Watchguard Firebox M400/M500
-
@Mookatroid said in Watchguard Firebox M400/M500:
After ~5 months I thought it time to pursue M400v2 :)
I had ordered the necessary parts some time ago, and finally had the opportunity to complete the overhaul.
i.e. updated BIOSv6 w/NVMe Support + transition to an NVMe SSD
I am happy to say it has all been successful !
So my M400 is now running off a 256GB PCI-E Solid State Drive !
WooHoo !
Pic below of completed M400v2....Thanks again to zanthos for all of the custom BIOS efforts !
PS ... a quick edit to note that what the pics do not show are the rubber bumpers underneath the M.2 SSD itself that keep it all raised up for air flow, etc. The anti-static layer is more of a precaution versus anything else.
-
Why not!
-
I got my Firebox M400 today thanks to @Mookatroid :)
After upgrading it a little bit, I installed an i5-4570, why? Because that's what I had on hand. And pushed the memory to 8GB. I ordered a SSD which I had @Mookatroid along with 2.4.5 base.
The one feature I didn't realize the router came with until I got it was a power button on the front. My previous router a CAR-3030 SmoothWall and before that the Firebox XTM 5 series don't have this feature, I hated having to remote my server panel to reach in with my arm to hit the switch.
Thanks,
-
What software should I use to modify the ROM thoroughly? I want to change the system name etc ... thx a lot
-
@stephenw10 said in Watchguard Firebox M400/M500:
You can dump the BIOS image from the pfSense command line using flashrom but it cannot re-write it.
Searching through this thread still, but what has everyone done to flash the BIOS on an M400 with software?
I've got a donor box I'm playing with. :)
I've got the latest BIOS code from this thread..
-
You can flash it with AMI's DOS tool, afudos. Maybe their UEFI tool if you hook up a monitor to the internal VGA pins. I forget if I tried that...
https://forum.netgate.com/post/836153
Steve
-
Thanks Steve: From your graphic it looks like you booted somehow while pfSense was active.. Is that not the case? I assume you booted from FreeDOS on a CF card and worked from there..??
-
Yeah I booted FreeDOS from a CF card. Looking back that is confusing. I was connecting to the M400 com port from another pfSense box that was next to it at the time, so the first line there is from an SG-5100.
Steve
-
Mine may be a losing battle till I come up with a set of pins to use on the VGA header. COM1 does not seem to work when I use your FreeDOS image. Though I can hear the three beeps.
edit..
Writing to the ROM as I type here. Had to append an autoexec.bat file in the copy of FreeDOS I was using..
-
I picked up a Watchguard branded SFP 1gbps multi mode from Amazon and installed it today in this M400. Running my primary LAN over fiber from the switch now. Works well for anybody considering it.
Jumbo frames (MTU 9000).
Now my desktop is all fiber to the router. :) I'm as happy as a tornado in a trailer park!
Not sure it gained me anything.. Call it educational.
Steve: My rack is starting to look like that picture of all your Watchguards you shared some time back.. The next time we have to pay the power bill may be my cure.
-
@chpalmer said in Watchguard Firebox M400/M500:
The next time we have to pay the power bill may be my cure.
Yup, I know that pain.
-
Seems like the firewall GUI itself does not like jumbo frames. I can see everything else but the GUI will not load here a day later. Switching back to 1500 and all is good.
-
Hmm, curious. Any sort of TCP off-loading enabled on the NIC?
-
"Hardware TCP Segmentation Offloading" and "Hardware Large Receive Offloading" are checked.
I'm not sure I totally have a grasp on what size my frames should be though. I need to do some more research.
My switch defaults to 1536. I had 9036 running on my desktop switch port for at least the last year with 9014 (one of two options) on the actual desktop interface. I came up with those numbers after some trial and error back when I first started messing with it. Just this week I tried 9000 between the switch and router. Even 9036 and 9216 on the switch side. Same results. Pings to the router (ping 172.30.150.1 -f -l 9000) would fail completely while a simple ping would work.
Tells me my frame size is wrong somewhere.
-
Ah, yeah if pings are failing too, not a TCP issue. You need to have jumbo frames everywhere in the segment if you're going to have them.
Steve
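The exchange above boils down to one check: with Don't Fragment set, the largest ping payload that gets through tells you the effective path MTU, and any hop still at 1500 shows up as a ceiling of 1472 bytes. The script below is an added example, not code from the thread or from pfSense; it assumes the FreeBSD/pfSense ping syntax (-D for Don't Fragment, -s for payload size) and uses 172.30.150.1 from the post only as an illustrative target.

```shell
#!/bin/sh
# Added example (not from the thread): find the largest ICMP payload that
# crosses a path with Don't Fragment set, i.e. the effective path MTU.
# Assumes FreeBSD/pfSense ping flags: -D sets DF, -s is the payload size.
# On Linux the equivalent probe is: ping -c 1 -W 1 -M do -s "$2" "$1".

# Real probe: succeeds (exit 0) when a DF ping with a payload of $2 bytes
# reaches host $1.
ping_probe() {
    ping -c 1 -t 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# Binary search between lo ($1) and hi ($2) for the largest payload size
# accepted by the probe function named in $3 against host $4. The probe is
# passed by name so the search can be exercised without a live network.
# Prints the largest working payload; prints 0 and fails if even lo fails.
max_payload() {
    lo=$1; hi=$2; probe=$3; host=$4
    best=0
    "$probe" "$host" "$lo" && best=$lo || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid; best=$mid        # mid fits: search upward
        else
            hi=$(( mid - 1 ))         # mid too big: search downward
        fi
    done
    echo "$best"
}

# Path MTU = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage from the pfSense shell, probing the jumbo range discussed in the thread:
#   p=$(max_payload 1000 9100 ping_probe 172.30.150.1)
#   echo "largest DF payload: $p bytes, path MTU: $(payload_to_mtu "$p")"
# A result of 1472 (MTU 1500) on a segment meant to run at 9000 means some
# hop (NIC, switch port, or router interface) is still not passing jumbo frames.
```

Run it from the firewall toward a host on the jumbo segment and then in the other direction; the MTU must agree on every device in the segment, which is the point Steve makes above.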
-
I give up for now. Works well at 1500. :) Some day when I get bored I'll revisit it.
Thanks for the input! :)
-
For anybody looking..
https://www.amazon.com/Extension-Female-Signal-Exchange-Flexible/dp/B086W3JK1X/ref=sr_1_689?dchild=1&keywords=PCI-E%2BPCI%2BExpress%2BFemale%2Bto%2BFemale&qid=1590442937&s=electronics&sr=1-689&th=1
There is more than one type on Amazon.
Lanner tells me that the adapter shown earlier is out of production.
-
I've got an M400 with HDD (mSATA adapter on the way), i3 4130T, BIOS flashed via SPI, and the latest pfSense working. However, my fans running like a banshee are driving me mad. I've tried making a VGA by crudely splicing a USB3 internal plug into a VGA, but I get no output from BIOS or when fully booted. What am I missing? Is there a way to set auto fan speed without VGA?
-
BIOS is password protected on the base product. You'd need to flash a BIOS listed above or modify the existing BIOS to have different values. You can back up and edit the existing BIOS with afudos.
There's a BIOS settings editor with info above; you can flash the BIOS with the new settings.
You'll need VGA though.
I bought one of these for a more permanent solution (though you could hodgepodge VGA together and then enable RS232 and forget about it). You will have to re-pin it to this mobo.
https://www.ebay.com/itm/130824913486
-
@mdneilson
If you have flashed my latest BIOS, there are two things to mention regarding VGA output:
- VGA output is disabled in BIOS to allocate all RAM to the system. You can manually re-enable it. To do that, you need to access the BIOS using the serial console.
- Make sure your CPU contains an IGP (integrated graphics processor). Otherwise it will not work no matter any BIOS setting you have.
If you just want to access the unlocked BIOS to configure the fans, you can do that using the serial console.
-
@mdneilson I suggest that you install Shellcmd and activate it through the GUI, then install WGXepc for the Watchguard M400-M500.
These suggestions should get you pointed in the right direction. I don't have one up and running at the moment. However WGXepc has a shell fan speed control command I believe. stephenw10 has been an awesome contributor to me and the community.
-
Yeah, you should just be able to use the serial console to setup the fan if you flashed the BIOS, depending on which image you used. But if you used the image I edited originally it should already have the fans set to something reasonable.
It's probably trivial to add the M400 fan control to WGXepc. I never got around to it because I had already set it in the BIOS.
Steve
-
Any idea if an M400 with the modded BIOS will handle:
E3-1285L v4 or any Broadwell family processor?
Any confirmed cases?
-
Turns out it was relatively easy to add the fan control to WGXepc as it's pretty much identical to the Mx70 boxes. Though I managed to break it several times by not setting enough things and ending up with a negative temperature/speed ramp.
So find the updated code: https://github.com/stephenw10/WGXepc/blob/master/WGXepc.c
And a compiled binary here for those willing to trust it. If you run
WGXepc64 -f 14
you will get the same values I set in the BIOS I modded. Those values work well for me with the CPU I have but you should test it at full load.
[2.4.5-RELEASE][admin@m400-3.stevew.lan]/root: ./WGXepc64
Found Firebox M400/500
WGXepc Version 1.6_1 22/11/2020 stephenw10
WGXepc can accept two arguments:
-f (CPU fan) will return the current and minimum fan speed or if followed by a number in hex, 00-FF, will set it.
-f2 (System fan) will return the current and minimum fan speed or if followed by a number in hex, 00-FF, will set it.
-l (led) will set the arm/disarm led state to the second argument: red, green, red_flash, green_flash, red_flash_fast, green_flash_fast, off
-b (backlight) will set the lcd backlight to the second argument: on or off. Do not use with LCD driver.
-t (temperature) shows the current CPU temperature reported by the SuperIO chip. X-e box only.
Not all functions are supported by all models
[2.4.5-RELEASE][admin@m400-3.stevew.lan]/root: ./WGXepc64 -f 14
Found Firebox M400/500
Minimum fanspeed set to 14 at 45°C or less
Steve
-
Thank you, Stephen. Choosing ZFS with the UEFI+BIOS partition scheme finally allowed me to boot off of my hard drive.
-
Just to add my own experience to this thread: I picked up an old M500 courtesy of work. I tried firstly getting the VGA adaptor pointed to above in this thread, and when I plugged that in found I got nothing at all. I didn't know at that point that the VGA was disabled in the BIOS, so rather than mess about trying to flash the BIOS I had a stab at installing pfSense on an SSD via the console.
I connected a 128GB Kingston A400 SSD, removed the CF Card and put a PFSense bootable USB drive in the USB slot, I also connected the serial to an old PC with a com port using a spare Cisco console cable I had knocking around. I used putty software on the PC, port speed 115200.
I used this guide to create the PFSense bootable USB: https://netosec.com/install-pfsense-flash-drive/
When the M500 booted it loaded the PFSense installer from the USB and saw the SSD and allowed me to do an install to the SSD, after completing the install I then rebooted, removing the USB and it booted off the SSD with no issues. I've rebooted it a couple of times since and it has been fine, I was able to config PFSense enough using the console connection to get into it using the Web interface.
The only thing I've done since outside of PFSense rules and config changes is to download the precompiled WGXepc64 utility from https://sites.google.com/site/pfsensefirebox/home/WGXepc64 (thanks stephenw10) and copy that to the M500 using WinSCP (I also used WinSCP to make it executable), I was then able to SSH into PFSense and set the fan control speed accordingly, although I can't use any other command but -f, none of the others work.
Thanks to so many of you here for your insights and posts. Now to sit it in between my Plusnet router and my LAN; interrupting the kids' internet access might be the hardest part of this install.
-
You should be able to set the arm/disarm LED too.
I don't think my Plusnet router ever made it out of the box. Straight DSL modem only.
Steve
-
@stephenw10 Hi Steve, I did think about trying something like that but I don't think the M500 has the required hardware to act as a DSL modem. I'll set up the Plusnet router to forward everything to the M500 interface in DMZ mode and let the M500 do the heavy lifting.
That's if I keep it. The heatsink gets quite hot even when there's virtually no load on it, which means the fans are running quite high most of the time, so it's a noisy beast, not great for the corner of the office. I may have to go to a pfSense VM on the server instead, which will be a shame because I like the idea of it being a separate physical box for just firewall purposes.
-
Sorry I mean I use a separate modem instead of the router. Any Openreach DSL modem will work.
The M400/500 is normally quite quiet. If you flash the BIOS with the unlocked one (or the one I changed the defaults on) you can enable Speedstep which saves a few Watts. Might be worth remounting the heatsink with fresh paste.
Steve
-
I run two M400's in a cluster setup. I have upgraded them to be fairly identical:
Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
16G RAM.
The only difference is the SSD drives, which are different brands and a few gigs different in size.
-
@tsmalmbe Do you find the upgraded CPU makes much difference? We were running this M500 for a firm of nearly 400 users and didn't notice any particular speed or throughput issues with the existing Firebox software; it never really seemed to be stressed. We only changed the box because we got a new one when we renewed.
Does PFSense have much of an overhead compared to the Firebox software?
Bearing in mind I'm planning to use this for home use so 4 users, my main use will be traffic management to ensure that the kids game downloads/Netflix don't affect Teams/Zoom and Citrix sessions.
-
@mh-0 said in Watchguard Firebox M400/M500:
@tsmalmbe Do you find the upgraded CPU makes much difference? We were running this M500 for a firm of nearly 400 users and didn't notice any particular speed or throughput issues with the existing Firebox software; it never really seemed to be stressed. We only changed the box because we got a new one when we renewed.
Does PFSense have much of an overhead compared to the Firebox software?
Bearing in mind I'm planning to use this for home use so 4 users, my main use will be traffic management to ensure that the kids game downloads/Netflix don't affect Teams/Zoom and Citrix sessions.
Good questions - I do not have readily good answers for you. I run 2-3 end-user OpenVPNs as well as 4 site-to-site OpenVPNs. This all works fine. The connection is 500M, but rarely do I stress it a lot. Now where I do appreciate the power is the fact that I have 7 LANs + the VPN connections, which all have a separate Snort profile. With this hardware, it is very smooth. The only time I see something is when the vulnerability scanners kick in - it increases the temps by 10-15 degrees on the CPUs.
Comparisons to stock Firebox software I cannot do. I know these run on lesser specs when they come from the factory; however Watchguard have done their own perf tests and they seem reliable though (have customers running similar with native software).
-
@eisenb11 Was a solution to the failure to reboot ever found?
-
I have never found one. I'd sure love to hear about it if you find it!
I have an i3-4160 in mine and with that it doesn't reboot.
Steve
-
I had a 4370 and it also couldn’t reboot. Eventually downgraded to a 4130 and reboot works as it should.
-
@stephenw10 I was looking at the spec sheets for all of the processors that didn't work. It may be tied to Intel's "Secure Key" feature. I'm wondering if this is used for something in UEFI or if the BIOS behavior is different on a reboot. The key is used for the RDSEED and RDRAND instructions.
From https://www.intel.com/content/dam/support/us/en/documents/mini-pcs/BIOSGlossary_NUC.pdf "Generates a new Secure Boot Platform Key during next boot. The private half of the Platform Key Is discarded. This Requires the Intel Secure Key processor feature." It is used for the Secure Boot feature. I looked through the settings and nothing stands out for use of that feature.
-
@deathwarror https://www.lanner-america.com/wp-content/uploads/Lanner-Secure-Boot-and-Secure-Flash.pdf Lanner had this for the FW-7585 with the C226. I do not see the setting in the BIOS we have.
-
@deathwarror Mmm, not seeing anything that looks too promising.
Not clear why it would boot at all if that were the case...
There are so many options in the unlocked BIOS though, no way to test them all.
Steve
-
So I wanted to add 10Gb networking to a couple of PCs and I thought since there's a PCIe slot on the M400, I could just throw a card on with a female-to-female PCIe extender and presto chango, I'd be able to get 10GbE copper on my network for a fraction of a 4-port 10GbE switch.
Used a Dell Chelsio 5MHDP that I know works and has been tested in another machine.
The extension is a cheap 20cm female-female extender. I can't test the extension cable, as I have no other boards with a male PCIe connector.
Power basically flickers and it doesn't even turn on. I can confirm the card is getting power. Is it possible that there's a whitelist of devices that can be plugged in?
I'll look at the BIOS a bit more but was hoping this would work.
edit: I am running the stock BIOS, will try Zanthos's modded BIOS and post results, was hoping I wouldn't have to flash it.