Your BIOS screenshot shows 3.50.0.9-18 with a date of 04/13/2022. Was that before or after your BIOS update? If that's the after version, then what package did you use to update? I have a minor network issue that I'd like to fix.
Dell VEP/VMWare Edge/Velo Cloud SD-WAN/VeraCloud VEP1400/VEP1400-X firewall units
- Thread starter j_h_o
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Definitely the screenshot was took after BIOS update.
Checking my downloads I've only found some old archives, and the last I have is VEP1400-X-BIOS-3.48.0.9-19_ufw.2.3_External.zip
Quite odd, since I do not remember downloading and/or installing any other firmware.
No idea where this 3.50.0.9-18 came from, sorry.
Erm, ok.... somewhere on this board is a 128GB SSD.... I finally found it in BIOS after the DIAG-OS dmesg showed it to me.... now to figure out how I can actually use it... seems the BIOS still wants to boot the eMMC.
Edit to add: Got it working. Got pfsense CE installed. And can't get QAT working because new ID. Bleh. So much for free pfPlus. But I'm not gonna go there.
Edit to add: Got it working. Got pfsense CE installed. And can't get QAT working because new ID. Bleh. So much for free pfPlus. But I'm not gonna go there.
Last edited:
Looks like you got the newer 620 without Wi-Fi. It's the Wi-Fi module that uses mini PCIe. There's some 680 photos here. The m.2 SATA SSD is on the other side next to the backup battery.
The missing connectors are fine-pitch, but they could be added. The question is whether there's any other required components that were omitted. We could compare close-up photos. I'm guessing that most people aren't going to risk soldering. If it's any consolation, the PCIe is only x1, so similar speed to the SATA. You can upsize the m.2 SATA. If you go longer than 2242, you'll need to stay single-sided or grind down the 2242 post for clearance. You'll find lots of deals (< $25) on name-brand 512GB. Anything larger comes at a premium. Realistically, unless you want a media/file server, the existing SSD should be adequate?
Last edited:
Since the existing 2242 post cannot be easily removed, you'll either need to stick to a single-sided m.2 SATA SSD or grind down the 2242 post. They make NVMe carrier boards, but I couldn't find one keyed for SATA.
I used a drill press so I wouldn't slip. I also put down a bib of plastic wrap to catch the shavings. Rather scary procedure, but I'd already purchased double-sided SSDs. The modified 2242 post can still be used. You'd just need a spacer and a longer screw.
Mystery solved. Historically, the Dell packages started with 3.48. The bundled BIOS inside can start with either 3.48 or 3.50 and may depend on the model. It's only the final number that matters. The latest available is 3.50.0.9-20 (640) or 3.48.0.9-22 (680) which is bundled with VEP1400_UFW2.5_External.zip. There are obviously different BIOS images inside. This indicates a compatibility check of some sort. The build date is the same. The build time is within 1 hour.
Last edited:
At some point I'm going to do a detailed write-up of my experiences. Here are a few more tidbits.
There are definitely 2 BIOS slots. The update tools will only touch slot 1. There's probably some secret option to use slot 2. You're not going to brick these units.
If you remove the cover, there are 2 tiny pushbuttons between the power and Ethernet jacks. Other posts have suggested these have magical properties that can disable the watchdog and/or enable missing Ethernet ports. I think they just force a reboot from the corresponding BIOS slot.
I lost the I350 Ethernet ports after upgrading the BIOS. They were no longer displayed in lspci outside of OS-Diag. That's when I started playing with the tiny pushbuttons. No combination I tried would bring back the I350 ports-- at least not with the newer BIOS. I then held the real reset button until 'Factory Reset' came over the console. That did restore all the ports. I think some of the previous BIOS initialization has been offloaded to DXE, and before the factory reset, DXE did not have a profile defined.
However, after the factory reset, DXE also noticed that I had removed the mini PCIe Wi-Fi module. DXE would reboot multiple times with the primary BIOS and then repeat with the second BIOS. DXE would finally give up and boot from the second BIOS. That did not help me since the old BIOS has an SR-IOV bug that I was hoping to fix. I had swapped the Wi-Fi module for a 1TB NVMe SSD with Proxmox installed and working nicely. Boot had never complained previously.
