Watchguard XTM 5 Series

DeLorean

Open the serial console and choose option 2 -> Set interfaces IP
Choose EM1 and use 192.168.2.1
In the next step type 24 en press Enter
Enter
Enter
On the question if you want to use DHCP , choose Y and press enter
Choose the first IP of your desired IP pool like 192.168.2.2
and the last IP like 192.168.2.254
On the question if you want to proceed with HTTP choose No.

Reboot your firewall and everything shall be fine now.

Grtz
DeLorean

m0reilly

Thanks, that is what i did earlier today. After attempting to install OPNsense (didn't find an option for CF to sata install unless outside of unit), I went through the motions of setup via seriral, then tried another reinstall of PFsense, as I had noticed that I had previously left the wan at em0…set it to fxp0, assigned the rest of the lan ports, and in the webgui, set up pass rules per port and google dns...all good. I will now start to research firewall rule options, but at the moment I am pleased that it is up and running. Thanks for your response!

DeLorean

Keep in mind that the fxp0 port is only a 100Mbps port.
If your internet connection is not above the 100Mbps speed, it doesn't matter.
By default, pfSense assign the WAN to EM0 and the LAN to EM1.
There are no extra firewall rules needed to pass through internet.
By default you have already access to the internet.

Grts
DeLorean

m0reilly

I still couldn't get the other ports (sans em0) through without setting more protocol than tcp allowed. After allowing 'any', the ports received dns, and everything worked. I will go back and whittle it down a bit, but want to first make sure my wife is issue free with her wireless needs. Thanks again.

crash9877

Hi, just got my hands on a XTM515. Bios not flashed.
ARM/DISARM works
but my Display doesn´t show e.g. Hostname. so i tried every setting under LCDproc. The only setting that works is traffic of interface. Did i get a faulty display?
Driver is Watchguard Firebox
Displaysize is 2 rows 20 colums

stephenw10

If it shows anything then the display is probably fine. If you kill the lcdproc service in Status > Services do you see the goodbye message from the daemon?

If so it's the client not passing the various displays to the daemon correctly. Check the client settings in the package.

Steve

DeLorean

@crash9877:

Hi, just got my hands on a XTM515. Bios not flashed.
ARM/DISARM works
but my Display doesn´t show e.g. Hostname. so i tried every setting under LCDproc. The only setting that works is traffic of interface. Did i get a faulty display?
Driver is Watchguard Firebox
Displaysize is 2 rows 20 colums

What version of pfSense do you use ?
I have seen this behaviour once with the embedded version 2.3.5 , while version 2.3.4 runs fine.

Grtz
DeLorean

crash9877

@stephenw10:

If it shows anything then the display is probably fine. If you kill the lcdproc service in Status > Services do you see the goodbye message from the daemon?

If so it's the client not passing the various displays to the daemon correctly. Check the client settings in the package.

Steve

Hi Steve,

thanks for your reply. Yes, if i stop the service it says "Thanks for using"

what should i check in the client settings?

crash9877

crash9877

@DeLorean:

@crash9877:

Hi, just got my hands on a XTM515. Bios not flashed.
ARM/DISARM works
but my Display doesn´t show e.g. Hostname. so i tried every setting under LCDproc. The only setting that works is traffic of interface. Did i get a faulty display?
Driver is Watchguard Firebox
Displaysize is 2 rows 20 colums

What version of pfSense do you use ?
I have seen this behaviour once with the embedded version 2.3.5 , while version 2.3.4 runs fine.

Grtz
DeLorean

Hi DeLorean,

using Pfsense 2.4.2 (64Bit) installed it with 2 ssd´s and zfs and raid (mirrored)

this was a clean install. so i installed it when the ssd´s were connected to my pc and after installation i plunged it right back in to the WG

crash9877

Hey Guyz,

this is what i tried so far.
looks like my XTM515 has a newer Display. tried with pfsense 2.34 and 2.4 fresh installations. no chance. 2nd row doesn´t work at all.
the only thing that works is time, load and that´s it.

crash9877

Hey Guyz,

this is what i tried so far.
looks like my XTM515 has a newer Display. tried with pfsense 2.34 and 2.4 fresh installations. no chance. 2nd row doesn´t work at all.
the only thing that works is time, load and that´s it.

