Watchguard Firebox M400/M500

chpalmer

@xxup

Its my production box and is on a (spinner) laptop drive now. I loaded it via USB a few years ago but after 2.5 or so I could no longer get that method to work. Ive been just upgrading ever since and really want to just refresh this thing with the new SSD.

What ever SATA port I am using is working now. I have not tried to install the drive after I wrote it tonight. Gotta wait till I can take the network down for a while.

Rack mounted PIA to move ect..

chpalmer

@chpalmer said in Watchguard Firebox M400/M500:

@xxup

Its my production box and is on a (spinner) laptop drive now. I loaded it via USB a few years ago but after 2.5 or so I could no longer get that method to work. Ive been just upgrading ever since and really want to just refresh this thing with the new SSD. (old drive Seagate Certified Repaired Momentus 7200.2 80GB drive. Date: 08462)

Finally got this to work. ;)

I had to reload the drive again but this time I did it with my lab XTM5 box which I could not get to load from USB before.. (finally found the correct setting in BIOS and it finally booted from the memstick..)

This morning swapped the drive over to the M400.. (replaced my fans with the much quieter Noctua fans I bought about two years ago) reloaded the backup config.. and primary network is up before anyone in the house here is out of bed..

Getting to my dashboard was taking about 60 seconds before so something was up.. now it is instant.

gilphilbert

Lurking as I get my M400 running... I'm trying to flash the BIOS but whatever I do I can't get FreeDOS to boot. I've flashed USB keys, CF cards... pretty much every device I have. The devices will boot other machines, but not the M400.

I hooked up a VGA port and it's complaining that there's no bootable Device ("Insert bootable medium"). I wanted to try the FreeDOSBIOS2.img file linked to here, but the Google Site is down and I can't access the file. Does anyone have a copy or know why I can't get FreeDOS to boot?

Thanks!

stephenw10

Should be here.

Though interestingly I failed to boot that myself on an M500 recently. Been too long since I last did it.

gilphilbert

@stephenw10 Awesome, thanks - I'll see if I can get my M400 to boot from it tonight. If not, looks like I'll be trying the SPI method - if I can find my SPI programmer!

gilphilbert

@gilphilbert Woohoo! I'm up and running with v6. This was the only FreeDOS version that booted. I tried my own 64G CF card but it wouldn't boot from that - only the one that came with the unit.

Interestingly, FreeDOS couldn't open the serial port so I had to use a VGA cable. The message on boot was "unable to write to COM1", so I had to use a VGA cable.

I did have a moment of panic when the box rebooted then the VGA monitor stayed dark... I thought I'd bricked it until I realized the three beeps were FreeDOS booting. Attached a serial cable and relaxed again!

stephenw10

Ah nice. So you had to use the VGA header initially? I did that with the first M400 I had but I'm sure I didn't have to do that for others.

gilphilbert

@stephenw10 Yep, I can't explain why, since pfSense can open the serial port and write to it, but FreeDOS wouldn't - it just complained about not being able to write to COM1 - meaning there was no serial output.

I wonder if a Watchguard firmware update has broken this along the way, although it's odd that Linux seems to be able to open ttyS0 while FreeDOS can't open COM1.

gilphilbert

I started this a couple of days ago because I thought I might need it when I couldn't get FreeDOS to boot and I thought I'd share it as it doesn't need the VGA adapter to work.

I created a custom version of Tiny Core Linux that includes afulnx - the Linux version of afudos. The environment also includes Zanthos' v6 BIOS ROM ready to flash.

https://drive.proton.me/urls/F89NEJFPN8#3A6Fs0a7VBup

To use it, write the image to a CF card or USB key. Use BalenaEtcher or other cloning software (dd works just fine from Linux) to write the image directly to the device and boot the firewall from it. My unit defaults to booting the CF card, so I had to remove it to force the machine to boot from the USB key. Serial is enabled in the image (115200) and you'll be auto-logged in as the default user. There's a readme file (~/readme) with instructions as well as a short disclaimer (the usual, I'm not responsible for you breaking your stuff, etc.). The binary and v6 ROM are located in /opt/rom and work the same way as afudos - the same commands to backup and flash. Since the binary loads kernel modules it needs to be run with sudo priviledges:

cd /opt/rom
sudo ./afulnx ~/backup.rom /O
sudo ./afulnx m400.rom /B /P /N

Assuming all goes well:

sudo reboot

The usual beeps will occur and you'll likely need to clear the CMOS with J4.

