Migration Advice - Moving to New CPU/MoBo
-
I'm upgrading my pfSense box to a new CPU/MoBo combo. I'm looking for some tips on how to avoid prolonged downtime due to configuration mismatches between my current config and the new setup.
My current system has 4 1GbE NICs. I'm using 1 for WAN, and 2 are in a LAGG that connects to my core switch for all my local VLANs. This is my main concern because the new system only has 2 onboard 10GbE NICs and I've got an add-on card with 4 1GbE NICs.
The plan is to re-install pfSense from scratch on the new system and import my config but I know the interfaces are certainly going to get mismatched and I'm not very comfortable with the CLI. What's my best strategy here?
-
Build the new system
Set up your interfaces with the same names (or rename your present system interfaces if you plan to use different names)
Save your entire config from the old machine.
Selectively restore different portions of your config to the new firewall.
(Don't restore the interfaces.) I only restore the options I'm currently using, i.e. no reason to restore DNS Forwarder if you're not using it.
Keep the new box offline until you fully test it. :)
-
Ok so I installed pfSense, accessed the WebGUI and started to restore different portions, minus the interfaces. All was well until I realized there is no way to restore certs from the WebGUI so I edited the backup XML taking out the interfaces and a few other items I didn't need to restore. Upon restoring the whole config, the firewall restarted and now it's hung at:
Waiting for Internet connection to update pkg metadata…
Obviously something got screwed up with my WAN interface but it won't get much further than this.
What now?
EDIT: Looks like this is a bug with the package re-installation.
https://redmine.pfsense.org/issues/7604
-
Ok so I installed pfSense, accessed the WebGUI and started to restore different portions, ….
But then :
Waiting for Internet connection to update pkg metadata…
Consider your "config.xml" as a guideline (print it out), but do not import it.
Make your WAN work - can't be much of a hassle to get online.
Updates/upgrades should work.
pfSense never published a version that couldn't upgrade/update, most often a broken DNS or whatever config other issue stops it from doing so.
All was well until I realized there is no way to restore certs from the WebGUI
Certs backup and restore just fine …
Upon restoring the whole config, the firewall restarted and now it's hung at:
As said above : install from scratch, make LAN and then WAN working.
Then proceed step by step, be ready to do the step backwards that makes it all fail …
-
Where can you restore just the certs?
-
The certs can be found as <cert>…</cert> pairs in the config.
But, be careful, all these <caref>...</caref> inside them are used in other places (where the certs are used) should also be included, if not => bad things will happen. It's this aspect that makes certs difficult to import or export separately.
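
The reference problem described in the last answer can be checked before a hand-edited backup is restored. This is an added example, not code from the thread or from pfSense. It assumes each `<ca>` entry carries a `<refid>` that `<caref>` elements point to, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real pfSense backup. Assumed layout: every <ca>
# entry has a <refid>, and a <caref> anywhere in the file names one of them.
SAMPLE_CONFIG = """<pfsense>
  <ca><refid>ca-0001</refid><descr>Home CA</descr></ca>
  <cert><refid>cert-0001</refid><descr>GUI cert</descr><caref>ca-0001</caref></cert>
  <cert><refid>cert-0002</refid><descr>VPN cert</descr><caref>ca-0002</caref></cert>
  <openvpn><openvpn-server><caref>ca-0001</caref></openvpn-server></openvpn>
</pfsense>"""


def audit_carefs(config_xml):
    """Return (set of CA refids present, list of (owner, caref) with no matching <ca>)."""
    root = ET.fromstring(config_xml)

    # Every CA that actually exists in this (possibly trimmed) config.
    known = set()
    for ca in root.iter("ca"):
        refid = (ca.findtext("refid") or "").strip()
        if refid:
            known.add(refid)

    # ElementTree has no parent pointer, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}

    dangling = []
    for ref in root.iter("caref"):
        value = (ref.text or "").strip()
        if value and value not in known:
            owner = parents[ref]
            # Prefer the human-readable description, fall back to the tag name.
            label = owner.findtext("descr") or owner.tag
            dangling.append((label, value))
    return known, dangling


if __name__ == "__main__":
    known, dangling = audit_carefs(SAMPLE_CONFIG)
    print("CAs present:", sorted(known))
    for owner, caref in dangling:
        print(f"'{owner}' references CA {caref}, which is not in this file")
```

An empty second result means every `<caref>` in the edited file still has the CA it points to.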