Pfsense backup - automated without Gold on Windows Only

  • Hi all

    Not sure where to post this, but I found a neat little command-line tool for Windows to back up the pfSense config.xml. You can create a scheduled task based on this.

    Just download and unzip the file.

    Run pfsensebackup.exe with these options:

    pfSense Backup Tool v2.4.1 by Koen Zomers

    ERROR: No arguments provided

      pfSenseBackup.exe -u <username> -p <password> -s <serverip> [-v <pfsense version> -o <filename> -usessl -norrd -nopackage]

    u: Username of the account to use to log on to pfSense
    p: Password of the account to use to log on to pfSense
    s: IP address or DNS name of the pfSense server
    v: PFSense version. Supported are 1.2, 2.0, 2.1, 2.2 and 2.3 (2.2 = default, optional)
    o: Folder or complete path where to store the backup file (optional)
    e: Have pfSense encrypt the backup using this password (optional) RECOMMENDED
    t: Timeout in seconds for pfSense to retrieve the backup (60 seconds = default, optional)
    usessl: if provided https will be used to connect to pfSense instead of http
    norrd: if provided no RRD statistics data will be included
    nopackage: if provided no package info data will be included
    silent: if provided no output will be shown

      pfsenseBackup.exe -u admin -p mypassword -s
      pfsenseBackup.exe -u admin -p mypassword -s
      pfsenseBackup.exe -u admin -p mypassword -s -usessl
      pfsenseBackup.exe -u admin -p mypassword -s -o c:\backups -norrd
      pfsenseBackup.exe -u admin -p mypassword -s -o c:\backups\pfsense.xml -norrd -nopackage
      pfsenseBackup.exe -u admin -p mypassword -s -o "c:\my backups"
      pfsenseBackup.exe -u admin -p mypassword -s -e "mypassword"
      pfsenseBackup.exe -u admin -p mypassword -s -t 120

      A timestamped file containing the backup will be created within this directory unless -o is being specified

    If you use SSL then make sure you use the -usessl flag, otherwise you'll get this error:

    Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

  • Rebel Alliance Developer Netgate

    I would not encourage anyone to pass their firewall credentials to a pre-compiled binary of any kind, especially one for windows.

  • LAYER 8 Moderator

    Also, if you need to run an .exe via Tasks anyway, you could - without much effort - run an scp or sftp client that copies the config.xml from the config directory to the local drive (or any other config.xml file that is available via config history). As you could run this with a "normal" pfSense user that only needs ssh / shell usage and can run via SSH private keys, that feels like a safer variant of using some precompiled binary with your admin credentials. But that may be just me.
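
The scp approach from the post above, sketched for Task Scheduler as an added example (not code from the thread or from any poster). The host name, account name, key path and backup folder are placeholders, and the remote path assumes the pfSense default location /cf/conf/config.xml.

```powershell
# Added example: pull config.xml over SSH with a key, so no firewall password is
# stored in the task or passed on a command line.
# Assumptions: all names and paths below are placeholders; the firewall's host key
# is already in the known_hosts file of the account that runs the task.
$FirewallHost = 'pfsense.example.lan'                  # placeholder
$BackupUser   = 'cfgbackup'                            # hypothetical non-admin account with ssh access
$KeyFile      = 'C:\ProgramData\pfbackup\id_ed25519'   # placeholder; limit the ACL to the task account
$BackupDir    = 'C:\backups\pfsense'                   # placeholder
$KeepDays     = 30

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir "config-$FirewallHost-$stamp.xml"

# BatchMode=yes: fail instead of prompting when no interactive session exists.
# StrictHostKeyChecking=yes: refuse the connection if the host key is unknown or changed.
& scp.exe -i $KeyFile -o BatchMode=yes -o StrictHostKeyChecking=yes `
    "${BackupUser}@${FirewallHost}:/cf/conf/config.xml" $target
if ($LASTEXITCODE -ne 0) { throw "scp failed with exit code $LASTEXITCODE" }

# Keep the file only if it parses as XML with a <pfsense> root element,
# so an empty or truncated transfer is never mistaken for a backup.
try {
    $xml = [xml](Get-Content -LiteralPath $target -Raw)
    if ($xml.DocumentElement.Name -ne 'pfsense') { throw 'root element is not <pfsense>' }
} catch {
    Remove-Item -LiteralPath $target -Force
    throw "Downloaded file is not a valid pfSense config: $_"
}

# config.xml contains password hashes, VPN keys and certificates:
# restrict access to $BackupDir and prune old copies.
Get-ChildItem -LiteralPath $BackupDir -Filter 'config-*.xml' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Force
```
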

  • I tend to agree with both previous replies, even though I know Koen is a good guy :)

  • I love this but I do have a question.

    This works great on our local network, but we have VPNs set up to other pfSense routers. When I try to back them up I get this.

    pfSense Backup Tool v2.4.1 by Koen Zomers

    Connecting using protocol version 2.3
    Requesting backup file
    Retrieving backup file
    No valid backup contents returned

    This is what I ran, and the IP is going over the IPsec VPN.

    I:\pfsense\pfSenseBackup\pfSenseBackup2.4.1.exe -u admin -p removed -s -v 2.3 -o I:\pfsense\backups\kron\

    I can access the IP via SSH and HTTP over our VPN, but the backup fails with "No valid backup contents returned". I have never seen this, but I have never tried to back up over the VPN before.

    EDIT: I also tried v2.4.2, and we are on pfSense 2.3.3-RELEASE-p1.

    EDIT Number 2: Never mind, I found it in the readme, go figure.

    2.4.2 - released February 22, 2017 - download - 10 kb

    There was a minor modification to the backup page in pfSense 2.3.3. Added support for 2.3.3 and made it the default version. So if you're on 2.3.3 you don't need to provide the -v flag. If you're still on 2.3 you need to provide the -v 2.3 still.