Any way to "ninja edit" interface assignments?
-
Hey everyone,
I am in the process of taking down my pfSense router/firewall box for overhaul and upgrade.
In the meantime I am just imaging it over to a KVM virtual machine on another box, with IOMMU passed through NICs.
The problem? The interface names changed and it erased all of my vlans and a lot of their configs on first boot. (luckily I had the image handy and could start over)
The problem is this:
The bare metal box has four network interfaces.
- igb0 and igb1 (on board); and
- ix0 and ix1 (discrete NIC card)
igb0 is configured as WAN and ix1 is configured as LAN.
Well, ix1 is not used in and of itself, but rather it has 10-20 child VLAN interfaces that are used. (ix1.1, ix1.2, ix1.3, etc.)
The temporary VM (KVM on a Linux box) also has:
- igb0 and igb1 (on board); and
- ix0 and ix1 (discrete NIC card)
However, one of the igb and one of the ix devices are in active use, meaning only one of each can be IOMMU forwarded to the guest.
The result? The guest has an igb0 and an ix0, but no ix1.
After imaging the drive over to the KVM box, and booting for the first time, pfSense throws a little hissy fit that it can't find ix1, and demands that interfaces be assigned on boot. Doing so erased all of my VLANs (and I think, but am not sure, all of the firewall and routing rules I have set up between them).
So, I imaged the VM and tried again. I was forced to temporarily forward both IX devices from the host (interrupting what it was doing) to the guest, such that there was an ix1 for pfSense to see during boot.
Then I could change the interface assignment for each of the VLANs, to ix0.1, ix0.2, ix0.3 etc.
Then shut down the VM, and remove the second ix device from being forwarded.
So, I was able to solve it. It was a little bit inconvenient as I needed to interrupt the host, but it worked.
But what if I had a mission critical host? Or what if I just didn't have the same NIC, so ix devices didn't show up at all?
I guess my question is, is there a way to edit the interface assignments before first boot of the changed system, so this does not happen?
I presume there must be some way of doing this, but I just don't know what it is. I'd appreciate any suggestions on how to better do this next time.
Thank you,
Matt
-
@mattlach I've edited the config file and restored before. It can be done on pfSense:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#edit-in-place
It's normal that it stops at boot if interfaces change. There should be a VLAN option on the console though IIRC.
-
Yup if you have a bunch of VLANs like that it's often easier to edit the config file directly. Of course that is always open to human error, so be sure to have a recovery plan in place!
-
@SteveITS
Interesting. So you actually edit it on the drive, or do you export the config, edit and reimport?
I imagine it is just an XML formatted file?
I should probably just be able to search for - for example - ix1.1, and replace it with ix0.1?
And do the same for all the VLANs?
Much appreciated,
Matt
-
I would export it, edit it and reimport it. Doing that reloads everything as required.
If you're moving to different hardware then you would apply a basic setup on that then import the edited config.
Yeah, if the old hardware was using, for example, em NICs and the new has igb then you would switch out the interface definitions and the VLAN config.
So you'd have to swap em for igb in potentially three places:
<lan>
  <enable></enable>
  <if>igb1</if>
  <descr><![CDATA[LAN]]></descr>
  <ipaddr>192.168.226.1</ipaddr>
  <subnet>24</subnet>
  <spoofmac></spoofmac>
</lan>

<opt11>
  <descr><![CDATA[VLAN50]]></descr>
  <if>igb1.50</if>
  <enable></enable>
  <ipaddr>10.10.50.10</ipaddr>
  <subnet>26</subnet>
  <spoofmac></spoofmac>
</opt11>

<vlan>
  <if>igb1</if>
  <tag>50</tag>
  <pcp></pcp>
  <descr><![CDATA[VLAN50]]></descr>
  <vlanif>igb1.50</vlanif>
</vlan>
-
@mattlach said in Any way to "ninja edit" interface assignments?:
just be able to search for - for example - ix1.1, and replace it with ix0.1?
If memory serves there was a way or two to get into trouble with a global search and replace... encoded values/passwords maybe? Also changing ix0 to ix1 is fine unless you also needed to change ix1 to ix2 in which case do that first. :)
I would search a bit more restrictively, like "<if>igb1" in Steve's example, and/or review each replacement.
-
Yup you need to manually check each replacement because there's a significant chance you might find the string em0, for example, in the certs fields.
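
The restricted search-and-replace suggested in the replies above, as an added example (not code from the thread or from pfSense): it rewrites interface names only inside the `<if>` and `<vlanif>` elements shown in the excerpt, applies all renames in one pass so that ix0 to ix1 and ix1 to ix2 cannot chain, and returns every change for manual review. The function name `remap_interfaces` and the sample config are constructed for illustration; a real config.xml may reference interface names in other elements too, so the change list is a review aid, not proof of completeness.

```python
import re

# Assumption: only the element names shown in the thread's excerpt are touched.
IF_TAGS = ("if", "vlanif")
_PATTERN = re.compile(r"<(%s)>([^<]*)</\1>" % "|".join(IF_TAGS))

def remap_interfaces(xml_text, mapping):
    """Rename parent NICs (e.g. {"ix1": "ix0"}) in <if>/<vlanif> values only.

    Returns (new_text, changes); each change is (line, tag, old, new).
    Everything outside those elements is left byte-for-byte unchanged.
    """
    changes = []

    def _sub(m):
        tag, value = m.group(1), m.group(2)
        parent, dot, vlan = value.partition(".")  # "ix1.50" -> ("ix1", ".", "50")
        if parent not in mapping:                 # exact match: "ix1" never hits "ix10"
            return m.group(0)
        new_value = mapping[parent] + dot + vlan
        line_no = xml_text.count("\n", 0, m.start()) + 1
        changes.append((line_no, tag, value, new_value))
        return "<%s>%s</%s>" % (tag, new_value, tag)

    # Single pass over the original text, so renamed values are never re-matched.
    return _PATTERN.sub(_sub, xml_text), changes

# Constructed sample, not a real pfSense config; the <crt> value is made up
# to contain "ix1" and "ix0" the way an encoded field might by chance.
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>ix1</if><descr><![CDATA[LAN]]></descr></lan>
    <opt1><if>ix1.50</if><descr><![CDATA[VLAN50]]></descr></opt1>
    <opt2><if>ix0</if></opt2>
  </interfaces>
  <vlans>
    <vlan><if>ix1</if><tag>50</tag><vlanif>ix1.50</vlanif></vlan>
  </vlans>
  <cert><crt>TUlJix1Rm9vix0QmFy</crt></cert>
</pfsense>
"""

if __name__ == "__main__":
    new_text, changes = remap_interfaces(SAMPLE, {"ix0": "ix1", "ix1": "ix2"})
    for line_no, tag, old, new in changes:
        print("line %d <%s>: %s -> %s" % (line_no, tag, old, new))
```

Run it against an exported copy of the config and read the change list before importing the result.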