I figured I had 2 options. Either put the Wi-Fi module back and move my NVMe to USB 3.0, or see if DXE would disappear if I went back to really old BIOS with the SR-IOV bug. Not liking either choice, I started poking around in the Diag-OS. There's an eepromtool where I could have changed the device and/or serial number. Maybe try to fake a model without Wi-Fi. I decided this was too risky. There's also an nvramtool. I found that setting 0x54 to 0 (disable POST) solved my problem. DXE has relented and lets the unit boot (first time) with the 'critical' Wi-Fi module missing. The memory tests still run on boot.
At some point after updating the BIOS (many times), the default password (<service tag>!) was not accepted. I still had full privileges as 'User' rather than 'Administrator'. I found that 'Restore Defaults' in the BIOS also resynced the password.
So, there's a happy ending, but there were multiple times where I wanted to cry.
There are definitely 2 BIOS slots. The update tools will only touch slot 1. There's probably some secret option to use slot 2. You're not going to brick these units.
If you remove the cover, there are 2 tiny pushbuttons between the power and Ethernet jacks. Other posts have suggested these have magical properties that can disable the watchdog and/or enable missing Ethernet ports. I think they just force a reboot from the corresponding BIOS slot.
I lost the I350 Ethernet ports after upgrading the BIOS. They were no longer displayed in lspci outside of OS-Diag. That's when I started playing with the tiny pushbuttons. No combination I tried would bring back the I350 ports-- at least not with the newer BIOS. I then held the real reset button until 'Factory Reset' came over the console. That did restore all the ports. I think some of the previous BIOS initialization has been offloaded to DXE, and before the factory reset, DXE did not have a profile defined.
However, after the factory reset, DXE also noticed that I had removed the mini PCIe Wi-Fi module. DXE would reboot multiple times with the primary BIOS and then repeat with the second BIOS. DXE would finally give up and boot from the second BIOS. That did not help me since the old BIOS has an SR-IOV bug that I was hoping to fix. I had swapped the Wi-Fi module for a 1TB NVMe SSD with Proxmox installed and working nicely. Boot had never complained previously.
I figured I had 2 options. Either put the Wi-Fi module back and move my NVMe to USB 3.0, or see if DXE would disappear if I went back to really old BIOS with the SR-IOV bug. Not liking either choice, I started poking around in the Diag-OS. There's an eepromtool where I could have changed the device and/or serial number. Maybe try to fake a model without Wi-Fi. I decided this was too risky. There's also an nvramtool. I found that setting 0x54 to 0 (disable POST) solved my problem. DXE has relented and lets the unit boot (first time) with the 'critical' Wi-Fi module missing. The memory tests still run on boot.
At some point after updating the BIOS (many times), the default password (<service tag>!) was not accepted. I still had full privileges as 'User' rather than 'Administrator'. I found that 'Restore Defaults' in the BIOS also resynced the password.
So, there's a happy ending, but there were multiple times where I wanted to cry.
Last edited:
My current test system is Debian 12 (Proxmox install). ls /dev shows the following:
Code:
i2c-0
i2c-1
i2c-2
i2c-3
i2c-4
i2c-5I installed i2c-tools. Using the register data found in default_led_list.xml, I attempted the following:
Code:
[root@edge680 /]$ i2cset 1 0x20 0 0 0 0 i
WARNING! This program can confuse your I2C bus, cause data loss and worse!
I will write to device file /dev/i2c-1, chip address 0x20,
data address 0x00, data 0x00 0x00 0x00, mode i2c block.
Continue? [Y/n] y
Error: Write failedUPDATE:
To control the front LED, use
Code:
i2cset -y 0 32 <red> <green> <blue> i
i2cget -y 0 32 0 i 3
Last edited:
Hey guys, hate to jump in so late here. I've been running a VeloCloud 5X0 for a year or two running pfsense and it's been solid. I saw some ebay listings for some dell/vmware 610 units and I'm curious if you guys got past the watchdog and CSM and NIC configuration issues. I'm seeing something about little buttons/jumpers next to the physical network ports inside the unit to change configuration "presets"? If the 610 isn't worth my time, maybe the 620 will be? These look like really nice options for a small firewall which is exactly what I need.
I found this on the VMware website. It should give you some idea of where things are headed.
