Netgate Discussion Forum
    Consolidate 2 PFsense machine into one machine

    General pfSense Questions
    16 Posts, 3 Posters, 1.4k Views
    waimun.wong

      Hi,

      Good day. Currently I have a network revamp project where I'm required to consolidate 2 PFsense VM (running with different version) into 1 VM. All the VMs are hosted in Xenserver.

      May I know what would be the best approach and safest way to do this? Not really familiar with PFsense.

      Thanks in advance.

      Regards,
      Wai Mun

      maverickws

        1 VM is a single point of failure.
        pfSense is merely a software, first you need to know what to do regarding the network traffic, rules, IP's, gateways, network design, then putting that into one or two pfsense isn't that difficult.
        Make appropriate questions regarding the specific issue at hand.

        waimun.wong @maverickws

          Sorry, let me rephrase my sentence. Right now we have 2 pairs of pfSense VMs (configured with HA, master and backup) running on 4 different Xenservers:

          Current Setup

          • pfSense A (in XenServer 1) and pfSense B (in Xenserver 2), both with IP segment 172.16.1.x/24
          • pfSense C (in Xenserver 3) and pfSense D (in Xenserver 4), both with IP segment 172.16.2.x/24

          To be Revamped

          • provision 2 new Xenservers
          • provision 1 new pfSense VM on each of the Xenservers and configure them as HA (master and backup).
          • configure with IP 172.16.0.x/21, and configure a management VLAN.

          Question

          • currently the 2 pairs of pfSense are running different firmware versions, and I will need to consolidate their configuration into the new pair of pfSense. I would like to seek advice on how I can do so in the best/proper way.

          Thanks.

          maverickws @waimun.wong

            @waimun-wong the IP subnet you mentioned is the LAN?

            waimun.wong @maverickws

              @maverickws yeap, it's the LAN subnet.

              skogs

                While routing and firewalls can mystify many, I think you'll get that part down easily enough if you're already running 4 in a redundant configuration. If there is already double redundancy, it shouldn't be so bad to just add the new ones, ensure traffic is moving correctly, and soft-disable the NICs on the old ones to ensure traffic moves over correctly. Especially with the already built redundancy, turning off a pair of virtual NICs is very harmless and quick to restore to the old traffic pattern.

                The limiter is Xenserver... man, I don't miss that VM solution. Ran it for several years and all it ever did was hurt my feelings when I most needed it to just simply work.

                maverickws

                  Ok, so basically it is what skogs said: simply deploy the new VMs on the new servers, put in the configurations as needed, then migrate the connections to them. The last time we made a similar migration we actually assigned new IPv4 addresses to the WAN connection so the new VMs had internet connectivity; then it was only a matter of connecting the switches to them.

                  But allow me to say that we also use a Xenserver pfSense VM solution and we are quite happy with the result. The WAN is delivered through a switch, not routed through the Xen host.

                  waimun.wong

                    Thanks @skogs and @maverickws for the reply. I'm actually more concerned about the configuration of the pfSense, e.g. the VPN and firewall rules. I'm thinking, is there any easier way, e.g. using the CLI or a script, rather than reconfiguring the rules one by one?

                    The approach I will take: I will spin up the new VM instance in the Xenserver and install pfSense into it, then I will back up and restore the first pair's pfSense configuration into the new instance. For the second pair of pfSense, I'm trying to find some other way to migrate it to the new instance instead of using the GUI to configure it, because the end result is that the new instance will have the configuration from both old units.

                    maverickws @waimun.wong

                      @waimun-wong You should only have to configure once; then, when you enable pfsync, it will sync the config from the primary to the secondary.

                      waimun.wong

                        @maverickws understood. So I guess I will still have to manually enter the configuration via the GUI.

                        1st pair running firmware 2.1.4 (LAN IP 172.16.1.0/24)
                        2nd pair running firmware 2.4.2 (LAN IP 172.16.2.0/24)

                        Migration steps:

                        1. Spin up a new VM in the new Xenserver.
                        2. Install pfSense with firmware 2.4.2 into the new VM.
                        3. Back up and restore the config from the old unit (firmware 2.4.2) into the new pfSense VM and change the pfSense IP address (LAN IP 172.16.0.1/21).
                        4. Manually enter the config from the old unit (firmware 2.1.4) into the new pfSense VM via the GUI.
                        5. Enable pfsync on the new pfSense VM to sync the configuration to the HA unit.

                        Guess that will be my approach.

                        maverickws @waimun.wong

                          @waimun-wong it's wiser to have the same software version on both.
                          If you're configuring one new I'd do the following:

                          1. Spin up a new VM.
                          2. Install pfSense 2.5.0 (already available).
                          3. Back up the config from the old primary to be replaced.
                          4. Restore that config on the new VM.
                          5. Check IPs and adjust the config on the new VM.
                          6. Spin up new VM #2.
                          7. Enable pfsync (or edit the pfsync details) and check HA.
                          waimun.wong

                            @maverickws because both units are carrying production traffic, and both of them are running single-legged due to an HA issue previously which caused both units to become master. So right now both units are running single-legged. Our client would like to keep that status until we install the new unit and consolidate those 2 pairs into 1 new pair. So we couldn't do any upgrade on the old units.

                            Old unit Pair 1 with LAN IP segment 172.16.1.0/24

                            • pfSense A (in XenServer 1) (Active)
                            • pfSense B (in Xenserver 2) (Shutdown)

                            Old unit Pair 2 with LAN IP segment 172.16.2.0/24

                            • pfSense C (in Xenserver 3) (Active)
                            • pfSense D (in Xenserver 4) (Shutdown)

                            New unit with LAN IP segment 172.16.0.0/21

                            • configure in a separated Xenserver (5 and 6)
                            • with configuration of both the old pair unit pfSense A and C
                            • enable pfSync to sync the config to the HA unit

                            Just wondering, is it possible to back up and restore the config from an older version of pfSense to a newer version of pfSense?

                              waimun.wong @waimun.wong

                                Old unit Pair 1 running firmware 2.1.4
                                Old unit Pair 2 running firmware 2.4.2

                                maverickws @waimun.wong

                                  If that were me I would plan some downtime (for example after business hours) to make the shift.

                                  From the information you provide, you are going to change the LAN for the machines inside your network, which means they'll have to connect to the new firewall, which means somehow connecting them to a new network/switch, gaining new IPs and a new gateway, etc. There'll always be a bump. So I would schedule this for a period of least traffic.

                                  It is possible to restore the config from an older version to a newer one; however, since for some reason you say HA is not working, I would probably not use that method, and would instead make the whole configuration from scratch.

                                  You can spin up the new pfSense VMs and test pfsync; you can assign different WAN addresses for a period of configuration and testing, then put the definitive addressing up. I don't know how you deliver WAN, so different cases will have different approaches.

                                  waimun.wong

                                    Thanks @maverickws. The purpose of this revamp:

                                    • They wanted to use only a single pair of pfSense so that it can handle the traffic for the whole subnet 172.16.0.0/21. For example 172.16.1.0/24 for client A, 172.16.2.0/24 for client B, 172.16.3.0/24 for client C and so on.
                                    • Initially there were 2 WANs, as in 2 ISPs, 1 for each pair of the old pfSense units. So now it will be reduced to only 1 WAN (1 ISP).
                                    • I will need to create a few VIPs on the new pfSense as a gateway for each subnet, for example 172.16.1.1/24 for client A, 172.16.2.1/24 for client B, and assign a VLAN to each of the subnets and configure some rules so that they won't be able to communicate with each other.
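waimun.wong asks above whether the rules can be carried over by CLI or script instead of re-entering them in the GUI, and later explains that the new pair's LAN becomes the whole 172.16.0.0/21 with one /24 per client. As an added example (not code from the thread or from pfSense), this Python script merges the `<filter>` rules of two config.xml backups and pins each old unit's symbolic "LAN net" to its original /24, because on the consolidated unit "LAN net" would otherwise mean the entire /21 and every per-client rule would silently widen. The two XML fragments are constructed, heavily trimmed stand-ins for real backups.

```python
"""Merge the <filter> rules of two pfSense config.xml backups into one rule list.
Constructed example: the fragments are trimmed stand-ins for real backups."""
import ipaddress
import xml.etree.ElementTree as ET

NEW_LAN = ipaddress.ip_network("172.16.0.0/21")  # LAN of the consolidated pair

# Constructed fragments for old units A (172.16.1.0/24) and C (172.16.2.0/24)
CONFIG_A = """<pfsense><interfaces><lan><ipaddr>172.16.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
<filter><rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
<source><network>lan</network></source><destination><any></any><port>443</port></destination><descr>A: https out</descr></rule>
<rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol><source><network>lan</network></source>
<destination><any></any></destination><descr>Default allow LAN to any rule</descr></rule></filter></pfsense>"""
CONFIG_C = """<pfsense><interfaces><lan><ipaddr>172.16.2.1</ipaddr><subnet>24</subnet></lan></interfaces>
<filter><rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol><source><network>lan</network></source>
<destination><any></any></destination><descr>Default allow LAN to any rule</descr></rule></filter></pfsense>"""

def lan_network(root):
    """Return the unit's LAN prefix from <interfaces><lan> (ipaddr + subnet bits)."""
    lan = root.find("interfaces/lan")
    return ipaddress.ip_network(f"{lan.findtext('ipaddr')}/{lan.findtext('subnet')}", strict=False)

def pin_lan_net(rule, net):
    """Replace the symbolic 'LAN net' (<network>lan</network>) with the old unit's explicit
    prefix: on the new box 'LAN net' is the whole /21, so an unpinned rule would widen."""
    for endpoint in ("source", "destination"):
        node = rule.find(endpoint)
        if node is not None and node.findtext("network") == "lan":
            node.remove(node.find("network"))
            ET.SubElement(node, "address").text = str(net)

def merge_rules(*xml_texts):
    """Return (merged rule elements, old LAN prefixes that do not fit inside NEW_LAN)."""
    merged, seen, outside = [], set(), []
    for text in xml_texts:
        root = ET.fromstring(text)
        net = lan_network(root)
        if not net.subnet_of(NEW_LAN):
            outside.append(str(net))  # needs re-addressing, not just a rule merge
        for rule in root.iterfind("filter/rule"):
            pin_lan_net(rule, net)
            rule.tail = None  # ignore surrounding whitespace when comparing rules
            key = ET.tostring(rule)  # byte-identical after pinning = true duplicate, keep once
            if key not in seen:
                seen.add(key)
                merged.append(rule)
    return merged, outside
```

The merged `<filter>` still goes through pfSense's own config upgrade when restored onto the newer release, and every other section the thread mentions (VLANs, VIPs, VPN) needs the same per-unit review before it is pasted in.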
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.