pfSense on Watchguard Firebox x5000

It’s been a while since I played around with firewalls. I picked up a really cheap Watchguard Firebox x5000 Peak on eBay and could not resist taking the Peak platform for a spin with pfSense. I’ve heard good things about the power of the “Peak” platform, even though the x5000 is an older generation than the typical x550/x750s I’ve been playing with.

Unlike the x500, which comes with only 10/100 Realtek (problematic) interfaces, the x5000 is equipped with 3x 10/100/1000 NICs and 8x 10/100 NICs, all by Intel.

This box also comes with a second COM port at the rear of the unit, though it serves no real purpose when running pfSense as all output is defaulted to COM1.

This firewall is actually just slightly shallower than the x750e series boxes. The x750 firewall is just a bit too deep for wall mount racks and required a right-angle power cable in order to fit. The x5000 is about an inch shorter.

Taking the cover off exposes all the various components of this box. The Intel NIC chips are clearly visible.

The “Peak” comes with 512MB of RAM standard. Unfortunately I could not locate any more DDR RAM to upgrade it, so for now I will stick with the stock amount. I used to have tons of original DDR RAM modules, but got rid of them thinking I’m never gonna need them again.

Just like most other boxes, this one comes with a 128MB Compact Flash card. And just like most of the other boxes, the IDE port is available for additional internal storage.

I wanted to take a quick peek at the CPU, specifically to see what the stock CPU is. What I discovered was quite shocking. First of all, I had a problem getting the heatsink off the CPU. I ended up tearing the heatsink and CPU directly from the ZIF socket. Closer examination revealed the cause of the problem. The amount of heat paste on this thing is insane. The gap between the heatsink and CPU was at least a couple of millimeters. It was everywhere. Someone really went to town on this sucker.

It took me almost 30 minutes to clean the CPU, heatsink and motherboard from all the thermal compound. I used plenty of rubbing alcohol and tons of cloths to get everything cleaned. Everything was completely covered with the goop.

The CPU could finally be identified: Intel Pentium 4 2.8GHz SL6PF. Not the most energy efficient CPU, quite the opposite. This firewall definitely sucks down a lot of juice. It’s actually a pretty fast CPU for the task. With firewalls, raw speed matters most when dealing with latency. This one has plenty of speed.

Loading pfSense on this firewall is incredibly easy. There’s no BIOS flashing required. It boots pfSense from a 2GB CF card without any problems at all. Unlike the x500 firewall, which has Realtek NICs and randomly stops responding, the Intel NICs are bulletproof.

Once I got the firewall configured, it was time to do some throughput testing. I was expecting the speeds to be sub-par simply because both the 1000Mbit and 100Mbit interfaces are all on the PCI bus. PCIe did not exist in the P4 era.

The interfaces on pfSense are identified as follows.
em0-em2 = 10/100/1000 NICs
fxp0-fxp6 = 10/100 NICs

Interestingly enough, the 8th 10/100 NIC does not appear in the list of devices. Not sure if this is due to a pfSense limitation or a problem with the port itself.

On with the testing. The test was performed by copying an 8GB file between two machines. Both machines stored the file on an SSD to eliminate the disk as the bottleneck. The test was performed 3 times for each direction and the values were averaged over the test.

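| Source Interface | Destination Interface | Transfer Speed | CPU Usage |
|------------------|-----------------------|----------------|-----------|
| fxp0             | em0                   | 10.3 MB/s      | 20%       |
| em0              | fxp0                  | 11.5 MB/s      | 21%       |
| em0              | em1                   | 42.8 MB/s      | 41%       |
| em1              | em0                   | 97.8 MB/s      | 100% *    |
| fxp0             | fxp1                  | 11.5 MB/s      | 27%       |
| fxp1             | fxp0                  | 11.5 MB/s      | 27%       |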

* pfSense UI interface stopped responding during the transfer.

Once again it’s been shown that the bottleneck is the PCI interface. With a maximum theoretical speed of 133 MB/s shared across the PCI bus, the firewall will never be able to attain faster combined throughput than roughly 100 MB/s. This is not terrible though for a small network, as that kind of saturation is rather rare. What I can’t explain is why pfSense shows different max speeds depending on the direction of data. This technically shouldn’t make a difference. I saw the same thing happen when benchmarking the x550e firewalls.

In the end, this is actually a pretty sweet box for what it costs nowadays. Even with “only” 512MB of RAM it’d be sufficient to run a small rack. However, I do not recommend it for office use. The fans run at 100% speed all the time and are fairly loud; I haven’t found a way to throttle the fans other than replacing them with something quieter. The box, running pfSense, draws about 52W at idle and almost 100W under load.

4 Replies to “pfSense on Watchguard Firebox x5000”

  1. Nice write up.

    You sure your performance numbers are correct? If those are truly on a single PCI bus, your achievable throughput will actually only be about 50 MB/sec at best – that’s 50 MB/sec in one NIC and 50 MB/sec out the other NIC, where you’ll hit the achievable ~100 MB/sec of the bus. It’s also a bit suspect that em1 to em0 is more than twice as fast as em0 to em1, and the latter didn’t come close to maxing out the CPU. I’m not all that familiar with the Watchguard stuff, but I’ve performance tested a slew of hardware and never seen anything that got different performance from NIC1 to NIC2 than from NIC2 to NIC1. It’s best to use something like iperf to test performance, since that eliminates factors like disk performance that can be extremely variable from the equation.

  2. Hey, nice write up indeed.
    Only just spotted your blog but thought I’d add this.
    If you look at the em NICs you’ll see that they are comprised of a single gigabit NIC chip and a dual Gigabit NIC chip. These may not perform equally.
    The chipset used has an option for a dedicated bus for Intel NICs. It’s probably this that allows it to perform so far above expectation.

    Steve

  3. I have the same hardware and plan to convert it to a pfSense box.
    But correct me if I am wrong but there are only 7 10/100 ports on the unit so the 8th port doesn’t exist!?
    If you don’t mean the mini PCI card slot if fitted with an ethernet adapter.
