New hardware - not working with config from old hardware
-
I have used pfSense for a while now for myself and others. In this case the old hardware is an APU4D4. Over time it has needed more and more configuration. Now it has 3 different OpenVPN servers, one IPsec tunnel, 3 VLANs and one ordinary LAN. When I added the 3rd OpenVPN, I noticed that it often disconnected. I thought that it probably is because the hardware is too slow. So, I took an old Sophos SG-135 rev2 with Intel Atom C2538, 6GB RAM. Installed pfSense. First I looked at the names of the interfaces, and was happy since they were the same(!), so I did not change the XML at all.
At first it also looked good when I had changed out the hardware. I was able to connect to the web interface, and WAN and everything showed as working. But then I noticed that the VMware machines, which are connected to the different VLANs, did not have Internet access. Then after maybe 5-10 minutes they had. Strange, I thought. Then I noticed that one tunnel, which I had set (before the backup of the old firewall) to send all traffic over the VPN tunnel, did not do that any more on the new hardware. Then the LAN traffic stopped having Internet access; I could not ping even IP numbers on the Internet. But the VLANs still worked, and I was able to connect with the VPN tunnel from outside in to the VMs. At this point I had to get the LAN network up and running again, so I changed the firewall back to the old one. What could have gone wrong? It seemed very unstable. For now I will just try to install WireGuard instead of the 3rd OpenVPN tunnel, and see if that fixes the problem, but in the future I will probably need to change out the slow hardware for a newer one. Probably I will buy a new Qotom with a J6412 CPU. But I need to know how I should do the swap without these strange issues.
-
Normally, a backup of the config is to be used for that device.
Using it on another device will give issues if the NIC driver names, or their order as they are encountered during kernel boot, differ.
Furthermore: pfSense uses a unique "device ID". So, better safe than sorry: treat these backups as unique per device.
It might, of course, work. Getting the right driver names in place is the way to go.
Btw: what pfSense version do you use?
@utvecklarn said in New hardware - not working with config from old hardware:
What could have gone wrong? It seemed very unstable. For now I will just try to install Wireguard in
Normally, when you start using a new device, you should use the default setup : WAN+LAN and make sure everything is fine.
Then add other interfaces - and their DHCP settings.
Then add VLANs - and DHCP.
Then VPN stuff etc.
You said: unstable ... but what can that be? Could be anything.
-
@Gertjan said in New hardware - not working with config from old hardware:
Normally, a backup of the config is to be used for that device.
Using it on another device will give issues if the NIC driver names, or their order as they are encountered during kernel boot, differ.
My guess is it's something to do with how the NICs are assigned during boot. If they have the same names (igb0, 1, 2 etc.) you should typically be fine. But if the Sophos HW has more or fewer than the 4 in the APU, you might get some mismatch in the assignment. Also, the order relative to the physical ports on the unit (left to right) might be different from what you think...
I have been able to reuse the backup and move between ixN, igbN and virtual NICs simply by editing the xml. But you need to know the mapping towards the physical interface.
One way of checking could be to start from scratch on the Sophos HW, configure the ports and perhaps one or two VLANs. Save the backup and then compare with the one from the APU...
-
@Gertjan said in New hardware - not working with config from old hardware:
So, better be safe then sorry : treat these backups as unique per device.
It might, of course, work. Getting the right driver names in place is the way to go.
Btw: what pfSense version do you use?
Thank you for your answer!
2.7.2
It seems that it happens pretty often that you outgrow one piece of hardware and need to upgrade without wanting to do all the configs again. In this case there are several OpenVPN users that I would rather not export new certs and settings for. Would it be better to edit the XML to exclude everything but VPN? Or is there any other way of just exporting the OpenVPN part?
-
@utvecklarn When you import, you can select the parts you want, and OpenVPN is one of them. So you can edit the xml to remove it entirely. Or perhaps remove it before backing up, which might be safer in terms of really being sure you have covered everything.
Then you restore it first without OpenVPN, to see that it works, or figure out what goes wrong. And then take the original backup and just restore the OpenVPN part.
-
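As an added example (not code from this thread, and not pfSense's own tooling), a small Python script for the two things discussed above: remapping the driver names in a config.xml backup and comparing the interface assignments of two backups, and trimming a backup down to its openvpn section for a partial restore. The XML below is constructed for the example and assumes pfSense's layout of `<interfaces>/<name>/<if>` for driver names, with `<vlans>/<vlan>/<if>` and `<vlanif>` for VLAN parents; the driver names are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a pfSense config.xml backup (assumption: the
# real file nests these sections the same way under <pfsense>).
OLD_APU = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2.10</if><descr>VLAN10</descr></opt1>
  </interfaces>
  <vlans><vlan><if>igb2</if><tag>10</tag><vlanif>igb2.10</vlanif></vlan></vlans>
  <openvpn><openvpn-server><vpnid>1</vpnid></openvpn-server></openvpn>
</pfsense>"""


def interface_map(xml_text):
    """Return {logical name: driver device} from <interfaces>, e.g. {'wan': 'igb0'}."""
    root = ET.fromstring(xml_text)
    return {iface.tag: iface.findtext("if") for iface in root.find("interfaces")}


def remap_nics(xml_text, mapping):
    """Rewrite every <if>/<vlanif> whose parent NIC is in mapping.

    VLAN sub-interfaces keep their tag: igb2.10 -> ix2.10 when igb2 -> ix2.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in ("if", "vlanif") and el.text:
            base, _, tag = el.text.partition(".")
            if base in mapping:
                el.text = mapping[base] + ("." + tag if tag else "")
    return ET.tostring(root, encoding="unicode")


def diff_assignments(xml_a, xml_b):
    """Logical interfaces whose driver name differs between two backups."""
    a, b = interface_map(xml_a), interface_map(xml_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def only_section(xml_text, section):
    """Keep just one top-level section (e.g. 'openvpn') for a partial restore."""
    root = ET.fromstring(xml_text)
    for child in list(root):
        if child.tag != section:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Check the physical port behind each driver name on the new box first, as Gblenn describes, before feeding the real backup through remap_nics.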
@Gblenn said in New hardware - not working with config from old hardware:
@Gertjan said in New hardware - not working with config from old hardware:
Normally, a backup of the config is to be used for that device.
Using it on another device will give issues if the NIC driver names, or their order as they are encountered during kernel boot, differ.
My guess is it's something to do with how the NICs are assigned during boot. If they have the same names (igb0, 1, 2 etc.) you should typically be fine. But if the Sophos HW has more or fewer than the 4 in the APU, you might get some mismatch in the assignment. Also, the order relative to the physical ports on the unit (left to right) might be different from what you think...
Yes, actually the Sophos hardware has 8 ports. The first 4 were not visible at all. I found the LAN one after the fresh install by connecting the cable from my laptop to all connectors until I could ping the firewall.
When I imported the backup, the same port was still LAN. Then I tested different ports to find WAN and the port used for the VLANs.
I have been able to reuse the backup and move between ixN, igbN and virtual NICs simply by editing the xml. But you need to know the mapping towards the physical interface.
In this case the names of the Interfaces were the same, so I was happy at first...
One way of checking could be to start from scratch on the Sophos HW, configure the ports and perhaps one or two VLANs. Save the backup and then compare with the one from the APU...
That is a good idea!
What is strange to me, is that it seems random what works and does not. First one thing works, then it stops, then the next thing works. Seemed to be the Firewall rules that did not work consistently.
This is scary, since people rely on the firewall and the tunnels for work. It would feel better if things did not work at all, and then after fixing started to work.
-
@Gblenn said in New hardware - not working with config from old hardware:
@utvecklarn When you import, you can select the parts you want, and OpenVPN is one of them. So you can edit the xml to remove it entirely. Or perhaps remove it before backing up, which might be safer in terms of really being sure you have covered everything.
Then you restore it first without OpenVPN, to see that it works, or figure out what goes wrong. And then take the original backup and just restore the OpenVPN part.
Thank you! Now I feel like a fool. I see now that I can choose what parts to import. The other rules are pretty simple, so the best way would probably be to make the settings for everything with LAN and VLANs first, and then just import OpenVPN. The OpenVPN part actually seemed to work all the time during the short testing.
Removing it before backup seems a little scary, since I have a working old system as it is. So I can quickly just change it back, and everything will work. But I now have an idea: I might have another APU lying around. Then I could restore the backup to that one, see if it works, then remove everything but OpenVPN, and then export. But the rules for VPN connect them to different VLANs, so those need to be added last.
-
You should just be able to import the existing config. Since the NIC/driver types are the same it will just import without any re-assignment meaning, as you found, you will have to discover the new assignment order since they may not be parsed in the same order.
But seemingly dynamic changes like that are probably some conflict. Like NICs creating a loop or something else handing out DHCP leases.
-
@utvecklarn said in New hardware - not working with config from old hardware:
Yes, actually the Sophos hardware has 8 ports. The first 4 were not visible at all. I found the LAN one after the fresh install by connecting the cable from my laptop to all connectors until I could ping the firewall.
I think I would focus on figuring this one out first. You should be able to see all 8 ports, so there must be something here that you need to work on?
I have been thinking about Sophos HW to use for my firewall, and as far as I understand there isn't anything "special" about them. Except the SSD that might be locked from installing anything else on it (but that's apparently simple to get around?)
What is strange to me, is that it seems random what works and does not. First one thing works, then it stops, then the next thing works. Seemed to be the Firewall rules that did not work consistently.
I agree, that does not sound normal at all, but I doubt it's a pfSense thing actually.
The other rules are pretty simple, so the best way would probably be to make the settings for everything with LAN and VLANs first, and then just import OpenVPN. The OpenVPN part actually seemed to work all the time during the short testing.
Removing it before backup seems a little scary, since I have a working old system as it is. So I can quickly just change it back, and everything will work. But I now have an idea: I might have another APU lying around. Then I could restore the backup to that one, see if it works, then remove everything but OpenVPN, and then export. But the rules for VPN connect them to different VLANs, so those need to be added last.
Well, if the setup is simple to replicate, perhaps it will help you isolate the problem if you start fresh. Then you can import the real stuff when you are done. But I would still investigate why you can't see all the ports that the HW has.
-
Hi all,
I realized that I did never get back here and tell you how it went.
I did run on the old hardware for a while until it got unbearable. I then thought to go back and test the different things suggested here, but when I started the new firewall again, everything just worked. All interfaces were there etc. I have now run it for several months with no issue. And the problem with the VPN that went down on the old firewall is also solved, so it must have been too slow hardware. My thought is that it needed one more reboot(?) Maybe an update to get all drivers working or something?
@Gblenn said in New hardware - not working with config from old hardware:
I have been thinking about Sophos HW to use for my firewall, and as far as I understand there isn't anything "special" about them. Except the SSD that might be locked from installing anything else on it (but that's apparently simple to get around?)
Yes, I actually did not even try to install pfSense on the current SSD. I just installed a new SSD. And yes, it seems to be just an ordinary computer with many NICs.