Watchguard XTM 5 Series
-
Bravo as always Stephen. I will definitely take a look at this when I get ready to swap out the processor as speedstep is a much needed feature. Till then I'll stick with your new release of WGXepc.
Any subtle differences in the hardware between the XTM5 and XTM8? My understanding is that the hardware was the same and the different versions referenced unlocked features by license for the Watchguard software. Curious.
Thanks!
Modifications are:
BIOS setup menus are unlocked and some additional menus are unhidden.
LCD now reports 'pfSense V1.8' at boot time.
Speedstep is unlocked and enabled if you have a compatible CPU.
Arm/Disarm LED is now red from boot.

Probably the safest way to get this file, least chance of corruption, is to fetch it straight to the box.
[2.1-BETA1][root@pfsense.localdomain]/tmp(10): fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom
xtm5_83.rom                                   100% of 1024 kB 1957 kBps
You can then also check its MD5 sum is correct:
[2.1-BETA1][root@pfsense.localdomain]/tmp(11): md5 xtm5_83.rom
MD5 (xtm5_83.rom) = e75bc93ca2db547a3facb8d611f0d441
Then write it with flashrom from there:
[2.1-BETA1][root@pfsense.localdomain]/tmp(13): flashrom -w xtm5_83.rom
flashrom v0.9.5.2-r1515 on FreeBSD 8.3-RELEASE-p8 (i386), built with libpci 3.1.9, GCC 4.2.1 20070719 [FreeBSD], little endian
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK.
Found ST flash chip "M25P80" (1024 kB, SPI) at physical address 0xfff00000.
Flash image seems to be a legacy BIOS. Disabling coreboot-related checks.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
It may be necessary to reset the CMOS with the on board jumper to get access to the bios menus. My box has been unlocked for so long I can't remember if I had to and I have no easy way to test. ::)
Steve
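The fetch, md5 and flashrom steps from the post above, wrapped into one script as an added example (this is not Steve's script and not part of the original post). It refuses to write unless the image's MD5 and size both match, and it reads the current chip contents to a backup file first so there is something to put back if the new image misbehaves. The URL and MD5 are the ones quoted above and the 1024 kB size is what flashrom reported for the M25P80; the `-p internal` flag, the backup filename and the `--flash` guard are my additions.

```sh
#!/bin/sh
# Added example, not from the thread: fetch the BIOS image, verify it, back up
# the current chip contents, and only then write. Run on the firebox itself.
# Assumptions: URL and MD5 are the ones quoted in the post; the chip is the
# 1024 kB M25P80 that flashrom reported; fetch and flashrom are in PATH.

ROM_URL="https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom"
ROM_FILE="xtm5_83.rom"
ROM_MD5="e75bc93ca2db547a3facb8d611f0d441"
ROM_SIZE=1048576                         # 1024 kB: must match the M25P80 exactly
BACKUP_FILE="xtm5_backup_$(date +%Y%m%d%H%M%S).rom"   # assumed name

# MD5 of a file as a bare hex string, on FreeBSD (md5) or Linux (md5sum)
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Size of a file in bytes
size_of() {
    wc -c < "$1" | tr -d ' '
}

# 0 if the file has the expected MD5 and size, 1 (with a message on stderr) otherwise
verify_rom() {
    file=$1; want_md5=$2; want_size=$3
    have_md5=$(md5_of "$file")
    have_size=$(size_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch on $file: got $have_md5, want $want_md5" >&2
        return 1
    fi
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch on $file: got $have_size bytes, want $want_size" >&2
        return 1
    fi
    return 0
}

# Fetch straight to the box, verify, back up the old chip contents, write.
flash_rom() {
    fetch "$ROM_URL" || return 1
    verify_rom "$ROM_FILE" "$ROM_MD5" "$ROM_SIZE" || return 1
    # Keep a copy of what is on the chip now; "flashrom -p internal -w" it to go back.
    flashrom -p internal -r "$BACKUP_FILE" || return 1
    [ "$(size_of "$BACKUP_FILE")" = "$ROM_SIZE" ] || { echo "short backup read" >&2; return 1; }
    # -w erases, writes and verifies; a non-zero exit means the chip may now hold a bad image.
    flashrom -p internal -w "$ROM_FILE" || return 1
    echo "flash written and verified; backup kept in $BACKUP_FILE"
}

# Only touch the chip when explicitly asked to.
if [ "$1" = "--flash" ]; then
    flash_rom
fi
```

Run it as `sh flash_xtm5.sh --flash` from /tmp. The backup only helps if the box still boots far enough to run flashrom again, which is why the MD5 and size checks come before any write; a write that reports success but leaves the box dead, as happened with the XTM8 later in this thread, is the case to plan for.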
-
The XTM5 and XTM8 are very different. Different box, different mother board.
To get SpeedStep sort-of working I had to use a modified DSDT file. However, even when I had it seemingly functioning I couldn't see any effects on either power consumption or heat. I put it down to the board/CPU supporting higher C states, which reduce power anyway.
Steve
-
Just ordered an XTM 505 off ebay and I'm excited to try out pfSense on it. Has anyone successfully booted from or attached a USB drive or HDD yet? Also, has anyone tried stephenw10's firmware update?
Thanks!
-
Hmm, interesting, it looks like I never tried it after unlocking the BIOS. It's definitely not possible to boot from USB without altering some BIOS settings, and to do that you need to flash the unlocked version. That obviously carries some risk, but I'm quite confident that the image I linked to is not corrupt. I uploaded it, downloaded it again and re-flashed it to my box without issue. Just make sure the MD5 sum is correct.
Steve
-
From my experience with the XTM8 (810), you can't boot anything from the usb ports - I tried!
I imagine the XTM505 will be the same - bios locked down and restricted as to what can be used - ie mouse and keyboard is pretty much as far as the bios will get you - until you unlock it.
My XTM8 is currently out of action - deffo be careful flashing the bios ;)
Eamon
-
StephenW10,
A little late of a response but yea duh about the hardware differences… I was thinking XTM5 series: 515, 505 etc which are all the same hardware. I can't keep up with all the Watchguard models you are working on. :P
Also, after trying LCDProc-Dev (latest package) it seems the key mapping was not integrated into the latest dev package, as my key mappings are still off. I'll post in the appropriate thread about this as well but wanted to reference it here, this being the official thread for XTM5 devices. Also, Stephen, could you enlighten me on the shellcmd you use to start/restart the LCDProc service? Thanks.
LCDProc-Dev Thread:http://forum.pfsense.org/index.php/topic,44034.msg349010.html#msg349010
iolaus,
With all due respect to StephenW10 and thanks for his hard work, there isn't much to gain from unlocking the BIOS. I would echo Eamon's warning in that you do not want to flash your BIOS unless you know 100% that you will benefit from the features. If you want to tinker, I would suggest only doing so if you are not really relying on the hardware and can afford to brick it. You will need to have a level of comfort/experience with modifying hardware/BIOS as you may need to create a serial jumper soldered to the board to unbrick it or reflash the serial flash device (at least this was my understanding from reading through StephenW10's posts. Please correct me if I'm wrong).
-
I will be using my XTM505 in my local network so I'll definitely have to be careful not to brick it. I had hoped to try out Snort but I'm wondering if I have to worry about the finite write capabilities of the CF card. If so, is it possible to install additional storage (SSD or larger USB Flash), perhaps as secondary storage, without unlocking the BIOS?
-
I had the same issue and question but the answer for me was much simpler/easier than having to install secondary storage. Instead I used the SHELLCMD package to mount an NFS Share at post boot and then setup logs to write to the share. A much more elegant solution, especially if you hope to use any other software (Splunk etc) to parse your log files.
Hope that helps.
-
I have to agree, general policy for flashing your bios should always be don't do it unless it offers something you need. That might go double for some hacked bios you downloaded from a forum! ;)
That said, I have flashed it many times successfully; I'd have no hesitation flashing a new box if I found one for the right price. The problems Eamon had with the XTM8 were mostly due to a BIOS chip that wasn't correctly handled by flashrom. It was doubly unfortunate because it reported no errors and seemed to be functioning correctly.

The XTM5 has provision for an internal HD by way of a power connector on the PSU and SATA connectors on the board. I can't remember if the standard BIOS has HD auto detection enabled. :-\
Steve
-
Hi, I can confirm that the BIOS from stephenw10 (xtm5_83.rom) works like a charm on my XTM 510. If I remember correctly, I booted pfSense on it and downloaded the BIOS directly to the XTM510 in a shell.
After flashing I was wondering why the BIOS was still locked, but I read that the CMOS has to be reset. I removed the power cord and the battery, drank a coffee, and everything was fine with the unlocked BIOS.

Thanks to stephenw10!
Now I'll try my luck with an XTM810 to boot another system than Watchguard's XTM OS.
-
Some updates:
I've got my XTM 505 up and running. I replaced the CPU with a Core2Duo E4500, replaced the RAM with a couple 1GB sticks I had lying around, and installed a 2.5" HD which I also had lying around.
I mounted the HD to a modified Intel 2.5" to 3.5" converter cage. The cage is mounted to the XTM 505 right behind the LCD on risers.
The XTM successfully finds the SATA HD without any BIOS modification and I have SHELLCMD mounting it at boot time.
Pictures:
-
Nice! :)
I would recommend removing the VPN accelerator card. It's just using power and isn't doing anything useful, unfortunately.
Steve
-
Anyone have any luck locating or compiling a suitable driver for the Cavium card? I believe a Linux one exists but no luck with BSD.
-
I believe it's closed source driver in Linux or at least you have to sign an NDA before they'll give you access to the SDK. No driver like that would ever make it into FreeBSD so it would have to be reverse engineered. Not an easy task.
Steve
-
Yeah that pretty much sums that up.
Anyone wanna buy a Cavium VPN card cheap? ;D
-
You never know support for the low end cavium chips may yet appear once they are of no resale value.
It's a shame they chose to use a reversed PCI-e connector; I've tried to find a female to female adapter but failed. Having the PCI-e bus terminated in an edge connector like that seems to be known as 'golden fingers'. Can turn up some interesting Google results! :P
Steve
-
I'd say chances are pretty slim considering Cavium has already released several models newer than the one in this box (Nitrox CN1605). Still, you never know.
"Golden Fingers" you say?
Could always use a PCI-e to mini-pci card or wifi card. Or a 10GB Ethernet card and mod the box to have a cable permanently attached internally and fed out the back. Not the most elegant solution but would make use of the port. Seems like there is enough room left to do something with it.
-
That's just it, you can't use any of those things without some sort of adapter because the slot is on the card! I had thought a backplane-style riser of the sort used for single board computers might do it but I haven't found one of those either.
Steve
Edit: Like this maybe: http://www.onestopsystems.com/backplane_427.php
-
Hello,
We have successfully installed pfsense on a watchguard xtm 505.
Just letting you know that the Quad Core Q8200S is supported by this motherboard and runs beautifully.
This CPU actually runs cooler than the Celeron - sits between 37-40C. The "S" model is of smaller lithography and runs more efficiently / cooler.
http://ark.intel.com/products/40816/Intel-Core2-Quad-Processor-Q8200S-4M-Cache-2_33-GHz-1333-MHz-FSB

Our specs are:
2GB RAM
Quad Core Q8200S
8GB Transcend CF Card (with 4GB image)

Works great!
Thanks to everyone who contributed.
Scott
http://www.synergy8.com/
-
Ooo, nice!
The only reason I went for the E4500 (other than it was cheap on ebay) was that it matched the lithography and bus speed on the Celeron closely. If we can use 45nm and 1333MHz that opens up many other CPUs.

Are you using the original BIOS?
Steve
-
Hi Steve,
Yes - original BIOS. No changes or flashing needed.
I'm sure other faster CPUs will work. But! Id be wary of the power consumption with other CPUs. That PSU in the box is pretty small!
I would be pretty confident in saying that most of the CPUs in the "Compatible products" list of: http://ark.intel.com/products/36528/82G41-Graphics-and-Memory-Controller-Hub would work.

But I can certainly confirm the stability and operation of the Q8200S. Power wise, we removed the VPN card and do not have a hard drive installed.
Here is a pic of the dashboard (some info removed).

Cheers,
Scott
http://www.synergy8.com/
-
Regarding the LCDProc dev package not automatically starting at boot I'm trying StephenW's method for restarting the services with SHELLCMDs from here:
http://forum.pfsense.org/index.php/topic,7920.msg344513.html#msg344513
-
Is the XTM 5 series powerful enough to run Squid and an antivirus package? Does it work with the CF card or do I need an appliance with an HDD installation (e.g. Symantec 5420)?
-
Yes & yes. I'm running off CF now and I have read of people installing an HD, but I'm not sure about using it to boot.
Also, this unit is upgradeable. You can upgrade the proc to a C2D and RAM as well.
All in all, a great box (with intel NICs) if you can get a good deal on one.
-
The XTM 510 usually has a Celeron 2GHz CPU and 1GB. Shouldn't this be enough power to run it with antivirus, proxy and content filter?
Does it make sense to use an 8GB CF card or higher for installation, or should 4GB be enough?
Cu Hawk78
-
It certainly is for a small to medium network but every scenario is different, if you turn on all the bells & whistles, your mileage may vary.
-
Exactly. It depends what throughput you need. If you're running Squid, Havp and Squidguard/Dansguardian you're not going to see 1Gbps. Chances are you don't need that though.
There is no value in using an 8GB CF card. The largest image available is 4GB so the remaining space can never be used.
If you want to use Squid as a caching proxy you must run it from HD. The continuous writes would kill flash media in short order; the package will prevent you doing it in NanoBSD.
Steve
-
There is no value in using an 8GB CF card. The largest image available is 4GB so the remaining space can never be used.
If you want to use Squid as a caching proxy you must run it from HD. The continuous writes would kill flash media in short order; the package will prevent you doing it in NanoBSD.

I believe there is a ticket in for 8GB images due to there being more packages available, especially since adding support for PBI installs, but yeah 4GB is the biggest now.
StephenW, ever try running Squid from CF with caching pointed to an NFS mount or HD mounted in cache directory path? I don't like the idea of running something as critical as a firewall from a HD.
-
Thanks for your reply menacingm & stephenw10! :)
I agree about the killing of flash media by caching. But what about the usb port. Could i use this for connecting a USB stick or USB HD for caching? What about SSD? Is there the same prob?
-
Ah I wasn't aware of the 8GB ticket. I have a hard time believing you could fill the space provided by the 4GB image slices though even with the PBI packages (which are a lot larger).
There are a number of people who have set up Squid to cache to a separate HD but it's not handled by the webGUI, which presents some issues. Primarily you need to have a setup that survives a firmware update, otherwise you'll have to re-make all your changes manually. Firstly there is no facility to mount a local drive, but you can handle that via the shellcmd package. Then you have to manually configure Squid to use your newly mounted slice for its cache. Lastly you need to know what happens if the HD fails. Does Squid fail to start? Does that result in no internet access for your clients?
Just running from an HD gets around these problems; HDs are pretty reliable these days. I'm fairly sure there are more pfSense installs running from HD than flash. There is provision in the XTM5 for installing a 2.5" SATA drive.
There was a thread recently detailing this setup on a Firebox X750e. That user used a script that ran at boot to check the HD status and mount /var accordingly:
http://forum.pfsense.org/index.php/topic,67823.0.html

Steve
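One way to do what the posts above describe (mounting an NFS share for logs from shellcmd, mounting the internal SATA disk at boot, and answering Steve's three questions about what happens when the disk is not there), as an added example that is not the thread's own script and not the X750e script linked above. It is meant to be called from the shellcmd package at boot: it tries to fsck and mount the disk, falls back to a small directory on the CF card if the disk is missing or fails fsck, and prints the matching Squid `cache_dir` line so Squid has a usable directory either way. The device name, mount points, NFS export, the include path and the cache sizes are all assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Run from shellcmd at boot. Mounts the
# internal SATA disk for Squid's cache with a fallback on flash, and mounts an
# NFS share for logs. Every path and device below is an assumption.

CACHE_DEV="${CACHE_DEV:-/dev/ad4s1d}"                  # assumed: internal 2.5" SATA disk, UFS
CACHE_MNT="${CACHE_MNT:-/mnt/cache}"
CACHE_FALLBACK="${CACHE_FALLBACK:-/var/squid/cache-small}"   # on the CF card, kept tiny
LOG_EXPORT="${LOG_EXPORT:-logserver:/export/fwlogs}"   # assumed NFS export for logs
LOG_MNT="${LOG_MNT:-/mnt/logs}"

log() { logger -t cachemount "$*" 2>/dev/null || echo "cachemount: $*" >&2; }

# Preen-fsck and mount a UFS filesystem; 0 on success, 1 (logged) on any failure.
mount_ufs() {
    dev=$1; mnt=$2
    [ -e "$dev" ] || { log "$dev not present"; return 1; }
    mkdir -p "$mnt" || return 1
    fsck -p -t ufs "$dev" >/dev/null 2>&1 || { log "fsck failed on $dev"; return 1; }
    mount -t ufs "$dev" "$mnt" || { log "mount of $dev failed"; return 1; }
    return 0
}

# Print the directory Squid should cache in: the disk if it mounted, else the fallback.
# The fallback is created so Squid can always start; it is on flash, so keep it small.
select_cache_dir() {
    dev=$1; mnt=$2; fallback=$3
    if mount_ufs "$dev" "$mnt"; then
        echo "$mnt"
    else
        log "using fallback cache dir $fallback on flash"
        mkdir -p "$fallback"
        echo "$fallback"
    fi
}

# Size the cache to the medium: generous on the disk, tiny on the CF card.
# (Squid syntax: cache_dir ufs <dir> <MB> <L1 dirs> <L2 dirs>.)
squid_cache_dir_line() {
    dir=$1
    if [ "$dir" = "$CACHE_MNT" ]; then
        echo "cache_dir ufs $dir 8000 16 256"
    else
        echo "cache_dir ufs $dir 50 16 256"
    fi
}

# Mount the NFS export for logs; soft,intr so a dead log server cannot hang the box.
mount_log_share() {
    mkdir -p "$2" && mount_nfs -o soft,intr "$1" "$2"
}

if [ "$1" = "--run" ]; then
    dir=$(select_cache_dir "$CACHE_DEV" "$CACHE_MNT" "$CACHE_FALLBACK")
    # Assumed location: a file you pull into Squid's config yourself, since the
    # package GUI regenerates squid.conf and does not know about this directory.
    squid_cache_dir_line "$dir" > /usr/local/etc/squid/cache_dir.conf
    mount_log_share "$LOG_EXPORT" "$LOG_MNT" || log "NFS log share not mounted"
fi
```

Call it as `sh mountcache.sh --run` from an "earlyshellcmd" entry so it runs before the Squid package starts. The point of the fallback is the failure mode Steve raises: a missing or dead disk degrades to a small flash-backed cache and a syslog line, rather than a proxy that refuses to start and takes client internet access with it.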
-
another question… ;)
After installing the CF card for the initial setup of pfSense, do I need a special cable for accessing the console? I see there is an RJ45 console connector at the front. Do I need an RJ45<->RS232 cable and an RS232<->USB adapter? I don't think my PC has a serial connector any more...
-
Yes you need a cable. The supplied cable is rj45 to rs232 (9pin) and I use an rs232 to USB adapter with it. I'm sure you could get a single cable that did it but using two is more versatile.
Steve
-
Well, i received my used XTM 505 unit with no cables. I will try to connect it to console…
The unit draws ~30W at idle. I'll remove the VPN accelerator card. What can I do to reduce power consumption and fan noise further?
Are there any recommended silent fans? Do I need all fans running?
-
The fans have thermal speed control by default but the minimum speed is quite high. The most recent version of WGXepc can reset it lower. I spent some time enabling speedstep (see earlier in this thread) but I couldn't ever see much improvement in power consumption. The higher C states seemed to overwhelm the P state savings. You need to swap out the CPU with something speedstep enabled to see that though. Other than that you can replace the psu with something more efficient, typically a dc-dc psu such as the picoPSU.
Steve
-
Steve, thanks for your reply. I'll try to find some silent 40x40 fans because the original ones are very loud. I have no experience in picoPSU. Can you recommend a suitable one?
-
I suggest you try just reducing the fan speed first. I replaced the fans in my x-peak box but only because there's no control on that. I think I detailed it in the x-peak thread.
The PSU requirements are fairly low so most of the picoPSU models should work. No promises though. ;)
Steve
-
Hello all,
First off, thanks so much for the work you did in getting this going. I acquired a decommissioned XTM 510 from my workplace and knew Watchguard well enough to realize it would take more money than I cared to spend (or my wife would allow) to get it going on my home network with the functionality it promised. Your work and PFSense changed that. Kudos!
So, as of this morning after some minor fiddling about in the console, I am up and running with a brand new install, fully functional from what my bleary eyes can see so far. This brings up the obvious question of "what next?". I utilized a 1GB CF card for the install and pfSense is reporting about 40% disk utilization so far. This seems high enough to me that I might want to consider putting in a bigger card and/or installing a spare drive in that beckoning slot next to the board.
1. Do I need to flash the BIOS to enable a higher capacity CF card and/or install a spare drive?
2. If yes, is the xtm5_83.rom mentioned on this thread sufficient to accomplish that?
3. Would it simply be a matter of SSHing into the box and sending this (fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom) and then following Stephen's subsequent directions?
4. What dragons should I expect to find?

Once again thanks for the hard work of everyone involved. I was up until 3:30 AM just trying to apply what meager abilities I possess to get this going, so I can only imagine what late nights have been put in by the efforts of this crew.
-
Hi. Another firebox saved from scrap. :)
You don't need to do anything to boot a larger CF card. I've not tried using a SATA HD in mine but I would assume that boots too with no problem. Having said that, you are unlikely to need a bigger card. That remaining space will only be used by adding further packages and there are only so many that can be run (usefully) under NanoBSD.
You can flash the BIOS by fetching it directly as you say. There are some other advantages to doing so: fully unlocked BIOS, LED the correct colour, SpeedStep enabled. Flashing the BIOS is always inherently risky but several other people have done it with that file without issue. Also, as I was forced to find out, it is possible to recover from a bad flash on that box but doing so is not straightforward.

If you decide to bridge some of the ports (because you don't need that many subnets at home ;)) there is a bug in 2.1 that will bite you. It's since been patched but you have to apply the patch manually:
http://forum.pfsense.org/index.php/topic,66908.msg386279.html#msg386279

You can add the WGXepc program to access the fan and arm/disarm LED.
More hours than I care to admit! ::)
Steve
-
Thanks for the fast response! I'll take your advice and caution and just leave well enough alone for the time being. I upgraded the RAM to 2 Gb and checked over the available packages to see what, if any, might appeal to me. I'm satisfied enough at this point that I have a solid install going and a much faster piece of kit to replace my existing router/firewall. As I am connecting this directly to a 50 port switch, I don't see a need to bridge any interfaces at this point, though I appreciate the heads up on the 2.1 bug. Once I get the network fully fleshed out, I might be tempted to see what other goodies I can install or get going, but this so far makes my morning.
Thanks again!
-
No problem. :)
I forgot to mention the LCD, it's all in the wiki page though.
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
Steve