Watchguard T70 and OPNsense questions

[LaForge]

I have just signed up to this forum and have some questions regarding my T70 box. But first, I have a couple of questions about the OPNsense forum:

1. Why does searching for "OpenSense" get you the netgate form which is for the pfSense product? I then get an admin telling me that I am "unlikely to find much love for OPNSense here on the pfSense forum". The why are they subverting the search results to exploit what must be a common mis-spelling?

2. Why did I have to look for a link in small print at the bottom of the OPNsense website to find this forum?

So now on to the T70. I acquired one a couple of weeks back running OpenWRT and its now my Broadband router. Recently I got another cheaply as a backup and it was suggested to me that I could try running OPNsense on it. I have purchased an additional mSata disk to create the install but need some instructions. I would also like to know how OPNsense and OpenWRT differ from one another and why installing OPNsense might be an advantage? I won't ask any questions about pfSense as I suspect the above feeling might be mutual....

I would also be interested to know whether OPNsense has solved the problem with the 5-port switch, or whether that still requires the resistor mod?
I asked over on OpenWRT and it seems that developers have moved on and there will be no further development there so possibly the same here, but presumably it can't hurt to ask.

[nero355]

1. Why does searching for "OpenSense" get you the netgate form which is for the pfSense product?
I then get an admin telling me that I am "unlikely to find much love for OPNSense here on the pfSense forum". The why are they subverting the search results to exploit what must be a common mis-spelling?

OpenSense != OPNsense

So dunno...

2. Why did I have to look for a link in small print at the bottom of the OPNsense website to find this forum?

https://opnsense.org/ => Be Involved => OPNsense forum => DONE! ;)

[nero355]

I have purchased an additional mSata disk to create the install but need some instructions.

https://docs.opnsense.org/ is all you need IMHO :)

I would also like to know how OPNsense and OpenWRT differ from one another and why installing OPNsense might be an advantage?

OpenWRT = Linux based
OPNsense = FreeBSD based


IMHO you should consider which one to use based on :

- The type of WAN Connection
If you need good PPPoE speeds with Low End Hardware then Linux based stuff might be the better choice !!

- Which of the two is better maintained for your hardware.
OpenWRT usually has a huge "Android Custom ROM vibe" and by that I mean that if the person maintaining the OpenWRT port for a certain device decides he no longer has the time/will/interest or simply enough spare time to do it, then you are out of luck for future updates/upgrades and thus security patches.

OPNsense however simply has releases for x86-64 hardware that are released on a regular basis and that's all you need most of the time.
_{(Most of the time = ZenArmor/Suricata/all that other weird stuff from certain repos is not included and a whole different story...)}

There is also a AArch64 port made by a 3rd party : https://forum.opnsense.org/index.php?topic=35828.0
Current last release : https://forum.opnsense.org/index.php?topic=35828.msg267203#msg267203

[patient0]

Searching the forum, someone installed OPNsense on it some time ago : https://forum.opnsense.org/index.php?topic=29602

[LaForge]

1. Why does searching for "OpenSense" get you the netgate form which is for the pfSense product?
I then get an admin telling me that I am "unlikely to find much love for OPNSense here on the pfSense forum". The why are they subverting the search results to exploit what must be a common mis-spelling?

OpenSense != OPNsense

So dunno...

2. Why did I have to look for a link in small print at the bottom of the OPNsense website to find this forum?

https://opnsense.org/ => Be Involved => OPNsense forum => DONE! ;)

The phrase "Get involved" doesn't say to me Forum. I did see that and puzzled over it but didn't click it because I thought it was related to getting involved with supporting projects. Not that I necessarily object, but it wasn't what I was looking for, i.e a discussion forum.

OpenWRT usually has a huge "Android Custom ROM vibe" and by that I mean that if the person maintaining the OpenWRT port for a certain device decides he no longer has the time/will/interest or simply enough spare time to do it, then you are out of luck for future updates/upgrades and thus security patches.

OPNsense however simply has releases for x86-64 hardware that are released on a regular basis and that's all you need most of the time.

