Watchguard Firebox M400/M500

Testing

SSD is OCZ arc100-120gb and pfsense installs fine and works fine if I use my notebook.
When moving back to Firebox, doesn't boot.

So it seems I can't boot from sata at all, even with CF removed.

I ordered an old vga card, the older low profile ones have the same pinout for the vga connector as this board. So I ordered it for the cable with vga port, was cheaper than ordering jumpercables and vga port seperately ;).

Freedos needs vga port if I am correct, so I can do that next week. Vga card arrives saturday or monday.

Maybe the m500 has more restrictions in bios? How can I dump the bios to a rom and open it?
Or maybe the bios is set to legacy mode for sata instead of the other one(can't come up with the name now)?

ADDED: Did you try to reset CMOS? Does that remove password?

ADDED2: I noticed someone here had the same problem: https://forum.pfsense.org/index.php?topic=61799.0. He got it installed by disabling some features for the cpu. As you guys have the original CPU and I have got 2cores/4threads(and a bunch of extra features), maybe it's because the cpu has too many features. Still doesn't explain why a working installation won't boot… I will try to access bios when I have got the vga cable ;)

stephenw10

@Testing:

ADDED: Did you try to reset CMOS? Does that remove password?

Yes. No.

It's custom coded into the BIOS code somewhere which makes it difficult to impossible to remove.

The CPU option theory is interesting though I think most of that is disabled in the BIOS default settings anyway, speedstep, hyperthreading etc. Also it still boots the Nano image.

When you installed to the SSD in the laptop I assume you used the VGA installer? Did you enable the serial port? Did you complete the install using the laptop NIC as an interface? If it wasn't an igb NIC the SSD might be booting fine but stopping at the interfaces assign screen due to the mismatch and you dont see it because it's on the VGA console.

Steve

Testing

I installed with vga, and also it uses the laptop NIC. So you are right it isn't the igb0/igb1 I use on firebox for wan/lan.

Where can I enable serial port after vga-installation? And how can I configure it so it uses the igb0 and igb1 for wan/lan?

ADDED: found the serial setting. fresh install on the ssd, works fine in notebook. Put it in the firebox, no output on serial port. So looks like it just won't boot sata. I think when I have the vga port I can use windows live cd, create bios rom and try to tinker with that. Or maybe the vga output shows a message which describes how to fix it ;)

ADDED2: Is it possible to install an ami bios from ami itself? So without passwords and such? Or maybea bios from the FW-7585 mainboard?

ADDED3: Got it to boot. Sata2: nothing. Sata4: error with privileges or something. Sata3: boots. Strange, any explanations?

iJay-XTM5

Good deal, looks like you're finally on your way!

If you need to access the VGA, all you need are some $3 arduino jumper cables from ebay. Here's what my crappy setup looks like - not very elegant, but works! I was able to boot freedos and tinker a bit….

IMG_3290.JPG_thumb

IMG_3282.JPG_thumb

Testing

Yeah, I think my bios is setup for different devices on the sata ports. In the manual I saw that you need to select which kind of device is connected to which sata port. So it seems Sata4 is for HDD in a Firebox m500.

The complete videocard with the right vga port+cable was 8dollars including shipping. I will send a picture when I have it up and running ;)

iJay-XTM5

Hopefully the BIOS is setup to switch automatically to an external VGA when one is detected. The problem with the locked BIOS is you can't change any setting.
I was naive and actually called WatchGuard support expecting to get an unlocked version of the BIOS or the password to unlock it! :)

stephenw10

I'd be surprised if it cannot boot a legacy install though it might be locked out of doing so in the BIOS. You'd have to inspect the BIOS image to know for sure.

What options did you chose in the install process?

My own VGA hookup was even more basic. I connected only the green signal line and used some random header cables from an old PC. ;)

Steve

N1ck

Well, it seems only uefi will boot, nothing else.

