Migrating from 2.1.4 on old hardware to 2.2.6 on new(er) hardware

  • My old setup is a Dell desktop, running pfSense for quite some time, currently still at 2.1.4. My new setup is a WatchGuard firebox x750e running 2.2.6 using quite some modifications (see https://forum.pfsense.org/index.php?topic=20095.1500). I would go to the 2.1.4 and use backup to export these settings:

    • Aliases

    • DHCP Server

    • Firewall rules

    And that's it? I'm not using DNS forwarder, Interfaces will be named differently (sk and msk instead of fxp and em), nothing is configured in NAT, PPTP, Scheduled Tasks, SNMP and syslog. Package manager will have different packages (LCDproc etc) on the new box, as will System tunables.
    And what about System? Is it only about hostname, username, password,… or much more?

    Or is it better to make a complete backup (ALL) and edit the xml to delete what will be different? Or is it better to upgrade the 2.1.4-box to 2.2.6 and then move the config to the new box?

    It's the first time I'm migrating and it's from version to version on different hardware. Any more caveats I have to look out for? Or is my plan the right way to go?

    Many thanks in advance!

  • LAYER 8 Netgate

    In general:

    Install 2.2.6 on the new hardware and run through the initial config to see what interfaces will be WAN, LAN etc.

    Do a full backup of the old system (with or without rrd data - your choice) then edit the config file with a text editor replacing the old interface names with the new ones.

    Connect to the new hardware and restore the config.

    This can all be done off-line with the old firewall continuing its duties until you're happy.

    Then just move the connections to the new hardware and deal with whatever you need to deal with at the ISP to get an address on the new MAC if anything.

    There is a built-in interface renamer that generally does OK but I've had it get squirrelly with complicated sets of interfaces, VLANs, etc.  I usually just edit the file.

    And there's a standard warning about using search and replace. You can do it to be certain you don't miss anything but manually approve every change making sure it's an interface name being replaced. Very likely to have "re0" in some base64-encoded binary blob somewhere and you will blow it up if you change that to em0.

  • There are already some packages installed, system tunables tuned and changes made to loader.conf.local specifically for the WatchGuard-hardware. Will these be overwritten when restoring from a full backup?

  • LAYER 8 Netgate

    The packages should reinstall but will take more time. System > Tunables will migrate in the config. You'll want to manually copy loader.conf to the new system.

    Restoring a full backup and restoring a config file to a new install are two different things.
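
An added example, not part of the thread: one way to apply the search-and-replace warning above, renaming a device name only where it is the entire content of an element and listing every other occurrence (such as inside an encoded blob) for manual review. The sample config, the fxp0/em0 to sk0/msk0 mapping and the `name_vlanN` VLAN naming are assumptions constructed for illustration.

```python
import re

# Constructed sample shaped like a config.xml fragment (not from the thread).
# The <crt> value is a made-up blob that happens to contain "em0" and "fxp0".
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>fxp0</if><descr><![CDATA[WAN]]></descr></wan>
    <lan><if>em0</if></lan>
    <opt1><if>em0_vlan10</if></opt1>
  </interfaces>
  <vlans><vlan><if>em0</if><tag>10</tag><vlanif>em0_vlan10</vlanif></vlan></vlans>
  <cert><crt>TUlJRem0aGVsbG8fxp0d29ybGQ=</crt></cert>
</pfsense>
"""

def rename_interfaces(xml_text, mapping):
    """Return (new_text, changed, skipped) for an old->new device-name mapping.

    A name is rewritten only when it is the whole text of an element,
    optionally with a _vlanN suffix (assumed VLAN naming). Everything else
    is left untouched and reported as (line_number, name) for review.
    """
    alt = "|".join(re.escape(n) for n in sorted(mapping, key=len, reverse=True))
    whole = re.compile(rf">(\s*)({alt})((?:_vlan\d+)?)(\s*)<")
    changed, spans = [], []

    def swap(m):
        changed.append(m.group(2) + m.group(3))
        spans.append(m.span(2))
        return f">{m.group(1)}{mapping[m.group(2)]}{m.group(3)}{m.group(4)}<"

    # Single pass over the text, so swapped names (a->b, b->a) cannot collide.
    new_text = whole.sub(swap, xml_text)

    # Any remaining occurrence in the original is not a bare device name.
    skipped = []
    for m in re.finditer(alt, xml_text):
        if not any(start <= m.start() < end for start, end in spans):
            skipped.append((xml_text.count("\n", 0, m.start()) + 1, m.group(0)))
    return new_text, changed, skipped

if __name__ == "__main__":
    new_text, changed, skipped = rename_interfaces(SAMPLE, {"fxp0": "sk0", "em0": "msk0"})
    print(new_text)
    print("renamed:", changed)
    print("left alone, review by hand:", skipped)
```

Diff the output against the original backup before restoring it; text outside the matched elements is carried over unchanged, CDATA sections included.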
