Main | Alix2c 3 With Debian   


Choosing hardware for making your own firewall/router

   Making your own little firewall that runs Linux doesn't have to be terribly difficult. Most people start off using a low-end PC for the job, but eventually move away from that because that's a power-hungry solution.

   There are several choices, but I recommend one of the Alix boxes such as Alix2d3 ($137) from PC Engines along with a red USB case ($10) and a 1GB Compact Flash card ($10). [Total: ~ $160] These are also available in the US from as are cases and power supplies, but they don't have the red anodized cases.  The Alix2c3 requires only 6 Watts peak of power to run -- approximately 1 Amp of any voltage between 7v and 18v.
   NOTE: if you want a Real Time Clock battery, that must be requested, for an additional $1 charge.

   The pictures below show the Alix2c3 with the optional RTC battery, and housed in a red USB case. As you can see in the pictures, the 500 MHz AMD Geode LX processor that these use doesn't even need a heat sink for cooling, so there are few if any concerns related to heat.


   There are several operating systems to choose from that will run on these boxes, but I much prefer running Debian.

HOWTO: load a PC Engines Alix2c3 with Debian Wheezy

Okay, so below is the procedure.

All of this work is based on this page, so that's who deserves the real credit for figuring out most of this procedure. [I'd like to give the author credit but can't figure out who it is -- Yasuyasu?]

Here's another page about loading the Alix2c3 with Debian Sid: Peter's Alix2c3 page

 1. The first thing you need is a Debian-based environment: a LiveCD such as a Knoppix CD or Ubuntu Live CD, or an existing installation of Ubuntu or Debian. What's necessary is the debootstrap binary. [It's one of the ways that Knoppix CDs can be made, too.]

 2. Attach the Compact Flash card to a CF card reader. Both PCMCIA and USB CF card readers work, but which one you use may change which device the CF card shows up as. Usually it shows up as either /dev/sd? for USB or /dev/hd? for PCMCIA -- use 'fdisk -l' (that's a lower-case L) as root after attaching the CF card to a laptop running Linux to find out which device it is.
   In my case the CF card device showed up as /dev/sdb -- your mileage may vary. Wherever you see "sdb" in the instructions below, replace it with the device that is detected for your CF card.

 3. fdisk /dev/sdb                # (or whatever device your CF card shows up as)

Delete any partitions that are there, and make a new one that uses the full space.
The new partition in my case showed up as /dev/hdc1

 4. mkfs.ext2 -L <volume-label> -c -v /dev/sdb1        # to format the partition with ext2

The flash chips in Compact Flash have a limited number of writes, so it's generally a good idea to use a non-journaling filesystem, or a filesystem designed for use with flash chips, such as jffs2... but jffs2 takes longer to boot, so I've been sticking with ext2 for CF cards. [The LogFS filesystem is also available in the kernel, but is not considered stable enough for real-world use yet.]

 5. tune2fs -c 5 -i 30 /dev/sdb1

This sets the periodic fsck at boot time: the filesystem is checked once it has been mounted 5 times without a check, or after a maximum of 30 days without a check. This ensures that the filesystem will be periodically checked when the system is rebooted.

 6. mount /dev/sdb1 /media/cf_card -o sync       # mount the filesystem locally to a previously created /media/cf_card directory, synchronously

Strangely enough it seems to be best to do this first before actually installing Debian:

 7. grub-install --root-directory=/media/cf_card /dev/sdb        #Installs the grub2 boot loader.

 8. time nice debootstrap --arch i386 wheezy /media/cf_card

This downloads and installs the minimal Debian Wheezy files from the internet, so internet access is required. This takes at least 20 minutes to run. You can also load another release directly at this point instead of wheezy if you want to (but not sid), but I prefer to run the stable distribution of Debian for servers.

 9. Several directories from the current running LiveCD or other Linux environment need to be mounted with a bind mount onto the newly created Debian installation on the CF card so that the Grub2 boot loader can find hardware devices and partitions. The Grub2 installation will fail if this is not done first.

mount -o bind /dev /media/cf_card/dev          # bind mount /dev
mount -o bind /dev/pts /media/cf_card/dev/pts  # bind mount /dev/pts
mount -o bind /proc /media/cf_card/proc        # bind mount /proc
mount -o bind /sys /media/cf_card/sys          # bind mount /sys

10. chroot /media/cf_card /bin/bash        # enter the installed environment

10. Install 'locales-all' and set a default language so that apt-get and perl don't complain about missing language information.

apt-get install locales-all
echo "LANG=\"C\"" > /etc/default/locale

If you want to use UTF-8 instead, use:

echo "LANG=\"en_US.UTF-8\"" > /etc/default/locale

11. nano /etc/apt/sources.list

Set up the repositories by modifying the sources.list file to contain:

deb wheezy main
deb wheezy-updates main
deb wheezy/updates main

12. apt-get update        # update the local Debian repository

13. apt-get install grub2 less ntp

This will cause apt-get to add several other packages as well:

   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   The following extra packages will be installed:
     dmsetup gettext-base grub-common grub-pc libbsd0 libcap2 libdb4.7
     libdevmapper1.02.1 libedit2 libfreetype6 libopts25 os-prober perl perl-modules ucf
   Suggested packages:
     multiboot-doc grub-emu xorriso desktop-base ntp-doc perl-doc
     libterm-readline-gnu-perl libterm-readline-perl-perl make
   The following NEW packages will be installed:
     dmsetup gettext-base grub-common grub-pc grub2 less libbsd0 libcap2 libdb4.7
     libdevmapper1.02.1 libedit2 libfreetype6 libopts25 ntp os-prober perl perl-modules
   0 upgraded, 18 newly installed, 0 to remove and 0 not upgraded.
   Need to get 12.4 MB of archives.
   After this operation, 42.8 MB of additional disk space will be used.
   Do you want to continue [Y/n]?

Choose 'Y' or simply press Enter, as that is the default.

grub-pc will ask if it should be installed without being configured. Choosing 'No' will simply bring up the same question again, so the only thing possible to do at this point is to choose 'Yes'. Or, grub-pc may come up with a menu of which devices to install GRUB onto; for the moment leave these entries blank and choose "Okay".

14. nano /boot/grub/

Edit this file to remove entries that are not related to the CF card. For example after I installed Grub2, the file contained the following:

(hd0) /dev/disk/by-id/ata-HITACHI_HTS542525K9SA00_080311BB0F02WDGZV66C
(hd1) /dev/disk/by-id/usb-Kingston_FCR-HS219_1_100601005954-0:0

Instead you most likely want to detect the boot device by UUID. First, run 'blkid' on the CF card device to find the UUID:

blkid /dev/sdb1

(When I ran the above what I got back was:)

/dev/sdb1: LABEL="redbox" UUID="9c56b6fe-b7dd-4078-a18b-cda7bc750c06" TYPE="ext2"

Modify the file to use by-uuid instead:

(hd0) /dev/disk/by-uuid/9c56b6fe-b7dd-4078-a18b-cda7bc750c06

14. nano /etc/default/grub

In this file, under the '#GRUB_TERMINAL=console' line, add the following:

A. Add a section after the first set of comments (after the first four lines of #'s) with:

   ## Redirect the Grub menu to the serial port
   GRUB_SERIAL_COMMAND="serial --unit=0 --speed=38400 --word=8 --parity=no --stop=1"

This configures the Grub2 boot loader to output the boot menu to the serial port. This is important as this is the only way to have access to the boot menu.

Additionally, at the end of the file add the following to keep OS Prober from trying to detect alternate operating systems:

   # Disable OS Prober to keep from detecting Windows

15. update-grub

Answer "Would you like /boot/grub/menu.lst generated for you? (y/N)" with Y.

16. ??? nano /etc/kernel-img.conf

Populate the kernel-img.conf file with:

# Kernel image management overrides
# see kernel-img.conf(5) for details
do_symlinks = no
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook = update-grub
postrm_hook = update-grub

17. apt-get install linux-image-486        # install Linux kernel for 486

This will again pull in several other packages:

   # apt-get install linux-image-686
   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   The following extra packages will be installed:
     busybox firmware-linux-free initramfs-tools klibc-utils libklibc libuuid-perl
     linux-base linux-image-2.6.32-5-686
   Suggested packages:
     bash-completion linux-doc-2.6.32 grub lilo
   The following NEW packages will be installed:
     busybox firmware-linux-free initramfs-tools klibc-utils libklibc libuuid-perl
     linux-base linux-image-2.6.32-5-686 linux-image-686
   0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
   Need to get 28.2 MB of archives.
   After this operation, 81.3 MB of additional disk space will be used.
   Do you want to continue [Y/n]?

Say 'Y'.

If you've installed the grub package and properly modified the /etc/kernel-img.conf and /boot/grub/menu.lst files, then at this point when the kernel is installed the grub boot menu will be updated automatically.

18. nano /etc/fstab

Populating the fstab file requires finding the UUID of the filesystem in order to mount it in a way that does not depend on the driver. In other words, whether the underlying device is /dev/hda1 or /dev/sda1, either one should work. To find the UUID of the filesystem, use the following command:

blkid /dev/sdb1

Then use the UUID of the filesystem to populate the fstab file:

# /etc/fstab: static file system information.
# <file system> <mount point> <type> <options> <dump> <pass>(fsck order)
proc            /proc         proc   defaults    0      0
UUID=fa0a1f06-0958-45c7-8e20-56e941bd0b80     /     ext2     noatime,nodiratime     0     0

"noatime" and "nodiratime" are mount options that reduce wear on the flash by eliminating writing the last access time on files, which is not very useful to have anyway. [I use these mount options on all of the disk filesystems on my desktop, for instance.]

19. nano /etc/inittab

Modify the inittab file in the following way:

A. Comment out all /sbin/getty lines. i.e.:

   #1:2345:respawn:/sbin/getty 38400 tty1
   #2:23:respawn:/sbin/getty 38400 tty2
   #3:23:respawn:/sbin/getty 38400 tty3
   #6:23:respawn:/sbin/getty 38400 tty6

B. A couple of lines down, uncomment and modify the T0:23 getty line to read:

   T0:23:respawn:/sbin/getty -L ttyS0 38400 vt100

20. nano /etc/network/interfaces

Populate the interfaces file with:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp

21. apt-get dist-upgrade

Updates installed packages, including security updates

22. exit

23. unmount CF card related filesystems:

umount /media/cf_card/dev/pts
umount /media/cf_card/dev
umount /media/cf_card/proc
umount /media/cf_card/sys
umount /media/cf_card

24. If you're using a USB CF cardreader you do not need to do anything at this step.
If you're using a PCMCIA CF cardreader, tell the system you're about to remove the CF cardreader with:

pccardctl eject 0
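
Once the card is in the Alix, the serial console is the only way in, so a wrong UUID in fstab or a baud-rate mismatch is awkward to debug. The script below is an added example, not part of the original procedure: run before the unmount in step 23, it checks that /etc/fstab uses the UUID blkid reports, that the GRUB and getty serial speeds agree, and that root does not have an empty password. The function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: offline audit of the Debian tree on the CF card before it is
# unmounted. Function names are hypothetical; paths are those used in this HOWTO.

# UUID that /etc/fstab mounts on "/" (prints nothing if the entry is not UUID=).
fstab_root_uuid() {
    awk '$1 !~ /^#/ && $2 == "/" && sub(/^UUID=/, "", $1) { print $1; exit }' "$1/etc/fstab"
}

# Baud rate from GRUB_SERIAL_COMMAND in /etc/default/grub.
grub_serial_speed() {
    sed -n 's/^ *GRUB_SERIAL_COMMAND=.*--speed=\([0-9]*\).*/\1/p' "$1/etc/default/grub" | head -n 1
}

# Baud rate of the active (uncommented) ttyS0 getty in /etc/inittab.
getty_serial_speed() {
    awk -F: '$1 !~ /^[ \t]*#/ && $4 ~ /getty.* ttyS0( |$)/ {
        n = split($4, w, " ")
        for (i = 1; i <= n; i++) if (w[i] ~ /^[0-9]+$/) { print w[i]; exit }
    }' "$1/etc/inittab"
}

# True when root's password field in /etc/shadow is empty (login needs no password).
root_password_empty() {
    awk -F: '$1 == "root" && $2 == "" { hit = 1 } END { exit !hit }' "$1/etc/shadow"
}

# audit_cf_root ROOT BLKID_UUID: print findings; exit status = number of problems.
audit_cf_root() {
    bad=0
    have=$(fstab_root_uuid "$1")
    if [ "$have" != "$2" ]; then
        echo "fstab: / uses UUID '$have' but blkid reports '$2'"; bad=$((bad + 1))
    fi
    g=$(grub_serial_speed "$1"); t=$(getty_serial_speed "$1")
    if [ -z "$g" ] || [ "$g" != "$t" ]; then
        echo "serial: GRUB speed '$g' vs ttyS0 getty speed '$t'"; bad=$((bad + 1))
    fi
    if root_password_empty "$1"; then
        echo "shadow: root password is empty; set one with passwd"; bad=$((bad + 1))
    fi
    return "$bad"
}

# e.g. audit.sh /media/cf_card "$(blkid -s UUID -o value /dev/sdb1)"
if [ $# -eq 2 ]; then audit_cf_root "$1" "$2"; fi
```

A non-zero exit status is the number of findings; each one is printed on its own line.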

Connecting to the Alix2c3 with a serial cable

This requires a 9-pin serial cable [wired the standard way] and a serial null modem. From a computer running GNU/Linux you can either use minicom or ckermit, or you can use HyperTerminal from Windows. For connection settings use 38400 8N1 with no hardware flow control. Run 'minicom -s' as root to edit the system-wide defaults when that is desired. Both minicom and HyperTerminal are newer and easier to set up than ckermit.

To configure minicom to connect to the COM1 serial port:

run 'minicom -s', as root
select "serial port setup"
press 'A' and change the serial device to /dev/ttyS0
press 'E' and then 'D' to select port speed of 38400
press 'F' to turn off hardware flow control
press ENTER to leave the serial port menu
select "save setup as dfl" to make it the default
from here run minicom as a normal user.

To configure ckermit to connect to the COM1 serial port:

set port /dev/ttyS0
set speed 38400
set carrier-watch off

After connecting, plug in the Alix2c3 to see the bootup messages. You should see something similar to:

PC Engines ALIX.2 v0.99
640 KB Base Memory
2611120 KB Extended Memory

01F0 Master 044A CF 1GB
Phys C/H/S 1966/16/63 Log C/H/S 983/32/63
GRUB Loading stage1.5.

GRUB loading, please wait...

... and then the GRUB boot menu appears. If all goes well, Debian will boot automatically and you will be able to log in as root without any password.

Next immediate steps to take:

1. Run   passwd   to change the root password, and write the password down somewhere.

2. Connect an ethernet cable to the first RJ45 jack on the Alix2c3, closest to the power and USB ports. Assuming you have DHCP locally available and you followed step 20 of the installation, this should allow the box to get internet access.

3. Run   ntpdate -u   to update the system time. This is rather important to do because Debian will complain during new package installation if the clock is far off.

4. If ntpdate ran successfully and updated the system time (you can verify that with the date command), then push the system time to the hardware clock with    hwclock --systohc
This step is optional, since the system clock will be pushed to the hardware clock at shutdown or reboot anyway.

5. Install ntpd

6. Installation of Grub2 on a CF card using an external computer leaves the file containing incorrect settings. This can be fixed with grub-mkdevicemap -n. Unless this is executed, any execution of update-grub (which includes any kernel updates) will cause the Grub2 configuration file grub.cfg to use the raw device /dev/sda1 rather than hd0 in the "set root" setting in menu entries, leaving an unbootable configuration.

7. Set the timezone with dpkg-reconfigure tzdata

From here, there is a nice writeup from Hacom with some suggested tweaks to keep from writing to the CF card too often, which also helps protect the CF card from being corrupted in the case of power loss or unclean shutdown.

Now that you have a running system, you can take it from here.  :-)  
Good luck!!
-- Chris

November 04, 2012, at 01:12 PM