I have a Netgate 6100 linked to a UniFi USW Pro Max 16 PoE that feeds a UniFi Cloud Key Gen 2+ and 2 U6 APs + various clients. DHCP and VLANs are defined in pfSense and DNS is handled by Pi-hole. I run Network and Protect on the Cloud Key. I hope to get some advice on my migration strategy.
On my initial attempt I connected my ISP into the UCG-Fiber and restored a backup from the Cloud Key, and that failed - nothing migrated properly. In that backup all the UniFi networks are marked as third-party GW as they are defined in pfSense, and the LAN port on pfSense is a trunk port but also has a 192.168.30.0/24 range on it, which is mapped to a network in UniFi. All my clients will get an IP in this range unless specifically tagged elsewhere.
I am now considering a different approach and have some questions.
Step one would be to insert the UCG between the pfSense and the switch, remove the Cloud Key and restore a backup onto the UCG. This should just replace the Cloud Key, but pfSense still manages DHCP and VLANs. The UCG should then get a 192.168.30.x address as a WAN IP (which is not ideal, as this is my main network that I would like to keep. I could create a temporary VLAN and plug the UCG into that port and get an IP from a different subnet).
Step two would be to remove the pfSense box. I am not able to add IP reservations in UniFi unless the network is managed by UniFi (not third-party gateway). Since the LAN network (192.168.30.x) is my main network, I can manually add the reservations in UniFi after I change the router from third-party gateway to the UCG and then tag the VLAN on the switch port (I don’t need that today as it is the default subnet on that pfSense interface).
I will then have 2 DHCP servers on the network until I remove the pfSense box - and it will take some time to add all the (30-ish) reservations.
Should I increase the lease time (and let all renew) and stop the pfSense DHCP server while I do this? Or is it safe to have 2 DHCP servers for a while…
Step three would be to remove the pfSense box and get a proper WAN IP.
Many of you have probably done this already - hope you can give me some advice. Thanks
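The slow part of step two is re-entering the 30-ish reservations by hand, and a typo there is how a device silently lands on the wrong subnet. The following is an added example, not code from the post or from Netgate/Ubiquiti: it reads the static DHCP mappings out of a pfSense `config.xml` export (the `<interfaces>`, `<dhcpd>` and `<staticmap>` element names are pfSense's own format), normalises the MACs, checks each reservation against the interface subnet and for duplicate MACs/IPs, and emits a CSV to work from while adding the entries in UniFi. The hostnames, MACs and addresses in the embedded sample are constructed, not taken from the post.

```python
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml export.
# Hostnames, MACs and addresses are made up for the demonstration.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><ipaddr>192.168.30.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.168.30.100</from><to>192.168.30.199</to></range>
      <staticmap>
        <mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.30.10</ipaddr>
        <hostname>controller</hostname><descr>UniFi controller</descr>
      </staticmap>
      <staticmap>
        <mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.30.11</ipaddr>
        <hostname>dns</hostname><descr></descr>
      </staticmap>
      <staticmap>
        <mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.40.5</ipaddr>
        <hostname>stray</hostname>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>"""


def parse_pfsense_dhcp(xml_text):
    """Return (subnets, reservations) from a pfSense config.xml string.

    subnets maps interface tag (e.g. 'lan', 'opt1') to an ip_network;
    reservations is a list of dicts, one per <staticmap>.
    """
    root = ET.fromstring(xml_text)
    subnets = {}
    interfaces = root.find("interfaces")
    if interfaces is not None:
        for iface in interfaces:
            ip, prefix = iface.findtext("ipaddr"), iface.findtext("subnet")
            if ip and prefix and prefix.isdigit():
                subnets[iface.tag] = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    reservations = []
    dhcpd = root.find("dhcpd")
    if dhcpd is not None:
        for iface in dhcpd:
            for sm in iface.findall("staticmap"):
                reservations.append({
                    "iface": iface.tag,
                    # MACs are compared case-insensitively, so normalise once here
                    "mac": (sm.findtext("mac") or "").strip().lower(),
                    "ip": (sm.findtext("ipaddr") or "").strip(),
                    "hostname": (sm.findtext("hostname") or "").strip(),
                    "descr": (sm.findtext("descr") or "").strip(),
                })
    return subnets, reservations


def check_reservations(subnets, reservations):
    """Flag reservations outside their interface subnet and duplicate MACs/IPs."""
    issues = []
    seen_mac, seen_ip = {}, {}
    for r in reservations:
        net = subnets.get(r["iface"])
        if net is not None and ipaddress.ip_address(r["ip"]) not in net:
            issues.append(f"{r['hostname']}: {r['ip']} is outside {r['iface']} subnet {net}")
        if r["mac"] in seen_mac:
            issues.append(f"{r['hostname']}: MAC {r['mac']} already reserved for {seen_mac[r['mac']]}")
        seen_mac.setdefault(r["mac"], r["hostname"])
        if r["ip"] in seen_ip:
            issues.append(f"{r['hostname']}: IP {r['ip']} already reserved for {seen_ip[r['ip']]}")
        seen_ip.setdefault(r["ip"], r["hostname"])
    return issues


def to_csv(reservations):
    """Render the reservations as CSV text to follow while re-entering them."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["interface", "mac", "ip", "hostname", "description"])
    for r in reservations:
        writer.writerow([r["iface"], r["mac"], r["ip"], r["hostname"], r["descr"]])
    return buf.getvalue()


if __name__ == "__main__":
    subnets, reservations = parse_pfsense_dhcp(SAMPLE_CONFIG)
    for issue in check_reservations(subnets, reservations):
        print("CHECK:", issue)
    print(to_csv(reservations))
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the contents of the backup file; the check output is worth reading before anything is typed into the new controller, since a reservation that pfSense accepted on one interface may not belong on the network it is being moved to.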