Watchhguard x1000 Boot Error



  • Hello all,

    Need your help.

    i'm having a hard time trying to get Pfsense installed on my Watchguard Firebox X1000. I'm not able to get in via serial console, tried Putty, TeraTerm with different bauds and still no luck( before boot error). I'm also having an issue with a boot error that gets displayed on the lcd. This error recently started after my attempts to get consoled into the firebox. Not sure how to fix this. Is this thing bricked?

    Thanks


  • Netgate Administrator

    So you've previously had pfSense running on the box? Or any other OS? Does it still boot the Watchguard OS?
    Hard to see how you could have set anything permanent just by having the console connected.  :-\

    Steve



  • At first it booted the watchguard OS fine. I tried installing monowall at first on original card until my new cf card came in. Tried getting in via console in Ubuntu and in Windows, no luck. I bought a new serial cable still not able to console in. I received my card 8gig Kingston (read somewhere you can use larger capacity) installed correct version/size of pfsense , didn't work. Even tried the bios img to see if I hear the 3 beeps. I was able to hear the beeps but was not able to console in. Not sure what I' did but started to get this boot error. I know I didn't do any type of configuration because I was not able to console in with any of my attempts.


  • Netgate Administrator

    Ah, so you no longer have a card with the Watchguard OS on to try?
    Has it ever booted m0n0wall succefully?
    How are you writing the images to the card?
    If you booted the FreeDOS image and heard the beeps but saw no output on the console then it's very likely your serial cable is incorrectly wired.
    Try removing the CF card completely and power on the box, does it behave any differently?
    You could try reseting the CMOS with the onboard jumper in case you've somehow managed to make some change without realising it.

    Steve



  • Yeah no watchguard OS.. should have backed up…Monowall never installed..I'm writing the images with PhysGui and I tried win32 disk imager... also removed the card and no change..CMOS didn't work. I tried 2 new serial cables both did not console me in.


  • Netgate Administrator

    Hmm. Could be that both serial cables are bad. Have you proved either of them with any other OS or hardware? Have you read:
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Not_All_Null_Modem_Cables_are_Created_Equal.21

    Since the FreeDOS image is the only thing that has booted, even if you couldn't see the console, I'd try that again. It does seem to be possible to somehow destroy the formatting on the card to such an extent that it requires 'zeroing' the whole card before re-imaging. It's hard to imagine how that could prevent an image written bit-by-bit from succeeding though, I've never had an issue.

    Steve



  • Yeah..I think you are right. I was getting a bunch of issues trying to write to the cards at times… had to use the diskpart utility in windows to fix the cards ..going to give it another shot if not this thing is going up on ebay ...do you have a preferred cf card and serial cable? I'm also thinking the serial port could be bad.


  • Netgate Administrator

    @tinkernut02:

    had to use the diskpart utility in windows to fix the cards.

    That's not a good sign. The file system used by pfSense is UFS which isn't readable in Windows. The cards should appear as corrupt or unformatted if you try to view them in Windows. The FreeDOS image is FAT32 so is readable. (might even be FAT16)
    There is no need to do any formatting or partitioning as all that is contained in the card image.

    Presumably you used one of the serial cables with the Watchguard OS before you wiped the card?

    Steve



  • Had to use the Diskpart utility due to card losing capacity. I guess windows didn't like the card. it would drop from 8gig down to 1.8gigs and would not let me write to it. Diskpart would bring it back to 8gigs and allow me to write the img. Not sure why, anyway also tried a new CMOS battery which didn't help. :'(


  • Netgate Administrator

    Seeing a 1.8GB partition would be righf if you had written it with a 4GB image previously.
    Physdisk shouldn't have a problem wrting to it even if whatever formatting is on it is completely screwed.
    It could be that it won't see your 8GB card correctly. CF cards that big didn't exist when that box was designed.

    Steve



  • Steve,
    Is there a way I can access the bios through PCI video card and keyboard. I googled and found a picture of a watchguard x500 with a video card and keyboard. Want to give this a try.



  • Netgate Administrator

    Yep, pretty much just as shown in the picture. You need PCI graphics card, which are not common these days, and a PS2 keyboard header (and keyboard).

    Steve



  • Would this be the pins to connect to? If so, what are the specs for these pins for keyboard?



  • Netgate Administrator

    Yes that's it. The pinout is given somewhere here on the forum, in the X700 thread I think. It's a standard pinout though if you already have a ps2 header cable. Of course they were found on PCs that came with an AT keyboard as standard but those are rare now.  ;)

    Steve

    https://forum.pfsense.org/index.php?topic=20242.0



  • Steve,

    Very cool. Going to look for a cheap PCI card on eBay and try this. Thanks for the help.



  • Okay… got some progress here. Bought a PCI card and did the keyboard setup and was able to get into the bios. I was able to fix the boot error but now I'm getting this issue while trying to install pfsense "ad1: TIMEOUT/FAILURE-READ DMA". Do you have any ideas of a fix.



