Netgate Discussion Forum

    Importing config from the "other" freebsd firewall?

      sporkme

      Hi,

      Is this still an option? I know when I moved from pfsense to opn, with some light editing of the xml file I was able to pull in some of the things that would be time-consuming, like aliases. I'd like to come back to pfsense for a while to see how things compare, but would like to import as much of the config as I can. What's the current status of this?

      Also what's the countdown on the AES-NI thing? Looks to be at least a year before this is forced, correct? I'm on a perfectly fine Core2Duo SFF Dell that remains healthy and has more than enough CPU for my needs.

        provels @sporkme

        @sporkme If they were once that similar, I think I'd build a base pfSense and export the config and do a side-by-side. Re. AES-NI that has been skipped for the present in both the current release and development versions.

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

          sporkme

          Thanks - I'm installing pfsense in a VM with a matching number of ethernet interfaces and then I'll do some diffing of stuff after creating a basic config.

          Great news on the AES-NI thing. Might actually buy new hardware by the time that rolls around.

            sporkme @sporkme

            Hmmm, they are diverging, but migrating chunks is possible.

            Here's the opn format for aliases. Of note, it's nested within the firewall section. There is also a UUID attached, but that's simply ignored on input. Also "description" is "descr" and wrapped in CDATA tags, "content" needs to be combined to a single line and changed to "address", and the fields for "update frequency", "counter" and "enabled" can be removed:

            <Firewall>
              <Alias version="1.0.0">
                <aliases>
                  <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
                    <enabled>1</enabled>
                    <name>voip</name>
                    <type>host</type>
                    <proto/>
                    <counters>0</counters>
                    <updatefreq/>
                    <content>10.3.2.19
            10.3.2.20
            10.3.2.21
            10.3.2.51</content>
                    <description>voip devices</description>
                  </alias>
                </aliases>
              </Alias>
            </Firewall>
            

            And the same after some massaging:

            <aliases>
              <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
                <enabled>1</enabled>
                <name>voip</name>
                <type>host</type>
                <address>10.3.2.19 10.3.2.20 10.3.2.21 10.3.2.51</address>
                <descr><![CDATA[voip devices]]></descr>
              </alias>
            </aliases>
            
            1 Reply Last reply Reply Quote 0
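The field mapping described in the post above, as an added example that is not code from the thread or from either project. It follows the post's text rather than its pasted result, so `uuid` and `enabled` are dropped along with `proto`, `counters` and `updatefreq`; the function names and the restriction of alias names to letters, digits and underscore are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample in the OPNsense layout quoted in the post above.
OPN_SAMPLE = """<Firewall><Alias version="1.0.0"><aliases>
  <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
    <enabled>1</enabled>
    <name>voip</name>
    <type>host</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>10.3.2.19
10.3.2.20
10.3.2.21
10.3.2.51</content>
    <description>voip devices</description>
  </alias>
</aliases></Alias></Firewall>"""

# Assumption: alias names are limited to letters, digits and underscore.
NAME_OK = re.compile(r"^[A-Za-z0-9_]+$")

def cdata(text):
    # A literal "]]>" would close the CDATA section early, so split it.
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def convert_alias(alias):
    name = (alias.findtext("name") or "").strip()
    if not NAME_OK.match(name):
        raise ValueError(f"unexpected alias name: {name!r}")
    kind = (alias.findtext("type") or "").strip()
    # "content" is newline-separated; "address" is one space-separated line.
    address = " ".join((alias.findtext("content") or "").split())
    descr = (alias.findtext("description") or "").strip()
    # uuid, enabled, proto, counters and updatefreq are not carried over.
    return (f"  <alias>\n    <name>{escape(name)}</name>\n"
            f"    <type>{escape(kind)}</type>\n"
            f"    <address>{escape(address)}</address>\n"
            f"    <descr>{cdata(descr)}</descr>\n  </alias>\n")

def convert(opn_xml):
    root = ET.fromstring(opn_xml)
    body = "".join(convert_alias(a) for a in root.iter("alias"))
    return "<aliases>\n" + body + "</aliases>\n"

if __name__ == "__main__":
    print(convert(OPN_SAMPLE), end="")
```

Diff the output against an export from a freshly installed pfSense, as suggested earlier in the thread, before pasting it into a config you intend to restore.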
              sporkme

              Well, with a small amount of work I was able to grab the most time-consuming stuff for import: IP aliases and DHCP config (including all the reservations). Works great so far.

              Now to continue testing and see if the panics I was seeing on the other firewall are hardware-related or (my suspicion) HardenedBSD-related.

              If I had more time I'd be a true nerd and make a configuration transmogrifier that lets you flip-flop between these two vendors.. :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.