Watchguard V60L pfsense Instalation issues
-
Nice photo. :)
Hmm some custom IC, yikes!
In order to get the required throughput between the various local interfaces Rapidstream have used a custom ASIC in addition to the X86 board. The X86 cpu and PCI bus just wasn't up to the job in 2000. The code and specs for that will not be available. However it seems that the ASIC appears as a network device, it seems likely they would have simulated some well supported NIC (or does it?) in which case it may be possible to talk to it. :-\ On the other hand when those boxes were running the original OS the two fxp ports were only ever used to sync together several boxes in a high availability cluster. Actual network data never flowed through them. It may be that the X86 CPU only ever sent control messages to the ASIC over the PCI connection.
Whilst this would be a fascinating project it's way beyond my normal level of tinkering and the result would still be a fairly slow firewall. It would be much easier to replace the daughter board with a standard quad NIC.Steve
This is talking about a later, faster model but the idea is the same:
@http://www.checkpoint.com/press/partners/2002/rapidstream012202.html:RapidCore
ASIC and Check Point Secure XL
RapidStream is the first to deliver breakthrough VPN-1 performance on a single appliance by leveraging the Check Point SecureXL performance framework. The security decisions made by Check Point software running on the main CPU are executed by one or more RapidCore chips, RapidStream's custom programmable security ASIC. RapidStream's architecture allows the company to linearly scale appliance performance to any desired level by adding additional RapidCore ASICs. RapidCore ASICs perform parallel processing of VPN-1 and FireWall-1 functions, Network Address translation (NAT), Denial of Service (DoS) attack protection, and Quality of Service (QoS) functions by using the embedded four RISC CPUS and embedded memory cache. "With RapidStream's architecture, the data path traffic 'cuts through' the RapidCore processor(s) and not the appliance's central CPU, eliminating a typical performance bottleneck: the system bus," said Vince Liu, RapidStream president and CEO. "The execution of Check Point Next Generation software on the RapidStream platform matches network wire speeds so users are not impeded by security measures, nor limited by the number of sessions that can be supported. Productivity is enhanced and bandwidth purchased by the organization is not wasted, improving the company's return on investment (ROI)." -
Thanks for the reply .
I understand the point of view , now i am between 2 paths :
1 st : i use the motherboard nics only and use PFSense witch have a very good GUI and can be updated freely and at lan i put a switch to connect my lan .2nd : i can use an outdated firmware from watchguard where i can use the PCI Ethernet Switch Card , but at same time i will be no secure and the configuration will be over the console (witch is a bit complicated at some points .)
I surely prefer the 1st one ;)
By the way , Stephen , do you have vcontroller application from watchguard so i can give a look the the original firmware from this firewall without using the console and putty manually ?
I do not have the original CD from this firewall because i buy it on ebay and the last owner did not had it .Thanks for everything .
-
I removed the ethernet PCI card from the firewall and i notice that the irq 7 issue still remains as error on putty and on pfsense .
Is there anyway to bypass this issue ? -
Try running 'vmstat -i' at the console. What is causing the storm?
Try 'top -SH'. Anything showing high CPU usage?
Steve
-
here are the results steven :
vmstat -i
interrupt total rate
irq0: clk 2090955 99
irq4: uart0 1380322 66
irq6: fxp1 983072 47
irq7: ppc0 1965927 94
irq8: rtc 2676708 127
irq9: fxp0 1666721 79
irq14: ata0 69918 3
Total 10833623 518
[2.1-RELEASE][root@pfSense.localdomain]/root(2)about the cpu usage everything is normal , it is 93% idle and have only
11 root -60 - 0K 112K istorm 24:34 4.98% intr{irq7: ppc0}
cat /var/log/dmesg.boot
Copyright
1992-2012 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013
root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386interrupt storm detected on "irq7:"; throttling interrupt source
i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel Pentium III (847.74-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x68a Family = 6 Model = 8 Stepping = 10
Features=0x387f9ff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,pn,mmx,fxsr,sse>real memory = 134217728 (128 MB)
avail memory = 108032000 (103 MB)
wlan: mac acl policy registered
cryptosoft0: <software crypto="">on motherboard
padlock0: No ACE support.
