pfSense on Watchguard M270

stephenw10

What does your script contain?

How are the interfaces configured?

reiter_f

This post is deleted!

stephenw10

@reiter_f said in pfSense on Watchguard M270:

WAN (wan) -> ix0 -> v4/DHCP4: 192.168.2.102/24
LAN (lan) -> ix1.1 -> v4: 192.168.2.1/24

Whatever was configured at that point it's a subnet conflict between WAN and LAN.

reiter_f

i have found the mistake :) ...

i deleted all the interfaces and made them new ix1.### ( ### are now the same number as the Vlans from the skript )

now i can use all seperate Ports with seperate Vlans ...

(WAN-DHCP dosen't work but i think i'll start the config again with cloneing my disk from my hyper-V setup)

reiter_f

@stephenw10

I started the setup now new. the mistake of the WAN DHCP was that i did not to the WAN interface in the VLAN (ix0.###) now every thing works.

thank you for our support, now i'll be able to change all M270s to PFsense.

if it would help someone ... this was my skript, it run while booting in crontab

/usr/local/bin/setup_switch.sh

#!/bin/sh
#
# Script to setup the switch in the M270
#

echo "Congifguring switch ... "
logger Configuring switch ...

etherswitchcfg config vlan_mode DOT1Q

etherswitchcfg vlangroup0 vlan 1 members 1,9t
etherswitchcfg vlangroup1 vlan 101 members 2,10t
etherswitchcfg vlangroup2 vlan 102 members 3,10t
etherswitchcfg vlangroup3 vlan 103 members 4,10t
etherswitchcfg vlangroup4 vlan 104 members 5,10t
etherswitchcfg vlangroup5 vlan 105 members 6,10t
etherswitchcfg vlangroup6 vlan 106 members 7,10t
etherswitchcfg vlangroup7 vlan 107 members 8,10t

etherswitchcfg port1 pvid 1
etherswitchcfg port2 pvid 101
etherswitchcfg port3 pvid 102
etherswitchcfg port4 pvid 103
etherswitchcfg port5 pvid 104
etherswitchcfg port6 pvid 105
etherswitchcfg port7 pvid 106
etherswitchcfg port8 pvid 107

etherswitchcfg port1 forwarding
etherswitchcfg port2 forwarding
etherswitchcfg port3 forwarding
etherswitchcfg port4 forwarding
etherswitchcfg port5 forwarding
etherswitchcfg port6 forwarding
etherswitchcfg port7 forwarding
etherswitchcfg port8 forwarding
etherswitchcfg port9 forwarding
etherswitchcfg port10 forwarding

echo "done"
logger done

then i've done the " 1) Assing Interfaces" - configuration
with creating on ix0 the Vlan 1 (ix0.1), on ix1 the Vlans 101-107 (ix1.101, ... ,ix1.107)
(finisching without selecting/using the ix0 and ix1)
and at last " 2) Setup interface(s) IP adress"

*** Welcome to Netgate pfSense Plus 23.05-RELEASE (amd64) on pfSense ***

 WAN (wan)       -> ix0.1      -> v4/DHCP4: 192.168.16.58/24
 LAN (lan)       -> ix1.101    -> v4: 192.168.2.1/24
 OPT1 (opt1)     -> ix1.102    -> v4: 192.168.102.1/24
 OPT2 (opt2)     -> ix1.103    ->
 OPT3 (opt3)     -> ix1.104    ->
 OPT4 (opt4)     -> ix1.105    ->
 OPT5 (opt5)     -> ix1.106    ->
 OPT6 (opt6)     -> ix1.107    ->

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + Netgate pfSense Plus tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

the result was:

[23.05-RELEASE][root@pfSense.home.arpa]/usr/local/bin: etherswitchcfg
etherswitch0: VLAN mode: DOT1Q
port1:
        pvid: 1
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
port2:
        pvid: 101
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
port3:
        pvid: 102
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port4:
        pvid: 103
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port5:
        pvid: 104
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port6:
        pvid: 105
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port7:
        pvid: 106
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port8:
        pvid: 107
        state=8<FORWARDING>
        flags=0<>
        media: Ethernet autoselect (none)
        status: no carrier
port9:
        pvid: 1
        state=8<FORWARDING>
        flags=1<CPUPORT>
        media: Ethernet 2500Base-KX <full-duplex>
        status: active
port10:
        pvid: 1
        state=8<FORWARDING>
        flags=1<CPUPORT>
        media: Ethernet 2500Base-KX <full-duplex>
        status: active
vlangroup0:
        vlan: 1
        members 1,9t
vlangroup1:
        vlan: 101
        members 2,10t
vlangroup2:
        vlan: 102
        members 3,10t
vlangroup3:
        vlan: 103
        members 4,10t
vlangroup4:
        vlan: 104
        members 5,10t
vlangroup5:
        vlan: 105
        members 6,10t
vlangroup6:
        vlan: 106
        members 7,10t
vlangroup7:
        vlan: 107
        members 8,10t

