Messages - WernerD

#1
General Discussion / OPNsense Release 20.1 Image
July 11, 2023, 11:10:16 AM
Hi all,

I still have OPNsense running with release 20.1 and want to port the configuration to other hardware, on which I want to run the most recent version. Unfortunately the configuration file I am able to create on the 20.1 system is not compatible with 23.x. So I had the idea to install 20.1 first, take over the configuration as a second step, and finally upgrade step by step to the most recent version. Even that is not possible, since version 20.1 can no longer be downloaded.

Does anyone have a tip on how to migrate my configuration to the new hardware?

Thanks in advance,

Werner

PS: The configuration is quite extensive and complex, so manually reconfiguring everything is not my preferred option.
#2
Hi Ben,

thanks a lot for your help. Meanwhile, I was able to fix everything. Renaming the NIC device names in the config file works fine, as does the fix for HAProxy. I still found a strange behavior of the logging system, which suddenly stops logging any WAN traffic, but I could fix even that by resetting the logs via System->Settings->Logging.

I still ask myself what I generally have to bear in mind when migrating a firewall setup to new hardware. Is the config file always backwards compatible, i.e.

  • Is it always possible to migrate (import) a config file from an older version of OPNsense to a newer one?
  • Is it necessary that both versions at least have the same major version number? If so, what's the best strategy to migrate a setup from 20.1 to 21.7.4?
  • Which hardware differences are acceptable?
  • Which hardware differences are not acceptable at all?
  • ...

I think there is a lot of room for improvement, e.g. if the imported config file uses igb as the NIC device name and the target system uses em instead, wouldn't it make sense to automatically map igb to em during import?

Thanks :-) I am happy again,
Werner
#3
Hi,

I have OPNsense 21.7.4 running on a small computer with 4 Intel NICs and a J1900 quad-core CPU, with HAProxy in use. Now I wanted to migrate my configuration to another J1900 computer, also with 4 Intel NICs.

My first problem was that the first system is using igb0 ... igb3 as NIC device names, whereas the second one is using em0 ... em3. So I changed the device names in the config file from igb to em. After setting up the second system with a fresh OPNsense installation, I added the HAProxy plugin and tried to import the modified configuration file.

In principle, everything seems to work fine, but the HAProxy service as well as the syslogd service are not starting up correctly. I found that the haproxy.conf file is missing in /usr/local/etc on the new hardware, although the web GUI shows the correct setup for HAProxy. Even the configuration test runs with no errors. I copied haproxy.conf as well as haproxy.conf.staging to the new hardware, and now the HAProxy service starts up, but in the GUI it looks like the service is still not running. OPNsense is behaving strangely and unstably. syslogd still is not starting up, and there is no log available for HAProxy.

My question is: how do I reliably migrate a setup from one OPNsense hardware device to another? The two hardware devices are pretty much the same, except for the device names of the NICs.

Thanks in advance,
Werner

Addendum: It seems to be primarily a problem with HAProxy and OPNsense 21.7.4. After reinstalling everything again, syslogd runs, but HAProxy still does not start up because the necessary config files are not created via the GUI, even if you check the syntax.
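The device rename described in this post (igb0..igb3 in the exported config.xml becoming em0..em3 on the target box) is easy to get wrong with a plain search-and-replace: "igb" also occurs in unrelated places such as sysctl tunables, and VLAN or LAGG definitions reference the parent device as well. The script below is an added example, not OPNsense's own code or anything posted in this thread. It assumes a one-to-one mapping of source to target device names (DEVICE_MAP, which you would fill from `ifconfig -l` on both machines), replaces only whole device-name tokens anywhere in the XML, and then reports any physical interface left in `<interfaces>` that is not covered by the mapping. The config.xml fragment is constructed for the example.

```python
# Added example (not OPNsense code): rewrite physical NIC device names in an
# exported OPNsense config.xml before importing it on hardware whose NICs
# enumerate under a different driver, e.g. igb0..igb3 -> em0..em3.
import re
import xml.etree.ElementTree as ET

# Assumed mapping for this example; take the real names from `ifconfig -l`
# on the old and the new box. Must be one-to-one, otherwise two logical
# interfaces would end up on the same physical port.
DEVICE_MAP = {"igb0": "em0", "igb1": "em1", "igb2": "em2", "igb3": "em3"}

# Virtual interfaces that legitimately appear in <if> but are not physical
# ports and therefore need no mapping.
VIRTUAL_PREFIXES = ("lo", "ovpn", "wg", "ipsec", "gif", "gre", "bridge",
                    "lagg", "vlan", "pppoe", "tun")

# Constructed config.xml fragment in the shape OPNsense exports: logical
# interfaces, a VLAN on igb1, a LAGG of igb2+igb3, a USB NIC (ue0) and a
# sysctl whose name contains "igb" but is not a device name.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>igb1_vlan10</if><descr>GUEST</descr></opt1>
    <opt2><if>lagg0</if><descr>SERVERS</descr></opt2>
    <opt3><if>ue0</if><descr>USB</descr></opt3>
  </interfaces>
  <vlans><vlan><if>igb1</if><tag>10</tag><vlanif>igb1_vlan10</vlanif></vlan></vlans>
  <laggs><lagg><members>igb2,igb3</members><laggif>lagg0</laggif></lagg></laggs>
  <sysctl><item><tunable>hw.igb.rx_process_limit</tunable><value>-1</value></item></sysctl>
</opnsense>
"""


def remap_device_names(config_xml, device_map):
    """Return (new_xml, per-device replacement counts, unmapped physical names)."""
    if len(set(device_map.values())) != len(device_map):
        raise ValueError("device_map must be one-to-one")

    root = ET.fromstring(config_xml)

    # Match only whole device tokens: "igb1" in "igb1_vlan10" and in the
    # comma-separated LAGG member list, but not "igb" in "hw.igb.rx_process_limit".
    names = sorted(device_map, key=len, reverse=True)
    token = re.compile(r"(?<![A-Za-z0-9])(" + "|".join(map(re.escape, names))
                       + r")(?![A-Za-z0-9])")
    counts = {}

    def swap(match):
        old = match.group(1)
        counts[old] = counts.get(old, 0) + 1
        return device_map[old]

    for el in root.iter():
        if el.text and token.search(el.text):
            el.text = token.sub(swap, el.text)

    # After rewriting, anything in <interfaces>/<*>/<if> that looks like a
    # physical device but is neither a mapping target nor a known virtual
    # interface will not exist on the new box; report it instead of guessing.
    unmapped = []
    base = re.compile(r"^([a-z]+[0-9]+)")
    interfaces = root.find("interfaces")
    if interfaces is not None:
        for iface in interfaces:
            dev = iface.findtext("if", "")
            m = base.match(dev)
            if m and not dev.startswith(VIRTUAL_PREFIXES) \
                    and m.group(1) not in device_map.values():
                unmapped.append(dev)

    # ElementTree drops the declaration; put back the one OPNsense writes.
    new_xml = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    return new_xml, counts, unmapped


if __name__ == "__main__":
    xml_out, changed, missing = remap_device_names(SAMPLE_CONFIG, DEVICE_MAP)
    print(xml_out)
    print("replacements:", changed)
    print("unmapped physical interfaces:", missing)
```

Run it against a real backup with the mapping adjusted, then review the "unmapped" list before importing: in the sample, ue0 is flagged because the target box has no such USB NIC, which is exactly the kind of leftover that makes the import assign an interface to a non-existent device.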
#4
Thanks for the hint. I have since seen that too and was just about to post it.
#5
Hello everyone,

after the upgrade to 18.1 I have problems with a NAT rule:

The NAT rule in question defines that all traffic is forwarded via port forwarding to a machine in my network. Using an alias I defined the set of ports {19000, 19100} for which this should happen, and configured that requests from any source using this port alias are to be forwarded to machine X using the same port alias. What then happens is what is intended, namely:

<any IP>:19000 -> MachineX:19000
<any IP>:19100 -> MachineX:19100.

Under 17.7 this worked wonderfully. Forwarding to the same port is the default. Under 18.1_1, with the same rule, all requests are only forwarded to port 19000, i.e.

<any IP>:19000 -> MachineX:19000
<any IP>:19100 -> MachineX:19000.

Is this a bug in version 18.1_1, or have the semantics of NAT rules in combination with a port alias changed when the port alias defines a set of ports?

It would be a pity if I had to define the forwarding separately for each port. Using the alias was super convenient.

I would be very grateful for a tip.