Watchguard Firebox M400/M500
-
Just to add my own experience to this thread: I picked up an old M500 courtesy of work. I first tried the VGA adaptor pointed to above in this thread, and when I plugged that in I got nothing at all. I didn't know at that point that the VGA was disabled in the BIOS, so rather than mess about trying to flash the BIOS I had a stab at installing PFSense on an SSD via the console.
I connected a 128GB Kingston A400 SSD, removed the CF card and put a PFSense bootable USB drive in the USB slot. I also connected the serial port to an old PC with a COM port using a spare Cisco console cable I had knocking around. I used PuTTY on the PC, port speed 115200.
I used this guide to create the PFSense bootable USB: https://netosec.com/install-pfsense-flash-drive/
When the M500 booted it loaded the PFSense installer from the USB, saw the SSD and allowed me to install to the SSD. After completing the install I rebooted, removing the USB, and it booted off the SSD with no issues. I've rebooted it a couple of times since and it has been fine. I was able to configure PFSense enough using the console connection to get into it using the web interface.
The only thing I've done since, outside of PFSense rules and config changes, is to download the precompiled WGXepc64 utility from https://sites.google.com/site/pfsensefirebox/home/WGXepc64 (thanks stephenw10) and copy that to the M500 using WinSCP (I also used WinSCP to make it executable). I was then able to SSH into PFSense and set the fan control speed accordingly, although I can't use any other command but -f; none of the others work.
Thanks to so many of you here for your insights and posts. Now to sit it in between my Plusnet router and my LAN; interrupting the kids' internet access might be the hardest part of this install.
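A check worth doing when following the steps above, as an added example rather than anything from the original post: verify the downloaded WGXepc64 binary against a SHA-256 published by its author before marking it executable and running it as root on the firewall. The thread gives no hash, so EXPECTED_SHA256 below is a placeholder; the helper uses FreeBSD's sha256 when present (pfSense) and falls back to sha256sum or shasum elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded binary's SHA-256
# before installing it executable on pfSense. The hash must come from the
# publisher; EXPECTED_SHA256 below is a placeholder, not a real value.

EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# Print the SHA-256 of a file, using whichever tool the host provides
# (FreeBSD/pfSense ships sha256; Linux has sha256sum; macOS has shasum).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_install FILE EXPECTED_HASH DEST
# Installs FILE as DEST with mode 0755 and returns 0 only when the hash
# matches; returns 1 and installs nothing otherwise.
verify_and_install() {
    file="$1"; expected="$2"; dest="$3"
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $file: sha256 $actual does not match $expected" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Usage on the box, once the real hash is known (paths are assumptions):
#   verify_and_install /tmp/WGXepc64 "$EXPECTED_SHA256" /usr/local/sbin/WGXepc64
```

The mismatch branch refuses and leaves nothing behind, so a corrupted or substituted download never ends up executable in the path.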
-
You should be able to set the arm/disarm LED too.
I don't think my Plusnet router ever made it out of the box. Straight DSL modem only.
Steve
-
@stephenw10 Hi Steve, I did think about trying something like that but I don't think the M500 has the required hardware to act as a DSL modem. I'll set up the Plusnet router to forward everything to the M500 interface in DMZ mode and let the M500 do the heavy lifting.
That's if I keep it. The heatsink gets quite hot even when there's virtually no load on it, which means the fans are running quite high most of the time, so it's a noisy beast, not great for the corner of the office. I may have to go to a PFSense VM on the server instead, which will be a shame because I like the idea of it being a separate physical box for just firewall purposes.
-
Sorry I mean I use a separate modem instead of the router. Any Openreach DSL modem will work.
The M400/500 is normally quite quiet. If you flash the BIOS with the unlocked one (or the one I changed the defaults on) you can enable Speedstep which saves a few Watts. Might be worth remounting the heatsink with fresh paste.
Steve
-
I run two M400's in a cluster setup. I have upgraded them to be fairly identical:
Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
16G RAM.
The only difference is the SSD drives, which are different brands and a few gigs different in size.
-
@tsmalmbe Do you find the upgraded CPU makes much difference? We were running this M500 for a firm with nearly 400 users and didn't notice any particular speed or throughput issues with the existing Firebox software; it never really seemed to be stressed. We only changed the box because we got a new one when we renewed.
Does PFSense have much of an overhead compared to the Firebox software?
Bearing in mind I'm planning to use this for home use, so 4 users; my main use will be traffic management to ensure that the kids' game downloads/Netflix don't affect Teams/Zoom and Citrix sessions.
-
@mh-0 said in Watchguard Firebox M400/M500:
@tsmalmbe Do you find the upgraded CPU makes much difference? We were running this M500 for a firm with nearly 400 users and didn't notice any particular speed or throughput issues with the existing Firebox software; it never really seemed to be stressed. We only changed the box because we got a new one when we renewed.
Does PFSense have much of an overhead compared to the Firebox software?
Bearing in mind I'm planning to use this for home use, so 4 users; my main use will be traffic management to ensure that the kids' game downloads/Netflix don't affect Teams/Zoom and Citrix sessions.
Good questions - I do not have readily good answers for you. I run 2-3 end-user OpenVPNs as well as 4 site-to-site OpenVPNs. This all works fine. The connection is 500M, but rarely do I stress it a lot. Now where I do appreciate the power is the fact that I have 7 LANs + the VPN connections, which all have a separate Snort profile. With this hardware, it is very smooth. The only times where I see something is when the vulnerability scanners kick in - it increases the temps by 10-15 degrees on the CPUs.
Comparisons to the stock Firebox software I cannot do. I know these run on lesser specs when they come from the factory; however, Watchguard have done their own perf tests and they seem reliable though (I have customers running similar with native software).
-
@eisenb11 Was a solution to the failure to reboot ever found?
-
I have never found one. I'd sure love to hear about it if you find it!
I have an i3-4160 in mine and with that it doesn't reboot.
Steve
-
I had a 4370 and it also couldn’t reboot. Eventually downgraded to a 4130 and reboot works as it should.
-
@stephenw10 I was looking at the spec sheets for all of the processors that didn't work. It may be tied to Intel's "Secure Key" feature. I'm wondering if this is used for something in UEFI or if the BIOS behaviour is different on a reboot. The key is used for the RDSEED and RDRAND instructions.
From https://www.intel.com/content/dam/support/us/en/documents/mini-pcs/BIOSGlossary_NUC.pdf "Generates a new Secure Boot Platform Key during next boot. The private half of the Platform Key Is discarded. This Requires the Intel Secure Key processor feature." It is used for the Secure Boot feature. I looked through the settings and nothing stands out for use of that feature.
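One way to check from the pfSense shell whether a given CPU actually exposes the instructions tied to that feature, as an added example that is not from the thread: FreeBSD prints the CPU feature flags in dmesg, so the functions below parse the `Features2=` and `Structured Extended Features=` lines for named flags (RDRAND, RDSEED, AESNI). The dmesg excerpt is constructed to mimic the format; its flag lists and hex values are illustrative, not a capture from an M400.

```shell
#!/bin/sh
# Added example, not from the thread. Parse FreeBSD-style CPU feature lines
# (as printed by dmesg / /var/run/dmesg.boot on pfSense) for named flags.

# Constructed sample in FreeBSD's dmesg format; the flag sets and hex values
# are illustrative, not captured from a real Firebox.
SAMPLE_DMESG='CPU: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz (3392.39-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x7fdafbbf<SSE3,PCLMULQDQ,MON,VMX,EST,SSSE3,FMA,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AESNI,XSAVE,AVX,F16C,RDRAND>
  Structured Extended Features=0x2fbb<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID>'

# cpu_flags DMESG_TEXT: print every flag found inside <...> lists, one per line.
cpu_flags() {
    printf '%s\n' "$1" | grep -oE '<[^>]*>' | tr -d '<>' | tr ',' '\n'
}

# cpu_has_flag DMESG_TEXT FLAG: exit 0 if FLAG is present as an exact
# token (so "SSE4" does not match "SSE4.1"), 1 otherwise.
cpu_has_flag() {
    cpu_flags "$1" | grep -Fqx "$2"
}

# rng_summary DMESG_TEXT: one line summarising the crypto/RNG-related flags,
# e.g. "AESNI=yes RDRAND=yes RDSEED=no".
rng_summary() {
    out=""
    for f in AESNI RDRAND RDSEED; do
        if cpu_has_flag "$1" "$f"; then v=yes; else v=no; fi
        out="$out$f=$v "
    done
    printf '%s\n' "${out% }"
}

# On a live pfSense box, feed the real boot log instead of the sample:
#   rng_summary "$(cat /var/run/dmesg.boot)"
rng_summary "$SAMPLE_DMESG"
```

Comparing that one line across the CPUs that do and do not reboot cleanly is a quick way to confirm or rule out the RDSEED/RDRAND angle before digging through BIOS options.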
-
@deathwarror https://www.lanner-america.com/wp-content/uploads/Lanner-Secure-Boot-and-Secure-Flash.pdf Lanner had this for the FW-7585 with the C226. I do not see the setting in the BIOS we have.
-
@deathwarror Mmm, not seeing anything that looks too promising.
Not clear why it would boot at all if that were the case...
There are so many options in the unlocked BIOS though, no way to test them all.
Steve
-
So I wanted to add 10Gb networking to a couple of PCs and I thought, since there's a PCIe slot on the M400, I could just throw a card on with a female-to-female PCIe extender and presto chango, I'd be able to get 10GbE copper on my network for a fraction of the price of a 4-port 10GbE switch.
Used a Dell Chelsio 5MHDP that I know works and has been tested in another machine.
The extension is a cheap 20cm female-to-female extender. I can't test the extension cable, as I have no other boards with a male PCIe connector.
Power basically flickers and it doesn't even turn on. I can confirm the card is getting power. Is it possible that there's a whitelist of devices that can be plugged in?
I'll look at the BIOS a bit more but was hoping this would work.
Edit: I am running the stock BIOS, will try Zanthos's modded BIOS and post results; was hoping I wouldn't have to flash it.
-
@myst412
I have used the PCIe slot for an M.2 NVMe SSD on the M400 but I have since retired my M400 in favor of an M470 which offers native 10G connectivity.
-
It's more likely a power issue than the BIOS having a card whitelist. There would really be no reason for WatchGuard/Lanner to add that.
Especially with a Chelsio card; those run hot. I've never attempted to check the power consumption but it will be high.
Steve
-
@stephenw10 Going to try a separate PSU, PCIE card, and also flash tonight. Will post results.
-
You were right, it was the PSU.
I even tried a supposedly low power card and it still had the same issue. Looking for a bigger 1U PSU now.
-
Hmm, so nothing has worked? It is a standard (inverted) PCIe slot so I would start to suspect the cable/adapter.
If it was a power limitation it would be on the PCIe bus/slot. Using a different PSU in the box itself may not help at all.
Steve
-
No. You were right and it was the internal PSU capacity. Worked with a 450W ATX just fine. I guess if it were blacklisted it would keep running but not boot. Looking for a 200-300W FlexATX.