
Author Topic: Watchguard XTM 5 Series  (Read 125353 times)


menacingm
Re: Watchguard XTM 5 Series
« Reply #60 on: November 10, 2013, 11:08:15 am »
There is no value in using an 8GB CF card. The largest image available is 4GB so the remaining space can never be used.
If you want to use Squid as caching proxy you must run it from hd. The continuous writes would kill flash media in short order; the package will prevent you doing it in NanoBSD.

I believe there is a ticket in for 8GB images due to there being more packages available, especially since adding support for PBI installs, but yeah 4GBs is the biggest now.

StephenW, ever try running Squid from CF with caching pointed to an NFS mount or HD mounted in cache directory path? I don't like the idea of running something as critical as a firewall from a HD.

Hawk78
« Reply #61 on: November 10, 2013, 11:29:11 am »
Thanks for your reply menacingm & stephenw10!  :)

I agree about the killing of flash media by caching. But what about the usb port? Could I use this for connecting a USB stick or USB HD for caching? What about SSD? Is there the same prob?

stephenw10
« Reply #62 on: November 10, 2013, 04:50:03 pm »
Ah I wasn't aware of the 8GB ticket. I have a hard time believing you could fill the space provided by the 4GB image slices though even with the PBI packages (which are a lot larger).

There are a number of people who have set up squid to cache to a separate HD but it's not handled by the webgui which presents some issues. Primarily you need to have a setup that survives a firmware update otherwise you'll have to re-make all your changes manually. Firstly there is no facility to mount a local drive but you can handle that via the shellcmd package. Then you have to manually configure squid to use your newly mounted slice for its cache. Lastly you need to know what happens if the hd fails. Does Squid fail to start? Does that result in no internet access for your clients?

Just running from a HD drive gets around these problems, HDs are pretty reliable these days. I'm fairly sure there are more pfSense installs running from HD than flash. There is provision in the XTM5 for installing a 2.5" SATA drive.

There was a thread recently detailing this setup on a firebox X750e. That user used a script that ran at boot to check the HD status and mount /var accordingly:
http://forum.pfsense.org/index.php/topic,67823.0.html

Steve
« Last Edit: November 11, 2013, 01:44:29 am by stephenw10 »

Hawk78
« Reply #63 on: November 11, 2013, 01:14:41 am »
another question...  ;)

After installing CF card for the initial setup of pfsense do I need a special cable for accessing console? I see there is a rj45 console connector at front. Do I need a rj45<->rs232 cable and a rs232<->usb adapter? I don't think my pc has a serial connector any more...

stephenw10
« Reply #64 on: November 11, 2013, 01:47:45 am »
Yes you need a cable. The supplied cable is rj45 to rs232 (9pin) and I use an rs232 to USB adapter with it. I'm sure you could get a single cable that did it but using two is more versatile.

Steve

Hawk78
« Reply #65 on: November 19, 2013, 12:55:38 am »
Well, I received my used XTM 505 unit with no cables. I will try to connect it to console...

The unit draws ~30W at idle. I'll remove the VPN accelerator card. What can I do to reduce power consumption and fan noise further?
Are there any recommended silent fans? Do I need all fans running?

stephenw10
« Reply #66 on: November 19, 2013, 12:37:20 pm »
The fans have thermal speed control by default but the minimum speed is quite high. The most recent version of WGXepc can reset it lower. I spent some time enabling speedstep (see earlier in this thread) but I couldn't ever see much improvement in power consumption. The higher C states seemed to overwhelm the P state savings. You need to swap out the CPU with something speedstep enabled to see that though. Other than that you can replace the psu with something more efficient, typically a dc-dc psu such as the picoPSU.

Steve

Hawk78
« Reply #67 on: November 19, 2013, 02:27:04 pm »
Steve, thanks for your reply. I'll try to find some silent 40x40 fans because the original ones are very loud. I have no experience in picoPSU. Can you recommend a suitable one?

stephenw10
« Reply #68 on: November 19, 2013, 03:36:35 pm »
I suggest you try just reducing the fan speed first. I replaced the fans in my x-peak box but only because there's no control on that. I think I detailed it in the x-peak thread.
The psu requirements are fairly low so most of the picoPSU models should work. No promises though. ;)

Steve

bragle
« Reply #69 on: December 31, 2013, 07:31:24 am »
Hello all,

First off, thanks so much for the work you did in getting this going.  I acquired a decommissioned XTM 510 from my workplace and knew Watchguard well enough to realize it would take more money than I cared to spend (or my wife would allow) to get it going on my home network with the functionality it promised.  Your work and PFSense changed that.  Kudos!

So, as of this morning after some minor fiddling about in the console, I am up and running with a brand new install, fully functional from what my bleary eyes can see so far.  This brings up the obvious question of "what next?".  I utilized a 1 Gb CF card for the install and PFSense is reporting about 40% disk utilization so far.  This seems high enough to me that I might want to consider putting in a bigger card and/or installing a spare drive in that beckoning slot next to the board.

1.  Do I need to flash the BIOS to enable a higher capacity CF card and/or install a spare drive?
2.  If yes, is the xtm5_83.rom mentioned on this thread sufficient to accomplish that?
3.  Would it simply be a matter of SSHing into the box and sending this (fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom) and then following Stephen's subsequent directions?
4.  What dragons should I expect to find?

Once again thanks for the hard work of everyone involved.  I was up until 3:30 AM just trying to apply what meager abilities I possess to get this going, so I can only imagine what late nights have been in by the efforts of this crew.

stephenw10
« Reply #70 on: December 31, 2013, 07:59:48 am »
Hi. Another firebox saved from scrap.  :)

You don't need to do anything to boot a larger CF card. I've not tried using a SATA HD in mine but I would assume that too boots no problem. Having said that you are unlikely to need a bigger card. That remaining space will only be used by adding further packages and there are only so many that can be run (usefully) under NanoBSD.
You can flash the BIOS by fetching it directly as you say. There are some other advantages to doing so: fully unlocked bios, LED the correct colour, speedstep enabled. Flashing the BIOS is always inherently risky but several other people have done it with that file without issue. Also, as I was forced to find out, it is possible to recover from a bad flash on that box but doing so is not straightforward.

If you decide to bridge some of the ports (because you don't need that many subnets at home  ;)) there is a bug in 2.1 that will bite you. It's since been patched but you have to apply the patch manually:
http://forum.pfsense.org/index.php/topic,66908.msg386279.html#msg386279

You can add the WGXepc program to access the fan and arm/disarm led.

More hours than I care to admit!  ::)

Steve

bragle
« Reply #71 on: December 31, 2013, 08:30:12 am »
Thanks for the fast response!  I'll take your advice and caution and just leave well enough alone for the time being.  I upgraded the RAM to 2 Gb and checked over the available packages to see what, if any, might appeal to me.  I'm satisfied enough at this point that I have a solid install going and a much faster piece of kit to replace my existing router/firewall.  As I am connecting this directly to a 50 port switch, I don't see a need to bridge any interfaces at this point, though I appreciate the heads up on the 2.1 bug.  Once I get the network fully fleshed out, I might be tempted to see what other goodies I can install or get going, but this so far makes my morning.

Thanks again!

stephenw10
« Reply #72 on: December 31, 2013, 08:35:26 am »
No problem.  :)

I forgot to mention the LCD, it's all in the wiki page though.
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

Steve

hobbit666
« Reply #73 on: January 20, 2014, 04:05:33 pm »
Hi
I'm new to pfsense and would like to install it on some expired Watchguard boxes.  I have some XTM's and Xcore.

I'm trying it on a XTM505 first to see what it does but having some issues.


Can someone point me to the correct image I should be using for the XTM505? I've tried installing it on the 1GB CF card that was in the box but I can't get it booting.


Do I need to flash the BIOS first, or should I be OK with the default?

stephenw10
« Reply #74 on: January 20, 2014, 07:46:53 pm »
Hey,
No you don't have to flash the bios to boot pfSense.
How did you write the CF card? Did you see any errors?
The image you should use is:
http://files.bgn.pfsense.org/mirror/downloads/pfSense-2.1-RELEASE-1g-i386-nanobsd.img.gz (you might choose a mirror closer to you)

However manufacturers of CF cards like to label cards as 1GB even if they're actually slightly smaller so if you see errors writing the card try the 512MB image instead:
http://files.bgn.pfsense.org/mirror/downloads/pfSense-2.1-RELEASE-512mb-i386-nanobsd.img.gz

The Celeron 440 in the XTM5 is 64 bit capable so you can run 64bit images instead. However I'm not sure the LCD driver is supported under 64bit.  :-\

You should see the card boot on the serial console at 9600bps and it will wait at the assign interfaces prompt.

Steve
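
The undersized-card problem described in the post above can be caught before anything is written. The following is an added example, not part of the original post or of any pfSense tooling: it checks the downloaded image's SHA-256 against a digest you already trust, then compares the uncompressed image size with the card's real capacity. The function names and the digest argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-flight checks before writing a NanoBSD image to a CF card.
# Usage (hypothetical file name): ./preflight.sh image.img.gz <sha256> /dev/sdX

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Capacity in bytes of the write target. Block devices are queried with
# Linux blockdev; a regular file is accepted as a stand-in for dry runs.
target_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Returns 0 if safe to write, 1 on digest mismatch, 3 on a damaged archive,
# 2 if the image is larger than the card (a "1GB" card that is really smaller).
preflight() {
    img=$1; want=$2; target=$3
    got=$(sha256_of "$img") || return 1
    [ "$got" = "$want" ] || { echo "digest mismatch: got $got" >&2; return 1; }
    # gzip -t catches a truncated download before the card is touched.
    gzip -t "$img" 2>/dev/null || { echo "archive is damaged" >&2; return 3; }
    need=$(gzip -dc "$img" | wc -c | tr -d ' ')
    have=$(target_bytes "$target") || return 2
    if [ "$need" -gt "$have" ]; then
        echo "image needs $need bytes, card holds $have: use a smaller image" >&2
        return 2
    fi
    echo "ok: image uses $need of $have bytes"
}

if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

A return code of 2 corresponds to the case in the post where the smaller image should be tried instead.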