Watchguard Firebox T55
-
@perrin said in Watchguard Firebox T55:
...is there anything comparable to Linux DSA in BSD? Or does somebody have an idea how to get the Marvell running in BSD?
Yes, and it works in a similar way: https://www.freebsd.org/cgi/man.cgi?query=etherswitch
We use that on the devices we ship with an internal switch.
However the problem with using it here is that it requires an NIC driver that exposes the MDIO bus to the OS to allow it to 'see' the switch. The standard igb driver does not do that and we have never found any patches available to do it. Adding that is a non-trivial undertaking!
The same issue exists in a number of other devices including the T70. Forcing the switch to start in unmanaged mode is useful there though as it has other interfaces. It's not really very useful on the T55 though where it has only one.
Doing that does not prevent the WGOS configuring the switch though. I'm surprised you had to replace the resistor to boot it.
There has been further discussion of this in some other threads. Probably most on the T70 thread.
Steve
-
@stephenw10 said in Watchguard Firebox T55:
I'm surprised you had to replace the resistor to boot it.
No, I did not have to replace the resistor to boot it. It did not detect the link on the network interface with the resistor connected.
So, you're basically saying that when I disabled the switch by desoldering the resistor, I made all ports connect to the internal igb0? So essentially the system then only has a "single" port as seen from the firewall? If that were true, it would be useless as a firewall in that mode...
-
Yes, pretty much. It doesn't disable the switch, it allows it to come up with all ports in a single layer 2, exactly like it would be used in an unmanaged switch.
It probably comes up in port VLAN mode which means you could still use an external switch and pass VLAN tagged traffic to it. Or use it as a VPN endpoint etc.
But to use it as a self-contained firewall with pfSense will require an igb driver that exposes the MDIO bus.
The only other possibility, as discussed in the T70 thread, is that the switch IC can also pull its config from an eprom when it powers up. So theoretically it would be possible to set a default config there and have it come up with the ports separated. The T70 has those jumpers that appear to enable/disable that but changing it made no difference so it might have the ports disabled there anyway. There's no easy way to access the eprom to find out.
Did you remove a heatsink from the switch IC?
Steve
-
@stephenw10 said in Watchguard Firebox T55:
Did you remove a heatsink from the switch IC?
Yes, I did. See picture #3 in the first post. The switch IC is the same as in the T70 (Marvell 88E6176), but it seems that the EEPROM is not connected (U36 is empty), also it is missing the DIP switches. I can take more pictures of the PCB if necessary...
I had no luck in finding the datasheet and just contacted Marvell to get a copy of the datasheet. I am not very confident to succeed with the inquiry at Marvell....
Let's see. Having the datasheet would give us more options.
Otherwise we could reverse engineer the Watchguard Linux kernel modules, but this is also not an easy task...
-
You wouldn't need to reverse engineer anything. That switch chip is already supported by numerous things including FreeBSD:
https://github.com/freebsd/freebsd-src/blob/master/sys/dev/etherswitch/e6000sw/e6000sw.c#L268
What is needed is a patched igb driver. That was/is used by Stormshield/Netasq in their hardware running their FreeBSD-based OS. That is why that switch driver exists in large part. Note we also contributed to it.
You can see a similar patch applied to OpenWRT to achieve the same thing. See:
https://forum.netgate.com/post/986595
Steve
-
Any updates?
-
For the igb driver? None I'm aware of.
-
@zanthos Sadly, I did not make any real further progress. Writing the igb driver or patching the igb driver is out of my scope as a programmer...
So this project rests until I find another idea or somebody is willing to help patching the igb driver.....
-
@stephenw10 Hi, I know this thread is rather old... just wanted to know if there is any new information, and the link for the IGB Patch in OpenWRT is not working anymore ...
Asking because I got a Watchguard T55 for free and wanted to use this one with either OPNSense, PFSense or OpenWRT, whatever is possible to get it running on the device.
Thanks in advance for your help.
-
No updates AFAIK. There was a recent thread about OpenWRT on the T70 over on their forum that confirmed the e1000 patch to allow switch access is not present there either. Velocloud had patched it themselves and not upstreamed it. Though there's a good chance such a patch would not be accepted upstream anyway.
Steve