Boulder ARM64 Correction

Boulder ARM64 Workaround — Round 2 Research Report

Session: 20260321-0115 Domain: Boulder Routing Peer — ARM64 Netgate 6100 Workaround Date: 2026-03-21 Tools Used: mcp__claude_ai_Tavily__tavily_search, WebFetch, WebSearch, Bash (GitHub API)

CRITICAL CORRECTION: The Netgate 6100 is NOT ARM64

Round 1 incorrectly identified the Netgate 6100 as ARM64. This is wrong. The Netgate 6100 uses an Intel Atom C3558 (AMD64/x86_64). This fundamentally changes the situation — the ARM64 blocker identified in Round 1 does not exist for the Netgate 6100.

Executive Summary

The premise of this research — that the Netgate 6100 at Boulder is ARM64 and cannot run NetBird — is based on an error in Round 1. The Netgate 6100 uses an Intel Atom C3558 (Denverton family, AMD64/x86_64) processor. The official NetBird pfSense packages provide x86_64 builds that will install and run directly on this hardware. No workaround is needed.

However, this report still provides comprehensive answers to all six questions, because:

The architecture correction must be documented definitively
ARM64 Netgate models do exist (SG-1100, SG-2100, SG-3100), and the workaround research is valuable if GSISG has those at other sites
The Linux routing peer VM option may still be preferred over installing directly on pfSense for operational reasons

Answers to Mission Questions

Q1: Is the Netgate 6100 Definitely ARM64?

Confidence: DEFINITIVE | Sources: Netgate official product page, Netgate manual PDF, multiple resellers

Answer: NO. The Netgate 6100 is AMD64 (x86_64).

Attribute	Detail
CPU	Intel Atom C3558 (Denverton family)
Architecture	AMD64 / x86_64
Cores	4 cores @ 2.2 GHz
Memory	8 GB DDR4
Features	AES-NI, QAT (QuickAssist Technology)
pfSense installer image	`netgate-installer-amd64.img.gz` (per official Netgate manual)

The Netgate 6100 manual explicitly states the installer image is netgate-installer-amd64.img.gz. The Intel Atom C3558 is unambiguously an x86_64 processor.

Which Netgate Models ARE ARM64?

Model	CPU	Architecture
SG-1100	Marvell ARMADA 3720 (dual Cortex-A53)	ARM64
SG-2100	Marvell ARMADA 3720 (dual Cortex-A53)	ARM64
SG-3100	Marvell ARMADA 8040 (dual Cortex-A72)	ARM64
Netgate 6100	Intel Atom C3558	AMD64 (x86_64)
Netgate 4200	Intel Atom C1110	AMD64
Netgate 8200	Intel Atom C3758R	AMD64
Netgate 8300	Intel Xeon D-1733NT	AMD64

The Round 1 confusion likely stemmed from the SG-3100’s Cortex-A72 being mentioned in search results alongside the 6100 name. The SG-3100 is ARM64; the 6100 is not.

Can AMD64 Packages Run on ARM64 (or Vice Versa)?

No. FreeBSD does not have a compatibility layer for running AMD64 binaries on ARM64 or vice versa. Packages must be compiled for the target architecture. However, since the 6100 IS AMD64, this question is moot for Boulder.

Q2: Does NetBird Provide ARM64 FreeBSD Binaries for pfSense?

Confidence: DEFINITIVE | Sources: GitHub API (netbirdio/pfsense-netbird releases), FreshPorts

Answer: YES. Official ARM64 pfSense packages now exist.

The official netbirdio/pfsense-netbird repository now provides packages for BOTH architectures. As of the latest release (v0.1.25, published 2026-03-15):

Package	Architecture	Download URL
NetBird client v0.66.4	x86_64	`https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/netbird-0.66.4-x86_64.pkg`
NetBird client v0.66.4	aarch64	`https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/netbird-0.66.4-aarch64.pkg`
pfSense GUI package v0.2.2	x86_64	`https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/pfSense-pkg-NetBird-0.2.2-x86_64.pkg`
pfSense GUI package v0.2.2	aarch64	`https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/pfSense-pkg-NetBird-0.2.2-aarch64.pkg`

This is a major update from Round 1, which referenced documentation pointing to v0.55.1 packages (AMD64 only). The current official packages are:

Much newer: v0.66.4 (vs v0.55.1 cited in Round 1)
Available in both architectures
Actively maintained (6 releases in March 2026 alone)
Include a GUI package v0.2.2 (vs v0.1.0 from docs)

Additionally, the FreeBSD ports collection (security/netbird) provides NetBird packages for:

FreeBSD 13 aarch64: v0.65.0
FreeBSD 14 aarch64: v0.66.3
FreeBSD 14 amd64: v0.66.3

For the Netgate 6100 at Boulder: Use the x86_64 packages. They will work natively.

