Automate full config backups from a pfSense to a Synology NAS on the same network
-
Hi. Please I need pointers.
I want to automate backups from pfSense to a Synology DS1819+ NAS. I want it to populate the NAS periodically (once a week). Most of the solutions I've seen online were proffered years ago, so I don't want to risk it as the pfSense is in production, and breaking something will result in consequences I'd rather not face.
I know about SSH, rsync and scp. Which would be preferable, and (if possible) I'd really appreciate a pointer to documentation that I can follow.
Many thanks! -
A few methods are shown here: https://docs.netgate.com/pfsense/en/latest/backup/remote-backup.html
-
@stephenw10 Thanks for your help, as always!
That was my first point of call when I set out to perform this task.
I've configured SSH passwordless authentication from Synology to pfSense, but it didn't work when I did the same from pfSense to Synology.
I set up rsync, and I want to use Cron on pfSense to automate the process using the command
rsync -av /cf/conf/backup username@Synology-ip::NetBackup
but it keeps asking me for the password. I've tried setting up passwordless authentication from pfSense to Synology, but it's not working. A workaround would be to include the password (as a file with permissions 600) with a flag in the rsync command using the flag
--password-file
command, but I've not been able to get it to work. Any ideas?
-
@stephenw10 I finally got it to work! - through a slightly different route. Just putting it here for someone who needs the same. And I'm open to corrections.
Since I already have passwordless authentication to pfSense, it was just a logical step further to run a scheduled task from Synology to pfSense!
I set up a basic automated task on Synology by doing the following:-
Log in to Synology, then go to Control Panel > Task Scheduler > Create > Scheduled Task > User-defined script.
-
Give the task a name.
-
Choose a user. This should be the user with passwordless login credentials into pfSense - For illustration purposes, let me use DOracle as the username. Check the Enabled box.
-
Click on the Schedule tab, and select the frequency of the update.
-
Click on the Task Settings tab, and paste the following command into the User-defined script box:
ssh DOracle@pfsense-ip cat /cf/conf/config.xml > ~/DOracle/path-to-the-backup-folder/config-`date +%Y%m%d%H%M%S`.xml
The "date +%Y%m%d%H%M%S" is to ensure that the config.xml file carries the date and time when the backup was made. -
Check the Notifications box and enter an email to notify you if the command has run. You can check the "Send run details only when..." if you only want to be notified when the script doesn't run.
Click Ok.
Next, I'll be looking to implement automatic backups only when changes are made.
I'll update the thread as I go on. Thanks so much for your help!
-
-
@ojosaghae Did you ever get the diff feature working, ie. only backup changes ?
For now, I just did this to schedule a nightly backup . I guess I could write a script to do the diffs.
echo '0 2 * * * sshpass -p "password" ssh root@pfsense.localdomain "cat /cf/conf/config.xml" > /array/zfs/Backups/pfSense/pfsense-$(date +%Y%m%d-%H%M%S-%3N).xml' | crontab -
-
@madbrain said in Automate full config backups from a pfSense to a Synology NAS on the same network:
the diff feature working
A diff ? The day you need the latest backup file, you want to be 'online' fast so take the latest backup, import and done, or you want to rebuild the latest valid config from i.e. 10 days ago, and then have to merge in the latest 10 days of diffs first ?
Normally, it's not the Mbytes that are missing on our NAS ;)
Probably, imho, would be better to implement a "file management system" like deleting backup files that are older than, let's say 100 days.
I'm pretty sure ... wait, fact checking in progress :
Using username "Gertjan".
Authenticating with public key "rsa-key-20230908"
Using terminal commands to modify system configs, execute external binary files, add files, or install unauthorized third-party apps may lead to system damages or unexpected behavior, or cause data loss. Make sure you are aware of the consequences of each command and proceed at your own risk.
Warning: Data should only be stored in shared folders. Data stored elsewhere may be deleted when the system is updated/restarted.
Gertjan@DiskStation2:~$ diff
diff: missing operand after 'diff'
diff: Try 'diff --help' for more information.
yep, it has diff.
edit : I'm wrong. My Syno NAS has diff ... maybe not yours.
-
@Gertjan By diff I meant some diff process, so that new config files are not stored if there have been no changes. This is not so much to conserve space as to make it less confusing at the time of restore - it should only show the versions that changed.
My NAS is a custom one running Ubuntu 22, not Synology.
The command I posted yesterday did not work. It produced 0 byte files. Turns out logging in to pfSense+ 24.11 via ssh presents the user with a menu. One needs to select option 8 before executing any command. Is there any cleaner way than forcing the input of 8 + LF before the command ?
-
@madbrain said in Automate full config backups from a pfSense to a Synology NAS on the same network:
The command I posted yesterday did not work. It produced 0 byte files. Turns out logging in to pfSense+ 24.11 via ssh presents the user with a menu. One needs to select option 8 before executing any command. Is there any cleaner way than forcing the input of 8 + LF before the command ?
Aha .... Let "AI" the thing ...
What about these 4 keywords ? :
pfsense ssh backup config
Use the very first Alternate Remote Backup Techniques | pfSense ... solution proposed.
Over there, 3 solutions. the last one, Basic SSH backup will interest you.
edit : ok ... stupid me, this link was already given above. But take note : no "menu" issues for me.
Still, this doesn't work for me, as I'm using this :
so no root (admin) password is asked, but a key passphrase is needed.
After placing my pfsense private key in some '.ssh' directory (name : pfsense.key) I could use
Christian@DiskStation2:~/.ssh$ ssh -i /var/services/homes/Christian/.ssh/pfsense.key root@192.168.1.1 cat /cf/conf/config.xml > backup.xml
Enter passphrase for key '/var/services/homes/Christian/.ssh/pfsense.key': ############
Now I have the config file "backup.xml" on my NAS :
Christian@DiskStation2:~/.ssh$ ll backup.xml
-rw------- 1 Christian users 639484 Feb 20 08:41 backup.xml
Look at this if you want to automate it 100 % (somewhat not secure)
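The pull-from-the-NAS approach discussed in this thread, combined with the "store only changed configs", 0-byte-file and 100-day retention points raised above, as an added example that is not any poster's own script. It assumes the NAS user can log in to pfSense with a key without being prompted; the host, key path and backup directory are placeholder arguments, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Host, key path and backup directory are
# placeholders given as arguments; function names are illustrative.
umask 077  # config.xml carries password hashes, keys and certificates

# Keep a fetched config only if it is complete and differs from the newest copy.
# $1 = fetched file, $2 = backup dir. Prints stored | unchanged | rejected.
store_if_changed() {
    new=$1; dir=$2
    # Empty or truncated transfer (the 0-byte case): the closing root tag is missing.
    if [ ! -s "$new" ] || ! grep -q '</pfsense>' "$new"; then
        rm -f "$new"; echo rejected; return 1
    fi
    latest=$(ls -1 "$dir"/config-*.xml 2>/dev/null | sort | tail -n 1)
    if [ -n "$latest" ] && cmp -s "$new" "$latest"; then
        rm -f "$new"; echo unchanged; return 0
    fi
    mv "$new" "$dir/config-$(date +%Y%m%d%H%M%S).xml"
    echo stored
}

# Delete copies older than $2 days, but never the newest one: an unchanged
# config may legitimately be older than the retention window.
prune_old() {
    newest=$(ls -1 "$1"/config-*.xml 2>/dev/null | sort | tail -n 1)
    find "$1" -type f -name 'config-*.xml' ! -name "${newest##*/}" \
        -mtime +"$2" -exec rm -f {} +
}

# $1 = user@pfsense, $2 = private key file, $3 = backup directory
backup_pfsense() {
    tmp="$3/.incoming.$$"
    # BatchMode: fail instead of prompting; a failed fetch leaves an empty file.
    ssh -i "$2" -o BatchMode=yes "$1" cat /cf/conf/config.xml > "$tmp" || true
    store_if_changed "$tmp" "$3" && prune_old "$3" 100
}

if [ $# -eq 3 ]; then backup_pfsense "$@"; fi
```

Saved as a script and called from the scheduled task with the three arguments, it exits non-zero when the fetch is rejected, so the task's failure notification fires and nothing is pruned on a bad run.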