PFSense 2.2 and Watchguard X550e X-Core-E Series Firewall VPN Load Balancer

Update 2/13/2017: I have continual problems attempting to auto-update. Maybe it’s because I am on “unsupported” hardware. Generally the update sits there for 30+ minutes or fails altogether, i.e. after boot (see below). And it depends on the update; the most recent version, 2.3.2_1, meh.

Considering the cost, another $11 CF card is worth it at this point. The one benefit: covering my house in dust after opening the case, which makes me break out the vacuum.

Btw, if you “swear” via the command line when it fails… it will respond 🙂 …can I get an f… and a “u” too..

/etc/rc: uname: not found
() (Patch )
Bootup complete
/etc/rc: /usr/local/bin/beep.sh: not found
/etc/rc: /bin/rm: not found
Feb 10 10:36:56 init: can’t exec getty ‘/usr/libexec/getty’ for port /dev/ttyu0: No such file or directory

———————————————-

Update 5/19/2016: Do NOT update to 2.3 if you want to keep your LCD screen fanciness. The LCDproc-dev package is no longer available in 2.3. Here is a manual way to deploy it: https://forum.pfsense.org/index.php?topic=44034.msg609820#msg609820.

———————————————-

I recently came across a Watchguard Firebox X550e for free. I had been a pfSense user for some time and had heard about the ability to flash these devices and run pfSense on them. After a quick order from Amazon, I was off and running…

I will reference the helpful posts others have written; without them I likely wouldn’t have had the time to do this!

Tools and Devices
Watchguard X-Core (X550e, X750e or X1250e)
Compact Flash Media Card Reader USB (Link)
Null Modem Serial Cable (Link)
Serial Port or USB to Serial Converter (Link)
64MB to 256MB Compact Flash card for the BIOS flash (larger cards do not work for this step; see below)

Software
PuTTY [Emulator] (Link)
CoolTerm [Emulator] (Link)
Win32 Disk Imager for Windows [Image Writing] (Link)
Image for Flashing BIOS [Bootable Image] (Link)
BIOS Image [New BIOS Image] (Link)
pfSense 1GB, 2GB or 4GB i386 non-VGA (serial console) NanoBSD image (Download)

pfSense Download
With 2.2.4, I tried the NYI, ESF and BluegrassNet download sites. Only BluegrassNet produced an error-free image.
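A bad mirror download is exactly the failure this page runs into later (the “Config.xml is corrupted and is 0 bytes” boot loop), and it is caught cheaply by checking the image’s SHA256 against the published checksum before anything is written to the card. The script below is an added example and is not code from the original post or from the pfSense project. It assumes the checksum file sits next to the image in either the BSD form `SHA256 (name) = digest` or the GNU `sha256sum` form `digest  name`, that one of `sha256sum`, `shasum` or `openssl` is on the PATH, and that the CF card’s raw device node is known; the `write_image` step is a `dd` stand-in for Win32 Disk Imager and only runs once the digest matches.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project: verify a
# downloaded pfSense image against its published SHA256 before writing it.
# Assumptions (not stated on the page): the checksum file uses either
#     SHA256 (pfSense-2.2.4-RELEASE-4g-i386-nanobsd.img.gz) = <64 hex chars>
# or  <64 hex chars>  pfSense-2.2.4-RELEASE-4g-i386-nanobsd.img.gz
# and sha256sum, shasum or openssl is available.
set -e

# sha256_of FILE: print the lowercase hex SHA256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        openssl dgst -sha256 "$1" | awk '{print tolower($NF)}'
    fi
}

# expected_sha256 SUMSFILE IMAGENAME: print the digest recorded for IMAGENAME,
# or nothing if the checksum file has no entry for it.
expected_sha256() {
    awk -v img="$2" '
        BEGIN { bsdkey = "(" img ")" }
        # BSD style: SHA256 (name) = digest
        $1 == "SHA256" && $2 == bsdkey { print tolower($4); exit }
        # GNU style: digest  name   (a leading "*" marks binary mode)
        { n = $2; sub(/^\*/, "", n) }
        n == img && length($1) == 64 { print tolower($1); exit }
    ' "$1"
}

# verify_image IMAGE SUMSFILE: 0 = digest matches, 1 = mismatch, 2 = no entry.
verify_image() {
    _want=$(expected_sha256 "$2" "$(basename "$1")")
    if [ -z "$_want" ]; then
        echo "no SHA256 entry for $(basename "$1") in $2" >&2
        return 2
    fi
    _have=$(sha256_of "$1")
    if [ "$_have" = "$_want" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $_want" >&2
    echo "  got      $_have" >&2
    return 1
}

# write_image IMAGE SUMSFILE DEVICE: refuse to touch DEVICE unless the image
# verifies. DEVICE is the CF card's raw device node (e.g. /dev/da1 on FreeBSD,
# /dev/sdX on Linux); check it twice, dd will not ask.
write_image() {
    verify_image "$1" "$2" || return $?
    [ -b "$3" ] || [ -c "$3" ] || { echo "$3 is not a device node" >&2; return 3; }
    case "$1" in
        *.gz) gunzip -c "$1" | dd of="$3" bs=1M ;;
        *)    dd if="$1" of="$3" bs=1M ;;
    esac
    sync
}

# Usage: sh verify_image.sh IMAGE SUMSFILE [DEVICE]
if [ -n "${1-}" ]; then
    if [ -n "${3-}" ]; then write_image "$1" "$2" "$3"; else verify_image "$1" "$2"; fi
fi
```

Note that a checksum fetched from the same mirror as the image only proves the download was not corrupted in transit; to detect a tampered mirror, take the digest from the project’s own download page rather than from the mirror directory.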

Safety
Ensure you disconnect power before opening the chassis

Is it Broken?
Check that the ports, LCD and power all work; you don’t want to get through all of this and find out you had a bad port from the beginning.

The Guts
Watchguard_pfsense_8

Watchguard_pfsense_9

Specs
All X-Core-e models are 1U rack-mountable chassis; specs below:

  • 1.3GHz Celeron processor, i386 x86
  • 512MB of DDR2 RAM (upgradable to 2GB)
  • 4x Marvell 88e8001 gigabit NICs
  • Front-mounted HD44780-based character LCD
  • Channel Well power supply

The X750e and X1250e add a second set of four Marvell 88e8053 gigabit NICs, 8 total.

The Firebox has two RAM slots for additional memory; the type is DDR2 PC2-4200 (533MHz). I currently have 2GB in my box, which is the max. It uses standard DDR2 DIMMs, so DDR2-400 and DDR2-533 will both work.

Removing Compact Flash
Be EXTREMELY CAREFUL when removing and installing the compact flash card. Bent pins are no good, and the socket is in a difficult-to-reach spot.

Compact Flash
The one issue I had was attempting to boot the Watchguard from a 128MB Cisco Compact Flash that I had lying around. I had to use the compact flash card already installed in the device, a 64MB Cisco Compact Flash. Without it I got no serial response unless I held the up arrow at boot, and even then I received “Bad Signature” and wasn’t able to do anything else.

Some Fireboxes come with pre-installed 512MB CF cards, whereas most come with 256MB cards. If you’re unlucky enough to get a box with a 512MB card, you’ll need to buy a 256MB (or smaller) card for flashing the BIOS; the 512MB card will not work for this purpose.

Remember to back up your original compact flash before flashing. This lets you go back to your original configuration if anything goes wrong.

If you’re planning to purchase a new ultra-fast (30MB/s+) compact flash card, read this first (Link).

I opted for the 4GB compact flash, at $11 it was an easy choice.

Emulators
Another issue I had was the need to switch between PuTTY and CoolTerm. Initially I had read that PuTTY had potential issues, which led me to switch to CoolTerm. However, once the BIOS was flashed I had to switch back to PuTTY, since CoolTerm did not display the BIOS screen afterward. In most of what I read, people used PuTTY; stick with that when possible.

Watchguard_pfsense_1

Write the Image for BIOS Flash
Install Win32 Disk Imager
Connect the Compact Flash Media Reader
Insert the original compact flash from the Watchguard, or the replacement (256MB or smaller) compact flash
Open Win32 Disk Imager
Select and confirm the device
Watchguard_pfsense_4
Select the Blue Folder icon, locate the FreeDOSBios.img file
Watchguard_pfsense_2
Select Write
Confirm
Watchguard_pfsense_3
Wait for success message
Copy the X750EB2.BIN file onto the newly created bootable compact flash using File Explorer
Install the compact flash in the Watchguard

Backup and Flash the BIOS
Connect using your terminal emulator at 9600 baud, 8 data bits, 1 stop bit, no parity (9600 8N1)
After three beeps, you should get a FreeDOS command prompt
Back up the existing BIOS first: awdflash /pn /sy WGbackup.bin /e
Watchguard_pfsense_7
Once backup is complete, run the following to flash the BIOS

Freedos on COM1:
Current date is Mon 06-20-2011
Current time is  7:18:20.20 pm
C:\>cd bios
C:\BIOS>awdflash.exe X750EB2.BIN /py /sn /cc /e

C:\BIOS>

Wait until the C:\BIOS> prompt returns and is ready for additional input. Do not power off or reset the box while the flash is in progress; an interrupted BIOS write is the one step in this guide you cannot easily recover from.

Configure the BIOS
Connect using your terminal emulator at 115200 8N1 (the new BIOS runs the serial console at the faster speed)
Reboot the Firebox
At POST, during the memory test, press DEL or TAB to enter the BIOS setup
(If you’re connected correctly, the screen will show a standard BIOS setup screen with configuration options)
Enter Standard CMOS Features
Select the IDE Master 0 (Zero) using the enter key
Update the following

IDE Channel 0 Master      [Manual]
Access Mode               [CHS]
Head                      [    2]

Exit using the ESC key
Save using the F10 key
Fan speed can also be adjusted inside the BIOS
Under Health Check{?}
Within fan speed, enter “BB” without the quotes (BB is the slowest value reported stable when set from the BIOS; see the Fan Speed section for a quieter option)
Exit using the ESC key
Save using the F10 key

Write the Image for pfSense
Open Win32 Disk Imager
Connect the Compact Flash Media Reader
Insert the NEW 1, 2 or 4GB compact flash card
Watchguard_pfsense_4
Select the Blue Folder icon, locate the pfSense-2.2.4-RELEASE-4g-i386-nanobsd-upgrade-20150725-1956.img file
Watchguard_pfsense_6
Select Write
Confirm
Watchguard_pfsense_3
Wait for the success message
Power down the Watchguard
Remove the factory/temporary compact flash card and install the new pfSense compact flash card

Connect to pfSense
Connect using your terminal emulator at 9600 8N1. I had to use 115200 myself; results vary…
After some garbled text, you should get the familiar pfSense console screen
Configure the device as needed
Watchguard_pfsense_5

DMA Limited to UDMA33, controller found non-ATA66 cable
After the first boot, I kept getting the following message over and over again. It turns out there is a fix…

ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable

I found a post which says to add a line to the /boot/loader.conf file (Link) that disables DMA (Link). Notes below…

In the newer 2.2.x nano images, DMA access is no longer disabled by default, so a fresh 2.2 install won’t boot from a CF card. The following has to be added to the /boot/loader.conf.local file: hint.ata.0.mode=PIO4.

If you add this line before an upgrade, it will be copied to the new 2.2 slice, which will then boot. Here we consider a fresh install (the same applies if you already upgraded to 2.2 but your Firebox won’t boot). Interrupt the boot loader while it is counting down from 4.

FreeBSD/x86 bootstrap loader, Revision 1.1
(root@pfs22-i386-builder, Mon Apr 13 20:28:31 CDT 2015)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x11fb1a7 data=0x832e48+0x279e60 syms=[0x4+0xf3a10+0x4+0x16bd76]

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel] in 4 seconds...

Type '?' for a list of commands, 'help' for more detailed help.
OK

At the prompt enter:

set hint.ata.0.mode=PIO4
boot

Watchguard_pfsense_10

pfSense now continues booting and enters the initial setup. For now we don’t set up VLANs; set WAN to sk0 and LAN to sk1 (sk0 is the leftmost port, port 0, and msk3 is the rightmost port, port 7, on the 8-port models). If everything went well, you will now see the console configuration menu.

First, enable secure shell (sshd) by choosing option 14. This way you can use PuTTY or any other SSH client to reach a terminal over the LAN.

Next, edit /boot/loader.conf.local so that DMA stays disabled after a reboot; the “set” at the loader prompt only lasts for one boot. This can be done through the web interface at http://192.168.1.1, the console shell (option 8), or WinSCP.

Web interface default username/password: admin/pfsense. Change this password before the box carries real traffic; a firewall with the vendor default login is worse than no firewall.

Choose menu Diagnostics > NanoBSD and click ‘Switch to Read/Write’. This way you can make changes to the file system.

Watchguard_pfsense_12

Then go to Diagnostics > Edit File, browse to /boot and open loader.conf. Change the filename to loader.conf.local and press Save (this writes a copy under the new name and leaves the original loader.conf alone). Then delete the existing content of the new file and add the line

hint.ata.0.mode=PIO4

Watchguard_pfsense_11

Click Save and it’s done. Don’t forget to mount the filesystem back read-only via Diagnostics > NanoBSD. This happened automatically for me after I rebooted for testing.

If you use one of the other options (shell or WinSCP), set the permissions of loader.conf.local to 0644.

Config.xml is Corrupted and is 0 Bytes
As noted above, this was caused by a bad pfSense image download. I tried all the download sites; only BluegrassNet produced an error-free image. With the newly written image it booted right into the system.

..done.
>>> Under 512 megabytes of ram detected.  Not enabling APC.
ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Launching the init system... done.
Initializing..................ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Starting CRON... done.
ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Bootup complete
grep: /conf/config.xml: No such file or directory
[: -gt: unexpected operator

FreeBSD/i386 (Amnesiac) (console)

ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.

 0) Logout (SSH only)
 1) Assign Interfaces

Fan Speed
Your Watchguard is loud. If you want to quiet it down, use this post, which controls fan speed (Link).

After enabling SSH access, log in as your admin user.

Alternatively, you can use the Shellcmd package to run the command at startup.

  • System > Packages
  • Available Packages Tab
  • Locate Shellcmd
  • Select the + icon to the right
  • Confirm install is complete
  • Services > Shellcmd
  • Click the + icon to add a new command
  • Enter in the following
Command: /conf/WGXepc -f 30 (values are hex; 10 is the minimum, FF is full speed [loud])
    Shellcmd Type: Shellcmd
    Description: Configure Fan Speed
  • Reboot
  • Confirm

Note that while the fan speed I recommend above is the hex value 10, the slowest fan speed that should be selected in the BIOS is BB, which is much faster. Stability problems have been reported when using the BIOS to slow down the fans; WGXepc does not have these limitations.

These settings only take effect after boot; if you want to control the fan during startup as well, see this Link.

  • /etc/rc.conf_mount_rw
  • fetch -o /usr/local https://www.hexhound.com/files/fanctrl-new.zip
  • cd /usr/local
  • tar -xzf fanctrl-new.zip
  • touch /etc/rc.conf.local
  • vi /etc/rc.conf.local
  • (Press “i” once, then type fanctrld_enable=”YES” with the YES in double quotes. Press Escape, then type :x and press Return to save and exit. Sorry, this step can be a little advanced if you’re not used to vi.)
  • /etc/rc.conf_mount_ro
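The Shellcmd entry above hands a raw hex value to WGXepc, and nothing checks it: a typo such as `-f 3` or `-f 0` would go straight to the fan controller. The wrapper below is an added example and is not code from the original post or from the WGXepc author. It assumes only what this page states about the tool (`/conf/WGXepc -f <HEX>`, 10 minimum, FF full speed); it bounds-checks the value, offers a percentage-to-hex mapping, and has a dry-run mode so you can see the exact command line before pasting it into Shellcmd.

```shell
#!/bin/sh
# Added example, not from the original post or the WGXepc author: bounds-check
# the hex fan value before it reaches WGXepc, and map a percentage onto the
# 10..FF range this page gives. Assumptions: /conf/WGXepc -f <HEX> is the
# interface quoted on the page; 10 is the minimum and FF full speed.
set -e

FAN_MIN=16     # 0x10, the slowest value the page says WGXepc accepts
FAN_MAX=255    # 0xFF, full speed
WGXEPC=${WGXEPC:-/conf/WGXepc}

# fan_hex_ok HEX: 0 if HEX is a two-digit hex value between 10 and FF inclusive.
fan_hex_ok() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) return 1 ;;
    esac
    _v=$(printf '%d' "0x$1")
    [ "$_v" -ge "$FAN_MIN" ] && [ "$_v" -le "$FAN_MAX" ]
}

# fan_hex_from_percent PCT: map 0..100 linearly onto 10..FF and print it as
# two uppercase hex digits (0 -> 10, 100 -> FF).
fan_hex_from_percent() {
    _p=$1
    [ "$_p" -ge 0 ] && [ "$_p" -le 100 ] || return 1
    printf '%02X' $(( $FAN_MIN + _p * ($FAN_MAX - $FAN_MIN) / 100 ))
}

# set_fan_speed HEX: run WGXepc with a validated value; with FAN_DRY_RUN=1 just
# print the command instead (useful before wiring it into Shellcmd).
set_fan_speed() {
    fan_hex_ok "$1" || { echo "refusing fan value '$1' (use 10..FF hex)" >&2; return 1; }
    if [ "${FAN_DRY_RUN-0}" = 1 ]; then
        echo "$WGXEPC -f $1"
        return 0
    fi
    "$WGXEPC" -f "$1"
}

# Usage: FAN_DRY_RUN=1 sh fan.sh 30      or a percentage:  sh fan.sh -p 25
if [ -n "${1-}" ]; then
    if [ "$1" = "-p" ]; then set_fan_speed "$(fan_hex_from_percent "$2")"; else set_fan_speed "$1"; fi
fi
```

Put the validated command (for example the output of `FAN_DRY_RUN=1 sh fan.sh 30`) into the Shellcmd entry rather than the script itself, so the package keeps running exactly what you tested.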

LCD Screen
The LCD screen is supported by the LCDproc-dev package (Link). To use it, do the following:

  • System > Packages
  • Available Packages Tab
  • Locate LCDproc-dev
  • Click the + sign
  • Confirm
  • Go to Services > LCDproc
  • Tick “Enable LCDproc”
  • Change “Driver” from “pyramid” to the “Watchguard Firebox with SDEC (x86 only)” driver
  • Click Save
  • Click the “Screens” tab
  • Select what you want to show on each screen
  • Go to Status > Services and start the LCDproc service
  • Use the up/down buttons on the Firebox to turn on the backlight and move between “screens”

NIC LEDs
To enable the NIC LEDs

8 Port Watchguard
If you have an X750e or X1250e, you have 4 additional ports, 8 total. pfSense is known to have problems with these ports; the fix is below. I wasn’t able to test this.

There could be problems with the msk interfaces (the four rightmost ports): an interface becomes unresponsive and a watchdog timeout is shown in the log. Add the following line to /boot/loader.conf.local to work around this issue:

hw.msk.msi_disable=1
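Both fixes on this page (hint.ata.0.mode=PIO4 for the CF card’s DMA timeouts, and hw.msk.msi_disable=1 for the msk watchdog timeouts above) end up as lines in the same file, /boot/loader.conf.local, and the web-editor procedure described earlier is easy to get wrong on a second pass (duplicate lines, a loader.conf.local left world-writable, or the slice left mounted read-write). The script below is an added example and is not code from the original post or from the pfSense project. It assumes it is run from the pfSense shell on the Firebox (console option 8 or SSH) and that /etc/rc.conf_mount_rw and /etc/rc.conf_mount_ro are the NanoBSD remount helpers this page already uses; the file argument exists so the functions can be tried against a scratch file first.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project: set the
# two loader hints this page relies on in /boot/loader.conf.local idempotently,
# so re-running it never leaves duplicate or conflicting lines behind.
# Assumptions: NanoBSD remount helpers /etc/rc.conf_mount_rw and
# /etc/rc.conf_mount_ro exist on the box (they are skipped elsewhere).
set -e

# set_loader_hint FILE NAME VALUE: leave exactly one NAME="VALUE" line in FILE,
# replacing any earlier NAME= line (quoted or not) and creating FILE if needed.
set_loader_hint() {
    _file=$1; _name=$2; _value=$3
    _tmp="$_file.tmp.$$"
    if [ -f "$_file" ]; then
        # keep every line that does not start with NAME=
        awk -v k="$_name=" 'index($0, k) != 1' "$_file" > "$_tmp"
    else
        : > "$_tmp"
    fi
    printf '%s="%s"\n' "$_name" "$_value" >> "$_tmp"
    mv "$_tmp" "$_file"
    chmod 0644 "$_file"          # the page asks for 0644 on loader.conf.local
}

# get_loader_hint FILE NAME: print the current value of NAME (quotes stripped),
# or nothing if it is not set.
get_loader_hint() {
    [ -f "$1" ] || return 0
    awk -v k="$2=" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1)
        gsub(/^"|"$/, "", v)
        print v
    }' "$1"
}

# apply_firebox_hints [FILE]: remount read-write if the NanoBSD helper exists,
# write both hints, remount read-only again.
apply_firebox_hints() {
    _target=${1:-/boot/loader.conf.local}
    [ -x /etc/rc.conf_mount_rw ] && /etc/rc.conf_mount_rw
    set_loader_hint "$_target" hint.ata.0.mode PIO4       # no DMA on ata0 (CF card)
    set_loader_hint "$_target" hw.msk.msi_disable 1       # msk(4) watchdog workaround
    [ -x /etc/rc.conf_mount_ro ] && /etc/rc.conf_mount_ro
    echo "hints now in $_target:"
    cat "$_target"
}

# Only apply when asked explicitly, so sourcing the file has no side effects.
# Usage on the box:  sh firebox-hints.sh --apply
if [ "${1-}" = "--apply" ]; then
    apply_firebox_hints "${2-}"
fi
```

The hints take effect at the next boot; the loader prompt `set hint.ata.0.mode=PIO4` shown earlier is still the way to get the very first boot past the DMA timeouts.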

References
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

http://phil.lavin.me.uk/2013/03/installing-pfsense-on-a-watchguard-firebox-x550e-and-x750e/

https://www.hexhound.com/how-to-flash-pfsense-2-1-to-a-watchguard-firebox-x750e-x550e-ssl-500/

http://documentation.dbernhardt.com/pfsense/article.html

https://www.slashetc.us/2014/05/getting-pfsense-loaded-to-watchguard-firebox-x-core-e-utm-part-1/

https://www.slashetc.us/2014/05/getting-pfsense-loaded-to-watchguard-firebox-x-core-e-utm-part-2-lcd/

https://harkink.com/pfsense-on-a-watchguard-firebox-x750e/

https://www.hexhound.com/quiet-the-fan-on-your-pfsense-watchguard-firewall/

http://forum.pfsense.org/index.php/topic,7920.msg344513.html#msg344513


6 thoughts on “PFSense 2.2 and Watchguard X550e X-Core-E Series Firewall VPN Load Balancer”

  1. the_toph October 20, 2015 / 7:29 pm

    I’m reading this excellent how-to about 24 hours too late…. I (somehow) managed to successfully install pfSense on a x550e using the multitude of forum posts and wiki articles on the pfSense site. Was this just a project, or are you using it on your network? If you’re using it, have you had any issues, or do you have any additional comments?


    • colinl79 October 20, 2015 / 7:56 pm

      It turned into a side project, someone passed it along as they didn’t want to deal with it anymore. I am using it on my network, my “oh so important” home network. I couldn’t tell you how the performance is as I don’t pay attention to it much. I will say, the “lights on the front are still blinking”.

      Honestly, as with any hardware/software, be cautious when deploying into a real live corporate network. Unsupported hardware such as this setup can get you in a pickle at the wrong time.


  2. ipat8 January 2, 2016 / 5:47 am

    Does using: “hw.msk.msi_disable=1” disable these ports? I need to be able to use them.


  3. Derek Bartram September 9, 2016 / 6:03 pm

    Any reason you use the upgrade rather than install image?

    Does the following mean anything to you? Really struggling to get this box running (x1250e)

    PCI device listing …
    Bus No. Device No. Func No. Vendor/Device Class Device Class IRQ
    ——————————————————————————–
    0 2 0 8086 2592 0300 Display Cntrlr 11
    0 29 0 8086 2658 0C03 USB 1.0/1.1 UHCI Cntrlr 9
    0 29 1 8086 2659 0C03 USB 1.0/1.1 UHCI Cntrlr 10
    0 29 2 8086 265A 0C03 USB 1.0/1.1 UHCI Cntrlr 5
    0 29 3 8086 265B 0C03 USB 1.0/1.1 UHCI Cntrlr 11
    0 29 7 8086 265C 0C03 USB 2.0 EHCI Cntrlr 9
    0 31 1 8086 266F 0101 IDE Cntrlr 14
    5 4 0 177D 0003 1000 En/Decryption Cntrlr 11
    1 pfSense
    2 pfSense

    F6 PXE
    Boot: 1
    /boot/config: -S115200 -h
    Consoles: serial port
    BIOS drive C: is disk0
    BIOS 638kB/1039360kB available memory

    FreeBSD/x86 bootstrap loader, Revision 1.1
    (root@ce23-i386-builder, Tue Jul 19 13:40:21 CDT 2016)
    Error — unmatched control structure “target”
    Error while including /boot/check-password.4th, in the line:
    again
    Error while including /boot/loader.4th, in the line:
    include /boot/check-password.4th
    |
    /boot/kernel/kernel text=0x121f23a inflate: invalid code — missing end-of-block

    readin failed

    elf32_loadimage: read failed
    can’t load ‘kernel’
    Hit [Enter] to boot immediately, or any other key for command prompt.
    Booting [/boot/kernel/kernel] in 7 seconds…

    Type ‘?’ for a list of commands, ‘help’ for more detailed help.
    OK set hint.ata.0.mode=PIO4
    OK boot
    /boot/kernel/kernel text=0x121f23a |

    Any suggestions would be really appreciated – thanks.


    • Niloc79 September 9, 2016 / 6:28 pm

      Based on the error it sounds as if something may be off/corrupt, I would start with a fresh install on the card. The file /boot/password.4th is the one to look at for further troubleshooting.

      Try the forum, you will get more visibility there, https://forum.pfsense.org.
