Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Watchguard V60L pfsense Instalation issues

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    26 Posts 3 Posters 10.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      Nice photo.  :)
      Hmm some custom IC, yikes!
      In order to get the required throughput between the various local interfaces Rapidstream have used a custom ASIC in addition to the X86 board. The X86 cpu and PCI bus just wasn't up to the job in 2000. The code and specs for that will not be available. However it seems that the ASIC appears as a network device, it seems likely they would have simulated some well supported NIC (or does it?) in which case it may be possible to talk to it.  :-\ On the other hand when those boxes were running the original OS the two fxp ports were only ever used to sync together several boxes in a high availability cluster. Actual network data never flowed through them. It may be that the X86 CPU only ever sent control messages to the ASIC over the PCI connection.
      Whilst this would be a fascinating project it's way beyond my normal level of tinkering and the result would still be a fairly slow firewall. It would be much easier to replace the daughter board with a standard quad NIC.

      Steve

      This is talking about a later, faster model but the idea is the same:
      @http://www.checkpoint.com/press/partners/2002/rapidstream012202.html:

      RapidCore® ASIC and Check Point Secure XL™
      RapidStream is the first to deliver breakthrough VPN-1 performance on a single appliance by leveraging the Check Point SecureXL™ performance framework. The security decisions made by Check Point software running on the main CPU are executed by one or more RapidCore® chips, RapidStream's custom programmable security ASIC. RapidStream's architecture allows the company to linearly scale appliance performance to any desired level by adding additional RapidCore ASICs. RapidCore ASICs perform parallel processing of VPN-1 and FireWall-1 functions, Network Address translation (NAT), Denial of Service (DoS) attack protection, and Quality of Service (QoS) functions by using the embedded four RISC CPUS and embedded memory cache. "With RapidStream's architecture, the data path traffic 'cuts through' the RapidCore processor(s) and not the appliance's central CPU, eliminating a typical performance bottleneck: the system bus," said Vince Liu, RapidStream president and CEO. "The execution of Check Point Next Generation software on the RapidStream platform matches network wire speeds so users are not impeded by security measures, nor limited by the number of sessions that can be supported. Productivity is enhanced and bandwidth purchased by the organization is not wasted, improving the company's return on investment (ROI)."

      1 Reply Last reply Reply Quote 0
      • P Offline
        pedropt
        last edited by

        Thanks for the reply .
        I understand the point of view , now i am between 2 paths :
        1 st : i use the motherboard nics only and use PFSense witch have a very good GUI and can be updated freely and at lan i put a switch to connect my lan .

        2nd : i can use an outdated firmware from watchguard where i can use the PCI Ethernet Switch Card , but at same time i will be no secure and the configuration will be over the console (witch is a bit complicated at some points .)

        I surely prefer the 1st one  ;)
        By the way , Stephen , do you have vcontroller application from watchguard so i can give a look the the original firmware from this firewall without using the console and putty manually ?
        I do not have the original CD from this firewall because i buy it on ebay and the last owner did not had it .

        Thanks for everything .

        1 Reply Last reply Reply Quote 0
        • P Offline
          pedropt
          last edited by

          I removed the ethernet PCI card from the firewall and i notice that the irq 7 issue still remains as error on putty and on pfsense .
          Is there anyway to bypass this issue ?

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Try running 'vmstat -i' at the console. What is causing the storm?

            Try 'top -SH'. Anything showing high CPU usage?

            Steve

            1 Reply Last reply Reply Quote 0
            • P Offline
              pedropt
              last edited by

              here are the results steven :
              vmstat -i
              interrupt                          total      rate
              irq0: clk                        2090955        99
              irq4: uart0                      1380322        66
              irq6: fxp1                        983072        47
              irq7: ppc0                      1965927        94
              irq8: rtc                        2676708        127
              irq9: fxp0                      1666721        79
              irq14: ata0                        69918          3
              Total                          10833623        518
              [2.1-RELEASE][root@pfSense.localdomain]/root(2)

              about the cpu usage everything is normal , it is 93% idle and have only

              11 root    -60    -    0K  112K istorm  24:34  4.98% intr{irq7: ppc0}

              cat /var/log/dmesg.boot
              Copyright © 1992-2012 The FreeBSD Project.
              Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
                      The Regents of the University of California. All rights reserved.
              FreeBSD is a registered trademark of The FreeBSD Foundation.
              FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013
                  root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386interrupt storm detected on "irq7:"; throttling interrupt source
              i386
              Timecounter "i8254" frequency 1193182 Hz quality 0
              CPU: Intel Pentium III (847.74-MHz 686-class CPU)
                Origin = "GenuineIntel"  Id = 0x68a  Family = 6  Model = 8  Stepping = 10
                Features=0x387f9ff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,pn,mmx,fxsr,sse>real memory  = 134217728 (128 MB)
              avail memory = 108032000 (103 MB)
              wlan: mac acl policy registered
              cryptosoft0: <software crypto="">on motherboard
              padlock0: No ACE support.
              pcib0: <intel 82443bx="" host="" to="" pci="" bridge="" (agp="" disabled)="">pcibus 0 on motherboard
              pci0: <pci bus="">on pcib0
              fxp0: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xfc00-0xfc3f mem 0xc0000000-0xc0000fff,0xc0020000-0xc003ffff irq 9 at device 5.0 on pci0
              miibus0: <mii bus="">on fxp0
              inphy0: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus0
              inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
              fxp0: [ITHREAD]interrupt storm detected on "irq7:"; throttling interrupt source

