Replacing Untangle with OPNsense on old hardware


As ever, TLDR is at the end.

So this is the tale of how, after 2 years of using Untangle (now Arista Edge Threat Management, but referred to as Untangle herein), I decided to move to OPNsense when my subscription lapsed.

It was a weekend and my wife was out for the day; a golden opportunity with zero consequences for any downtime! Perfect!
But like many of my spare-time projects, it didn’t go as expected.


Untangle vs. OPNsense

So for a bit over 2 years at this point, I’ve been using Untangle NGFW Home edition, a Debian-based firewall distro with a friendly web UI and various “next-gen” firewall features (such as granular layer 7 application filtering, and using tags to apply rules and policies dynamically). While I appreciated these features, however, I felt some others were missing, such as native IPv6 tunnel support and IPS/threat protection. Untangle also rolled out support for WireGuard VPN, but it was only included in the newly introduced “Home Pro” tier which also added virus scanning and the aforementioned IPS and threat protection, much to the chagrin of the community.

Despite these pitfalls, Untangle did seem to run well on the hardware I gave it, an old repurposed desktop PC with a 2.4GHz dual core Intel Pentium E2220, 4GB RAM, and a 2TB HDD, storage which was complete overkill! This PC is certainly old; the CPU was apparently launched in Q1 of 2008.

OPNsense, on the other hand, is a fork of pfSense, arguably one of the oldest and most well-known open source firewall operating systems, with many plugins and a commercial version. Based on the history, OPNsense appears to be a result of some disagreement within the pfSense community, but enough on that, it’s time to get to work!

Installation attempt 1 – ISO Mode

As mentioned at the start, I assumed this would be easy. OPNsense’s website was easy to navigate, with a big download button in the corner, and the options presented were easy enough to read. I chose the amd64 architecture vga ISO image, planning to use Rufus to write the ISO to a USB flash drive. Like I said, easy.

But when using Rufus to write an ISO to USB, I was presented with 2 “write mode” options: the recommended ISO mode, or DD mode. Experience tells me that DD mode is probably a more basic “take bits from ISO, write them directly to USB” with no additional changes (as the UNIX/Linux dd utility would do).
For the first attempt, I went with ISO mode, thinking at worst that I’d have to re-write the image in DD mode if it didn’t work. Oh how wrong I was, as I shut down the machine and entered the BIOS boot menu on startup.

Kicking off a day of false starts, writing the image in ISO mode was a no-go as it threw an error saying it couldn’t find the filesystem. My best guess is that using “ISO mode” adds a Syslinux bootloader to chainload the installer. No matter, straight on to…

Installation attempt 2 – DD Mode

After firing up Rufus again and rewriting the ISO in DD mode, I was confronted by a new, more confusing error message: no boot partition!

Now I was confused. I compared the checksum of the image file with that on the website and they matched. I even chose another USB drive which was smaller (8GB vs. 32GB) thinking that the PC’s older BIOS might take issue with the larger drive, again to no avail.

Now my only option was opening a search engine and searching the open Internet for help!

First I found a post on the OPNsense forum suggesting that it could be a formatting issue with the drive, so I tried using the diskpart command to clear the partition table, then wrote the image again.

Still no luck, but returning to the search results turned up a more promising explanation: While the error mentioned wasn’t the exact one I was seeing, it mentioned something I hadn’t thought of so far – the fact that the ISO image contained multiple partitions, and that the partition table was in the GPT format.

A partition table is the part of any storage drive (SD card, HDD, SSD) which describes partitions – logical splits in the drive that most operating systems treat as drives in their own right. MBR and GPT are the 2 main formats for partition tables, with MBR being the older of the two (it was first released in 1983!). MBR comes with limitations, such as not supporting drives larger than 2 terabytes, and only supporting a maximum of 4 partitions, without actually nesting them.
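As an added example (not from the original post), this Python script reads the first sectors of a raw image and reports whether it carries a classic MBR or a protective MBR plus GPT header, which is the distinction that matters for an old BIOS. It assumes 512-byte sectors; `describe_partition_table` and `build_sample` are names made up for illustration, and the sample images are constructed, not real OPNsense images.

```python
import struct
import sys

SECTOR = 512  # assumption: 512-byte logical sectors

def describe_partition_table(image: bytes) -> dict:
    """Classify the partition table found at the start of a raw disk image."""
    if len(image) < 2 * SECTOR or image[510:512] != b"\x55\xaa":
        return {"scheme": "none", "partitions": 0}
    # Four 16-byte MBR entries start at offset 446; byte 4 of each is the type.
    types = [image[446 + 16 * i + 4] for i in range(4)]
    header = image[SECTOR:2 * SECTOR]
    if 0xEE not in types or header[:8] != b"EFI PART":
        return {"scheme": "mbr", "partitions": sum(t != 0 for t in types)}
    # GPT header: entry-array LBA at offset 72, entry count at 80, entry size at 84.
    entries_lba, count, size = struct.unpack_from("<QII", header, 72)
    used = 0
    for i in range(min(count, 128)):  # cap the loop so a corrupt header cannot stall us
        start = entries_lba * SECTOR + i * size
        type_guid = image[start:start + 16]
        # An all-zero type GUID marks an unused slot.
        if len(type_guid) == 16 and type_guid != bytes(16):
            used += 1
    return {"scheme": "gpt", "partitions": used}

def build_sample(gpt: bool) -> bytes:
    """Constructed sample image for the demo (not a real installer image)."""
    img = bytearray(4 * SECTOR)
    img[510:512] = b"\x55\xaa"
    if gpt:
        img[446 + 4] = 0xEE  # protective MBR entry covering the disk
        img[SECTOR:SECTOR + 8] = b"EFI PART"
        struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)
        img[2 * SECTOR:2 * SECTOR + 16] = b"\x01" * 16        # slot 0 in use
        img[2 * SECTOR + 128:2 * SECTOR + 144] = b"\x02" * 16  # slot 1 in use
    else:
        img[446 + 4] = 0x0C  # one FAT32 (LBA) partition
    return bytes(img)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe_partition_table(f.read(64 * SECTOR)))
    else:
        print(describe_partition_table(build_sample(gpt=True)))
        print(describe_partition_table(build_sample(gpt=False)))
```

Run with a path to a downloaded image to inspect it before writing it to USB; with no argument it classifies the two constructed samples.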

Now I had something resembling an answer, and the forum post even gave me a solution – ActivePartition manager! This is a freeware partition manager for Windows, which will happily change the format of a partition table, without destroying the data within the partitions.

Installation Attempt unknown – Success!

So I had definitely lost count of my attempts now, but it worked! The installation started and, finally, I had a working OPNsense installation!

TLDR

  • Older machines may not understand newer partition tables!
  • If your machine has a UEFI-style firmware (or “BIOS” even though it’s not actually a BIOS), it will support GPT, otherwise it’s trial and error.
