PfSense on Firebox X550e: A few questions



  • Hi,

    I just got a pre-loaded pfSense 2.1 off eBay and it works thus far.  I am brand spanking new to using pfSense.  I have only had the cheap $50 appliances and wanted to upgrade.  I have a few questions for which I could not find an answer by using the search facility (I guess my keywords are not that good).

    Q1.  Boot time
    Is it normal for the boot time to be in excess of 3 minutes?  Or is this due to the fact I don't have my WAN hooked up yet?  What do I need to look at to track this down if it is not normal?

    Q2.  Back up CF Card
    I know nothing lasts forever, so I want to backup (create copies) of the CF card that came with it.  What is the best approach to do that (Assume I have a CF reader/writer)?

    Q3.  Popping in a new CF Card
    I assume if I pop in a new CF card with appropriate boot code (say new nanoBSD or other) it will boot appropriately?

    Thanks for all help …


  • Netgate Administrator

    Hi, welcome.  :)

    1. Boot time will be considerably quicker if the box has internet access on WAN.

    2. You can read the card to an image file and then write it out again to a new card. If it's running Nano (which it should be) it probably will last forever though, or longer than some other component on the board.  ;)

    3. Yes, a new card with a Nano image on it will boot but you'll have to reconfigure it or restore your backed up config file (assuming you've backed it up?). Additionally on the X550e you may have to change the BIOS disk geometry parameters if the new CF card is different. If it was supplied with the newest bios that may not be necessary. Do you have a console cable?

    Steve



  • Thanks for the information.

    1. I kinda figured but wanted to double check.
    2. Should I use Linux and do a dd or should I use Windows and run physicaldisk to copy it that way?  Looking for advice from previous pioneers :-)
    3. I ordered a DB9 to USB null cable from Amazon and hopefully that will work.
        I have 2 4GB Kingston CF cards; guess I will have to update the BIOS it seems :-(
        I have a 256MB CF on the way to be able to manipulate the BIOS; hopefully.

    I have a few additional questions.
    4. Is there a program that I can use from nanoBSD to adjust the FAN speed or must I do that only from the BIOS?
    5. It seems when I do an FDISK from the shell (using SSH) I get a geometry error.  Can I fix this (assume via console/BIOS)?  And where do I get the correct geometry to enter for CF cards?

    ******* Working on device /dev/ufs/pfsense0 *******
    parameters extracted from in-core disklabel are:
    cylinders=1875 heads=16 sectors/track=63 (1008 blks/cyl)
    
    Figures below won't work with BIOS for partitions not in cyl 1
    parameters to be used for BIOS calculations are:
    cylinders=1875 heads=16 sectors/track=63 (1008 blks/cyl)
    
    fdisk: invalid fdisk partition table found
    Media sector size is 512
    Warning: BIOS sector numbering starts with sector 1
    Information from DOS bootblock is:
    The data for partition 1 is:
    sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
        start 63, size 1889937 (922 Meg), flag 80 (active)
            beg: cyl 0/ head 1/ sector 1;
            end: cyl 850/ head 15/ sector 63
    The data for partition 2 is:
    <UNUSED>
    The data for partition 3 is:
    <UNUSED>
    The data for partition 4 is:
    <UNUSED>
    

    Thanks again …


  • Netgate Administrator

    You can use whatever you feel most comfortable in for reading/writing the CF card, it shouldn't make any difference. I always use physdiskwrite in Windows but that's just because my Windows box has a CF reader and physdiskwrite can extract the img.gz files on the fly. However pfSense dev JimP has another view: https://forum.pfsense.org/index.php/topic,36651.msg190285.html#msg190285
    I've not had problems with either method. I also always use a 1GB image on 1, 2 or 4GB cards.

    So this box was supplied with pfSense already installed? Do you know which bios version it's running? At boot it probably says 'pfSense B7' on the LCD.

    The fans can be controlled by the WGXepc program which also controls the arm/disarm LED. Does your box have a green LED? Does the LCD display anything useful? It's hard to know what has been done already.

    Have a read through the docs page if you haven't already, most stuff (hopefully everything!) is explained there:
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#X-Core-e

    The geometry will be wrong because the buggy BIOS forces us to set it incorrectly in order to boot.

    Steve



  • Thanks once again for the response.  I have been reading the article on the Fireboxes that you list below (just a lot to take in at once).  I guess I missed the fan speed on the WGXepc package :(.  Thanks again.



  • Let me answer those other questions you asked.

    It was shipped with pfSense installed.  It does read B7 on the LCD.  Besides the B7 I have not really watched it that much.  I believe it is very bare bones.  pkg_info only reveals mbmon installed (which I installed to get CPU temp).

    I am trying to figure out how to reduce the fan noise as my wife is complaining it is too loud :-[.  I do not want to reduce the fans too much to cause a BIOS problem. Even BB seems too loud.  There are things I am thinking of:
    1. replace the heat sink and fans with better stuff if possible
    2. write a few crontab entries to turn the fans up/down when appropriate
        need to be mindful if there is a power failure
        I have read somewhere that you can get back into the BIOS with some fan wire
        manipulation.
        Not sure the fan BB setting has to do with booting into the BIOS or just in general

    I have to do a little more reading and asking questions, but that is for another time.  Thanks again.


  • Netgate Administrator

    Ok, so if you had the B8 BIOS you might not need to have access to it. Yet to be determined how much better it is.

    The slowest you want to set the fans in the bios is BB. Anything lower than that and it will crash the bios setup requiring you to either reset the cmos or remove the speed sensor wire from all three fans to get back in. However there is no need to go lower in the bios because you can use WGXepc to reduce the fan speed much further once it's booted. I've used 32 without issue, others run even lower. The easiest and cleanest way to do that is by installing the pfSense shellcmd package and using that to run WGXepc at boot. I described how to do that in the docs but please ask if it's unclear.

    There is also a script for automating the fan speed by cpu temp you might try:
    http://forum.pfsense.org/index.php/topic,66129.0.html

    Steve



  • Hey!

    I did some more reading regarding fan speeds and as I understand it the WGXepc binary will temporarily adjust the fan speed.  If this is the case then I am good.  I can keep the fan speed where it is and when the system starts adjust to a tolerable level.  Thanks for the handy dandy program.  I will look into the fan speed script you listed.

    I think I have pfSense shellcmd installed as I see it in the menu items with a warning issued :-).

    There is a new BIOS B8 - hmmmm  ;D.  Might try that when I get my null modem cable.

    I am currently reading posts from you from 2010 - it will take me a while to read through it (like the blue led lights).  In the mean time, I am trying to figure out a way to maximize all the space on the CF card.  The CF card is 2GB, but only 1GB max is used.  I … need ... more ... space  ;D.  Haven't found an article on this yet; I need to backup the stuff first before I play - don't want to get angry at myself.

    dwfa



  • Minor update: one of the fans for the CPU is dead :-(.  Need to find a replacement.


  • Netgate Administrator

    Are you actually using the 1GB image? On the dashboard does it list the platform as 'nanobsd (1g)'?

    The NanoBSD images are divided into three slices. One very small slice contains the config information and the rest of the space is divided between the active and backup slices. Thus if you're running the 2GB image and you look at the running file system you'll find it's just under 1GB.

    What do you need extra space for?

    Steve



  • That is for pure need and greed  :P.  I haven't played with anything yet; just got my new 4GB CF cards and I will try playing with pfSense/nanoBSD on a laptop I have via the USB CF reader/writer.  I would expect I could go in and use tools (fdisk etc) to muck with the filesystems create/delete/view (of course I will only do this on my sandbox CF card).

    After much reading (still not done) I have decided to replace the PSU with a pico one, replace the CPU and add memory; I have to replace the fans (I know it is only one but what the heck) so why not.  In for a penny, in for a pound.  Here is what I am thinking of doing:

    Fans: Any suggestion - want one that the speed can be adjusted (I assume must be 3 pins)
            Had this in mind Top Motor Dual Bearing 40x40x20mm Fan DF124020BH
            8-10CFMs
    CPU: looking to get the Pentium-M LV or ULV (any recommendations)
            If I buy a used laptop; do I have to de-solder the CPU out?
    Memory: DDR2 2x1GB Corsair 422MHz Non-ECC
    PSU: picoPSU-120+60W adapter power kit

    I was thinking of adding a USB port to the USB header; but I am not sure what that is going to buy me.  Still not convinced.

    All input is welcomed.


  • Netgate Administrator

    The fans don't technically need to be 3 pin, the third pin provides speed sensing which you don't actually need to have. It's probably easiest to use 3 pin connectors though.  ;) Many fans that claim to be quiet achieve this by being slow and not moving much air. Since you can reduce the fan speed in software it's better to get more powerful fans and run them slower. Of course really nice fans are quiet by virtue of better aerodynamics on the blades so those are probably worth it. Bear in mind that the cooling on these boxes was designed to run in a hot rack somewhere so in your home/office it will probably need far less air flow. That's especially true if you fit a PICO PSU where a lot of the heat is externalised in the power brick. If you don't remember that the PSU has no fans and relies on air flow in box to keep cool.

    The ULV Pentium-Ms were not socketed, at least I've never found one. De-soldering is really not an option unless you have access to all the BGA reworking tools necessary. Try to get a 400MHz FSB model since they are supported directly by est(4), the FreeBSD speedstep driver, resulting in the best efficiency/coolest running.

    USB? In my XTM5 box I have a USB GPS module that provides time sync via NTP. Pointless but fun.  ::) I also have a USB wifi stick that I occasionally run as an access point.

    Steve



  • I was just about to buy the PicoPSU and noticed that it is missing the 4pin connector to attach to the motherboard?  I searched the forums here and could not see how you and the other chap who have Fireboxes installed the PicoPSU.  Did you use an adapter for the other 4 pin? Did you not just plug it in?

    Now I am nervous  :-[

    Edit:
    -----
    Silly me, I am assuming I can use the molex 4 pin connector with an adapter to the 4 pin ATX.  Is that how you did it?


  • Netgate Administrator

    Ah, well spotted.
    My own PSU is a Chinese knock off so I can't directly compare it to a PicoPSU however it does have the additional P4 12V connector. I guess you could use the molex connector with an adapter but it's there to power a HD if you have one. You could just use the 90W PicoPSU which looks like it has the P4 connector.

    Steve



  • I already purchased the 120 picoPSU - sigh; I would have gotten the 90.  I checked a few of them (but not the 90) to see if they come with the ATX P4 and none of the ones I looked at had that connector >:(.  Now I sit and wait for my goodies.  I will be building a 24U rack unit this weekend to put my toys in. Should be fun.

    BTW backed up the 2GB pfSense that came with the box; used dd from my linux server and copied it to a 4GB CF.  I tried to boot it off of it using my laptop, but I get an OS error; grrrr.  Need to figure out what is going on during the boot process.

    Nod to Steven for all your help …
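
Added example, not part of the original thread: the dd copy described above (a 2GB card imaged and then written to a 4GB card) as a shell script that records a SHA-256 of the image and verifies only the image-sized region read back from the larger card. The function names and the `backup`/`restore` arguments are assumptions made for this example; device paths are supplied by the caller.

```sh
#!/bin/sh
# Added example: image a CF card, record its SHA-256, write it to a
# (possibly larger) card and verify the written region.
# Usage (paths are the caller's; none are assumed here):
#   script backup  <source-device> <image-file>
#   script restore <image-file>    <target-device>

# Print the SHA-256 of stdin with whichever tool the OS ships
# (sha256sum on Linux, sha256 on FreeBSD).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        sha256 -q
    fi
}

# image_card SRC IMG: read the whole card into IMG and store its hash
# next to it as IMG.sha256.
image_card() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    sha256_stdin < "$img" > "$img.sha256"
}

# write_card IMG DST: refuse to write an image that no longer matches
# its recorded hash, then write it out and flush.
write_card() {
    img=$1; dst=$2
    [ "$(sha256_stdin < "$img")" = "$(cat "$img.sha256")" ] || {
        echo "image hash mismatch: $img" >&2; return 1; }
    dd if="$img" of="$dst" bs=1048576 conv=notrunc 2>/dev/null || return 1
    sync
}

# verify_card IMG DST: the target may be larger than the image, so hash
# only the first <image size> bytes read back from DST.
verify_card() {
    img=$1; dst=$2
    size=$(wc -c < "$img" | tr -d ' ')
    want=$(cat "$img.sha256")
    got=$(head -c "$size" "$dst" | sha256_stdin)
    [ "$want" = "$got" ]
}

case "${1:-}" in
    backup)  image_card "$2" "$3" ;;
    restore) write_card "$2" "$3" && verify_card "$2" "$3" ;;
esac
```

Re-insert the target card before running `verify_card` so the read comes from the media rather than the operating system's cache.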



  • Here are some updates:

    Got the 2GB of memory and it is working okay.

    Got the RS-232 null modem cable and I am able to see the system boot.
        Counts memory shows the hard drive etc etc

    Got a 32MB CF card in the mail and imaged it with the FreeDOS image found in the tutorial. I
      imaged a few different ways using the tools listed.  End result I cannot boot into FreeDOS.  I cannot
      even press ESC to bypass memory check or press DEL to get into BIOS.  I am using PUTTY
      115200 8N1 (tried both XON/XOFF on and off).  BTW I am using a Sony Windows 8 laptop.  Any
      suggestions as to what I can do to fix this?  >:(

    Got the new fans and they work good.  CPU temp is about 36 with fans at x80 (or 128 decimal)
      with no load; and much quieter (no lid at this point).

    New CPU and PSU are coming Friday.

    As for the rack I am building, got all the wood cut; but got side tracked with family stuff - just a little bit more before it is complete. :-)

    dwfa

    EDIT:

    I should have said TAB above and not DEL; in any case it finally works, I can get into the BIOS.  Not sure what the issue was.  I am still having an issue booting into FreeDOS though.  :o

    I created a new pfSense 4GB image on CF cards I had (using dd on my Linux machine) and all seems good  :D.  I was able to use the console to do the initial setup and it all worked.  Still not able to get into FreeDOS - but that is another day's challenge…


  • Netgate Administrator

    Since your box already had the modified bios it will have been set to heads=2 in order to boot the larger CF card. In that configuration it won't boot the FreeDOS card. You have to access the bios setup (by pressing TAB as you found  ;)) and set the primary IDE channel back to auto settings. It will then detect the 32MB card and boot FreeDOS. However why are you trying to boot into FreeDOS? It's useful to know how to do it but not necessary. If you want to try the newer bios version you can flash it from pfSense with flashrom. BIOS flashing is inherently risky though, generally it's best to avoid it unless you have to. Though I always welcome more testers for the v8 bios.  :)

    Steve



  • Thanks for the info - I want to exercise the experience of booting to FreeDOS.  I have gotten into the habit of testing things out to ensure if something goes I can fix them instead of trying to figure out how to fix two things (hope that makes sense).

    I will change the bios settings and give it a go - thx again.

    dwfa



  • Just picked up Firebox X750e 8 port off of fleabay for under $100 so will be joining the fun soon. :)

    I already have a firewall that I recently upgraded to newer hardware so I will be leaving that alone for couple of years.  Funny said it's locked with unknown name and password.  No biggie.  Nothing factory reset can't fix.  :)  Besides, I'd do that anyway.

    We have a few WatchGuard XTMs at work that I manage.  What about the little boxes like the XTM 21s?  Can those load PfSense?  I don't even know what CPU it's using.  Have to research this.

    Wanted to see what mods I can do with it besides just loading PfSense on it.

    EDIT:  After quick searching around on PfSense found XTM21 is not x86 hardware.  Bummer.


  • Netgate Administrator

    Indeed the XTM2 boxes (older models at least) are ARM based, Intel X-Scale. I have spent a while attempting to load OpenWRT on one but got nowhere for months and gave up. Recently I made something of a breakthrough though so who knows. It's way more advanced than my normal level of tinkering hence the months of staring at code and scratching my head.  ::)
    Would be nice to get running though it has a pretty nice spec for that type of device, 256MB RAM and 256MB flash.

    Steve



  • Yep.  Found a PDF file that talks about the hardware spec.  All it said was the CPU runs at 667 MHz along with 256 meg of RAM and flash.

    The XTM21 aren't bad little boxes and we have a few of them.  Some even have built-in wireless.  Most without active Live Security so would be nice to get the software loaded with something else and put it into good use without the DRM.

    I will keep digging around and if I find something I will post a link.



  • We have progress.  I was able to boot to FreeDOS; but first I had to change the baud rate to 9600.  I will have to go back and check the instructions again to see if I missed that.  I ran the biosid program but the CR/LF are messed up.  It reads as if there are no line feeds after the logo.  I can live with it.



  • With my picoPSU arriving soon, I was wondering if there was a way to hookup the existing on/off switch to the new PSU?  Has anyone done that?


  • Netgate Administrator

    It depends how much you mind damaging the existing PSU setup. The output from the power switch going to the PSU is a two pin plug that you may have difficulty obtaining the matching socket for. You might have to cut it off. If you don't mind cutting the wires then it would be fairly easy.
    The input to the switch is spade terminal on the AC inlet, you may be able to use them. Looking at the PicoPSU 120 you may be very lucky and find that the connector in the DC input fits.  :-\ Try it and see.

    Steve



  • I got my new PSU, I like ;D …

    I was looking at the little connector for the power supply?  Anyone know what that is called?  Once I know the name I will order one and then hook that up to the on/off switch then voila...



  • Netgate Administrator

    No idea I'm afraid. You'll have to connect to both sides of the switch though. I don't know if the spade terminals on the back of the IEC AC inlet can be pushed into the connector on the picopsu cable directly, seems like they might. I would think you'll just have to offer it up and see.

    Steve



  • I sent a message to the company that makes the PSU on the offhand they answer me :P .  I will continue to search; however, I want to preserve the modular connections.  Thanks for the input.



  • I want to change the CPU, but it seems I cannot find a Pentium M LV cpu.  Where did others get their LV CPU to put into their Firebox?  I am jealous  :'( …


  • Netgate Administrator

    I'm using standard voltage CPUs. I believe everyone else is also. I've only once seen a socketed LV Pentium-M and never seen a socketed ULV. To be fair it was claimed to be an LV model by the seller but I never actually saw it!  ;)
    Although the Wikipedia page lists all models as being available socketed I'm unsure.

    Steve



  • I received information from Mini-Box regarding the PicoPSU, they provided a wiring diagram of the connection type they use (not the specific one for the PSU, but good enough).  After some research and phone calls, I believe I found the parts to be able to connect into an on/off switch.  The connector type is known as a Molex Mini-Fit Jr 4 circuit (circuit IMHO is misleading, it really means the # of pins).  The Molex part numbers are:

    Female housing 39-01-2040
    Female terminals (22AWG) 39-00-0039

    Male housing 39-01-2041
    Male terminals (22AWG) 39-00-0041

    I will be ordering some soon; just need to find an on-line distributor with reasonable prices.  Hope this helps others if they want to build in an on/off switch.

    As for the CPU; currently it is running 350C with no load using x80 fan speed. I need to run the tests to see what temp will be with the CPU running at peak load.

    I would love to get a LV socket-ed CPU, but I just do not know where to find one  :-\


  • Netgate Administrator

    Yep, I'd love to try one of those 10W 778s for example. Though I have no idea if the firebox would recognise it correctly.
    CPU-world lists it as BGA only.

    Steve



  • Okay, I think I just got difference between PGA and BGA.  The BGA CPUs are ones that do not have the pins whereas the PGA have the pins on them.  I know it seems obvious; just never really thought about it before.  That is the reason I could not find what I was looking for :-[ .  I am clued back into the real world - for a short time at least…



  • I am an unhappy camper :-[

    I got everything situated and tried to cut over from my $40 dlink to the X550e.  I did a release IP address on the dlink, switched the cables and big let down.  It seems the WAN keeps going up/down up/down as seen in the dmesg output.  I switched the WAN from SK3 to SK1 to SK2 all the same problem.  It gets the ip address from my ISP then drops it in an endless cycle.

    Here are a few things I noticed:

    • CPU is 100% running check_reload_status at near 90%
    • I see this in the syslog
    
    The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf sk1 > /tmp/sk1_output 2> /tmp/sk1_error_output' returned exit code '15', the output was ''
    The command '/sbin/ifconfig 'sk1' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    
    
    • the port just keeps cycling up/down like a yo-yo

    The only thing I found is information related to MSK drivers, but mine are SK.  I will do more reading, but if anyone has info that would be great.

    Thx …

    EDIT:
      I tested the X550e trying to get an ip address using my own Linux DHCP server and that had the same issue.  The WAN interface behaved the same :-[.  I would think this eliminates an incompatibility between the hardware.  X550e to Ubee for ISP and X550e to D-Link switch (16x1GB).  If I use static addresses it works fine (could test it with ISP 'cause that is not how it works).


  • Netgate Administrator

    There have been some fixes gone in for things like that since 2.1 was released. The easiest thing is to try one of the 2.1.1 snapshots which have the fixes in place.
    https://forum.pfsense.org/index.php/topic,71546.0/topicseen.html

    Steve



  • Hi - I am on-line and using my pfSense X550e.  The 2.2.1 release worked like a charm, and as a bonus feature the LED nic lights work; guess Stephen's patch made it into the new release.  Thanks for all your help.  I am almost finished with this project, just need to build the on off switch and attach the barrel adapter for my picoPSU to where the other plug was.  Think I will use some plexi-glass and screws, if not I will figure something else out.

    Next project - finish building my server rack - got all the wood cut and now I have to assemble them with the metal uprights.

    dwfa


  • Netgate Administrator

    I would be amazed if my led patch had made it into anything. It was a hideous bodge!  ::)
    Very interesting that you say the LEDs have started behaving I wonder if a newer sk driver has made it in. Time to check the source…

    Steve



  • Building the on/off switch.

    I received my mini-fit jr plugs they fit :-).  This might be a simple question; does it matter the rocker switch that I get as long as it is rated for the same AMPS and voltage?  As well does it matter if it is DC or AC rated?  I would think it does matter; but I am no expert.


  • Netgate Administrator

    Switches usually have a rating for both AC and DC current. The DC rating is almost always lower because it's harder to break dc current and it damages the contacts more. The voltage rating of any switch is probably higher than the 12V you're switching but the current might be an issue in the small format on the existing switch.

    The original switch:
    http://www.rongfeng.com.tw/pdf/RF-1003.pdf
    Doesn't seem to have an explicitly indicated DC rating. The '(4)' rating could be for an inductive load. At 12V DC you should be good for the 3-4A the box might draw.

    Steve



  • Thanks for the info.  I think I understand what you are writing.  hmmmm - from what you are writing I gather the switch might not work due to "hard to break the dc current".  Did I understand you correctly?


  • Netgate Administrator

    That was basically what I was saying although having just read up on it (I should know this stuff but have forgotten) I think an identical switch would be fine. Although it's true that DC current is far harder to break than AC the low voltage tends to cancel that out. Some light reading. If you were using 125V DC then the switch would be toast! Even so you would find if you looked that the switch contacts sustain far more damage due to arcing with DC current. How often do you plan on switching it on or off anyway?

    Steve