  • Netgate Administrator

    Ok, so the CF slot on the Watchguard box doesn't have the IDE DMA lines connected. That's common to many CF slots. If your card is new and fast enough it will support DMA and will be reporting to the OS and BIOS that it's DMA capable. pfSense tries to use DMA and you get errors as you're seeing.
    For this reason DMA is disabled in the NanoBSD snapshots. However it isn't disabled on the Nano+VGA snapshots because those were originally built for a box that required DMA to boot. I assume you're booting the Nano+vga image because you're running the PCI card? You need to disable DMA by doing this:
    https://doc.pfsense.org/index.php/Boot_Troubleshooting#Disable_DMA_for_IDE_drives

    Steve



  • Okay got it…. disabled DMA... still stuck..trying to add line to boot loader. Keep on getting a /boot/loader.conf.local: not found. Where do I  enter this text?

    Stuck at this point.

    After the installation, add the following line to /boot/loader.conf.local:

    To disable DMA for hard drive(s):
    hw.ata.ata_dma=0

    To disable DMA for optical drives:
    hw.ata.atapi_dma=0


  • Netgate Administrator

    It's not a file that's included by default you have create it. You can do this at the console (or probably via the Command screen in Diagnostics):

    echo 'hw.ata.ata_dma=0' >> /boot/loader.conf.local
    

    No need to worry about optical drives.

    Steve

    Edit: Yes you can do that in Diagnostics: Command Prompt:



  • Got it finally…pfsense is booting perfectly..thank you for the help Steve... Do you have a guide on lcdproc setup..downloaded the packages and nothing on LCD.... thanks again.  :P


  • Netgate Administrator

    It's a bit of a fiddle to setup because the lcdproc package doesn't play nicely with the sdeclcd driver that's required. There's a link in the wiki page but this is where you want to look:
    https://forum.pfsense.org/index.php/topic,7920.msg344513.html#msg344513

    Steve



  • Thanks Steve..It worked!!!



  • Steve,

    Do you have a how to guide for WGXepc setup? Sorry to keep bugging ;D.Thanks


  • Netgate Administrator

    Also on the wiki page.  :D
    https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Controlling_hardware_with_WGXepc
    You can use Shellcmd to run it at boot.

    Actually reading back through that section it could use an update. Still valid for your box though.

    Steve



  • Thanks for the help..got pfsense running but the internet is really slow. Web pages do not load or load very slowly to the point where its not usable. Strange thing YouTube loads well but other sites do not. Theres many threads here but do not know where to start. What would cause a slow internet connection?..one thing that has been bugging me is the amber light on the modem link light. It only turns amber when connected to the watchguard/pfsense. Modem is an Arris model# CM820A. My set up is ..modem to watchguard @192.168.0.1…watchguard to Cisco 3550 catalyst switch@192.168.0.24...Access Point dlink DGL 4500(DHCP disabled) @192.168.0.5...and a Linksys router as a repeater bridge flashed with ddwrt@192.168.0.2. The only rules I set were for Xbox live for the Xbox one, which actually set my Nat to open.
    Thanks


  • Netgate Administrator

    Unusual link light on the modem sounds like it could be connected at 10Mbps or maybe half duplex. Either would indicate a failure in the speed/duplex negotiation which could definitely cause slow and erratic throughput. Check the Status: Interfaces: page for errors or collisions and the link state. The Realtek NICs in the X-Core are known to be pretty poor unfortunately, I would normally suggest trying to set a fixed speed and duplex but that may not work for you. Worth trying though.

    One thing to try is putting a switch in between your modem and the X1000 if you can.

    Try to confirm the throttling is at the WAN interface by downloading something on the firebox itself. At the command line:

    [2.1.5-RELEASE][root@pfsense.fire.box]/root(1): fetch -o /dev/null http://109.123.87.183/speedtest.256mb
    /dev/null                                     100% of  256 MB 8307 kBps 00m00s
    
    

    The file is from the London test site at http://www.cloudtestfiles.net. You should choose a server local to yourself.

    Steve



  • okay changed to 100base full duplex. I also changed DNS to 8.8.8.8 …8.8.4.4. on PC ...now I'm getting improved web access..speedtest.net speeds are 34.71 download and 4.95 upload.  not my usual 50 down and 5 up but an improvement. Looks like a DNS issue. Also, can't get wireless connected.


  • Netgate Administrator

    You tried the download test at the machine and you are seeing the low throughput there?
    No errors or collisions?

    Did you set it to 100Mb-FD at both ends?

    Hard to say about the wireless. What's not working? DHCP? DNS? general connectivity? Do you see firewall hits in the logs?

    Steve



  • Steve thanks again for your help…I went ahead and set pfsense back to default and tried fresh setup..I was able to get it working right w/wireless. I just added googles DNS 8.8.8.8 at set up and everything started playing nice..



  • @stephenw10:

    It's a bit of a fiddle to setup because the lcdproc package doesn't play nicely with the sdeclcd driver that's required. There's a link in the wiki page but this is where you want to look:
    https://forum.pfsense.org/index.php/topic,7920.msg344513.html#msg344513

    Steve

    I fixed the problem on all my WatchGuard units by editing the following file.

    /usr/local/pkg/lcdproc.inc

    	define('LCDPROC_HOST','localhost');
    	define('LCDPROC_PORT','13666');
    

    My changes: See line 36

    	define('LCDPROC_HOST','127.0.0.1');
    	define('LCDPROC_PORT','13666');
    

Log in to reply