Here’s how to get pfSense 2.1 running on your WatchGuard Firebox X-core-e, including the x550e, x750e, x1250e, SSL 100, and SSL 500. I have personally confirmed that this procedure works on the x750e and SSL 500.
- A WatchGuard X-core-e Firebox (x550e / x750e / x1250e or SSL 100 / SSL 500)
- A compact flash (CF) card reader
- A null modem cable
- An appropriate CF card – I recommend a fast 4gb card
- A USB-to-serial adapter if your laptop or computer does not have a serial port
- A small philips head screwdriver
(And of course, the power & lan cables)
Available X-Core-e Models:
All the WatchGuard X-Core-e models are largely identical with one notable exception. All X-Core-e models are 1U chassis loaded with a 1.3GHz Celeron processor, 512mb of DDR2 RAM, four Marvell 88e8001 gigabit NICs, a channel well power supply, and front-mounted HD47780 based character LCD. The x750e and x1250e add another set of four Marvell 88e8053 gigabit NICs, but all X-Core-e models can be upgraded to the same specification as the unpopulated area simply contains a block off plate on the x550e, SSL 100, and SSL 500. I believe the SSL 100 / 500 come with a (optional?) hard drive, but my SSL 500 arrived without a hard drive.
After you receive your Firebox, you should verify that it works. This is simple – just plug the firebox in to AC power, turn the switch on, and watch the LCD screen. It should display “Memory Test Passed” after a short period of time, then proceed to boot the factory operating system. After a period of time, the display will switch to displaying the uptime. If you wish, you can plug each port into your network and confirm the LEDs for the applicable port light up. As we are replacing the OS, I will not discuss logging into the factory management interface.
We will be installing pfSense Nano which is specifically built to run from flash memory (CF cards). To do this, we must disassemble the firebox, remove the factory CF card, and install pfSense to our own CF card. This process is further complicated by a bug in the Firebox’s BIOS which prevents it from booting from CF cards larger than 512mb; as all pfSense Nano images are now larger than 512mb, we must first change the BIOS settings prior to installing pfSense.
Turn off and unplug the Firebox. Remove the four sets of three screws located at the front left, front right, rear left, and rear right (note that one of these screws is covered by a warranty label). Now remove the remaining two screws located high on the back of the firewall – the back being where the power cable plugs in. Finally, slide the top of the metal case towards the back of the firewall and lift up to expose the motherboard.
Booting FreeDOS and Flashing the BIOS
Because the Firebox is designed to be rack mounted and accessed solely via the network or serial interfaces, there is no readily available direct video output. This presents a problem because the BIOS cannot be observed. Furthermore, no keyboard headers are available either, making it difficult to enter the BIOS in the first place! Several remedies are available – a VGA output & keyboard header exist on the motherboard, but are unpopulated; two PCI-e slots are also available into which an external video card can be plugged; but the easiest solution is to flash the BIOS with a version that redirects the output to the serial port. To access the utility needed to flash the BIOS, we boot into a pre-made FreeDOS image.
Begin by downloading the FreeDOS image [here]. Make a note of where it is saved. Now download either Win Disk Imager which uses a simpler graphical interface or the potentially more powerful Physdiskwrite which must be accessed via the command line. Verify the MD5 checksum for the zipped FreeDOS image is 5ebb3f11925a8a78f7829e3ca0823f5d before proceeding. If using Win Disk Imager, extract the zip to a location of your choice and verify the .img file’s checksum is 86e32dc36d9d0098d11a5d15df05f586. You are now ready to write FreeDOS to a CF card of your choice ranging in size from 16mb to 512mb.
*NOTE* The Firebox can be picky about what CF cards it will boot from. I tried several old SanDisk CF cards without success. The CF card that comes with the Firebox is guaranteed to work. If you wish to keep the factory image so the Firebox can be reverted back to factory operation, use Win Disk Imager to back up the card.
Flashing with Win Disk Imager
First open Win32 Disk Imager
Click the folder icon to the right of the text box, then locate and select (“open”) your disk image. You will do this once with freeDOS and again with pfSense.
If necessary, change the drive letter to your compact flash disk under the “device” dropdown, located to the right of the folder icon. Click the “Write” button. Win Disk Imager will ask you to confirm the write operation – select “Yes.”
You should see it start writing the image to the CF card. This may take a while and will vary depending on the speed of your CF card.
You will be greeted with pop up window when done.
Once the image has been successfully written to the CF card, remove the factory CF card from the Firebox and install your newly flashed CF card, being careful to line the card up in the tray – you don’t want to bend the pins! Now plug your null modem cable into the front of the Firebox and into your computer, using the USB-to-serial adapter if necessary.
