OpenBSD Journal

Double Soekris 4801 How-To

Contributed by sean on from the all soekris all the time dept.

Michiel van Baak writes: After looking at the new double soekris in 1 case sold by wim@ I decided to get one of them. It's a 1U 19' rackmountable case with 2 soekris net4801 boards in it.
I wanted to setup these machines as a failover firewall with CARP and pfsync.

Now there are a lot of documents on the internet how to netboot OpenBSD on in and a lot of other documents about how to setup CARP.
But what is^H^Hwas missing is a complete document that helps you from start to a running failover setup.

I took parts of Ryan's page about CARP, parts of other documents and a lot of info from the manual and started installing and keeping docs at the same time.

Now there actually is a complete document that starts with the netboot and installation of OpenBSD 4.0 on a soekris and guides you all the way to get a working failover setup.
The document can be found here.

Now let's get these nice machines and some OpenBSD 4.0 cd's to install everything!

(Comments are closed)


Comments
  1. By shef (shef) shefys@gmail.com on

    What about performance of Soekris device?

    Comments
    1. By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info

      > What about performance of Soekris device?

      I emulated our 10mbit uplink (work) with a 10mbit switch and I have to say the soekris setup in the middle showed no difference with a setup without the soekris in the middle.
      This test setup has 3 webservers, 2 dns servers and a smtp/imap mailserver on one side and 5 workstations hammering the services on the other side.
      I'm very confident this setup will handle our hosting setup without trouble. FTP looses 4% of it's speed, but that is only used to update static webpages so no big deal there.

      It all comes down how many packets per second your are handling and what type of pf rules you have active. Our setup is real simple:
      allow http to webservers, ftp to one ftp server, dns to one server that does not allow recursion and imap to a 500domain mailserver.

      I dont think this setup will survive in a 100mbit internetlink, but where do you have those ?
      If you have the money to buy a dedicated 100mbit uplink you can also afford some more powerfull firewall setup right ?

    2. By jb (jb) jb@caustic.org on

      > What about performance of Soekris device?

      The only performance hit I've had with my net4501 has been in my pf configuration and line. No issues otherwise, and the impact even under a heavy load has been minimal to non-existent.

  2. By Mitja Muzenic (193.77.241.135) mitja@kerberos.si on http://www.kerberos.si/ENG/Soekris19.htm

    Shameless plug - if you haven't seen the soekris rack cases yet, follow my link. "One picture counts more..." and all. :)

    Comments
    1. By Brynet (Brynet) on

      > Shameless plug - if you haven't seen the soekris rack cases yet, follow my link. "One picture counts more..." and all. :)

      Man thats sad, The site is using Adobe Flash..

      Shame on you...

      Comments
      1. By edgarz (159.148.213.71) on

        > > Shameless plug - if you haven't seen the soekris rack cases yet, follow my link. "One picture counts more..." and all. :)
        >
        > Man thats sad, The site is using Adobe Flash..
        >
        > Shame on you...

        Shame on you, because you live in the middle of 80ties.
        Maybe shame is that you can't support or provide something new, only old things?

        Comments
        1. By Brynet (Brynet) on

          > > > Shameless plug - if you haven't seen the soekris rack cases yet, follow my link. "One picture counts more..." and all. :)
          > >
          > > Man thats sad, The site is using Adobe Flash..
          > >
          > > Shame on you...
          >
          > Shame on you, because you live in the middle of 80ties.
          > Maybe shame is that you can't support or provide something new, only old things?


          Pardon me? It was a comment about how ironic it is to advertise an OpenBSD product using flash..

          When flash doesn't support OpenBSD.. And is closed source..

        2. By phessler (phessler) spambox@theapt.org on http://theapt.org

          > > > Shameless plug - if you haven't seen the soekris rack cases yet, follow my link. "One picture counts more..." and all. :)
          > >
          > > Man thats sad, The site is using Adobe Flash..
          > >
          > > Shame on you...
          >
          > Shame on you, because you live in the middle of 80ties.
          > Maybe shame is that you can't support or provide something new, only old things?

          flash is disgusting crap. its offensive and annoying. even on systems that do support flash, I uninstall it quickly.

          requiring flash for simple jpgs is silly and bizzare.

        3. By Anonymous Coward (74.115.21.120) on

          First of all, what are eightyties? Second, flash is bloated, proprietary crap. Its one thing to use it for animations, but to show images? Everyone with two brain cells to rub together will take jpegs thanks.

