Watchguard Firebox M400



  • Hi,

    I have received 2 Watchguard Firebox M400's from work, they were just going to throw them out after we got ourselves some new owners who replaced all our IT systems.

    I have spoken to a few of you already and was advised to start a brand new thread with details, so here I go.

    Ok, things will come in drips and drabs as I take this thing apart.

    There are 4 screws holding it together, one on the left, two on the back and one on the right (it's under the void sticker), the top then slides to the rear and voilà!

    So inside is a Celeron G1820 with 1 4GB stick of DDR3, there is one slot free and I am led to believe the M500 has 8GB, so I don't see any reason why this wouldn't support 8GB. I will scout around for another 4GB stick, I must have one somewhere! There are 2 40mm fans pulling air through from the front, this is channelled through the CPU heatsink and past the RAM, hopefully this keeps it cool enough to support a faster AES-NI based cpu, otherwise might need a bit of modding.

    There is a 150W PSU made by FSP, 80 plus silver with 24pin ATX connection and 2 SATA power connectors. There are also 3 SATA data ports on the motherboard.

    The hard drive is a 4GB Transcend CF card.

    There is a connection on the right hand side of the motherboard and a sticker nearby that talks about a battery so possibly an option for an internal battery backup!?

    I will post some more pictures, if you have any questions, please just ask and I will do my best to fill you in.

    I don't have a console cable currently, going to try and get hold of one soon.

    Cheers guys, looking forward to getting pfSense installed on this bad boy! Also looking forward to upgrading the processor to an AES-NI chip, might not be until after Christmas though.

    Pictures are too big to attach so will upload to Google Drive and share.



  • Sorry about that guys, I have attached a link to said Google Album with lots of photos. If you want any photos of anything in particular then give me an shout.

    https://photos.app.goo.gl/qzDO6Gd7NyZ3k5DM2



  • So its got another reverse PCIE adaptor gold fingers, that's annoying again.

    3 SATA Ports and two spare SATA power cables.

    Looks like a 2.5" will go in next to the power supply nicely.

    Now all we need is to see if the bios is locked down.

    You may need to replace the CF card with a live install image and then install to a 2.5" hard drive.  When you have Pfsense up and running you can use flashrom to dump the rom.

    Can you see any USB headers on the board?



  • Any updates?  ;D Just maybe hoping you got an image of pfsense running on this by now.  :P

    Edit: Looks like they use ECC DDR3-1600. Single 4 GB stick makes upgrading to 8GB easy.

    Could pick up an i3-4130 for cheap and it adds hyper threading plus a boost from 3.2 to 3.4Ghz all the while only adding 1w to tdp making it 54w. It also gives you AES-NI support. If you're looking for more cores you'll need to go with a Xeon to keep ECC support I believe.



  • Looks like the battery sticker is a warning about the CMOS battery, not about any extra battery. It even uses the same font as the ones you used to get with Intel retail/OEM motherboards.



  • Any success? Any progress?



  • Attached a list of the specs of the other M models
    I can add pictures of the M200 box inside, but that's a no go for pfSense box to me.
    I have got such a box a month ago, but with no Sata-ports, a Freescale onboard cpu,
    and those boxes use U-Bootloader to load the software from the SD card. (yes SD card, and not CF).

    Grtz
    DeLorean




  • Hi guys,

    Sorry for the absence but I have been a little busy to say the least!

    I haven't had much time to look at this but have received the console cable and also have an I5 4460T which I need to install, maybe a little overkill but low powered.

    As soon as I can I will get the CPU installed and see what happens.





  • @revsie:

    These people seem to think pfSense can be installed!

    https://www.ebay.com/itm/Watchguard-Firebox-m400-firewall-security-appliance-or-PFsense-/122868662426

    That's right.
    All models above M300, like M400, M440 and M500 should be useable for pfSense.

    Grtz
    DeLorean



  • @Scorch95:

    Any updates?  ;D Just maybe hoping you got an image of pfsense running on this by now.  :P

    Edit: Looks like they use ECC DDR3-1600. Single 4 GB stick makes upgrading to 8GB easy.

    Could pick up an i3-4130 for cheap and it adds hyper threading plus a boost from 3.2 to 3.4Ghz all the while only adding 1w to tdp making it 54w. It also gives you AES-NI support. If you're looking for more cores you'll need to go with a Xeon to keep ECC support I believe.

    After reading your post again Scorch95 I have seen the error of my ways and ordered i3-4130.



  • I don’t believe you’ll run into any problems unless watchguard did something like the XTM8 and spec’d It without a COM1 port. I’m waiting as patiently as I can but I’m looking to upgrade from my XTM5 to either an XTM 400 or XTM 470. I’d like to get the 470 as it uses a skylake processor and a msata drive but either one will keep me good to go with 2.5 and aes-ni.