Note
Make sure you store your backup in /home/tc (~) since other directories are not persistent and your backup will be lost when you reboot!

stephenw10

That worked almost perfectly, thanks!

As you noted I could not make it boot either TinyCore or OpenWRT from anything but the CF card it came with. Which is odd I don't recall having that issue.

I also noted that after updating the BIOS it then failed boot TinyCore again from the CF. Not sure why.

Also that it does not boot USB by default after updating I had to choose it from the boot device menu.

gilphilbert

@stephenw10 said in Watchguard Firebox M400/M500:

That worked almost perfectly, thanks!

As you noted I could not make it boot either TinyCore or OpenWRT from anything but the CF card it came with. Which is odd I don't recall having that issue.

I also noted that after updating the BIOS it then failed boot TinyCore again from the CF. Not sure why.

Also that it does not boot USB by default after updating I had to choose it from the boot device menu.

Now that's interesting, my machine boots TC just fine after the upgrade (I did have to clear the CMOS though). I gave up entirely trying to boot FreeDOS - it's just too picky on these machines.

Building that image was far more complicated than I expected, so I'm glad someone other than just me made use of it!

gilphilbert

I'm not sure if this is normal, but I'm not getting any CPU temps from the box:

# sysctl -a | grep temperature
hw.acpi.thermal.tz1.temperature: 29.9C
hw.acpi.thermal.tz0.temperature: 27.9C

# sysctl -a | grep "dev.cpu.*.temperature"
#

Does anyone else see CPU temps? I installed an i3 and wanted to see what temp it was running at.

stephenw10

That with the default fan speed? Those temps are pretty good (low), what sort of i3 is that?

I probably need to go and blow the dust out of mine!

Oh wait you need to enable the coretemp module in Sys > Adv > Misc then check:

sysctl dev.cpu.0.temperature dev.cpu.1.temperature
dev.cpu.0.temperature: 46.0C
dev.cpu.1.temperature: 44.0C

That's with the default G1820, without speedstep enabled and the fans set to 0x20.

[24.03-RC][root@m500.stevew.lan]/root: sysctl dev.cpu.0.temperature dev.cpu.1.temperature
dev.cpu.0.temperature: 34.0C
dev.cpu.1.temperature: 30.0C

The G3420 with speedstep enabled and fans at 0x1b

gilphilbert

@stephenw10 Ah, that did it (coretemp module):

# sysctl -a | grep "dev.cpu.*.temperature"
dev.cpu.3.temperature: 51.0C
dev.cpu.1.temperature: 49.0C
dev.cpu.2.temperature: 52.0C
dev.cpu.0.temperature: 50.0C

It's a Core i3 4130 with SpeedStep enabled.

I replaced the fans with Noctua ones (including the power supply) so I'm expecting the temps to be higher even with SpeedStep enabled.

stephenw10

Did you try just running the fans at a slower speed before replacing them?

gilphilbert

@stephenw10 No, because my plan was to put this in my office... but that plan has now changed and it's going in a different room. Chances are I'll actually re-install the original fans for better cooling. When I do, I'll let you know what temps I get

acsaba

@gilphilbert I appreciate your effort.
I have an M500 and I have tried to boot Firebox with the provided image and I do not have serial console access. The cable is good ( I have connection with the original firmware), so the question is if the image should work with M500. As I have seen in the specs, the motherboard is the same. In addition it is not clear for me if I need to reset the BIOS before to use the image or after.
I appreciate any feedback in this matter.

Many thanks.

stephenw10

I used it on an M500. It's identical to the M400 other than the CPU and RAM which shouldn't make any difference for this.

Did you use the original CF card?

acsaba

@stephenw10
No, I have another CF and I have tried with USB stick as well. I have successfully boot Arc loader and ubuntu core.
Many thanks for your feedback. I will keep working on it.

stephenw10

It won't boot USB with the original BIOS but if you've got a CF that will boot at all that should work.