Difference between revisions of "Watchguard XTM 5"
Revision as of 18:51, 28 August 2016
Sticker on back says "WatchGuard XTM 5 series XTM 520"
Hardware description
Fairly nifty little box:
- More or less normal x86 Wintel board inside the box
- 1x 10/100baseT port on the front (Labeled "0")
- 6x 1000baseT ports on the front (Labeled "1" through "6")
- 8P8C modular connector serial console port -- The BIOS is configured for serial port redirection. And a normal Cisco console cable works well.
- 2x USB ports inside
- motherboard has a single Socket 775 Celeron 440 CPU (not very exciting, but this will turn exciting later on)
- 2x DDR2 DIMM sockets
- Compact Flash port (not sure of the largest capacity supported -- the WatchGuard OS is delivered on a 1Gbyte CF card)
- 2x SATA (SATA 2, probably, based on age) ports on motherboard.
- 2x SATA power connectors included on the power supply
- 1x DDR2 PC6400 1Gbyte DIMM
Modifications so far
- Replaced the DIMM with 2x 1Gbyte PC6400 DIMMs from a Dell Optiplex 740, for 2Gbytes of RAM
- Removed the CF card and made a backup image of its contents.
Stuff on order
- Xeon L5430 processor (4 cores, 2.66GHz clock, 12Mbytes of L2 cache). This is not a Socket 775 part, but it is a Socket 771 package, and there are readily available kits for placing a Socket 771 Xeon in a Socket 775 system board.
- Socket 771 CPU -> Socket 775 socket adapter ("Xeon inside" stickers included)
- 4 and 8Gbyte CompactFlash cards
Progress toward Linuxification
- Pulled 1Gbyte Transcend CompactFlash card out, made backup copy of its contents on desktop machine 2016-08-23
- Located a working 160Gbyte 2.5inch SATA hard drive and commenced to wiping it and ...
- wiped (with bits from /dev/urandom) said hard drive
- partitioned and LVMed said hard drive
- debootstrapped Debian Jessie onto said hard drive:
  sudo debootstrap --components=main,contrib,non-free --verbose jessie target
  chroot target bin/bash --login
and, inside the chroot, run
  apt-get update
  apt-get install bash-completion vim-nox sudo openssh-server
  groupadd -g 1000 adj
  useradd -u 1000 -g 1000 -s /bin/bash -m adj
  passwd adj
  dpkg-reconfigure -p low debconf
  apt-get install grub-pc   # make GRUB use serial console instead of VGA
  apt-get install linux-image-3.16.0-4-amd64
- Pulled hard drive, placed in WatchGuard box.
- Realized totally forgot an /etc/fstab. We'll see what happens without...
- Worse realization: No LVM tools in initramfs. (Seeing as I didn't install them inside the debootstrapped chroot. D'oh!)
- DANGER: Voodoo! Creating LVM logical volume device-mapper mappings without the LVM tools is not a good idea (but it works if you have a good reference for the tables somewhere):
  (initramfs) dmsetup create vg00-root --table "0 2097152 linear 8:2 2048"
  (initramfs) dmsetup create vg00-tmp --table "0 8388608 linear 8:2 4196352"
  (initramfs) dmsetup create vg00-var --table "0 8388608 linear 8:2 12584960"
  (initramfs) dmsetup create vg00-usr --table "0 8388608 linear 8:2 20973568"
  mount -t ext4 /dev/dm-0 /root
  mount -t ext4 /dev/dm-1 /root/tmp
  mount -t ext4 /dev/dm-2 /root/var
  mount -t ext4 /dev/dm-3 /root/usr
  chroot /root /bin/bash --login
(yay for built-in journal playback. And for forgetting to vgchange -an vg00 on the machine that ran the debootstrap.)
- Add an entry to /etc/network/interfaces and ifup eth1
- create a good /etc/fstab
- Make sure /boot is mounted (update-initramfs needs to write here)
  apt-get install lvm2
  rm /etc/mtab; ln -s /proc/mounts /etc/mtab
- reboot
  apt-get install locales
- Fix up network device names in /etc/udev/rules.d/70-persistent-net.rules (my box's ports are numbered 0-6 on the front and have increasing MAC addresses to correspond)
  apt-get install pciutils flashrom
- Fix hostname and /etc/hosts file
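The dmsetup step above hand-builds the tables that lvm2 would normally derive from the PV metadata. As an added example (not from the original page), here is the arithmetic behind those four tables plus an overlap/bounds check worth running before creating mappings by hand; it assumes the LVM default 4MiB extent size and infers the extent positions from the page's numbers (the 1Gbyte hole between root and tmp is whatever LV the page never maps).

```python
"""Build and sanity-check device-mapper linear tables for LVM logical volumes.

Added example, not from the original page. Assumes the vg00 layout implied by
the page's tables: PV on 8:2 with its data area starting at sector 2048 and
the LVM default extent size of 4MiB (8192 sectors); the extent indices below
are inferred from those tables, not read from real LVM metadata.
"""
import re
from typing import Dict, List, Tuple

EXTENT_SECTORS = 4 * 1024 * 1024 // 512          # 8192 sectors per 4MiB extent
TABLE_RE = re.compile(r"^0 (\d+) linear (\S+) (\d+)$")


def linear_table(dev: str, pe_start: int, first_extent: int, extents: int) -> str:
    """dmsetup table for an LV that occupies `extents` contiguous extents."""
    length = extents * EXTENT_SECTORS
    offset = pe_start + first_extent * EXTENT_SECTORS
    return f"0 {length} linear {dev} {offset}"


def check_tables(tables: Dict[str, str], dev_sectors: int) -> List[str]:
    """Problems to fix before running dmsetup: two LVs mapped onto the same
    sectors of one backing device, or a mapping that runs past its end."""
    spans: List[Tuple[str, int, int, str]] = []
    for name, table in tables.items():
        m = TABLE_RE.match(table)
        if not m:
            return [f"{name}: unparsable table {table!r}"]
        length, dev, offset = int(m[1]), m[2], int(m[3])
        spans.append((dev, offset, offset + length, name))
    spans.sort()                                  # by device, then start sector
    problems = []
    for (d1, _, e1, n1), (d2, s2, _, n2) in zip(spans, spans[1:]):
        if d1 == d2 and s2 < e1:
            problems.append(f"{n1} overlaps {n2}")
    for _, _, end, name in spans:
        if end > dev_sectors:
            problems.append(f"{name} ends past device end")
    return problems


def vg00_tables() -> Dict[str, str]:
    """Reproduce the page's four tables: root is 256 extents, then a 256-extent
    hole the page never maps, then tmp, var and usr at 1024 extents each."""
    layout = {"vg00-root": (0, 256), "vg00-tmp": (512, 1024),
              "vg00-var": (1536, 1024), "vg00-usr": (2560, 1024)}
    return {lv: linear_table("8:2", 2048, first, count)
            for lv, (first, count) in layout.items()}
```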
At this point, Debian is installed and mostly configured.
Success!
BIOS update
WatchGuard's BIOS allows the appliance's owner to change only the date and time. This is not cool. Fortunately, there is an awesome guy out there called stephenw10 who has done a bit of hackery on the BIOS file which lets owners own their boxes. :)
Process:
  sudo flashrom --verbose --programmer internal -r stock_bios_image.bin   # save a backup of the stock BIOS bits
  wget --no-check-certificate 'https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom?attredirects=0&d=1'   # the correct cert doesn't exist in Debian 8 for some reason. Works fine in Chrome/Firefox
  mv xtm5_83.rom\?attredirects\=0\&d\=1 xtm5_83.rom   # a much less stupid filename
  sudo flashrom --verbose --programmer internal -w xtm5_83.rom   # write StephenW10's modded BIOS image to the flash chip
  sudo shutdown -h now   # power off system
- then remove the coin cell battery for a few minutes (or find the "clear CMOS settings" jumper)
- While we're at it, pull out the (mostly pointless now) Cavium Networks crypto accelerator card
- Play a couple rounds of Candy Crush waiting for the CMOS RAM to lose its bits
- Re-install battery (orientation matters here!)
- Apply power
- Turn on machine
- Hit <TAB> on the serial console a couple of times (Not <DEL>)
- Enjoy happy access to all of the BIOS setup menus
Special thanks to StephenW10 of the PFsense world for the BIOS image, lots of info about the hardware, and general awesomeness.
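Before the flashrom -w step, comparing the backup just read against the image about to be written is a cheap sanity check: the sizes must match the chip, and the changed ranges show how much of the ROM the mod actually touches. Added example, not from the original page or from stephenw10; the two images in it are constructed stand-ins, not the real ROM contents.

```python
"""Compare a stock BIOS dump with the replacement image before flashing it.

Added example, not from the original page. STOCK_IMAGE and MODDED_IMAGE are
constructed stand-ins for stock_bios_image.bin and xtm5_83.rom, not real ROMs.
"""
from typing import List, Tuple


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """(offset, length) of every run of bytes where a and b differ.
    A size mismatch raises: an image that is not exactly the size of the flash
    chip must never be handed to flashrom -w."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                       # a run of differences begins
        elif x == y and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:                   # differences run to the end
        ranges.append((start, len(a) - start))
    return ranges


def changed_fraction(a: bytes, b: bytes) -> float:
    """Share of the image (0.0 .. 1.0) that the replacement alters."""
    return sum(n for _, n in differing_ranges(a, b)) / len(a)


def compare_files(stock_path: str, new_path: str) -> List[Tuple[int, int]]:
    """Same check on two files, e.g. the flashrom -r dump and the download."""
    with open(stock_path, "rb") as f:
        stock = f.read()
    with open(new_path, "rb") as f:
        new = f.read()
    return differing_ranges(stock, new)


# Constructed 1MiB stand-ins: the "modded" copy patches two small regions.
STOCK_IMAGE = bytes(range(256)) * 4096
_modded = bytearray(STOCK_IMAGE)
_modded[0x1000:0x1004] = b"\xaa" * 4
_modded[0xF0000:0xF0010] = b"\xff" * 16
MODDED_IMAGE = bytes(_modded)
```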
Other good packages
  apt-get install iucode-tool intel-microcode   # patch the CPU
  apt-get install iperf   # network performance testing
Making it a router
IPv6 things
apt-get install radvd ndisc6 # IPv6 tools
We'll have to fill this in later when it takes over the routing duties from sacredchao.
OpenVPN
apt-get install openvpn
Network performance numbers
Installed iperf above. Let's see how many bits we can push through the network...
Over eth0, the 100baseT port:
adj@debiwall:~$ iperf -c 172.16.0.1 -t 180
------------------------------------------------------------
Client connecting to 172.16.0.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 172.16.0.55 port 35942 connected with 172.16.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-180.0 sec  1.97 GBytes  94.1 Mbits/sec
adj@debiwall:~$
This is over one of the GigE ports:
adj@debiwall:~$ iperf -c 172.16.0.1 -t 180
------------------------------------------------------------
Client connecting to 172.16.0.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 172.16.0.44 port 43872 connected with 172.16.0.1 port 5001
[ 6059.633499] perf: interrupt took too long (3161 > 3151), lowering kernel.perf_event_max_sample_rate to 63250
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-180.0 sec  19.7 GBytes   941 Mbits/sec
adj@debiwall:~$
So pretty much line rate for IPv4 over both of those. On to IPv6:
adj@debiwall:~$ iperf -V -c 2001:470:ba93:10::1 -t 180
------------------------------------------------------------
Client connecting to 2001:470:ba93:10::1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 2001:470:ba93:10:290:7fff:fe86:1e77 port 47714 connected with 2001:470:ba93:10::1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-180.0 sec  1.95 GBytes  92.8 Mbits/sec
adj@debiwall:~$
Down by 1.3Mbits/sec for IPv6. Probably just about the overhead of the larger layer 3 headers. Seems perfectly fine still.
adj@debiwall:~$ iperf -V -c 2001:470:ba93:10::1 -t 180
------------------------------------------------------------
Client connecting to 2001:470:ba93:10::1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 2001:470:ba93:10:290:7fff:fe86:1e78 port 59108 connected with 2001:470:ba93:10::1 port 5001
[ 7489.422197] perf: interrupt took too long (3972 > 3951), lowering kernel.perf_event_max_sample_rate to 50250
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-180.0 sec  19.5 GBytes   928 Mbits/sec
adj@debiwall:~$
Line rate again with IPv6. (Much nicer on the power bill than the PE1950, too.)
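As an added check (not from the original page) of the "header overhead" explanation: the expected goodput of a full-MTU TCP stream with IPv4 versus IPv6 headers, assuming a 1500-byte MTU, Linux's default 12-byte TCP timestamp option and standard Ethernet framing. iperf prints three significant figures, so 941.5 and 928.5 show up as 941 and 928 above.

```python
"""Expected TCP goodput over Ethernet with IPv4 versus IPv6 headers.

Added example, not from the original page. Assumes a 1500-byte MTU, Linux's
default TCP timestamp option (12 bytes per segment) and standard Ethernet
framing; link rates are in the 10^6 bit/s units iperf uses.
"""
# Per-frame bytes on the wire that carry no TCP payload.
ETH_OVERHEAD = 8 + 14 + 4 + 12   # preamble/SFD + header + FCS + inter-frame gap
IP_HEADER = {4: 20, 6: 40}       # the 20 extra bytes are the whole IPv6 "cost"
TCP_HEADER = 20
TCP_OPTIONS = 12                 # timestamps (10 bytes) padded with two NOPs


def tcp_goodput_mbps(link_mbps: float, ip_version: int, mtu: int = 1500) -> float:
    """Payload Mbit/s a full-size TCP stream can deliver on a link of link_mbps."""
    mss = mtu - IP_HEADER[ip_version] - TCP_HEADER - TCP_OPTIONS
    frame_bytes = mtu + ETH_OVERHEAD
    return link_mbps * mss / frame_bytes


def ipv6_penalty_mbps(link_mbps: float, mtu: int = 1500) -> float:
    """How much link capacity the larger IPv6 header costs, in Mbit/s."""
    return tcp_goodput_mbps(link_mbps, 4, mtu) - tcp_goodput_mbps(link_mbps, 6, mtu)


def report(link_mbps: float) -> dict:
    """Figures rounded to one decimal, the way iperf prints the 100M results."""
    return {
        "ipv4": round(tcp_goodput_mbps(link_mbps, 4), 1),
        "ipv6": round(tcp_goodput_mbps(link_mbps, 6), 1),
        "ipv6_penalty": round(ipv6_penalty_mbps(link_mbps), 1),
    }
```

At 100 Mbit/s the model gives 94.1 and 92.8 Mbit/s, a 1.3 Mbit/s gap, which is exactly the pair of numbers measured on eth0 above.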
Firewall beginnings
  apt-get install nftables   # it's maybe more better-er than iptables ?
  apt-get install vlan   # Yes, we do have lots of Ethernet interfaces, but sometimes one cable is plenty
  apt-get install tcpdump   # packet captures are super useful!
  apt-get install fail2ban   # wouldn't want a firewall that can't automatically add rules to block abusive systems, would you?
  apt-get install screen   # best .. tool .. ever (Unless you're a tmux person. Then just s/screen/tmux/)
  apt-get install lldpd   # Lets our switches know what is plugged into the port (and which switch port we are plugged in to)
  apt-get install smart
CPU Upgrade, anyone?
Celeron 440 is not exactly a screaming piece of computing hardware, but it is what's in there now: 35 Watt TDP, one core, no hyperthreading, 2.0GHz clock. There are people out there who have discovered that a Socket 771 Xeon can be modded to fit in the Socket 775 on the board. Nicest available Socket 771 Xeon is the Xeon L5430 -- 50 Watt TDP, 4 cores, no hyperthreading, 2.66GHz clock. (There is a Xeon L3360 CPU in a Socket 775 package (no need for an adapter) with 4 cores, a faster clock and a 65 Watt TDP, but it costs 4 times as much on eBay when it is available.) So L5430 it is...
Credit for this idea goes to people on the pfsense forums.
See http://www.delidded.com/lga-771-to-775-adapter/ for tutorial/references.
Start state
adj@debiwall:~$ hostname; echo; date; echo; lscpu; echo; dmesg | grep -i bogo
debiwall

Sun Aug 28 18:39:56 UTC 2016

Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                1
On-line CPU(s) list:   0
Thread(s) per core:    1
Core(s) per socket:    1
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 22
Model name:            Intel(R) Celeron(R) CPU 440 @ 2.00GHz
Stepping:              1
CPU MHz:               1994.993
BogoMIPS:              3989.98
L1d cache:             32K
L1i cache:             32K
L2 cache:              512K
NUMA node0 CPU(s):     0

[    0.012013] Calibrating delay loop (skipped), value calculated using timer frequency.. 3989.98 BogoMIPS (lpj=7979972)
[    0.220003] smpboot: Total of 1 processors activated (3989.98 BogoMIPS)
adj@debiwall:~$