pcib0: <intel 82443bx="" host="" to="" pci="" bridge="" (agp="" disabled)="">pcibus 0 on motherboard
pci0: <pci bus="">on pcib0
fxp0: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xfc00-0xfc3f mem 0xc0000000-0xc0000fff,0xc0020000-0xc003ffff irq 9 at device 5.0 on pci0
miibus0: <mii bus="">on fxp0
inphy0: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
fxp0: [ITHREAD]interrupt storm detected on "irq7:"; throttling interrupt sourcefxp1: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xf800-0xf83f mem 0xc0040000-0xc0040fff,0xc0060000-0xc007ffff irq 6 at device 6.0 on pci0
miibus1: <mii bus="">on fxp1
inphy1: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus1
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
fxp1: [ITHREAD]
isab0: <pci-isa bridge="">at device 7.0 on pci0
isa0: <isa bus="">on isab0
atapci0: <intel piix4="" udma33="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf400-0xf40f at device 7.1 on pci0
ata0: <ata channel="">at channel 0 on atapci0
ata0: [ITHREAD]
ata1: <ata channel="">at channel 1 on atapci0
ata1: [ITHREAD]
uhci0: <intel 82371ab="" eb="" (piix4)="" usb="" controller="">port 0xf000-0xf01f irq 11 at device 7.2 on pci0
uhci0: [ITHREAD]
usbus0: <intel 82371ab="" eb="" (piix4)="" usb="" controller="">on uhci0
piix0: <piix timecounter="">port 0x10a0-0x10af at device 7.3 on pci0
Timecounter "Pinterrupt storm detected on "irq7:"; throttling interrupt source
IIX" frequency 3579545 Hz quality 0
pci0: <processor>at device 8.0 (no driver attached)
cpu0 on motherboard
atrtc0: <at real="" time="" clock="">at port 0x70 irq 8 on isa0
ppc0: <parallel port="">at port 0x378-0x37f irq 7 on isa0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppc0: [ITHREAD]
ppbus0: <parallel port="" bus="">on ppc0
ppi0: <parallel i="" o="">on ppbus0
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
uart1: [FILTER]
Timecounter "TSC" frequency 847739792 Hz quality 800
Timecounters tick every 10.000 msec
IPsec: Initialized Security Association Processing.
interrupt storm detected on "irq7:"; throttling interrupt source
usbus0: 12Mbps Full Speed USB v1.0
ad0: 7623MB <cf card="" ver7.02k="">at ata0-master PIO4
ugen0.1: <intel>at usbus0
uinterrupt storm detected on "irq7:"; throttling interrupt source
hub0: <intel 1="" 9="" uhci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus0
Root mount waiting for: usbus0
uhub0: 2 ports with 2 removable, self powered
Trying to mount root from ufs:/dev/ufs/pfsense1</intel></intel></cf></parallel></parallel></parallel></at></processor></piix></intel></intel></ata></ata></intel></isa></pci-isa></i82555></mii></intel></i82555></mii></intel></pci></intel></software></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,pn,mmx,fxsr,sse>i am also trying to find how to activate the leds of the firewall , "ready,admin & alarm" or at least the "ready" led .
but most important than that is solve this issue with the irq .
I was wondering if the cause may be related to the 128M sdram memory installed on the firewall and i be using the 512M pfsense image ?
Can that affect this issue ?thank you for all your help on this , and as matter of fact this topic may be usefull for others users in future if they acquire a beast like this one , lol ;) .
Note : before posting here i notice on the start on the boot that disabling acpi may fix this issue and i disable it on the boot , but issue still remains .
-
So it appears to be having a problem with the parallel port (ppc0). Do you need the parallel port? Can it be disabled? About the only thing I can think it might be used for is the leds.
You can read about my own investigation into the front panel leds on other Watchguard boxes here:
http://forum.pfsense.org/index.php/topic,32013.0.htmlI also just noticed that there is another device shown in your pci listing. Vendor:13a3 Device:0006. This appears to be a Hi-fn crypto chip. It is supported by the lofn(4) driver in other BSDs but hasn't been ported to FreeBSD unfortunately.
Steve
-
Hi Steve , i can not understand why it says parallel port ?!!
Why it says parallel port if the hardware have none ?
can that port be related to the db9 ups port at back of the hardware ?
I will check your topic about the leds later , i have to go to work now . -
The UPS connector is almost certainly a serial port.
