Netgate Discussion Forum

    Consolidate 2 PFsense machine into one machine

    General pfSense Questions
    16 Posts 3 Posters 1.4k Views

    • maverickws

      OK, so basically it is what skogs said: simply deploy the new VMs on the new servers, put the configurations in as needed, then migrate the connections to them. The last time we made a similar migration we actually attributed new IPv4 addresses to the WAN connection so the new VMs had internet connectivity, then it was only a matter of connecting the switches to them.

      But allow me to say that we also use a XenServer pfSense VM solution and we are quite happy with the result. The WAN is delivered through a switch, not routed through the Xen host.

      • waimun.wong

        Thanks @skogs and @maverickws for the reply. I'm actually more concerned about the configuration of the pfSense, e.g. the VPN and firewall rules. I'm wondering whether there is an easier way, e.g. using the CLI or a script, rather than reconfiguring the rules one by one.

        The approach I will take is to spin up the new VM instance in the XenServer and install pfSense into it, then back up and restore the first pair's pfSense configuration into the new instance. For the second pair of pfSense, I'm trying to find another possible way to migrate it to the new instance instead of using the GUI to configure it, because the end result will be that the new instance has both configurations from the old units.

        • maverickws @waimun.wong

          @waimun-wong You should only have to configure once, then when you enable pfsync it will sync the config from the primary to the secondary.

          • waimun.wong

            @maverickws Understood. So I guess I will still have to manually configure the configuration via the GUI.

            1st pair running with firmware 2.1.4 (LAN IP 172.16.1.0/24)
            2nd pair running with firmware 2.4.2 (LAN IP 172.16.2.0/24)

            Migration steps:

            1. Spin up a new VM in the new XenServer.
            2. Install pfSense with firmware 2.4.2 into the new VM.
            3. Back up and restore the config from the old unit (firmware 2.4.2) into the new pfSense VM and change the pfSense IP address (LAN IP 172.16.0.1/21).
            4. Manually configure the config from the old unit (firmware 2.1.4) into the new pfSense VM via the GUI.
            5. Enable pfsync on the new pfSense VM to sync the configuration to the HA unit.

            Guess that will be my approach.

            • maverickws @waimun.wong

              @waimun-wong It's wiser to have the same software version on both.
              If you're configuring a new one, I'd do the following:

              1. Spin up a new VM.
              2. Install pfSense 2.5.0 (already available).
              3. Back up the config from the old primary to be replaced.
              4. Restore that config on the new VM.
              5. Check the IPs and adjust the config on the new VM.
              6. Spin up new VM #2.
              7. Enable pfsync (or edit the pfsync details) and check HA.
              • waimun.wong

                @maverickws Because both units are running production traffic, and both of them are running on a single leg due to a previous HA issue which caused both units to be master. So right now both units are running on a single leg. Our client would like to keep that status until we install the new unit and consolidate those 2 pairs into 1 new pair, so we can't do any upgrade on the old units.

                Old unit Pair 1 with LAN IP segment 172.16.1.0/24

                • pfSense A (in XenServer 1) (Active)
                • pfSense B (in Xenserver 2) (Shutdown)

                Old unit Pair 2 with LAN IP segment 172.16.2.0/24

                • pfSense C (in Xenserver 3) (Active)
                • pfSense D (in Xenserver 4) (Shutdown)

                New unit with LAN IP segment 172.16.0.0/21

                • configure in a separated Xenserver (5 and 6)
                • with configuration of both the old pair unit pfSense A and C
                • enable pfSync to sync the config to the HA unit

                Just wondering, is it possible to back up and restore the config from an older version of pfSense to a newer version of pfSense?

                    • waimun.wong @waimun.wong

                    Old unit Pair 1 running with firmware 2.1.4
                    Old unit Pair 2 running with firmware 2.4.2

                    • maverickws @waimun.wong

                      If that was me I would plan some downtime (for example after business hours) to make the shift.

                      From the information you provide, you are going to change the LAN for the machines inside your network, which means they'll have to connect to the new firewall, which means somehow connecting them to a new network/switch, gaining new IPs and a new gateway etc. There'll always be a bump. So I would schedule this for a period of least traffic.

                      It is possible to restore the config from an older version to a newer one; however, since for some reason you say HA is not working, I would probably not use that method, and would instead make the whole configuration from scratch.

                      You can spin up the new pfSense VMs and test pfsync; you can attribute different WAN addresses for a period of configuration and testing, then put the definitive addressing up. I don't know how you deliver WAN, so different cases will have different approaches.

                      • waimun.wong

                        Thanks @maverickws. The purpose of this revamp:

                        • They want to use only a single pair of pfSense so that it can handle the traffic for the whole subnet 172.16.0.0/21, e.g. 172.16.1.0/24 for client A, 172.16.2.0/24 for client B, 172.16.3.0/24 for client C and so on.
                        • Initially there are 2 WANs, as in 2 ISPs, 1 for each pair of the old pfSense units. This will now be reduced to only 1 WAN (1 ISP).
                        • I will need to create a few VIPs on the new pfSense as a gateway for each subnet, e.g. 172.16.1.1/24 for client A, 172.16.2.1/24 for client B, assign a VLAN to each of the subnets, and configure some rules so that they won't be able to communicate with each other.
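The isolation requirement in the last post can be checked on paper before cut-over. The Python sketch below is an added example, not from any poster and not pfSense code: it models each client VLAN interface's rules as a constructed top-down, first-match list and reports which client subnets can still reach each other. The client names, the first-host gateway for every subnet, the rule lists and the destination-only matching are assumptions.

```python
import ipaddress

# Constructed from the thread's addressing: one /24 per client inside the /21.
SUPERNET = ipaddress.ip_network("172.16.0.0/21")
CLIENTS = {
    "clientA": ipaddress.ip_network("172.16.1.0/24"),
    "clientB": ipaddress.ip_network("172.16.2.0/24"),
    "clientC": ipaddress.ip_network("172.16.3.0/24"),
}

def layout_ok():
    """Every client subnet sits inside the /21 and overlaps no other client."""
    nets = list(CLIENTS.values())
    inside = all(n.subnet_of(SUPERNET) for n in nets)
    clash = any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and not clash

def first_match(rules, dst_net):
    """Conservative top-down, first-match verdict for traffic towards dst_net.

    A block only counts when it covers all of dst_net; a pass counts as soon
    as it touches any address in it. No match means the implicit default deny.
    """
    for action, dst in rules:
        rule_net = ipaddress.ip_network(dst)
        if action == "block" and dst_net.subnet_of(rule_net):
            return "block"
        if action == "pass" and dst_net.overlaps(rule_net):
            return "pass"
    return "block"

def isolation_gaps(rulesets):
    """Return sorted (source client, reachable other client) pairs."""
    return sorted((src, dst) for src, rules in rulesets.items()
                  for dst, net in CLIENTS.items()
                  if dst != src and first_match(rules, net) == "pass")

def gateway(net):
    """Assumed gateway VIP: first host of the subnet, e.g. 172.16.1.1."""
    return f"{net.network_address + 1}/32"

# Constructed per-interface rule lists as (action, destination) in order;
# the source is assumed to be that interface's own subnet, "any" is 0.0.0.0/0.
CARRIED_OVER = {c: [("pass", "0.0.0.0/0")] for c in CLIENTS}
HARDENED = {c: [("pass", gateway(n)),          # keep the firewall VIP reachable
                ("block", str(SUPERNET)),      # then cut off every other client
                ("pass", "0.0.0.0/0")] for c, n in CLIENTS.items()}

if __name__ == "__main__":
    print(layout_ok(), isolation_gaps(CARRIED_OVER), isolation_gaps(HARDENED))
```

A pass-to-any rule that was harmless on a single-client LAN matches the other clients' subnets once they share one firewall, so `CARRIED_OVER` reports every client pair as reachable while `HARDENED` reports none.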
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.