Unable to restore config to different hardware
-
@stephenw10
Where would I set the primary console? I set up the original box and definitely didn't use a serial connection, but would like to confirm that it didn't somehow get set.
-
In System > Advanced > Admin Access.
-
@gertjan
That was very helpful. The original firewall used emx interface names. The new one uses igbx ones.
I edited the config file (replaced em0 with igb0, etc.) and that allowed it to boot. It acts as a proper firewall (passing traffic from LAN to WAN as expected), but the web interface won't work. That is, I browse to http://192.168.1.1 and never get a response.
I tried reconfiguring the interfaces from the console, but that didn't resolve it.
Any thoughts on how to get the web interface working?
-
@stephenw10
Thank you for the clarification. The original firewall (as well as others that I've set up in the past) have Serial Console set as the primary. They've never given me any problem with booting up, with or without a monitor attached. The problem firewall shows that it is set for Dual with Serial primary (first menu that lasts a few seconds).
I did a new installation of 2.6.0 to check how this setting comes up. What's interesting is that it shows Serial Speed but not Serial Terminal or Primary Console! The older firewall (started with an older version of pfSense, then went through updates to get to 2.6.0) does have those settings. (attached screenshot: NoConsole.jpg)
In any case, I don't think that this is the issue. As you'll see in a different post, I resolved (mostly) the interface issue so the system boots to the main menu.
-
@compprobsolv said in Unable to restore config to different hardware:
but the web interface won't work. That is, I browse to http://192.168.1.1 and never get a response.
Go to the console.
Use ifconfig
to check the assigned IP addresses.
Btw : pfSense found the correct interfaces part, like igb0 = WAN, igb1 = LAN etc.
These "text labels" should match the labels used in the firewall part. The pfSense web server can not work if there are no rules loaded on the correct interfaces !
I mean : the web server works, but traffic doesn't enter your LAN interface. So, several checks :
Does DHCP, the server, work ? Does your PC get an IP, mask and gateway from pfSense ?
Launch ipconfig /all
on your PC, and check what you see.
On pfSense use :
ps ax | grep 'nginx'
to see what nginx instances are running.
I have :
[23.01-RC][admin@pfSense.brit-hotel-fumel.net]/root: ps ax | grep 'nginx'
   28  -  I       0:30.98 nginx: worker process (nginx)
  273  -  I       5:09.06 nginx: worker process (nginx)
  355  -  I       1:51.63 nginx: worker process (nginx)
 9421  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
 9526  -  I       0:23.10 nginx: worker process (nginx)
 9795  -  I       0:04.59 nginx: worker process (nginx)
23174  -  I       3:24.06 php-fpm: pool nginx (php-fpm)
37286  -  I       0:26.48 php-fpm: pool nginx (php-fpm)
44782  -  I       1:33.51 php-fpm: pool nginx (php-fpm)
71186  -  I       1:35.93 php-fpm: pool nginx (php-fpm)
72644  -  I       0:05.38 php-fpm: pool nginx (php-fpm)
74670  -  I       0:09.65 php-fpm: pool nginx (php-fpm)
96007  -  I       0:31.92 php-fpm: pool nginx (php-fpm)
98065  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal.conf (nginx)
98179  -  I       0:00.01 nginx: worker process (nginx)
98490  -  I       0:00.01 nginx: worker process (nginx)
98794  -  I       0:00.07 nginx: worker process (nginx)
98947  -  I       0:00.02 nginx: worker process (nginx)
98986  -  I       0:00.16 nginx: worker process (nginx)
99338  -  I       0:00.95 nginx: worker process (nginx)
99381  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal-SSL.conf (nginx)
99672  -  I       0:17.16 nginx: worker process (nginx)
99808  -  I       0:05.62 nginx: worker process (nginx)
99918  -  I       0:48.78 nginx: worker process (nginx)
59685  0  S+      0:00.00 grep nginx
Every process has 4 instances.
You'll see the http version (listening on port 80) and the https version (port 443).
There are also 4 PHP processes for the GUI needs.
I'm using the captive portal, so there are 4 more instances. The pfSense GUI listens on all existing 'hardware' interfaces, so even on WAN ( ! ).
Inspect /var/log/system.log :
ee /var/log/system.log
and check if you see any nginx startup error messages.
Btw : I was using a bare bone PC type device with a 4 NIC Intel card for my pfSense during .... 10 years or so.
Lately, I bought a 4100, and tried to copy over the config.xml file, like you did.
But I had 'issues', although I thought I knew the content of the config.xml pretty well. I stopped editing the config.xml; I used the old one as a guideline to create a new one on the new 4100 from scratch.
This forced me also to apply the 'keep it simple' rule.
A basic pfSense (only) setup doesn't contain that many settings anyway. Afterwards, I added the packages, and finalized my setup.
-
gertjan said in Unable to restore config to different hardware:
Take a good text editor, so not Notepad, not Word for Window, but, for example the 'must have' Notepad++.
In short :
Look at the xml file, and discover whats in it.
You will find an <interfaces> ... </interfaces> section, with the newly assigned interfaces (NICs).
Copy that one.
Paste (and replace) this section into the config.xml from the previous pfSense setup.
Save, and now import this config.xml into your new system.
Cross fingers. Besides a good editor :
I can recommend these for comparing configs.
Windows : https://winmerge.org/
Linux : Install meld
/Bingo
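As an added example (not code from this thread, and not Netgate's), the script below automates the idea in the post above but goes one step further: instead of pasting the whole <interfaces> block from the new install over the old one, it matches the two <interfaces> sections by logical name (wan, lan, opt1, ...), derives an old-NIC to new-NIC map (em0 to igb0 and so on), rewrites every device name it finds in the old config while keeping VLAN tags, and reports any logical interface the new box has not assigned yet and any device name that still has no counterpart on the new hardware. The two config fragments are constructed samples, and the set of tags assumed to carry device names (if, vlanif, members, ports) and the list of pseudo-interface prefixes are assumptions about the config.xml layout; check them against your own file before importing the result.

```python
"""Remap physical NIC names in a pfSense config.xml for new hardware.
Added example, not from this thread or from Netgate: match old and new
<interfaces> by logical name, derive old-NIC -> new-NIC, rewrite device
names where they appear, and report what still points at a device the
new box does not have."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed config.xml from the old box (em* NICs), with a
# VLAN and a bridge that carry device names outside <interfaces>.
OLD_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><if>em2.10</if><descr>GUEST</descr></opt1>
    <opt2><enable></enable><if>bridge0</if><descr>BRIDGE</descr></opt2>
  </interfaces>
  <vlans><vlan><if>em2</if><tag>10</tag><vlanif>em2.10</vlanif></vlan></vlans>
  <bridges><bridged><members>em2,em3</members><bridgeif>bridge0</bridgeif></bridged></bridges>
  <filter><rule><type>pass</type><interface>lan</interface></rule></filter>
</pfsense>
"""
# Constructed sample: the fresh install on the new box after assigning NICs
# from the console menu (igb* NICs, nothing else configured yet).
NEW_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><if>igb2</if></opt1>
  </interfaces>
</pfsense>
"""
_DEV = re.compile(r"^([a-z]+\d+)(\.\d+)?$")   # em0, igb1, em2.10 (NIC + VLAN tag)
# Assumed prefixes of pseudo-interfaces that pfSense recreates from config;
# they are not hardware and are never remapped.
_VIRTUAL = ("bridge", "lagg", "gif", "gre", "ovpn", "ipsec", "wg", "lo", "enc")
# Assumed tags whose text is a device name or a comma-separated list of them.
_DEVICE_TAGS = {"if", "vlanif", "members", "ports"}

def base_device(token):
    """'em2.10' -> 'em2'; 'igb0' -> 'igb0'; 'bridge0' or '' -> None."""
    m = _DEV.match(token)
    if not m or m.group(1).startswith(_VIRTUAL):
        return None
    return m.group(1)

def _logical_ifs(root):
    """{'wan': 'em0', 'opt1': 'em2.10', ...}: raw <if> text per logical interface."""
    out, ifaces = {}, root.find("interfaces")
    for logical in ([] if ifaces is None else ifaces):
        ifel = logical.find("if")
        if ifel is not None and ifel.text:
            out[logical.tag] = ifel.text.strip()
    return out

def nic_map(old_root, new_root):
    """Old NIC -> new NIC by logical name, plus old logical interfaces not assigned on the new box."""
    old, new = _logical_ifs(old_root), _logical_ifs(new_root)
    mapping, unassigned = {}, []
    for logical, raw in old.items():
        if logical not in new:
            unassigned.append(logical)        # assign it at the console first
            continue
        old_dev, new_dev = base_device(raw), base_device(new[logical])
        if old_dev and new_dev:
            mapping.setdefault(old_dev, new_dev)   # first logical wins for a shared NIC
    return mapping, unassigned

def _rewrite(token, mapping):
    m = _DEV.match(token)
    if not m or m.group(1) not in mapping:
        return token
    return mapping[m.group(1)] + (m.group(2) or "")   # keep the VLAN tag

def remap_config(old_xml, new_xml):
    """Return (old config rewritten for the new NICs as XML text, report dict)."""
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(new_xml)
    mapping, unassigned = nic_map(old_root, new_root)
    parents = {child: parent for parent in old_root.iter() for child in parent}
    leftovers = []
    for el in old_root.iter():
        # <interface>lan</interface> in rules, NAT, DHCP etc. holds logical
        # names, so only the device-bearing tags are touched.
        if el.tag not in _DEVICE_TAGS or not el.text:
            continue
        tokens = [_rewrite(t.strip(), mapping) for t in el.text.split(",")]
        el.text = ",".join(tokens)
        for t in tokens:
            dev = base_device(t)
            if dev and dev not in mapping.values():
                leftovers.append(f"{parents[el].tag}/{el.tag}={t}")
    report = {"mapping": mapping, "unassigned": unassigned, "leftovers": leftovers}
    return ET.tostring(old_root, encoding="unicode"), report

if __name__ == "__main__":
    xml_out, rep = remap_config(OLD_CONFIG, NEW_CONFIG)
    print(xml_out)
    for key in ("mapping", "unassigned", "leftovers"):
        print(f"{key}: {rep[key]}")
```

Run it against the config.xml exported from the old box and the one exported from the fresh install after the console interface assignment; anything listed under unassigned or leftovers (in the sample, opt2 has no NIC yet and the bridge still references em3) must be fixed by hand before the rewritten file is imported, otherwise pfSense will again fall back to the interface assignment prompt or load rules against an interface that does not exist.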
-
@gertjan
I can respond to some of your comments; others will have to wait. The interface assignments appear to be correct. Aside from what is displayed on boot (igb0 as WAN with the appropriate WAN address, igb1 with LAN, etc.), the system does work as a basic firewall after the restore. That is, a computer connected to the LAN port with the proper IP gets through the firewall and to the internet.
The firewall is not set up as a DHCP server; on the client's network there is a Windows server to do that. I'm accessing the firewall with a laptop set with a static IP of 192.168.1.54/24. The firewall LAN address is 192.168.1.1. I can ping the LAN address and I can ping the internet. I just can't get the web interface to work.
Your comment about the rules may be the key here, though I thought I edited the config file correctly. How would I inspect the rules without the web interface? I'm not a Linux guy, but I can get through any steps provided.
I understand your comments about simply rebuilding the configuration from scratch. My only issue with that is the 15 or so client VPNs that are set up. I don't want to have to recopy certificates to each of those computers. I may try just restoring the OpenVPN (as suggested above) to see if that gets all of the VPN stuff back. If so, I can manually reconfigure the rest. Part of this was a test of disaster recovery. I want to be prepared for a scenario where the client's hardware fails and I have to replace it.
-
@compprobsolv said in Unable to restore config to different hardware:
How would I inspect the rules without the web interface
"The ruleset can also be verified from the console or Diagnostics > Command in the Shell Execute box by running:
pfctl -f /tmp/rules.debug
"
from https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#ruleset-failing-to-load
-
@steveits
I must be misunderstanding the docs. From the text menu on the firewall (VGA screen), I selected 8 (Shell). I then typed the command you suggested. I got a new prompt with no other response. I tried the same from 12 (PHP shell....) with similar results.
I did this on a different, working firewall and also got no response other than a new prompt. I get the same results on the good system with SSH over the LAN.
What am I missing?
-
@compprobsolv My bad, sorry. The above (re)loads the rules and shows errors.
See
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
-
@steveits
Restoring OpenVPN: I did that and was still able to access the GUI (after reboot). But.... that doesn't recreate the CA and user certificates. I presume that comes with restoring System. When I do that, I lose the GUI.
-
@steveits
Thank you for the update. I understand the details better now. I ran the pfctl commands through PuTTY (before and after restoring) and captured the outputs there. I'll work through comparing them next to see if there is something that stands out.
-
@compprobsolv said in Unable to restore config to different hardware:
What's interesting is that it shows Serial Speed but not Serial Terminal or Primary Console! The older firewall (started with an older version of pfSense, then went through updates to get to 2.6.0) does have those settings.
That is shown on a device that was installed from the serial console image. It is configured for only serial console.
Check /conf for the enableserial_force file.
-
@stephenw10
Thank you!
I went back and downloaded the correct version. That didn't fix my core issue, but it did clear up why I was not seeing those choices.