Netgate Discussion Forum

    Best strategy for pfSense recovery

    General pfSense Questions
    • stephenw10 Netgate Administrator

      Yes.

      • papdee

        If you are just using this at home, assuming you have a recent backup.xml file, simply restore your backup to the new machine and reassign the NICs. It should not be more than a 5-minute job.

        If you're supporting a business, use NICs that you can carry over from the old machine to the new machine, restore the backup.xml, and all should be good straight off the bat.

        • JKnott @papdee

          @papdee

          I copied the config.xml file, in case there were any changes after the last backup.

          pfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • darkcorner

            It wasn't exactly painless.
            First, all NICs had to be assigned because these were associated with the old IDs, but this was the minor problem.
            All packages were not installed. In the GUI it looks like they are, but in the Package Manager the list is empty.
            Even after hours it always stays that way, and the "clear lock" button doesn't seem to do anything because the message "process with pid # still holds the lock" always appears. I restarted several times, but to no avail.
            Squid and NUT are inactive and must be started by hand, and even after restarting pfSense they are still inactive.
            The biggest problem is that I can no longer shut down and restart from the GUI and I have to do it from the console, but this is impossible remotely, obviously.

            • stephenw10 Netgate Administrator

              What hardware did you install into? What happens when you try to shutdown or reboot remotely?

              • papdee @darkcorner

                @darkcorner After restoring the config and reassigning the NICs, the packages should have downloaded and installed automatically. Squid is not bound to any specific hardware, so I'm not sure why you should be having issues there. NUT is bound to specific hardware, so you may need to tweak the config if you have moved to new and different hardware.

                • darkcorner

                  I was hoping to use the initial configuration as a base or "template" for the new final configuration and perhaps for future configurations on other firewalls.
                  However, if I have to waste a day to reconfigure everything, then it is more convenient to do a new installation and follow my personal "step by step" guide and then load the backups of the individual services.
                  After all, the most complicated part that cannot be saved is the one relating to users and OpenVPN.
                  It is my personal opinion after only one migration. After this installation (I have to finish by tomorrow, Monday) I will try to do other tests on other PCs.

                  The NICs have to be reassigned because I started from a PC with 4 Realtek NICs, two on Motherboard and two on the board, plus a "NIC-USB".
                  There is now a card with 4 NICs and a fifth on Motherboard.
                  But, as I said, it is the minor problem.
                  The reassignment must be done in the GUI. If you do this in the console before completing the setup, then you end up with old and new NICs.
                  So I did the installation from scratch, entered the GUI, completed the initial Wizard, loaded the restore, reassigned the NICs.

                  Squid and NUT don't start automatically, as they should.
                  I think the problem is related to the fact that the packages are not restored and from the package manager they cannot be reinstalled because they are blocked.
                  FreeRadius is inaccessible and cannot be reinstalled.
                  Internet access should be guaranteed. Two NICs are connected directly to the two routers, one NIC is on the 4 NICs card and one is the one on the motherboard.
                  I don't see a reason why there shouldn't be. On the first firewall I was even able to configure failover.

                  Shutdown and Reboot just don't work.
                  After confirming in the GUI, no message appears on the console relating to the stop of services, as normally happens.
                  I am forced to do it from the console.

                  Now I go back to the office again to understand what is happening. Last night it was 9:00 pm and I couldn't see anymore due to fatigue.

                  • papdee @darkcorner

                    @darkcorner Sorry you've been having trouble. I admit I don't have VPN set up on my system. But I do have squid, apcupsd, snort, haproxy, and multiple VLANs set up. This is a business setup, so I made sure I have a dedicated 4-port NIC I can carry over. I had a meltdown with the mainboard and HDD. I kept an exact model mainboard in stock, knowing one day I may need to replace the old one if there was ever a failure. My experience is that the recovery was reasonably quick and painless. I installed fresh pfSense from CD, then recovered the config.xml file, made sure it could connect to the internet, and just waited for the whole system to update. It took about an hour to update and everything was back to normal.

                    • stephenw10 Netgate Administrator

                      If for some reason there is no available internet access at the first boot after restoring, pfSense will fail to re-install packages. But when that happens you will see an alert in the webgui telling you which packages failed to install (maybe all of them). In that situation it's often easiest to just restore the config a second time. Since the currently running config will then match that, the connection at the next boot should be valid and it will install the packages.
                      You can always just manually install the packages, the package config will still be present.
                      The only time you might not be able to reinstall a package would be if the previous install was very old and contained packages that are no longer present.

                      Steve

                      • darkcorner

                        I have done several tests and I have some considerations to make (as a newbie).

                        If I install from the package manager, I can see both the completion bar and the list of operations carried out, step by step.
                        If, on the other hand, the packages are automatically restored, there is no way to know what pfSense is doing, how much work still needs to be done and, above all, where it is jammed.
                        I have not found a log related to the installation of the packages.

                        Loading the XML config file after the basic installation wizard does not create major problems, except for that related to different hardware.
                        But if I load it with packages already present, then the installation often fails. It happened to me several times, even leaving pfSense on for hours without doing anything else.
                        Probably the new installation conflicts with what is already on the disk from a previous installation.
                        For sure the FreeRadius reinstallation crashes very often.
                        These are the packages I install, in this order:

                        • nut
                        • Squid
                        • Lightsquid
                        • SquidGuard
                        • Backup
                        • cron
                        • iperf
                        • nmap
                        • openvpn-client-export
                        • RRD_Summary
                        • Sudo
                        • Snort
                        • FreeRadius

                        The pfBlockerNG package also creates problems for me, but I think it is instead related to a conflict with Squid, so I don't install it anymore and will open a separate post.

                        • SteveITS Rebel Alliance @darkcorner

                          @darkcorner When restoring to a new device make sure the new pfSense is the latest version...you want to be installing packages for the version of pfSense you have, and its default is to install for the latest version.

                          Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                          Upvote 👍 helpful posts!

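A pre-restore check for the two problems discussed in this thread: NIC assignments that point at devices missing on the new hardware, and the package list pfSense will try to reinstall. This is an added example, not code from any poster or from Netgate; the sample XML is constructed, the element layout (`<interfaces>/<name>/<if>`, `<installedpackages>/<package>/<name>`) and the `re2.20` VLAN naming are assumptions about the backup format, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a pfSense config.xml backup (not real data).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>re0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>re2.20</if><descr>GUEST</descr></opt1>
    <opt2><if>ue0</if><descr>WAN2</descr></opt2>
  </interfaces>
  <installedpackages>
    <package><name>squid</name></package>
    <package><name>nut</name></package>
    <package><name>freeradius3</name></package>
    <squid><config/></squid>
  </installedpackages>
</pfsense>"""

def load(xml_text):
    """Parse the text of a config backup and return its root element."""
    return ET.fromstring(xml_text)

def interface_assignments(root):
    """Map each logical interface (wan, lan, optN) to (description, device)."""
    return {n.tag: (n.findtext("descr", default=n.tag), n.findtext("if", default=""))
            for n in root.findall("./interfaces/*")}

def stale_assignments(root, present_nics):
    """Assignments whose parent device is absent from the new hardware.
    Virtual devices (VPN, LAGG, bridge) are listed too unless passed in present_nics."""
    present = set(present_nics)
    stale = {}
    for name, (_descr, dev) in interface_assignments(root).items():
        parent = dev.split(".", 1)[0]  # assumed VLAN naming: re2.20 lives on re2
        if parent not in present:
            stale[name] = dev
    return stale

def packages_to_reinstall(root):
    """Package names recorded in the backup, in file order."""
    names = (p.findtext("name") for p in root.findall("./installedpackages/package"))
    return [n for n in names if n]

if __name__ == "__main__":
    root = load(SAMPLE_CONFIG)
    new_nics = ["igb0", "igb1", "igb2", "igb3", "re0"]  # hypothetical replacement box
    for name, dev in stale_assignments(root, new_nics).items():
        print(f"reassign {name}: {dev} not present on new hardware")
    print("packages expected after restore:", ", ".join(packages_to_reinstall(root)))
```

Run it against a copy of the backup on an admin workstation; the file also holds password hashes and certificate private keys, so handle it as a secret.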
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.