I’ve got a pfSense firewall that I’m trying to replace with a newer piece of equipment, and I’d like to make the swap with as little effort as possible. If I’m being honest it would be a coin flip between sticking to pfSense or just recoding the firewall aliases and rules on an OPNsense firewall, but I’ve got HAProxy and ACME cert manager set up and I’d really like to not have to recreate those if possible.
The current firewall has a gigabit WAN port, the LAN port is connected to a Unifi 24-port gigabit switch, and the third in-use port is labeled STORAGE and connects to one of two 10G switches. VLANs are currently piggybacking the LAN connection.
The replacement hardware I’ve picked up has 4 SFP+ ports, and what I’d like to do is use one gigabit ethernet port for WAN, and set up two of the SFP+ ports in a failover configuration and bring LAN, STORAGE, and all VLANs over that bond. If it matters, there are 3 switches in place - the 24-port Unifi and a pair of 10G switches that all the server hardware connects to in a failover configuration. I’d love to not lose Internet for a minute or two when I update the switches.
But I’d like to do this firewall migration while still maintaining all the data that’s in the backup from my current firewall.
Is this possible, and if so what’s the best method to do so? I’m guessing it would be:
- Install pfSense
- Restore the backup from the old machine
- This presents a problem - I tried this on the clone of my existing firewall (I only have a handful of routable IPs, and this is at my location so my “failover” firewall is a duplicate I can plug in if the first one fails) and got the message that my existing packages were being reloaded, which suggests HAProxy and ACME won’t work until they reload after the firewall settings are restored, which means I can’t configure everything offline to minimize downtime.
- Create the bond on the 10G ports
- Re-define all the other interfaces as VLANs tagged on the bond
- Ensure that the ports on the switches are tagged to carry all the VLANs.
- Cross my fingers and do the swap.
Is this likely to succeed? Or am I better off just printing out configuration details and manually configuring the new firewall offline?
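One way to de-risk the restore-then-rewire steps above is to inspect and rewrite the config.xml backup offline, before it ever touches the new box, so that the restored config already references NICs that exist there instead of sorting out interface assignments after the reboot. The script below is an added example, not code from the post or from the pfSense project. It assumes the standard pfSense config.xml layout (`<interfaces>`, `<vlans>`, `<laggs>`, `<installedpackages>`); the sample config, the NIC names (`igb*`, `ix*`) and the VLAN tags are constructed for illustration. It lists the packages the restore will try to reinstall, reports which assignments point at NICs the new hardware lacks, adds a failover `<lagg>`, and moves LAN, STORAGE and the existing VLANs onto that bond, turning the untagged STORAGE port into a tagged VLAN as the post proposes.

```python
# Added example (not from the post): offline pre-flight for a pfSense config.xml
# backup before restoring it onto hardware whose NIC names differ.
# Assumes the standard pfSense config.xml layout (<interfaces>, <vlans>, <laggs>,
# <installedpackages>); NIC names, tags and the sample config are constructed.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post: WAN + LAN + STORAGE on igb NICs,
# one VLAN piggybacking LAN, HAProxy and ACME installed.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2</if><descr>STORAGE</descr></opt1>
    <opt2><if>igb1.20</if><descr>IOT</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>20</tag><vlanif>igb1.20</vlanif><descr>IOT</descr></vlan>
  </vlans>
  <laggs></laggs>
  <installedpackages>
    <package><name>haproxy</name></package>
    <package><name>acme</name></package>
  </installedpackages>
</pfsense>"""


def installed_packages(config_xml):
    """Package names the restore will try to reinstall (needs Internet on the new box)."""
    root = ET.fromstring(config_xml)
    return [p.findtext("name") for p in root.findall("installedpackages/package")]


def audit(config_xml, target_nics):
    """Return {iface_key: ifname} for assignments whose NIC (or VLAN parent)
    does not exist on the target. A lagg counts as present when all members do."""
    root = ET.fromstring(config_xml)
    available = set(target_nics)
    for lagg in root.findall("laggs/lagg"):
        members = lagg.findtext("members", "").split(",")
        if all(m in available for m in members):
            available.add(lagg.findtext("laggif"))
    missing = {}
    for iface in root.find("interfaces"):
        ifname = iface.findtext("if", "")
        if ifname.split(".", 1)[0] not in available:
            missing[iface.tag] = ifname
    return missing


def add_lagg(config_xml, members, laggif="lagg0", proto="failover", descr="uplink"):
    """Append a <lagg> definition (proto as pfSense names it: failover, lacp, ...)."""
    root = ET.fromstring(config_xml)
    laggs = root.find("laggs")
    if laggs is None:                 # note: an empty element is falsy, so test for None
        laggs = ET.SubElement(root, "laggs")
    lagg = ET.SubElement(laggs, "lagg")
    ET.SubElement(lagg, "members").text = ",".join(members)
    ET.SubElement(lagg, "descr").text = descr
    ET.SubElement(lagg, "laggif").text = laggif
    ET.SubElement(lagg, "proto").text = proto
    return ET.tostring(root, encoding="unicode")


def remap(config_xml, nic_map):
    """Move interface assignments onto new parents. nic_map values may be a bare
    NIC ('lagg0') or 'parent.tag' ('lagg0.30'), in which case a former physical
    interface becomes a tagged VLAN and gets a matching <vlan> entry."""
    root = ET.fromstring(config_xml)
    vlans = root.find("vlans")
    if vlans is None:
        vlans = ET.SubElement(root, "vlans")
    # Existing VLAN definitions follow their parent NIC.
    for vlan in vlans.findall("vlan"):
        parent = vlan.findtext("if")
        if parent in nic_map:
            new_parent = nic_map[parent]
            if "." in new_parent:     # a VLAN on a VLAN (QinQ) is not a simple rename
                raise ValueError(f"cannot stack VLAN {vlan.findtext('tag')} on VLAN {new_parent}")
            vlan.find("if").text = new_parent
            vlan.find("vlanif").text = f"{new_parent}.{vlan.findtext('tag')}"
    for iface in root.find("interfaces"):
        if_el = iface.find("if")
        parent, _, tag = if_el.text.partition(".")
        if parent not in nic_map:
            continue
        new = nic_map[parent]
        if tag:                       # was already a VLAN: keep the tag, swap the parent
            if_el.text = f"{new}.{tag}"
            continue
        if_el.text = new
        if "." in new:                # untagged port becomes a VLAN on the bond
            new_parent, new_tag = new.split(".", 1)
            v = ET.SubElement(vlans, "vlan")
            ET.SubElement(v, "if").text = new_parent
            ET.SubElement(v, "tag").text = new_tag
            ET.SubElement(v, "vlanif").text = new
            ET.SubElement(v, "descr").text = iface.findtext("descr", iface.tag)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    new_nics = {"igb0", "ix0", "ix1", "ix2", "ix3"}          # constructed target box
    print("packages to reinstall:", installed_packages(SAMPLE_CONFIG))
    print("needs remapping:", audit(SAMPLE_CONFIG, new_nics))
    cfg = add_lagg(SAMPLE_CONFIG, ["ix0", "ix1"])
    cfg = remap(cfg, {"igb1": "lagg0", "igb2": "lagg0.30"})
    print("after remap:", audit(cfg, new_nics))
```

Run it against a real backup by loading the file instead of `SAMPLE_CONFIG` and substituting the NIC names the new hardware actually shows; the `audit` output is the list of interfaces that would otherwise need manual reassignment, and `installed_packages` is the list of packages whose reinstall (and therefore the HAProxy and ACME configs) depends on the new box having working WAN at restore time. The script only rewrites interface and VLAN references; the switch-side tagging from the last step still has to be done by hand, and a VLAN tag chosen for a formerly untagged port (here the constructed `30` for STORAGE) must match what the switches carry.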