Hey everyone, just wanted to share my experience with you on how to install pfSense on a Watchguard XTM 5 525, in case anyone has an old box laying around with no active subscription.
The reason I did that, was I needed to separate my 1G fiber connection for 4 different flats we have here in 2 buildings with an option to isolate all the IoT stuff and guest Wifi. Consumer routers will have their limits here, so I was looking into an alternative.
I got two of these boxes for 29€ ea. on eBay in perfect condition, one acts as a cold standby. It's running on x86 hardware, it's upgradable and has 6 Intel Gigabit NICs. There are different models of the XTM 5: 505, 515, 525, 545.
The difference in hardware is mainly the CPU and memory, where for example an XTM 515 has a 2.0 GHz Celeron 440 Single Core and 1 GB Memory and an XTM 525 has a 2.6 GHz Celeron E3400 Dual Core. Because of Socket 775 there are plenty of options when it comes to CPU upgrades.
I threw in a XEON 3050, which clocks a bit lower with 2.13 GHz, has a bit faster FSB and a lower Tcase of 61,4 °C instead of 74,1 °C of the E3400. But you can also use much more powerful Quad Core Core2Duo, Core2Quad and XEON 3000 series and Pentium 4 Extreme series, for the drawback of higher power consumption, more heat dissipation, noise and probably lower lifetime.
If you consider a CPU upgrade, visit the Intel website for the specs, to check the power consumption and heat dissipation. A Celeron 440 will draw only 30 Watts of power, while dual or quad cores can easily draw 60 to 70 watts, which will increase your monthly power bill fast. You can get Socket 775 CPUs on eBay for 2-3 €, same for memory. I recommend 2x 2GB DDR2 800 modules because of dual channel mode and the very low price. It's reported that the mainboards in those boxes only support 4GB of memory, but pfSense will run just fine with only 2GB or even 1GB depending on the workload.
Prerequisites
Things you need or should consider:
- Watchguard XTM 5 Series appliance
- 2.5” HDD or SSD which can withstand 24/7 reliably
- A PC or Laptop with a free SATA Port
- 4GB USB pen drive
- SATA II / III cable of approx. 30 cm with one side angled 90 degree for better mounting
- USB – Console Cable (optional)
- 2x 2GB DDR2 800 Memory (optional, non-ECC)
- Socket 775 CPU with more or less power (optional)
- Thermal grease (optional, when you want to replace the CPU, make sure to clean the heatsink and use new thermal grease)
- Silent 40mm fans if you want to make the appliance even more quiet (optional)
  - 3x for the case and CPU
  - 1x for the power supply
  - Normal 40x20mm 3 pin fans e.g. from NOCTUA, but I recommend trying the default setup first, because the BIOS of the XTM 5 does thermal management and lowers the fan speeds quite well
Hardware Upgrade
If you're planning to upgrade the hardware here are some pictures, you will at least need to open the box to mount the hard drive and remove some parts. You see the PSU on the left and a sort of usual x86 mainboard with all the NICs. Watchguard's OS is flashed to the 1GB industrial grade CF card. Next to it is a VPN accelerator board from CAVIUM which is not supported by pfSense due to the lack of drivers. In any case you will need to remove the VPN accelerator board and the CF card!
I used the following upgrade to give my appliance a bit more juice, got all of them on eBay for less than 50 €:
- 2x 2GB DDR2 800 Memory
- 250GB Samsung SSD
- Intel XEON 3050 2.12 GHz Dual Core
Remove the heatsink and install the new CPU, also apply thermal grease. I used some Arctic MX-2, apply only a tiny bit in the size of a pea. Make sure the CPU is seated properly and mount the heatsink carefully. Replace the old memory, but do not mount the hard drive yet. Remove the PCI-Express CAVIUM Nitrox VPN accelerator board and the 1GB Compact Flash card, keep it if you want to go back to Fireware OS sometime.
Installation Part 1
Because you have no VGA out you will have to do a little workaround. While you could use a regular USB to Console cable, like one from Cisco, you won't be able to run the installer from a USB pen drive, because this option has been deactivated in BIOS for security reasons and the password is hardcoded, so you can't just enable it.
For that reason, we're going to pre-install the OS on the hard drive/SSD with the help of another PC or Laptop, then attach the drive to the Watchguard and do the rest of the configuration tasks on the web interface.
- Download the pfSense ISO from the “Download pfSense Community Edition” page
  - Choose AMD64
  - USB Memstick Installer
  - Serial
  - Mirror of your choice
- Burn the ISO with “Win32 Disk Imager” to the USB drive
- Hook up your SSD to an old Laptop or PC and make sure you are booting in legacy mode and the SSD is the only drive attached, otherwise you will run into trouble when the Watchguard tries to boot it
- Attach the USB Drive and boot from it, the installer will start automatically
- You can blindly run the installer with the default settings, make sure you select the SSD and hit automatic partitioning
- When the installer finishes and asks for a reboot, do so, but immediately after the shutdown, power off the PC and do not boot the SSD drive
Installation Part 2
- Mount the SSD into your Watchguard, use the SATA power connector from the PSU and the SATA cable and attach them to the drive and the mainboard's SATA connector.
- There is no genuine mounting bracket which will hold your drive in place, so you either build yourself one from scrap parts or fix it somehow with zip ties. For me, an old 2.5” drive cage from a Lenovo I guess, did the trick. I mounted it with two screws which fit the holes in the cage, the box has four mounting points in total which you could use.
- Connect an ethernet cable from your PC to the Watchguard on Port #2, where DHCP runs by default and which will be the first optional LAN port
- Power on the box and wait until it has booted, you will hear some friendly beeps when it's ready
- Open the pfSense web interface through http://192.168.1.1. Default login is admin / pfsense
- You're now all set and good to go to do all the configurations you need
Installation via Console
You need a RJ45 to USB console cable, e.g. from a Cisco Box and then you can connect to the Terminal with these settings:
- Speed: 115200
- Data Bits: 8
- Stop Bits: 1
- Parity: None
- Flow Control: None
You need to burn the ISO to USB, hook it up in one of the ports. Attach the console cable and open a Terminal. Boot up the Firebox and you should be able to install pfSense through terminal.
Maybe someone finds this helpful, because there are several guides on the net, but most of them are outdated.
Edit:
Hardware compatibility
Check the hardware specs on Watchguard's “Hardware Guides” site (Hardware Guides | WatchGuard Technologies): some run on Freescale CPUs, some others on Intel.
Also, some have a CF card, while newer boxes already use mSATA.