  3. By Wim Vandeputte (wvdputte) wim@kd85.com on https://kd85.com/soekris.html

    You know Michiel, you were supposed to spend your Xmas holiday with your family, not your new toys ;-)

    Comments
    1. By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info

      > You know Michiel, you were supposed to spend your Xmas holiday with your family, not your new toys ;-)

      it's .... stronger....than.....me
      ;)

      I mean, boring meals, endless discussions about the history of family. _OR_ having fun with OpenBSD.....
      What would you do ;)

    2. By jeff (65.120.116.178) on

      > You know Michiel, you were supposed to spend your Xmas holiday with your family, not your new toys ;-)


      Wim,

      I saw the pictures with the dual 4801's and then saw that kd85 does not ship to my country (USA). Do you know of distributors on my side of the pond who ship such casing hardware? (Or might you be able to provide schematics for the design of the double 4801 box so that I may make my own?)

      Wonderful read, looking forward to spending some of my holiday money on a development 4801.

      -Jeff

      Comments
      1. By sthen (85.158.44.146) on

        > I saw the pictures with the dual 4801's and then saw that kd85 does not ship to my country (USA). Do you know of distributors on my side of the pond who ship such casing hardware?

        You might also want to look for resellers of the Yawarra cases for Soekris/pcengines (they also have rackmount cases for some of the Commell boards) - they're Australian and do ship outside .au but don't take international credit cards.

      2. By Wim (89.22.102.81) wim@kd85.com on https://kd85.com/soekris.html

        > I saw the pictures with the dual 4801's and then saw that kd85 does not
        > ship to my country (USA). Do you know of distributors on my side of the
        > pond who ship such casing hardware? (Or might you be able to provide
        > schematics for the design of the double 4801 box so that I may make my
        > own?

        Actually if you look at the webform, we do ship to Canada and the US, but
        as the case weights about 7 kg, so shipping with UPS is a bit expensive
        (don't have the rates in front of me now, but I guess it would be about
        EUR 65 to ship)

  4. By Anonymous Coward (24.37.236.100) on

    What made you do it this way instead of adding MFS entries to fstab? Just curious...

    Comments
    1. By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info

      > What made you do it this way instead of adding MFS entries to fstab? Just curious...

      Because all articles out there mention /etc/rc
      And because this way I have it all at the same page in vi.
      It's easier for me to maintain the mfs on one place, including populating stuff and setting permissions.

      Comments
      1. By sthen (85.158.44.146) on

        > And because this way I have it all at the same page in vi.
        > It's easier for me to maintain the mfs on one place, including populating stuff and setting permissions.

        It's really simple to maintain the files if you use the -P flag to mount_mfs which you can set in the options column in fstab; you then don't have to worry about merging /etc/rc changes between releases...it's also easy to use rc.shutdown to copy the MFS back onto CF if you want to preserve state (dhcp leases, spamdb and so on).

        Comments
        1. By Anonymous Coward (83.5.232.240) on

          I second that, I have the a script as rc.shutdown and the same from a periodic cron job to sync /var changes, and would add that it's considered good practice to add local changes to rc.local not rc, but then I am an old sod ;)

          best wishes to all!

  5. By Matthew R. Dempsky (76.185.92.143) mrd@alkemio.org on

    > It's a 1U 19' rackmountable case with 2 soekris net4801 boards in it.

    I'd hope you could fit more than just 2 soekris boards in a 19 foot case! :-)

    Nice article though. I wish I had the resources to play with carp/pfsync.

    Comments
    1. By jb (69.239.198.33) on

      > > It's a 1U 19' rackmountable case with 2 soekris net4801 boards in it.
      >
      > I'd hope you could fit more than just 2 soekris boards in a 19 foot case! :-)
      >
      > Nice article though. I wish I had the resources to play with carp/pfsync.


      Actually, I was trying to locate the hardware, and didn't find it. I'd love to see the Net4801 19" case..

      Comments
      1. By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info

        > Actually, I was trying to locate the hardware, and didn't find it. I'd love to see the Net4801 19" case..

        I bought the hardware from http://www.kd85.com
        The image of the case is here. My setup is simular but lacks the extra 2port nic for every soekris.

    2. By Anonymous Coward (24.37.236.100) on

      > Nice article though. I wish I had the resources to play with carp/pfsync.

      All you need is two boxes, even a second old/cheap system and you're set.

  6. By Anonymous Coward (75.132.109.74) on

    I just bought a couple 4801's and am using Bill Maas' mfsmount script for MFS: (script, README).

    Comments
    1. By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info

      > I just bought a couple 4801's and am using Bill Maas' mfsmount script for MFS: (script, README).

      Thanks for the link.

      Thanks to Lasse Bach I found out my soekris boards dont mount / ro at all.
      This has to do with syslogd. Bill Maas' script takes care of this.
      I wont have time till Jan 2nd to do anything (I'm not going to redo the mfs mounts AND the website tonight *midnight here now* but the setup I described has a flaw when it comes to mounting stuff read-only.

      I'll let you all know when I get stuff sorted out and an updated document is on my site.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]