Round 1 Documentation Was Outdated

The Round 1 research referenced the NetBird docs page which still links to v0.55.1 packages. The actual GitHub releases have been updated far beyond this. The docs page is stale and should not be relied upon for current package versions or architecture availability.

Q3: Options for a Linux Routing Peer VM in Boulder

Confidence: HIGH | Sources: NetBird docs, Microsoft Hyper-V docs, NetBird knowledge hub

Given that the Netgate 6100 can run NetBird directly (it is AMD64), a Linux routing peer VM is no longer a necessity. However, there are valid operational reasons to prefer a dedicated routing peer VM:

Separation of concerns: firewall remains clean, VPN overlay managed separately
Easier updates: Linux packages update independently of pfSense
HA capability: multiple routing peers can be deployed
Avoids pfSense package compatibility issues during pfSense upgrades

Option A: VM on Existing Hyper-V Hosts (RECOMMENDED if not installing on pfSense)

Aspect	Detail
Viable?	YES
Host	DATA001 (10.15.0.12) or DATA007 (10.15.0.13) — whichever has more spare resources
Guest OS	Ubuntu 24.04 LTS Server (minimal) or Debian 12 Bookworm
Specs needed	1 vCPU, 512 MB RAM, 8 GB disk (NetBird is extremely lightweight)
Network	Single vNIC on the 10.15.0.0/24 LAN, static IP (e.g., 10.15.0.20)
Hyper-V generation	Gen 2 (UEFI boot, supports Debian 12 and Ubuntu 24.04)

Pros:

No additional hardware cost
Leverages existing infrastructure and backup processes
Fast to deploy (15-30 minutes)
Hyper-V fully supports Linux guests with built-in integration services

Cons:

Depends on Hyper-V host being online
Adds a management dependency
Must coordinate with Boulder IT for VM creation

Option B: Small Dedicated Device

Aspect	Detail
Viable?	YES, but unnecessary
Device options	Raspberry Pi 4/5 (~~$35-60), Intel NUC (~~$200-400), or any spare mini-PC
OS	Ubuntu 24.04 LTS, Debian 12, or Raspberry Pi OS
Specs needed	Any ARM64 or AMD64 device with 512 MB+ RAM and Ethernet

Pros:

Independent of other infrastructure
Cheap, low-power, always-on
No VM overhead

Cons:

Additional hardware to procure, ship, and manage
Physical device needs space, power, network port
Overkill when pfSense or Hyper-V VMs are available

Option C: Docker Container on Existing Server

Aspect	Detail
Viable?	YES, with caveats
Host	Any server at Boulder with Docker installed
Image	`netbirdio/netbird:latest`
Requirements	`--cap-add=NET_ADMIN`, `--device /dev/net/tun`, host networking or macvlan

Pros:

Minimal footprint
Fast to deploy
Easy to update

Cons:

Container must run in privileged/NET_ADMIN mode for WireGuard tunnel
Network namespace complexity may interfere with routing
Not ideal for routing peer role (NetBird docs recommend Linux, Windows, macOS, or Docker peers for routing, but container networking adds complexity)

Q4: Network Configuration for Each Option

Confidence: HIGH | Sources: NetBird docs (network routes, routing traffic to private networks), OPNsense NetBird guide

Common Requirements for Any Routing Peer

IP Forwarding: Must be enabled on the routing peer

sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-netbird.conf

NetBird handles routing automatically: When you designate a peer as a routing peer in the NetBird dashboard and define a network route (e.g., 10.15.0.0/24), NetBird configures the necessary iptables rules on the routing peer.
WireGuard traffic: NetBird uses UDP hole-punching via ICE/STUN. No inbound firewall ports need to be opened on the pfSense WAN interface. All connections are initiated outbound. If direct P2P fails, traffic is relayed through TURN servers.
pfSense firewall rules needed: Only if masquerade is disabled (for source IP transparency). In that case, a static route on pfSense pointing remote subnets through the routing peer is needed, and pfSense must allow that traffic.

