Watchguard questions



  • Hi all, new to the forum, watchguards and pfSense.

    I have pfSense 2.1 up and running on my 550 Core with an 8 Gig card within.  I have it set to bring up two PPPoE DSL connections and I am trying to figure out the following.

    (1) Load Balancer, I can't figure this out.
    (2) Newer Versions will not install, gives me an error when installing, there is an update available. (using WebGUI).
    (3) I run a FreePBX server on my network, it uses dynamic addressing on a server with a static IP, used this once on a load balancing router but it failed to update the correct address.  Can this be solved using routing?

    I want to put my complete network behind this device as you can imagine, I am just looking to secure my network a little more and remove a lot of devices I have right now to cut down on cables, PSUs and all that extra crap.

    Thanks for any input.



  • Actually none of the questions you posted are bound by the fact that you are re-purposing Watchguard hardware.

    Look in each of the subforums related to your questions and you might better find your answers there.

    1. Load Balance forum

    2. Install questions

    3. Packages


  • Netgate Administrator

    Yep, with the possible exception of updating the firmware.
    What errors are you seeing? How are you trying to run the update?

    Steve



  • Sorry, I gave up on it for a while.

    I have it out and running right now and will lay out the specs and issues if anyone can chime in.

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:44 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Unit is running and functioning fine, the only issue I have is with modules and updating pfSense.

    When I try to update pfSense I get this error….

    pfsense something went wrong when trying to update the fstab entry, aborting upgrade

    Modules like SNORT will not install updates

    snort rules md5 checksum fail

    This is probably due to the older pfSense core, which I can't update.

    My box is a WatchGuard Firebox X550e, installed is a 5GB Flash.  As mentioned, it is working but needs to be upgraded so I can use SNORT among other modules.

    If someone could point me in the right direction?  I have trawled the forums but can't find anything specific.  Still looking also.


  • Netgate Administrator

    Are you running a full install on that CF card or Nano?
    If it's a full install it may have killed the card. Or possibly filled it if you have a lot installed.
    What do you see from:

    df -hi
    

    at the command line?

    Steve



  • I am certain it is a nano, it says it's the 4G nano on the main screen.  I can check when I get home.



  • This is the output…

    Filesystem           Size    Used   Avail Capacity iused ifree %iused  Mounted on
    /dev/ufs/pfsense0    1.8G    326M    1.3G    19%     14k  228k    6%   /
    devfs                1.0k    1.0k      0B   100%       0     0  100%   /dev
    /dev/md0              38M    7.8M     27M    22%     272  5.1k    5%   /tmp
    /dev/md1              57M     19M     34M    36%     158  7.8k    2%   /var
    devfs                1.0k    1.0k      0B   100%       0     0  100%   /var/dhcpd/dev
    
    

    Edit: Changed to a code box which makes it easier to read. Steve.



  • Anyone have a clue?



  • Think I might know why now, compact flash does not allow writing to it.  So I would need to either, download the 2.2.2 NanoBSD release and install onto the flash, or maybe install a 2.5" HD into the unit and try it that way.

    Does this make sense? anyone installed an HD into one of these FireBoxes?



  • So I guess I will run this until I can build another machine, judging by the lack of replies this venture needs to be scrapped.

    Thanks anyway.


  • Netgate Administrator

    Sorry Dean I missed your last reply for some reason.
    No, the fact the filesystem is mounted read-only in Nano should not make any difference here. The upgrade procedure is part of the Nano structure, it will re-mount RW as required.
    Yes, quite a few people have installed 2.5" HD in the fireboxes. I have one running here right now.
    The symptoms you describe are as though it's trying to run a regular update on a Nano install which is very odd. Nano doesn't use the fstab for example. That could just be an error message left over and not relevant here. Snort updates can fail for other reasons. I am running Snort on Nano here and it runs fine.

    Looking again at your output it looks like you don't have a /conf partition mounted which is critical in Nano. Here's one of my boxes:

    $ df -hi
    Filesystem           Size    Used   Avail Capacity iused ifree %iused  Mounted on
    /dev/ufs/pfsense0    443M    276M    131M    68%    6.6k   52k   11%   /
    devfs                1.0K    1.0K      0B   100%       0     0  100%   /dev
    /dev/ufs/cf           49M    7.4M     38M    16%      41  6.5k    1%   /cf
    /dev/md0              38M    3.1M     32M     9%     206  5.4k    4%   /tmp
    /dev/md1              77M     27M     44M    38%     186   11k    2%   /var
    devfs                1.0K    1.0K      0B   100%       0     0  100%   /var/dhcpd/dev
    

    I would suggest you get a new CF card. Write the 2.2 image to it and restore your old config.

    Steve
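
The comparison Steve makes by eye in the post above, as an added example that is not part of the original posts: a small shell check that reads `df -hi` output and reports which expected mounts are absent and which are close to full. The required mount list is an assumption taken from the working box's listing, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the mounts a NanoBSD
# install should show are those in the working box's listing.
REQUIRED_MOUNTS="/ /cf /tmp /var"

# Read `df -hi` output on stdin; print required mount points that are absent.
missing_mounts() {
    awk -v req="$REQUIRED_MOUNTS" '
        $1 == "Filesystem" || NF < 9 { next }    # header, prompt, blank lines
        { seen[$NF] = 1 }                        # last field = mount point
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++)
                if (!(r[i] in seen)) out = out (out == "" ? "" : " ") r[i]
            print out
        }'
}

# Print mounts whose block or inode usage is at or above LIMIT percent
# (default 90). devfs always reports 100% and is skipped.
full_mounts() {
    awk -v limit="${1:-90}" '
        $1 == "Filesystem" || $1 == "devfs" || NF < 9 { next }
        {
            cap = $5; ino = $8
            sub(/%/, "", cap); sub(/%/, "", ino)
            if (cap + 0 >= limit || ino + 0 >= limit)
                out = out (out == "" ? "" : " ") $NF
        }
        END { print out }'
}

# Sample input: trimmed copies of the two listings posted in the thread.
broken_df() { cat <<'EOF'
Filesystem           Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/ufs/pfsense0    1.8G    326M    1.3G    19%     14k  228k    6%   /
devfs                1.0k    1.0k      0B   100%       0     0  100%   /dev
/dev/md0              38M    7.8M     27M    22%     272  5.1k    5%   /tmp
/dev/md1              57M     19M     34M    36%     158  7.8k    2%   /var
EOF
}
healthy_df() { cat <<'EOF'
Filesystem           Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/ufs/pfsense0    443M    276M    131M    68%    6.6k   52k   11%   /
devfs                1.0K    1.0K      0B   100%       0     0  100%   /dev
/dev/ufs/cf           49M    7.4M     38M    16%      41  6.5k    1%   /cf
/dev/md0              38M    3.1M     32M     9%     206  5.4k    4%   /tmp
/dev/md1              77M     27M     44M    38%     186   11k    2%   /var
EOF
}

echo "first listing missing: $(broken_df | missing_mounts)"
echo "working box missing:   $(healthy_df | missing_mounts)"
```

On a live box the same functions take the real output: `df -hi | missing_mounts` and `df -hi | full_mounts 90`.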



  • So it might not be a waste then….

    I don't know where the FSTAB issue is coming from, it was a new install on to a new CF card.  I followed the instructions on this forum to load the original unit, it was not bought like this.

    I would like to go the HD way, but from reading about it, it sounds like it could be a pain to do.  At least if I did that, I could go with a full install on this unit?

    I could also just pull the CF and burn the 2.2 nano onto it.  So many options, but would like to hear from the horse's mouth on how easy/difficult this might be to do.  I am kinda a linux newbie, but know enough to get myself into trouble most times.. lol

    Thanks for your help and wisdom in this matter.

    Dean


  • Netgate Administrator

    Well something has clearly gone badly wrong with your current install. With no /conf partition you can't store the config among other things, all bad!
    Possibly your CF is slightly too small. It usually gives an error when writing the image if that's the case. If it's a 4GB card try using the 2GB image instead to be sure.

    If you are using the V8.1 (or V0.81 depending where you look!) BIOS then you can boot from most HDs without much difficulty. The box I have here is booting an IDE SSD with all the BIOS and boot loader settings at their default values.

    And FYI pfSense is built on FreeBSD which isn't Linux.  ;) (though similar in many ways!)

    Steve



  • See, I told you I was a NOOB lol.

    Surely, judging on the free space and the fact it is running, should indicate the card is big enough?



  • I am not sure how to proceed with this right now, it is in production.  Running two DSL connections, if I take it down, well there goes my internet.

    Might have to do this tonight.



  • Interestingly enough, looking into the missing directories, I am looking in the DEV folder.  There are a lot of files inside with a zero size, in fact almost all of them are of a zero size.  I am off to find instructions on how to use an HD.

    Can I run a full blown version on an HD?



  • I thought the card was big enough, it is an 8gb Kingston CF.  Maybe it was a bad image?


  • Netgate Administrator

    If the card is 8GB then any image size should be fine then. Some CF cards that claim to be, say, 2GB are actually slightly smaller. Over the years the devs have reduced the image size slightly to allow for this but people keep finding ever smaller CF cards all of which claim to be bigger.
    The /dev folder holds the device filesystem where real devices are represented. Most are links to pieces of hardware or drivers that are supposed to be 0 size.

    [2.2.1-RELEASE][root@pfsense.fire.box]/root: ls -l /dev
    total 3
    crw-r--r--  1 root  wheel     0x23 Mar 17 22:35 acpi
    lrwxr-xr-x  1 root  wheel        4 Mar 17 22:35 ad0 -> ada0
    lrwxr-xr-x  1 root  wheel        6 Mar 17 22:35 ad0s1 -> ada0s1
    lrwxr-xr-x  1 root  wheel        7 Mar 17 22:35 ad0s1a -> ada0s1a
    lrwxr-xr-x  1 root  wheel        6 Mar 17 22:35 ad0s2 -> ada0s2
    lrwxr-xr-x  1 root  wheel        7 Mar 17 22:35 ad0s2a -> ada0s2a
    lrwxr-xr-x  1 root  wheel        6 Mar 17 22:35 ad0s3 -> ada0s3
    crw-r-----  1 root  operator  0x5d Mar 17 22:35 ada0
    crw-r-----  1 root  operator  0x5f Mar 17 22:35 ada0s1
    crw-r-----  1 root  operator  0x66 Mar 17 22:35 ada0s1a
    crw-r-----  1 root  operator  0x61 Mar 17 22:35 ada0s2
    crw-r-----  1 root  operator  0x68 Mar 17 22:35 ada0s2a
    crw-r-----  1 root  operator  0x63 Mar 17 22:35 ada0s3
    crw-------  1 root  wheel     0x26 Mar 17 22:35 agpgart
    crw-rw-r--  1 root  operator  0x25 Mar 17 22:35 apm
    crw-rw----  1 root  operator  0x24 Mar 17 22:35 apmctl
    crw-------  1 root  wheel     0x36 Mar 17 22:35 atkbd0
    crw-------  1 root  kmem      0x1d Mar 17 22:35 audit
    crw-------  1 root  wheel      0xb May 10 17:44 bpf
    lrwxr-xr-x  1 root  wheel        3 Mar 17 22:35 bpf0 -> bpf
    crw-------  1 root  wheel      0x6 Mar 17 22:47 console
    crw-------  1 root  wheel      0x7 Mar 17 22:35 consolectl
    crw-rw-rw-  1 root  wheel     0x3c Mar 17 22:35 crypto
    crw-rw-rw-  1 root  wheel     0x22 Mar 17 22:35 ctty
    crw-rw----  1 uucp  dialer    0x2a Mar 17 22:35 cuau0
    crw-rw----  1 uucp  dialer    0x2b Mar 17 22:35 cuau0.init
    crw-rw----  1 uucp  dialer    0x2c Mar 17 22:35 cuau0.lock
    crw-rw----  1 uucp  dialer    0x30 Mar 17 22:35 cuau1
    crw-rw----  1 uucp  dialer    0x31 Mar 17 22:35 cuau1.init
    crw-rw----  1 uucp  dialer    0x32 Mar 17 22:35 cuau1.lock
    crw-------  1 root  wheel      0x5 Mar 17 22:35 devctl
    cr--r--r--  1 root  wheel     0x4f Mar 17 22:35 devstat
    dr-xr-xr-x  2 root  wheel      512 May 10 01:01 diskid
    dr-xr-xr-x  2 root  wheel      512 Mar 17 22:35 fd
    crw-------  1 root  wheel      0xd Mar 17 22:35 fido
    crw-r-----  1 root  operator   0x3 Mar 17 22:35 geom.ctl
    crw-------  1 root  wheel     0x1f Mar 17 22:35 io
    lrwxr-xr-x  1 root  wheel        6 Mar 17 22:35 kbd0 -> atkbd0
    lrwxr-xr-x  1 root  wheel        7 Mar 17 22:35 kbd1 -> kbdmux0
    crw-------  1 root  wheel      0x8 Mar 17 22:35 kbdmux0
    crw-------  1 root  wheel     0x21 Mar 17 22:35 klog
    crw-r-----  1 root  kmem       0xf Mar 17 22:35 kmem
    crw-------  1 root  wheel     0x33 Mar 17 22:35 lpt0
    crw-------  1 root  wheel     0x34 Mar 17 22:35 lpt0.ctl
    crw-r-----  1 root  operator  0x65 Mar 17 22:35 md0
    crw-r-----  1 root  operator  0x6a Mar 17 22:35 md1
    crw-------  1 root  wheel     0x3f Mar 17 22:35 mdctl
    crw-r-----  1 root  kmem       0xe Mar 17 22:35 mem
    crw-rw-rw-  1 root  wheel     0x1e Mar 17 22:35 midistat
    crw-------  1 root  kmem      0x16 Mar 17 22:35 nfslock
    crw-rw-rw-  1 root  wheel     0x10 May 10 18:00 null
    crw-------  1 root  operator  0x50 Mar 17 22:35 pass0
    crw-r--r--  1 root  wheel     0x12 Mar 17 22:35 pci
    crw-rw----  1 root  proxy     0x3b Mar 17 22:35 pf
    crw-------  1 root  wheel     0x35 Mar 17 22:35 ppi0
    crw-rw-rw-  1 root  wheel     0x13 Mar 17 22:35 ptmx
    dr-xr-xr-x  2 root  wheel      512 May 10 18:00 pts
    crw-rw-rw-  1 root  wheel     0x14 Mar 17 22:35 random
    cr--r--r--  1 root  wheel      0x4 Mar 17 22:35 sndstat
    crw-------  1 root  wheel     0x20 Mar 17 22:35 speaker
    lrwxr-xr-x  1 root  wheel        4 Mar 17 22:35 stderr -> fd/2
    lrwxr-xr-x  1 root  wheel        4 Mar 17 22:35 stdin -> fd/0
    lrwxr-xr-x  1 root  wheel        4 Mar 17 22:35 stdout -> fd/1
    crw-------  1 root  wheel      0xa Mar 17 22:35 sysmouse
    crw-------  1 root  tty       0x27 May  9 20:55 ttyu0
    crw-------  1 root  wheel     0x28 Mar 17 22:35 ttyu0.init
    crw-------  1 root  wheel     0x29 Mar 17 22:35 ttyu0.lock
    crw-------  1 root  wheel     0x2d Mar 17 22:35 ttyu1
    crw-------  1 root  wheel     0x2e Mar 17 22:35 ttyu1.init
    crw-------  1 root  wheel     0x2f Mar 17 22:35 ttyu1.lock
    crw-------  1 root  tty       0x51 May  9 20:55 ttyv0
    crw-------  1 root  wheel     0x52 Mar 17 22:35 ttyv1
    crw-------  1 root  wheel     0x53 Mar 17 22:35 ttyv2
    crw-------  1 root  wheel     0x54 Mar 17 22:35 ttyv3
    crw-------  1 root  wheel     0x55 Mar 17 22:35 ttyv4
    crw-------  1 root  wheel     0x56 Mar 17 22:35 ttyv5
    crw-------  1 root  wheel     0x57 Mar 17 22:35 ttyv6
    crw-------  1 root  wheel     0x58 Mar 17 22:35 ttyv7
    crw-------  1 root  wheel     0x59 Mar 17 22:35 ttyv8
    crw-------  1 root  wheel     0x5a Mar 17 22:35 ttyv9
    crw-------  1 root  wheel     0x5b Mar 17 22:35 ttyva
    crw-------  1 root  wheel     0x5c Mar 17 22:35 ttyvb
    crw-------  1 uucp  dialer    0x6c Mar 17 22:36 tun1
    dr-xr-xr-x  2 root  wheel      512 Mar 17 22:35 ufs
    dr-xr-xr-x  2 root  wheel      512 Mar 17 22:35 ufsid
    crw-------  1 root  wheel     0x38 Mar 17 22:35 ufssuspend
    lrwxr-xr-x  1 root  wheel        9 Mar 17 22:35 ugen0.1 -> usb/0.1.0
    lrwxr-xr-x  1 root  wheel        9 Mar 17 22:35 ugen1.1 -> usb/1.1.0
    lrwxr-xr-x  1 root  wheel        9 Mar 17 22:35 ugen2.1 -> usb/2.1.0
    lrwxr-xr-x  1 root  wheel        9 Mar 17 22:35 ugen3.1 -> usb/3.1.0
    lrwxr-xr-x  1 root  wheel        9 Mar 17 22:35 ugen4.1 -> usb/4.1.0
    lrwxr-xr-x  1 root  wheel        6 Mar 17 22:35 urandom -> random
    dr-xr-xr-x  2 root  wheel      512 Mar 17 22:35 usb
    crw-r--r--  1 root  operator  0x3d Mar 17 22:35 usbctl
    crw-------  1 root  operator  0x3e Mar 17 22:35 xpt0
    crw-rw-rw-  1 root  wheel     0x11 Mar 17 22:35 zero
    
    

    Steve



  • I just installed the 2.2.2 on to the CF, just trying to figure how to config from the serial… lol



  • I am missing something, I am seeing something boot, but no menu to setup anything?



  • This is getting worse, now it will not get past the bios.  It gets stuck on this screen and I am stumped, I thought it was the 2.2.1 image so I downloaded and pushed 2.2 to the CF.

    Anyone have a clue?



  • Netgate Administrator

    If you are using a new CF card and you're still running BIOS V1.7 (as you are) then you will need to reset the primary master channel to auto so that it detects the card geometry and then change back to CHS H=2.
    Alternatively the image may not be on the card correctly, did you extract the image first?

    Steve



  • Yeah, I have done this 12 times now with the settings for the drive.

    I press enter to auto detect the drive, which shows capacity of 8019 MB

    I change the IDE channel 0 master mode to manual, access mode to CHS, change heads to 2.

    Save and exit yes, reboots and does the mem check…...  starts the PCI device listing and gets stuck, now on En?decryption.....

    I did extract the image, used Win32diskimager to put the image on the CF.



  • Frustrated…






  • I made some progress…....

    Now all I am seeing is this repeatedly.

    Timecounter "TSC" frequency 1300076613 Hz quality 800
    uhub0: 2 ports with 2 removable, self powered
    uhub1: 2 ports with 2 removable, self powered
    uhub2: 2 ports with 2 removable, self powered
    uhub3: 2 ports with 2 removable, self powered
    uhub4: 8 ports with 8 removable, self powered
    (ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 de fc ee 40 00 00 00 00 01 00
    (ada0:ata0:0:0:0): CAM status: Command timeout
    (ada0:ata0:0:0:0): Retrying command
    ata0: DMA limited to UDMA33, controller found non-ATA66 cable
    (ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 de fc ee 40 00 00 00 00 01 00
    (ada0:ata0:0:0:0): CAM status: Command timeout
    (ada0:ata0:0:0:0): Retrying command
    ata0: DMA limited to UDMA33, controller found non-ATA66 cable
    (ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 de fc ee 40 00 00 00 00 01 00
    (ada0:ata0:0:0:0): CAM status: Command timeout
    (ada0:ata0:0:0:0): Retrying command
    ata0: DMA limited to UDMA33, controller found non-ATA66 cable
    
    


  • Figured it out….

    set hint.ata.0.mode=PIO4
    boot

    Set up my Wan and Lan and off to the interface to set the rest up!

    The issue with the card or getting stuck at the boot, that was due to my installing the bigger CF and running auto detect on that CF.  The instructions I was following were not very good, found more and I left the original card in and set manual and 2 hd from that.  Booted right away, well until I got the error above.

    I really appreciate your help.


  • Netgate Administrator

    Ah, interesting. I admit I've not tried an 8GB myself. I guess the presented card geometry is sufficiently different to cause a problem.
    Glad you got it sorted.

    Steve



  • It certainly would seem so, I did not think about it at first, the instructions I was following were not the original and could not remember all of the details to get it working again.

    An 8 gig card is really overkill, the 4G does what it says, it partitions the drive and leaves around 3.7GB unpartitioned on the CF, maybe use that later as a swap drive or something.

    So glad it is up and running, I still have not looked to make sure the correct directories are on the CF…..  Best look into that before getting too excited huh.  lol.



  • Look what I have :)

    $ df -hi
    Filesystem           Size    Used   Avail Capacity iused ifree %iused  Mounted on
    /dev/ufs/pfsense0    1.8G    190M    1.5G    11%    5.8k  237k    2%   /
    devfs                1.0K    1.0K      0B   100%       0     0  100%   /dev
    /dev/ufs/cf           49M     89K     45M     0%      23  6.5k    0%   /cf
    /dev/md0              38M    584K     35M     2%     100  5.5k    2%   /tmp
    /dev/md1              58M     19M     34M    36%     148  8.0k    2%   /var
    devfs                1.0K    1.0K      0B   100%       0     0  100%   /var/dhcpd/dev