Since I was a teenager, I have been voluntarily helping people around me with my technology skills. This time, I’m helping someone build a robust, secure and cost-effective firewall/gateway/soft router at home.
It ended up on a $100 N100 mini PC with dual Ethernet ports, which can be a great pfSense box for home or even business use.
Hardware Tweaks
This model (T8PLUS) is secured with 4 screws on the outside; after removing them, the outer case can be easily pried open (with just a little more effort than Intel NUCs), and removing 4 more screws inside gives access to the motherboard (the power button is a much simpler design compared to NUCs).
My goal is to replace the stock 512GB M.2 SSD with a 128GB one (also adding a small aluminum heatsink) and remove the WLAN card, since I don’t need the WiFi capability (it is extra attack surface).
pfSense Installation
As Netgate notoriously stopped providing an ISO installer for the pfSense CE version (replaced by a net installer instead), the last version I can get is 2.7.2 from their mirror page.
This change is a marketing strategy to forcibly funnel community users into registered freemium users for further conversion, which would push people like me away towards alternatives like OPNsense. But right now, I can tolerate that for a bit more time.
Run sha256sum pfSense-CE-2.7.2-RELEASE-amd64.iso.gz in a terminal to check the hash:
SHA256 (pfSense-CE-2.7.2-RELEASE-amd64.iso.gz) = 883fb7bc64fe548442ed007911341dd34e178449f8156ad65f7381a02b7cd9e4
Extract the gz file to get the ISO image and flash it onto a USB drive with Etcher.
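The hash check above can be made a hard gate before extracting and flashing. The following is an added example, not part of the original post: verify_tagged_sha256 is a hypothetical helper that parses a BSD-style "SHA256 (name) = hex" line like the one shown above and compares it with the file on disk, assuming GNU sha256sum is installed.

```shell
#!/bin/sh
# Added example (not from the original post). verify_tagged_sha256 is a
# hypothetical helper; it assumes GNU coreutils' sha256sum is on PATH.
#
# $1: the "SHA256 (name) = hex" line exactly as published
# $2: directory holding the download (default: current directory)
# Returns 0 on match, 1 on mismatch, 2 on malformed line or missing file.
verify_tagged_sha256() {
    line=$1
    dir=${2:-.}

    # Split the tagged line into file name and expected digest.
    # A line that is not exactly "SHA256 (name) = <64 hex>" yields empty values.
    name=$(printf '%s\n' "$line" |
        sed -n 's/^SHA256 (\(.*\)) = [0-9a-fA-F]\{64\}$/\1/p')
    want=$(printf '%s\n' "$line" |
        sed -n 's/^SHA256 (.*) = \([0-9a-fA-F]\{64\}\)$/\1/p')
    if [ -z "$name" ] || [ -z "$want" ]; then
        echo "malformed checksum line" >&2
        return 2
    fi

    # The checksum line is untrusted input: never let it name a path
    # outside the download directory.
    case $name in
        */*) echo "refusing path separator in file name" >&2; return 2 ;;
    esac
    if [ ! -f "$dir/$name" ]; then
        echo "missing file: $dir/$name" >&2
        return 2
    fi

    # Hash from stdin so the output is only "<hex>  -", then compare
    # case-insensitively by lowercasing the published digest.
    got=$(sha256sum < "$dir/$name" | cut -d' ' -f1)
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (do not extract or flash this file)" >&2
    return 1
}
```

Chaining the extraction with && after the call means a mismatched or truncated download never reaches Etcher.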
Now, it’s time to boot into the USB installer.
System Tweaks
But before that, I have to address a stderr spam issue for the firmware error acpi sb.pc00.lpcb.ite8.gett
According to r/opnsense and the minipcunion forum, it seems to be a common minor thermal sensor issue with recent mini PC firmware.
All we need to do is disable the warning report for stdout (ignoring this issue does not affect functionality, but it’s annoying).
In the boot menu of the installer, hit 3 for escape to loader prompt.
Then type set debug.acpi.disabled="thermal" after the OK prompt, hit enter, type boot and hit enter again to boot with the workaround.
Go to Install and use ZFS stripe to install pfSense on the SSD.
Then reboot with the Ethernet cable connected, apply the workaround again to preserve more sanity, and set up the WAN connection to get to the main menu. Input 8 for Shell (or SSH would work as well), then:
cd ..
cd boot
su
vi loader.conf
Press i to enter insert mode in vi and add the following line at the top:
debug.acpi.disabled="thermal"
Press ESC to exit insert mode, type :wq to save and quit the file, and reboot after finishing.
Assign Interfaces
There are 2 Ethernet ports operated by a Realtek NIC, which can be problematic on BSD/Unix systems in general.
In my case, the left port (next to the power port) is recognized as re1, and the right port is recognized as re0 under pfSense.
For some reason, I have to assign re0 as the WAN interface and re1 as the LAN interface. It doesn’t work the other way around, which is very odd to me, but it does not affect its functionality as a soft router or firewall.
To explore this issue, I tried loading the driver realtek-re-kmod as this post indicates, but it still doesn’t work properly when I assign re1 as WAN.
Anyway, it works well enough to serve my needs, and I will update on its robustness in the future.
Lastly, connect it to an unmanaged switch (NETGEAR GS308v3), then access the pfSense web GUI through the LAN network to complete the initial setup and upgrade pfSense to the latest version 2.80. Now, this N100 pfSense box is ready to rock!