Watchguard Firebox XTM 8 Series
-
-
Help you do what?
What are you doing? What do you expect to happen? What's actually happening?
Steve
-
Hello
I have an XTM 8 series, I would like to install pfSense on it. Can you help me please?
Best regards
-
Are you installing to a CF card or a SATA device? Do you have some means of writing to the CF or installing to the SATA device outside of the XTM8?
Steve
-
I have a CF 1Gb and an HDD 500Gb. Which pfSense ISO should I copy to the CF 1Gb? And how do I install pfSense on the HDD?
Thanks
-
Noting here for reference since it somehow seems to have been missed and I found myself having to search for it again.
The only change required to enable the serial console on com2 is this loader line:
comconsole_port="0x2F8"
Add that to /boot/loader.conf.local and/or set it at the loader prompt initially.
Steve
-
@stephenw10 said in Watchguard Firebox XTM 8 Series:
> Noting here for reference since it somehow seems to have been missed and I found myself having to search for it again.
> The only change required to enable the serial console on com2 is this loader line:
> comconsole_port="0x2F8"
> Add that to /boot/loader.conf.local and/or set it at the loader prompt initially.
> Steve
Hi,
This is my first XTM810 that I'm converting to a pfSense box, but damn, how weird is this box compared to an XTM5 series?
The em0 to em9 assignment is crisscross, and these boxes can't shut down because of the AT power supply design with a hard on/off switch like the ancient X-Core boxes.
At the moment I use a 1Gb CF card with an older version (2.4.4) 64bit full version with Ramdisk enabled from an XTM5 box. I can log in with the Web GUI, and with the above fix from Stephen for activating the COM2 port, I can also see what's happening through the serial console with PuTTY.
But the 2 major problems are:
No internet is passing the box, while on the dashboard the gateway is showing green, and the WAN (em0) has a dynamic IP.
The second problem is with the BIOS of this XTM810 (labeled FW-8750 WG v1.1 on the motherboard and BIOS version 1.2 labeled on the LCD): I can only make a backup of the BIOS with a GQ-4X Willem Programmer through the SPI interface, and the BIOS file is 2Mb in size. Flashrom gives a read error when trying to back up the original BIOS.
Erasing the BIOS and flashing this backup back with Flashrom also gives a read error, and the 1Mb BIOS files brick this box each time.
Also, only the 1Mb BIOS files can be opened by the Amibcp tool. I have tried 6 or 7 different versions of Amibcp from version v3.13 to v4.53; the 1Mb BIOS files can be opened, but the 2Mb BIOS file that I previously backed up can't be opened for editing. So first I thought that this backup was corrupt, but after bricking the box with the 1Mb unlocked BIOS, I revived the box again with the 2Mb BIOS that I backed up, so this 2Mb BIOS file is definitely not corrupt.
With the original Watchguard firmware 12.1.3 (latest version), internet works fine, so the hardware of this box is okay.
I have also tried with and without the AGP disabling fix, because on Supermicro motherboards this fix works great when the assignment of the extra added interfaces doesn't work properly.
So any help or tips to get pfSense working will be great.
Grtz
DeLorean
-
@delorean I ran into the same issue, where the physical order of the NICs and the emX NICs in pfSense doesn't match up.
Your NIC order may be the issue, unless you know for sure that the physical NIC and em0 are the same.
My fix was as per
https://forum.netgate.com/topic/164397/watchguard-xtm850-network-interface-orders/2
-
Yeah, you can use PCI device wiring in FreeBSD 12, and hence pfSense 2.5.X, to set the NIC order. I personally chose not to because if you have to reinstall and those values are lost the NICs will all be re-ordered again. Just assigning the NICs from the order they are detected is not that hard IMO.
And yes you probably have the NICs assigned incorrectly if you are not passing traffic. There's not much you can do wrong there besides that on a clean install.
The ordering is certainly odd though. What's shown on this post seems to be correct:
https://forum.netgate.com/post/550680
Steve
-
Update
I have installed 2.5.2 (memstick serial version) on a 120Gb SSD connected to an XTM5 box, then used only the 2 interfaces em0 and em1 that are assigned by default.
I connected my LAN cable to the port with label 3 (em1) and my WAN cable to the port with label 0 (em0). Same result as before: I can log in to the Web GUI but there is no internet (the WAN interface received a valid IP by DHCP). Then, to be sure, I added a pass all through rule for the WAN interface (em0), but still no internet.
I then assigned the port with label 1 (em2) as LAN, and still no internet.
Then I assigned all interfaces and enabled each interface, then I created a WAN-bridge and applied a "pass all through" rule for this bridge, and suddenly the box started passing internet through with the WAN on em0 and LAN on em2.
So I thought that this had to do with the bridge and/or the pass all through rule, but after removing the bridge and this added rule, the box still works, even after a few reboots.
Then during testing, at a certain moment, I saw that only 2 cores of the default Quad Q9400 were displayed on the dashboard, but after a reboot all 4 cores are back.
Does this CPU have an issue? I don't know, a decent stress test will tell.
So far problem 1 is fixed, but problem 2, unlocking the BIOS, is still present. Flashrom doesn't work at all, with a read error and read transaction error when trying to back up or flash, and there is no possibility of opening the 2Mb original locked BIOS file.
The BIOS shows version 08.00.15 and 12/02/08, same as the XTM5 BIOS.
Thanks for the quick replies and help so far.
Greetz
DeLorean
-
Hmm, sounds like a bad default route maybe or no default route.
Or a subnet conflict can behave like that.
Been so long since I did this the details escape me!
In fact I'm not sure I ever actually flashed the BIOS on this...
It's waay easier to do now there is a default config for em NICs. Crazy struggles at the start of this thread.
-
Little sidenote.
The Amibcp tool doesn't have a size limit of 1 Mb (like I thought),
because I searched on the Bios Mods forum for random Amibios files that are bigger, and the Amibcp tool can even open 8 Mb BIOS files.
So the problem that I experience with this 2Mb BIOS dump is not related to the file size.
Greetz
DeLorean
-
Probably because you are dumping the entire ROM via the SPI reader and the actual BIOS image is not all of that so you end up with a RAW image that AMIBCP can't open.
Not sure why flashrom wouldn't work but the version in 2.5.2 is probably significantly newer than anything we were testing with 5-6 years ago in 2.2-2.3.
I note that my box is still running 2.3.5 Nano.
Steve
-
You are probably right, because when I open the 2 Mb file in a hex editor,
there is lots of space filled with FF.
I already tried to remove some of those FF until I had the same amount of data as the 1Mb BIOS file, but Amibcp can't open that one either.
I can try with an older version of pfSense and run an older version of Flashrom,
but let's say that I prepare a CF card with pfSense 2.3 nano and I use the command for installing flashrom, will it then be an older version, or will it always choose the latest version of flashrom that's available online?
In short, is the available flashrom version dependent on the pfSense version?
Thanks
DeLorean
-
Hmm, nope. Fails for me too:
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: flashrom -p internal -r biosbackup1.rom
flashrom v1.0 on FreeBSD 10.3-RELEASE-p29 (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 1ns).
Found chipset "Intel ICH9DO".
Enabling flash write... OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading flash... Transaction error!
Read operation failed!
FAILED.
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: pkg info flashrom
flashrom-1.0
Name : flashrom
Version : 1.0
Installed on : Tue May 15 15:43:54 2018 BST
I don't think I ever did this since there was no way to enable access via serial even with it unlocked IIRC.
It would be nice to enable speedstep though.
-
@stephenw10 said in Watchguard Firebox XTM 8 Series:
> Hmm, nope. Fails for me too:
> [2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: flashrom -p internal -r biosbackup1.rom
> flashrom v1.0 on FreeBSD 10.3-RELEASE-p29 (amd64)
> flashrom is free software, get the source code at https://flashrom.org
> Using clock_gettime for delay loops (clk_id: 4, resolution: 1ns).
> Found chipset "Intel ICH9DO".
> Enabling flash write... OK.
> Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
> Reading flash... Transaction error!
> Read operation failed!
> FAILED.
> [2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: pkg info flashrom
> flashrom-1.0
> Name : flashrom
> Version : 1.0
> Installed on : Tue May 15 15:43:54 2018 BST
> I don't think I ever did this since there was no way to enable access via serial even with it unlocked IIRC.
> It would be nice to enable speedstep though.

I always used the flashrom command differently, like this:
"flashrom -w file.rom --programmer internal"
for writing the BIOS to the device, and for backups:
"flashrom -r backup.rom --programmer internal"
But it seems to give the same output.
Greetz
DeLorean
-
Except that I'm completely wrong about that! Just been too long...
You can access the BIOS on the serial console if you spam F11 enough.
And I seem to have full access to it so I guess I did flash it at some point. I assume I must have done it from FreeDOS.
No Speedstep options there by default though. Booo!
Steve
-
Okay, I made huge progress.
I have managed to pull only the actual 1Mb BIOS instead of the entire ROM content.
I used FreeDOS from the link that Stephenw10 provided:
https://sites.google.com/site/pfsensefirebox/home/FreeDOSBios.img
I used Win32DiskImager to prepare a 1Gb CF card with FreeDOS.
I then added the Amibios flash tool called AFUDOS (v4.40) that I downloaded from the Amibios site.
Then I modified the autoexec.bat file to change the serial console to COM2 and 115200 baud,
but "COM1" is stated 4 times. I tried different combinations but it kept complaining that there was no read/write device detected etc.
I then filled in 4 random COM ports like COM5, 6, 7 and 8,
and it started complaining again about the COM number, but this time it passed through to the command prompt with the date and clock.
I then used the command "AFUDOS backup.rom /O" and started the backup, which was very fast (less than 2 minutes) and completed without any error.
The typing was very unresponsive, the cursor didn't react sometimes and then it jumped a few spaces, but it worked.
I then pulled the 1Mb backup file from the CF card and unlocked the BIOS with the Amibcp (v4.53) tool.
Then I placed this unlocked BIOS back on the CF card and booted FreeDOS again, and at the command prompt I used the command: AFUDOS Backup.rom
And it started flashing and ended without any problem.
I reset the CMOS and I could enter the BIOS and change settings.
The next goal is now to activate COM1 and solder a connector or serial cable straight to the COM1 contacts, and connect this to the COM header on the back of the firewall.
I have already looked in the BIOS, and only COM2 is seen in the dropdown list, but it's maybe possible to change the address and IRQ for using the COM1 port.
If this doesn't work, then I'm going to add a VGA port to the back of the firewall.
Because this firewall can't shut down, but reboots instead, I have looked at changing some power settings in the BIOS, but there isn't much there to change this behaviour.
Watchguard has modified the ATX power supply, and added a hard on/off switch that cuts off the mains inside the power supply.
Also, near the CF card reader is a button labeled PSW1. I presume that this is "Powerswitch1", but pressing this button places the firewall in some sort of sleep mode with everything off and only the background of the LCD screen lit with no text.
On the XTM5 series, this button was placed in parallel with the soft on button on the back.
So far the progress :-)
Greetz
DeLorean
-
You shouldn't need to use com1, you can use com2 for everything as far as I know.
Steve
-
I have managed to use the COM2 port and make it act like it's COM1
by reassigning the I/O address to 0x3F8 / IRQ4 (thanks to Stephenw10 for this tip in an earlier message in this thread).
I then removed the added line comconsole_port="0x2F8" from the /boot/loader.conf.local file.
I also modified the BIOS file to set this I/O address fixed to 0x3F8 / IRQ4, under the option Super I/O Configuration -> Serial Port2 Address, and changed the default value of 03 to 02 in both columns, failsafe and optimal.
I then flashed this modified BIOS back to the firewall, did a CMOS reset, placed a blank SSD drive and installed pfSense memstick serial without any problems.
Finally I made an entire dump of the BIOS through SPI with my True-USB PRO GQ-4X Willem Programmer to a 2Mb ROM file.
The next challenge is to get this firewall working like an XTM5 series, so that the firewall can be powered off instead of rebooting. My modding skills are not that big, but now I can poke around in the BIOS files without bricking the firewall.
Greetz
DeLorean
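-
Added example, not part of any post in this thread: a Python script for comparing a full SPI dump (the 2Mb file) with a smaller BIOS backup (the 1Mb AFUDOS file) before anything is flashed. It maps the 0xFF-filled regions and finds the block-aligned offset where the smaller image best matches, without assuming where the image sits in the chip. The function names, the 4 KiB block size and the sample data are assumptions of this example; only the mapping address 0xffe00000 comes from the flashrom output above.

```python
CHIP_BASE = 0xFFE00000  # flash mapping address printed by flashrom in this thread
BLOCK = 4096            # comparison granularity (an assumption of this example)


def erased_runs(dump, block=BLOCK):
    """Return [(start, end)] ranges of the dump whose blocks are all 0xFF."""
    runs, start = [], None
    for off in range(0, len(dump), block):
        chunk = dump[off:off + block]
        if chunk.count(0xFF) == len(chunk):
            if start is None:
                start = off
        elif start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(dump)))
    return runs


def best_window(dump, image, block=BLOCK):
    """Slide image over dump in block steps; return (offset, differing_blocks)."""
    best = None  # 0 differing blocks means the image is a byte-exact part of the dump
    for off in range(0, len(dump) - len(image) + 1, block):
        diff = sum(dump[off + i:off + i + block] != image[i:i + block]
                   for i in range(0, len(image), block))
        if best is None or diff < best[1]:
            best = (off, diff)
    return best


def make_sample():
    """Constructed data: a 2 MiB 'dump' and a 1 MiB 'image' (not from a real box)."""
    body = bytes(range(255)) * 4096                      # contains no 0xFF bytes
    image = body[:0x80000] + b"\xff" * BLOCK + body[0x80000:]
    other = bytes(range(1, 129)) * 512                   # 64 KiB of unrelated data
    copy = bytearray(image)
    copy[0x2000:0x2010] = b"\x00" * 16                   # one block changed between reads
    dump = other + b"\xff" * (0x100000 - len(other)) + bytes(copy)
    return dump, image


if __name__ == "__main__":
    dump, image = make_sample()
    off, diff = best_window(dump, image)
    print("erased:", [(hex(a), hex(b)) for a, b in erased_runs(dump)])
    print(f"image best matches at file offset {off:#x} ({diff} block(s) differ)")
    print(f"mapped address of that offset: {CHIP_BASE + off:#x}")
```

On real files, read both with `open(path, "rb").read()` and pass them to `best_window`; a window cut at the reported offset keeps every byte at its original position, which deleting FF bytes in a hex editor does not.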