Option: Install Directly on pfSense (The Correct Answer for Boulder)

Since the Netgate 6100 is AMD64, install NetBird directly:

# SSH into pfSense
ssh admin@10.15.0.254

# Download latest packages
fetch https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/netbird-0.66.4-x86_64.pkg
fetch https://github.com/netbirdio/pfsense-netbird/releases/download/v0.1.25/pfSense-pkg-NetBird-0.2.2-x86_64.pkg

# Install
pkg add -f netbird-0.66.4-x86_64.pkg
pkg add -f pfSense-pkg-NetBird-0.2.2-x86_64.pkg

Post-install:

Navigate to VPN > NetBird in pfSense GUI
Enter Management URL and Setup Key, click Save
Assign wt0 interface: Interfaces > Assignments > select wt0(wt0) > Add
Enable the interface (name it NETBIRD)
Create firewall rules on the NetBird interface to permit traffic
Configure Outbound NAT if needed (Hybrid mode, add rule for wt0)

pfSense firewall rules for WireGuard traffic:

NetBird does NOT require inbound WAN rules (uses NAT traversal)
The pfSense WAN already allows outbound UDP (default behavior)
If P2P is desired without relay, ensure outbound UDP on high ports (49152-65535) is not blocked

Option: Linux VM Routing Peer Behind pfSense

Configuration Item	Value
VM IP	Static, e.g., `10.15.0.20/24`
Gateway	`10.15.0.254` (pfSense)
DNS	Whatever Boulder uses
IP forwarding	Enabled (`net.ipv4.ip_forward=1`)
NetBird setup	`netbird up --setup-key <KEY> --management-url <URL>`

pfSense requirements if using a Linux VM as routing peer:

No WAN firewall changes needed (NetBird uses outbound UDP hole-punching)
If masquerade is ON in NetBird (recommended for simplicity): No pfSense changes needed
If masquerade is OFF: Add a static route on pfSense:
- Destination: 100.x.0.0/16 (NetBird overlay) and 10.100.7.0/24 (Honolulu LAN)
- Gateway: 10.15.0.20 (Linux VM IP)

Q5: OPNsense on Netgate 6100?

Confidence: HIGH | Sources: OPNsense forum, OPNsense documentation, Netgate documentation

Could GSISG Replace pfSense with OPNsense on the Netgate 6100?

Technically possible but strongly discouraged for an enterprise deployment.

Aspect	Detail
OPNsense on AMD64 hardware?	YES — OPNsense fully supports AMD64
OPNsense on Netgate 6100 specifically?	Technically possible (AMD64), but untested and unsupported by Netgate
OPNsense ARM64 support?	NO official ARM64 support — OPNsense admin Franco stated: “no final generic arm build came of it that would make sense to release officially”
OPNsense os-netbird plugin?	YES — OPNsense has an official NetBird plugin (`os-netbird`) with full GUI integration
Netgate warranty/support?	Would be voided — Netgate support only covers pfSense Plus on their hardware

Why this question is now moot: Since the Netgate 6100 is AMD64 and NetBird provides x86_64 pfSense packages, there is no reason to switch to OPNsense for NetBird compatibility. The NetBird pfSense package provides the same functionality.

If the question were about an SG-1100/SG-2100/SG-3100 (ARM64): OPNsense would not help, as OPNsense does not officially support ARM64 either.

Q6: Running NetBird in a Jail/Bhyve VM on pfSense?

Confidence: HIGH | Sources: Netgate forum, FreeBSD bhyve documentation

Bhyve on Netgate 6100

Aspect	Detail
Is bhyve available on pfSense?	YES — FreeBSD includes bhyve hypervisor, pfSense has the kernel modules
Is it supported by Netgate?	NOT officially — pfSense is designed as a firewall/router, not a VM host
Is it practical?	NO — bhyve on pfSense is highly manual (no GUI), does not persist across reboots without custom scripts, and there are known stability issues
Has anyone done it?	Yes — community members have run bhyve VMs on pfSense, but it is fragile and not recommended for production

FreeBSD Jails on pfSense

Aspect	Detail
Jails available?	YES — FreeBSD jails are available in pfSense
Can NetBird run in a jail?	Unlikely to work well — NetBird needs WireGuard kernel module access and tun/tap devices, which require privileged jail configuration
Is it supported?	NO — Netgate does not support running services in jails on pfSense

Bottom line: Neither bhyve nor jails are a viable approach for running NetBird on pfSense. Since the 6100 is AMD64and official pfSense packages exist, install NetBird directly on pfSense using the official x86_64 packages.