  • Well I might try later this evening, if I get time.

    I did have 2 of these but just sold 1 for £400, they are sort after so they seem to be a little expensive. I think I was lucky to get one from work!



  • Well, a little further.

    The i3-4130 arrived and is installed, there were no errors and the system loaded up successfully, I haven't flashed pfSense yet so it loaded the Watchguard firmware. But good news is the processor runs fine.



  • Did you add more ram or are you gonna stick with 4Gb?



  • Hi,

    For now, stick with the 4GB, see how it all goes.



  • Any luck?



  • Not yet I'm afraid, had a few car troubles which have taken over and I also start a new job soon so getting ready for that!

    I will get back to you as soon as I can though, I really want to get this up and running.



  • Well, finally had time to look at this, so far so good.

    I just backed up the 4GB compact flash card, wrote the 64-bit nano image to the CF card, put it back in the Firebox M400, started up and voila!

    I can connect using the front com port and I can connect to the web GUI using port 1, 0 seems to be for the WAN, haven't finished setting it up but can confirm everything seems to be ok, very simple to setup with no issues so far. Will update when I have some more info.



  • Can you install flashrom from the terminal and then make a copy of the bios please?

    The exact instructions for doing so should be the same as for the xtm 5

    Thanks


  • Netgate Administrator

    If you try to use flashrom on the M400 you will see this:

    BIOS_CNTL = 0x0a: BIOS Lock Enable: enabled, BIOS Write Enable: disabled
    Warning: Setting Bios Control at 0xdc from 0x0a to 0x09 failed.
    New value is 0x0a.
    

    I highly recommend not using it! Or you too can spend some fun hours in the flashrom IRC room.  ;)
    In the end I powered it off and it booted back fine but…

    afudos or the Intel fpt tool seem to work better.

    I took several backups and got different checksums each time. Not a good sign.

    Also worth noting that board has a jumper to enable write access to the ME section of the flash. Didn't seem to make any difference.

    All that said I did mod the BIOS and flash it back (only the BIOS section) and it was successful. Enabled console redirect. Set the fans to a rational speed. Enabled Speedstep.
    The result is still password protected, I've yet to find a way to clear the password. So even though you can see the POST via serial you cannot enter the setup.  :(

    Steve



  • Great so it looks like watchguard really locked the bios down this time!

    What limitations does the stock bios have?


  • Netgate Administrator

    Other than the 3 things I changed it also has turbo mode disabled. Boot order is probably an issue too. I think it boots CF by default first though it does boot USB if CF is not present/not bootable.

    Steve



  • @stephenw10:

    Other than the 3 things I changed it also has turbo mode disabled. Boot order is probably an issue too. I think it boots CF by default first though it does boot USB if CF is not present/not bootable.

    Steve

    Have you tried booting / installing from a SSD or other HDD?


  • Netgate Administrator

    I did a full install to CF card, no swap and /var and /tmp moved to RAM. Works fine…for now at least.  ;)

    I imagine it would boot from SATA no problem, the BIOS is not configured to only boot from CF just to boot from that first. So if you break your install you will need to format the CF card in something else or re-install in something else (which is what I did).

    Steve



  • @Steve, would you mind sharing details on bios flashing/slowing the fans down?

    By a bit of luck, I will have a M400 headed my way in the near future. Are there any details on how to install pfsense on an M400? I have previously installed pfsense on an XTM525 via a CF card as well as externally with an SSD. I am planning to transplant the 120 GB sata drive from the XTM 525 to the M400.

    I'd appreciate any help/pointers with the installation.
    Thanks!



  • I would like tp reiterate my request for help with the M400 box. I recently took delivery of the M400 and need help with flashing the bios. I have read the XTM5 thread but  unlike my XTM525, the M400 box does not seem to display the bios menu, via the console, during the boot process.
    I am not sure how the go about dumping the bios to the CF card, unlocking the options and flashing it back again. I'd be grateful if someone could point me to the right thread/direction.
    Many Thanks for your help!



  • What have you tried and what errors, if any are you getting? I would recommend putting a Hdd/ssd into an external enclosure and load pfSense that way. Then drop it into the m400 and finish setup that way. Remove CF entirely and it should boot after it doesn’t find a CF. When dealing with equipment outside what most will spend in a rack piece you’ll find yourself the guinea pig sometimes and will have to blaze ahead and create a new path so speak when you run into trouble.



