Watchguard Firebox XTM 8 Series
-
@delorean I ran into the same issue, where the physical order of the NICs and the emX NICs in pfSense doesn't match up.
Your NIC order may be the issue, unless you know for sure that the physical NIC and em0 are the same.
My fix was as per
https://forum.netgate.com/topic/164397/watchguard-xtm850-network-interface-orders/2
-
Yeah, you can use PCI device wiring in FreeBSD 12, and hence pfSense 2.5.X, to set the NIC order. I personally chose not to because if you have to reinstall and those values are lost the NICs will all be re-ordered again. Just assigning the NICs from the order they are detected is not that hard IMO.
And yes you probably have the NICs assigned incorrectly if you are not passing traffic. There's not much you can do wrong there besides that on a clean install.
The ordering is certainly odd though. What's shown on this post seems to be correct:
https://forum.netgate.com/post/550680
Steve
-
Update
I have installed 2.5.2 (memstick serial version) on a 120Gb SSD connected to an XTM5 box, then used only the 2 interfaces em0 and em1 that are assigned by default.
I connected my LAN cable to the port with label 3 (em1) and my WAN cable to the port with label 0 (em0). Same result as before: login to the Web GUI but no internet (the WAN interface received a valid IP by DHCP). Then, to be sure, I added a pass all through rule for the WAN interface (em0), but still no internet.
I then assigned the port with label 1 (em2) as LAN, and still no internet.
Then I assigned all interfaces and enabled each interface, then I created a WAN-bridge and applied a "pass all through" rule for this bridge, and suddenly the box started passing internet through with the WAN on em0 and LAN on em2.
So I thought that this had to do with the bridge and/or the pass all through rule, but after removing the bridge and this added rule, the box still works, even after a few reboots.
Then during testing, at a certain moment, I saw that only 2 cores of the default Quad Q9400 were displayed on the dashboard, but after a reboot all 4 cores were back.
Does this CPU have an issue? I don't know; a decent stress test will tell.
So far problem 1 is fixed, but problem 2, unlocking the Bios, is still present. Flashrom doesn't work at all: a read error and read transaction error when trying to back up or flash, and no possibility of opening the 2Mb original locked Bios file.
The Bios shows version 08.00.15 and 12/02/08, same as the XTM5 Bios.
Thanks for the quick replies and help so far.
Greetz
DeLorean
-
Hmm, sounds like a bad default route maybe or no default route.
Or a subnet conflict can behave like that.
Been so long since I did this the details escape me!
In fact I'm not sure I ever actually flashed the BIOS on this...
It's waay easier to do now there is a default config for em NICs. Crazy struggles at the start of this thread.
-
Little side note.
The Amibcp tool doesn't have a size limit of 1 Mb (like I thought),
because I searched on the Bios Mods forum for random Amibios files that are bigger, and the Amibcp tool can even open 8 Mb Bios files.
So the problem that I experience with this 2Mb Bios dump is not related to the file size.
Greetz
DeLorean
-
Probably because you are dumping the entire ROM via the SPI reader and the actual BIOS image is not all of that so you end up with a RAW image that AMIBCP can't open.
Not sure why flashrom wouldn't work but the version in 2.5.2 is probably significantly newer than anything we were testing with 5-6 years ago in 2.2-2.3.
I note that my box is still running 2.3.5 Nano.
Steve
-
You are probably right, because when I open the 2 Mb file in a hex editor,
there is lots of space filled with FF.
I already tried to remove some of those FF until I had the same amount of data as the 1Mb Bios file, but Amibcp can't open that one either.
I can try with an older version of pfSense and run an older version of Flashrom,
but let's say that I prepare a CF card with pfSense 2.3 nano, and I use the command for installing flashrom, will it then be an older version, or will it always choose the latest version of flashrom that's available online?
In short, is the available flashrom version dependent on the pfSense version?
Thanks
DeLorean
-
Hmm, nope. Fails for me too:
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: flashrom -p internal -r biosbackup1.rom
flashrom v1.0 on FreeBSD 10.3-RELEASE-p29 (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 1ns).
Found chipset "Intel ICH9DO".
Enabling flash write... OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading flash... Transaction error!
Read operation failed!
FAILED.
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: pkg info flashrom
flashrom-1.0
Name : flashrom
Version : 1.0
Installed on : Tue May 15 15:43:54 2018 BST
I don't think I ever did this since there was no way to enable access via serial even with it unlocked IIRC.
It would be nice to enable speedstep though.
-
@stephenw10 said in Watchguard Firebox XTM 8 Series:
Hmm, nope. Fails for me too:
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: flashrom -p internal -r biosbackup1.rom
flashrom v1.0 on FreeBSD 10.3-RELEASE-p29 (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 1ns).
Found chipset "Intel ICH9DO".
Enabling flash write... OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading flash... Transaction error!
Read operation failed!
FAILED.
[2.3.5-RELEASE][admin@xtm8.stevew.lan]/root: pkg info flashrom
flashrom-1.0
Name : flashrom
Version : 1.0
Installed on : Tue May 15 15:43:54 2018 BST
I don't think I ever did this since there was no way to enable access via serial even with it unlocked IIRC.
It would be nice to enable speedstep though.

I always used the flashrom command differently, like this:
"flashrom -w file.rom --programmer internal"
for writing the Bios to the device and for backups:
"flashrom -r backup.rom --programmer internal"
But it seems to give the same output.
Greetz
DeLorean
-
Except that I'm completely wrong about that! Just been too long...
You can access the BIOS on the serial console if you spam F11 enough.
And I seem to have full access to it so I guess I did flash it at some point. I assume I must have done it from FreeDOS.
No Speedstep options there by default though. Booo!
Steve
-
Okay, I made huge progress.
I have managed to pull only the actual 1Mb Bios instead of the entire Rom content.
I used Freedos from the link that Stephenw10 provided:
https://sites.google.com/site/pfsensefirebox/home/FreeDOSBios.img
I used Win32DiskImager to prepare a 1Gb CF card with Freedos.
I then added the Amibios flash tool called AFUDOS (v4.40) that I downloaded from the Amibios site.
Then I modified the autoexec.bat file to change the serial console to COM2 and 115200 baud,
but "COM1" is stated 4 times. I tried different combinations but it kept complaining that there was no read/write device detected etc.
I then filled in 4 random COM ports like COM5, 6, 7 and 8,
and it started complaining again about the COM number, but it passed through to the command prompt with the date and clock this time.
I then used the command "AFUDOS backup.rom /O" and started the backup, which was very fast (less than 2 minutes) and completed without any error.
The typing was very unresponsive; the cursor didn't react sometimes, and then it jumped a few spaces, but it worked.
I then pulled the 1Mb backup file from the CF card and unlocked the Bios with the Amibcp (v4.53) tool.
Then I placed this unlocked Bios back on the CF card and booted Freedos again, and at the command prompt I used the command: AFUDOS Backup.rom
And it started flashing and ended without any problem.
I reset the CMOS and I could enter the Bios and change settings.
The next goal is now to activate COM1 and solder a connector or serial cable straight to the COM1 contacts, and connect this to the COM header on the back of the firewall.
I have already looked in the Bios, and only COM2 is seen in the dropdown list, but it's maybe possible to change the address and IRQ for using the COM1 port.
If this doesn't work, then I'm going to add a VGA port to the back of the firewall.
Because this firewall can't shut down, but reboots instead, I have looked at changing some power settings in the Bios, but there isn't much to change this behaviour.
Watchguard has modified the ATX power supply and added a hard on/off switch that cuts off the mains inside the power supply.
Also, near the CF card reader is a button labeled PSW1. I presume that this is "Powerswitch1", but pressing this button places the firewall in some sort of sleep mode with everything off and only the background of the LCD screen lit with no text.
On the XTM5 series, this button was placed in parallel with the soft on button on the back.
So far the progress :-)
Greetz
DeLorean
-
You shouldn't need to use com1, you can use com2 for everything as far as I know.
Steve
-
I have managed to use the COM2 port and make it act like it's COM1
by reassigning the I/O address to 0x3F8 / IRQ4 (thanks to Stephenw10 for this tip in an earlier message in this thread).
I then removed the added line comconsole_port="0x2F8" from the /boot/loader.conf.local file.
I also modified the Bios file to set this I/O address fixed to 0x3F8 / IRQ4, under the option Super I/O Configuration -> Serial Port2 Address, and changed the default value of 03 to 02 in both columns, failsafe and optimal.
I then flashed this modified Bios back to the firewall, did a CMOS reset, placed a blank SSD drive and installed pfSense memstick serial without any problems.
Finally I made an entire dump of the Bios through SPI with my True-USB PRO GQ-4X Willem Programmer to a 2Mb Rom file.
The next challenge is to get this firewall working like an XTM5 series, so that the firewall can be powered off instead of rebooting. My modding skills are not that big, but now I can poke around in the Bios files without bricking the firewall.
Greetz
DeLorean
-
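For comparing the two kinds of image discussed above (the 1Mb AFUDOS backup and the 2Mb full-chip SPI dump), here is an added example that is not part of any post in this thread. It assumes the smaller image sits block-aligned somewhere inside the full dump, which the thread does not confirm; the function names and the 4 KiB block size are hypothetical choices.

```python
import re

BLOCK = 4096  # assumed comparison granularity (4 KiB), not taken from the thread

def erased_runs(dump: bytes, min_len: int = BLOCK):
    """Return (offset, length) for every run of 0xFF at least min_len long."""
    pattern = re.compile(rb"\xff{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(dump)]

def locate_image(dump: bytes, image: bytes, block: int = BLOCK):
    """Find the best block-aligned placement of image inside dump.

    Returns (offset, matching_blocks, compared_blocks). All-0xFF blocks of the
    image are ignored because they would match erased flash anywhere. Blocks
    that differ (for example settings saved between the two reads) lower the
    score instead of hiding the match.
    """
    blocks = [(i, image[i:i + block]) for i in range(0, len(image), block)]
    blocks = [(i, b) for i, b in blocks if b.strip(b"\xff")]
    best = (None, 0, len(blocks))
    for off in range(0, len(dump) - len(image) + 1, block):
        hits = sum(dump[off + i:off + i + len(b)] == b for i, b in blocks)
        if hits > best[1]:
            best = (off, hits, len(blocks))
    return best

def demo():
    """Constructed miniature input: 16-byte blocks instead of real ROM sizes."""
    a, b, c, ff = b"A" * 16, b"B" * 16, b"C" * 16, b"\xff" * 16
    image = a + ff + b + c               # stands in for the 1Mb backup
    changed = a + ff + b"N" * 16 + c     # same image with one block rewritten
    dump = ff * 4 + changed              # stands in for the 2Mb chip dump
    return erased_runs(dump, 16), locate_image(dump, image, 16)

if __name__ == "__main__":
    runs, (offset, hits, total) = demo()
    print("erased runs:", runs)
    print(f"best offset 0x{offset:x}: {hits}/{total} blocks match")
```

On real files, read both images with `open(path, "rb").read()` and pass the bytes to `locate_image`; a low match count means the smaller image is not stored verbatim at any aligned offset.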
@stephenw10 said in Watchguard Firebox XTM 8 Series:
You shouldn't need to use com1, you can use com2 for everything as far as I know.
Steve

Our messages have crossed each other :-)
I assumed that after a CMOS reset, the problem of no serial output on a clean pfSense install would come back.
Correct me if I'm wrong.
Greetz
DeLorean
-
As far as I know the BIOS I'm using is simply unlocked, no other changes.
Console redirect was already set for com2 so you can access the BIOS setup there. Only that loader line was needed in pfSense to set com2 as the default console.
One thing I have noticed is that after making some changes in the BIOS setup and saving them WGXepc is no longer able to set the fan controllers at boot. The superio chip there was always tricky to work with. I suspect it saved some default value that prevents writing the registers.
Steve
-
Before I added that loader line, my serial console hung shortly after booting up the memstick serial version.
Only after doing a clean install on an XTM5 with only em0 and em3 configured could I log in to the Web GUI and add that loader line, to get the full serial console output visible.
Regarding WGXepc64, it's still possible to set the fan controllers at boot, as long as the CPU / System FAN setting in the Bios is set to "Automatic". On "Full mode on", WGXepc64 has no effect on lowering the fan speed. With the PWM setting and a value of, say, 070, WGXepc64 can also work.
I use the PWM setting at 070 in the Bios, and Shellcmd to set the lower F and F2 speed to 40 with WGXepc64 in pfSense.
Greetz
DeLorean
-
Ah, interesting I'll have to try that. WGXepc should probably allow for that but I guess I never saw the chip in that state when I was testing.
Are you sure you used AMIBCP v4.53? I can't open the file from there with any v4 version, I have to use v3.51.
Steve
-
@stephenw10 said in Watchguard Firebox XTM 8 Series:
Ah, interesting I'll have to try that. WGXepc should probably allow for that but I guess I never saw the chip in that state when I was testing.
Are you sure you used AMIBCP v4.53? I can't open the file from there with any v4 version, I have to use v3.51.
Steve

You're right, it is AMIBCP v3.51; v4.53 doesn't open the file here either.
I have downloaded many versions the last few days :-)
PS: with the CPU / System FAN setting on PWM in the Bios, and WGXepc64 for lowering the fan speed in pfSense, this works great, but when I experiment with different fan speeds through the command prompt in the Web GUI, at a sudden moment all 3 CPU fans and the system fan stop completely, and don't respond anymore. Only when I rebooted pfSense did they come back to life.
But with the settings of WGXepc64 set with Shellcmd at boot, everything works fine.
Also the Arm / Disarm LED works fine.
Greetz
DeLorean
-
I am having a bit of an issue upgrading or doing a fresh install to the latest version of pfSense.
I would like to say that I have been using pfSense for quite a few years without issue until now. I am running pfSense 2.4.5-RELEASE-p1 (amd64) perfectly but I am stuck here. I install from CF to an internal SATA drive on a WG XTM 800 Series.
The issue I am having happens whether I do an upgrade or a fresh install. I have not seen anyone yet with this issue and I feel it may be hardware related but I cannot pin down what the issue is. When I start the installation, everything appears to go well but at a random interval during the installation, the screen starts scrolling hex characters. Even if I manage to install the latest version, the system freezes and fills the error log with hex characters. pfSense 2.4.5 is rock solid on my hardware and I have had zero issues over the years upgrading to this version but anything beyond 2.4.5 causes this strange behavior.
Has anyone else encountered this or have a clue to what could be causing it and how to fix it? Again, it can be a fresh install without even completing the install for this to happen.
Thanks!
-