Feature #16387

closed

Disaster recovery when WAN is configured with a static IP

Added by Serge Caron 23 days ago. Updated 23 days ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Backup / Restore
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

As confirmed in #14921, External Config Locator only triggers a package sync on first boot.
As documented in #16374, when there is no connectivity on WAN following an initial install, all package configurations are removed.

The following was done to restore a configuration to a different WAN using a distinct static IP and subnet:

1. Copy the target configuration to a Netgate Installer USB key and perform the initial install selecting this configuration (option 0, /config.xml).
   Enter the shell and issue a "poweroff".
   Remove all network cables and USB key. This install can be done from any network connection.

2. Reboot the firewall and assign the new static IP and Gateway to the WAN port you want to use on first boot.
   Enter the shell and issue a "poweroff". This is meant to be done offline.

3. On location, insert the USB key and network cable in the target WAN port connected to the target ISP subnet.
   Power on the firewall and boot from the Netgate Installer USB key.
   Select the recovered configuration file (option 1, typically /ada0.../config.xml) and reinstall pfSense: this file has the proper WAN configuration.
   At the end of the installation, enter the shell to issue a "poweroff" and remove the USB key.

4. Reboot the firewall. Packages are now being reloaded. If you want a confirmation, enter the shell and issue the command

grep -r "rc.start_packages" /var/log

Typical results are:
/var/log/system.log:Aug 20 07:38:43 keepalive php-cgi[50948]: rc.start_packages: Restarting/Starting all packages.
/var/log/system.log:Aug 20 07:38:43 keepalive php-cgi[50948]: rc.start_packages: Stopping service lldpd
/var/log/system.log:Aug 20 07:38:43 keepalive php-cgi[50948]: rc.start_packages: Starting service lldpd

Please note that in my tests, I had to reload DHCP leases using the Restore Area "DHCP Server" of the Restore Backup GUI.

We need a better disaster recovery plan for configurations where DHCP is not available on WAN (which is the case of ALL my firewalls ;-).

Regards,

Actions #1

Updated by Jim Pingle 23 days ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Rejected
  • Priority changed from High to Normal
  • Affected Version deleted (2.8.0)

This has nothing to do with a static IP address and everything to do with your broken procedures. Opening more issues here won't change that.

The firewall must have working connectivity to reinstall packages. If the firewall does not have working connectivity or it thinks the repositories are empty/missing, it can remove the packages -- the configuration is broken otherwise because it expects things to be present which are not. Otherwise you are running in a completely undefined state that may happen to work by accident but we cannot trust that it will. There is no way to make it wait until connectivity works to reinstall because it can't run with an invalid configuration in the meantime. It's already too late by the time you have manually entered the IP address at the console.

You have a few choices:

1. Edit the new address and gateway into the config.xml then restore, but do not boot it after until it is in place with working connectivity.
2. Restore the configuration with the new/correct IP address again once it's in place with working connectivity
3. Manually reinstall the packages afterward

There is another option which may help coming with Netinstall 1.1, which is close to release: it can inject the IP addresses configured in the installer into the target (Plus) system configuration. However, that would require you to reinstall it in the location with working connectivity, not before, since it would have to be using the new IP address to perform the installation.

The more correct way to handle these types of deployments is with an HA setup (not cold spare/DR) or a proper isolated staging/lab environment where you can "fake" the network layout of the new target site.

Follow up on the forum if necessary, not here.
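Option 1 above (editing the new address and gateway into config.xml before restoring) can be scripted so the edit is checked before the file ever reaches the installer key. The following is an added example, not code from pfSense or from either participant; it assumes the usual config.xml layout (interfaces/wan with ipaddr, subnet and a gateway name, and a matching gateways/gateway_item), and the sample configuration and addresses are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal pfSense-style config.xml for demonstration only.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>igc0</if><ipaddr>192.0.2.10</ipaddr><subnet>24</subnet><gateway>WANGW</gateway></wan>
    <lan><if>igc1</if><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>192.0.2.1</gateway><name>WANGW</name><ipprotocol>inet</ipprotocol></gateway_item>
  </gateways>
</pfsense>"""


def gateway_in_subnet(ipaddr: str, prefix: int, gateway: str) -> bool:
    """True when the gateway is a host inside the WAN subnet; a mismatch here
    leaves the firewall without a usable default route after restore."""
    net = ipaddress.ip_network(f"{ipaddr}/{prefix}", strict=False)
    return ipaddress.ip_address(gateway) in net


def set_wan_static(config_xml: str, ipaddr: str, prefix: int, gateway: str) -> str:
    """Return config_xml with the WAN static address, prefix and the gateway
    entry referenced by interfaces/wan/gateway rewritten (assumed layout)."""
    if not gateway_in_subnet(ipaddr, prefix, gateway):
        raise ValueError(f"gateway {gateway} is not inside {ipaddr}/{prefix}")
    root = ET.fromstring(config_xml)
    wan = root.find("interfaces/wan")
    if wan is None:
        raise ValueError("no interfaces/wan element in configuration")
    wan.find("ipaddr").text = ipaddr
    wan.find("subnet").text = str(prefix)
    gwname = wan.findtext("gateway")  # name of the gateway_item WAN uses
    items = [i for i in root.findall("gateways/gateway_item")
             if i.findtext("interface") == "wan" and i.findtext("name") == gwname]
    if len(items) != 1:
        raise ValueError(f"expected exactly one WAN gateway_item named {gwname!r}")
    items[0].find("gateway").text = gateway
    return ET.tostring(root, encoding="unicode")


def wan_settings(config_xml: str) -> tuple:
    """Read back (ipaddr, subnet, gateway address) for the WAN interface."""
    root = ET.fromstring(config_xml)
    wan = root.find("interfaces/wan")
    gwname = wan.findtext("gateway")
    gw = next(i.findtext("gateway") for i in root.findall("gateways/gateway_item")
              if i.findtext("name") == gwname)
    return wan.findtext("ipaddr"), wan.findtext("subnet"), gw
```

Write the returned string to the config.xml on the installer key only after `wan_settings` shows the values intended for the target site.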

Actions #2

Updated by Serge Caron 23 days ago

Thank you for your time and insight.

The intent is to reinstall pfSense in the location with working connectivity.

Editing the configuration file stored on the installation key is a solution pending the release of Netinstall 1.x. Manually reinstalling the packages afterward is not.

As for the equipment setup in the original location, presume everything is destroyed: this is the staging/lab where the original network layout is being restored.

Regards,
