Watchguard Firebox M400


  • Netgate Administrator

    Yup, Diag > Halt System.

    You can also do a graceful shutdown using the button. It works as an ACPI power button.

    Steve



  • @stephenw10 Awesome, thanks!



  • Hi there,
    I recently purchased a used M400.

    What about upgrading to an Intel Xeon E3-1285L v3 3.1GHz?
    If the microcode in the BIOS should be missing, I guess it could be injected and thus enabled…

    Any other suggested CPU upgrade?


  • Netgate Administrator

    Might work. The Lanner unit it's based on lists i3, i5 and i7 only. They don't list Celeron though so....

    Steve



  • @zanthos said in Watchguard Firebox M400:

    Hi there,
    I recently purchased a used M400.

    What about upgrading to an Intel Xeon E3-1285L v3 3.1GHz?
    If the microcode in the BIOS should be missing, I guess it could be injected and thus enabled…

    Any other suggested CPU upgrade?

    A quick update:
    Intel Xeon E3-1285L v3 @3.1GHz is just Plug'n'Play. It works out of the box ☺ ✌
    I haven't done any further testing. Also I couldn't check for any BIOS errors, since I have no VGA screen attached and the serial console is silent...



  • @stephenw10

    Sorry to bother,

    Do you recall the exact settings you changed in order to reduce fan speed? I lowered all of the Fanout values significantly (not much documentation from AMI on Fan out) and they're still screaming on my M500.

    I also noticed 2 sets of values under Main and then the corresponding hierarchy. Does location matter?

    Also, did you try getting a BIOS from Lanner?


  • Netgate Administrator

    I found you have to set the values in both places. The whole editing process seems quite flaky to be honest.

    I did not try to get a BIOS from Lanner.

    0_1546173380191_Selection_541.png

    Steve



  • @stephenw10

    Got it, editing the failsafe values seemed to take effect. Got pfSense loaded thanks to your ZFS auto install suggestion for UEFI. It was able to boot on all 3 SATA ports, no USB booting unfortunately, possibly needs UEFI as well.

    Now just the green light.

    Going from Atom Z525 to a 4160T. Should be able to make use of the 1GB connection I pay for now.


  • Netgate Administrator

    Nice. It would be nice to have the status LED come up red at boot but I've found no way to add SIO values to the bios like earlier BIOS types could.

    Steve



  • Just returned from some testing with an Intel Xeon E3-1285L v3 3.1GHz ☺


    Installed pfSense this way:

    • attached the msata SSD to my notebook (Win 10) and set it to offline
    • created a new Hyper-V Gen 2 VM, unchecked secure boot and set to open-source VM
    • direct attached the ssd as the VM SCSI disk
    • installed pfSense from the ISO installer image (VGA) using ZFS Auto install
    • shut down the VM
    • detached the ssd and installed it to the M400 on SATA3
    • power on the M400
    • attach a network cable to igb1 (LAN) and to my computer
    • log in to the web interface (192.168...)
    • change console to Serial
    • added "hw.ixgbe.unsupported_sfp=1" to /boot/loader.conf (maybe this is not necessary???)

    ISP setup:

    • inserted a generic BiDi SFP module from fiberstore (SFP-GE-BX, 1310/1490)
    • created necessary VLAN and PPPoE connection

    Speedtest to my 1000/1000 ISP:
    Result is >900MBit up/down 👍
    Checked CPU using "top" command: >96% idle

    (No additional firewall rules, packages and filtering, just the factory settings)

    I think I like the setup 😊


  • Netgate Administrator

    @zanthos said in Watchguard Firebox M400:

    added "hw.ixgbe.unsupported_sfp=1" to /boot/loader.conf (maybe this is not necessary???)

    It isn't. There are no ix NICs on the M400, only igb. Mostly that's not necessary even if you do have ix NICs; most SFP modules are accepted anyway.
    It won't hurt having that set but it will likely be removed from loader.conf at a firmware update. Custom loader variables should be added to /boot/loader.conf.local.

    Steve



  • After a lot of hacking, bricking my M400, re-flashing via SPI, on and on and on, I finally managed to unlock the BIOS of my M400 by flashing a self-modified BIOS from Lanner. ✌ ✌
    If it is allowed, I can upload it here…
    0_1547128821004_startup.jpg
    0_1547128829914_bios.jpg


  • Netgate Administrator

    Ooo fun. What mods did you have to do?

    Hmm, I'm pretty sure it's an FW-7585 though. The 7584 has an H81 chipset and the M400 definitely has a C226, like the 7585.



  • Do you think this modification would work for the M440 model as well? I have 2 of these units that I would love to get pfSense working.


  • Netgate Administrator

    No, the M440 is completely different. You would need to start out with the UP-2010 BIOS. But as we have found it still won't help you there as the FreeBSD igb driver is, currently, unable to recognise the NIC/PHY combination.

    Steve



  • @stephenw10 said in Watchguard Firebox M400:

    Ooo fun. What mods did you have to do?

    After a lot of trial and error the solution was using UEFI Tool (https://github.com/LongSoft/UEFITool). For whatever reason I had to use an old build which let me replace parts of my file.
    I had to extract the BIOS part from the supplied Lanner BIOS and use this to replace the BIOS part of a backup ROM of my unit.
    0_1547135824191_bios-part-replace.jpg
    Maybe all the flashing (including Intel ME) finally did something else not covered in what I described above. But as I read some helping docs, Intel ME is stored in the BIOS chip which is a Winbond 25W64FV. So completely erasing this chip and reprogramming via SPI with my modified file finally did the trick.

    @stephenw10 said in Watchguard Firebox M400:

    Hmm, I'm pretty sure it's an FW-7585 though. The 7584 has an H81 chipset and the M400 definitely has a C226, like the 7585.

    I have been told by Lanner that the BIOS is exactly the same for both FW 7585 and 7584, even though they have different chipsets. Probably the C226 is a superset of the H81...
    At least it is recognized in the BIOS:
    0_1547137989494_bios_chipset.jpg



  • @zanthos
    Does the unlocked bios allow the fans controls to be adjusted?
    I've got the fans dialed down pretty well for now, but still interested to know as I need to move to a Xeon at some point.
    Thanks



  • Unlocked BIOS overview:

    Main:
    0_1547209413657_01_bios_main.jpg
    Advanced:
    0_1547209418589_02_bios_advanced.jpg
    Advanced - CPU:
    0_1547209423067_03_bios_advanced_cpu.jpg
    Advanced - SATA:
    0_1547209428370_04_bios_advanced_sata.jpg
    Advanced - USB:
    0_1547209434380_05_bios_advanced_usb.jpg
    Advanced - Super IO:
    0_1547209442229_06_bios_advanced_io.jpg
    Advanced - H/W Monitor:
    0_1547209448900_07_bios_advanced_hwmon.jpg
    Advanced - H/W Monitor - Smart Fan:
    0_1547209453563_08_bios_advanced_hwmon_smartfan.jpg
    Advanced - LAN Boot:
    0_1547209461859_09_bios_advanced_lanboot.jpg
    Advanced - Serial Console Redirection:
    0_1547209469490_10_bios_advanced_consoleredir.jpg
    Chipset:
    0_1547209475511_11_bios_chipset.jpg
    Chipset - Power:
    0_1547209484279_12_bios_chipset_power.jpg
    Chipset - System Agent:
    0_1547209490686_13_bios_chipset_systemagent_.jpg
    Chipset - Memory Configuration:
    0_1547209498424_14_bios_chipset_memory.jpg
    Boot:
    0_1547209504158_15_bios_boot.jpg
    Security:
    0_1547209509895_16_bios_security.jpg
    Exit:
    0_1547209515153_17_bios_exit.jpg



  • @ijay-xtm5 said in Watchguard Firebox M400:

    Does the unlocked bios allow the fans controls to be adjusted?
    I've got the fans dialed down pretty well for now, but still interested to know as I need to move to a Xeon at some point.
    Thanks

    @ijay-xtm5
    You can switch from Auto to Manual mode and define a value. Haven't played with this one though...

    @zanthos said in Watchguard Firebox M400:

    Advanced - H/W Monitor - Smart Fan:
    0_1547209453563_08_bios_advanced_hwmon_smartfan.jpg


  • Netgate Administrator

    Hmm, can you not change the target value in Smart mode?



  • @zanthos

    Could you upload the modified bios along with a detailed step by step instruction on how to flash it over?



  • Hi there

    Just managed to unlock (hopefully) everything in this BIOS.
    Speedstep is now working 👏

    Unfortunately I cannot upload it here. File size limit ☠
    Also split files (7z and rar) don't work...

    Maybe @stephenw10 you can alter this setting?


  • Netgate Administrator

    It's better to host it somewhere separately and just link to it IMO. That's what I have always done for BIOS images.
    I can put it with the other images on my Google site if you PM me.

    Do you believe it's flashable directly? You seemed to imply you had done a number of things there.

    Steve



  • DISCLAIMER: I don't take any responsibility if you flash using my files. I won't provide help if you brick your device.
    (Unbricking is possible using SPI, see below)

    Here's the BIOS:
    https://1drv.ms/f/s!AgeHb7hLRzQ-iAw82hEAiVojSDWJ
    @stephenw10 you may copy those files to your webhost. I cannot provide those files forever.

    Currently it's my Version 5.
    There may be things to be enhanced. There may be bugs. Be warned! 👆

    How to flash:
    a) SPI:
    Use your favorite SPI programmer connected to the mainboard.
    I used this one:
    https://www.ebay.de/itm/CH341A-Series-Chip-SPI-Flash-USB-Programmer-24-EEPROM-BIOS-Writer-25-Neu/273040494657?hash=item3f927b5041:g:U8oAAOSw3wVaaagG:rk:1:pf:0
    You will need a programming software. I used "AsProgrammer":
    https://github.com/nofeletru/UsbAsp-flash/releases/
    0_1547475755662_spi-flashing.jpg

    b) Software flashing:
    Download Rufus here: https://rufus.ie/
    Create a bootable FreeDOS Stick or CF Card. FreeDOS is embedded in Rufus. So no need to download.
    Maybe your original M400 will not boot from USB. Then create a CompactFlash card.
    Download "freedos_ext_v5.7z" above and extract it to your just created FreeDOS drive. Overwrite all files!!
    Maybe you will need to alter "autoexec.bat" to match your keyboard layout. Current setting is German ("keyb gr"). To have US keyboard layout, you will need "keyb us".
    Connect via Serial to your M400. Use a CISCO style cable. Use 9600 8 N 1. I tried higher speeds, didn't work.
    I can't help using AFUEFI.exe or AFUDOS.EXE. There are lots of parameters… Maybe someone here knows all the tricks or find help with your favorite Internet search engine.

    Good luck and please report back!


  • Netgate Administrator

    Just to be clear there is real risk doing this. Not until you've felt the regret of your shiny box failing to POST because you updated a firmware to get something you didn't really need in the first place will you understand that! Ask me how I know. 😉

    If you have an SPI reader then you can be reasonably confident of being able to recover it eventually if anything does go wrong. But if you don't...

    Steve
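
The SPI recovery path mentioned above depends on the backup read from the chip being good before anything is erased. The following is an added example, not part of the thread, that checks two raw reads of the flash for agreement and basic plausibility. It assumes an 8 MiB image (a 64 Mbit part) and the Intel flash descriptor signature 0x0FF0A55A at offset 0x10; the function names and the sample data are made up for illustration.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

FLASH_SIZE = 8 * 1024 * 1024   # assumption: 64 Mbit SPI part = 8 MiB
FD_SIG_OFFSET = 0x10           # Intel flash descriptor signature location
FD_SIGNATURE = 0x0FF0A55A


def check_dump(data: bytes) -> List[str]:
    """Sanity-check one raw SPI read; returns a list of problems (empty = plausible)."""
    problems = []
    if len(data) != FLASH_SIZE:
        problems.append("size %d, expected %d" % (len(data), FLASH_SIZE))
    if data and data[0] in (0x00, 0xFF) and data.count(data[0]) == len(data):
        problems.append("blank read (all 0x00/0xFF), check clip contact")
    if len(data) < FD_SIG_OFFSET + 4:
        problems.append("too short to hold a flash descriptor")
    elif struct.unpack_from("<I", data, FD_SIG_OFFSET)[0] != FD_SIGNATURE:
        problems.append("flash descriptor signature missing at 0x10")
    return problems


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte between two reads, None if identical."""
    if a == b:
        return None
    limit = min(len(a), len(b))
    for off in range(0, limit, 4096):
        end = min(off + 4096, limit)
        if a[off:end] != b[off:end]:
            return next(i for i in range(off, end) if a[i] != b[i])
    return limit  # one read is a prefix of the other


def backup_is_trustworthy(read1: bytes, read2: bytes) -> Tuple[bool, str, List[str]]:
    """Accept a backup only if two independent reads agree and look like firmware."""
    problems = check_dump(read1)
    diff = first_mismatch(read1, read2)
    if diff is not None:
        problems.append("reads differ at offset 0x%06x" % diff)
    return (not problems, hashlib.sha256(read1).hexdigest(), problems)


def make_sample_dump() -> bytes:
    """Constructed stand-in for a chip read: erased flash plus a descriptor signature."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    struct.pack_into("<I", img, FD_SIG_OFFSET, FD_SIGNATURE)
    return bytes(img)
```

Keep the SHA-256 of the accepted backup alongside the file, and after programming run `first_mismatch()` on the image you wrote and a fresh read-back to confirm the write took.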



  • Do we know what the max ram is on this board?


  • Netgate Administrator

    The standard Lanner board claims 8GB.

    Steve



  • @stephenw10

    Do we know if it’s ECC registered or unbuffered?


  • Netgate Administrator

    Unbuffered ECC or non-ECC. Again that's just from the fw-7585 manual, I haven't actually tried anything else myself.
    The RAM supplied is Unbuffered ECC which means I don't have anything spare lying around to add to it. Not that I need to as 4GB is plenty for most applications, and I only use it for testing.

    Steve



  • @scorch95
    Registered ECC does not work. At least this one I tried: Samsung 8GB 2Rx4 PC3 10600R (M393B1K70CH0)
    0_1547710878565_memory_ecc_test.jpg


    The supplied memory seems to be ECC unbuffered: Transcend 4G 1Rx8 DDR3 1600 ECC (679323-0288)
    0_1547711022069_memory_ecc_supplied.jpg



  • Is there any way to figure out why the system hangs on reboot whereas with the XTM5 it didn't have any problems? I went ahead and did a reinstall on the SSD and it still has the issue. I'm assuming that it has something to do with no longer running from the CF card.

    EDIT: By this I mean is there any kind of logs I can pull that I could post here that might be useful in determining the cause and hopefully help find a solution to the issue?


  • Netgate Administrator

    I doubt it. There wouldn't be anything logging at that point.

    I would hook up a console and see if it shows any sort of error there.

    It just hangs still powered up rather than rebooting or halting? And a CLI reboot does the same?

    Steve



  • It will halt just fine. I will get it set back up and log in over serial and try and get a screen shot of where it sits anytime it tries to reboot whether it is due to updates or user initiated.



  • @zanthos

    The supplied memory’s sticker shows a serial number which confusingly looks like a part number. The actual Transcend part number is: TS512MLK72V6H

    I managed to get one of these from a small company in TX - took them 6 weeks to order it.



  • @stephenw10

    Here is what I get when doing a reboot from serial:

    pfSense will reboot. This may take a few minutes, depending on your hardware.
    Do you want to proceed?

    Y/y: Reboot normally
    S: Reboot into Single User Mode (requires console access!)
    F: Reboot and run a filesystem check
    

    Enter an option: y

    pfSense is rebooting now.
    Terminated
    Waiting (max 60 seconds) for system process `vnlru' to stop... done
    Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
    Waiting (max 60 seconds) for system process `syncer' to stop...
    Syncing disks, vnodes remaining... 0 0 0 done
    All buffers synced.
    Uptime: 4m39s
    uhub3: detached
    uhub4: detached

    and it stays there. Now if I do a system halt it goes through a few different items but in the end it still goes through the above and the only thing after uhub4: detached is "acpi0: powering off system". So I'm not sure if it's hanging on uhub4 or if it's missing something after that.