Configuring New XG-2758 with current FW-7535 config?

  • Hi all,
    The company I work for is making some long overdue improvements in the "IT" world.

    I have looked over the recommended documents and have browsed through the forums, and have found a TON of great information.

    We have a very small IT team here, and my knowledge of Netgate/pfSense is at a beginner/amateur level. So I was hoping that I could bother the experts here for tips on ensuring this is a straightforward process for our company, and give a somewhat detailed explanation of our network environment so that if we needed a more powerful firewall (looking at the XG-2758) we would be prepared.

    My current task is upgrading our Netgate FW-7535 that is running pfSense 2.1.4 on FreeBSD 8.3-RELEASE-p15 (yes, this version is ages old and I know it is a big NO-NO to be running software this ancient).

    I started here about a year ago and have been told that since 2012 our company has almost quadrupled in size. We currently have Comcast Business internet and will be upgrading to fiber in the next month or two.

    Currently have about:

    50 office/PC users – light internet usage, almost all work is done via Remote Desktop to our SQL Server located onsite running our ERP software. Outside web browsing consists of checking business Gmail, using shipping sites for sending products (UPS/FedEx, etc.) and basic internet browsing.

    10 thin clients running no OS, strictly used to remote in to the SQL server for weighing product/printing labels.

    12 network Label printers

    13 standard network printers

    20 scan guns

    5 UniFi Access Points used only for scan gun traffic

    1 Barracuda device onsite for local evening backup as well as the cloud

    1 telnet server that our scan guns remote into

    1 ecommerce server for our online site; this site is very lightweight, we list our product codes, 2 text fields for descriptions 1 and 2 of products, and a unit of measure column for our product. Nothing too intensive.

    We’ve got about 40 total “OpenVPN” users with AES-128 encryption – however, only about 5-10 users (max) will be connected during the day, and they are strictly using our SQL server to access our ERP software.

    We also have (2) site-to-site VPNs set up. Essentially 2 storage facilities, each with a PC, label printer, and scan gun.

    50 Polycom VoIP phones through Comcast (converged network) with an Edgewater device in house.

    5 Honeywell DVRs for security cameras

    We are a medium to large sized business and our current Netgate hardware is on the very low end.

    Now, we recently upgraded all of our network switches in the office from the cheap, unmanaged black boxes to (1) HP Layer 3 48-port switch and (5) HP Layer 2 48-port managed switches.
    We have (2) VLANs set up – 1 for scan guns and 1 for phones, as well as our main 192.168.1.x scope.

    The Layer 3 switch does all of the VLAN routing/traffic for both VLANs as well as the main scope, and we have a DHCP server for both VLANs as well as our main scope.
    We’ve got some pretty basic NAT rules for accessing cameras via our public IP, as well as rules for our eComm server and our Synology drive, but aside from that our current Netgate firewall doesn’t have too many rules/apps running.

    I have backed up our OpenVPN certificate as well as the .XML file of our current configuration.
    When it comes to installing and configuring the new firewall (XG-2758), can I restore the exported configuration file of our current unit and not have to manually configure our rules/site-to-site/OpenVPN files?

    If the basic rules/WAN configs can be restored that would be awesome. Ideally, though, I wouldn’t have to resend 40 people new OpenVPN install files.
    Would I be able to import or restore our current OpenVPN certificate so our users could use the same file they are using now, OR would I have to send out updated OpenVPN installs to everyone?

    Any help or recommendations on the process would be much appreciated. Also, based on our network environment, will the XG-2758 suffice?

  • The FW-7535 should be quite fast as it is. But I guess it is a few years old, and the new devices like you mention have 10 gig Ethernet etc., so they can potentially really fly along if the rest of your network and the upstream ISP(s) can keep up.

    I will just comment on the config transfer.

    1. Old configs fully upgrade themselves fine when you upgrade the pfSense software in an existing box, or if you restore an old config to a (new) box that already has a newer version of pfSense software.

    2. The only changes you will need to the config are reassigning interfaces. You can back up the config from the old device, restore it onto the new device, and then on the new device console it will prompt about an interface assignment mismatch, and you can go through the process on the console to assign the interfaces to the needed physical ports.
      Or you can get the new system with a default config and have a look at what the device names are (em0, em1, vr0 or whatever). Find the interfaces section of the old config you backed up from the old system. Look in the <wan>, <lan>, <opt1> etc. interface sections and change the device name as desired. As you have VLANs, you should also look in the VLAN section of the config and make corresponding changes there. Then restore to the new system and it should boot directly without needing to reassign interfaces using the console.

  • Awesome, thank you for the advice!!!

  • [ assuming bumping old thread better than starting new on similar topic ]

    This is the second time I've run into this problem … upgrading old (Soekris) hardware with new (Netgate) hardware. Unbox, plug in, get going, then "ok, time to restore previous configuration".

    And ... doh! Forgot that since the interface details change the box won't boot. Frustrating detour ensues figuring out how to get console access, finding/installing serial drivers that haven't been used in 3 years and it's a new laptop, etc, etc, just to get through the dialog to tell it that WAN and LAN are the "somewhat obvious" choices.

    I realize this is a very corner case (how often are old configs restored to bring up a replacement bit of hardware). Still, it's a frustrating trap when the router reboots and "doesn't come up" and then you realize "damn, the interface change problem again". Would be nice if maybe the config-restore code at least checked for this and warned you / guided you.

    Once I puzzled out the console connectivity and went through i/f assignment of course everything was fine. Just frustrating to fall into that hole...

  • Just affirming Phil's instructions that you can edit the interface names fairly easily in the .xml config file; I just did my last Soekris -> SG-xxx upgrade, and this time, instead of going the console method, I just saved (backed up) the prior configuration, edited the xml file to change the <if>blah</if> entries as appropriate, then restored from that modified configuration onto the new hardware. Worked fine.

    I would resist the temptation to change anything else that you don't need to change "while you are there". I started to reorganize my choice of opt1 vs opt2 etc and quickly realized that had many other implications (e.g., rules); so of course I reverted all that and started over with discipline to just update for the emX -> igbX changes.

    Which method (console vs edit the xml file) you prefer seems to be a matter of preference; both are pretty simple.
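The XML-edit method Phil and the previous poster describe, as an added example that is not part of the thread or of pfSense itself: it rewrites the `<if>` and `<vlanif>` device names in a backed-up config.xml (assuming the usual `<interfaces>`/`<vlans>` layout and the old `parent_vlanTAG` VLAN naming) and first reports any old NIC that was left without a new name, which is exactly what would otherwise drop you into the console mismatch prompt. The sample config below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of an old em*-based pfSense config.xml.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><descr>SCANGUNS</descr><if>em1_vlan10</if></opt1>
    <opt2><enable/><descr>PHONES</descr><if>em1_vlan20</if></opt2>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1_vlan10</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><vlanif>em1_vlan20</vlanif></vlan>
  </vlans>
</pfsense>
"""

BASE_DEV = re.compile(r"^([A-Za-z]+\d+)")  # em1_vlan10 -> em1, igb1.10 -> igb1

def device_refs(root):
    """Yield every <if>/<vlanif> element, wherever it sits in the config tree."""
    for tag in ("if", "vlanif"):
        yield from root.iter(tag)

def physical_devices(xml_text):
    """Physical NIC names the config refers to (VLAN suffixes stripped)."""
    refs = (BASE_DEV.match(el.text or "") for el in device_refs(ET.fromstring(xml_text)))
    return {m.group(1) for m in refs if m}

def unmapped_devices(xml_text, nic_map):
    """Old NICs with no new name: these are what trigger the console mismatch prompt."""
    return physical_devices(xml_text) - set(nic_map)

def remap_config(xml_text, nic_map):
    """Return (new_xml, count) with every old device name replaced, keeping VLAN
    suffixes (em1_vlan10 -> igb1_vlan10). Whole names only, so em1 never hits em10."""
    root = ET.fromstring(xml_text)
    alts = "|".join(re.escape(n) for n in nic_map)
    pattern = re.compile(r"^(%s)(?=$|[._])" % alts)
    count = 0
    for el in device_refs(root):
        old = el.text or ""
        new = pattern.sub(lambda m: nic_map[m.group(1)], old)
        if new != old:
            el.text, count = new, count + 1
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), count
```

On a real backup, read the file as bytes, check `unmapped_devices(data, {"em0": "igb0", "em1": "igb1"})` is empty, then write out the first element of `remap_config(data, ...)` and restore that file. The old-name-to-new-name mapping comes from the device names the new box shows with its default config, as described above.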
