Successful Install on Watchguard Firebox X700!
-
I replaced my Watchguard Firebox X700 with a PC running pfSense, so I wondered if I could make pfSense run on the Watchguard Hardware. IT WORKS!
Steps(more simple than I was expecting)
1. Opened FB(Firebox), Removed CF Card
2. Hooked up a notebook drive to my machine, booted from Live CD (1.2 RC3)
3. 99 Install, accepted all defaults except chose embedded kernel
4. After install was done, took the drive and plugged it into the FB
5. Used the console cable that came with the FB and plugged it into the FB and my Com port
6. Opened HyperTerminal, new connection: BPS: 9600 / Data bits: 8 / Parity: None / Stop : 1 / Flow control: Hardware
7. Turned on FB and it immediately started booting FreeBSD
8. Couldn't mount drive(since installed on different machine), so it asks what you want to mount enter: ufs:ad2s1a
9. Boots up into pfSense just fine!
10. Get into the web interface, "Diagnostics", "Edit File"
11. Load "/etc/fstab"
12. Change the old drive information to the correct one(ad2s1a & ad2s1b).
13. Save (This should fix it asking what drive to mount on boot).Anyway I haven't had a chance to really use it yet, but I will let you know how it performs. This FB also has a VPN/SSL accelerator card, not sure if I can use it in pfSense so if anyone has info about that let me know. Also if anyone has ideas on how to make the display do something that would be awesome! Otherwise everything works!
Here are the hardware specs if anyone is interested:
Celeron 1.2 Ghz
256MB PC133
Intel Chipset
6x Realtek NICs
SafeNet VPN/SSL Accelerator Card (in mini-pci slot)
Open standard PCI Slot
CF card slot
Standard IDE connector
Notebook IDE connector
and bunch of other pins for ports(not sure what they are for)Pic(I will get some of the inside if anyone is interested)
-
Very cool!
Nice to know it works so far!
-
Wow, I'm impressed!
Just wondering, doesn't the Watchguard actually have more feature than pfSense at this point?
I'm not sure that you are actually gaining anything by putting pfSense on that hardware.
What was your reason for doing this?
Thanks!
-
One less watchdog in the wild, that's the reason!
Slap a pfSense sticker on that puppy!!
-
@ flachance - Just because they list a bunch of features doesn't mean they work :D…...We have had tons of problems with these watchguards, we even paid for fireware pro to get all the features available, ie: dual wan, just wanted it to fail to the second wan when the first failed and half the time it wouldn't ever failover even if I completely unplugged the first wan interface....anyway I shouldn't get started on these things. Plus if I did the same stuff with these fireboxes that i'm doing with pfSense I would be paying over $7200/year for licenses(don't get any ideas pfSense creators, btw if pfSense keeps running well, and passes our audits, you can expect a donation from me)!
Anyway, if anyone else is interested in these watchguards, the X500, X700, X1000, and X2500 are all the same hardware, they just have different licenses to allow higher throughput.
-
@ flachance - Just because they list a bunch of features doesn't mean they work :D…...We have had tons of problems with these watchguards, we even paid for fireware pro to get all the features available, ie: dual wan, just wanted it to fail to the second wan when the first failed and half the time it wouldn't ever failover even if I completely unplugged the first wan interface....anyway I shouldn't get started on these things. Plus if I did the same stuff with these fireboxes that i'm doing with pfSense I would be paying over $7200/year for licenses(don't get any ideas pfSense creators, btw if pfSense keeps running well, and passes our audits, you can expect a donation from me)!
Anyway, if anyone else is interested in these watchguards, the X500, X700, X1000, and X2500 are all the same hardware, they just have different licenses to allow higher throughput.
We won't be changing this any time soon but I encourage you to check out our commercial support which does benefit the pfSense community by helping fund commercial projects and such.
-
Could you post a dmesg from that box?
-
???
What's a dmesg?
-
run "dmesg -a" from a command prompt (option 8 from console menu) or ssh in.
