WatchGuard Firebox T70

stephenw10 · Jan 11, 2021, 3:48 AM

I acquired one of these for (probably waaay too much!).

Unfortunately the switch remains stubbornly with all it's ports disabled whatever I have done to it.

They do not seem to come up even for a second at reboot (or complete power cycle) or in the BIOS setup. Or even if you short the CMOS so it doesn't boot at all.

It's interesting. The outside looks very Lanner but the PSU (I have) is from Senao who make their access points.

I was able to confirm he other DIP switches, if you change them from MDIO to SoC the WG OS fails to find the switch and other ports etc.

Steve

stephenw10 · Jan 11, 2021, 3:53 AM

Some success; but horribly hacky!

[2.4.5-RELEASE][root@t70.stevew.lan]/root: ifconfig -vm igb3
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        capabilities=753fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,>
        ether 00:a0:c9:00:00:00
        hwaddr 00:a0:c9:00:00:00
        inet6 fe80::2a0:c9ff:fe00:0%igb3 prefixlen 64 scopeid 0x4
        inet 192.168.70.1 netmask 0xffffff80 broadcast 192.168.70.127
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        supported media:
                media autoselect
                media 1000baseSX
                media 1000baseSX mediaopt full-duplex

There are a number of ways we might try to address the switch ports access. The best way would be to enable actual access to switch via the etherswitch framework. We could then actually configure it with VLANs etc to make separate ports. Most of the components to do that exist but unfortunately there are also some pretty big blockers:
You can't compile etherswitch as a module as far as I can tell so you need a new kernel.
Even with that and after importing the mdio module you need a special igb driver to expose the mdio bus so it can be created as a device and allow the switch to be seen.
The work has almost certainly already been done by Netasq/Stormshield as they have devices very similar to this and a FreeBSD base but I'm not sure if that code was ever made public. I could just be missing something!
The T70 also has the intriguing option to create an mdio bus direct from the SoC without going via the NIC. That may be possible but I think would require code. I can see no reference of anyone doing that in FreeBSD though the etherswitch docs, such as they are, imply it could be attached like that.

We could attempt to change the config in the 2-wire eeprom that the switch chip loads to enable the ports. However it looks like that is only accessible via the switch chip itself or via a clip on type programmer maybe. Also I have no idea how that might be formatted etc. Interestingly it looks like the default position for the DIP switches is 'off', the EEPROM is not connected. And connecting seems to make no difference in either OS as far as I can see. So maybe if doesn't have any config in it.

The final nuclear option became apparent to me whilst chasing something else. I couldn't actually find the datasheet for the 88e6176 so I had to guess from other info but most Marvell chips are similar so... The chip can be configured by holding various pins high or low using external components. This way it can be in a cheap 5 port switch with no CPU or even eeprom required. It has a pin 'NO_CPU'; if that is set low implying there is a CPU it automatically disables all the ports when it is reset as it is at power on. The CPU then configured is later. This is a security measure so the ports are not connected together at boot until the OS is ready. That pin (pin 35) is pulled low by a 5K resistor, if that is disconnected it assumes there is no CPU and does not disable the ports. It would be nice if that was one of the DIP switches or a jumper.... nope.

It is R607 as shown below. It is grounded via the adjacent pad on the unpopulated R614. By cutting the track under the blue line it removes the ground and the chip boots as a regular 5 port unmanaged switch.
login-to-view

It should go without saying that this is not without risk. In fact I would say it is high risk! No one should attempt this! In all likelihood it will brick your, still expensive, T70

I may have simply been lucky.

I will say it does not prevent the WG OS configuring the switch if you go back, or if we later found a way to do it from pfSense. It does make it less secure since all the ports are connected by default. PoE still works.

Steve

networkBob · Sep 12, 2020, 9:32 PM

Thank you so much @stephenw10 very grateful for your efforts here.

I attempted this approach and it indeed worked perfectly. Had to use a microscope in order to sever that small connection!

