Unable to restore config to different hardware

CompProbSolv

I set up an i5 computer with an Intel 4-port NIC for a client. I'm trying to replace the hardware with something similar, but I've not been successful at restoring the configuration.

I set up the new device and accepted all of the defaults. The device works as expected. If I restore the configuration, it hangs during reboot right after stating the link status for igb0 and igb1 is Up. I've tried some selective restores as a test. If I restore just the interfaces, I can inspect the interfaces and they appear to be set correctly. When I reboot, I get the same symptom where it hangs on boot.

If I just restore System, when I reboot the firewall will pass traffic, but the web management page won't come up.

I could manually rebuild the configuration fairly easily, with one big exception. I have OpenVPN set up with about 15 clients. I'm assuming that if I recreated them, I'd have to reinstall the certificates on the different remote computers. I'd really like to avoid that.

From what I've read, restoring configurations on different hardware should work. Both systems are running 2.6.0 and the hardware is similar.

Any suggestions about how to successfully restore the configuration would be appreciated. Short of that, if there's a way to get the OpenVPN information copied over so that the existing certificates work, that would be good enough.

Thanks to all for any assistance!

Gertjan

@compprobsolv

Good news and bad news :
You asked a very known question.

Backed up config file are system (hardware !! depended) as NIC driver names are actually used FreeBSD driver names.
If the old and new system use the same NIC hardware for all interfaces, you might pull it off : copy over the config file on new hardware and you're done.

That's often not the case.
A lot has been said (check forum, use the search button) about how to proceed.

In few words :
On your new system, assign interfaces - do nothing else. Internet access should work now.
Make a backup of the config.
Take a good text editor, so not Notepad, not Word for Window, but, for example the 'must have' Notepad++.

In short :
Look at the xml file, and discover whats in it.
You will find an <interfaces> ... </interfaces> section, with the newly assigned interfaces (NICs).
Copy the one.
Past (and replace) this section into the config.xml from the previous pfSense setup.
Save, and now import this config.xml into your new system.
Cross fingers.

SteveITS

@compprobsolv It is supposed to work. One is prompted to pick interfaces during the restore, then it boots.

If interfaces were assigned incorrectly they would show on the console.

One note, you mention restoring parts of a config file...OpenVPN is an option there:

stephenw10

@compprobsolv said in Unable to restore config to different hardware:

it hangs during reboot right after stating the link status for igb0 and igb1 is Up

That's what you see if it's using the other console type as the default. So I imagine you i5 system was using a VGA console and the new device is serial console or the other way around.
So you could either remove the console line from the config file before restoring it. Or force a different console type for one boot then change it once you have access to the webgui:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/boot-issues.html#booting-with-an-alternate-console

Steve

CompProbSolv

@gertjan
Thank you for the response. I'll confirm whether or not the interface names are the same, but will also edit the config file as you suggested.

CompProbSolv

@stephenw10
I'll check the console setting in the config file. The new system is using VGA. I believe that the old one is also, but it doesn't have a monitor attached at the moment.

stephenw10

Yeah, what you are seeing is exactly what you'd see if it were set to serial console as primary. So maybe that was set at some point on the old device and it was just never a problem because it booted fully.

CompProbSolv

@stephenw10
Where would I set the primary console?

I set up the original box and definitely didn't use a serial connection, but would like to confirm that it didn't somehow get set.

stephenw10

In System > Advanced > Admin Access.

CompProbSolv

@gertjan
That was very helpful.

The original firewall used emx interface names. The new one uses igbx ones.

I edited the config file (replaced em0 with igb0, etc.) and that allowed it to boot. It acts as a proper firewall (passing traffic from LAN to WAN as expected), but the web interface won't work. That is, I browse to http://192.168.1.1 and never get a response.

I tried reconfiguring the interfaces from the console, but that didn't resolve it.

Any thoughts on how to get the web interface working?

CompProbSolv

@stephenw10
Thank you for the clarification.

The original firewall (as well as others that I've set up in the past) have Serial Console set as the primary. They've never given me any problem with booting up, with or without a monitor attached. The problem firewall shows that it is set for Dual with Serial primary (first menu that lasts a few seconds).

I did a new installation of 2.6.0 to check how this setting comes up. What's interesting is that it shows Serial Speed but not Serial Terminal or Primary Console! The older firewall (started with an older version of pfSense, then went through updates to get to 2.6.0) does have those settings. NoConsole.jpg

In any case, I don't think that this is the issue. As you'll see in a different post, I resolved (mostly) the interface issue so the system boots to the main menu.

Gertjan

@compprobsolv said in Unable to restore config to different hardware:

but the web interface won't work. That is, I browse to http://192.168.1.1 and never get a response.

Go console.
Use

ifconfig

to check the assigned IP addresses.

Btw : pSense found the correct interfaces part, like igb0 = WAN, igb1 = LAN etc.
These "text labels" should match the labels used in the firewall part. The pfSense web server can not work if there are no rules loaded on the correct interfaces !
I mean : the web server works, but traffic doesn't enter your LAN interface.

So, several checks :
Does DHCP, the server, work ? Does your PC get an IP mask gateway from pfSense ?
Lauch

ipconfig /all

on your PC, and check what it yous see.