-
I assume this is what you are looking for:
Copyright
1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE-p10 #0: Tue Jan 15 22:46:42 EST 2008
sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(TM) CPU 1200MHz (1202.73-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x6b4 Stepping = 4
Features=0x383f9ff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,mmx,fxsr,sse>real memory = 268435456 (256 MB)
avail memory = 253267968 (241 MB)
wlan: mac acl policy registered
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cpu0 on motherboard
pcib0: <intel 82815="" (i815="" gmch)="" host="" to="" hub="" bridge="">pcibus 0 on motherboard
pir0: <pci 11="" interrupt="" routing="" table:="" entries="">on motherboard
$PIR: Using invalid BIOS IRQ 9 from 2.13.INTA for link 0x63
pci0: <pci bus="">on pcib0
pcib1: <pci-pci bridge="">at device 1.0 on pci0
pci1: <pci bus="">on pcib1
pcib2: <pcibios pci-pci="" bridge="">at device 30.0 on pci0
pci2: <pci bus="">on pcib2
pci2: <unknown>at device 6.0 (no driver attached)
re0: <realtek 10="" 8139c+="" 100basetx="">port 0xd500-0xd5ff mem 0xefefa000-0xefefa1ff irq 10 at device 9.0 on pci2
miibus0: <mii bus="">on re0
rlphy0: <realtek internal="" media="" interface="">on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re0: Ethernet address: 00:90:7f:30:e6:73
re0: [FAST]
re1: <realtek 10="" 8139c+="" 100basetx="">port 0xd600-0xd6ff mem 0xefefb000-0xefefb1ff irq 5 at device 10.0 on pci2
miibus1: <mii bus="">on re1
rlphy1: <realtek internal="" media="" interface="">on miibus1
rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re1: Ethernet address: 00:90:7f:30:e6:74
re1: [FAST]
re2: <realtek 10="" 8139c+="" 100basetx="">port 0xd900-0xd9ff mem 0xefefc000-0xefefc1ff irq 11 at device 11.0 on pci2
miibus2: <mii bus="">on re2
rlphy2: <realtek internal="" media="" interface="">on miibus2
rlphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re2: Ethernet address: 00:90:7f:30:e6:75
re2: [FAST]
re3: <realtek 10="" 8139c+="" 100basetx="">port 0xda00-0xdaff mem 0xefefd000-0xefefd1ff irq 12 at device 12.0 on pci2
miibus3: <mii bus="">on re3
rlphy3: <realtek internal="" media="" interface="">on miibus3
rlphy3: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re3: Ethernet address: 00:90:7f:30:e6:76
re3: [FAST]
re4: <realtek 10="" 8139c+="" 100basetx="">port 0xdd00-0xddff mem 0xefefe000-0xefefe1ff irq 9 at device 13.0 on pci2
miibus4: <mii bus="">on re4
rlphy4: <realtek internal="" media="" interface="">on miibus4
rlphy4: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re4: Ethernet address: 00:90:7f:30:e6:77
re4: [FAST]
re5: <realtek 10="" 8139c+="" 100basetx="">port 0xde00-0xdeff mem 0xefeff000-0xefeff1ff irq 6 at device 14.0 on pci2
miibus5: <mii bus="">on re5
rlphy5: <realtek internal="" media="" interface="">on miibus5
rlphy5: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
re5: Ethernet address: 00:90:7f:30:e6:78
re5: [FAST]
isab0: <pci-isa bridge="">at device 31.0 on pci0
isa0: <isa bus="">on isab0
atapci0: <intel ich2="" udma100="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 31.1 on pci0
ata0: <ata 0="" channel="">on atapci0
ata1: <ata 1="" channel="">on atapci0
orm0: <isa option="" rom="">at iomem 0xe0000-0xe0fff on isa0
ppc0: <parallel port="">at port 0x378-0x37f irq 7 on isa0
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/16 bytes threshold
ppbus0: <parallel port="" bus="">on ppc0
ppi0: <parallel i="" o="">on ppbus0
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A, console
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
unknown: <pnp0c01>can't assign resources (memory)
speaker0: <pc speaker="">at port 0x61 on isa0
unknown: <pnp0501>can't assign resources (port)
unknown: <pnp0401>can't assign resources (port)
RTC BIOS diagnostic error 20 <config_unit>Timecounter "TSC" frequency 1202733781 Hz quality 800
Timecounters tick every 10.000 msec
Fast IPsec: Initialized Security Association Processing.