That is a really important point. I am not sure whether what came on the T70 that had OpenWRT pre-installed was custom or generic firmware. A number of these boxes have turned up on the market recently due to expired support and they seem more than good enough for home broadband, certainly as an interim solution.

Searching the forum, someone installed OPNsense on it some time ago : https://forum.opnsense.org/index.php?topic=29602

,
Thanks. That is helpful.

[Nullman]

1. Why does searching for "OpenSense" get you the netgate form which is for the pfSense product?

Its because you are using garbage search engine.

I then get an admin telling me that I am "unlikely to find much love for OPNSense here on the pfSense forum".

You should know better. You never go to competitor forum and ask for help there. It doesnt matter if its a firewall, car, refrigerator or toaster.

The why are they subverting the search results to exploit what must be a common mis-spelling?

They dont. Its the trash search engine you are using. And you are probably logged into your google account while you are searching, so those search results are product of data collection and your poor security and privacy practices.

2. Why did I have to look for a link in small print at the bottom of the OPNsense website to find this forum?

Such a minor thing to complain about. A simple ecosia search for "OpenSense" would get you here right away. It will also display youtube videos from reputable people that can answer majority of questions you asked here.

So now on to the T70. I acquired one a couple of weeks back running OpenWRT and its now my Broadband router. Recently I got another cheaply as a backup and it was suggested to me that I could try running OPNsense on it. I have purchased an additional mSata disk to create the install but need some instructions. I would also like to know how OPNsense and OpenWRT differ from one another and why installing OPNsense might be an advantage? I won't ask any questions about pfSense as I suspect the above feeling might be mutual....

You need to do the research of your own before starting threads like this. There are tons of youtube videos and there is even AI that can explain these things to you. Dont be lazy is the best advice i can give you at this point.

I asked over on OpenWRT and it seems that developers have moved on and there will be no further development there so possibly the same here, but presumably it can't hurt to ask.

You are all over the place with your questions.  And im not trying to be mean and hostile.

[LaForge]

Sadly this is the only forum out of the three where I have been made to feel unwelcome.

I thought that being re-directed to a competitor forum due to the omission of the 'e' in the product name might be of interest and concern.

I also thought that some feedback about the "low profile" perception of the forum on the main OPNsense website might also be of some interest to the admins. It can, of course, be found, but not very obvious like on most websites where its usually a link from the top of the page or its menu.

If one cannot ask questions, then what's the point of having a forum?

Still, I do take your point about the videos. I didn't find 'tons' but a handful and will review a couple that look relevant so thanks for that.

[Monviech (Cedrik)]

This forum is for general discussions, and this is a general discussion. The responses here kinda scraped into Ad-hominem territory, which should not be the standard here.

Please keep it friendly to newcomers (@Nullman), not responding when there is nothing nice to say can also be a choice.

[Nullman]

Please keep it friendly to newcomers (@Nullman), not responding when there is nothing nice to say can also be a choice.

I will. Its not my intention to make anyone feel unwelcome. Its tough love. I want to help him get the answer he needs instead of not getting anything at all.

[LaForge]

Ok, so I am a bit hesitant to ask this now, but here goes....

I have reviewed 3 installation guides:

The official OPNsense one:

https://docs.opnsense.org/manual/install.html

The one linked earlier:

https://forum.opnsense.org/index.php?topic=29602.0

And this one on Reddit:

https://www.reddit.com/r/homelab/comments/1sxkq33/i_wanted_an_opnsense_firewall_in_2026_firebox_t70/

The first and official one I least understand, perhaps because it is specifically targeted for OPNsense appliances. The second one is similar but simplified and that one I do get. From my reading of the first two sources, it seems that for some reason it is necessary to create a medium twice. The first one talks about downloading, unpacking and copying the install image onto a USB stick. The second one does something similar but requires an SSD drive to be connected to the T70 instead. The third one seems to take a different approach and suggests installing "OPNsense from another machine onto the mSATA". He doesn't specify what "other machine" he used, but does that mean it possible to use my PC to install OPNsense directly onto to the mSata? I will need to check whether I have a means to separately power an SSD drive, so possibly booting from the USB stick will be the way forward. The next steps seems to be figuring out whether I can get into the BIOS and boot from the USB and download the appropriate image and associate files for verification.

