Netgate Discussion Forum

    Unable to restore config to different hardware

      Gertjan @CompProbSolv

      @compprobsolv said in Unable to restore config to different hardware:

      but the web interface won't work. That is, I browse to http://192.168.1.1 and never get a response.

      Go console.
      Use

      ifconfig
      

      to check the assigned IP addresses.

      Btw : pfSense found the correct interfaces part, like igb0 = WAN, igb1 = LAN etc.
      These "text labels" should match the labels used in the firewall part. The pfSense web server cannot work if there are no rules loaded on the correct interfaces !
      I mean : the web server works, but traffic doesn't enter your LAN interface.

      So, several checks :
      Does DHCP, the server, work ? Does your PC get an IP mask gateway from pfSense ?
      Launch

      ipconfig /all
      

      on your PC, and check what you see.

      On pfSense use :

      ps ax | grep 'nginx'
      

      to see what nginx instances are running.
      I have :

      [23.01-RC][admin@pfSense.brit-hotel-fumel.net]/root: ps ax | grep 'nginx'
         28  -  I       0:30.98 nginx: worker process (nginx)
        273  -  I       5:09.06 nginx: worker process (nginx)
        355  -  I       1:51.63 nginx: worker process (nginx)
       9421  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
       9526  -  I       0:23.10 nginx: worker process (nginx)
       9795  -  I       0:04.59 nginx: worker process (nginx)
      23174  -  I       3:24.06 php-fpm: pool nginx (php-fpm)
      37286  -  I       0:26.48 php-fpm: pool nginx (php-fpm)
      44782  -  I       1:33.51 php-fpm: pool nginx (php-fpm)
      71186  -  I       1:35.93 php-fpm: pool nginx (php-fpm)
      72644  -  I       0:05.38 php-fpm: pool nginx (php-fpm)
      74670  -  I       0:09.65 php-fpm: pool nginx (php-fpm)
      96007  -  I       0:31.92 php-fpm: pool nginx (php-fpm)
      98065  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal.conf (nginx)
      98179  -  I       0:00.01 nginx: worker process (nginx)
      98490  -  I       0:00.01 nginx: worker process (nginx)
      98794  -  I       0:00.07 nginx: worker process (nginx)
      98947  -  I       0:00.02 nginx: worker process (nginx)
      98986  -  I       0:00.16 nginx: worker process (nginx)
      99338  -  I       0:00.95 nginx: worker process (nginx)
      99381  -  Is      0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal-SSL.conf (nginx)
      99672  -  I       0:17.16 nginx: worker process (nginx)
      99808  -  I       0:05.62 nginx: worker process (nginx)
      99918  -  I       0:48.78 nginx: worker process (nginx)
      59685  0  S+      0:00.00 grep nginx
      

      Every process has 4 instances.
      You'll see the http version (listening on port 80) and the https version (port 443).
      There are also 4 PHP processes for the GUI needs.
      I'm using the captive portal, so there are 4 more instances.

      The pfSense GUI listens to all existing 'hardware' interfaces, so even on WAN ( ! ).

      Inspect the /var/log/system.log :

      ee /var/log/system.log
      

      and check if you see any nginx startup error messages.

      Btw : I was using a bare bone PC type device with a 4-NIC Intel card for my pfSense during .... 10 years or so.
      Lately, I bought a 4100, and tried to copy over the config.xml file, like you did.
      But I had 'issues', although I thought I knew the content of the config.xml pretty well.

      I stopped editing the config.xml, I used the old one as guide line to create a new one on the new 4100 from scratch.
      This forced me also to apply the 'keep it simple' rule.
      A basic pfSense (only) setup doesn't contain that much settings anyway.

      Afterwards, I added the packages, and finalized my setup.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        bingo600 @Gertjan

        gertjan said in Unable to restore config to different hardware:

        Take a good text editor, so not Notepad, not Word for Windows, but, for example the 'must have' Notepad++.

        In short :
        Look at the xml file, and discover what's in it.
        You will find an <interfaces> ... </interfaces> section, with the newly assigned interfaces (NICs).
        Copy the one.
        Paste (and replace) this section into the config.xml from the previous pfSense setup.
        Save, and now import this config.xml into your new system.
        Cross fingers.

        Besides a good editor :

        I can recommend these for comparing configs.

        Windows : https://winmerge.org/

        Linux : Install meld

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD
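
The `<interfaces>` swap quoted in the post above, as an added example (not code from any poster or from pfSense). It also lists firewall rule labels that have no assignment in the new section, since rules only load on labels that exist. The NIC names em0/em1/em2, the opt1 entry and both sample configs are constructed; igb0/igb1 follow the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: em0/em1/em2 stand in for the old hardware's NICs.
OLD_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>DMZ</descr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface></rule>
    <rule><type>pass</type><interface>opt1</interface></rule>
  </filter>
</pfsense>"""

NEW_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</pfsense>"""

def nic_map(root):
    """Map each interface label (wan, lan, optN) to its NIC name."""
    section = root.find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section in config")
    return {iface.tag: iface.findtext("if", "") for iface in section}

def transplant_interfaces(old_xml, new_xml):
    """Return (merged_xml, changed_nics, unresolved_rule_labels)."""
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(new_xml)
    old_map, new_map = nic_map(old_root), nic_map(new_root)
    old_section = old_root.find("interfaces")
    position = list(old_root).index(old_section)
    old_root.remove(old_section)
    old_root.insert(position, new_root.find("interfaces"))
    changed = {k: (old_map[k], v) for k, v in new_map.items()
               if k in old_map and old_map[k] != v}
    # Labels used by rules but absent from the new <interfaces> section.
    used = {label.strip() for rule in old_root.iterfind("filter/rule")
            for label in rule.findtext("interface", "").split(",") if label.strip()}
    unresolved = sorted(used - set(new_map))
    return ET.tostring(old_root, encoding="unicode"), changed, unresolved

if __name__ == "__main__":
    merged, changed, unresolved = transplant_interfaces(OLD_CONFIG, NEW_CONFIG)
    print("NIC changes:", changed)
    print("Rule labels missing from new <interfaces>:", unresolved)
```

Any label reported as unresolved should be reviewed by hand before the merged file is imported.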

          CompProbSolv @Gertjan

          @gertjan
          I can respond to some of your comments; others will have to wait.

          The interface assignments appear to be correct. Aside from what is displayed on boot (igb0 as WAN with the appropriate WAN address, igb1 with LAN, etc.), the system does work as a basic firewall after the restore. That is, a computer connected to the LAN port with the proper IP gets through the firewall and to the internet.

          The firewall is not set up as a DHCP server; on the client's network there is a Windows server to do that. I'm accessing the firewall with a laptop set with a static IP of 192.168.1.54/24. The firewall LAN address is 192.168.1.1. I can ping the LAN address and I can ping the internet. I just can't get the web interface to work.

          Your comment about the rules may be the key here, though I thought I edited the config file correctly. How would I inspect the rules without the web interface? I'm not a Linux guy, but I can get through any steps provided.
          I understand your comments about simply rebuilding the configuration from scratch. My only issue with that is the 15 or so client VPNs that are set up. I don't want to have to recopy certificates to each of those computers. I may try just restoring the OpenVPN (as suggested above) to see if that gets all of the VPN stuff back. If so, I can manually reconfigure the rest.

          Part of this was a test of disaster recovery. I want to be prepared for a scenario where the client's hardware fails and I have to replace it.

            SteveITS Galactic Empire @CompProbSolv

            @compprobsolv said in Unable to restore config to different hardware:

            How would I inspect the rules without the web interface

            "The ruleset can also be verified from the console or Diagnostics > Command in the Shell Execute box by running:

            pfctl -f /tmp/rules.debug
            "
            from https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#ruleset-failing-to-load

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
            Upvote 👍 helpful posts!

              CompProbSolv @SteveITS

              @steveits
              I must be misunderstanding the docs.

              From the text menu on the firewall (VGA screen), I selected 8 (Shell). I then typed the command you suggested. I got a new prompt with no other response. I tried the same from 12 (PHP shell....) with similar results.

              I did this on a different, working firewall and also got no response other than a new prompt. I get the same results on the good system with SSH over the LAN.

              What am I missing?

                SteveITS Galactic Empire @CompProbSolv

                @compprobsolv My bad, sorry. The above (re)loads the rules and shows errors.

                See
                https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html


                  CompProbSolv @SteveITS

                  @steveits
                  Restoring OpenVPN: I did that and was still able to access the GUI (after reboot). But.... that doesn't recreate the CA and user certificates. I presume that comes with restoring System. When I do that, I lose the GUI.

                    CompProbSolv @SteveITS

                    @steveits
                    Thank you for the update. I understand the details better now.

                    I ran the pfctl commands through Putty (before and after restoring) and captured the outputs there. I'll work through comparing them next to see if there is something that stands out.

                      stephenw10 Netgate Administrator @CompProbSolv

                      @compprobsolv said in Unable to restore config to different hardware:

                      What's interesting is that it shows Serial Speed but not Serial Terminal or Primary Console! The older firewall (started with an older version of pfSense, then went through updates to get to 2.6.0) does have those settings.

                      That is shown on a device that was installed from the serial console image. It is configured for only serial console.
                      Check /conf for the enableserial_force file.

                        CompProbSolv @stephenw10

                        @stephenw10
                        Thank you!
                        I went back and downloaded the correct version. That didn't fix my core issue, but it did clear up why I was not seeing those choices.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.