Watchguard XTM 5 Series

ledufakademy

@stephenw10
hello, sorry for delay.

root@OPNsense:~ # pkg install flashrom
Updating OPNsense repository catalogue...
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.opnsense.org/FreeBSD:11:amd64/20.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2813191321208:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.opnsense.org/FreeBSD:11:amd64/20.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!

chpalmer

@ledufakademy said in Watchguard XTM 5 Series:

Unable to update repository OPNsense

Your not running pfsense. Without knowing the particulars of that product nobody here would be able to guess correctly.

stephenw10

@ledufakademy said in Watchguard XTM 5 Series:

root@OPNsense

Umm... yup, can't help you with that.

ledufakademy

@stephenw10
ok i will flash the card F with last pfsense

with pfsense : boot stuck at :

em5: <Intel(R) PRO/1000 Network Connection 7.6.1-k> port 0xac00-0xac1f mem 0xfe7e0000-0xfe7fffff,0xfe7dc000-0xfe7dffff irq 17 at device 0.0 on pci2 : solved.

same issue :

[2.4.3-RELEASE][root@pfSense.localdomain]/root: pkg update
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34405266376:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_3_amd64-pfSense_v2_4_3/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!

Dufflepod

This is really a 'thank-you' to those forum contributors who did all the heavy lifting
investigating this box and getting pfSense running with all the hardware whistles & bells configured.

After lurking for a few weeks and on this thread and others concerning the XTM 5 series, I took the
plunge and bought one from eBay for £45 for my home setup.

I installed the latest pfSense 2.4.5 on a ZFS mirror with two cheapo 120 Gb SSDs, flashed the
BIOS with xtm5_83.rom without any drama, and had no problems accessing the BIOS screens with a
serial cable. The 4G RAM upgrade and E5700 CPU upgrade also went without a hitch.

I built a 64 bit WGXepc binary from source in a FreeBSD 11.3 VM (the base for pfSense 2.4.5)
and the Arm/Disarm light now does whatever I tell it to via ShellCmd.

Flush with success I splashed out £12 on an Intel Q8200S on eBay and that arrived last week
and I finally hit my first hurdle - the board doesn't boot with this chip, but will if I
reinsert the E5700. So I just wanted to check that others have got this processor working with
the xtm5_83.rom image? It's no real hardship if I can't get it working, it may just be a dudd
Chinese-scavenged chip, but it would be the icing on the cake if I could get it going.

Also - following the mantra of 'hope for success, plan for failure', I couldn't find the pinout of the SPI
header anywhere in the forums, even though it was mentioned a few times. As I'm putting together a duplicate box
for my brother this might come in handy, (though hopefully not). I've searched and googled but found nothing.
Can anyone help with this info?

Once again - thanks to everyone.

stephenw10

It should work with the Q8200S. The board seems very accommodating in general. https://forum.netgate.com/post/427056 and https://forum.netgate.com/post/544654

After camping ebay (for literally years ) I have a Xeon L3110 in mine and that runs great.

The SPI pinout is standard as far as I know. From the FW-7581 manual though:

Steve

Dufflepod

@stephenw10 Outstanding! Thanks for the info.

anoxy

Hi,

Sorry to disturbe the subject.

I have bought a WatchGuard XTM 505 and I will change the processor and the RAM.

About the processor, I have found a Pentium Dual Core E5300, does it fit with the XTM 505 ? Will it works?

For the RAM, I read that we can add up to 8Go but I think 4Go is adequate ?

I want to use all links at Gigabit speed, I have fiber that provide me 990mb/s download and 600mb/s in upload.

I will add an SSD with PFSense.

Do you think my config is good?

Thanks!

stephenw10

Yes, it probably will work. Yes it will pass Gigabit line rate (941Mbps) but it will be quite taxed doing so. I would just get an E7500 C2D as they cost peanuts these days unless you already have the E5300 in which case test it and see.

4GB is enough for almost everything sane in that level of device. I never bothered putting more than 2GB in mine. I still use it for testing stuff on occasion.

Steve

anoxy

Ok thanks! I have ordered an E7500 and 4Go DDR2 800.

I currently have a PFSense running in old stuff, with an SSD. Can I just take the SSD to the Watchguard ? or it would be better to make a fresh install ? My old stuff just has 3 gigabit ports so if I just move the SSD I guess I just have to re-configure network interface?

Thanks

stephenw10

Yes you would need to reconfigure the interfaces if they are not em in the previous box.

Yes you could just move the SSD. If the previous device does not have a serial console be sure to enable that in Sys > Adv > Admin Access before moving it.

A fresh install is probably a good idea. You will have to boot from CF though unless/until you have swapped out the BIOS to allow USB booting.

Steve

anoxy

I see. Thanks for the help, I think I will make a fresh install :)

chpalmer

So..... I took my retired XTM5 box to a radio site (some weeks ago) and have it behind a Cradlepoint doing camera duty nowadays..

If I try to use the gig ports to connect to the Cradlepoint.. if the Cradlepoint goes down for any reason such as a DHCP address change then the ports on the box will flap leaving me unable to reach it. Im 60 miles away and connected via openvpn.

If I use the 100/10 port then Im fine. Since my top speeds via Verizon are less than 20/15 this port is fine for a WAN.

It has always flapped under certain criteria I was never in a position to run down. It was a primary box while here and it did not happen very often.

But it makes me wonder if the flapping is a driver issue. I installed the latest 2.5 snapshot while I was on site today and will test that at some point but seems fishy to me.

stephenw10

Hmm, weird. On all the em ports?

Can you set a fixed speed/duplex to avoid it?

Steve

chpalmer

@stephenw10

Ill try that next time Im up there. Im risking a snapshot update right now to see if I can break it again. Ill be up there before the end of the week anyways so can rescue it if need be. And it came back up fine.

Ill wait till I get up there and switch back to em0 and play with it there.

dog2bert

Just got my XTM 5 series today. Installed pfSense 2.4.5 to an SSD. I did it with the VGA. Should I have used console?
Booting with the console cable I get it halting at Auto Detecting?
Is this when I unplug the cable, plug it back in, and should see pfSense booting?

New screen I was able to get to, but can't send F1 or F2

stephenw10

You would have to enable the serrial console or install from the serial console image (where it's enabled by default) to see output on the serial console. Though you would normally see some output from the bootloader there if it was trying to boot.

I assume you installed in something else and then moved the drive across?
What image, exactly, did you use to install from?

You still have the original BIOS it looks like?

Steve

dog2bert

@stephenw10 I still have the original bios.

I installed version 2.4.5-p1 AMD64 USB VGA on another computer and moved the drive.
I tried installing 2.4.5-p1 AMD64 USB Serial to the SSD, but don't see any video output and don't think that computer has serial.

stephenw10

Ok, did you enable the serial console in System > Advanced > Admin Access on the other device before moving it? If not try swapping it back and doing that first.

The other way to do this is to write the serial install image to CF card, the XTM5 will boot from that with the standard BIOS and you can then install to SSD directly at the serial console.

Steve

dog2bert

@stephenw10 Just wrote the console image to the CF card and now it shows up in console but looks stuck here: