Got a brand new SG-5100 and a config migration question
-
I currently have pfSense running on a desktop. I would like to just take a backup of the config and drop it in the 5100 through the web GUI. Is that appropriate? Do I need to enable serial console mode? What would be the correct way?
I don't want to brick it :)
Regards,
--Mokey
-
You can modify the exported config.xml before restoring it on the SG-5100 and change the interface names to the ones the SG-5100 uses (igb0-3, ix0-1 if I'm not mistaken). So just check which interfaces you have now and what you want to have on the SG-5100 and change accordingly. Then you should be able to restore it without too much trouble. Otherwise just restore the config and attach the serial console and wait for it to detect the interface mismatch and change it there. :)
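The interface rename described in this reply can be scripted instead of done by hand. The sketch below is an added example, not part of the original post or of pfSense itself: the sample config, the old NIC names (em0/em1) and the mapping are constructed, and it assumes the usual config.xml layout with `<if>` entries under `<interfaces>` and `<vlans>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml from a desktop install with em0/em1 NICs.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>em1.10</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1.10</vlanif></vlan>
  </vlans>
</pfsense>"""

# Assumed mapping; the target names are the ones the post gives for the SG-5100.
NIC_MAP = {"em0": "igb0", "em1": "igb1"}

def remap_name(name, nic_map):
    """Map a physical NIC name, keeping any '.<vlan tag>' suffix intact."""
    base, dot, tag = name.partition(".")
    return nic_map.get(base, base) + dot + tag

def remap_config(xml_text, nic_map):
    """Return (new_xml, changes, unmapped) for interface and VLAN entries."""
    root = ET.fromstring(xml_text)
    changes, unmapped = [], []
    # Assigned interfaces, VLAN parent NICs and VLAN device names.
    nodes = root.findall("./interfaces/*/if")
    nodes += root.findall("./vlans/vlan/if") + root.findall("./vlans/vlan/vlanif")
    for node in nodes:
        old = (node.text or "").strip()
        new = remap_name(old, nic_map)
        if new != old:
            changes.append((old, new))
            node.text = new
        elif old.partition(".")[0] not in nic_map.values():
            # Not in the map and not already a target name: needs manual review.
            unmapped.append(old)
    return ET.tostring(root, encoding="unicode"), changes, unmapped

if __name__ == "__main__":
    new_xml, changes, unmapped = remap_config(SAMPLE_CONFIG, NIC_MAP)
    for old, new in changes:
        print(f"{old} -> {new}")
    print("left unmapped:", unmapped or "none")
```

Run it against a copy of the backup and review the reported changes before restoring; any other section of the file that names a physical NIC is not touched here and still needs a manual check.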
-
There is like no way to completely brick your Netgate device. :-) In the worst case you can just reinstall it: https://docs.netgate.com/pfsense/en/latest/solutions/sg-5100/reinstall-pfsense.html
So your first thing to do, get the newest Image (pfSense-netgate-memstick-serial-2.4.4-RELEASE-p3-amd64.img.gz) to have it in your back pocket if anything goes wrong.
Generally speaking you can always restore a Config File in the GUI, the device will then reboot and that is it. BUT in your case with changing Hardware, after the first reboot the SG-5100 wants you to reassign the Interfaces; this happens via the Console Port.
So hook up the Console first with the cable shipped with your SG-5100, then restore your config.
-Rico
-
How complicated is your config exactly?
Do you have hundreds of rules? When moving a config from different devices with different names for interfaces, etc. etc. Unless your config is lots and lots of different rules.. Wouldn't it be easier to just recreate them? Vs trying to load a config from different device?
When I moved from VM to physical - actually took this opportunity to redo the network IP scheme and vlan ID numbers to match up to the octet of the network, etc. etc.
Bringing in a new device makes for a good time to do some house cleaning - evaluate your actual rules.. Are they exactly what you want, are they as secure as they can/should be.. Hey would it be better to use ip range xyz on that vlan vs what it's using now, etc. etc.. Things like this.
-
My apologies for the delay. I am a grad student and it is close to finals week. Lots of writing to do lol.
Not really, there's quite a bit of customization (squid, squidproxy over SSL (DHCP options, DNS Resolver, pfBlockerNG)) and so on. I was just hoping it would be seamless. Last night, in a fit of sleeplessness, I migrated the config. Here was how I did it.
I opted to do factory defaults, login to the webui and restore the config.
I have had a b0rked user manager database for a while (two admin entries) one blank entry etc... So I went in and updated the config file with the correct bcrypted passwords before doing the restore.
The restore went well. It dropped me after the interface update (that was expected, different IP/network). I suppose I could have just set the IP to the right network.. But hindsight and all that.
Where it got strange was on reboot: squid's SSL helpers were crashing and several services were quite broken (I did wait for the package re-install). I ended up reinstalling a bunch of packages and all was well.
Overall pretty spiffy.. A great addition to our house's server cabinet. Now to figure out peek and stare on squid 3 w transparent proxy LOL.
Regards,
--Mokey
-
Glad it worked out without too much grief.. Great learning experience for sure!
I used to run a proxy in the house back in the day when I had 2 teenage boys to filter p0rn from.. But no reason for it any more, and internet is a different place - not like it's saving you much bandwidth, etc. And now that on unlimited high speed connections, etc. as well..