I wanted to replace my Cisco 2610 and my WLAN-Access Point with some new, small, energy-efficient hardware. Requirements also included the capability to do IPv6 and IPsec, so an off-the-shelf WLAN-router would not be enough. The solution was an Alix 2C3 running FreeBSD with an Atheros WLAN-card added to the miniPCI slot.
As FreeBSD 7.1 was released, all drivers and updates (except the updated geode.c) described below as included in 7-STABLE are available in 7.1-RELEASE. If you use 8.0, the updated geode.c is already included of course.
The RTC battery is optional, so if you want one in your board just solder in any battery that provides 3 volts and you're fine. Willy Tarreau has another interesting solution to the battery-problem. Be sure to also check out his UPS.
It's possible to install the system with PXE and serial console, but also with an IDE to Compact Flash adapter. I chose the second option, because I wanted to roll my own kernel as 7-STABLE includes a heavily revamped driver for the onboard-NICs.
Before any usage of the board, disable "console redirection" in the BIOS setup. This sounds odd, but if you enable this option, boot0sio and the loader won't be usable.
You can find my kernel configuration down in the "Files"-section. Note that I compiled every needed driver for my hardware statically into the kernel; most of the stuff will work as modules, too. I enriched the sources by replacing /sys/i386/i386/geode.c with Rev. 1.11 from 8-CURRENT before compiling the kernel. The most visible effect of this is that the LEDs on the front panel show up as devices in /dev/led/.
The CPU has built-in support for some crypto-functions, namely a random number generator and hardware-accelerated AES-CBC (but only 128 bits). A driver became available just a few weeks before I installed the box and is also available in 7-STABLE now.
If you use a harddisk on the internal ATA-port, the setting hw.ata.ata_dma_check_80pin=0 in loader.conf helps to get more than UDMA33 (if you use recent 7-STABLE sources). This is quite useless if you use Compact Flash, as common CF-cards won't be faster than 33MByte/s in reality.
A problem that still comes with most Compact Flash memories is the limited number of erase and re-write cycles. FreeBSD offers the possibility to generate special NanoBSD-images that are built for being mounted read-only but I wanted to do a full installation. The solution to this problem is to mount all UFS-filesystems with noatime and to use tmpfs for all temporary files. See the fstab down in the "Files"-section. You will also notice that there is no swapspace defined.
As the CPU has only 500MHz everything must be handled very efficiently. The ppp-daemon that comes with FreeBSD is running in userland, abusing cpu-cycles. So I chose to use the netgraph-implementation of PPPoE that runs in-kernel with mpd5. Also, I wanted to use pf as firewall, not the built-in ipfw.
OK, let's make up the following scenario: I want to connect to my company's network via IPsec, authenticate with X.509-certificates and use the following IPs:
192.168.1.0/24 - company's network
192.168.2.0/24 - my network at home
4.3.2.1 - company's VPN-gateway
1.2.3.4 - my IP at home
You can find my ipsec.conf and racoon.conf down in the "Files"-section; they should be more or less self-explanatory. To get the traffic to the company's network routed into the tunnel, one must set up a route to the machine itself. The next two lines added to /etc/rc.conf will do this:
static_routes="company"
route_company="-net 192.168.1.0/24 127.0.0.1"
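The security policy entries that the scenario above needs in /etc/ipsec.conf, as an added example (this is not the author's file from the "Files"-section). It assumes ESP in tunnel mode with racoon negotiating the SAs; the addresses are the ones listed in the scenario.

```conf
# /etc/ipsec.conf, loaded with setkey -f (constructed example)
#   home net    192.168.2.0/24 behind 1.2.3.4
#   company net 192.168.1.0/24 behind 4.3.2.1

# Start from a clean state so stale SAs and policies cannot linger.
flush;
spdflush;

# Outbound: home -> company. Tunnel endpoints are written
# source-destination, so the home IP comes first.
# "require" means the packet is not sent until an SA exists,
# so this traffic never leaves the box unencrypted.
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/1.2.3.4-4.3.2.1/require;

# Inbound: company -> home, with the endpoints reversed.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
        esp/tunnel/4.3.2.1-1.2.3.4/require;

# No "add" statements here: the SAs themselves are negotiated
# by racoon using the X.509 certificates, not keyed statically.
```

After loading the file, setkey -DP lists the installed policies, which is a quick way to confirm that both directions are present.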
This page is work in progress. If you have anything to say or add, just drop me a line.
Here are some files one may find helpful when setting up and tuning an ALIX-Board with FreeBSD:
Mail to Kvedulv