Just because there isn't a parallel port connector on the box does not mean it doesn't have one. It's standard PC hardware it probably uses a SuperIO chip to provide various services and it may provide a parallel port even if it's not connected to anything. Purely speculation but I could imagine an incorrectly terminated parallel interface generating way too many interrupts. On the later fireboxes the parallel port is used for the LCD.
Try looking in the BIOS, if you can, see if it can be disabled.Steve
-
how do i go to the bios settings on this firewall ?
i only have the console as an interface to communicate with the hardware !!!! -
Well I wasn't sure if you could. Many appliance style boxes use console-redirect to access the BIOS via the serial port. Often you have to press TAB to enter the setup. Otherwise we could try switching the serial port mode using a tunable.
Edit: Try adding the line:
hint.ppc.0.flags="0x24"to the file /boot/loader.conf.local. You will have to create that file.
That line should disable the parallel port using an IRQ and force it to use EPP mode.Steve
-
Bingo , worked just fine , thanks
no more irq issues .
Tab does not work to get access to bios , you told about tuneable settings that i may can get access to it , how do i do it ?Thanks for everything
-
Ah sorry I wrote serial and meant parallel. That device hint is the sort of thing I was thinking of. There's probably no easy way of accessing the BIOS if console redirect isn't enabled. We had to do it on the firebox x-e box because you need BIOS access to boot pfSense on that. It was high risk initially though.
Steve
-
Hi,
@pedropt: You can access the BIOS by hitting CTRL + C (I use Putty) in the console when you see the memory test
Because it looks like there is no way to bring this 4 port NIC to work i wanted to replace it but non of the NICs i tried
is recognized. did somebody tried this before and had success with it?Thanks in advance for any answer or idea
-
thanks for the tip Canus Lupus , i did not knew that one .
my issue now is working in the bios from putty .
i have try many commands to navigate on the bios , but i had no success doing it , i believe that half of my keyboard keys on bios just give it an exit code and then run the boot .
About getting the other 4 nics working i did not yet managed to get them working .
I can only get those nics working using the original watchguard firmware .
Other thing before i leave , i posted a cable connection schematic on this thread for this firewall , i later notice that using a Cisco console cable it will work perfectly too .
-
Hi pedropt,
yes this exactly what i am using. One of my CISCO cables :-)
yes the original 4 port NIC which is inside i get also only working with the original SW and i gave up to get it
to work with another SW. I try to use then some other NICs inside but i run always in some problems. It looks like
best is working NICs with an Intel chip set (like the 2 on board ports). I only run in to an IRQ problem with an 2 port
Intel based NIC which i actually wanted to use.About the navigation in the BIOS. Yes when you press a wrong button kicks you out of the BIOS. Unfortunately i
am right now not at home but later on when i will be back i will have a look on my notices and will post here an
description how to navigate in this BIOS :-) -
In the x-peak box the console redirect in the bios is pretty buggy. I was able get around that by connecting a keyboard to use for input while using the serial port to see the output. I don't see a keyboard header on the board though.
Steve
-
i can only get the HTA ports on the motherboard working , right now i am using both for wan and lan .
i am curious to know if there is a way to know how watchguard put those 4 nics working in V60L .
tomorrow i will put my original card from watchguard on a card reader , and i will look the files using my linux .
maybe i can copy the uncompressed files to a rar file to someone here with experience look into them .
I think i can also convert the files in ntfs file system for those that are using Windows OS ?
Shall i give the trouble doing that ?
it will give us some kind of advantage to understand how firmware puts the 4 nics working ?
let me know .
Best of all . -
The extra 4 NICs are more like a layer 3 switch than a quad NIC card. As such it will be veery difficult to control them from pfSense. It might theoretically be possible if you were able to determine how Watchguard's OS talks to the card but it would be hard.
The card appears as a networking device in pciconf and that initially makes you think it's a network card of some sort that might be recognisable by a standard FreeBSD driver given the correct PCI IDs however there isn't a NIC chip on the card that we might reasonably talk to. If we were able to talk to the card how is the Rapidstream chip controlled? If we're very lucky it might be via telnet or some simple protocol but it might just as likely be directly via the PCI slot using completely proprietary coding.
Looking in the Watchguard firmware might reveal some clues but it's likely all the stuff to talk to the card will be binary blobs.Steve
