    Successful Install on Watchguard Firebox X700!

    • J
      jmcentire last edited by

      I replaced my Watchguard Firebox X700 with a PC running pfSense, so I wondered if I could make pfSense run on the Watchguard Hardware.  IT WORKS!

      Steps(more simple than I was expecting)

      1. Opened FB(Firebox), Removed CF Card
      2. Hooked up a notebook drive to my machine, booted from Live CD (1.2 RC3)
      3. 99 Install, accepted all defaults except chose embedded kernel
      4. After install was done, took the drive and plugged it into the FB
      5. Used the console cable that came with the FB and plugged it into the FB and my Com port
      6. Opened HyperTerminal, new connection: BPS: 9600 / Data bits: 8 / Parity: None / Stop : 1 / Flow control: Hardware
      7. Turned on FB and it immediately started booting FreeBSD
      8. Couldn't mount drive(since installed on different machine), so it asks what you want to mount enter: ufs:ad2s1a
      9. Boots up into pfSense just fine!
      10. Get into the web interface, "Diagnostics", "Edit File"
      11. Load "/etc/fstab"
      12. Change the old drive information to the correct one(ad2s1a & ad2s1b).
      13. Save (This should fix it asking what drive to mount on boot).

      Anyway I haven't had a chance to really use it yet, but I will let you know how it performs.  This FB also has a VPN/SSL accelerator card, not sure if I can use it in pfSense so if anyone has info about that let me know.  Also if anyone has ideas on how to make the display do something that would be awesome!  Otherwise everything works!

      Here are the hardware specs if anyone is interested:
      Celeron 1.2 Ghz
      256MB PC133
      Intel Chipset
      6x Realtek NICs
      SafeNet VPN/SSL Accelerator Card (in mini-pci slot)
      Open standard PCI Slot
      CF card slot
      Standard IDE connector
      Notebook IDE connector
      and bunch of other pins for ports(not sure what they are for)

      Pic(I will get some of the inside if anyone is interested)

      • chpalmer
        chpalmer last edited by

        Very cool!

        Nice to know it works so far!

        Triggering snowflakes one by one..

        • F
          flachance last edited by

          Wow, I'm impressed!

          Just wondering, doesn't the Watchguard actually have more features than pfSense at this point?

          I'm not sure that you are actually gaining anything by putting pfSense on that hardware.

          What was your reason for doing this?

          Thanks!

          • S
            sullrich last edited by

            One less watchdog in the wild, that's the reason!

            Slap a pfSense sticker on that puppy!!

            • J
              jmcentire last edited by

              @ flachance - Just because they list a bunch of features doesn't mean they work  :D…...We have had tons of problems with these watchguards, we even paid for fireware pro to get all the features available, ie: dual wan, just wanted it to fail to the second wan when the first failed and half the time it wouldn't ever failover even if I completely unplugged the first wan interface....anyway I shouldn't get started on these things. Plus if I did the same stuff with these fireboxes that i'm doing with pfSense I would be paying over $7200/year for licenses(don't get any ideas pfSense creators, btw if pfSense keeps running well, and passes our audits, you can expect a donation from me)!

              Anyway, if anyone else is interested in these watchguards, the X500, X700, X1000, and X2500 are all the same hardware, they just have different licenses to allow higher throughput.

              • S
                sullrich last edited by

                @jmcentire:

                @ flachance - Just because they list a bunch of features doesn't mean they work  :D…...We have had tons of problems with these watchguards, we even paid for fireware pro to get all the features available, ie: dual wan, just wanted it to fail to the second wan when the first failed and half the time it wouldn't ever failover even if I completely unplugged the first wan interface....anyway I shouldn't get started on these things. Plus if I did the same stuff with these fireboxes that i'm doing with pfSense I would be paying over $7200/year for licenses(don't get any ideas pfSense creators, btw if pfSense keeps running well, and passes our audits, you can expect a donation from me)!

                Anyway, if anyone else is interested in these watchguards, the X500, X700, X1000, and X2500 are all the same hardware, they just have different licenses to allow higher throughput.

                We won't be changing this any time soon but I encourage you to check out our commercial support which does benefit the pfSense community by helping fund commercial projects and such.

                • S
                  sporkme last edited by

                  Could you post a dmesg from that box?

                  • F
                    flachance last edited by

                    ???

                    What's a dmesg?

                    • S
                      sullrich last edited by

                      run "dmesg -a" from a command prompt (option 8 from console menu) or ssh in.

                      • J
                        jmcentire last edited by

                        I assume this is what you are looking for:

                        Copyright (c) 1992-2007 The FreeBSD Project.
                        Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
                        The Regents of the University of California. All rights reserved.
                        FreeBSD is a registered trademark of The FreeBSD Foundation.
                        FreeBSD 6.2-RELEASE-p10 #0: Tue Jan 15 22:46:42 EST 2008
                            sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
                        Timecounter "i8254" frequency 1193182 Hz quality 0
                        CPU: Intel(R) Celeron(TM) CPU                1200MHz (1202.73-MHz 686-class CPU)
                          Origin = "GenuineIntel"  Id = 0x6b4  Stepping = 4
                          Features=0x383f9ff <FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
                        real memory  = 268435456 (256 MB)
                        avail memory = 253267968 (241 MB)
                        wlan: mac acl policy registered
                        ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
                        cpu0 on motherboard
                        pcib0: <Intel 82815 (i815 GMCH) Host To Hub bridge> pcibus 0 on motherboard
                        pir0: <PCI Interrupt Routing Table: 11 Entries> on motherboard
                        $PIR: Using invalid BIOS IRQ 9 from 2.13.INTA for link 0x63
                        pci0: <PCI bus> on pcib0
                        pcib1: <PCI-PCI bridge> at device 1.0 on pci0
                        pci1: <PCI bus> on pcib1
                        pcib2: <PCIBIOS PCI-PCI bridge> at device 30.0 on pci0
                        pci2: <PCI bus> on pcib2
                        pci2: <unknown> at device 6.0 (no driver attached)
                        re0: <RealTek 8139C+ 10/100BaseTX> port 0xd500-0xd5ff mem 0xefefa000-0xefefa1ff irq 10 at device 9.0 on pci2
                        miibus0: <MII bus> on re0
                        rlphy0: <RealTek internal media interface> on miibus0
                        rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re0: Ethernet address: 00:90:7f:30:e6:73
                        re0: [FAST]
                        re1: <RealTek 8139C+ 10/100BaseTX> port 0xd600-0xd6ff mem 0xefefb000-0xefefb1ff irq 5 at device 10.0 on pci2
                        miibus1: <MII bus> on re1
                        rlphy1: <RealTek internal media interface> on miibus1
                        rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re1: Ethernet address: 00:90:7f:30:e6:74
                        re1: [FAST]
                        re2: <RealTek 8139C+ 10/100BaseTX> port 0xd900-0xd9ff mem 0xefefc000-0xefefc1ff irq 11 at device 11.0 on pci2
                        miibus2: <MII bus> on re2
                        rlphy2: <RealTek internal media interface> on miibus2
                        rlphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re2: Ethernet address: 00:90:7f:30:e6:75
                        re2: [FAST]
                        re3: <RealTek 8139C+ 10/100BaseTX> port 0xda00-0xdaff mem 0xefefd000-0xefefd1ff irq 12 at device 12.0 on pci2
                        miibus3: <MII bus> on re3
                        rlphy3: <RealTek internal media interface> on miibus3
                        rlphy3:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re3: Ethernet address: 00:90:7f:30:e6:76
                        re3: [FAST]
                        re4: <RealTek 8139C+ 10/100BaseTX> port 0xdd00-0xddff mem 0xefefe000-0xefefe1ff irq 9 at device 13.0 on pci2
                        miibus4: <MII bus> on re4
                        rlphy4: <RealTek internal media interface> on miibus4
                        rlphy4:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re4: Ethernet address: 00:90:7f:30:e6:77
                        re4: [FAST]
                        re5: <RealTek 8139C+ 10/100BaseTX> port 0xde00-0xdeff mem 0xefeff000-0xefeff1ff irq 6 at device 14.0 on pci2
                        miibus5: <MII bus> on re5
                        rlphy5: <RealTek internal media interface> on miibus5
                        rlphy5:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        re5: Ethernet address: 00:90:7f:30:e6:78
                        re5: [FAST]
                        isab0: <PCI-ISA bridge> at device 31.0 on pci0
                        isa0: <ISA bus> on isab0
                        atapci0: <Intel ICH2 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 31.1 on pci0
                        ata0: <ATA channel 0> on atapci0
                        ata1: <ATA channel 1> on atapci0
                        orm0: <ISA Option ROM> at iomem 0xe0000-0xe0fff on isa0
                        ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
                        ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
                        ppc0: FIFO with 16/16/16 bytes threshold
                        ppbus0: <Parallel port bus> on ppc0
                        ppi0: <Parallel I/O> on ppbus0
                        sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
                        sio0: type 16550A, console
                        sio1: configured irq 3 not in bitmap of probed irqs 0
                        sio1: port may not be enabled
                        unknown: <PNP0c01> can't assign resources (memory)
                        speaker0: <PC speaker> at port 0x61 on isa0
                        unknown: <PNP0501> can't assign resources (port)
                        unknown: <PNP0401> can't assign resources (port)
                        RTC BIOS diagnostic error 20<config_unit>
                        Timecounter "TSC" frequency 1202733781 Hz quality 800
                        Timecounters tick every 10.000 msec
                        Fast IPsec: Initialized Security Association Processing.
                        ad2: DMA limited to UDMA33, controller found non-ATA66 cable
                        ad2: 76319MB <TOSHIBA MK8025GAS KA023A> at ata1-master UDMA33
                        Trying to mount root from ufs:/dev/ad2s1a

                        • J
                          jmcentire last edited by

                          BTW whoever fixed the bootup and shutdown beeps in RC4 THANK YOU!  I swear this thing would sit and beep for a minute and a half whenever I started it up.

                          And it seemed to boot a lot faster and is using quite a bit less memory than RC3 was!

                          • R
                            ridnhard19 last edited by

                            Hey this is pretty cool. I just found myself a x700 box on bay for cheap and am anxious to give this a try.  You start pricing out the newer alix boards, if you can find a good deal on one of these it really makes sense.  These seem to have a more powerful CPU.

                            • S
                              Sifter last edited by

                              how noisy are these boxes?  Anything like the nokia Ip330's?  Also, I don't see your crypto card being recognized in your dmesg.

                              • R
                                ridnhard19 last edited by

                                @Sifter:

                                how noisy are these boxes?  Anything like the nokia Ip330's?  Also, I don't see your crypto card being recognized in your dmesg.

                                Yea i'd be curious to know too. From what it looks like there are only 3 fans in the back.  I'm hoping it's quiet.

                                Like you, I also noticed nothing about the encryption card in his dmesg log; I'll also be looking to try to figure that piece out when I get my paws on mine.

                                1 Reply Last reply Reply Quote 0
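
Added example, not part of any post in this thread: an sh script that pulls out of a FreeBSD dmesg the devices no driver claimed and any crypto accelerator driver that did attach, which is the check Sifter and ridnhard19 made by eye. The sample lines are constructed in the format of the dmesg posted above, and the driver names safe, hifn and ubsec are FreeBSD crypto drivers assumed here as the ones worth looking for.

```shell
#!/bin/sh
# Added example: dmesg triage for hardware the kernel saw but no driver claimed.

# Constructed sample in the format of the dmesg posted in this thread.
sample_dmesg() {
    cat <<'EOF'
pci2: <PCI bus> on pcib2
pci2: <unknown> at device 6.0 (no driver attached)
re0: <RealTek 8139C+ 10/100BaseTX> port 0xd500-0xd5ff mem 0xefefa000-0xefefa1ff irq 10 at device 9.0 on pci2
re0: Ethernet address: 00:90:7f:30:e6:73
Fast IPsec: Initialized Security Association Processing.
EOF
}

# Reads dmesg text on stdin.
# Prints "bus slot description" for every device left without a driver.
unclaimed_devices() {
    awk '/\(no driver attached\)/ {
        bus = $1; sub(/:$/, "", bus)
        match($0, /<[^>]*>/)
        desc = substr($0, RSTART + 1, RLENGTH - 2)
        match($0, /at device [0-9]+\.[0-9]+/)
        slot = substr($0, RSTART + 10, RLENGTH - 10)
        print bus, slot, desc
    }'
}

# Reads dmesg text on stdin.
# Prints the instance name (for example safe0) of each crypto driver that attached.
# Assumption: safe, hifn and ubsec are the drivers of interest.
crypto_attached() {
    awk '/^(safe|hifn|ubsec)[0-9]+: </ { name = $1; sub(/:$/, "", name); print name }'
}

# Reads dmesg text on stdin and prints a one-line verdict.
crypto_verdict() {
    input=$(cat)
    attached=$(printf '%s\n' "$input" | crypto_attached)
    unclaimed=$(printf '%s\n' "$input" | unclaimed_devices)
    if [ -n "$attached" ]; then
        echo "crypto driver attached: $attached"
    elif [ -n "$unclaimed" ]; then
        echo "no crypto driver attached; unclaimed: $unclaimed"
    else
        echo "no crypto driver attached; no unclaimed devices"
    fi
}

sample_dmesg | crypto_verdict
```

On a live box feed it with `dmesg -a | crypto_verdict`; `pciconf -lv` then identifies the vendor and device behind the reported slot.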
                                • B
                                  BenHead last edited by

                                  Dunno if you had tried this, but I figured I'd attempt just swapping their CF card out for one with the pfSense embedded image on it.  No luck that way.  :(  (Figured I'd mention it in case anyone else had the same thought.)  Guess it's off to scrounge up a spare hard disk.

                                  • R
                                    rsw686 last edited by

                                    @BenHead:

                                    Dunno if you had tried this, but I figured I'd attempt just swapping their CF card out for one with the pfSense embedded image on it.  No luck that way.  :(  (Figured I'd mention it in case anyone else had the same thought.)  Guess it's off to scrounge up a spare hard disk.

                                    I wonder if a simple IDE to CF adapter would work?

                                    • V
                                      Valhalla1 last edited by

                                      anyone tried a full hard drive install with an IDE adapter, instead of embedded ?

                                      (-edited to add, this works fine)

                                      • Cry Havok
                                        Cry Havok last edited by

                                        On another platform, yes.  The FX5620 comes with a built in IDE-CF adaptor and I plugged a microdrive in then did a full install onto that.

                                        • C
                                          cirrusflyer last edited by

                                          Would this work on the older WG FB II?

                                          • H
                                            hoba last edited by

                                            Have a look here http://www.ls-net.com/m0n0wall-watchguard/ (Hardware seems to be a bit weak though and remember you'll need 128 mb ram at least).

                                            • V
                                              Valhalla1 last edited by

                                              thanks jmcentire and ridnhard19 and pfsense guys…just finished installing pfsense on a watchguard  and swapping it in place of my old pfsense box

                                              works great, what a deal..

                                              to those who were wondering about the noise, it is kinda noisy with the 3 fans in the back, compared to a silent embedded device.  and be sure to use the hard drive 'cage' if you do a laptop hard drive install like I did, if you just lay the hard drive on the motherboard it's likely to short something out and not boot (happened to me)

                                              • V
                                                Valhalla1 last edited by

                                                supposedly the mini pci VPN accelerator card is based on the SafeNet SafeXcel 1141  which according to the product brief: 
                                                http://www.safenet-inc.com/Library/3/SafeXcel-1141_ProductBrief.pdf

                                                "Full driver support is available for
                                                development on the most common Operating
                                                Systems, including Windows, Linux,
                                                VxWorks, NetBSD, and FreeBSD. Additional
                                                OS driver support can be delivered
                                                upon request."

                                                says the 1141 is supported in FreeBSD

                                                maybe 1.3 will recognize it ?  or maybe we need a diff kernel option compiled in?

                                                driver info-
                                                http://www.mirbsd.org/htman/sparc/man4/safe.htm

                                                • J
                                                  jmcentire last edited by

                                                  http://www.freebsd.org/releases/6.2R/hardware-i386.html#CRYPTO-ACCEL

                                                  It says the SafeNet 1141 is supported already, but still doesn't show up in pfSense.

                                                  BTW so far have been running two of these x700/pfsense boxes for a few months in a production environment.  No problems whatsoever!

                                                  Thanks

                                                  • V
                                                    Valhalla1 last edited by

                                                    just had to physically reset my firebox as all network connectivity was lost for no apparent reason   :-\  although the LCD was still cycling as normal and the box seemed "alive" (blinking network lights, lcd).  but pings, ssh logins, or internet traffic were all frozen

                                                    I would have checked the status or rebooted cleanly via serial console, but that brings me to my question..  I am able to see the freebsd bootup sequence for pfsense over a null modem serial connection to my firebox x500, but once bootup is complete and the "beep" sounds, the serial console seems to 'die', and is unresponsive to keyboard input, nor does it update the display on hyperterminal

                                                    also I don't see any POST bios/bootup info over the serial console (before the OS starts loading), like I do with my soekris net4501.  I only get info over serial once the freebsd kernel bootstraps and it stops once pfsense finishes booting.  I'm guessing I might see the BIOS POST if I installed a pci video card, but I haven't messed with that.  Maybe if I did install one, I could get into bios setup and fix my serial console issue?

                                                    • H
                                                      hoba last edited by

                                                      Try to check the serial port option at system>advanced and see if that makes a difference for the console. The other issue sounds like you maybe have been running out of states. If that is the case you can bump up that value too at system>advanced.

                                                      • V
                                                        Valhalla1 last edited by

                                                        @hoba:

                                                        Try to check the serial port option at system>advanced and see if that makes a difference for the console. The other issue sounds like you maybe have been running out of states. If that is the case you can bump up that value too at system>advanced.

                                                        duh, I can't believe I missed the serial console option, thanks.

                                                        I upped the states to 50,000.  I previously had it set to 30,000, although I've never seen it get near that high before. Hopefully it was just a fluke

                                                        • V
                                                          Valhalla1 last edited by

                                                          well I've had to reboot my Watchguard 3 times now, I've narrowed down the problem..

                                                          in the system logs right before the "lockups", you see "re1 watchdog timeout"  repeated several times.

                                                          from searching the forum, looks like ridnhard19 also had these problems with this firebox..
                                                          I issued "echo "hint.acpi.0.disabled=1" >> /boot/loader.conf"  in the console and hopefully that will fix this

                                                          1 Reply Last reply Reply Quote 0
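
Added example, not part of any post in this thread: the `echo ... >> /boot/loader.conf` form appends a new line every time it is run, and the variant with `disabled="1"` loses its quotes to the shell before it reaches the file. The sh function below sets a loader tunable exactly once in the `name="value"` form documented in loader.conf(5); the function names and the temporary files are assumptions of this example.

```shell
#!/bin/sh
# Added example: set a loader.conf tunable idempotently.

# set_loader_tunable FILE KEY VALUE
# Removes every existing assignment of KEY, then appends KEY="VALUE" once.
set_loader_tunable() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Keep only the lines that do not start with KEY=
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    # Write back through the original file so its mode and owner are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# tunable_count FILE KEY: number of lines in FILE that assign KEY.
tunable_count() {
    awk -v k="$2" 'index($0, k "=") == 1 { n++ } END { print n + 0 }' "$1"
}

# Shows what the two command forms quoted in this thread leave in a file,
# then what the file looks like after set_loader_tunable.
demo() {
    f=$(mktemp) || return 1
    echo "hint.acpi.0.disabled=1" >> "$f"
    echo hint.acpi.0.disabled="1" >> "$f"    # the shell strips these quotes
    echo "after the two echo commands:"
    cat "$f"
    set_loader_tunable "$f" hint.acpi.0.disabled 1
    echo "after set_loader_tunable:"
    cat "$f"
    rm -f "$f"
}

demo
```

After a reboot, `kenv hint.acpi.0.disabled` shows whether the loader picked the value up.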
                                                          • jahonix
                                                            jahonix last edited by

                                                            If "re1" is one of your interfaces then you might want to use a new cable on it.
                                                            Hardware issues (like a bad cable) are much more likely to happen when a system is used over a longer time than suddenly failing for ACPI settings.

                                                            Just a thought.

                                                            Edit:
                                                            @Valhalla1:

                                                            … just finished installing pfsense on a watchguard ...

                                                            OK, forget about this. It seems to be a new install.

                                                            • J
                                                              jmcentire last edited by

                                                              Valhalla1: that "re1 watchdog timeout" message you are getting, I received that also, found out it was the switch the firebox was plugged into.  Changed to a different switch and haven't seen that message again,  BTW current uptime counter is at 34 days on two of my pfsense/fireboxes.

                                                              • J
                                                                jmcentire last edited by

                                                                I just did some testing with the hardware on these things, they currently have a 1.2 Ghz Celeron processor.  I swapped it out with a 1.4 Ghz Pentium 3:

                                                                Copyright (c) 1992-2007 The FreeBSD Project.
                                                                Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
                                                                The Regents of the University of California. All rights reserved.
                                                                FreeBSD is a registered trademark of The FreeBSD Foundation.
                                                                FreeBSD 6.2-RELEASE-p11 #0: Sun Feb 24 16:38:29 EST 2008
                                                                    sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
                                                                Timecounter "i8254" frequency 1193182 Hz quality 0
                                                                CPU: Intel(R) Pentium(R) III CPU family      1400MHz (1403.19-MHz 686-class CPU)
                                                                  Origin = "GenuineIntel"  Id = 0x6b1  Stepping = 1
                                                                  Features=0x383f9ff <FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>

                                                                Works perfectly!  So if you have any old p3s laying around, swap em out and get a little more performance!  Also these boards do support 512 MB sticks of PC133, so as soon as I find some I will be upgrading that as well.

                                                                Does anyone know a way to test the performance difference between the two such as ipsec encryption speed or anything?

                                                                • H
                                                                  hoba last edited by

                                                                  For benchmarking use a setup like this:

                                                                  host1-----pfSense1------(ipsec)----bench-pfsense----host2

                                                                  • host1 and host2 have to be able to generate traffic that can keep the ipsec encryption busy (more traffic than it actually can handle)
                                                                  • pfSense1 has to be faster than the bench-pfsense or you will measure the wrong machine
                                                                  • only use crossover cables between all the machines to reduce other factors like switches or loaded networks

                                                                  Once you have set this up use tools like netio or iperf to pump traffic from host2 to host1 and modify the hardware of your bench-pfsense. You also can play around with different encryptions as some are faster and some are slower.

                                                                  • P
                                                                    PeeZee last edited by

                                                                    After reading this topic I also revived 2 old WG Firebox X series boxes I had lying around. Install went very smooth, and everything seemed to be working very well.

                                                                    Until I found out the box runs very unstable…

                                                                    Network throughput is very unpredictable, sometimes up to 6Mbit but mostly about 512kbit where it should be close to 100Mbit (other 100Mbit network devices connected through cat5e)
                                                                    Network traffic often comes to a complete stop for either a few seconds or until I reboot the box, and strange enough I can trigger this in a few ways like 'trying to open the webgui from the WAN side of the firewall' or "start a large download". Once this occurs, the box stops answering all network traffic, I can't even ping it anymore. Most of the times, once I stop the download or close the browser that is trying to open the webgui, the box starts answering to ping requests right away again.

                                                                    Like in the other Watchguard threads on this forum, this seems to be related to the "kernel: re0: watchdog timeout" error that shows up in the logs at the time the symptoms occur.
                                                                    From what I've read, it has to do with hardware issues concerning the network cards ?

                                                                    I've searched the forums and google, and found a few 'solutions' suggested by other people with the same issues:

                                                                    • disable ACPI using 'echo hint.acpi.0.disabled="1" >> /boot/loader.conf' -> didn't help
                                                                    • enable device polling -> after this, once the watchdog issue occurs the firewall always stops answering network traffic until a power cycle, quite annoying
                                                                    • throw out the NICs, replace them with NICs using other chipset -> unfortunately, on this Watchguard hardware that is quite difficult, these are 6 onboard realtek based nics
                                                                    • disable "plug and play OS" in the BIOS -> unfortunately the watchguard mobo doesn't have a keyboard connector, so I can't get in the bios.
                                                                    • use the SMP kernel instead of the uniprocessor kernel -> I'm running on the embedded kernel because the firebox only has serial input/output instead of vga/kb.

                                                                    I have three questions actually:

                                                                    • How do I switch to the SMP kernel without losing the serial console ? How can I do this from within pfsense, without reinstalling the entire device ?

                                                                    • Callout to the other people using watchguard hardware for pfsense, does this watchdog timeout error occur on all fireboxes with pfsense ?

                                                                    • Does anybody have any other suggestions I can try ?

                                                                    (That's 4 questions actually :) )

                                                                    This is a big problem since the box is just unusable now, and I'd really like to get pfsense on it.

                                                                    Small Update: This occurs on both fireboxes with pfsense on them, in completely different environments, connected to different switches, different cabling.

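An added example, not part of any post in this thread: one way to see when the "watchdog timeout" messages cluster is to group them per interface into episodes from an exported system log. The log layout (standard BSD syslog prefix), the hostname, the placeholder year and the 60-second gap are assumptions; only the message text is taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in BSD syslog layout. Only the text
# "kernel: re0: watchdog timeout" comes from the thread; the hostname,
# times and the unrelated line are made up for illustration.
SAMPLE_LOG = """\
Mar  3 14:02:11 fw kernel: re0: watchdog timeout
Mar  3 14:02:19 fw kernel: re0: watchdog timeout
Mar  3 14:02:31 fw kernel: re0: watchdog timeout
Mar  3 14:05:00 fw sshd[412]: unrelated line
Mar  3 16:40:02 fw kernel: re1: watchdog timeout
Mar  3 18:15:45 fw kernel: re0: watchdog timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"kernel: (?P<nic>[a-z]+\d+): watchdog timeout\s*$"
)

def parse_events(text, year=2000):
    """Yield (interface, datetime) for every watchdog timeout line.

    Syslog timestamps carry no year, so `year` is an assumed placeholder.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = " ".join(m.group("ts").split())  # "Mar  3" -> "Mar 3"
            yield m.group("nic"), datetime.strptime(
                f"{year} {ts}", "%Y %b %d %H:%M:%S")

def episodes(text, gap_seconds=60):
    """Return {nic: [(start, end, count), ...]}.

    Timeouts on one interface that follow each other within gap_seconds
    are counted as a single episode (one stall of the interface).
    """
    per_nic = defaultdict(list)
    for nic, when in parse_events(text):
        per_nic[nic].append(when)
    result = {}
    for nic, times in per_nic.items():
        times.sort()
        runs = [[times[0], times[0], 1]]
        for t in times[1:]:
            if t - runs[-1][1] <= timedelta(seconds=gap_seconds):
                runs[-1][1] = t       # extend the current episode
                runs[-1][2] += 1
            else:
                runs.append([t, t, 1])  # quiet period: new episode
        result[nic] = [tuple(r) for r in runs]
    return result

def report(text):
    """One summary line per episode: interface, start, duration, count."""
    return [f"{nic} {start:%H:%M:%S} +{int((end - start).total_seconds())}s x{n}"
            for nic, runs in sorted(episodes(text).items())
            for start, end, n in runs]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Comparing episode start times with what was happening on the box at that moment (a webgui login, a large download) is the correlation the posts here attempt by hand.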
                                                                      jmcentire last edited by

                                                                      Right now I have 3 x700s running, so far have not had a problem.  I used to receive the watchdog timeout errors when it was connected to any Netgear hub or switch (tried 4 different ones).  Once I removed the Netgear switches (plugged directly into cable modem and an HP ProCurve switch) the errors were gone.  However when I was getting the watchdog timeout error it still never caused any problems (currently my 3rd x700 is still plugged into a Netgear switch and continually gets those errors).  So maybe if we find some differences between your install and mine it will help you narrow down the problem.

                                                                      Did you do a full install onto a HDD or embedded on CF?
                                                                      What switches are you using?

                                                                        PeeZee last edited by

                                                                        @jmcentire:

                                                                        Did you do a full install onto a HDD or embedded on CF?
                                                                        What switches are you using?

                                                                        I'm having these issues on 2 firebox units, let's call them firebox 1 and firebox 2 for now.

                                                                        Firebox 1 is a full install on a 1GB CF card using a usb cf reader and a laptop with the livecd, installed through option 99, selected the embedded kernel at kernel selection, plugged the CF card into the firebox after install.
                                                                        It is connected to a cisco catalyst 3550 on one of the FastEthernet 100Mbit ports.

                                                                        Firebox 2 is a full install on a 2.5" hard drive, installed identically the same way.
                                                                        This one is connected to a cheap 16port table switch but I can't remember the brand right now (I'll try to get back on that later tonight)

                                                                        Both units have the lcdd process installed to show cpu and memory stats on the firebox lcd display, installed as described in http://forum.pfsense.org/index.php/topic,7920.msg46356.html#msg46356 . Would this be causing an issue ?

                                                                        Strange thing is I ran firebox1 on my home network for about 3 hours while installing and configuring it, and did not notice these errors at that time. However, I can't say for sure they weren't there, maybe I just didn't notice them since I didn't run any traffic through the box.

                                                                        Thanks a lot for helping me on this !

                                                                        UPDATE: Testing stuff is a bit difficult since both boxes are at remote locations (which is exactly why this is such an annoying problem :) ) but I'll try to drive over there tomorrow and see if the problem persists when I plug my laptop straight into firebox 2 instead of through the desktop switch. We should be able to confirm/rule out a switch problem then.

                                                                          jmcentire last edited by

                                                                          I am also running lcdd, but not the way "ridnhard19" did it (check my post a few down: http://forum.pfsense.org/index.php/topic,7920.msg46902.html#msg46902).

                                                                          Is your 1GB CF card a microdrive or regular flash mem?

                                                                          Looks like we installed them the same way, did you have to change the partition information in /etc/fstab?  If so did you also change your swap partition to the correct drive?

                                                                          I was thinking the watchdog error might have been from just using cheap switches, but the cisco rules that out.

                                                                          I don't have many other ideas, 2 of mine have been up for over a month running a couple ipsec tunnels, carp, squid, squidguard, and handling quite a bit of traffic(about 3-4 voip calls, 4-5 terminal server sessions, large file transfers, and some web browsing all at the same time) and it doesn't seem to slow down at all.

                                                                            PeeZee last edited by

                                                                            @jmcentire:

                                                                            Is your 1GB CF card a microdrive or regular flash mem?
                                                                            Looks like we installed them the same way, did you have to change the partition information in /etc/fstab?  If so did you also change your swap partition to the correct drive?

                                                                            The CF card is a normal CF card, not a microdrive. I know this is not recommended and I plan to change this over time. The reason I installed it like this is that I originally thought picking the 'embedded kernel' during install also meant having a read only filesystem like on the embedded images. I found out after installation that it is not, but didn't bother reinstalling yet. Figured it'd be a nice test to see how long the CF card lasts. (CF cards are cheap nowadays anyways, this one was 6 euro)

                                                                            On the partition information, yes I had to change them after install, and I also changed the swap partition info on firebox 2.
                                                                            The correct setting on firebox 2 (with the 2.5" hard drive) was /dev/ad2s1a for the root fs and /dev/ad2s1b for the swap.
                                                                            Firebox 1 needed /dev/ad0s1a since it is running from a CF card.
                                                                            Firebox 1 however doesn't have a swap partition since I manually removed that during install. (I figured using swap on a CF card would be really overdoing it :) )

                                                                            So far I can't really think of anything we did different. Tomorrow evening I'm going over to firebox 2 to test whether the problem also occurs using just a network cable, without being connected to the switch. I'll post an update while testing it.

                                                                              Valhalla1 last edited by

                                                                              I'm on an x500 with 2.5" laptop drive, full install, not embedded kernel.. also do have the LCD driver

                                                                              I've had the watchdog timeouts, on re1 LAN interface only… about 4 or 5 times I think, sometimes it's able to recover, other times it required a hard reboot.  I can pretty confidently say this problem only occurred to me while I was clicking around in the webgui configurator, while under minimal network load.   Haven't had them happen when not logged into gui even when maxing out my dual wan bandwidth for hours at a time/lots of states, torrents etc

                                                                              when it happens I can't help but get the (probably incorrect) feeling that the http server or php is running away with the cpu or network card or something...  thought about trying a tweak I read about on these forums about increasing the priority of the http server, an update supposedly adjustable in upcoming 1.3

                                                                                PeeZee last edited by

                                                                                Ok, some more debugging info from the aforementioned firebox 1, but this one is a tricky one, I have absolutely no logical explanation for it:

                                                                                First a little network schematic:

                                                                                
                                                                                LAN (re1) <--- 172.20.2.1/24 ---> Firebox 1 <--- WAN (re0) using public x.x.x.x/28 subnet ---> SWITCH <---> The internet <---> Laptop at remote location
                                                                                                                                                                                 |_> linux server in same /28 subnet
                                                                                
                                                                                

                                                                                (I hope this is clear, the linux server is connected to the same switch as the WAN port of the firebox, the /28 subnet consists of public internet ip addresses)

                                                                                Yesterday I was doing some tests on when the watchdog errors occur, from my laptop at the remote location.
                                                                                pfsense Webgui is running on HTTPS, port 443 so I opened up the HTTPS port and icmp ping replies on the WAN side of the firewall.
                                                                                I'm continuously running a ping from the laptop to the WAN IP of the firebox.
                                                                                As soon as I told firefox on my laptop to connect to the firebox WAN ip through https, firefox shows me the http authentication dialog, I fill in the fields and press OK, and the firebox WAN ip immediately stops responding to ping requests.
                                                                                Firefox tries to load the page but stays blank (since the firebox obviously stopped sending data), as soon as I press the STOP button in firefox the firebox WAN ip address starts replying to PING requests again.

                                                                                So far you'd think the http process is causing the problem, but now it starts to get really strange:

                                                                                I open up an SSH session to the linux box in the same public /28 internet range as the firebox, and tunnel a https connection through the SSH connection.
                                                                                In other words, I mapped a tcp port on my laptop to one on the linux server so that from the firebox point of view my requests to open up the web interface come from the linux server in its own WAN subnet.
                                                                                And now, opening up the web interface works perfectly right away. I see the pfsense interface, can click around in all menus, don't get any timeouts and don't get any watchdog errors in the logs… The public WAN ip also keeps responding to the still running ping requests.

                                                                                So I tried to open the web interface from my laptop over the internet through the real public IP again, and again the watchdog errors occur and the firebox stops responding to network traffic...

                                                                                I'm not making any sense of this...

                                                                                  PeeZee last edited by

                                                                                  Thanks for the help trying to solve this, but I'm afraid I'm running out of time to fix this.
                                                                                  I've replaced both fireboxes with 'normal' PCs, exported and imported the config, and all problems have disappeared.

                                                                                  I'm not giving up on the watchguard hardware yet, but I don't have the time to keep looking for a solution right now.

                                                                                    Valhalla1 last edited by

                                                                                    ugh.. just had to add a few rules to the firewall and it ended up being a multi-reboot network outage due to watchdog timeout freezeups..   box had been up for a couple weeks, transferring tens of gigs of data per day, but soon as I need to poke around the webgui, the lan interface decides to puke all over itself