              fxp1: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xf800-0xf83f mem 0xc0040000-0xc0040fff,0xc0060000-0xc007ffff irq 6 at device 6.0 on pci0
              miibus1: <mii bus="">on fxp1
              inphy1: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus1
              inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
              fxp1: [ITHREAD]
              isab0: <pci-isa bridge="">at device 7.0 on pci0
              isa0: <isa bus="">on isab0
              atapci0: <intel piix4="" udma33="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf400-0xf40f at device 7.1 on pci0
              ata0: <ata channel="">at channel 0 on atapci0
              ata0: [ITHREAD]
              ata1: <ata channel="">at channel 1 on atapci0
              ata1: [ITHREAD]
              uhci0: <intel 82371ab="" eb="" (piix4)="" usb="" controller="">port 0xf000-0xf01f irq 11 at device 7.2 on pci0
              uhci0: [ITHREAD]
              usbus0: <intel 82371ab="" eb="" (piix4)="" usb="" controller="">on uhci0
              piix0: <piix timecounter="">port 0x10a0-0x10af at device 7.3 on pci0
              Timecounter "Pinterrupt storm detected on "irq7:"; throttling interrupt source
              IIX" frequency 3579545 Hz quality 0
              pci0: <processor>at device 8.0 (no driver attached)
              cpu0 on motherboard
              atrtc0: <at real="" time="" clock="">at port 0x70 irq 8 on isa0
              ppc0: <parallel port="">at port 0x378-0x37f irq 7 on isa0
              ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
              ppc0: [ITHREAD]
              ppbus0: <parallel port="" bus="">on ppc0
              ppi0: <parallel i="" o="">on ppbus0
              uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
              uart0: [FILTER]
              uart0: console (9600,n,8,1)
              uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
              uart1: [FILTER]
              Timecounter "TSC" frequency 847739792 Hz quality 800
              Timecounters tick every 10.000 msec
              IPsec: Initialized Security Association Processing.
              interrupt storm detected on "irq7:"; throttling interrupt source
              usbus0: 12Mbps Full Speed USB v1.0
              ad0: 7623MB <cf card="" ver7.02k="">at ata0-master PIO4
              ugen0.1: <intel>at usbus0
              uinterrupt storm detected on "irq7:"; throttling interrupt source
              hub0: <intel 1="" 9="" uhci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus0
              Root mount waiting for: usbus0
              uhub0: 2 ports with 2 removable, self powered
              Trying to mount root from ufs:/dev/ufs/pfsense1</intel></intel></cf></parallel></parallel></parallel></at></processor></piix></intel></intel></ata></ata></intel></isa></pci-isa></i82555></mii></intel></i82555></mii></intel></pci></intel></software></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,pn,mmx,fxsr,sse>

              i am also trying to find how to activate the leds of the firewall , "ready,admin & alarm" or at least the "ready" led .
              but most important than that is solve this issue with the irq .
              I was wondering if the cause may be related to the 128M sdram memory installed on the firewall and i be using the 512M pfsense image ?
              Can that affect this issue ?

              thank you for all your help on this , and as matter of fact this topic may be usefull for others users in future if they acquire a beast like this one , lol ;) .

              Note : before posting here i notice on the start on the boot that disabling acpi may fix this issue and i disable it on the boot , but issue still remains .

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                So it appears to be having a problem with the parallel  port (ppc0). Do you need the parallel port? Can it be disabled? About the only thing I can think it might be used for is the leds.

                You can read about my own investigation into the front panel leds on other Watchguard boxes here:
                http://forum.pfsense.org/index.php/topic,32013.0.html

                I also just noticed that there is another device shown in your pci listing. Vendor:13a3 Device:0006. This appears to be a Hi-fn crypto chip. It is supported by the lofn(4) driver in other BSDs but hasn't been ported to FreeBSD unfortunately.

                Steve

                1 Reply Last reply Reply Quote 0
                • P Offline
                  pedropt
                  last edited by

                  Hi Steve , i can not understand why it says parallel port ?!!
                  Why it says parallel port if the hardware have none ?
                  can that port be related to the db9 ups port at back of the hardware ?

                  I will check your topic about the leds later , i have to go to work now .

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    The UPS connector is almost certainly a serial port.
                    Just because there isn't a parallel port connector on the box does not mean it doesn't have one. It's standard PC hardware it probably uses a SuperIO chip to provide various services and it may provide a parallel port even if it's not connected to anything. Purely speculation but I could imagine an incorrectly terminated parallel interface generating way too many interrupts. On the later fireboxes the parallel port is used for the LCD.
                    Try looking in the BIOS, if you can, see if it can be disabled.

