Change interface assignments: effects on firewall rules
  • This seems to be the most relevant thread for my question, but the discussion in the thread has left me confused:
    https://forum.netgate.com/topic/93688/change-interface-assignments

    2.2.6-RELEASE (amd64)

    This pfSense will be updated to the latest firmware, however I have to make some scheduled configuration changes before I can do that.

    The question is whether changing an interface assignment will have an adverse effect on the firewall rules that are configured on that interface, or will the firewall rules continue to function on that interface after it is assigned to a new device.

    To illustrate the context of my question, I am planning the merging of two pfSense firewalls into one. Both firewalls are virtual machines in the same vSphere instance. pfSense A will be deleted and its two interfaces, in the DMZ and LAN networks, will be added as two new interfaces on pfSense B. pfSense B will assume the two IP addresses that pfSense A was using on those interfaces, and the firewall rules that are active on pfSense A will continue to be active on pfSense B.

    To minimise downtime during the cutover, I am planning on the following implementation steps:

    • Create two invalid VLAN interfaces on pfSense B called DMZ and LAN
    • Copy IP addresses, firewall aliases and rules from pfSense A to pfSense B
    • Shut down pfSense B and add DMZ and LAN network adapters
    • Shut down pfSense A
    • Start pfSense B
    • Change interface assignments on DMZ and LAN from VLANs to new physical (VMware) interfaces
    • Delete placeholder VLANs

    My only concern with this procedure is that the firewall rules I create on the dummy DMZ and LAN interfaces may not follow the interface reassignment. Can anybody clarify whether my plan is sound and that the firewall rules will follow as I hope?


  • Netgate Administrator

    The firewall rules are fixed to the assigned interface, WAN for example, not the NIC assigned as that such as vmx0.

    So, yes, you can reassign DMZ from a VLAN to a real interface and it will keep the same rules you created on it.

    But! some things to watch out for here:

    You will have to re-create the rules from pfSense A on pfSense B; you cannot just copy them, as the internal interface name order will not match.
    If you are using vmxnet NICs, adding more than 4 to an instance will change the order they are detected in at boot and therefore how they are assigned in pfSense. If you need more than 4 vmxnet NICs you will probably have to reassign them in pfSense B after rebooting, which will mean discovering how they are now ordered and downtime while you do that.

    Steve

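The two points in Steve's reply (rules bind to the logical interface key, not the NIC; and rule exports from A cannot be pasted into B because the opt-numbering differs) can be checked against config.xml directly. The script below is an added example, not code from the thread or from pfSense. It works on constructed config.xml fragments: the interface keys (wan, lan, opt1...), NIC names (vmx0, em1_vlan998) and rule descriptions are assumptions chosen to make the name-order mismatch visible, with pfSense B's placeholder VLANs deliberately landing on different optN keys than the same networks had on pfSense A. It maps A's rules onto B by interface description, refuses to copy a rule whose interface has no counterpart on B, then changes the `<if>` of the DMZ placeholder to a real NIC and shows that the rules attached to that key are unaffected.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed config.xml fragments (not exports from the thread's firewalls).
# In config.xml a rule's <interface> holds the logical key (wan, lan, optN),
# and the key is tied to a NIC only through <interfaces><optN><if>.
CONFIG_A = """<pfsense>
  <interfaces>
    <wan><if>vmx0</if><descr>WAN</descr></wan>
    <opt1><if>vmx1</if><descr>DMZ</descr><ipaddr>192.0.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>vmx2</if><descr>LAN</descr><ipaddr>198.51.100.1</ipaddr><subnet>24</subnet></opt2>
    <opt3><if>vmx3</if><descr>MGMT</descr></opt3>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><descr>DMZ web to LAN db</descr></rule>
    <rule><type>block</type><interface>opt2</interface><descr>LAN egress block</descr></rule>
    <rule><type>pass</type><floating>yes</floating><interface>opt1,opt2</interface><descr>ICMP both</descr></rule>
    <rule><type>pass</type><interface>opt3</interface><descr>MGMT only on A</descr></rule>
  </filter>
</pfsense>"""

# pfSense B already has opt1 in use, so the DMZ/LAN placeholders become opt2/opt3:
# the keys used in A's rules do not line up with B's (assumed layout).
CONFIG_B = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>SERVERS</descr></lan>
    <opt1><if>em1_vlan10</if><descr>GUEST</descr></opt1>
    <opt2><if>em1_vlan998</if><descr>DMZ</descr></opt2>
    <opt3><if>em1_vlan999</if><descr>LAN</descr></opt3>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>existing B rule</descr></rule>
  </filter>
</pfsense>"""


def descr_by_key(root):
    """{'opt1': 'DMZ', ...} for the <interfaces> block."""
    return {i.tag: i.findtext("descr") for i in root.find("interfaces")}


def key_by_descr(root):
    """{'DMZ': 'opt2', ...}; descriptions are unique in pfSense, so this is safe."""
    return {i.findtext("descr"): i.tag for i in root.find("interfaces")}


def copy_rules(config_a, config_b):
    """Append A's filter rules to B, rewriting <interface> via the description.

    Floating rules may list several keys separated by commas; every key must
    map or the rule is skipped and reported rather than silently mis-bound.
    Returns (new B tree, [(old keys, new keys)], [skipped rule descr]).
    """
    a, b = ET.fromstring(config_a), ET.fromstring(config_b)
    a_descr, b_key = descr_by_key(a), key_by_descr(b)
    copied, skipped = [], []
    for rule in a.find("filter").findall("rule"):
        keys_a = rule.findtext("interface").split(",")
        keys_b = [b_key.get(a_descr.get(k)) for k in keys_a]
        if None in keys_b:
            skipped.append(rule.findtext("descr"))
            continue
        new = copy.deepcopy(rule)
        new.find("interface").text = ",".join(keys_b)
        b.find("filter").append(new)
        copied.append((rule.findtext("interface"), new.find("interface").text))
    return b, copied, skipped


def reassign_nic(root, key, new_if):
    """Point logical interface `key` at another NIC; returns the old <if>."""
    iface = root.find("interfaces").find(key)
    old = iface.findtext("if")
    iface.find("if").text = new_if
    return old


def rules_on(root, key):
    """Descriptions of rules bound to `key`, in config order."""
    return [r.findtext("descr") for r in root.find("filter").findall("rule")
            if key in r.findtext("interface").split(",")]


if __name__ == "__main__":
    b, copied, skipped = copy_rules(CONFIG_A, CONFIG_B)
    print("remapped:", copied)          # opt1->opt2, opt2->opt3, ...
    print("not copied:", skipped)       # MGMT has no counterpart on B
    before = rules_on(b, "opt2")
    old = reassign_nic(b, "opt2", "vmx0")   # placeholder VLAN -> real vmxnet NIC
    print(f"opt2 (DMZ) moved from {old} to vmx0; rules unchanged:",
          before == rules_on(b, "opt2"))
```

The interface-description match is what makes the copy safe; a plain paste of A's `<rule>` elements would have bound the DMZ rules to B's GUEST VLAN (opt1). Aliases referenced by the rules have to be carried over the same way, and nothing in config.xml protects against the NIC-reordering caveat: after adding vmxnet adapters, confirm which vmxN each placeholder ends up on before deleting the VLANs.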


  • That's helpful, thanks. I am recreating the rules on pfSense B, rather than trying to import them.

    pfSense B currently has two em NICs but I will be adding two vmxnet NICs in the next maintenance window, then two more in a future maintenance window. I will be watching for reordering as they are added.