Code:
Edge Model End of Sale End of Support/End of Life
VMware SD-WAN Edge 500-N 12/10/2016 12/10/2021
VMware SD-WAN Edge 510 Wi-Fi 08/01/2024 08/01/2029
VMware SD-WAN Edge 510N 08/01/2024 08/01/2029
VMware SD-WAN Edge 520 03/25/2021 03/25/2027
VMware SD-WAN Edge 520v 03/25/2021 03/25/2027
VMware SD-WAN Edge 540 03/25/2021 03/25/2027
VMware SD-WAN Edge 610 Wi-Fi 08/01/2024 08/01/2029
VMware SD-WAN Edge 610N 08/01/2024 08/01/2029
VMware SD-WAN Edge 640 Wi-Fi 07/29/2022 07/29/2027
VMware SD-WAN Edge 680 Wi-Fi 07/29/2022 07/29/2027
VMware SD-WAN Edge 840 09/29/2020 09/29/2025
VMware SD-WAN Edge 1000 07/16/2017 07/16/2022
VMware SD-WAN Edge 2000 08/17/2020 08/17/2025I can find recent (Sept 2023) firmware for the 620/640/680, but the 610 seems to be absent-- despite the later EOL.
If you look at the retail pricing for these devices, there's either a huge ($1000s) one-time purchase or a 'lease' option. I'm guessing that the eBay sales are rental units. Maybe the companies went broke and never returned the units. Maybe Dell/VMware don't ask for them back. I've scored lots of great deals on eBay, but we're talking 3-5% of retail on units that are just a few years old. Not that they're worth retail!
I don't personally own a 620, but it uses the same firmware as the 640/680. I think the 640 is the sweet spot. You get 32GB of DDR4/ECC RAM which is a huge step up. I saw a lot more 640s last year.
Pass on the 610. Consider the bigger brothers. There are also lots of other compact boxes showing up on AliExpress and Amazon. They typically have newer processors, multiple m.2 slots, USB 3+, serial ports, video, and sometimes even GPIO.
Thank you for the info! I just placed an order on a 620 unit. There were just a couple left on eBay so I guess these are in hot demand for one reason or another.
Did you all end up getting all the NICs to work in pfsense or opnsense? I’m pretty sure I read that the watchdog can be turned off by loading the dell VEP firmware on it through Diag OS. I’m happy to run proxmox or esxi on here if that’s the only way to pass the NICs through. Also I’m having trouble understanding if this is considered a 1440-X unit or just a 1440. I don’t want to accidentally load the wrong bios image on the 620.
Once I receive my unit and get it all set up I can make a detailed write up for anyone in the future.
The 620 shares the same firmware with 640/680. You're good.
Here's how I would proceed:
1) Create a USB drive with a live Linux distribution like Finnix. This will allow you to poke around the internal file systems. You will want to add console=ttyS0,115200 to grub.cfg.
2) Create a USB install from Dell Diagnostics OS V3.43.3.81-27 for VEP1400-X Switch.
3) Copy the vep1400x_ufw_2.5 file from VEP1400_UFW2.5_External.zip to one of your USB drives.
4) Apply power [12V 5A 5.5mm x 2.1mm (2.5mm for 680)]. You can manage with less than 5A. I haven't tested to see how low.
5) Connect a micro USB cable to the back of the unit and open a terminal (PuTTY) on the corresponding port.
6) Momentarily press reset. After the memory tests, press [Delete] to enter the BIOS and select your USB drive as boot.
7) Install Diag OS to the eMMC. If this fails, use your live Linux to remove any existing partitions from the eMMC and/or SATA. You may also want to create a USB drive with Diag OS. That way you could use the (tiny) 16GB eMMC for something else.
8) Run ./vep1400x_ufw_2.5 interactive from within Diag OS (root/calvin). Updating the CPLD or PIC requires a reboot. New BIOS will take a long time to 'initialize'. Not to worry.
9) Once BIOS/CPLD/PIC have been updated, press and hold the external reset button until you see Factory Reset on the console. Not sure this is actually necessary. Instead, you may need to press/hold the button inside closest to the power jack. Something triggers DXE which is what initializes all 8 network ports.
10) Reenter the BIOS (password <service tag>! ) and tweak settings. I just disabled most of the fancy stuff. You can remove the password by changing to blank.
You now have a fairly standard x86 box with no display. You may have to install your target OS to external media and then copy the image. I did that with OpenWrt. I think the easiest solution is to swap the Wi-Fi module (assuming you have one) with an NVMe. You can then install to the NVMe using a PC.
Here's how I would proceed:
1) Create a USB drive with a live Linux distribution like Finnix. This will allow you to poke around the internal file systems. You will want to add console=ttyS0,115200 to grub.cfg.
2) Create a USB install from Dell Diagnostics OS V3.43.3.81-27 for VEP1400-X Switch.