dmidecode | less brings this

Scanning /dev/mem for entry point.
SMBIOS 2.5 present.
44 structures occupying 2148 bytes.
Table at 0x000FBCD0.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
Vendor: American Megatrends Inc.
Version: 080015
Release Date: 04/26/2010
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 1024 kB
Characteristics:

t-rexky

G'day,

I've been lurking here for a while and many of the posts have been extremely helpful in allowing me to tweak my very recent hardware version of XTM 515. Thank you for that to everyone! Now, I don't actually run pfSense on my XTM but in all the fun time spent with the box I learned a few new things that might be useful to others. So here it goes…

The on-board VGA header definitely works, and it works very well. I made a custom cable with a connector I got from digiKey and it's been extremely useful in playing with the box. The front USB ports work well with USB keyboards and mice as well, so the box becomes a fully functional PC with on-board video.
The unit serial number is present in the original BIOS. If you have backed-up your original BIOS, as you should have, the serial number is stored in plain ASCII starting at offset 0x0h, and is terminated with 0x00h. There is also another ASCII sequence stored in the original BIOS at offset 0x100h. Both of those are replaced with zeros once you edit the BIOS image with AMI editors. So, if anyone feels adventurous enough you can re-instate your serial number and the other number back into the edited BIOS and see if it works.
I had great success in unlocking and modifying the BIOS. The log of my modifications is shown below. I can make it available for anyone who is interested.

XTM515-BIOS1.3-UNLOCKED-5:
Changed 'Sign On Message' to include 'Unlocked v1.5 PT'.
Enabled 'PCIPnP' and 'Chipset' menus.
Enabled 'CPU Configuration' submenu in 'Advanced' menu.
Enabled 'ACPI Configuration' submenu in 'Advanced' menu.

XTM515-BIOS1.3-UNLOCKED-4:
Updated platform 11 CPUID 1067a microcode to version a0b.

XTM515-BIOS1.3-UNLOCKED-3:
Disabled 'Lan ByPass Control' submenu in 'Advanced' menu.
Modified BIOS Strings from 'Port0 AHCI Speed limit to' to 'Port0 AHCI Speed limit' for POrt0 to Port3.

XTM515-BIOS1.3-UNLOCKED-2:
Changed 'Aways CF Card Boot' to 'Show' in 'Advanced' menu.

XTM515-BIOS1.3-UNLOCKED-1:
Unlocked the BIOS by changing 'User Access Level' to 03 in 'Security' menu.

Cheers,
Peter.

DeLorean

@t-rexky:

G'day,

I've been lurking here for a while and many of the posts have been extremely helpful in allowing me to tweak my very recent hardware version of XTM 515. Thank you for that to everyone! Now, I don't actually run pfSense on my XTM but in all the fun time spent with the box I learned a few new things that might be useful to others. So here it goes…

The on-board VGA header definitely works, and it works very well. I made a custom cable with a connector I got from digiKey and it's been extremely useful in playing with the box. The front USB ports work well with USB keyboards and mice as well, so the box becomes a fully functional PC with on-board video.

The unit serial number is present in the original BIOS. If you have backed-up your original BIOS, as you should have, the serial number is stored in plain ASCII starting at offset 0x0h, and is terminated with 0x00h. There is also another ASCII sequence stored in the original BIOS at offset 0x100h. Both of those are replaced with zeros once you edit the BIOS image with AMI editors. So, if anyone feels adventurous enough you can re-instate your serial number and the other number back into the edited BIOS and see if it works.

I had great success in unlocking and modifying the BIOS. The log of my modifications is shown below. I can make it available for anyone who is interested.
XTM515-BIOS1.3-UNLOCKED-5:
Changed 'Sign On Message' to include 'Unlocked v1.5 PT'.
Enabled 'PCIPnP' and 'Chipset' menus.
Enabled 'CPU Configuration' submenu in 'Advanced' menu.
Enabled 'ACPI Configuration' submenu in 'Advanced' menu.

XTM515-BIOS1.3-UNLOCKED-4:
Updated platform 11 CPUID 1067a microcode to version a0b.

XTM515-BIOS1.3-UNLOCKED-3:
Disabled 'Lan ByPass Control' submenu in 'Advanced' menu.
Modified BIOS Strings from 'Port0 AHCI Speed limit to' to 'Port0 AHCI Speed limit' for POrt0 to Port3.

XTM515-BIOS1.3-UNLOCKED-2:
Changed 'Aways CF Card Boot' to 'Show' in 'Advanced' menu.

XTM515-BIOS1.3-UNLOCKED-1:
Unlocked the BIOS by changing 'User Access Level' to 03 in 'Security' menu.
Cheers,
Peter.

