pfSense on Watchguard M370

rflcptr

@networkBob said in pfSense on Watchguard M370:

Hi everyone,

I recently bought a Watchguard M370 with the intention of repurposing the box to run pfSense. Just wanted to let the community know that pfSense can be easily installed on a Watchguard M370, via mSATA, and with all interfaces operational. Even the front panel soft power switch halts and boots pfSense, which is nice. And the fans are reasonably quiet, although the could be quieter. The BIOS is password protected, though, so I cannot make any BIOS adjustments to the fans. The motherboard is a Lanner NCB-WG4210. If anyone knows how to unlock this BIOS, please let me know. I already tried removing the battery, the CMOS reset jumper procedure, and all the AMI BIOS passwords that I could find. The BIOS only allows for 3 tries then requires a reboot.

Bob

I just got this model myself for the same purpose. Since this is my first pfSense setup, would you be willing to describe how you went about installing it on this model?

Is the selected pfSense (2.4.4-p3) download configuration correct?
Architecture: AMD64
Installer: USB Memstick
Console: Serial

Would I simply replace the shipped mSATA SSD with my own, set up a console session (Cisco-compatible pinout?) from my laptop to the unit, plug in the USB drive containing the pfSense image, wait for the M370 to boot from the USB drive, then proceed?

Thanks!

stephenw10

Almost certainly a Cisco style console cable will work. They do work with other Lanner devices.
The first thing I would try is to just boot the memstick serial image from USB. It may or may not boot from USB by default.
If it does not you can always install pfSense to mSATA in some other device and swap it in.

Steve

rflcptr

USB stick doesn't seem to be successful - how would I get the pfSense image onto the mSATA drive otherwise?

stephenw10

If I were doing this I would move the mSATA drive (or use a different mSATA drive) to a different device and install to it there then move it back.
Does it boot from USB if you remove the mSATA drive? In other words is it just booting from mSATA because of the boot priority?

Steve

rflcptr

@stephenw10
I just see a BIOS password prompt when the USB drive alone is present.

rflcptr

I managed to get the live CD image installed via VMWare USB passthrough to the mSATA adapter with a GPT partition scheme (should it be MBR instead?), then installed the drive in the M370. I heard a weird chime on boot and some disk activity.

Can't seem to use the console and can't reach 192.168.1.1 . Is there a way to verify the install?

rflcptr

Here's why I'm an idiot:

The installation was correct. I was plugged into the WAN port.

pfSense is good to go. Thanks, Steve.

stephenw10

If you install from a CD image you won't have the serial console enabled by default. You can do so (and set it as the primary console) from System > Advanced > Admin Access. You could do that in whatever you installed in before you swap the drive back.

Steve

rflcptr

This setup has been running smooth so far (minus my mistakes) and performance has been really good.

An 'instant-on' IPSec VPN running the highest level encryption at or beyond my Internet service speeds is super nice. Native iOS/MacOS support is a treat. I wish Windows 10 had native IPSec support - any chance for pfSense PPTP support? (I kid!)

I replaced the stock 40mm fans with three Noctua NF-A4x20 units. The fans' connectors weren't going to match up with those on the mainboard, so I used my flush cutters to remove their physical keying. It's whisper-quiet now and I've measured no meaningful increase in temperature.

Following a power outage and during my fan replacement testing, I learned that I made the mistake of originally installing pfSense with the UFS file system instead of ZFS. A few reboot loops later, recovery became simple enough to handle, but I'm still going to reinstall.

There's also a Core i3-6100T lying around that I'm eager to drop in to replace the included Celeron G3900. Higher clocks, lower TDP, more cache, and SMT can't hurt. Thinking and writing - is there a way to test VPN and overall performance before / after?

This has been a fun project. Thanks again for the help, Steve!

stephenw10

I usually use iperf3 for a basic throughput test. You would want to run it on a client at each end of the VPN, not on the firewall itself if possible though you can install it on pfSense. It only tests full size TCP so you see the biggest number you could get which is often not representative of real traffic but it will give you a good comparison between the two CPUs.

Steve

stephenw10

Just gonna leave this here:

[2.4.4-RELEASE][root@m470.stevew.lan]/root: ./WGXepc64 -l green
Found Firebox M370/470/570/670.
[2.4.4-RELEASE][root@m470.stevew.lan]/root: ./WGXepc64 -f
Found Firebox M370/470/570/670.
Current fanspeed is c, minimum fanspeed is a

https://github.com/stephenw10/WGXepc

Binary for anyone wanting to test. I've seen no problems but messing with the cooling system is potentially dangerous. You should test any new settings at full load etc.

Steve

djstrauss

Hi @stephenw10
This Works perfect, combined with ShellCMD on startup.
BTW
Im running M370 with installed Celeron G3900 and only changed mSATA 16g to mSATA120g that it was on my techstuff. Using it with 4Gb but i tested up to 16Gb with Crucial nonECC Memory.
The Thing is i tried a Xeon E3-1225 v5 that i bought for a server (The same listed for M570) and doesnt boot at all, maybe Motherboard or BIOS limitations.
Do you thing a i3 6100 non T model would work ?
Is there any Chance to Find the BIOS password?
Maybe unlock the BIOS as the one on M400 or X Series ?

What do you think?

Regards.

stephenw10

Ah, good info! I would expect a 6100 i3 to work there. I just haven't seen one at a price I can justify.... yet.

Unlocking the BIOS is non-trivial. Finding the password is probably never going to happen.

Steve

melozo

I have a few M370 models 470, 570, 670, 10 g card

melozo

@nicknitro I have been trying to remove the BIOS password, but have not been successful.
I install the E3-1240 l V5, 4 * 10 g CARDS.

stephenw10

Oh nice! Those 10G cards are still waaay outside my price range.

I do have one of the older Lanner style for the XTM800/1500 which works fine.

Steve

stephenw10

I removed your other thread, it has nothing to do with firewalling.

If you look 5 posts up though you will see that WGXepc can now detect and set the fan speed on that board. I don't have access to an M670 to test with but they are all the same board AFAIK so it should work. Give it a try.

Steve

melozo

@stephenw10 In my here is very cheap, 650 yuan; 100 dollars.

melozo

@stephenw10 BIOS password has been unable to clear, the research for many days.
4 * 10 g network card is very cheap, less than $100, China's 650 yuan.

stephenw10

I haven't seen one for less than £1000 here. So I don't have one.