OpenWrt on Watchguard Firebox M400

Watchguard Firebox M400 is going out of support in June 2023, so there might be an influx of these devices into the secondary market. In my opinion, this is a very good device to run OpenWrt on...

The M400 is a very straightforward x64 device (I believe it is actually made by Lanner; maybe @RaylynnKnight knows the exact model number?). The specs are as follows:

  • Processor: Intel Celeron G1820
  • RAM: 4 GB
  • Storage: 4 GB CF card
  • Networking: 8 x Intel i210 (6 x RJ-45 + 2 x SFP)

There's some skullduggery going on around BIOS, so I wasn't able to get into it (but I didn't try all that hard, and I know that some people have had it unlocked entirely). In my case, it wasn't strictly necessary, so I just downloaded the latest OpenWrt (SquashFS / BIOS, although ext4 / BIOS would probably have worked just as well), flashed it onto a CF card, swapped that card into the M400, replacing the card with stock firmware, and everything JustWorked™:

Obviously, the screenshot above was taken after a few add-ons were installed... :smile:

OpenWrt recognized all eight ports without a problem and, per tradition, made eth0 LAN and eth1 WAN. By editing /etc/config/network, I swapped those designations (so eth0 became WAN and eth1, LAN) and added all yet-unassigned ports (eth2 through eth7) into the LAN bridge, just to be able to test them. After reboot, all ports appeared to function normally (obviously, your mileage may vary with SFP ports depending on what SFP cartridges you use).

All in all, an absolutely uneventful journey. Highly recommended to anyone who wants a rack-mountable OpenWrt device. Please note that this device has a bigger sibling, the M500, which, I surmise, should be about as easy to wrangle as the M400 has been. Note also that junior siblings, M200 and M300, despite the similarity of looks, are not x86, but rather Freescale, so a totally different can of worms. Come to think of it, the Wiki has an entry on the M300; very different indeed...

In the department of it's never perfect, the Arm LED remains red. I have not tried to fight it yet, but I know it's manageable under pfSense / OPNsense. On Netgate forums, there's stephenw10, a Netgate developer, who wrote a FreeBSD utility called WGXepc, which is used to manage miscellaneous hardware, including the said LED, on Watchguard devices running "the senses". I have used WGXepc on an M400 running OPNsense nano, and it worked as advertised. I was able to set the Arm LED to switch green at the end of the boot sequence and adjust the default fan speed, also at the end of the boot sequence. So in the worst case scenario, someone will have to see if WGXepc can be ported to Linux...

2 Likes
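The port layout described in the post above (eth0 as WAN, eth1 through eth7 in the LAN bridge), as an added example that is not part of the original thread. It assumes the `config device` / `list ports` syntax of OpenWrt 21.02 and later and the default LAN address; the function names `render_network` and `wan_bridged` are hypothetical. The second function checks the failure mode that matters after such a swap: the WAN port ending up inside the LAN bridge, where the upstream link would sit on the LAN side of the firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenWrt 21.02+ syntax
# (config device / list ports); 192.168.1.1/24 is the OpenWrt default LAN.

# render_network WAN_IF LAN_PORT...  -> prints /etc/config/network stanzas
render_network() {
    wan_if=$1; shift
    printf "config device\n\toption name 'br-lan'\n\toption type 'bridge'\n"
    for p in "$@"; do
        printf "\tlist ports '%s'\n" "$p"
    done
    printf "\nconfig interface 'lan'\n\toption device 'br-lan'\n"
    printf "\toption proto 'static'\n\toption ipaddr '192.168.1.1'\n"
    printf "\toption netmask '255.255.255.0'\n"
    printf "\nconfig interface 'wan'\n\toption device '%s'\n" "$wan_if"
    printf "\toption proto 'dhcp'\n"
}

# wan_bridged FILE -> exit status 0 if the wan device is also listed as a
# bridge port (misconfiguration), 1 otherwise.
wan_bridged() {
    awk '
        { gsub(/\047/, "") }                      # strip single quotes
        $1 == "config" { sect = $2; name = $3 }   # track current section
        sect == "device" && $1 == "list" && $2 == "ports" { port[$3] = 1 }
        sect == "interface" && name == "wan" && $2 == "device" { wan = $3 }
        END { exit ((wan != "" && (wan in port)) ? 0 : 1) }
    ' "$1"
}

# Layout from the post: eth0 = WAN, eth1..eth7 bridged as LAN.
render_network eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
```

Running `wan_bridged /etc/config/network` on the device before connecting the upstream cable confirms that the WAN port was not left in `br-lan`.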

Looks like a custom variant of the FW-7585.

What worries me a bit from the specs (without ever having touched one) are the idle power consumption (Lanner suggests a 220W PSU, Watchguard only says 75 watts max.; for the device configured as-is, that would be o.k.) and the fan volume (three 40mm fans). If they've done a good job about the former, I would expect around 30W idle (which would still be a lot, but the device is powerful) and the fans suggest quite some noise…

Well, in the Watchguard implementation, there's plenty of empty space inside the enclosure, plus the device is running off a CF card. At the same time, even in the Watchguard implementation, there are power connectors for two SATA drives and, if memory serves, three SATA data connectors on the motherboard. There's also a reverse PCIe connector for a daughter board, which conceivably could accommodate an eight-port Gigabit switch or some kind of multi-gig thingamabob...

Also, Celeron G1820 has a TDP of 53W, but the socket it sits in can take up to an i7-4xxx processor with TDP of up to 84W.

So it appears that what I have on hand is very much a base model that could be (and was) expanded in a variety of ways...