Netgate Discussion Forum

    Can't connect from outside after replacing pfSense firewall

    • cdonner

      I am replacing a Netgate FW-7535 running pfSense 2.1 with a Netgate APU2 running 2.2.2.
      I have not been able to upgrade the firmware on the FW-7535 and decided to get new hardware with Gigabit ports instead of reflashing the old one.

      We have 5 static IPs from Comcast Business.
      I copied all settings from the old to the new pfSense instance and double-checked every page, including all the firewall and NAT rules, even their order. When I swapped out the devices last night, everything worked internally, but outside traffic did not get through. There are several websites and applications exposed through 3 of the public IPs, e.g. our public website, SharePoint, etc.

      I have two questions.
      First, assuming that the configuration is exactly the same, would there be something in the SMC cable gateway that needs to get updated? I don't recall that there is, and I tried to power cycle the thing, but it has a buffer battery and just didn't shut off.

      Second, if I in fact did make a configuration error, where should I start diagnosing? I just compared all the rules again between old and new and can't find a difference.

      PS: The configuration file cannot be exchanged between these 2 devices. I tried this and bricked the APU so badly that it required a reflash.

      • cmb

        You can restore the config from a 7535 to an APU, or across any diff hardware for that matter. Just have to reassign NICs where they're different as they are in that case.

        Got Virtual IPs configured for your additional public IPs? If not, add them. If so, those modems will not reliably pick up a change of MAC address until they're power cycled. Shouldn't be hard to get it to power cycle.

        • cdonner

          OK, thanks, cmb. I will give it another try and be more persistent with power cycling the cable modem. The virtual IPs are properly configured as type Proxy ARP, I made sure of that.

          The problem with loading the 7535 settings (1+5 ports) on the APU (3 ports) was that it no longer booted, not even to the point where I could initiate a factory reset, so it was not possible to reassign NICs and the only way out of it was the reflash.

          • Derelict LAYER 8 Netgate

            Yeah. You probably want to delete the interfaces that will have no home on the new hardware before trying to load the config into the APU.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
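
Added example, not part of the thread and not Netgate code: a pre-restore check for the advice above, which reads a config.xml backup and lists the assigned interfaces that have no NIC on the new hardware, together with the rules and virtual IPs still bound to them. The sample config, the NIC names and the old-to-new NIC mapping are constructed assumptions; the element names follow the pfSense config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads. Element names
# follow the pfSense config.xml layout; NIC names and addresses are made up.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
    <opt1><if>em2</if><descr>DMZ</descr></opt1>
    <opt2><if>em3</if><descr>LAB</descr></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface><subnet>203.0.113.10</subnet></vip>
  </virtualip>
  <filter>
    <rule><interface>wan</interface><descr>web in</descr></rule>
    <rule><interface>opt2</interface><descr>lab out</descr></rule>
  </filter>
</pfsense>"""

def audit_config(config_xml, nic_map):
    """Split assigned interfaces into keep/orphaned for the target hardware.

    nic_map maps old NIC names to NICs present on the new box (hypothetical
    input, chosen by the admin). Returns (keep, orphaned, references).
    """
    root = ET.fromstring(config_xml)
    keep, orphaned = {}, {}
    for iface in root.find("interfaces"):
        nic = iface.findtext("if", default="")
        if nic in nic_map:
            keep[iface.tag] = nic_map[nic]
        else:
            orphaned[iface.tag] = nic
    # Rules and virtual IPs still bound to an interface that has no home.
    references = []
    for path in ("filter/rule", "nat/rule", "virtualip/vip"):
        for node in root.findall(path):
            if node.findtext("interface") in orphaned:
                label = node.findtext("descr") or node.findtext("subnet") or ""
                references.append((path, node.findtext("interface"), label))
    return keep, orphaned, references

if __name__ == "__main__":
    keep, orphaned, refs = audit_config(
        SAMPLE_CONFIG, {"em0": "igb0", "em1": "igb1", "em2": "igb2"})
    print("reassign:", keep)
    print("no home on new hardware:", orphaned)
    print("still referenced by:", refs)
```

Anything reported as still referenced is a firewall rule, NAT rule or virtual IP that needs to be moved or removed along with the orphaned interface, so no exposure rule is silently dropped or left dangling after the restore.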

            • cdonner

              Just following up on this - when I tried this again and power-cycled the modem, it worked right away. Thanks again!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.