Install IPFire on a Raspberry Pi CM4 on DFRobot Carrier Board over Serial Console

This tutorial covers how to install a IPFire Firewall on to a Raspberry Pi Compute Module 4 that is carried on DFRobot's Router Carrier Board Mini using a serial console.

Disclaimer: all provided links in this article aren't sponsored!

→ IPFire's wiki can be found here.

→ And the DFRobot's wiki here.

• SD-Card (32 GB) + SD-Card-Reader
• Raspberry Pi Compute Module 4 (4GB RAM recommended)
• Jumper Wires (Female to Female)
• Official Raspberry Pi USB-C Powersupply (CM4 requires 5V 3A!)
• Configured and running Raspberry Pi (either with SSH-access or working display output)

Depending on your Setup:

• HDMI-Cable
• Keyboard
• or USB2TTL Apdapter

Download the aarch64 Flash Image from IPFire's webpage: ipfire.org/download. Then flash the Image on another computer to the SD-Card. Therefore you can use Win32DiskImager (Windows), the official Raspberry Pi Imager (Linux, Windows and MacOS) or BalenaEtcher (Web, Linux and Windows).

Before ejecting the SD-Card perform the following changes:

→ Enable the serial console: add (if not present) enable_uart=1 to config.txt.

→ Check if SERIAL-CONSOLE in uENV.txt is SERIAL-CONSOLE=ON.

Now connect the following pins on your carrier board's GPIO and your second Pi's GPIO with three jumper wires (female to female):

When connected properly you can power up the carrier board.

(It is recommended to first power up the second Pi and start the serial console before powering up the carrier board.)

Images sourced from siocours.lycees.nouvelle-aquitaine.pro and wiki.dfrobot.com - CM4 DFRobot Carrier Board

Before you can open a serial connection: serial console must also be enabled on the Pi from which you wish to connect. Therefore check if your /boot/config.txt contains enable_uart=1. If not, add it at top (!) and reboot.

# disable bluetooth via uart
dtoverlay=pi3-disable-bt
dtoverlay=pi3-miniuart-bt
dtoverlay=disable-bt
dtoverlay=miniuart-bt

Then you can execute the follwing command from the second Pi to connect to your serial console. It's strongly recommended to use a local attached keyboard and monitor on a Pi that boots to CLI(!) rather than creating the serial connection via SSH / Desktop.

screen /dev/ttyS0 115200

(root-permission required!) → you might install screen befire by running the following command:

sudo apt install screen

If /dev/ttyS0 doesn't work, use /dev/serial0. In case you are using a USB2TTL-Card use /dev/ttyUSB0.

Finally perform the setup of IPFire as usual!

With Ctrl+A and D you can quit the screen-session.

When booting for the first time, there will be three entries in the grub bootloader.

Select the 3rd option, that contains serial console!

As described also in this blog post in IPFire's official forum, there are assigment issues with the carrier board's NICs. It seems that the second PCIe NIC gets a self-assignet MAC everytime the device boots up. This is followed by the host OS no longer recognizing the NIC. To solve this issue there is a more or less fancy workaround here in this wiki: Set persistent MAC for RTL8111/8168/8411 (r8169) with udev (internal link).

It's also recommended to completely shut down again and reboot to verify the changes!

Resources used: cyberciti.biz - linux serial console, scribles.net - uart communitation between to Raspberry Pis and wiki.ipfire.org - Raspberry Pi 4 Model B