Watchguard XTM505 & AES NI



  • Hey All

    I was looking at buying two Watchguard XTM 505s last night, then came across AES NI in 2.5, which it looks like the XTM505 does not support.  So first of all, shame, but second of all, is there anything for around £125 I can buy that is as sleek as a Watchguard unit to support AES NI?

    Mat



  • Why shame?

    https://www.netgate.com/blog/more-on-aes-ni.html

    I for one think it is a good move.

    My XTM5 was brand new when I got it and it has done pfSense duty ever since. I figure it's got three good years to go if I care about keeping up with the latest. But that gives me plenty of time for an upgrade path.

    One of those paths will entail contacting Lanner to ascertain if they have a replacement motherboard (that will fit the box) which has AES-NI.



    I just don't want to spend money and have to worry about upgrading.

    I run my current pfSense on VMware and I noticed it is AES NI ready, so I will just use that and add an additional box with CARP as a failover.

    Mat



  • Yes, requiring AES NI means all older units like X700, X750e core-e boxes and XTM boxes will no longer be able to update. Another annoying step after recently removing NanoBSD images!!



  • @diesel678:

    Yes, requiring AES NI means all older units like X700, X750e core-e boxes and XTM boxes will no longer be able to update. Another annoying step after recently removing NanoBSD images!!

    All Watchguard boxes apart from the new M models, and they're mega money. :(



  • Yes, it's a shame XTM 5 will no longer support updates because it was a great little box for pfSense



  • @Mat1987:

    @diesel678:

    Yes, requiring AES NI means all older units like X700, X750e core-e boxes and XTM boxes will no longer be able to update. Another annoying step after recently removing NanoBSD images!!

    All Watchguard boxes apart from the new M models, and they're mega money. :(

    The units to look for as an upgrade are going to be M400/M500 as they use FCLGA1150 sockets.
    The CPU in both units would need to be replaced as the installed ones do not support AES, but plenty of 1150 CPUs do support it.
    However, until somebody gets one and opens it up we will not know how well it has been locked down or even what the motherboard looks like.
    I have seen them on eBay UK occasionally but they are normally selling for near £1000. I am just hoping that by the time 2.4 is EOL these units will have come down in price quite a bit since they would be nearly 10 years old by then.


  • Netgate Administrator

    Just to be clear 2.4 will still be supported for a year after 2.5 is released and that's not happening for a good while yet.

    So if you have one of those already you're looking at maybe close to 2 years before you need to upgrade.

    If you're looking for hardware to use longer than that do you really want to be buying something with a CPU from 2007? (the original XTM5)

    The reasons to use a Watchguard box were that they were very cheap for a rack-mount unit with a lot of interfaces. Plus, for me at least, there was fun to be had poking at the hardware but still for minimal outlay. If you have access to a box that would otherwise be discarded as they are end of life they still make a great introduction to pfSense but if you're spending serious money it's probably time to consider what you're spending it on. Most of those boxes cost a fortune when new but most of that was software licensing and you're not getting that when you buy from ebay.

    Steve



  • Hi,

    I have just been looking for advice on this. I have actually got 2 Watchguard M400 units that I acquired from work; we have just been bought out and the new company have replaced all our IT equipment.

    I am looking to install pfSense on one, and I am selling the other. I can take some pictures of the motherboard and the inside if it helps?



  • @revsie:

    Hi,

    I have just been looking for advice on this. I have actually got 2 Watchguard M400 units that I acquired from work; we have just been bought out and the new company have replaced all our IT equipment.

    I am looking to install pfSense on one, and I am selling the other. I can take some pictures of the motherboard and the inside if it helps?

    That would be very useful indeed.

    If you do, start a new dedicated thread and provide as much information as you possibly can.  The M400 is going to end up replacing the XTM 5 for pfSense since it has the ability to run AES with a processor upgrade.  Lots of shots of the inside of the case from different angles would be useful.  If you can get it connected with a console cable, screenshots of the console will be very helpful.
    If you can get into the BIOS, that will be good to know.  Once we know what we are dealing with we can see if it will be a viable hardware platform.



  • @dlucas46:

    @revsie:

    Hi,

    I have just been looking for advice on this. I have actually got 2 Watchguard M400 units that I acquired from work; we have just been bought out and the new company have replaced all our IT equipment.

    I am looking to install pfSense on one, and I am selling the other. I can take some pictures of the motherboard and the inside if it helps?

    That would be very useful indeed.

    If you do, start a new dedicated thread and provide as much information as you possibly can.  The M400 is going to end up replacing the XTM 5 for pfSense since it has the ability to run AES with a processor upgrade.  Lots of shots of the inside of the case from different angles would be useful.  If you can get it connected with a console cable, screenshots of the console will be very helpful.
    If you can get into the BIOS, that will be good to know.  Once we know what we are dealing with we can see if it will be a viable hardware platform.

    You won't have any problems selling.  I would like 2 units eventually for CARP.


  • Netgate Administrator

    @revsie:

    I have actually got 2 Watchguard M400 units that I acquired from work; we have just been bought out and the new company have replaced all our IT equipment.

    Nice!  :D

    I would imagine no problems at all installing on that. It looks like a minimally modified Lanner (?) device.

    Like I said above, these are mostly massively over-valued second hand, IMO, because of the original cost, almost none of the value of which you are getting.

    Steve



  • Hi guys,

    No problem, I will get to it this weekend, if I can find the time in my manic family Christmas schedule!

    I don't have a console cable as it stands so will have to get hold of one of those, could go on eBay but will probably not be here until the new year, Royal Mail seem to have become slower since privatisation.

    I will check Amazon or maybe even Maplin, if I can afford their prices!

    Trev



  • @revsie:

    Hi guys,

    No problem, I will get to it this weekend, if I can find the time in my manic family Christmas schedule!

    I don't have a console cable as it stands so will have to get hold of one of those, could go on eBay but will probably not be here until the new year, Royal Mail seem to have become slower since privatisation.

    I will check Amazon or maybe even Maplin, if I can afford their prices!

    Trev

    You will want to try and get a Cisco console cable like this one:

    https://www.ebay.co.uk/itm/Cisco-Console-Cable-DB9-to-RJ45/253314593982?epid=219495362&hash=item3afab9f4be:g:BOoAAOSw-wFZb3wd



  • Ha, that's from Crawley, my sister lives there, maybe I can get her to pick it up and bring it with her next week!

    Do you think it would be possible to use an ethernet cable or crossover cable?


  • Netgate Administrator

    As a serial console cable? You would need to re-wire one end to a serial port adapter of some sort... and it might be the wrong pairs twisted in the cable, but will probably work at serial speeds.

    You may not need a serial console at all if you use 2.3.5 Nano at least as an initial test. If the interface types are something standard it should boot fully (and play the start-up tune) and you'll be able to hit the webgui via whichever port was assigned as LAN.

    Steve