WatchGuard Firebox XTM505 pfsense conversion - what to do next?



  • Hi,

    I've recently converted an XTM505 to Pfsense. Not much to say there as it was child's play (coming from a pfsense noob). Just a case of getting another CF card in with the image.

    However I've read this post https://forum.pfsense.org/index.php?topic=43574.0 - which contains so many different bits of info, I'm not sure what to do and how to do it next:

    1. So far I believe you can upgrade RAM and CPU (within allowable types) without any BIOS mods.
       • Any particular RAM chips people recommend with this box?

    2. I could run pfSense totally off a SATA HDD instead of CF if I wanted to, by changing boot order in the original BIOS? Reasons being I want to run snort and squid and the writes would kill the CF.

    3. From what I see BIOS modification benefits are:
       • the arm / disarm LED works properly
       • I can change fan settings either in BIOS / via wgxepc? I am concerned my box is running 55C idle when nothing else was on it?
       • the USB is unlocked in the BIOS? What's the benefit of doing that? Surely that's a security risk unless I'm missing something?

    4. The post here https://forum.pfsense.org/index.php?topic=43574.msg411885#msg411885 shows you can flash the BIOS directly from within the UI of pfSense?

    5. I'm confused how I go about modifying LCDproc to work properly on this box.

    I guess essentially what I am after are some "dumb" instructions for flashing the BIOS, getting wgxepc and lcdproc working properly. Sorry if this is covered elsewhere, I am yet to find it if so.

    Many Thanks.


  • Netgate Administrator

    1. It doesn't seem particularly fussy in terms of RAM or CPUs. Some people have put much faster quad core processors in there.

    2. Yes you can boot from a hard drive but you may need to flash the unlocked bios otherwise it will only boot from CF. Hmm, I'm unsure on that now.

    3. Yes the LED works correctly, at least as I defined correct to be.  ;) WGXepc works fine on the original bios, no need to flash the bios. Yes allowing booting from the USB is a security risk, that's why Watchguard have it disabled. Most of us who have one of these boxes are not using it in a public area where it might be interfered with, which is a bigger security risk any way.

    4. It does. Unlike previous models you can flash this using the flashrom program from within pfSense. It's a command line tool though.

    5. Lcdproc runs as it does on the other boxes, not that well!  ::) I use this procedure:
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Installing_lcdproc_and_the_SDECLCD_driver

    Steve



  • Re question 2:
    Yes it booted off the SATA HDD, no BIOS modding required. I simply installed pfSense using an old laptop and selected standard kernel as the last option.

    Also to add, the settings backup from NanoBSD and restore to the full install BSD worked without issue. The packages were shown in the menus but failed. After installing the packages all worked as previously (in terms of settings).

    Re question 1:
    Can anyone share any preferences for RAM chips? There are loads on eBay that say only AMD compatible, so I presume given this is an Intel setup I can't choose those - although I would like to as they aren't as high so I know they would fit in the case without issue.

    Thanks.


  • Netgate Administrator

    As far as I know any DDR2 DIMMs should work as long as they are rated fast enough. The chipset should support 8GB but one user reports 2x4GB failed to boot:
    https://forum.pfsense.org/index.php?topic=43574.msg413569;topicseen#msg413569

    RAM is not normally specified as AMD or Intel specific, do you have a link?

    Steve



  • Hi Steve,

    example link shown:
    http://www.ebay.co.uk/itm/New-8GB-4X2GB-DDR2-800Mhz-PC2-6400U-240pin-Dimm-Memory-Ram-Fit-AMD-Motherboard-/141233430289?pt=UK_Computing_ComputerComponents_MemoryRAM_JN&hash=item20e22b1f11

    It talks of it being high density RAM only compatible with AMD. I've just bought some Hynix RAM off eBay (2x2GB). Waiting for the E4500 CPU, thermal paste and SATA caddy to arrive and going to do it all in one hit.

    My setup is still very hot though, 57C on idle. Admittedly it's in a cupboard, but I've built an in-line extract fan into the cupboard (sucking hot air out).


