My guide to installing pfSense on Watchguard x750e



  • So finally got my Watchguard x750e up and running with pfSense 2.3.4 was mostly straight forward but thought would document what I did here in the hopes someone might find it useful as I ended up following a couple of guides to get it all working.

    Things you will need

    Getting Started

    1. Make sure the Watchguard boots first, turn it on, make sure it comes up to the booted screen on the LCD this just checks to make sure its working

    2. Power it off and open her up, and have a look to see how big the compact flash card is, you want it to be less than 256Mb to be able to flash the BIOS, mine had a 128Mb one in so used that.

    3. Assuming you have a CF card smaller than 256Mb we can begin.

    Flashing the BIOS

    1. With the above all downloaded, plug your small CF card into your PC and open up WinDiskImager.  Make sure the CF card is selected and open the FreeDOSBios2.img you might need to unpack the archive first.  Once your have put the disk image on the CF card, you will also need to copy the 8.1 BIOS into the BIOS folder on the CF card.

    2. Once that is done, eject the CF card and pop it back into your Watchguard.

    2. Connect the serial cable to your pc/laptop and to the serial port on the front of the watchguard.

    4. Open Putty go to the options and set it for 9600 8N1 Flow Control = None then click Open

    5. Power on the Watchguard, after a minute or so you should get 3 beeps and you will be presented with a c:\ prompt in your putty window

    6. Change to the BIOS folder and run "biosid" you should get same as the image below, if not you will need to find out why as mine matched so can not help with what to do next on that.

    7. I did not do this, but it is advised to backup the existing BIOS to the internal CF do this by running “awdflash /pn /sy backup1.bin /e” backup1.bin can be anything you like, once complete you should be returned to the C:\ prompt (It can take a few minutes depending on the speed of your CF card)

    8. Once you have made your backup its time to flash the BIOS.  This is where I ran into my next problem, I had the 8.1 BIOS from the link above but when running the command to flash and despite leaving the command to run while doing a WoW raid it still was not done, so restarted the Watchguard even though this is not advised.

    9. In the end I had to upgrade to the BIOS that came with the BIOS flash utility, reboot, then flash the 8.1 BIOS.

    10. To flash to the BIOS run this command “awdflash x750eb7.bin /py /sn /cc /e" once complete you should be returned to the C:\ prompt (It can take a few minutes depending on the speed of your CF card)

    11. I then restarted my Watchguard and it showed B7 on the LCD screen, then I ran the above command again but used the 8.1 BIOS and this worked and rebooted and showed B8 on the LCD screen.

    So far so good :)

    Booting pfSense

    1. Power off the Watchguard

    2. Back on your pc/laptop with the new bigger CF card, download pfSense I have put the link at the top and an image of the options to pick.  I have only done this on a Watchguard x750e but should be the same options for other Watchguards but do check.

    3. Burn the pfSense image to the new CF card and put it into your Watchguard

    4. Open Putty go to the options and set it for 115200 8N1 Flow Control = None then click Open

    5. Power on the Watchguard and press "Tab" or "Del" to get into the BIOS of the Watchguard

    If you have done it right you should get a familiar style BIOS screen to what you get on a PC before the heady days of UEFI

    6. Go into "Standard CMOS Features"  Scroll down to the "IDE Master 0" press enter and change this to "Manual" and then change Access Mode to "CHS" escape back out to the main BIOS screen.

    7. Go into "PC Health Status" and there is a section for fan speed should be the first option set this to "BB" this will make the fans quieter on boot up.

    8. Escape back out then "Exit and Save"

    9. You should see the memory check go through then the boot menu for pfSense.  You might need to revert to the 9600 8N1 settings in Putty.

    10. You need to make one change to make pfSense boot off your CF card when you see the below text press Space or Escape and will drop you to the OK prompt

    Hit [Enter] to boot immediately, or any other key for command prompt.
    Booting [/boot/kernel/kernel] in 4 seconds...
    
