.

Leave a Reply

Your email address will not be published. Required fields are marked *