T20/T25/T30 question

Just looking to confirm if the small SOHO-style T20/T25/T30/T35 firewalls are running the same firmware/consoles/management interface as the larger enterprise M390 versions.

Thinking of picking one up after configuring a few large units for a client so I can use it to segregate sandbox traffic.

Do these support multiple VLANs and multiple SSIDs if picking up a -w version?

I don’t need any licensed products, just a simple set of VLANs with subnets and basic deny/allow rules around layer 3.

Looking at eBay special prices under £50 which seem decent value for money.

Many thanks

I’d avoid the T30, they’re EOL and quite old. T25 is a current model (the low tabletop), its predecessors were 20, 15, 10. The 30, 35, 40 is the mid range (current is T45).

T15/35 is EOL next year.

They all have their own firmware (some have the same downloads), but you can’t update the firmware without a current feature key, or you can through the recovery process, then you need to re-enter the feature key during setup. If you don’t have a feature key (even expired) then it operates in single device mode.

Interface, GUI etc. all the same. -w denotes a WiFi unit, they all support multiple VLANs etc.

At the risk of waking an old thread, how would I get a feature key for a recently EOL device?
Is that even a possibility?
Or do WatchGuard go out of their way to stop EOL goods changing hands?

I’ve been given the offer of an old T30-W which had been factory reset.

Is this something I will be able to register and get beyond single MAC address mode?

Thanks

That’s the thing that is the most annoying about WG is they ran through hardware numbers so fast they now either need to find a new scheme or there will be the old T30 that’s EOL soon, or new T30 that’s brand new…

Well that and SSL VPN could use some better hardware acceleration.

Perfect, that’s the kind of response I love to see on here :+1:

I’m reasonably comfortable picking something up that only has a couple of months left before EOL, since I will be battering it for a couple of weeks building a new config, then it will pretty much be set and forget apart from any updates.

I’m deffo looking for one with WiFi so I can segregate all my TV and Camera crap away from meaningful networks.

Thanks gremlin!

Yeah, when I’ve checked on the support portal for what is EOL I can see I have to pay attention to older versions of the same model numbers etc.

Since you mentioned it in your post, T10/15 and T30/35 are on 12.5 still, not 12.10. They also can’t connect to WG Cloud (citation needed, but ours aren’t), but the Live Security license now does come with Dimension.

I know not much has changed, but semantics and technically not the same firmware, but only like a year off.

T25W and 45W are dual band WiFi 6, so if you need 2.4 and 5 GHz at the same time, grab one of those. T35W is okay, but I’d rather have a T25W. Just as powerful but newer, smaller, and lower power.

You can compare the specs and limitations of units here: Compare Appliances | WatchGuard Technologies

Personally I run separate WiFi, as I need more than one AP.

T35 can definitely connect to WG Cloud, but any device needs an active feature key to do so.

I get where you are coming from.

I have a small home lab setup consisting of a couple of servers, a couple of NAS devices, and a laptop which I work from, accessing the above via RDP / SSH / HTTPS, which I’m looking to tuck behind a physical firewall device.

I’m happy to leave TV/speakers/cameras etc. on the ISP-provided router with basic WiFi, which is enough. I’m looking to patch in something small footprint like the T35-W which can provide me some basic block rules, something similar to:

  1. Block everything sourced in ISP LAN / internet from accessing protected network (behind Firebox)
  2. Have 3-4 VLANs and subnets defined for splitting up servers, storage and end user devices, with associated rules blocking cross-VLAN traffic for specific devices.
  3. Allow a couple of end user devices out to the internet.
  4. Block everything else behind Firebox going out to ISP LAN / Internet.
  5. There is a remote chance that if VPN works without feature key required, that I would use this for remote access, but this is NOT in any way a requirement.

I spotted a couple of your posts on other WatchGuard threads which made me question if I’m getting an eBay unit which has been factory reset, assuming no feature keys listed (even expired ones) then this would be in “single device mode”.

Would “single device mode” prevent me from applying the above?

I only have 1 WAN link so any limitations around limiting to a single uplink wouldn’t be a concern.

ADDED:

Also, I’m making wild assumptions that this can be managed in a standalone manner without any dependency on cloud portals. I actively want to avoid cloud management, so there is no issue with it not having any cloud connectivity.

Yeah, I checked again and looked harder. We have Dimension Command, but not Dimension Basic. Not a huge deal and they’ll probably be replaced in a couple years.

Main benefit we get from Cloud is scheduled updates so not a big problem.

SSL VPN works without a feature key. Fireboxes can work without connectivity to the cloud (excluding the FireboxV of course), newer gen APs can only be configured through the cloud, so obviously they need a subscription.

Single device mode is only one device in the network can talk through the WG to Internet etc. You simply don’t want that scenario. Even plugging in its expired key will unblock that.

You can write rules, blocks, routing between VLANs (think of it like a fancy Mikrotik), you just can’t use any of the smarts, i.e., subscription services for threat scanning, packet inspection etc. without an active feature key. That’s really where most of the cost of the WG is… The services.

Firebox V doesn’t need cloud access.