Move existing firewalls in HA mode to new hardware and IP addresses
-
We are currently using pfSense in HA mode with BGP.
We want to change both the firewalls to new hardware and we do have a new block of IP addresses.
The old firewalls are running 2.2.6 and I don't really want to do anything with those. So my plan is to do this:
Install pfSense 2.2.6 on the new firewalls.
Export the config from the old firewalls.
Edit the config.xml file.
Change the interface names and IP addresses.
Then import it to the new firewalls.
Upgrade those to 2.3, then upgrade to 2.4.x.
Does this make sense, or am I missing something here?
-
> We are currently using pfSense in HA mode with BGP.
If it is running well for you and yours, don't touch it! Let it run until the new hardware is installed and proven by you. If it were my turn to do this, I would take the new hardware and install version 2.4.1 on it first, and if everything is configured right and working I would leave it there; if something is broken or not running well, I would install version 2.4.0 and wait until version 2.4.2 is out.
> We want to change both the firewalls to new hardware and we do have a new block of IP addresses.
> The old firewalls are running 2.2.6 and I don't really want to do anything with those.
Again, if the time is there you might be able to install it right, step by step; that way you can find out if, and where, a problem occurs, and if you save a config backup after every step you may only need to redo the last step. During the upgrade from 2.4.0 to 2.4.1 many problems were seen and reported, and also some (fewer) problems from 2.3.x to 2.4.0. So instead of falling into a deep dark hole and spending the whole time searching for problems, you may be on the safer side and know exactly where and when a problem touches your setup. You may even be faster with a new config, built step by step and proven as you go. HA and BGP are not used by people who have enough time for the whole company to be not working or without any Internet connection!
> So my plan is to do this.
> Install pfSense 2.2.6 on the new firewalls.
Why? Do a fresh and full install on the new hardware and then you will be able to see what is going on with version 2.4.0 or 2.4.1. The time you think you save now must be paid 10 times over if you need to troubleshoot something!
> Export the config from the old firewalls.
> Edit the config.xml file.
Working only on a duplicate might save you the entire file if it does not match the newer boxes well.
> Change the interface names and IP addresses.
> Then import it to the new firewalls.
This point could run without any issues.
> Upgrade those to 2.3, then upgrade to 2.4.x.
Again, there were reported problems upgrading from the older version to 2.4.0 and also to version 2.4.1!!!
> Does this make sense, or am I missing something here?
In older versions ZFS was not offered as an option, and changing to it forces you into a new installation. The other thing is that IPsec VPNs showed up differently after the upgrade and were not working right either. Please have a look at the blog from Netgate about updates and upgrades with version 2.4.x.
pfSense 2.4.0-RELEASE Now Available!
> Alternately, reinstall pfSense 2.4.0 directly and restore the configuration.
pfSense 2.4.1-RELEASE Now Available
> PPP sessions on VLAN parent interfaces will not work on 2.4.1, see #7981. This has been fixed on 2.4.2 which is due out shortly.
Another way to realize it, without much hassle and without losing too much time, could be: install version 2.2.6, swap over the entire config, change the IP settings, then upgrade to 2.3.4-p1 and save the config.xml file again, then do a fresh and full install of version 2.4.1 and play the config.xml file back in. That isn't less hassle, but it is the most compatible, and you get ZFS with TRIM support enabled by default too, and on top of this the AES-NI settings will be set up tight and right, instead of not set up right or showing wrong, as seen on many upgraded installations.
-
I should have specified that we are also moving to a new location, so the two old firewalls will stay until we shut down that cabinet. So setting up the new firewalls will be in a new cabinet with new IPs and connections.
By moving the config I was hoping to save some time. Setting up all the IP addresses, rules, users, etc. is a ton of work.
I don't think you can use the 2.2.6 config on 2.4? The upgrade path specified by Netgate for 2.2.x to 2.4 requires a stop at 2.3.x first.
Basically, I am trying to get a workable config.xml I can use. If I follow the upgrade path to 2.4 and have a workable config, I can blow that out, reinstall 2.4.x, then import the config.
I appreciate you taking the time to write that long response, very kind of you.
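The config.xml edit the OP plans in the first post (change the interface names and IP addresses) and the "workable config.xml" he is after in the follow-up, as an added example; this Python script is not from the thread, from Netgate or from pfSense. It renames the physical NICs in every `<if>` element, moves each bare IPv4 address in the old block to the same host offset in the new block (CARP VIPs, gateway entries and rule addresses included), and then lists old-block addresses that survive inside longer strings such as alias lists or package configs, which a field-by-field edit silently misses. The sample config, the em*/igb* names and the RFC 5737 blocks are constructed; the tag layout follows pfSense's config.xml but a real file is far larger.

```python
"""Renumber and re-NIC a pfSense config.xml for a hardware/IP move.

Added example, not the poster's or pfSense's code. The config below is a
constructed, heavily trimmed pfSense-style file using RFC 5737 addresses.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.11</ipaddr><subnet>28</subnet><gateway>WANGW</gateway></wan>
    <lan><if>em1</if><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>SYNC</descr><ipaddr>172.16.1.1</ipaddr><subnet>30</subnet></opt1>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>203.0.113.1</gateway><name>WANGW</name></gateway_item>
  </gateways>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet><subnet_bits>28</subnet_bits><vhid>1</vhid></vip>
  </virtualip>
  <aliases>
    <alias><name>OldPublicHosts</name><type>host</type><address>203.0.113.12 203.0.113.13</address></alias>
  </aliases>
  <filter>
    <rule><interface>wan</interface><source><address>203.0.113.12</address></source><destination><any/></destination></rule>
  </filter>
  <hasync><pfsyncinterface>opt1</pfsyncinterface><synchronizetoip>172.16.1.2</synchronizetoip></hasync>
</pfsense>
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed NIC naming: base driver+unit (em0) plus an optional suffix (em0_vlan100).
NIC_RE = re.compile(r"^([a-z]+\d+)(.*)$")


def _in_block(text, net):
    """True if text is a single valid address inside net (wrong version/garbage -> False)."""
    try:
        return ipaddress.ip_address(text) in net
    except ValueError:
        return False


def rename_interfaces(root, if_map):
    """Swap physical NIC names in every <if> element, keeping any suffix.
    Returns the number of elements changed."""
    changed = 0
    for elem in root.iter("if"):
        m = NIC_RE.match((elem.text or "").strip())
        if m and m.group(1) in if_map:
            elem.text = if_map[m.group(1)] + m.group(2)
            changed += 1
    return changed


def renumber(root, old_cidr, new_cidr):
    """Move every text node that is exactly one IPv4 address in old_cidr to the
    same host offset in new_cidr. Returns a list of (tag, old, new)."""
    old = ipaddress.ip_network(old_cidr)
    new = ipaddress.ip_network(new_cidr)
    if old.prefixlen != new.prefixlen:
        # A different mask means <subnet>/<subnet_bits> must change too; do that by hand.
        raise ValueError("old and new blocks must have the same prefix length")
    changes = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not _in_block(text, old):
            continue  # names, masks, 'on', addresses outside the block
        offset = int(ipaddress.ip_address(text)) - int(old.network_address)
        repl = str(new.network_address + offset)
        changes.append((elem.tag, text, repl))
        elem.text = repl
    return changes


def find_stragglers(root, old_cidr):
    """Old-block addresses embedded in longer strings (alias lists, raw package
    config, descriptions) that renumber() leaves alone. Returns (tag, text) pairs."""
    old = ipaddress.ip_network(old_cidr)
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if any(_in_block(a, old) for a in IPV4_RE.findall(text)):
            hits.append((elem.tag, text))
    return hits


def migrate(config_xml, if_map, old_cidr, new_cidr):
    """Apply both edits; return (new_xml, nics_renamed, ip_changes, stragglers)."""
    root = ET.fromstring(config_xml)
    nics = rename_interfaces(root, if_map)
    ips = renumber(root, old_cidr, new_cidr)
    left = find_stragglers(root, old_cidr)
    return ET.tostring(root, encoding="unicode"), nics, ips, left


if __name__ == "__main__":
    xml_out, nics, ips, left = migrate(
        SAMPLE_CONFIG, {"em0": "igb0", "em1": "igb1", "em2": "igb2"},
        "203.0.113.0/28", "198.51.100.0/28")
    print(f"renamed {nics} NICs, moved {len(ips)} addresses")
    for tag, old, new in ips:
        print(f"  <{tag}> {old} -> {new}")
    for tag, text in left:
        print(f"  STILL OLD: <{tag}> {text}")
    # Write xml_out to a file and restore it via Diagnostics > Backup & Restore.
```

Run it against a copy of the exported file, as the reply advises, not the only one you have; anything printed as STILL OLD (here the alias with two old hosts) needs a manual edit before the restore. The script refuses to move between blocks of different prefix length on purpose, because then every `<subnet>` and `<subnet_bits>` in the affected sections must change as well.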