ad2: DMA limited to UDMA33, controller found non-ATA66 cable
ad2: 76319MB <toshiba mk8025gas="" ka023a="">at ata1-master UDMA33
Trying to mount root from ufs:/dev/ad2s1a</toshiba></config_unit></pnp0401></pnp0501></pc></pnp0c01></parallel></parallel></parallel></isa></ata></ata></intel></isa></pci-isa></realtek></mii></realtek></realtek></mii></realtek></realtek></mii></realtek></realtek></mii></realtek></realtek></mii></realtek></realtek></mii></realtek></unknown></pci></pcibios></pci></pci-pci></pci></pci></intel></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,mmx,fxsr,sse> -
BTW whoever fixed the bootup and shutdown beeps in RC4 THANK YOU! I swear this thing would sit and beep for a minute and a half whenever I started it up.
And it seemed to boot a lot faster and is using quite a bit less memory than RC3 was!
-
Hey this is pretty cool. I just found myself a x700 box on bay for cheep and am anxious to give this a try. You start pricing out the newer alix boards, if you can find a good deal on one of these it really makes sense. These seem to have a more powerful CPU.
-
how noisy are these boxes? Anything like the nokia Ip330's? Also, I dont see your crypto card being recognized in your dmesg.
-
how noisy are these boxes? Anything like the nokia Ip330's? Also, I dont see your crypto card being recognized in your dmesg.
Yea i'd be curious to know too. From what it looks like there are only 3 fans in the back. I'm hoping its quite.
Like you, I also noticed nothing about the encryption card in his dmesg log; I'll also be looking to try to figure that piece out when I get my paws on mine.
-
Dunno if you had tried this, but I figured I'd attempt just swapping their CF card out for one with the pfSense embedded image on it. No luck that way. :( (Figured I'd mention it in case anyone else had the same thought.) Guess it's off to scrounge up a spare hard disk.
-
Dunno if you had tried this, but I figured I'd attempt just swapping their CF card out for one with the pfSense embedded image on it. No luck that way. :( (Figured I'd mention it in case anyone else had the same thought.) Guess it's off to scrounge up a spare hard disk.
I wonder if a simple IDE to CF adapter would work?
-
anyone tried a full hard drive install with a IDE adapter, instead of embedded ?
(-edited to add, this works fine)
-
On another platform, yes. The FX5620 comes with a built in IDE-CF adaptor and I plugged a microdrive in then did a full install onto that.
-
Would this work on the older WG FB II?
-
Have a look here http://www.ls-net.com/m0n0wall-watchguard/ (Hardware seems to be a bit weak though and remember you'll need 128 mb ram at least).
-
thanks jmcentire and ridnhard19 and pfsense guys…just finished installing pfsense on a watchguard and swapping it in place of my old pfsense box
works great, what a deal..
to those who were wondering about the noise, it is kinda noisy with the 3 fans in the back, compared to a silent embedded device. and be sure to use the hard drive 'cage' if you do a laptop hard drive install like I did, if you just lay the hard drive on the motherboard its likely to short something out and not boot (happened to me)
-
supposedly the mini pci VPN accelerator card is based on the SafeNet SafeXcel 1141 which according to the product brief:
http://www.safenet-inc.com/Library/3/SafeXcel-1141_ProductBrief.pdf"Full driver support is available for
development on the most common Operating
Systems, including Windows, Linux,
VxWorks, NetBSD, and FreeBSD. Additional
OS driver support can be delivered
upon request."says the 1141 is supported in FreeBSD
maybe 1.3 will recognize it ? or maybe we need a diff kernel option compiled in?
driver info-
http://www.mirbsd.org/htman/sparc/man4/safe.htm -
http://www.freebsd.org/releases/6.2R/hardware-i386.html#CRYPTO-ACCEL
It says the SafeNet 1141 is supported already, but still doesn't show up in pfSense.
BTW so far have been running two of these x700/pfsense boxes for a few months in a production environment. No problems whatsoever!