3) Copy the vep1400x_ufw_2.5 file from VEP1400_UFW2.5_External.zip to one of your USB drives.
4) Apply power [12V 5A 5.5mm x 2.1mm (2.5mm for 680)]. You can manage with less than 5A. I haven't tested to see how low.
5) Connect a micro USB cable to the back of the unit and open a terminal (PuTTY) on the corresponding port.
6) Momentarily press reset. After the memory tests, press [Delete] to enter the BIOS and select your USB drive as boot.
7) Install Diag OS to the eMMC. If this fails, use your live Linux to remove any existing partitions from the eMMC and/or SATA. You may also want to create a USB drive with Diag OS. That way you could use the (tiny) 16GB eMMC for something else.
8) Run ./vep1400x_ufw_2.5 interactive from within Diag OS (root/calvin). Updating the CPLD or PIC requires a reboot. New BIOS will take a long time to 'initialize'. Not to worry.
9) Once BIOS/CPLD/PIC have been updated, press and hold the external reset button until you see Factory Reset on the console. Not sure this is actually necessary. Instead, you may need to press/hold the button inside closest to the power jack. Something triggers DXE which is what initializes all 8 network ports.
10) Reenter the BIOS (password <service tag>! ) and tweak settings. I just disabled most of the fancy stuff. You can remove the password by changing to blank.
You now have a fairly standard x86 box with no display. You may have to install your target OS to external media and then copy the image. I did that with OpenWrt. I think the easiest solution is to swap the Wi-Fi module (assuming you have one) with an NVMe. You can then install to the NVMe using a PC.
Last edited:
I basically did all those same steps as listed, had to do the DiagOS install to eMMC so I could boot into that and do the firmware update.
Did the pfsense install using the serial memstick image, its default settings dump out to ttyS0 at 115,200, so didn't even have to change speeds during the bootup. And yes, I'm able to use all 8 interfaces, although only using the two SFP+ ports and one of the X553 1G ports.
Did the pfsense install using the serial memstick image, its default settings dump out to ttyS0 at 115,200, so didn't even have to change speeds during the bootup. And yes, I'm able to use all 8 interfaces, although only using the two SFP+ ports and one of the X553 1G ports.
Ok so question, is a 620 or 640 "worth getting". It sounds like most of the issues are figured out and all ports can work? It also sounds like people have had levels of luck with pfsense, opnsense, and proxmox.
Does anyone have actual power numbers for a 620 or 640? The manual I found said to expect 20w for 620 and 30w for 640 "typical".
How would that CPU do at doing NAT and firewall for 2Gb internet?
Does anyone have actual power numbers for a 620 or 640? The manual I found said to expect 20w for 620 and 30w for 640 "typical".
How would that CPU do at doing NAT and firewall for 2Gb internet?
I've got a 640 with the Wi-Fi module removed and an NVMe drive in its place. Idle power is 12V 1.2A on a lab power supply. That's 15W minimum. When I power via a 12V 4A 'medical grade' adapter, my generic Chinese power meter shows 17W. I'd have to stage some tests to find the maximum.
From what I've read, it's difficult to get a router/firewall to utilize multiple cores. There's probably little benefit moving from 4 to 8 cores, but the 640 comes with 8x more RAM and 2x SATA disk. It's worth the small premium.
These benchmarks look a little suspect. Probably because of low sample count. The C3958 numbers are obviously wrong. The C3558 (620) and C3758 (640) numbers seem reasonable. Figure a Passmark of 850 single core which is pretty low by today's standards. Since there's no throttling(?)/boost, I assume the TDP numbers imply all cores active. You'll never come close.
Since some newer units come without Wi-Fi/BT (and the mini PCIe socket), prospective buyers need to look closely at the model numbers.
From what I've read, it's difficult to get a router/firewall to utilize multiple cores. There's probably little benefit moving from 4 to 8 cores, but the 640 comes with 8x more RAM and 2x SATA disk. It's worth the small premium.
These benchmarks look a little suspect. Probably because of low sample count. The C3958 numbers are obviously wrong. The C3558 (620) and C3758 (640) numbers seem reasonable. Figure a Passmark of 850 single core which is pretty low by today's standards. Since there's no throttling(?)/boost, I assume the TDP numbers imply all cores active. You'll never come close.
Since some newer units come without Wi-Fi/BT (and the mini PCIe socket), prospective buyers need to look closely at the model numbers.
