Difference between revisions of "Watchguard XTM 5"

From FnordWiki
Line 86: Line 86:
 
* Hit <TAB> on the serial console a couple of times (Not <DEL>)
 
* Hit <TAB> on the serial console a couple of times (Not <DEL>)
 
* Enjoy happy access to all of the BIOS setup menus
 
* Enjoy happy access to all of the BIOS setup menus
  +
  +
== Making it a router ==
  +
=== IPv6 things ===
  +
apt-get install radvd ndisc6 # IPv6 tools
  +
  +
We'll have to fill this in later when it takes over the routing duties from [[sacredchao]].
  +
  +
=== OpenVPN ===
  +
apt-get install openvpn
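Review bot: The added `=== OpenVPN ===` subsection is a bare `apt-get install openvpn` with no sign that configuration is still to be written, while the IPv6 subsection at least says it will be filled in later. Add the same placeholder sentence under OpenVPN (or the actual configuration steps) so that `== Making it a router ==` does not read as a finished setup when it only installs packages.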

Revision as of 16:12, 25 August 2016

Sticker on back says "WatchGuard XTM 5 series XTM 520"

Fairly nifty little box:

  • More or less normal x86 Wintel board inside the box
  • 1x 10/100baseT port on the front (Labeled "0")
  • 6x 1000baseT ports on the front (Labeled "1" through "6")
  • 8P8C modular connector serial console port -- and the BIOS is configured for serial port redirection
  • 2x USB ports inside
  • motherboard has a single Socket 775 Celeron 440 CPU (not very exciting, but this will turn exciting later on)
  • 2x DDR2 DIMM sockets
  • Compact Flash port (not sure of the largest capacity supported). The WatchGuard OS is delivered on a 1Gbyte CF card.
  • 2x SATA (SATA 2, probably, based on age) ports on motherboard.
  • 2x SATA power connectors included on the power supply
  • 1x DDR2 PC6400 1Gbyte DIMM

Modifications so far

  • Replaced DIMM with 2x 1Gbyte PC6400 DIMMs from a Dell Optiplex 740, for 2Gbytes of RAM
  • Removed CF card and made a backup image of its contents.

Stuff on order

  • Xeon L5430 processor (4 cores, 2.66GHz clock, 12Mbytes of L2 cache). This is a Socket 771 package rather than a Socket 775 part, but there are readily available kits for placing a Socket 771 Xeon in a Socket 775 system board.
  • Socket 771 CPU -> Socket 775 socket adapter ("Xeon inside" stickers included)
  • 4 and 8Gbyte CompactFlash cards

Progress toward Linuxification

  • Pulled 1Gbyte Transcend CompactFlash card out, made backup copy of its contents on desktop machine 2016-08-23
  • Located a working 160Gbyte 2.5inch SATA hard drive and commenced to wiping it and ...
  • debootstrapped Debian Jessie onto said hard drive: sudo debootstrap --components=main,contrib,non-free --verbose jessie target
  • chroot target bin/bash --login and run
apt-get update
apt-get install bash-completion vim-nox sudo openssh-server
groupadd -g 1000 adj
useradd -u 1000 -g 1000 -s /bin/bash -m adj
passwd adj
dpkg-reconfigure -p low debconf
apt-get install grub-pc
# make GRUB use serial console instead of VGA
apt-get install linux-image-3.16.0-4-amd64
  • Pulled hard drive, placed in WatchGuard box.
  • Realized totally forgot an /etc/fstab. We'll see what happens without...
  • Worse realization: No LVM tools in initramfs. (Seeing as I didn't install them inside the debootstrapped chroot. D'oh!)
  • DANGER: Voodoo! Creating LVM logical volume device mapper mappings without the LVM tools is not a good idea (but it works if you have a good reference for the tables somewhere)
(initramfs) dmsetup create vg00-root --table "0 2097152 linear 8:2 2048"
(initramfs) dmsetup create vg00-tmp --table "0 8388608 linear 8:2 4196352"
(initramfs) dmsetup create vg00-var --table "0 8388608 linear 8:2 12584960"
(initramfs) dmsetup create vg00-usr --table "0 8388608 linear 8:2 20973568"
mount -t ext4 /dev/dm-0 /root
mount -t ext4 /dev/dm-1 /root/tmp
mount -t ext4 /dev/dm-2 /root/var
mount -t ext4 /dev/dm-3 /root/usr
chroot /root /bin/bash --login

(Yay for built-in journal playback. And for forgetting to vgchange -an vg00 on the machine that ran the debootstrap.)
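The tables typed at the initramfs prompt above follow from the volume group's metadata: a linear segment starts at pe_start plus its first physical extent times extent_size. As an added example (not part of the original page), this Python derives them from a metadata backup; the sample text, its 4 MiB extent size and the extent positions are constructed to reproduce the page's numbers.

```python
import re
NAME = r"[\w.+-]+"   # characters LVM allows in VG/LV/PV names

# Constructed sample: whitespace-condensed text in the style of
# /etc/lvm/backup/vg00, values chosen to reproduce the tables above.
SAMPLE = """
vg00 {
    extent_size = 8192            # sectors, i.e. 4 MiB
    physical_volumes { pv0 { device = "/dev/sda2"  pe_start = 2048 } }
    logical_volumes {
        root { segment1 { start_extent = 0  extent_count = 256
                          stripes = [ "pv0", 0 ] } }
        tmp  { segment1 { start_extent = 0  extent_count = 1024
                          stripes = [ "pv0", 512 ] } }
        var  { segment1 { start_extent = 0  extent_count = 1024
                          stripes = [ "pv0", 1536 ] } }
        usr  { segment1 { start_extent = 0  extent_count = 1024
                          stripes = [ "pv0", 2560 ] } }
    }
}
"""

def num(key, text):
    return int(re.search(key + r"\s*=\s*(\d+)", text).group(1))

def dm_tables(meta, devices):
    """Return {dm name: [table lines]}; devices maps PV name -> dmsetup device."""
    vg = re.search(r"(%s)\s*\{" % NAME, meta).group(1)
    extent = num("extent_size", meta)
    pe_start = {pv: int(s) for pv, s in re.findall(
        r"(%s)\s*\{[^{}]*?pe_start\s*=\s*(\d+)" % NAME, meta)}
    lv_re = r"(%s)\s*\{([^{}]*(?:segment\d+\s*\{[^{}]*\}[^{}]*)+)\}" % NAME
    tables = {}
    for lv, body in re.findall(lv_re, meta.split("logical_volumes", 1)[1]):
        lines = []
        for seg in re.findall(r"segment\d+\s*\{([^{}]*)\}", body):
            hit = re.search(r'stripes\s*=\s*\[\s*"(%s)"\s*,\s*(\d+)\s*\]' % NAME, seg)
            if hit is None:   # striped or mirrored: not expressible as "linear"
                raise ValueError("%s: not a single linear stripe" % lv)
            pv, first_pe = hit.group(1), int(hit.group(2))
            lines.append("%d %d linear %s %d" % (
                num("start_extent", seg) * extent, num("extent_count", seg) * extent,
                devices[pv], pe_start[pv] + first_pe * extent))
        # device-mapper names double any hyphen inside the VG or LV name
        tables["-".join(n.replace("-", "--") for n in (vg, lv))] = lines
    return tables

if __name__ == "__main__":
    for name, lines in dm_tables(SAMPLE, {"pv0": "8:2"}).items():
        print(name, lines)
```

An LV with several segments yields several table lines, which dmsetup reads from standard input rather than from --table.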

  • Add an entry to /etc/network/interfaces and ifup eth1
  • create a good /etc/fstab
  • Make sure /boot is mounted (update-initramfs needs to write here)
  • apt-get install lvm2
  • rm /etc/mtab; ln -s /proc/mounts /etc/mtab
  • reboot
  • apt-get install locales
  • Fix up network device names in /etc/udev/rules.d/70-persistent-net.rules (my box's ports are numbered 0-6 on the front and have increasing MAC addresses to correspond)
  • apt-get install pciutils flashrom
  • Fix hostname and /etc/hosts file

At this point, Debian is installed and mostly configured.

Success!

BIOS update

WatchGuard's BIOS allows the appliance's owner to change only the date and time. This is not cool. Fortunately, there is an awesome guy out there called stephenw10 who has done a bit of hackery on the BIOS file which lets owners own their boxes. :)

Process:

sudo flashrom --verbose --programmer internal -r stock_bios_image.bin        # save a backup of the stock BIOS bits
wget --no-check-certificate 'https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom?attredirects=0&d=1'    # the correct cert doesn't exist in Debian 8 for some reason.  Works fine in Chrome/Firefox
mv xtm5_83.rom\?attredirects\=0\&d\=1 xtm5_83.rom                            # a much less stupid filename
sudo flashrom --verbose --programmer internal -w xtm5_83.rom                 # write StephenW10's modded BIOS image to the flash chip
sudo shutdown -h now                                                         # power off system
  • then remove the coin cell battery for a few minutes (or find the "clear CMOS settings" jumper)
  • While we're at it, pull out the (mostly pointless now) Cavium Networks crypto accelerator card
  • Play a couple rounds of Candy Crush waiting for the CMOS RAM to lose its bits
  • Re-install battery (orientation matters here!)
  • Apply power
  • Turn on machine
  • Hit <TAB> on the serial console a couple of times (Not <DEL>)
  • Enjoy happy access to all of the BIOS setup menus

Making it a router

IPv6 things

apt-get install radvd ndisc6        # IPv6 tools

We'll have to fill this in later when it takes over the routing duties from sacredchao.

OpenVPN

apt-get install openvpn