On pfSense use :

ps ax | grep 'nginx'

to see what nginx instances are running.
I have :

[23.01-RC][admin@pfSense.brit-hotel-fumel.net]/root: ps ax | grep 'nginx'
   28  -  I       0:30.98 nginx: worker process (nginx)
  273  -  I       5:09.06 nginx: worker process (nginx)
  355  -  I       1:51.63 nginx: worker process (nginx)
 9421  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
 9526  -  I       0:23.10 nginx: worker process (nginx)
 9795  -  I       0:04.59 nginx: worker process (nginx)
23174  -  I       3:24.06 php-fpm: pool nginx (php-fpm)
37286  -  I       0:26.48 php-fpm: pool nginx (php-fpm)
44782  -  I       1:33.51 php-fpm: pool nginx (php-fpm)
71186  -  I       1:35.93 php-fpm: pool nginx (php-fpm)
72644  -  I       0:05.38 php-fpm: pool nginx (php-fpm)
74670  -  I       0:09.65 php-fpm: pool nginx (php-fpm)
96007  -  I       0:31.92 php-fpm: pool nginx (php-fpm)
98065  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal.conf (nginx)
98179  -  I       0:00.01 nginx: worker process (nginx)
98490  -  I       0:00.01 nginx: worker process (nginx)
98794  -  I       0:00.07 nginx: worker process (nginx)
98947  -  I       0:00.02 nginx: worker process (nginx)
98986  -  I       0:00.16 nginx: worker process (nginx)
99338  -  I       0:00.95 nginx: worker process (nginx)
99381  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal-SSL.conf (nginx)
99672  -  I       0:17.16 nginx: worker process (nginx)
99808  -  I       0:05.62 nginx: worker process (nginx)
99918  -  I       0:48.78 nginx: worker process (nginx)
59685  0  S+      0:00.00 grep nginx

Every process has 4 instances.
You'll se the http version (listening on port 80) and the https version (port 443).
There are also 4 PHP processes for the GUI needs.
I'm using the captive portal, so there are 4 more instances.

The pfSense GUI listens to all existing 'hardware' interfaces, so even on WAN ( ! ).

Inspect the /var/log/system.log :

ee /var/log/system.klog

and check if you see any nginx startup error messages.

Btw : I was using a bare bone PC type device with an 4 NIC intel card for my pfSense during .... 10 years or so.
Lately, I bought a 4100, and tried to copy over the config.xml file, like you did.
But I had 'issues', although I thought I kew the content of the config.xml pretty well.

I stopped editing the config.xml, I used the old one as guide line to create a new one on the new 4100 from scratch.
This forced me also to apply the 'keep it simple' rule.
A basic pfSense (only) setup doesn't contain that much settings anyway.

Afterwards, I added the packages, and finalized my setup.

bingo600

gertjan said in Unable to restore config to different hardware:

Take a good text editor, so not Notepad, not Word for Window, but, for example the 'must have' Notepad++.

In short :
Look at the xml file, and discover whats in it.
You will find an <interfaces> ... </interfaces> section, with the newly assigned interfaces (NICs).
Copy the one.
Past (and replace) this section into the config.xml from the previous pfSense setup.
Save, and now import this config.xml into your new system.
Cross fingers.

Besides a good editor :

I can recommend these for comparing configs.

Windows : https://winmerge.org/

Linux : Install meld

/Bingo

CompProbSolv

@gertjan
I can respond to some of your comments; others will have to wait.

The interface assignments appear to be correct. Aside from what is displayed on boot (igb0 as WAN with the appropriate WAN address, igb1 with LAN, etc.), the system does work as a basic firewall after the restore. That is, a computer connected to the LAN port with the proper IP gets through the firewall and to the internet.

The firewall is not set up as a DHCP server; on the client's network there is a Windows server to do that. I'm accessing the firewall with a laptop set with a static IP of 192.168.1.54/24. The firewall LAN address is 192.168.1.1. I can ping the LAN address and I can ping the internet. I just can't get the web interface to work.

Your comment about the rules may be the key here, though I thought I edited the config file correctly. How would I inspect the rules without the web interface? I'm not a Linux guy, but I can get through any steps provided.
l
I understand your comments about simply rebuilding the configuration from scratch. My only issue with that is the 15 or so client VPNs that are set up. I don't want to have to recopy certificates to each of those computers. I may try just restoring the OpenVPN (as suggested above) to see if that gets all of the VPN stuff back. If so, I can manually reconfigure the rest.

Part of this was a test of disaster recovery. I want to be prepared for a scenario where the client's hardware fails and I have to replace it.

SteveITS

@compprobsolv said in Unable to restore config to different hardware:

How would I inspect the rules without the web interface

"The ruleset can also be verified from the console or Diagnostics > Command in the Shell Execute box by running:

pfctl -f /tmp/rules.debug
"
from https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#ruleset-failing-to-load

CompProbSolv

@steveits
I must be misunderstanding the docs.

From the text menu on the firewall (VGA screen), I selected 8 (Shell). I then typed the command you suggested. I got a new prompt with no other response. I tried the same from 12 (PHP shell....) with similar results.

I did this on a different, working firewall and also got no response other than a new prompt. I get the same results on the good system with SSH over the LAN.

What am I missing?

SteveITS

@compprobsolv My bad, sorry, The above (re)loads the rules and shows errors.

See
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

CompProbSolv

@steveits
Restoring OpenVPN: I did that and was still able to access the GUI (after reboot). But.... that doesn't recreated the CA and user certificates. I presume that comes with restoring System. When I do that, I lose the GUI.

CompProbSolv

@steveits
Thank you for the update. I understand the details better now.

I ran the pfctl commands through Putty (before and after restoring) and captured the outputs there. I'll work through comparing them next to see if there is something that stands out.

stephenw10

@compprobsolv said in Unable to restore config to different hardware:

What's interesting is that it shows Serial Speed but not Serial Terminal or Primary Console! The older firewall (started with an older version of pfSense, then went through updates to get to 2.6.0) does have those settings.

That is shown on a device that was installed from the serial console image. It is configured for only serial console.
Check /conf for the enableserial_force file.