And for my vga cable, forgot a few holidays here, so that will arrive tuesday. I am not using the vga card, only the vga cable that comes with it. It's a low profile card and those had the blue vga port above the rest(full profile), but in low profile you needed an extra steel plate next to the card and there you would mount the blue vga port. That's why on those cards the vga port is connected via a ribbon with 12pin(1NC) connector. Ordering header/arduino cables was an option, but it was cheaper to buy an entire graphics card which has the correct vga port with ribbon ;)

stephenw10

That's interesting. Yet legacy images boot fine from CF?

I don't see anything in the default BIOS settings that I can see in the image that might do that. However some stuff is not visible there.

Can we see a comparative output from the console command 'geom part list'?

For example from a Minnowboard Turbot which only boots UEFI:

[2.4.4-DEVELOPMENT][admin@4220.stevew.lan]/root: geom part list
Geom name: ada0
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 62533255
first: 40
entries: 152
scheme: GPT
Providers:
1\. Name: ada0p1
   Mediasize: 209715200 (200M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 20480
   Mode: r0w0e0
   efimedia: HD(1,GPT,3da27220-1e32-11e8-8da9-0008a20bc486,0x28,0x64000)
   rawuuid: 3da27220-1e32-11e8-8da9-0008a20bc486
   rawtype: c12a7328-f81f-11d2-ba4b-00a0c93ec93b
   label: (null)
   length: 209715200
   offset: 20480
   type: efi
   index: 1
   end: 409639
   start: 40
2\. Name: ada0p2
   Mediasize: 29855055872 (28G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 209735680
   Mode: r1w1e2
   efimedia: HD(2,GPT,3da318d6-1e32-11e8-8da9-0008a20bc486,0x64028,0x379c000)
   rawuuid: 3da318d6-1e32-11e8-8da9-0008a20bc486
   rawtype: 516e7cb6-6ecf-11d6-8ff8-00022d09712b
   label: (null)
   length: 29855055872
   offset: 209735680
   type: freebsd-ufs
   index: 2
   end: 58720295
   start: 409640
3\. Name: ada0p3
   Mediasize: 1601175552 (1.5G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 20480
   Mode: r1w1e1
   efimedia: HD(3,GPT,3da43efe-1e32-11e8-8da9-0008a20bc486,0x3800028,0x2fb800)
   rawuuid: 3da43efe-1e32-11e8-8da9-0008a20bc486
   rawtype: 516e7cb5-6ecf-11d6-8ff8-00022d09712b
   label: (null)
   length: 1601175552
   offset: 30064791552
   type: freebsd-swap
   index: 3
   end: 61847591
   start: 58720296
Consumers:
1\. Name: ada0
   Mediasize: 32017047552 (30G)
   Sectorsize: 512
   Mode: r2w2e5

Any 2.4.X should be able to create that. You do have to choose efi rather than freebsd-boot though.

Steve

N1ck

I will install a CF image(nanobsd) and will try the command. Or is there a faster way to use the command? Now I have install image on my CF and unfortunately only have 1 CF.
I don't think the images are legacy images, my image has got an efi-partition and is a GPT not MDR.

stephenw10

The installer image has both efi and freebsd-boot partitions so it should boot either.

In the MBT which only boots efi the installer only adds en efi image. I'm pretty sure I didn't do anything special there. I suspect it adds the partion type depending on how the installer booted. Trying to confirm that.

So if you installed to a HD in an efi laptop it will probably work.

Steve

N1ck

Ok, geom part list command executed on pfsense 2.1(grabbed a 1gb card from my dad). Seems MBR, but it could be that sata needs efi(as each sata port needs to be configured and can only accept what was configured by firebox). I don't have the vga cable yet, so I can't run anything to grab the bios image.

