Pfsense+, tokens vs nic changes, broken registration
-
use case: home lab
I'm in the process of planning to migrate from sophos UTM to pf.
I need some clarification on how the NDI number is tied to tokens to hardware.
It's my understanding part of the hardware hash includes the nic(s) mac address(es).
For example, pfsense instance (vm), has 2 nics in vfio (passthrough). Token applied and instance registered, software upgraded to pf+ 23.01.
What happens when a third nic is added (vfio or virtual)? Will the registration break?
What is the best way to strategize adding new nics so as to avoid breaking the registration?
Based on reading other posts, a ticket can be created to fix the existing registration or a new free token applied. Is one method preferred over the other?
-
@gpz1100 said in Pfsense+, tokens vs nic changes, broken registration:
I need some clarification on how the NDI number is tied to tokens to hardware.
The token is one-time use and is converted into a pfSense Plus license/record for your NDI.
It is based on all the NICs in your system at the time of application. If you have 2.5GbE NICs that are not recognized your NDI will change after installing pfSense Plus.
Best solution to not breaking the NDI is not changing your NICs. If you're on VM take plenty of snapshots so you can roll back. If you have to crush your install and start over use the same VM instance and don't make a new one. If you can make your MACs static, do that.
If you have Intel 226 NICs and you do the upgrade you have two options:
-
Open a ticket and explain your situation and include your original NDI, the new NDI, your Shopify Order number and we'll migrate. Please also include a screenshot of your System Information widget on your pfSense GUI Dashboard in your ticket.
-
If your original one-year license is expired get a new token.
If you subscribe to TAC Pro or TAC Enterprise as well just do step one and open a ticket explaining your situation.
Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti -
-
@rcoleman-netgate
Thank you for the quick response.Is the NDI tied to the physical nic mac or virtual (spoofed)? To get the wan operational its mac has to be spoofed.
-
@gpz1100 said in Pfsense+, tokens vs nic changes, broken registration:
Is the NDI tied to the physical nic mac or virtual (spoofed)? To get the wan operational its mac has to be spoofed.
The MAC as it is presented to the core OS. Internal spoofing in pfSense is not taken into account.
