Migrating pfsense from physical to vm – all kinds of issues with backup/restore

  • I must be missing some steps here…

    To back up:
    Diagnostics -> Backup & Restore -> Backup Area: ALL.  Unchecked everything so that everything gets backed up.  Download configuration as XML to do a backup of my existing system.

    Install fresh copy of pfsense 2.3 as VM
    Diagnostics -> Backup & Restore -> Restore Configuration

    But apparently that's not enough.

    First, I had to reassign the interfaces for my wan and lan -- this I expected since the hardware was different.

    However, my OpenVPN and ipv6 tunnel with he.net interfaces are still missing.  (OpenVPN and the tunnel are working however)

    DNS Resolver was broken.  I had to disable dnssec because:

    May 24 11:48:54 pfSense unbound: [78703:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN

    This was happening because the time had not synchronized – THAT was happening because -- wait for it -- ntp couldn't resolve the hostname!

    Once the time synced, I was able to re-enable dnssec.

    I then was able to install the suricata package, and it started -- however, my dropsid.conf file wasn't restored and this was in the logs:

    May  1 22:27:20 pfSense php: /etc/rc.packages: [Suricata] Error - unable to open 'drop_sid_file' "dropsid.conf" specified for WAN

    So I have to ask – what is the /correct/ way to back up a pfsense system so that EVERYTHING gets restored correctly?

    I visited this page already: (https://doc.pfsense.org/index.php/Full_Backup) however it strongly suggested that I do what I did above:

    Please note that such backups are rarely needed, and the config.xml backup contains all user settings and is capable of restoring a router to a completely functional state in nearly every case. If there is a special need for altering specific files and having those changes backed up, these scripts may help. When possible, it is best to use the config backup mechanism instead of relying on full backups.

    Any idea how to bring back my other interfaces?  Since I'm a "Gold" member and have been using the autobackups, is my dropsid.conf file out there somewhere?

  • Apparently those docs need to be updated – those "full backup" scripts don't exist in 2.3.

  • Anyone?

    I never could get my ipv6 interface to work after migration.

    I'm back to my physical box now.

    If all it takes is a change of hardware to mung up the restore, this gold level "Auto Config Backup Service" isn't worth the subscription.

  • The catch 22 there with NTP and DNSSEC is known, though outside of the system clock being way off on first boot of a new install, you shouldn't be so far off as to cause issues there.

    The config backup stores all the changes you make via the GUI configuration screens. If you make conf changes outside of that, they have to be restored separately.
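
Added example, not from the thread or the pfSense project: a pre-restore check that lists every interface assignment in a config.xml and marks the ones whose device does not exist on the new machine, which is the reassignment step described in the first post. The element layout (`interfaces/*/if`, `openvpn/openvpn-server/vpnid`, `gifs/gif/gifif`), the `ovpns<vpnid>` device naming, and the `em*`/`vtnet*` NIC names are assumptions, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads (assumed layout).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
    <opt1><if>ovpns1</if><descr>VPN</descr></opt1>
    <opt2><if>gif0</if><descr>HE_TUNNEL</descr></opt2>
  </interfaces>
  <openvpn><openvpn-server><vpnid>1</vpnid></openvpn-server></openvpn>
  <gifs><gif><if>wan</if><gifif>gif0</gifif></gif></gifs>
</pfsense>"""


def audit_interfaces(config_xml, target_nics):
    """Return {assignment: (device, status)} for every assigned interface.

    status is one of:
      present           - device name exists on the target machine
      defined-in-config - virtual device the config itself creates
      unresolved        - neither; must be reassigned after the restore
    """
    root = ET.fromstring(config_xml)
    # Virtual devices defined elsewhere in the same config (not hardware).
    virtual = {"ovpns" + v.text.strip()
               for v in root.findall("./openvpn/openvpn-server/vpnid") if v.text}
    virtual |= {g.text.strip()
                for g in root.findall("./gifs/gif/gifif") if g.text}

    report = {}
    interfaces = root.find("interfaces")
    for entry in (interfaces if interfaces is not None else []):
        dev = (entry.findtext("if") or "").strip()
        if dev in target_nics:
            status = "present"
        elif dev in virtual:
            status = "defined-in-config"
        else:
            status = "unresolved"
        report[entry.tag] = (dev, status)
    return report


if __name__ == "__main__":
    # Hypothetical NIC names on the new VM.
    for name, (dev, status) in audit_interfaces(SAMPLE_CONFIG, {"vtnet0", "vtnet1"}).items():
        print(f"{name:6} {dev:8} {status}")
```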