    Type '?' for a list of commands, 'help' for more detailed help.
    OK
    

    11. Type in the following

    set hint.ata.0.mode=PIO4
    boot
    

    The watchguard will continue to boot and you should get the initial setup screen for pfSense, say no to setting up VLANs, set your WAN port to be sk0 (left most port) and LAN to sk1 (next one along)

    12. Select 8 and drop to the shell.

    13. We need to edit the boot file to add the line we type in before so pfSense will boot correctly each time.

    "vi /boot/loader.conf"

    You should then get a file displayed with the first line being "loader_color=NO" scroll down to the end of the line that says hw.usb.no_pf="1" and press A

    This will let you append to the file, press enter to get a new line and type in "set hint.ata.0.mode=PIO4"

    Once done press Esc and this will drop you to the command mode, type in :wq

    This will drop you back to the shell to make sure the changes were save type "cat /boot/loader.conf" and you should see your line at the bottom.

    Select option 5 and restart the Watchguard and watch as you should come back to the pfSense menu.

    All Done for now

    This is as far as I got last night at 2330, I still need to configure up the LAN port get connected, install the LCD packages, the fan control etc but will detail my journeys into them later once I know what I am doing.

    I hope this helps someone else get up and running with a watchguard :)

    Credits

    Would like to credit a few sites that helped me:

    https://www.hexhound.com/how-to-flash-pfsense-2-1-to-a-watchguard-firebox-x750e-x550e-ssl-500/
    https://harkink.com/pfsense-on-a-watchguard-firebox-x750e/
    http://www.lagmonster.org/docs/vi.html
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Installing_pfSense_3
    https://forum.pfsense.org/



  • for what are you change this hw.usb.no_pf="1"
    ?



  • @kobzar:

    for what are you change this hw.usb.no_pf="1"
    ?

    You dont change it, i found I had to go to the end of that line, then append to insert a new line.

    If you can do it another way in vi please share :)

    Thanks



  • In VI, when on a line, hitting the letter "O" will insert a new line below the line you are currently on.



  • I do it in another way:

    Just insert what are you needed in /boot/loader.conf.local

    --# cat /boot/loader.conf.local
    
    kern.cam.boot_delay=10000
    hw.msk.msi_disable=1
    hint.ata.0.mode=PIO4
    


  • Thanks Kimbe and kobzar! You guys got me up and running on a x5500e with 2.3.4. I would not boot off the stock 512Mb CF card flashed with the bio's using Win32DiskImager. I tried it using Rufus to make a bootable disk, and it booted right into FreeDOS.

    Also, I would not boot automatically with putting the hint command in the /boot/loader.config file. I used Kobzar's suggestion and put it in the /boot/loader.conf.local file, worked like a charm. It is also the location recommended in the pfsense watchguard wiki. Thanks again guys.

    Also a huge improvement in fan volume is Hex Hounds: https://www.hexhound.com/quiet-the-fan-on-your-pfsense-watchguard-firewall/ website. To get it to work 2.3.4 Goajunkie found you need to change the permissions on a couple files after the install though. 1.chmod a+x /usr/local/etc/rc.d/fanctrld.sh 2. chmod a+x /usr/local/sbin/fanctrld.

    Hope this helps others.



  • @Kimbie:

    If you have done it right you should get a familiar style BIOS screen to what you get on a PC before the heady days of UEFI

    6. Go into "Standard CMOS Features"  Scroll down to the "IDE Master 0" press enter and change this to "Manual" and then change Access Mode to "CHS" escape back out to the main BIOS screen.

    7. Go into "PC Health Status" and there is a section for fan speed should be the first option set this to "BB" this will make the fans quieter on boot up.

    A few notes here.

    Setting IDE Master 0 to "Manual" and Access Mode to "CHS" is no more needed when u use the BIOS version 8.1 ,
    only the older BIOS version like 7 needed those specific changes.
    You can leave these settings on "AUTO",  the bigger CF card will be detected with no problem since BIOS version 8.0

    Under PC Health Status changing the value to BB is also not recommended, because this setting can sometimes crash your BIOS,
    and the result is NO Booting at all, and a CMOS reset is needed for get back in business.
    This is not recommed if you want stability in your network

    The only BIOS settings that i change in the BIOS is enabling ACPI for showing the cpu temp in the Dashboard,
    and the shutdown temperature of the cpu as a safety.