Thanks
-
just had to physically reset my firebox as all network connectivity was lost for no apparent reason :-\ although the LCD was still cycling as normal and the box seemed "alive" (blinking network lights, lcd). but pings, ssh logins, or internet traffic were all frozen
I would have checked the status or rebooted cleanly via serial console, but that brings me to my question.. I am able to see the freebsd bootup sequence for pfsense over a null modem serial connection to my firebox x500, but once bootup is complete and the "beep" sounds, the serial console seems to 'die', and is unresponsive to keyboard input, nor does it update the display on hyperterminal
also I don't see any POST bios/bootup info over the serial console (before the OS starts loading), like I do with my soekris net4501. I only get info over serial once the freebsd kernel bootstraps and it stops once pfsense finishes booting. I'm guessing I might see the BIOS POST if I installed a pci video card, but I haven't messed with that. Maybe if I did install one, I could get into bios setup and fix my serial console issue?
-
Try to check the serial port option at system>advanced and see if that makes a difference for the console. The other issue sounds like you maybe have been running out of states. If that is the case you can bump up that value too at system>advanced.
-
Try to check the serial port option at system>advanced and see if that makes a difference for the console. The other issue sounds like you maybe have been running out of states. If that is the case you can bump up that value too at system>advanced.
duh, I can't believe I missed the serial console option, thanks.
I upped the states to 50,000. I previously had it set to 30,000, although I've never seen it get near that high before. Hopefully it was just a fluke
-
well I've had to reboot my Watchguard 3 times now, I've narrowed down the problem..
in the system logs right before the "lockups", you see "re1 watchdog timeout" repeated serveral times.
from searching the forum, looks like ridnhard19 also had these problems with this firebox..
I issued "echo "hint.acpi.0.disabled=1" >> /boot/loader.conf" in the console and hopefully that will fix this -
If "re1" is one of your interfaces then you might want to use a new cable on it.
Hardware issues (like a bad cable) are much more likely to happen when a system is used over a longer time than suddenly failing for ACPI settings.Just a thought.
Edit:
@Valhalla1:… just finished installing pfsense on a watchguard ...
OK, forget about this. It seems to be a new install.
-
Valhalla1: that "re1 watchdog timeout" message you are getting, I received that also, found out it was the switch the firebox was plugged into. Changed to a different switch and haven't seen that message again, BTW current uptime counter is at 34 days on two of my pfsense/fireboxes.
-
I just did some testing with the hardware on these things, they currently have a 1.2 Ghz Celeron processor. I swapped it out with a 1.4 Ghz Pentium 3:
Copyright
1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE-p11 #0: Sun Feb 24 16:38:29 EST 2008
sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) III CPU family 1400MHz (1403.19-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x6b1 Stepping = 1
Features=0x383f9ff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,mmx,fxsr,sse>Works perfectly! So if you have any old p3s laying around, swap em out and get a little more performance! Also these boards do support 512 MB sticks of PC133, so as soon as I find some I will be upgrading that as well.Does anyone know a way to test the performance difference between the two such as ipsec encryption speed or anything?</fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,mmx,fxsr,sse>
-
For benchmarking use a setup like this:
host1–---pfSense1------(ipsec)----bench-pfsense----host2
- host1 and host2 have to be able to generate traffic that can keep the ipsec encryption busy (more traffic than it actually can handle)
- pfSense1 has to be faster than the bench-pfsense or you will measure the wrong machine
- only use crossovercables between all the machines to reduce othe factors like switches or loaded networks
Once you have set this up use tools like netio or iperf to pump traffic from host2 to host1 and modify the hardware of your banch-pfsense. You also can play around with different encryptions as some are faster and some are slower.
-
After reading this topic I also revived 2 old WG Firebox X series boxes I had lying around. Install went very smooth, and everything seemed to be working very well.
Untill I found out the box runs very unstable…
Network throughput is very unpredictable, sometimes up to 6Mbit but mostly about 512kbit where it should be close to 100Mbit (other 100Mbit network devices connected through cat5e)
Network traffic often comes to a complete stop for either a few seconds or untill I reboot the box, and strange enough I can trigger this in a few ways like 'trying to open the webgui from the WAN side of the firewall' or "start a large download". Once this occurs, the box stops answering all network traffic, I can't even ping it anymore. Most of the times, once I stop the download or close the browser that is trying to open the webgui, the box starts answering to ping requests right away again.Like in the other Watchguard threads on this forum, this seems to be related to the "kernel: re0: watchdog timeout" error that shows up in the logs at the time the symptoms occur.