and now only the Firewall-configuration with the web-gui 192.168.2.1

thanks for all the help

stephenw10

Be careful using VLAN1. I would try to avoid that if possible.
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1

Steve

reiter_f

@stephenw10
thanks, i will change it

mr.rosh

Hi All,

Could someone with BIOS password for Watchguard M270, please share with me. i've got a Watchguard M270 from eWaste, and keen to have pfsense plus on it.
thanks.

shaker

Hey guys, one more question.
I like to use the M270's WAN on my modem and the PPPoE to connect to the internet.
Generally it works, the pfsense is online. But something is wrong. I can scan for latest versions, I can DNSlookup google, but nothing more. I can not reach servers via ping or visit websites on LAN.
Firewall settings are checked. It might be something different.
Could it has something to do with VLAN setting on the WAN? Can I configure the M270 to have no VLAN on WAN, but VLANs on all LAN ports?

stephenw10

If DNS lookup from the gui works and returns results from all configured servers you must have two way traffic on WAN. So that implies the switch/vlan settings must be correct.

Are you testing ping from the webgui? What error is shown?

Kieran_

This post is deleted!

shaker

Sorry for the late answer.
I really don't know why it was not working. But I tried it out twice again, and now it is fine. In my opinion I did the same, but anyway.

One other thing:
In the post from Apr. 16th you, @stephenw10 ,described to use ports as a LAGG. Can somebody let me know, what I have to change in the script, when I like to link port 2 and 3 together?
Finally I need only one VLAN on them, cause I use then the pfsense as the router to connect the ISP via PPPoE and link another main router behind on the LAGG to extend the networks behind.
Maybe this is working well.

But I wasn't sure to try it out, because with the script I have, I can add LAGGs to ix0 or ix1 only at the moment. I think that's not a good idea and I may loose connection to the webGUI without doing it correctly.

Thank you

stephenw10

Hmm, you want to add a LAGG between switch ports 2 & 3 to some other router? Not a switch?

The NICs in the M270, ix0 and ix1, are connected to switch ports 9 and 10. You can LAGG ix0 and ix1 to the internal switch if you want to but you don't really gain anything by doing so.

The biggest issue is that the internal switch can only do a load-balance LAGG, it cannot do LACP. So that makes it quite limited.

psp

Upgraded from 23.05.1 to 23.09 without problems.

Just re-add (from serial console, after update) to /boot/device.hints the lines to load the drivers:

hint.mdio.0.at="ix1"
hint.e6000sw.0.addr=0
hint.e6000sw.0.is6190=1
hint.e6000sw.0.port0disabled=1
hint.e6000sw.0.port9cpu=1
hint.e6000sw.0.port10cpu=1
hint.e6000sw.0.port9speed=2500
hint.e6000sw.0.port10speed=2500

shaker

Is the solution now not interesting any more for private use, due to the information that the plus licence become no free access any more?
I don't need the plus licence, but there was no solution for the CE one with the M270.
What are your plannings in the next month, WHO written in this post before?

stephenw10

Currently that's still true. It will only run with Plus because of the requirement for the specially modified ixgbe driver.

But there may be other options.

shaker

Other options coming or there are some already. Can you give updates about the news here?

stephenw10

Nothing yet. If you already had a plus sub it will still be valid though.

New2This

@stephenw10 How are you guys getting the plus version even installed. I have my M270 with a fresh install of CE 2.7.0. i have IP'S assigned to my WAN and LAN interfaces but since they are not UP, i cant connect to the webgui or ping from my laptop.
With the interfaces being in a down state, how do you upgrade to plus?

Thank you in advance,

stephenw10

When I did it I installed it in something else first then moved the drive into the m270. Of course that's easier for me as I have numerous other things I can do it with and no issues with upgrading.

If you have a Plus sub already on some other NDI we can probably migrate it to the m270 if/when you move the drive.

Steve