# geom part list
Geom name: ad4
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 1969631
first: 63
entries: 4
scheme: MBR
Providers:
1\. Name: ad4s1
   Mediasize: 472195584 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 32256
   Mode: r1w0e2
   attrib: active
   rawtype: 165
   length: 472195584
   offset: 32256
   type: freebsd
   index: 1
   end: 922319
   start: 63
2\. Name: ad4s2
   Mediasize: 472195584 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 472260096
   Mode: r0w0e0
   rawtype: 165
   length: 472195584
   offset: 472260096
   type: freebsd
   index: 2
   end: 1844639
   start: 922383
3\. Name: ad4s3
   Mediasize: 52641792 (50M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 944455680
   Mode: r1w0e2
   rawtype: 165
   length: 52641792
   offset: 944455680
   type: freebsd
   index: 3
   end: 1947455
   start: 1844640
Consumers:
1\. Name: ad4
   Mediasize: 1008451584 (961M)
   Sectorsize: 512
   Mode: r2w0e4

Geom name: ad4s1
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 922256
first: 0
entries: 8
scheme: BSD
Providers:
1\. Name: ad4s1a
   Mediasize: 472187392 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 40448
   Mode: r1w0e2
   rawtype: 0
   length: 472187392
   offset: 8192
   type: !0
   index: 1
   end: 922256
   start: 16
Consumers:
1\. Name: ad4s1
   Mediasize: 472195584 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 32256
   Mode: r1w0e2

Geom name: ad4s2
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 922256
first: 0
entries: 8
scheme: BSD
Providers:
1\. Name: ad4s2a
   Mediasize: 472187392 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 472268288
   Mode: r0w0e0
   rawtype: 0
   length: 472187392
   offset: 8192
   type: !0
   index: 1
   end: 922256
   start: 16
Consumers:
1\. Name: ad4s2
   Mediasize: 472195584 (450M)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 472260096
   Mode: r0w0e0

ADDED: I don't have any other device that uses uefi boot. laptops and computers all don't use uefi.

N1ck

Tested MBR image in CF->works.
Image installed to ssd->doesn't work.

So it seems my router requires UEFI on sata. The router has a locked bios, so can't change anything there.
The pfsense 2.4.3 image has uefi, but when it installs it formats the ssd GPT and doesn't add an efi-partition with data to the ssd. So I think I just need an option to let pfsense install an efi-partition and data on the ssd.

stephenw10

You can just add an efi partition using the manual install method. I've never tried that and don't have any easy way to test it but it should work.

You can probably remove the freebsd-boot slice too. Though it should work with both in place.

Steve

N1ck

With manual installation I can add an efi-partition. But pfsense doesn't install anything in it, so it's just an empty partition. Maybe I need to use another command to install something in the efi-partition?

stephenw10

Ok try installing using the 'Auto (ZFS)' option. Then you can set the Partition Scheme to GPT(UEFI) or GPT (BIOS+UEFI). Both of which should boot.

[2.4.3-RELEASE][admin@pfSense.localdomain]/root: gpart show
=>     40  8388528  ada0  GPT  (4.0G)
       40   409600     1  efi  (200M)
   409640     1024     2  freebsd-boot  (512K)
   410664      984        - free -  (492K)
   411648  7974912     3  freebsd-zfs  (3.8G)
  8386560     2008        - free -  (1.0M)

Steve

N1ck

That worked! I selected GPT(UEFI) and it installed and booted without a problem.

stephenw10

Nice! :D

That's weird. Learned something there though.

Steve

N1ck

Yeah it seems my Firebox M500 will only boot an hdd or ssd on sata port 3. 2 and 4 will not work(won't even now I installed it on port 3).

And the Firebox M500 will boot MBR on CF, but requires UEFI on sata.

Strange, but with my tests it looks like this is 100% true.

stephenw10

I imagined that would be identical to the m400 other than RAM and CPU but maybe not.

You can dump the BIOS image from the pfSense command line using flashrom but it cannot re-write it.

pkg install flashrom

rehash

flashrom -p internal -r /root/backup.rom

Reading that should be no risk but any operation involving the carries some danger. I've done that several times here though.

Steve