Hardware upgrade?



  • I'm fairly certain I know what the answer to this is going to be but here goes.

    I'm looking to upgrade my current pfSense box.  My current setup is a P4 3.0 GHz (could be 2.6; I'm not in front of it at the moment), 1 GB RAM, 80 GB 7200 RPM HD, 3 physical NICs, and it is running the latest release.  It works amazingly well.  I have a Core 2 Duo, 4 GB RAM, 64 GB SSD, and 4 physical NICs that's just sitting around getting old... older.  I have no use for this thing at all, so I was thinking that although it's overkill for my pfSense box, it's newer than my current setup and, well, why not...

    My current network setup - I have 1 gigabit NIC and 2 100 Mb NICs.  One 100 Mb NIC is used as my WAN since I only have 30 Mb up and down from my ISP.  The other 100 Mb NIC is treated like a DMZ.  Only systems that are accessed remotely are put on that network.  The gigabit NIC connects my local subnets and has all my VLANs assigned to it.

    The new system - It has 3 gigabit NICs and 1 100 Mb NIC.  I want to use the 100 Mb NIC as the WAN since I only have a 30 Mb link to my ISP.  I'd like to set up the (3) gigabit NICs in a LAGG for the local subnets and the "DMZ".  I'll create a VLAN just for the DMZ traffic.  Alternatively, I'll put 2 gigabit NICs in a LAGG and the remaining gigabit NIC in the DMZ.  It would be awesome if I could also get advice on which route I should go with the 3 gigabit NICs.  The reason for the LAGG is speed.  My setup is a "router on a stick", so all VLAN crossing happens at the router, and there is a lot of traffic flowing through the router.  I'm fairly certain I'm nowhere near 50% on the current router, but like I said above... why not.

    Finally, the main question - I know I'll probably have to recreate my VLANs and interfaces.  What I'm not sure about is whether I can back up just my current firewall rules and import them into the new box.  I know on the backup page there is an option to back up or restore just the rules, but I'm not sure if the rules will just work with the new NIC configuration if I keep the VLANs, IPs, subnets, and everything else exactly the same.  The "DMZ" subnet/IP would probably change if I go from a physical NIC to a VLAN on the LAGG, but I'm sure I can keep everything else the same.  So would the new box be able to use the current rules, or will I have to recreate all my rules?

    Sorry for the long post, I figured the more info the better.  Thanks in advance!



  • Presumably you have some equipment that understands LAGG to connect to the other (non-pfSense) end of the LAGG.



  • @wallabybob:

    Presumably you have some equipment that understands LAGG to connect to the other (non-pfSense) end of the LAGG.

    That part I know.  My switch supports LAGG, and I have the switch capacity to create 4 more LAGG groups.

    I'm more concerned about the firewall rules and whether they'll just work with the new configuration.  Where I'm stuck is that when the rule is created, I don't know what it applies to.  For example, if I created a rule to allow any:any from 172.25.25.10 to 172.25.30.0, on the back end (the code or config level, whatever you want to call it), is it actually written as 172.25.25.10 to 172.25.30.0 any:any, which I would imagine would work regardless of the hardware as long as the IP range is the same?  Or is the interface name and/or MAC address of the NICs assigned to the subnet in there somewhere, which would make the rule fail if it was imported to new hardware because the MAC address is different?

    Can someone advise me on that or am I over thinking this?



  • Depends on how the rules are created: if they are generic rules, then they don't apply to any specific interface.  If they are bound to an interface, it would be the friendly name like LAN or WAN or OPT1, etc., not the FreeBSD name like em0.

    I would say just export your config, build the new box, import the config, and then see where you stand.  You should be pretty much ready to go; you will just need to reconfigure the interfaces themselves, but the rules should be fine.

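The point extide makes (rules carry the friendly name such as lan or opt1, and the friendly name is what gets mapped to a device like em0) can be checked directly against a backup before the network goes down. The script below is an added example for this thread, not code from the original posts or from the pfSense project. It works on a constructed, heavily abbreviated config in the shape of a pfSense config.xml (the element layout, with interface assignments under interfaces/name/if and rules under filter/rule/interface, is an assumption from memory; compare with a real export before trusting it on one). It lists which friendly names each rule references, flags any reference that no assigned interface provides, and remaps only the device strings behind the friendly names to the new hardware, leaving the rules untouched.

```python
"""Inspect what pfSense-style firewall rules reference, then remap the device
behind each friendly interface name for a hardware move.

Added example for this thread, not code from the original posts or the
pfSense project.  OLD_CONFIG is a constructed, abbreviated config in the
shape of a pfSense config.xml; the element layout is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's current box: WAN on a 100 Mb
# NIC (fxp0), LAN on a VLAN riding the gigabit NIC (em0), DMZ on the second
# 100 Mb NIC (fxp1).  Addresses and device names are made up.
OLD_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>fxp0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em0_vlan10</if><descr>LAN</descr><ipaddr>172.25.25.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>fxp1</if><descr>DMZ</descr><ipaddr>172.25.30.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><vlanif>em0_vlan10</vlanif></vlan>
  </vlans>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><address>172.25.25.10</address></source>
      <destination><network>opt1</network></destination>
      <descr>host to DMZ</descr>
    </rule>
    <rule>
      <type>block</type><interface>opt1</interface>
      <source><network>opt1</network></source>
      <destination><network>lan</network></destination>
      <descr>DMZ may not reach LAN</descr>
    </rule>
    <rule>
      <type>pass</type><floating>yes</floating><interface>wan,opt1</interface>
      <source><any/></source><destination><any/></destination>
      <descr>floating, bound to two interfaces</descr>
    </rule>
  </filter>
</pfsense>"""

# <network> values that are keywords rather than interface names (assumed
# list; a real config may contain others).
SPECIAL_NETWORKS = {"any", "(self)", "pppoe", "l2tp", "openvpn"}


def _interfaces(root):
    """Map friendly interface name (wan, lan, opt1, ...) -> device string."""
    return {node.tag: node.findtext("if") for node in root.find("interfaces")}


def _as_interface(net):
    """'opt1' -> 'opt1' (OPT1 net), 'lanip' -> 'lan' (LAN address), or None."""
    if net is None or net in SPECIAL_NETWORKS:
        return None
    return net[:-2] if net.endswith("ip") else net


def rule_interface_refs(xml_text):
    """Return {rule description: set of friendly interface names it uses}.

    A rule names interfaces through <interface> (comma-separated for
    floating rules) and through <network> entries in source/destination.
    Nothing here is a device name or a MAC address: the rule only knows
    'lan', 'opt1', etc., which is why it survives a hardware change.
    """
    root = ET.fromstring(xml_text)
    refs = {}
    for rule in root.find("filter").findall("rule"):
        names = set()
        iface = rule.findtext("interface")
        if iface:
            names.update(part.strip() for part in iface.split(","))
        for side in ("source", "destination"):
            name = _as_interface(rule.findtext(side + "/network"))
            if name:
                names.add(name)
        refs[rule.findtext("descr")] = names
    return refs


def dangling_refs(xml_text):
    """Friendly names used by rules that no assigned interface provides.

    Anything returned here is a rule that will not attach after an import,
    typically because an interface was not recreated with the same name.
    """
    known = set(_interfaces(ET.fromstring(xml_text)))
    used = set().union(*rule_interface_refs(xml_text).values())
    return used - known


def remap_devices(xml_text, new_devices):
    """Point each friendly interface at a device on the new box.

    new_devices maps friendly name -> new device string, e.g.
    {'opt1': 'lagg0_vlan30'}.  Only <interfaces>/<name>/<if> is rewritten;
    VLAN and LAGG definitions are recreated on the new box, and the rules
    are left alone because they never mention the device.
    """
    root = ET.fromstring(xml_text)
    for node in root.find("interfaces"):
        if node.tag in new_devices:
            node.find("if").text = new_devices[node.tag]
    return ET.tostring(root, encoding="unicode")


def device_of(xml_text, name):
    """Device string currently assigned to a friendly interface name."""
    return _interfaces(ET.fromstring(xml_text))[name]


if __name__ == "__main__":
    for descr, names in rule_interface_refs(OLD_CONFIG).items():
        print(f"{descr!r} references {sorted(names)}")
    print("dangling:", dangling_refs(OLD_CONFIG) or "none")
    moved = remap_devices(OLD_CONFIG, {"lan": "lagg0_vlan10", "opt1": "lagg0_vlan30"})
    print("opt1 now on", device_of(moved, "opt1"))
```

The same friendly-name indirection is what makes extide's advice work: after the import, reassigning LAN to the LAGG VLAN and OPT1 to the DMZ VLAN is a change to the interface assignment only, and a rule such as "host to DMZ" still attaches to lan and still means "OPT1 net" on the destination side even though OPT1 moved from fxp1 to a VLAN on lagg0. The check worth running before the cutover is dangling_refs: if it returns anything, an interface was not recreated under the name the rules expect.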


  • @extide:

    Depends on how the rules are created: if they are generic rules, then they don't apply to any specific interface.  If they are bound to an interface, it would be the friendly name like LAN or WAN or OPT1, etc., not the FreeBSD name like em0.

    I would say just export your config, build the new box, import the config, and then see where you stand.  You should be pretty much ready to go; you will just need to reconfigure the interfaces themselves, but the rules should be fine.

    Awesome!  Thank you very much for clearing that up.  Knowing that it may not be a waste of time makes me a little more comfortable bringing down the network to attempt this.  I'm going to give it a go.