Last edited:
Just received my Edge 620 unit today and successfully loaded OPNsense and OpenWRT onto it after performing the BIOS update with the diagnostic OS. I did not get a chance to test pfSense. Surprisingly, the whole process went very smoothly, especially compared to the effort it took to set up the same configuration on my older VeloCloud 5X0 unit. I followed the exact instructions posted here, and the only notable difference with mine was that my NICs worked flawlessly without requiring me to push the internal or external reset buttons.
Here are some key points to note about these units:
1. The fan noise is quiet enough for small office use, but it's not completely silent. I noticed that the original VC software included some sort of fan control, as it would turn off the fan when fully booted. However, OPNsense and OpenWRT don't seem to have any control over the fan, so it remains at a consistent speed.
2. Some of the newer models are missing the wireless card. Fortunately, my unit still had Wi-Fi capability. However, I couldn't use it with any of the BSD-based firewalls like PFsense or OPNsense. This isn't a significant issue since an access point typically offers better performance unless integrated Wi-Fi is needed for diagnostic purposes.
3. The 620, 640, and 680 models all come with a PCIe drive. Mine came with a 120GB SSD labeled as "SATA 120G USB drive." I was able to install OPNsense and OpenWRT on this drive and boot from it without any issues.
4. Additionally, my unit has an extra RAM slot on the bottom, accessible through the removable bottom plate. I haven't tested adding RAM to this unit yet, but it should function similarly to any other expandable RAM slot.
I paid $75 USD for my unit, and for the price, I can't complain. The low power requirements and decent performance make this a very compelling option for a small firewall.
Here are some key points to note about these units:
1. The fan noise is quiet enough for small office use, but it's not completely silent. I noticed that the original VC software included some sort of fan control, as it would turn off the fan when fully booted. However, OPNsense and OpenWRT don't seem to have any control over the fan, so it remains at a consistent speed.
2. Some of the newer models are missing the wireless card. Fortunately, my unit still had Wi-Fi capability. However, I couldn't use it with any of the BSD-based firewalls like PFsense or OPNsense. This isn't a significant issue since an access point typically offers better performance unless integrated Wi-Fi is needed for diagnostic purposes.
3. The 620, 640, and 680 models all come with a PCIe drive. Mine came with a 120GB SSD labeled as "SATA 120G USB drive." I was able to install OPNsense and OpenWRT on this drive and boot from it without any issues.
4. Additionally, my unit has an extra RAM slot on the bottom, accessible through the removable bottom plate. I haven't tested adding RAM to this unit yet, but it should function similarly to any other expandable RAM slot.
I paid $75 USD for my unit, and for the price, I can't complain. The low power requirements and decent performance make this a very compelling option for a small firewall.
The fan controller is TC654 at address 0x1B on i2c-0. The temperature sensor is LM75A at address 0x4A on i2c-0. I have verified that I can read from both devices under standard Debian. The temperature value does go down when I remove the cover. I'm reading 34°C at idle (cover on with 2 fans). Per Intel, the processor maximum is 82. The Diag-OS has a 'warn' value of 45 and a 'critical' value of 70. I think there's some room for tweaking. The fan controller has an analog temperature sensor input. I'm not sure it's connected to anything. It seems like my fans run at fixed rate. Maybe I just haven't pushed it hard enough.
I'll need to write an actual program with temperature feedback to safely lower the fan speed. The fan controller also monitors RPM, so those thresholds might also need to be adjusted.
I can control the front LED which has full 24-bit color. The NIC link LEDs are either system-controlled or all on/off, so not very useful. Ultimately, I'd like to expose everything in Home Assistant.
For the curious, the I2C addresses can be found in the /etc/dn/diag folder of the Diag-OS install. That's low-hanging fruit.
Last edited:
What version and build date do you see in the BIOS? I was questioning my steps when a 640 and 680 showed different versions from the same 'update'.
Do you see any mention of DXE during boot? I see a message after the memory test and another right before the target OS takes over. It appears that DXE is what initializes the I350 NICs. DXE will also refuse to boot if the Wi-Fi card is removed.
My BIOS version matched the flash tool used in the diagnostic OS (3.50.0.9-20) with a build date of 09/19/2023. I also observe DXE during the POST sequence, and it does like to complain when I remove the Wi-Fi card. However, this doesn't prevent my OS from booting, and all NICs continue to initialize without any issues.
Here are screenshots of my BIOS version and the message I get about the missing WIFI card.