To this end I also need to confirm which image I should download and use - the serial or the nano image? Both use the console port which is necessary here since the T70 has no VGA port.

Also I am curious about the extra verification step using OpenSSL? I have not seen this until now. Usually comparing the SHA256 hash is sufficient enough to confirm whether the file has been corrupted or altered in any way. Is that no longer the case?

[Nullman]

Ok, so I am a bit hesitant to ask this now, but here goes....

You are overreacting now. Relax. No one is going to bite your head off.

I have reviewed 3 installation guides:

The official OPNsense one:

https://docs.opnsense.org/manual/install.html

The one linked earlier:

https://forum.opnsense.org/index.php?topic=29602.0

And this one on Reddit:

https://www.reddit.com/r/homelab/comments/1sxkq33/i_wanted_an_opnsense_firewall_in_2026_firebox_t70/

You need to follow instructions on the second link.

From my reading of the first two sources, it seems that for some reason it is necessary to create a medium twice. The first one talks about downloading, unpacking and copying the install image onto a USB stick. The second one does something similar but requires an SSD drive to be connected to the T70 instead.

It doesnt say you need to create media twice. You do it once, but instead of writing opnsense installation image to USB flash drive, you write it to a temporary SSD or HDD. The reason you have to do it like this is because your device can not boot from USB media. So the only way around that is to use another (temporary) HDD or SSD. That temporary drive needs to be connected to another computer that has Windows installed. Once you connect it there, download HDD Raw Copy and opnsense serial installation image. Use HDD Raw Copy to write opnsense image to your attached temporary drive. Once complete, power off your system, disconnect the drive, connect it to your Watchguard device, select it as a primary boot device in bios, and reboot. Your Watchguard will reboot and start opnsense installation process and allow you to install opnsense on Watchguard primary storage. Once the installation is completed, remove the temporary drive and you are done.

The third one seems to take a different approach and suggests installing "OPNsense from another machine onto the mSATA". He doesn't specify what "other machine" he used, but does that mean it possible to use my PC to install OPNsense directly onto to the mSata?

Do not follow these instructions. There is so much to go wrong there.

I will need to check whether I have a means to separately power an SSD drive, so possibly booting from the USB stick will be the way forward. The next steps seems to be figuring out whether I can get into the BIOS and boot from the USB and download the appropriate image and associate files for verification.

You cant do that on Watchguard. This is why these non standard installation instructions exist in a first place. It would the same if you were installing OpenWRT. Or pretty much any operating system that is not from Watchguard.

To this end I also need to confirm which image I should download and use

Download serial image because your Wtchguard has no VGA/HDMI/dP output. Console navigation is your only way.

Also I am curious about the extra verification step using OpenSSL? I have not seen this until now. Usually comparing the SHA256 hash is sufficient enough to confirm whether the file has been corrupted or altered in any way. Is that no longer the case?

If you are downloading from official repository and you have stable internet connection, you can skip this part.

[LaForge]

Thank you for the detailed reply. That's starting to make sense now. I was unaware that it was not possible to boot from USB on the Watchguard. I imagine its not a feature provided in its BIOS. That would explain why the author of the second link used an SSD. Fortunately I do have a couple of spare SSD drives. I have also now dug out the power adapter I have for powering SSD drives so should be good to go once I get the mSata drives.

[Nullman]

Thank you for the detailed reply. That's starting to make sense now. I was unaware that it was not possible to boot from USB on the Watchguard. I imagine its not a feature provided in its BIOS. That would explain why the author of the second link used an SSD. Fortunately I do have a couple of spare SSD drives. I have also now dug out the power adaptor I have for powering SSD drives so should be good to go.

They say its a security feature, and i understand that, but i think the real reason behind it is to make it harder to repurpose the device once its EOL. There is a custom bios for higher end Watchguard devices that restore USB boot functionality. Not sure if there is a version for T70. Search for it on github.

[Monviech (Cedrik)]

Thank you both for finding common ground :)