A WatchGuard Firebox M200 joins the home lab

Introduction

I had been running a SonicWall NSA 220 “for ages” in my home lab but after 5 years of non-stop service, it died on me. This was not good. The appliance provided both my home office and my lab environment with routing and firewall capabilities. Part of that setup is static and part of it is dynamic as for testing purposes lab environments are built and destroyed. So I needed to fix this asap.TL-DR: a WatchGuard Firebox M200 joins the home lab.

Workaround

I was looking at buying a pfSense dedicated appliance or a MikroTik router. It wanted to avoid my temporary workaround which was pfSense running in a virtual machine. That is great for temporary testing especially when you need to test various distros depending on the project. Integrating a dedicated appliance in the home lab does have some advantages. The drawback is that it does cost extra money to go get an appliance.

Dedicated appliance

With a dedicated appliance, I can isolate and protect my guest network, my home network as well as maintain a secured IoT segment. If the appliance is a VM I need to make sure it is always running. The appliance is also always ready to whenever I start up my home lab and work environment. Likewise, when I shut that all down the physical appliance still provides services for other needs.

A physical appliance also has the benefit of a small form factor, a 1U size which provides the ability to rack mount it. We need to keep the lab clean and well ventilated to prevent a fire hazard. A desk full of powered on devices is not the way to go.

Last but not least I find that getting some hands-on with the more popular brands these is always a good thing. While they all provide similar functionality and some are more capable than others, they all do have their own particular ways of doing things. This means that working with different appliances helps solve issues in real life as we encounter a variety of appliances out there.

A WatchGuard Firebox M200 joins the home lab

I was in luck, however. After talking shop on our way to some community events, a buddy who runs his own company provided me with some decommissioned WatchGuard hardware to use in the home office lab. I have tried to help him out with various small things over the years and what goes around came around. Thanks, buddy! You see, you don’t have to take dumpster diving to literally.

The M200 and AP 300 during initial configuration

I got a WatchGuard Firebox M200 and a WatchGuard AP300 to go with it. This meant I could rebuild the main firewall/router functionality in the home lab. These products have been replaced by newer editions (M270). They are still excellent products however and provide great functionality to test. In a lab environment, these are great to have around. As I work in environments that require enterprise-level functionality within SME budget this kit hits the mark.

Even with the licenses for the advanced features expired it packs a punch. I also found a way to upgrade the OS to the latest version (v12.4.1). The standard ways require an active license but there is an option that does not. It took me a while to find it but it works and it is legit.

The WAP, which I also upgraded to the latest firmware (2.0.0.11) provides Wi-Fi for a guest network and a corporate authenticated network in my default permanent lab setup. More SSIDs and networks can be configured when the need arises for testing various scenarios. Wi-Fi in all its forms plays an essential part in any environment with more mobile and flexible roles than ever before. More recently I was testing 802.1x port authentication for deployments in DevOps environments that leverage Hyper-V quite a lot. You might recall the fact that the Hyper-V switch supports 802.1x since Windows Server 2019 (LTSC 1809) and Windows 10 (1809 and above) which was very timely for the solution I needed to provide.

The fist and most essential configurations

I registered with another free dynamic DNS provider (http://freedns.afraid.org/about-us/) which the M200 on firmware 12.4.1 supports. The previous one I used to was not supported. That was easily done quickly. I don’t need this because “host” stuff at the home lab but mainly because that how I keep my dynamic IP updated in a place where I can grab it with some code to update VPN local gateway settings in Azure and other stuff like that.

The WatchGuard Firebox M200 is now the new core of the home network. I recreated all my VLANs and routes. While I am not yet done with everything, I do have BGP routing running between my lab Azure deployments and my on-premises home lab now. This testing out hybrid connectivity as well as high availability, failover, and transitive scenarios.

Checking my routed VPN to Azure BGP advertised routes

After making sure RDS Gateway was working I created a custom rule to have SMTP work with STARTTLS over 587 next to TLS over 465. But that was about it. Except for one special jump host in a DMZ. For this host, I added rules to enable TeamViewer to work. Which was kind of easy to do as we can specify FQDN names so no matter how many and changing IP addresses are used this helps deal with this. TeamViewer, for better or for worse, is used a lot, and once in a while, I need to test with it.

Configuring the WatchGuard Firebox M200 firewall ploicies

Conclusion

Now that I have the M200 & AP300 up and running the lab and home office are now again capable of simulating and testing business environment scenarios. This matters a lot while testing and learning because it helps me get a better grasp of all the pieces and parts that make up a design or solution. In my humble opinion, this has always been more helpful than pure paper-driven designs. My experimenting in the lab benefits myself, my employers and the community at large. Self-improvement and community contributions are by nature a win-win situation. So I am happy a WatchGuard Firebox M200 joins the home lab.

While I am at it I will upgrade my Azure VPN script from AzureRM to AZ. The reason is that I need to delete the Gateway when not testing as the minimal BGP capable VPN gateway SKU ( VpnGw1) is eating away at my limited Azure at home budget. This is still my main beef with cloud computing. Dumpster diving is a cost-effective CAPEX budget model. OPEX is not a personal budget-friendly model.  It is game over when that runs out.

8 thoughts on “A WatchGuard Firebox M200 joins the home lab

    • Withou an active license, you can only do it by going into maintenance mode and upgrading that way. However, it wipes the config. Restoring a backup only works to the same FW level. The best you can do en an export and an import of the config but this does not bring over certs etc. A bit of a shame but that is what it is. There are no NFR or community licenses that I have ever found.

  1. Ahh OK that makes sense, thank you.

    Thankfully I haven’t setup the WatchGuard box yet so losing anything that’s on their won’t be an issue. Thanks for your help!

  2. I recently acquired one of these units as a freebie. My only issue is that I want an open source OS (like OpenBSD for powerPC) on it. so far, I have found no way to replace the OS and I just don’t have the budget to support paying the company $379 a year for full functionality. are there any solutions?

  3. I have both an M200 and M400 in my homelab, and M270’s at work.
    What are the steps you took to boot into recovery mode to upgrade the firmware? I can boot into recovery mode by holding the reset button, but it never installs the image from the USB. I have the USB formatted FAT and I’ve tried numerous ways of presenting to sysa-dl and fxi file to the system. I’ve placed them in the root of the USB and I’ve tried different folders “/auto-restore/M400/auto-restore.fxi” and “/SerialNumber/Flash-images/M400.fxi”, but nothing seems to load.

    • I don’t use them anymore as the recovery mode upgrade started failing on me and I lost too much time getting it to work. That’s a pity as they are nice devices, but without any working basic free/community capabilities of at least being able to upgrade the firmware it could not remain in my lab for me to use and learn. I did reach out to them but never got any replies and I did not detect any interest in community support so, that is where it ended.

Leave a Reply, get the discussion going, share and learn with your peers.

This site uses Akismet to reduce spam. Learn how your comment data is processed.