Installing pfSense on a Watchguard Firebox X

Daniel Bernhardt

Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License

Abstract

The Watchguard Firebox is a pretty solid firewall. Inside the unit you find fairly regular x86 components. pfSense uses NetBSD to turn a PC into a full fledged firewall/routing machine. Of course you can use a small pfSense image on a CF card to bring new life to your Firebox. This manual explains how it is done.


Revision History
Revision 1.02011-06-20Daniel Bernhardt
initial manual release

Flashing the BIOS

As of version 1.2.3 of pfSense you need at least a 512MB large CF card to use the prebuild images. Unfortunately the Firebox BIOS will not boot from a CF card larger than 256MB. The BIOS must be configured to boot from a larger medium first. To access the BIOS you have to solder a plug to attach a PS/2 keyboard to the mainboard and somehow attach a graphic card or take a preflashed BIOS which is configured to send its output to the serial console and change the settings using a PC and a serial cable. We will perform the latter.

Get a CF card which is small enough for the Firebox to boot from. The card that comes with the box is your best choice. Download the image for flashing the BIOS and put it on your CF card using dd for example.

# dd if=/path/to/FreeDOSBios.img of=/dev/sdb
			

Your CF card might not show up as /dev/sdb. Check via dmesg as what device your CF card came online.

Check your device

Do not blindly use dd to flash a disk. If you fail to specify the correct output file, you might destroy partition table and data of your system disk.

After flashing the CF card mount it and put the new BIOS on it. Download the BIOS and copy it to the bios folder on the CF card. Unmount the card and put it in your Firebox. Connect a crossed serial cable to the firebox and your pc and start a terminal session on your serial device.

$ screen /dev/ttyS0 9600
		 

Terminal Settings

You can use any terminal client you want. Just make sure you are using 9600 baud. Otherwise you only see gibberish or nothing at all.

Power on the machine. When the image has been loaded the Firebox will beep 3 times. After that you should see a DOS command prompt on your terminal client. Now it is time to copy the new BIOS over to the machine.

Freedos on COM1:
Current date is Mon 06-20-2011
Current time is  7:18:20.20 pm
C:\>cd bios
C:\BIOS>awdflash.exe X750EB2.BIN /py /sn /cc /e

C:\BIOS>
		

That's it. awdflash.exe has flashed the new BIOS and cleared CMOS cache. You can now prepare to enter the BIOS using the serial console.

Close your terminal and create a new connection using 19200 baud.

$ screen /dev/ttyS0 19200

Power off your machine and turn it back on. You will notice that counting the memory is extremely slow. That is the cost of enabling console output in the BIOS. But you won't boot your new Firebox very often anyway.

Baud Rate is going to change

After your first successful boot, you are only able to access the BIOS with 115200 baud! Remember that for future access of your BIOS. Also memory will count faster with 115200 baud! Your boot time will be shorter.

Hit DEL to enter the BIOS. If you have connected a real keyboard to the CN_KBMS2 plug on the mainboard use the keyboard to make the settings in the BIOS. It will react more quickly to your key presses. But you don't have to.

Goto * Standard CMOS Features and select * IDE Channel 0 Master (that should be your CF card). Adjust the settings to these values:

IDE Channel 0 Master      [Manual]
Access Mode               [CHS]
Head                      [    2]

Setting up the BIOS is now done. Continue with setting up your large CF card.

Installing pfSense

Download a pfSense Image for the size of your CF card, extract it and copy the image to your card using dd as before. You can always use a smaller image on a larger card. Depending on the size of your card, this may take a few minutes.

# dd if=/path/to/pfSense-2.0-RC1-4g-i386-20110226-1633-nanobsd.img of=/dev/sdb bs=16k

Put your new CF card in and start a Terminal session using 9600 baud. You won't see the BIOS messages this way (gibberish may appear) but you can see pfSense boot after a while. And this is what you want. After pfSense booted you will get to the setup screen. Follow the instructions there. After you finished, pfSense is successfully installed.

Throttle CPU

To reduce the produced heat by the CPU you can let powerd dynamically throttle your CPU. If you have a Pentium-M processor you also will have reduced power consumption by the CPU. The Centrino-M will only have a different clock frequency. In both cases, if you want your Firebox to be quiet you should throttle the CPU.

Log in to the webinterface and locate the System: Advanced: System Tunables page. Scroll down until you see the category Power savings and enable Use PowereD.

Check your System Log if you see the following error coming up multiple times each second.

kernel: timecounter TSC must not be in use when changing frequencies; change denied

If so, go to System: Advanced: System Tunables add the following entry and apply the changes.

Tunable:	kern.timecounter.hardware
Value:		i8254
		

Controlling FAN Speed

aka making this beast silent

You can regulate all FANs from the BIOS. But unless you want to reboot and change your terminal session parameters everytime you are experimenting with your FAN speed you can use a program written by stephenw10 called WGXepc.

Copy the mentioned program to your CF card. You can now control your FAN speed.

: ./WGXepc -f 10
Found Firebox X-E
Fanspeed set to 10

System Update

If you perform a System Update, a new image will be put on your CF card. All user data (the WGXepc program) will be lost.

Credits

Credits go to stephenw10 from the pfSense Forum who put most of the information together on how to get pfSense running on a Firebox.