In my use case, each of the 5-port switch interfaces would belong to the same flat network segment. So, while the security aspect of this mod is important to consider, for me it makes no difference. In fact, for me it is simpler this way, as I actually wanted these 5 ports to function as an unmanaged switch. Cheers to you @stephenw10 :)

-Bob

stephenw10 · Sep 14, 2020, 3:56 AM

Nice. Let me know if you see anything unexpected. Those pins are all used for several things but I don't have the specific datasheet for that chip so I'm unsure exactly what. Probably potentially driving an LED somewhere. The NIC LEDs all seem to work as expected here though.

Steve

networkBob · Sep 15, 2020, 1:55 AM

@stephenw10 Each of the "1000" interface activity LEDs on my modified WatchGuard T70 operates as expected. As far as I can tell, the "Status", "Attn", and "Mode" LEDs do not illuminate under any circumstances, which for me is not super important. If, one day, the WGXepc package makes it possible to make use of these WatchGuard T70 LEDs from within pfSense, that would be great but I am not expecting this any time soon. Thanks again @stephenw10 :)

Bob

bruor · Jan 10, 2021, 4:38 AM

@networkbob how did you get pfsense installed on the msata drive in the T70? Should I install using another system or can I do boot selection using the serial console and install via USB?

stephenw10 · Jan 10, 2021, 5:06 PM

There's no way to install to it in the T70 directly as the BIOS is locked down, no way to select a boot device other than the mSATA.
So, yes, install in something else and move it across. If that other thing is not a serial console device then be sure to enable the serial console in the webgui before moving it.

Steve

bruor · Jan 10, 2021, 8:25 PM

@stephenw10 awesome thanks, I was able to get it installed, but it doesn't look like I was successful in breaking the trace under the blue line. I'm trying to score the board with a utility knife, how did you sever it?

stephenw10 · Jan 11, 2021, 12:44 AM

Yes I used a small craft knife. I think I went over that with the corner of a watchmakers screwdriver. It's a delicate operation!

bruor · Jan 11, 2021, 12:56 AM

@stephenw10 I might just try to remove that resistor instead

bruor · Jan 13, 2021, 12:41 AM

@bruor confirming, used the super fine tip on my iron, popped the resistor off, switch is active on igb3!

Thanks for the help!

stephenw10 · Jan 13, 2021, 2:31 AM

Nice!
I wish there was a better way. Maybe one day...

Steve

Souljumper · Jun 8, 2021, 11:55 AM

@stephenw10 it worked perfectly with my T70 and OPNsense. Thank you very much! Now I can use the 5 port switch as lan interface.

Eihab · Jul 7, 2021, 9:37 PM

@stephenw10 can you upload the config.xml with the defaults of pfsense setup . Unable to reconfigure setup, my m2 laptop has no ethernet ports and setup shutdown immediately. Thanks

stephenw10 · Jul 8, 2021, 3:05 AM

It uses igb ports. pfSense will assign igb0 as WAN and igb1 as LAN by default.

Are you seeing something different?

You can setup the interfaces from the console anyway.

Steve

Eihab · Jul 8, 2021, 4:07 PM

@stephenw10 Thanks for the reply. I tried getting into the console but unable to directly on the T70. Since I was unable to get to the GUI on my laptop I could not enable console access. I added a USB ethernet interface to the laptop, it automatically makes it a WAN. I can SSH to it as well, but do not know how to enable console access in the initial setup [not listed as an option] so that when I move into T70 it will allow console access.

bruor · Jul 8, 2021, 4:12 PM

@eihab you should be able to just run through the pfsense installation on your laptop, don't boot it, then swap the drive into the t70.

I had no success getting console to work on the t70. Even when configured properly I'll get an initial handshake with some output, but then it goes kind of dead and doesn't respond to keystrokes etc. Have tried a mix of cables with null modem adapters etc.

stephenw10 · Jul 8, 2021, 5:55 PM

Hmm, weird. The serial console works fine here. Nothing special required.

But, yeah. If you install to the mSATA drive on something else and then move it across before the first boot it will use the defaults which should allow you access it on the LAN port.

Steve

Eihab · Jul 8, 2021, 6:11 PM

@bruor Thanks for the tip. I tried that using the second option [EFI] but nothing happens on the T70? I am unable to access from a PC connected to the LAN port? Any thing I missed?

Eihab · Jul 8, 2021, 6:18 PM

@stephenw10 Any specific version of pfsense? I downloaded the latest iso and installed on the laptop with 2nd option or EFI boot.