Migration Path
-
Hey folks,
I am having a small 2-NIC Appliance running pfsense so far, which did its duty for over 3 years. Now I got my hands on a WatchGuard XTM 5 firewall appliance with 7 ports, running pfsense as well (same version).
Looking only at the configuration of pfsense, what is the smartest way to migrate? The rules should mostly stay the same. The appliance has 6 ports: 1 uplink, and the remaining 5 will be joined together like a switch.
I really, really dread re-doing all the rules; I have oodles and oodles of them! :/
In my mind I just whack the new appliance with the saved configuration from the old one. Using the serial console I will set up the LAN/WAN ports again, join the 4 remaining ports to the one LAN port and off I go.
How many pitfalls am I blissfully ignoring here? :)
Cheers,
-Chris.
-
You should be ok with just backing up your current configuration and restoring it to the new unit. The only "pitfall" is that you'll have to redo the interface assignments again from the console menu on first boot after restoring the configuration to the new unit.
join the 4 remaining ports to the one LAN port
Don't do this, pfSense makes a very bad switch, get a proper dedicated switch instead.
-
- Do a default install on the Watchguard first. Backup the config and have a look in it to see what are the FreeBSD device names of WAN and LAN.
- Backup the config of your existing pfSense system. Edit it to change the FreeBSD device names of WAN and LAN to match what the Watchguard uses.
- Restore the edited config to the Watchguard.
Now you have a Watchguard running with WAN and LAN.
Presumably you already have a switch of some sort on your LAN. Leave that switch in place - do not bother messing about trying to bridge a bunch of ports on the Watchguard. An ordinary switch will be much quicker at passing LAN traffic between LAN devices.
If you want to segregate various devices that are all currently on LAN (e.g. to keep them secure from each other, keep guests off your main LAN…) then use Interfaces->Assign to add interfaces for the extra ethernet on the Watchguard and move the devices (with a switch on each ethernet or a VLAN switch segregated into multiple VLANs or...) to the appropriate interfaces. Put the appropriate rules on each interface to let the devices access what you let them.
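The config-editing step in the post above (take the FreeBSD device names from a default-install backup of the new box, then rewrite the old backup to use them before restoring) is easy to get wrong by hand when the same device name also appears under VLANs or other interface definitions. The script below is an added example, not from this thread or from the pfSense project: it rewrites every `<if>` element in a backup according to a mapping and reports any device name the mapping does not cover, so you can check the result before restoring. It assumes the pfSense backup layout where `<interfaces><wan>`/`<lan>` carry an `<if>` child naming the FreeBSD device and `<vlans><vlan>` entries carry `<if>` and `<vlanif>`; the sample config and the `em0`/`igb0` device names are constructed placeholders, not the names of any real box in the thread.

```python
"""Rewrite FreeBSD NIC device names in a pfSense config.xml backup.

Added example for the migration steps described in the thread; not code
from the forum thread or the pfSense project. Assumes the backup keeps the
device name in <if> children of the interface and VLAN entries. All device
names below are constructed placeholders.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of a backup from the old 2-NIC box.
OLD_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if><descr>WAN</descr></wan>
    <lan><enable></enable><if>em1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1.10</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Old device name -> name reported by the default install on the new box.
# Constructed placeholders; fill this in from the two backups you took.
DEVICE_MAP = {"em0": "igb0", "em1": "igb1"}


def collect_devices(xml_text):
    """Return the set of device names referenced by <if> elements.

    Run this on the default-install backup of the new box to see what
    names it uses, and on the rewritten old backup to confirm the result.
    """
    root = ET.fromstring(xml_text)
    return {n.text.strip() for n in root.iter("if") if n.text and n.text.strip()}


def rewrite_interfaces(xml_text, device_map):
    """Return (rewritten XML text, list of device names not in device_map).

    Anything in the second list would be restored unchanged and end up
    pointing at a NIC that does not exist on the new hardware.
    """
    root = ET.fromstring(xml_text)
    unmapped = []
    for node in root.iter("if"):
        name = node.text.strip() if node.text else ""
        if name in device_map:
            node.text = device_map[name]
        elif name and name not in unmapped:
            unmapped.append(name)
    # VLAN interface names embed the parent device (em1.10), so fix those too.
    for node in root.iter("vlanif"):
        parent, dot, tag = (node.text or "").strip().partition(".")
        if dot and parent in device_map:
            node.text = f"{device_map[parent]}.{tag}"
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0"?>\n' + body, unmapped


if __name__ == "__main__":
    # Usage: python rewrite_ifaces.py old-config.xml new-config.xml
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        rewritten, missing = rewrite_interfaces(fh.read(), DEVICE_MAP)
    if missing:
        sys.exit(f"unmapped device names, refusing to write: {missing}")
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    print(f"wrote {dst}; devices now: {sorted(collect_devices(rewritten))}")
```

The script refuses to write the output when it finds a device name the mapping does not cover, which is the case worth catching: a stale name restores without complaint and you only find out when the interface assignment menu shows an interface bound to a NIC that is not there.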
-
Hey,
Thank you all for your very timely replies. Helped a lot!
While on the subject (cough), anyone got some info regarding installing pfsense on a Watchguard? What I gathered from (rather old) howtos is: yank out the CF card, install pfsense (standard edition, embedded kernel) on a real PC onto a spare SSD, place said SSD into the Watchguard and off I go. The rest should be doable via the console port.
Right? :)
-Chris.
-
@kpa:
Don't do this, pfSense makes a very bad switch, get a proper dedicated switch instead.
Little off-topic but I think it's important to mention it. It's bad because those are not switch ports but separate network interfaces. While it has only two interfaces, SG-1000 has switch ports. And pfSense learned how to use them. The devices we are working on will have more switch ports ;)
-
Hey all,
Thanks for the port info. :)
I average roughly 2mbit/s and no matter how slow/bad it's implemented I hope pfsense can then manage that on joint interfaces. I have 3U of height available, 2 servers and 1 pfsense, so I can't afford (space) another appliance. pfsense does not have to excel, it just should perform. There might be spikes ranging up to 1gb/s but that's bulk transfer and if that's a little slower no one would notice :)
-Chris.