Successful Install on Watchguard Firebox X700!
-
I currently have 2 WG FB X700 (both static IP) in production both running pfsense 2.03REL. The main office has dual WAN connection due to them having issues with Comcast going down now and then. Primary connection is Comcast and backup is AT&T setup for load balancing.
The satellite office has a single Comcast connection and rarely has any downtime. They currently connect through an IPsec connection with AES-128 encryption. I assume it would be using the SafeXcel 1141 card and I have the use glxsb option ticked on (should I turn this off?). Reading the docs http://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#X-Core now it appears it isn't using the card at all? I guess I should be using Blowfish encryption instead?
Lately I've been having issues with the IPsec VPN connection where it loses the connection and restarting the racoon service doesn't fix the issue. Would OpenVPN be more robust in reconnections?
My other issue is the old issue with the Web GUI not responding (thought this was fixed in 2.03). When this happens, I try the reset webconfigurator (option 11) through a SSH connection and I get the endless … screen.
Restarting the firewall on either end (I usually just pick the one where the Web GUI stops responding) appears to fix the GUI and VPN connection.
-
Certainly I have failed to find any evidence that the Safenet card is used. It's doesn't seem to work via the FreeBSD crypto framework which is how it should work. There may be some software that talks to it directly without the framework.
I would choose OpenVPN for a pfSense-to-pfSense tunnel but that's probably because I have more experience with that (which isn't saying much!). I do believe that OpenVPN tends to be slower if your hardware is the limiting factor as it may well be with X700s.
Steve
-
After my very successful re-flash of a x1250e last week I'm going to try to
resurrect a old X500 with pfSense.A quick read of the docs and page one of this thread seems to indicate that you
boot a live CD on a laptop and install directly to the CF (I assume mounted via USB). Is
that still the recommended option? And what size CF card is needed for 2.x pfsense? Or
can I just write an image to the CF card as is done for the X-core-E models?The docs appear to be a little sparse regarding these details :) :) :)
-
Just write the image to CF and boot it. :)
It should mostly be covered in the doc page: http://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Installing_pfSense
Feel free to suggest any improvements in the related forum thread: http://forum.pfsense.org/index.php/topic,59821.0.htmlSteve
-
Just write the image to CF and boot it.
It does not say that anywhere that succinctly :) (The documentation is excellent, just missing that
small detail).No size restrictions like the x-core-e models? Can i use a 4gb?
-
There are no bios restrictions like the X-e boxes. Any card should boot.
The only thing to watch out for is the serial port quirk.Steve
-
Thanks, I've got to order another CF card and did not want to have problems.
-
I got another 4gb CF card and copied a 2.0.3 1GB image on it and it boots fine.
I have read about the serial port baud rate issue but I'm not clear on when to
change it. I go through the setup and skip the vlan setup and assign re0 to the WAN and re1 to
the LAN (no option not to) and then the system boots to "Bootup complete" and hangs.There is no chance that I see to assign IP's or access the webconfig command prompt to make
these changes:console="comconsole"
comconsole_speed="115200"Where is that supposed to happen?
-
The LAN interface will be on 192.168.1.1 with dhcp enabled by default. You should be able to access the box on that way to complete the setup wizard. In 2.0.3 you have the option of setting only WAN if you want to do it that way. Just press enter when it asks for the LAN interface.
Steve
-
Thanks, I was on a different sub-net so I never saw it on my network.
-
This is a really interesting POST. However, following the WatchGuard Hardware Guide, I'm concerned about the performances. Did you know if somebody have proceed with some benchtests?
-
I guess people haven't really tested it's maximum possible throughput because the NICs are limited to 100Mbps. See this post though: http://forum.pfsense.org/index.php/topic,7458.msg164371.html#msg164371
Watchguard claim ~275Mbps firewall throughput. The throughput in pfSense is likely to lower since it's FreeBSD rather than Linux. That's not always the case though. That figure refers to the maximum summed throughput on all interfaces so it's complex to setup and not relevant for most cases. You could group some interfaces using LAGG if you have a suitable switch but that still won't help unless your test stream is multiple connections.
What are you looking for in terms of performance? What are you using the box for?
Steve
-
Hello,
I want to install pfsense on a Firebox x700 but I don't have a serial cable and I can't therefore reach the console to go through the initial configuration.
Could someone be so kind to share an image of their working embedded 4g pfsense with LCD driver / WGXepc and post a download link?
Thanks
-
I could probably manage that sometime this weekend, I'll have to check the status of my X-Core box. However you should really have a serial console cable. Sometimes it's the only way of accessing the box, if you've accidentally locked yourself out for example. They are very cheap and easily available (in most places).
Steve
-
I could probably manage that sometime this weekend, I'll have to check the status of my X-Core box. However you should really have a serial console cable. Sometimes it's the only way of accessing the box, if you've accidentally locked yourself out for example. They are very cheap and easily available (in most places).
Steve
Thanks Steve, the image would give me the instant gratification we all crave :) even though I guess buying a serial cable is inevitable…
-
Steve,
Have you ever tried to use the 256mb CF card that came in the firebox to install pfsense or you just get bigger cf cards?
I hate going out to buy one if i dont have to.
I managed to pick up a x550e this week for $50
Jeff
-
The smallest pfSense Nano image is 512MB. The price of 2GB CF cards is pretty low but I agree I hate spending money unnecessarily. ;)
Steve
-
Steve, have you ever tried to use the 256mb CF card that came in the firebox to install pfsense or you just get bigger cf cards? I hate going out to buy one if i dont have to. I managed to pick up a x550e this week for $50. Jeff
Search eBay and you'll see Hitachi 4gb microdrives listed for $5 shipped, not a big investment :)
-
Careful with those. Not all microdrives support ATA mode on the interface.
http://doc.pfsense.org/index.php/Microdrive_embedded_installationsSteve
-
Today I had an issue with the webgui so I decided to reboot through the LCD, I did hear the speaker where it would indicate it was going to reboot but after about a minute I tried the procedure again and that didn't work. So I just manually flipped the switch. When I turned it back on, all I got on the LCD was a bunch of blocks on the top half the of the display.
Has anyone run into this issue where the CF fails to boot? I've had this in production for about 3 months running pfSense 2.03 upgraded from 2.02.
I'm not sure if I saved the configuration so is there a way for me to extract the configuration before rewriting the CF? This is using a 2GB Team CF rated 133X.