Watchguard XTM 5 Series
-
Interesting… I was able to edit my original BIOS to enable the extra menus, but everything was still read only, not sure what I missed.
You have to change the 'user access level' from 2 to 3. See:
https://forum.pfsense.org/index.php?topic=43574.msg262490#msg262490
Steve
I can't thank the post, so I gave some karma instead. I had read that post before (and the entire thread) but had missed that setting. I got lazy and read one of the books we picked up from the library instead of working on this. Luckily, I'm a rather fast reader and already finished the book, so I'll probably get to this after a trip to Walmart for some fireworks and food.
Any idea why when I modified your BIOS image it would just pause at that WAIT screen?
-
Not sure why it failed to open the setup screens. To be honest my experience with BIOS editors has me thinking that they are far from fool proof. ;) The later version seems significantly better at not producing corrupt images but the fact that it can at all, and without any indication, tells you what sort of program you're dealing with. These editors were never intended for making complex changes, as soon as you want to do anything fancy like adding new menus you're basically into writing machine code.
It's not helped by the fact that the Watchguard BIOS has a load of additional code not in a standard AMI bios. There's code for controlling the LCD and a complete copy of Redboot to allow serial firmware uploading. Who knows what else there is. ;)
Steve
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions. Give it a try, anyone running amd64.
Steve
Thanks Steve,
I was waiting for this. I'm moving this week but will reload my 510 with X64 soon, try it and report back.
Cheers
Marian
-
Well, I went and modified my original BIOS and got it all working how I wanted it. I also found where you enabled the red arm light as well. Only thing I haven't found yet is where you changed it from WG BIOS to pfSense on the LCD screen.
Would you recommend running on mirrored hard drives or the CF card or a combination of the two?
-
The BIOS is modular and all but one module is compressed. The code that writes to the LCD at boot is in the main module. You need to extract the module with mmtool then open it in a hex-editor and search for the string 'Watchguard'. It will probably appear in a few places but it was fairly obvious which one it was as I recall. Change it then re-insert the module.
I am running from the CF card and have not had any issues (with any box). There are some things you can't do running from CF. I was just wondering how you planned to setup mirrored drives but remembered you have two SATA power connectors. I'm sure you can get a 'Y' connector of some sort anyway. What are you planning to run?
Steve
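An added example, not from the thread, of the hex-edit step described above on a module extracted with mmtool: it lists every offset where 'Watchguard' appears together with the printable bytes around it, so the right hit can be picked, and then replaces that hit with a same-length, space-padded string so the module's size does not change before it is re-inserted. The module bytes are constructed here as a stand-in for the real module; the replacement text 'pfSense' is an assumption.

```python
"""Locate and replace the boot-time LCD banner string in an extracted BIOS module.
Added example, not code from the thread; MODULE below is constructed sample data."""
import re


def find_occurrences(blob: bytes, needle: bytes) -> list[int]:
    """Return every offset at which `needle` appears in `blob`."""
    return [m.start() for m in re.finditer(re.escape(needle), blob)]


def ascii_context(blob: bytes, offset: int, width: int = 16) -> str:
    """Printable bytes around an offset, so the right hit can be picked by eye."""
    chunk = blob[max(0, offset - width): offset + width]
    return ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)


def patch_string(blob: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    """Overwrite `old` at `offset` with `new`, padded with spaces to the same
    length: a longer replacement would shift every byte after it."""
    if len(new) > len(old):
        raise ValueError("replacement longer than original; module would shift")
    if blob[offset:offset + len(old)] != old:
        raise ValueError(f"{old!r} not found at offset {offset:#x}")
    padded = new.ljust(len(old), b' ')
    return blob[:offset] + padded + blob[offset + len(old):]


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets where the patched module differs from the original; only the
    edited string should appear here."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed stand-in for the extracted module (module 1B in the thread).
MODULE = (b'\x55\xaaAMIBIOS(C)\x00padding\x00Watchguard XTM\x00'
          b'\x90\x90Copyright Watchguard Technologies\x00')

if __name__ == '__main__':
    hits = find_occurrences(MODULE, b'Watchguard')
    for off in hits:
        print(f'{off:#06x}: {ascii_context(MODULE, off)}')
    # The first hit here is the banner; the second is a copyright notice.
    patched = patch_string(MODULE, b'Watchguard', b'pfSense', hits[0])
    print(len(patched) == len(MODULE), changed_offsets(MODULE, patched))
```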
-
The BIOS is modular and all but one module is compressed. The code that writes to the LCD at boot is in the main module. You need to extract the module with mmtool then open it in a hex-editor and search for the string 'Watchguard'. It will probably appear in a few places but it was fairly obvious which one it was as I recall. Change it then re-insert the module.
I found it in module 1B and changed it, but when trying to replace it, I'm getting an error saying "1Bh This is non-editable module!!" and won't let me replace it. I also tried deleting it and inserting it with the same error. Using mmtool v3.26.
I am running from the CF card and have not had any issues (with any box). There are some things you can't do running from CF. I was just wondering how you planned to setup mirrored drives but remembered you have two SATA power connectors. I'm sure you can get a 'Y' connector of some sort anyway.
Yeah, my box has dual SATA power connectors, so that part is easy. I've found a couple of dual 2.5" hard drive brackets that I think will fit the chassis, may need the sides trimmed off, but haven't looked too far into it. Not sure I've ever seen a Y adapter for SATA, but I wouldn't be surprised to find they exist, though a 4 pin Molex to dual SATA are much more common.
What are you planning to run?
I'm not entirely certain yet. I may put a squid/dansg setup directly on the firewall for simplicity instead of having it on a separate server, and also because the re-purposed Barracuda SPAM firewall that's currently running it only has a 10/100 NIC and not 10/100/1000, though it's still faster than fetching from the internet. While I don't know much about snort, I would like to learn, so I'll probably be installing that as well. Those are the two packages I can think of offhand that would most likely benefit the most from a hard drive install. IIRC, when running from the CF, /var is an md device, correct? Which means logs are gone if the power goes out. So that's also a consideration for installing to a hard drive.
I could always work out a hybrid setup where I install to CF but put /var, squid, and snort on a physical drive with fallback to md if the hard drive goes out. And I'd need some sort of alternate non-caching squid/dansg config for when the drive goes dark. Not sure what I'd have to do with snort in that instance.
It would certainly be a lot easier to either do a full hard drive install or run completely from CF than an unsupported hybrid install.
In any case, any thoughts on why I can't replace module 1B (Single Link Arch BIOS) with mmtool?
-
Hmm, I think you need a special modified version of the tool that allows it. I think that's the only version I ever tried, so I probably didn't hit that particular barrier. I can't find any reference to it now though. Could be I'm thinking of Award BIOS tools. I'll check what I used.
Steve
-
I found a version that works and updated that bit. Think I got just about everything set now in regards to BIOS modding. :)
-
Hi Steve,
I have finally got around to install X64 on my xtm 510 and try your WGXepc64 on it. It works perfectly fine, thanks.
Cheers
Marian
-
Good to hear, thanks for the feedback! :)
Steve
-
Well, I finally got around to doing a permanent mount for my serial port. I got this header to DB9 connector out of a HP dc5100 PC that we were sending to the recycling company at work:
I think I did a pretty good job with the Dremel when cutting out this hole for it:
I decided to use a drill then to put the holes for the nuts instead of cutting out a slot for them. I'm not entirely certain if this is working or not yet though as I had to smack it around with a hammer to get a nice mark of where to cut. I have several of these serial ports, so if I did end up breaking this one (I'll have to test later tonight or this weekend) I have a spare that should work just fine.
So I now have an alternate console port for when needed for FreeDOS or anything else that doesn't want to work over the RJ45 console port. Only thing left is to get myself a cheap serial GPS unit for NTP for the rest of the time that I'm not using it as a console.
-
Nice work. :)
Steve
-
Thanks! And I just verified that I didn't bust it when tapping it with the hammer to mark where to cut the hole. Loaded FreeDOS up and it worked perfectly. Now to re-install all over again. Luckily I was changing the config around completely from how it was, so I needed a re-install anyway. I really should install to a hard drive soon, but just haven't found a mount yet that I know will work. Any recommendations on a 2x2.5" mount bracket that will work in a XTM5? Preferably without modification, but I doubt that's possible.
Also, as mentioned on the XTM8 thread, I'm debating adding a VGA port but am not sure which header the cable would connect to. I might have a cable already. I know I had some video cards with the VGA port on a cable, but am not sure if I still have them. If I can dig one out and it will reach, I think I'll plug it in, just need to figure out which header it goes to.
Wish Lanner still had that forum with the files for the boards available so I could figure out what all these headers are for easier.
-
No idea on a bracket I'm afraid. Let me know if you find something. Just a single drive bracket would be great.
Steve
-
Although not directly related to this thread, I'm wondering if the XTM 330 has the same hardware and would therefore work with pfSense? I may have access to a used device and would like to give pfSense a try for the first time. If not, I'll just buy an X550e/X750e/X1250e as I see there is good documentation on those.
I thought this related to the XTM 5 series, but maybe it's not.
-
I've not had a chance to look inside an XTM330, yet. Unfortunately Watchguard has stopped publishing (at least publicly) their de-manufacturing guides; however, there are some important clues in the hardware guide. There we learn it has a 1GHz dual core CPU. Since it's obviously almost identical to the XTM5 and 8 we can assume it is also a customised Lanner device.
I can only speculate here but I think it's unlikely it's an X86 CPU. It would have to be something like an embedded Atom and I can't see any dual core Atoms that run at 1GHz so it would have to be underclocked also. Combine that with the fact that Watchguard have experience with Freescale PowerPC CPUs, which they run in their XTM33 and XTM 25/26 models, and I think it's much more likely one of those.
Edit: Could be some embedded Celeron? :-\ Though the performance figures are significantly higher than the XTM33.
pfSense doesn't (currently) run on anything but X86 so you'd be out of luck. However I could be wrong so if you have access to one look at the bootloader console output and see. :)
Edit: A further clue pretty much confirms it's not X86. Watchguard released a firmware(bootloader) update for the 330 and it's U-boot.
Steve
-
Steve, thanks for the quick response. I've been scouring my sources trying to confirm that, but appreciate you providing the clarity and details I needed to make a decision. With that said I'm now watching for the xtm 5 series boxes on ebay…wish me luck!
Hope to be contributing to this thread shortly.
Thanks again,
Scott
-
Good luck! :D
Still be interesting to get more info on the 330 though. The XTM5 is a lot more powerful than the X-e boxes, you may not need that.
Steve
-
Welp, I decided to roll the dice as I don't need the throughput of the 5 series firewalls, and won http://www.ebay.com/itm/Watchguard-XTM330-Firewall-VPN-Rack-Mount-7-WAN-Ports-/271556386710?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2047675.l2557&nma=true&si=KoSHr6AcHnM0%252F%252BEdBMaH37FWiFk%253D&orig_cvip=true&rt=nc on eBay.
I likely overpaid a bit, but here's to digging into it and seeing what makes it tick! At the very worst, I'll resell it and take a slight hit while stalking eBay for 5 series devices.
Thanks again for your help/insight,
Scott
-
So I've just got my shiny used XTM 505 up and running with pfSense (all working fine :) ) and wanted to upgrade the BIOS with the custom version. I'm stuck trying to run the flashrom cmd earlier in the thread. Flashrom tool isn't installed by default so I followed the instructions on the X550e thread to download and install it, it seems to install ok (if I try to run the get-pkg command again it says it already exists) however if I try to run the flashrom command I just get cmd not found error - am I being thick?
Also, did anyone ever establish whether it was possible to boot directly from an SSD (I was thinking of dropping a cheap 60GB one in)?
Was also going to upgrade the RAM to 4GB to better cope with large pfBlocker lists.
Cheers
Mark
EDIT: Scratch that, just stumbled across the 'rehash' command which once run means the command is now recognised :-)