pfSense cold backup
-
Hello; I currently have pfSense on a bare-metal system, which is running fine using a single WAN DHCP link. I am now looking to fire up a VM (via Unraid) and get pfSense on a VM as a cold backup. Just not too sure how to make this happen.
On my main pfSense, I have the ISP fiber going directly in via a fiber card, and I also have the same fiber card on the VM. On the main pfSense I am using 2 LAGG ports going up to my UniFi switch.
My idea is to leave the pfSense VM running all the time, and if ever my main pfSense goes down due to a hardware issue or maintenance, I would just swing the WAN fiber cable over along with just 1 LAN cable for the LAN (instead of the LAGG pair).
Is this even an option? If I make changes on my main pfSense, will the changes sync over to my VM pfSense? And since I have LAGG configured on the main pfSense, do I need to have 2x LAGG on my VM?
Thank you!
-
Replacing my hobby pfSense hat for my pro Backup hat...
Done...
If you make an online snapshot of a guest, you will get a crash-consistent copy of the guest. Crash-consistent is not always without problems. It is just like pulling the power.
Assuming you get a working copy, it will be a clone of the guest as it sat at the moment the snapshot was taken, so your changes will transfer with each snapshot, but changes will obviously not be in older snapshots.
If there is a way to quiesce pfSense before the snapshot, you should always get a good copy. We do this 1,000s of times a day at work.
Back to the hobby hat...
-
@andyrh Maybe I mistyped. I was looking for a way to set up pfSense HA, but instead of always available, I am OK with the firewall being down for 20 mins while I go swing the cables over from the main to the VM. Just not too sure if this is possible.
-
@iptvcld pfSense does have HA. It is designed so that both are online at the same time, and if the primary dies no one notices. With different hardware, note that firewall states can sync only with the same NIC names. As noted, a LAGG gets around this. You do need three WAN IPs, though it is possible to have the routers use private IPs and share the public IP, if the ISP allows private IPs to work while bridging (Comcast does).
-
@steveits So I know the best way for HA is to have both devices connected to the WAN, etc. But I only have 1 DHCP WAN fiber connection. I am OK with downtime of like 10 mins while I swing the cables over. Is there an option for this? Both devices will not have the same NIC card names, as one will be a VM. I almost want all options to sync except the interfaces, as on the VM I won't have LAGG and on my main I have LAGG to the switch.
-
@iptvcld I've not tried to sync without HA. I don't think the config sync would strictly be limited to a live HA setup. You would need to update the WAN and LAN IPs though, since to sync they need to connect. Or maybe you could get it to sync the config on a third interface and leave the WAN and LAN on the VM disconnected.
You can make a one-NIC LAGG on the VM just to get the interfaces to match (so there's a LAGG on both).
Worst case, you could just make a backup after every change (which we do anyway) and, upon failure, restore the backup on the other router.
-
@steveits good tips, thank you!
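The last answer's "worst case" plan (back up config.xml after every change, restore it on the other box on failure) runs into the problem raised earlier in the thread: the VM's NICs will not have the same names as the bare-metal card, and the VM may carry a one-NIC LAGG instead of the two-port one. The script below is an added example for this thread, not pfSense's own code or anything posted by the participants: it takes an exported config.xml, rewrites the physical NIC names through a mapping, replaces each LAGG's member list (so a two-port LAGG on the primary becomes a one-NIC LAGG on the VM), and refuses to emit a config that still references a NIC the target does not have, so you find out before the restore rather than at the console. The element names it touches (`<interfaces>/<if>`, `<laggs>/<lagg>/<members>/<laggif>`) follow the pfSense config.xml layout; the sample document, the `igb*`/`vtnet*` NIC names and the mapping are constructed for the example.

```python
"""Remap physical NIC names in a pfSense config.xml backup so the same
backup restores cleanly on a box (here, a VM) whose NICs are named
differently. Added example for this thread; not pfSense code."""
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml export (trimmed to the parts
# that reference NICs). Real exports are much larger.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>lagg0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <laggs>
    <lagg>
      <members>igb1,igb2</members>
      <descr>uplink to switch</descr>
      <laggif>lagg0</laggif>
      <proto>lacp</proto>
    </lagg>
  </laggs>
</pfsense>
"""

# Constructed mapping: bare-metal NIC -> VM NIC (vtnet* is what a VirtIO
# NIC is called on FreeBSD; your VM may show something else).
VM_NIC_MAP = {"igb0": "vtnet0"}
# One-NIC LAGG on the VM, as suggested in the thread, keeping the name lagg0.
VM_LAGG_MEMBERS = {"lagg0": ["vtnet1"]}


def _lagg_names(root):
    """Names of LAGG pseudo-interfaces (lagg0, ...) defined in the config."""
    return {l.findtext("laggif") for l in root.iter("lagg") if l.findtext("laggif")}


def physical_ifaces(xml_text):
    """Every physical NIC the config references: <if> values that are not
    LAGG pseudo-interfaces, plus the members of each LAGG."""
    root = ET.fromstring(xml_text)
    laggs = _lagg_names(root)
    names = {e.text.strip() for e in root.iter("if")
             if e.text and e.text.strip() not in laggs}
    for m in root.iter("members"):
        names.update(x.strip() for x in (m.text or "").split(",") if x.strip())
    return names


def unmapped_ifaces(xml_text, available):
    """NICs the config needs that the target box does not have."""
    return physical_ifaces(xml_text) - set(available)


def remap_config(xml_text, nic_map, lagg_members=None):
    """Rewrite NIC names per nic_map and, per LAGG name, replace its member
    list. Raises ValueError if the result still references a NIC that is
    not one of the intended targets, so a half-broken restore is avoided."""
    root = ET.fromstring(xml_text)
    for e in root.iter("if"):
        name = (e.text or "").strip()
        if name in nic_map:
            e.text = nic_map[name]
    for lagg in root.iter("lagg"):
        members = lagg.find("members")
        if members is None:
            continue
        laggif = lagg.findtext("laggif")
        if lagg_members and laggif in lagg_members:
            members.text = ",".join(lagg_members[laggif])
        else:
            members.text = ",".join(nic_map.get(x.strip(), x.strip())
                                    for x in (members.text or "").split(",") if x.strip())
    out = ET.tostring(root, encoding="unicode")
    targets = set(nic_map.values())
    for ms in (lagg_members or {}).values():
        targets.update(ms)
    leftover = unmapped_ifaces(out, targets)
    if leftover:
        raise ValueError(f"config still references unmapped NICs: {sorted(leftover)}")
    return out


if __name__ == "__main__":
    print("primary needs:", sorted(physical_ifaces(SAMPLE_CONFIG)))
    vm_config = remap_config(SAMPLE_CONFIG, VM_NIC_MAP, VM_LAGG_MEMBERS)
    print("VM config needs:", sorted(physical_ifaces(vm_config)))
    print(vm_config)
```

Run `unmapped_ifaces()` against the NIC list of the VM before each restore; if it returns anything, the backup would leave pfSense with a missing-interface prompt at boot. The rewritten file is what you would import through the backup/restore page on the VM, with its WAN and LAN then still needing the IP changes mentioned in the thread if both boxes are ever on the same segment at once.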