    Other then that, i verry nice tutorial for installing pfSense to a X E-Core Watchguard  8)

    Grtz
    DeLorean


  • Netgate Administrator

    You should definitely put the lines

    hint.ata.0.mode=PIO4
    hw.msk.msi_disable=1
    
    

    in /boot/loader.conf.local

    The standard loader.conf file can be overwritten at an update.

    Steve



  • hi i banging my head on the wall .
    i'm trying to install pfsense on the cf card . its timing out searching for ata after starting the install process.
    can i install on a hdd first on a laptop the install the hdd in the firebox??
    any help appreciated thank you


  • Netgate Administrator

    You do not normally 'install' to a CF card. Instead you write the Nano image to it directly with a bit-for-bit writer like Win32 Disk Imager. Though recently I have found etcher to be my tool of choice in any OS. (https://etcher.io/)

    Yes you can install to a PATA hard drive in a laptop (if you have one that old) and transfer it. I have done that a number of times. You may have to set the drive path though on first boot because it might be different to the laptop.
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Booting_from_HD_3

    Steve



  • Question for anyone who has successfully installed pfSense on their x750e. Do you have a backup for the original Watchguard x750e BIOS? I want to install that BIOS for a special project. The x750e I bought on eBay had pfSense B8 installed on it already.

    Things I've learned:

    1. Using a 64MB CF with the FreeDOSBios2.img works fine
    2. I successfully backed up the BIOS on my x750e (ver B8)
    3. As a test, I installed ver B7, that worked
    4. I was able to restore the backup ver B8 BIOS image
    5. This BIOS backup image does not install: https://sites.google.com/site/pfsensefirebox/home/biosbkup.bin

    I'm hopeful once I get a good Watchguard BIOS image, I'll be able to install that on this system.



  • The original Watchguard Bios doesn't support big CF cards like 4Gb and bigger,
    besides converting the x750e back to the Watchguard OS (Fireware), there isn't any profit
    to use the original Bios.

    Grtz
    DeLorean



  • Has anyone got the latest pfsense 2.4.1 working on X750e? thanks



  • @diesel678:

    Has anyone got the latest pfsense 2.4.1 working on X750e? thanks

    No, because since version 2.4 there is no 32Bit version available.
    The x750e can run only 32Bit version of pfSense.
    The latest version for the x750e is 2.3.5

    Best regards
    DeLorean



  • @DeLorean:

    @diesel678:

    Has anyone got the latest pfsense 2.4.1 working on X750e? thanks

    No, because since version 2.4 there is no 32Bit version available.
    The x750e can run only 32Bit version of pfSense.
    The latest version for the x750e is 2.3.5

    Best regards
    DeLorean

    Will Celeron M 5xx series CPU work on X-Core-e?



  • @CuriousG:

    Will Celeron M 5xx series CPU work on X-Core-e?

    No, a Celeron M 5xx is socket BGA479
    A Watchguard X Core-E series use a socket mPGA478C

    For a X Core-E series, i always used a Intel Pentium M 760 @ 2Ghz 533Mhz with Dothan Core.
    The motherboard of this type firewall only support cpu's with a Banias or Dothan core.
    After replacing the cpu, you must set the 2 sets of dip switches from Banias setting to Dothan,
    oftherwise the 2Ghz cpu will run as a 1.7Ghz due wrong multiplier setting.

    Grtz
    DeLorean



  • Hello,

    So I am thinking of loading pfSense on an X750e that I inherited. Two questions:

    1. If I upgrade the processor to the Pentium M 760 @ 2Ghz 533Mhz Dothan Core, will I be able to load the latest version of pfSense?

    2. Will this device support loading pfSense with an SSD vs. the Compact Flash?

    Thank You!



  • @gavinslayer

    You can run 2.3.5 on it but not any of the later versions. These boxes are pretty much done at this point.

    Support for 2.3 branch is going away.




  • Netgate Administrator

    Yes, those boxes are pretty much for fun or experimenting only now.
    If you do go ahead you might want to choose one of the 400MHz FSB Pentium M CPUs as they are supported directly by powerd so you get proper frequency scaling.

    Steve