Revised Recommendation for Boulder

Primary Recommendation: Install NetBird Directly on pfSense (Netgate 6100)

The ARM64 blocker does not exist. The Netgate 6100 is AMD64, and the official NetBird pfSense packages support x86_64. This is the simplest, most direct approach:

SSH into pfSense at 10.15.0.254
Download and install netbird-0.66.4-x86_64.pkg and pfSense-pkg-NetBird-0.2.2-x86_64.pkg
Configure via VPN > NetBird in the pfSense GUI
Assign the wt0 interface, create firewall rules
In the NetBird dashboard, create a network route for 10.15.0.0/24 with the pfSense peer as the routing peer

Time to deploy: ~15 minutes Additional hardware: None Additional VMs: None Risk: Low (official packages, well-documented process)

Fallback Recommendation: Linux VM on Hyper-V

If for operational reasons GSISG prefers not to install third-party packages on the production firewall:

Create a minimal Ubuntu 24.04 LTS VM on DATA001 or DATA007
Assign static IP 10.15.0.20 on the Boulder LAN
Install NetBird via APT, enable IP forwarding
Configure as routing peer in NetBird dashboard

Gaps & Uncertainties

#	Gap	Impact	Mitigation
1	pfSense Plus FreeBSD version compatibility with NetBird .pkg	LOW	The pfsense-netbird releases are actively maintained and tested; v0.1.25 released 2026-03-15
2	NetBird docs page still references v0.55.1 packages	LOW	Use GitHub releases directly, not the docs page
3	Exact pfSense Plus version running on Boulder’s Netgate 6100	LOW	Should confirm before installing, but all recent pfSense Plus versions use FreeBSD 14/15 which are compatible
4	Whether Boulder Hyper-V hosts have spare capacity for a VM	LOW	Only relevant if the fallback option is chosen
5	nhdIT unofficial package may confuse future searches	LOW	Use official `netbirdio/pfsense-netbird` packages, not the nhdIT fork

Round 1 Error Correction Summary

Round 1 Claim	Correction
”The Netgate 6100 uses ARM64 (aarch64) architecture”	WRONG. Netgate 6100 uses Intel Atom C3558 (AMD64/x86_64)
“Official ARM64 support: NOT AVAILABLE”	OUTDATED. Official ARM64 pfSense packages exist since at least March 2026 (netbirdio/pfsense-netbird releases)
“NetBird client package version: 0.55.1”	OUTDATED. Current version is 0.66.4
”pfSense GUI package version: NetBird-0.1.0”	OUTDATED. Current version is 0.2.2
”Community workaround: Unofficial ARM package at github.com/nhdIT/pfsense-netbird”	NO LONGER NEEDED. Official packages now cover both aarch64 and x86_64
”Consider running NetBird on a separate Linux VM behind pfSense”	UNNECESSARY for the Netgate 6100. Direct installation with x86_64 packages is the correct approach

Sources & Tool Usage Log

Primary Sources

Netgate 6100 Product Page — CPU: Intel Atom C3558 (AMD64)
Netgate 6100 Manual (PDF) — Installer: netgate-installer-amd64.img.gz
netbirdio/pfsense-netbird GitHub Releases — v0.1.25 with aarch64 + x86_64 packages
FreshPorts: security/netbird — FreeBSD ports availability matrix
NetBird pfSense Install Docs — Installation procedure (outdated package versions)
OPNsense Forum: Netgate ARM64 — No official ARM64 support
Netgate Forum: ARM64 Image Plans — pfSense CE ARM64 not planned
Netgate Blog: Introducing SG-2100 — ARM64 Cortex A53 confirmation
OPNsense NetBird Plugin Docs — OPNsense os-netbird setup
NetBird FAQ: Firewall — No inbound ports required
NetBird Network Routes Docs — Routing peer configuration
Microsoft: Debian on Hyper-V — Hyper-V Linux guest support
Netgate Hardware Documentation — Architecture compatibility
nhdIT/pfsense-netbird — Unofficial package (superseded by official releases)

Tool Usage Summary

Tool	Calls	Purpose
mcp__claude_ai_Tavily__tavily_search	9	Architecture verification, FreeBSD binaries, OPNsense compatibility, bhyve, Hyper-V, pfSense versions
WebFetch	5	Netgate product pages, GitHub releases, OPNsense forum, NetBird docs
Bash (GitHub API)	3	Enumerate exact release assets and download URLs from pfsense-netbird repo