  • Netgate Administrator

    Hmm, odd. I've never seen that before and it doesn't make much sense to me. The DDR2 standard is not platform specific. Anything that claims to only work in specific boards is probably best avoided I would think. At the very least you wouldn't be able to return it if it didn't work.

    57C doesn't seem too hot to me though it is a lot hotter than my box runs. What's the ambient temperature in the cupboard? Do you have the fans run as the default temperature target?

    Steve



  • Hi Steve,

    I ended up purchasing some "Hynix" branded RAM that matched the brand of that in my stock XTM505. 4GB works no problem. I've also swapped the CPU for an E4500 with some Cooler Master copper paste. Current idle temps are about 39-40C with no other environmental changes.

    The BIOS is currently stock - next on the list to modify to get the fan speed up! Cupboard temps are around 24C, but the main heat I believe comes from a Netgear GS748T switch - that thing gets hot for no reason!


  • Netgate Administrator

    Hmm, my test XTM5 here idles at about 30C in a ~20C ambient. That's with the modified BIOS but the fan speeds and target temperatures set as standard. I wouldn't worry too much, those temps are well within the limits.

    Steve



    In my experience, I ran into some memory that would not work. Those specified as for AMD only will not work, they are high density. Only the low density DDR2 will work. I did some research a few years back, and I think it had something to do with AMD CPUs at this time having the memory controllers on the CPU, while Intel CPUs depended on motherboard chipsets to control the memory. AMD therefore had a wider range of RAM compatibility. As a result the low density, high capacity DDR2 are more rare to find and cost more.

    Confirmed DDR2-400, DDR2-533 are too slow and will not work. DDR2-667, not sure
    Confirmed DDR2-800, DDR2-1066 works

    Regarding the temperature you see on these XTM5/8: it relies on coretemp software in pfSense. Years ago I found out that when coretemp was compiled for pfSense the temperature range was based on 0 to 100C. This really messed up the range for CPUs whose max temp (Tcase) was below 100C, which included a lot of the server CPUs. I don't think this ever got fixed in pfSense, it's a minor bug, basically the temperature scaling is off. I'm using Intel L4520, and the BIOS temp is usually 10~15*C lower than coretemp.

    I'm no expert, hopefully someone can confirm or deny this information.


  • Netgate Administrator

    Indeed the actual figure reported by the driver is the offset value from TJMAX and that value is often incorrect for the CPU resulting in a constant offset from the real temperature.

    You can find out what value it thinks TJMAX is:

    [2.3.2-RELEASE][root@xtm5.stevew.lan]/root: sysctl dev.cpu.0
    dev.cpu.0.temperature: 29.0C
    dev.cpu.0.coretemp.throttle_log: 0
    dev.cpu.0.coretemp.tjmax: 85.0C
    dev.cpu.0.coretemp.resolution: 1
    dev.cpu.0.coretemp.delta: 56
    dev.cpu.0.cx_usage: 100.00% last 475us
    dev.cpu.0.cx_lowest: C1
    dev.cpu.0.cx_supported: C1/1/0
    dev.cpu.0.%parent: acpi0
    dev.cpu.0.%pnpinfo: _HID=none _UID=0
    dev.cpu.0.%location: handle=\_PR_.P001
    dev.cpu.0.%driver: cpu
    dev.cpu.0.%desc: ACPI CPU
    
    

    The indicated temperature is tjmax - delta.

    There are some values hardcoded into the driver and others are read from an MSR if it's available. I don't believe there's any way of changing that other than recompiling the driver with different values.
    https://svnweb.freebsd.org/base/release/10.3.0/sys/dev/coretemp/coretemp.c?revision=297553&view=markup

    Steve



    Only to add here - this box is capable of the 64bit build if you're not already doing so..

    :)


  • Netgate Administrator

    Indeed and you should switch now if you're still running 32bit before it becomes an issue. 2.4 is still beta….. for now.

    Steve