pfSense on Watchguard M270

unixmagic

That is a pitty, I was convinced that it were just 2 Intel i350-AM4 network interfaces..
https://ark.intel.com/content/www/us/en/ark/products/52966/intel-ethernet-controller-i350-am4.html
But I will dive into that a bit more now.

stephenw10

I split this into a new topic to avoid confusion.

The C3558 (like all C3K CPUs) is a SoC that includes up to 4 ix NICs and that's what they use:

[2.4.5-RELEASE][admin@m270.stevew.lan]/root: ifconfig -a
ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=e400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:a0:c9:00:00:02
	hwaddr 00:a0:c9:00:00:02
	inet6 fe80::2a0:c9ff:fe00:2%ix0 prefixlen 64 scopeid 0x1
	inet 172.21.16.216 netmask 0xffffff00 broadcast 172.21.16.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (2500Base-KX <full-duplex,rxpause,txpause>)
	status: active
ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=e400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 34:12:78:56:01:03
	hwaddr 34:12:78:56:01:03
	inet 192.168.216.1 netmask 0xffffff00 broadcast 192.168.216.255
	inet6 fe80::1:1%ix1 prefixlen 64 scopeid 0x2
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (2500Base-KX <full-duplex,rxpause,txpause>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xd
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: enc
pfsync0: flags=0<> metric 0 mtu 1500
	groups: pfsync
pflog0: flags=100<PROMISC> metric 0 mtu 33160
	groups: pflog
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
	tunnel inet 172.21.16.216 --> 172.21.16.22
	inet6 fe80::2a0:c9ff:fe00:2%ipsec1000 prefixlen 64 scopeid 0x11
	inet 10.10.41.1 --> 10.10.41.2 netmask 0xfffffffc
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	reqid: 1000
	groups: ipsec

Note the link rate at 2500Base-KX indicates no PHY. It's connected to the switch internally directly.

Steve

haowei

@stephenw10 我想请教你，你的Watchguard M270现在能使用其他的系统吗？

Edit, translation:
I want to ask you, can your Watchguard M270 use other systems now?

haowei

@stephenw10 我测试了很多种系统网卡都启动不了无法使用。

stephenw10

It is possible to run pfSense Plus on the M270. It contains the required switch code and drivers to attach to it. So when that becomes available for 'white box' devices that may be an option for some. It still requires some hackery though. I use a script to setup the switch at boot as the M270 is not recognised as a device that has a switch.

Steve

haowei

@stephenw10 非常感谢你的回复，有软件下载链接吗请给我个谢谢。。。

stephenw10

@haowei said in pfSense on Watchguard M270:

Thank you very much for your reply, is there a software download link, please give me a thank you.

No, not yet. pfSense Plus is planned for release for whitebox devices in the near future but all the pieces to allow that are not yet in place.

Steve

haowei

@stephenw10 再次感谢你得回复祝福你身体健康万事如意。。

haowei

@stephenw10 你好再次求教你的M270主板BIOS有解锁或者去掉密码吗？

stephenw10

@haowei said in pfSense on Watchguard M270:

Hello again, is there any unlocking or removing the password for your M270 motherboard BIOS?

No, there is no unlocked BIOS available and the password is unknown. Also it probably going to be very difficult to do so since Lanner do not appear to make an equivalent unbranded model.

Steve

haowei

@stephenw10 技术支持应该快了这是我查到有关信息。https://www.freebsd.org/releases/13.0R/announce/
https://forum.openwrt.org/t/intel-quick-assist-v1-5-drivers-and-openssl-1-1-1e-acceleration-engine-for-19-07-2/58692

stephenw10

This is an English language forum, please post in English. Otherwise I have to use Google translate every time.

We already have that in Plus though:

[21.05-RELEASE][admin@m270.stevew.lan]/root: pciconf -lv qat0
qat0@pci0:1:0:0:	class=0x0b4000 card=0x00008086 chip=0x19e28086 rev=0x11 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Atom Processor C3000 Series QuickAssist Technology'
    class      = processor

Steve

haowei

@stephenw10 Are you running on m270 now?

stephenw10

Yes, that is it shown above.

deadare321

@stephenw10 any chance you can share what that setup script looks like? I've got pfsense running no problem but can't get any of the interfaces functioning.

stephenw10

The script looks like this:

#!/bin/sh
#
# Script to setup the switch in the M270
#
# SteveW 5/6/2020
#

echo "Configuring switch..."
logger Configuring switch...

etherswitchcfg vlangroup1 vlan 1 members 9
etherswitchcfg vlangroup2 vlan 2 members 3,4,5,6,7,8,10
etherswitchcfg vlangroup3 vlan 3 members 2,4,5,6,7,8,10
etherswitchcfg vlangroup4 vlan 4 members 2,3,5,6,7,8,10
etherswitchcfg vlangroup5 vlan 5 members 2,3,4,6,7,8,10
etherswitchcfg vlangroup6 vlan 6 members 2,3,4,5,7,8,10
etherswitchcfg vlangroup7 vlan 7 members 2,3,4,5,6,8,10
etherswitchcfg vlangroup8 vlan 8 members 2,3,4,5,6,7,10
etherswitchcfg vlangroup9 vlan 9 members 1
etherswitchcfg vlangroup10 vlan 10 members 2,3,4,5,6,7,8

etherswitchcfg port1 forwarding
etherswitchcfg port2 forwarding
etherswitchcfg port3 forwarding
etherswitchcfg port4 forwarding
etherswitchcfg port5 forwarding
etherswitchcfg port6 forwarding
etherswitchcfg port7 forwarding
etherswitchcfg port8 forwarding
etherswitchcfg port9 forwarding
etherswitchcfg port10 forwarding

echo "done"
logger done

But it will only run in Plus. None of the switch stuff is in CE.
It's still not really perfect there. The required loader hints are lost at upgrade currently.

Steve

ozon08

Hey, i bought a Watchgaurd M270 and installed pfsense on a new mSata drive, activated pfsense plus home.
After i stick it in the M270, it boots up but ich can not config the etherswitch.
I get this error:

etherswitchcfg: Can't open control file: /dev/etherswitch0: No such file or directory

stephenw10

You need the loader hints to create the switch device. Add these lines to /boot/device.hints:

hint.mdio.0.at="ix1"
hint.e6000sw.0.addr=0
hint.e6000sw.0.is6190=1
hint.e6000sw.0.port0disabled=1
hint.e6000sw.0.port9cpu=1
hint.e6000sw.0.port10cpu=1
hint.e6000sw.0.port9speed=2500
hint.e6000sw.0.port10speed=2500

Unfortunately as I said those are lost at upgrade. The file handling for the 7100 switch adds/removes those lines when needed and the m270 is not recognised. Been a while since I looked at it though. Might be different in 22.01.
Edit: Nope still removed at upgrade so you need console access to add it back.

Steve

ozon08

@stephenw10 thank you.
My Switch is now working, but is ix1 wan and lan port or is ix0 wan and ix1 lan?

stephenw10

If you used the script I posted above WAN should be ix0 and connects to port 0.
LAN should be ix1 and connects to ports 1-7.

Of course you can change that to be however you want. Add VLANs to get 8 separate interfaces/ports for example.

Steve