[SOLVED] Migrate from PFsense to OPNsense

[shade73]

Hello,

I wish to migrate 2 PFsense 2.2.6 servers in HA setup, to OPNsense 16.1 (or 16.7 if timetable will shift).

Any thoughts or guide for the best way? Is there a way to export/import config?

Thanks in advance.

[netrixtardis]

While OPNsense and pfsense are from similar base, they are not really interchangeable like that.  You should export your pfsense config only as a reference, do not try to re-import it into OPNsense

[franco]

You can still import individual sections and see if that works. Additional info here:

https://github.com/opnsense/core/issues/28#issuecomment-141755217

It may work, depending on your config.xml complexity. Good luck. Test in a VM.

[shade73]

Thanks for the input.

I'm in the middle of the migration, seems like 16.7rc2 is the only download so starting on that.

Not much could be imported from old config, so had a good cleanup - only aliases could be used, that was many lines of config I where saved from typing.

I'm using a Intel i350-T4 card and on PFsense (or the old FreeBSD) I had a buffer exhaustion in the kernel because of the load on the card with hardware offload.

I had these added to /boot/loader.conf
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"

Do you know if they are still needed in 10.3, or mabee a better value?

Regards

[franco]

There is also an older 16.1.8 image, but 16.7-RC2 is almost all of 16.7 so it's best to start there.

Wouldn't risk omitting the loader values, although it makes we wonder where you came from. pfSense 2.2.6 maybe? In that case e.g. from 10.1 to 10.3 not a lot has changed in FreeBSD as most of the network stack reworks are locked into FreeBSD 11 due to a larger rework/restructuring happening there.


Cheers,
Franco

[Julien]

This is my new project after I will finish with some implantation .
Have created a LAB and will test on a VM.
If any one has gotten this working would like to know if it even possible .

[shade73]

Yes, I came from pfSense 2.2.6.

I also think it will be best to keep the values in loader.conf, because we have 1 Gbps internet connection, and the netcard have alot of load on all 4 ports.

[shade73]

My migration goes well I have now both boxes (Lenovo RS140) up and running with 16.7r2.

All rules and configuration have been migrated, mostly by hand.

I have configured High Availability and it seems to work, the master can see the backup and show what services are running on it and configuration changes on the master are shown on the backup almost instant.

Fail over also seems to work, only one problem. On the master under Firewall/Virtual IP's/Status it says that it is master on ALL carp interfaces (all good here), but on the backup it says it is backup on almost all carp interfaces. The backup is also master on the WAN interface.

That shows in 2 ways, one if I ping one of our server from the WAN then i get a (DUP) reply on the ping, one correct answer from the master firewall and one DUP from the backup.

Second the backup can not check for updates our reach the internet because it uses the carp address, and then the master picks up on the answer.

I have looked both here (https://docs.opnsense.org/manual/how-tos/carp.html) and in the https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) for ideas on if I have done something wrong. But everything seems to be configured correct.

[franco]

The problem in both cases seems to be the backup being stuck in a faulty state. I'm guessing that a reboot didn't help.

I don't know how to debug this, Ad will be back tomorrow.

[shade73]

No, a reboot does not change a thing.

Shall I disable HA until furter notice?

[shade73]

Got to the last migration point, the OpenVPN server, got the configuration in and the service up and running and listening on the right port.

I can no find any client settings to export (client install packages). I have checked where it normmaly goes wrong and all seems right, I have created a Trust Authoritie, and with that I have created a certificate for the OpenVPN server and also a client/user certificate.

But no user to export, do you have some input?

[franco]

For the certificates to show up the user certificates need to be assigned to the users and the OpenVPN server mode must be set to "Remote Access" with SSL/TLS in it.

Yes, temporary disable HA. Let us help figure out the issue out tomorrow.


Cheers,
Franco

[shade73]

Okay great, that makes sense and now I can se the users.

On the old platform, I did not create the users as the where external verified.

[franco]

We discussed the HA issue and were wondering whether

(a) there is a typo in the VHID, or

(b) there is a policy/piece of metal between the two boxes that prevents them from able to talk CARP to each other on the WAN side.


Cheers,
Franco

[shade73]

Regarding

(a) Everything seems to be OK, the VHID where created on the primary firewall and synced to the backup when HA was enabled so whey should be the same.

(b) There is a cable between the two firewalls on a dedicated sync port on the NIC, in the firewall rules on both firewall under the "sync tab" is is ipv4 allow everything.

Regards