Hello,

Thank you for the usefull information.
I have also being experimenting with the BIOS unlocking, and noticed also that the original serial number is wiped,
from the moment you do a modification.
The downside is, that the BIOS is still let the box boot pfSense without any problem,
but when you want to use back the original Watchguard OS, the login in the Web GUI fails.
The box passes internet, but when you try to login with the right credentials, the page refresh and stays at the login page.

I had discovered if you open the BIOS file with notepad, that the serial number is at the very first line,
but nowhere else (or i missed it).

Grtz
DeLorean

DrKappy

Greetings…

I have 2 XTM 505's I've converted to pfsense a while back, still running Celeron 440. One I use actively and the other is just a spare. With the upcoming AES NI requirements, I was looking to upgrade the CPU's in these (FW-7580) to the fastest CPU's that have AES NI capable. Has anyone done this? If so, can you please share with me what would be your recommendation? I've not found an AES NI CPU that I believe with will work on this motherboard.

TIA.

Kap

DeLorean

@DrKappy:

Greetings…

I have 2 XTM 505's I've converted to pfsense a while back, still running Celeron 440. One I use actively and the other is just a spare. With the upcoming AES NI requirements, I was looking to upgrade the CPU's in these (FW-7580) to the fastest CPU's that have AES NI capable. Has anyone done this? If so, can you please share with me what would be your recommendation? I've not found an AES NI CPU that I believe with will work on this motherboard.

TIA.

Kap

The XTM 5 series use a mainboard with Intel Socket S775 , in the S775 design there doesn't exist any CPU that supports AES-NI.
For these boxes to upgrade from the stock Celeron, i always use a Intel E5800 Dual Core @ 3.2Ghz ,
this type is in the same thermal range (65Watt) as the original cpu.
That way, the cpu runs at same temperature (sometimes even cooler) then the original cpu, and you still got a decent extra cpu power.
There are users that use a Intel Quad Core Q6600 cpu in these boxes, but i never done this,
because that cpu is a 105Watt type, so the box gets hotter and draws more power.

Grtz
DeLorean

DrKappy

@DeLorean:

@DrKappy:

Greetings…

I have 2 XTM 505's I've converted to pfsense a while back, still running Celeron 440. One I use actively and the other is just a spare. With the upcoming AES NI requirements, I was looking to upgrade the CPU's in these (FW-7580) to the fastest CPU's that have AES NI capable. Has anyone done this? If so, can you please share with me what would be your recommendation? I've not found an AES NI CPU that I believe with will work on this motherboard.

TIA.

Kap

The XTM 5 series use a mainboard with Intel Socket S775 , in the S775 design there doesn't exist any CPU that supports AES-NI.
For these boxes to upgrade from the stock Celeron, i always use a Intel E5800 Dual Core @ 3.2Ghz ,
this type is in the same thermal range (65Watt) as the original cpu.
That way, the cpu runs at same temperature (sometimes even cooler) then the original cpu, and you still got a decent extra cpu power.
There are users that use a Intel Quad Core Q6600 cpu in these boxes, but i never done this,
because that cpu is a 105Watt type, so the box gets hotter and draws more power.

Grtz
DeLorean

Yes - this is what I thought, but wanted some confirmation in case I overlooked something. So I guess the XTM 5 series is confined to 2.4 since the 2.5 will require AES NI. Guess I will need a new box when 2.5 arrives :)

Thanks for your quick response…

Kap

stephenw10

Well 2.4 will be supported for some time after that, like 2.3 is now. So there will be time to make the switch.

Steve

DrKappy

@stephenw10:

Well 2.4 will be supported for some time after that, like 2.3 is now. So there will be time to make the switch.

Steve

Yep - fully understand, my statement was not meant to be a complaint, just a confirmation that I will eventually need to get off this XTM 5 hardware. I like to run the latest greatest :) Keep up all the great work, AES-NI makes sense and I look forward to my next build when 2.5 arrives!

Thanks - Kap

evoliddaw

Argh!

I finally got pfSense working on my XTM 535 with Dual Core E5300 / 4GB RAM. Took me forever to figure out how to unlock my own BIOS, get it booting from USB and installed via SSD. Had a ton of issues with the CF card. Now I read your post about AES-NI.

I am disappoint :-[

stephenw10

Think about how much you learned along the way though. ;)

You're still good for some time to come anyway as I said.

Steve