From what I've read, it has to do with hardware issues concerning the network cards ?I've searched the forums and google, and found a few 'solutions' suggested by other people with the same issues:
- disable ACPI using 'echo hint.acpi.0.disabled="1" >> /boot/loader.conf' -> didn't help
- enable device polling -> after this, once the watchdog issue occures the firewall always stops answering network traffic untill a power cycle, quite anoying
- throw out the NICs, replace them with NICs using other chipset -> unfortunately, on this Watchguard hardware that is quite difficult, these are 6 onboard realtek based nics
- disable "plug and play OS" in the BIOS -> unfortunately the watchguard mobo doesn't have a keyboard connector, so I can't get in the bios.
- use the SMP kernel in stead of the uniprocessor kernel -> I'm running on the embedded kernel because the firebox only has serial input/output in stead of vga/kb.
I have three questions actually:
-
How do I switch to the SMP kernel without losing the serial console ? How can I do this from within pfsense, without reinstalling the entire device ?
-
Callout to the other people using watchguard hardware for pfsense, does this watchdog timeout error occur on all fireboxes with pfsense ?
-
Does anybody have any other suggestions I can try ?
(That's 4 questions actually :) )
This is a big problem since the box is just unusable now, and I'd really like to get pfsense on it.
Small Update: This occurs on both fireboxes with pfsense on them, in completely different environments, connected to different switches, different cabling.
-
Right now I have 3 x700s running, so far have not had a problem. I used to receive the watchdog timeout errors when it was connected to any netgear hub or switch(tried 4 different ones). Once I removed the netgear switches(plugged directly into cable modem and an HP procurv switch) the errors were gone. However when I was getting the watchdog timeout error it still never caused any problems(currently my 3rd x700 is still plugged into a netgear switch and continually gets those errors). So maybe if we find some differences between your install and mine it will help you narrow down the problem.
Did you do a full install onto a HDD or embedded on CF?
What switches are you using? -
Did you do a full install onto a HDD or embedded on CF?
What switches are you using?I'm having these issues on 2 firebox units, let's call the firebox 1 and firebox 2 for now.
Firebox 1 is a full install on a 1GB CF card using a usb cf reader and a laptop with the livecd, installed through option 99, selected the embedded kernel at kernel selection, plugged the CF card into the firebox after install.
It is connected to a cisco catalyst 3550 on one of the FastEthernet 100Mbit ports.Firebox 2 is a full install on a 2.5" hard drive, installed identically the same way.
This one is connected to a cheap 16port table switch but I can't remember the brand right now (I'll try to get back on that later tonight)Both units have the lcdd process installed to show cpu and memory stats on the firebox lcd display, installed as described in http://forum.pfsense.org/index.php/topic,7920.msg46356.html#msg46356 . Would this be causing an issue ?
Strange thing is I ran firebox1 on my home network for about 3 hours while installing and configuring it, and did not notice these errors at that time. However, I can't say for sure they weren't there, maybe I just didn't notice them since I didn't run any traffic through the box.
Thanks a lot for helping me on this !
UPDATE: Testing stuff is a bit difficult since both boxes are on remote locations (which is exactly why this is such an annoying problem :) ) but I'll try to drive over there tomorrow and see if the problem persists when I plug my laptop straight into firebox 2 in stead of through the desktop switch. We should be able to confirm/rule out a switch problem then.
-
I am also running lcdd, but not the way "ridnhard19" did it(check my post a few down: http://forum.pfsense.org/index.php/topic,7920.msg46902.html#msg46902).
Is your 1GB CF card a microdrive or regular flash mem?
Looks like we installed them the same way, did you have to change the partition information in /etc/fstab? If so did you also change your swap partition to the correct drive?
I was thinking the watchdog error might have been from just using cheap switches, but the cisco rules that out.
I don't have many other ideas, 2 of mine have been up for over a month running a couple ipsec tunnels, carp, squid, squidguard, and handling quite a bit of traffic(about 3-4 voip calls, 4-5 terminal server sessions, large file transfers, and some web browsing all at the same time) and it doesn't seem to slow down at all.
-
Is your 1GB CF card a microdrive or regular flash mem?