  • @Scorch95, I have not installed pfsense in the M400 box yet but I do have a working SSD installation which was working flawlessly in an XTM525 box. So far I have only booted the M400 with stock Watchguard firmware while I monitored the console output. The fans on this box appear to be equally noisy if not more than the XTM5 and I was hoping I would get the fans and bios fixed when I transplant the SSD into this box. Unfortunately, I have not been able to find instructions on how to patch the bios and am stuck for now.
    I have recently ordered an IDC12 connector to make a VGA monitor cable, so I can boot DOS. Hopefully I can use afu and get a copy of the bios to patch. I am not an expert at this and would rather prefer somebody smarter than me give me directions. I am willing to be the beta tester! At some point in the future I would also like to update the processor to an i3 which does AES-NI as the Celeron in the box currently is not able to execute AES-NI instructions.
    Will post details when I get DOS going.



  • I would go ahead and drop an ssd in with pfsense loaded and get it up and running before worrying about the other stuff. You can always look to replace the fans with quieter ones. Look for a used i3-4130 and you’ll be good



  • It appears the M400 bios has been configured to boot only from the CF card. I transplanted a working SSD installation that has previously worked flawlessly in an XTM525 and the M400 would not boot. I did a fresh reinstall of pfsense on the SSD using another PC and plopped it into the M400, just as I had previously done with the XTM525, and the M400 refuses to boot.
    I also tried switching from the SATA 4 to SATA 2 port but no luck. If anybody's gotten the M400 to boot off an SSD, I'd like your input on what I am doing wrong. I have a 120 GB HP SSD by the way. I do not have access to a CF card reader and will try booting off a CF card after I find one.
    Thanks for your help!



  • I managed to get the VGA port connected and the M400 is definitely not interested in booting anything other than the CF card. Here's the message the VGA screen displays:

    Reboot and select proper Boot device
    or InserBoot Media in Selected Boot device and press a key

    Next step is to find a CF card reader


  • Netgate Administrator

    Yeah, I couldn't make it boot USB. It should boot CF or SATA if CF is not present. So you should be able to write the install image to CF, boot from it and install to SATA and then boot from that after pulling the CF card.

    Or you can install to CF in something else and swap it into the m400.

    Steve



  • Thanks Steve, I was able to successfully install pfsense by booting with the CF and installing to SSD.


  • Banned

    Hello,

    I have got an Firebox M500 with 4370T CPU. it boots fine in the original software, but won't install pfsense or opnsense.
    The error I get is: usr/local/bin/cpdup -vvv -I -o
    When I search on internet I find it has something to do with not enough RAM, but mine has 8gb ECC memory.
    How did you install it?

    Thanks in advance!

    ADDED: I can boot CF with opnsense or pfsense. I can run installer, but both installers(and both manually and auto) give this error.


  • Netgate Administrator

    It might have bad RAM. That's not the standard CPU, is it the factory RAM?

    Can we see a screenshot of the actual error you see?

    Can you boot and run a Nano image as a test?:
    https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-2.3.5-RELEASE-2g-amd64-nanobsd.img.gz

    Steve


  • Banned

    Ram during start of opnsense and pfsense: both show 8120mb present and usable.
    Ram is factory standard, box wasn't opened until I replaced CPU. Box worked fine with factory OS.
    After replacing the CPU(for AES-NI support), box still worked fine with factory OS.

    Now I tried to install pfsense and because of error, also opnsense. Both halt at exactly the same command.

    I have removed Dimm0, box gives error during installation.
    I have removed Dimm1, box gives error during installation.

    Tried the Nano image: box works fine.

    Saw on internet that opnsense and pfsense updated to freebsd 11.1 and that gives errors.

    Maybe I will try installation of older pfsense/opnsense?  Or maybe more ideas? I will post picture of error tomorrow.


  • Netgate Administrator

    You're booting the installer on a CF card and installing to hard drive? Is the drive standard in the m500 or something you added?

    Personally I installed to a CF card in another box and then moved it across into the m400 I have. Never had any issues.

    You might try a 2.4.4 snapshot. If it's a known FreeBSD bug it might have been fixed in 11.2:
    https://www.pfsense.org/snapshots/

    Steve


  • Banned

    Drive is not standard in m500, m500 is the same as m400 only with 8gb ecc memory instead of 4gb. I added a 120gb ssd, works fine in notebook. Also it receives some files, but not all(stops at the error).

    Thanks for your suggestion! Will try that tomorrow.


  • Banned

    Tried version 2.4.x(newest)=>error
    Tried version 2.3.x(newest)=>error

    Error message is different on opnsense vs pfsense.
    Pfsense: CAM status: Uncorrecatable parity/CRC error
    It keeps retrying a couple of times and then gives up.

    Which sata port did you use?