Successful Install on Watchguard Firebox X700!
-
I'm really trying to get to the bottom of why things are beginning to work now. Can any devs comment on if any defaults have changed? Looking at the FreeBSD code:
The change was not in FreeBSD but in pfsense. The defaults were changed such that all the cpu offloading was turned off. You can still turn it back on manually.
Also, regarding the speed of the firebox:
I use the firebox to firewall a 120/10 connection and it reaches a sustained 98.8 mbit down while uploading at 9.89 mbit with around 48% CPU usage (tends to fluctuate up and down a lot).
When I only just got the fireboxes I ran some tests using a 100/100 connection and while the machine still threw up watchdog timeouts back then (February or March) it was able to firewall 98/98 mbit when testing with FTP transfers.
That's interesting. It ties in better with Watchguard's claimed 275/300Mbps 'firewall throughput', under their Linux-based OS.
Steve
-
@iFloris, those are interesting stats regarding your throughput. It could just be my CIFS server or something. I guess I need to set up an HTTP server locally and test via that. However, 60Mbps is ok for me as my fastest WAN connection is 15/1.
Now for some more test results:
This time, I transferred a whole directory of files from a CIFS server to my laptop which is plugged directly into the FB. The CIFS server goes via an HP ProCurve switch. I also ran "cat /dev/random > /dev/null" from an SSH shell. I was also viewing the RRD graph. The whole test lasted about 6 or 7 minutes.
Not a single timeout :D
Pics attached. You'll notice a dip in traffic in the RRD graph. Not sure what this was about (Probably just Windows CIFS being silly). You'll notice not a single timeout in system.log (also attached)
-
That's interesting. It ties in better with Watchguard's claimed 275/300Mbps 'firewall throughput', under their Linux-based OS.
That's interesting indeed, I never knew that Watchguard claimed such a throughput.
This morning I had to get a large file for a project and thought I'd post the throughput and cpu use as a reference.
It would seem that the cpu usage / speed ratio I reported earlier either changed somewhat in the past months or that there is some process going on that I don't know about causing a few percent of cpu usage on the firebox.
See attached image, sorry about all the white space.
pfSense reports a speed in of 98.47 and out of 3.47 mbit at a cpu usage of around 50% with less than 500 states.
This is with a minimal amount of firewall rules, as I only have a few port forwards configured.
Packages installed are minimal; OpenVPN Client Export Utility, RRD Summary, Unbound, arpwatch, ifBWStats, phpSysInfo and vnstat2.
Also, I hadn't noticed before that the cpu graphs to the above right show something way different to what the bar in system information shows.
-
That's really interesting. There are always people asking what throughput different hardware is capable of, at last here are some numbers! :)
Watchguard's specs are here: http://www.watchguard.com/products/x2500.asp
You have to look at the top X-Core model as all the others are software restricted.
You've inspired me to do some testing. However to do this I'd have to swap out my box as my wan connection is only ~10Mbps. Would a test between two of the other ports be equivalent? I can't see why not; they are still firewalled.
Then I'm possibly up against streaming a file at a sufficient speed. There must be a software package for doing this that doesn't rely on disk speed. Can anyone recommend anything?
Steve
-
So here is my dreaded post. I finally managed to make my x700 timeout :(
It happens when I VNC from my LAN (re2 in my case) to a server on the other side of an IPSEC tunnel.
Does anyone have any clues on what I can try to do to fix this?
-
Oh no! >:(
Can't help with that I'm afraid. You might want to check that VNC isn't sending some crazy packet size or using an odd protocol.
I have ended up using ttcp for network speed testing; it seems a useful package. Easy to install on pfSense (pkg_add -r ttcp), and there are also Windows and Linux versions, all of which seem compatible.
I'm pretty impressed that iFloris managed 98.4Mbps from a 100M interface using a supposedly bad NIC chip. I'm only getting around 85Mbps.
-
It happens when I VNC from my LAN (re2 in my case) to a server on the other side of an IPSEC tunnel.
Does anyone have any clues on what I can try to do to fix this?
What I've found is that the firebox nics are very sensitive to mtu sizes.
Make sure that you are sending regular sized, e.g. 1500 byte packets as opposed to irregular sized 1501 byte packets or something of that ilk.
If that doesn't help, lay off the IPSEC and switch to OpenVPN, which, in my usage (road warrior setup) hasn't caused a timeout yet.
I'm pretty impressed that iFloris managed 98.4Mbps from a 100M interface using a supposedly bad NIC chip. I'm only getting around 85Mbps.
If you like, I can do some additional tests, but I download a few files at that speed nearly every day.
I actually have two fireboxes, originally an x500 and the x700 currently in use.
Since I did something stupid yesterday I switched out the disk drive to the x500 and the speeds remain the same, so my speeds aren't a fluke/oddity.
It'll be interesting to see if my original measurements of being able to firewall 100/100 hold up since I'm upgrading / crossgrading my home office 120/10 docsis 3.0 connection to a 100/100 fiber connection in a month or two.
When that change is complete I'll be able to test more completely for what I think (or hope) is full duplex linespeed capability.
-
What I've found is that the firebox nics are very sensitive to mtu sizes.
Make sure that you are sending regular sized, e.g. 1500 byte packets as opposed to irregular sized 1501 byte packets or something of that ilk.
Any idea on how I can change the MTU size of the VNC packets? Or force it VPN wide?
-
If it's an MTU problem try pinging through your vpn tunnel with increasing packet size until you get timeouts.
ping -l 1480 -f (remote IP)
The -f option prevents the packet from being fragmented, in Windows.
You could try capturing some packets in pfSense. I've never used that function so can't help you.
What OSes are you running?
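The two checks suggested above (keep frames at a regular 1500 bytes, and ping through the tunnel with the Don't Fragment bit set while raising the size until replies stop) can be automated. What follows is an added example, not code from this thread: a small Python script that binary-searches for the largest ping payload that crosses a path without fragmentation and reports the resulting path MTU. The function names (`ping_df`, `find_max_payload`, `simulated_probe`) are my own; the ping flags are those of Windows ping, FreeBSD/macOS ping and Linux iputils ping. One fact worth keeping in mind when reading the numbers: on a 1500-byte Ethernet MTU the largest ICMP payload that fits is 1472 bytes (1500 minus the 20-byte IP header and 8-byte ICMP header), and the script reports the MTU by adding those 28 bytes back.

```python
"""Path MTU probe: find the largest ICMP payload that crosses a path
without fragmentation, by binary search over ping with DF set.

Added example (not from the forum thread). The search takes its probe
as a parameter, so it can be exercised offline with a simulated path.
"""
import platform
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `payload` data bytes with Don't Fragment set.
    Returns True when a reply came back, i.e. the packet fit the whole path."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    elif system == "Darwin" or system.endswith("BSD"):
        # FreeBSD/macOS ping: -D sets the DF bit
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:
        # Linux iputils ping: -M do forbids local and path fragmentation
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    try:
        result = subprocess.run(cmd, capture_output=True, timeout=timeout_s + 3)
        return result.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds, or -1 when even
    `lo` fails. Assumes a monotone path: if size N fits, every size below fits."""
    if not probe(lo):
        return -1
    best = lo
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            best, lo = mid, mid
        else:
            hi = mid - 1
    return best


def path_mtu(max_payload: int) -> int:
    """Convert the largest fitting ICMP payload back into an IPv4 MTU."""
    return max_payload + ICMP_HEADER + IP_HEADER if max_payload >= 0 else -1


def simulated_probe(mtu_bytes: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df: models a path whose MTU is `mtu_bytes`."""
    return lambda payload: payload + ICMP_HEADER + IP_HEADER <= mtu_bytes


if __name__ == "__main__":
    # Usage: python pmtu.py <remote IP reachable through the tunnel>
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    largest = find_max_payload(lambda n: ping_df(target, n))
    if largest < 0:
        print(f"no reply from {target} even for an empty payload")
    else:
        print(f"largest unfragmented payload to {target}: {largest} bytes "
              f"(path MTU {path_mtu(largest)})")
```

Run it against a host on the far side of the tunnel; a result well under 1500 (1400-1450 is typical for IPsec or OpenVPN encapsulation) tells you what MTU the tunnel interface, or the clients behind it, should be clamped to so that VNC's full-size segments no longer arrive as odd-sized fragments.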
-
All Linux, bar pfsense of course.
BTW, it's the LAN NIC on my side that times out
-
I bought today an X700 firebox, flashed latest nightly on a 4GB CF, and inserted on Firebox.
Firebox booted correctly into pfSense, followed the setup and assigned two NICs, and then continued booting until the "Bootup complete" message, and the beeper played the pfSense ring. And nothing …. the serial terminal doesn't respond, no welcome string, no main menu, no Control+C response, nothing ....
The only way out is switching off the Firebox.
What am I doing wrong?
Edit: I already tried with different nightlies, with equal results. Tried different NIC configurations, with LAN cables plugged and unplugged ... Nothing. Already tried the "hint.acpi.0.disabled=1". Nothing.
(sorry for my bad English)
Thanks!
-
I have the same issue, but even tho the console was useless the webgui was up on the LAN port.
I have since taken a break from working on the Firebox, waiting on my 512 RAM, 1.4GHz Celeron and 4GB microdrive to arrive.
-
But, it's the first run. I have no chance to assign an IP address to the LAN port. So, how can I access the webgui without an IP address?
Edit: pfSense 1.2.3 works perfectly. So, problem is with 2.0-BETA5.
Thanks.
-
Interesting. What is the date on the snapshot you were using?
-
Interesting. What is the date on the snapshot you were using?
I've tried snapshots from 3 days ago until today, and same result. Then, tried one from December (random pick) and same result.
But, I've used 1.2.3 and it works. Then, used the webgui to upgrade to latest snapshot (pfSense-2.0-BETA5-4g-i386-20110113-2030-nanobsd-upgrade.img.gz) and WORKS! Now I have 2.0-BETA5, but only upgrading from a configured and working 1.2.3.
Any idea ?
-
Pretty sure as soon as LAN interface goes up after initial configuration it's already assigned 192.168.1.1 and is also starting to hand out DHCP leases.
-
So re-seating the CPU got the firebox working!
Unfortunately, now when I try to run the laptop drive, it says boot error on the console. I tried connecting the laptop drive in both directions to the PATA cable. One way it says boot error, the other way I just get a blank screen on the LCD but nothing shows up in the terminal.
I am using a serial to USB adapter to try and connect to it on my laptop – do I need the special firebox console cable?
Thanks for your help.
-
No, it's a standard console cable.
The exact type is a DB9 Null Modem F/F Console Cable I believe.
-
This post and those following it explain what's happening:
http://forum.pfsense.org/index.php/topic,7458.msg84688/topicseen.html#msg84688
Assuming you installed pfSense to the HD by booting from a CD in a laptop.
If you select full install then the serial console isn't enabled by default so you can't see any errors.
You need to boot up the HD in the laptop and then, in the webgui, enable the serial console.
Steve
-
Hi Folks,
I thought I'd share my stress and success on getting pfSense running on an old Watchguard X700.
The box is using an 8GB CF card which has replaced the original 64Mb Watchguard CF card. (That's got monowall on it now, but don't tell anyone on this forum!)
Install was pretty straightforward - thanks to Doug Mitchell - http://dougmitchell.us/?p=401
However where I had an absolute nightmare was trying to create VPNs. I have three VPNs - one to work (Watchguard x750e firewall), one to a home test network (Watchguard X5) and one for my wife (Draytek Vigor 2820 firewall). Yes, she gets her own network!
Although I got the VPNs up and running and all firewalls confirmed that the VPNs were indeed there, no amount of playing around with firewall rules or examination of logs could produce any clue as to what the issue was.
Finally I had a thought; the Watchguard X firewalls have a VPN Accelerator…..I wonder....
Removed one VPN accelerator card (AV-SFB160) and switched back on. VPNs started pinging straight away.
Other mods; cut a hole above the CPU and put a 92mm fan above. The original CPU blower along with the three fans by the memory are just way too noisy!
Now everything is working a treat.
Lovin' pfSense - well done to everybody involved in such a great product.
All the best,
BigF