Looks like we installed them the same way, did you have to change the partition information in /etc/fstab? If so did you also change your swap partition to the correct drive?The CF card is a normal CF card, not a microdrive. I know this is not recommended and I plan to change this over time. The reason I installed it like this is that I originally thought picking the 'embedded kernel' during install also meant having a read only filesystem like on the embedded images. I found out after installation that it is not, but didn't bother reinstalling yet. Figured it'd be a nice test to see how long the CF card lasts. (CF cards are cheap nowadays anyways, this one was 6 euro)
On the partition information, yes I had to change them after install, and I also changed the swap partition info on firebox 2.
The correct setting on firebox 2 (with the 2.5" hard drive) was /dev/ad2s1a for the root fs and /dev/ad2s1b for the swap.
Firebox 1 needed /dev/ad0s1a since it is running from a CF card.
Firebox 1 however doesn't have a swap partition since I manually removed that during install. (I figured using swap on a CF card would be really overdoing it :) )So far I can't really think of anything we did different. Tomorrow evening I'm going over to firebox 2 to test whether the problem also occurs using just a network cable, without being connected to the switch. I'll post an update while testing it.
-
I'm on an x500 with 2.5" laptop drive, full install, not embedded kernel.. also do have the LCD driver
I've had the watchdog timeouts, on re1 LAN interface only… about 4 or 5 times I think, sometimes its able to recover other times required a hard reboot. I can pretty confidently say this problem only occurred to me while I was clicking around in the webgui configurator, while under minimal network load. Haven't had them happen when not logged into gui even when maxing out my dual wan bandwidth for hours at a time/lots of states, torrents etc
when it happens I can't help but get the (probably incorrect) feeling that the http server or php is running away with the cpu or network card or something... thought about trying a tweak i read about on these forums about increasing the priority of the http server, an update supposedly adjustable in upcoming 1.3
-
Ok, some more debugging info from the aforementioned firebox 1, but this one is a tricky one, I have absolutely no logical explanation for it:
First a little network schematic:
LAN (re1) <--- 172.20.2.1/24 ---> Firebox 1 <--- WAN (re0) using public x.x.x.x/28 subnet ---> SWITCH <---> The internet <---> Laptop at remote location |_> linux server in same /28 subnet(I hope this is clear, the linux server is connected to the same switch as the WAN port of the firebox, the /28 subnet consists of public internet ip addresses)
Yesterday I was doing some tests on when the watchdog errors occur, from my laptop at the remote location.
pfsense Webgui is running on HTTPS, port 443 so I opened up the HTTPS port and icmp ping replies on the WAN side of the firewall.
I'm continuously running a ping from the laptop to the WAN IP of the firebox.
As soon as I told firefox on my laptop to connect to the firebox WAN ip through https, firefox shows me the http authentication dialog, I fill in the fields and press OK, and the firebox WAN ip immediately stops responding to ping requests.
Firefox tries to load the page but stays blank (since the firebox obviously stopped sending data), as soon as I press the STOP button in firefox the firebox WAN ip address starts replying to PING requests again.So far you'd think the http process is causing the problem, but now it starts to get really strange:
I open up an SSH session to the linux box in the same public /28 internet range as the firebox, and tunnel a https connection through the SSH connection.
In other words, I mapped a tcp port on my laptop to one on the linux server so that from the firebox point of view my requests to open up the web interface come from the linux server in its own WAN subnet.
And now, opening up the web interface works perfectly right away. I see the pfsense interface, can click around in all menu's, don't get any timeouts and don't get any watchdog errors in the logs… The public WAN ip also keeps responding to the still running ping requests.So I tried to open the web interface from my laptop over the internet through the real public IP again, and again the watchdog errors occurs and the firebox stops responding to network traffic...
I'm not making any sense of this...
-
Thanks for the help trying to solve this, but I'm afraid I'm running out of time to fix this.
I've replaced both fireboxes with 'normal' pc's, exported and imported the config, and all problems have disappeared.I'm not giving up on the watchguard hardware yet, but I don't have the time to keep looking for a solution right now.
-
ugh.. just had to add a few rules to the firewall and it ended up being a multi-reboot network outage due to watchdog timeout freezeups.. box had been up for a couple weeks, transferring tens of gigs of data per day, but soon as I need to poke around the webgui, the lan interface decides to puke all over itself
