Migrating HAProxy configuration to new firewall hardware

Started by WernerD, October 28, 2021, 09:20:29 PM

Hi,

I have OPNsense 21.7.4 running on a small computer with 4 Intel NICs and a J1900 quad core cpu with HAProxy in use. Now, I wanted to migrate my configuration to another J1900 computer even with 4 Intel NICs.

My first problem was that the first system is using igb0 ... igb3 as NIC device names whereas the second one is using em0 ... em3. So I changed the device names in the config file from igb to em. After having set up the second system with a fresh OPNsense installation I added the HAProxy extension and tried to import the manipulated configuration file.

In principle, everything seems to work fine, but the HAProxy service as well as the syslogd service are not starting up correctly. I detected that the haproxy.conf file is missing in /usr/local/etc on the new hardware although the web GUI shows the correct setup for HAProxy. Even the configuration test runs with no errors. I have copied haproxy.conf as well as haproxy.conf.staging to the new hardware and now the HAProxy service is starting up, but in the GUI it looks like the service is still not running. OPNsense is behaving strangely and is unstable. syslogd still is not starting up and there is no protocol available for HAProxy.

My question is: How to migrate reliably a setup from one OPNsense hardware device to another. The two hardware devices used are pretty much the same excepting the device names of the NICs.

Thanks in advance,
Werner

Addendum: It seems to be primarily a problem with the HAProxy and OPNsense 21.7.4. After reinstalling everything again syslogd runs but HAProxy still is not starting up because necessary config files are not created via the gui even if you check syntax.

Hi Werner,

The HAProxy issue is a bug with a patch. More here.

Not sure if that sorts everything for you. You may still have a query regarding dissimilar hardware.

HTH,
Ben

Hi Ben,

Thanks a lot for your help. Meanwhile, I was able to fix everything. Renaming the NIC device names in the config file works fine, as well as the fix for HAProxy. I still have found a strange behavior of the logging system, which suddenly stops logging only WAN traffic, but I could fix even that by resetting the logs via System->Settings->Logging.

I still ask myself, what I generally have to bear in mind when I am going to migrate a firewall setup to new hardware. Is the config file always backwards compatible, i.e.

  • Is it always possible to migrate (import) a config file from an older version of OPNsense to a newer one?
  • Is it needed, that both versions at least have the same major version number? If the answer is YES, what's the best strategy to migrate a setup from 20.1 to 21.7.4?
  • Which hardware differences are acceptable?
  • Which hardware differences are not acceptable at all?
  • ...

I think that there is much space for improvements, e.g. if the config file imported uses igb as a NIC device name and the target system does use em instead, isn't it meaningful to automatically map igb to em during import?

Thanks :-) I am happy again,
Werner

Kudos and credit be to Fright (if I'm not mistaken) for spotting the typo and for writing the patch.

In relation to migrations:

I would start on the same version. The most recent stable would be best because it will minimise differences and should help with support if you need it. I think you would be asking for problems migrating between different versions.

Quote from: lar.hed on December 28, 2020, 09:41:29 AM
Unless someone else has a solution, a simple one, I think this is howto:
1. take backup on old installation
2. take a backup of new installation (same version as old installation I guess, or you will find more differences)
3. copy the old installation backup to a specific editable file
4. compare backup files so that one can change the interface names in the newly copied editable file
5. load the edited version on new installation

However I hope there is a better way to do this.

...and from the same topic...

Quote from: dcol on July 24, 2021, 11:56:14 PM
I would also make sure any added plugins be installed on the new hardware that exist on the old hardware.
Also custom files need to be copied to the new hardware. And, of course, adjust the interfaces as needed...

So you have essentially done the same. I'm not sure if backup and restore also captures your HAProxy config; perhaps it does. If so, maybe it could be included in the technique above. If not, it possibly could be included through some plugin mechanism or coded into the backup. Whilst it is likely of some benefit, I believe writing some sort of diff wizard / editor for the restore process would not be a trivial piece of work.

As you still need to install OPNsense on a new system before restoring the old config on to it, using dissimilar hardware shouldn't be too much of an issue. Having said that, a thorough parsing and review of the backup file would be highly recommended.
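
The following is an added example, not part of the thread and not OPNsense code: one way to script the "rename the device names, then review the backup" step discussed above. The sample XML is constructed, and its element names (`interfaces`, `vlans`, `vlanif`, `filter`) are assumptions about the backup's layout; the function renames only values that are exactly a device name and lists every other mention for manual review instead of rewriting it blindly.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a small config backup (layout is an assumption).
SAMPLE = """<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
  </interfaces>
  <vlans><vlan><if>igb1</if><tag>10</tag><vlanif>igb1_vlan10</vlanif></vlan></vlans>
  <filter><rule><descr>uplink on igb0 port</descr><interface>lan</interface></rule></filter>
</opnsense>"""


def remap_devices(xml_text, old="igb", new="em"):
    """Rename old<N> device names to new<N>.

    Returns (new_xml, changes, leftovers):
      changes   - (path, old_value, new_value) for every value rewritten
      leftovers - (path, value) still mentioning an old device; review by hand
    """
    root = ET.fromstring(xml_text)
    # Whole-value match only: "igb1" or a derived name such as "igb1_vlan10".
    exact = re.compile(rf"^{re.escape(old)}(\d+)((?:_vlan\d+)?)$")
    # Any other mention (free text, descriptions) is reported, not changed.
    loose = re.compile(rf"\b{re.escape(old)}\d+")
    changes, leftovers = [], []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        m = exact.match(text)
        if m:
            elem.text = f"{new}{m.group(1)}{m.group(2)}"
            changes.append((here, text, elem.text))
        elif loose.search(text):
            leftovers.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), changes, leftovers


if __name__ == "__main__":
    _, changed, review = remap_devices(SAMPLE)
    for path, before, after in changed:
        print(f"renamed  {path}: {before} -> {after}")
    for path, value in review:
        print(f"review   {path}: {value!r}")
```

Run it against a copy of the exported backup, never the only copy, and diff the result against the original before importing it on the new hardware.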