Watchguard Firebox M400/M500

gilphilbert

@stephenw10 Yep, I can't explain why, since pfSense can open the serial port and write to it, but FreeDOS wouldn't - it just complained about not being able to write to COM1 - meaning there was no serial output.

I wonder if a Watchguard firmware update has broken this along the way, although it's odd that Linux seems to be able to open ttyS0 while FreeDOS can't open COM1.

gilphilbert

I started this a couple of days ago because I thought I might need it when I couldn't get FreeDOS to boot and I thought I'd share it as it doesn't need the VGA adapter to work.

I created a custom version of Tiny Core Linux that includes afulnx - the Linux version of afudos. The environment also includes Zanthos' v6 BIOS ROM ready to flash.

https://drive.proton.me/urls/F89NEJFPN8#3A6Fs0a7VBup

To use it, write the image to a CF card or USB key. Use BalenaEtcher or other cloning software (dd works just fine from Linux) to write the image directly to the device and boot the firewall from it. My unit defaults to booting the CF card, so I had to remove it to force the machine to boot from the USB key. Serial is enabled in the image (115200) and you'll be auto-logged in as the default user. There's a readme file (~/readme) with instructions as well as a short disclaimer (the usual, I'm not responsible for you breaking your stuff, etc.). The binary and v6 ROM are located in /opt/rom and work the same way as afudos - the same commands to backup and flash. Since the binary loads kernel modules it needs to be run with sudo priviledges:

cd /opt/rom
sudo ./afulnx ~/backup.rom /O
sudo ./afulnx m400.rom /B /P /N

Assuming all goes well:

sudo reboot

The usual beeps will occur and you'll likely need to clear the CMOS with J4.

Note
Make sure you store your backup in /home/tc (~) since other directories are not persistent and your backup will be lost when you reboot!

stephenw10

That worked almost perfectly, thanks!

As you noted I could not make it boot either TinyCore or OpenWRT from anything but the CF card it came with. Which is odd I don't recall having that issue.

I also noted that after updating the BIOS it then failed boot TinyCore again from the CF. Not sure why.

Also that it does not boot USB by default after updating I had to choose it from the boot device menu.

gilphilbert

@stephenw10 said in Watchguard Firebox M400/M500:

That worked almost perfectly, thanks!

As you noted I could not make it boot either TinyCore or OpenWRT from anything but the CF card it came with. Which is odd I don't recall having that issue.

I also noted that after updating the BIOS it then failed boot TinyCore again from the CF. Not sure why.

Also that it does not boot USB by default after updating I had to choose it from the boot device menu.

Now that's interesting, my machine boots TC just fine after the upgrade (I did have to clear the CMOS though). I gave up entirely trying to boot FreeDOS - it's just too picky on these machines.

Building that image was far more complicated than I expected, so I'm glad someone other than just me made use of it!

gilphilbert

I'm not sure if this is normal, but I'm not getting any CPU temps from the box:

# sysctl -a | grep temperature
hw.acpi.thermal.tz1.temperature: 29.9C
hw.acpi.thermal.tz0.temperature: 27.9C

# sysctl -a | grep "dev.cpu.*.temperature"
#

Does anyone else see CPU temps? I installed an i3 and wanted to see what temp it was running at.

stephenw10

That with the default fan speed? Those temps are pretty good (low), what sort of i3 is that?

I probably need to go and blow the dust out of mine!

Oh wait you need to enable the coretemp module in Sys > Adv > Misc then check:

sysctl dev.cpu.0.temperature dev.cpu.1.temperature
dev.cpu.0.temperature: 46.0C
dev.cpu.1.temperature: 44.0C

That's with the default G1820, without speedstep enabled and the fans set to 0x20.

[24.03-RC][root@m500.stevew.lan]/root: sysctl dev.cpu.0.temperature dev.cpu.1.temperature
dev.cpu.0.temperature: 34.0C
dev.cpu.1.temperature: 30.0C

The G3420 with speedstep enabled and fans at 0x1b

gilphilbert

@stephenw10 Ah, that did it (coretemp module):

# sysctl -a | grep "dev.cpu.*.temperature"
dev.cpu.3.temperature: 51.0C
dev.cpu.1.temperature: 49.0C
dev.cpu.2.temperature: 52.0C
dev.cpu.0.temperature: 50.0C

It's a Core i3 4130 with SpeedStep enabled.

I replaced the fans with Noctua ones (including the power supply) so I'm expecting the temps to be higher even with SpeedStep enabled.

stephenw10

Did you try just running the fans at a slower speed before replacing them?

gilphilbert

@stephenw10 No, because my plan was to put this in my office... but that plan has now changed and it's going in a different room. Chances are I'll actually re-install the original fans for better cooling. When I do, I'll let you know what temps I get

acsaba

@gilphilbert I appreciate your effort.
I have an M500 and I have tried to boot Firebox with the provided image and I do not have serial console access. The cable is good ( I have connection with the original firmware), so the question is if the image should work with M500. As I have seen in the specs, the motherboard is the same. In addition it is not clear for me if I need to reset the BIOS before to use the image or after.
I appreciate any feedback in this matter.

Many thanks.

stephenw10

I used it on an M500. It's identical to the M400 other than the CPU and RAM which shouldn't make any difference for this.

Did you use the original CF card?

acsaba

@stephenw10
No, I have another CF and I have tried with USB stick as well. I have successfully boot Arc loader and ubuntu core.
Many thanks for your feedback. I will keep working on it.

stephenw10

It won't boot USB with the original BIOS but if you've got a CF that will boot at all that should work.

acsaba

@stephenw10 said in Watchguard Firebox M400/M500:

iI won't boot USB with the original BIOS but if you've got a CF that will boot at all that should work.

I can boot with the original bios using USB stick As I have mentioned, I did this couple of times.
The condition is to remove the CF.

stephenw10

Hmm, curious. I never managed to make that work before flashing the BIOS.

acsaba

@stephenw10

I manage to install Synology DMS 7.2 using an arc-24.6.2.img, then installed an SSD.
The boot is still on the USB stick.

I just ordered i5-4590T CPU as replacement for the original one and 8 GB CF to not brake the original CF.
I will keep you posted.

iJay-XTM5

This M500 may have an unlocked bios, otherwise, it would not boot from USB IIRC. I had to unlock the bios through the serial console using the password others have posted in this forum. I was able to enable USB booting after unlocking the bios and successfully booted from a USB flash drive that had the USB memstick installer (Serial Console). I chose to install pfsense on the internal CF card as I did not want to open the box. The box boots off the CF now without a fuss.
I upgraded the CPU to an i5-4590T and installed low noise fans on my M400 previously, but it hangs on reboot every single time, so I left the M500 's original configuration as is.

acsaba

@iJay-XTM5
Appreciate your feedback. I have a second M500 (I used both in datacenter in HA mode), so I can test on this as well. Yesterday did the CPU update and I'm looking forward to replace the fans as well. Unfortunately a low noise fan is expansive, so in case you have any hint please share with me.

Regarding CPU temperature, it is ~60-62C in full load with the original fans.

stephenw10

You can lower the fan speed existing fans to reduce the noise using WGXepc

That seems quite hot though. I assume you replaced the heatsink compound when you fitted that?

acsaba

@stephenw10 said in Watchguard Firebox M400/M500:

That seems quite hot though. I assume you replaced the heatsink compound when you fitted that?

Yes. I did.

What is a normal temperature on your end ?
Many thanks.