Fire up your terminal program of choice – I like PuTTY – select your serial port, and set the connection speed to 9600 baud (bits per second or BPS), 8 data bits, 1 stop bit and no parity bit (hereafter abbreviated 8N1). If using PuTTY, the default settings work. Don’t worry if you don’t know the exact serial port – it can be a trial and error process. The device manager may provide clues if you need help and most USB-to-Serial adapters are listed above COM 4 (e.g. COM 5 or COM 6). I’m lucky my Dell Latitude D620 comes with a hardware serial interface and it is listed as COM 1. Switch on the power to the Firebox and you should hear 3 beeps after a short period of time. If your terminal is configured correctly, you will be welcomed by an MS-DOS prompt. It is now time to flash the BIOS so that it will read the higher capacity CF card needed to run pfSense.
First, confirm that your Firebox is like the rest by running “biosid” or BIOS ID(entification). It is important this information matches my screenshot – if it doesn’t something might be different about your Firebox and flashign the BIOS could render the machine useless.
Next, backup the existing BIOS to the internal CF card by running “awdflash /pn /sy backup1.bin /e” like so. “backup1.bin” can be any name of your choosing.
Complete the BIOS flash by running “awdflash x750eb7.bin /py /sn /cc /e”
You are done when the DOS prompt returns. Don’t worry if it takes a while as this will vary depending on the speed of your CF card. If in doubt, leave the Firebox running – turning the machine off prematurely can corrupt the BIOS and leave you with an expensive red doorstop.
With the BIOS flashed, change your terminal program to 115200 baud 8N1 and switch on / restart the Firebox. You should see the Firebox run through its power on self test (POST) as the memory is tested. Press the TAB key to enter the BIOS (yes, it says to press delete – the delete key is emulated in the terminal environment with the tab key). Enter the IDE hard drive setup, change the settings to manual, and set the head to “2.”
At this time, you may also change the fan speed to ‘BB’ to help quiet the fans during the boot process. Once pfSense is running, an additional script may be loaded to dynamically vary the fan speed, resulting in a near inaudible Firebox.
With the BIOS hurdle out of the way, it is time to download and flash pfSense. This process closely follows the process used to flash FreeDOS. First download your pfSense image of choice from here. You want a pfSense “Nano” image which is specifically built to run from flash memory. Choose the version appropriate for your flash card – 512mb for a 512mb card, 1g for a 1 gig card, 2g for a 2 gig card, or 4g for a 4 gigabyte CF card. The Firebox runs on x86 hardware with serial console output instead of VGA, so choose an i386 build without the vga tag. If you use the 4 gig card I recommended above, download “pfSense-2.1-RELEASE-4g-i386-nanobsd-20130911-1816.zip” (newly updated link! – MD5 hashes here). Verify the MD5 hash for the unzipped .img file is B64BC70515D72C6E90D5AE6A4ABC4354 before proceeding.
With the pfSense image in hand, insert your new, large CF card into your card reader and following the procedures above, flash pfSense to the card with either Win Disk Imager or physdiskwrite. It will take longer to write the image to the card this time as pfSense is a much larger program than FreeDOS.
Once completed, ground yourself, unplug the Firebox, remove the old FreeDOS CF card and insert your newly flashed pfSense CF card.
Booting into pfSense
It is now time to boot pfSense for the first time. Make sure your null modem cable is connected and fire up your terminal (hyperterminal, PuTTY, etc). Like before, connect at 9600 8N1 and turn on the Firebox. After the POST, you will see pfSense begin to boot, eventually landing on the initial configuration. Here you will configure your WAN, LAN, and additional ports. Ports 1-4 will be mapped to interfaces sk0 – sk3. Ports 5-8, if available, will be mapped to interfaces msk0 – msk3. Be sure to put your critical network devices on the sk interfaces – the msk interfaces have been known to have stability issues in the past. Once you have your WAN & LAN connections setup, you can plug your computer into the LAN port, navigate to the Web UI, and configure your new pfSense firewall – but that’s another article.
Several further enhancements exist to improve functionality of the pfSense flashed WatchGuard firewalls. Community support has been integral in implementing fan control to help quiet the banshee like howl of the fans; with healthy fans in a residential environment, the fans slow down to a whisper (stay tuned as I am working to release an enhanced version of the fan control!). So too has the community found a way to enable the LCD, and buttons, on the front of the firewall, making this mod feel factory once complete. Beyond software mods, hardware additions also exist. On the SSL boxes & the x550e, it is possible to add the extra NICs found in the x750e and x1250e for additional capacity. Because the entire firewall is a specialized x86 computer, the processor and memory can be upgraded. If you are using the box as a VPN gateway, hardware encryption cards pop right in although support is in the air. Finally, a hard drive can be added which supports more advanced features of pfSense, like squid caching to help reduce the load on your external connection. Most of this is overkill in a residential home – the benefits become apparent in a small business environment and above. Look for a future post detailing how these improvements.
Learn how to control the fan speed here -> https://www.hexhound.com/quiet-the-fan-on-your-pfsense-watchguard-firewall/