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • P Offline
                      pedropt
                      last edited by

                      how do i go to the bios settings on this firewall ?
                      i only have the console as an interface to communicate with the hardware !!!!

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        Well I wasn't sure if you could. Many appliance style boxes use console-redirect to access the BIOS via the serial port. Often you have to press TAB to enter the setup. Otherwise we could try switching the serial port mode using a tunable.

                        Edit: Try adding the line:

                        hint.ppc.0.flags="0x24" 
                        

                        to the file /boot/loader.conf.local. You will have to create that file.
                        That line should disable the parallel port using an IRQ and force it to use EPP mode.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • P Offline
                          pedropt
                          last edited by

                          Bingo , worked just fine , thanks
                          no more irq issues .
                          Tab does not work to get access to bios , you told about tuneable settings that i may can get access to it , how do i do it ?

                          Thanks for everything

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S Offline
                            stephenw10 Netgate Administrator
                            last edited by

                            Ah sorry I wrote serial and meant parallel. That device hint is the sort of thing I was thinking of. There's probably no easy way of accessing the BIOS if console redirect isn't enabled. We had to do it on the firebox x-e box because you need BIOS access to boot pfSense on that. It was high risk initially though.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • C Offline
                              Canus Lupus
                              last edited by

                              Hi,

                              @pedropt: You can access the BIOS by hitting CTRL + C (I use Putty) in the console when you see the memory test

                              Because it looks like there is no way to bring this 4 port NIC to work i wanted to replace it but non of the NICs i tried
                              is recognized. did somebody tried this before and had success with it?

                              Thanks in advance for any answer or idea

                              1 Reply Last reply Reply Quote 0
                              • P Offline
                                pedropt
                                last edited by

                                thanks for the tip Canus Lupus , i did not knew that one .
                                my issue now is working in the bios from putty .
                                i have try many commands to navigate on the bios , but i had no success doing it , i believe that half of my keyboard keys on bios just give it an exit code and then run the boot .
                                About getting the other 4 nics working i did not yet managed to get them working .
                                I can only get those nics working using the original watchguard firmware .
                                Other thing before i leave , i posted a cable connection schematic on this thread for this firewall , i later notice that using a Cisco console cable it will work perfectly too .

                                1 Reply Last reply Reply Quote 0
                                • C Offline
                                  Canus Lupus
                                  last edited by

                                  Hi pedropt,

                                  yes this exactly what i am using. One of my CISCO cables :-)

                                  yes the original 4 port NIC which is inside i get also only working with the original SW and i gave up to get it
                                  to work with another SW. I try to use then some other NICs inside but i run always in some problems. It looks like
                                  best is working NICs with an Intel chip set (like the 2 on board ports). I only run in to an IRQ problem with an 2 port
                                  Intel based NIC which i actually wanted to use.

                                  About the navigation in the BIOS. Yes when you press a wrong button kicks you out of the BIOS. Unfortunately i
                                  am right now not at home but later on when i will be back i will have a look on my notices and will post here an
                                  description how to navigate in this BIOS :-)

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S Offline
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    In the x-peak box the console redirect in the bios is pretty buggy. I was able get around that by connecting a keyboard to use for input while using the serial port to see the output. I don't see a keyboard header on the board though.

                                    Steve

                                    1 Reply Last reply Reply Quote 0
                                    • P Offline
                                      pedropt
                                      last edited by

                                      i can only get the HTA ports on the motherboard working , right now i am using both for wan and lan .
                                      i am curious to know if there is a way to know how watchguard put those 4 nics working in V60L .
                                      tomorrow i will put my original card from watchguard on a card reader , and i will look the files using my linux .
                                      maybe i can copy the uncompressed files to a rar file to someone here with experience look into them .
                                      I think i can also convert the files in ntfs file system for those that are using Windows OS ?
                                      Shall i give the trouble doing that ?
                                      it will give us some kind of advantage to understand how firmware puts the 4 nics working ?
                                      let me know .
                                      Best of all .

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S Offline
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        The extra 4 NICs are more like a layer 3 switch than a quad NIC card. As such it will be veery difficult to control them from pfSense. It might theoretically be possible if you were able to determine how Watchguard's OS talks to the card but it would be hard.
                                        The card appears as a networking device in pciconf and that initially makes you think it's a network card of some sort that might be recognisable by a standard FreeBSD driver given the correct PCI IDs however there isn't a NIC chip on the card that we might reasonably talk to. If we were able to talk to the card how is the Rapidstream chip controlled? If we're very lucky it might be via telnet or some simple protocol but it might just as likely be directly via the PCI slot using completely proprietary coding.
                                        Looking in the Watchguard firmware might reveal some clues but it's likely all the stuff to talk to the card will be binary blobs.

                                        Steve

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.