The WatchGuard Firebox M470 and related models (M370, M570, M670) reached end of sale on July 1, 2023 and will remain in support with the manufacturer until July 1, 2028. However, the manufacturer encourages its customers to upgrade, so there are already units available on the secondary market, and there are reasons to expect more. We believe these devices are made by Lanner.

M470

The M470 in factory configuration comes with a dual-core Pentium G4400 processor, 4 GB RAM (note that the RAM is ECC), and a 16 GB mSATA SSD. Networking consists of eight Gigabit Ethernet ports serviced by Intel i210 controllers. The only management interface is an RJ-45 console port accessible at 115200 bps. The BIOS is password-protected, but the factory password is known; it is WatchGuard! (note the capital W, the capital G, and the exclamation point at the end). The startup message says you need to press Esc or Del to get into the BIOS, but in our experience, Tab worked best.

We did a quick dive into our parts bin and came up with a couple of upgrades: a Xeon E3-1225 v5 processor and a 32 GB mSATA SSD. (Incidentally, the Xeon E3-1225 v5 is used in the M670, so that's how we knew there was a good chance it would work. The M570 runs on an i3-6100, so that's another possibility. Units that accept these processors tend to accept the i5-6500 and i7-6700 as well, so we would add those to the list of potential upgrades.)

We tried to boot the device from a USB stick, but didn't succeed (admittedly, we didn't try very hard, as we had already decided to upgrade the processor and the SSD, so we were getting inside the device no matter what). So we installed pfSense onto the upgrade SSD on another device and then planted the SSD with pfSense installed into the M470, replacing the stock SSD.

Upgrades were uneventful; the M470 started with the new processor, new SSD, and new operating system without any trouble.

Next, we had a small, but highly satisfying, task. Many WatchGuard devices have an Arm indicator light. With stock firmware, it lights up red on startup, then switches to green. pfSense has no control over this light out of the box, so it just stays red. However, a few years back, a crafty Netgate developer wrote a utility called WGXepc64 that lets you manage the Arm light and a few other things from within pfSense. Here's how it works.

Log in to the router over SSH or console. Change to /root if you're not there already:

cd /root

Download the WGXepc64 utility:

fetch https://github.com/stephenw10/WGXepc/raw/master/WGXepc64

Make it executable:

chmod +x WGXepc64

Go to the startup script location:

cd /usr/local/etc/rc.d

Open a script file for editing (we called ours z-greenlight.sh to tell pfSense to run it last):

vi ./z-greenlight.sh

Put these lines into the file:

/root/WGXepc64 -l green
/root/WGXepc64 -f 20

The first line switches the Arm LED to green. The second line sets the default fan speed to 20 (or any hexadecimal number between 00 and FF you put in; the default, set in BIOS, is 3C).

Save and exit. Then, make the script executable:

chmod +x ./z-greenlight.sh

Reboot to verify everything's working. After the bootup completes with a beep, the Arm LED should turn from red to green and fan speed should drop from the default 3C to 20.
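A hardened variant of the z-greenlight.sh startup script from the steps above, added here as an example (it is not from the original post or the WGXepc project). Because the binary is fetched from GitHub and then run as root on every boot, this version runs it only if its SHA-256 matches a digest you recorded after downloading it, and only with a two-digit hex fan speed. The WGX_SHA256 value is a placeholder, and the variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened z-greenlight.sh (not the original post's script).
# WGX_SHA256 is a placeholder: record the real digest yourself, after
# download, with: sha256 -q /root/WGXepc64
WGX_BIN="${WGX_BIN:-/root/WGXepc64}"
WGX_SHA256="${WGX_SHA256:-REPLACE_WITH_RECORDED_SHA256}"
FAN_SPEED="${FAN_SPEED:-20}"

# Print the SHA-256 of a file: sha256(1) on FreeBSD/pfSense,
# sha256sum(1) as a fallback elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d ' ' -f 1
    fi
}

# Succeed only if file $1 exists and its digest equals $2.
verify_pinned() {
    [ -f "$1" ] || return 1
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Succeed only for exactly two hex digits (00..FF), the range given above.
valid_fan_speed() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Fail closed: a missing, replaced or unpinned binary is never run as root.
apply_settings() {
    verify_pinned "$WGX_BIN" "$WGX_SHA256" || {
        echo "z-greenlight: $WGX_BIN missing or digest mismatch, skipping" >&2
        return 1
    }
    valid_fan_speed "$FAN_SPEED" || {
        echo "z-greenlight: invalid fan speed '$FAN_SPEED'" >&2
        return 1
    }
    "$WGX_BIN" -l green && "$WGX_BIN" -f "$FAN_SPEED"
}

apply_settings || true
```

If the Arm LED stays red after a reboot, check the console or system log for the z-greenlight message before re-pinning the digest.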

From the better late than never department

An earlier version of this page implied that it was possible to install pfSense on an M270 device. That turned out to be an incorrect assumption. The M270 is very different from its higher-up-the-line siblings. Specifically, it has an internal switch, and all of its Ethernet ports are connected to that switch. As a result, while installation of pfSense is absolutely possible, configuration of the networking is very much not (at least as of this writing). So the M270 is not a viable target for pfSense. We also checked whether OPNsense or OpenWrt would work, and no, they wouldn't. The pattern is the same: the OS installs just fine, but there's no way to configure networking.
